Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Equinox » Hide filter access to WEB-INF
Hide filter access to WEB-INF [message #119511] Mon, 13 October 2008 22:41 Go to next message
Eclipse UserFriend
Hi, Im working on a web-application using Eclipse-Equinox server side, I
have integrated myFaces to it. I need the WEB-INF/web.xml file to set some
configurations for myFaces, but I dont want that the users have access to
this resource.

My web resources are under the /web directory, so I have /web/WEB-INF

JspServlet _jspServlet = new JspServlet(context.getBundle(), "/web");

Is there a way to hide to the browser the WEB-INF resource, and any files
or sub directories inside it?

Thanks.
Re: Hide filter access to WEB-INF [message #119542 is a reply to message #119511] Mon, 13 October 2008 23:18 Go to previous messageGo to next message
Eclipse UserFriend
The JSPServlet has built in code to filter out request to WEB-INF. Do you
have a situation where this isn't working?
Looking at the code the match is not case insensitive so perhaps there is a
bug lurking here. Please let me know here.

Anyway... probably the easiest way is to register the JSPServlet with an
extension alias e.g. something like "/*.jsp" or "/web/*.jsp". I should add
that the current OSGi HTTP Service spec does not provide support for
extension aliases so this is specific to the equinox http service
implementations (both servletbridge and jetty-based implementations).

Another possibility is to register a special 404Servlet at WEB-INF although
again it's important to be careful about case sensitivity issues.

HTH
-Simon

"Ignacio M" <nmorenor@gmail.com> wrote in message
news:5ff6ceca6c0f8833c24207229a20a05e$1@www.eclipse.org...
> Hi, Im working on a web-application using Eclipse-Equinox server side, I
> have integrated myFaces to it. I need the WEB-INF/web.xml file to set some
> configurations for myFaces, but I dont want that the users have access to
> this resource.
>
> My web resources are under the /web directory, so I have /web/WEB-INF
>
> JspServlet _jspServlet = new JspServlet(context.getBundle(), "/web");
>
> Is there a way to hide to the browser the WEB-INF resource, and any files
> or sub directories inside it?
>
> Thanks.
>
Re: Hide filter access to WEB-INF [message #119931 is a reply to message #119542] Tue, 21 October 2008 20:59 Go to previous messageGo to next message
Eclipse UserFriend
Im checking this, like I say Im using apache myFaces Servlet, but Im using
the ClassLoader from your JspServlet. I have made a CtxListenerAdaptor
that extends from HttpServlet, then Im adding this to the service method...

public void service(HttpServletRequest req, HttpServletResponse resp)
				throws ServletException, IOException {
			String pathInfo = req.getPathInfo();
			System.out.println(pathInfo);
			if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
				resp.sendError(HttpServletResponse.SC_NOT_FOUND);
				return;
			}
			ClassLoader original = Thread.currentThread()
					.getContextClassLoader();
			try {
				Thread.currentThread().setContextClassLoader(jspLoader);
				delegate.service(req, resp);
			} finally {
				Thread.currentThread().setContextClassLoader(original);
			}
		}


but when I call the getPathInfo I get a null value this class is called to
get this info
org.eclipse.equinox.http.servlet.internal.HttpServletRequest Adaptor is
there a fix for this issue. Or we need to search a workaround for this.

Thanks
Re: Hide filter access to WEB-INF [message #119942 is a reply to message #119931] Tue, 21 October 2008 21:14 Go to previous messageGo to next message
Eclipse UserFriend
But there is a catch, when I do a request to
http://localhost:8080/jsf/WEB-INF/web.xml this service method is not
called...

Thanks
Ignacio M
Re: Hide filter access to WEB-INF [message #119954 is a reply to message #119942] Tue, 21 October 2008 21:31 Go to previous messageGo to next message
Eclipse UserFriend
I think that path info is working as expected, because Im registering the
servlets with this.

_http.registerServlet("/jsf/*.jsf", _servlet, initparams,_context);

so the /WEB-INF/web.xml does not match with this alias. I need to think in
another way...
Re: Hide filter access to WEB-INF [message #120030 is a reply to message #119542] Wed, 22 October 2008 20:31 Go to previous messageGo to next message
Eclipse UserFriend
What do you think if we modify this class
org.eclipse.equinox.http.jetty.internal.HttpServerManager$In ternalHttpServiceServlet

Making it extend from HttpServlet instead implemet Servlet from her self,
and add this lines...

public void service(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String pathInfo = req.getPathInfo();
System.out.println(pathInfo);
if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
resp.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
}

do you think that it will cause a performance problem or anything else? I
test this change and it is working Im not able to view nothing inside a
WEB-INF direcotry...
Re: Hide filter access to WEB-INF [message #120058 is a reply to message #120030] Wed, 22 October 2008 21:46 Go to previous messageGo to next message
Eclipse UserFriend
Ignacio,

I would not want to make a special rule like this since the OSGi Http
Service makes no special provision for a WEB-INF path.
Here are a couple of alternatives I'd suggest:
1) For your "resource" registration use a custom HttpContext that filters
out the WEB-INF folder.
2) Use a custom ResourceServlet and filter out WEB-INF like you've shown.
3) Package your resources in a separate folder hierarchy from your JSF/JSP
components that need a WEB-INF folder.

Are any of those workable?
-Simon

"Ignacio M" <nmorenor@gmail.com> wrote in message
news:8016f7001f44be975eb327715bb339f5$1@www.eclipse.org...
> What do you think if we modify this class
> org.eclipse.equinox.http.jetty.internal.HttpServerManager$In ternalHttpServiceServlet
>
> Making it extend from HttpServlet instead implemet Servlet from her self,
> and add this lines...
>
> public void service(HttpServletRequest req, HttpServletResponse resp)
> throws ServletException, IOException {
> String pathInfo = req.getPathInfo();
> System.out.println(pathInfo);
> if (pathInfo != null && pathInfo.contains("/WEB-INF/")) { //$NON-NLS-1$
> resp.sendError(HttpServletResponse.SC_NOT_FOUND);
> return;
> }
>
> do you think that it will cause a performance problem or anything else? I
> test this change and it is working Im not able to view nothing inside a
> WEB-INF direcotry...
>
Re: Hide filter access to WEB-INF [message #120131 is a reply to message #120058] Thu, 23 October 2008 22:11 Go to previous message
Eclipse UserFriend
The HttpContext implementation sounds good... Thanks, with this
implementation can we filter any other directory on my web app, based on
javax.security.auth.Subject?? This could be rely good... Today I was
looking to this plugin org.eclipse.equinox.examples.httpsecurity, I think
that is a good base to implement this new HttpContext. Ill try that and
probably I will post more questions thoughts on this later...

many Thanks
Ignacio.
Previous Topic:Running multiple instances of servletbridge in a tomcat instance
Next Topic:Re: Problem integrating equinox transforms (xslt)
Goto Forum:
  


Current Time: Fri May 02 00:07:59 EDT 2025

Powered by FUDForum. Page generated in 0.02926 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly