tomcat-users mailing list archives

From Maurice Yarrow <>
Subject hacking the tomcat DefaultServlet
Date Tue, 18 Oct 2005 01:24:30 GMT

Hello tomcat users

I have hesitated a while before sending up this question,
for the presumably obvious reason that hacking the tomcat
DefaultServlet is an act of questionable judgement.  But
there are some good reasons why I experimented with this.

In my attempt to get more control over visibility of static
resources on my tomcat 5.0.28, I decided first to write my
own static page downloader servlet which was intended only
for images and applets.  By first defining such a
servlet-mapping as


in my app web.xml, I can thereupon


and obtain the trailing portion of an invoking URL
such as

Then request.getPathInfo() returns


Now, of course, the ImgServlet checks the session obj
for authentication purposes, and, having accepted it as
having a valid session, it then checks and modifies the
/a/b/c.jpg to appropriately point to the actual disk

It is therefore impossible for a client without a valid
session to simply look at something like

because the actual resource isn't available through anything
like this.

Of course, I wrote a download server that includes all the
right response.setHeader(attribName, attrib) and a
getLastModified(HttpServletResponse resp) override method
stuff to mimic what the tomcat DefaultServlet does, and though
my static page server allows browsers to get the file efficiently
(via BufferedOutputStream(response.getOutputStream,...) and
to cache the file fine under http, this would not provide
files that cached under https and Internet Explorer  (it did
work fine for mozilla!).

So then I tried the tomcat DefaultServlet, which I compiled
separately into my own webAppName app and modified to
accommodate the above capabilities.   But this did not cache
images under https/IE either.  Now, mind you, the tomcat
DefaultServlet does cache fine natively (i.e., within tomcat)
for both http and https and IE.

Now, of course, I could add the behaviour I want into the
actual .../org/apache/catalina/servlets/
in the tomcat source tree, and then replace the resultant
class files into the tomcat-5.0.28/server/lib/servlets-default.jar.
But for the reason that I don't really want to tinker too much
with this most basic core tomcat capability for security
reasons, I would rather resolve this in my web app.

So, actually, my simple question, really, is:
Does anyone who has done this kind of thing have any experiences
that they would care to share?

Maurice Yarrow
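
The session-gated image servlet described in the message above, as an added example that is not the poster's code: it applies the session check in both doGet() and the getLastModified() override, and confines the path info to a single directory. BASE_DIR and the "user" session attribute are assumed names, and the javax.servlet API is assumed.

```java
import java.io.*;
import javax.servlet.http.*;

// Added example, not the poster's code. BASE_DIR and the "user" session
// attribute are hypothetical; the javax.servlet API is assumed.
public class ImgServlet extends HttpServlet {
    private static final File BASE_DIR = new File("/srv/protected-static");

    private static boolean authenticated(HttpServletRequest req) {
        HttpSession s = req.getSession(false);          // do not create a session
        return s != null && s.getAttribute("user") != null;
    }

    // Map path info onto the base directory; null if it is missing, resolves
    // outside the base (e.g. via ".." or a symlink), or is not a regular file.
    static File resolve(File base, String pathInfo) throws IOException {
        if (pathInfo == null || pathInfo.indexOf('\0') >= 0) return null;
        File root = base.getCanonicalFile();
        File target = new File(root, pathInfo).getCanonicalFile();
        boolean inside = target.getPath().startsWith(root.getPath() + File.separator);
        return inside && target.isFile() ? target : null;
    }

    // HttpServlet.service() calls this before doGet() and can answer a
    // conditional GET with 304 on its own, so it must apply the same checks
    // as doGet() and return -1 (unknown) when they fail.
    protected long getLastModified(HttpServletRequest req) {
        try {
            File f = authenticated(req) ? resolve(BASE_DIR, req.getPathInfo()) : null;
            return f == null ? -1 : f.lastModified();
        } catch (IOException e) {
            return -1;
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!authenticated(req)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        File f = resolve(BASE_DIR, req.getPathInfo());
        if (f == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        String type = getServletContext().getMimeType(f.getName());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLength((int) f.length());
        InputStream in = new BufferedInputStream(new FileInputStream(f));
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```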
