tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Prevent unwanted requests
Date Fri, 18 May 2007 23:30:07 GMT
I'll second that one. 

A basic filter that checks the request for .bak, .java, .whatever is 
relatively easy and transparent (you don't have to change even one line 
of your existing code).  When you find one of those banned extensions, 
just return a 403 (forbidden) or 404 (not found) on the response.  If 
not, just chain the request along to its next step in the process -- 
probably a servlet or jsp.

--David


Lucas Galfaso wrote:
> I think that a new servlet to filter these files is not the proper
> approach, and you should use a filter :)
>
> - LG
>
> On 5/18/07, Milanez, Marcus <Marcus.Milanez@diebold.com> wrote:
>> Is it possible to prevent the request of unwanted extensions, like
>> *.bak, *.java and so on, through web.xml file? My solution was creating
>> a servlet that gets mapped to these extensions, but I could realize that
>> it doesn't work along with DWR for example...  The problem is that when
>> I invoke something like myapp/dwr/file.java, this URL is mapped to dwr
>> servlet instead of ForbiddenFilesController. Does anybody know how to
>> solve that?
>>
>>
>> My web.xml contains the following lines:
>>
>> ...
>>     <servlet-mapping>
>>         <servlet-name>ForbiddenFilesController</servlet-name>
>>         <url-pattern>*.java</url-pattern>
>>     </servlet-mapping>
>>
>>     <servlet-mapping>
>>         <servlet-name>dwr-invoker</servlet-name>
>>         <url-pattern>/dwr/*</url-pattern>
>>     </servlet-mapping>
>> ...
>>
>> And my controller has the following lines of code:
>>
>>         @Override
>>         protected void doGet(HttpServletRequest req, HttpServletResponse resp)
>>                         throws ServletException, IOException {
>>
>>                 // forbidden
>>                 resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
>>                 //resp.getWriter().close();
>>                 return;
>>
>>         }
>>
>>         @Override
>>         protected void doPost(HttpServletRequest req, HttpServletResponse resp)
>>                         throws ServletException, IOException {
>>
>>                 // forbidden
>>                 resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
>>                 //resp.getWriter().close();
>>                 // super.doPost() is not called: HttpServlet's default
>>                 // implementation sends its own error and would replace the 403
>>                 return;
>>         }
>>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
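
Added example, not part of the original thread: a sketch of the filter approach suggested above, using the `javax.servlet` API (`jakarta.servlet` on Tomcat 10 and later). The class name `BannedExtensionFilter` and the extension list are assumptions made for illustration. Because the filter is mapped to `/*`, it runs before any servlet is invoked, including one with a path mapping such as `/dwr/*`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// web.xml (names are assumptions):
//   <filter>
//     <filter-name>BannedExtensionFilter</filter-name>
//     <filter-class>BannedExtensionFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>BannedExtensionFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class BannedExtensionFilter implements Filter {
    // Constructed sample list; the thread names .bak and .java.
    private static final Set<String> BANNED =
            new HashSet<String>(Arrays.asList(".bak", ".java"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo is the container-decoded path, without the
        // query string or path parameters such as ;jsessionid=...
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (isBanned(path)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // stop here: the request never reaches a servlet or JSP
        }
        chain.doFilter(req, resp); // allowed: pass the request along the chain
    }

    // Compares the last path segment's extension case-insensitively, so
    // File.JAVA is treated the same as file.java.
    static boolean isBanned(String path) {
        String name = path.substring(path.lastIndexOf('/') + 1).toLowerCase(Locale.ROOT);
        int dot = name.lastIndexOf('.');
        return dot >= 0 && BANNED.contains(name.substring(dot));
    }
}
```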

