tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kim <...@aerodrive.com>
Subject Re: restrict per user public_html to serve static files only...
Date Wed, 27 Jun 2012 14:15:06 GMT
Hi, Kolinko
Really thanks. Yes, I have hunt down to UserConfig in the source tree
on Tomcat and can modify UserConfig.java to skip those user context if
there exists a /WEB-INF/web.xml in their public_html directory.
And I can also insert a Valve filter to skip those URL  with jsp extension ...
But I do think it's very clumsy solution and I'm looking for a more
elegant solution in that for a per-user web application the only
serlvet that can be invoked is the "DefaultServlet" that serve static
files only..
Regards,
Kim

> For reference, "User Web Applications" feature is implemented via a
> Listener, o.a.catalina.startup.UserConfig which enumerates users and
> deploys their web applications.  Documentation is in
> config/listeners.html and config/host.html.
>
> Currently it creates web application for each user when Tomcat starts.
> Probably it could be improved to perform such deployment once in a
> while on Lifecycle.PERIODIC_EVENT.
>
>
> First,
> you need to prevent not only jsps, but servlets as well.
>
> I think I would create my own UserConfig listener so that it would
> skip directories
> that have WEB-INF and META-INF directories in them.
>
> Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
> fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
> to be sure; maybe it could be used to reconfigure logging).
>
> There should not be META-INF/context.xml file. (Though as far as I
> remember when an application is deployed via UserConfig the
> context.xml file is ignored).
>
>
> Second,
> Processing of Jsp files can be enabled though two constructs
> a) explicit mapping of JspServlet, like it is done in conf/web.xml
> b) implicitly by using <jsp-property-group> with url pattern that
> patches the file.
>
> I think that removing JspServlet mappings from global conf/web.xml
> will disable JSP processing for you.
>
>
>
>
> 2012/6/27 André Warnier <aw@ice-sa.com>:
>>
>> Have a look first at the file (catalina_home)/conf/catalina.policy, section
>> "WEB APPLICATION PERMISSIONS".
>> It seems to me that by not granting those permissions (other than to your
>> own webapps), you can greatly restrict what users can do.
>>
>
> Note that regardless of contents of conf/catalina.policy every web
> application is granted permission to load its own classes and write to
> its own temporary directory. The servlet spec requires it.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message