From: Christopher Schultz
To: users@tomcat.apache.org
Subject: Re: how to prevent user access to JSP pages?
Date: Mon, 20 Aug 2018 14:11:32 -0400
Message-ID: <72c32075-f198-5f8b-8ce9-73435abb2308@christopherschultz.net>
References: <3ae60d06-877b-ee31-fe7f-ebba6984f029@christopherschultz.net>

Terence,

On 8/18/18 10:39 PM, Terence M. Bandoian wrote:
> On 8/17/2018 8:52 AM, Christopher Schultz wrote:
>> Mark,
>>
>> On 8/17/18 3:54 AM, Mark Thomas wrote:
>>> On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
>>>> Due to security concerns and general fussiness on my part, I'd like to
>>>> prevent users from requesting JSP pages directly, except for the login
>>>> page. I want all requests to be handled by servlets. That way I can
>>>> legitimately claim that all requests are being validated, input
>>>> scrubbed, JSPs cannot be taken advantage of w/o their servlet
>>>> chaperones being present, etc.
>>>
>>> I'm struggling to understand what risks exist with JSPs that don't with
>>> Servlets. After all, a JSP is just an alternative way to write a
>>> Servlet. Tomcat translates the .jsp file to the .java source for a
>>> servlet, compiles it and runs it.
>>>
>>> Can you elaborate?
>>
>> JSP support for input validation, etc. is basically non-existent. I'm
>> sure someone has a crappy library that can do it, and yes, you can
>> implement everything in JSP using miles of tag libraries and stuff like
>> that, but in the application world, that's a serious no-no.
>>
>> MVC (or some version of it, under various names) is the "proper" way to
>> build software, and JSPs are relegated to the "V" portion of that
>> paradigm.
>>
>> Once you have decided that JSPs are squarely in the "V" category, it's
>> no longer appropriate for them to be treated as "C" components and
>> therefore they should not be accessed directly. Protecting them from
>> direct access is a reasonable decision for a number of reasons,
>> including security if you have pages that cough up sensitive
>> information under the assumption that authentication and authorization
>> requirements have previously been satisfied.
>>
>> Sure, the container's authentication and authorization should be able
>> to protect those JSPs just fine, but the application may have other
>> controls in place that also need to sanity-check things before the JSP
>> takes over.
>>
>> So, while there isn't anything particularly "dangerous" about direct
>> access to JSPs, there are a number of "best practices" that suggest
>> that hiding them is a good idea.
>>
>> I hope that helps explain Cris's (likely) reasoning a little more.
>>
>> -chris
>
> As far as I know, there is no input validation that can be performed in
> servlets that can't also be performed in JSP pages using the same Java
> code. Also, I'm not aware of any functional limitation that prevents JSP
> pages (classes) from being used as controllers. As I understand them,
> JSPs can do anything that can be done in servlets and offer additional
> facilities and ease-of-use. They may be thought of as view-generators
> only but I don't think that's a functional limitation.
>
> Could a servlet filter be used to reject external requests for JSP
> pages?

You are absolutely correct that (modulo a few edge cases), JSPs can do
anything servlets can do.
The issue is that they really should not do all of those things, and if
you don't agree, that's all well and good: you can put your JSP files
anywhere you want and allow direct access. But for those who wish to
implement a separation of concerns in their applications, hiding JSPs
behind a standard mechanism (i.e. /META-INF) is a reasonable course of
action.

My post was intended to give background for why anyone would want to do
this, not that everyone should do this because of some fundamental
problem with JSPs.

-chris
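As an added example (not code from the thread or from Tomcat), here is one way to implement the servlet filter Terence asks about: a filter mapped to `*.jsp` for the REQUEST dispatcher type only, so direct browser requests for a JSP are rejected while a controller servlet's `RequestDispatcher.forward()` (dispatcher type FORWARD) still reaches the page. The login page path `/login.jsp` and the `javax.servlet` API (Tomcat 7 through 9) are assumptions.

```java
import java.io.IOException;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

/**
 * Rejects direct client requests for *.jsp while leaving forwards from
 * servlets untouched. The mapping names DispatcherType.REQUEST only, so
 * a controller's RequestDispatcher.forward("/pages/foo.jsp") never passes
 * through this filter (forwards are dispatched as DispatcherType.FORWARD).
 */
@WebFilter(urlPatterns = "*.jsp", dispatcherTypes = DispatcherType.REQUEST)
public class DirectJspAccessFilter implements Filter {

    // Assumed name of the one JSP that may be requested directly.
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getServletPath() is context-relative and already decoded and
        // normalized by Tomcat, so the check does not depend on the
        // context path or on URL-encoding tricks in the raw request URI.
        if (isDirectAccessAllowed(req.getServletPath())) {
            chain.doFilter(request, response);
            return;
        }
        // Answer 404 rather than 403 so the response does not confirm
        // that a JSP with that name exists.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    // Only the login page may be fetched directly; every other *.jsp
    // must arrive via a forward from its controller servlet.
    static boolean isDirectAccessAllowed(String servletPath) {
        return LOGIN_PAGE.equals(servletPath);
    }

    @Override
    public void destroy() { }
}
```

The conventional alternative to a filter is to keep the JSP files under `WEB-INF/`, which the container never serves directly but which `RequestDispatcher.forward()` can still reach.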