On 14/10/2019 20:29, André Warnier (tomcat) wrote:
> From a long-time (occasional) list contributor:
> That's a nice post, in many ways, and a good way to get quick and useful
> answers.
> I only regret that my own knowledge is not sufficient to provide such an
> answer.
> (We regularly complain at people posting to this list, when their post
> is "not nice", so I thought we should also from time to time give kudos
> when it is).

+1

> On 14.10.2019 16:37, Robert Olofsson wrote:
>> Hi!
>>
>> Some background:
>> We are currently running tomcat (9.0.26) and we serve data to
>> both html/webapp and to our java application. The java application
>> uses a lot of the same jar files that our servlets use.
>>
>> We have had tomcat set up with two directories:
>> 1) webapps/<webapp>/WEB-INF/lib (as usual for servlet classes)
>> 2) webapps/<webapp>/clientdir/ (jar files for the java application).
>>
>> This means that we have a lot of duplication of jar files in these two
>> directories.
>>
>> We would like to have the duplicate files in only one place; sure,
>> disk space is cheap, but data transfer takes time. We thought that
>> having the jars in the clientdir would be nice.
>>
>> We have read the documentation for tomcat and found the resource handling
>> and it looks like we could possibly use something like:
>>
>> <Resources>
>>   <JarResources base="${catalina.base}/webapps/<webapp>/clientdir/"
>>                 className="org.apache.catalina.webresources.DirResourceSet"
>>                 webAppMount="/WEB-INF/lib" />
>> </Resources>
>>
>> We tested this lightly and things seem to work.
>>
>> Questions:
>> Is there any problem with this?

Generally, no. You've done it in what I'd consider to be the "safer" way by
exposing all the JARs visible to the client to the application's class loader
rather than the other way around.

If applications can upload files then, depending on how that is configured,
you might have opened a remote code execution vulnerability. But then, if
clients can upload arbitrary files into the web app you likely have an RCE
issue anyway (via an uploaded JSP) irrespective of how you handle JARs.

>> If so, do you know of any better way to accomplish this?

Depending on how early the classes in those JARs might be required, another
option would be to use a ServletContextListener to copy the files from the app
to the WEB-INF/lib directory. That would, arguably, be safer. You could specify
exactly which files to copy and, for extra security if required, validate the
JAR signature (if signed) or SHA512 hash, etc. before copying.

To be honest, I'm struggling to think of a scenario where this would be
necessary.

Mark
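A sketch of the ServletContextListener approach Mark describes, added here as an example and not code from the thread or from Tomcat: it copies only an explicit list of JARs from clientdir into WEB-INF/lib and refuses any file whose SHA-512 does not match the expected digest. The JAR names and digests are constructed placeholders; it assumes Servlet 4.0 (Tomcat 9, where contextDestroyed has a default) and Java 17 for HexFormat.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Map;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// On context start-up, copy an explicit allow-list of JARs from clientdir
// into WEB-INF/lib, refusing any file whose SHA-512 does not match.
@WebListener
public class ClientJarSyncListener implements ServletContextListener {
    // Constructed placeholder digests: take the real values from your build.
    private static final Map<String, String> EXPECTED_SHA512 = Map.of(
            "shared-model.jar", "<sha512-hex-of-shared-model.jar>",
            "shared-util.jar", "<sha512-hex-of-shared-util.jar>");

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Path root = Paths.get(sce.getServletContext().getRealPath("/"));
        try {
            syncJars(root.resolve("clientdir"), root.resolve("WEB-INF/lib"), EXPECTED_SHA512);
        } catch (IOException e) {
            // Fail the deployment rather than start with missing or tampered JARs.
            throw new IllegalStateException("client JAR sync failed", e);
        }
    }

    // Only names in the allow-list are considered; nothing else in src is touched.
    static void syncJars(Path src, Path dst, Map<String, String> expected) throws IOException {
        Files.createDirectories(dst);
        for (Map.Entry<String, String> e : expected.entrySet()) {
            Path jar = src.resolve(e.getKey());
            byte[] actual = sha512Hex(jar).getBytes();
            if (!MessageDigest.isEqual(actual, e.getValue().getBytes())) {
                throw new IOException("SHA-512 mismatch for " + e.getKey() + "; not copied");
            }
            Files.copy(jar, dst.resolve(e.getKey()), StandardCopyOption.REPLACE_EXISTING);
        }
    }

    static String sha512Hex(Path file) throws IOException {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            return HexFormat.of().formatHex(md.digest(Files.readAllBytes(file)));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-512 is mandatory in every JRE
        }
    }
}
```

Note that contextInitialized runs after Tomcat has already built the web application class loader from WEB-INF/lib, so JARs copied this way only become loadable on the next (re)deployment; that is the timing point Mark raises with "how early the classes in those JARs might be required".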