> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
> Subject: Re: tomcat Webapp security.
>
> Ugh. What about re-mapping the jsp-servlet to only process
> things in a subdir?

Might work, but I haven't looked at the code to see if the JspServlet can handle the prefix in the <url-pattern>; would need testing to make sure it doesn't suffer from the same restriction as the DefaultServlet.

However, there might be another way. This is the code in DefaultServlet.java that decides what path to use:

    protected String getRelativePath(HttpServletRequest request) {

        // Are we being processed by a RequestDispatcher.include()?
        if (request.getAttribute(Globals.INCLUDE_REQUEST_URI_ATTR) != null) {
            String result = (String) request.getAttribute(
                                        Globals.INCLUDE_PATH_INFO_ATTR);
            if (result == null)
                result = (String) request.getAttribute(
                                        Globals.INCLUDE_SERVLET_PATH_ATTR);
            if ((result == null) || (result.equals("")))
                result = "/";
            return (result);
        }

        // No, extract the desired path directly from the request
        String result = request.getPathInfo();
        if (result == null) {
            result = request.getServletPath();
        }
        if ((result == null) || (result.equals(""))) {
            result = "/";
        }
        return (result);

    }

Perhaps a filter or valve could be used to set the INCLUDE_REQUEST_URI_ATTR and INCLUDE_PATH_INFO_ATTR attributes in the request. (These are documented in section 8.4.2 of the servlet spec.) The INCLUDE_PATH_INFO_ATTR would have to contain the concatenation of the servlet path and the extra path info, rather than just the extra path info as it normally does. This would allow the default servlet to function with any <url-pattern> desired, as long as the filter processed the request first. Haven't tried it, so there might be something that precludes this from working.

I think what would be best is to get the DefaultServlet changed so it includes both getServletPath() and getPathInfo() in its result string, rather than just one or the other. That would simplify this situation, and I believe would be compatible with current operation.

Note that mapping the DefaultServlet to patterns other than "/" has been discussed several times in the past few months.

 - Chuck
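
The following is an added example, not part of the message above and not Tomcat code. It models how the servlet spec splits a request path into servlet path and path info for a given <url-pattern>, then compares the non-include branch of the quoted getRelativePath() with the change suggested in the message. The names Req, map, current and proposed and the sample paths are made up for illustration; it assumes Java 16 or later.

```java
import java.util.Objects;

public class RelativePathDemo {
    // Minimal stand-in for the two request values getRelativePath() reads.
    record Req(String servletPath, String pathInfo) {}

    // Split a context-relative path as the servlet spec does for one <url-pattern>.
    static Req map(String pattern, String path) {
        if (pattern.endsWith("/*")) {                 // path mapping, e.g. /static/*
            String prefix = pattern.substring(0, pattern.length() - 2);
            if (path.equals(prefix)) return new Req(prefix, null);
            if (path.startsWith(prefix + "/"))
                return new Req(prefix, path.substring(prefix.length()));
            throw new IllegalArgumentException(path + " does not match " + pattern);
        }
        return new Req(path, null);   // default "/", exact and extension mappings
    }

    // Non-include branch of the DefaultServlet code quoted in the message.
    static String current(Req r) {
        String result = r.pathInfo();
        if (result == null) result = r.servletPath();
        if (result == null || result.isEmpty()) result = "/";
        return result;
    }

    // The suggested change: servlet path followed by the extra path info.
    static String proposed(Req r) {
        String result = Objects.toString(r.servletPath(), "")
                      + Objects.toString(r.pathInfo(), "");
        return result.isEmpty() ? "/" : result;
    }

    public static void main(String[] args) {
        String[][] cases = {          // constructed mappings and request paths
            {"/", "/images/logo.png"},
            {"*.css", "/css/site.css"},
            {"/static/*", "/static/images/logo.png"},
            {"/static/*", "/static"},
            {"/*", "/images/logo.png"},
        };
        for (String[] c : cases) {
            Req r = map(c[0], c[1]);
            System.out.printf("%-10s %-26s current=%-18s proposed=%s%n",
                    c[0], c[1], current(r), proposed(r));
        }
    }
}
```

In this model the two methods differ only for the "/static/*" mapping with extra path info, where the current logic resolves the resource without the "/static" prefix; for the "/", extension and "/*" mappings they return the same path.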