Access from internet the web.xml file of an application - security

Is it possible for someone to access or view the web.xml file of a web application over the internet, using something like the wget tool? I'm asking for security reasons like username

By specification, it is not possible to directly access /WEB-INF (and /META-INF) contents by a public URL. Here are extracts of relevance from the aforelinked specification:
10.5 Directory structure
...
Also, except for the case where static resources are packaged in JAR files, any requests from the client to access the resources in WEB-INF/ directory must be returned with a SC_NOT_FOUND(404) response.
10.6 Web Application Archive File
...
Also, any requests to access the resources in META-INF directory must be returned with a SC_NOT_FOUND(404) response.
However, there have been implementations, configurations and even homegrown servlets or filters which introduced a security bug making this possible. All those security issues boil down to a RequestDispatcher#forward() or even RequestDispatcher#include() (so watch out with dynamic <jsp:include>!) call forwarding or including a resource which is specified by a client-controlled request path or parameter, if necessary making use of path traversal with ../.
Here's the simplest example of such a servlet exposing the security issue:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Deliberately vulnerable: the forward target is taken verbatim from the client-controlled path info.
@WebServlet("/test/*")
public class TestServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        request.getRequestDispatcher(request.getPathInfo()).forward(request, response);
    }
}
On Tomcat (tested with 8.0.21), you can with the above servlet get the web.xml contents by just calling http://localhost:8080/context/test/WEB-INF/web.xml. Such a servlet is often implemented as part of a homegrown MVC front controller or dispatcher pattern. Decent MVC frameworks like JSF and Spring MVC shouldn't have this issue.
And, some users configure an MVC front controller on a "catch-all" URL pattern of /* or even /, and then re-map the static resources like CSS/JS/images on /static/* to the container's default servlet like so:
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/static/*</url-pattern>
</servlet-mapping>
On older Tomcat versions (before 7.0.4), the end user can get /WEB-INF (and /META-INF) contents through such a mapping. This problem was mentioned previously in this Q&A: Tomcat serving static content. Actually, this mapping approach is wrong and should have been solved with help of a filter as described in this answer: How to access static resources when mapping a global front controller servlet on /*. See also Tomcat issue 50026.
Summarized: by default it's not possible. But (bad) code and configuration can make this possible.
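A hardened counterpart of the TestServlet shown above, added here as an example and not part of the original answer: the client chooses a view name that is checked against an allow-list, and the forward path is built server-side. The /safe/* mapping, the /WEB-INF/views/ layout and the view names are assumptions for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original answer): a front controller whose forward target is never
// taken from the request. The client picks a view *name*; the servlet resolves it to a fixed path.
@WebServlet("/safe/*")
public class SafeFrontController extends HttpServlet {

    // Assumed layout: JSPs live under /WEB-INF/views/, so the container never serves them directly.
    private static final Set<String> VIEWS =
            new HashSet<>(Arrays.asList("home", "about", "contact"));

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String view = viewNameFor(request.getPathInfo());
        if (view == null) {
            // Same 404 the spec mandates for direct WEB-INF requests: unknown names reveal nothing.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        request.getRequestDispatcher("/WEB-INF/views/" + view + ".jsp").forward(request, response);
    }

    // "/home" -> "home". Path info is already URL-decoded by the container, so any slash, dot or
    // other separator (including "../" and "/WEB-INF/...") fails the character check before the
    // allow-list is even consulted; only bare names that are on the list are returned.
    static String viewNameFor(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        String name = pathInfo.substring(1);
        if (!name.matches("[A-Za-z0-9_-]+")) {
            return null;
        }
        return VIEWS.contains(name) ? name : null;
    }
}
```

The same rule applies to RequestDispatcher#include() and dynamic <jsp:include>: resolve an allow-listed key to a path, never pass a client-supplied string to the dispatcher.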

Related

How to use FullAjaxExceptionHandler with Spring Boot error page declarations?

How can we do this when using OmniFaces in the case of Spring Boot apps, where the error pages declaration is made in the EmbeddedServletContainerCustomizer class?
import javax.faces.view.facelets.FaceletException;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.ErrorPage;
import org.springframework.boot.context.embedded.MimeMappings;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;

// Spring Boot 1.x customizer (package names as of 1.3): registers font MIME types and JSF error pages.
@Component
public class ContainerCustomizer implements EmbeddedServletContainerCustomizer {
    @Override
    public void customize(ConfigurableEmbeddedServletContainer container) {
        MimeMappings mappings = new MimeMappings(MimeMappings.DEFAULT);
        mappings.add("eot", "application/vnd.ms-fontobject");
        mappings.add("ttf", "application/x-font-ttf");
        mappings.add("woff", "application/x-font-woff");
        mappings.add("woff2", "application/x-font-woff2");
        container.setMimeMappings(mappings);
        container.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error.xhtml"));
        container.addErrorPages(new ErrorPage(FaceletException.class, "/error.xhtml"));
        container.addErrorPages(new ErrorPage(Throwable.class, "/error.xhtml"));
    }
}
I have analyzed findErrorPageLocation and it uses WebXml that parses web.xml files.
The Servlet API in its current version does not support programmatically defining and obtaining error pages. That's why OmniFaces had to manually parse web.xml.
OmniFaces does not and will not support Spring specific APIs. I recommend to just keep using web.xml for error page configuration so that non-Spring libraries will be able to share them.

PrimeFaces 6 FileUploadFilter configuration with Spring Boot embedded Jetty

org.primefaces.webapp.filter.FileUploadFilter does not get registered in my application, unless I define FileUploadFilter explicitly in my Spring configuration like:
@Bean
FileUploadFilter fileUploadFilter() {
    return new FileUploadFilter();
}
Referring to this question:
If you're however not using JSF 2.2 yet and you can't upgrade it (should be effortless when already on a Servlet 3.0 compatible container), then you need to manually register the below PrimeFaces file upload filter in web.xml (it will parse the multi part request and fill the regular request parameter map so that FacesServlet can continue working as usual)
Conversely I have javax.faces in my classpath: org.glassfish:javax.faces:jar:2.2.13:compile. (and mojarra impl)
Should we go manually with this? Or else it can not be detected and registered automatically, and we have to register a manual configuration to joinfaces?
UPDATE: Actually this is not directly relevant to the registration of FileUploadFilter. Embedded Jetty in Spring Boot does not pick up annotated configurations, an example of which is FacesServlet, which has a @MultipartConfig annotation. I have opened an issue to spring-boot for that:
https://github.com/spring-projects/spring-boot/issues/6681
https://github.com/spring-projects/spring-boot/issues/6680 will fix the issue. WebServletHandler will pick up @MultipartConfig annotated classes.

Prevent remote access of a web page

Is it possible to prevent remote access of a web page?
Let's say I have my page1 (home page) which is obviously accessible anywhere via its url. Then I have page2 (admin page) which I would only like to be accessible from the machine where my web application is deployed.
This may sound like this kind of scenario. Only, instead of the admin console, page2 should not be accessible remotely.
Please be more precise: what are you using?
I assume that you don't use any framework, so you have only servlets and .jsp pages.
First, put your adminpage.jsp in the WEB-INF folder. Content of this folder is not visible outside of your application (without your permission).
Second, create a filter that will intercept your requests to servlets (try to use servlets for all requests, don't use direct links to .jsp pages, because this is the only way to add some security. These servlets should be like controllers in MVC). To create a Filter you need to add a class that implements the interface Filter
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class MyFilter implements Filter {
    public void init(FilterConfig filterConfig) {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain)
            throws IOException, ServletException {
        // Only let the request through when it originates from the server itself.
        if (request.getRemoteAddr().equals("your server address")) {
            filterChain.doFilter(request, response);
        } else {
            // Reject everything else instead of silently returning an empty response.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {}
}
You see, if the IP address is equal to your server address, this request will proceed further. The Filter interface has two more methods, init() and destroy(), and you can leave them blank. To connect your filter with your servlet, add the following to your web.xml.
<filter>
<filter-name>myFilter</filter-name>
<filter-class>fullPackagePath.MyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/url-to-the-admin-panel-servlet</url-pattern>
</filter-mapping>
Of course you need to have a servlet with a url that will forward to the admin.jsp page.
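A variant of the filter above, added here as an example and not taken from the original answer, that compares the peer address as an address rather than as a string (so both 127.0.0.1 and ::1 are recognised) and notes the caveat a practitioner will hit: getRemoteAddr() is the TCP peer, so behind a reverse proxy it is the proxy's address. The /admin/* mapping and the class name are assumptions for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the answer above): restrict the admin servlet to local-only callers.
// Assumed mapping /admin/*; the admin JSP sits under /WEB-INF so it is reachable only via the servlet.
@WebFilter("/admin/*")
public class LocalOnlyFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isLocalCaller(request.getRemoteAddr())) {
            chain.doFilter(request, response);
        } else {
            // Deny with 404 rather than 403 so the admin URL does not advertise its existence.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    // Accepts 127.0.0.1, ::1 and the IPv4-mapped ::ffff:127.0.0.1 form; a plain string compare
    // against "127.0.0.1" would miss IPv6 loopback. getByName() on an IP literal does no DNS lookup.
    // Caveat: behind a reverse proxy the peer is the proxy, so this check only works when the
    // container terminates the connection itself (or with a trusted RemoteIpFilter in front).
    static boolean isLocalCaller(String remoteAddr) {
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void destroy() {}
}
```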

Spring Boot - Override index page from webjar

In my project I use the swagger-ui library which has an index.html file in the root of the class path. In this way this index.html becomes the start page of my app when I hit the root url like /.
But I want to use my custom Groovy template index.tpl from the resources/templates folder of my Boot project. When I try this approach the application still displays index.html from the Swagger-UI JAR file.
How to override index page from jar with custom one from project?
UPD: The approach below doesn't work for me. It returns a 404 error. Then I add the @EnableWebMvc annotation and now Spring can't find my Groovy Template. I have all necessary dependencies in my classpath for Groovy Template and they are turned on in the properties file. Seems like Spring can't resolve Groovy Template at all.
Spring Boot's WebMvcAutoConfigurationAdapter registers the forward from "/" to "/index.html" by default (in method addStaticIndexHtmlViewControllers). Therefore you have to register the view under the path "/index.html".
This can be done with @RequestMapping("/index.html") on the controller or with:
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Register the "index" view under the path Boot forwards "/" to.
        registry.addViewController("/index.html").setViewName("index");
    }
}
Another option would be to override WebMvcAutoConfigurationAdapter and disable WebMvcAutoConfiguration.

Why does my FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal() code run into a NullPointer?

I have a stateless bean which has a method, where I want to get the current/logged user.
My code to get it:
Principal p1 = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
But I am getting a NullPointerException on this. Why is that?
Or is there any other way to get the logged user?
I am using WebLogic.
You're not supposed to grab the FacesContext in an EJB. Even more, your EJBs should be completely free from any JSF dependencies. In other words, you should not have any code imported from javax.faces.* package inside your EJBs. Your EJBs should be designed that way that they are reusable across all different front-ends you can think of such as JSF, JAX-RS, Struts, Spring-MVC and even "plain vanilla" Servlets.
If you're using container managed security or a security framework like Apache Shiro, then you're supposed to use the API-provided facilities for that. In case of "plain vanilla" container managed security (JAAS via web.xml and so on), you're supposed to obtain it from SessionContext (which is rightfully from javax.ejb package) which can be injected as @Resource.
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;

// Inside any EJB (e.g. a @Stateless bean) the container injects SessionContext; no JSF dependency needed.
public class UserAwareBean {
    @Resource
    private SessionContext context;
    public void doSomething() {
        Principal principal = context.getCallerPrincipal();
        // ...
    }
}
An alternative would be to pass the JPA entity representation of the logged-in user as method argument.
Verify the import of the following library:
javax.faces.bean.SessionScoped;
Try again
