portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Santiago Gala <sg...@hisitech.com>
Subject Re: Servlet 2.2 Spec. and serving files from the WEB-INF directory
Date Thu, 08 Mar 2001 11:26:51 GMT
David Sean Taylor wrote:

> Have you tried starting Catalina with the -security option?
> It doesn't get very far...
> I think Santiago has some experiences that he has documented on this list a
> few weeks back.
> It would be interesting if we get could Jetspeed running with the Security
> Manager.

I got Jetspeed running with security and tomcat 3.2.2dev (or 3.2.2beta1).

The policy that I posted here reflected the results I got (it was rather experimental, though)

This is somehow orthogonal to the issue of allowing servlet requests (jsp are translated into
one servlet each) to servlets withing WEB-INF. 

What they have clearly stated in tomcat docs (and it seems common sense, since the WEB-INF
contains classes and jars, and a war could be handled without expansion) is that a webapp
will have
 default read permission on this directory, and read-write permission only through the temp.dir
 (or work.dir) attribute, whatever I said there.

So, I enter this thread looking also from a default security point of view, and mixing things
(my speciality is to create confusion :)

>> I'm definitely +1 for moving the
>> templates
>> cache

+1, we write it.

>> logs

+1, the same reason.

Also we should think about the psml structure, as we need to write it.
we could check if it is in the "work" area, and create it there if
it was erased. The only problem is long term persistency, since
the work area can be cleared (it is called work in tomcat, after all).
We could differenciate the "default" development/demo war, and a serious
production site.

In the first case, we could use the work directory, and warn people to "don't
delete it unless you want to loose your custom settings. For the second case,
a DB, LDAP, ... based profiling engine should be advised.

Also, we are writing hsql DB inside WEB-INF... The same solution could be applied.

> The spec. seems to be open to interpretation.
> That said, it does explicity state "No file contained in the WEB-INF
> directory may be served directly to a client."
> A template does qualify as a file, does it not? Its not a 'static' file, but
> imo, we are asking for trouble.

Agreed. It is too fuzzy. We can not be certain of this. I think "directly" forbids
request dispatcher accepting WEB-INF files. Not other uses. But again, the way they 
choosed to enforce it can interfere with our code.

> I believe we should try to minimize the grey areas, and move 'cache' and
> 'templates' out of the WEB-INF directory.
> The 'logs' may need to be accessed by administrative users removely.

My idea of logs is that the best bet is to use a syslog type of facility. The
log4java people should take care of this problem for us :) Also, I think we can use the servlet
logging features of servlet engines. I think catalina already hooks into log4java.

For the "default" implementation, we could put them in the work area, and document
that users should move logs, when they go into production, to a more robust implementation,
using things like syslogd (or NT equivalent) remote logging, or plugging log into their favorite
app server scheme.

> Im trying to deploy Jetspeed on Weblogic 6.
> It deploys so easily, it was like a 'write once, deploy anywhere' dream.
> But again it fails to run. I have an open case with Weblogic.
> Im still waiting...same as it ever was

Keep us informed. What kind of problems?

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

View raw message