Jsp Source Code Disclosure

 
Greenhorn
Posts: 3
Was going through some security sites and realized that it is possible to obtain the source of a JSP page.
It is said that in some Tomcat implementations, if instead of the trailing "p" in .jsp you use "%70" (the char for 'p'), the server incorrectly recognizes this as a request for a non-.jsp file and pumps out the file onto the client. I tried the above in Tomcat 3.3 on a WinMe platform and a Sun Solaris ver 5 platform, and it DIDN'T show the source code.
The above is described at http://www.jadcentral.com/newscentral/feature.jsp?feature_ID=23
What I was worried about is that I had passwords to the MySQL database in the .jsp file(s) itself. After reading this security issue, I have since removed them from the file(s).
Are there any other ways by which one may view the source of a .jsp file?
 
Ranch Hand
Posts: 1055
Hi,
I suppose these bugs are server-dependent so I would suggest you precompile your JSPs before deploying them to your production server.
-anthony
 
author
Posts: 1436
You should not have database passwords hardcoded in JSP pages. You can embed the password in database access JavaBeans, which are compiled and located under WEB-INF/ (not accessible from the web server).
You should also configure your database so that it only accepts connections with that password from your trusted server domains.
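As an added example (not code from any poster on this thread), a small Python check that scans Tomcat-style access-log lines for the percent-encoded-extension requests described in the first post, and for direct requests into WEB-INF, which the reply above notes should never be served. The log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:15:01 +0000] "GET /login.jsp HTTP/1.0" 200 1834
10.0.0.7 - - [12/Mar/2002:10:15:09 +0000] "GET /login.js%70 HTTP/1.0" 200 2410
10.0.0.7 - - [12/Mar/2002:10:15:12 +0000] "GET /admin/db.JS%50 HTTP/1.0" 200 3001
10.0.0.9 - - [12/Mar/2002:10:16:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2002:10:16:05 +0000] "GET /WEB-INF/web.xml HTTP/1.0" 404 0
"""

# client, timestamp, method, request path, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def suspicious_jsp_requests(log_text):
    """Return (client, raw_path, status) for requests whose percent-decoded
    path targets a .jsp while the raw path hides the extension behind
    encoding (e.g. .js%70), or that reach into WEB-INF.  A 200 on such a
    request is the case to investigate: it means the container served
    the file instead of compiling it (or refusing the path)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        client, _ts, _method, raw_path, status = m.groups()
        decoded = unquote(raw_path).split("?", 1)[0]
        # Case-insensitive: Windows filesystems treat .JSP and .jsp alike.
        encoded_ext = (decoded.lower().endswith(".jsp")
                       and not raw_path.lower().endswith(".jsp"))
        web_inf = "/web-inf/" in decoded.lower()
        if encoded_ext or web_inf:
            hits.append((client, raw_path, int(status)))
    return hits


def served_source(log_text):
    """Only the hits the server answered with 200, i.e. likely disclosures."""
    return [h for h in suspicious_jsp_requests(log_text) if h[2] == 200]


if __name__ == "__main__":
    for hit in suspicious_jsp_requests(SAMPLE_LOG):
        print(hit)
```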
 
Rancher
Posts: 13459
"Goldie TheDude",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at http://www.javaranch.com/name.jsp.
We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please edit your profile and select a new name which meets the requirements.
Thanks.
Dave
 
Ranch Hand
Posts: 776
1) How to distribute .class files only for JSPs is explained quite clearly in the JSP specs, Appendix A.
2) That does not address your problem with passwords. Coded 'in clear' in the .jsp, they will also be in clear in the generated .java and .class files.
3) I think you have a design problem.
Regards, Guy