Jsp Source Code Disclosure

Goldie Fernandes

Joined: Mar 22, 2002
Posts: 3
Was going through some security sites and realized that it is possible to obtain the source of a JSP page.
It is said that in some Tomcat implementations, if instead of the trailing "p" in .jsp you use "%70" (the char for 'p'), the server incorrectly recognizes this as a request for a non-.jsp file and pumps the file out to the client. I tried the above in Tomcat 3.3 on a WinMe platform and a Sun Solaris ver 5 platform, and it DIDN'T show the source code.
The above is described at
What I was worried about is that I had passwords to the MySQL database in the .jsp file(s) itself. After reading about this security issue, I have since removed them from the file(s).
Are there any other ways by which one may view the source of a .jsp file?

Web and Database Designer for the Factoids Program, Computing and Media Services, Syracuse University
Anthony Villanueva
Ranch Hand

Joined: Mar 22, 2002
Posts: 1055
I suppose these bugs are server-dependent so I would suggest you precompile your JSPs before deploying them to your production server.
Michael Yuan
Ranch Hand

Joined: Mar 07, 2002
Posts: 1427
You should not have database passwords hardcoded in JSP pages. You can embed the password in database access JavaBeans, which are compiled and located under WEB-INF/ (not accessible from the web server).
You should also configure your database so that it only accepts connections with that password from your trusted server domains.

Seam Framework:
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

"Goldie TheDude",
The Java Ranch has thousands of visitors every week, many with surprisingly similar names. To avoid confusion we have a naming convention, described at
We require names to have at least two words, separated by a space, and strongly recommend that you use your full real name. Please edit your profile and select a new name which meets the requirements.
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
1) How to distribute .class files only for JSPs is explained quite clearly in the JSP specs, Appendix A.
2) That does not address your problem with passwords. Coded 'in clear' in the .jsp, they will also be in clear in the generated .java and the .class files.
3) I think you have a design problem.
Regards, Guy
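One way to resolve the design problem Guy and Michael describe is to keep the credentials out of the JSP, the generated .java and the .class file altogether, and read them at runtime from a file under WEB-INF that the container never serves. The following is an added example, not code from the thread; the file name /WEB-INF/db.properties, the property keys and the javax.servlet API are assumptions.

```java
// Added example: a helper that loads database credentials at runtime from
// /WEB-INF/db.properties (assumed path) via the ServletContext, so no
// password string ends up in any JSP, generated .java or compiled .class.
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.servlet.ServletContext;

public final class DbConnectionFactory {
    // Only this path is baked into the class file, never the secret itself.
    private static final String CONFIG = "/WEB-INF/db.properties"; // assumed
    private static final String[] REQUIRED = {"db.url", "db.user", "db.password"};
    private final Properties props = new Properties();

    public DbConnectionFactory(ServletContext ctx) throws IOException {
        // getResourceAsStream resolves inside the webapp, so the file can sit
        // under WEB-INF, which no request URL (encoded or not) maps to.
        try (InputStream in = ctx.getResourceAsStream(CONFIG)) {
            if (in == null) {
                throw new IOException("missing " + CONFIG);
            }
            props.load(in);
        }
        // Fail at startup rather than at first query if the file is incomplete.
        for (String key : REQUIRED) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing property " + key + " in " + CONFIG);
            }
        }
    }

    public Connection open() throws SQLException {
        return DriverManager.getConnection(
            props.getProperty("db.url"),
            props.getProperty("db.user"),
            props.getProperty("db.password"));
    }
}
```

A JSP or servlet would obtain it once with `new DbConnectionFactory(application)` (the implicit ServletContext) and keep it in application scope; the properties file should be readable only by the account the container runs as.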
I agree. Here's the link: