• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Source jsp code visible in apache

 
Ashutosh Uprety
Ranch Hand
Posts: 39
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
There seems to be a bug in Apache.
I am using apache+tomcat config on win95.
If I put a dot(".") after the name of the jsp in the browser location bar, then the whole code of my jsp is visible on the browser.
example:
if my jsp is "security.jsp" in abc directory, then if I type
"http://servername/abc/security.jsp." on the browser, the whole code of security.jsp is visible on the browser. How should I stop this. I am able to restrict access to the directory listing, but if anyone knows the full path, then the whole code is shown.
Can anyone suggest something to stop this.

[This message has been edited by Ashutosh Uprety (edited July 17, 2001).]
 
Wayne Hefner
Greenhorn
Posts: 13
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Add the following into your httpd.conf
<Files ~ "*.jsp.">
Order allow,deny
Deny from all
</Files>
 
Sreenivas Makala
Greenhorn
Posts: 4
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,
I got the same problem on weblogic once.
But I got this problem not when accessing the .jsp but when we navigate to the .jsp by clicking the browser back button.
Then what I have done is I have converted the html comments(we had a lot of then ) into java style comments <!-- --> into /* */ and mysteriously the problem dissappeared.Please try this one also just as an experiment and educate me on this...
Thanks in Advance,
Sreenivas Makala
------------------
 
Ashutosh Uprety
Ranch Hand
Posts: 39
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Wayne,
I have tried <Files>, <FileMatch>,<Limit>,<LimitExcept>... but nothing seems to work.
Either it is stopping the jsp itself, or it is showing the code.
What I can make out is that it is not parsing the "dot" properly, and is a bug in Apache, because things work properly with only tomcat.
Any more inputs will be welcome.
 
Ashutosh Uprety
Ranch Hand
Posts: 39
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Wayne,
Nothing seems to work. I used <Files>, <FileMatch> with <Limit>, <LimitExcept> tags , but the "dot" still plays havoc.
Things work fine when using only Tomcat, but with apache it is bombing
 
Raghavendra Holla
Ranch Hand
Posts: 58
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In Tomcat configuration file web.xml in directory <TOMCAT_HOME>/conf, try to change <servlet-mapping> tag. Try after changing <url-pattern> from *.jsp to *.jsp? or *.jsp*.
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic