aspose file tools*
The moose likes Servlets and the fly likes Source jsp code visible in apache Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Source jsp code visible in apache" Watch "Source jsp code visible in apache" New topic
Author

Source jsp code visible in apache

Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
There seems to be a bug in Apache.
I am using apache+tomcat config on win95.
If I put a dot(".") after the name of the jsp in the browser location bar, then the whole code of my jsp is visible on the browser.
example:
if my jsp is "security.jsp" in abc directory, then if I type
"http://servername/abc/security.jsp." on the browser, the whole code of security.jsp is visible on the browser. How should I stop this. I am able to restrict access to the directory listing, but if anyone knows the full path, then the whole code is shown.
Can anyone suggest something to stop this.

[This message has been edited by Ashutosh Uprety (edited July 17, 2001).]
Wayne Hefner
Greenhorn

Joined: Jul 13, 2001
Posts: 13
Add the following into your httpd.conf
<Files ~ "*.jsp.">
Order allow,deny
Deny from all
</Files>
Sreenivas Makala
Greenhorn

Joined: Jun 14, 2001
Posts: 4
Hi,
I got the same problem on weblogic once.
But I got this problem not when accessing the .jsp but when we navigate to the .jsp by clicking the browser back button.
Then what I have done is I have converted the html comments(we had a lot of then ) into java style comments <!-- --> into /* */ and mysteriously the problem dissappeared.Please try this one also just as an experiment and educate me on this...
Thanks in Advance,
Sreenivas Makala
------------------
Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
Hi Wayne,
I have tried <Files>, <FileMatch>,<Limit>,<LimitExcept>... but nothing seems to work.
Either it is stopping the jsp itself, or it is showing the code.
What I can make out is that it is not parsing the "dot" properly, and is a bug in Apache, because things work properly with only tomcat.
Any more inputs will be welcome.
Ashutosh Uprety
Ranch Hand

Joined: Nov 30, 2000
Posts: 39
Hi Wayne,
Nothing seems to work. I used <Files>, <FileMatch> with <Limit>, <LimitExcept> tags , but the "dot" still plays havoc.
Things work fine when using only Tomcat, but with apache it is bombing
Raghavendra Holla
Ranch Hand

Joined: Jun 02, 2000
Posts: 58
In Tomcat configuration file web.xml in directory <TOMCAT_HOME>/conf, try to change <servlet-mapping> tag. Try after changing <url-pattern> from *.jsp to *.jsp? or *.jsp*.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Source jsp code visible in apache