what is the .do extension?

 
Stephen Huey
Ranch Hand
Posts: 618
On several websites that I believe to be J2EE-powered, I see that the "page extension" in the address bar is .do (as in contact.do or mailbox.do instead of contact.html or contact.jsp). I assume that this is the name mapped to a servlet or something like that, but I'm wondering where this standard naming of .do on the end comes from. At first, I wondered if it stood for something, but now I'm actually thinking it could actually mean the word "do"! Please excuse my ignorance, but this question really is bugging me.
 
Peter den Haan
author
Ranch Hand
Posts: 3252
It might be any of a number of things, but the ".do" extension is a popular mapping for the Struts ActionServlet. Personally, I don't like that; you won't believe what most sites are giving away about their underlying technology and thereby possible modes of attack. Best stick to an .html mapping (path mapping, possibly), never let a stack trace seep out, and leave black hats guessing.

- Peter
 
Stephen Huey
Ranch Hand
Posts: 618
So, you would not even have a .jsp extension? Or do you not use JSP too much?
 
Peter den Haan
author
Ranch Hand
Posts: 3252
These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings. No reason to give anyone a clue that it's a Java-powered site (beyond the fact that it's fast and bug-free of course)

- Peter
 
Stephen Huey
Ranch Hand
Posts: 618
Hope I'm not bugging you too much, but I've got a really quick question that's sure to betray some ignorance on my part: you can use JSPs without showing a .jsp extension? How? Or is there some way to tell J2EE/Tomcat that the .html file is a JSP and should be compiled?
 
David Hibbs
Ranch Hand
Posts: 374
Originally posted by Peter den Haan:
These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings. No reason to give anyone a clue that it's a Java-powered site (beyond the fact that it's fast and bug-free of course)

- Peter


It's a nice thought, but there are any number of ways to query a web server to see what it's running. A recent job applicant sent me a list of what our servers were running (show off!) in order to tie it to his resume. So while changing the extension might hide what is a JSP vs. what is a flat file or what is Struts vs a plain JSP, it doesn't help much.

For a while, I used .dhtml to identify Tiles pages, but gave up in order to promote ease of maintaining the site. When I was asked to help with apps that I'd written a year ago, I had a hard time guessing--which was a hassle. Now, if you see a .html extension, you can find a .html file.
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Originally posted by David Hibbs:
It's a nice thought, but there are any number of ways to query a web server to see what it's running.
And well-defended (security-sensitive) sites do routinely obscure the platform they're running on, often deliberately masquerading as a different platform or version - sometimes combined with code detecting attacks against known vulnerabilities of the masqueraded software. It won't fool a true expert but it'll catch out most.

But that's the exception, and goes way beyond the point I was trying to make. When you are using a "*.do" mapping, you're basically broadcasting "I am using Struts". That's way more information than you need to give out, information that might be extremely useful to an attacker. Avoid it - at the very least you can choose a different extension to map to!

We tend to use path mapping instead of extension mapping, which makes it really easy to know for a developer whether a *.html file is an *.html file or a controller. But it's not really important to use *.html - it won't fool anyone into thinking the site is actually static anyway.

- Peter
[ June 02, 2004: Message edited by: Peter den Haan ]
 
Ken Robinson
Ranch Hand
Posts: 101
Originally posted by Peter den Haan:
It might be any of a number of things, but the ".do" extension is a popular mapping for the Struts ActionServlet. Personally, I don't like that; you won't believe what most sites are giving away about their underlying technology and thereby possible modes of attack. Best stick to an .html mapping (path mapping, possibly), never let a stack trace seep out, and leave black hats guessing.

- Peter


I totally agree with hiding the technology under the covers for a number of reasons.

When the container allows it, I like to put the JSPs in a directory under WEB-INF to avoid the user requesting a JSP directly. Tomcat allows the RequestDispatcher to hit JSPs in WEB-INF without allowing the user access, while other app servers do not allow RequestDispatcher to do this.
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Originally posted by Karelicek Huey:
Hope I'm not bugging you too much, but I've got a really quick question that's sure to betray some ignorance on my part: you can use JSPs without showing a .jsp extension? How? Or is there some way to tell J2EE/Tomcat that the .html file is a JSP and should be compiled?
You can (by mapping *.html to the JSP servlet), but I wouldn't recommend it.

When you are strictly using an MVC architecture, your .jsps will never be accessed directly (many store them under /WEB-INF/jsp/ or similar to make them totally inaccessible even to those who know/can guess the location). Requests go to a controller, the controller performs the processing and then forwards the request to a .jsp or other view for response rendering.

The externally visible URLs are the locations that your controller is mapped to. In the case of Struts, everything that ends in ".do" is typically mapped to the controller. So "/viewArticle.do?id=123" might map to the controller, which will delegate to an action class (for example, ViewArticleAction.class) that loads up article 123 from the database. Then the request is forwarded to a jsp (/viewArticle.jsp, perhaps) which takes care of the HTML rendering. The browser is quite unaware of the process, so all you see is that you're requesting "/viewArticle.do?id=123" and the server is returning the appropriate HTML.

- Peter
[ June 02, 2004: Message edited by: Peter den Haan ]
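
The mapping choices discussed in this thread, shown as an added example (not part of any poster's message and not taken from any site mentioned): a Servlet 2.4 `web.xml` that maps the Struts controller by path rather than `*.do`, serves a generic page instead of a stack trace, and denies direct requests for `.jsp` files on containers that will not forward into `/WEB-INF`. The servlet name, the `/app/*` prefix and `/error.html` are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (constructed). Servlet name, /app/* and /error.html are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Extension mapping that advertises Struts:
         <url-pattern>*.do</url-pattern>
       Path mapping instead: /app/viewArticle?id=123 reaches the controller,
       and any *.html file on disk is still a plain static file. -->
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- Generic responses so that no stack trace or container error page
       reaches the client. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- For containers that will not forward into /WEB-INF: deny direct client
       requests for *.jsp. An auth-constraint with no role-name denies everyone;
       RequestDispatcher forwards from the controller are not subject to it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>views</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Where the container does allow it, keeping the views under `/WEB-INF/jsp/` as described above makes the security constraint redundant.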
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64715
These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings.


Just a heads-up on this. At a previous job we did this as well and started getting bizarre bugs where one user's data would start showing up when another hit the app.

Turns out some helpful server along the way (thanks AOL!) was caching the pages since it "knew" that .html pages were static. We changed the mapping to .page and all was well again.
 