aspose file tools*
The moose likes Servlets and the fly likes what is the .do extension? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "what is the .do extension?" Watch "what is the .do extension?" New topic
Author

what is the .do extension?

Stephen Huey
Ranch Hand

Joined: Jul 15, 2003
Posts: 618
On several websites that I believe to be J2EE-powered, I see that the "page extension" in the address bar is .do (as in contact.do or mailbox.do instead of contact.html or contact.jsp). I assume that this is the name mapped to a servlet or something like that, but I'm wondering where this standard naming of .do on the end comes from. At first, I wondered if it stood for something, but now I'm actually thinking it could actually mean the word "do"! Please excuse my ignorance, but this question really is bugging me.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
It might be any of a number of things, but the ".do" extension is a popular mapping for the Struts ActionServlet. Personally, I don't like that; you won't believe what most sites are giving away about their underlying technology and thereby possible modes of attack. Best stick to an .html mapping (path mapping, possibly), never let a stack trace seep out, and leave black hats guessing.

- Peter
Stephen Huey
Ranch Hand

Joined: Jul 15, 2003
Posts: 618
So, you would not even have a .jsp extension? Or do you not use JSP too much?
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings. No reason to give anyone a clue that it's a Java-powered site (beyond the fact that it's fast and bug-free of course )

- Peter
Stephen Huey
Ranch Hand

Joined: Jul 15, 2003
Posts: 618
Hope I'm not bugging you too much, but I've got a really quick question that's sure to betray some ignorance on my part: you can use JSPs without showing a .jsp extension? How? Or is there some way to tell J2EE/Tomcat that the .html file is a JSP and should be compiled?
David Hibbs
Ranch Hand

Joined: Dec 19, 2002
Posts: 374
Originally posted by Peter den Haan:
These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings. No reason to give anyone a clue that it's a Java-powered site (beyond the fact that it's fast and bug-free of course )

- Peter


It's a nice thought, but there are any number of ways to query a web server to see what it's running. A recent job applicant sent me a list of what our servers were running (show off!) in order to tie it to his resume. So while changing the extension might hide what is a JSP vs. what is a flat file or what is struts vs a plain JSP, it doesn't help much.

For a while, I used .dhtml to identify tiles pages, but gave up in order to promote ease of maintaining the site. When I was asked to help with apps that I'd written a year ago, I had a hard time guessing--which was a hassle. Now, if you see a .html extension, you can find a .html file.


"Write beautiful code; then profile that beautiful code and make little bits of it uglier but faster." --The JavaPerformanceTuning.com team, Newsletter 039.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by David Hibbs:
It's a nice thought, but there are any number of ways to query a web server to see what it's running.
And well-defended (security-sensitive) sites do routinely obscure the platform they're running on, often deliberately masquerading as a different platform or version - sometimes combined with code detecting attacks against known vulnerabilities of the masqueraded software. It won't fool a true expert but it'll catch out most.

But that's the exception, and goes way beyond the point I was trying to make. When you are using a "*.do" mapping, you're basically broadcasting "I am using Struts". That's way more information than you need to give out, information that might be extremely useful to an attacker. Avoid it - at the very least you can choose a different extension to map to!

We tend to use path mapping instead of extension mapping, which makes it really easy to know for a developer whether a *.html file is an *.html file or a controller. But it's not really important to use *.html - it won't fool anyone into thinking the site is actually static anyway.

- Peter
[ June 02, 2004: Message edited by: Peter den Haan ]
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
Originally posted by Peter den Haan:
It might be any of a number of things, but the ".do" extension is a popular mapping for the Struts ActionServlet. Personally, I don't like that; you won't believe what most sites are giving away about their underlying technology and thereby possible modes of attack. Best stick to an .html mapping (path mapping, possibly), never let a stack trace seep out, and leave black hats guessing.

- Peter


I totally agree with hiding the technology under the covers for a number of reasons.

When the container allows it I like to put the JSPs in a directory under WEB-INF to avoid the user requesting a JSP directly. Tomcat allows the RequestDispatcher to hit JSPs in WEB-INF without allowing the user access while other app servers do not allow RequestDispatcher to do this
.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by Karelicek Huey:
Hope I'm not bugging you too much, but I've got a really quick question that's sure to betray some ignorance on my part: you can use JSPs without showing a .jsp extension? How? Or is there some way to tell J2EE/Tomcat that the .html file is a JSP and should be compiled?
You can (by mapping *.html to the JSP servlet), but I wouldn't recommend it.

When you are strictly using an MVC architecture, your .jsps will never be accessed directly (many store them under /WEB-INF/jsp/ or similar to make them totally inaccessible even to those who know/can guess the location). Requests go to a controller, the controller performs the processing and then forwards the request to a .jsp or other view for response rendering.

The externally visible URLs are the locations that your controller is mapped to. In the case of Struts, everything that ends in ".do" is typically mapped to the controller. So "/viewArticle.do?id=123" might map to the controller, which will delegate to an action class (for example, ViewArticleAction.class) that loads up article 123 from the database. Then the request is forwarded to a jsp (/viewArticle.jsp, perhaps) which takes care of the HTML rendering. The browser is quite unaware of the process, so all you see is that you're requesting "/viewArticle.do?id=123" and the server is returning the appropriate HTML.

- Peter
[ June 02, 2004: Message edited by: Peter den Haan ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60992
    
  65

These days, on the stuff I'm involved in, there's no access to .jsps except through the controller, and the controllers use *.html mappings.


Just a head's up on this. At a previous job we did this as well and started getting bizarre bugs where one user's data whould start showing up when another hit the app.

Turns out some helpful server along the way (thanks AOL!) was caching the pages since it "knew" that .html pages were static. We changed the mapping to .page and all was well again.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: what is the .do extension?