In HFSJ on page 47 it says that it might be possible to navigate directly to the servlet .class file and execute it. Is it true? If so, how would one set this up? I know that this is not the way to go for many reasons...
"might be possible to navigate directly to the servlet .class file and execute it. Is it true? If so, how would one set this up?"

Assuming we have mapped a servlet to "/TestServlet" in our web.xml, we can use either:
- getServletContext().getRequestDispatcher("/TestServlet") OR
- request.getRequestDispatcher("TestServlet") OR
- response.sendRedirect("/TestServlet") OR
- response.encodeRedirectURL("/TestServlet")
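As an added example (not code from the thread or from the HFSJ book), here are the four ways above written out as two servlets. It assumes a web.xml that maps com.example.TestServlet to /TestServlet and a hypothetical com.example.FrontServlet to /front; the class files sit under WEB-INF/classes, where the container loads them but never serves them to the client. Two caveats a practitioner runs into: a path handed to ServletContext.getRequestDispatcher must start with "/" and is relative to the context root, whereas ServletRequest.getRequestDispatcher also accepts a path relative to the current request; and sendRedirect("/TestServlet") is relative to the server root, not the context, so the context path has to be prepended. encodeRedirectURL only rewrites the URL (adding the session id when cookies are unavailable); it still has to be passed to sendRedirect.

```java
// File: WEB-INF/classes/com/example/TestServlet.java
// Assumed web.xml (constructed for this example, Servlet 2.5 style):
//   <servlet><servlet-name>TestServlet</servlet-name>
//            <servlet-class>com.example.TestServlet</servlet-class></servlet>
//   <servlet-mapping><servlet-name>TestServlet</servlet-name>
//            <url-pattern>/TestServlet</url-pattern></servlet-mapping>
//   (and FrontServlet mapped the same way to /front)
package com.example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** The target servlet. Only the container touches its .class file. */
public class TestServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        // On a forward the container rewrites the path methods to the target and
        // keeps the original under javax.servlet.forward.request_uri; on a
        // redirect the browser made a brand-new request, so that attribute is null.
        Object forwardedFrom = req.getAttribute("javax.servlet.forward.request_uri");
        resp.getWriter().println("TestServlet handled " + req.getRequestURI()
                + (forwardedFrom != null ? " (forwarded from " + forwardedFrom + ")" : ""));
    }
}
```

```java
// File: WEB-INF/classes/com/example/FrontServlet.java (hypothetical name, mapped to /front)
package com.example;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** ?via=context|request|redirect|encoded picks how /TestServlet is reached. */
public class FrontServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String via = req.getParameter("via");
        if (via == null) {
            via = "context";
        }
        String target = req.getContextPath() + "/TestServlet";

        if ("context".equals(via)) {
            // Context-relative path; must begin with "/". Same request, same response,
            // browser address bar still shows /myapp/front.
            RequestDispatcher rd = getServletContext().getRequestDispatcher("/TestServlet");
            rd.forward(req, resp);
        } else if ("request".equals(via)) {
            // Request-relative path: from /front, "TestServlet" resolves to /TestServlet.
            RequestDispatcher rd = req.getRequestDispatcher("TestServlet");
            rd.forward(req, resp);
        } else if ("redirect".equals(via)) {
            // A bare "/TestServlet" would be relative to the server root, so the
            // context path is prepended. The browser issues a second request.
            resp.sendRedirect(target);
        } else if ("encoded".equals(via)) {
            // encodeRedirectURL only rewrites the URL; sendRedirect still does the work.
            resp.sendRedirect(resp.encodeRedirectURL(target));
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown via=" + via);
        }
    }
}
```

With the first two forms the client only ever sees /front; with the last two it sees /TestServlet, which is the mapped URL, not a path to a .class file. In none of the four cases does the client get to the class file itself.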
"And what about security? Do you really want the client to know exactly how things are structured on your server? Do you want them to, say, attempt to navigate directly to the servlet without going through the right pages or forms? Because if the end-user can see the real path, she can type it into her browser and try to access it directly."
So what I have attempted to do is to copy the classes folder from WEB-INF into the root of the app and tried to access the class directly using its 'real path'. If I add the .class extension, the browser tries to download the servlet file. Without the extension, it gives me a 404...
Maybe this paragraph is just a hypothetical argument, and not possible in reality anyway.
Resources are ONLY available for direct access by the client in 2 ways:
1. ALL resources under the context folder, i.e.: /myapp/
2. ALL resources under a sub directory under the context folder, i.e.: /myapp/jsp/ or /myapp/classes/ or /myapp/any folder name/
Therefore if you copy the classes directory and paste it under the context folder you have now given clients direct access to your class files.
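The defensive check that follows from the two rules above, as an added example rather than anything posted in the thread: a hypothetical filter mapped to /* that answers 404 for any request whose path ends in .class or runs through a /classes/ directory. Anything left under WEB-INF is never served by the container anyway, so this is only a second layer for the case where someone has copied the classes directory into the context root by mistake; the real fix is to keep the classes under WEB-INF.

```java
// File: WEB-INF/classes/com/example/ClassFileGuardFilter.java
// Assumed web.xml entries (constructed for this example):
//   <filter><filter-name>classGuard</filter-name>
//           <filter-class>com.example.ClassFileGuardFilter</filter-class></filter>
//   <filter-mapping><filter-name>classGuard</filter-name>
//           <url-pattern>/*</url-pattern></filter-mapping>
package com.example;

import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Refuses direct requests for compiled classes that should live under WEB-INF. */
public class ClassFileGuardFilter implements Filter {
    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void destroy() {
        this.config = null;
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hresp = (HttpServletResponse) resp;

        // getServletPath()/getPathInfo() are already URL-decoded and context-relative,
        // e.g. /classes/com/example/TestServlet.class for /myapp/classes/com/example/TestServlet.class
        String path = hreq.getServletPath();
        if (hreq.getPathInfo() != null) {
            path = path + hreq.getPathInfo();
        }

        if (isClassResource(path)) {
            // Reply as if the file did not exist, and record the attempt in the container log
            config.getServletContext().log("classGuard: refused direct request for " + path
                    + " from " + hreq.getRemoteAddr());
            hresp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** True for /anything.class, /classes/..., and /sub/classes/... (case-insensitive). */
    static boolean isClassResource(String contextRelativePath) {
        String p = contextRelativePath.toLowerCase(Locale.ROOT);
        return p.endsWith(".class") || p.startsWith("/classes/") || p.contains("/classes/");
    }
}
```

A cheaper check that needs no code at all: list the exploded application directory after deployment and confirm that the only .class files are under WEB-INF/classes (and JARs under WEB-INF/lib). If the filter ever logs a refusal, that listing is the first thing to look at.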
posted 11 years ago
That is exactly why I copied the classes folder, to try to figure out what that paragraph from the HFSJ means...
That's not possible, but it is possible with an intermediate servlet, for example the InvokerServlet in Tomcat. It has been disabled by default since Tomcat 5.5 for security reasons, but it is still in its web.xml, although commented out. [ December 25, 2008: Message edited by: Bauke Scholtz ]
posted 11 years ago
Thanks Bauke: This is exactly what I was looking for! Leonid