HFSJ page 47 - "navigate directly to the servlet"

 
Leonid Shchervinsky
Ranch Hand
Posts: 32
In HFSJ on page 47 it says that it might be possible to navigate directly to the servlet .class file and execute it. Is it true? If so, how would one set this up? I know that this is not the way to go for many reasons...

Thanks
Leonid
 
Justin Rundle
Ranch Hand
Posts: 123
"might be possible to navigate directly to the servlet .class file and execute it. Is it true? If so, how would one set this up?"
Assuming we have mapped a servlet to "/TestServlet" in our web.xml, we can either use:
- getServletContext().getRequestDispatcher("/TestServlet") OR
- request.getRequestDispatcher("TestServlet") OR
- response.sendRedirect("/TestServlet") OR
- response.encodeRedirectURL("/TestServlet")

Or if by navigate you mean manually typing the URL in the address bar, you could do something like:
- http://localhost:8080/myapp/TestServlet

HTH
[ December 18, 2008: Message edited by: Justin Rundle ]
 
Leonid Shchervinsky
Ranch Hand
Posts: 32
something silly like:
http://localhost:8084/HFSJ/classes/chapter01/Ch1Servlet.class
or
http://localhost:8084/HFSJ/classes/chapter01/Ch1Servlet

without doing any dd mapping

Here is a quote:

"And what about security? Do you really want the client to know exactly how things are structured on your server? Do you want them to, say, attempt to navigate directly to the servlet without going through the right pages or forms? Because if the end-user can see the real path, she can type it into her browser and try to access it directly."

So what I have attempted to do is to copy the classes folder from WEB-INF into the root of the app and try to access the class directly using its 'real path'. If I add the .class extension, the browser tries to download the servlet file. Without the extension, it gives me a 404...

Maybe this paragraph is just a hypothetical argument, and not possible in reality anyway.

Thanks
Leonid
 
Justin Rundle
Ranch Hand
Posts: 123
Resources are ONLY available for direct access by the client in 2 ways:
1. ALL resources under the context folder, i.e. /myapp/
2. ALL resources under a subdirectory of the context folder, i.e. /myapp/jsp/ or /myapp/classes/ or /myapp/any folder name/

Therefore if you copy the classes directory and paste it under the context folder you have now given clients direct access to your class files.

HTH
 
Leonid Shchervinsky
Ranch Hand
Posts: 32
That is exactly why I copied the classes folder, to try to figure out what that paragraph from the HFSJ means...
 
Leonid Shchervinsky
Ranch Hand
Posts: 32
Where is the bartender when you need one? :-)
Or better yet, a book author...
 
Bauke Scholtz
Ranch Hand
Posts: 2458
That's not possible, but it's possible with an intermediate servlet, for example the InvokerServlet in Tomcat. It has been disabled by default since Tomcat 5.5 for security reasons, but it is still in its web.xml, although it is commented out.
[ December 25, 2008: Message edited by: Bauke Scholtz ]
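
An added example, not part of the thread and not Tomcat's own code: a check over a deployment descriptor that reports whether the InvokerServlet mentioned above has an active mapping, as opposed to a commented-out one, alongside the servlets that are mapped explicitly. The sample descriptor, the `/Serv1` pattern and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample descriptor: the invoker servlet is declared but its
# mapping is commented out; Ch1Servlet is mapped explicitly.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Ch1Servlet</servlet-name>
    <servlet-class>chapter01.Ch1Servlet</servlet-class>
  </servlet>
  <!-- <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping> -->
  <servlet-mapping>
    <servlet-name>Ch1Servlet</servlet-name>
    <url-pattern>/Serv1</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):
    # Drop the namespace prefix so 2.4 and 2.5 descriptors are handled alike.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(xml_text):
    """Return (invoker_patterns, explicit_mappings); XML comments are ignored."""
    root = ET.fromstring(xml_text)
    classes = {child_text(e, "servlet-name"): child_text(e, "servlet-class")
               for e in root if local(e.tag) == "servlet"}
    invoker, explicit = [], {}
    for e in root:
        if local(e.tag) == "servlet-mapping":
            name, pattern = child_text(e, "servlet-name"), child_text(e, "url-pattern")
            if classes.get(name) == INVOKER_CLASS:
                invoker.append(pattern)
            else:
                explicit[pattern] = classes.get(name)
    return invoker, explicit
```

An empty first list means no active mapping routes requests to the invoker; any pattern listed there should be removed in favour of explicit servlet mappings.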
 
Leonid Shchervinsky
Ranch Hand
Posts: 32
Thanks Bauke:
This is exactly what I was looking for!
Leonid
 