Open dmiroshnikov opened 5 days ago
Feel free to close if the response to my question will be the same as in #12581.
Actually, in our case we cannot go from jetty11 to jetty12-ee9 directly due to a "new" behaviour with welcome files.
It doesn't work with the way we set up our app. As a workaround, I need to override doGet of org.eclipse.jetty.ee9.servlet.DefaultServlet with the following conditional logic to avoid a 404 if the servlet path is "/".
    if(...) {
        getServletContext()
            .getRequestDispatcher("/index.jsp")
            .forward(httpServletRequest, httpServletResponse);
    } else {
        super.doGet(httpServletRequest, httpServletResponse);
    }
@dmiroshnikov not sure I understand your issue with ee9 DefaultServlet. Can you explain the request URL, your expected response, and your particular DefaultServlet configuration?
We have multiple web apps with a common login, index.jsp forwards to the proper app based on a state. Internally we use the "/" uri and rely on welcome-file-list logic for forwarding to index.jsp.
In jetty11, "/" -> "/index.jsp" (state=unknown) -> "/login.jsp" -> "/" -> "index.jsp" (state=roleA) -> "webAppForRoleA.jsp"
In jetty12-ee9 / jetty12-ee10, "/" -> "/index.jsp" (state=unknown) -> "/login.jsp" -> "/" -> 404 page not found
Content of defaultsDescriptor.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    metadata-complete="true"
    version="3.0">
  <context-param>
    <param-name>org.mortbay.jetty.servlet.MaxAge</param-name>
    <param-value>-1</param-value>
  </context-param>
  <context-param>
    <param-name>org.mortbay.jetty.webapp.NoTLDJarPattern</param-name>
    <param-value>
      start.jar|ant-.*\.jar|dojo-.*\.jar|jetty-.*\.jar|jsp-api-.*\.jar|junit-.*\.jar|servlet-api-.*\.jar|dnsns\.jar|rt\.jar|jsse\.jar|tools\.jar|sunpkcs11\.jar|sunjce_provider\.jar|xerces.*\.jar
    </param-value>
  </context-param>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.ee9.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>acceptRanges</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>redirectWelcome</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>maxCacheSize</param-name>
      <param-value>256000000</param-value>
    </init-param>
    <init-param>
      <param-name>maxCachedFileSize</param-name>
      <param-value>10000000</param-value>
    </init-param>
    <init-param>
      <param-name>maxCachedFiles</param-name>
      <param-value>1000</param-value>
    </init-param>
    <init-param>
      <param-name>cacheType</param-name>
      <param-value>both</param-value>
    </init-param>
    <init-param>
      <param-name>gzip</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>useFileMappedBuffer</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet id="jsp">
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>logVerbosityLevel</param-name>
      <param-value>DEBUG</param-value>
    </init-param>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <locale-encoding-mapping-list>
    <locale-encoding-mapping>
      <locale>en</locale>
      <encoding>ISO-8859-1</encoding>
    </locale-encoding-mapping>
  </locale-encoding-mapping-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <baseResource implementation="org.mortbay.resource.ResourceCollection">
    <resourcesAsCSV>src/main/webapp,src/test/webapp</resourcesAsCSV>
  </baseResource>
</web-app>
In my current workaround, DefaultServlet was overwritten to override the doGet method to conditionally forward to index.jsp based on the URI value.
@dmiroshnikov your defaults descriptor is a bit odd, both for jetty-11 and jetty-12.
org.mortbay.jetty in either codebase.
org.eclipse.jetty.jsp.JettyJspServlet and in jetty-12 ee9 should be org.eclipse.jetty.ee9.jsp.JettyJspServlet.
org.mortbay.resource.ResourceCollection: in jetty-11 it is org.eclipse.jetty.util.resource.ResourceCollection; in jetty-12 it is a CombinedResource (but obtained from a ResourceFactory). In either case you don't need to set it in the defaults descriptor - the MetaInfConfiguration and WebInfConfiguration will sort this out for you.
I need to see the request uri, path etc for the case where login.jsp forwards to / and arrives at the DefaultServlet: can you debug it and provide the request info please? Even better would be the world's smallest reproduction test case so I can run it myself.
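A small check for the stale names the reply above points out, as an added example that is not part of the thread or of Jetty: it scans a descriptor for org.mortbay.* names and for a JSP servlet class other than the ee9 one quoted above. The function names, the trimmed sample descriptor and the rule that any org.mortbay.* name is stale are assumptions.

```python
import xml.etree.ElementTree as ET

# JSP servlet class for jetty-12 ee9, as quoted in the reply above.
EE9_JSP_SERVLET = "org.eclipse.jetty.ee9.jsp.JettyJspServlet"
LEGACY_PREFIX = "org.mortbay."  # assumption: any name under this prefix is stale

# Constructed sample: a trimmed copy of the descriptor posted in this thread.
SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>org.mortbay.jetty.servlet.MaxAge</param-name>
    <param-value>-1</param-value>
  </context-param>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.ee9.servlet.DefaultServlet</servlet-class>
  </servlet>
  <servlet id="jsp">
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
  <baseResource implementation="org.mortbay.resource.ResourceCollection"/>
</web-app>"""

def local(tag):
    """Strip the XML namespace so javaee and jakartaee descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def audit_descriptor(xml_text):
    """Return (element, value, finding) tuples in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name, text = local(el.tag), (el.text or "").strip()
        if name == "param-name" and text.startswith(LEGACY_PREFIX):
            findings.append((name, text, "legacy org.mortbay parameter name"))
        for attr in el.attrib.values():
            if attr.startswith(LEGACY_PREFIX):
                findings.append((name, attr, "legacy org.mortbay class reference"))
        if name == "servlet":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            cls = fields.get("servlet-class")
            if fields.get("servlet-name") == "jsp" and cls != EE9_JSP_SERVLET:
                findings.append(("servlet-class", cls, "expected " + EE9_JSP_SERVLET))
    return findings

if __name__ == "__main__":
    for finding in audit_descriptor(SAMPLE):
        print(finding)
```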
Are you planning to fix CVE-2024-6763 in jetty11, or do we have to migrate to jetty12-ee9?