Re: [jetty-users] File locking when Jetty service is up (Need to lock the Web Archive preventing the file from tampering when the Jetty service is up and running)

Hello Jan,

Thanks for your reply. Jetty version should be jetty-distribution-9.4.9.v20180320.

Setting scanInterval to 0 in jetty-deploy.xml does a one-time scan of the monitored directory upon starting the Jetty service. This gives me a partial solution, since changes in the webapps directory are not reflected in the response. Why I say partial is that, at the time of the scan, the content of the WAR file is extracted into a temporary directory and Jetty uses the extracted files to process the request and deliver a response.

If I make changes to files in the temporary directory containing my resource files, this would still allow file tampering.

Does jetty-distribution-9.4.9.v20180320 run on NIO based connectors? If yes, setting the useFileMappedBuffer configuration for DefaultServlet to true is having no effect on using memory-mapped files.

Could you advise me how to secure my resource files in this case?

Thanks in advance!
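As an added illustration of the concern raised in this message (example code written for this thread, not code from Jetty or from either poster): a small Python integrity check that records a baseline of the WAR in the webapps directory at deploy time and compares Jetty's extracted working copy against the archive it was extracted from, so edits or additions in the temporary directory are detected. The paths and the tiny WAR it builds are constructed for the demo; the location of Jetty's temp directory is an assumption you would substitute with your own.

```python
"""Integrity check for a deployed Jetty webapp (added example, not Jetty code).

Two checks are shown:
  1. the WAR in webapps/ still matches the baseline taken at deploy time;
  2. the extracted copy Jetty serves from still matches the WAR's contents.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare a directory against a baseline manifest; report drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def war_entry_hashes(war_path: Path) -> dict:
    """SHA-256 of each file entry inside the WAR (a WAR is a zip archive).
    Zip entry names already use '/' so they line up with build_manifest()."""
    with zipfile.ZipFile(war_path) as z:
        return {i.filename: sha256_bytes(z.read(i)) for i in z.infolist() if not i.is_dir()}


def compare_war_to_extracted(war_path: Path, extracted_dir: Path) -> dict:
    """Detect tampering with the extracted copy: files that differ from, went
    missing from, or were added beyond the archive they were extracted from."""
    return verify_manifest(extracted_dir, war_entry_hashes(war_path))


def demo() -> dict:
    """Constructed scenario: deploy a tiny WAR, extract it the way Jetty does,
    then tamper with the extracted copy and show both checks' results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        webapps = base / "webapps"        # stands in for <jetty.base>/webapps (assumed layout)
        work = base / "work" / "myapp"    # stands in for Jetty's temp/work directory (assumed)
        webapps.mkdir()
        work.mkdir(parents=True)
        war = webapps / "myapp.war"
        with zipfile.ZipFile(war, "w") as z:          # constructed sample WAR
            z.writestr("index.html", "<h1>hello</h1>")
            z.writestr("WEB-INF/web.xml", "<web-app/>")
        with zipfile.ZipFile(war) as z:
            z.extractall(work)
        baseline = build_manifest(webapps)            # record this at deploy time
        # Simulated tampering of the extracted copy only; the WAR is untouched.
        (work / "index.html").write_text("<h1>changed</h1>")
        (work / "extra.html").write_text("added after deploy")
        return {
            "war": verify_manifest(webapps, baseline),
            "extracted": compare_war_to_extracted(war, work),
        }


if __name__ == "__main__":
    print(demo())
```

Run the baseline once right after the deployer has extracted the WAR, store the manifest somewhere the Jetty service account cannot write, and run the verify step from a scheduled task; any non-empty "modified", "missing" or "added" list is the signal to alert and redeploy.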

On Tue, Jul 16, 2019 at 10:26 PM Jan Bartel <janb@xxxxxxxxxxx> wrote:
You haven't provided a recognisable jetty version, can you double check what you're using?

You don't have to use the webapp deployer to deploy your webapp if you don't want to. The one we provide will periodically scan for changed files, however you could write your own that just deploys once. Take a look in the jetty-deploy maven src module, should be pretty easy.

You might be able to fudge it by setting the scanInterval to 0 on the current deployer in the ini file or in the jetty-deploy.xml file, but I've never tried that so can't guarantee it works.

The other option is that you can just write a small xml file that directly deploys your webapp.

You should also be using operating system privileges to protect who can interact with the jetty instance, do things like copying or modifying files, starting or stopping jetty.



On Tue., 16 Jul. 2019, 07:44 deepak dhandapani, <deepakd020395@xxxxxxxxx> wrote:
Hi There,

I'm currently working with a Gradle project which is used to build web services to deploy in the Jetty web server in the location "C:\Program Files\jetty\mt-base\webapps" as a .WAR file. When I run the Jetty service, my services work fine as expected, but what is worrying me is that Jetty allows the WAR file to be modified even when Jetty is running, and thus reloads the services, which affects the server response to the client request.

This allows for malicious tampering of the WAR file and we are looking to protect this from happening.

My question is, is there any Jetty configuration to lock the web application file while the service is up and running (i.e., lock all files inside the "C:\Program Files\jetty\mt-base\webapps" folder)? If yes, could you let me know how to set up the configuration, please?

However, I do see a 'useFileMappedBuffer' property in the link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml for memory-mapping of files for the Jetty services. I'm currently trying this to see if I can achieve my need. Could you elaborate on the statement "Jetty buffers static content for webapps such as HTML files, CSS files, images, etc. If you are using NIO connectors, Jetty uses memory-mapped files to do this." in the link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml? What do NIO connectors mean? How do I implement this in my Jetty?

The current Jetty I'm using is Jetty (x64) 1.4.0.56668
OS - Windows 10 Enterprise

Thanks in advance!
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users