Re: [jetty-users] File locking when Jetty service is up(Need to lock the Web ARchieve preventing the file from tampering when the Jetty service is up and running)

wiki.eclipse.org is for a long EOL (End of Life) version of Jetty.
The big red box at the top even tells you that, and gives you a link to the up to date Jetty documentation.

Windows File Locking is a standard feature of Windows. Files that are open are locked and prevented from being tampered with.
You cannot rely on this feature of Windows for what you want.  As Jetty cannot have all files on your webapp open at the same time, that would hit open file limits on your OS rather quickly.

The temporary directory of a webapp is standard servlet spec behavior and is where all temporary files reside, that directory can never be read-only, otherwise your webapp wouldn't function as you expect.

You should probably just rely on standard operating system protections: have Jetty run as its own user, with its own temporary directory, set up to not allow other users on the operating system to change/modify the content of those directories.
This is not something that can be controlled by Jetty itself; this is something you have to set up and configure at the OS level, the FileSystem level, and perhaps even configure your WebApp to use those user-specific directories.

Joakim Erdfelt / joakim@xxxxxxxxxxx
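
The OS-level setup recommended in the reply above, sketched for the Windows 10 host in the question. This is an added example, not part of the original thread or Jetty's own tooling; the service account `svc-jetty` and the temp path `C:\jetty-temp` are assumed names, and the JVM is assumed to be pointed at that directory (for example through the standard `java.io.tmpdir` system property).

```powershell
# Added example: run from an elevated PowerShell prompt.
# $JettyTemp and $ServiceUser are hypothetical; $WebApps is the path from the question.
$WebApps     = 'C:\Program Files\jetty\mt-base\webapps'
$JettyTemp   = 'C:\jetty-temp'
$ServiceUser = "$env:COMPUTERNAME\svc-jetty"
$Admins      = 'BUILTIN\Administrators'
$System      = 'NT AUTHORITY\SYSTEM'

New-Item -ItemType Directory -Path $JettyTemp -Force | Out-Null

# webapps: drop inherited ACEs; the Jetty account may read the WAR but not change it.
icacls $WebApps /inheritance:r /grant:r `
    "${Admins}:(OI)(CI)F" "${System}:(OI)(CI)F" "${ServiceUser}:(OI)(CI)RX"

# temp directory: must stay writable for the webapp, but only for the Jetty account.
icacls $JettyTemp /inheritance:r /grant:r `
    "${Admins}:(OI)(CI)F" "${System}:(OI)(CI)F" "${ServiceUser}:(OI)(CI)M"

# Audit: list Allow ACEs that give write-type rights to anyone outside $Allowed.
# Only specific file rights are tested; ACEs stored as generic rights are not decoded.
function Get-UnexpectedWriter {
    param([string]$Path, [string[]]$Allowed)
    $writeBits = [System.Security.AccessControl.FileSystemRights]`
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeBits) -and
        ($Allowed -notcontains $_.IdentityReference.Value)
    }
}

# Both calls should return nothing once the ACLs above are in place.
Get-UnexpectedWriter -Path $WebApps   -Allowed $Admins, $System
Get-UnexpectedWriter -Path $JettyTemp -Allowed $Admins, $System, $ServiceUser
```

Files that already carry their own explicit ACEs keep them, so run the audit function against the deployed WAR and the extracted files as well as the two directories.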


On Wed, Jul 17, 2019 at 7:41 AM deepak dhandapani <deepakd020395@xxxxxxxxx> wrote:
Hello Jan,

Adding on to the above, the link I posted in the first mail to the list is wrong. It should be https://wiki.eclipse.org/Jetty/Howto/Deal_with_Locked_Windows_Files which deals with disabling memory mapping.

On Wed, Jul 17, 2019 at 1:51 PM deepak dhandapani <deepakd020395@xxxxxxxxx> wrote:
Hello Jan,

Thanks for your reply. Jetty version should be jetty-distribution-9.4.9.v20180320.

Setting the scanInterval to 0 in jetty-deploy.xml does a one-time scan of the monitored directory upon starting the Jetty service. This gives me a partial solution, since any changes in the webapps directory are not reflected in the response. What I mean by partial is that, at the time of the scan, the content of the WAR file is extracted into a temporary directory, and Jetty uses the extracted files to process the request and deliver a response.

If I make changes to files in the temporary directory containing my resource files, this would still allow file tampering.

Does jetty-distribution-9.4.9.v20180320 run on NIO-based connectors? If yes, setting the configuration useFileMappedBuffer for DefaultServlet to true is having no effect on the use of memory-mapped files.

Could you advise me how to secure my resource files in this case?

Thanks in advance!

On Tue, Jul 16, 2019 at 10:26 PM Jan Bartel <janb@xxxxxxxxxxx> wrote:
You haven't provided a recognisable jetty version, can you double check what you're using?

You don't have to use the webapp deployer to deploy your webapp if you don't want to. The one we provide will periodically scan for changed files, however you could write your own that just deploys once. Take a look in the jetty-deploy maven src module, should be pretty easy.

You might be able to fudge it by setting the scanInterval to 0 on the current deployer in the ini file or in the jetty-deploy.xml file, but I've never tried that so can't guarantee it works.

Other option is you can just write a small xml file that directly deploys your webapp.

You should also be using operating system privileges to protect who can interact with the jetty instance, do things like copying or modifying files, starting or stopping jetty.



On Tue., 16 Jul. 2019, 07:44 deepak dhandapani, <deepakd020395@xxxxxxxxx> wrote:
Hi There,

I'm currently working with a Gradle project which is used to build web services to deploy in the Jetty web server in the location "C:\Program Files\jetty\mt-base\webapps" as a .WAR file. When I run the Jetty service, my services work fine as expected, but what worries me is that Jetty allows the WAR file to be modified even when Jetty is running, and then reloads the services so that the change takes effect on the server response to client requests.

This allows for malicious tampering of the WAR file and we are looking to protect this from happening.

My question is, is there any Jetty configuration to lock the web application file while the service is up and running (i.e., lock all files inside the "C:\Program Files\jetty\mt-base\webapps" folder)? If yes, could you let me know how to set up the configuration, please?

However, I do see a 'useFileMappedBuffer' property in the link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml for memory-mapping of files for the Jetty services. I'm currently trying this to see if I can achieve my need. Could you elaborate on the statement "Jetty buffers static content for webapps such as HTML files, CSS files, images, etc. If you are using NIO connectors, Jetty uses memory-mapped files to do this." in the link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml? What does NIO connectors mean? How do I implement it in my Jetty?

Current Jetty I'm using is Jetty (x64) 1.4.0.56668
OS - Windows 10 Enterprise

Thanks in advance!
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users