Hello Jan,

Thanks for your reply. Jetty version should be
*jetty-distribution-9.4.9.v20180320.*

Setting the scanInterval to 0 in jetty-deploy.xml does a one-time scan of the
monitored directory upon starting the Jetty service. This gives me a
partial solution, since any changes in the webapps directory are not
reflected in the response. What I mean by partial is that, at the time of the
scan, the content of the WAR file is extracted into a temporary directory and
Jetty uses the extracted files to process the request and deliver a
response.

If I make changes to files in the temporary directory containing my
resource files, this would still allow file tampering.

Does *jetty-distribution-9.4.9.v20180320* run on NIO-based connectors? If
yes, setting the configuration *useFileMappedBuffer* for *DefaultServlet* to
*true* is having no effect on the use of memory-mapped files.

Could you advise me how to secure my resource files in this case?

Thanks in advance!

On Tue, Jul 16, 2019 at 10:26 PM Jan Bartel <[email protected]> wrote:

> You haven't provided a recognisable jetty version, can you double check
> what you're using?
>
> You don't have to use the webapp deployer to deploy your webapp if you
> don't want to. The one we provide will periodically scan for changed files,
> however you could write your own that just deploys once. Take a look in the
> jetty-deploy maven src module, should be pretty easy.
>
> You might be able to fudge it by setting the scanInterval to 0 on the
> current deployer in the ini file or in the jetty-deploy.xml file, but I've
> never tried that so can't guarantee it works.
>
> Another option is that you can just write a small xml file that directly
> deploys your webapp.
>
> You should also be using operating system privileges to protect who can
> interact with the jetty instance, do things like copying or modifying
> files, starting or stopping jetty.
>
>
>
> On Tue., 16 Jul. 2019, 07:44 deepak dhandapani, <[email protected]>
> wrote:
>
>> Hi There,
>>
>> I'm currently working with a Gradle project which is used to design a
>> web service to deploy in the Jetty web server in the location "*C:\Program
>> Files\jetty\mt-base\webapps*" as a .WAR file. When I run the Jetty
>> services, my services work fine as expected, but what worries me is that
>> Jetty allows the WAR file to be modified even when Jetty is running, and
>> then reloads the services so that the change takes effect on the server
>> response to the client request.
>>
>> This allows for malicious tampering of the WAR file and we are looking to
>> protect this from happening.
>>
>> My question is, *is there any Jetty configuration to lock the web
>> application file while the service is up and running (i.e., lock all files
>> inside the "C:\Program Files\jetty\mt-base\webapps" folder)? If yes, could
>> you let me know how to set up the configuration, please?*
>>
>> However, I do see a facility *'useFileMappedBuffer'* property in the
>> link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml for
>> memory-mapping of files for the Jetty services. I'm currently trying this
>> to see if I can achieve my need. Could you elaborate on the statement "*Jetty
>> buffers static content for webapps such as HTML files, CSS files, images,
>> etc. If you are using NIO connectors, Jetty uses memory-mapped files to do
>> this.*" in the link
>> https://wiki.eclipse.org/Jetty/Reference/webdefault.xml? What does NIO
>> connectors mean? How do I implement this in my Jetty?
>>
>> The Jetty I'm currently using is *Jetty (x64) 1.4.0.56668*
>> OS - Windows 10 Enterprise
>>
>> Thanks in advance!
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://www.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
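
Added example (not part of the thread, and not Jetty project code): a PowerShell audit for the operating-system-privilege approach discussed above. It lists every account outside an allow-list that holds write-type rights on the webapps directory or on the directory where the WAR is extracted. The temp directory path and the allow-list are assumptions; replace them with the values for your installation.

```powershell
# Added example: audit which accounts can modify the files Jetty serves.
param(
    # First path is the deployment directory named in the thread. The second is a
    # placeholder (assumption): set it to the directory where Jetty extracts the WAR.
    [string[]]$Path = @('C:\Program Files\jetty\mt-base\webapps',
                        'C:\path\to\jetty\temp-directory'),
    # Assumption: only these principals are expected to change the files.
    [string[]]$AllowedWriters = @('NT AUTHORITY\SYSTEM',
                                  'BUILTIN\Administrators',
                                  'NT SERVICE\TrustedInstaller')
)

# Rights that change content or loosen the ACL, plus the raw GENERIC_WRITE and
# GENERIC_ALL bits (0x40000000, 0x10000000) that inherit-only ACEs may carry.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x50000000

function Get-UnexpectedWriter {
    param([string]$Target, [string[]]$Allowed)
    # Check the directory itself and everything below it.
    $items = @(Get-Item -LiteralPath $Target -Force) +
             @(Get-ChildItem -LiteralPath $Target -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $Path) {
    if (Test-Path -LiteralPath $p) { Get-UnexpectedWriter -Target $p -Allowed $AllowedWriters }
    else { Write-Warning "Not found: $p" }
}
$findings | Sort-Object Path, Identity | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or deployment check fail on findings.
if ($findings) { exit 1 }
```

If the account that runs the Jetty service needs to write to the extraction directory, add it to the allow-list for that path only, and treat any other identity in the output as a permission to remove.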
