Hello Jan,

Adding on to the above, the link I posted in the first mail to the list is wrong. It should be https://wiki.eclipse.org/Jetty/Howto/Deal_with_Locked_Windows_Files, which deals with disabling memory mapping.

On Wed, Jul 17, 2019 at 1:51 PM deepak dhandapani <[email protected]> wrote:

> Hello Jan,
>
> Thanks for your reply. Jetty version should be
> *jetty-distribution-9.4.9.v20180320*.
>
> Setting the scanInterval to 0 in jetty-deploy.xml does a one-time scan of
> the monitored directory upon starting the Jetty service. This gives me a
> partial solution, since any changes in the webapps directory are not
> reflected in the response. Why I mean partial is that, at the time of the scan,
> the content of the WAR file is extracted into a temporary directory and
> Jetty uses the extracted files to process the request and deliver a
> response.
>
> If I make changes to files in the temporary directory containing my
> resource files, this would still allow file tampering.
>
> Does *jetty-distribution-9.4.9.v20180320* run on NIO based connectors? If
> yes, setting the configuration *useFileMappedBuffer* for *DefaultServlet*
> to *true* is having no effect on the use of memory-mapped files.
>
> Could you advise me how to secure my resource files in this case?
>
> Thanks in advance!
>
> On Tue, Jul 16, 2019 at 10:26 PM Jan Bartel <[email protected]> wrote:
>
>> You haven't provided a recognisable jetty version, can you double check
>> what you're using?
>>
>> You don't have to use the webapp deployer to deploy your webapp if you
>> don't want to. The one we provide will periodically scan for changed files,
>> however you could write your own that just deploys once. Take a look in the
>> jetty-deploy maven src module, should be pretty easy.
>>
>> You might be able to fudge it by setting the scanInterval to 0 on the
>> current deployer in the ini file or in the jetty-deploy.xml file, but I've
>> never tried that so can't guarantee it works.
>>
>> Other option is you can just write a small xml file that directly deploys
>> your webapp.
>>
>> You should also be using operating system privileges to protect who can
>> interact with the jetty instance, do things like copying or modifying
>> files, starting or stopping jetty.
>>
>> On Tue., 16 Jul. 2019, 07:44 deepak dhandapani, <[email protected]>
>> wrote:
>>
>>> Hi There,
>>>
>>> I'm currently working with a Gradle project which is used to build
>>> web services that are deployed to the Jetty web server in the location
>>> "*C:\Program Files\jetty\mt-base\webapps*" as a .WAR file. When I run the Jetty
>>> services, my services work fine as expected, but what worries me is that
>>> Jetty allows the WAR file to be modified even when Jetty is running, and
>>> then reloads the services so that the change takes effect on the server
>>> response to the client request.
>>>
>>> This allows for malicious tampering of the WAR file and we are looking
>>> to protect this from happening.
>>>
>>> My question is, *Is there any Jetty configuration to lock the web
>>> application file while the service is up and running (i.e., lock all files
>>> inside the "C:\Program Files\jetty\mt-base\webapps" folder)? If yes, could you
>>> let me know how to set up the configuration, please?*
>>>
>>> However, I do see a *'useFileMappedBuffer'* property in the
>>> link https://wiki.eclipse.org/Jetty/Reference/webdefault.xml for
>>> memory-mapping of files for the Jetty services. I'm currently trying this
>>> to see if I can achieve my need. Could you elaborate on the statement "*Jetty
>>> buffers static content for webapps such as HTML files, CSS files, images,
>>> etc. If you are using NIO connectors, Jetty uses memory-mapped files to do
>>> this.*" in the link
>>> https://wiki.eclipse.org/Jetty/Reference/webdefault.xml? What does NIO
>>> connectors mean? How do I implement it in my Jetty?
>>>
>>> The current Jetty I'm using is *Jetty (x64) 1.4.0.56668*
>>> OS - Windows 10 Enterprise
>>>
>>> Thanks in advance!
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
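
The thread's remaining concern is that files in the temporary directory where the WAR is unpacked can still be changed after deployment. The following is an added example, not part of the thread and not Jetty code: a Python check that compares an unpacked directory against the WAR it came from and reports modified, missing and added files. The function names and the sample WAR are constructed for illustration, and it assumes you point it at the directory that holds the unpacked WAR content.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def war_manifest(war_path):
    """Map each file entry in the WAR to the SHA-256 of its content."""
    with zipfile.ZipFile(war_path) as war:
        return {i.filename: hashlib.sha256(war.read(i)).hexdigest()
                for i in war.infolist() if not i.is_dir()}


def dir_manifest(root):
    """Map each file under root ('/'-separated relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(war_path, extracted_dir):
    """Report how the extracted copy differs from the WAR it came from."""
    want, have = war_manifest(war_path), dir_manifest(extracted_dir)
    return {
        "modified": sorted(p for p in want if p in have and want[p] != have[p]),
        "missing": sorted(p for p in want if p not in have),
        # Files the server itself writes here would also show up as "added".
        "added": sorted(p for p in have if p not in want),
    }


def demo():
    """Constructed sample: build a tiny WAR, unpack it, then alter the copy."""
    with tempfile.TemporaryDirectory() as work:
        war, out = Path(work, "app.war"), Path(work, "extracted")
        with zipfile.ZipFile(war, "w") as z:
            z.writestr("index.html", "<h1>ok</h1>")
            z.writestr("WEB-INF/web.xml", "<web-app/>")
        with zipfile.ZipFile(war) as z:
            z.extractall(out)
        (out / "index.html").write_text("<h1>changed</h1>")  # edited after unpack
        (out / "extra.jsp").write_text("x")                   # dropped in later
        (out / "WEB-INF" / "web.xml").unlink()                # removed
        return compare(war, out)


if __name__ == "__main__":
    print(demo())
```

The WAR is only a sound baseline if its own digest is checked against one recorded at build time, and a check like this detects changes rather than preventing them, so it complements the operating system permissions recommended in the thread.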
