开发者

Hiding java package structure in url

Our current web application url reveals the class package structure to the end user. This is because in web.xml the servlet mapping tag is as follows Servlet_ 开发者_运维问答name /servlet/com.xxx.yyy.ClassName

Is there any way by which i can hide the package structure. i.e com.xxx.yyy.ClassName to just ClassName?

Thanks Sameer


This is recognizeable as an old and vulrenable feature of Tomcat's builtin InvokerServlet. To fix this, disable it in Tomcat's /conf.web.xml by removing or outcommenting the <servlet> and <servlet-mapping> entries associated with <servlet-name>invoker</servlet-name>.

This was a security hole in the ancient Tomcat versions and was fixed in Tomcat 5 and upwards where it is been deprecated and by default disabled. It will be removed in Tomcat 7.

You need to explicitly define all of the servlets in webapp's web.xml yourself along with a decent url-pattern. If you have pretty a lot of servlets, consider the Front Controller Pattern, i.e. just only one servlet which delegates and executes the desired business logic based on under each the request method, request URI, request pathinfo and so on.


Yes. Fix your web.xml url mappings.

If for some bizarre reason this isn't possible you could add this filter in front to rewrite the urls:

http://tuckey.org/urlrewrite/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜