dev@glassfish.java.net

Re: Does the Servlet spec require this behavior?

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 05 Jun 2009 13:30:40 -0700

On 06/ 5/09 11:55 AM, Lloyd Chambers wrote:
> There are potential security issues with just turning on directory
> listings. I don't think it's a spec thing, but I do think it's wise to
> not offer directory listings by default.

Right.

According to Section 10.10 ("Welcome Files") of the Servlet spec:

  If no matching welcome file is found in the manner described,
  the container may handle the request in a manner it finds
  suitable. For some configurations this may mean returning a
  directory listing or for others returning a 404 response.

In GlassFish, directory listings are disabled by default, but may be enabled
as described by Sathyan.

In addition, we recently added support for sorting directory listings by
their file size and last-modified date (by default, they're sorted in
alphabetical order).
See http://blogs.sun.com/jluehe/entry/new_sorting_options_for_directory
for details.


Jan

>
> Lloyd
> On Jun 5, 2009, at 11:24 AM, Vince Kraemer wrote:
>
>> Hi,
>>
>> I created a web app that has no descriptor files and a single JSP.
>>
>> If the jsp is named index.jsp, I see the content when I access
>> http://localhost:8080/WarName/... this is a good thing
>>
>> If the jsp is named foobar.jsp, I see a 404 error when I access the
>> same URL... Is the spec forcing us to be so useless?
>>
>> I would think that the server could present a directory listing for
>> the web app... so the user would have a chance to click on foobar.jsp
>> and see its content. That would be friendlier for developers. It
>> probably should not work that way in production, though.
>>
>> One other thing I noticed... There is no error in the server log that
>> would alert the developer to the root cause of the problem.
>>
>> I did this test with v3 promoted build 49.
>>
>> Thanks,
>> vbk
>>
>>
>
> Lloyd Chambers
> lloyd.chambers_at_sun.com <mailto:lloyd.chambers_at_sun.com>
> GlassFish Team
>
>
>