Monday, June 18, 2012

Jetty - Basic Hardening

Jetty by default is shipped with two annoying features that should be turned off in production.

The first one is contexts listing. If you access the root folder and no context is configured as the root context, Jetty will display a list of all contexts installed. While it may be nice to see this during development, it is unnecessary information (and a useful map of your deployment for anyone probing it) in production.

The class responsible for displaying this list is org.eclipse.jetty.server.handler.DefaultHandler, and it is configured in jetty.xml. Call setShowContexts(false) on it to turn off the contexts listing.

You may also consider providing your own Handler class instead of the DefaultHandler. org.eclipse.jetty.server.handler.DefaultHandler is also responsible for serving Jetty's default favicon. It can be configured not to serve the favicon at all with setServeIcon(false), but it does not allow the favicon to be customized, so if you want that, you'll need a custom class.


The second annoying feature is directory content listing: when you access a directory, Jetty generates a page listing the files inside it. This can be turned off per context: under <Configure class="org.eclipse.jetty.webapp.WebAppContext"> put the following init parameter:

<Call name="setInitParameter">
  <Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg>
  <Arg>false</Arg>
</Call>
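As an added check (my own script, not part of this post or of Jetty), here is a small Python audit that parses a jetty.xml or a context xml and reports whether either listing described above is still enabled. The XML samples are constructed; the Set names assume Jetty's usual XML mapping of <Set name="x"> onto setX(), i.e. showContexts and serveIcon on the DefaultHandler, plus the dirAllowed init parameter shown above.

```python
import xml.etree.ElementTree as ET

DEFAULT_HANDLER = "org.eclipse.jetty.server.handler.DefaultHandler"
WEBAPP_CONTEXT = "org.eclipse.jetty.webapp.WebAppContext"
DIR_ALLOWED_KEY = "org.eclipse.jetty.servlet.Default.dirAllowed"

def _setting(elem, name, default="true"):
    # Jetty XML <Set name="x">value</Set>; an absent setting keeps Jetty's default (true here).
    node = elem.find("Set[@name='%s']" % name)
    return (node.text if node is not None and node.text else default).strip().lower()

def audit_jetty_xml(xml_text):
    """Return findings for the two listings (empty list = hardened); accepts jetty.xml or context xml."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. contexts listing / default favicon: inspect every DefaultHandler in the handler tree
    for new in root.iter("New"):
        if new.get("class") != DEFAULT_HANDLER:
            continue
        if _setting(new, "showContexts") != "false":
            findings.append("DefaultHandler: showContexts not false (contexts are listed)")
        if _setting(new, "serveIcon") != "false":
            findings.append("DefaultHandler: serveIcon not false (Jetty favicon served)")
    # 2. directory listing: the dirAllowed init parameter on a WebAppContext
    if root.tag == "Configure" and root.get("class") == WEBAPP_CONTEXT:
        value = "true"  # DefaultServlet's own default when the parameter is absent
        for call in root.findall("Call[@name='setInitParameter']"):
            args = [(a.text or "").strip() for a in call.findall("Arg")]
            if len(args) == 2 and args[0] == DIR_ALLOWED_KEY:
                value = args[1].lower()
        if value != "false":
            findings.append("WebAppContext: dirAllowed not false (directory listing on)")
    return findings

# Constructed samples (not from the post): DefaultHandler at its defaults vs. hardened.
WEAK_SERVER_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="handler"><New class="org.eclipse.jetty.server.handler.DefaultHandler"/></Set>
</Configure>"""
HARDENED_SERVER_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="handler"><New class="org.eclipse.jetty.server.handler.DefaultHandler">
    <Set name="showContexts">false</Set><Set name="serveIcon">false</Set>
  </New></Set>
</Configure>"""
# Constructed context xml, without and with the init parameter from the post.
WEAK_CONTEXT_XML = """<Configure class="org.eclipse.jetty.webapp.WebAppContext"/>"""
HARDENED_CONTEXT_XML = """<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Call name="setInitParameter"><Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg><Arg>false</Arg></Call>
</Configure>"""
```

Run it over each jetty.xml and context xml in your deployment; any non-empty result is a listing that should be switched off before the server reaches production.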

7 comments:

Alexey said...

Hey, I tried this, but it does not work for me:

2012-11-07 15:34:46.380:WARN::EXCEPTION
java.lang.IllegalStateException: No Method: org.eclipse.jetty.servlet.Default.dirAllowedfalse on class org.mortbay.jetty.webapp.WebAppContext

Alexey said...

I figured out a better way to do this.
Simply add the following in your context .xml:

/etc/webdefault.xml

and the dirAllowed can be then set in webdefault.xml

-Alexey

Alexey said...

shoot ... the xml got hidden here:

<Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>

Unknown said...

Actually you may consider to provide your own Handler class instead of the DefaultHandler. The org.eclipse.jetty.server.handler.DefaultHandler is also responsible to display the Jetty's default favicon. It may be configured not to serve the favicon at all by setServeIcon(false), but it does not allow to customize the favicon. So if you want to do it, you'll need a custom class.

How does one go about defining a custom class to do this with embedded Jetty? Thanks in advance!

Tarlog said...

What do you call an embedded Jetty? Do you initialize it from code?

Virgo47 said...

I just needed to do this with Jetty 9 programmatically (at least I didn't want to mess with XML if I could avoid it):

// imports added here for completeness; the snippet as posted omitted them
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.webapp.WebAppContext;

WebAppContext context = new WebAppContext();
context.setServer(server);
context.setContextPath(...);
// this disables directory browsing
context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
// and this adds our dummy error handler
context.setErrorHandler(new ErrorHandler());
...

// replaces Jetty's default HTML error page with a minimal body carrying only the status code
static class ErrorHandler extends ErrorPageErrorHandler {
    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException {
        response.getWriter().append("some error JSON with HTTP status")
                .append(String.valueOf(response.getStatus()));
    }
}

The reason for this dummy solution is that our REST-like API handles all the errors itself, but only on a specific "servlet" path (those errors are not handled by Jetty). This covers the rest of the errors outside this path.
