knaccc

Reputation: 262

How to disable the Jetty DefaultHandler using XML (to prevent directory listings and webapp context listings)

I have a JETTY_HOME directory containing the unpacked Jetty distribution.

I want to disable the DefaultHandler, to achieve three things:

  1. Prevent directory listings which would otherwise be controlled by the dirAllowed init parameter (the DefaultServlet is configured by this parameter).

  2. Prevent web app context listings, which may reveal sensitive information such as server directory paths or other web app contexts running within the same Jetty instance.

  3. Be sure that DefaultHandler doesn't provide access to any sensitive files in the event that I botch a web app deployment. I'm happy to implement my own static file serving servlet where necessary as an alternative to using DefaultHandler.

I could simply edit JETTY_HOME/etc/jetty.xml and remove the DefaultHandler from there. However, JETTY_HOME is supposed to be read-only, and I'm only supposed to make changes in my JETTY_BASE folder. Only modifying JETTY_BASE comes with the advantage of not having to repeatedly modify JETTY_HOME when upgrading to a newer release of Jetty.

How do I make this change from inside JETTY_BASE?

Upvotes: 1

Views: 876

Answers (1)

Joakim Erdfelt

Reputation: 49515

DefaultHandler is necessary, don't remove it.

Let's address each point.


  1. Prevent directory listings which would otherwise be controlled by the dirAllowed init parameter (the DefaultHandler is configured by this parameter).

The DefaultHandler doesn't do directory listings. That's the role of the DefaultServlet in a WebAppContext, or a ResourceService / ResourceHandler in an embedded scenario.

If you want to prevent directory listings presented by the DefaultServlet in a WebAppContext you need to configure the DefaultServlet.

You can do that with one of the following choices.

  1. Declare the <servlet> entries in your WEB-INF/web.xml to configure the named servlet default to have an init-param of dirAllowed set to false.
    This is a change in the individual webapp's own WEB-INF/web.xml

  2. Declare a servlet context init-parameter (not servlet specific, whole context), where the key org.eclipse.jetty.servlet.Default.dirAllowed is set to value false.
    This is a change in either the individual webapp's own WEB-INF/web.xml or the XML deployable (i.e. ${jetty.base}/webapps/<name>.xml) for each webapp.

  3. Provide an alternate webdefault.xml for the defaultDescriptor that configures the default behavior to be dirAllowed=false.
    This is a change to either the individual webapp XML deployable to set the WebAppContext.setDefaultDescriptor(), or the overall deployable defaults for the chosen DeploymentManager / AppProvider combo you are using. This will also require a custom ${jetty.base}/etc/<name>.xml which is your new default descriptor.

  4. Provide an override descriptor XML that can be applied after your defaultDescriptor + webapp descriptor to configure dirAllowed=false.
    This is a change to either the individual webapp XML deployable to set the WebAppContext.setOverrideDescriptor(), or the overall deployable defaults for the chosen DeploymentManager / AppProvider combo you are using. This will also require a custom ${jetty.base}/etc/<name>.xml which is your new override descriptor.

If you are using ResourceService / ResourceHandler in an embedded-jetty scenario, you can just call ResourceService.setDirAllowed(false).


  2. Prevent web app context listings, which may reveal sensitive information such as server directory paths or other web app contexts running within the same Jetty instance.

That's controlled by the showContexts configuration on the DefaultHandler.

There are 2 ways to control this behavior.

Option A: configure the DefaultHandler

You can add 2 files to your ${jetty.base}

New file: etc/tweak-defaulthandler.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
  <Set name="showContexts">false</Set>
</Configure>

Add a line to ${jetty.base}/start.d/tweaks.ini to use this XML

$ cat start.d/tweaks.ini 
etc/tweak-defaulthandler.xml

Option B: just declare a ROOT context with default behavior for ROOT.

Create a ${jetty.base}/webapps/ROOT directory. Add a ${jetty.base}/webapps/ROOT/index.html with whatever content you want. That will be served instead of DefaultHandler creating the list of contexts.


  3. Be sure that DefaultHandler doesn't provide access to any sensitive files in the event that I botch a web app deployment. I'm happy to implement my own static file serving servlet where necessary as an alternative to using DefaultHandler.

The DefaultHandler only serves 3 things.

  1. /favicon.ico requests (only if a GET request)
  2. / (show context listing) (only if a GET request and showContexts is true)
  3. 404 Errors - all other requests that reach this handler.

You are confusing DefaultServlet / ResourceService / ResourceHandler with DefaultHandler, a totally different thing.

Upvotes: 4
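A static check of the two settings the answer describes (dirAllowed on the DefaultServlet, showContexts on the DefaultHandler), added here as an example and not taken from the question, the answer or Jetty itself; the function names and the sample web.xml are my own construction, while the DefaultHandler XML mirrors the tweak file shown above.

```python
import xml.etree.ElementTree as ET

DIR_ALLOWED_CTX_PARAM = "org.eclipse.jetty.servlet.Default.dirAllowed"
DEFAULT_HANDLER = "org.eclipse.jetty.server.handler.DefaultHandler"

def _local(tag):  # drop the web.xml namespace prefix, e.g. "{http://...}servlet"
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def dir_listing_disabled(web_xml):
    """True if the descriptor sets dirAllowed=false, either as the context-wide
    init-parameter (option 2 above) or as an init-param on the servlet named
    'default' (option 1). Tag local names are matched, so the namespace does not matter."""
    for elem in ET.fromstring(web_xml).iter():
        tag = _local(elem.tag)
        if tag == "context-param" and _child_text(elem, "param-name") == DIR_ALLOWED_CTX_PARAM:
            return _child_text(elem, "param-value") == "false"
        if tag == "servlet" and _child_text(elem, "servlet-name") == "default":
            for ip in elem:
                if _local(ip.tag) == "init-param" and _child_text(ip, "param-name") == "dirAllowed":
                    return _child_text(ip, "param-value") == "false"
    return False  # nothing found: Jetty's built-in default (dirAllowed=true) applies

def show_contexts_disabled(jetty_xml):
    """True if a Jetty XML file configures DefaultHandler with showContexts=false (option A)."""
    root = ET.fromstring(jetty_xml)
    if root.tag != "Configure" or root.get("class") != DEFAULT_HANDLER:
        return False
    return any(s.get("name") == "showContexts" and (s.text or "").strip() == "false"
               for s in root.findall("Set"))

# Constructed sample inputs (not files taken from the question or answer).
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""
TWEAK_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
  <Set name="showContexts">false</Set>
</Configure>"""
```

Run it over each ${jetty.base}/webapps/*/WEB-INF/web.xml and the etc/*.xml files listed in start.d/*.ini to confirm the hardening actually landed in JETTY_BASE rather than in a read-only JETTY_HOME.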
