ServletExec Self-Help: FAQ

FAQ ID: 151
Product: ServletExec
Category: JSP, Security, Web Application
Question: If I request a JSP page that does not exist I receive a response in my browser which discloses the absolute path to my web server's document root or to the document root of my web application. Isn't this a security risk?
Answer: Perhaps.
If you are concerned by this, then you have a few different choices to resolve it:
  1. If you are using a Web Application, then map the 404 status code to whatever resource you wish on the Error Pages mapping page of your web app's admin UI. This is the best option since it is fully spec-compliant and therefore portable. Be certain that your "Location" value begins with a slash (/); otherwise the mapping won't work.
  2. Use the errorPage init parameter with the JspServlet (named "JSP10Servlet" for SE versions prior to SE 5.0) so that it will no longer use the default response which discloses the path. Note that if you are running within a Web Application, this means you would need to configure the JspServlet inside your web app. It would need to map to:
    • com.newatlanta.servletexec.JspServlet (SE 5.x and newer)
    • com.newatlanta.servletexec.JSP10Servlet (SE 4.x and older)

    and its configuration will only "stick" if you give it at least one init parameter (in this case you would use the errorPage init parameter).
    Note that this method will not protect against the case where people invoke the JspServlet (or JSP10Servlet) directly as in:
    since that URI causes the JSP engine to run in its non-configured state (no init parameters). To prevent that, please apply the techniques described in SE FAQ #354.
  3. If you are not using a web application, but are instead using what we term the "Legacy Context", then use the Main ServletExec Admin UI to set a Global error page that will be used for the entire ServletExec Virtual Server. This would be done on the "Configure Server" subpage of the "Manage Servers" admin page. This option is only valid for ServletExec 4.2 and older. The Main Admin UI of SE 5.x may present you with the ability to configure a global error page as described above, but doing so will have no effect in SE 5.x (SE 6.x removes this setting on that main admin page).

    If you can't use the SE 4.2 admin UI to do this then edit the file (inside the ServletExecData folder) and then bounce SE.
    For example if the name of the SE Virtual Server is "default" and the error page URI being configured is "/yo.jsp" then this line in that file:
    would be changed to:

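Options 1 and 2 above, written out in a web application's deployment descriptor as an added example (not taken from the ServletExec documentation). The servlet class and the errorPage parameter name come from this FAQ; the servlet name, the *.jsp mapping and the /errors/notfound.html location are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml of a hypothetical web application.
     Add the DOCTYPE or schema declaration that matches the Servlet
     specification version your ServletExec release supports. -->
<web-app>

  <!-- Option 2: configure the JSP engine inside the web app so it no longer
       uses the default response that discloses the path.
       Use com.newatlanta.servletexec.JSP10Servlet on SE 4.x and older. -->
  <servlet>
    <servlet-name>JspServlet</servlet-name> <!-- assumed name -->
    <servlet-class>com.newatlanta.servletexec.JspServlet</servlet-class>
    <!-- At least one init parameter is required for the configuration
         to "stick"; errorPage is the one this FAQ names. -->
    <init-param>
      <param-name>errorPage</param-name>
      <!-- Assumed value: a static page, so the error response does not
           itself depend on the JSP engine. -->
      <param-value>/errors/notfound.html</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>JspServlet</servlet-name>
    <url-pattern>*.jsp</url-pattern> <!-- assumed mapping -->
  </servlet-mapping>

  <!-- Option 1: the portable, spec-compliant mapping of status 404.
       The location must begin with a slash or the mapping is ignored. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/notfound.html</location>
  </error-page>

</web-app>
```

After deploying, request a JSP name that does not exist and confirm the response body is the custom page and contains no filesystem path.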