I've got a site with some administrative pages in its root directory. Question: Is there any possible way for a visitor to see all the pages and/or subdirectories in the root directory of this (or any other) site?
If yes, what has to be done to conceal the directory's content?
Thank you!
You can set this permission in the web server. For IIS there is a enable directory browsing property that can be set on website, virtual directories and applications.
For Apache:
In httpd.conf search for Options, if Indexes is present Directory browsing is enabled else it is disabled
Options All Indexes FollowSymLinks MultiViews (Directory browsing Enabled)
Options All FollowSymLinks MultiViews (Directory browsing Disabled)
It depends on what server you are using. For example, for jetty, you can use a context file (in xml) to conceal/hide a directory's content...
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Call class="org.eclipse.jetty.util.log.Log" name="debug">
<Arg>Configure sarbot_files.xml</Arg>
</Call>
<Set name="contextPath">/some_context</Set>
<Set name="resourceBase">/path/to/files</Set>
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.ResourceHandler">
<!-- Set to true or false here -->
<Set name="directoriesListed">true</Set>
<Set name="welcomeFiles">
<Array type="String">
<Item>index.html</Item>
</Array>
</Set>
<Set name="cacheControl">max-age=3600,public</Set>
</New>
</Set>
</Configure>
Related
I have an application that's deployed on wildfly on a centos server.
I have two other applications that access a page of my application using iframe. What I access that I page, that's all I see in console:
1 Refused to display 'APP_URL' in a frame because it set 'X-Frame-Options' to 'deny'.
I know the reason behind this all and I want to allow my wildfly web-server to allow it from my 2 domains like this
X-Frame-Options: ALLOW-FROM https://example.com/
where can I configure this setting in wildfly? I know about apache server, it's done in httpd.conf file but I want to do this in wildfly.
I've configured the "SAMEORIGIN" option in wildlfy once. I suppose the "ALLOW-FROM" should be pretty similar.
You need to make this change in the undertow subsystem of Standalone.xml.
You should find the below settings in your xml.
<subsystem xmlns="urn:jboss:domain:undertow:1.0">
<buffer-caches>
<buffer-cache name="default" buffer-size="1024"
buffers-per-region="1024" max-regions="10" />
</buffer-caches>
<server name="default-server">
<http-listener name="default" socket-binding="http" />
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" />
</host>
**<filter-ref name="xFrameOptions" />**
</server>
<servlet-container name="default"
default-buffer-cache="default" stack-trace-on-error="local-only">
<jsp-config />
<persistent-sessions />
</servlet-container>
<handlers>
<file name="welcome-content"
path="${jboss.home.dir}/welcome-content" directory-listing="true" />
</handlers>
**<filters>
<response-header name="xFrameOptions"
header-name="X-Frame-Options"
header-value="allow-from https://example.com/" />
</filters>**
</subsystem>
Make sure, you add the filter-reference and then use the reference to add the X-Frame-Options for response-header.
You can do this by manually editing the standalone.xml or by using jboss-cli.
Thanks,
Kamal
I am running .net core 1.1, nuget 3.5, and hosting packages on VS team services.
I looked into transformations here: https://learn.microsoft.com/en-us/nuget/create-packages/source-and-config-file-transformations,
But I need a solution for json files, not config files.
I read that you can use an install.ps1 script to include the file, but I also read that install.ps1 is deprecated.
What is the current method for including json configuration files in a nuget package?
Try to use <files> node in the .nuspec file. Example from here:
<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
<metadata>
<!-- ... -->
</metadata>
<files>
<!-- Add a readme -->
<file src="readme.txt" target="" />
<!-- Add files from an arbitrary folder that's not necessarily in the project -->
<file src="..\..\SomeRoot\**\*.*" target="" />
</files>
</package>
In /opt/jetty/webapps, I have test.xml under directory w. I have this test.xml in contexts directory:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.eclipse.org/configure.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Set name="contextPath">/w</Set>
<Set name="resourceBase">/opt/java/webapps/w/</Set>
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.ResourceHandler">
<Set name="welcomeFiles">
<Array type="String">
<Item>test.xml</Item>
</Array>
</Set>
<Set name="cacheControl">max-age=3600,public</Set>
</New>
</Set>
</Configure>
Why Can't I read http://host/w/test.xml?
Your question is a bit confusing, as you mention test.xml twice, and in two different directories.
Anyway, this is a basic example of setting up what you want, using the standard jetty-distribution-8.1.9.v20130131.tar.gz available at download.eclipse.org/jetty/.
The deployable context
Create a file called contexts/w.xml with the following content
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.eclipse.org/configure.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
<Set name="contextPath">/w</Set>
<Set name="resourceBase"><SystemProperty name="jetty.home" default="."/>/w/</Set>
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.ResourceHandler">
<Set name="welcomeFiles">
<Array type="String">
<Item>test.xml</Item>
<Item>index.html</Item>
</Array>
</Set>
<Set name="cacheControl">max-age=3600,public</Set>
</New>
</Set>
</Configure>
Notes:
${jetty.home} points to whatever your /path/to/jetty-distribution-8.1.9.v20130131/ is
This context points to a directory named ${jetty.home}/w/, which is not in the webapps directory, this is intentional, as the webapps directory is for standalone Java Servlet or Java EE webapps, either in archive form, or in an exploded deployable form. Since you are using ContextHandler and ResourceHandler your deployable does not meet these requirements.
The content
In the ${jetty.home}/w/ directory create a few files.
$ mkdir /path/to/jetty-distribution-8.1.9.v20130131/w
$ echo "<h1>Hello World</h1>" > /path/to/jetty-distribution-8.1.9.v20130131/w/index.html
Testing it
Start Jetty
$ cd /path/to/jetty-distribution-8.1.9.v20130131
$ java -jar start.jar
Open up a browser and test it
http://localhost:8080/w/
I try to move some services from my Tomcat Server to Jetty, just to make some comparisons. Obviously I don't want to change my services, but I experiment some issues to deploy them with JDBC.
My services all use the same database to access datas, so I wrote my own library to make my requests. The services don't have any informations about the database, they just know they have to use the library. In this library I make connections with the database using this kind of code:
InitialContext ictx = new InitialContext();
Context envCtx = (Context) ictx.lookup("java:comp/env");
DataSource ds = (DataSource) envCtx.lookup("jdbc/mysql");
In Tomcat my services work well just adding a line in context.xml:
<Resource auth="Container" driverClassName="com.mysql.jdbc.Driver" maxActive="100" maxIdle="30" maxWait="10000" name="jdbc/mysql" username="login" password="password" type="javax.sql.DataSource" url="jdbc:mysql://localhost:3306/mysql" />
So I just want to do the same in Jetty. I added the following block in my jetty.xml:
<New id="mysql" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg></Arg>
<Arg>jdbc/mysql</Arg>
<Arg>
<New class="org.apache.commons.dbcp.BasicDataSource">
<Set name="driverClassName">com.mysql.jdbc.Driver</Set>
<Set name="url">jdbc:mysql://localhost:3306/mysql</Set>
<Set name="username">login</Set>
<Set name="password">password</Set>
</New>
</Arg>
</New>
The server starts well and seem to work, but I get an error when I try to access to my services. In jetty's manual I found it's explictly written that I have to add some informations in web.xml like:
<resource-ref>
<description>My DataSource Reference</description>
<res-ref-name>jdbc/DSTest</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
So I wonder if there is any other solution, than write the same lines in all my web.xml services' files? Like adding a common xml file for all my server with the same informations ?
You can add it to the webdefault.xml that is used as the foundation for processing web.xml.
This file is typically located in etc/webdefault.xml of the distribution.
cheers
I need my css to show for my login page, but it's not showing at the moment. How would I go about allowing access to my login page with the css included? Im using forms authentication, and my code block for my web.config file looks as such:
<authentication mode="Forms">
<forms loginUrl="UserAccount/Login" defaultUrl="UserAccount/Index" timeout="60"></forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
My site.css is in my /Content/Site.css path. How do I add it to allow access to this file to all users?
the <deny users="?"/> denies anonymous users from accessing the css file. (read here)
so you'll need to put the following into your <configuration> block within web.config
<location path="Content">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
you can read some more about this here
I work this out by the followings steps:
IIS Manager
Authentication
Right Click Anonymous Authentication.
Switch to application pool identity
Stumbled across this, cause I needed the same thing. Here is a solution:
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
As is writer here (I used the link from the previous answer) this will give the unauthenticated user access to all the files in the Content folder, and the css file is in this folder.
P.S. sorry guys, this is the same as the previous answer, just ignore this