Would Servlet 3 annotations enable secret backdoor access?

Developer https://www.devze.com 2023-01-10 18:05 Source: web

I hope people don't mind me asking a question which is slightly future gazing. Please forgive me if my understanding is incorrect (and please put me right!). Servlet 3 introduces several new annotations including:

@WebServlet

@WebFilter

@WebListener

and also a something called web-fragment.xml. These all seem to be aimed at making it possible to deploy servlets, filters and listeners without having to edit web.xml.

Does that mean that if I included a JAR file from an unscrupulous provider that they could surface servlets, filters and listeners in my web applications without my knowledge?


Maybe, maybe not. (I don't know for sure). But if you are worried about things that unscrupulous providers might do in their JARs, there are a whole bunch of other nasty things they could do in plain old Java. If you are worried about this kind of thing, you really need to insist on getting source code, and you need to do a thorough audit of the code before you let it onto your production servers.


They could, but the issue here is not in the specification: it's in running untrusted code. If you allow a jar that you don't trust to load and run, then it could potentially do things that are a lot worse than surfacing a servlet.


You can use an <absolute-ordering> element in the main web.xml deployment descriptor to list only the jar files in WEB-INF/lib that you want to be automatically analyzed for annotations and web-fragment.xml descriptors during deployment.

If you do so, the content of web-fragments or annotated classes in other JAR files is not deployed automatically.


You will be able to control this process, quote from here:

The Servlet 3.0 specification also provides an option for instructing the Web Container, whether the container should process the annotations defined on the web components. The name of the element is metadata-complete and it is a child element of web-app element. The metadata-complete element indicates whether the meta-data information available in the deployment descriptor is complete. So, if the value for the metadata-complete element is set to a value of true, then it means that the meta information found in the deployment descriptor is complete and eventually the annotations defined on the web components will be ignored by the Servlet Container. If the value for metadata-complete is set to false, then it means that the information in the deployment descriptor is not complete and web components decorated with annotations, if any, should be scanned and processed by the Web Container.
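The two controls described in the answers above, `<absolute-ordering>` and `metadata-complete`, can be checked mechanically before a WAR goes out. The script below is an added example, not code from the question, the answers or any project; it builds a constructed WEB-INF layout (a trusted fragment JAR, an unvetted vendor fragment JAR and a plain JAR with no descriptor), then reports which JARs the container would process. The rules it applies follow Servlet 3.0 spec section 8.2: `<absolute-ordering>` matches the `<name>` declared inside each JAR's web-fragment.xml (not the JAR file name), unlisted JARs are skipped entirely unless `<others/>` is present, and `metadata-complete="true"` disables both annotation scanning and web-fragment processing. The JAR names, fragment names and the placeholder class entry are all constructed for the example.

```python
"""Audit which JARs in WEB-INF/lib a Servlet 3 container would scan for
@WebServlet/@WebFilter/@WebListener annotations and web-fragment.xml
descriptors, given the web.xml controls absolute-ordering and metadata-complete.
The WEB-INF fixture below is constructed for this example; it is not a real project."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Constructed web.xml: allow-lists only the fragment named "trusted"; no <others/>.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"
         metadata-complete="{complete}">
  <absolute-ordering>
    <name>trusted</name>
  </absolute-ordering>
</web-app>
"""

# Constructed web-fragment.xml template; the <name> is what absolute-ordering matches.
FRAGMENT = """<web-fragment xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <name>{name}</name>
</web-fragment>
"""


def _strip_ns(root):
    # Drop XML namespaces so the same lookups work for the Servlet 3.0
    # (java.sun.com) and 3.1+ (xmlns.jcp.org) schemas.
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def fragment_name(jar_path):
    """Name from META-INF/web-fragment.xml; '' if the fragment is unnamed; None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/web-fragment.xml" not in zf.namelist():
            return None
        root = _strip_ns(ET.fromstring(zf.read("META-INF/web-fragment.xml")))
        name = root.find("name")
        return name.text.strip() if name is not None and name.text else ""


def audit(web_inf):
    """Map each JAR in WEB-INF/lib to 'processed' or an 'ignored (...)' reason."""
    web_app = _strip_ns(ET.parse(os.path.join(web_inf, "web.xml")).getroot())
    if web_app.get("metadata-complete", "false").lower() == "true":
        # Spec 8.2.3: annotations and every web-fragment.xml are ignored outright.
        rule = lambda name: "ignored (metadata-complete=true)"
    else:
        ordering = web_app.find("absolute-ordering")
        if ordering is None:
            # No allow-list: every fragment and every annotated class is deployed.
            rule = lambda name: "processed"
        else:
            allowed = {n.text.strip() for n in ordering.findall("name") if n.text}
            others = ordering.find("others") is not None

            def rule(name):
                # Unnamed JARs (name '' or None) can only be admitted via <others/>.
                if name in allowed or others:
                    return "processed"
                return "ignored (not listed in absolute-ordering)"
    lib = os.path.join(web_inf, "lib")
    return {jar: rule(fragment_name(os.path.join(lib, jar)))
            for jar in sorted(os.listdir(lib)) if jar.endswith(".jar")}


def build_fixture(web_inf, metadata_complete=False):
    """Construct a WEB-INF with a trusted fragment JAR, a vendor fragment JAR and a plain JAR."""
    lib = os.path.join(web_inf, "lib")
    os.makedirs(lib)
    with open(os.path.join(web_inf, "web.xml"), "w", encoding="utf-8") as f:
        f.write(WEB_XML.format(complete=str(metadata_complete).lower()))
    jars = {"trusted-lib.jar": "trusted", "vendor-lib.jar": "vendor", "plain.jar": None}
    for jar, name in jars.items():
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            zf.writestr("com/example/Placeholder.class", b"")  # stand-in for compiled classes
            if name:
                zf.writestr("META-INF/web-fragment.xml", FRAGMENT.format(name=name))


def run_demo(metadata_complete=False):
    """Build the constructed fixture in a temp dir and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        web_inf = os.path.join(tmp, "WEB-INF")
        build_fixture(web_inf, metadata_complete)
        return audit(web_inf)


if __name__ == "__main__":
    for jar, verdict in run_demo().items():
        print(f"{jar}: {verdict}")
```

Run against a real exploded WAR by calling `audit("/path/to/app/WEB-INF")`; any JAR reported as "processed" that you did not deliberately allow-list is one whose servlets, filters and listeners the container will register for you. The script only reads descriptors; it does not parse class-file annotations, so a JAR with no web-fragment.xml still shows up as "processed" when no `<absolute-ordering>` is present, which is exactly the case the question worries about.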

