NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Configuring NSJSP
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
The server.xml File
There is a potential drawback to setting unpackWARs to false. A web
application's static content will be read from the WAR file directly, instead of from
the otherwise exploded directory. It is recommended that all static content be
served by the iTP Secure WebServer and not by NSJSP.
deployXML
Set this attribute to false to disable parsing of the context.xml file
embedded inside the application (located at /META-INF/context.xml).
Security-conscious environments should set this to false to prevent applications
from interacting with the container's configuration. The administrator will then be
responsible for providing an external context configuration file in
NSJSP_HOME/conf/[enginename]/[hostname]/.
Setting this attribute to true will allow the NSJSP container to deploy the
application using the context.xml file in the application’s META-INF directory.
This means that the application can define its own context. There are certain
parameters in the context definition that could allow a rogue application to gain
access to the NSJSP servlet container's internal resources and also to other
applications running alongside the rogue application. The following attributes can
be exploited by a rogue application:
crossContext
If this value is set to true, calls to
javax.servlet.ServletContext.getContext(<context uri>) will return
the ServletContext of the application with the context name <context uri>. This
means that the caller will have access to contexts for other applications
running on the same Host. Although the default value is false, the application
can still set this attribute to true and gain access to other applications'
contexts.
privileged
If this value is set to true, the application is treated as a privileged
application and will have access to all the internal classes of NSJSP along with
certain container applications, such as the Manager application classes.
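An added example, not part of this guide or of NSJSP: a pre-deployment check an administrator could run over a WAR file when deployXML is true, flagging an embedded /META-INF/context.xml that sets crossContext or privileged. The function names and the in-memory sample WAR are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Context attributes the guide names as exploitable when set to true.
RISKY_ATTRIBUTES = ("crossContext", "privileged")
EMBEDDED_CONTEXT = "META-INF/context.xml"


def audit_war(war):
    """Return findings for the context.xml embedded in a WAR (path or binary file object)."""
    with zipfile.ZipFile(war) as archive:
        if EMBEDDED_CONTEXT not in archive.namelist():
            return []  # nothing embedded, so nothing for deployXML to parse
        raw = archive.read(EMBEDDED_CONTEXT)
    if b"<!DOCTYPE" in raw:
        # Do not feed entity declarations from an untrusted WAR to the parser.
        return ["DOCTYPE present in embedded context.xml: review manually"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"unparseable {EMBEDDED_CONTEXT}: {exc}"]
    findings = []
    for name in RISKY_ATTRIBUTES:
        # Conservative match: ignore case and surrounding whitespace.
        if root.get(name, "false").strip().lower() == "true":
            findings.append(f'{name}="true"')
    return findings


def build_sample_war(context_xml=None):
    """Build a constructed in-memory WAR for the demonstration."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        if context_xml is not None:
            archive.writestr(EMBEDDED_CONTEXT, context_xml)
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    rogue = build_sample_war('<Context crossContext="true" privileged="true"/>')
    print("rogue WAR:", audit_war(rogue))
    print("plain WAR:", audit_war(build_sample_war()))
```

A WAR that produces findings can be rejected, or deployed with deployXML set to false and an administrator-written context file placed under NSJSP_HOME/conf/[enginename]/[hostname]/.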
Child Element Nested in the Host Element
The request tracker Valve is configured as a child element in the Host element.
Valve Element
A Valve element represents a component that will be inserted into the request
processing pipeline for a container. A Valve element can be configured as a child
element of an Engine, Host or a Context. The following valves are
configured in the default server.xml file:
Request Tracker Valve
The class name of this valve is
com.hp.tandem.nsjsp.valves.RequestTrackerValve. This valve