Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding safety checks for FileResource references with null characters. 

* Adding testcase for Jsp + DefaultServlet w/aliasing turned on
  with null characters in the request url.
* Adding validateUri() method to FileResource
This commit is contained in:
Joakim Erdfelt 2012-12-27 11:44:19 -07:00
parent 2591ceb8f5
commit 9009f6abbf
6 changed files with 875 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
jetty-util/src/main/java/org/eclipse/jetty/util/resource/FileResource.java
View File

@ -75,6 +75,37 @@ public class FileResource extends URLResource
return __checkAliases;
}
/**
* Perform some basic validation of the characters in the string for invalid
* codepoints and null characters.
*
* @param str the string to validate
* @throws URISyntaxException thrown if invalid characters are encountered
*/
private static final String validateUri(String str) throws URISyntaxException
{
if (str == null)
{
return str;
}
int len = str.length();
int codepoint;
for (int i = 0; i < len; i++)
{
codepoint = str.codePointAt(i);
if (codepoint == 0)
{
throw new URISyntaxException(str,"Encountered NULL character");
}
if (Character.isISOControl(codepoint))
{
throw new URISyntaxException(str,"Encountered ISO Control Code");
}
}
return str;
}
/* -------------------------------------------------------- */
public FileResource(URL url)
throws IOException, URISyntaxException
@ -84,8 +115,23 @@ public class FileResource extends URLResource
try
{
// Try standard API to convert URL to file.
/* Note:
* If the passed in URL has a null at the end of the string, then
* url.toExternalForm() and url.toString() strip that knowledge out.
* Which can lead to false positives for .exists() calls.
*
* The URL should be validated in parts, then passed to the File object.
*/
validateUri(url.getFile());
validateUri(url.getPath());
_file =new File(new URI(url.toString()));
}
catch (URISyntaxException e)
{
throw e;
}
catch (Exception e)
{
LOG.ignore(e);
@ -98,7 +144,7 @@ public class FileResource extends URLResource
if (uri.getAuthority()==null)
_file = new File(uri);
else
_file = new File("//"+uri.getAuthority()+URIUtil.decodePath(url.getFile()));
_file = new File(validateUri("//"+uri.getAuthority()+URIUtil.decodePath(url.getFile())));
}
catch (Exception e2)
{

97
jetty-util/src/test/java/org/eclipse/jetty/util/resource/FileResourceTest.java Normal file
View File

@ -0,0 +1,97 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.util.resource;
import static org.hamcrest.Matchers.*;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import org.eclipse.jetty.toolchain.test.TestingDir;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.UrlEncoded;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
public class FileResourceTest
{
@Rule
public TestingDir testdir = new TestingDir();
private URI createDummyFile(String name) throws IOException
{
File file = testdir.getFile(name);
file.createNewFile();
return file.toURI();
}
private URL decode(URL url) throws MalformedURLException
{
String raw = url.toExternalForm();
String decoded = UrlEncoded.decodeString(raw,0,raw.length(),StringUtil.__UTF8);
return new URL(decoded);
}
@Test
public void testExist_Normal() throws Exception
{
createDummyFile("a.jsp");
URI ref = testdir.getDir().toURI().resolve("a.jsp");
FileResource fileres = new FileResource(decode(ref.toURL()));
Assert.assertThat("FileResource: " + fileres,fileres.exists(),is(true));
}
@Ignore("Cannot get null to be seen by FileResource")
@Test
public void testExist_BadNull() throws Exception
{
createDummyFile("a.jsp");
try {
// request with null at end
URI ref = testdir.getDir().toURI().resolve("a.jsp%00");
FileResource fileres = new FileResource(decode(ref.toURL()));
Assert.assertThat("FileResource: " + fileres,fileres.exists(),is(false));
} catch(URISyntaxException e) {
// Valid path
}
}
@Test
public void testExist_BadNullX() throws Exception
{
createDummyFile("a.jsp");
try {
// request with null and x at end
URI ref = testdir.getDir().toURI().resolve("a.jsp%00x");
FileResource fileres = new FileResource(decode(ref.toURL()));
Assert.assertThat("FileResource: " + fileres,fileres.exists(),is(false));
} catch(URISyntaxException e) {
// Valid path
}
}
}

11
test-jetty-webapp/pom.xml
View File

@ -214,5 +214,16 @@
<version>1.2</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-test-helper</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jsp</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>

172
test-jetty-webapp/src/test/java/org/eclipse/jetty/JspMatchingTest.java Normal file
View File

@ -0,0 +1,172 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty;
import static org.hamcrest.Matchers.*;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.webapp.WebAppContext;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
public class JspMatchingTest
{
private static Server server;
private static URI serverURI;
@BeforeClass
public static void startServer() throws Exception
{
server = new Server();
SelectChannelConnector connector = new SelectChannelConnector();
connector.setPort(0);
server.addConnector(connector);
// Configure LoginService
HashLoginService login = new HashLoginService();
login.setName("Test Realm");
File realmFile = MavenTestingUtils.getTestResourceFile("realm.properties");
login.setConfig(realmFile.getAbsolutePath());
server.addBean(login);
// Configure WebApp
HandlerList handlers = new HandlerList();
ContextHandlerCollection contexts = new ContextHandlerCollection();
WebAppContext context = new WebAppContext();
File webappBase = MavenTestingUtils.getProjectDir("src/main/webapp");
Resource resBase = Resource.newResource(webappBase);
context.setBaseResource(resBase);
File aliasedWebDefault = MavenTestingUtils.getTestResourceFile("webdefault-with-aliases.xml");
context.setDefaultsDescriptor(aliasedWebDefault.getAbsolutePath());
context.setContextPath("/");
server.setHandler(handlers);
handlers.addHandler(contexts);
contexts.addHandler(context);
server.start();
serverURI = new URI("http://localhost:" + connector.getLocalPort() + "/");
}
@AfterClass
public static void stopServer() throws Exception
{
server.stop();
}
@Test
public void testGetBeanRef() throws Exception
{
URI uri = serverURI.resolve("/jsp/bean1.jsp");
HttpURLConnection conn = null;
try
{
conn = (HttpURLConnection)uri.toURL().openConnection();
Assert.assertThat(conn.getResponseCode(),is(200));
System.err.printf("Response Code: %d%n", conn.getResponseCode());
// make sure that jsp actually ran, and didn't just get passed onto
// the default servlet to return the jsp source
String body = getResponseBody(conn);
Assert.assertThat("Body", body, not(containsString("<%@")));
Assert.assertThat("Body", body, not(containsString("<jsp:")));
}
finally
{
close(conn);
}
}
@Test
public void testGetBeanRefInvalid_null() throws Exception
{
URI uri = serverURI.resolve("/jsp/bean1.jsp%00");
HttpURLConnection conn = null;
try
{
conn = (HttpURLConnection)uri.toURL().openConnection();
Assert.assertThat(conn.getResponseCode(),is(404));
System.err.printf("Response Code: %d%n", conn.getResponseCode());
}
finally
{
close(conn);
}
}
@Test
public void testGetBeanRefInvalid_nullx() throws Exception
{
URI uri = serverURI.resolve("/jsp/bean1.jsp%00x");
HttpURLConnection conn = null;
try
{
conn = (HttpURLConnection)uri.toURL().openConnection();
Assert.assertThat(conn.getResponseCode(),is(404));
System.err.printf("Response Code: %d%n", conn.getResponseCode());
}
finally
{
close(conn);
}
}
protected String getResponseBody(HttpURLConnection conn) throws IOException
{
InputStream in = null;
try
{
in = conn.getInputStream();
return IO.toString(in);
}
finally
{
IO.close(in);
}
}
private void close(HttpURLConnection conn)
{
conn.disconnect();
}
}

21
test-jetty-webapp/src/test/resources/realm.properties Normal file
View File

@ -0,0 +1,21 @@
#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
# <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed. The class
# org.eclipse.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
jetty: MD5:164c88b302622e17050af52c89945d44,user
admin: CRYPT:adpexzg3FUZAk,server-administrator,content-administrator,admin
other: OBF:1xmk1w261u9r1w1c1xmq,user
plain: plain,user
user: password,user
# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password
digest: MD5:6e120743ad67abfbc385bc2bb754e297,user

527
test-jetty-webapp/src/test/resources/webdefault-with-aliases.xml Normal file
View File

@ -0,0 +1,527 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- ===================================================================== -->
<!-- This file contains the default descriptor for web applications. -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- The intent of this descriptor is to include jetty specific or common -->
<!-- configuration for all webapps. If a context has a webdefault.xml -->
<!-- descriptor, it is applied before the contexts own web.xml file -->
<!-- -->
<!-- A context may be assigned a default descriptor by: -->
<!-- + Calling WebApplicationContext.setDefaultsDescriptor -->
<!-- + Passed an arg to addWebApplications -->
<!-- -->
<!-- This file is used both as the resource within the jetty.jar (which is -->
<!-- used as the default if no explicit defaults descriptor is set) and it -->
<!-- is copied to the etc directory of the Jetty distro and explicitly -->
<!-- by the jetty.xml file. -->
<!-- -->
<!-- ===================================================================== -->
<web-app
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
metadata-complete="true"
version="2.5"
>
<description>
Default web.xml file.
This file is applied to a Web application before it's own WEB_INF/web.xml file
</description>
<!-- ==================================================================== -->
<!-- Removes static references to beans from javax.el.BeanELResolver to -->
<!-- ensure webapp classloader can be released on undeploy -->
<!-- ==================================================================== -->
<listener>
<listener-class>org.eclipse.jetty.servlet.listener.ELContextCleaner</listener-class>
</listener>
<!-- ==================================================================== -->
<!-- Removes static cache of Methods from java.beans.Introspector to -->
<!-- ensure webapp classloader can be released on undeploy -->
<!-- ==================================================================== -->
<listener>
<listener-class>org.eclipse.jetty.servlet.listener.IntrospectorCleaner</listener-class>
</listener>
<!-- ==================================================================== -->
<!-- Context params to control Session Cookies -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!--
UNCOMMENT TO ACTIVATE <context-param> <param-name>org.eclipse.jetty.servlet.SessionDomain</param-name> <param-value>127.0.0.1</param-value> </context-param> <context-param>
<param-name>org.eclipse.jetty.servlet.SessionPath</param-name> <param-value>/</param-value> </context-param> <context-param> <param-name>org.eclipse.jetty.servlet.MaxAge</param-name>
<param-value>-1</param-value> </context-param>
-->
<!-- ==================================================================== -->
<!-- The default servlet. -->
<!-- This servlet, normally mapped to /, provides the handling for static -->
<!-- content, OPTIONS and TRACE methods for the context. -->
<!-- The following initParameters are supported: -->
<!--
* acceptRanges If true, range requests and responses are
* supported
*
* dirAllowed If true, directory listings are returned if no
* welcome file is found. Else 403 Forbidden.
*
* welcomeServlets If true, attempt to dispatch to welcome files
* that are servlets, but only after no matching static
* resources could be found. If false, then a welcome
* file must exist on disk. If "exact", then exact
* servlet matches are supported without an existing file.
* Default is true.
*
* This must be false if you want directory listings,
* but have index.jsp in your welcome file list.
*
* redirectWelcome If true, welcome files are redirected rather than
* forwarded to.
*
* gzip If set to true, then static content will be served as
* gzip content encoded if a matching resource is
* found ending with ".gz"
*
* resourceBase Set to replace the context resource base
*
* resourceCache If set, this is a context attribute name, which the servlet
* will use to look for a shared ResourceCache instance.
*
* relativeResourceBase
* Set with a pathname relative to the base of the
* servlet context root. Useful for only serving static content out
* of only specific subdirectories.
*
* aliases If True, aliases of resources are allowed (eg. symbolic
* links and caps variations). May bypass security constraints.
*
* maxCacheSize The maximum total size of the cache or 0 for no cache.
* maxCachedFileSize The maximum size of a file to cache
* maxCachedFiles The maximum number of files to cache
*
* useFileMappedBuffer
* If set to true, it will use mapped file buffer to serve static content
* when using NIO connector. Setting this value to false means that
* a direct buffer will be used instead of a mapped file buffer.
* By default, this is set to true.
*
* cacheControl If set, all static content will have this value set as the cache-control
* header.
-->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
<init-param>
<param-name>aliases</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>acceptRanges</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>dirAllowed</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>welcomeServlets</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>redirectWelcome</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>maxCacheSize</param-name>
<param-value>256000000</param-value>
</init-param>
<init-param>
<param-name>maxCachedFileSize</param-name>
<param-value>200000000</param-value>
</init-param>
<init-param>
<param-name>maxCachedFiles</param-name>
<param-value>2048</param-value>
</init-param>
<init-param>
<param-name>gzip</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>useFileMappedBuffer</param-name>
<param-value>true</param-value>
</init-param>
<!--
<init-param>
<param-name>resourceCache</param-name>
<param-value>resourceCache</param-value>
</init-param>
-->
<!--
<init-param>
<param-name>cacheControl</param-name>
<param-value>max-age=3600,public</param-value>
</init-param>
-->
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- ==================================================================== -->
<!-- JSP Servlet -->
<!-- This is the jasper JSP servlet from the jakarta project -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- The JSP page compiler and execution servlet, which is the mechanism -->
<!-- used by Glassfish to support JSP pages. Traditionally, this servlet -->
<!-- is mapped to URL patterh "*.jsp". This servlet supports the -->
<!-- following initialization parameters (default values are in square -->
<!-- brackets): -->
<!-- -->
<!-- checkInterval If development is false and reloading is true, -->
<!-- background compiles are enabled. checkInterval -->
<!-- is the time in seconds between checks to see -->
<!-- if a JSP page needs to be recompiled. [300] -->
<!-- -->
<!-- compiler Which compiler Ant should use to compile JSP -->
<!-- pages. See the Ant documenation for more -->
<!-- information. [javac] -->
<!-- -->
<!-- classdebuginfo Should the class file be compiled with -->
<!-- debugging information? [true] -->
<!-- -->
<!-- classpath What class path should I use while compiling -->
<!-- generated servlets? [Created dynamically -->
<!-- based on the current web application] -->
<!-- Set to ? to make the container explicitly set -->
<!-- this parameter. -->
<!-- -->
<!-- development Is Jasper used in development mode (will check -->
<!-- for JSP modification on every access)? [true] -->
<!-- -->
<!-- enablePooling Determines whether tag handler pooling is -->
<!-- enabled [true] -->
<!-- -->
<!-- fork Tell Ant to fork compiles of JSP pages so that -->
<!-- a separate JVM is used for JSP page compiles -->
<!-- from the one Tomcat is running in. [true] -->
<!-- -->
<!-- ieClassId The class-id value to be sent to Internet -->
<!-- Explorer when using <jsp:plugin> tags. -->
<!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] -->
<!-- -->
<!-- javaEncoding Java file encoding to use for generating java -->
<!-- source files. [UTF-8] -->
<!-- -->
<!-- keepgenerated Should we keep the generated Java source code -->
<!-- for each page instead of deleting it? [true] -->
<!-- -->
<!-- logVerbosityLevel The level of detailed messages to be produced -->
<!-- by this servlet. Increasing levels cause the -->
<!-- generation of more messages. Valid values are -->
<!-- FATAL, ERROR, WARNING, INFORMATION, and DEBUG. -->
<!-- [WARNING] -->
<!-- -->
<!-- mappedfile Should we generate static content with one -->
<!-- print statement per input line, to ease -->
<!-- debugging? [false] -->
<!-- -->
<!-- -->
<!-- reloading Should Jasper check for modified JSPs? [true] -->
<!-- -->
<!-- suppressSmap Should the generation of SMAP info for JSR45 -->
<!-- debugging be suppressed? [false] -->
<!-- -->
<!-- dumpSmap Should the SMAP info for JSR45 debugging be -->
<!-- dumped to a file? [false] -->
<!-- False if suppressSmap is true -->
<!-- -->
<!-- scratchdir What scratch directory should we use when -->
<!-- compiling JSP pages? [default work directory -->
<!-- for the current web application] -->
<!-- -->
<!-- tagpoolMaxSize The maximum tag handler pool size [5] -->
<!-- -->
<!-- xpoweredBy Determines whether X-Powered-By response -->
<!-- header is added by generated servlet [false] -->
<!-- -->
<!-- If you wish to use Jikes to compile JSP pages: -->
<!-- Set the init parameter "compiler" to "jikes". Define -->
<!-- the property "-Dbuild.compiler.emacs=true" when starting Jetty -->
<!-- to cause Jikes to emit error messages in a format compatible with -->
<!-- Jasper. -->
<!-- If you get an error reporting that jikes can't use UTF-8 encoding, -->
<!-- try setting the init parameter "javaEncoding" to "ISO-8859-1". -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<servlet
id="jsp"
>
<servlet-name>jsp</servlet-name>
<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
<init-param>
<param-name>logVerbosityLevel</param-name>
<param-value>DEBUG</param-value>
</init-param>
<init-param>
<param-name>fork</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>xpoweredBy</param-name>
<param-value>false</param-value>
</init-param>
<!--
<init-param>
<param-name>classpath</param-name>
<param-value>?</param-value>
</init-param>
-->
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspf</url-pattern>
<url-pattern>*.jspx</url-pattern>
<url-pattern>*.xsp</url-pattern>
<url-pattern>*.JSP</url-pattern>
<url-pattern>*.JSPF</url-pattern>
<url-pattern>*.JSPX</url-pattern>
<url-pattern>*.XSP</url-pattern>
</servlet-mapping>
<!-- ==================================================================== -->
<!-- Dynamic Servlet Invoker. -->
<!-- This servlet invokes anonymous servlets that have not been defined -->
<!-- in the web.xml or by other means. The first element of the pathInfo -->
<!-- of a request passed to the envoker is treated as a servlet name for -->
<!-- an existing servlet, or as a class name of a new servlet. -->
<!-- This servlet is normally mapped to /servlet/* -->
<!-- This servlet support the following initParams: -->
<!-- -->
<!-- nonContextServlets If false, the invoker can only load -->
<!-- servlets from the contexts classloader. -->
<!-- This is false by default and setting this -->
<!-- to true may have security implications. -->
<!-- -->
<!-- verbose If true, log dynamic loads -->
<!-- -->
<!-- * All other parameters are copied to the -->
<!-- each dynamic servlet as init parameters -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!--
Uncomment for dynamic invocation <servlet> <servlet-name>invoker</servlet-name> <servlet-class>org.eclipse.jetty.servlet.Invoker</servlet-class> <init-param> <param-name>verbose</param-name>
<param-value>false</param-value> </init-param> <init-param> <param-name>nonContextServlets</param-name> <param-value>false</param-value> </init-param> <init-param>
<param-name>dynamicParam</param-name> <param-value>anyValue</param-value> </init-param> <load-on-startup>0</load-on-startup> </servlet> <servlet-mapping> <servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern> </servlet-mapping>
-->
<!-- ==================================================================== -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<!-- ==================================================================== -->
<!-- Default MIME mappings -->
<!-- The default MIME mappings are provided by the mime.properties -->
<!-- resource in the org.eclipse.jetty.server.jar file. Additional or modified -->
<!-- mappings may be specified here -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- UNCOMMENT TO ACTIVATE
<mime-mapping>
<extension>mysuffix</extension>
<mime-type>mymime/type</mime-type>
</mime-mapping>
-->
<!-- ==================================================================== -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!-- ==================================================================== -->
<locale-encoding-mapping-list>
<locale-encoding-mapping>
<locale>ar</locale>
<encoding>ISO-8859-6</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>be</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>bg</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>ca</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>cs</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>da</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>de</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>el</locale>
<encoding>ISO-8859-7</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>en</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>es</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>et</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>fi</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>fr</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>hr</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>hu</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>is</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>it</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>iw</locale>
<encoding>ISO-8859-8</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>ja</locale>
<encoding>Shift_JIS</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>ko</locale>
<encoding>EUC-KR</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>lt</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>lv</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>mk</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>nl</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>no</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>pl</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>pt</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>ro</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>ru</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sh</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sk</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sl</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sq</locale>
<encoding>ISO-8859-2</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sr</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>sv</locale>
<encoding>ISO-8859-1</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>tr</locale>
<encoding>ISO-8859-9</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>uk</locale>
<encoding>ISO-8859-5</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>zh</locale>
<encoding>GB2312</encoding>
</locale-encoding-mapping>
<locale-encoding-mapping>
<locale>zh_TW</locale>
<encoding>Big5</encoding>
</locale-encoding-mapping>
</locale-encoding-mapping-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Disable TRACE</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>