November 16, 2022
Question

Disable JSP functionality on CF2021

  • November 16, 2022
  • 3 replies
  • 2803 views

Hi,

I read that you can disable JSP at least on CF 9 - https://www.3gpp2.org/cfdocs/htmldocs/Installing/WSf01dbd23413dda0e5753779b11fae614009-8000.html

by commenting out 

<!-- 
<servlet-mapping> 
<servlet-name>JspLicenseServlet</servlet-name> 
<url-pattern>*.jsp</url-pattern> 
</servlet-mapping> 
--> in  cf_root\WEB-INF\web.xml.

We are using the same website to host CF and Confluence (confluence runs jsp) with a URL rewrite rule
to redirect to a different port which works fine as long as the url does not have .jsp in it...
but if the url does have .jsp in it CF takes over and tries to process the page so
we want to disable CF from taking over.
The issue is that I can't find JspLicenseServlet in cf_root\WEB-INF\web.xml.
Our web.xml is attached.

 



 


    BKBK
    Community Expert
    November 21, 2022

    I would advise you NOT to disable JSP functionality in ColdFusion 2021. Especially not for the reason you've given.

     

    JSP is a vital part of ColdFusion 2021's engine, with intricate connections and dependencies all over. If you tamper with just one part, you will run the risk of causing a malfunction elsewhere. I would say that the probability of that happening is close to 100%.

     

    Besides, in software analysis and design terms, disabling ColdFusion's JSP is not a good solution to the problem. Why not, you may ask.

     

    Because it is not ColdFusion's responsibility that the client requests JSP (GRASP). So, you should find a way to ensure that such JSP requests are (re)directed to the Confluence server.


    Charlie Arehart
    Community Expert
    November 21, 2022

    Some good points, BKBK, though I'd contend strongly with your main point. 

     

    1) First, you say "JSP is a vital part of ColdFusion 2021's engine, with intricate connections and dependencies all over"?

     

    You may be confusing here jsps with servlets. It's indeed true that all cf request processing is based on servlet processing (though the average cf developer would never know it, as it's completely under the covers, as reflected in that web.xml referred to earlier).

     

    But as far as I know, the only non-custom use of jsps in cf is how some very-low level error messages are presented via jsp pages, which are usually tomcat rather than cf errors.

     

    They're still important, of course. And that may well be a reason to be WARY of making the changes discussed here. But until we have proof of the grave dangers you speak of, your assertion may be overstated.

     

    2) But then there's the fact the cf docs do still discuss disabling jsps (for those who may want to), as I discussed in my first reply above. That current doc page makes no warning of the sort you do.

     

    3) So Gabriel, have you tried what I posed in my Nov 17 reply regarding the uriworkermap.properties file?

     

    Indeed, if anything, that one change alone may suffice--and not have the risks that BKBK wants to warn us of. 

     

    4) Finally, he makes a good point on trying to find a way simply to ensure that confluence alone gets the jsp requests and not cf. That too could seemingly be handled at the web server level. Can't you set up a site/virtual host that handles requests to that (perhaps using a different domain or subdomain)?

     

    If you do that, you'd need to not use the "all sites" feature of the cf web server configuration tool (wsconfig), which would implement only one numbered wsconfig folder (and properties file) that would be used by all sites. Instead, you'd need a separate connector for each site--which has been an option in the wsconfig tool since cf2016.

     

    Hope you'll let us know where things stand, Gabriel. 

    /Charlie (troubleshooter, carehart. org)
    BKBK
    Community Expert
    November 22, 2022

    Thanks for your remark, Charlie.

    No, I'm not confusing JSP with servlets. By JSP I mean "JSP functionality", the subject of the question.

    Charlie Arehart
    Community Expert
    November 17, 2022

    Gabriel, in case somehow it got lost in the shuffle, please notice that I offered a reply earlier this morning that proposed a DIFFERENT solution for you than my first. It's offered as a reply to your responding to my first suggestion. Here's a link to it above

     

    Also, I just edited your original post to put all that XML into a file that is attached instead, just to clean things up for anyone else trying to follow along in the post. BTW, we who are recognized by Adobe as "Community Experts" have the authority to make edits like that. I very RARELY do it, as I'm sure some would find it off-putting, but since your XML there was SO much, I felt it was worth doing and also that you'd not likely mind. 🙂

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    November 17, 2022

    I MAY be able to help. While I haven't done what you seek, I can say first that the doc page you refer to being for CF9 is a challenge, as there was indeed a BIG change in the file and folder structure between CF9 and earlier as compared to CF10 and later.

     

    Second, while there is such a WEB-INF/web.xml file in the later CF versions, that's not the one holding what you seek. And you may have noticed that doc page mentioned also a default-web.xml that ALSO had the JSP settings, but that is no longer in CF10 and above at all.

     

    Instead, there is indeed a web.xml, in \ColdFusion2021\cfusion\runtime\conf\, which DOES have a similar set of xml regarding JSP processing:

    <!-- The mapping for the JSP servlet -->
    
    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspx</url-pattern>
    </servlet-mapping>

    Granted, the servlet-name is not the "JspLicenseServlet" value, but that name is not significant. The rest is, as you can see clearly it has the url-pattern for *.jsp. So try commenting all THAT out, and then restart CF. (Note that when commenting out XML, you use 2 dashes rather than 3 as in CFML. Indeed, I'd recommend you first copy off the file before touching it, to recover if needed--or if your editor undo feature fails you for any reason.)

     

    Finally, just before I sent this, I thought to look to see if the current CF docs have this same section that you found, with that heading "Disable JSP functionality". It's on this page, naming the same file I found. Sadly, that CURRENT CF doc page DOES refer (in its STEPS) to that "JspLicenseServlet" as being the servlet-name, but then it quotes the exact code I do above, which clearly does NOT use that name.

    (And oddly, that does not come up in a google search for: disable coldfusion jsp, if that may be what you searched for. That old page at www.3gpp2.org DID come up first. This new doc page doesn't appear even within the top 60 results, despite having those 3 words multiple times on the page, albeit separately. Who can figure Google's search algorithm?) 

     

    So anyway, all this seems to confirm that the steps I've proposed SHOULD do what you want, so let us know how that goes. There may well be more to it than these docs indicate, or more that is indicated by the specific challenge you have.

    /Charlie (troubleshooter, carehart. org)
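
An added example, not part of the original posts and not Adobe's code: a small Python check that reports which `servlet-mapping` entries in a web.xml still map `*.jsp` or `*.jspx` after the edit described in the reply above. The two sample documents and the function name are constructed for illustration; the check covers only what the file maps, not what a web server connector forwards.

```python
import xml.etree.ElementTree as ET

JSP_PATTERNS = {"*.jsp", "*.jspx"}

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}servlet-mapping'."""
    return tag.rsplit("}", 1)[-1]

def active_jsp_mappings(web_xml_text):
    """Return (servlet-name, url-pattern) pairs that still map JSP URLs.

    The default ElementTree parser discards XML comments, so a mapping
    wrapped in <!-- ... --> is not reported.
    """
    root = ET.fromstring(web_xml_text)
    hits = []
    for el in root.iter():
        if local(el.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in el:
            text = (child.text or "").strip()
            if local(child.tag) == "servlet-name":
                name = text
            elif local(child.tag) == "url-pattern":
                patterns.append(text)
        hits.extend((name, p) for p in patterns if p.lower() in JSP_PATTERNS)
    return hits

# Constructed sample input, modelled on the mapping quoted in the reply.
MAPPING = """<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
</servlet-mapping>"""
TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<!-- The mapping for the JSP servlet -->
{mapping}
</web-app>"""
BEFORE = TEMPLATE.format(mapping=MAPPING)
AFTER = TEMPLATE.format(mapping="<!--\n" + MAPPING + "\n-->")

if __name__ == "__main__":
    print("before edit:", active_jsp_mappings(BEFORE))
    print("after edit: ", active_jsp_mappings(AFTER))
```
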
    Inspiring
    November 17, 2022

    Thanks Charlie but unfortunately that didn't have the expected results.  I should have said what I am trying to do is stop CF from listening for .jsp in the URL, in other words it is not enough to just disable jsp functionality, what I need is for CF to stop responding to those requests and that didn't happen when I commented out the relevant section in \ColdFusion2021\cfusion\runtime\conf\web.xml.  Instead I continued to get a 404 page and the error below:

    <%=(request.getAttribute("javax.servlet.error.status_code")!=null)? request.getAttribute("javax.servlet.error.status_code"):"Error" %>

     

    Community Expert
    November 17, 2022

    Unfortunately, I don't think you're going to be able to do that. Modern versions of CF send EVERY URL to CF from the web server. The file extension is irrelevant if CF is configured properly. At that point, CF looks at the URL and figures out whether it can process it or whether it should just be sent back to the web server for handling. The list of URL patterns that are listed in web.xml (and if you're on IIS, the IIS metabase XML files) are secondary, and only used if the primary method of connecting fails. I used to know more about this than I do now, but I still remember this.

     

    Instead, I would recommend you set up two separate web virtual servers, one for CF and the other for other processors. You might even need more than two, but you'll need at least two I think. You can do that within one IIS install. Then, run the connector and point it to one of the IIS virtual servers only. You'll probably have to run the connector first to disconnect it from the existing virtual servers, so do that too.

     

    Dave Watts, Eidolon LLC