The question: will this be a bad idea?
Is there a security concern related to leaving the JSP subsystem's development mode on in a production server?
Yes, that is a bad idea.
Mostly from a performance point of view, as the server cannot optimize and cache resources and is always checking for modifications.
Security-wise it is also not the best, but given that this could only be exploited once an attacker gains shell access to your server, this would be the least of your issues...
Intrigued by your response above, I created this sandbox: GitHub - bungrudi/JspPerformanceTest (Simple webapp intended to be stress tested).
Unfortunately I have hit a problem in which I seem unable to turn off development mode in Jastow: How to turn off JSP hot deploy?
However, I did try in Tomcat 8.5.23 and there seems to be no difference in performance between development mode turned on and off.
Once I am able to compare the result in Wildfly 10.1.0.Final I will update again.
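An added example, not from this thread or from the WildFly project, of what turning development mode off looks like in the undertow subsystem of a WildFly 10.1 standalone.xml; the subsystem namespace version and the CLI address in the comment are assumptions to check against your own configuration, while the jsp-config attribute names are the documented ones.

```xml
<!-- Added example (not from the thread). Namespace version assumed; take it from
     your own standalone.xml. -->
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <servlet-container name="default">

        <!-- Development mode (hot deploy): on every request the container stats the
             .jsp source and recompiles it if it changed. modification-test-interval="0"
             means "check on every request". This is the behaviour the thread warns
             about: a .jsp that lands in the deployment gets compiled and executed
             without a redeployment. Shown commented out for comparison only. -->
        <!--
        <jsp-config development="true" modification-test-interval="0"/>
        -->

        <!-- Production: no per-request modification checks and no recompilation of
             changed .jsp files. check-interval only applies when development="false";
             leaving it at 0 also disables the background recompile thread, so a new or
             changed JSP only takes effect through a proper redeployment. -->
        <jsp-config development="false" check-interval="0"/>

        <!-- Same change from jboss-cli (resource address as I know it; confirm with
             :read-resource before relying on it):
             /subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=development,value=false)
             /subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=check-interval,value=0)
        -->
    </servlet-container>
</subsystem>
```

The Tomcat equivalent, for the 8.5.23 comparison mentioned above, is the `development` init-param of the JspServlet in conf/web.xml, which Tomcat ships set to true.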
I seem to recall an unsecured HTTP PUT in JBoss 5 where the attacker could upload a JSP and write it to the deployment folder. With hot deploy enabled they could then hit their own code as the user that owned the JBoss process. Following a series of crafty buffer overflows root could be obtained. Regardless of whether you think they need console access, hot deployment in production is a very, very bad idea. That's just experience talking. It's not what you are thinking about that will get you owned. It's what you haven't thought of.
That's a very good point, Nathan. If the server allows arbitrary file uploads, it should be checking if the file is a JSP file and reject it... Otherwise, development mode could treat it as a new JSP file to be run.