1. Re: JSP hot deploy in production, good or bad idea?
ctomc Oct 19, 2017 7:11 AM (in response to bungrudi)
The question: will this be a bad idea? Is there a security concern related to leaving the JSP subsystem's development mode on in a production server?
Yes, that is a bad idea.
Mostly from a performance point of view, as the server cannot optimize and cache resources and is always checking for modifications.
Security-wise it is also not the best, but given that this could only be exploited once an attacker gains shell access to your server, this would be the least of your issues....
2. Re: JSP hot deploy in production, good or bad idea?
bungrudi Oct 25, 2017 3:19 AM (in response to ctomc)
Hi Tomaz,
Intrigued by your response above, I created this sandbox: GitHub - bungrudi/JspPerformanceTest (Simple webapp intended to be stress tested).
Unfortunately I am hit by a problem in which I seem unable to turn off development mode in Jastow: How to turn off JSP hot deploy?
However, I did try in Tomcat 8.5.23 and there seems to be no difference in performance between development mode turned on and off.
Once I am able to compare the result in Wildfly 10.1.0.Final I will update again.
3. Re: JSP hot deploy in production, good or bad idea?
gir489 Oct 25, 2017 1:00 PM (in response to bungrudi)
How does jsp-config development work?
You can reference my thread for how development mode in Jastow works. We found no performance hit when using development mode in production.
4. Re: JSP hot deploy in production, good or bad idea?
nathandennis Oct 25, 2017 1:27 PM (in response to bungrudi)
I seem to recall an unsecured HTTP PUT in JBoss 5 where the attacker could upload a JSP and write it to the deployment folder. With hot deploy enabled they could then hit their own code as the user that owned the JBoss process. Following a series of crafty buffer overflows, root could be obtained. Regardless of whether you think they need console access, hot deployment in production is a very, very bad idea. That's just experience talking. It's not what you are thinking about that will get you owned. It's what you haven't thought of.
5. Re: JSP hot deploy in production, good or bad idea?
gir489 Oct 25, 2017 2:24 PM (in response to bungrudi)
That's a very good point, Nathan. If the server allows arbitrary file uploads, it should be checking if the file is a JSP file and reject it... Otherwise, development mode could treat it as a new JSP file to be run.
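The check gir489 describes, as an added example that is not code from this thread or from WildFly/Jastow: a name validator an upload handler would apply before writing anything to disk, rejecting JSP-type extensions in any case variant or position (so "shell.jsp.txt" is refused too), path traversal and null bytes, and confirming the resolved path stays inside an upload root that is not a deployment directory. The class, method names and the /var/uploads location are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added example: validate an uploaded file name before it reaches disk.
// Not taken from the thread or from WildFly/Jastow; class and method
// names are assumptions for illustration. Requires Java 9+ for Set.of.
public final class UploadNameCheck {

    // Extensions a JSP-capable container may compile or execute if they
    // land under a deployment directory with hot deploy enabled.
    private static final Set<String> EXECUTABLE = Set.of(
            "jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar", "class");

    // Returns true only if the name is safe to write into the upload store.
    public static boolean isAcceptableName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) return false;
        // Reject path separators, traversal and null bytes outright.
        if (name.contains("/") || name.contains("\\") || name.contains("..")
                || name.indexOf('\0') >= 0) return false;
        // Check every dotted segment, not just the last one, so that
        // "shell.jsp.txt" and "shell.JSP" are both rejected.
        String[] parts = name.toLowerCase(Locale.ROOT).split("\\.");
        for (int i = 1; i < parts.length; i++) {
            if (EXECUTABLE.contains(parts[i])) return false;
        }
        return true;
    }

    // Resolve the final path and confirm it stays inside the upload root,
    // which itself must never be a container deployment directory.
    public static Path resolveInside(Path uploadRoot, String name) {
        if (!isAcceptableName(name)) {
            throw new IllegalArgumentException("rejected upload name: " + name);
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(name).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/uploads"); // assumed location, outside deployments/
        for (String n : new String[] {"report.pdf", "shell.jsp", "shell.JSP.txt", "../x.png"}) {
            System.out.println(n + " -> " + isAcceptableName(n));
        }
        System.out.println(resolveInside(root, "report.pdf"));
    }
}
```

Extension checks are only a first gate; the upload root should also be served without JSP compilation and the web container user should have no write access to the deployment directory.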