Outdated: Hijacking Servlet Converted from JSP

JSP Tutorials - Herong's Tutorial Examples

∟Outdated: Hijacking Servlet Converted from JSP

This section provides a tutorial example on how to hijack the JSP-to-Servlet conversion process on Tomcat 4.1.18 by placing your own Servlet class in the 'work' folder.

One interesting thing you can do with Tomcat 4 is to hijack the JSP-to-Servlet conversion process, by placing your a different Servlet class in the "work" folder so it behaves differently than the original JSP page.

First write this JSP page, fake.jsp, and save it to \local\jakarta-tomcat-4.1.18\webapps\ROOT:

<!--
 - fake.jsp
 - Copyright (c) HerongYang.com. All Rights Reserved.
-->
<html><body>
This a faked JSP page.
The real content will come from the output of the JSP Servlet class.
</body></html>

Then, write the following JSP Servlet class, fake_jsp.java: and save it to \local\jakarta-tomcat-4.1.18\work\standalone\localhost\_:

/**
 * fake_jsp.java
 * Copyright (c) HerongYang.com. All Rights Reserved.
 */
package org.apache.jsp;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import org.apache.jasper.runtime.*;
public class fake_jsp extends HttpJspBase {
  public java.util.List getIncludes() {
    return null;
  }
  public void _jspService(HttpServletRequest request,
    HttpServletResponse response)
    throws java.io.IOException, ServletException {
    JspFactory _jspxFactory = null;
    javax.servlet.jsp.PageContext pageContext = null;
    JspWriter out = null;
    try {
      _jspxFactory = JspFactory.getDefaultFactory();
      response.setContentType("text/html;charset=ISO-8859-1");
      pageContext = _jspxFactory.getPageContext(this, request,
         response, null, true, 8192, true);
      out = pageContext.getOut();
      out.write("<html>");
      out.write("<body>\r\n");
      out.println("Hello world! - From Servlet");
      out.write("\r\n");
      out.write("</body>");
      out.write("</html>");
    } catch (Throwable t) {
      if (out != null && out.getBufferSize() != 0)
        out.clearBuffer();
      if (pageContext != null) pageContext.handlePageException(t);
    } finally {
      if (_jspxFactory != null)
        _jspxFactory.releasePageContext(pageContext);
    }
  }
}

Compile this class with JDK 1.3.1:

cd \local\jakarta-tomcat-4.1.18\work\standalone\localhost\_
set classpath=..\..\..\..\common\lib\servlet.jar
\local\jdk1.3.1\bin\javac fake_jsp.java

Now, run IE with url: http://localhost:8080/fake.jsp. Guess what you will get on the IE window? The text from the fake.jsp page, or the output of fake_jsp.java?

You should see the output of fake_jsp.java. Tomcat has been fooled by the file names and time stamps. When Tomcat receives a HTTP request for fake.jsp, it will look for fake_jsp.class at the JSP Servlet directory. Since fake_jsp.class is there and has newer time stamp than fake.jsp, it will assume fake_jsp.class is the latest class translated from fake.jsp, and execute it immediately.

Be aware that if you modify fake.jsp and save it back. The next time when Tomcat receives a request for fake.jsp, it will translate the new fake.jsp and replace both fake_jsp.java and fake_jsp.class. The original fake_jsp.java will be gone.