java, tomcat, liferay, tiles, apache-tiles

tiles-definitions for Apache Tiles: can we use HTTPS?


Below is sample code from one of my tiles.xml files

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE tiles-definitions PUBLIC
       "-//Apache Software Foundation//DTD Tiles Configuration 2.1//EN"
       "http://tiles.apache.org/dtds/tiles-config_2_1.dtd">

<tiles-definitions>
  <!-- definition elements go here -->
</tiles-definitions>

Here, if you notice, the URL starts with http://. Even in the official documentation, the example is written like this: https://tiles.apache.org/framework/tutorial/basic/pages.html

Now, the problem is that I am using Tomcat 9 with Liferay 7.4. On my Tomcat server in production, I need to disable all traffic (inbound + outbound) on port 80. Once I do that, I get the error below from my application at runtime:

ERROR com.liferay.portletmvc4spring.DispatcherPortlet - Could not complete request
org.apache.tiles.definition.DefinitionsFactoryException: I/O Error reading definitions.
        at org.apache.tiles.definition.digester.DigesterDefinitionsReader.read(DigesterDefinitionsReader.java:331) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.BaseLocaleUrlDefinitionDAO.loadDefinitionsFromResource(BaseLocaleUrlDefinitionDAO.java:150) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.loadRawDefinitionsFromResources(CachingLocaleUrlDefinitionDAO.java:239) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.loadRawDefinitionsFromResources(CachingLocaleUrlDefinitionDAO.java:230) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.loadRawDefinitionsFromResources(CachingLocaleUrlDefinitionDAO.java:230) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.loadDefinitionsFromResources(CachingLocaleUrlDefinitionDAO.java:208) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.loadDefinitions(CachingLocaleUrlDefinitionDAO.java:197) ~[tiles-core-3.0.8.jar:3.0.8]
        at org.apache.tiles.definition.dao.ResolvingLocaleUrlDefinitionDAO.loadDefinitions(ResolvingLocaleUrlDefinitionDAO.java:68) ~[tiles-core-3.0.8.jar:3.0.8]

I am thinking that Tomcat is trying to download the definitions file from this URL dynamically when the application loads the JSP, and at that time, as port 80 is blocked, it gives this exception.

So, my questions are:

  1. What is a graceful way of handling this if the documentation itself mentions http://?
  2. Why doesn't everyone face a similar issue if this is the case?

Solution

  • Apache Tiles 2.1 is an ancient release, and the entire Tiles project has been retired since 2018. Maybe they never got to implement XML external entity vulnerability prevention. I recommend migrating to a newer, supported framework.

    In the meantime, you could download the DTD file into your project and reference it with a local URL instead of a remote one.

    Another option is to just change the URL to HTTPS: https://tiles.apache.org/dtds/tiles-config_2_1.dtd, which is working right now, at least while the Apache Foundation doesn't shut down the site. You cannot depend on external resources being online forever, especially with a retired project.
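As an added example (not the asker's code and not Tiles' own DigesterDefinitionsReader, which is the class in the stack trace), the program below shows the two defensive choices behind the answer's "local copy" suggestion, using plain JAXP on a constructed tiles.xml that carries the same DOCTYPE as the question. A JAXP parser with default settings follows the DOCTYPE system ID over the network, which is the outbound dependency the question ran into. The first function tells the parser not to load the external DTD at all; the second serves the DTD from a downloaded copy (the file path is an assumption, passed in on the command line) and refuses every other external reference instead of fetching it.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: parse a Tiles definitions file without ever fetching its DTD over the network. */
public class OfflineTilesDtd {

    /** Public ID from the DOCTYPE shown in the question; the system ID there is the remote http:// URL. */
    static final String TILES_21_PUBLIC_ID =
            "-//Apache Software Foundation//DTD Tiles Configuration 2.1//EN";

    /** Constructed sample definitions file (not a real project file). */
    static final String SAMPLE_TILES_XML = String.join("\n",
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
            "<!DOCTYPE tiles-definitions PUBLIC",
            "       \"" + TILES_21_PUBLIC_ID + "\"",
            "       \"http://tiles.apache.org/dtds/tiles-config_2_1.dtd\">",
            "<tiles-definitions>",
            "  <definition name=\"example.page\" template=\"/WEB-INF/views/layout.jsp\">",
            "    <put-attribute name=\"title\" value=\"Example\"/>",
            "  </definition>",
            "</tiles-definitions>");

    /** Counts <definition> elements; the external DTD is never loaded, so no network access can happen. */
    static int countDefinitionsIgnoringDtd(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Xerces feature honoured by the JDK's built-in parser: skip the external DTD subset entirely.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Standard SAX features: never expand external general or parameter entities (XXE hardening).
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return parse(factory.newSAXParser(), xml, null);
    }

    /**
     * Counts <definition> elements while serving the DTD from a downloaded local copy.
     * Any other external reference is rejected instead of being fetched.
     */
    static int countDefinitionsWithLocalDtd(String xml, Path localDtd) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return parse(factory.newSAXParser(), xml, localDtd);
    }

    private static int parse(SAXParser parser, String xml, Path localDtd) throws Exception {
        int[] count = {0};
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                if (localDtd != null && TILES_21_PUBLIC_ID.equals(publicId)) {
                    InputSource local = new InputSource(Files.newInputStream(localDtd));
                    local.setPublicId(publicId);
                    local.setSystemId(systemId);
                    return local;
                }
                // Unknown external entity: fail closed rather than open an outbound connection.
                throw new SAXException("refusing to resolve external entity: " + systemId);
            }

            @Override
            public void startElement(String uri, String localName, String qName, Attributes attrs) {
                if ("definition".equals(qName)) {
                    count[0]++;
                }
            }
        };
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("definitions (DTD ignored): " + countDefinitionsIgnoringDtd(SAMPLE_TILES_XML));
        if (args.length == 1) {
            // args[0]: path to a copy of tiles-config_2_1.dtd downloaded into the project (assumption).
            System.out.println("definitions (local DTD): "
                    + countDefinitionsWithLocalDtd(SAMPLE_TILES_XML, Paths.get(args[0])));
        }
    }
}
```

Run it with no argument to see the parse succeed with port 80 blocked, and with the path of a downloaded tiles-config_2_1.dtd to see the local-copy variant. The resolver in the second variant is the part worth carrying into any XML loader you control: map the one public ID you expect to a file you ship, and throw on everything else, so a definitions file that points at a different URL fails loudly instead of opening a connection from the production server.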