The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.94, Apr 10 2019
Apache Logo

Links

User Guide

Reference

Apache Tomcat Development

SSI How To

Table of Contents
Introduction

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

Within Tomcat SSI support can be added when using Tomcat as your HTTP server and you require SSI support. Typically this is done during development when you don't want to run a web server like Apache.

Tomcat SSI support implements the same SSI directives as Apache. See the Apache Introduction to SSI for information on using SSI directives.

SSI support is available as a servlet and as a filter. You should use one or the other to provide SSI support but not both.

Servlet based SSI support is implemented using the class org.apache.catalina.ssi.SSIServlet. Traditionally, this servlet is mapped to the URL pattern "*.shtml".

Filter based SSI support is implemented using the class org.apache.catalina.ssi.SSIFilter. Traditionally, this filter is mapped to the URL pattern "*.shtml", though it can be mapped to "*" as it will selectively enable/disable SSI processing based on mime types. The contentType init param allows you to apply SSI processing to JSP pages, javascript, or any other content you wish.

By default SSI support is disabled in Tomcat.

Installation

CAUTION - SSI directives can be used to execute programs external to the Tomcat JVM. If you are using the Java SecurityManager this will bypass your security policy configuration in catalina.policy.

To use the SSI servlet, remove the XML comments from around the SSI servlet and servlet-mapping configuration in $CATALINA_BASE/conf/web.xml.

To use the SSI filter, remove the XML comments from around the SSI filter and filter-mapping configuration in $CATALINA_BASE/conf/web.xml.

Only Contexts which are marked as privileged may use SSI features (see the privileged property of the Context element).

Servlet Configuration

There are several servlet init parameters which can be used to configure the behaviour of the SSI servlet.

  • buffered - Should output from this servlet be buffered? (0=false, 1=true) Default 0 (false).
  • debug - Debugging detail level for messages logged by this servlet. Default 0.
  • expires - The number of seconds before a page with SSI directives will expire. Default behaviour is for all SSI directives to be evaluated for every request.
  • isVirtualWebappRelative - Should "virtual" SSI directive paths be interpreted as relative to the context root, instead of the server root? Default false.
  • inputEncoding - The encoding to be assumed for SSI resources if one cannot be determined from the resource itself. Default is the default platform encoding.
  • outputEncoding - The encoding to be used for the result of the SSI processing. Default is UTF-8.
  • allowExec - Is the exec command enabled? Default is false.

Filter Configuration

There are several filter init parameters which can be used to configure the behaviour of the SSI filter.

  • contentType - A regex pattern that must be matched before SSI processing is applied. When crafting your own pattern, don't forget that a mime content type may be followed by an optional character set in the form "mime/type; charset=set" that you must take into account. Default is "text/x-server-parsed-html(;.*)?".
  • debug - Debugging detail level for messages logged by this servlet. Default 0.
  • expires - The number of seconds before a page with SSI directives will expire. Default behaviour is for all SSI directives to be evaluated for every request.
  • isVirtualWebappRelative - Should "virtual" SSI directive paths be interpreted as relative to the context root, instead of the server root? Default false.
  • allowExec - Is the exec command enabled? Default is false.

Directives

Server Side Includes are invoked by embedding SSI directives in an HTML document whose type will be processed by the SSI servlet. The directives take the form of an HTML comment. The directive is replaced by the results of interpreting it before sending the page to the client. The general form of a directive is:

<!--#directive [parm=value] -->

The directives are:

  • config - <!--#config errmsg="Error occured" sizefmt="abbrev" timefmt="%B %Y" --> Used to set SSI error message, the format of dates and file sizes processed by SSI.
    All are optional but at least one must be used. The available options are as follows:
    errmsg - error message used for SSI errors
    sizefmt - format used for sizes in the fsize directive
    timefmt - format used for timestamps in the flastmod directive
  • echo - <!--#echo var="VARIABLE_NAME" encoding="entity" --> will be replaced by the value of the variable.
    The optional encoding parameter specifies the type of encoding to use. Valid values are entity (default), url or none. NOTE: Using an encoding other than entity can lead to security issues.
  • exec - <!--#exec cmd="file-name" --> Used to run commands on the host system.
  • exec - <!--#exec cgi="file-name" --> This acts the same as the include virtual directive, and doesn't actually execute any commands.
  • include - <!--#include file="file-name" --> inserts the contents. The path is interpreted relative to the document where this directive is being used, and IS NOT a "virtual" path relative to either the context root or the server root.
  • include - <!--#include virtual="file-name" --> inserts the contents. The path is interpreted as a "virtual" path which is relative to either the context root or the server root (depending on the isVirtualWebappRelative parameter).
  • flastmod - <!--#flastmod file="filename.shtml" --> Returns the time that a file was last modified. The path is interpreted relative to the document where this directive is being used, and IS NOT a "virtual" path relative to either the context root or the server root.
  • flastmod - <!--#flastmod virtual="filename.shtml" --> Returns the time that a file was last modified. The path is interpreted as a "virtual" path which is relative to either the context root or the server root (depending on the isVirtualWebappRelative parameter).
  • fsize - <!--#fsize file="filename.shtml" --> Returns the size of a file. The path is interpreted relative to the document where this directive is being used, and IS NOT a "virtual" path relative to either the context root or the server root.
  • fsize - <!--#fsize virtual="filename.shtml" --> Returns the size of a file. The path is interpreted as a "virtual" path which is relative to either the context root or the server root (depending on the HTTP/1.1 403 Forbidden Content-Type: text/html Content-Length: 134 Connection: close 403 Forbidden

    403 Forbidden