Posted to users@tomcat.apache.org by Surya Suravarapu <su...@villanova.edu> on 2002/03/21 05:57:18 UTC

Apache/Tomcat security issue -- URGENT

I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.

I have a context called WebApp whose docBase="E:\WebApp". So, when I 
point my browser to http://localhost/WebApp/main it will take me to the 
login screen of the application.

There is a folder called "Reports" in my E:\WebApp. Some part of my 
application is using Response.sendRedirect() and displaying the 
requested file (from the Reports folder) to the browser. That's fine. I 
want to show the files from that folder only through the application, 
and I have to configure my web server in such a way that it denies 
requests if a user enters the file name manually, like 
http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
have a solution for this.

Thanks.
-Surya


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: Apache/Tomcat security issue -- URGENT

Posted by todd tredeau <to...@wisernet.com>.
This is sort of easy... of course you run your site through Apache... 
which in turn does this connection....

deny from all "somedirectory"

in your application or code...

include something from "somedirectory"

todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site
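
A point worth keeping in mind with the approach above: sendRedirect() makes the browser fetch /WebApp/Reports/... itself, so an Apache "deny from all" on that directory blocks the application's own redirects as well as manually typed URLs. The servlet below is an added example (not code from the original thread or from either poster) that takes the other route: the report files are assumed to have been moved to WEB-INF/reports, which Tomcat never serves directly, and the application redirects to this servlet (assumed mapped to /report in web.xml, with a "user" session attribute assumed to be set by the login screen) instead of to the file.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Serves files from WEB-INF/reports (assumed location) to logged-in users only. */
public class ReportServlet extends HttpServlet {
    // Session attribute assumed to be set by the application's login screen.
    private static final String USER_ATTR = "user";

    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No session or no logged-in user: refuse before touching the file system.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String name = req.getParameter("name");
        if (name == null || name.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Files under WEB-INF are never served directly by Tomcat; this servlet is the only route.
        File base = new File(getServletContext().getRealPath("/WEB-INF/reports"));
        File target = new File(base, name);
        // Canonical paths resolve ".." and links; refuse anything outside the reports directory.
        String basePath = base.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(basePath) || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(target.getName());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLength((int) target.length());
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

With this in place the application calls sendRedirect("/WebApp/report?name=some-file.xls") rather than redirecting to the file, and a URL typed by hand without a logged-in session gets a 403.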
