Posted to users@tomcat.apache.org by Sachin Patel <sa...@yahoo.com> on 2007/01/23 17:58:16 UTC

tomcat Webapp security.

I have a web application with functionality to upload files to one of the folders inside it and to access them using a direct link URL.

Now I am wondering, if someone uploads a .jsp file, how would I stop Tomcat from compiling and running that file when someone requests it using the direct link? I want to treat it as a file, not a page.

Is there any configuration that will stop that file from configuring? Just like the execute scripts permission on an IIS directory.



Re: tomcat Webapp security.

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David and Sachin,

David Smith wrote:
> The best method I can think of is to store the jsp in a directory
> outside your tomcat and outside your webapp.  Then configure the path to
> the storage in either the context.xml or web.xml for your webapp and use
> a ServletContextListener to load up an application scope attribute with
> the path.  Lastly a slightly modified version of the default servlet
> could offer up the jsp files as type text/plain.  The benefits of
> storing the files in a location outside tomcat and the webapp include
> easy upgrade of both and inhibiting execution of the jsp.

Another option is to place your uploaded files in a particular
subdirectory and then configure the JSP servlet to ignore that
directory. Or probably more appropriately, configure that directory to
serve everything through the generic servlet that just does static content.

-chris

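One way to set up the second option Chris describes, as an added example that is not from the thread: a fragment for the webapp's own WEB-INF/web.xml. It assumes uploads land under /uploads/ inside the webapp and that the static-content servlet is registered under the name `default`, as it is in Tomcat's conf/web.xml.

```xml
<!-- Added example web.xml fragment (not from the thread).
     Assumption: uploaded files are stored under <webapp>/uploads/. -->

<!-- Route every request below /uploads/ to Tomcat's built-in static-content
     servlet. The servlet specification resolves a path mapping (/uploads/*)
     before an extension mapping (*.jsp), so the JspServlet mapped in
     conf/web.xml never sees /uploads/anything.jsp; DefaultServlet streams
     the file's bytes instead of compiling and executing them. -->
<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/uploads/*</url-pattern>
</servlet-mapping>

<!-- Deliver JSP source as plain text rather than leaving the browser to
     guess a type, in line with the text/plain suggestion in the thread.
     JSP files elsewhere in the webapp still reach the JspServlet through
     the *.jsp mapping, so this only affects files served statically. -->
<mime-mapping>
    <extension>jsp</extension>
    <mime-type>text/plain</mime-type>
</mime-mapping>
<mime-mapping>
    <extension>jspx</extension>
    <mime-type>text/plain</mime-type>
</mime-mapping>
```

After deploying, verify the setting by requesting an uploaded .jsp through the direct link and confirming that the response carries Content-Type: text/plain and contains the raw source rather than rendered output.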

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: tomcat Webapp security.

Posted by David Smith <dn...@cornell.edu>.
The best method I can think of is to store the jsp in a directory
outside your tomcat and outside your webapp.  Then configure the path to
the storage in either the context.xml or web.xml for your webapp and use
a ServletContextListener to load up an application scope attribute with
the path.  Lastly a slightly modified version of the default servlet
could offer up the jsp files as type text/plain.  The benefits of
storing the files in a location outside tomcat and the webapp include
easy upgrade of both and inhibiting execution of the jsp.

--David

Sachin Patel wrote:

>I have a web application with functionality to upload files to one of the folders inside it and to access them using a direct link URL.
>
>Now I am wondering, if someone uploads a .jsp file, how would I stop Tomcat from compiling and running that file when someone requests it using the direct link? I want to treat it as a file, not a page.
>
>Is there any configuration that will stop that file from configuring? Just like the execute scripts permission on an IIS directory.


-- 
=======================================
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939

