Posted to users@tomcat.apache.org by "R. S. Patil" <kp...@gmail.com> on 2009/12/05 19:16:18 UTC

Security Query.

Hello,

I am a total newbie to web applications and tomcat, a student.
In some discussion I heard that the WEB-INF contents cannot be accessed
from the Internet at all, so one can keep secret information in that
folder in plain text files.

How far is this true?

If not, then where should I put secret information like the database URL,
username and password?

I don't want to recompile application when database access password is changed.

Thanks and best regards

Raja

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Security Query.

Posted by "R. S. Patil" <kp...@gmail.com>.
Thanks Juha,

>
> Yes, context root will be served, as will be other folders under
> context root. WEB-INF and its subfolders are safe, from the container
> (Tomcat) point-of-view. Note however, that you as web application
> developer can break this safety mechanism: a servlet can be
> programmed to read a file from within WEB-INF and serve the contents
> to the Internet. If such a servlet contains a bug that allows intruder
> to freely choose a file, instead of strictly providing one of
> predefined files, then it could be that an intruder could read any
> file within WEB-INF.
>

Well, thanks for the valuable tip, I will keep this in mind.

> You could store the database access information in a plain-text file,
> but then, you could also store them as web-application context
> parameters in WEB-INF/web.xml file. Or you could set up a proper
> JNDI database resource, but perhaps that's something that can be
> left for a bit later on the learning curve.
>
Aha, a new area to study; I will try to find out more on JNDI.

>> BTW, can you suggest some good book/study material on Tomcat for a newbie?
>
> Even though it is not intended as such, I would like to recommend the
> Servlet specification available from Sun. That document describes what
> you can expect from a servlet container (such as Tomcat).
> --

I will read this first to get the hang of Tomcat; yes, it's necessary to know how
Tomcat behaves before I write some web application, i.e. some servlets
and applets/JSPs.

Thanks once again

Raja



Re: Security Query.

Posted by Juha Laiho <Ju...@iki.fi>.
R. S. Patil wrote:
> Thanks Chuck,
> 
>>> In some discussion I heard that the WEB-INF contents cannot be
>>> accessed from the Internet at all.
>> The servlet spec requires that the servlet container (Tomcat) prevent direct access to WEB-INF.
>>
>>> How far is this true?
>> Completely, as far as Tomcat is concerned.  If you have an alternative means of accessing the host (e.g., httpd, SMB, NFS) and you have not configured such alternatives correctly, there may be other ways of reaching the files.  Tomcat obviously cannot protect you from mistakes made in other components.
>>
> 
> So what I have understood is: if only Tomcat is installed on the web server, i.e.
> no Samba, NFS, FTP, Apache web server etc., then even hackers cannot
> access the WEB-INF folder, so I can keep JDBC database connection info in that
> folder as a plain text file. The only accessible part of the application will be the
> context root, i.e. the folder above WEB-INF.

Yes, context root will be served, as will be other folders under
context root. WEB-INF and its subfolders are safe, from the container
(Tomcat) point-of-view. Note however, that you as web application
developer can break this safety mechanism: a servlet can be
programmed to read a file from within WEB-INF and serve the contents
to the Internet. If such a servlet contains a bug that allows intruder
to freely choose a file, instead of strictly providing one of
predefined files, then it could be that an intruder could read any
file within WEB-INF.

You could store the database access information in a plain-text file,
but then, you could also store them as web-application context
parameters in WEB-INF/web.xml file. Or you could set up a proper
JNDI database resource, but perhaps that's something that can be
left for a bit later on the learning curve.

> BTW, can you suggest some good book/study material on Tomcat for a newbie?

Even though it is not intended as such, I would like to recommend the
Servlet specification available from Sun. That document describes what
you can expect from a servlet container (such as Tomcat).
-- 
..Juha
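As an added illustration of Juha's two points (this is example code, not from the thread or from Tomcat itself): a servlet that serves only predefined files from WEB-INF, so the client picks a key rather than a path, and that reads its database settings from web.xml context parameters or a JNDI resource instead of a hand-rolled plain-text file. The parameter names `db.url` and the resource name `jdbc/AppDB` are assumptions; it assumes Java 9+ and the `javax.servlet` API (Tomcat 9 or earlier).

```java
// Example code, not from the mailing-list thread. Assumed names: context-param
// "db.url" in WEB-INF/web.xml, JNDI resource "jdbc/AppDB" declared in
// META-INF/context.xml, and the two allow-listed documents below.
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class WebInfAwareServlet extends HttpServlet {

    // Fixed mapping from a public key to a file under WEB-INF. The client
    // never supplies a file name, so it cannot steer the servlet to any
    // other file in WEB-INF (the bug Juha warns about).
    private static final Map<String, String> ALLOWED = Map.of(
        "terms", "/WEB-INF/docs/terms.txt",
        "help",  "/WEB-INF/docs/help.txt");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String path = ALLOWED.get(req.getParameter("doc"));
        if (path == null) {                 // unknown key: refuse, do not guess
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
            resp.setContentType("text/plain");
            in.transferTo(resp.getOutputStream());
        }
    }

    // Option 1 from the thread: settings as <context-param> entries in
    // WEB-INF/web.xml, read at runtime, so a changed password needs no recompile.
    String jdbcUrl() {
        return getServletContext().getInitParameter("db.url");
    }

    // Option 2: a container-managed JNDI DataSource, declared as
    // <Resource name="jdbc/AppDB" .../> in META-INF/context.xml; the
    // credentials then live in Tomcat's configuration, not in the webapp.
    DataSource dataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
    }
}
```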



Re: Security Query.

Posted by "R. S. Patil" <kp...@gmail.com>.
Thanks Chuck,

>> In some discussion I heard that the WEB-INF contents cannot be
>> accessed from the Internet at all.
>
> The servlet spec requires that the servlet container (Tomcat) prevent direct access to WEB-INF.
>
>> How far is this true?
>
> Completely, as far as Tomcat is concerned.  If you have an alternative means of accessing the host (e.g., httpd, SMB, NFS) and you have not configured such alternatives correctly, there may be other ways of reaching the files.  Tomcat obviously cannot protect you from mistakes made in other components.
>

So what I have understood is: if only Tomcat is installed on the web server, i.e.
no Samba, NFS, FTP, Apache web server etc., then even hackers cannot
access the WEB-INF folder, so I can keep JDBC database connection info in that
folder as a plain text file. The only accessible part of the application will be the
context root, i.e. the folder above WEB-INF.

BTW, can you suggest some good book/study material on Tomcat for a newbie?

Thanks once again and regards.

RAJA



RE: Security Query.

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: R. S. Patil [mailto:kpr.rspatil@gmail.com]
> Subject: Security Query.
> 
> In some discussion I heard that the WEB-INF contents cannot be
> accessed from the Internet at all.

The servlet spec requires that the servlet container (Tomcat) prevent direct access to WEB-INF.

> How far is this true?

Completely, as far as Tomcat is concerned.  If you have an alternative means of accessing the host (e.g., httpd, SMB, NFS) and you have not configured such alternatives correctly, there may be other ways of reaching the files.  Tomcat obviously cannot protect you from mistakes made in other components.

 - Chuck
