Posted to users@tomcat.apache.org by HeoGwangNam <ke...@okjsp.pe.kr> on 2001/08/24 03:42:56 UTC
[security] apache exposes web.xml, *.java, *.class
I use mod_jk.so to join Apache 1.3.20 and Tomcat 3.2.3 on Solaris 5.7
and make the DocumentRoot in httpd.conf point to the root of Tomcat.
After that,
the browser request for http://www.blar....com/WEB-INF/web.xml appears.
Even more,
http://www.blar....com/WEB-INF/classes/ok/Fn.java ,
http://www.blar....com/WEB-INF/classes/ok/Fn.class
the source appears and the class is downloadable.
It's a serious problem.
What's wrong with my setup?
How can I solve this problem?
Please.
When I use Tomcat stand-alone, there is no problem similar to these.
RE: [security] apache exposes web.xml, *.java, *.class
Posted by "Rob S." <rs...@home.com>.
Simple... instruct Apache not to serve any directory with "WEB-INF" in the
path. See the Apache docs at http://httpd.apache.org/.
Good luck! =)
- r
> -----Original Message-----
> From: HeoGwangNam [mailto:kenu@okjsp.pe.kr]
> Sent: Thursday, August 23, 2001 9:43 PM
> To: tomcat-user@jakarta.apache.org
> Subject: [security] apache exposes web.xml, *.java, *.class
>
>
> I use mod_jk.so to join Apache 1.3.20 and Tomcat 3.2.3 on Solaris 5.7
> and make the DocumentRoot in httpd.conf point to the root of Tomcat.
>
> After that,
>
> the browser request for http://www.blar....com/WEB-INF/web.xml appears.
> Even more,
> http://www.blar....com/WEB-INF/classes/ok/Fn.java ,
> http://www.blar....com/WEB-INF/classes/ok/Fn.class
> the source appears and the class is downloadable.
>
> It's a serious problem.
>
> What's wrong with my setup?
> How can I solve this problem?
>
> Please.
> When I use Tomcat stand-alone, there is no problem similar to these.
>
>
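One way to apply the advice in the reply above, shown as an added example that is not part of the original thread: an httpd.conf fragment that denies any request whose URL or resolved file path contains a WEB-INF directory. It uses the Order/Deny syntax that matches the Apache 1.3.x version named in the question; the DocumentRoot path is a placeholder, not a value from the thread.

```apache
# Setup described in the question (path is a placeholder): DocumentRoot points
# at the web application root, so Apache treats everything below it, including
# WEB-INF/web.xml and WEB-INF/classes/*, as ordinary static files.
# DocumentRoot "/path/to/tomcat/webapps/ROOT"

# Block by URL. The pattern is unanchored, so it matches WEB-INF at any depth
# and therefore covers every context served through this virtual host.
# The character classes make the match case-insensitive for hosts whose
# filesystem ignores case; on a case-sensitive filesystem they are harmless.
<LocationMatch "/[Ww][Ee][Bb]-[Ii][Nn][Ff](/|$)">
    Order allow,deny
    Deny from all
</LocationMatch>

# Block by filesystem path as well, so an Alias or a second URL mapping that
# resolves to the same files is refused too.
<DirectoryMatch "/[Ww][Ee][Bb]-[Ii][Nn][Ff](/|$)">
    Order allow,deny
    Deny from all
</DirectoryMatch>

# Apache 2.4 replaces the two access lines inside each block with:
#     Require all denied
```

After reloading Apache, requests for `/WEB-INF/web.xml` and for files under `/WEB-INF/classes/` should return 403 Forbidden, while JSP and servlet requests forwarded through mod_jk keep working.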