Posted to users@tomcat.apache.org by HeoGwangNam <ke...@okjsp.pe.kr> on 2001/08/24 03:42:56 UTC

[security] apache exposes web.xml, *.java, *.class

I use mod_jk.so to join Apache 1.3.20 and Tomcat 3.2.3 on Solaris 5.7,
and made the DocumentRoot in httpd.conf point to the root of Tomcat.

After that,

a browser request for http://www.blar....com/WEB-INF/web.xml shows the file.
Even more, for
http://www.blar....com/WEB-INF/classes/ok/Fn.java ,
http://www.blar....com/WEB-INF/classes/ok/Fn.class
the source appears and the class is downloadable.

It's a serious problem.

What's wrong with my setup?
How can I solve this problem?

Please.
When I use Tomcat stand-alone, there is no problem similar to these.


RE: [security] apache exposes web.xml, *.java, *.class

Posted by "Rob S." <rs...@home.com>.
Simple... instruct Apache not to serve any directory with "WEB-INF" in the
path.  See the Apache docs at http://httpd.apache.org/.

Good luck! =)

- r

> -----Original Message-----
> From: HeoGwangNam [mailto:kenu@okjsp.pe.kr]
> Sent: Thursday, August 23, 2001 9:43 PM
> To: tomcat-user@jakarta.apache.org
> Subject: [security] apache exposes web.xml, *.java, *.class
>
>
> I use mod_jk.so to join Apache 1.3.20 and Tomcat 3.2.3 on Solaris 5.7,
> and made the DocumentRoot in httpd.conf point to the root of Tomcat.
>
> After that,
>
> a browser request for http://www.blar....com/WEB-INF/web.xml shows the file.
> Even more, for
> http://www.blar....com/WEB-INF/classes/ok/Fn.java ,
> http://www.blar....com/WEB-INF/classes/ok/Fn.class
> the source appears and the class is downloadable.
>
> It's a serious problem.
>
> What's wrong with my setup?
> How can I solve this problem?
>
> Please.
> When I use Tomcat stand-alone, there is no problem similar to these.
>
>
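
One way to express the suggestion in the reply above, as an added example that is not part of either message: an httpd.conf fragment in Apache 1.3 access-control syntax that refuses any request whose URL or filesystem path contains a WEB-INF directory. The DocumentRoot path is a placeholder; the character-class pattern is used because Apache 1.3 matches with POSIX extended regular expressions.

```apache
# Constructed httpd.conf fragment for the setup described in the thread:
# Apache's DocumentRoot points at the Tomcat web application root, so any
# file Apache can read there is served as static content unless denied.
# The path below is a placeholder, not a value from the thread.
DocumentRoot "/path/to/tomcat/webapps/ROOT"

# Deny by URL: matches /WEB-INF at any depth, in any letter case.
# Case variants matter when the underlying filesystem is case-insensitive.
<LocationMatch "/[Ww][Ee][Bb]-[Ii][Nn][Ff](/|$)">
    Order allow,deny
    Deny from all
</LocationMatch>

# Deny by filesystem path as well, so an Alias or a second virtual host
# that maps a different URL onto the same directory is also covered.
<DirectoryMatch "/[Ww][Ee][Bb]-[Ii][Nn][Ff](/|$)">
    Order allow,deny
    Deny from all
</DirectoryMatch>
```

After restarting Apache, a request for /WEB-INF/web.xml should return 403 Forbidden instead of the file contents.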