Posted to users@tomcat.apache.org by Haledor wow <ha...@gmail.com> on 2010/10/29 13:30:10 UTC

Security of WEB-INF content

Hi,

I have read in various forums that there are situations where the content of
WEB-INF can be accessed. Some people say that it is good practice to hide
sensitive files in WEB-INF and some say it might not be...

I am using Tomcat 6.0 and I am worried someone could access some of my
sensitive files located inside the WEB-INF folder. Could you explain to me
whether this is possible or not. Do I need to obfuscate the content of the
files in WEB-INF?

With best regards,
Peter Hallbeck

Re: Security of WEB-INF content

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

On 10/29/2010 7:57 AM, Mark Thomas wrote:
> On 29/10/2010 12:30, Haledor wow wrote:
>> Hi,
>>
>> I have read in various forums that there are situations where the content of
>> WEB-INF can be accessed. Some people say that it is good practice to hide
>> sensitive files in WEB-INF and some say it might not be...
>>
>> I am using Tomcat 6.0 and I am worried someone could access some of my
>> sensitive files located inside the WEB-INF folder. Could you explain to me
>> whether this is possible or not.
> 
> Nothing under WEB-INF is directly accessible to a user. Requests to
> http://host:port/app/WEB-INF/... will always be rejected.

If Tomcat is being used behind a web server such as Apache httpd, then
the web server can be used to subvert the security provided by Tomcat.

For example, a naive configuration might be:

httpd.conf:
DocumentRoot /var/www/my-webapp
JkMount /*.jsp worker

my-webapp.xml:
<Context docBase="/var/www/my-webapp" />

If a request comes in for /WEB-INF/web.xml, Apache httpd will happily
serve that file off the disk while the same request to Tomcat would fail.

There are many solutions to this problem, including:

1. Not using a fronting web server
2. Setting DocumentRoot != docBase
3. Adding <Limit> directives to httpd.conf to specifically
   exclude WEB-INF and other sensitive areas
4. Making WEB-INF and other sensitive areas unreadable
   by the httpd process
5. Using more general (or additional) JkMount directives, like
   JkMount /*.jsp worker
   JkMount /WEB-INF/* worker
   ... though if you have a JkMount for /WEB-INF/, you may as
   well do #3 or #4 above.

I highly favor #1 and #2 above, though your environment may necessitate
some of the other options.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
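A small configuration check, added here as an example and not part of the thread or of Tomcat/httpd, that reads the two snippets Chris describes (the constructed strings below reproduce them) and reports whether httpd would serve /WEB-INF/ straight from disk: exposed when DocumentRoot equals the Context docBase and neither a JkMount covering /WEB-INF/ nor a Location/LocationMatch deny block for it is present. The deny-block syntax and the JkMount pattern heuristic are assumptions for a minimal httpd.conf, not a full parser of either server's configuration.

```python
import os
import re
from xml.etree import ElementTree as ET

# Constructed samples reproducing the naive configuration from the thread.
HTTPD_CONF_NAIVE = """
DocumentRoot /var/www/my-webapp
JkMount /*.jsp worker
"""
# Same httpd.conf plus a deny block for WEB-INF (option 3; assumed httpd 2.2 syntax).
HTTPD_CONF_DENY = HTTPD_CONF_NAIVE + """
<LocationMatch "^/WEB-INF/">
    Order deny,allow
    Deny from all
</LocationMatch>
"""
CONTEXT_XML = '<Context docBase="/var/www/my-webapp" />'

def parse_httpd(conf):
    # Minimal line scan for just the directives this check needs.
    docroot, jkmounts, denied, current = None, [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'DocumentRoot\s+"?([^"\s]+)"?', line, re.I):
            docroot = m.group(1)
        elif m := re.match(r"JkMount\s+(\S+)\s+\S+", line, re.I):
            jkmounts.append(m.group(1))
        elif m := re.match(r'<(?:Location|LocationMatch)\s+"?([^">]+)"?\s*>', line, re.I):
            current = m.group(1)  # inside a Location block until its close tag
        elif re.match(r"</(?:Location|LocationMatch)>", line, re.I):
            current = None
        elif current and re.match(r"(Deny\s+from\s+all|Require\s+all\s+denied)$", line, re.I):
            denied.append(current)
    return docroot, jkmounts, denied

def web_inf_exposed(httpd_conf, context_xml):
    docroot, jkmounts, denied = parse_httpd(httpd_conf)
    docbase = ET.fromstring(context_xml).get("docBase")
    # Option 2: httpd and Tomcat not sharing the same directory ends the problem.
    if None in (docroot, docbase) or os.path.normpath(docroot) != os.path.normpath(docbase):
        return False
    # Option 5: a JkMount that hands /WEB-INF/ (or everything) to Tomcat.
    if any(p == "/*" or p.upper().startswith("/WEB-INF") for p in jkmounts):
        return False
    # Option 3: an httpd block that denies WEB-INF before the file is served.
    if any("WEB-INF" in pat.upper() for pat in denied):
        return False
    return True
```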


Re: Security of WEB-INF content

Posted by Mark Thomas <ma...@apache.org>.
On 29/10/2010 12:30, Haledor wow wrote:
> Hi,
> 
> I have read in various forums that there are situations where the content of
> WEB-INF can be accessed. Some people say that it is good practice to hide
> sensitive files in WEB-INF and some say it might not be...
> 
> I am using Tomcat 6.0 and I am worried someone could access some of my
> sensitive files located inside the WEB-INF folder. Could you explain to me
> whether this is possible or not.

Nothing under WEB-INF is directly accessible to a user. Requests to
http://host:port/app/WEB-INF/... will always be rejected.

However, applications can forward requests to resources under /WEB-INF
and can also include resources under /WEB-INF. It is up to the
application to make sure it doesn't do that in a way that could
compromise the security of any sensitive data placed under /WEB-INF.

> Do I need to obfuscate the content of the
> files in WEB-INF?

No.

And as an aside, Obfuscation != security

Mark
