Posted to users@tomcat.apache.org by Robert Youngblood <th...@gmail.com> on 2016/05/27 17:16:28 UTC

Direct url access to protected page: /docs*

I was recently cited for these pages not being locked down. Is there a way
to remove or lock down the default pages?

Bobby

Re: Direct url access to protected page: /docs*

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Robert,

On 5/27/16 10:35 PM, Robert Youngblood wrote:
> Chris, thank you for your reply. Are you saying that you normally
> rename the catalina folder to catalina_base and then create an empty
> catalina_home folder?

No. CATALINA_HOME and CATALINA_BASE refer to the environment variables
used to control a split-installation of Tomcat where the Tomcat base
files are in one location and your "active" installation (basically,
your server.xml and webapps) are in another. Read the "Advanced
Configuration - Multiple Tomcat Instances" section of the RUNNING.txt
for details.

> So, when I unc to server:8080, do I go to the catalina\webapps
> folder?

What you /what/ to port 8080?

The bottom line is that you need to remove the sample/demo
applications from any production-quality instance of Tomcat.

-chris

> On 5/27/16 1:16 PM, Robert Youngblood wrote:
>>>> I was recently cited for these pages not being locked down.
>>>> Is there a way to remove or lock down the default pages?
> 
> What default pages? Do you mean the "docs" web application?
> 
> $ rm -rf webapps/docs
> 
> You might want to remove the other stock applications as well...
> you should only be deploying those on a test/dev server.
> 
> I always recommend a split CATALINA_HOME/CATALINA_BASE where 
> CATALINA_HOME has a stock Tomcat deployment (including all of the 
> optional web applications in CATALINA_HOME/webapps) and then only
> my own web applications in CATALINA_BASE/webapps.
> 
> That way, you don't have to remember to remove the sample
> applications.
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
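
The split CATALINA_HOME/CATALINA_BASE layout recommended in this reply, as an added example that is not part of the original thread or of Tomcat itself. The function names and the constructed demo tree are assumptions; the directory set (conf, logs, temp, webapps, work) follows the RUNNING.txt section named above.

```shell
#!/bin/sh
# Added example: keep stock webapps in CATALINA_HOME and serve only from CATALINA_BASE.

# Stock applications shipped in a Tomcat distribution's webapps directory.
# ROOT is left out: a site's own application may legitimately use that name.
STOCK_APPS="docs examples manager host-manager"

# Create a minimal CATALINA_BASE next to an untouched CATALINA_HOME.
# Only conf/ is copied; webapps/ starts empty, so nothing stock is deployed.
make_catalina_base() {
    home=$1
    base=$2
    [ -f "$home/conf/server.xml" ] || { echo "no conf/server.xml in $home" >&2; return 1; }
    mkdir -p "$base/conf" "$base/logs" "$base/temp" "$base/webapps" "$base/work" || return 1
    cp -R "$home/conf/." "$base/conf/" || return 1
    chmod -R go-rwx "$base/conf"   # conf can hold credentials (tomcat-users.xml)
}

# Print the stock applications (directory or .war) still present in a webapps dir.
list_stock_apps() {
    webapps=$1
    for app in $STOCK_APPS; do
        if [ -e "$webapps/$app" ] || [ -e "$webapps/$app.war" ]; then
            echo "$app"
        fi
    done
}

# Demo on a constructed layout (not a real Tomcat install).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/conf" "$tmp/home/webapps/docs" "$tmp/home/webapps/examples"
    echo '<Server/>' > "$tmp/home/conf/server.xml"
    make_catalina_base "$tmp/home" "$tmp/base" || return 1
    echo "stock apps in CATALINA_HOME/webapps: $(list_stock_apps "$tmp/home/webapps" | tr '\n' ' ')"
    echo "stock apps in CATALINA_BASE/webapps: $(list_stock_apps "$tmp/base/webapps" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```

On a real server, export CATALINA_HOME and CATALINA_BASE before running `$CATALINA_HOME/bin/catalina.sh start`; an empty result from `list_stock_apps "$CATALINA_BASE/webapps"` confirms that /docs and the other stock applications are not deployed.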


Re: Direct url access to protected page: /docs*

Posted by Robert Youngblood <th...@gmail.com>.
Chris, thank you for your reply. Are you saying that you normally rename
the catalina folder to catalina_base and then create an empty catalina_home
folder?

So, when I unc to server:8080, do I go to the catalina\webapps folder?

Thanks, again.
On May 27, 2016 12:47 PM, "Christopher Schultz" <
chris@christopherschultz.net> wrote:

> Robert,
>
> On 5/27/16 1:16 PM, Robert Youngblood wrote:
> > I was recently cited for these pages not being locked down. Is
> > there a way to remove or lock down the default pages?
>
> What default pages? Do you mean the "docs" web application?
>
> $ rm -rf webapps/docs
>
> You might want to remove the other stock applications as well... you
> should only be deploying those on a test/dev server.
>
> I always recommend a split CATALINA_HOME/CATALINA_BASE where
> CATALINA_HOME has a stock Tomcat deployment (including all of the
> optional web applications in CATALINA_HOME/webapps) and then only my
> own web applications in CATALINA_BASE/webapps.
>
> That way, you don't have to remember to remove the sample applications.
>
> -chris

Re: Direct url access to protected page: /docs*

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Robert,

On 5/27/16 1:16 PM, Robert Youngblood wrote:
> I was recently cited for these pages not being locked down. Is
> there a way to remove or lock down the default pages?

What default pages? Do you mean the "docs" web application?

$ rm -rf webapps/docs

You might want to remove the other stock applications as well... you
should only be deploying those on a test/dev server.

I always recommend a split CATALINA_HOME/CATALINA_BASE where
CATALINA_HOME has a stock Tomcat deployment (including all of the
optional web applications in CATALINA_HOME/webapps) and then only my
own web applications in CATALINA_BASE/webapps.

That way, you don't have to remember to remove the sample applications.

-chris