Posted to users@tomcat.apache.org by tomcat user <to...@gmail.com> on 2007/06/25 17:11:09 UTC
securing directory
Hi all,
I would like to know if anybody can tell me how to restrict web access to my
web app's base directory and its sub directories.
i.e. webapp "Test1" has a file root.xml (tomcat\webapps\Test1\root.xml)
While I do need read access programmatically, I need for web users to not
access that file.
I am using an isapi connector through IIS (if that helps).
I do realize that permissions for directories reside in catalina.policy but
that appears to be permissions for programmatic access (i.e. my webapp). I
am running Tomcat version 5.x.
Thank you for your help.
Re: securing directory
Posted by Rainer Jung <ra...@kippdata.de>.
If you really really want to do it:
Read about exclusion rules in
http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html
but think twice, if this is robust, i.e. if the web server admin will
have a chance to keep this up-to-date.
Regards,
Rainer
tomcat user wrote:
>> Why would you assume that?
> because.
>
>> Not readily, since static content comes from there. You could write a
>> filter to return an error for a request for a prohibited file.
>
> Thank you for your help Chuck, I just thought there had to be an easier
> way. I would think it pretty basic to want to be able to allow certain
> directories to be viewed or not within a web server, but I guess not.
> Thanks again.
>
> Frank
>
>
>
>
> On 6/25/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>>
>> > From: tomcat user [mailto:tomkat.user@gmail.com]
>> > Subject: Re: securing directory
>> >
>> > assuming that a file does need to reside directly under
>> > the webapp folder
>>
>> Why would you assume that?
>>
>> > can I secure the webapp directory?
>>
>> Not readily, since static content comes from there. You could write a
>> filter to return an error for a request for a prohibited file.
>>
>> - Chuck
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: securing directory
Posted by tomcat user <to...@gmail.com>.
> Why would you assume that?
because.
> Not readily, since static content comes from there. You could write a
> filter to return an error for a request for a prohibited file.
Thank you for your help Chuck, I just thought there had to be an easier
way. I would think it pretty basic to want to be able to allow certain
directories to be viewed or not within a web server, but I guess not.
Thanks again.
Frank
On 6/25/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>
> > From: tomcat user [mailto:tomkat.user@gmail.com]
> > Subject: Re: securing directory
> >
> > assuming that a file does need to reside directly under
> > the webapp folder
>
> Why would you assume that?
>
> > can I secure the webapp directory?
>
> Not readily, since static content comes from there. You could write a
> filter to return an error for a request for a prohibited file.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
RE: securing directory
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: tomcat user [mailto:tomkat.user@gmail.com]
> Subject: Re: securing directory
>
> assuming that a file does need to reside directly under
> the webapp folder
Why would you assume that?
> can I secure the webapp directory?
Not readily, since static content comes from there. You could write a
filter to return an error for a request for a prohibited file.
- Chuck
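Added example (not part of the original post, and not Tomcat's own code): a minimal servlet filter of the kind suggested above, answering 404 for listed context-relative paths such as `/root.xml`. The class name `BlockedPathFilter` and the `blocked` init-param are hypothetical; it assumes the Servlet 2.4 `javax.servlet` API and Java 5 or later.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: returns 404 for paths listed in the "blocked" init-param. */
public class BlockedPathFilter implements Filter {
    private final Set<String> blocked = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // Comma-separated, context-relative paths, e.g. "/root.xml,/conf/settings.xml"
        String param = cfg.getInitParameter("blocked");
        if (param == null) throw new ServletException("init-param 'blocked' is required");
        for (String p : param.split(",")) blocked.add(canonical(p));
    }

    // Windows file names are case-insensitive and ignore trailing dots and spaces,
    // so "/ROOT.XML" and "/root.xml." must match the same rule as "/root.xml".
    static String canonical(String path) {
        String p = path.trim().replace('\\', '/').toLowerCase(Locale.ENGLISH);
        while (p.endsWith(".") || p.endsWith(" ")) p = p.substring(0, p.length() - 1);
        return p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Servlet path + path info is the decoded path relative to the context root.
        String path = http.getServletPath();
        if (http.getPathInfo() != null) path += http.getPathInfo();
        if (blocked.contains(canonical(path))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return; // do not pass the request on to the default servlet
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in the webapp's `web.xml`. It only sees client requests, so the webapp can still read the file itself through `ServletContext.getResourceAsStream`.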
Re: securing directory
Posted by tomcat user <to...@gmail.com>.
Chuck,
I appreciate the response, but assuming that a file does need to reside
directly under the webapp folder, can it be hidden from view? Again, I
understand the alternative, but can I secure the webapp directory?
On 6/25/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>
> > From: tomcat user [mailto:tomkat.user@gmail.com]
> > Subject: securing directory
> >
> > I would like to know if anybody can tell me how to restrict
> > web access to my web app's base directory and its sub directories.
>
> Read the servlet spec. Anything under WEB-INF is automatically
> invisible to everything but the webapp.
>
> To access resources, don't open them via the file system, use the
> mechanism described here:
> http://wiki.apache.org/tomcat/HowTo#head-45c3314139cb900ddd43dde2ff671532e6e844bc
>
> - Chuck
>
>
RE: securing directory
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: tomcat user [mailto:tomkat.user@gmail.com]
> Subject: securing directory
>
> I would like to know if anybody can tell me how to restrict
> web access to my web app's base directory and its sub directories.
Read the servlet spec. Anything under WEB-INF is automatically
invisible to everything but the webapp.
To access resources, don't open them via the file system, use the
mechanism described here:
http://wiki.apache.org/tomcat/HowTo#head-45c3314139cb900ddd43dde2ff671532e6e844bc
- Chuck