Posted to users@tomcat.apache.org by Euan Guttridge <EG...@buildonline.com> on 2004/06/28 13:14:00 UTC

WebApp config best practice

Where is the best practice for deploying your WebApp configuration files?
For example a database config file which contains production db password.
Most apps I have seen use WEB-INF/config or WEB-INF/classes - but this is a
no-no from security guys as it is under the document root.

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: WebApp config best practice

Posted by fix <ne...@pczone.be>.
Hi,

Tomcat forbids HTTP access to the WEB-INF directory, so nobody can receive
this file from an HTTP request. They would have to have an ssh/terminal
services/ftp or other direct connection to your directory. If the security
of the machine is good, then your files will be safe as well.
regards

Bjorn

> Where is the best practice for deploying your WebApp configuration
> files? For example a database config file which contains production db
> password. Most apps I have seen use WEB-INF/config or WEB-INF/classes -
> but this is a no-no from security guys as it is under the document
> root.
>
> Thanks
>



Re: WebApp config best practice

Posted by Sandy McArthur <Sa...@McArthur.org>.
Configure access to the database as a DataSource in Tomcat's 
configuration and look up the DataSource via JNDI.

On Jun 28, 2004, at 7:14 AM, Euan Guttridge wrote:

> Where is the best practice for deploying your WebApp configuration files?
> For example a database config file which contains production db password.
> Most apps I have seen use WEB-INF/config or WEB-INF/classes - but this is a
> no-no from security guys as it is under the document root.
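
The approach Sandy describes, written out as an added example (this is not code from the thread or from Tomcat itself). The container, not the WAR, holds the credentials: the `<Resource>` element goes in Tomcat's own configuration outside the webapp (for example `$CATALINA_BASE/conf/context.xml`, or a per-application file under `conf/Catalina/localhost/`), and the application only declares a `<resource-ref>` in WEB-INF/web.xml and asks JNDI for the pool. The resource name `jdbc/AppDB`, the database host, the account name and the `users` table are placeholders chosen for this example; the `<Resource>` attributes shown are the ones that have been stable across Tomcat versions, pool-tuning attributes differ by version and are left out.

```java
// Added example: container-managed DataSource resolved through JNDI.
// The secret never enters the WAR. It lives in Tomcat's configuration, e.g.
// $CATALINA_BASE/conf/context.xml (readable only by the account Tomcat runs as):
//
//   <Context>
//     <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
//               driverClassName="org.postgresql.Driver"
//               url="jdbc:postgresql://db.internal:5432/app"
//               username="app_user" password="..."/>
//   </Context>
//
// The webapp's WEB-INF/web.xml declares the reference and contains no secret:
//
//   <resource-ref>
//     <res-ref-name>jdbc/AppDB</res-ref-name>
//     <res-type>javax.sql.DataSource</res-type>
//     <res-auth>Container</res-auth>
//   </resource-ref>
//
// Names used here (jdbc/AppDB, db.internal, app_user, table "users") are placeholders.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public final class AppDatabase {
    // Must match <res-ref-name> in web.xml; Tomcat maps it onto the <Resource>.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";

    private AppDatabase() {}

    /** Resolve the container-managed pool; fail loudly if it is not bound. */
    public static DataSource lookup() {
        try {
            InitialContext ctx = new InitialContext();
            Object bound = ctx.lookup(JNDI_NAME);
            if (!(bound instanceof DataSource)) {
                throw new IllegalStateException(JNDI_NAME + " is bound to "
                        + bound.getClass().getName() + ", not a javax.sql.DataSource");
            }
            return (DataSource) bound;
        } catch (NamingException e) {
            // Usual causes: no <Resource> for this context, or web.xml lacks <resource-ref>.
            throw new IllegalStateException("DataSource " + JNDI_NAME
                    + " not bound; check the Tomcat <Resource> and web.xml <resource-ref>", e);
        }
    }

    /** Example query: the application code never sees or handles the DB password. */
    public static String lookupUserEmail(DataSource ds, long userId) throws SQLException {
        String sql = "SELECT email FROM users WHERE id = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The `java:comp/env` lookup only resolves on a thread that belongs to the web application (a servlet, filter or listener), which is the point: the credentials are reachable through the container's naming context, not through any file the application ships or serves.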

Re: WebApp config best practice

Posted by QM <qm...@brandxdev.net>.
On Mon, Jun 28, 2004 at 12:14:00PM +0100, Euan Guttridge wrote:
: Where is the best practice for deploying your WebApp configuration files?
: For example a database config file which contains production db password.
: Most apps I have seen use WEB-INF/config or WEB-INF/classes - but this is a
: no-no from security guys as it is under the document root.

"under the document root" != "available for request."

The spec dictates that requests for files from WEB-INF are denied.
If you're running a web server in front of Tomcat, then, be sure to
deny access to WEB-INF from there as well.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
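
A check for the point QM raises, added here as an example (not code from the thread or from any Tomcat project): when a web server sits in front of Tomcat, confirm that WEB-INF and META-INF are refused through the front end, not just by Tomcat directly. The probe list includes case, dot-segment and percent-encoding variants because a literal string rule in the front-end configuration can miss them. The base URL `http://localhost:8080/app` and the probe paths are assumptions for this example; point it at the front-end address of the real deployment.

```java
// Added example: probe a deployed webapp for exposed WEB-INF / META-INF content.
// Run as:  java WebInfProbe http://frontend.example/app
// Exit status 0 means every probe was refused; 1 means at least one returned 2xx.
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.List;

public final class WebInfProbe {
    // Paths a correctly configured stack must refuse. Variants are deliberate:
    // a front-end rule that matches the literal "/WEB-INF" can miss the rest.
    static final List<String> PROBES = List.of(
        "/WEB-INF/web.xml",
        "/web-inf/web.xml",
        "/WEB-INF/./web.xml",
        "/static/../WEB-INF/web.xml",
        "/%57EB-INF/web.xml",        // 'W' percent-encoded
        "/WEB-INF%2Fweb.xml",        // encoded slash; Tomcat answers 400 by default
        "/META-INF/context.xml",
        "/META-INF/MANIFEST.MF"
    );

    private WebInfProbe() {}

    /** Only a 2xx counts as exposure; 400, 403 and 404 are all acceptable refusals. */
    static boolean isExposed(int status) {
        return status >= 200 && status < 300;
    }

    /** Issue one GET without following redirects and return the status code. */
    static int status(String base, String path) throws Exception {
        HttpURLConnection c = (HttpURLConnection) URI.create(base + path).toURL().openConnection();
        c.setInstanceFollowRedirects(false);
        c.setRequestMethod("GET");
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        try {
            return c.getResponseCode();
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String base = args.length > 0 ? args[0] : "http://localhost:8080/app"; // assumed default
        int exposed = 0;
        for (String p : PROBES) {
            int s = status(base, p);
            boolean bad = isExposed(s);
            if (bad) exposed++;
            System.out.printf("%-30s %d %s%n", p, s, bad ? "EXPOSED" : "refused");
        }
        System.exit(exposed == 0 ? 0 : 1);
    }
}
```

Run it twice: once against Tomcat's own connector and once through the front-end server. Tomcat alone should refuse everything; any 2xx through the front end means the proxy or static-file configuration is serving the webapp directory without the matching deny rule.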

