Posted to users@tomcat.apache.org by Eduardo Andrés Alfonso Sierra <ed...@gmail.com> on 2005/02/20 08:18:24 UTC

Avoid Directory Listings

Hi

I'm trying to stop Tomcat from listing the contents of directories. I've
tried securing it and it works but has the BIG problem that you must
secure every directory separately.

Is there any possibility to secure the directory listings of every
directory in an application?

Thanks in advance.



I'm doing this:

<security-constraint>
	<web-resource-collection>
		<web-resource-name>LISTINGS</web-resource-name>
		<url-pattern>/dir1/</url-pattern>
		<url-pattern>/dir1/dir11/</url-pattern>
		<url-pattern>/dir1/dir12/</url-pattern>
		<url-pattern>/dir1/dir11/dir111/</url-pattern>
		<url-pattern>/dir2/</url-pattern>
		<url-pattern>/dir2/dir21/</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>manager</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

It works but I MUST add a url-pattern tag FOR EVERY directory in my
application if I'm to avoid all directory listings in my context.

I've tried patterns like /*/, /**/, /*/*/*/*/, */ and similar ones
and nothing worked.

Is it possible to easily avoid all the directory listings?

Thanks again.

Eduardo

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Avoid Directory Listings

Posted by Tim Funk <fu...@joedog.org>.
No. You'd need to extend the default servlet then detect when a dir listing 
will be displayed, then use programmatic authorization.

-Tim

Eduardo Andrés Alfonso Sierra wrote:

> Hi
> 
> I'm trying to stop Tomcat from listing the contents of directories. I've
> tried securing it and it works but has the BIG problem that you must
> secure every directory separately.
> 
> Is there any possibility to secure the directory listings of every
> directory in an application?
> 
> Thanks in advance.
> 
> 
> 
> I'm doing this:
> 
> <security-constraint>
> 	<web-resource-collection>
> 		<web-resource-name>LISTINGS</web-resource-name>
> 		<url-pattern>/dir1/</url-pattern>
> 		<url-pattern>/dir1/dir11/</url-pattern>
> 		<url-pattern>/dir1/dir12/</url-pattern>
> 		<url-pattern>/dir1/dir11/dir111/</url-pattern>
> 		<url-pattern>/dir2/</url-pattern>
> 		<url-pattern>/dir2/dir21/</url-pattern>
> 		<http-method>GET</http-method>
> 		<http-method>POST</http-method>
> 	</web-resource-collection>
> 	<auth-constraint>
> 		<role-name>manager</role-name>
> 	</auth-constraint>
> 	<user-data-constraint>
> 		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> 	</user-data-constraint>
> </security-constraint>
> 
> It works but I MUST add a url-pattern tag FOR EVERY directory in my
> application if I'm to avoid all directory listings in my context.
> 
> I've tried patterns like /*/, /**/, /*/*/*/*/, */ and similar ones
> and nothing worked.
> 
> Is it possible to easily avoid all the directory listings?
> 
> Thanks again.
> 
> Eduardo

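A sketch of the approach described in the reply above (extend the default servlet, detect a request that resolves to a directory, then authorize programmatically). This is an added example, not code from the thread or from the Tomcat project. The class name `GuardedListingServlet` and package `example` are hypothetical, and the `manager` role is taken from the posted web.xml. It assumes the application is deployed unpacked, so that `getRealPath` resolves, and that `org.apache.catalina.servlets.DefaultServlet` is visible to the class loader that loads this servlet.

```java
package example; // hypothetical package

import java.io.File;
import java.io.IOException;

import javax.servlet.ServletException;            // jakarta.servlet.* on Tomcat 10 and later
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.servlets.DefaultServlet;

// Hypothetical subclass: serves files as usual, but guards directory listings.
public class GuardedListingServlet extends DefaultServlet {

    // Role required to see a listing (same role as in the posted constraint).
    private static final String LISTING_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (resolvesToDirectory(request) && !request.isUserInRole(LISTING_ROLE)) {
            // Programmatic authorization: refuse before the parent class
            // gets a chance to render the listing.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        super.doGet(request, response);
    }

    // True when the requested path maps to a directory on disk.
    // getRealPath returns null for resources inside a packed WAR (assumption:
    // the application is unpacked), in which case this check does not apply.
    private boolean resolvesToDirectory(HttpServletRequest request) {
        String path = getRelativePath(request);
        String real = getServletContext().getRealPath(path);
        return real != null && new File(real).isDirectory();
    }
}
```

Map the class to `/` in the application's web.xml so it takes the place of the default servlet for that context. A caller without the role receives a 403 rather than a login prompt, because no container-managed constraint triggers authentication for these URLs.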