tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 50026] DefaultServlet serves META-INF and WEB-INF from root when remapped on /folder/*
Date Sun, 03 Oct 2010 08:05:41 GMT

Tim Whittington <> changed:

           What    |Removed                     |Added
           Priority|P2                          |P3
           Severity|critical                    |enhancement

--- Comment #4 from Tim Whittington <> 2010-10-03 04:05:36 EDT ---
I'm thinking this is a WONTFIX.

The servlet engine protects the WEB-INF and META-INF paths in the web
application (which is working fine), not files of that name under arbitrary

What's actually happening here is you're configuring a general purpose file
serving servlet to mount up your entire web application under a different path
- it's equivalent to configuring Apache to do the same thing. Except that
DefaultServlet isn't a general purpose file server - it's designed to be mapped
to /, and you can't configure it to do anything but serve files out of the web
application directory.

I'm guessing you're trying to work around a problem introduced by mapping
another servlet to /*, which is basically trying to work around the way a
servlet engine works.
has an example of a better way to approach things if this is what you're trying
to do.

Advice to remount DefaultServlet in Tomcat seems to have been around as long as
Tomcat has existed, so perhaps we need to lock it down (so people can't
accidentally create insecure configurations) or support mounting specific
directories (inside or outside the web application), and break if accessing the
root resources when mapped to a sub-path in any case.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message