tomcat-users mailing list archives

From Rachel Greenham <>
Subject WEB-INF left open to all and sundry by default
Date Fri, 01 Sep 2000 11:44:36 GMT
We noticed today that people could get at files in our WEB-INF directory,
while accessing the site through Apache. I did a quick fix with file
permissions so that Apache (nobody) couldn't enter that directory, but it
seems to me that a better solution would be a line in tomcat.conf to push
requests for anything in WEB-INF to Tomcat, which would then of course
refuse them. It would be nice if such a line was in the default tomcat.conf
file as distributed.
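
An added example, not part of the original message or of any Tomcat distribution: it blocks WEB-INF in Apache itself rather than routing those requests to Tomcat as the message suggests. The `/examples` context, the directory path and the Apache 2.4 syntax are assumptions.

```apache
# Constructed example: context path and directory are assumptions.

# Weak: Apache serves the webapp directory itself, so
# /examples/WEB-INF/web.xml is readable like any other static file.
Alias /examples "/usr/local/tomcat/webapps/examples"
<Directory "/usr/local/tomcat/webapps/examples">
    Options -Indexes
    Require all granted
</Directory>

# Corrected: keep the Alias, but refuse WEB-INF at any depth.
# Location sections are merged after Directory sections, so this wins.
# (?i) also covers /web-inf/ on case-insensitive filesystems.
<LocationMatch "(?i)/WEB-INF(/|$)">
    Require all denied
</LocationMatch>

# Apache 1.3/2.2 form of the same access rule:
#   Order deny,allow
#   Deny from all
```

Unlike the file-permission fix, this rule does not depend on which user Apache runs as.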

