tomcat-users mailing list archives

From Kevin Sangalee
Subject Re: WEB-INF left open to all and sundry by default
Date Fri, 01 Sep 2000 11:50:51 GMT
On Fri, 1 Sep 2000, Rachel Greenham wrote:

I tried to reproduce this on my installation (Apache + Tomcat 3.1 + Linux),
and got 'Forbidden' for contexts, except ROOT which gave 'File not Found'.

I think that the ROOT context is the only context that shares a directory
with Apache. I've configured it all according to the guidelines in the
Jakarta docs.

Can you give more details on how to reproduce this? Could it be a
mis-configuration on your part?


> We noticed today that people could get at files in our WEB-INF directory,
> while accessing the site through Apache. I did a quick fix with file
> permissions so that Apache (nobody) couldn't enter that directory, but it
> seems to me that a better solution would be a line in tomcat.conf to push
> requests for anything in WEB-INF to Tomcat, which would then of course
> refuse them. It would be nice if such a line was in the default tomcat.conf
> file as distributed.

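An added example, not part of the original thread or of the Tomcat distribution: a small audit of an Apache config for the exposure discussed above, listing URL prefixes that Apache serves directly from a webapp directory with no deny rule covering WEB-INF. The sample config, its paths and the `has_web_inf` callback are assumptions made for illustration, and the parser only handles paths without spaces.

```python
import os
import re

# Constructed sample config (not from the thread): Apache serves three
# directories itself; only /examples has a deny rule covering WEB-INF.
SAMPLE_CONF = """\
DocumentRoot "/opt/tomcat/webapps/ROOT"
Alias /examples "/opt/tomcat/webapps/examples"
Alias /icons "/usr/share/apache/icons"
<Location "/examples/WEB-INF/">
    Order allow,deny
    Deny from all
</Location>
"""

ALIAS_RE = re.compile(r'^[ \t]*Alias[ \t]+"?([^\s"]+)"?[ \t]+"?([^\s"]+)"?', re.I | re.M)
DOCROOT_RE = re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^\s"]+)"?', re.I | re.M)
BLOCK_RE = re.compile(
    r'<Location(Match)?\s+"?([^">]+?)"?\s*>(.*?)</Location(?:Match)?>', re.I | re.S)
DENY_RE = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)


def deny_rules(conf):
    """(is_regex, pattern) for every Location/LocationMatch block that denies all."""
    return [(bool(m.group(1)), m.group(2))
            for m in BLOCK_RE.finditer(conf) if DENY_RE.search(m.group(3))]


def is_denied(url, rules):
    """Location matches by URL prefix, LocationMatch by regex search."""
    return any(re.search(pat, url) if is_regex else url.startswith(pat)
               for is_regex, pat in rules)


def exposed_contexts(conf, has_web_inf=None):
    """URL prefixes served from a webapp directory whose WEB-INF is not denied."""
    if has_web_inf is None:  # default: look on the local filesystem
        has_web_inf = lambda d: os.path.isdir(os.path.join(d, "WEB-INF"))
    conf = re.sub(r'(?m)^[ \t]*#.*$', '', conf)  # ignore commented-out lines
    rules = deny_rules(conf)
    mounts = [("/", p) for p in DOCROOT_RE.findall(conf)] + ALIAS_RE.findall(conf)
    return [url for url, path in mounts if has_web_inf(path)
            and not is_denied(url.rstrip("/") + "/WEB-INF/web.xml", rules)]


if __name__ == "__main__":
    print(exposed_contexts(SAMPLE_CONF, lambda d: "/webapps/" in d))
```

A single `<LocationMatch "/WEB-INF/">` block that denies all requests covers every mount at once, which the audit then reports as an empty list.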