tomcat-users mailing list archives

From Kitching Simon <>
Subject RE: Deny web-inf access (security problem)
Date Wed, 20 Dec 2000 10:30:19 GMT
Hi Paul,

I disagree with Guy's email here. There are several very good
reasons why your servlet classes *should* be within your webapp,
and *not* within your CLASSPATH. Just follow the examples that
come with tomcat, and you shouldn't go far wrong.

The sun servlet specs say quite explicitly that *no* file in WEB-INF
can ever be downloaded by a browser. So if you can download the
binary "mybean.class" file, save it to disk, then decompile it, that
is a definite security hole, and a violation of the servlet spec.

There can be problems if you use apache as a front-end, because of
course apache doesn't obey the servlet specs - it isn't a servlet engine.
However, in your case you explicitly said that you were running tomcat
standalone, so that can't be it.

One thing you didn't tell us is what version of tomcat you are using.

There has been a recent patch to tomcat3.2 (3.2.1) which fixes a
number of security problems. I am willing to bet that if you upgrade
to tomcat3.2.1 (from whatever you were using) the problem will go

I would also just point out that the WEB-INF directory should
have the same capitalisation I have shown, even on windows
(which you appear to be using). Yes, windows file explorer will
"adjust" the capitalisation of files, but you should make sure
that at the "DOS" level, the capitalisation is actually correct.
> -----Original Message-----
> From: []
> Sent: Wednesday, December 20, 2000 12:58 AM
> To:
> Subject: RE: Deny web-inf access (security problem)
> Set up a directory outside your tomcat directory to contain java class
> files, and include that directory in your classpath.  Keep it outside of
> your Apache directory as well.
> -----Original Message-----
> From: Paul Gonin []
> Sent: Tuesday, December 19, 2000 2:02 PM
> To:
> Subject: Deny web-inf access (security problem)
> Hi,
> I have a JSP that uses a bean. It uses the following directory structure :
>     webapps/myapply/myapply.jsp
>     webapps/myapply/web-inf/classes/mybean.class
> It works fine but I am annoyed that people can download the bean directly
> and "access" its content because it contains critical information
> (passwords).
> How do I protect my bean and more generally I'd like to protect the whole
> web-inf directory (if it's possible).
> Note : I'm using Tomcat standalone.
> Thanks
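The rule Simon quotes (nothing under WEB-INF may ever be served to a browser) and his point about capitalisation on Windows can be expressed as a small request-path check. This is an added example, not code from the thread or from Tomcat; the function names and the sample request paths (built from Paul's directory layout) are constructed for illustration.

```python
from urllib.parse import unquote


def normalize_request_path(raw_path: str) -> str:
    """Decode percent-escapes and resolve '.' / '..' segments.

    Decoding is repeated until the string stops changing so the
    comparison always runs on the final, fully decoded path.
    Backslashes count as separators because a Windows filesystem
    (Paul's platform) accepts them.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def is_web_inf_request(raw_path: str) -> bool:
    """True when the request resolves into a WEB-INF directory.

    The comparison is case-insensitive on purpose: on a case-insensitive
    filesystem 'web-inf' and 'WEB-INF' are the same directory, so a
    check that only matches the upper-case spelling would serve files
    a servlet engine must never hand out.
    """
    segments = normalize_request_path(raw_path).lower().split("/")
    return "web-inf" in segments


# Constructed sample requests against the layout from Paul's message.
SAMPLE_REQUESTS = {
    "/myapply/myapply.jsp": False,
    "/myapply/WEB-INF/classes/mybean.class": True,
    "/myapply/web-inf/classes/mybean.class": True,  # lower case, same directory on Windows
    "/myapply/./WEB-INF/web.xml": True,
}

if __name__ == "__main__":
    for request, expected in SAMPLE_REQUESTS.items():
        assert is_web_inf_request(request) == expected, request
    print("all sample requests classified as expected")
```

A standards-conforming servlet container already enforces this; the check is useful as a regression test for a deployment, or in a front-end that sits before the container and does not know the servlet rules.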
