tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William Brogden <>
Subject Re: Deny web-inf access (security problem)
Date Tue, 19 Dec 2000 20:02:15 GMT

Paul Gonin wrote:
> Hi,
> I have a JSP that uses a bean. It uses the following directory structure :
>     webapps/myapply/myapply.jsp
>     webapps/myapply/web-inf/classes/mybean.class
> It works fine but I am annoyed that people can download the bean directly
> and "access" its content because it contains critical information
> (passwords).
> How do I protect my bean and more generraly I'd like to protect the whole
> web-inf directory (if it's possible)
> Note : I'm using Tomcat standalone.

If you can actually make Tomcat deliver the mybean.class to a
user, it is a serious breach of the API requirements. I am betting
that you can't get Tomcat to serve anything in the WEB-INF directory
to a client.

Java Cert mock exams
Author of Java Developer's Guide to Servlets and JSP 
ISBN 0-7821-2809-2

View raw message