tomcat-users mailing list archives

From William Brogden <wbrog...@bga.com>
Subject Re: Deny web-inf access (security problem)
Date Tue, 19 Dec 2000 20:02:15 GMT


Paul Gonin wrote:
> 
> Hi,
> 
> I have a JSP that uses a bean. It uses the following directory structure :
>     webapps/myapply/myapply.jsp
>     webapps/myapply/web-inf/classes/mybean.class
> 
> It works fine but I am annoyed that people can download the bean directly
> and "access" its content because it contains critical information
> (passwords).
> 
> How do I protect my bean and more generally I'd like to protect the whole
> web-inf directory (if it's possible)
> 
> Note : I'm using Tomcat standalone.

If you can actually make Tomcat deliver the mybean.class to a
user, it is a serious breach of the API requirements. I am betting
that you can't get Tomcat to serve anything in the WEB-INF directory
to a client.

-- 
WBB - wbrogden@lanw.com
Java Cert mock exams http://www.lanw.com/java/javacert/
Author of Java Developer's Guide to Servlets and JSP 
ISBN 0-7821-2809-2
