tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Gonin <>
Subject Re: Deny web-inf access (security problem)
Date Thu, 21 Dec 2000 19:47:50 GMT
Thanks a lot for all who helped me.

It turned out that I could read a class file in the apps directory (i don't
why this copy of the class was there... bad manipulation I guess) but I
cannot acces files inside web-inf !

Sorry for the inconvenience and thanks again.


on 12/20/00 5:30 AM, Kitching Simon at wrote:

> Hi Paul,
> I disagree with Guy's email here. There are several very good
> reasons why your servlet classes *should* be within your webapp,
> and *not* within your CLASSPATH. Just follow the examples that
> come with tomcat, and you shouldn't go far wrong.
> The sun servlet specs say quite explicitly that *no* file in WEB-INF
> can ever be downloaded by a browser. So if you can download the
> binary "mybean.class" file, save it to disk, then decompile it, that
> is a definite security hole, and a violation of the servlet spec.
> There can be problems if you use apache as a front-end, because of
> course apache doesn't obey the servlet specs - it isn't a servlet engine.
> However, in your case you explicitly said that you were running tomcat
> standalone, so that can't be it.
> One thing you didn't tell us is what version of tomcat you are using.
> There has been a recent patch to tomcat3.2 (3.2.1) which fixes a
> number of security problems. I am willing to bet that if you upgrade
> to tomcat3.2.1 (from whatever you were using) the problem will go
> away.
> I would also just point out that the WEB-INF directory should
> have the same capitalisation I have shown, even on windows
> (which you appear to be using). Yes, windows file explorer will
> "adjust" the capitalisation of files, but you should make sure
> that at the "DOS" level, the capitalisation is actually correct.
> Regards,
> Simon
>> -----Original Message-----
>> From: []
>> Sent: Wednesday, December 20, 2000 12:58 AM
>> To:
>> Subject: RE: Deny web-inf access (security problem)
>> Set up a directory outside your tomcat directory to contain java class
>> files, and include that directory in your classpath.  Keep it outside of
>> your Apache directory as well.
>> -----Original Message-----
>> From: Paul Gonin []
>> Sent: Tuesday, December 19, 2000 2:02 PM
>> To:
>> Subject: Deny web-inf access (security problem)
>> Hi, 
>> I have a JSP that uses a bean. It uses the following directory structure :
>> webapps/myapply/myapply.jsp
>> webapps/myapply/web-inf/classes/mybean.class
>> It works fine but I am annoyed that people can download the bean directly
>> and "access" its content because it contains critical information
>> (passwords). 
>> How do I protect my bean and more generraly I'd like to protect the whole
>> web-inf directory (if it's possible)
>> Note : I'm using Tomcat standalone.
>> Thanks 

View raw message