Delivered-To: mailing list tomcat-user@jakarta.apache.org
Date: Tue, 19 Dec 2000 14:02:12 -0500
Subject: Deny web-inf access (security problem)
From: Paul Gonin

Hi,

I have a JSP that uses a bean. It uses the following directory structure:

    webapps/myapply/myapply.jsp
    webapps/myapply/web-inf/classes/mybean.class

It works fine, but I am annoyed that people can download the bean directly and "access" its content, because it contains critical information (passwords).

How do I protect my bean? More generally, I'd like to protect the whole web-inf directory (if it's possible).

Note: I'm using Tomcat standalone.

Thanks