tomcat-users mailing list archives

From: "Paul Kofon"
Subject: Re: Control user access to directories in J-T ver 3.3 on unix?
Date: Wed, 22 May 2002 13:45:27 GMT
I usually use custom user access control (nothing really fancy) since my 
passwords are hashed and stored in a database. I never investigated if 
Tomcat could give me the level of control I often need.
If you choose to go the same way (i.e. create your own custom solution), then 
you could very easily write a filter that blocks access to user directories 
and would only allow access depending on criteria that you set. The drawback 
I see is that you're using T3.3. If you want to use filters (which I 
think is a really cool feature in Servlet 2.3), then you'd have to upgrade 
to T4.x.x, unless your apps specifically require T3.3.



>From: Christopher Lott
>Reply-To: "Tomcat Users List"
>Subject: Control user access to directories in J-T ver 3.3 on unix?
>Date: Tue, 21 May 2002 11:29:45 -0400 (EDT)
>Hi, please tell me if fine-grained user access control is possible
>in J-T, and if so, how to accomplish it.
>I'm using Jakarta-Tomcat version 3.3a on a solaris 8 box.
>I have access control enabled such that users of my app must
>supply a password; this uses a SimpleRealm with a local file
>of users and passwords as specified in the context for my webapp
>(in conf/apps-myapp.xml).  To gain access to J-T/webapps/myapp,
>users enter a password.  So the first line of defense is working.
>However, 'myapp' creates directories for each user under webapps/myapp
>where users store their work.  Currently, an authenticated (but
>malicious) user can access the files for another user by guessing the
>appropriate URL under the J-T webapps/myapp/user directory. This is
>the hole we need to close.
>I'm asking about how to restrict access to specific directories.
>I have no need to restrict access on a file-by-file basis.
>We specify a role for the users, but it's not clear to me that the
>role information is used anywhere (?).
>I've read the SimpleRealm part of the Server.xml Configuration
>document.  I have scanned the Tomcat Documentation, including the Tomcat
>User's Guide, the server configuration, etc.  I've googled the question
>with little success (other than some security hole warnings).
>I sure hope that I don't have to create an instance of the webapp for
>each user!
>If it matters, we are using Apache as the front-end, and it forwards
>requests on to the J-T server as needed.
>Does this have anything to do with Slide (something Google turned up)??
>(I don't mean to complain, but I sure would welcome some improvements
>in the J-T documentation. :-/)
>Thanks in advance, I look forward to hearing from someone.
>(cml at cs dot umd dot edu)

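As an added example of the filter approach suggested in the reply (this is not code from the thread or from Tomcat; it assumes the per-user directories sit under a `/user/` prefix inside the webapp, as the question's `webapps/myapp/user` path suggests, and that the container's realm login populates `getRemoteUser()`), a Servlet 2.3 filter that denies a request into another user's directory:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Forbids /user/<name>/... unless the authenticated user is <name>. ("/user/" is an assumed prefix.) */
public class UserDirectoryFilter implements Filter {
    private static final String USER_PREFIX = "/user/";

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** Owner segment of a per-user path, or null when the path is not under USER_PREFIX. */
    static String ownerOf(String pathWithinApp) {
        if (pathWithinApp == null || !pathWithinApp.startsWith(USER_PREFIX)) return null;
        String rest = pathWithinApp.substring(USER_PREFIX.length());
        int slash = rest.indexOf('/');
        return slash < 0 ? rest : rest.substring(0, slash);
    }

    /** Non-user paths pass; per-user paths require a logged-in user whose name matches the directory. */
    static boolean isAllowed(String remoteUser, String pathWithinApp) {
        String owner = ownerOf(pathWithinApp);
        if (owner == null) return true;          // not a per-user directory
        if (remoteUser == null) return false;     // not authenticated
        if (owner.length() == 0 || owner.equals(".") || owner.equals("..")) return false; // odd segments: deny
        return owner.equals(remoteUser);          // only the owner may read their own directory
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Path inside the webapp; the container has already decoded and normalised it.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (!isAllowed(request.getRemoteUser(), path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map it in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/user/*`. It only covers requests that actually reach Tomcat: if the Apache front end serves files under webapps/myapp/user directly, the filter never runs for them.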
