tomcat-users mailing list archives

From Reginald Oake <rego...@assistants.ca>
Subject Re: Newbie question on Tomcat security
Date Mon, 14 Jul 2003 22:58:42 GMT
Hi.

I'm not certain about this, but it seems to me that it would be next to
impossible to keep the HTML source from being viewed by someone using
any browser (this is not a server-side issue). The source has to be
uploaded to the browser and, once it is uploaded, anyone can view source
on the page.

As far as keeping your directory structure at least a little bit more
obscured, you can do two things. You can never fully obscure the
directory structure, as the browser requires this information to load
images, style sheets and links.

The first is to put an index.jsp or index.html file in so that people
cannot view your directory structure directly (there is probably a
better way to do this).

The second is to use servlet mappings.

I'm not sure if this needs to be said, but even though people can
determine your directory structure with fairly little effort, this does
not, in itself, pose a security risk.


Thanx


Reg


On Mon, 2003-07-14 at 15:49, substring wrote:
> Hello All,
> 
> I just developed a JSP application called myapp,
> running on Tomcat 4.1.24.  How can I keep people from
> accessing my files under <tomcat>/webapps/myapp?  For
> example, people can do a simple "view source" and find
> the path to my css file, then they can type in the
> path on the browser to access my files.
> 
> What kind of security should I set up for that?
> I am pretty new to Tomcat so I need help.
> 
> By the way, my OS is Windows 2000 Pro.
> 
> Any help will be very much appreciated.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
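
The two measures from the reply above, written out as a deployment descriptor for the `myapp` application on Tomcat 4.1 (Servlet 2.3). This is an added example, not part of the original thread; the servlet name, URL pattern and JSP path are hypothetical.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- Added example: <tomcat>/webapps/myapp/WEB-INF/web.xml.
     The servlet name, URL pattern and JSP path are hypothetical. -->
<web-app>

  <!-- Servlet mapping: the JSP lives under WEB-INF, which the container
       never serves directly, and is reachable only at the mapped URL.
       The browser sees /myapp/report, not the file's real location. -->
  <servlet>
    <servlet-name>report</servlet-name>
    <jsp-file>/WEB-INF/jsp/report.jsp</jsp-file>
  </servlet>

  <servlet-mapping>
    <servlet-name>report</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>

  <!-- Index file: a request for a directory such as /myapp/ is answered
       with that directory's index.jsp, if present, instead of a
       generated directory listing. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Static files the browser must fetch (CSS, images) stay outside
       WEB-INF and remain directly requestable by design. To turn off
       generated listings for every directory, set the "listings"
       init-param of the default servlet to false in
       <tomcat>/conf/web.xml. -->

</web-app>
```

Anything that must never be fetched by URL (configuration files, include fragments, classes) belongs under `WEB-INF`; the stylesheet and images cannot go there because the browser has to request them.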

