tomcat-users mailing list archives

From Simon Pabst <simon.pa...@web.de>
Subject Re: Newbie question on Tomcat security
Date Tue, 15 Jul 2003 05:31:11 GMT
Look here: http://jakarta.apache.org/tomcat/faq/misc.html#listing


At 19:05 14.07.2003 -0500, you wrote:
>Thanks for the reply.  Actually, I don't worry that people can do "view
>source".  I just don't like the fact that they can type in the folder and
>list the whole directory tree on the browser.  They can open any file on the
>directory and potentially alter the code.
>
>Most web sites I've been to, if you type in the folder directory, you will
>get an access denied or something like that.  I am wondering if I can set up
>something similar in Tomcat?
>
>By the way, I do have an index.jsp.
>
>Thanks.
>
>
>
>----- Original Message -----
>From: "Reginald Oake" <regoake@assistants.ca>
>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>Sent: Monday, July 14, 2003 5:58 PM
>Subject: Re: Newbie question on Tomcat security
>
>
> > Hi.
> >
> > I'm not certain about this but it seems to me that it would be next to
> > impossible to keep the html source from being viewed by someone using
> > any browser (this is not a server side issue). The source has to be
> > uploaded to the browser and, once it is uploaded anyone can view source
> > on the page.
> >
> > As far as keeping your directory structure at least a little bit more
> > obscured you can do two things. You can never fully obscure the
> > directory structure as the browser requires this information to load
> > images, style sheets and links.
> >
> > The first is to put an index.jsp or index.html file in so that people
> > cannot view your directory structure directly (there is probably a
> > better way to do this).
> >
> > The second is to use servlet mappings.
> >
> > I'm not sure if this needs to be said but even though people can
> > determine your directory structure with fairly little effort this does
> > not, in itself, pose a security risk.
> >
> >
> > Thanx
> >
> >
> > Reg
> >
> >
> > On Mon, 2003-07-14 at 15:49, substring wrote:
> > > Hello All,
> > >
> > > I just developed a JSP application called myapp,
> > > running on Tomcat 4.1.24.  How can I keep people from
> > > accessing my files under <tomcat>/webapps/myapp?  For
> > > example, people can do a simple "view source" and find
> > > the path to my css file, then they can type in the
> > > path on the browser to access my files.
> > >
> > > What kind of security should I set up for that?
> > > I am pretty new to Tomcat so I need help.
> > >
> > > By the way, my OS is Windows 2000 Pro.
> > >
> > > Any help will be very much appreciated.
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> >
> >
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

