tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <>
Subject Re: how to deny .jsp execution within an upload directory
Date Fri, 29 Oct 2004 22:25:23 GMT
The easiest way to do this would be to create a filter on that directory. The 
filter would either deny access - of it would get the default servlet via the 
ServletContext.getNamedDispatcher() and then perform a forwards().


Chris Lawder wrote:
> Hello,
> Can somebody please point me to documentaion and examples that describe 
> how to disallow the execution of .jsp or any other scripts/binaries 
> within a single directory of a webapplication? Part of the web app, is 
> being allowed to upload reports which can then be read and downloaded by 
> another. At this time I can upload a .jsp file and it will run in that 
> directory.
> I have found much stuff on SecurityManager and syntax within the 
> catalina.policy file but nothing yet that really explains to me what I 
> need to do to accomplish what I described above. My attempts so far at 
> proper catalina.policy systax have not worked.
> This is a pure tomcat environment running Tomcat 4.1.30 at this time.
> Other comments regarding the proper use of an upload directory and it's 
> security are welcome.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message