tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Ruthenbeck <>
Subject Re: how to deny .jsp execution within an upload directory
Date Fri, 29 Oct 2004 23:00:30 GMT

For robust installations, this problem is a non-issue due to JSP 
precompilation.  Everyone's situation is different, of course, but it is 
generally much more secure to precompile your JSPs and disable the 
dynamic compilation of new ones.


At 03:25 PM 10/29/2004, you wrote:
>The easiest way to do this would be to create a filter on that 
>directory. The filter would either deny access - of it would get the 
>default servlet via the ServletContext.getNamedDispatcher() and then 
>perform a forwards().
>Chris Lawder wrote:
>>Can somebody please point me to documentaion and examples that describe 
>>how to disallow the execution of .jsp or any other scripts/binaries 
>>within a single directory of a webapplication? Part of the web app, is 
>>being allowed to upload reports which can then be read and downloaded 
>>by another. At this time I can upload a .jsp file and it will run in 
>>that directory.
>>I have found much stuff on SecurityManager and syntax within the 
>>catalina.policy file but nothing yet that really explains to me what I 
>>need to do to accomplish what I described above. My attempts so far at 
>>proper catalina.policy systax have not worked.
>>This is a pure tomcat environment running Tomcat 4.1.30 at this time.
>>Other comments regarding the proper use of an upload directory and it's 
>>security are welcome.
>To unsubscribe, e-mail:
>For additional commands, e-mail:

Justin Ruthenbeck
Lead Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message