tomcat-users mailing list archives

From "Mitesh Shah" <mitesh.s...@eclinicalworks.com>
Subject RE: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 18:03:58 GMT

To disable directory listing, change the tag value to 'false' for the init
parameter 'listings' in web.xml:

    <init-param>
        <param-name>listings</param-name>
        <param-value>FALSE</param-value>
    </init-param>


Mitesh Shah
Hosted Services Engineer
eClinicalWorks LLC
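
Where this parameter sits and how its value is read, as an added example that is not part of the original message: the check below parses a constructed web.xml fragment, finds the DefaultServlet definition (the servlet named "default" in Tomcat's conf/web.xml) and reports whether listings are on. It assumes the value is interpreted the way Java's Boolean.parseBoolean does, so 'FALSE' counts as false; the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ListingsCheck {
    // Constructed sample: a DefaultServlet definition using the value from the message.
    static final String SAMPLE =
        "<web-app>"
      + "<servlet>"
      + "<servlet-name>default</servlet-name>"
      + "<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>"
      + "<init-param><param-name>listings</param-name><param-value>FALSE</param-value></init-param>"
      + "</servlet>"
      + "</web-app>";

    /** Returns true if any DefaultServlet definition in the XML has listings enabled. */
    static boolean listingsEnabled(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Harden the parser: a schema-based web.xml has no DOCTYPE, so refuse one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        NodeList servlets = doc.getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element s = (Element) servlets.item(i);
            if (!text(s, "servlet-class").endsWith("DefaultServlet")) continue;
            NodeList params = s.getElementsByTagName("init-param");
            for (int j = 0; j < params.getLength(); j++) {
                Element p = (Element) params.item(j);
                if ("listings".equals(text(p, "param-name"))
                        && Boolean.parseBoolean(text(p, "param-value"))) return true;
            }
        }
        return false; // parameter absent or not "true": no listing
    }

    // Text of the first descendant element with this tag name, or "" if there is none.
    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("as posted: " + listingsEnabled(SAMPLE));
        System.out.println("set to true: " + listingsEnabled(SAMPLE.replace("FALSE", "true")));
    }
}
```

A web.xml that still carries a DTD declaration (Servlet 2.3 style) is rejected by the hardened parser rather than read.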

-----Original Message-----
From: alla winter [mailto:alla1.winter@gmail.com] 
Sent: Wednesday, September 26, 2007 2:00 PM
To: Tomcat Users List; p@pidster.com
Subject: Re: Security restrictions for Tomcat

OK, I got it, the content type will do the trick.  Thanks

But I would appreciate it if you answered my second question regarding the
directory listing.
I can see all the directory listing except the WEB-INF directory.  I am using
all default XMLs for configuration without any changes, except web.xml where
I defined my servlets.
What should I do to disallow the directory listing?
Thanks


On 9/26/07, Pid <p@pidster.com> wrote:
>
> alla winter wrote:
> > I am confused now
> > web.xml instructs Tomcat what application needs to be called for a given
> > MIME type
>
> No, unless you've got some weird setup on a Windows machine Tomcat is
> not opening MSWord.  The MIME type is sent to the browser in an HTTP
> header, and the browser decides what to open it with.
>
> For example, if you didn't have MSWord installed, but had, say,
> OpenOffice, you could find that OpenOffice opens the file.
>
> > for example:
> > <mime-mapping>
> >   <extension>rtf</extension>
> >   <mime-type>application/vnd.ms-word</mime-type>
> > </mime-mapping>
> >
> > Tomcat passes the request to the third party application based on the MIME
> > type, so if I show the link to the .RTF file and the user selects the link,
> > Microsoft Word will display the selected file.  The same with PDF files
> > - the ADOBE reader is invoked
> > My understanding is that by writing file bytes to the servlet output, I am
> > just creating an HTML file where the file content is a body of the HTML
>
> Again no, the output is handled by the browser - if you set:
>
> Content-Type: text/html
>
> the browser will do as it's told and try to process the output as an
> HTML file.
>
>
>
> > But if I output the bytes of the file to the servlet output, it will look
> > the same way as if I opened the RTF file in Notepad - with all control
> > characters inside.
> > Unless I am missing something here...
>
> Yes, the Content-Type header is the key to this.
>
> p
>
>
> > As far as directory listing - yes, I do see the directory listing for all
> > folders that are underneath my application except WEB-INF and I didn't do
> > any special set up for that - I am using all default XMLs except the
> > web.xml where I am defining my servlets.
> >
> > I appreciate your help.
> > thanks
> >
> > On 9/26/07, Christopher Schultz <chris@christopherschultz.net> wrote:
> > Alla,
> >
> > alla winter wrote:
> >>>> Thanks for the quick response.
> >>>> So, I want to make sure that I understand it right: you are proposing that
> >>>> the servlet should display the file, instead of allowing Tomcat to invoke
> >>>> Microsoft Word to display the file content.
> > I think you are misunderstanding what is really going on at a
> > fundamental level. Tomcat will never invoke Microsoft Word for any
> > reason, unless you have something truly crazy going on in the background.
> >
> > What I'm suggesting is that you write your own code to serve the
> > contents of a static file. It's pretty simple: open the file, write the
> > appropriate HTTP headers, copy the bytes to the servlet output stream,
> > close all streams, and you are done.
> >
> >>>> The only issue with that is that
> >>>> the file is created in the RTF format and it has control characters that
> >>>> govern the formatting.
> > This is irrelevant. It doesn't matter if you are serving a text file or
> > a PDF, you are just serving bytes to the web browser.
> >
> >>>> The second question was about how to set up TOMCAT not to allow the
> >>>> directory listing
> > Actually, I think you have to specifically enable directory listings. If
> > you haven't enabled them, then you shouldn't be getting any. Are you
> > able to get a directory listing?
> >
> > -chris
> >
> >>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
>
>
>
>
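
The approach Christopher Schultz describes in the quoted reply (open the file, write the headers, copy the bytes to the servlet output stream), as an added example that is not part of the original thread. It assumes Tomcat 8 or 9 (javax.servlet, Servlet 3.1; Tomcat 10+ uses jakarta.servlet instead); the class name, the /files/* mapping and the /var/data/docs directory are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping in web.xml: <url-pattern>/files/*</url-pattern>
public class FileServlet extends HttpServlet {
    // Hypothetical document directory, kept outside the web application root.
    private static final Path BASE = Paths.get("/var/data/docs").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Path file = resolve(req.getPathInfo());
        if (file == null || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Content-Type tells the browser how to handle the bytes; look it up from
        // the <mime-mapping> entries in web.xml by file extension.
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff"); // no browser guessing
        resp.setContentLengthLong(Files.size(file));
        // Copy the bytes unchanged: RTF control words are just data to the server.
        Files.copy(file, resp.getOutputStream());
    }

    // Maps "/report.rtf" to BASE/report.rtf; returns null for anything outside BASE.
    static Path resolve(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) return null;
        try {
            // normalize() collapses "../" segments before the containment check.
            Path p = BASE.resolve(pathInfo.substring(1)).normalize();
            return p.startsWith(BASE) ? p : null;
        } catch (InvalidPathException e) {
            return null;
        }
    }
}
```

normalize() does not follow symbolic links, so the base directory should not contain links that point outside it.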



