tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 16:09:38 GMT

Alla,

alla winter wrote:
> I would appreciate if you would give me some hints how this dispatcher
> servlet should work.

How about this:

1. Check user id against requested path.
 a. Return FORBIDDEN for unauthorized access
 b. Open file and serve bytes to authorized users
2. Configure this servlet to serve all URLs like /content/*
   or something like that, instead of allowing Tomcat
   to serve content from the /content directory.

> Also, what needs to be done to restrict Tomcat to list the directories that
> contain java script and images.

What do you mean? You want people to be able to get directory listings
for certain directories?

-chris
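
A sketch of the dispatcher servlet outlined in steps 1 and 2 above, added here as an example and not part of the original message. It assumes container-managed authentication (so `getRemoteUser()` returns the user id), the `javax.servlet` API at Servlet 3.1 or later, and a hypothetical layout with one directory per user under `/var/data/content`; the class name and path are illustrative.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Step 2: map this servlet to /content/* in web.xml so that Tomcat's
// default servlet never serves these files directly.
public class ContentDispatcherServlet extends HttpServlet {
    // Assumption: files live outside the webapp, one directory per user id.
    private static final Path ROOT = Paths.get("/var/data/content").toAbsolutePath().normalize();

    // Step 1: check the user id against the requested path.
    // Returns the resolved file, or null when the user may not read it.
    static Path authorize(String user, String pathInfo) {
        if (user == null || pathInfo == null || !user.matches("[A-Za-z0-9_-]+")) return null;
        try {
            Path target = ROOT.resolve(pathInfo.replaceFirst("^/+", "")).normalize();
            // normalize() collapses "..", so /alice/../bob/x fails this component-wise check
            return target.startsWith(ROOT.resolve(user)) ? target : null;
        } catch (InvalidPathException e) {
            return null; // e.g. NUL byte in the decoded path
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser();
        Path file = authorize(user, req.getPathInfo());
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // step 1a
            return;
        }
        // Re-check after resolving symlinks, so a link cannot point outside the user's directory.
        if (!Files.isRegularFile(file)
                || !file.toRealPath().startsWith(ROOT.resolve(user).toRealPath())) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLengthLong(Files.size(file));
        Files.copy(file, resp.getOutputStream()); // step 1b
    }
}
```

Keeping the content root outside the web application directory means a missing or wrong servlet mapping results in a 404 rather than unauthenticated access to the files.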

