tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 17:48:13 GMT
alla winter wrote:
> I am confused now
> web.xml instructs Tomcat what application needs to be called for a given
> MIME type

No, unless you've got some weird setup on a windows machine Tomcat is
not opening MSWord.  The mime type is sent to the browser in an http
header, and the browser decides what to open it with.

For example, if you didn't have MSWord installed, but had, say,
OpenOffice, you could find that OpenOffice opens the file.

> for example:
> - <mime-mapping>
>   <extension>rtf</extension>
>   <mime-type>application/</mime-type>
>   </mime-mapping>
>  Tomcat pass the request to the  third party application based on the MIME
> type, so if I show the link to the .RTF file and the user selects the link,
> the Microsoft Word will display the selected file.  The same with PDF files
> - the  the ADOBE reader is invoked
> My undesraning is that by writing file bytes to the servlet output, I am
> just creating and HTML file where the file content is a body of the HTML

Again no, the output is handled by the browser - if you set:

 Content-Type: text/html

the browser will do as it's told and try to process the output as an
HTML file.

> But if I output the bytes of the file to the servlet output, it will look
> the same way as I would open RTF file in the notepad - with all controll
> characters inside.
> Unless I am missing something here...

Yes, the Content-Type header is the key to this.


> As far as directory listing - yes, I do see the directory listing for all
> folders that are underneath of my application except WEB-INF and I didn't do
> any special set up for that - I am using all default XMLs except the
> web.xmlwhere I am defining my servlets.
> I appreciate your help.
> thanks
> On 9/26/07, Christopher Schultz <> wrote:
> Alla,
> alla winter wrote:
>>>> Thanks for the quick response.
>>>> So, I want to make sure that understand it right : you are proposing
> that
>>>> the servlet should  display the file, instead of allowing Tomcat to
> invoke
>>>> Microsoft Word to disply the file content.
> I think you are misunderstanding what is really going on at a
> fundamental level. Tomcat will never invoke Microsoft Word for any
> reason, unless you have something truly crazy going on in the background.
> What I'm suggesting is that you write your own code to serve the
> contents of a static file. It's pretty simple: open the file, write the
> appropriate HTTP headers, copy the bytes to the servlet output stream,
> close all streams, and you are done.
>>>> The only issue with that is that
>>>> the file is created in the RTF format and it has control characters that
>>>> governs the formatting.
> This is irrelevant. It doesn't matter if you are serving a text file or
> a PDF, you are just serving bytes to the web browser.
>>>> The second question was about how to set up TOMCAT not to allow the
>>>> directory listing
> Actually, I think you have to specifically enable directory listings. If
> you haven't enabled them, then you shouldn't be getting any. Are you
> able to get a directory listing?
> -chris
To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message