tomcat-users mailing list archives

From "alla winter" <alla1.win...@gmail.com>
Subject Re: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 16:28:11 GMT
Thanks for the quick response.
So, I want to make sure that I understand it right: you are proposing that
the servlet should display the file, instead of allowing Tomcat to invoke
Microsoft Word to display the file content. The only issue with that is that
the file is created in the RTF format and it has control characters that
govern the formatting.

The second question was about how to set up Tomcat not to allow the
directory listing.

Thanks for your help.


On 9/26/07, Christopher Schultz <chris@christopherschultz.net> wrote:
>
> Alla,
>
> alla winter wrote:
> > I would appreciate if you would give me some hints how this dispatcher
> > servlet should work.
>
> How about this:
>
> 1. Check user id against requested path.
>    a. Return FORBIDDEN for unauthorized access
>    b. Open file and serve bytes to authorized users
> 2. Configure this servlet to serve all URLs like /content/*
>   or something like that, instead of allowing Tomcat
>   to serve content from the /content directory.
>
> > Also, what needs to be done to restrict Tomcat to list the directories that
> > contain java script and images.
>
> What do you mean? You want people to be able to get directory listings
> for certain directories?
>
> - -chris
>
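
The dispatcher servlet outlined in the quoted reply, as an added example that is not part of either message or of Tomcat's own code. It streams the stored bytes unchanged, so an RTF file reaches the client with its control words intact. Assumptions: the class name `ContentServlet`, the `contentRoot` init-param, the rule that the first path segment must equal the caller's login name, container-managed authentication, and the `javax.servlet` namespace (`jakarta.servlet` on Tomcat 10 and later).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical dispatcher servlet; map it to /content/* in WEB-INF/web.xml.
public class ContentServlet extends HttpServlet {
    private Path root; // content lives outside the webapp, so only this servlet can serve it
    @Override
    public void init() throws ServletException {
        String dir = getInitParameter("contentRoot"); // assumed init-param name
        if (dir == null) throw new ServletException("contentRoot init-param is required");
        try {
            root = Paths.get(dir).toRealPath();
        } catch (IOException e) {
            throw new ServletException("contentRoot is not accessible", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getRemoteUser(); // null unless the container authenticated the caller
        String info = req.getPathInfo();   // part after /content, e.g. "/alice/report.rtf"
        Path file = authorize(user, info);
        if (file == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; } // step 1a
        if (!Files.isRegularFile(file)) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        Files.copy(file, resp.getOutputStream()); // step 1b: raw bytes, no reinterpretation
    }

    // Assumed rule: a user may read only /content/<own login name>/... Returns null when denied.
    Path authorize(String user, String info) {
        if (user == null || info == null) return null;
        try {
            Path userDir = root.resolve(user).normalize();
            Path file = root.resolve(info.substring(1)).normalize();
            // userDir must be a direct child of root, and the normalized target must stay inside it
            return root.equals(userDir.getParent()) && file.startsWith(userDir) ? file : null;
        } catch (InvalidPathException e) {
            return null; // illegal characters in the requested path
        }
    }
}
```

The authorization check runs before the existence check, so a request for another user's path gets 403 whether or not the file exists. Directory listings are a separate setting: the `listings` init-param of Tomcat's DefaultServlet in `conf/web.xml`, where `false` disables them.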
