tomcat-users mailing list archives

From "alla winter" <alla1.win...@gmail.com>
Subject Re: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 17:41:06 GMT
I am confused now.
web.xml instructs Tomcat what application needs to be called for a given
MIME type,
for example:
<mime-mapping>
  <extension>rtf</extension>
  <mime-type>application/vnd.ms-word</mime-type>
</mime-mapping>

Tomcat passes the request to the third party application based on the MIME
type, so if I show the link to the .RTF file and the user selects the link,
Microsoft Word will display the selected file. The same with PDF files
- the ADOBE reader is invoked.
My understanding is that by writing file bytes to the servlet output, I am
just creating an HTML file where the file content is a body of the HTML.

But if I output the bytes of the file to the servlet output, it will look
the same way as if I opened the RTF file in Notepad - with all the control
characters inside.
Unless I am missing something here...


As far as directory listing - yes, I do see the directory listing for all
folders that are underneath my application except WEB-INF, and I didn't do
any special setup for that - I am using all default XMLs except the
web.xml where I am defining my servlets.

I appreciate your help.
thanks

On 9/26/07, Christopher Schultz <chris@christopherschultz.net> wrote:
>
> Alla,
>
> alla winter wrote:
> > Thanks for the quick response.
> > So, I want to make sure that I understand it right: you are proposing
> > that the servlet should display the file, instead of allowing Tomcat to
> > invoke Microsoft Word to display the file content.
>
> I think you are misunderstanding what is really going on at a
> fundamental level. Tomcat will never invoke Microsoft Word for any
> reason, unless you have something truly crazy going on in the background.
>
> What I'm suggesting is that you write your own code to serve the
> contents of a static file. It's pretty simple: open the file, write the
> appropriate HTTP headers, copy the bytes to the servlet output stream,
> close all streams, and you are done.
>
> > The only issue with that is that
> > the file is created in the RTF format and it has control characters that
> > govern the formatting.
>
> This is irrelevant. It doesn't matter if you are serving a text file or
> a PDF, you are just serving bytes to the web browser.
>
> > The second question was about how to set up TOMCAT not to allow the
> > directory listing
>
> Actually, I think you have to specifically enable directory listings. If
> you haven't enabled them, then you shouldn't be getting any. Are you
> able to get a directory listing?
>
> -chris
>
>
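
The approach described in the quoted reply (open the file, set the HTTP headers, copy the bytes to the servlet output stream), as an added example that is not part of the original messages. The class name, the "name" request parameter and the /var/app/documents directory are hypothetical; the code assumes the javax.servlet API (newer Tomcat releases use jakarta.servlet) and Java 7 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: serves files from one directory that is not browsable through Tomcat.
public class DocumentServlet extends HttpServlet {
    // Assumption: documents are stored outside the web application's public folders.
    private static final Path BASE = Paths.get("/var/app/documents");

    // Resolve the requested name and reject anything that ends up outside the base
    // directory ("../" sequences, absolute paths, symlinks pointing elsewhere).
    static Path resolveSafely(Path base, String name) {
        if (name == null || name.isEmpty()) return null;
        try {
            Path root = base.toRealPath();
            Path target = root.resolve(name).toRealPath(); // fails if the file is missing
            return target.startsWith(root) && Files.isRegularFile(target) ? target : null;
        } catch (IOException | InvalidPathException e) {
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // An application-specific check that this user may read the file belongs here.
        Path file = resolveSafely(BASE, req.getParameter("name"));
        if (file == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // getMimeType() consults the <mime-mapping> entries in web.xml; the resulting
        // Content-Type header is what lets the browser pick a viewer for the bytes.
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // Copy the raw bytes unchanged; RTF or PDF content needs no special handling.
        Files.copy(file, resp.getOutputStream());
    }
}
```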
