tomcat-users mailing list archives

From "alla winter" <alla1.win...@gmail.com>
Subject Re: Security restrictions for Tomcat
Date Wed, 26 Sep 2007 19:02:45 GMT
you guys are Awesome
thanks a lot.


On 9/26/07, Mitesh Shah <mitesh.shah@eclinicalworks.com> wrote:
>
>
> To disable directory listing, change tag value to 'false' for init
> parameter of listing in web.xml
>
>     <init-param>
>         <param-name>listings</param-name>
>         <param-value>false</param-value>
>     </init-param>
>
>
> Mitesh Shah
> Hosted Services Engineer
> eClinicalWorks LLC
>
> -----Original Message-----
> From: alla winter [mailto:alla1.winter@gmail.com]
> Sent: Wednesday, September 26, 2007 2:00 PM
> To: Tomcat Users List; p@pidster.com
> Subject: Re: Security restrictions for Tomcat
>
> OK, I got it, the content type will do the trick.  Thanks
>
> But I would appreciate if you answer on my second question regarding the
> directory listing
> I can see all the directory listing except WEB-INF directory.  I am using
> all default XMLs for configuration without any changes, except web.xml where
> I defined my servlets.
> What should I do to disallow the directory listing?
> thanks
>
>
> On 9/26/07, Pid <p@pidster.com> wrote:
> >
> > alla winter wrote:
> > > I am confused now
> > > web.xml instructs Tomcat what application needs to be called for a
> > > given MIME type
> >
> > No, unless you've got some weird setup on a Windows machine Tomcat is
> > not opening MSWord.  The MIME type is sent to the browser in an HTTP
> > header, and the browser decides what to open it with.
> >
> > For example, if you didn't have MSWord installed, but had, say,
> > OpenOffice, you could find that OpenOffice opens the file.
> >
> > > for example:
> > > - <mime-mapping>
> > >   <extension>rtf</extension>
> > >   <mime-type>application/vnd.ms-word</mime-type>
> > >   </mime-mapping>
> > >
> > > Tomcat passes the request to the third party application based on the
> > > MIME type, so if I show the link to the .RTF file and the user selects
> > > the link, the Microsoft Word will display the selected file.  The same
> > > with PDF files - the ADOBE reader is invoked
> > > My understanding is that by writing file bytes to the servlet output, I
> > > am just creating an HTML file where the file content is a body of the
> > > HTML
> >
> > Again no, the output is handled by the browser - if you set:
> >
> > Content-Type: text/html
> >
> > the browser will do as it's told and try to process the output as an
> > HTML file.
> >
> >
> >
> > > But if I output the bytes of the file to the servlet output, it will
> > > look the same way as I would open RTF file in the notepad - with all
> > > control characters inside.
> > > Unless I am missing something here...
> >
> > Yes, the Content-Type header is the key to this.
> >
> > p
> >
> >
> > > As far as directory listing - yes, I do see the directory listing for
> > > all folders that are underneath of my application except WEB-INF and I
> > > didn't do any special set up for that - I am using all default XMLs
> > > except the web.xml where I am defining my servlets.
> > >
> > > I appreciate your help.
> > > thanks
> > >
> > > On 9/26/07, Christopher Schultz <chris@christopherschultz.net> wrote:
> > > Alla,
> > >
> > > alla winter wrote:
> > >>>> Thanks for the quick response.
> > >>>> So, I want to make sure that I understand it right : you are
> > >>>> proposing that the servlet should display the file, instead of
> > >>>> allowing Tomcat to invoke Microsoft Word to display the file content.
> > > I think you are misunderstanding what is really going on at a
> > > fundamental level. Tomcat will never invoke Microsoft Word for any
> > > reason, unless you have something truly crazy going on in the
> > > background.
> > >
> > > What I'm suggesting is that you write your own code to serve the
> > > contents of a static file. It's pretty simple: open the file, write
> > > the appropriate HTTP headers, copy the bytes to the servlet output
> > > stream, close all streams, and you are done.
> > >
> > >>>> The only issue with that is that
> > >>>> the file is created in the RTF format and it has control characters
> > that
> > >>>> governs the formatting.
> > > This is irrelevant. It doesn't matter if you are serving a text file
> > > or a PDF, you are just serving bytes to the web browser.
> > >
> > >>>> The second question was about how to set up TOMCAT not to allow
> > >>>> the directory listing
> > > Actually, I think you have to specifically enable directory listings.
> > > If you haven't enabled them, then you shouldn't be getting any. Are
> > > you able to get a directory listing?
> > >
> > > -chris
> > >
> > >>
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > >>
> > >>
> >
> >
> >
> >
>
>
>
>
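
The file-serving procedure described in the thread (open the file, set the HTTP headers, copy the bytes to the servlet output stream), as an added example that is not code from any of the posters. The class name `DocumentServlet`, the `file` request parameter and the base directory are assumptions; on Tomcat 10 and later the imports are `jakarta.servlet` instead of `javax.servlet`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DocumentServlet extends HttpServlet {
    // Assumed location: files live outside the web application root, so the
    // default servlet (and its directory listing) never sees them.
    private static final Path BASE =
            Paths.get("/var/data/documents").toAbsolutePath().normalize();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("file"); // hypothetical parameter name
        Path target;
        try {
            // Resolve against BASE, then collapse any "../" segments.
            target = BASE.resolve(name == null ? "" : name).normalize();
        } catch (InvalidPathException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Reject paths that escape BASE (including absolute paths) and
        // anything that is not a plain file, e.g. BASE itself.
        if (!target.startsWith(BASE) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Content-Type comes from the <mime-mapping> entries in web.xml;
        // the browser, not Tomcat, picks the application that opens it.
        String type = getServletContext()
                .getMimeType(target.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        // Ask the browser not to second-guess the declared type.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // Copy the raw bytes; the container closes the output stream.
        Files.copy(target, resp.getOutputStream());
    }
}
```

The `startsWith` check is lexical, so symbolic links inside the base directory are still followed; compare `toRealPath()` results instead if the directory may contain links.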
