tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Len Popp <>
Subject Re: Tomcat for serving only static files - how to prevent the likes of JSP execution
Date Sat, 04 Jul 2009 23:37:31 GMT
The default handling of JSP files is set in conf/web.xml: *.jsp and
*.jspx are handled by JspServlet.

In your "special" context, you could handle *.jsp and *.jspx files
with a servlet that just returns an error. That should do the trick.

2009/7/4 Keith67 <>:
> This might seem like a strange request, but I would like to use Tomcat to
> only serve static files, from a certain context anyway.
> I have an application I would like to allow users to upload files through,
> and then I want to be able to link to them and serve them from the server.
> If I do this, I run the risk of them uploading executable content (e.g. a
> JSP file) and then having it executed on the server, so I would like to stop
> this happening.
> Does anyone know how I could prevent any dynamic processing of files in a
> given Tomcat context.
> I appreciate I could just install Apache and do it that way but I'd rather
> just keep it simple with Tomcat.
> Thanks.
> --
> View this message in context:
> Sent from the Tomcat - User mailing list archive at
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message