tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat for serving only static files - how to prevent the likes of JSP execution
Date Sun, 05 Jul 2009 14:02:11 GMT
Hash: SHA1


On 7/4/2009 7:17 PM, Keith67 wrote:
> I have an application I would like to allow users to upload files through,
> and then I want to be able to link to them and serve them from the server.
> If I do this, I run the risk of them uploading executable content (e.g. a
> JSP file) and then having it executed on the server, so I would like to stop
> this happening.

It's nice to know that some folks out there actually /think/ about
security before blindly writing code!

> Does anyone know how I could prevent any dynamic processing of files in a
> given Tomcat context.

As Len says, all you need to do is map "/*.jsp" to something other than
the (default configured) JspServlet. While he suggests mapping it to
some error, it seems more appropriate for your application to map it to
the DefaultServlet instead (so you can serve the files).

On the other hand, DefaultServlet may have some problems serving files
that have been written into your webapp's directory after deployment
(search the archives for many discussions of this). It's not a good idea
to write files to the deployment directory, anyway, and so
DefaultServlet (without modifications) won't be able to serve your files.

If you already have a servlet written to serve the files /other/ than
"/*.jsp", simply map "/*.jsp" to that same servlet and you should be
good to go.

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message