tomcat-users mailing list archives

From André Warnier
Subject Re: Configure read/write-access in TomCat
Date Wed, 18 Aug 2010 13:26:07 GMT
K A wrote:
> Oh, really? I just guessed that if the user could see the absolute url to used/available
> files in the application (jsp- or pdf-files) then it was also possible that the user could
> compromise the files in that directory, overwrite them or even save new files. But you state
> that users can NOT save new files in a directory. Then they can NOT do any of the other stated
> actions, right? Or have I misunderstood?
Unless users have access to these directories/files by another way than through Tomcat,
there is no way for them, using Tomcat, to modify any of these directories/files, even if
they can see them through their web browser and Tomcat.
Unless one of your Tomcat-based applications allows them to do that of course.

An example of how users could modify those files:
if the directories where those files are, are shared as network directories, and users 
have direct access to these directories through e.g. Windows Explorer, then of course 
there is nothing that Tomcat can do to protect them.

Maybe to clarify another aspect:
The Tomcat process itself runs under some user-id.  All web applications running under 
Tomcat "run as" this same user-id.  It does not matter which web user is accessing the 
Tomcat application; any file access by a Tomcat web application always happens under the 
user-id of Tomcat.
The web user's user-id is purely a matter for Tomcat, to allow/disallow access to some 
resource and return a copy of it to the user through HTTP, or return a "forbidden" 
response.  But when Tomcat reads the resource from disk, it always reads it as "tomcat" 
(that is, the user-id under which tomcat is started).
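
The point above, that every file access by a web application happens under the single user-id Tomcat was started as, has a practical consequence for hardening: whether a compromised or misbehaving web application can overwrite deployed files is decided by the ownership and permission bits on those files relative to that one service account, not by who is logged in over HTTP. The following shell snippet is an added example, not code from the thread or from the Tomcat project: it lists the files under a webapps directory that the given service account could write to, judging by owner/group/world write bits (only the account's primary group is considered, which is an assumption of the example). The `demo` function builds a constructed sample tree in a temporary directory and runs the check against the current user as a stand-in for the Tomcat account.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report files a service account
# could modify, based on ownership and permission bits.
#
# Usage: writable_by_service_user <directory> <service-user>
# A file is reported when any of these hold:
#   - it is owned by the service user and has the owner-write bit,
#   - it is in the service user's primary group and has the group-write bit,
#   - it is world-writable.
# Supplementary groups of the service user are not considered (simplifying assumption).
writable_by_service_user() {
    dir=$1
    svc_user=$2
    svc_group=$(id -gn "$svc_user")
    find "$dir" -type f \( \
        \( -user "$svc_user" -perm -u=w \) -o \
        \( -group "$svc_group" -perm -g=w \) -o \
        -perm -o=w \
    \)
}

# Constructed sample tree: one read-only file, one owner-writable file and one
# world-writable file. Prints the number of files the check reports (expected: 2),
# using the current user as a stand-in for the Tomcat service account.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/app/WEB-INF"
    printf '<%% %%>' > "$tmp/webapps/app/index.jsp"
    printf 'pdf'     > "$tmp/webapps/app/report.pdf"
    printf '<web-app/>' > "$tmp/webapps/app/WEB-INF/web.xml"
    chmod 444 "$tmp/webapps/app/index.jsp"        # read-only: not reported
    chmod 644 "$tmp/webapps/app/report.pdf"       # owner-writable: reported
    chmod 666 "$tmp/webapps/app/WEB-INF/web.xml"  # world-writable: reported
    writable_by_service_user "$tmp/webapps" "$(id -un)" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

demo
```

In a real deployment the second argument is the account Tomcat runs as (check it with `ps -o user= -p <tomcat-pid>`), and the expected output for a read-only deployment is no files at all; anything listed is a file that a web application, and therefore anyone who can make a web application misbehave, could change.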
