tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Security of WEB-INF content
Date Fri, 29 Oct 2010 11:57:13 GMT
On 29/10/2010 12:30, Haledor wow wrote:
> Hi,
> I have read in various forums that there are situations where the content of
> WEB-INF can be accessed. Some people say that it is good practice to hide
> sensitive files in WEB-INF and some say it might not be...
> I am using Tomcat 6.0 and I am worried someone could access some of my
> sensitive files located inside the WEB-INF folder. Could you explain to me
> whether this is possible or not.

Nothing under WEB-INF is directly accessible to a user. Requests to
http://host:port/app/WEB-INF/... will always be rejected.

However, applications can forward requests to resources under /WEB-INF
and can also include resources under /WEB-INF. It is up to the
application to make sure it doesn't do that in a way that could
compromise the security of any sensitive data placed under /WEB-INF.

> Do i need to obfuscate the content of the
> files in WEB-INF?


And as an aside, Obfuscation != security


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message