tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Jacobson <robert.c.jacob...@nasa.gov>
Subject deny access to directory
Date Tue, 30 Aug 2011 13:28:23 GMT

I'm trying to deny access to the .svn directories for my Tomcat 6.0.32
installation (on Windows Server 2003, if that matters), but what I'm
doing isn't working and I need help, please.  I'm using the built-in web
server (i.e. I have not integrated w/ Apache).

My install directory structure looks like this:

$TOMCAT_DIR:
.svn/  LICENSE*  NOTICE*  Uninstall.exe*  bin/  conf/  lib/  logs/ 
temp/  tomcat.ico*  webapps/  work/

$TOMCAT_DIR/webapps:
 .svn/  ROOT/  ROOT.war*  docs/  host-manager/  manager/  tomcat/

$TOMCAT_DIR/webapps/ROOT:
.svn/    META-INF/    WEB-INF/   index.jsp  [etc...]

When I request:

http://server/.svn/entries

It returns the contents of $TOMCAT_DIR/webapps/.svn/entries.  I don't
want Tomcat to return the content of any file in .svn/.

I searched the mailing list and google, and general approach appears to
be adding a security-constraint to web.xml. (e.g.
http://shrubbery.mynetgear.net/c/display/W/Prevent+access+to+include+files)
  So, I tried the following in $TOMCAT_DIR/webapps/ROOT/WEB-INF/web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>svn entries</web-resource-name>
      <url-pattern>/.svn/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>


I've also tried adding the same security constraint above to
$TOMCAT_DIR/conf/web.xml, with the same results.

For kicks I also tried an explicit role that doesn't exist (e.g.
"NOBODY"), but that didn't work either.  (aside:  an empty
auth-constraint mean no one is allowed access, correct?)

Can someone please tell me why the above changes did not work?  Or, is
there another way to accomplish what I want (deny access to all files in
.svn directories)?

Also -- I'm puzzled why Tomcat is returning webapps/.svn/entries instead
of ROOT/.svn/entries?

Excerpt from server.xml:

  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="false"
            xmlValidation="false" xmlNamespaceAware="false">
    [...]

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson               Robert.C.Jacobson@nasa.gov
Lead System Admin       Solar Dynamics Observatory (SDO)
Bldg 14, E222                             (301) 286-1591 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message