tomcat-users mailing list archives
From Leo Donahue - PLANDEVX <LeoDona...@mail.maricopa.gov>
Subject RE: Dynamic Security Constraints?
Date Mon, 12 Mar 2012 14:25:27 GMT
>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Subject: Re: Dynamic Security Constraints?
>
>Addenda :
>1) ... You'd have to think carefully of where you place these
>files to download, so that Tomcat does not unwittingly provide the
>possibility for a user to download such a file directly (bypassing the
>login) by providing a URL that points to the file directly.

Not to change the subject, but I hear a lot of people talking about the point you're making
about where to place the file and unwittingly providing a URL to access it outside of a security
constraint.

Perhaps there is some design history to this that people used to do that I am just missing,
so could someone please enlighten me?

If I place a file in a webapp context of customerx, and restrict access to everything in the
customerx url pattern to a specific login, how can that URL be accessed outside of a security
check?  Are people doing something else when they deploy their apps that would allow the situation
you are describing?  Are they creating a separate docBase?
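As an added illustration of the placement question raised above (this is example configuration, not something from the thread or from Tomcat itself; the role name, login pages and file paths are assumed), a web.xml for a webapp deployed at the customerx context path, with a common mis-scoped constraint beside a corrected one:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for a webapp deployed as context "customerx".
     The role "customer", the login pages and the /downloads path are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- WEAK (commented out): url-pattern is matched relative to the context
       root, so inside the customerx context this only covers
       /customerx/customerx/*. Every other path in the webapp, such as
       /customerx/downloads/report.pdf, is served by the DefaultServlet with
       no login at all. Naming an http-method also leaves every other method
       (POST, HEAD, ...) unconstrained on Servlet 3.0 and earlier. -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customerx</web-resource-name>
      <url-pattern>/customerx/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
  -->

  <!-- CORRECTED: cover the whole context and all HTTP methods. Tomcat still
       lets the form login and error pages through. Files kept under
       /WEB-INF/ are never served directly, so downloads can also live there
       and be streamed by a servlet that runs after this check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customerx</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

A quick check after deploying is to request a static file in the context while logged out and confirm the response is the login page rather than the file.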
