tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <>
Subject Re: restrict per user public_html to serve static files only...
Date Wed, 27 Jun 2012 09:39:11 GMT
2012/6/27 Kim <>:
> Hi, Dear all
> I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
> I need to enable public_html for my user but for security reason, I
> would like restrict the functions to serve static files only.
> Can anyone tell me how to do that ?
> Actually I can build tomcat from src and don't mind modify the code
> base for this specific feature.
> Can anyone help me to point out which source file I should modify ...

For reference, "User Web Applications" feature is implemented via a
Listener, o.a.catalina.startup.UserConfig which enumerates users and
deploys their web applications.  Documentation is in
config/listeners.html and config/host.html.

Currently it creates web application for each user when Tomcat starts.
Probably it could be improved to perform such deployment once in a
while on Lifecycle.PERIODIC_EVENT.

you need to prevent not only jsps, but servlets as well.

I think I would create my own UserConfig listener so that it would
skip directories
that have WEB-INF and META-INF directories in them.

Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
to be sure; maybe it could be used to reconfigure logging).

There should not be META-INF/context.xml file. (Though as far as I
remember when an application is deployed via UserConfig the
context.xml file is ignored).

Processing of Jsp files can be enabled though two constructs
a) explicit mapping of JspServlet, like it is done in conf/web.xml
b) implicitly by using <jsp-property-group> with url pattern that
patches the file.

I think that removing JspServlet mappings from global conf/web.xml
will disable JSP processing for you.

2012/6/27 André Warnier <>:
> Have a look first at the file (catalina_home)/conf/catalina.policy, section
> It seems to me that by not granting those permissions (other than to your
> own webapps), you can greatly restrict what users can do.

Note that regardless of contents of conf/catalina.policy every web
application is granted permission to load its own classes and write to
its own temporary directory. The servlet spec requires it.

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message