tomcat-users mailing list archives

From Kim <>
Subject Re: restrict per user public_html to serve static files only...
Date Wed, 27 Jun 2012 14:15:06 GMT
Hi, Kolinko
Thanks a lot. Yes, I have hunted down UserConfig in the Tomcat source tree
and can modify it to skip those user contexts if
there is a /WEB-INF/web.xml in their public_html directory.
I can also insert a Valve filter to skip those URLs with a jsp extension ...
But I do think it's a very clumsy solution, and I'm looking for a more
elegant solution in which, for a per-user web application, the only
servlet that can be invoked is the "DefaultServlet" that serves static
files only.

> For reference, "User Web Applications" feature is implemented via a
> Listener, o.a.catalina.startup.UserConfig which enumerates users and
> deploys their web applications.  Documentation is in
> config/listeners.html and config/host.html.
> Currently it creates a web application for each user when Tomcat starts.
> Probably it could be improved to perform such deployment once in a
> while on Lifecycle.PERIODIC_EVENT.
> First,
> you need to prevent not only jsps, but servlets as well.
> I think I would create my own UserConfig listener so that it would
> skip directories
> that have WEB-INF and META-INF directories in them.
> Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web
> fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just
> to be sure; maybe it could be used to reconfigure logging).
> There should not be META-INF/context.xml file. (Though as far as I
> remember when an application is deployed via UserConfig the
> context.xml file is ignored).
> Second,
> Processing of Jsp files can be enabled through two constructs:
> a) explicit mapping of JspServlet, like it is done in conf/web.xml
> b) implicitly by using <jsp-property-group> with a url pattern that
> matches the file.
> I think that removing JspServlet mappings from global conf/web.xml
> will disable JSP processing for you.
> 2012/6/27 André Warnier <>:
>> Have a look first at the file (catalina_home)/conf/catalina.policy, section
>> It seems to me that by not granting those permissions (other than to your
>> own webapps), you can greatly restrict what users can do.
> Note that regardless of contents of conf/catalina.policy every web
> application is granted permission to load its own classes and write to
> its own temporary directory. The servlet spec requires it.
> Best regards,
> Konstantin Kolinko
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
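The pre-deployment check Kolinko describes (skip any public_html that carries WEB-INF/web.xml, WEB-INF/lib, WEB-INF/classes or META-INF/context.xml, and flag JSP sources that JspServlet would compile) as an added, stand-alone audit script. This is example code written for this archive page, not part of Tomcat or of either poster's work; it does not hook into UserConfig itself but reports which users' directories would be safe to hand to DefaultServlet. The /home layout, user names and file contents are constructed for the demo, and `public_html` is assumed as the directory name.

```python
"""Audit per-user public_html trees before Tomcat's UserConfig deploys them.

A directory that carries WEB-INF/ (web.xml, lib/, classes/) or
META-INF/context.xml is a configurable web application, not a static
file tree, and any *.jsp / *.jspx file would be compiled if JspServlet
is still mapped in conf/web.xml.  Users with an empty findings list are
the ones that can be served by DefaultServlet alone.

Added example, not Tomcat code; the sample layout below is constructed.
"""
import tempfile
from pathlib import Path

# Artefacts from the thread's "things to beware" list.
RISKY_PATHS = (
    "WEB-INF/web.xml",
    "WEB-INF/lib",
    "WEB-INF/classes",
    "META-INF/context.xml",
)
JSP_SUFFIXES = {".jsp", ".jspx"}


def audit_public_html(public_html: Path) -> list[str]:
    """Return findings for one user's directory; an empty list means static only."""
    findings = []
    for rel in RISKY_PATHS:
        if (public_html / rel).exists():
            findings.append(f"contains {rel}")
    # A bare WEB-INF or META-INF directory is flagged too: Tomcat treats it as
    # a webapp skeleton even if nothing dangerous is in it today.
    for special in ("WEB-INF", "META-INF"):
        already = any(f.startswith(f"contains {special}/") for f in findings)
        if (public_html / special).is_dir() and not already:
            findings.append(f"contains {special}/ directory")
    # JSP sources anywhere in the tree would be compiled by a mapped JspServlet.
    for path in public_html.rglob("*"):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            findings.append(f"JSP source {path.relative_to(public_html)}")
    return findings


def deployable_users(home_base: Path, directory_name: str = "public_html") -> dict[str, list[str]]:
    """Map each user under home_base to its findings (users without the dir are skipped)."""
    report = {}
    for user_dir in sorted(p for p in home_base.iterdir() if p.is_dir()):
        public_html = user_dir / directory_name
        if not public_html.is_dir():
            continue  # UserConfig would not deploy this user either
        report[user_dir.name] = audit_public_html(public_html)
    return report


def build_sample_homes(base: Path) -> Path:
    """Create a constructed /home layout: one clean user, two risky ones, one without a dir."""
    alice = base / "alice" / "public_html"
    alice.mkdir(parents=True)
    (alice / "index.html").write_text("<h1>hello</h1>")
    bob = base / "bob" / "public_html"
    (bob / "WEB-INF").mkdir(parents=True)
    (bob / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (bob / "hello.jsp").write_text("<%= 1 + 1 %>")
    carol = base / "carol" / "public_html"
    (carol / "META-INF").mkdir(parents=True)
    (carol / "META-INF" / "context.xml").write_text("<Context/>")
    (base / "dave").mkdir()  # no public_html at all
    return base


def demo_report() -> dict[str, list[str]]:
    """Build the sample layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return deployable_users(build_sample_homes(Path(tmp)))


if __name__ == "__main__":
    for user, findings in demo_report().items():
        status = "DEPLOY" if not findings else "SKIP"
        print(f"{status:6} {user}: {', '.join(findings) or 'static files only'}")
```

Running it against a real host means pointing `deployable_users` at the base of the user home directories; the same findings list is what a custom UserConfig replacement would consult before creating a context for that user.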
