This is correct, although I would recommend something like the following added to your
access.conf file in the /etc/httpd/conf directory.


<Location "/WEB-INF/">
     # AllowOverride is only valid in <Directory> sections, so it is left out here
     Options None
     Order deny,allow
     Deny from all
</Location>


which will work for all sites. Advanced users will of course need to
include an extended path as mentioned below. For most people using the
default pkg site config created by the perl script, which will always have the
WEB-INF directory in their root web tree, this will do the trick once
and for all.


Alexander Povargo wrote:

> Hi,
> 
> it may be important to all who use the Cobalt Developer Kit for Java.
> First:
> The default configuration of Apache-Tomcat doesn't hide the content of the
> WEB-INF directory and everything below it from web browsing.
> Default cobalt's configuration of access.conf:
> <Directory /home/sites/siteN>
> AllowOverride All
> Options All
> </Directory>
> It allows any visitor to look at and browse your WEB-INF and all directories
> below it.
> Try to check it: point your web browser to:
> http://<yourdomain>/WEB-INF
> http://<yourdomain>/WEB-INF/classes
> 
> You can disable such browsing for all directories of the required virtual
> hosts by changing access.conf as stated below:
> <Directory /home/sites/siteN>
> AllowOverride All
> Options -Indexes
> </Directory>
> 
> or see below if you don't want to disable browsing for entire virtual hosts.
> 
> Second:
> if you have already disabled web browsing of directories, that is not all.
> Cobalt's scripts don't disable access to files in WEB-INF.
> Try to check it with pointing your browser to:
> http://<yourdomain>/WEB-INF/web.xml
> 
> Your visitor can see the name of your servlet from the URL, can download
> your servlet by pointing his browser to
> http://<yourdomain>/WEB-INF/classes/<servletName.class>,
> then decompile it and, for example, hack your user name and password
> for your database.
> 
> To disable it, make such changes in httpd.conf:
> <VirtualHost your.IP.address.here>
> .... snip ... various config directives ...
> # add these new instructions:
> # <Location> matches the URL path; a <Directory> takes a filesystem path,
> # and a bare "/WEB-INF" would name the filesystem root, not your web tree
> <Location "/WEB-INF">
>   Options None
>   Order deny,allow
>   Deny from all
> </Location>
> # add it for each web-app you have installed:
> <Location "/<web-app path>/WEB-INF">
>   Options None
>   Order deny,allow
>   Deny from all
> </Location>
> 
> </VirtualHost>
> 
> After this correction your web applications will be protected from 
> viewing and tampering.
> 
> Hope it will be helpful to all users of Cobalt's Tomcat implementation.
> 
> Regards,
> Alex
> 
> _______________________________________________
> cobalt-developers mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-developers


-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone/fax 707.766.9509
http://www.obsidian-studios.com

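As an added example for the thread above (my own code, not Cobalt's script and not code from either poster), here is a small Python audit that reads Apache container syntax of the kind shown in the thread and reports the three problems discussed: a site directory with Options All/Indexes, no block that denies WEB-INF, and a <Directory> given a bare URL-style path so it never matches the real directory. It also carries a probe for the URLs the thread asks you to try. The sample configs, the IP address 10.0.0.5 and the path /home/sites/site1 are constructed for the example.

```python
"""Audit Apache httpd.conf/access.conf text for an exposed WEB-INF tree.

Added example for the cobalt-developers thread; not Cobalt's script nor code
from either poster.  Sample configs, IP address and site path are constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Cobalt default as quoted in the thread.
COBALT_DEFAULT = """\
<VirtualHost 10.0.0.5>
  DocumentRoot /home/sites/site1/web
  <Directory /home/sites/site1>
    AllowOverride All
    Options All
  </Directory>
</VirtualHost>
"""

# Constructed sample: indexes off, plus a URL-space deny for WEB-INF.
HARDENED = """\
<VirtualHost 10.0.0.5>
  DocumentRoot /home/sites/site1/web
  <Directory /home/sites/site1>
    AllowOverride All
    Options -Indexes
  </Directory>
  <Location "/WEB-INF">
    Options None
    Order deny,allow
    Deny from all
  </Location>
</VirtualHost>
"""

# Constructed sample: a <Directory> given a URL path instead of a filesystem
# path, so it never matches the site's real WEB-INF directory.
MISTAKEN = """\
<VirtualHost 10.0.0.5>
  DocumentRoot /home/sites/site1/web
  <Directory "/WEB-INF">
    Options None
    Deny from all
  </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r'^<(\w+)\s*(.*?)\s*>$')
CLOSE_RE = re.compile(r'^</(\w+)\s*>$')


def parse_blocks(conf: str) -> List[Tuple[str, str, List[Tuple[str, str]]]]:
    """Return (kind, argument, directives) for every container block.
    Directives attach to the innermost open block, as Apache does."""
    blocks, stack = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            blk = (m.group(1).lower(), m.group(2).strip('"'), [])
            blocks.append(blk)
            stack.append(blk)
            continue
        if stack:
            name, _, value = line.partition(' ')
            stack[-1][2].append((name.lower(), value.strip()))
    return blocks


def audit(conf: str) -> Tuple[bool, List[str]]:
    """Return (web_inf_protected, findings) for one config file."""
    findings, protected = [], False
    for kind, arg, directives in parse_blocks(conf):
        d = dict(directives)                  # last occurrence wins, like Apache
        opts = [o.lower() for o in d.get('options', '').split()]
        if kind == 'directory' and any(o in ('all', 'indexes', '+indexes') for o in opts):
            findings.append(f'Directory {arg}: directory listing enabled (Options {d["options"]})')
        if kind == 'location' and 'allowoverride' in d:
            findings.append(f'Location {arg}: AllowOverride is not valid inside <Location>')
        if arg.rstrip('/').upper().endswith('WEB-INF'):
            if kind == 'directory' and arg.rstrip('/').upper() == '/WEB-INF':
                findings.append('Directory /WEB-INF names the filesystem root, not the web tree; '
                                'use <Location "/WEB-INF"> or the full DocumentRoot path')
            elif d.get('deny', '').lower() == 'from all':
                protected = True
    if not protected:
        findings.append('no <Location> or <Directory> block denies access to WEB-INF')
    return protected, findings


PROBE_PATHS = ('/WEB-INF/', '/WEB-INF/web.xml', '/WEB-INF/classes/')


def probe(base_url: str, timeout: float = 5.0) -> Dict[str, Optional[int]]:
    """Request the paths from the thread; map each to its HTTP status
    (None if the host could not be reached).  Needs network access."""
    results: Dict[str, Optional[int]] = {}
    for path in PROBE_PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip('/') + path, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code
        except urllib.error.URLError:
            results[path] = None
    return results


def exposed(statuses: Dict[str, Optional[int]]) -> List[str]:
    """Paths whose status means the server handed the resource out."""
    return [p for p, s in statuses.items() if s is not None and s not in (403, 404)]


if __name__ == '__main__':
    for name, conf in (('default', COBALT_DEFAULT), ('hardened', HARDENED), ('mistaken', MISTAKEN)):
        ok, notes = audit(conf)
        print(f'{name}: protected={ok}', *('  - ' + n for n in notes), sep='\n')
```

Run it against /etc/httpd/conf/httpd.conf and access.conf after editing; `audit` should report nothing for a site that carries the <Location "/WEB-INF"> deny, and `exposed(probe('http://yourdomain'))` should come back empty once Apache has been restarted.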