Thanks a lot for all who helped me.
It turned out that I could read a class file in the apps directory (I don't
know why this copy of the class was there... bad manipulation I guess) but I
cannot access files inside web-inf!
Sorry for the inconvenience and thanks again.
Paul
On 12/20/00 5:30 AM, Kitching Simon at [EMAIL PROTECTED] wrote:
> Hi Paul,
>
> I disagree with Guy's email here. There are several very good
> reasons why your servlet classes *should* be within your webapp,
> and *not* within your CLASSPATH. Just follow the examples that
> come with tomcat, and you shouldn't go far wrong.
>
> The sun servlet specs say quite explicitly that *no* file in WEB-INF
> can ever be downloaded by a browser. So if you can download the
> binary "mybean.class" file, save it to disk, then decompile it, that
> is a definite security hole, and a violation of the servlet spec.
>
> There can be problems if you use apache as a front-end, because of
> course apache doesn't obey the servlet specs - it isn't a servlet engine.
> However, in your case you explicitly said that you were running tomcat
> standalone, so that can't be it.
>
> One thing you didn't tell us is what version of tomcat you are using.
>
> There has been a recent patch to tomcat3.2 (3.2.1) which fixes a
> number of security problems. I am willing to bet that if you upgrade
> to tomcat3.2.1 (from whatever you were using) the problem will go
> away.
>
> I would also just point out that the WEB-INF directory should
> have the same capitalisation I have shown, even on windows
> (which you appear to be using). Yes, windows file explorer will
> "adjust" the capitalisation of files, but you should make sure
> that at the "DOS" level, the capitalisation is actually correct.
>
> Regards,
>
> Simon
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
>> Sent: Wednesday, December 20, 2000 12:58 AM
>> To: [EMAIL PROTECTED]
>> Subject: RE: Deny web-inf access (security problem)
>>
>> Set up a directory outside your tomcat directory to contain java class
>> files, and include that directory in your classpath. Keep it outside of
>> your Apache directory as well.
>>
>> -----Original Message-----
>> From: Paul Gonin [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, December 19, 2000 2:02 PM
>> To: [EMAIL PROTECTED]
>> Subject: Deny web-inf access (security problem)
>>
>>
>> Hi,
>>
>> I have a JSP that uses a bean. It uses the following directory structure:
>> webapps/myapply/myapply.jsp
>> webapps/myapply/web-inf/classes/mybean.class
>>
>> It works fine but I am annoyed that people can download the bean directly
>> and "access" its content because it contains critical information
>> (passwords).
>>
>> How do I protect my bean, and more generally I'd like to protect the whole
>> web-inf directory (if it's possible)?
>>
>> Note : I'm using Tomcat standalone.
>>
>> Thanks