André,

On 9/25/14 5:36 PM, André Warnier wrote:
> Baran Topal wrote:
>> Hi;
>> 
>> Thanks for your interest. Yes, I realized the context idea once I
>> read the documentation. I must admit the hierarchy is weird but
>> it's a custom installer of a site that installs on a Windows
>> machine. There is no Tomcat manager console in place (at least I
>> didn't see/enable it).
>> 
>> The hierarchy is as this:
>> 
>> <programnameunderCdriveProgramFiles>tomcat/webapps/ROOT/WEB-INF
>> and under WEB-INF, there is a jsp folder which contains the jsp
>> pages of admin that I want to filter out for a particular IP.
>> 
>> I think there is no concern to make the change in server.xml
>> because there will be absolutely one web application under this
>> Tomcat. So, the change can be application-wide I guess.
>> 
>> For just testing, within the given valve above, I can filter out
>> index.jsp which is in the path
>> <programnameunderCdriveProgramFiles>/tomcat/webapps/ROOT/ and I
>> can filter that particular file successfully but fail to filter the
>> <programnameunderCdriveProgramFiles>/tomcat/webapps/ROOT/WEB-INF/jsp/admin
>> folder.
>> 
>> Thanks for your help.
>> 
>> Regards.
> 
> Baran, you are either not listening, or not understanding what
> Christopher - who is one of the Tomcat experts on this list - is
> trying to tell you:
> 
> The design of Tomcat is such that, for any normally-configured
> Tomcat, a client (any client) should not normally be able to obtain
> *anything* that is located below the /WEB-INF/ directory of an
> application.  If your clients can access these files, then it means
> that you have found a way to misconfigure Tomcat so badly, that you
> are bypassing one of its built-in security features. (And if so,
> you should file it as a bug).
> 
> The /WEB-INF/ sub-directory is a special place, that serves to
> store configuration files, compiled Java classes and jars, which
> the clients should /never/ be able to obtain. It is not meant to
> contain any JSPs or HTML pages of an application.

While I don't do it personally, I've seen lots of web applications
where the .jsp files are stored under /WEB-INF so that they cannot be
accessed directly. Instead, you have to hit some other resource which
can then perform an internal forward (i.e. RequestDispatcher.forward)
to access that resource.

It's a valid use case, but the point is that /WEB-INF can't be
accessed directly, and if you don't want people from certain places
accessing anything in that directory, then you shouldn't forward those
requests in the first place. There's really no need to rely on a
Filter or Valve to protect you when you can do the same thing using
standard role-based permissions.

- -chris
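To illustrate the approach Chris describes (standard role-based permissions plus an internal forward, instead of a Filter or Valve), here is an added example that is not part of this thread or of Tomcat itself: a servlet mapped to /admin/* that the container restricts to a role and that forwards to JSPs kept under /WEB-INF/jsp/admin/. The class name, the role name "admin", and the use of Servlet 3.0 annotations (Tomcat 7 or later) are assumptions; it also assumes a <login-config> and a realm are configured in the web application.

```java
// AdminDispatcher.java: added example, not from the thread. Assumes a
// Servlet 3.0+ container (Tomcat 7+), a <login-config> in web.xml, and a
// realm that grants the role "admin" (class and role names are assumptions).
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative equivalent of a web.xml <security-constraint> on /admin/*:
// the container authenticates the caller and rejects anyone without the
// "admin" role before doGet() runs, so no Filter or Valve is needed.
@WebServlet("/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminDispatcher extends HttpServlet {

    // Only plain page names are accepted, so the forward target can never
    // leave /WEB-INF/jsp/admin/ (no "..", no slashes, no extension tricks).
    private static final Pattern PAGE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // /admin/users -> pathInfo "/users"; /admin or /admin/ -> "index"
        String info = req.getPathInfo();
        String page = (info == null || info.length() <= 1) ? "index" : info.substring(1);
        if (!PAGE.matcher(page).matches()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Clients can never fetch /WEB-INF/** directly; only this server-side
        // forward reaches the JSP, and it runs after the role check above.
        req.getRequestDispatcher("/WEB-INF/jsp/admin/" + page + ".jsp")
           .forward(req, resp);
    }
}
```

Because the role check is enforced by the container on the /admin/* mapping, a client that is not authorized never triggers the forward, which is exactly why the JSPs under /WEB-INF need no additional IP-based Valve.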

>> 2014-09-25 14:52 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
>> 
> Baran,
> 
> On 9/24/14 5:04 PM, Baran Topal wrote:
>>>>> Hi, following works under server.xml
>>>>> 
>>>>> <Context path="/index.jsp" reloadable="true">
>>>>>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>>>          deny="127\.0\.0\.1"/>
>>>>> </Context>
> Yes, it will work, but declaring a <Context> in server.xml is a
> Bad Idea. It's better to use a META-INF/context.xml file, or, even
> better, a file in CATALINA_BASE/conf/[engine]/[host]/[webapp].xml
> 
>>>>> But, I need to hide my admin directory containing admin.jsp
>>>>> pages (more than 1 jsp page)
> The above configuration will deny all users from localhost (but
> only using IPv4) for all URL patterns matching your /index.jsp
> context (why in the world would you have a context path
> /index.jsp?).
> 
> Something tells me you are seriously misconfiguring this server.
> 
>>>>> My admin directory is in WEB-INF and WEB-INF is in the same
>>>>> level with /index.jsp but simply, not working when I ref.
>>>>> the context as /WEB-INF/admin
> No remote client should be able to directly access anything in 
> /WEB-INF/ unless you have really done some damage to your server.
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
