-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jonathan,
On 11/25/2009 11:13 AM, Jonathan Mast wrote: > Can someone please provide the magical httpd config-cantation that will > block httpd from accessing anything in WEB-INF directories? <Directory "/path/to/webapp/WEB-INF"> Order deny,allow Deny from all </Directory> > I need something that will be apply globally How about: <DirectoryMatch ".*/WEB-INF"> Order deny,allow Deny from all </DirectoryMatch> > and can't be overridden by > VirtualHost directives This might not be possible. Any part of httpd.conf can override any other part, I think. You can make it so that .htaccess files can't override the "Order" and "Deny" directives, though. Note that you'll probably want to protect META-INF as well. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksUNy8ACgkQ9CaO5/Lv0PAvNwCgr1MuY9z65FqtjckGGJqftmDO CBgAniX+ta69krZ8mEQ6mVmW42/GBUMI =vCxT -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org