Jonathan,

On 11/25/2009 11:13 AM, Jonathan Mast wrote:
> Can someone please provide the magical httpd config-cantation that will
> block httpd from accessing anything in WEB-INF directories?

  <Directory "/path/to/webapp/WEB-INF">
    Order deny,allow
    Deny from all
  </Directory>

> I need something that will apply globally

How about:

  <DirectoryMatch ".*/WEB-INF">
    Order deny,allow
    Deny from all
  </DirectoryMatch>

> and can't be overridden by
> VirtualHost directives

This might not be possible. Any part of httpd.conf can override any
other part, I think. You can make it so that .htaccess files can't
override the "Order" and "Deny" directives, though.

Note that you'll probably want to protect META-INF as well.

-chris
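
The pieces of the reply above combined into one server-level fragment, as an added example that is not from either poster. It keeps the thread's httpd 2.2 access syntax and the `/path/to/webapp` placeholder; the case-insensitive `(?i)` flag and the `<LocationMatch>` section are additions assumed here, not something the thread proposes.

```apache
# Place in the main server config (httpd.conf), outside any <VirtualHost>.
# As the reply notes, a <VirtualHost> section can still override these.

# Filesystem view: deny WEB-INF and META-INF wherever they sit on disk.
# (?i) also matches case variants such as /web-inf/, which resolve to the
# same directory on case-insensitive filesystems.
<DirectoryMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</DirectoryMatch>

# URL view: deny by request path as well, so the rule holds no matter
# which directory or mapping ends up serving the URL.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Weak setting, shown for contrast: any .htaccess under the webapp may use
# Order/Allow/Deny (the "Limit" override class) and re-open access.
# <Directory "/path/to/webapp">
#     AllowOverride All
# </Directory>

# Corrected: .htaccess files cannot change access control here.
# AllowOverride is only valid in a plain <Directory> section, not in
# <DirectoryMatch> or <Location>, so it is set on the webapp root.
# If other overrides are needed, list them and leave "Limit" out, e.g.
#   AllowOverride FileInfo Indexes
<Directory "/path/to/webapp">
    AllowOverride None
</Directory>
```

On httpd 2.4 the `Order`/`Deny` pair is replaced by `Require all denied`, which is governed by the `AuthConfig` override class rather than `Limit`.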
