R. S. Patil wrote:
Thanks Chuck,

In some discussion I heard that the WEB-INF contents cannot be
accessed from the Internet at all.
The servlet spec requires that the servlet container (Tomcat) prevent direct 
access to WEB-INF.

How far is this true?
Completely, as far as Tomcat is concerned.  If you have an alternative means of 
accessing the host (e.g., httpd, SMB, NFS) and you have not configured such 
alternatives correctly, there may be other ways of reaching the files.  Tomcat 
obviously cannot protect you from mistakes made in other components.


So what I have understood is: if only Tomcat is installed on the web server, i.e.
no Samba, NFS, FTP, Apache web server etc., then even hackers cannot
access the WEB-INF folder, so I can keep JDBC database connection info in that
folder as a plain text file. The only accessible part of the application will be the
context root, i.e. the folder above the WEB-INF folder.

Yes, context root will be served, as will be other folders under
context root. WEB-INF and its subfolders are safe, from the container
(Tomcat) point-of-view. Note however, that you as web application
developer can break this safety mechanism: a servlet can be
programmed to read a file from within WEB-INF and serve the contents
to the Internet. If such a servlet contains a bug that allows an intruder
to freely choose a file, instead of strictly providing one of the
predefined files, then it could be that an intruder could read any
file within WEB-INF.

You could store the database access information in a plain-text file,
but then, you could also store it as web-application context
parameters in the WEB-INF/web.xml file. Or you could set up a proper
JNDI database resource, but perhaps that's something that can be
left for a bit later on the learning curve.

BTW can you suggest some good book/study material on Tomcat for a newbie?

Even though it is not intended as such, I would like to recommend the
Servlet specification available from Sun. That document describes what
you can expect from a servlet container (such as Tomcat).
--
..Juha
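As an added illustration of Juha's point about a servlet breaking the WEB-INF protection (example code, not from the thread or from Tomcat itself): a servlet that hands out only predefined files from WEB-INF and reads the JDBC settings from context parameters rather than a plain file. The class, file and parameter names are hypothetical, and it assumes the javax.servlet API on Java 9 or later.

```java
// Added example, not from the thread: serve WEB-INF files without letting
// the caller choose the path. Assumes javax.servlet (Tomcat) and Java 9+;
// the file names and parameter names below are hypothetical.
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DocServlet extends HttpServlet {
    // The only WEB-INF files this servlet may hand out. The request supplies
    // a key into this map, never a path, so "../" or "web.xml" in the
    // parameter cannot select anything outside the list.
    private static final Map<String, String> ALLOWED = Map.of(
            "terms", "/WEB-INF/docs/terms.txt",
            "faq",   "/WEB-INF/docs/faq.txt");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The bug Juha warns about looks like this (do not do it):
        //   String path = "/WEB-INF/docs/" + req.getParameter("file");
        // With a user-chosen name the servlet becomes a reader for any
        // file under WEB-INF, database credentials included.
        String key = req.getParameter("doc");
        String path = (key == null) ? null : ALLOWED.get(key);
        if (path == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        ServletContext ctx = getServletContext();
        try (InputStream in = ctx.getResourceAsStream(path)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("text/plain");
            in.transferTo(resp.getOutputStream());
        }
    }

    // Database settings kept as <context-param> entries in WEB-INF/web.xml,
    // e.g. <param-name>jdbc.url</param-name>, are read through the
    // ServletContext instead of by opening the file yourself.
    String jdbcUrl() {
        return getServletContext().getInitParameter("jdbc.url");
    }
}
```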
