Peter,
On 10/29/2010 7:57 AM, Mark Thomas wrote:
> On 29/10/2010 12:30, Haledor wow wrote:
>> Hi,
>>
>> I have read in various forums that there are situations where the content of
>> WEB-INF can be accessed. Some people say that it is good practice to hide
>> sensitive files in WEB-INF and some say it might not be...
>>
>> I am using Tomcat 6.0 and I am worried someone could access some of my
>> sensitive files located inside the WEB-INF folder. Could you explain to me
>> whether this is possible or not?
>
> Nothing under WEB-INF is directly accessible to a user. Requests to
> http://host:port/app/WEB-INF/... will always be rejected.

If Tomcat is being used behind a web server such as Apache httpd, then the
web server can be used to subvert the security provided by Tomcat. For
example, a naive configuration might be:

httpd.conf:

    DocumentRoot /var/www/my-webapp
    JkMount /*.jsp worker

my-webapp.xml:

    <Context docBase="/var/www/my-webapp" />

If a request comes in for /WEB-INF/web.xml, Apache httpd will happily serve
that file off the disk while the same request to Tomcat would fail.

There are many solutions to this problem, including:

1. Not using a fronting web server
2. Setting DocumentRoot != docBase
3. Adding <Limit> directives to httpd.conf to specifically exclude WEB-INF
   and other sensitive areas
4. Making WEB-INF and other sensitive areas unreadable by the httpd process
5. Using more general (or additional) JkMount directives, like

       JkMount /*.jsp worker
       JkMount /WEB-INF/* worker

   ...though if you have a JkMount for /WEB-INF/, you may as well do #3 or
   #4 above.

I highly favor #1 and #2 above, though your environment may necessitate
some of the other options.
-chris
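As an added illustration (not part of the original thread), here is the naive httpd.conf from the mail beside a hardened version that applies options #2, #3 and #5 together. The paths and worker name are the ones from the mail; the static DocumentRoot path, the LocationMatch block and its regex are my own, written in httpd 2.2 syntax (on httpd 2.4 replace the Order/Deny pair with `Require all denied`).

```apache
# --- Naive configuration (the case the mail warns about) ---
# httpd and Tomcat share one directory tree, so httpd serves anything
# that is not *.jsp straight off the disk, including /WEB-INF/web.xml.
DocumentRoot /var/www/my-webapp
JkMount /*.jsp worker
# my-webapp.xml: <Context docBase="/var/www/my-webapp" />

# --- Hardened configuration ---
# Option 2: DocumentRoot is a separate static tree (assumed path), so
# no URL maps onto the Tomcat docBase on disk.
DocumentRoot /var/www/htdocs-static

# Option 5: route the whole application to Tomcat so httpd never
# resolves application paths against its own filesystem.
JkMount /* worker

# Option 3 (defence in depth): even if a later edit re-exposes the
# tree, refuse WEB-INF and META-INF at the URL level before any
# handler runs. Case-insensitive, since httpd on Windows resolves
# paths case-insensitively.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>
```

After reloading httpd, a request for /app/WEB-INF/web.xml against your own server should return 403 (from the LocationMatch) or 404 (from Tomcat), never the file contents.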