I'm trying to deny access to the .svn directories for my Tomcat 6.0.32
installation (on Windows Server 2003, if that matters), but what I'm
doing isn't working and I need help, please.  I'm using the built-in web
server (i.e. I have not integrated w/ Apache).

My install directory structure looks like this:

$TOMCAT_DIR:
.svn/  LICENSE*  NOTICE*  Uninstall.exe*  bin/  conf/  lib/  logs/ 
temp/  tomcat.ico*  webapps/  work/

$TOMCAT_DIR/webapps:
 .svn/  ROOT/  ROOT.war*  docs/  host-manager/  manager/  tomcat/

$TOMCAT_DIR/webapps/ROOT:
.svn/    META-INF/    WEB-INF/   index.jsp  [etc...]

When I request:

http://server/.svn/entries

It returns the contents of $TOMCAT_DIR/webapps/.svn/entries.  I don't
want Tomcat to return the content of any file in .svn/.

I searched the mailing list and Google, and the general approach appears to
be adding a security-constraint to web.xml (e.g.
http://shrubbery.mynetgear.net/c/display/W/Prevent+access+to+include+files).
So, I tried the following in $TOMCAT_DIR/webapps/ROOT/WEB-INF/web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>svn entries</web-resource-name>
      <url-pattern>/.svn/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>


I've also tried adding the same security constraint above to
$TOMCAT_DIR/conf/web.xml, with the same results.

For kicks I also tried an explicit role that doesn't exist (e.g.
"NOBODY"), but that didn't work either.  (Aside:  an empty
auth-constraint means no one is allowed access, correct?)

Can someone please tell me why the above changes did not work?  Or, is
there another way to accomplish what I want (deny access to all files in
.svn directories)?

Also -- I'm puzzled why Tomcat is returning webapps/.svn/entries instead
of ROOT/.svn/entries?

Excerpt from server.xml:

  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="false"
            xmlValidation="false" xmlNamespaceAware="false">
    [...]

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson               robert.c.jacob...@nasa.gov
Lead System Admin       Solar Dynamics Observatory (SDO)
Bldg 14, E222                             (301) 286-1591 
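
An added illustration, not part of the original message and not Tomcat code: a small Python model of which requests the security-constraint quoted above covers, using the Servlet specification's url-pattern rules and its rule that a constraint listing http-method elements applies only to those methods. The function names and the wrapped sample XML are assumptions made for this example; paths are relative to the web application's context root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message in a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/.svn/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern match: default '/', '/prefix/*', '*.ext', else exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def denied(web_xml, path, method):
    """True if a constraint with an empty auth-constraint covers (path, method).

    path is relative to the context root. Simplified: no best-match selection
    between competing patterns.
    """
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop any XML namespace prefix
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None or auth.findall("role-name"):
            continue  # no auth-constraint, or roles named: not deny-all
        for coll in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in coll.findall("http-method")]
            if methods and method not in methods:
                continue  # constraint applies only to the listed methods
            if any(pattern_matches(p.text.strip(), path)
                   for p in coll.findall("url-pattern")):
                return True
    return False

if __name__ == "__main__":
    for m, p in [("GET", "/.svn/entries"), ("HEAD", "/.svn/entries"),
                 ("GET", "/docs/.svn/entries")]:
        print(m, p, "denied" if denied(WEB_XML, p, m) else "not covered")
```

With the sample constraint, GET /.svn/entries is covered, while HEAD on the same path and GET on a nested /docs/.svn/entries are not.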

