Kim wrote:
Hi, Andre
How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly.
So how come you cannot do the same ?
ans : each user can have his/her own web.xml and can do whatever URL
mapping in web.xml to serve his/her servlet ... That's why I can not
know in advance unless I go into the user WEB-INF to do the parsing
Right, so you /are/ trying to implement something like the ~userdir of Apache
httpd.
I tend to agree with Mikolaj then, you may be better off keeping Apache httpd
for that.
Or else, this is the kind of situation for which the "security manager" of Tomcat
(actually of Java) may be the way to go. If individual users can upload stuff and have it
served by Tomcat, at least restrict whatever these things can actually do.
Have a look first at the file (catalina_home)/conf/catalina.policy, section "WEB
APPLICATION PERMISSIONS".
It seems to me that by not granting those permissions (other than to your own webapps),
you can greatly restrict what users can do.
As long as the users don't have access to (catalina_base)/conf of course.
It also means of course that you /must/ grant these permissions to your own webapps, which
tends to be a p.i.t.a. But then, you have an open system, so it belongs to you to close
the holes.
...
Another question : where is this "public_html" directory (?) actually
located, and what does/can it contain, other than static pages ?
ans : I configure tomcat to enable per-user web as follows:
<Listener className="org.apache.catalina.startup.UserConfig"
          directoryName="public_html"
          homeBase="/share/home"
          userClass="org.apache.catalina.startup.HomesUserDatabase"/>
Regards,
Kim
2012/6/27 André Warnier <a...@ice-sa.com>:
Regarding the style of communications : on this list, it is preferred if
posters answer *below* the respective text to which they refer, not on top
of the message.
It makes it so much easier to follow the flow of the conversation (rather
than having to scroll up and down to find the appropriate paragraph).
Kim wrote:
Hi, Andre
Thanks for the advice. I do implement a Valve class to capture all the
requests before forwarding to the actual web app. However, I can not know
in advance the actual URL for the servlet or JSP ..
i.e. I can not know from the URI in the Valve class whether the
resource is a static file or a servlet ...
How so ? can you explain ?
After all, Tomcat itself has to know if the resource being served is a
servlet or jsp page or something else, in order to serve it properly. So how
come you cannot do the same ?
Another question : where is this "public_html" directory (?) actually
located, and what does/can it contain, other than static pages ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
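
Added example, not part of the thread and not Tomcat's shipped file: a constructed catalina.policy fragment (Java policy-file syntax) illustrating the suggestion above of granting the "WEB APPLICATION PERMISSIONS" only to your own webapps and not to code under the per-user directories. The webapp name "intranet", the database host and the particular permissions are assumptions; /share/home is taken from the Listener configuration quoted in the thread.

```java
// catalina.policy fragment (constructed for illustration).
// It only has an effect when Tomcat runs under the Java security manager,
// e.g. started with: catalina.sh start -security

// ---- Weak: a grant block WITHOUT codeBase applies to all code, so every
// ---- webapp, including anything uploaded to a user's public_html, gets
// ---- these permissions.
//
// grant {
//     permission java.util.PropertyPermission "java.home", "read";
//     permission java.lang.RuntimePermission "getAttribute";
//     permission java.net.SocketPermission "db.example.internal:5432", "connect";
// };

// ---- Tighter: name the code that receives the permissions.
// "intranet" is a hypothetical webapp that you deploy and control yourself.
grant codeBase "file:${catalina.base}/webapps/intranet/-" {
    permission java.util.PropertyPermission "java.home", "read";
    permission java.lang.RuntimePermission "getAttribute";
    // Hypothetical database host; only this webapp may open the connection.
    permission java.net.SocketPermission "db.example.internal:5432", "connect";
};

// ---- User content: no grant block names file:/share/home/-, so classes
// ---- loaded from /share/home/<user>/public_html/WEB-INF receive none of
// ---- the permissions listed above. Add narrowly scoped entries here only
// ---- when a specific need has been reviewed.

// The policy file itself lives in (catalina_base)/conf, which users must
// not be able to write to, otherwise they can grant themselves anything.
```

Each of your own webapps needs its own codeBase block like the one for "intranet"; a missing permission shows up as a java.security.AccessControlException in the logs.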