Hi Kolinko,

Really thanks. Yes, I have hunted down UserConfig in the Tomcat source tree and can modify UserConfig.java to skip those user contexts if a /WEB-INF/web.xml exists in their public_html directory. I can also insert a Valve filter to skip those URLs with the jsp extension ... But I do think it's a very clumsy solution, and I'm looking for a more elegant one in which, for a per-user web application, the only servlet that can be invoked is the "DefaultServlet" that serves static files only.

Regards,
Kim
> For reference, the "User Web Applications" feature is implemented via a Listener, o.a.catalina.startup.UserConfig, which enumerates users and deploys their web applications. Documentation is in config/listeners.html and config/host.html.
>
> Currently it creates a web application for each user when Tomcat starts. Probably it could be improved to perform such deployment once in a while on Lifecycle.PERIODIC_EVENT.
>
>
> First,
> you need to prevent not only jsps, but servlets as well.
>
> I think I would create my own UserConfig listener so that it would skip directories that have WEB-INF and META-INF directories in them.
>
> Things to beware of are WEB-INF/web.xml, WEB-INF/lib (because of the web fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just to be sure; maybe it could be used to reconfigure logging).
>
> There should not be a META-INF/context.xml file. (Though as far as I remember, when an application is deployed via UserConfig the context.xml file is ignored).
>
>
> Second,
> Processing of Jsp files can be enabled through two constructs:
> a) explicit mapping of JspServlet, like it is done in conf/web.xml
> b) implicitly by using <jsp-property-group> with a url pattern that matches the file.
>
> I think that removing JspServlet mappings from the global conf/web.xml will disable JSP processing for you.
>
>
> 2012/6/27 André Warnier <a...@ice-sa.com>:
>>
>> Have a look first at the file (catalina_home)/conf/catalina.policy, section "WEB APPLICATION PERMISSIONS".
>> It seems to me that by not granting those permissions (other than to your own webapps), you can greatly restrict what users can do.
>>
>
> Note that regardless of the contents of conf/catalina.policy, every web application is granted permission to load its own classes and write to its own temporary directory. The servlet spec requires it.
>
> Best regards,
> Konstantin Kolinko
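As an added illustration of the approach discussed in this thread (example code, not from the thread, not Tomcat's own UserConfig), a Host listener written in the style of UserConfig that refuses to deploy a user directory containing WEB-INF or META-INF. It assumes the Tomcat 7 API and hard-codes the /home base and the public_html directory name, which the stock UserConfig instead reads from its homeBase and directoryName attributes.

```java
import java.io.File;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.ContextConfig;

/**
 * Host listener in the style of UserConfig: deploys /~user only when the user's
 * public_html carries no web-application metadata, so it can serve static files only.
 */
public class StaticOnlyUserConfig implements LifecycleListener {
    // Hypothetical fixed values; the stock UserConfig reads these from its
    // homeBase / directoryName attributes in server.xml.
    private static final File HOME_BASE = new File("/home");
    private static final String DIRECTORY_NAME = "public_html";
    // Either entry lets a user turn static content into a real web application
    // (WEB-INF/web.xml, WEB-INF/lib fragments, WEB-INF/classes, META-INF/context.xml).
    private static final String[] FORBIDDEN = { "WEB-INF", "META-INF" };

    /** True when docBase is a directory with no WEB-INF or META-INF entry (file or directory). */
    public static boolean isStaticOnly(File docBase) {
        if (!docBase.isDirectory()) return false;
        for (String name : FORBIDDEN) {
            if (new File(docBase, name).exists()) return false;
        }
        return true;
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!Lifecycle.START_EVENT.equals(event.getType())) return;
        Host host = (Host) event.getLifecycle();
        File[] homes = HOME_BASE.listFiles();
        if (homes == null) return;
        for (File home : homes) {
            File app = new File(home, DIRECTORY_NAME);
            String contextPath = "/~" + home.getName();
            if (host.findChild(contextPath) != null) continue; // already deployed
            if (!isStaticOnly(app)) {
                host.getLogger().warn("Refusing to deploy " + app + ": WEB-INF or META-INF present");
                continue;
            }
            Context context = new StandardContext();
            context.setPath(contextPath);
            context.setDocBase(app.getAbsolutePath());
            context.addLifecycleListener(new ContextConfig()); // applies the global conf/web.xml
            host.addChild(context);
        }
    }
}
```

A directory without WEB-INF/web.xml still inherits the global conf/web.xml, so the JspServlet mapping has to be removed there as well (Kolinko's second point) before the DefaultServlet is the only servlet reachable in these contexts.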