On 24/08/17 19:29, James H. H. Lampert wrote:
> I've just discovered that a number of files within our webapp context
> are reachable from outside. Not all of them, but a number that really
> shouldn't be.
>
> By its nature, the webapp itself has its own access control, based on
> the outside resource it accesses, rather than on, say, tomcat-users.xml
>
> What controls browser access to static files in a Tomcat context? Where
> can I learn more about this, and how to restrict it?

Tomcat will prevent access to anything in WEB-INF or META-INF. Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.

Mark
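
An added example, not part of the original thread and not Tomcat's own configuration: a deny-all security constraint of the kind the Servlet spec defines, placed in the webapp's WEB-INF/web.xml. The URL patterns /config/*, /templates/* and *.properties are hypothetical stand-ins for whatever static files should not be reachable from a browser.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!--
    Block direct client requests to static files that live outside WEB-INF.
    URL patterns are relative to the context root. The ones below are
    hypothetical; replace them with the paths found to be exposed.
  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal static files (hypothetical name)</web-resource-name>
      <url-pattern>/config/*</url-pattern>
      <url-pattern>/templates/*</url-pattern>
      <url-pattern>*.properties</url-pattern>
      <!-- No http-method elements: the constraint covers every HTTP method. -->
    </web-resource-collection>

    <!--
      An empty auth-constraint means no role is permitted, so the container
      refuses every matching request (403) regardless of authentication.
      No login-config or tomcat-users.xml entry is needed for a deny-all rule.
    -->
    <auth-constraint/>
  </security-constraint>

  <!--
    Security constraints apply to requests arriving from clients. Content
    reached through RequestDispatcher include/forward from a JSP or Servlet
    is not checked against them, so the app can still use these files
    internally, the same way it can with content under WEB-INF.
  -->
</web-app>
```

After redeploying, requesting one of the covered paths directly should return 403 while pages that include the same content keep working.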