Hello Chuck
Yes, I also tried this quite a while back. Only problem: the
image tree is in the many GBytes size. And, in addition,
when redeploying, one has to be careful not to wipe out
such a static file tree.
But the major constraint is that such a static file tree may
be very large and its content may be changing regularly.
Otherwise, putting static content there does make sense
from a security standpoint.
What I currently do is serve the static content from elsewhere,
outside the tomcat/webapps tree. But for security, I vet all
requests for any static content before serving. In addition,
if a serve is thusly permitted, the getPathInfo is appropriately
massaged to point to the correct location and this is passed
to DefaultServlet. That way it is not possible to find the stuff
without permission by specifying (the typical)
"http://domain/image/file" kind of thing. I.e., the visible URL
does not actually point to the file.
Any thoughts?
Maurice Yarrow
Caldarale, Charles R wrote:
From: PraDz [mailto:[EMAIL PROTECTED]]
Subject: Tomcat Security
How do I restrict users from entering the image/text files
path directly in the browser?
Instead of putting your image/text directories under your <Host>'s
appBase, put them under the associated app's WEB-INF directory, where
they are guaranteed to be protected, per the servlet spec. (Remember
that each webapp is intended to be self-contained, so all static
resources it uses should be bundled with it.) Tomcat treats anything
under appBase as a webapp, so the default servlet is delivering the
images and text.
- Chuck
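As an added illustration of the "vet every request, then serve from outside the webapps tree" approach Maurice describes (example code, not from either poster), here is a servlet that hides the real file path behind an opaque key, checks the caller is entitled to the file, and confirms the resolved path is still inside the static tree before streaming it. Assumptions not on the page: the tree lives at /srv/static, the servlet is mapped to /image/* in web.xml, and the small in-code table stands in for a real lookup such as a database.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: serve vetted static files from a tree outside tomcat/webapps
// behind an opaque URL. Assumed (not on the page): the tree is /srv/static,
// the servlet is mapped to /image/*, and CATALOG stands in for a real lookup.
public class VettedStaticServlet extends HttpServlet {
    private static final File ROOT = new File("/srv/static");
    // Constructed sample table: opaque key in the URL -> {owner, real relative path}.
    private static final Map<String, String[]> CATALOG = Map.of(
        "7f3a9c", new String[] {"alice", "2008/alice/portrait.jpg"},
        "b21e04", new String[] {"bob",   "2008/bob/notes.txt"});

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. The visible URL carries only an opaque key, never a file path.
        String info = req.getPathInfo();                      // e.g. "/7f3a9c"
        if (info == null || !info.matches("/[a-f0-9]{6}")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }
        String[] entry = CATALOG.get(info.substring(1));
        if (entry == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        // 2. Per-request authorisation: only the owner's session may fetch it.
        Object user = req.getSession(false) == null
                ? null : req.getSession(false).getAttribute("user");
        if (!entry[0].equals(user)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        // 3. Canonicalise and confirm the target is still inside ROOT, so a
        //    bad table entry or a symlink cannot escape the static tree.
        File target = new File(ROOT, entry[1]).getCanonicalFile();
        if (!target.getPath().startsWith(ROOT.getCanonicalPath() + File.separator)
                || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); return;
        }
        // 4. Stream the file directly rather than forwarding to DefaultServlet,
        //    which only resolves paths inside the webapp's own resources.
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) target.length());
        Files.copy(target.toPath(), resp.getOutputStream());
    }
}
```

Because the URL key is looked up rather than resolved, a client cannot guess neighbouring files by editing the path, and the canonical-path check in step 3 is the safety net for the case Maurice raises where the external tree is large and changes regularly.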
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]