Mark,

Mark Thomas wrote:
| My best guess from
| the limited information is that you are using httpd and mod_jk and your
| configuration isn't secure.

Agreed. You should always lock-down Apache httpd by prohibiting access
to, say, "*.jsp" in your webapp directory /from httpd configuration/.
Tomcat will protect *.jsp and anything under /WEB-INF/ and /META-INF/
for you, but you can always use Apache http to avoid those protections.

Make sure you do something like:

<Directory "/path/to/webapps/mywebapp/META-INF">
    Order deny,allow
    Deny from all
</Directory>

<Directory "/path/to/webapps/mywebapp/WEB-INF">
    Order deny,allow
    Deny from all
</Directory>

<Directory "/path/to/webapps/mywebapp/">
    <Files "*.jsp">
        Order deny,allow
        Deny from all
    </Files>
    # ... any other files that should never be served by Apache httpd.
</Directory>

-chris
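
Added example, not part of the original message: a small Python check that an httpd configuration contains the three deny rules described above for one webapp. Accepting the Apache 2.4 form "Require all denied" goes beyond the message, and the function names and sample configuration are constructed for illustration.

```python
import re

# Constructed sample config (not from the original message): META-INF and
# *.jsp are denied, but the WEB-INF block has been forgotten.
SAMPLE_CONF = '''
<Directory "/path/to/webapps/mywebapp/META-INF">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/path/to/webapps/mywebapp/">
    <Files "*.jsp">
        Order deny,allow
        Deny from all
    </Files>
</Directory>
'''

OPEN = re.compile(r'<(Directory|Files)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Files)\s*>', re.I)
# Assumption: a scope counts as denied if it holds either directive below;
# later Allow overrides and <DirectoryMatch> sections are not evaluated.
DENY = re.compile(r'(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I)

def denied_scopes(conf):
    """Return the set of (directory, files_pattern) scopes that deny all access."""
    stack, denied = [], set()
    for raw in conf.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip().rstrip('/')))
        elif CLOSE.match(line) and stack:
            stack.pop()
        elif DENY.match(line) and stack:
            d = next((v for k, v in stack if k == 'directory'), None)
            f = next((v for k, v in stack if k == 'files'), None)
            denied.add((d, f))
    return denied

def missing_protections(conf, webapp):
    """List which of the message's three protections the config lacks for webapp."""
    webapp = webapp.rstrip('/')
    required = {
        (webapp + '/META-INF', None): 'META-INF',
        (webapp + '/WEB-INF', None): 'WEB-INF',
        (webapp, '*.jsp'): '*.jsp',
    }
    have = denied_scopes(conf)
    return sorted(name for scope, name in required.items() if scope not in have)
```

Calling missing_protections(SAMPLE_CONF, "/path/to/webapps/mywebapp") reports the forgotten WEB-INF block; an empty list means all three rules are present.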