On 29/10/2010 12:30, Haledor wow wrote:
> Hi,
>
> I have read in various forums that there are situations where the content of
> WEB-INF can be accessed. Some people say that it is good practice to hide
> sensitive files in WEB-INF and some say it might not be...
>
> I am using Tomcat 6.0 and I am worried someone could access some of my
> sensitive files located inside the WEB-INF folder. Could you explain to me
> whether this is possible or not?
Nothing under WEB-INF is directly accessible to a user. Requests to
http://host:port/app/WEB-INF/... will always be rejected. However,
applications can forward requests to resources under /WEB-INF and can also
include resources under /WEB-INF. It is up to the application to make sure
it doesn't do that in a way that could compromise the security of any
sensitive data placed under /WEB-INF.

> Do I need to obfuscate the content of the
> files in WEB-INF?

No. And as an aside, Obfuscation != security

Mark
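The forward/include caveat above is the part an application author actually controls, so here is an added illustration (not code from the thread or from Tomcat): two servlets for the javax.servlet API that Tomcat 6 ships. The first builds a RequestDispatcher target from a request parameter, which means the application, not the container, ends up serving whatever it is pointed at under /WEB-INF. The second keeps a fixed allow-list of view paths and lets client input select only a key in that list. Servlet names, the `page` parameter and the `/WEB-INF/views/` paths are assumptions for the example; the servlets still need to be mapped in web.xml as usual.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Weak pattern (constructed example): the forward target is assembled from an
// untrusted parameter, so the application itself hands out resources under
// /WEB-INF that the container would never serve directly.
class UnsafeViewServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String page = req.getParameter("page"); // client-controlled
        RequestDispatcher rd = req.getRequestDispatcher("/WEB-INF/views/" + page);
        rd.forward(req, resp);
    }
}

// Hardened pattern (constructed example): client input only chooses a key in a
// fixed allow-list; the dispatcher target is never built from request data.
public class SafeViewServlet extends HttpServlet {
    private static final Map<String, String> VIEWS;

    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("home", "/WEB-INF/views/home.jsp");       // assumed view paths
        m.put("profile", "/WEB-INF/views/profile.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A missing or unknown key (including null) yields no target at all.
        String target = VIEWS.get(req.getParameter("page"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

The same allow-list rule applies to `RequestDispatcher.include` and to JSP `<jsp:include>` / `<jsp:forward>` tags whose `page` attribute is computed from request data; in every case the container's protection of /WEB-INF only holds if the application never lets a client choose the path.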