2012/6/27 Kim <k...@aerodrive.com>:
> Hi, Dear all
> I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11.
> I need to enable public_html for my user but for security reasons, I
> would like to restrict the functions to serve static files only.
> Can anyone tell me how to do that ?
> Actually I can build tomcat from src and don't mind modifying the code
> base for this specific feature.
> Can anyone help me to point out which source file I should modify ...

For reference, the "User Web Applications" feature is implemented via a Listener, o.a.catalina.startup.UserConfig, which enumerates users and deploys their web applications. Documentation is in config/listeners.html and config/host.html.

Currently it creates a web application for each user when Tomcat starts. Probably it could be improved to perform such deployment once in a while on Lifecycle.PERIODIC_EVENT.

First, you need to prevent not only JSPs, but servlets as well. I think I would create my own UserConfig listener so that it would skip directories that have WEB-INF and META-INF directories in them. Things to beware of are WEB-INF/web.xml, WEB-INF/lib (because of the web fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just to be sure; maybe it could be used to reconfigure logging). There should not be a META-INF/context.xml file. (Though as far as I remember, when an application is deployed via UserConfig the context.xml file is ignored.)

Second, processing of JSP files can be enabled through two constructs:
a) explicit mapping of JspServlet, like it is done in conf/web.xml
b) implicitly, by using <jsp-property-group> with a url pattern that matches the file.

I think that removing JspServlet mappings from the global conf/web.xml will disable JSP processing for you.

2012/6/27 André Warnier <a...@ice-sa.com>:
>
> Have a look first at the file (catalina_home)/conf/catalina.policy, section
> "WEB APPLICATION PERMISSIONS".
> It seems to me that by not granting those permissions (other than to your
> own webapps), you can greatly restrict what users can do.
>

Note that regardless of the contents of conf/catalina.policy, every web application is granted permission to load its own classes and write to its own temporary directory. The servlet spec requires it.

Best regards,
Konstantin Kolinko
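As an added example (not code from this thread or from Tomcat itself), a small Python audit script that applies the two checks Konstantin describes before user web applications are enabled: it flags user directories carrying the listed WEB-INF/META-INF paths, and it reads conf/web.xml for both constructs that enable JSP processing. It assumes home directories live under a base such as /home and that the per-user directory is named public_html.

```python
# Added example (not from the thread or Tomcat): audit user web directories and
# conf/web.xml before enabling UserConfig. Assumes home dirs live under a base
# such as /home and the per-user directory is public_html (UserConfig's directoryName).
import os
import sys
import xml.etree.ElementTree as ET

# Paths named in the thread that turn a static directory into a real webapp.
RISKY_PATHS = ("WEB-INF/web.xml", "WEB-INF/lib", "WEB-INF/classes", "META-INF/context.xml")


def find_risky_userdirs(base, directory_name="public_html"):
    """Return [(user, webdir, item)] for every user directory carrying a RISKY_PATH."""
    findings = []
    for user in sorted(os.listdir(base)):
        webdir = os.path.join(base, user, directory_name)
        if os.path.isdir(webdir):
            for item in RISKY_PATHS:
                if os.path.exists(os.path.join(webdir, item)):
                    findings.append((user, webdir, item))
    return findings


def _local(tag):  # web.xml declares a default namespace; compare local names only
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def jsp_trigger_patterns(web_xml_path):
    """Return [(construct, url_pattern)] for both ways JSP processing gets enabled:
    (a) a servlet-mapping to the servlet named 'jsp', (b) any jsp-property-group.
    ElementTree drops XML comments, so a commented-out mapping is not reported."""
    hits = []
    for elem in ET.parse(web_xml_path).getroot().iter():
        tag = _local(elem.tag)
        if tag == "servlet-mapping" and "jsp" in [_text(c) for c in elem if _local(c.tag) == "servlet-name"]:
            hits += [("servlet-mapping", _text(c)) for c in elem if _local(c.tag) == "url-pattern"]
        elif tag == "jsp-property-group":
            hits += [("jsp-property-group", _text(c)) for c in elem if _local(c.tag) == "url-pattern"]
    return hits


if __name__ == "__main__":  # usage: audit.py /home $CATALINA_HOME/conf/web.xml
    for user, webdir, item in find_risky_userdirs(sys.argv[1]):
        print(f"{user}: {webdir} contains {item}; UserConfig would deploy it as a full webapp")
    for construct, pattern in jsp_trigger_patterns(sys.argv[2]):
        print(f"JSP processing still enabled for {pattern} via <{construct}> in {sys.argv[2]}")
```

An empty result from both functions is the state the thread aims for: no user directory that UserConfig would deploy as a real webapp, and no mapping or property group left that hands files to Jasper.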