RE: TC 3.3.1: How to disable static access to *certain* directories?

2003-10-23 Thread Lemke, Michael IZ/HZA-IE5
 -Original Message-
 From: Larry Isaacs [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 23, 2003 3:07 PM
 To: Tomcat Users List
 Subject: RE: TC 3.3.1: How to disable static access to 
 *certain* directories?
 
 
 
  -Original Message-
  From: Lemke, Michael IZ/HZA-IE5 [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, October 23, 2003 8:04 AM
  To: '[EMAIL PROTECTED]'
  Subject: TC 3.3.1: How to disable static access to *certain* 
  directories?
  
  
  I want to serve a few static pages with standalone tomcat 
  3.3.1 (no apache etc).
  I got that to work (StaticInterceptor listings=false /).  
  However, 
  it is still possible to access pages in other contexts if I 
  know the path:
  
  http://host.dom:4711/otherapplication/someknownpath/file.html
 
  But if I try
 
  http://host.dom:4711/otherapplication/WEB-INF/web.xml
 
  I get a 403 Forbidden.  How can I make tomcat return 403 (or 404) for
  the first path as well?  I just couldn't find anything in the docs
  or google.
 
 You could delete file.html.  That would result in a 404 
 error.  

Not good enough.  There's stuff I can't take out.

 If this isn't feasible, you need to explain why, so options as to how
 to hide it can be determined.

Well, I simply don't want to serve anything that I don't need.
For the main application I don't need any static pages so I can
do without StaticInterceptor (done that).  I don't want any files
to be available that might be placed there by mistake or otherwise.  
Only the few pages under the `static' path should be accessible.  
Simple security concerns - don't open more than what is necessary.

Michael

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: TC 3.3.1: How to disable static access to *certain* directories?

2003-10-23 Thread Lemke, Michael IZ/HZA-IE5
Thanks.  I might try that.

One more question:  How can I change the default page,
i.e., the one that displays when I just enter a path, from
index.html to something else?

Thanks again,
Michael


 -Original Message-
 From: Larry Isaacs [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 23, 2003 3:59 PM
 To: Tomcat Users List
 Subject: RE: TC 3.3.1: How to disable static access to 
 *certain* directories?
 
 
 The feature of arbitrarily not serving content in the
 webapp is one that is not in high demand and isn't
 currently supported, other than removing the
 StaticInterceptor, as you have done.
 
 I haven't tried the following, but you might try for
 each static page you want to serve:
 
 1) Make a copy of the static page and rename it to
end with .jsp.
 
 2) In the web.xml, add a servlet declaration for that
JSP and add a servlet mapping that maps it to the
old static file's name.
 
 Then remove the StaticInterceptor from the webapp.
 This way, only the static files you map get served.
 Note, this assumes all the static files you want to
 serve are HTML.
 
 HTH.
 
 Larry
 
 
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
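
Larry's two steps written out as a web.xml fragment, as an added example that is not part of the original thread and, like the suggestion itself, untested on Tomcat 3.3.1. The page names (welcome.html, help.html), the servlet names and the Servlet 2.2 DOCTYPE are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Step 1 (done on disk, file names are hypothetical):
         static/welcome.html  copied to  static/welcome_html.jsp
         static/help.html     copied to  static/help_html.jsp
       The copies are compiled as JSPs, so any literal "<%" in the HTML
       must be escaped as "<\%" or the page will fail to compile. -->

  <!-- Step 2a: one servlet declaration per page, pointing at the JSP copy.
       The 2.2 DTD requires all <servlet> elements to come before any
       <servlet-mapping> element. -->
  <servlet>
    <servlet-name>static-welcome</servlet-name>
    <jsp-file>/static/welcome_html.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>static-help</servlet-name>
    <jsp-file>/static/help_html.jsp</jsp-file>
  </servlet>

  <!-- Step 2b: exact-match mappings from the old static URLs.
       No wildcard patterns: only the paths listed here are answered,
       which is the allow-list the thread is asking for. -->
  <servlet-mapping>
    <servlet-name>static-welcome</servlet-name>
    <url-pattern>/static/welcome.html</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>static-help</servlet-name>
    <url-pattern>/static/help.html</url-pattern>
  </servlet-mapping>
</web-app>
```

After removing the StaticInterceptor, a request for a file that was dropped into the webapp but has no mapping here should no longer be served; requesting such a path and confirming the error response is the check to run before relying on it.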



RE: TC 3.3.1: How to disable static access to *certain* directories?

2003-10-23 Thread Punjabi, Naveen K
Hello,

If you have permission to edit the master configuration files, then you
can edit the httpd.conf and srm.conf files and do the following:

- Find the line DirectoryIndex index.html and change it as follows:
DirectoryIndex index.shtml index.html. Of course, you can use any
filename you wish. I prefer to leave index.html as a valid index as
well.
- If you are unable to edit your master configuration files, you can use
this directive from .htaccess. Just edit the .htaccess file located in
your main HTML directory. If you do not have this file, feel free to
create it!

To change the default page, either edit the existing DirectoryIndex line
or add the following: 

DirectoryIndex index.shtml index.html 
This will make index.shtml the default page. 

By using a .htaccess file in a subdirectory, you can specify a different
default page for that one directory without affecting the rest of your
site. 

Naveen Punjabi
USC, Computer Science
http://www-scf.usc.edu/~npunjabi



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
