Re: Newbie question on Tomcat security

2003-07-15 Thread John Turner
First, no direct requests for anything under WEB-INF are allowed.

Second, check out the welcome-file element in web.xml.  Make sure it says 
index.jsp.

Third, check out the listings parameter, make sure it is set to off or 
false.

Fourth, TURN OFF the Invoker, and DON'T use it.

Fifth, use the security manager.

Sixth, don't put ANYTHING confidential in a JSP...move it (like a database 
connection URL, a username, or a password) to web.xml or server.xml, or a 
properties file under WEB-INF.

Seventh, if you really want to obscure paths when people view HTML source, 
simply make all URLs a call to a servlet with a parameter.  This is a lot 
of extra work for not much benefit, but it can be done.  The servlet reads 
the file from a protected area (like WEB-INF/*), sets the appropriate 
Content-Type, and spools the file to the client.  This will work for any 
file, CSS, GIF, JPEG, whatever, as in a sense your servlet will just be a 
web server...the client doesn't care where the file is coming from, as 
long as the request is satisfied and the Content-Type is correct.  Thus, 
when viewing HTML source, the path to a CSS file would not be 
myApp/my.css but something like /servlet/fileGet?file=my.css.

And, if you still want more info, consider the Apache Tomcat Security 
Handbook published by Wrox Press.

John

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
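John's seventh point (a servlet that reads a file from under WEB-INF and streams it with the right Content-Type) worked through as an added example; this is not code from the original post, and the class name, the /servlet/fileGet mapping in web.xml and the WEB-INF/static/ directory are assumptions. The file parameter is request-controlled, so the servlet accepts only a bare file name with a known extension, which is what keeps a request from reaching anything outside that directory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Streams static files kept under WEB-INF/static/ (assumed location) so the
 * real path never appears in the HTML. Assumed web.xml mapping: /servlet/fileGet
 */
public class FileGetServlet extends HttpServlet {
    // "file" is request-controlled. Only a bare name with a known extension is
    // accepted, so "../", "/" or "WEB-INF/web.xml" never reach getResourceAsStream.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z0-9_-]+\\.(css|gif|jpe?g|png|js)");

    static boolean isSafeName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("file");
        if (!isSafeName(name)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Resolved against the web application root; WEB-INF is not directly servable.
        InputStream in = getServletContext()
            .getResourceAsStream("/WEB-INF/static/" + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Content-Type comes from the container's mime-mapping table.
        String type = getServletContext().getMimeType(name);
        resp.setContentType(type != null ? type : "application/octet-stream");
        OutputStream out = resp.getOutputStream();
        byte[] buf = new byte[8192];
        int n;
        try {
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

Because John also says to turn the Invoker off, the /servlet/fileGet URL has to come from an explicit servlet-mapping in web.xml rather than from the Invoker's /servlet/* mapping.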


Newbie question on Tomcat security

2003-07-14 Thread substring
Hello All,

I just developed a JSP application called myapp,
running on Tomcat 4.1.24.  How can I keep people from
accessing my files under tomcat/webapps/myapp?  For
example, people can do a simple view source and find
the path to my css file, then they can type in the
path on the browser to access my files.

What kind of security should I set up for that?
I am pretty new to Tomcat so I need help.

By the way, my OS is Windows 2000 Pro.

Any help will be very much appreciated.





newbie question on Tomcat security

2003-07-14 Thread epyonne =)
Hello All,

I just developed a JSP application called myapp,
running on Tomcat 4.1.24. How can I keep people from
accessing my files under tomcat/webapps/myapp? For
example, people can do a simple view source and find
the path to my css file, then they can type in the
path on the browser to access my files.
What kind of security should I set up for that?
I am pretty new to Tomcat so I need help.
By the way, my OS is Windows 2000 Pro.

Any help will be very much appreciated.



Re: Newbie question on Tomcat security

2003-07-14 Thread Reginald Oake
Hi.

I'm not certain about this but it seems to me that it would be next to
impossible to keep the html source from being viewed by someone using
any browser (this is not a server side issue). The source has to be
uploaded to the browser and, once it is uploaded anyone can view source
on the page.

As far as keeping your directory structure at least a little bit more
obscured you can do two things. You can never fully obscure the
directory structure as the browser requires this information to load
images, style sheets and links.

The first is to put an index.jsp or index.html file in so that people
cannot view your directory structure directly (there is probably a
better way to do this).

The second is to use servlet mappings.

I'm not sure if this needs to be said but even though people can
determine your directory structure with fairly little effort this does
not, in itself, pose a security risk.


Thanx


Reg





Re: Newbie question on Tomcat security

2003-07-14 Thread epyonne
Thanks for the reply.  Actually, I don't worry about people being able to view
source.  I just don't like the fact that they can type in the folder and
list the whole directory tree in the browser.  They can open any file in the
directory and potentially alter the code.

Most web sites I've been to, if you type in the folder directory, you will
get an access denied or something like that.  I am wondering if I can set up
something similar in Tomcat?

By the way, I do have an index.jsp.

Thanks.






Re: Newbie question on Tomcat security

2003-07-14 Thread Reginald Oake
Hi.

I don't know if this will be helpful but I have heard of people putting
their JSPs and other ancillary files inside the WEB-INF directory. I'm
not sure what you have to do to make this work but it may well be worth
looking into.


Reg
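What Reg describes (JSPs kept under WEB-INF, where the container refuses direct requests) works by having a servlet forward to them; this added example is not from the original thread, and the servlet name, its /page/* mapping in web.xml and the WEB-INF/jsp/ directory are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller mapped (assumed) to /page/* in web.xml. The JSPs live in
 * WEB-INF/jsp/ (assumed), where the container refuses direct requests, so the
 * only way to reach them is through this servlet's forward.
 */
public class PageServlet extends HttpServlet {
    // "/home" -> "home"; anything with a dot, slash or unusual character is refused,
    // so the path info can only ever select a JSP inside WEB-INF/jsp/.
    private static final Pattern VIEW = Pattern.compile("[a-z][a-z0-9_]*");

    static String viewName(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2) return null;
        String v = pathInfo.substring(1);
        return VIEW.matcher(v).matches() ? v : null;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = viewName(req.getPathInfo());
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // A forward is server-side: the JSP's WEB-INF path never reaches the browser.
        RequestDispatcher rd = getServletContext()
            .getRequestDispatcher("/WEB-INF/jsp/" + view + ".jsp");
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}
```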





Re: newbie question on Tomcat security

2003-07-14 Thread Bill Barker
Actually, it is easier than that:  They can just go to the browser's cache
folder and view it from there.  As such, you should consider that your .css
files are public info, and leave it at that.




Re: Newbie question on Tomcat security

2003-07-14 Thread Simon Pabst
Look here: http://jakarta.apache.org/tomcat/faq/misc.html#listing
