> -----Original Message----- > From: Larry Isaacs [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 23, 2003 3:07 PM > To: Tomcat Users List > Subject: RE: TC 3.3.1: How to disable static access to > *certain* directories? > > > > > -----Original Message----- > > From: Lemke, Michael IZ/HZA-IE5 [mailto:[EMAIL PROTECTED] > > Sent: Thursday, October 23, 2003 8:04 AM > > To: '[EMAIL PROTECTED]' > > Subject: TC 3.3.1: How to disable static access to *certain* > > directories? > > > > > > I want to serve a few static pages with standalone tomcat > > 3.3.1 (no apache etc). > > I got that to work (<StaticInterceptor listings="false" />). > > However, > > it is still possible to access pages in other contexts if I > > know the path: > > > > http://host.dom:4711/otherapplication/someknownpath/file.html > > > > But if I try > > > > http://host.dom:4711/otherapplication/WEB-INF/web.xml > > > > I get a 403 Forbidden. How can I make tomcat to return 403 > (or 404) for > > the first path as well? I just couldn't find anything in the docs > > or google. > > You could delete file.html. That would result in a 404 > error.
Not good enough. There's stuff I can't take out. >If this > isn't feasible, you need to explain why, so options as to how > to "hide" it > can be determined. Well, I simply don't want to serve anything that I don't need. For the main application I don't need any static pages so I can do without StaticInterceptor (done that). I don't want any files to be available that might be placed there by mistake or otherwise. Only the few pages under the `static' path should be accessible. Simple security concerns - don't open more than what is necessary. Michael --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
