On Mon, Jun 28, 2004 at 12:14:00PM +0100, Euan Guttridge wrote:
: Where is the best practice for deploying your WebApp configuration files?
: For example a database config file which contains production db password.
: Most apps I have seen use WEB-INF/config or WEB-INF/classes - but this is a
: no-no from security guys as it is under the document root.

"under the document root" != "available for request."

The spec dictates that requests for files from WEB-INF are denied. If you're running a web server in front of Tomcat, then be sure to deny access to WEB-INF from there as well.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
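
One way to apply the advice above on a front-end Apache httpd, as an added example that is not part of the original message. It assumes httpd 2.4 access-control syntax, and the filesystem path is a placeholder.

```apache
# Added example: Apache httpd sitting in front of Tomcat.
# Assumption: httpd 2.4 syntax (on 2.2 and earlier, replace "Require all denied"
# with "Order deny,allow" followed by "Deny from all").

# Refuse any URL that contains a WEB-INF path segment before the request is
# passed on to Tomcat. The (?i) flag makes the match case-insensitive, which
# matters when files can be served from a case-insensitive filesystem.
<LocationMatch "(?i)/WEB-INF(/|$)">
    Require all denied
</LocationMatch>

# If httpd also serves the webapp's static files straight from disk, the
# URL rule alone is not enough: block the directory on the filesystem side too.
# "/path/to/webapps" is a placeholder for wherever the webapps are unpacked.
<DirectoryMatch "(?i)^/path/to/webapps/[^/]+/WEB-INF">
    Require all denied
</DirectoryMatch>
```

After reloading the configuration, a request through the front end for a file under WEB-INF (for example the webapp's web.xml) should be answered with 403 by httpd itself rather than reaching Tomcat.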
