For robust installations, this problem is a non-issue due to JSP precompilation. Everyone's situation is different, of course, but it is generally much more secure to precompile your JSPs and disable the dynamic compilation of new ones.


justin

At 03:25 PM 10/29/2004, you wrote:
The easiest way to do this would be to create a filter on that directory. The filter would either deny access - or it would get the default servlet via the ServletContext.getNamedDispatcher() and then perform a forwards().

-Tim

Chris Lawder wrote:
Hello,
Can somebody please point me to documentation and examples that describe how to disallow the execution of .jsp or any other scripts/binaries within a single directory of a web application? Part of the web app is being allowed to upload reports which can then be read and downloaded by another. At this time I can upload a .jsp file and it will run in that directory.
I have found much stuff on SecurityManager and syntax within the catalina.policy file but nothing yet that really explains to me what I need to do to accomplish what I described above. My attempts so far at proper catalina.policy syntax have not worked.
This is a pure tomcat environment running Tomcat 4.1.30 at this time.
Other comments regarding the proper use of an upload directory and its security are welcome.

--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]


______________________________________________
Justin Ruthenbeck
Lead Software Engineer, NextEngine Inc.
justinr - AT - nextengine DOT com
Confidential. See:
http://www.nextengine.com/confidentiality.php
______________________________________________
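
The filter approach suggested in the thread, written out as an added example (not code posted by anyone on the list). The class name, the filter name and the /uploads/ path are assumptions; "default" is the name Tomcat's conf/web.xml gives its static-file servlet. The Content-Disposition header is extra hardening that the thread does not mention.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example. Map it in WEB-INF/web.xml to the upload directory only:
//   <filter-mapping>
//     <filter-name>uploadDirFilter</filter-name>       (assumed name)
//     <url-pattern>/uploads/*</url-pattern>            (assumed directory)
//   </filter-mapping>
public class UploadDirFilter implements Filter {

    // Name of Tomcat's static-file servlet as declared in conf/web.xml.
    private static final String DEFAULT_SERVLET = "default";

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        RequestDispatcher staticOnly = context.getNamedDispatcher(DEFAULT_SERVLET);
        if (staticOnly == null) {
            // Fail closed: without the static servlet, deny rather than risk execution.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Extra hardening (assumption): have browsers download uploads, not render them.
        response.setHeader("Content-Disposition", "attachment");
        // chain.doFilter() is deliberately never called, so the *.jsp mapping
        // (the JSP servlet) is bypassed and the file is sent as plain bytes.
        staticOnly.forward(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

Because the filter never continues the chain, an uploaded .jsp under the mapped path is returned as its source text and is never compiled.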

