No. You'd need to extend the default servlet then detect when a dir listing will be displayed, then use programmatic authorization.

-Tim

Eduardo Andrés Alfonso Sierra wrote:

Hi

I'm trying to stop Tomcat from listing the contents of directories. I've
tried securing it and it works, but it has the BIG problem that you must
secure every directory separately.

Is there any possibility to secure the directory listings of every
directory in an application?

Thanks in advance.



I'm doing this:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>LISTINGS</web-resource-name>
                <url-pattern>/dir1/</url-pattern>
                <url-pattern>/dir1/dir11/</url-pattern>
                <url-pattern>/dir1/dir12/</url-pattern>
                <url-pattern>/dir1/dir11/dir111/</url-pattern>
                <url-pattern>/dir2/</url-pattern>
                <url-pattern>/dir2/dir21/</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
                <role-name>manager</role-name>
        </auth-constraint>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

It works, but I MUST add a url-pattern tag FOR EVERY directory in my
application if I'm to avoid all directory listings in my context.

I've tried patterns like /*/, /**/, /*/*/*/*/, */ and similar ones
and nothing worked.

Is it possible to easily avoid all the directory listings?

Thanks again.

Eduardo

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
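
The approach described in the reply at the top (extend the default servlet, detect a directory request, authorize programmatically), as an added example that is not part of the original thread. The class name `ListingGuardServlet` is hypothetical, the `manager` role is taken from the posted web.xml, and the `javax.servlet` imports assume Tomcat 9 or earlier (use `jakarta.servlet` on Tomcat 10+).

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.servlets.DefaultServlet;

// Hypothetical subclass of Tomcat's DefaultServlet (added example).
public class ListingGuardServlet extends DefaultServlet {
    private static final long serialVersionUID = 1L;
    // Role name reused from the security-constraint posted in the thread.
    private static final String REQUIRED_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // One programmatic check covers every directory in the context,
        // so no per-directory url-pattern is needed.
        if (isDirectoryRequest(request) && !request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Regular files and authorized listings keep the stock behaviour.
        super.doGet(request, response);
    }

    private boolean isDirectoryRequest(HttpServletRequest request) {
        // Path relative to the context root, as the default servlet sees it.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String real = getServletContext().getRealPath(path);
        if (real == null) {
            // No filesystem view (for example an unexpanded WAR): fail closed
            // for anything that looks like a directory URL.
            return path.endsWith("/");
        }
        return new File(real).isDirectory();
    }
}
```

To take effect, the class has to be registered in web.xml in place of the stock default servlet and mapped to `/`. `isUserInRole` returns false for unauthenticated users, so without a separate login constraint they receive a 403 rather than a login challenge.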


