> -----Original Message-----
> From: Marc Mendez [mailto:mendez@;lug.com]
> Sent: Tuesday, November 05, 2002 12:13 PM
> To: Tomcat Users List
> Subject: Re: Standalone Tomcat : suppress directory listing in web.xml
>
> > Stick a file called "index.html" in the directory where you want listings
> > suppressed.
>
> It may work. But imagine the following directory structure
>
> Dir A contains Dir B, which contains Dir C
> put a file index.htm in "Dir A"
> Ok, but, if a "malicious" user knows the structure, he can easily access to
> Dir B, by giving the full path ! Even more, if he knows the name of a file,
> he can download it !

I think you are fixating on this issue a little too much. If someone knows the directory structure, and the name of the file, they can download it regardless of whether a directory is listed or not. I don't see how preventing a directory listing from showing up will get around this. If the user is "malicious", what does downloading a file get them? The only thing they can do is potentially a DoS attack by requesting the file over and over.

My point is that you should be handling this scenario in other ways, not by worrying about a directory listing. If the content is protected content, then use the security features and functions already built-in to Java and Tomcat (and Apache if necessary) to protect the content. If the content is unprotected, then what's the point? They can get to it eventually, so what difference does it make? Think about it.

John