For your webapp, in httpd.conf, you'll want:

# Deny direct access to WEB-INF and META-INF
#
<Location "/myApp/WEB-INF/*">
    AllowOverride None
    deny from all
</Location>
<Location "/myApp/META-INF/*">
    AllowOverride None
    deny from all
</Location>

And for the manager on that virtual host:

# Deny direct access to WEB-INF and META-INF
#
<Location "/manager/WEB-INF/*">
    AllowOverride None
    deny from all
</Location>
<Location "/manager/META-INF/*">
    AllowOverride None
    deny from all
</Location>

John

> -----Original Message-----
> From: Anderson, M. Paul [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 20, 2002 9:05 AM
> To: 'Tomcat Users List'
> Subject: Apache/Tomcat Security
>
>
> I am preparing to launch my first web site utilizing an Apache/Tomcat
> configuration. The server will host a single web site, at least for now
> that uses servlets and jsp with a database backend. I have set up the
> Apache and Tomcat as discussed in the documentation with much help from
> people on this list. Now my question concerns whether or not I need to do
> anything in Apache or Tomcat to protect my site beyond what Apache and
> Tomcat are already set up to do. How secure can I truly expect my site to
> be using Apache and Tomcat as is?
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
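
An added example, not part of the original message: a small Python check that every webapp context in an httpd.conf has the WEB-INF and META-INF deny blocks shown in the reply above. The function names and the sample config are constructed for illustration, and the check only recognises literal <Location> paths written in the form used above.

```python
import re

# Constructed sample: /myApp is fully covered, but the manager's
# META-INF block has its deny line commented out.
SAMPLE_CONF = """\
<Location "/myApp/WEB-INF/*">
    AllowOverride None
    deny from all
</Location>
<Location "/myApp/META-INF/*">
    AllowOverride None
    deny from all
</Location>
<Location "/manager/WEB-INF/*">
    AllowOverride None
    deny from all
</Location>
<Location "/manager/META-INF/*">
    AllowOverride None
    # deny from all
</Location>
"""

# A <Location> block that starts a line (so commented-out blocks are skipped).
LOCATION_RE = re.compile(
    r'^[ \t]*<Location\s+"?([^">\s]+)"?\s*>(.*?)^[ \t]*</Location>',
    re.IGNORECASE | re.DOTALL | re.MULTILINE)
# An active (not commented-out) "deny from all" line.
DENY_RE = re.compile(r'^[ \t]*deny\s+from\s+all\s*$', re.IGNORECASE | re.MULTILINE)

def denied_locations(conf_text):
    """Return the <Location> paths whose block contains an active 'deny from all'."""
    return {path for path, body in LOCATION_RE.findall(conf_text) if DENY_RE.search(body)}

def missing_denies(conf_text, contexts):
    """List the WEB-INF/META-INF locations that have no deny block, per context."""
    denied = denied_locations(conf_text)
    missing = []
    for ctx in contexts:
        for private_dir in ("WEB-INF", "META-INF"):
            wanted = "%s/%s/*" % (ctx.rstrip("/"), private_dir)
            if wanted not in denied:
                missing.append(wanted)
    return missing

if __name__ == "__main__":
    for path in missing_denies(SAMPLE_CONF, ["/myApp", "/manager"]):
        print("no 'deny from all' for", path)
```

Run it against the real httpd.conf text with the list of contexts deployed on that virtual host; an empty result means each context has both blocks.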