Baran Topal wrote:
Hi;

Thanks for your interest. Yes, I realized the context idea once I read the
documentation. I must admit the hierarchy is weird but it's a custom
installer of a site that installs on Windows machine. There is no Tomcat
manager console in place (at least I didn't see/enable).

The hierarchy is as this:

<programnameunderCdriveProgramFiles>/tomcat/webapps/ROOT/WEB-INF and under
WEB-INF there is a jsp folder which contains the admin JSP pages that
I want to filter out for a particular IP.

I think there is no concern about making the change in server.xml because there
will be absolutely one web application under this Tomcat. So the change
can be application-wide, I guess.

For just testing, with the valve given above, I can filter out index.jsp
which is in the path
<programnameunderCdriveProgramFiles>/tomcat/webapps/ROOT/ and I can filter
that particular file successfully, but I fail to filter the
<programnameunderCdriveProgramFiles>/tomcat/webapps/ROOT/WEB-INF/jsp/admin
folder.

Thanks for your help.

Regards.

Baran, you are either not listening, or not understanding what Christopher - who is one of the Tomcat experts on this list - is trying to tell you:

The design of Tomcat is such that, for any normally-configured Tomcat, a client (any client) should not normally be able to obtain *anything* that is located below the /WEB-INF/ directory of an application. If your clients can access these files, then it means that you have found a way to misconfigure Tomcat so badly that you are bypassing one of its built-in security features. (And if so, you should file it as a bug.)

The /WEB-INF/ sub-directory is a special place that serves to store configuration files, compiled Java classes and jars, which the clients should /never/ be able to obtain.
It is not meant to contain any JSPs or HTML pages of an application.


2014-09-25 14:52 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:


Baran,

On 9/24/14 5:04 PM, Baran Topal wrote:
> Hi, the following works under server.xml
>
> <Context path="/index.jsp" reloadable="true">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          deny="127\.0\.0\.1"/>
> </Context>

Yes, it will work, but declaring a <Context> in server.xml is a Bad
Idea. It's better to use a META-INF/context.xml file, or, even better,
a file in CATALINA_BASE/conf/[engine]/[host]/[webapp].xml

> But, I need to hide my admin directory containing admin.jsp pages
> (more than 1 jsp page)

The above configuration will deny all users from localhost (but only
using IPv4) for all URL patterns matching your /index.jsp context (why
in the world would you have a context path /index.jsp?).

Something tells me you are seriously misconfiguring this server.

> My admin directory is in WEB-INF and WEB-INF is in the same level
> with /index.jsp but simply, not working when I ref. the context as
> /WEB-INF/admin

No remote client should be able to directly access anything in
/WEB-INF/ unless you have really done some damage to your server.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
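To make Chris's caveat about the quoted valve concrete ("will deny all users from localhost (but only using IPv4)"), here is an added example that is not part of the thread and not Tomcat's code: a Python simulation of the allow/deny decision that Tomcat's RemoteAddrValve (a RequestFilterValve) makes for a single request. Tomcat compiles the `allow` and `deny` attributes as java.util.regex.Pattern and tests the client address with Matcher.matches(), so the whole address must match the pattern; `re.fullmatch` is the Python equivalent. The admin workstation address 192.168.1.10 and the list of client addresses are constructed for the example.

```python
import re
from typing import Optional

# Added example (not Tomcat code): a simulation of the decision made by
# org.apache.catalina.valves.RemoteAddrValve for one request. The decision
# order below is the one documented for the valve:
#   1. deny set and matches the address    -> request denied
#   2. allow set and matches the address   -> request allowed
#   3. deny set, allow not set             -> request allowed
#   4. anything else                       -> request denied
# Tomcat uses Matcher.matches() (whole-string match); re.fullmatch is the
# Python equivalent, so "192\.168\.1\.10" does not match 192.168.1.100.

def remote_addr_valve(allow: Optional[str], deny: Optional[str], client_ip: str) -> bool:
    """True if the valve lets the request through, False if it rejects it."""
    if deny is not None and re.fullmatch(deny, client_ip):
        return False
    if allow is not None and re.fullmatch(allow, client_ip):
        return True
    if deny is not None and allow is None:
        return True
    return False

# The configuration quoted in the thread: a deny list with one IPv4 address.
THREAD_DENY = r"127\.0\.0\.1"

# An allow list instead, covering the admin host plus both loopback forms.
# 192.168.1.10 is an assumed admin workstation address, not from the thread.
ADMIN_ALLOW = r"192\.168\.1\.10|127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"

# Constructed sample of client addresses as Tomcat would see them in
# request.getRemoteAddr(); the IPv6 loopback appears in both textual forms
# because the JVM may report either one.
SAMPLE_CLIENTS = [
    "127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "127.0.0.2",
    "192.168.1.10", "192.168.1.100", "203.0.113.7",
]

def decisions(allow: Optional[str], deny: Optional[str]) -> dict:
    """Map each sample client address to the valve's allow (True) / deny (False) decision."""
    return {ip: remote_addr_valve(allow, deny, ip) for ip in SAMPLE_CLIENTS}

if __name__ == "__main__":
    print("deny-list from the thread (deny=\"127\\.0\\.0\\.1\"):")
    for ip, ok in decisions(None, THREAD_DENY).items():
        print(f"  {ip:18} {'allowed' if ok else 'denied'}")
    print("allow-list for the admin host:")
    for ip, ok in decisions(ADMIN_ALLOW, None).items():
        print(f"  {ip:18} {'allowed' if ok else 'denied'}")
```

Running it shows that the thread's deny list rejects only 127.0.0.1 and lets ::1, 127.0.0.2 and every remote host through, whereas the allow list rejects everything except the listed addresses. Two further points a practitioner should keep in mind, independent of this example: a Valve declared on a Context applies to every URL in that web application, which is why the quoted valve catches /index.jsp but cannot be aimed at one directory; and the address it tests is that of the TCP peer, so behind a reverse proxy it sees the proxy's address unless Tomcat is configured (for example with RemoteIpValve) to trust the forwarded client address.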