On 24/08/17 19:29, James H. H. Lampert wrote:
> I've just discovered that a number of files within our webapp context
> are reachable from outside. Not all of them, but a number that really
> shouldn't be.
> By its nature, the webapp itself has its own access control, based on
> the outside resource it accesses, rather than on, say, tomcat-users.xml.
> What controls browser access to static files in a Tomcat context? Where
> can I learn more about this, and how to restrict it?

Tomcat will prevent access to anything in WEB-INF or META-INF.
Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and
Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.
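
The security constraints mentioned in the reply above are declared in the webapp's WEB-INF/web.xml. The fragment below is an added example, not part of the original message or of Tomcat's own configuration; the /internal/* and *.properties patterns and the resource name are hypothetical stand-ins for whatever files should not be reachable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!--
    Deny every direct client request for the matched URLs.
    An <auth-constraint/> with no <role-name> means "no role is allowed",
    so the container answers 403 regardless of who is asking.
  -->
  <security-constraint>
    <web-resource-collection>
      <!-- Hypothetical name and patterns: replace with the paths to block -->
      <web-resource-name>Files not meant for browsers</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
      <url-pattern>*.properties</url-pattern>
      <!--
        No <http-method> elements on purpose: listing methods here would
        leave every unlisted method (HEAD, PUT, ...) unconstrained.
      -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!--
    Constraints apply to requests coming from clients. Content reached
    through RequestDispatcher forward/include from a servlet or JSP is
    not subject to them, so server-side includes keep working.
  -->
</web-app>
```

After redeploying, request one of the matched paths from outside and confirm the response is 403 rather than the file contents.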

