On 8/24/17, 11:35 AM, Mark Thomas wrote:

Tomcat will prevent access to anything in WEB-INF or META-INF.
Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and
Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.

Thanks. I've just discovered security constraints, along with some material on StackExchange's ServerFault board demonstrating how to create them. It's taken a very large load off my back.

So far, I've only scratched the surface of the subject.

Am I correct in understanding that a security constraint in a context's web.inf only blocks access from outside? That the webapp itself still has full access to the information?

And that if I give it a role name that hasn't been given to anybody in tomcat-users.xml, then nobody can get in at all? Can I set up a security constraint to just unconditionally deny all outside access, without even offering a sign-on dialog?


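The deny-all case asked about above can be expressed in the deployment descriptor itself. The following web.xml fragment is an added example, not code from either participant in the thread; the URL pattern /private/* and the display name are assumed for illustration. An empty <auth-constraint/> (no <role-name>) means that no role satisfies the constraint, so the container rejects every client request matching the pattern with 403 without presenting a sign-on dialog, even if a <login-config> is present. Naming a role that no user holds also blocks everyone, but the container still challenges for credentials first when a <login-config> exists, so the empty auth-constraint is the cleaner way to say "nobody from outside".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Added example: unconditionally deny all client access to /private/*.
       The paths and names here are assumptions for illustration. -->
  <security-constraint>
    <display-name>Deny all external access to internal resources</display-name>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name>
      <!-- Pattern is assumed; adjust to the directory you want to hide. -->
      <url-pattern>/private/*</url-pattern>
      <!-- Deliberately no <http-method> elements: listing methods would
           leave every unlisted method unprotected. Omitting them covers all. -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role can satisfy it, so the container
         returns 403 for every matching request and never prompts for login. -->
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Security constraints are applied by the container to requests arriving from clients; they are not applied to a RequestDispatcher forward() or include() performed by the application itself, so a JSP or servlet inside the webapp can still render or include content under /private/* while direct browser requests for it are refused. A quick check after deployment is to request a file under the pattern directly and confirm a 403 with no authentication challenge, then confirm that a page which includes the same file server-side still renders.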