On 8/24/17, 11:35 AM, Mark Thomas wrote:
> Tomcat will prevent access to anything in WEB-INF or META-INF.
> Everything else is up to the app to control.
> Note: You can place content in WEB-INF and include it from JSPs and
> Servlets (and it will work) but direct access will not.
> You might want to take a look in the Servlet spec for security constraints.
Thanks. I've just discovered security constraints, along with some
material on StackExchange's ServerFault board demonstrating how to
create them. It's taken a very large load off my back.
So far, I've only scratched the surface of the subject.
Am I correct in understanding that a security constraint in a context's
web.inf only blocks access from outside? That the webapp itself still
has full access to the information?
And that if I give it a role name that hasn't been given to anybody in
tomcat-users.xml, then nobody can get in at all? Can I set up a security
constraint to just unconditionally deny all outside access, without even
offering a sign-on dialog?
--
JHHL
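As a constructed illustration of the two constraint shapes discussed in this thread (added here by the editor; it is not either poster's configuration and not code from the Tomcat project), the fragment below goes in the context's deployment descriptor, WEB-INF/web.xml. The URL patterns /internal/* and /reports/* and the role name reports-reader are invented for the example. The first constraint has an empty <auth-constraint/>, which the Servlet spec defines as "no role may access this"; Tomcat answers such requests with HTTP 403 and does not issue a login challenge, because no authenticated identity could ever satisfy it. The second constraint names a role, so the container must first establish who the caller is: it challenges according to <login-config> and only then returns 403 if the user lacks the role. A role that no user holds in tomcat-users.xml therefore also keeps everyone out, but only after a login prompt. Neither constraint affects server-side includes or forwards (RequestDispatcher, <jsp:include>), which is the behaviour Mark describes for WEB-INF.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example web.xml; paths and the role name are assumptions,
     not taken from the original thread. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. Unconditional deny for direct (network) requests.
          An empty <auth-constraint/> means "no role is permitted", so
          Tomcat returns 403 without prompting for credentials.
          Includes and forwards from the app's own JSPs/servlets are
          not subject to security constraints and still reach these files. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal-only data</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
      <!-- Deliberately no <http-method> elements: listing methods would
           protect only those and leave every other method open. -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 2. Role-gated access, for contrast with (1).
          The container authenticates first (BASIC, from <login-config>)
          and then checks the role. If "reports-reader" is assigned to
          nobody in tomcat-users.xml, every caller is refused, but only
          after a login challenge has been issued. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>reports-reader</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Only constraint (2) triggers this; constraint (1) never does. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>
  </login-config>

  <!-- Declare the role the app refers to; assigning it to users is done
       in the realm (for example tomcat-users.xml), not here. -->
  <security-role>
    <role-name>reports-reader</role-name>
  </security-role>
</web-app>
```

A quick way to confirm the difference after deployment is to request a path under each pattern with a client that does not send credentials: the /internal/* request comes back 403 with no WWW-Authenticate header, while the /reports/* request comes back 401 with a WWW-Authenticate challenge.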