Jason,

On 6/7/2009 7:17 PM, Jason Joseph wrote:
>
> Rainer Jung wrote:
>> Be careful to secure access to WEB-INF and META-INF.
> Yup, I've got this in there, one for META-INF too...
>
> <Location "/WebApp_ID/WEB-INF/">
> deny from all
> </Location>

I highly recommend using <Directory> instead of <Location>: this will CYA even if there's another URI that maps to the same place.

<Directory "/path/to/your/webapp/META-INF">
  Order deny,allow
  Deny from all
</Directory>

<Directory "/path/to/your/webapp/WEB-INF">
  Order deny,allow
  Deny from all
</Directory>

If you use JSPs, it might not be a bad idea to:

<Directory "/path/to/your/webapp/">
  Order allow,deny
  Allow from all
  Options -Indexes
  DirectoryIndex index.html
  <FilesMatch "\.jsp.*">
    Order deny,allow
    Deny from all
  </FilesMatch>
</Directory>

This will prevent remote clients reading your JSP source in case you are using a case-insensitive filesystem or you have your server misconfigured in some way.

-chris
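To make the <Directory>-versus-<Location> point from the reply concrete, here is a small Python model added to this note (not Apache's code and not posted in the thread). It resolves a request URI to a filesystem path, with an assumed second Alias prefix pointing at the same webapp, and shows that a URI-based <Location> deny misses the aliased URI while the path-based <Directory> and <FilesMatch> rules still deny it; "/path/to/your/webapp" and "/alias/" are placeholders.

```python
import os
import re

# Simplified model of the httpd decisions discussed in the reply: <Location>
# compares the request URI, <Directory>/<FilesMatch> compare the filesystem
# path the URI resolves to. Only httpd's own static-file serving is modelled.
WEBAPP = "/path/to/your/webapp"  # placeholder path from the reply

# Two URI prefixes that map to the same directory; "/alias/" is an assumed
# extra Alias, standing in for "another URI that maps to the same place".
URI_MAP = {"/WebApp_ID/": WEBAPP + "/", "/alias/": WEBAPP + "/"}

# Jason's approach: deny by URI prefix (a META-INF twin assumed alongside).
LOCATION_DENIES = ["/WebApp_ID/WEB-INF/", "/WebApp_ID/META-INF/"]

# Chris's approach: deny by resolved directory, plus the JSP FilesMatch.
DIRECTORY_DENIES = [WEBAPP + "/WEB-INF", WEBAPP + "/META-INF"]
FILESMATCH_DENY = re.compile(r"\.jsp.*")


def resolve(uri):
    """Map a request URI to the canonical path httpd would open, or None."""
    for prefix, root in URI_MAP.items():
        if uri.startswith(prefix):
            return os.path.normpath(root + uri[len(prefix):])
    return None


def location_decision(uri):
    """<Location> rules look only at the URI string."""
    return "deny" if any(uri.startswith(p) for p in LOCATION_DENIES) else "allow"


def directory_decision(uri):
    """<Directory> and <FilesMatch> rules look at the resolved path."""
    path = resolve(uri)
    if path is None:
        return "allow"  # not served from this webapp at all
    for denied_dir in DIRECTORY_DENIES:
        if path == denied_dir or path.startswith(denied_dir + "/"):
            return "deny"
    if FILESMATCH_DENY.search(os.path.basename(path)):
        return "deny"  # JSP source would otherwise be served as a static file
    return "allow"
```

The aliased request "/alias/WEB-INF/web.xml" is the case that separates the two approaches: the URI never starts with "/WebApp_ID/WEB-INF/", but it resolves into the denied directory.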