Tomcat access/security problem  RSS feed

 
Glenn Murray
Ranch Hand
Hi,

I'm a relative Tomcat newbie with the following problem. I have a publicly
accessible servlet which runs some legacy .exe files. The files are in a subdirectory of webapps/<servlet context>/legacy/. The servlet has no trouble finding and executing these files, but to my surprise, anybody with a browser can browse into this subdirectory and download the executables. I want to prevent users from downloading them. What's the best way to do this?

Many thanks,
Glenn
 
Ben Souther
Sheriff
In TOMCAT/conf/web.xml, look for the entry for DefaultServlet.
It has an attribute called "listings". If you set it to false, you will disable directory browsing.

Alternatively (and more portably), you could store those exe files under WEB-INF which can't be accessed directly from a browser (even if you know the filename).

Or, just store them outside of your webapps and use an absolute path to access them from within your servlet code.
 
Glenn Murray
Ranch Hand
Thanks for the timely response, Ben. It seems that good programming practice
would have been to put the legacy directory under WEB-INF/ in the first place, right?

By the way, my poor man's solution was to put index.html files into the directories so the contents wouldn't be read.

Cheers,
Glenn
 
Ben Souther
Sheriff
Unless they were being shipped as part of the webapp, I would have opted to keep them outside of the app's directory structure altogether.

If they were being shipped with the webapp, I would have put them under WEB-INF.
 
Glenn Murray
Ranch Hand
Yes, I was in the latter category. This issue could have been avoided if
I had understood what the WEB-INF directory was for (what does "INF" mean,
anyway?). Section 9.5 of the 2.4 servlet spec says what I needed to
know, but it also says that the contents of WEB-INF/ are web.xml,
classes/, and lib/, so I was leery of putting something else in there.

I suppose the spec is just reflecting what is Java's greatest weakness
in my opinion, which is awkwardness in dealing with legacy issues.

Thanks again,
Glenn
 
Ben Souther
Sheriff
If moving them isn't an option, you could write a filter that screens out any requests for *.exe and returns a 404 status code.
 
Glenn Murray
Ranch Hand
Hi Ben,

I did move my legacy/ directory to WEB-INF/ and everything is peachy.
However, since you mentioned it, I'm curious to know how/where such
a filter would go.

Thanks,
Glenn
 
Bear Bibeault
Author and ninkuma
Marshal
Glenn Murray wrote: so I was leery of putting something else in there.

While the contents of WEB-INF (INF == info) must contain the expected content as described by the spec, there's no issue with putting other stuff in there too.

I routinely create a folder named 'pages' in WEB-INF and that's where I put all my JSPs (none of which should be directly referenced independently of their controllers). Anything else that shouldn't be directly referenced -- your exe files being a good example -- can also be placed there.

To keep things tidy, I never dump anything directly in WEB-INF itself, but always create a descriptive folder for whatever content is being hidden.
 
Bear Bibeault
Author and ninkuma
Marshal
Glenn Murray wrote: I'm curious to know how/where such a filter would go.

You'd write the filter like any other class, put it under WEB-INF/classes (or in a WEB-INF/lib jar), and then declare it and which URL pattern(s) it applies to in the web.xml file.

The filter then gains control when the URL pattern is recognized and you can decide whether to proceed with the request or to take alternative action. In this case, returning the response with an error code of 'forbidden' might be most appropriate.
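The filter Ben suggested earlier (screen out requests for *.exe and send back an error status) and Bear's description of where it lives and how it is declared, written out as an added example. This is not code from the thread or from Tomcat; the package name com.example.legacy, the class name LegacyExeFilter and the "status" init-param are assumptions chosen for the example. It targets the Servlet 2.4 API (javax.servlet) that the thread discusses.

```java
// Added example (not code from the thread): a Servlet 2.4 filter, in a
// hypothetical package, that refuses direct browser requests for the .exe
// files so the legacy directory can stay inside the webapp.
package com.example.legacy;

import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Compiled into WEB-INF/classes and declared in WEB-INF/web.xml. Mapping the
 * filter on the directory rather than on "*.exe" means every request under
 * /legacy/ reaches it, and the extension check below ignores letter case,
 * which a literal url-pattern does not.
 *
 *   <filter>
 *     <filter-name>LegacyExeFilter</filter-name>
 *     <filter-class>com.example.legacy.LegacyExeFilter</filter-class>
 *     <init-param>
 *       <param-name>status</param-name>
 *       <param-value>404</param-value>   <!-- or 403 for "forbidden" -->
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LegacyExeFilter</filter-name>
 *     <url-pattern>/legacy/*</url-pattern>
 *   </filter-mapping>
 */
public class LegacyExeFilter implements Filter {

    /** Status sent for blocked requests: 404 hides that the file exists, 403 admits it. */
    private int status = HttpServletResponse.SC_NOT_FOUND;

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("status");
        if (configured != null) {
            status = Integer.parseInt(configured.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path of the requested resource. When Tomcat's
        // default servlet handles the request, servletPath holds the whole
        // path and pathInfo is null, so the two are joined.
        if (isBlocked(request.getServletPath(), request.getPathInfo())) {
            response.sendError(status);
            return;   // the chain is never called, so the file is never served
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    /** True when the context-relative path names an executable, whatever the letter case. */
    static boolean isBlocked(String servletPath, String pathInfo) {
        String path = (servletPath == null ? "" : servletPath)
                    + (pathInfo == null ? "" : pathInfo);
        return path.toLowerCase(Locale.ROOT).endsWith(".exe");
    }
}
```

After redeploying, a browser request for a path under /legacy/ ending in .exe gets the configured status instead of the file, while the servlet is unaffected: it reaches the executables through the file system (for example via getServletContext().getRealPath()), not through an HTTP request, so the filter never sees those accesses. The filter-mapping applies to client requests only (the Servlet 2.4 default dispatcher is REQUEST), which is the intended scope here.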
 
Glenn Murray
Ranch Hand
Hi Bear,

Thanks for the two responses. It is reassuring to know that experts are
using the WEB-INF/ directory for other stuff. Also, your remark about
the filter led me to investigate whether I could use wild cards for url
patterns in web.xml, and lo, that is the case. Cool.

So that makes four ways to solve my problem. I'm finding that with
Tomcat there is usually "More Than One Way To Do It".

Cheers,
Glenn
 