I've been playing with the address bar in the browser, typing the direct path to .xhtml web pages for our study project.
It happened a few times that instead of rendering the page, the browser asked me whether I wanted to download the page as a file, and I downloaded it!
How can I prevent that in Tomcat? It exposes a small part of the server-side code.
I think it is not a big deal at all in our case, but the question is a matter of principle and I don't want to neglect it.
Is there some restriction in Tomcat's configuration .xml files?
// Tomcat 7 standalone
If you don't think the browser is suspect (I've seen IE do this a lot in earlier versions), then you need to start looking at the responses -- particularly the response headers -- that aren't acting correctly and see what the differences are.
It was IE7 that did the job. And I think it is over-privileged to do that.
By the same token, why not try to dump some file from the Java beans?
I will look at the headers, but then what? Introduce some restriction rules somewhere in the Tomcat configuration files?
I thought it was a standard issue; I still cannot sit calmly and read Tomcat's documentation (or something more about browser-server communication over HTTP).
I'm not sure why you think that this is a Tomcat configuration issue. If it works sometimes and doesn't work at others, it's clearly not a config issue. After all, there's no setting in Tomcat that says "work correctly" that you can set to true or false.
The most likely reason is a difference in the response to the browser, or the browser being flaky.
Browsers have bugs. I'm not saying that that is definitely the case here, but it's a possibility. If you return the correct response from the server (which we have not established yet) and the browser gets it wrong because of bugs, there's not much that can be done.
But, I suspect that the most likely cause is response content or header problems.
I agree that it doesn't sound like a browser problem. If the server is supposed to process a file (instead of sending its raw contents), then the problem is at the server side. This would be like Tomcat sending the JSP file to the browser instead of processing it first and sending the output.
posted 7 years ago
I'm following a basic system architecture and security course. There are no high prerequisites apart from basic programming skills and web knowledge.
The study project is a web application; the suggested tools are Java, Tomcat and JSF.
The teaching team does not give us much more info than to explore some common attacks and how to prevent them by design; otherwise the scope is really huge and advanced. We are following the course textbooks.
So now I don't know if I need to dive a bit into the HTTP protocol (a good thing anyway) or whether it is purely about server settings.
I couldn't easily find a step-by-step explanation of what happens in HTTP when you get the download box in a browser.
Still, if I simply try to go to some server directories I get an error page, 'access restricted'. So there are some restrictions set somewhere.
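The direct-access case the thread circles around, as an added example that is not part of any post above. One plausible cause, assumed here rather than established in the thread: the Faces Servlet is mapped to a prefix such as /faces/*, so a request for /page.xhtml never reaches JSF. Tomcat's DefaultServlet then serves the file as a static resource with the Content-Type from Tomcat's default mime mapping, application/xhtml+xml, which IE 7 does not render and therefore offers as a download, raw Facelets source included. The web.xml below shows that weak mapping beside two corrections: map the Faces Servlet to *.xhtml so every view URL is processed, and deny direct access to a hypothetical /templates/ directory holding Facelets includes. The servlet name, the directory and the schema version are assumptions for the example, not the poster's configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's web.xml. Assumes a JSF 2.x
     application with Facelets (.xhtml) views deployed on Tomcat 7. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Weak mapping (kept commented out for comparison): only /faces/* goes
       through JSF. A request typed as /page.xhtml falls through to Tomcat's
       DefaultServlet, which sends the raw Facelets source as a static file
       with Content-Type application/xhtml+xml. A browser that does not render
       that type (IE 7 among them) offers it as a download instead. -->
  <!--
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- Fix 1: map the Faces Servlet to *.xhtml so every .xhtml URL, however it
       is typed, is processed by JSF and the rendered output is returned. -->
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>

  <!-- Fix 2 (defence in depth): forbid direct requests for template and
       include files that are only ever meant to be composed into a view.
       /templates/ is an assumed directory name. An empty auth-constraint
       means no role is allowed, so Tomcat answers 403 for every caller,
       authenticated or not. -->
  <security-constraint>
    <display-name>Block raw Facelets templates</display-name>
    <web-resource-collection>
      <web-resource-name>Facelets templates</web-resource-name>
      <url-pattern>/templates/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

To check the result, request a view with headers shown, e.g. `curl -i http://localhost:8080/app/page.xhtml` (host and context path assumed): after the change the body should be the rendered HTML, not the Facelets source, and `curl -i http://localhost:8080/app/templates/layout.xhtml` should return 403. If the project keeps a *.jsf or /faces/* mapping instead, the same security-constraint can carry `<url-pattern>*.xhtml</url-pattern>` to stop the source being served; do not combine that pattern with a *.xhtml Faces Servlet mapping, because constraints are evaluated against the request URL before the servlet is chosen and would block every view.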