
Blocking specific folders inside webapps directory

 
Greenhorn
Posts: 2
Hi,
I am using apache-tomcat 5.5. I want to block access to some specific directories inside the webapps folder (e.g. jsp-examples, tomcat-docs, servlets-examples) and not to the ROOT folder, for users other than localhost. I tried adding the configuration below to the context.xml file inside the conf folder, but it's blocking the entire webapps folder. Is there a way of achieving the above?

<!-- The contents of this file will be loaded for each web application -->
<Context allowLinking="true" path="/jsp-examples/">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127.0.0.1" deny=""/>
    <!-- Default set of monitored resources -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
 
Rancher
Posts: 43081
77
Welcome to the Ranch. Several comments, in no particular order:

  • In a production environment, those apps shouldn't be deployed.


  • If they are deployed, what's the harm of people accessing them? That's publicly available material anyway.


  • TC 5.5 is obsolete. You should migrate to TC 7 at your earliest convenience.

    anil sabu
    Greenhorn
    Posts: 2

    The situation is that it's already been deployed and is running on many systems. I need to know what configuration change can block these specific folders without removing or moving them to any other location?
     
    Ulf Dittmer
    Rancher
    Posts: 43081
    77
    It being deployed already addresses the 3rd point I raised; can you address the other two as well? Just so we know what the purpose of this is.

    I tried adding the below configuration to the context.xml file inside the conf folder, but it's blocking the entire webapps folder.


    Yes, that file applies to all web apps. If you want to set that for individual web apps, you need to create context.xml files for each web app (in conf/Catalina/localhost).

    Or you can set up a password via Basic Authentication for those apps.
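
The per-application descriptor described in the reply above, as an added example that is not part of the original thread. It assumes the stock layout (engine Catalina, host localhost, sample app in webapps/jsp-examples); the second file is repeated under the name of each other app to be restricted.

```xml
<!-- File 1: conf/context.xml (global defaults, loaded for every web app).
     The address filter is taken out of here, so ROOT stays reachable. -->
<Context>
  <!-- Default set of monitored resources -->
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

<!-- File 2: conf/Catalina/localhost/jsp-examples.xml (added example).
     The file name without .xml gives the context path, so this valve
     applies to /jsp-examples only. No docBase is set, on the assumption
     that Tomcat resolves it to webapps/jsp-examples. -->
<Context>
  <!-- allow is matched as a regular expression against the client
       address, so the dots are escaped to match literal dots only.
       Requests from any other address are refused for this app. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1"/>
</Context>
```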
     
    Saloon Keeper
    Posts: 27762
    196
    A web server is not a file server. Just because you see directories and files looking in via the filesystem doesn't mean that that's what Tomcat serves up to web clients.

    By default, if you dump a WAR file or exploded WAR directory (what you'd get if you unzipped a WAR) into the TOMCAT_HOME/webapps directory, Tomcat will construct a web application context, and thus define a webapp for each such WAR or directory. This only occurs in the webapps directory itself, and not in any sub-directories. The context path in the URLs for a given webapp would be the same as the WAR name. Furthermore, by default, if you drop in a WAR file Tomcat will automatically explode it into a directory having the same name as the WAR, minus the '.war' extension, and use that as its URL context. One exception exists. For the root context ("/"), you cannot name a file "/.war" or a directory "/", so the directory name used for the "/" context will be ROOT.

    To selectively block access to webapps or parts of webapps, you would have to secure the webapps themselves. That can be done by setting up access rules in the webapp web.xml files and defining a security context in a META-INF/context.xml file or an external context file.

    To completely forbid anyone from using a webapp, simply undeploy it. That is, delete the corresponding WARs from the Tomcat webapps directory.

    There's nothing magic about the sample apps that came with Tomcat other than that they were pre-installed in the Tomcat distribution. You can delete them with impunity.

    And listen to Ulf. Tomcat 8 is at or near production status. Tomcat 6 is still supported, I think, but will not be for long. If you have problems with Tomcat 5.5 or older, you're pretty much going to be stuck helping yourself - or paying someone - because most people no longer remember it and the Tomcat support team doesn't support it any more.

    Software is not forever, nor is the price you pay only paid up front. Eventually, one way or another, you have to pay for ongoing support.
     
    Don't get me started about those stupid light bulbs.
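
The web.xml access rule and Basic Authentication setup mentioned in the replies above, as an added example that is not part of the original thread. Assumptions: the app is tomcat-docs and its web.xml has no login-config yet, the role and realm names are hypothetical, and the stock server.xml realm backed by conf/tomcat-users.xml is in use.

```xml
<!-- webapps/tomcat-docs/WEB-INF/web.xml: fragment placed inside <web-app>.
     Added example; role and realm names are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <!-- No http-method elements, so the rule covers every HTTP method -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>docs-viewer</role-name>
  </auth-constraint>
  <!-- BASIC sends the password base64-encoded, not encrypted.
       CONFIDENTIAL makes the container require HTTPS for these URLs
       (assumes an HTTPS connector is configured). -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat sample apps</realm-name>
</login-config>

<security-role>
  <role-name>docs-viewer</role-name>
</security-role>

<!-- conf/tomcat-users.xml: a user holding that role.
     CHANGE_ME values are placeholders. -->
<tomcat-users>
  <role rolename="docs-viewer"/>
  <user username="CHANGE_ME" password="CHANGE_ME" roles="docs-viewer"/>
</tomcat-users>
```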