tomcat uri disabling and restricting access to classes folder on server

Dear All,
I have two questions:
1. I want to prevent any user from navigating through the application by specifying a URI.
   For example, my app is http://myapp; now I need to restrict any user from manually navigating to any URI under the application, such as http://myapp/print.

2. I am installing the application on a server that is accessible by other people; I need to hide my classes on the server from being read/altered. Is there any method?

1. You cannot literally stop someone from typing in any URL they want into their browser, but you can very definitely control what they get back when they do. The easiest and most secure way to do that is to use the Container-Managed security system that's defined as part of the J2EE and JEE standards. This system allows you to assign security roles to users and to map which URLs are allowed access from which roles. So, for example, if I wanted to access http://superwebapp/app/supervisor/delete_account.jsp, but it required an "admin" or "manager" role and I wasn't assigned either of those roles, then the standard response would be a page with "HTTP 403 Forbidden" on it instead of the delete_account page.

If you mean "browse URLs like a filesystem": web servers are not file servers, so they don't do that anyway. The closest you would get would be if the webapp resource path was mapped to an index-display function, and that's no problem to fix.

You might want to read this:

2. If your server runs Microsoft Windows, then security is sort of hit and miss, since at any given time one and only one user "owns" the server and access to resources is set by the system administrator. On Unix-like systems like MacOS and Linux, which are true multi-user systems, you can keep people from seeing anything inside of Tomcat, including Tomcat itself, simply by giving Tomcat its own private userid and security group. If you do that, then only people authorized to log in as, or change their user ids to, the Tomcat ID can access those files via the filesystem, and since webapp classes have to be located within the webapp's WAR WEB-INF/classes directory, they can't use HTTP to see them either (since Tomcat will never serve up the WEB-INF folder or directories/files under it).

At that point the only way someone could snoop would be if they had root privileges, and not even then if you set up sufficiently nasty SELinux controls.