How to block access to a file from being served by Tomcat?

Solution 1:

Tomcat's file access is controlled by the security constraints section of WEB-INF/web.xml.

You can block conf this way:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/conf/*</url-pattern>
        <!-- No <http-method> is listed, so the constraint covers every HTTP
             method. Naming only GET and POST would leave all other verbs
             unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>NOSOUPFORYOU</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <!-- auth-method must be one of BASIC, DIGEST, FORM or CLIENT-CERT;
         the realm-name is only the text shown in the browser prompt. -->
    <auth-method>BASIC</auth-method>
    <realm-name>NOACCESSFORANYONE</realm-name>
</login-config>
<security-role>
    <!-- Declared here but never granted to any user in the realm,
         so no login can ever satisfy the auth-constraint. -->
    <role-name>NOSOUPFORYOU</role-name>
</security-role>

If you are using Apache to serve static content, this will not work as Apache will serve the conf files before Tomcat gets the URL. In those cases, you would need to solve this via Apache's http config files.
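A quick check for the two mistakes that silently weaken this kind of constraint: a `<security-constraint>` that lists `<http-method>` elements protects only those verbs, and a constraint with no `<auth-constraint>` restricts nothing. The script below is an added example, not part of the answer; it parses a constructed web.xml modelled on the one above and reports each constraint's coverage.

```python
"""Audit web.xml security-constraints for gaps that leave files reachable.
Added example (not from the answer above). SAMPLE_WEB_XML is constructed:
one constraint limited to GET/POST, one covering every method and denying all."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>conf</web-resource-name>
      <url-pattern>/conf/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>NOSOUPFORYOU</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>etc</web-resource-name>
      <url-pattern>/etc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def audit_constraints(web_xml):
    """One finding dict per <security-constraint>; {*} ignores the namespace (Python 3.8+)."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.findall(".//{*}security-constraint"):
        verbs = [m.text.strip().upper() for m in sc.findall(".//{*}http-method")]
        auth = sc.find("{*}auth-constraint")
        roles = [] if auth is None else [r.text.strip() for r in auth.findall("{*}role-name")]
        findings.append({
            "patterns": [p.text.strip() for p in sc.findall(".//{*}url-pattern")],
            "verbs": verbs,
            # Listing methods leaves every unlisted verb unconstrained.
            "verb_gap": bool(verbs),
            # Empty <auth-constraint/> is satisfiable by no role (true deny-all);
            # a missing <auth-constraint> element restricts nothing at all.
            "deny_all": auth is not None and not roles,
            "roles": roles,
        })
    return findings

if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML):
        gap = f" WARNING: only {','.join(f['verbs'])} constrained" if f["verb_gap"] else ""
        print(f"{f['patterns']}: {'deny-all' if f['deny_all'] else f['roles']}{gap}")
```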

Solution 2:

Hello to all the sysadmins and IT workers in this post. Thanks for your responses. Many of the replies to my question were acceptable, but this one was best suited for our production environment.

Ok. To block a directory or a file within a virtual host in server.xml, you just have to add the following code to the server.xml in the tomcat/conf directory.

Before:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

After:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <!-- Empty contexts mapped over the sensitive paths shadow the real files;
         the deny attribute is a regular expression matched against the client
         address, so ".*" rejects every client. -->
    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
    </Context>

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

So the answer to the question is add the following lines:

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny=".*" />
    </Context>

Solution 3:

Why not store it outside your web directory structure? We never put anything under /var/www/html/ that we wouldn't want a user to discover.


Solution 4:

Word of advice: after you fix the permissions, change all the passwords, and make SURE that there isn't a Google cache of it.


Solution 5:

Normally configuration information (like database connection information, ...) is stored in files under the WEB-INF folder of the WAR file deployed to Tomcat. Files under WEB-INF are not accessible to clients.

Tags:

Linux

Java

Tomcat