Thomas A.

Reputation: 11

Are there any directory permission settings in Tomcat to prevent jsp running?

For instance, here is the directory structure (and the Tomcat appBase is /home/user/webapps/):

/home/user/webapps/index.jsp
/home/user/webapps/file/
/home/user/webapps/upload/

Is it possible to block Tomcat from running jsps in file/- and upload/-?

For example, files have been uploaded to /file/ directory:

http://mysite.com/file/test.jsp (not OK, jsp won't be executed)
http://mysite.com/file/test.png (OK)

I have checked and tried the catalina.policy and WEB-INF/web.xml security-constraint, but in vain.

I have blocked the illegal file types in my upload servlet, but I have this question in mind as someone may upload jsp files by other means (like FTP).

Thank you very much in advance.

Upvotes: 1

Views: 1407

Answers (1)

Prasad Kharkar

Reputation: 13566

Looking at the path you have provided, it seems that you are putting a JSP file directly under the webapps directory, where a web application is expected.

Isn't your JSP file part of the application?

If you want all the JSP files to be restricted so that they cannot be accessed from the browser directly with the URL, then you can put all JSPs and whatever else you want to protect in the WEB-INF folder. The resources placed in WEB-INF cannot be accessed directly.

If you want to apply a security-constraint, you can also protect your resources based on URL pattern. You will find good information here: http://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

Upvotes: 1
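
One way to do what the question asks, as an added example that is not part of the original question or answer: a servlet filter mapped to the two upload directories that returns 404 for any .jsp or .jspx request, since a web.xml url-pattern cannot combine a directory prefix with an extension (/file/*.jsp is treated as an exact path, not a wildcard). The class name is hypothetical, and the code assumes file/ and upload/ sit inside one web application using the javax.servlet API with Servlet 3.0+ annotations (Tomcat 7 to 9; use jakarta.servlet on Tomcat 10+).

```java
// Added example: hypothetical filter, not code from the original thread.
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Prefix mappings cover everything below the two upload directories.
// The default dispatcher type is REQUEST, so only direct client requests are checked.
@WebFilter(urlPatterns = {"/file/*", "/upload/*"})
public class NoJspInUploadDirsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is the path the container used to pick the servlet.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // Compare case-insensitively so test.JSP is rejected as well.
        String lower = path.toLowerCase(Locale.ROOT);
        if (lower.endsWith(".jsp") || lower.endsWith(".jspx")) {
            // Refuse before the JSP servlet can compile and run the file.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response); // e.g. /file/test.png is served as usual
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```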
