Home / server / Questions / 28337
Accepted
Geo
Asked: 2009-06-19 12:29:39 +0800 CST

How to block access to a file from being served by Tomcat?

  • 772

We have a few tomcat servers and we just discovered that some files that we don't want public to have access to those files. To exemplify:

Let say we have a folder /var/www/html/ that we are publishing through tomcat, but we don't want to expose /var/www/html/conf/dbinfo.txt. At this moment people is able to go to www.thissite.com/conf/dbinfo.txt and they are able to see things. I will like to be able to block it so does not shows it but it allows it to be read by tomcat itself.

Any help is appreciated.

tomcat java linux

7 Answers

  1. Tomcat's file access is controlled by the security constraints section of WEB-INF/web.xml.

    You can block conf this way:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/conf/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>NOSOUPFORYOU</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>DEFAULT</auth-method>
    <realm-name>NOACCESSFORANYONE</realm-name>
</login-config>
<security-role>
    <role-name>NOSOUPFORYOU</role-name>
</security-role>

    If you are using apache to serve static content, this will not work as apache will serve the conf files before tomcat gets the URL. In those cases, you would need to solve this via apache's http config files.

    • 5
  2. Best Answer

    Hello to all the SysAdmin and IT Workers in this post. Thanks for your responses. Many of the replies to my questions were acceptable but this one was best suited for our production environment.

    Ok. To block a directory or a file within a virtual host in server.xml you just have to add the following code to the server.xml in the tomcat/conf directory.

    Before:

      <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Valapp className="org.apache.catalina.valapps.FastCommonAccessLogValapp"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolappHosts="false" />
  </Host>

    After:

      <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

    <Valapp className="org.apache.catalina.valapps.FastCommonAccessLogValapp"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolappHosts="false" />
  </Host>

    So the answer to the question is add the following lines:

        <Context path="/app/xv/~customer/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
    • 5

  3. Why not store it outside your web directory structure? We never put anything under /var/www/html/ that we wouldn't want a user to discover.

    • 4

  4. Normally configuration information (like database connection information, ...) is stored in files under the WEB-INF folder of the WAR file deployed to Tomcat. Files under WEB-INF are not accessible to clients.

    • 3

  5. Word of advice. After you fix the permissions. Change all the passwords, and make SURE that there isn't a google cache of it.

    • 2

  6. Having the same issue, but I can't see how the accepted answer can really work. The valve invoked here applies to the ENTIRE webapp. Not part of it. So I'm assuming that in this case once it can't recognize the context as representing a webapp, it's simply ignoring the directive and throwing some comments in the log file.

    • 0

  7. You can block the directory in public access through server.xml file

    Add this lines to that server.xml file

        <Context path="/opt/tomcat7/webapps/examples" docBase="" >
    <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

    <Context path="/examples" docBase="" >
    <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

    then access that http://localhost:8080/examples then it show as a 404 page error,ie) means blocked

    • 0