• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 168
  • Last Modified:

Blocking the listing of files in browser.

Hi,

I am using an Apache-Tomcat setup. How do I prevent the listing of files in the browser? For example if I type, http://localhost/projectname/jsp/ in the browser, it should not list the files and directories under the same. How do I go about that?

Thanks,
Brijesh.
0
brijeshkumar
Asked:
brijeshkumar
  • 4
  • 2
  • 2
  • +1
1 Solution
 
brijeshkumarAuthor Commented:
This problem occurs in both Windows and Linux.

I tried the following 2 options

1)
Under 'Static Interceptor' attribute settings, adding the following attribute: suppress="true" in server.xml

2) Changing
          <init-param>
               <param-name>listings</param-name>
               <param-value>true</param-value>
          </init-param>

to
          <init-param>
               <param-name>listings</param-name>
               <param-value>false</param-value>
          </init-param>


in web.xml

0
 
ahoffmannCommented:
you need to change your httpd.conf (in /etc/httpd usualy):

IndexOptions StandardIndexing
0
 
ZookCommented:
A very simple solution is to set in http.conf eg.

DirectoryIndex index.html /index.html

Whenever no local index page (index.html) is found the global one "/index.html" will be shown, thus preventing the generic directory listing.

Of course you can also use a line like this one:
DirectoryIndex index.var index.shtml index.html welcome.htm /noaccess.html

Names will be tried left to right.

cu
Zook
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
brijeshkumarAuthor Commented:
Hi Zook,

I tried that option. In fact before you replied I had got that option from my friend. But its a workaround  - a crude way of doing it. It works for sure! But if that user knows the file name then he can request it directly. i.e.
http://localhost/projectname/jsp/filename.jsp/html .

Thanks!
Brijesh.

Hi ahoffman,

Your suggestion gave a error "Invalid directory indexing option".

Thanks for your suggestion.
Brijesh.
0
 
ZookCommented:
Brijesh,

I am afraid I don't understand your problem then.
It's the idea behind a web site to get the URLs that you request, isn't it? So of course, if you know the exact URL you get the file ...!?

What exactly do you want to achive? What do you want to protect/hide from whom?

cu
Zook
0
 
brijeshkumarAuthor Commented:
Hi Zook,

It's like this. I am trying to block the directory listing without giving a blank index.html or index.jsp. Something that can be done by making changes in the configuration files. Is that possible?

Regards,
Brijesh.
0
 
ahoffmannCommented:
just comment out the IndexOptions line.
(NOTE: this option may be in each <Directory> context.
0
 
blackcCommented:
in your configuration file, find the line contained in <Directory 'whateverthedocumentrootis'>
</Directory>
that has:
Options ...
in it.  then just remove the word "Indexes" from it.  it will then provide a 404 error, document not found page when no page is specified and no index exists.  hope it helps!
0
 
brijeshkumarAuthor Commented:
blackc,

I tried that. It didn't work.

Regards,
Brijesh.
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now