Solved

using symlink as virtual directory in Tomcat, can I block directory browsing?

Posted on 2002-07-08
Last Modified: 2013-12-06
I am using a symlink in Tomcat's ROOT directory to create a "virtual directory" without using Apache or another webserver.

So I do the following on Red Hat 7.2:

cd $TOMCAT_HOME/webapps/ROOT
ln -s /repository/assets assets

However, my problem is that a savvy user can enter the following in their browser:  http://myserver.com/assets

and view all the files in this directory.  Is there any way (chmod) with permissions to disable directory browsing?

The other thing I thought we could do would be to change the ROOT application's web.xml to protect these symlink'ed directories.

Thanks,

Matt
Question by:mraible
9 Comments
 

Accepted Solution

by: jlevie earned 100 total points
Anything that you were to do at the file system level to keep folks from browsing a directory is going to keep the web server from accessing the directory. If you don't want users to see the contents of a directory you have to configure the web server to prevent that access. That's easy enough to do with an Apache server, and I'd guess that something similar should be possible with Tomcat.

Author Comment

by:mraible
That's the problem - I'm not using a webserver to create this virtual directory.  Just a symlink.

Expert Comment

by:jlevie
It is entirely possible that I missed it in the Tomcat documentation, but I don't see any way to limit access to a directory unless Tomcat is running under a Web server. There are one or two things in the FAQ about limitations, but they all reference the use of Apache's config directives.

Author Comment

by:mraible
Apache does run a webserver as part of its package - so it will serve up *.html, *.gif, etc. files.

Author Comment

by:mraible
Sorry, I mean Tomcat.

Expert Comment

by:jlevie
Right, I realize that Tomcat can do a number of the things that Apache can do. What seems to be missing in Tomcat is the fine-grained access control that Apache implements. There are two ways to use Tomcat: as a standalone server and running under Apache. The latter method allows for limits to be placed on what clients can see and/or access and is the only way that I saw in the documentation to restrict access.

Expert Comment

by:CleanupPing
mraible:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.

Expert Comment

by:jlevie
The answer is there, though it probably wasn't what mraible wanted.

Expert Comment

by:TheWeakestLink
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept comments from jlevie as answer
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

TheWeakestLink
EE Cleanup Volunteer
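
The web.xml route raised in the question, as an added example that is not part of the original thread: a small audit that reads a web.xml and reports whether Tomcat's DefaultServlet has its `listings` init-param switched off, and which roles a security-constraint demands for a path such as /assets. Both web.xml samples are constructed for illustration, and the role name `assets-reader` is hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Constructed sample web.xml: listings on, nothing guarding /assets.
WEAK = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
# Constructed hardened variant: listings off, /assets/* limited to a hypothetical role.
HARDENED = WEAK.replace("<param-value>true", "<param-value>false").replace(
    "</web-app>", """  <security-constraint>
    <web-resource-collection><web-resource-name>assets</web-resource-name>
      <url-pattern>/assets/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>assets-reader</role-name></auth-constraint>
  </security-constraint>
</web-app>""")

def _parse(web_xml):
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
    return root

def listings_state(web_xml):
    """'disabled' only if the default servlet sets listings=false explicitly."""
    for servlet in _parse(web_xml).findall("servlet"):
        if (servlet.findtext("servlet-class") or "").strip() == DEFAULT_SERVLET:
            for p in servlet.findall("init-param"):
                if (p.findtext("param-name") or "").strip() == "listings":
                    value = (p.findtext("param-value") or "").strip().lower()
                    return "disabled" if value == "false" else "enabled"
    return "unset"  # assumption: the container-wide web.xml then decides

def roles_required(web_xml, path):
    """Union of roles from constraints covering path; None if none applies.
    Simplified: matches exact and '/prefix/*' url-patterns only."""
    roles = None
    for sc in _parse(web_xml).findall("security-constraint"):
        for pat in sc.findall("web-resource-collection/url-pattern"):
            p = (pat.text or "").strip()
            if p == path or (p.endswith("/*") and (path + "/").startswith(p[:-1])):
                auth = sc.find("auth-constraint")
                if auth is not None:
                    roles = (roles or []) + [(r.text or "").strip()
                                             for r in auth.findall("role-name")]
    return roles
```

Turning `listings` off hides the directory index while the files stay reachable by name; the security-constraint also gates the files themselves.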