
webapp root not secure

 
Benjamin Hundley
Ranch Hand
Posts: 54
Can someone point me in the right direction here? I recently registered with a Hosting site and they are using Tomcat.

I use their Tomcat Web Application Manager to deploy the war file for my website and it puts the war file in this folder called "public_html" and then unpacks it. It then leaves the war file in that directory.

Everything is fine except for the fact that it seems that everything in that public_html directory is accessible, including my war file! Anyone that knows the name of my war file can just type in the URL and download the war file to my entire application.

How do I prevent this? Does it have anything to do with the web.xml and server.xml files in the conf directory?
 
Ben Souther
Sheriff
Posts: 13411
I'd say it has more to do with the way your hosting company has Apache Web Server and Tomcat configured.

By default, Tomcat unpacks the war file in a sibling directory to the actual war (example: MyApp.war and the directory MyApp would both be under tomcat/webapps).

You might also want to check and see if files under the WEB-INF directory are accessible to the web.

Your best bet would be to inform your hosting company of this and see if they're willing to work out a solution. If not, find a better one.


I'm going to move this to our Apache / Tomcat forum because this is not really a servlet issue.
 
Ulf Dittmer
Rancher
Pie
Posts: 42966
73
Do you have access to the Tomcat Manager (which is usually found at /manager/html/list)? It allows you to deploy war files directly, without putting them in a public directory first. But hosting companies probably disable it.

Not really a solution, but the web app should run without problems if you remove the war file after a successful deployment.
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Ulf Dittmer:

Not really a solution, but the web app should run without problems if you remove the war file after a successful deployment.


Not always.
In some cases (like if the app was deployed by dropping the war file in webapps) removing the war file will cause Tomcat to undeploy the app (removing the app's directory in the process).

Test this before trying with a production setup.
 
Benjamin Hundley
Ranch Hand
Posts: 54
I ended up changing the server.xml file to say that the root was webapps instead of public_html and I created a webapps folder in tomcat's directory. This fixed it. But thanks for your responses!
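
An added example, not part of the thread and not code from any poster: a check for the two exposures discussed above, the WAR left downloadable in the web root and files under WEB-INF reachable over HTTP. It assumes you pass your own site's base URL and archive name; `MyApp.war` is the placeholder name used earlier in the thread, and the function names are hypothetical.

```python
import sys
import urllib.error
import urllib.request


def exposure_paths(war_name):
    """Paths that a correctly configured server must never hand to a client."""
    app = war_name.rsplit(".", 1)[0]
    return [
        f"/{war_name}",                  # archive left beside the unpacked app
        f"/{app}/WEB-INF/web.xml",       # deployment descriptor of the unpacked app
        f"/{app}/META-INF/MANIFEST.MF",  # archive metadata
        "/WEB-INF/web.xml",              # app unpacked directly into the site root
    ]


def probe(base_url, path, timeout=5):
    """Return the HTTP status for base_url + path, or None if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 403/404 here is the desired outcome
    except (urllib.error.URLError, OSError):
        return None


def find_exposed(base_url, war_name):
    """Return the sensitive paths that the server actually serves (HTTP 200)."""
    return [p for p in exposure_paths(war_name) if probe(base_url, p) == 200]


if __name__ == "__main__":
    # Usage: python check_exposure.py https://your-site.example MyApp.war
    exposed = find_exposed(sys.argv[1], sys.argv[2])
    for path in exposed:
        print("EXPOSED:", path)
    sys.exit(1 if exposed else 0)
```

Run it before and after a configuration change such as the server.xml edit described in the last post; a non-zero exit means at least one path is still served. A server that answers every URL with a 200 error page will produce false positives, so confirm any hit by hand.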
 