webapp root not secure

Benjamin Hundley
Ranch Hand

Joined: Mar 06, 2006
Posts: 53
Can someone point me in the right direction here? I recently registered with a hosting site and they are using Tomcat.

I use their Tomcat Web Application Manager to deploy the war file for my website and it puts the war file in this folder called "public_html" and then unpacks it. It then leaves the war file in that directory.

Everything is fine except for the fact that it seems that everything in that public_html directory is accessible, including my war file! Anyone that knows the name of my war file can just type in the URL and download the war file to my entire application.

How do I prevent this? Does it have anything to do with the web.xml and server.xml files in the conf directory?
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

I'd say it has more to do with the way your hosting company has Apache Web Server and Tomcat configured.

By default, Tomcat unpacks the war file in a sibling directory to the actual war (example: MyApp.war and the directory MyApp would both be under tomcat/webapps).

You might also want to check and see if files under the WEB-INF directory are accessible to the web.

Your best bet would be to inform your hosting company of this and see if they're willing to work out a solution. If not, find a better one.


I'm going to move this to our Apache / Tomcat forum because this is not really a servlet issue.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
Do you have access to the Tomcat Manager (which is usually found at /manager/html/list)? It allows you to deploy war files directly, without putting them in a public directory first. But hosting companies probably disable it.

Not really a solution, but the web app should run without problems if you remove the war file after a successful deployment.


Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Ulf Dittmer:

Not really a solution, but the web app should run without problems if you remove the war file after a successful deployment.


Not always.
In some cases (like if the app was deployed by dropping the war file in webapps) removing the war file will cause Tomcat to undeploy the app (removing the app's directory in the process).

Test this before trying with a production setup.
Benjamin Hundley
Ranch Hand

Joined: Mar 06, 2006
Posts: 53
I ended up changing the server.xml file to say that the root was webapps instead of public_html and I created a webapps folder in tomcat's directory. This fixed it. But thanks for your responses!
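
An added example (not from the thread, and not Tomcat's own code): a Python check that reads server.xml, resolves each Host appBase, and reports WAR files and WEB-INF / META-INF directories that sit inside the web server's document root, which is the situation described in this thread. The function names and the sample directory layout are constructed for illustration, and the check assumes the front-end web server serves everything under the document root as static files.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def exposed_artifacts(server_xml, catalina_base, docroot):
    """Return paths under any <Host appBase> that also lie inside the web
    server's document root and should never be served as static files."""
    docroot = os.path.realpath(docroot)
    findings = []
    for host in ET.parse(server_xml).getroot().iter("Host"):
        # Tomcat resolves a relative appBase against CATALINA_BASE.
        app_base = os.path.realpath(
            os.path.join(catalina_base, host.get("appBase", "webapps")))
        if os.path.commonpath([app_base, docroot]) != docroot:
            continue  # appBase is outside the docroot: not served directly
        for root, dirs, files in os.walk(app_base):
            for d in list(dirs):
                if d in ("WEB-INF", "META-INF"):
                    findings.append(os.path.join(root, d))
                    dirs.remove(d)  # one finding per directory, do not descend
            findings += [os.path.join(root, f)
                         for f in files if f.lower().endswith(".war")]
    return sorted(findings)

def build_sample(app_base_name):
    """Constructed layout: a CATALINA_BASE whose docroot is public_html."""
    base = tempfile.mkdtemp()
    for d in ("conf", "public_html",
              os.path.join(app_base_name, "MyApp", "WEB-INF")):
        os.makedirs(os.path.join(base, d), exist_ok=True)
    open(os.path.join(base, app_base_name, "MyApp.war"), "wb").close()
    open(os.path.join(base, app_base_name, "MyApp", "WEB-INF", "web.xml"), "w").close()
    server_xml = os.path.join(base, "conf", "server.xml")
    with open(server_xml, "w") as fh:
        fh.write('<Server><Service name="Catalina">'
                 '<Engine name="Catalina" defaultHost="localhost">'
                 f'<Host name="localhost" appBase="{app_base_name}"/>'
                 '</Engine></Service></Server>')
    return base, server_xml, os.path.join(base, "public_html")

if __name__ == "__main__":
    for name in ("public_html", "webapps"):  # before and after the change
        base, sx, docroot = build_sample(name)
        print(name, "->", exposed_artifacts(sx, base, docroot))
```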