tomcat uri disabling and restricting access to classes folder on server  RSS feed

 
Greenhorn
Posts: 25
Dear All,
I have two questions:
1. I want to disable any user from navigating through the application by specifying a URI.
   For example, my app is http://myapp; now I need to restrict any user from navigating manually to any URI under the application, such as http://myapp/print.

2. I am installing the application on a server that is accessible by other people. I need to hide my classes on the server from being read/altered. Is there any method?

Thanks!
 
Bartender
Posts: 20766
1. You cannot literally stop someone from typing in any URL they want into their browser, but you can very definitely control what they get back when they do. The easiest and most secure way to do that is to use the Container-Managed security system that's defined as part of the J2EE and JEE standards. This system allows you to assign security roles to users and to map which URLs are allowed access from which roles. So, for example, if I wanted to access http://superwebapp/app/supervisor/delete_account.jsp, but it required an "admin" or "manager" role and I wasn't assigned either of those roles, then the standard response would be a page with "HTTP 403 Forbidden" on it instead of the delete_account page.

If you mean "browse URLs like a filesystem": web servers are not file servers, so they don't do that anyway. The closest you would get would be if the webapp resource path were mapped to an index-display function, and that's no problem to fix.

You might want to read this: https://www.owasp.org/index.php/Securing_tomcat

2. If your server runs Microsoft Windows, then security is sort of hit and miss, since at any given time one and only one user "owns" the server and access to resources is set by the system administrator. On Unix-like systems like MacOS and Linux, which are true multi-user systems, you can keep people from seeing anything inside of Tomcat, including Tomcat itself, simply by giving Tomcat its own private userid and security group. If you do that, then only people authorized to log in or change their user ids to the Tomcat ID can access those files via the filesystem, and since webapp classes have to be located within the WAR's WEB-INF/classes directory, they can't use HTTP to see them either (since Tomcat will never serve up the WEB-INF folder or directories/files under it). At that point the only way someone could snoop would be if they had root privileges, and not even then if you set up sufficiently nasty SELinux controls.
 