tomcat uri disabling and restricting access to classes folder on server

Dear All,
I have two questions:
1. I want to prevent any user from navigating through the application by specifying a URI.
   For example, my app is http://myapp; now I need to restrict any user from manually navigating to any URI under the application, such as http://myapp/print.

2. I am installing the application on a server that is accessible by other people. I need to hide my classes on the server from being read/altered. Is there any method?

1. You cannot literally stop someone from typing in any URL they want into their browser, but you can very definitely control what they get back when they do. The easiest and most secure way to do that is to use the Container-Managed security system that's defined as part of the J2EE and JEE standards. This system allows you to assign security roles to users and to map which URLs are allowed access from which roles. So, for example, if I wanted to access http://superwebapp/app/supervisor/delete_account.jsp, but it required an "admin" or "manager" role and I wasn't assigned either of those roles, then the standard response would be a page with "HTTP 403 Forbidden" on it instead of the delete_account page.

If you mean "browse URLs like a filesystem", web servers are not file servers, so they don't do that anyway. The closest you would get would be if the webapp resource path was mapped to an index-display function, and that's no problem to fix.

You might want to read this: https://www.owasp.org/index.php/Securing_tomcat

2. If your server runs Microsoft Windows, then security is sort of hit and miss, since at any given time one and only one user "owns" the server and access to resources is set by the system administrator. On Unix-like systems like MacOS and Linux, which are true multi-user systems, you can keep people from seeing anything inside of Tomcat, including Tomcat itself, simply by giving Tomcat its own private userid and security group. If you do that, then only people authorized to log in or change their user ids to be the Tomcat ID can access those files via the filesystem, and since webapp classes have to be located within the webapp's WAR WEB-INF/classes directory, they can't use HTTP to see them either (since Tomcat will never serve up the WEB-INF folder or directories/files under it). At that point the only way someone could snoop would be if they had root privileges, and not even then if you set up sufficiently nasty SELinux controls.
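Both halves of the answer above, as an added example that is not from the thread or from the Tomcat project: a constructed webapp layout whose web.xml maps /print/* to a "manager" role (so the container answers 403 to anyone without that role), followed by a permission pass and a check for the filesystem side. The app name (demo-app), the role name, the file paths and the 750/640 modes are assumptions made for the demo; handing the tree to a dedicated Tomcat account with chown is the root-only step the script deliberately leaves out.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Builds a throwaway
# webapp tree, writes a web.xml that uses container-managed security to guard
# /print/*, then tightens filesystem permissions and verifies that nothing
# under the tree is readable or writable by "other".
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
APP="$WORK/webapps/demo-app"          # constructed app name
mkdir -p "$APP/WEB-INF/classes/com/example" "$APP/print"
printf 'compiled bytecode placeholder\n' > "$APP/WEB-INF/classes/com/example/Print.class"
printf '<html>print page</html>\n' > "$APP/print/index.jsp"

# Constructed web.xml: /print/* is reachable only by users holding the
# "manager" role; the container itself returns HTTP 403 to everyone else.
# Classes under WEB-INF are never served over HTTP regardless of this block.
cat > "$APP/WEB-INF/web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Print pages</web-resource-name>
      <url-pattern>/print/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
EOF

# harden_tree DIR: directories 750, files 640, so only the owning account
# (the dedicated tomcat user in a real deployment) and its group can read.
# "chown -R tomcat:tomcat DIR" is the extra, root-only step not run here.
harden_tree() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# count_world_readable DIR: prints how many entries under DIR are readable
# or writable by "other"; 0 means the tree is private to owner and group.
count_world_readable() {
    find "$1" \( -perm -o+r -o -perm -o+w \) | wc -l | tr -d ' '
}

# protected_paths WEB_XML: lists the url-patterns inside security-constraints
# so a reviewer can see which URIs the container will guard by role.
protected_paths() {
    sed -n 's/.*<url-pattern>\(.*\)<\/url-pattern>.*/\1/p' "$1"
}

harden_tree "$WORK"
echo "world-readable entries after hardening: $(count_world_readable "$WORK")"
echo "role-protected URL patterns: $(protected_paths "$APP/WEB-INF/web.xml")"
```

Run it as the account that will own the deployment; the two echoed lines should report 0 world-readable entries and the single guarded pattern. In a real deployment the user and group exist already, so the sequence is chown to the Tomcat account, then the same chmod pass, then a rerun of count_world_readable as a quick audit.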