How to block access to a file from being served by Tomcat?

Solution 1

Hello to all the SysAdmin and IT Workers in this post. Thanks for your responses. Many of the replies to my questions were acceptable but this one was best suited for our production environment.

Ok. To block a directory or a file within a virtual host in server.xml you just have to add the following code to the server.xml in the tomcat/conf directory.

Before:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

After:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <!-- Empty contexts mounted on the sensitive paths; the valve denies every client address -->
    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

So the answer to the question is add the following lines:

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

Solution 2

Tomcat's file access is controlled by the security constraints section of WEB-INF/web.xml.

You can block conf this way:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/conf/*</url-pattern>
        <!-- No http-method elements, so the constraint covers every method.
             Listing only GET and POST would leave HEAD, OPTIONS, etc. unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>NOSOUPFORYOU</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <!-- auth-method must be a Servlet-spec value: BASIC, DIGEST, FORM or CLIENT-CERT -->
    <auth-method>BASIC</auth-method>
    <realm-name>NOACCESSFORANYONE</realm-name>
</login-config>
<security-role>
    <role-name>NOSOUPFORYOU</role-name>
</security-role>

If you are using apache to serve static content, this will not work as apache will serve the conf files before tomcat gets the URL. In those cases, you would need to solve this via apache's http config files.
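A small audit script, added here and not part of the original thread, that parses a web.xml and flags two ways a constraint like the one above can deny less than intended: http-method elements that cover only some methods (the others stay unconstrained for the same url-pattern), and an auth-method value the Servlet specification does not define. The sample web.xml embedded in it is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment above; not the original web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
      <url-pattern>/conf/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>NOSOUPFORYOU</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>DEFAULT</auth-method></login-config>
</web-app>"""

# auth-method values defined by the Servlet specification.
VALID_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}


def local(tag):
    """Drop the namespace prefix that a real web.xml usually carries on every tag."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return (kind, detail) findings for constraints that deny less than they appear to."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            patterns = [p.text.strip() for p in children(wrc, "url-pattern")]
            methods = sorted(m.text.strip().upper() for m in children(wrc, "http-method"))
            # Naming methods limits the constraint to them; HEAD, OPTIONS, PUT, ... stay open.
            for pat in (patterns if methods else []):
                findings.append(("partial-method-coverage", f"{pat} constrained only for {','.join(methods)}"))
    for lc in (e for e in root.iter() if local(e.tag) == "login-config"):
        for am in children(lc, "auth-method"):
            value = am.text.strip()
            if value.upper() not in VALID_AUTH_METHODS:
                findings.append(("invalid-auth-method", f"auth-method {value} is not a Servlet-spec value"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{kind}: {detail}")
```

Run it against a deployed application's WEB-INF/web.xml to confirm a deny rule really covers every method before relying on it.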

Solution 3

Why not store it outside your web directory structure? We never put anything under /var/www/html/ that we wouldn't want a user to discover.

Solution 4

Normally configuration information (like database connection information, ...) is stored in files under the WEB-INF folder of the WAR file deployed to Tomcat. Files under WEB-INF are not accessible to clients.

Solution 5

Word of advice: after you fix the permissions, change all the passwords, and make SURE that there isn't a Google cache of it.

Author: bassen

Updated on September 17, 2022

Comments

  • bassen
    bassen over 1 year

    We have a few tomcat servers and we just discovered some files that we don't want the public to have access to. To exemplify:

    Let's say we have a folder /var/www/html/ that we are publishing through tomcat, but we don't want to expose /var/www/html/conf/dbinfo.txt. At this moment people are able to go to www.thissite.com/conf/dbinfo.txt and see things. I would like to be able to block it so that it is not shown, but it still allows it to be read by tomcat itself.

    Any help is appreciated.

  • bassen
    bassen almost 15 years
    Thanks! It is fixed now. I just want to know if there is a better fix for it out there. If I don't get replies, I will post the fix. Thanks again.