How to block access to a file from being served by Tomcat?

We have a few Tomcat servers, and we just discovered that some files that we don't want the public to have access to are exposed. To exemplify:

Let's say we have a folder /var/www/html/ that we are publishing through Tomcat, but we don't want to expose /var/www/html/conf/dbinfo.txt. At this moment people are able to go to www.thissite.com/conf/dbinfo.txt and see things. I would like to be able to block it so it is not shown, but it still allows it to be read by Tomcat itself.

Any help is appreciated.


Tomcat's file access is controlled by the security constraints section of WEB-INF/web.xml.

You can block conf this way:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/conf/*</url-pattern>
        <!-- No <http-method> elements: listing only GET and POST would leave
             HEAD, OPTIONS, PUT, etc. unconstrained for this pattern. -->
    </web-resource-collection>
    <auth-constraint>
        <!-- A role that is never granted to any user, so every request is refused. -->
        <role-name>NOSOUPFORYOU</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <!-- auth-method must be BASIC, DIGEST, FORM or CLIENT-CERT; "DEFAULT" is not valid. -->
    <auth-method>BASIC</auth-method>
    <realm-name>NOACCESSFORANYONE</realm-name>
</login-config>
<security-role>
    <role-name>NOSOUPFORYOU</role-name>
</security-role>

If you are using Apache to serve static content, this will not work, as Apache will serve the conf files before Tomcat gets the URL. In those cases, you would need to solve this via Apache's httpd config files.
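As an added check, not part of the answer above, this Python script parses a web.xml, lists which url-patterns carry an access restriction, and flags a constraint that lists only some http-methods (for example GET and POST), since the remaining methods are then left uncovered. The sample web.xml embedded in it is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's constraint; a real web.xml
# usually carries xmlns="http://java.sun.com/xml/ns/javaee", which is handled.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/conf/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>NOSOUPFORYOU</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/WEB-INF/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop any XML namespace so tag matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def audit_constraints(xml_text):
    """One dict per url-pattern: constrained methods ([] = all methods), the
    roles allowed ([] with an auth-constraint present = nobody) and a finding."""
    results = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        roles = [(r.text or "").strip() for r in _children(auth[0], "role-name")] if auth else []
        for wrc in _children(sc, "web-resource-collection"):
            methods = [(m.text or "").strip().upper() for m in _children(wrc, "http-method")]
            for p in _children(wrc, "url-pattern"):
                finding = None
                if not auth:
                    finding = "no auth-constraint: pattern is not access-restricted"
                elif methods:
                    # Only listed methods are constrained; the rest are "uncovered"
                    # unless the web.xml also sets <deny-uncovered-http-methods/>.
                    finding = "only %s constrained; other methods stay open" % ",".join(methods)
                results.append({"pattern": (p.text or "").strip(), "methods": methods, "roles": roles,
                                "deny_all": bool(auth) and not roles, "finding": finding})
    return results
```

Run it against the deployed WEB-INF/web.xml (`audit_constraints(open(path).read())`) after editing, and treat any non-empty finding on the path you meant to block as a gap.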


Hello to all the SysAdmin and IT Workers in this post. Thanks for your responses. Many of the replies to my questions were acceptable but this one was best suited for our production environment.

Ok. To block a directory or a file within a virtual host in server.xml, you just have to add the following code to the server.xml in the tomcat/conf directory.

Before:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

After:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <!-- Empty contexts whose RemoteAddrValve denies every client address,
         so requests for these paths are refused before reaching any file. -->
    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>

    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolveHosts="false" />
  </Host>

So the answer to the question is add the following lines:

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="*" />
    </Context>