How to block access to a file from being served by Tomcat?

java linux tomcat

We have a few tomcat servers and we just discovered that some files that we don't want public to have access to those files. To exemplify:

Let say we have a folder /var/www/html/ that we are publishing through tomcat, but we don't want to expose /var/www/html/conf/dbinfo.txt. At this moment people is able to go to www.thissite.com/conf/dbinfo.txt and they are able to see things. I will like to be able to block it so does not shows it but it allows it to be read by tomcat itself.

Any help is appreciated.


Tomcat's file access is controlled by the security constraints section of WEB-INF/web.xml.

You can block conf this way:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
        <description>Description here</description>
        <url-pattern>/conf/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>NOSOUPFORYOU</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>DEFAULT</auth-method>
    <realm-name>NOACCESSFORANYONE</realm-name>
</login-config>
<security-role>
    <role-name>NOSOUPFORYOU</role-name>
</security-role>

If you are using apache to serve static content, this will not work as apache will serve the conf files before tomcat gets the URL. In those cases, you would need to solve this via apache's http config files.


Hello to all the SysAdmin and IT Workers in this post. Thanks for your responses. Many of the replies to my questions were acceptable but this one was best suited for our production environment.

Ok. To block a directory or a file within a virtual host in server.xml you just have to add the following code to the server.xml in the tomcat/conf directory.

Before:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Valapp className="org.apache.catalina.valapps.FastCommonAccessLogValapp"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolappHosts="false" />
  </Host>

After:

  <Host name="www.customer.com" appBase="/usr/share/app4_0b/tomcat/webapps/" autoDeploy="false">
    <Context path="" docBase="./customer" />

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

    <Valapp className="org.apache.catalina.valapps.FastCommonAccessLogValapp"
           directory="weblogs/customer"
           prefix="www_customer_com_"
           suffix=".txt"
           pattern="combined"
           resolappHosts="false" />
  </Host>

So the answer to the question is add the following lines:

    <Context path="/app/xv/~customer/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>
    <Context path="/etc" docBase="" >
      <Valapp className="org.apache.catalina.valapps.RemoteAddrValapp" deny="*" />
    </Context>

Related

Does https include protection from a replay attack?
git vs Subversion - pros and cons [closed]
Truly understanding networking?
What features to you like to see in a help desk product? [closed]
Best way to connect multiple switches together
How do I get transparent, efficient, file system snapshotting or versioning on ext3/4?
Why does FIND on Windows 7 give an "Access Denied" error? [closed]
How to interpret "additional section" in DIG?
Basic Weight Questions with HAProxy
Apache config: Return 404 for single <Location>
Apache rewrite multiple conditions
Is it possible to hardware accelerate LUKS encryption?