Changeset 26517 for main/trunk/greenstone3/web/WEB-INF/web.xml

Timestamp:

2012-11-23T20:19:42+13:00 (11 years ago)

Author:

ak19

Message:

Not allowing browser access to the contents of folder usersDB

File:

• main/trunk/greenstone3/web/WEB-INF/web.xml (modified) (1 diff)

main/trunk/greenstone3/web/WEB-INF/web.xml

@@ -409 +409 @@
   </mime-mapping>
 
+<!-- Deny access to contents of URL pattern /usersDB/*
+It appears the url pattern has to be relative to the web directory (a url-pattern of /usersDB/* is insufficient), so this may need to be done for all sites.
+http://stackoverflow.com/questions/5333266/tomcat-deny-access-to-specific-files
+and http://www.coderanch.com/t/84442/Tomcat/write-correct-url-pattern-security -->
+  <security-constraint>
+    <web-resource-collection>
+        <web-resource-name>usersDB files</web-resource-name>
+        <description>No direct access to usersDB files.</description>
+        <url-pattern>/sites/localsite/etc/usersDB/*</url-pattern>
+    <!--<url-pattern>/usersDB/*</url-pattern>-->
+        <http-method>POST</http-method>
+        <http-method>GET</http-method>
+    </web-resource-collection>
+    <auth-constraint>
+        <description>No direct browser access to usersDB files.</description>
+        <role-name>NobodyHasThisRole</role-name>
+    </auth-constraint>
+  </security-constraint>
+
 </web-app>