Howto prevent WEB-INF from being browsable

[fo0]

hello, i have setup apache w/ tomcat. though i am able to browse the
WEB-INF directory. how can i set this up to be forbidden to normal
access?

 

[Sudsy]

hello, i have setup apache w/ tomcat. though i am able to browse the
WEB-INF directory. how can i set this up to be forbidden to normal
access?

Use a .htaccess file. And check for Directory tags in your httpd.conf
file.

 

[Tor Iver Wilhelmsen]

hello, i have setup apache w/ tomcat. though i am able to browse the
WEB-INF directory. how can i set this up to be forbidden to normal
access?

The Tomcat web-app area should NOT be anywhere under the Apache's web
content area. Use a different directory tree and set up the Apache +
Tomcat integration as per the docs (mod_jk and all that).

 

[hiwa]

hello, i have setup apache w/ tomcat. though i am able to browse the
WEB-INF directory. how can i set this up to be forbidden to normal
access?

For WEB-INF access, Tomcat 5.0.x gives 404 status code while Resin Web
Server gives 403. Resin's behavior is correct.

I suspect that your WEB-INF is in the Apache document root and
unprotected in the Apache conf.

 

[Oscar kind]

The Tomcat web-app area should NOT be anywhere under the Apache's web
content area. Use a different directory tree and set up the Apache +
Tomcat integration as per the docs (mod_jk and all that).

And when you have set it up in this manner, the WEB-INF folder will not be
browsable, visible nor accessible.