I believe your PathCheck is the expected approach. It is mentioned in the documentation:
http://tomcat.apache.org/connectors-doc-archive/jk2/jk/neshowto.html

I can't say how up to date this document is, however.

Note that in Tomcat 3.3.x, its auto-generated object.conf file included:

#######################################################
# Protecting the WEB-INF and META-INF directories.
#######################################################
PathCheck fn="deny-existence" path="*/WEB-INF"
PathCheck fn="deny-existence" path="*/WEB-INF/*"
PathCheck fn="deny-existence" path="*/META-INF"
PathCheck fn="deny-existence" path="*/META-INF/*"

For more details about what was generated in Tomcat 3.3.x, see:
http://svn.apache.org/repos/asf/tomcat/container/branches/tc3.3.x/src/share/org/apache/tomcat/modules/config/NSConfig.java

HTH,
Larry

> -----Original Message-----
> From: Greg Wetmore [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 11, 2006 10:52 AM
> To: dev@tomcat.apache.org
> Subject: Access WEB-INF through the JK NSAPI connector
>
> I am looking at:
> http://svn.apache.org/repos/asf/tomcat/connectors/tags/jk1.2.x/JK_1_2_16/jk/native/netscape/jk_nsapi_plugin.c
>
> I do not see any code blocks specifically checking for and
> rejecting requests to WEB-INF/* or META-INF/*.
>
> This seems different in design from the Apache or IIS filters
> - for example:
> Apache 2.0 - mod_jk.c:2575
> IIS - jk_isapi_plugin.c:869
>
> Does this represent a security flaw or a bug?
>
> In the meantime I have configured iplanet to reject requests
> to WEB-INF:
> PathCheck fn="deny-existence" path="*/WEB-INF/*"
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
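The thread's point is that a front-end web server (here iPlanet via the JK NSAPI plugin) must refuse requests for `WEB-INF` and `META-INF` itself, because the connector does not. The following is an added example, not code from the thread, from Tomcat or from the JK connectors: a small Python reference check, written from a defender's point of view, that expresses the same rule as the four `PathCheck fn="deny-existence"` lines but applied after percent-decoding and dot-segment normalisation, so a reviewer can test which request paths a correctly configured filter should reject. The function names, the double decoding step and the case-insensitive comparison are my own assumptions about a conservative filter, not a description of how `deny-existence` or `mod_jk` actually match paths.

```python
import posixpath
from urllib.parse import unquote

# Directories that must never be served directly from a web application root.
# These are the two names protected by the obj.conf snippet quoted in the thread.
PROTECTED_DIRS = frozenset({"web-inf", "meta-inf"})


def normalize_request_path(raw_path: str) -> str:
    """Decode and canonicalise a request path before applying any deny rule.

    Percent-decoding is applied twice so that a double-encoded segment
    (e.g. %2557EB-INF -> %57EB-INF -> WEB-INF) is still recognised, and
    backslashes are folded to forward slashes because some servers treat
    them as path separators. posixpath.normpath then collapses '.', '..'
    and duplicate slashes. Assumption: this is the canonical form the
    front-end server compares against; it is not the NSAPI implementation.
    """
    path = unquote(unquote(raw_path))
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected_path(raw_path: str) -> bool:
    """Return True when the request targets WEB-INF or META-INF, or anything
    beneath them, regardless of letter case, encoding or dot segments.

    Checking every path segment covers both obj.conf patterns at once:
    '*/WEB-INF' (the directory itself) and '*/WEB-INF/*' (its contents).
    Only an exact segment match counts, so a sibling such as 'WEB-INFO'
    is not denied.
    """
    normalized = normalize_request_path(raw_path)
    segments = [seg for seg in normalized.split("/") if seg]
    return any(seg.lower() in PROTECTED_DIRS for seg in segments)


def audit_requests(paths):
    """Classify a list of request paths; returns {path: 'deny' | 'allow'}.

    Intended for a deployment check: feed it the paths you expect a
    hardened server to block and confirm every one comes back 'deny'.
    """
    return {p: ("deny" if is_protected_path(p) else "allow") for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    sample = [
        "/app/index.jsp",
        "/app/WEB-INF/web.xml",
        "/app/web-inf/classes/Foo.class",
        "/app/static/../WEB-INF/web.xml",
        "/app/%57EB-INF/web.xml",
        "/app/META-INF/MANIFEST.MF",
        "/app/WEB-INFO/readme.txt",
    ]
    for path, verdict in audit_requests(sample).items():
        print(f"{verdict:5s} {path}")
```

Run against a real deployment, the `sample` list would be replaced by the paths from a request log or a list of URLs to probe, and any `allow` verdict on a `WEB-INF` or `META-INF` path points at a missing or too-narrow `PathCheck` rule (for example only `*/WEB-INF/*` without `*/WEB-INF`, which leaves a request for the bare directory uncovered).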