When deploying web applications on Apache Tomcat, developers often need to store configuration files or sensitive data within the web application directory structure. A common problem occurs when these files become publicly accessible through direct URL requests, potentially exposing critical information like database credentials (dbinfo.txt in your case).
Here are three effective approaches to secure your sensitive files:
1. Using WEB-INF Directory
The most straightforward method is moving sensitive files to the WEB-INF directory:
<Context path="" docBase="/var/www/html">
    <Resources allowLinking="true" />
</Context>
Place your dbinfo.txt in WEB-INF/conf/ where it's accessible to your application but not directly through HTTP requests.
2. Configuring web.xml Security Constraints
Add security constraints in your web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Files</web-resource-name>
        <url-pattern>/conf/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
3. Tomcat Context Configuration
Modify your context.xml to exclude specific paths:
<Context>
    <Parameter name="denyPaths" value="/conf/dbinfo.txt" override="false"/>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           deny=".*" allow="127\.0\.0\.1"/>
</Context>
For maximum security, implement a layered approach:
<!-- In server.xml -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           deny=".*" allow="127\.0\.0\.1|192\.168\.1\.\d+" />
</Host>

<!-- In your application's web.xml -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/conf/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
After implementing these changes, verify your configuration:
curl -I http://yourserver.com/conf/dbinfo.txt
# Should return 403 or 404

# For local access testing:
curl --interface lo http://localhost:8080/conf/dbinfo.txt
# Should be accessible only from localhost
- Regularly audit your Tomcat file permissions
- Implement proper file system permissions (chmod 600 for sensitive files)
- Consider using environment variables for sensitive data instead of files
- Monitor access logs for unauthorized attempts
When deploying web applications with Apache Tomcat, you might need to store configuration files or sensitive data within your web application directory. However, these files should not be accessible to the public while still being readable by your application.
A common scenario is having a file like /var/www/html/conf/dbinfo.txt that contains database credentials. While Tomcat needs to read this file, you don't want users to access it directly via www.yoursite.com/conf/dbinfo.txt.
The most straightforward method is to configure security constraints in your web.xml:
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Files</web-resource-name>
            <url-pattern>/conf/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>
This configuration will block all access to files in the /conf/ directory unless the user has the "admin" role.
A more secure approach is to store sensitive files outside the web application directory:
// Path outside the web root, so no URL maps to it
String dbConfigPath = "/etc/yourapp/dbinfo.txt";
// Then read the file using standard Java I/O methods (java.nio.file)
String dbConfig = java.nio.file.Files.readString(java.nio.file.Path.of(dbConfigPath));
This completely removes the possibility of web access while maintaining functionality.
You can configure your context to deny access to specific patterns:
<Context>
    <!-- Note: deny=".*" with no allow attribute rejects every client address for this context -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           deny=".*" />
    <!-- Mounts the on-disk conf directory under /WEB-INF/conf, which Tomcat never serves directly -->
    <Resources className="org.apache.catalina.webresources.StandardRoot">
        <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                      base="/var/www/html/conf"
                      webAppMount="/WEB-INF/conf" />
    </Resources>
</Context>
- Always store sensitive files outside the web root when possible
- Use proper file permissions (chmod 600 for sensitive files)
- Consider encrypting sensitive configuration data
- Regularly audit your file permissions and web.xml configurations
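As an added example (not code from either answer above), this is the application-side counterpart to the two placements both answers recommend: reading dbinfo.txt from WEB-INF/conf through the servlet container, or from a path outside the web root such as /etc/yourapp/dbinfo.txt. It assumes dbinfo.txt is in java.util.Properties key=value format and uses the javax.servlet API (Tomcat 9 and earlier; Tomcat 10+ moved it to jakarta.servlet).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import javax.servlet.ServletContext;

/** Loads database settings from dbinfo.txt without the file ever being URL-addressable. */
public final class DbConfigLoader {

    private DbConfigLoader() {
    }

    /**
     * Reads /WEB-INF/conf/dbinfo.txt through the container. Paths under WEB-INF are
     * resolved relative to the web app root (e.g. /var/www/html/WEB-INF/conf/dbinfo.txt)
     * but Tomcat never serves them in response to an HTTP request.
     */
    public static Properties fromWebInf(ServletContext ctx) throws IOException {
        Properties props = new Properties();
        try (InputStream in = ctx.getResourceAsStream("/WEB-INF/conf/dbinfo.txt")) {
            if (in == null) {
                // Fail closed: a missing file should not silently yield empty credentials
                throw new IOException("dbinfo.txt not found under /WEB-INF/conf");
            }
            props.load(in);
        }
        return props;
    }

    /**
     * Reads the file from a location outside the document root (e.g. /etc/yourapp/dbinfo.txt).
     * The path comes from deployment configuration, never from request input.
     */
    public static Properties fromExternalPath(Path path) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        return props;
    }
}
```

Pair either loader with chmod 600 on the file and a Tomcat process user that can read it, as both answers advise; the loader only controls how the app reads the file, not who can read it on disk.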