Default configuration of Tomcat 'admin' application allows jspf source browsing without any authentication. One needs just to use URL http://tomcat_host:8080/admin/users/ .
The JSP servlet is mapped to *.jsp and *.jspx, as the spec requires. As a result, *.jspf will always go to the default servlet, and as a result, they cannot be secured without some kind of security constraint in the web application.
Well Remy, I completely agree with you regarding servlet mapping. I just meant that IMHO some security constraints should be added to the distributed standard config of the 'admin' app. Otherwise inexperienced system admins may trustfully retain security holes in their production systems. My suggestions are:
- consider adding <url-pattern>*.jspf</url-pattern> and <url-pattern>*.xml</url-pattern> to the security constraints (at least);
- consider protection of directories from unauthorized browsing; I tried to use <url-pattern>*/</url-pattern>, but it results in an exception during server startup; so I may suggest using listings=false for the default servlet at least.
Regards, Serge
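As an added illustration (not part of the report or of the Tomcat distribution), this is the WEB-INF/web.xml fragment the two suggestions above amount to; the role name "admin" and the /users/* prefix are assumptions, the prefix taken from the URL in the first comment. A pattern like */ is not a legal url-pattern under the servlet spec (only exact paths, /prefix/*, *.ext and / are allowed), which is why it fails at startup, so a prefix pattern is used for the directory instead.

```xml
<!-- Assumed fragment for the admin application's WEB-INF/web.xml (example only) -->
<web-app>

  <!-- Resources that bypass the JSP servlet and would otherwise be served raw -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin source and descriptor files</web-resource-name>
      <!-- *.jspf fragments go to the default servlet, not the JSP servlet -->
      <url-pattern>*.jspf</url-pattern>
      <!-- *.xml covers descriptor files kept under the document root -->
      <url-pattern>*.xml</url-pattern>
      <!-- "*/" is not a valid pattern; protect the directory with a prefix pattern -->
      <url-pattern>/users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- assumed role name for the admin application -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Per-application override of the default servlet with directory listings off -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

</web-app>
```

The same listings parameter can instead be set on the default servlet definition in conf/web.xml, which then applies to every web application on the server.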
At best this is [very] minor since the tomcat source is already open for anyone to see so letting someone browse it doesn't matter. But I'm going to close this anyways.