How do I prevent users from accessing my war files?
Author: Deron Eriksson
Description: This tutorial describes how to prevent users from accessing your war files on an Apache web server.
Tutorial created using: Windows XP || Apache HTTP Server 2.2.4

You should check your server configuration to be sure that people cannot download your war files. A downloadable war file gives anyone access to your compiled code, your application's resources, and possibly sensitive settings such as database passwords. Therefore, it's important to ensure that your war files are protected.

At home, I normally run Tomcat by itself without Apache. By default, my current Tomcat (5.5.20) does not allow access to my war files. If I deployed a war file called 'hamburger.war' to the '/hamburger' context using the Tomcat manager, the application would be accessible at http://localhost:8080/hamburger, but I would not be able to access the war file through Tomcat at http://localhost:8080/hamburger.war.

When working with the Apache Web Server in front of Tomcat, you should double-check to be sure that the Apache Web Server hasn't opened up a security hole by allowing users to access and download your war files. In the example above, if you have Apache in front of Tomcat, you should check that http://localhost:80/hamburger.war (or its equivalent path and file name) can't be downloaded by end users via their browsers.

If it turns out that your war files can be downloaded through Apache, you can fix this problem in a couple of ways. One way is to add an entry to your Apache httpd.conf file. Another way is to add an entry to an .htaccess file in the directory containing your war files. The httpd.conf method is better in terms of performance, but .htaccess files also have certain benefits, such as the ability to control access to files when you don't have access to the httpd.conf file.

To prevent users from accessing all war files, we can enter the following directive into the httpd.conf file (or into an .htaccess file in the directory containing the war files):

# Deny every request for a file whose name ends in .war (Apache 2.2 access-control syntax)
<FilesMatch "\.war$">
    Order allow,deny
    Deny from all
</FilesMatch>

Now, let's look at an example. Suppose we have a directory with a war file that is accessible via Apache, such as the following directory:

Directory listing for 'test' directory

Next, I'll add the directive to deny access to war files to my Apache httpd.conf file:

# Deny every request for a file whose name ends in .war
<FilesMatch "\.war$">
    Order allow,deny
    Deny from all
</FilesMatch>

After that, I'll restart Apache.

Restarting Apache

If I refresh the browser, the war file actually disappears from the directory listing in my version of Apache on XP. It may still be visible in the directory listing in your version of Apache, although it can't be accessed.

Directory listing for 'test' directory - war file not visible

If I try hitting the war file directly by name in the browser, I receive a 403 Forbidden error message, since the war file can't be accessed.

403 Forbidden error when trying to access the war file directly
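Besides testing a single URL in the browser, you can confirm from the Apache access log whether any war file was ever actually served (status 2xx) rather than refused (403). The script below is an added example, not part of the original tutorial; the log lines it reads are constructed here in Apache's combined log format, and the match on ".war" is deliberately case-insensitive because Windows file names are.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not real server output).
SAMPLE_LOG='127.0.0.1 - - [10/Mar/2007:10:15:01 -0500] "GET /test/hamburger.war HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2007:10:15:09 -0500] "GET /hamburger/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2007:10:22:43 -0500] "GET /test/hamburger.war HTTP/1.1" 403 214 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2007:10:23:10 -0500] "GET /test/ HTTP/1.1" 200 887 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2007:10:25:00 -0500] "HEAD /test/Hamburger.WAR HTTP/1.1" 200 0 "-" "curl/7.x"'

# war_exposures: read log text on stdin and print one line per request for a
# .war file that Apache answered with a 2xx status, i.e. the archive was served.
war_exposures() {
    awk '
    {
        # Combined-format fields: $1 client, $4 timestamp, $6 "METHOD, $7 path, $9 status.
        method = $6; sub(/^"/, "", method)
        path = $7; sub(/\?.*/, "", path)          # drop any query string
        if (tolower(path) ~ /\.war$/ && $9 ~ /^2[0-9][0-9]$/)
            print $1, $4, method, path, $9
    }'
}

# count_war_exposures: number of served .war requests in the given log text.
count_war_exposures() {
    printf '%s\n' "$1" | war_exposures | wc -l | tr -d ' '
}

# count_blocked_war_requests: number of .war requests Apache refused with 403,
# which is what you expect to see once the FilesMatch directive is in place.
count_blocked_war_requests() {
    printf '%s\n' "$1" | awk '
    {
        path = $7; sub(/\?.*/, "", path)
        if (tolower(path) ~ /\.war$/ && $9 == 403) n++
    }
    END { print n + 0 }'
}

printf 'Served .war requests (each one is a download that should not have happened):\n'
printf '%s\n' "$SAMPLE_LOG" | war_exposures
printf 'Refused .war requests: %s\n' "$(count_blocked_war_requests "$SAMPLE_LOG")"
```

Point the same functions at a real log with `war_exposures < /path/to/access.log`; any output means a war file left the server before the directive took effect.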

As you can see, denying access to war files via Apache settings can close a potentially serious web application security risk.