How do I restrict access from servlets to certain directories?

Richard Braun

[ How can I only allow the servlets in a specific web application to access only regular Tomcat directories and the directory under /tomcat/webapps/<web_app_name>?

So far I found out that with the default Tomcat configuration (I am using 3.2.1), I am able to access every directory at my server (like File.canWrite() on "/" returns true).]

It's not that difficult. You can simply use Java Security, provided you have Java 2.

For example:

grant {
    permission java.io.FilePermission "-", "read,write";
};

This only allows reading and writing in the current directory and its sub-directories. Write this in your tomcat.policy file and then start tomcat like this:

/path/to/java/bin/java -Djava.security.manager \
  -Djava.security.policy=/path/to/tomcat.policy \
  -Dtomcat.home=/path/to/tomcat org.apache.tomcat.startup.Tomcat "$@" &

Don't forget the necessary permissions for tomcat to work properly.

Bye ;)
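
A policy file scoped per code source, as an added example that is not part of the original answer or of Tomcat's shipped configuration. It narrows the blanket grant above to what the question asks for. The web application name "myapp", the "WEB-INF/data" directory and the exact codeBase URLs are assumptions to adapt to the installation.

```java
// tomcat.policy fragment in Java 2 policy file syntax (constructed example).
// "myapp" and "WEB-INF/data" are hypothetical names.

// A grant block with no codeBase applies to ALL code, every web application
// included, so file permissions are deliberately kept out of it.
grant {
    permission java.util.PropertyPermission "java.version", "read";
};

// The container's own classes need broad rights to start and serve requests.
// Assumption: Tomcat's jars live under ${tomcat.home}/lib; other container or
// JDK code sources on the classpath need a similar block.
grant codeBase "file:${tomcat.home}/lib/-" {
    permission java.security.AllPermission;
};

// Code loaded from the web application itself.
// Assumption: the container reports the context directory as the code source.
grant codeBase "file:${tomcat.home}/webapps/myapp" {
    // Read the application directory and everything below it.
    // "-" matches files recursively, "*" would match one level only.
    permission java.io.FilePermission "${tomcat.home}${/}webapps${/}myapp", "read";
    permission java.io.FilePermission "${tomcat.home}${/}webapps${/}myapp${/}-", "read";

    // Write access limited to one data directory inside the application.
    permission java.io.FilePermission
        "${tomcat.home}${/}webapps${/}myapp${/}WEB-INF${/}data${/}-",
        "read,write,delete";
};
```

With a policy like this in force, a servlet in that application calling File.canWrite() on "/" gets a SecurityException instead of true, because no grant matching its code source covers that path.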