
Tomcat: Open Document Directory Listings

December 6th, 2012 Posted in General Idm/IAM, IdM Infrastructure

A lot of us IdMers deploy and run our favorite flavors of IdM tools to and on Apache Tomcat in our personal sandboxes. It’s just an easy servlet container to deploy to. Sun Identity Manager/Oracle Waveset and Sailpoint IIQ come to mind. While this article isn’t necessarily written to plug Sailpoint IIQ, my desire to allow the PDF documents that ship with IdentityIQ to display in my sandbox Tomcat installation did lead to this article being written.

Configuring Tomcat To Allow Directory Listings

Tomcat used to set directory listings to true out of the box. It seems somewhere along the line, this default behavior reverted to false. I’m not sure when. As with plain vanilla Apache HTTP Server, Tomcat does provide directory listings of URLs which don’t point to servlets and other configured objects. It does this through a default servlet (so a servlet is still running — as you might imagine.)

This default servlet can be configured to display directory listings. To do so:

(1) Navigate to the root of your Tomcat installation.

(2) Edit the ./conf/web.xml XML config file.

(3) Look for this section of code and make sure the listings parameter is set to true:

<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
   </init-param>
   <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>

(4) Restart Tomcat

(NOTE: Be aware this changes the directory listing behavior for ALL APPLICATIONS deployed to Tomcat. If you want directory listings turned off in other applications, you need to choose which web.xml files to edit to get the desired result!)

XSLT Transformations

For those looking to take things into the bonus round, just so you know, the Tomcat default servlet runs these directory listings through an XSLT transformation. If you are especially ambitious, you can override these XSLT transformations with transformations of your own. “Skin” your own directory listings, essentially. If your company, for instance, insists on proper branding no matter what is served, or if you were serving this listing up in an iframe on another server, this would be the way to transform the look and feel of the Tomcat directory listing to your liking.

I’m not going to do that here.

SailPoint IIQ PDF Documentation

Now we can navigate to where the Sailpoint IIQ PDF documentation is kept and view these docs right in our browser:

[Image: SailPoint IIQ PDF Documents Directory Listing]

A really nice benefit is that each time you patch Sailpoint IIQ, this exact directory will be updated with the latest and any changed docs from Sailpoint. As you can see above, I’ve already patched my Sailpoint IIQ v6.0 installation to v6.0p1, and as a result, I have the corresponding v6.0p1 docs as well as the original v6.0 docs.

For IdentityIQ, Delete In Production

While we’re here, just another security pointer… I recommend deleting the PDFs in your production install of IdentityIQ, no matter which application server you choose to install to. It only makes sense. While the docs may not be served via HTTP, there are other people who have access to the file system (system and network admins, etc.) and you want to keep your security documentation in-house.
