
How to disable directory browsing in WebSphere 8.5?


I need to know how I can disable the ability to retrieve a list of JS/CSS files from the browser when a user tries to access a resource folder instead of a file itself (e.g. by typing http://domain/appname/resources/js) on WebSphere 8.5.

According to the IBM Knowledge Center documentation, the Web Container default value for directoryBrowsingEnabled is false, which suggests that I do not necessarily need to define <enable-directory-browsing value="false"/> in ibm-web-ext.xml in the first place.

In my case WebSphere generates ibm-web-ext.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<web-ext xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd" version="1.0">
    <jsp-attribute name="reloadEnabled" value="true"/>
    <jsp-attribute name="reloadInterval" value="5"/>
</web-ext>

When I modify and replace ibm-web-ext.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<web-ext xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd" version="1.0">
    <jsp-attribute name="reloadEnabled" value="true"/>
    <jsp-attribute name="reloadInterval" value="5"/>
    <enable-directory-browsing value="false"/>
</web-ext>

After an application restart, it seems nothing changed.

Why is the list of CSS / JS resource files accessible from the browser even if the directoryBrowsingEnabled flag is set to false? It seems like directoryBrowsingEnabled alone isn't enough. What am I missing?


Solution

  • Short answer: directory browsing for WAS is already disabled by default.

    Please note that 'directory browsing' means FTP-style directory browsing, where the user can navigate directories by clicking folders upwards / downwards.

    In my case the browser responds with a 200 code by downloading the folder as a plain text file when the user hits http://domain/appname/resources/js. So it's not the previously mentioned 'FTP' style browsing case.

    Along with other static resource configuration there was a Spring MVC resources tag.

    <mvc:resources mapping="/**" location="/resources/" />
    

    I do not think that tag alone was the cause of this issue. However, after removing it, resource directory URLs no longer result in a 200 status code.
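
A regression check for the symptom described in the answer, as an added example that is not part of the original post: it requests each resource directory URL (with and without a trailing slash), reports any answered with 2xx, and confirms that known static files are still served after the mapping change. The function names and the sample file name app.js are assumptions made for illustration.

```python
import sys
import urllib.error
import urllib.request

def http_fetch(url, timeout=10):
    """GET url and return (status, content_type); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, (err.headers or {}).get("Content-Type", "")

def check_static_mapping(base_url, dir_paths, file_paths, fetch=http_fetch):
    """Return (exposed_dirs, broken_files) for one deployed application.

    exposed_dirs: directory URLs answered with 2xx (the symptom in the post).
    broken_files: known static files that are no longer served with 200.
    """
    base = base_url.rstrip("/")
    exposed_dirs, broken_files = [], []
    for path in dir_paths:
        stem = base + "/" + path.strip("/")
        # Probe both spellings: a container may treat /js and /js/ differently.
        for url in (stem, stem + "/"):
            status, ctype = fetch(url)
            if 200 <= status < 300:
                exposed_dirs.append((url, status, ctype))
    for path in file_paths:
        url = base + "/" + path.lstrip("/")
        status, _ = fetch(url)
        if status != 200:
            broken_files.append((url, status))
    return exposed_dirs, broken_files

if __name__ == "__main__":
    # Arguments ending in .js or .css are treated as files, the rest as directories.
    if len(sys.argv) < 3:
        sys.exit("usage: check.py BASE_URL PATH [PATH ...]")
    base, args = sys.argv[1], sys.argv[2:]
    files = [a for a in args if a.endswith((".js", ".css"))]
    dirs = [a for a in args if a not in files]
    exposed, broken = check_static_mapping(base, dirs, files)
    for url, status, ctype in exposed:
        print(f"DIRECTORY SERVED {status} {ctype or '-'} {url}")
    for url, status in broken:
        print(f"FILE NOT SERVED {status} {url}")
    sys.exit(1 if exposed or broken else 0)
```

Run it against your own deployment before and after changing the resource mapping; a non-zero exit code means a directory URL is still answered or a static file stopped being served.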