This is the second in a series of posts detailing my efforts to stand up a Tomcat/ACF10 development environment next to my existing Apache/JRun/ACF9 stack. For background, see the first post in the series.
I will focus my initial configuration efforts on some basics for securing the Tomcat/ACF10 stack, addressing things I know the security scanning services on our network look specifically for. I will start with disabling directory listings provided by default when a browser requests a URL for a directory without a default document. In this post (and all future posts in the series, unless I specifically indicate otherwise), I will use paths based upon my installation of ACF10 in the default location on Mac OS X systems. By default, ACF10 is installed in `/Applications/ColdFusion10`; you can translate as needed for your installation.
To disable directory listings, find the `<servlet>` element for the `default` servlet within file `./cfusion/runtime/conf/web.xml`. Within that element, find (or insert) an `<init-param>` element with a child `<param-name>` element with a value of `listings`. Set the `<param-value>` element to `false`:

```xml
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    ...
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    ...
</servlet>
```
Restart the server, and we can check this one off our list.