
Is it secure to have a configuration file outside a deployed java war file?

Specifically, is it more or less secure having the file on the outside?

This is assuming you put the configuration files in the root directory (of the web server). And that there are only standard restrictions to files applied (no special lock down tools).


Depends on where you put your configuration files in your WAR. If you put it in WEB-INF or META-INF, you will not be able to route to those files.

/app/WEB-INF/web.xml gives an HTTP 404.

Unless there is some other exploit that would allow someone access to files on the server, I would say it's no more secure in the WAR in the right place than outside the WAR file.


Yes it can be secure, although I would not use the root directory of the web server.

Typically a web server is configured to run as its own user (for instance, Tomcat on Linux runs as user tomcat). So if the file can only be read by tomcat, only the web server can access it.

You can use Context.xml in Tomcat's conf directory to either directly inject the settings in the application's context, or add a property there pointing to the file location. That way the location need not be fixed.
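
A startup check that enforces what the answers above describe, as an added example (not code from the original posts): it loads the external file only if it sits outside the web root and no account other than the owner can read or write it. The class name `ExternalConfigLoader`, the `webRoot` parameter and the sample paths are assumptions; the location string is whatever the property configured in Context.xml resolves to, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

// Hypothetical helper, JDK only; call it once when the application starts.
public class ExternalConfigLoader {
    // Any of these bits means an account other than the owner can read or change the file.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    /** Loads properties from configLocation, refusing unsafe placement or file modes. */
    public static Properties load(String configLocation, String webRoot) throws IOException {
        Path config = Paths.get(configLocation).toRealPath(); // resolves symlinks and ".."
        Path root = Paths.get(webRoot).toRealPath();
        if (config.startsWith(root)) {
            throw new SecurityException("config file is inside the web root: " + config);
        }
        Set<PosixFilePermission> open = EnumSet.copyOf(TOO_OPEN);
        open.retainAll(Files.getPosixFilePermissions(config)); // keep only the offending bits
        if (!open.isEmpty()) {
            throw new SecurityException("config file mode too permissive: " + open);
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(config)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a web root and a config file kept outside it.
        Path base = Files.createTempDirectory("demo");
        Path webRoot = Files.createDirectory(base.resolve("webapps"));
        Path conf = Files.createDirectory(base.resolve("conf")).resolve("app.properties");
        Files.write(conf, "db.user=app\n".getBytes("UTF-8"));
        Files.setPosixFilePermissions(conf, PosixFilePermissions.fromString("rw-------"));
        System.out.println(load(conf.toString(), webRoot.toString()).getProperty("db.user"));
        Files.setPosixFilePermissions(conf, PosixFilePermissions.fromString("rw-r--r--"));
        try { load(conf.toString(), webRoot.toString()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Failing at startup rather than logging a warning means a file that was later made group- or world-readable stops the deployment instead of going unnoticed.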
