Secure Tomcat Webapps folder from direct user access

Is there a way that I can secure the webapps folder in Tomcat from direct access from a system user? In other words, I dont want a user to logon to the server machine and access the webapps folder. However, id still like the contents of the webapps folder to be served accordingly.

Would a soloution such as TrueCrypt to encypt the fo开发者_StackOverflow社区lder work? Or something like Windows admin rights? However, id still need a user to logon to the server machine to start and stop tomcat (bin folder) but not have access to the webapps folder.

Update Feb 15 '11: Yes, it's to stop someone logging onto the server machine and deply/undeploy. Since I'm going to be using a windows machine, I will probably restrict access to the tomcat folder and create an exe on the desktop to start and stop the services.

---

I am not sure what you mean by "access webapps folder", I will assume this means user can deploy/undeploy webapps and start/stop Tomcat. In Unix this can be doable as follows:

• create a user for Tomcat. Change umask so all created files are only readable by this user and no one else, similar for directories.
• create a user (e.g. system) that will be stopping/starting Tomcat.
• give sudo rights for user system just to be able to start/stop Tomcat. You can, for example, externalize catalina.sh start and catalina.sh stop scripts somewhere in /usr/local/bin and give sudo access to those.
• create a script that takes yourwebapp.war and copies to $tomcat_home/webapps or invokes relevant Tomcat manager command (for deployment/undeployment). Again, give sudo rights just for that script but otherwise change it's mode to 700 so it is not even readable by system user.