After installing Open Blue Dragon on Tomcat and hooking it up to Apache, I did some poking around and found I was able to pull up my bluedragon.xml configuration file directly in my browser. Now, this may not happen in all configurations (there are many ways to setup a J2EE web application), but it my case, running through Apache and having copied Blue Dragon’s WEB-INF directory to my webroot, I was able to browse this file. In case you didn’t know, all OpenBD’s settings are stored in a single xml file (which I find very convenient, by the way).

It didn’t work when going directly through Tomcat, i.e. browsing on port 8080 would not pull it up, I think Tomcat is smart enough to know not to serve files from the WEB-INF directory. But browsing through Apache on port 80 bypasses Tomcat for anything thats not a .cfm or .cfc file, so it would happily return the xml file. Datasource passwords are stored encrypted but the administrator password is clear text. Its easy to lock this down, just add this to your Apache config file:

<location "/WEB-INF/">
deny from all


  1. William from Lagos says:

    Hi. Thanks for the tip. I have been having a little issue configuring tomcat + apache httpd + OBD that makes use of virtual hosting. In my development environment, I have always prefered using http://app1:8081 or http://app2:8081 instead of http://localhost:8081/app1. Could u kindly point me to any resource you might know of that can help

  2. Ryan Stille says:

    William these may be helpful:

    The key is copying the WEB-INF (and related directories, for openBD thats the bluedragon directory which contains the administrator) to your webroot, and changing Tomcat's server.xml to point there.