After installing Open Blue Dragon on Tomcat and hooking it up to Apache, I did some poking around and found I was able to pull up my bluedragon.xml configuration file directly in my browser. Now, this may not happen in all configurations (there are many ways to setup a J2EE web application), but it my case, running through Apache and having copied Blue Dragon’s WEB-INF directory to my webroot, I was able to browse this file. In case you didn’t know, all OpenBD’s settings are stored in a single xml file (which I find very convenient, by the way).
It didn’t work when going directly through Tomcat, i.e. browsing on port 8080 would not pull it up, I think Tomcat is smart enough to know not to serve files from the WEB-INF directory. But browsing through Apache on port 80 bypasses Tomcat for anything thats not a .cfm or .cfc file, so it would happily return the xml file. Datasource passwords are stored encrypted but the administrator password is clear text. Its easy to lock this down, just add this to your Apache config file:
deny from all