tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r544037 - in /tomcat/connectors/trunk/jk/xdocs: reference/apache.xml webserver_howto/apache.xml
Date Mon, 04 Jun 2007 03:22:02 GMT
Author: markt
Date: Sun Jun  3 20:22:01 2007
New Revision: 544037

URL: http://svn.apache.org/viewvc?view=rev&rev=544037
Log:
A better warning for the httpd docs.

Modified:
    tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
    tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml

Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=544037&r1=544036&r2=544037
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Sun Jun  3 20:22:01 2007
@@ -25,10 +25,14 @@
 Exceptions from this rule are
 again explicitely listed in the table below.
 </p>
-<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat Host's
-appBase or the docBase of any Context. Configuring httpd/Tomcat this way is very
-likely to result in JSP source code disclosure and/or other security issues.
-</b></p>
+<p><b>Waring: If Apache httpd and Tomcat are configured to serve content from
+the same filing system location then care must be taken to ensure that httpd is
+not able to serve inappropriate content such as the contents of the WEB-INF
+directory or JSP source code.</b> This could occur if the httpd DocumentRoot
+overlaps with a Tomcat Host's appBase or the docBase of any Context. It could
+also occur when using the httpd Alias directive with a Tomcat Host's appBase or
+the docBase of any Context.
+</p>
 <p>
 Here are the all directives supported by Apache:
 </p>
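Review bot: the new bold warning in this hunk has two typos that will ship into the rendered docs: "Waring" should be "Warning" and "filing system" should be "file system" (the identical paragraph is added to webserver_howto/apache.xml below, so fix both). Suggested wording for the first two lines: `<p><b>Warning: If Apache httpd and Tomcat are configured to serve content from` / `the same file system location then care must be taken to ensure that httpd is`. Since this is the first place a reader meets the warning, it would also help to name the mitigation the rest of this commit recommends (mount everything to Tomcat with JkMount /* and JkUnMount only the static types) instead of leaving "care must be taken" open-ended.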
@@ -119,7 +123,11 @@
 </p></attribute>
 <attribute name="JkAutoAlias" required="false"><p>
 Automatically Alias webapp context directories into the Apache
-document space. 
+document space.
+<br/>
+Care should be taken to ensure that only static content is served via httpd as a
+result of using this directive. Any static content served by httpd will bypass any
+security constraints defined in the application's web.xml.
 <br/>
 For inheritance rules, see: JkMountCopy.
 <br/>
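Review bot: "only static content is served via httpd" states the goal but not how to meet it, and JkAutoAlias aliases the whole context directory, WEB-INF included, so the reader needs the concrete rule. Suggest saying here that all requests should be mounted to Tomcat by default (`JkMount /* worker`) with static extensions explicitly unmounted via JkUnMount, and that httpd should additionally be configured to deny access to WEB-INF, since any file under WEB-INF whose extension matches an unmounted pattern would otherwise be served by httpd. The same advice is added to the JkAutoAlias directive description later in this file; keeping the two consistent (or cross-referencing) avoids drift.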
@@ -697,9 +705,12 @@
 the Apache document space. It enables Apache to serve a static context while Tomcat
 serving dynamic context. This directive is used for convenience so that you don't
 have to put an apache Alias directive for each application directory inside Tomcat's
-webapp directory.
+webapp directory. For security reasons is is strongly recommended that JkMount
+is used to pass all requests to Tomcat by default and JkUnMount is used to
+explicitly exclude static content to be served by httpd. It should also be noted
+that content served by httpd will bypass any security constraints defined in the
+applciation's web.xml.
 </p>
-
 <source>
   # enter the full path to the tomcat webapps directory
   JkAutoAlias /opt/tomtact/webapps
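Review bot: typos in the added text: "For security reasons is is strongly recommended" should read "it is strongly recommended", "applciation's" should be "application's", and "explicitly exclude static content to be served by httpd" reads better as "explicitly exclude the static content that httpd should serve". The existing example on the last context line, `JkAutoAlias /opt/tomtact/webapps`, has "tomtact" for "tomcat"; worth correcting while this paragraph is being edited so readers do not copy a bad path. Minor: this paragraph now duplicates the security note added to the JkAutoAlias attribute table earlier in the same file; a one-line cross-reference would be enough in one of the two places.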

Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=544037&r1=544036&r2=544037
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Sun Jun  3 20:22:01 2007
@@ -44,10 +44,14 @@
 and <a href="../reference/apache.html">Apache</a>.
 </p>
 
-<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat Host's
-appBase or the docBase of any Context. Configuring httpd/Tomcat this way is very
-likely to result in JSP source code disclosure and/or other security issues.
-</b></p>
+<p><b>Waring: If Apache httpd and Tomcat are configured to serve content from
+the same filing system location then care must be taken to ensure that httpd is
+not able to serve inappropriate content such as the contents of the WEB-INF
+directory or JSP source code.</b> This could occur if the httpd DocumentRoot
+overlaps with a Tomcat Host's appBase or the docBase of any Context. It could
+also occur when using the httpd Alias directive with a Tomcat Host's appBase or
+the docBase of any Context.
+</p>
 
 <p>
 This document was originally part of <b>Tomcat: A Minimalistic User's Guide</b>
written by Gal Shachor,
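Review bot: same typos as the matching paragraph in reference/apache.xml: "Waring" should be "Warning" and "filing system" should be "file system". Suggested first lines: `<p><b>Warning: If Apache httpd and Tomcat are configured to serve content from` / `the same file system location then care must be taken to ensure that httpd is`. Both copies should be kept word-for-word identical, or the howto should link to the reference warning, so a future fix is not applied to only one of them.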
@@ -712,8 +716,11 @@
 </p>
 
 <p>
-Caution: If Apache is configured to serve static pages for a web application it bypasses
-any security contraints you may have configured in your web application web.xml config file.
+Caution: For security reasons is is strongly recommended that JkMount is used to
+pass all requests to Tomcat by default and JkUnMount is used to explicitly
+exclude static content to be served by httpd. It should also be noted that
+content served by httpd will bypass any security constraints defined in the
+applciation's web.xml.
 </p>
 
 <p>Use Apache's <b>Alias</b> directive to map a single web application
context directory into Apache's
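Review bot: the replaced Caution paragraph drops the one concrete statement the old text had (that httpd serving static pages bypasses web.xml constraints) into a second sentence that is harder to find; keeping "bypasses" first and the JkMount/JkUnMount recommendation second would preserve the emphasis. Typos in the new text: "is is" should be "it is" and "applciation's" should be "application's". The same sentence also appears in reference/apache.xml, so apply the fix in both files.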
@@ -723,15 +730,12 @@
 <source>
   # Static files in the examples webapp are served by apache
   Alias /examples /vat/tomcat3/webapps/examples
-  # The following line prohibits users from directly access WEB-INF
-  &lt;Location "/examples/WEB-INF/"&gt;
-      AllowOverride None
-      deny from all
-  &lt;/Location&gt;
-  # All JSP will goes to worker1
-  JkMount /*.jsp worker1
-  # All servlets goes to worker1
-  JkMount /*/servlet/ worker1
+  # All requests go to worker1 by default
+  JkMount /* worker1
+  # Serve html, jpg and gif using httpd
+  JkUnMount /*.html worker1
+  JkUnMount /*.jpg  worker1
+  JkUnMount /*.gif  worker1
 </source>
 
 <p>
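Review bot: removing the `<Location "/examples/WEB-INF/">` deny block weakens this example rather than simply modernising it. With `JkMount /* worker1` plus `JkUnMount /*.html worker1` (and the .jpg/.gif lines), any .html, .jpg or .gif file under /examples/WEB-INF/ is unmounted from Tomcat and served by httpd through the Alias, so WEB-INF is no longer fully protected; the old Location block covered that case regardless of extension. Suggest keeping the Location deny block alongside the new default-mount lines, and mentioning in the prose that JkUnMount patterns should be chosen so they cannot match anything inside WEB-INF. Also, the Alias path `/vat/tomcat3/webapps/examples` on the unchanged context line looks like a typo for `/var/tomcat3/webapps/examples`, which is the path the JkAutoAlias example below uses.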
@@ -783,8 +787,13 @@
 <source>
   # Static files in all Tomcat webapp context directories are served by apache
   JkAutoAlias /var/tomcat3/webapps
-  JkMount /*.jsp ajp13
-  JkMount /*/servlet/ ajp13
+
+  # All requests go to worker1 by default
+  JkMount /* ajp13
+  # Serve html, jpg and gif using httpd
+  JkUnMount /*.html ajp13
+  JkUnMount /*.jpg  ajp13
+  JkUnMount /*.gif  ajp13
 </source>
 
 <p>
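Review bot: the new comment `# All requests go to worker1 by default` does not match the directives under it, which use the worker name `ajp13`; change the comment to say ajp13 (or the directives to worker1, matching the Alias example) so readers do not copy a mismatched worker name. The WEB-INF point from the Alias example applies here with wider scope: JkAutoAlias exposes every context directory under /var/tomcat3/webapps, so an .html/.jpg/.gif file under any webapp's WEB-INF would be served by httpd; a `<LocationMatch "/WEB-INF/">` block with `deny from all` next to these lines would close that gap for all contexts at once.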