tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rachel Greenham <rachel.green...@enetgroup.co.uk>
Subject Re: WEB-INF left open to all and sundry by default
Date Fri, 01 Sep 2000 12:13:41 GMT
Kevin Sangalee wrote:
> 
> On Fri, 1 Sep 2000, Rachel Greenham wrote:
> 
> I tried to reproduce this on my installation (Apache + Tomcat3.1 + Linux),
> and got 'Forbidden' for contexts, except ROOT which gave 'File not Found'
> 
> I think that the ROOT context is the only context that shares a directory
> with Apache. I've configured it all according to the guidelines in the
> Jakarta docs.
> 
> Can you give more details on how to reproduce this? Could it be a
> mis-configuration on your part?

It was indeed the root context - but where in server.xml the context is set
up like this: (on my development system, which shows the same behaviour) as
opposed to being in $TOMCAT_HOME/webapps/ROOT.

       <Context path="" docBase="/home/rachel/esparto/pcwbd-state/htdocs"
debug="0" reloadable="true" > 
        </Context>

And Apache is configured so that it's DocumentRoot also points to the same
directory as docBase above.

It does look like, because there is no mapping of /WEB-INF to be handled by
Tomcat, Apache is just serving them as files under its document root.

I've noticed this bit in the default tomcat.conf which I guess holds the
answers I want. :-)

############################## Context mapping - you need to "deploy"
# ( copy or ln -s ) the context into htdocs
##

# ApJservMount /CONTEXT/servlet  /root
# <Location /CONTEXT/WEB-INF/ >
#      AllowOverride None
#      deny from all
# </Location>

-- 
Rachel

Mime
View raw message