tomcat-users mailing list archives

From Jacob Kjome <h...@visi.com>
Subject Re: running tomcat + apache and the system shows me the xml file. bug or bad configuration?
Date Sun, 02 Feb 2003 05:54:50 GMT

I believe that the path in <Directory> needs to be fully qualified.  So, 
instead of what you have, it would be something like...

<Directory "C:/my/directory/path/to/my/webapp/WEB-INF/">

Or, you can just do...

JkMount /myapp ajp13
JkMount /myapp/* ajp13

That will forward *everything* to Tomcat and Tomcat already knows not to 
allow access to WEB-INF or META-INF.

If you still want to do the mapping in Apache (so you can serve static 
content using Apache rather than Tomcat) here is a sample from my 
mod_jk.conf....


     #################### localhost:/examples ####################

     # Static files
     Alias /examples "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples"

     <Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples">
         Options Indexes FollowSymLinks
         DirectoryIndex index.html index.htm index.jsp
     </Directory>


     # Deny direct access to WEB-INF and META-INF
     #
     <Location "/examples/WEB-INF/*">
         AllowOverride None
         deny from all
     </Location>

     <Location "/examples/META-INF/*">
         AllowOverride None
         deny from all
     </Location>
     #
     # Use Directory too. On Windows, Location doesn't work unless case matches
     #
     <Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples/WEB-INF/">
         AllowOverride None
         deny from all
     </Directory>

     <Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples/META-INF/">
         AllowOverride None
         deny from all
     </Directory>

     JkMount /examples/jsp/security/protected/j_security_check  ajp13
     JkMount /examples/CompressionTest  ajp13
     JkMount /examples/SendMailServlet  ajp13
     JkMount /examples/servletToJsp  ajp13
     JkMount /examples/snoop  ajp13
     JkMount /examples/*.jsp  ajp13
     JkMount /examples/servlet/*  ajp13


Hope that helps!


Jake

At 05:32 PM 2/1/2003 +0100, you wrote:
>I have one application running in Tomcat 4.1.18 and Apache.
>If I write in the browser (Explorer):
>http://www.domain.com/WEB-INF/web.xml
>the system shows me the file.
>This is one great security problem.
>How can I deny this?
>In the Apache conf file I have:
><Directory "WEB-INF">
>Options -Indexes
>AllowOverride None
>Order deny,allow
>Deny from all
></Directory>
>
>Please help me

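An added example, not part of the original message: a small Python audit of an httpd.conf fragment that reports web application roots whose WEB-INF and META-INF lack a fully qualified <Directory> deny, which are the two points made in the reply above. The config fragments, paths and function names are constructed for illustration, and the path comparison assumes a Windows host.

```python
import re

# Constructed httpd.conf fragments (paths are hypothetical, not from the thread).
WEAK_CONF = '''
DocumentRoot "C:/tomcat/webapps/ROOT"
<Directory "WEB-INF">
    Order deny,allow
    Deny from all
</Directory>
'''
FIXED_CONF = '''
Alias /myapp "C:/tomcat/webapps/myapp"
<Location "/myapp/WEB-INF/*">
    deny from all
</Location>
<Directory "C:/tomcat/webapps/myapp/WEB-INF/">
    deny from all
</Directory>
<Directory "C:/tomcat/webapps/myapp/META-INF/">
    deny from all
</Directory>
'''

SECTION = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.I | re.S)
ROOTS = re.compile(r'^\s*(?:Alias\s+(\S+)|DocumentRoot)\s+"?([^"\n]+)"?', re.I | re.M)
DENY = re.compile(r'^\s*deny\s+from\s+all\s*$', re.I | re.M)

def norm(path):
    # Assumes a Windows host: paths compare case-insensitively; ignore trailing slash.
    return path.strip().replace("\\", "/").rstrip("/").lower()

def audit(conf):
    """List private webapp dirs that lack a fully qualified <Directory> deny."""
    denied, findings = set(), []
    for kind, target, body in SECTION.findall(conf):
        if kind.lower() != "directory" or not DENY.search(body):
            continue  # <Location> is skipped: it matches URLs, case-sensitively
        if re.match(r'([A-Za-z]:)?/', target.replace("\\", "/")):
            denied.add(norm(target))
        else:
            findings.append(f'<Directory "{target}"> is not fully qualified')
    for url, root in ROOTS.findall(conf):
        for private in ("WEB-INF", "META-INF"):
            if norm(f"{root}/{private}") not in denied:
                findings.append(f"{url}/{private} has no <Directory> deny")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "OK")
```

A configuration that protects WEB-INF only with <Location> is reported as well, since the audit counts only filesystem-level <Directory> denies.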