tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Holger Burde" <>
Subject AW: isapi_redirector & protected Diretories
Date Mon, 21 Jan 2008 12:11:05 GMT


Thanks for the reply. 

This type of matching breaks at least every JSF Netbeans (5.x/6.x) App and maybe others. We
have no choice now than patching the isapi_redirector. Also i thought that Tomcat protects
those dirs ? or is this not the case if access is via ajp13 ?


-----Urspr√ľngliche Nachricht-----
Von: Rainer Jung [] 
Gesendet: Montag, 21. Januar 2008 11:47
An: Tomcat Users List
Betreff: Re: isapi_redirector & protected Diretories

Hi Holger,

Holger Burde wrote:
> Hi;
> I did a Netbeans 6 JSF Project recently  which was developed and tested
> with Tomcat6. The final installation was set up with  Tomcat 6.0.14
> behind IIS6 (Connectors / isapi_rediretor (latest version)).
> Running some tests we discovered  that allmost all Javascript was
> filtered out and we got almost blank pages. The Reason was that the
> isapi_redirector filters out every access to any URI which *contains*
> Example : javascript   $CONTEXT/theme/META-INF/json/json.jsf
> This is not THE META-INF config directory - its just a Path which
> accidential contains META-INF !!!
> Is there any way to configure access to such directories or ist his a
> Bug in the isapi_redirector ? From the source it looks like it a
> substring Match which filters out anything. Any Comments on this are
> welcome.

No, there is no way to change this via configuration. A context path can 
be multiple-directories, so since we don't know what's exactly deployed 
in the backend, we need to secure all possible WEB-INF and META-INF 

Best would be to not use those names for normal content directories. Not 
only because your isapi redirector problem, but also because admins 
might misinterprete the directories.

If the stuff in the directories is static and you deploy it on IIS 
itself, you can use an exclusion mount for them. That way we don't find 
a worker, and for requests that don't get send to the backend, there is 
no such check. Be careful though, you don't want to expose your real 

> Thanks in advance
> Hb
> Java developer



To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message