tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: AW: isapi_redirector & protected Diretories
Date Mon, 21 Jan 2008 12:19:18 GMT
Holger Burde wrote:
> Hi;
> 
> Thanks for the reply.
> 
> This type of matching breaks at least every JSF Netbeans (5.x/6.x)
> app and maybe others. We have no choice now other than patching the
> isapi_redirector. Also, I thought that Tomcat protects those dirs? Or
> is this not the case if access is via ajp13?

It is, even for ajp13. To document the problem, please open an issue in 
Bugzilla and give some information on why you can't simply avoid those 
directory names.

> 
> hb

Regards,

Rainer

> 
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Monday, 21 January 2008 11:47
> To: Tomcat Users List
> Subject: Re: isapi_redirector & protected Diretories
> 
> Hi Holger,
> 
> Holger Burde wrote:
>> Hi;
>> 
>> I recently did a Netbeans 6 JSF project which was developed and
>> tested with Tomcat 6. The final installation was set up with Tomcat
>> 6.0.14 behind IIS6 (Connectors / isapi_redirector (latest version)).
>> 
>> Running some tests we discovered that almost all JavaScript was
>> filtered out and we got almost blank pages. The reason was that the
>> isapi_redirector filters out every access to any URI which
>> *contains* META-INF / WEB-INF ANYWHERE in the PATH.
>> 
>> Example: javascript $CONTEXT/theme/META-INF/json/json.jsf
>> 
>> This is not THE META-INF config directory - it's just a path which
>> accidentally contains META-INF !!!
>> 
>> Is there any way to configure access to such directories or is this
>> a bug in the isapi_redirector? From the source it looks like a
>> substring match which filters out anything. Any comments on this
>> are welcome.
> 
> No, there is no way to change this via configuration. A context path
> can be multiple directories, so since we don't know what exactly is
> deployed in the backend, we need to secure all possible WEB-INF and
> META-INF directories.
> 
> Best would be to not use those names for normal content directories.
> Not only because of your isapi redirector problem, but also because
> admins might misinterpret the directories.
> 
> If the stuff in the directories is static and you deploy it on IIS
> itself, you can use an exclusion mount for them. That way we don't
> find a worker, and for requests that don't get sent to the backend,
> there is no such check. Be careful though, you don't want to expose
> your real META-INF resp. WEB-INF.
> 
>> Thanks in advance
>> 
>> 
>> Hb
>> 
>> Java developer
> 
> Regards,
> 
> Rainer
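
The check discussed in this thread, as an added example that is not part of the original messages and is not the isapi_redirector source: it compares a substring match on the URI path with a whole-segment match. The function names, the `/app` context path standing in for `$CONTEXT`, the other sample URIs and the case-insensitive comparison are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustration only, not the isapi_redirector source. Case-insensitive
 * comparison is an assumption made for this sketch. */
static int eq_ci(const char *s, size_t len, const char *name) {
    if (len != strlen(name)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Substring match: 1 if `name` occurs anywhere in the path part of `uri`. */
static int path_contains(const char *uri, const char *name) {
    size_t plen = strcspn(uri, "?"), n = strlen(name);
    for (size_t i = 0; i + n <= plen; i++)
        if (eq_ci(uri + i, n, name)) return 1;
    return 0;
}

/* The behaviour described in the thread: reject on any substring hit. */
int blocked_by_substring(const char *uri) {
    return path_contains(uri, "WEB-INF") || path_contains(uri, "META-INF");
}

/* Narrower alternative: reject only when a whole path segment matches. */
int blocked_by_segment(const char *uri) {
    const char *p = uri;
    while (*p && *p != '?') {
        while (*p == '/') p++;              /* skip separators */
        size_t len = strcspn(p, "/?");      /* length of this segment */
        if (eq_ci(p, len, "WEB-INF") || eq_ci(p, len, "META-INF")) return 1;
        p += len;
    }
    return 0;
}

int main(void) {
    /* Constructed sample URIs; "/app" stands in for $CONTEXT. */
    const char *uris[] = { "/app/theme/META-INF/json/json.jsf",
                           "/app/WEB-INF/web.xml",
                           "/app/docs/my-web-inf-notes.html",
                           "/app/theme/resources/json/json.jsf" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-36s substring=%d segment=%d\n", uris[i],
               blocked_by_substring(uris[i]), blocked_by_segment(uris[i]));
    return 0;
}
```

The example path from the thread is rejected by both checks, because META-INF is a complete directory name in it; only the third sample URI separates the two approaches.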
