tomcat-users mailing list archives

From Rainer Jung <>
Subject Re: AW: isapi_redirector & protected Diretories
Date Mon, 21 Jan 2008 12:19:18 GMT
Holger Burde wrote:
> Hi;
> Thanks for the reply.
> This type of matching breaks at least every JSF Netbeans (5.x/6.x)
> App and maybe others. We have no choice now but to patch the
> isapi_redirector. Also I thought that Tomcat protects those dirs? Or
> is this not the case if access is via ajp13?

It is, even for ajp13. To document the problem please open an issue in 
bugzilla and give some information, why you can't simply avoid those 
directory names.

> hb



> -----Original Message-----
> From: Rainer Jung []
> Sent: Monday, 21 January 2008 11:47
> To: Tomcat Users List
> Subject: Re: isapi_redirector & protected Diretories
> Hi Holger,
> Holger Burde wrote:
>> Hi;
>> I did a Netbeans 6 JSF Project recently which was developed and
>> tested with Tomcat6. The final installation was set up with Tomcat
>> 6.0.14 behind IIS6 (Connectors / isapi_redirector (latest version)).
>> Running some tests we discovered that almost all Javascript was
>> filtered out and we got almost blank pages. The reason was that the
>> isapi_redirector filters out every access to any URI which
>> *contains* META-INF / WEB-INF ANYWHERE in the PATH.
>> Example : javascript   $CONTEXT/theme/META-INF/json/json.jsf
>> This is not THE META-INF config directory - it's just a path which
>> accidentally contains META-INF !!!
>> Is there any way to configure access to such directories or is this
>> a bug in the isapi_redirector? From the source it looks like it's a
>> substring match which filters out anything. Any comments on this
>> are welcome.
> No, there is no way to change this via configuration. A context path
> can be multiple directories, so since we don't know what exactly is
> deployed in the backend, we need to secure all possible WEB-INF and
> META-INF directories.
> Best would be to not use those names for normal content directories.
> Not only because of your isapi redirector problem, but also because
> admins might misinterpret the directories.
> If the stuff in the directories is static and you deploy it on IIS
> itself, you can use an exclusion mount for them. That way we don't
> find a worker, and for requests that don't get sent to the backend,
> there is no such check. Be careful though, you don't want to expose
> your real META-INF resp. WEB-INF.
>> Thanks in advance
>> Hb
>> Java developer
> Regards,
> Rainer
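
As an added illustration of the matching discussed in this thread (not code from isapi_redirector or from either poster), the C sketch below compares a substring test with a whole-segment test, assuming an already decoded URI and case-insensitive matching; the function names are hypothetical. Both reject the `theme/META-INF/json/json.jsf` path from the thread, because a front end that does not know the context path cannot tell a content directory named META-INF from the protected one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does s start with prefix? Stops at the NUL of s. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Conservative check: "/WEB-INF" or "/META-INF" anywhere in the URI. */
int blocked_substring(const char *uri)
{
    for (const char *p = uri; *p; p++)
        if (starts_with_ci(p, "/web-inf") || starts_with_ci(p, "/meta-inf"))
            return 1;
    return 0;
}

/* Segment check: a whole path segment, at any depth, is WEB-INF or
 * META-INF. Any depth, because the context path may span directories. */
int blocked_segment(const char *uri)
{
    static const char *names[] = { "web-inf", "meta-inf" };
    for (const char *p = uri; *p; p++) {
        if (*p != '/')
            continue;
        for (size_t i = 0; i < 2; i++) {
            size_t n = strlen(names[i]);
            if (starts_with_ci(p + 1, names[i]) &&
                (p[1 + n] == '\0' || p[1 + n] == '/'))
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample URIs; "/app" stands in for $CONTEXT. */
    const char *uris[] = { "/app/theme/META-INF/json/json.jsf",
        "/app/WEB-INF/web.xml", "/app/WEB-INFO/page.jsp", "/app/index.jsp" };
    for (size_t i = 0; i < 4; i++)
        printf("%-36s substring=%d segment=%d\n", uris[i],
               blocked_substring(uris[i]), blocked_segment(uris[i]));
    return 0;
}
```

Only the `WEB-INFO` case differs between the two checks; the JSF theme path is blocked either way, which is why an exclusion mount or a renamed directory is the suggested way out.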
