From: Rainer Jung
Date: Mon, 21 Jan 2008 13:19:18 +0100
To: Tomcat Users List
Subject: Re: AW: isapi_redirector & protected Diretories

Holger Burde wrote:
> Hi;
>
> Thanks for the reply.
>
> This type of matching breaks at least every JSF Netbeans (5.x/6.x)
> App and maybe others. We have no choice now other than patching the
> isapi_redirector. Also I thought that Tomcat protects those dirs? Or
> is this not the case if access is via ajp13?

It is, even for ajp13. To document the problem, please open an issue in Bugzilla and give some information on why you can't simply avoid those directory names.

>
> hb

Regards,

Rainer

>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Monday, 21 January 2008 11:47
> To: Tomcat Users List
> Subject: Re: isapi_redirector & protected Diretories
>
> Hi Holger,
>
> Holger Burde wrote:
>> Hi;
>>
>> I did a Netbeans 6 JSF Project recently which was developed and
>> tested with Tomcat6. The final installation was set up with Tomcat
>> 6.0.14 behind IIS6 (Connectors / isapi_redirector (latest version)).
>>
>>
>> Running some tests we discovered that almost all Javascript was
>> filtered out and we got almost blank pages. The reason was that the
>> isapi_redirector filters out every access to any URI which
>> *contains* META-INF / WEB-INF ANYWHERE in the PATH.
>>
>> Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
>>
>> This is not THE META-INF config directory - it's just a path which
>> accidentally contains META-INF !!!
>>
>> Is there any way to configure access to such directories or is this
>> a bug in the isapi_redirector? From the source it looks like it is a
>> substring match which filters out anything. Any comments on this
>> are welcome.
>
> No, there is no way to change this via configuration. A context path
> can be multiple directories, so since we don't know what's exactly
> deployed in the backend, we need to secure all possible WEB-INF and
> META-INF directories.
>
> Best would be to not use those names for normal content directories.
> Not only because of your isapi redirector problem, but also because
> admins might misinterpret the directories.
>
> If the stuff in the directories is static and you deploy it on IIS
> itself, you can use an exclusion mount for them. That way we don't
> find a worker, and for requests that don't get sent to the backend,
> there is no such check. Be careful though, you don't want to expose
> your real META-INF resp. WEB-INF.
>
>> Thanks in advance
>>
>>
>> Hb
>>
>> Java developer
>
> Regards,
>
> Rainer
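
The trade-off discussed in this thread, as an added C sketch that is not taken from the isapi_redirector source: `blocked_anywhere` models the "contains anywhere in the path" check described above, and `blocked_after_context` is a hypothetical narrower check that assumes a single-directory context path. The function names and sample URIs are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive substring search (portable stand-in for strcasestr). */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Conservative front-end check as described in the thread: reject the
 * request when a protected name appears anywhere in the path. */
int blocked_anywhere(const char *uri)
{
    return ci_find(uri, "/web-inf") != NULL || ci_find(uri, "/meta-inf") != NULL;
}

/* Does path start with the segment name, followed by '/' or end of string? */
static int starts_with_segment(const char *path, const char *name)
{
    size_t n = strlen(name);
    return ci_find(path, name) == path && (path[n] == '/' || path[n] == '\0');
}

/* Hypothetical narrower check: assumes the context path is exactly one
 * directory and inspects only the segment directly after it. */
int blocked_after_context(const char *uri)
{
    const char *rest;
    if (uri[0] != '/' || (rest = strchr(uri + 1, '/')) == NULL)
        return 0;
    return starts_with_segment(rest, "/web-inf") ||
           starts_with_segment(rest, "/meta-inf");
}
```

With a context deployed at the constructed path `/a/b`, the narrower check passes `/a/b/WEB-INF/web.xml` through to the backend, which is why a front end that does not know the deployed context paths falls back to the blanket match, at the cost of also rejecting `/myapp/theme/META-INF/json/json.jsf`.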