tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: processing precedence for mod_jk config?
Date Wed, 26 Aug 2009 02:12:49 GMT
Hash: SHA1


On 8/25/2009 9:37 PM, Chris Cheshire wrote:
> However, even with a directory deny rule in apache conf to block the
> web-inf and meta-inf directories, requests to it are still getting
> passed to tomcat.

That's because they aren't being treated as directories in those cases.
Try using a <Location> instead of a <Directory> and see if that works. I
think mod_jk takes the first crack at serving files, and then allows
Apache to continue with the rest of its possibilities. So, if your
mod_jk mappings also map those directories, they're going to be sent to

> If I put in a JkUnMount to those directories, then apache is
> returning a forbidden error.

Sound like that's what you want to do, anyway, right?

> JkMount  /* worker1

What types of URLs do you actually want Tomcat to process? For instance,
I use Struts 1.x, j_security_check-style security, and a few JSPs, so I
only mount /*.do, /*.jsp, and /j_security_check. If you have similar
requirements, maybe you could tighten-up your JkMount directives.

> JkUnMount /META-INF/* worker1     # without this, apache directory
> directive to return a forbidden error doesn't happen

Right. Instead, you get a 404 from Tomcat (which isn't so bad, honestly).

>   <Directory /home/www/web/ROOT/META-INF>
>     AllowOverride none
>     Order deny,allow
>     Deny from all
>     Satisfy all
>   </Directory>

Whatever else you do, you should leave this configuration in Apache
httpd.conf, even if it's not actually doing anything. Later, if someone
modifies your configuration, this might provide "backup" protection for you.

Try <Location> in addition to the <Directory>, but you might just need
the JkUnMount (or more specific JkMount directives).

> Are the JkMount directives taking precedence over apache's Directory
> directives? I have another web server running mod_jk-1.2.15, tomcat
> 5.5, apache 2.0.52 and I don't have this issue.

What are the differences in configuration, then?

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message