tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Cheshire <cheshira...@gmail.com>
Subject Re: processing precedence for mod_jk config?
Date Wed, 26 Aug 2009 07:08:08 GMT
The reason why I have the mount directives so open is because I am
using Stripes with no prefix or suffix mappings on the actions
(servlets). JSPs are handled internally (every page is served via an
action), so the urls don't have a specific pattern (/servlet, /action,
.do, etc) that can be isolated for the mount directives. It could
handle it with a minimum amount of configuration and keeps urls very
clean so I went with this.

As for the differences in configuration between the two web servers -
the old one uses servlets with a specific mapping (/servlets/* &
/*.jsp) for the mount directives and is using a much older mod_jk, the
new one is open (no specific mappings) and uses the latest mod_jk. The
apache config is the same.

My concern is why I now need the unmount directives where I didn't
need them before. Is this due to the new version of mod_jk and that's
just how it behaves, or because I have a very open mapping for the
mount directives, or something else I'm just not seeing.

Given that I have a configuration that seems to be somewhat correct
and returning the right results, I'm not hugely concerned. I just like
to know why things behave the way they do so that I roughly know what
to expect if I have to change something later :)

Chris

On Tue, Aug 25, 2009 at 7:12 PM, Christopher
Schultz<chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris,
>
> On 8/25/2009 9:37 PM, Chris Cheshire wrote:
>> However, even with a directory deny rule in apache conf to block the
>> web-inf and meta-inf directories, requests to it are still getting
>> passed to tomcat.
>
> That's because they aren't being treated as directories in those cases.
> Try using a <Location> instead of a <Directory> and see if that works. I
> think mod_jk takes the first crack at serving files, and then allows
> Apache to continue with the rest of its possibilities. So, if your
> mod_jk mappings also map those directories, they're going to be sent to
> Tomcat.
>
>> If I put in a JkUnMount to those directories, then apache is
>> returning a forbidden error.
>
> Sound like that's what you want to do, anyway, right?
>
>> JkMount  /* worker1
>
> What types of URLs do you actually want Tomcat to process? For instance,
> I use Struts 1.x, j_security_check-style security, and a few JSPs, so I
> only mount /*.do, /*.jsp, and /j_security_check. If you have similar
> requirements, maybe you could tighten-up your JkMount directives.
>
>> JkUnMount /META-INF/* worker1     # without this, apache directory
>> directive to return a forbidden error doesn't happen
>
> Right. Instead, you get a 404 from Tomcat (which isn't so bad, honestly).
>
>>   <Directory /home/www/web/ROOT/META-INF>
>>     AllowOverride none
>>     Order deny,allow
>>     Deny from all
>>     Satisfy all
>>   </Directory>
>
> Whatever else you do, you should leave this configuration in Apache
> httpd.conf, even if it's not actually doing anything. Later, if someone
> modifies your configuration, this might provide "backup" protection for you.
>
> Try <Location> in addition to the <Directory>, but you might just need
> the JkUnMount (or more specific JkMount directives).
>
>> Are the JkMount directives taking precedence over apache's Directory
>> directives? I have another web server running mod_jk-1.2.15, tomcat
>> 5.5, apache 2.0.52 and I don't have this issue.
>
> What are the differences in configuration, then?
>
> - -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message