tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Debugging tomcat<->apache(mod_jk) bridge
Date Wed, 02 Dec 2009 10:30:51 GMT
Christopher Schultz wrote:
> All,
> 
> On 12/1/2009 10:26 AM, André Warnier wrote:
>> groupalias v wrote:
>>> httpd.conf
>>> -------------
>>>
>>> LoadModule jk_module          modules/mod_jk.so
>>>
>>> <IfModule jk_module>
>> What the h.. is this line for : ?
> 
> It's for conditional inclusion of Apache httpd directives when modules
> may or may not be loaded.

No. I was talking about the "Alias" which follows. Hence the trailing 
":" in my question. Ok, following the colon by a question mark wasn't 
the clearest thing either...


> The test I have in my httpd.conf is:
> 
> <IfModule mod_jk.c>
> 
> I can't find any references online to the use of jk_module in
> <IfModule>, so the OP might want to change it.
> 
>>> Alias /test/ "/srv/tomcat6/webapps/A"
>> It kind of contradicts these next lines :
>>
>>> JKMount        /test/ A
>>> JkMount     /test/* A
>> Because of the Alias line, I don't think that mod_jk even gets to see
>> your /test/ URLs.
> 
> No, mod_jk gets higher priority than mod_alias. I'm not entirely sure
> how the pecking order is decided, but I do know that mod_jk gets first shot.

Yes, +1 about the "not sure". That is why I prefer, rather than JkMount, 
the form with
<Location /test>
   SetHandler jakarta-servlet
   ...
</Location>

At least in that case the precedences are clear, and I find that this 
syntax fits better with "the Apache way of things", and is much more 
flexible than JkMount/JkUnMount.

My general gripe about that Alias line is that it generally gives 
Apache access to the entire Tomcat webapps directory, thus from the 
start bypassing anything configured at Tomcat level in terms of 
security.  Then later, one has to "patch" this hole with a series of 
conditional Deny rules, hoping not to forget one.
And in 99% of the cases, one does forget something, such as also 
forbidding META-INF, for example.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
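
Added example (not part of the original message, and not Apache or Tomcat tooling): a small heuristic audit for the gap described above, listing each Alias that points into a Tomcat webapps tree and the WEB-INF / META-INF directories that no deny-all block covers. The function names, the regex-based parsing and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the thread's config: the Alias exposes a
# Tomcat webapp directory, WEB-INF has been "patched", META-INF was forgotten.
SAMPLE_CONF = """
Alias /test/ "/srv/tomcat6/webapps/A"
<Directory "/srv/tomcat6/webapps/A/WEB-INF">
    Order allow,deny
    Deny from all
</Directory>
JkMount /test/* A
"""

PROTECTED = ("WEB-INF", "META-INF")
ALIAS = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.I | re.M)
DENY = re.compile(r"^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
BLOCK = re.compile(
    r'<(Directory|Location)(Match)?\s+(~\s*)?"?([^">]+?)"?\s*>(.*?)</\1(?:Match)?>',
    re.I | re.S)


def covers(kind, is_regex, arg, fs_path, url_path):
    """Heuristic: does a <Directory>/<Location> block apply to this path?"""
    subject = fs_path if kind.lower() == "directory" else url_path
    if is_regex:  # assumption: the PCRE pattern is simple enough for Python's re
        try:
            return re.search(arg, subject) is not None
        except re.error:
            return False
    arg = arg.rstrip("/")
    return subject == arg or subject.startswith(arg + "/")


def audit(conf):
    """Map each Alias into a webapps tree to the protected dirs left undenied."""
    deny_blocks = [(k, bool(m or t), a) for k, m, t, a, body in BLOCK.findall(conf)
                   if DENY.search(body)]
    findings = {}
    for url, target in ALIAS.findall(conf):
        if "/webapps/" not in target + "/":
            continue
        missing = [name for name in PROTECTED
                   if not any(covers(k, rx, a,
                                     target.rstrip("/") + "/" + name,
                                     url.rstrip("/") + "/" + name)
                              for k, rx, a in deny_blocks)]
        if missing:
            findings[url] = missing
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

The check does not model Apache's full merge order or shell wildcards in `<Directory>` paths, so an empty result means only that a matching deny block exists, not that the directory is unreachable.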

