tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Debugging tomcat<->apache(mod_jk) bridge
Date Wed, 02 Dec 2009 22:13:45 GMT
groupalias v wrote:
> In response to Chris' question -   I have only one tomcat instance
> running and it picks up the webapps in /srv/tomcat6/webapps/
> and the URL works fine.  I tried
> with the mod_jk.c and jk_module with the same result.
> In response to André's question this is the first time I am hearing
> about the SetHandler construct.  Is there documentation somewhere I
> can read?

Look at the bottom of this page.

(Off-topic note : this page seems quite hard to find, starting from the 
top documentation page for Tomcat 6.0 at
Is this a mistake or intentional ?)

> The issue about security is something I am concerned too and thought
> its too error prone.
> What is the workers.tomcat_home directive in used for?
Chris answered that. Remove it.  There are a couple more like that, if 
you copied an older into a newer Tomcat config.

> If the communication is over the 8009 port why does apache care about
> one of tomcat's directories?
I will be a bit more nuanced (and considerably longer) than Chris here.

The Connector port has nothing to do with it.
Basically, Apache does not know anything about Tomcat at all, ever.
The only thing Apache knows, is that for each request URL, there is a 
"response generator" (also called a handler).

Apache itself normally generates a response using its own default 
handler.  That handler resolves the URL location, generally, to a file 
on disk, and returns the content of that file as the response to the 
request. (I am simplifying a bit, but it is the general idea).

Except, if something in the configuration tells it that for some 
specific URL, there is another handler to use for generating the response.
JkMount is such a configuration directive.
It tells Apache that for some URLs, it should use another response 
generator called mod_jk.
(The same is achieved by the "SetHandler jakarta-servlet" directive.)

So for such URLs, Apache does not generate the response itself, but 
passes the request to mod_jk, and expects mod_jk to produce the 
response. When the response comes from mod_jk, Apache merely copies it 
back to the browser.
Apache has no idea that mod_jk, to produce the response, is using one or 
more Tomcats in the background.  Apache also does not know that mod_jk 
communicates with Tomcat via port 8009 (or any other port).
If instead of talking to a Tomcat via port 8009, mod_jk was talking to 
you by telephone, and you were writing the response, Apache would not 
see the difference.

But what Apache knows about, is any filesystem location you tell it to 
look into, to find files to return as response for some URLs.
By using the directive
Alias /test/ /srv/tomcat6/webapps/A
you are telling Apache "hey, if the request URL is /test/abc.html, then 
go look for a file /srv/tomcat6/webapps/A/abc.html".
Apache has no idea that this directory is also part of the "Tomcat 
space", and it could not care less.  If it looks there, and finds a file 
"abc.html", it will just copy its content to the browser, without ever 
asking mod_jk or Tomcat anything.  In other words, it completely ignores 
mod_jk and Tomcat, and serves the file directly from the filesystem.

That is why this Alias is dangerous.
That is also why it is extremely dangerous to do as quite a few people 
seem to do, to set the Apache DocumentRoot to the "webapps" directory of 
Tomcat, thinking "hey, I'll serve the static content directly with 
Apache". (That may be an appropriate thing to do sometimes, but not in 
this way).

According to Chris, the later JkMount's in your config will take 
precedence over that Alias, and thus "override" (or "cancel") it.  But 
it is not quite clear yet that they always do, and there is no 
documentation that I know of, that confirms this.
Let me give you a partial counter-example :

If you had
Alias /test/ /srv/tomcat6/webapps/A

and then you also had
JkMount /test/*.jsp A

then indeed, for any request URL starting with "/test/" and ending in 
".jsp", the JkMount would take precedence over the Alias, and that 
request will be served by mod_jk (and thus really by Tomcat).
But for a request URL like "/test/secret-data.conf" the above JkMount 
would not take precedence over the Alias, and Apache would serve that 
file directly from disk.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message