tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: JSP pages are not loaded. Only HTML source code
Date Tue, 08 Mar 2011 14:51:50 GMT
Petr Hracek wrote:
> Dear users,
> 
> I would like to asked you on the some thing regarding JSP pages.
> On the Linux whereis installed apache 2.2.14 and tomcat 5.5.28

that's an old version of Tomcat. You should be using at least a 6.0.x version by now.

  I would
> like to run
> JSP pages.
> JSP pages should be run over mod_proxy_ajp.
> URL is:
> http://<IP_address>/XYtest/jsp/Viewer/index.html
> ProxyPass /XYtest/*.jsp ajp://localhost:8009/XYtest
> ProxyPassReverse /XYtest/*.jsp ajp://localhost:8009/XYtest
> 
> JSP page is called from HTML (index.html) and FRAME src "view.jsp"
> mentioned above.
> but instead of showing JSP page HTML source code is shown.
> 
> Do you know what could be a reason?
> in the Catalina configuration directory
> (/etc/tomcat5/base/Catalina/localhost/XYtest.xml) is following context
> file
> test# cat /etc/tomcat/5/base/Catalina/locahost/XYtest.xml
> <?xml version='1.0' encoding='utf-8'?>
> <Context docBase="/opt/test/XYtest" allowLinking="true">
> </Context>
> test#
> 
> structure in Linux is:
> /opt/test/XYtest/jsp/Viewer where are located files index.html and
> view.jsp which is part of FRAME
> 

As a general observation : it looks like you are trying to serve the same directory from 
Apache httpd and from Tomcat.  That is generally a quite bad idea in terms of security, 
and also in terms of confusion, as you are experiencing here.

To understand what is happening, you must look at it from the browser point of view.

Step 1 :

Your initial html document "index.html" is :

<frameset rows="63,40,*" frameborder="0">
   <frame src="logo.html" name="logo" noresize scrolling="no"
marginwidth="0" marginheight="
0">
   <frame src="View.jsp" name="toolbar" noresize scrolling="no"
marginwidth="0" marginhei
ght="0">
   <frame src="View2.jsp" name="ctrl">
</frameset>

and the browser loads it from the URL :
http://<IP_address>/XYtest/jsp/Viewer/index.html

Step 2 :

In this document, the browser finds a reference to another document :

<frame src="View.jsp" ..>

The browser interprets that relative URL on the base of the origin of the current page, 
and then it asks the server for that document.
So the browser requests the document (the inside frame) from the URL :
http://<IP_address>/XYtest/jsp/Viewer/View.jsp

Step 3 :
The Apache httpd server receives the request for

http://<IP_address>/XYtest/jsp/Viewer/View.jsp

and it tries to match it with your proxy statement :

ProxyPass /XYtest/*.jsp ajp://localhost:8009/XYtest

It does not match (see below), so Apache httpd serves it itself, directly from disk.
That is why you see the source : Tomcat never sees this request, and Apache has no idea 
that a ".jsp" file is anything else than text.

Now why does it not match ?
Because the ProxyPass directive does not understand wildcards or regexp.
For that, you should us "ProxyPassMatch", for example like this :

ProxyPassMatch "/XYtest/.*\.jsp$" ajp://localhost:8009/XYtest

But it is still a bad idea.
Why ?

Suppose that in the directory /opt/test/XYtest, there is a sub-directory named "WEB-INF",

and in that directory is a file "web.xml".
This file is a configuration file for your Tomcat web application, and it may contain 
things like passwords for accessing a database for example.
For that reason (security), Tomcat /never/ allows a user to request a document within the

WEB-INF sub-directory of a web application.

But with your setup, anyone can ask for the URL :
http://<IP_address>/XYtest/WEB-INF/web.xml

and Apache httpd will happily return that file (also as a text file).
So, with you setup, you are bypassing an important security feature of Tomcat, because you

are allowing Apache httpd to go "around it".

There are different possibilities to fix your configuration.
The first one would be to do this in Apache :

ProxyPass /XYtest ajp://localhost:8009/XYtest

and NOT define the directory /opt/test/XYtest in any way in Apache.
That way, any request for a URL starting will /XYtest will be forwarded directly to 
Tomcat, and Tomcat will happily serve html pages (like index.html) as well as Apache.
And it knows how to handle jsp pages too.

Now, if all you want to do is serve html pages and jsp pages, you could also wonder if you

need Apache httpd and mod_prox_ajp at all. You could set Tomcat to answer directly on port

80, get rid of Apache httpd, and simplify your configuration.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message