tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 18:55:22 GMT
Adrián Córdoba wrote:

> JkMount  /Andromeda/* worker1
>   <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>   </Directory>
> </VirtualHost>
> ---------------------------------------------------------

> May be, I have a configuration mistake.

Yes, a big one above.
Wether it is the cause of your problem, I am not quite sure yet (but it could be).
It is bad anyway, because you are allowing Apache users, potentially, to bypass Tomcat and

to access the Tomcat application directory directly.
So, again potentially, if a user manages to access the directory 
"/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and without going through 
Tomcat, then anything that you did in Tomcat to protect access to that directory is useless.

And that is probably the case here :

Say a user enters the URL "http://ASIA/Andromeda" in his browser, and the browser requests

that URL.  What happens ?
Apache will compare that URL (the part after the host) with the JkMount instruction.
The request URL is "/Andromeda", which is compared to the URL in the JkMount "/Andromeda/*".
It does not match, since the request URL is missing the trailing "/" of the expression in

the JkMount.
So Apache does not forward this request to Tomcat, but handles it itself.
After a few more steps in Apache, finally Apache comes to this directory
"/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document to serve.
Since no document is specified in the URL, Apache will use the one specified in the 
relevant "DirectoryIndex" directive.  That may be, for instance, "index.html" or similar.
And it will serve it according to its own permissions settings, which here are :
 >     Allow from all
(so anyone can get anything, without access control)

It is a bit difficult, not knowing the exact content of your pages, to figure out what the

full consequences may be, but maybe it gives you a clue already.

In other words,
1) remove the section
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
from the Apache configuration.  It has nothing to do there, because you want Apache to 
forward these URLs to Tomcat anyway.
And it is a security risk (particularly on Windows, but even here).

2) add the following JkMount :
JkMount  /Andromeda worker1
(so that a request for "http://ASIA/Andromeda" will be *also* forwarded to Tomcat.)

Then try again, and come back here if you still have a problem.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message