tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 19:07:52 GMT
Addendum :
This, which I missed earlier, is of course also a no-no, for the same reasons as explained earlier :
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/

see the remark in red here :
http://tomcat.apache.org/connectors-doc/reference/apache.html


André Warnier wrote:
> Adrián Córdoba wrote:
> ...
> 
>> JkMount  /Andromeda/* worker1
>>   <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>>     Options Indexes FollowSymLinks
>>     AllowOverride None
>>     Order allow,deny
>>     Allow from all
>>   </Directory>
>> </VirtualHost>
>> ---------------------------------------------------------
> ...
> 
>> Maybe I have a configuration mistake.
>>
> 
> Yes, a big one above.
> Whether it is the cause of your problem, I am not quite sure yet (but it 
> could be).
> It is bad anyway, because you are allowing Apache users, potentially, to 
> bypass Tomcat and to access the Tomcat application directory directly.
> So, again potentially, if a user manages to access the directory 
> "/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and without 
> going through Tomcat, then anything that you did in Tomcat to protect 
> access to that directory is useless.
> 
> And that is probably the case here :
> 
> Say a user enters the URL "http://ASIA/Andromeda" in his browser, and 
> the browser requests that URL.  What happens ?
> Apache will compare that URL (the part after the host) with the JkMount 
> instruction.
> The request URL is "/Andromeda", which is compared to the URL in the 
> JkMount "/Andromeda/*".
> It does not match, since the request URL is missing the trailing "/" of 
> the expression in the JkMount.
> So Apache does not forward this request to Tomcat, but handles it itself.
> After a few more steps in Apache, finally Apache comes to this directory
> "/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document 
> to serve.
> Since no document is specified in the URL, Apache will use the one 
> specified in the relevant "DirectoryIndex" directive.  That may be, for 
> instance, "index.html" or similar.
> And it will serve it according to its own permissions settings, which 
> here are :
>  >     Allow from all
> (so anyone can get anything, without access control)
> 
> It is a bit difficult, not knowing the exact content of your pages, to 
> figure out what the full consequences may be, but maybe it gives you a 
> clue already.
> 
> In other words,
> 1) remove the section
> <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
> from the Apache configuration.  It has nothing to do there, because you 
> want Apache to forward these URLs to Tomcat anyway.
> And it is a security risk (particularly on Windows, but even here).
> 
> 2) add the following JkMount :
> JkMount  /Andromeda worker1
> (so that a request for "http://ASIA/Andromeda" will be *also* forwarded 
> to Tomcat.)
> 
> Then try again, and come back here if you still have a problem.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
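As an added example (not code from the thread or from the Tomcat project), a small Python audit script that models the two problems the reply points out: it flags DocumentRoot or <Directory> entries that reach into the Tomcat webapps tree, and JkMount "/ctx/*" patterns that have no companion "JkMount /ctx". The mount matching is the simplified rule the reply describes, not mod_jk's full algorithm, and the sample configuration is constructed from the quoted fragment.

```python
import re
from typing import List, Set

# Constructed sample modelled on the fragment quoted in the thread (not the poster's full httpd.conf).
SAMPLE_CONF = """
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
JkMount  /Andromeda/* worker1
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""
TOMCAT_WEBAPPS = "/opt/apache-tomcat-7.0.12/webapps"  # path used in the thread

def jk_mounts(conf: str) -> Set[str]:
    """Collect the URI patterns of every JkMount directive."""
    return {m.group(1) for m in re.finditer(r"^\s*JkMount\s+(\S+)\s+\S+", conf, re.M)}

def handled_by_tomcat(uri: str, mounts: Set[str]) -> bool:
    """Simplified mount matching as the reply describes it: an exact pattern matches only
    the identical URI, and '/ctx/*' matches '/ctx/...' but not the bare '/ctx'."""
    for pat in mounts:
        if pat.endswith("/*") and uri.startswith(pat[:-1]):
            return True
        if uri == pat:
            return True
    return False

def audit_httpd_conf(conf: str, webapps: str = TOMCAT_WEBAPPS) -> List[str]:
    """Report the two misconfigurations discussed in the thread: Apache given direct
    filesystem access to the Tomcat webapps tree, and a '/ctx/*' mount with no '/ctx' mount."""
    findings: List[str] = []
    webapps = webapps.rstrip("/")
    for m in re.finditer(r'^\s*(DocumentRoot|<Directory)\s+"?([^"\s>]+)"?', conf, re.M):
        path = m.group(2).rstrip("/")
        if path == webapps or path.startswith(webapps + "/"):
            findings.append(f"{m.group(1).lstrip('<')} {m.group(2)}: Apache can serve the Tomcat "
                            "application files itself, bypassing Tomcat's access control")
    mounts = jk_mounts(conf)
    for pat in sorted(mounts):
        ctx = pat[:-2]
        if pat.endswith("/*") and ctx and not handled_by_tomcat(ctx, mounts):
            findings.append(f"JkMount {pat}: no 'JkMount {ctx}', so a request for {ctx} "
                            "(no trailing slash) is handled by Apache instead of Tomcat")
    return findings

if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```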

