tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 20:20:19 GMT
Hash: SHA1


On 7/21/2011 4:09 PM, Adrián Córdoba wrote:
> So, how to serve dynamic content with Tomcat and static one with
> Apache, all in the same web application, in secure way? Can you show
> me that or tell me a link to learn it?

At least three ways:

1. Separate your static content from your webapp and deploy it
   separately into your DocumentRoot.
   (FWIW, I don't like this strategy because it's unnatural for me.
    Better to keep everything together)

2. Copy static content out of your webapp into some other directory
   you use as your DocumentRoot. Do this at build-time. This is
   probably the way to go.

3. Use DocumentRoot = appbase, but make sure you protect things
   correctly in your Apache httpd configuration. Use restrictions like
   <Location> and <Directory> with "Order deny,allow", "Deny from all".
   (This is actually what I do, but you have to be very careful how you
   protect things. Be creative and think like an evildoer.)

You specifically asked how to hook up httpd and Tomcat together, but
here's another option:

4. Dump httpd altogether. Unless you need it for other things, it's
   just complicating your configuration.

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message