tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 20:46:39 GMT
Christopher Schultz wrote:
> Hash: SHA1
> Adrián,
> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>> Thank you, André. I know this "Warning", but I want to serve static
>> content with Apache web server and dynamic content with Tomcat.
> You can still do that without setting the DocumentRoot to your appbase.
> Try this:
> GET http://localhost/Andromeda/META-INF/context.xml
> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
> - - it's really hard to understand what your appbase really is).
> If you have a container-managed db connection pool, you are more than
> likely to have your database username and password in that file, which
> is now publicly accessible via HTTP. Pwned.
>> (The web application contains only links to other pages in the same 
>> application. It is a test application to learn.)
> You should learn to do things properly. I'm not trying to be nasty, but
> you should try to get in the habit of doing things securely even when
> they are toys. That way you won't forget to do it when it really matters.

In addition, the way you have things set up, it is really difficult to help, because we 
cannot be sure of which server is serving what.

>> In those conditions, with those settings, if an user enters 
>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>> WebContent directory.
> That's surprising, given your configuration.
>> So, I think Tomcat is serving that content.
> Yes, if the tags are being evaluated and you're not just getting the
> source code.
>> Do you think Apache is serving "index.jsp" file content?
> Can't tell, you didn't show us any of that.

In addition again, it may be serving /that/ file, but what about any links maybe 
*contained* in that file.  Perhaps there are none, but perhaps also there is a link inside

(to an image, or an iframe e.g.) which ends up being served by Apache, and which is the 
reason for the blank page.

The main point again : it is *possible* to configure things the way you have done, and to

nevertheless avoid security holes and other issues.  But it is *hard*, and any mistake can

compromise your server, or lead to errors difficult to debug.
(For example, you also allow Symlinks, which may confuse things yet a bit more).

You should give Apache a different DocumentRoot, not your Tomcat webapps directory.
(And maybe put some single html page in it, which should never be appear, and if it does 
you will know something is wrong).

Then you should use both
JkMount /Andromeda worker1
JkMount /Andromeda/* worker1
(because they do not overlap)

Then, later, if you want Apache to be serving something directly instead of forwarding it

to Tomcat, you should look up the JkUnMount directive, and do it selectively.
Or use something like
SetEnvIf Request_URI "\.jpg$" no-jk

Or you could look at an alternative way to specify what needs to be forwarded, which I 
personally find more flexible and more Apache-like than JkMount/unMount :
See here :
The section "Using SetHandler and Environment Variables"

Now, if you really want to know what is serving what (and learn other interesting things 
besides about HTTP) install a browser plugin like HttpFox (for Firefox) or Fiddler2 (for 
IE).  These plugins allow you to see the contents of each packet sent by the browser to 
the server, and from the server to the browser, including the HTTP headers and all.

The mod_jk logging is also a tool, but it will only show the traffic between Apache and 
Tomcat, not what Apache serves directly.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message