tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Fri, 22 Jul 2011 07:48:35 GMT
Adrián Córdoba wrote:
> Well...
> 1- I delete the "Directory" section from httpd.conf file.
> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
> 3- I add dynamic content to index.jsp page
> So I proved the content is served by Tomcat. But I have the same problem: I
> cannot view the content of protected section of my web application through
> Apache web server.
> 
> If I access directly to Tomcat (skipping httpd), I can see the protected
> content.
> 

Ok, so what does that tell us ?
- that the webapp in Tomcat seems to work as it should
- that at least some requests going through Apache are being forwarded to Tomcat
- but obviously, that at least one response page is different, at the browser level, when

it is coming back (or not) through Apache, than when it is coming back directly from Tomcat

So we must find out what the difference is.
And the easiest way to find that out - at least at the first level - is a plugin added to

the browser, which would show the real content of that response which appears as a blank page.
Do it.

Incidentally, the logfile below does not show any error.
But it shows only the requests made to Apache httpd.
It would not, for example, show us if the browser, for whatever reason, decided to send a

request to www.google.com, and got a blank page in response.
But the browser plugin would show you that.


Now wait a minute..
The logfile below shows requests made to "localhost".
But if I remember correctly, this was a VirtualHost, with "ASIA" as ServerName.
So how come the requests are made to the host "localhost" ?
Is this the one and only VirtualHost in Apache ?

> Access log in httpd is:
> ------------------------------------------------------
> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ------------------------------------------------------
> 
> Thank you, very much.
> --
> [Adrián Córdoba]
> 
> 
> 
> 2011/7/21 André Warnier <aw@ice-sa.com>
> 
>> Christopher Schultz wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Adrián,
>>>
>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>
>>>> Thank you, André. I know this "Warning", but I want to serve static
>>>> content with Apache web server and dynamic content with Tomcat.
>>>>
>>> You can still do that without setting the DocumentRoot to your appbase.
>>>
>>> Try this:
>>>
>>> GET http://localhost/Andromeda/**META-INF/context.xml<http://localhost/Andromeda/META-INF/context.xml>
>>>
>>> (or maybe GET http://localhost/Andromeda/**WebContent/META-INF/context.**
>>> xml <http://localhost/Andromeda/WebContent/META-INF/context.xml>
>>> - - it's really hard to understand what your appbase really is).
>>>
>>> If you have a container-managed db connection pool, you are more than
>>> likely to have your database username and password in that file, which
>>> is now publicly accessible via HTTP. Pwned.
>>>
>>>  (The web application contains only links to other pages in the same
>>>> application. It is a test application to learn.)
>>>>
>>> You should learn to do things properly. I'm not trying to be nasty, but
>>> you should try to get in the habit of doing things securely even when
>>> they are toys. That way you won't forget to do it when it really matters.
>>>
>> +1
>> In addition, the way you have things set up, it is really difficult to
>> help, because we cannot be sure of which server is serving what.
>>
>>
>>
>>>  In those conditions, with those settings, if an user enters
>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>> WebContent directory.
>>>>
>>> That's surprising, given your configuration.
>>>
>>>  So, I think Tomcat is serving that content.
>>> Yes, if the tags are being evaluated and you're not just getting the
>>> source code.
>>>
>>>  Do you think Apache is serving "index.jsp" file content?
>>> Can't tell, you didn't show us any of that.
>>>
>> +1
>> In addition again, it may be serving /that/ file, but what about any links
>> maybe *contained* in that file.  Perhaps there are none, but perhaps also
>> there is a link inside (to an image, or an iframe e.g.) which ends up being
>> served by Apache, and which is the reason for the blank page.
>>
>> The main point again : it is *possible* to configure things the way you
>> have done, and to nevertheless avoid security holes and other issues.  But
>> it is *hard*, and any mistake can compromise your server, or lead to errors
>> difficult to debug.
>> (For example, you also allow Symlinks, which may confuse things yet a bit
>> more).
>>
>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>> directory.
>> (And maybe put some single html page in it, which should never be appear,
>> and if it does you will know something is wrong).
>>
>> Then you should use both
>> JkMount /Andromeda worker1
>> JkMount /Andromeda/* worker1
>> (because they do not overlap)
>>
>> Then, later, if you want Apache to be serving something directly instead of
>> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
>> it selectively.
>> Or use something like
>> SetEnvIf Request_URI "\.jpg$" no-jk
>>
>> Or you could look at an alternative way to specify what needs to be
>> forwarded, which I personally find more flexible and more Apache-like than
>> JkMount/unMount :
>> See here : http://tomcat.apache.org/**connectors-doc/reference/**
>> apache.html<http://tomcat.apache.org/connectors-doc/reference/apache.html>
>> The section "Using SetHandler and Environment Variables"
>>
>> Now, if you really want to know what is serving what (and learn other
>> interesting things besides about HTTP) install a browser plugin like HttpFox
>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>> contents of each packet sent by the browser to the server, and from the
>> server to the browser, including the HTTP headers and all.
>>
>> The mod_jk logging is also a tool, but it will only show the traffic
>> between Apache and Tomcat, not what Apache serves directly.
>>
>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<users-unsubscribe@tomcat.apache.org>
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message