tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Fri, 22 Jul 2011 12:46:13 GMT
Adrián Córdoba wrote:
> André:
> 1- So how come the requests are made to the host "localhost" ?
>   I think this is so, because <VirtualHost *:80>.
> 2- Is this the one and only VirtualHost in Apache ?
>   This is the only virtual host.

How do you enter a URL in the browser, to access this ?
(paste an example)


> 
> Best regards
> --
> [Adrián Córdoba]
> 
> 
> 
> 2011/7/22 André Warnier <aw@ice-sa.com>
> 
>> Adrián Córdoba wrote:
>>
>>> Well...
>>> 1- I delete the "Directory" section from httpd.conf file.
>>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>>> 3- I add dynamic content to index.jsp page
>>> So I proved the content is served by Tomcat. But I have the same problem:
>>> I cannot view the content of the protected section of my web application
>>> through Apache web server.
>>>
>>> If I access directly to Tomcat (skipping httpd), I can see the protected
>>> content.
>>>
>>>
>> Ok, so what does that tell us ?
>> - that the webapp in Tomcat seems to work as it should
>> - that at least some requests going through Apache are being forwarded to
>> Tomcat
>> - but obviously, that at least one response page is different, at the
>> browser level, when it is coming back (or not) through Apache, than when it
>> is coming back directly from Tomcat
>>
>> So we must find out what the difference is.
>> And the easiest way to find that out - at least at the first level - is a
>> plugin added to the browser, which would show the real content of that
>> response which appears as a blank page.
>> Do it.
>>
>> Incidentally, the logfile below does not show any error.
>> But it shows only the requests made to Apache httpd.
>> It would not, for example, show us if the browser, for whatever reason,
>> decided to send a request to www.google.com, and got a blank page in
>> response.
>> But the browser plugin would show you that.
>>
>>
>> Now wait a minute..
>> The logfile below shows requests made to "localhost".
>> But if I remember correctly, this was a VirtualHost, with "ASIA" as
>> ServerName.
>> So how come the requests are made to the host "localhost" ?
>> Is this the one and only VirtualHost in Apache ?
>>
>>> Access log in httpd is:
>>> -------------------------------------------------------
>>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> -------------------------------------------------------
>>>
>>> Thank you, very much.
>>> --
>>> [Adrián Córdoba]
>>>
>>>
>>>
>>> 2011/7/21 André Warnier <aw@ice-sa.com>
>>>
>>>> Christopher Schultz wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Adrián,
>>>>>
>>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>>
>>>>>> Thank you, André. I know this "Warning", but I want to serve static
>>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>>
>>>>> You can still do that without setting the DocumentRoot to your
>>>>> appbase.
>>>>>
>>>>> Try this:
>>>>>
>>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>>
>>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>> - it's really hard to understand what your appbase really is).
>>>>>
>>>>> If you have a container-managed db connection pool, you are more than
>>>>> likely to have your database username and password in that file, which
>>>>> is now publicly accessible via HTTP. Pwned.
>>>>>
>>>>>> (The web application contains only links to other pages in the same
>>>>>> application. It is a test application to learn.)
>>>>>>
>>>>> You should learn to do things properly. I'm not trying to be nasty,
>>>>> but
>>>>> you should try to get in the habit of doing things securely even when
>>>>> they are toys. That way you won't forget to do it when it really
>>>>> matters.
>>>>>
>>>> +1
>>>> In addition, the way you have things set up, it is really difficult to
>>>> help, because we cannot be sure of which server is serving what.
>>>>
>>>>
>>>>
>>>>>> In those conditions, with those settings, if a user enters
>>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>>> WebContent directory.
>>>>>>
>>>>> That's surprising, given your configuration.
>>>>>
>>>>>> So, I think Tomcat is serving that content.
>>>>>
>>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>>> source code.
>>>>>
>>>>>> Do you think Apache is serving "index.jsp" file content?
>>>>>
>>>>> Can't tell, you didn't show us any of that.
>>>>>
>>>> +1
>>>> In addition again, it may be serving /that/ file, but what about any
>>>> links maybe *contained* in that file.  Perhaps there are none, but
>>>> perhaps also there is a link inside (to an image, or an iframe e.g.)
>>>> which ends up being served by Apache, and which is the reason for the
>>>> blank page.
>>>>
>>>> The main point again : it is *possible* to configure things the way you
>>>> have done, and to nevertheless avoid security holes and other issues.
>>>> But it is *hard*, and any mistake can compromise your server, or lead
>>>> to errors difficult to debug.
>>>> (For example, you also allow Symlinks, which may confuse things yet a bit
>>>> more).
>>>>
>>>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>>>> directory.
>>>> (And maybe put some single html page in it, which should never appear,
>>>> and if it does you will know something is wrong).
>>>>
>>>> Then you should use both
>>>> JkMount /Andromeda worker1
>>>> JkMount /Andromeda/* worker1
>>>> (because they do not overlap)
>>>>
>>>> Then, later, if you want Apache to be serving something directly instead
>>>> of forwarding it to Tomcat, you should look up the JkUnMount directive,
>>>> and do it selectively.
>>>> Or use something like
>>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>>
>>>> Or you could look at an alternative way to specify what needs to be
>>>> forwarded, which I personally find more flexible and more Apache-like
>>>> than JkMount/unMount :
>>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>> The section "Using SetHandler and Environment Variables"
>>>>
>>>> Now, if you really want to know what is serving what (and learn other
>>>> interesting things besides about HTTP) install a browser plugin like
>>>> HttpFox (for Firefox) or Fiddler2 (for IE).  These plugins allow you to
>>>> see the contents of each packet sent by the browser to the server, and
>>>> from the server to the browser, including the HTTP headers and all.
>>>>
>>>> The mod_jk logging is also a tool, but it will only show the traffic
>>>> between Apache and Tomcat, not what Apache serves directly.
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
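As an added illustration (not configuration from anyone in this thread), the httpd.conf fragment below lays out the setup André recommends: a DocumentRoot that is not Tomcat's webapps directory, both JkMount lines for the context, and selective no-jk marking for static files. The worker name, the /Andromeda context, the ServerName and the SetEnvIf line are taken from the thread; the DocumentRoot path, the sentinel page name, the `/var/www/static` path and the `Alias` are assumptions.

```apache
# Added example, not the poster's httpd.conf. Assumes mod_jk is loaded and
# "worker1" is defined in workers.properties, as in the thread.

# Weak setting (what the thread warns against): httpd's DocumentRoot set to
# Tomcat's appBase. httpd then serves files such as
# /Andromeda/META-INF/context.xml and /Andromeda/WEB-INF/web.xml as plain
# static files, and the webapp's security-constraint never runs.
#
#   DocumentRoot /opt/tomcat/webapps        # DON'T (assumed path)

# Corrected: a DocumentRoot that holds nothing Tomcat owns, with a single
# sentinel page that should never show up in a browser.
DocumentRoot /var/www/sentinel             # assumed path; holds sentinel.html only
<Directory /var/www/sentinel>
    Options None                           # no FollowSymLinks, no Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *:80>
    ServerName ASIA

    # "/Andromeda" and "/Andromeda/*" do not overlap, so both are needed:
    # the first matches the bare context path, the second everything below it.
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # Later, to let httpd serve images itself: mark those requests no-jk
    # (line from the thread). Anything served this way must then live under
    # a directory httpd owns, never under appBase, hence the Alias (assumed).
    SetEnvIf Request_URI "\.jpg$" no-jk
    Alias /Andromeda/images /var/www/static/Andromeda/images
    <Directory /var/www/static>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

A check for the resulting setup is the request Christopher suggests: `GET http://localhost/Andromeda/META-INF/context.xml` through httpd should come back as a 404 from Tomcat (which refuses direct requests into META-INF and WEB-INF), not a 200 with XML in the body; the same request before the change, with DocumentRoot on appBase, is exactly what returns the file. The sentinel page gives a second signal: if `sentinel.html` ever appears for a URL under /Andromeda, a request has fallen through to httpd instead of being forwarded.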

