tomcat-users mailing list archives

From Adrián Córdoba <adr.cord...@gmail.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Fri, 22 Jul 2011 00:36:52 GMT
Well...
1- I deleted the "Directory" section from the httpd.conf file.
2- I added "JkMount /Andromeda worker1" to the virtual host.
3- I added dynamic content to the index.jsp page.
So I proved the content is served by Tomcat. But I have the same problem: I
cannot view the content of the protected section of my web application through
the Apache web server.

If I access Tomcat directly (skipping httpd), I can see the protected
content.

Access log in httpd is:
------------------------------------------------------
::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:27:41 -0300] "GET
/Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
(X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
------------------------------------------------------

Thank you very much.
--
[Adrián Córdoba]



2011/7/21 André Warnier <aw@ice-sa.com>

> Christopher Schultz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adrián,
>>
>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>
>>> Thank you, André. I know this "Warning", but I want to serve static
>>> content with Apache web server and dynamic content with Tomcat.
>>>
>>
>> You can still do that without setting the DocumentRoot to your appbase.
>>
>> Try this:
>>
>> GET http://localhost/Andromeda/META-INF/context.xml
>>
>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>> - it's really hard to understand what your appbase really is).
>>
>> If you have a container-managed db connection pool, you are more than
>> likely to have your database username and password in that file, which
>> is now publicly accessible via HTTP. Pwned.
>>
>>> (The web application contains only links to other pages in the same
>>> application. It is a test application to learn.)
>>>
>>
>> You should learn to do things properly. I'm not trying to be nasty, but
>> you should try to get in the habit of doing things securely even when
>> they are toys. That way you won't forget to do it when it really matters.
>>
>
> +1
> In addition, the way you have things set up, it is really difficult to
> help, because we cannot be sure of which server is serving what.
>
>
>
>>> In those conditions, with those settings, if a user enters
>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>> WebContent directory.
>>>
>>
>> That's surprising, given your configuration.
>>
>>> So, I think Tomcat is serving that content.
>>>
>>
>> Yes, if the tags are being evaluated and you're not just getting the
>> source code.
>>
>>> Do you think Apache is serving "index.jsp" file content?
>>>
>>
>> Can't tell, you didn't show us any of that.
>>
>
> +1
> In addition again, it may be serving /that/ file, but what about any links
> maybe *contained* in that file.  Perhaps there are none, but perhaps also
> there is a link inside (to an image, or an iframe e.g.) which ends up being
> served by Apache, and which is the reason for the blank page.
>
> The main point again : it is *possible* to configure things the way you
> have done, and to nevertheless avoid security holes and other issues.  But
> it is *hard*, and any mistake can compromise your server, or lead to errors
> difficult to debug.
> (For example, you also allow Symlinks, which may confuse things yet a bit
> more).
>
> You should give Apache a different DocumentRoot, not your Tomcat webapps
> directory.
> (And maybe put some single html page in it, which should never appear,
> and if it does you will know something is wrong).
>
> Then you should use both
> JkMount /Andromeda worker1
> JkMount /Andromeda/* worker1
> (because they do not overlap)
>
> Then, later, if you want Apache to be serving something directly instead of
> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
> it selectively.
> Or use something like
> SetEnvIf Request_URI "\.jpg$" no-jk
>
> Or you could look at an alternative way to specify what needs to be
> forwarded, which I personally find more flexible and more Apache-like than
> JkMount/unMount :
> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
> The section "Using SetHandler and Environment Variables"
>
> Now, if you really want to know what is serving what (and learn other
> interesting things besides about HTTP) install a browser plugin like HttpFox
> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
> contents of each packet sent by the browser to the server, and from the
> server to the browser, including the HTTP headers and all.
>
> The mod_jk logging is also a tool, but it will only show the traffic
> between Apache and Tomcat, not what Apache serves directly.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
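
The two checks the replies above ask for, written out as an added example that is not part of this thread, of Tomcat, or of mod_jk: a small linter for the httpd.conf settings the replies warn about (DocumentRoot inside Tomcat's appBase, a JkMount for the context root without the matching /Andromeda/* mount, FollowSymLinks), and a scan of Combined Log Format access-log lines for 2xx answers to /META-INF/ or /WEB-INF/ resources, which Tomcat itself refuses, so a 2xx means httpd read the file from disk. The paths /opt/tomcat/webapps and /var/www/htdocs, the two configuration fragments and all but the first log line are constructed for the example; the first log line is from the message above.

```python
"""Added example, not part of the thread: two defender-side checks for the
httpd + mod_jk + Tomcat setup discussed above.

lint_httpd_conf()    flags the settings the replies warn about: a DocumentRoot
                     inside Tomcat's appBase, a JkMount for the context root
                     without a matching /context/* mount, and FollowSymLinks.
find_exposed_paths() scans Combined Log Format lines for 2xx responses to
                     /META-INF/ or /WEB-INF/ resources; Tomcat itself refuses
                     those, so a 2xx means httpd served the file from disk.

Paths, configuration fragments and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Combined Log Format up to the response size; referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)
SENSITIVE_RE = re.compile(r'/(META-INF|WEB-INF)(/|$)', re.IGNORECASE)


@dataclass
class Hit:
    time: str
    path: str      # percent-decoded, so /%57EB-INF/ is caught as /WEB-INF/
    status: int


def parse_log_line(line):
    """Return a Hit for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m.group('time'), unquote(m.group('path')), int(m.group('status')))


def find_exposed_paths(lines):
    """Hits where a META-INF or WEB-INF resource was answered with 2xx."""
    hits = []
    for line in lines:
        h = parse_log_line(line)
        if h and SENSITIVE_RE.search(h.path) and 200 <= h.status < 300:
            hits.append(h)
    return hits


def lint_httpd_conf(conf_text, tomcat_appbase):
    """Findings for the weaknesses discussed in the thread, as plain strings."""
    findings = []
    appbase = tomcat_appbase.rstrip('/')
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', conf_text, re.M)
    if m:
        docroot = m.group(1).rstrip('/')
        if docroot == appbase or docroot.startswith(appbase + '/'):
            findings.append(f'DocumentRoot {docroot} lies inside Tomcat appBase '
                            f'{appbase}: httpd can read META-INF/WEB-INF from disk')
    mounts = re.findall(r'^\s*JkMount\s+(\S+)\s+\S+', conf_text, re.M)
    for uri in mounts:
        if not uri.endswith('/*') and uri + '/*' not in mounts:
            findings.append(f'JkMount {uri} has no matching JkMount {uri}/*: '
                            f'requests below {uri} are not forwarded to Tomcat')
    if re.search(r'^\s*Options\s.*FollowSymLinks', conf_text, re.M):
        findings.append('FollowSymLinks is on: a symlink under DocumentRoot can '
                        'expose files outside it')
    return findings


# Constructed: the setup the original poster described (DocumentRoot = webapps).
WEAK_CONF = """\
DocumentRoot "/opt/tomcat/webapps"
<Directory "/opt/tomcat/webapps">
    Options Indexes FollowSymLinks
</Directory>
JkMount /Andromeda worker1
"""

# Constructed: the layout the replies recommend (own DocumentRoot, both mounts,
# static files selectively kept on httpd via no-jk).
SAFER_CONF = """\
DocumentRoot "/var/www/htdocs"
JkMount /Andromeda worker1
JkMount /Andromeda/* worker1
SetEnvIf Request_URI "\\.jpg$" no-jk
"""

SAMPLE_LOG = [
    # From the thread: an ordinary page hit.
    '::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0"',
    # Constructed: the request Christopher suggests trying, answered from disk.
    '::1 - - [21/Jul/2011:21:30:02 -0300] "GET /Andromeda/META-INF/context.xml HTTP/1.1" 200 512 "-" "curl/7.21"',
    # Constructed: percent-encoded variant a naive substring match would miss.
    '::1 - - [21/Jul/2011:21:30:05 -0300] "GET /Andromeda/%57EB-INF/web.xml HTTP/1.1" 200 1201 "-" "curl/7.21"',
    # Constructed: the same resource correctly refused.
    '::1 - - [21/Jul/2011:21:31:10 -0300] "GET /Andromeda/WEB-INF/web.xml HTTP/1.1" 404 209 "-" "curl/7.21"',
]

if __name__ == '__main__':
    for f in lint_httpd_conf(WEAK_CONF, '/opt/tomcat/webapps'):
        print('conf:', f)
    for h in find_exposed_paths(SAMPLE_LOG):
        print('log: ', h.time, h.status, h.path)
```

Run against the weak fragment the linter reports all three findings and against the recommended one none; the log scan reports the two 2xx answers for META-INF/WEB-INF (including the percent-encoded one) and ignores the 404. Feeding the real httpd access log through find_exposed_paths() after the configuration change is a quick way to confirm that httpd no longer hands out files from the webapp directory.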
