tomcat-users mailing list archives

From Adrián Córdoba <adr.cord...@gmail.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Fri, 22 Jul 2011 12:26:28 GMT
André:
1- So how come the requests are made to the host "localhost" ?
  I think this is so because of <VirtualHost *:80>.
2- Is this the one and only VirtualHost in Apache ?
  This is the only virtual host.

Best regards
--
[Adrián Córdoba]



2011/7/22 André Warnier <aw@ice-sa.com>

> Adrián Córdoba wrote:
>
>> Well...
>> 1- I delete the "Directory" section from httpd.conf file.
>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>> 3- I add dynamic content to index.jsp page
>> So I proved the content is served by Tomcat. But I have the same problem: I
>> cannot view the content of protected section of my web application through
>> Apache web server.
>>
>> If I access directly to Tomcat (skipping httpd), I can see the protected
>> content.
>>
>>
> Ok, so what does that tell us ?
> - that the webapp in Tomcat seems to work as it should
> - that at least some requests going through Apache are being forwarded to
> Tomcat
> - but obviously, that at least one response page is different, at the
> browser level, when it is coming back (or not) through Apache, than when it
> is coming back directly from Tomcat
>
> So we must find out what the difference is.
> And the easiest way to find that out - at least at the first level - is a
> plugin added to the browser, which would show the real content of that
> response which appears as a blank page.
> Do it.
>
> Incidentally, the logfile below does not show any error.
> But it shows only the requests made to Apache httpd.
> It would not, for example, show us if the browser, for whatever reason,
> decided to send a request to www.google.com, and got a blank page in
> response.
> But the browser plugin would show you that.
>
>
> Now wait a minute..
> The logfile below shows requests made to "localhost".
> But if I remember correctly, this was a VirtualHost, with "ASIA" as
> ServerName.
> So how come the requests are made to the host "localhost" ?
> Is this the one and only VirtualHost in Apache ?
>
>> Access log in httpd is:
>> --------------------------------------------------------
>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> --------------------------------------------------------
>>
>> Thank you, very much.
>> --
>> [Adrián Córdoba]
>>
>>
>>
>> 2011/7/21 André Warnier <aw@ice-sa.com>
>>
>>  Christopher Schultz wrote:
>>>
>>>  -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Adrián,
>>>>
>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>
>>>>  Thank you, André. I know this "Warning", but I want to serve static
>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>
>>>> You can still do that without setting the DocumentRoot to your appbase.
>>>>
>>>> Try this:
>>>>
>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>
>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>
>>>> - it's really hard to understand what your appbase really is).
>>>>
>>>> If you have a container-managed db connection pool, you are more than
>>>> likely to have your database username and password in that file, which
>>>> is now publicly accessible via HTTP. Pwned.
>>>>
>>>>  (The web application contains only links to other pages in the same
>>>>
>>>>> application. It is a test application to learn.)
>>>>>
>>>> You should learn to do things properly. I'm not trying to be nasty, but
>>>> you should try to get in the habit of doing things securely even when
>>>> they are toys. That way you won't forget to do it when it really
>>>> matters.
>>>>
>>>>  +1
>>> In addition, the way you have things set up, it is really difficult to
>>> help, because we cannot be sure of which server is serving what.
>>>
>>>
>>>
>>>   In those conditions, with those settings, if an user enters
>>>>
>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>> WebContent directory.
>>>>>
>>>>>  That's surprising, given your configuration.
>>>>
>>>>  So, I think Tomcat is serving that content.
>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>> source code.
>>>>
>>>>  Do you think Apache is serving "index.jsp" file content?
>>>> Can't tell, you didn't show us any of that.
>>>>
>>>>  +1
>>> In addition again, it may be serving /that/ file, but what about any links
>>> maybe *contained* in that file.  Perhaps there are none, but perhaps also
>>> there is a link inside (to an image, or an iframe e.g.) which ends up being
>>> served by Apache, and which is the reason for the blank page.
>>>
>>> The main point again : it is *possible* to configure things the way you
>>> have done, and to nevertheless avoid security holes and other issues. But
>>> it is *hard*, and any mistake can compromise your server, or lead to errors
>>> difficult to debug.
>>> (For example, you also allow Symlinks, which may confuse things yet a bit
>>> more).
>>>
>>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>>> directory.
>>> (And maybe put some single html page in it, which should never appear,
>>> and if it does you will know something is wrong).
>>>
>>> Then you should use both
>>> JkMount /Andromeda worker1
>>> JkMount /Andromeda/* worker1
>>> (because they do not overlap)
>>>
>>> Then, later, if you want Apache to be serving something directly instead of
>>> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
>>> it selectively.
>>> Or use something like
>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>
>>> Or you could look at an alternative way to specify what needs to be
>>> forwarded, which I personally find more flexible and more Apache-like than
>>> JkMount/unMount :
>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>
>>> The section "Using SetHandler and Environment Variables"
>>>
>>> Now, if you really want to know what is serving what (and learn other
>>> interesting things besides about HTTP) install a browser plugin like HttpFox
>>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>>> contents of each packet sent by the browser to the server, and from the
>>> server to the browser, including the HTTP headers and all.
>>>
>>> The mod_jk logging is also a tool, but it will only show the traffic
>>> between Apache and Tomcat, not what Apache serves directly.
>>>
>>>
>>> ------------------------------****----------------------------**
>>> --**---------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apa**che.org<http://apache.org>
>>> <users-unsubscribe@**tomcat.apache.org<users-unsubscribe@tomcat.apache.org>
>>> >
>>>
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>
>
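The httpd side of what Christopher and André describe, written out as an added example for this archive page rather than taken from the thread. The first (commented-out) fragment is the weak layout the thread warns about: httpd's DocumentRoot is Tomcat's appBase, so httpd will hand out any webapp file it can read, and any URL not covered by a JkMount is answered by httpd without Tomcat's security-constraint ever running. The second fragment is the corrected layout with both JkMount patterns, the optional JkUnMount / no-jk hooks, and the SetHandler alternative. Directory paths, the worker name worker1, the log file locations and the Apache 2.2 access-control syntax are assumptions; only ServerName ASIA, the /Andromeda context and the directives themselves come from the thread.

```apache
# Added example (not from the thread). Paths, log locations and the worker
# name are assumptions; Apache 2.2 syntax, with a 2.4 note where it differs.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# --- WEAK: DocumentRoot is Tomcat's appBase (what the thread warns against) ---
# httpd can read WEB-INF/ and META-INF/ of every webapp directly, so
# /Andromeda/META-INF/context.xml (often holding DB credentials) is served as a
# static file, and any path with no JkMount is answered by httpd, bypassing
# Tomcat's <security-constraint>. Indexes and FollowSymLinks widen that further.
#
# <VirtualHost *:80>
#     ServerName   ASIA
#     DocumentRoot /opt/tomcat/webapps
#     <Directory /opt/tomcat/webapps>
#         Options Indexes FollowSymLinks
#         Order allow,deny
#         Allow from all
#     </Directory>
#     JkMount /Andromeda worker1
# </VirtualHost>

# --- CORRECTED: httpd owns its own DocumentRoot, all of /Andromeda goes to Tomcat ---
<VirtualHost *:80>
    ServerName   ASIA
    # A directory httpd owns, holding one canary page. If the browser ever
    # shows that page for a /Andromeda URL, a request escaped mod_jk.
    DocumentRoot /var/www/asia-htdocs
    <Directory /var/www/asia-htdocs>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Both patterns are needed and do not overlap: the first matches exactly
    # "/Andromeda", the second everything below it, including
    # /Andromeda/internal/internal.jsp and /Andromeda/internal/j_security_check,
    # so Tomcat's security-constraint is always the one deciding.
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # Later, to let httpd serve static files itself, either unmount selectively:
    # JkUnMount /Andromeda/*.jpg worker1
    # or mark matching requests with the no-jk environment variable:
    # SetEnvIf Request_URI "\.jpg$" no-jk
    # Those files must then live under DocumentRoot (e.g.
    # /var/www/asia-htdocs/Andromeda/), never under the Tomcat appBase.

    # Defence in depth: even if a webapp tree ever ends up under httpd's
    # DocumentRoot, never let httpd hand out its private directories.
    # (Apache 2.4: replace the two Order/Deny lines with "Require all denied".)
    <LocationMatch "/(WEB-INF|META-INF)/">
        Order deny,allow
        Deny from all
    </LocationMatch>
</VirtualHost>

# --- ALTERNATIVE to JkMount: SetHandler plus an environment variable ---
# (the "Using SetHandler and Environment Variables" section of the mod_jk
# Apache reference; use instead of, not together with, the JkMount lines
# for the same path)
# <Location /Andromeda>
#     SetHandler jakarta-servlet
#     SetEnv JK_WORKER_NAME worker1
# </Location>
```

To check the corrected layout from the browser or with a plugin such as HttpFox, the two requests Christopher suggests are the useful ones: /Andromeda/META-INF/context.xml must now come back as 404 (Tomcat refuses to serve META-INF and WEB-INF), and /Andromeda/internal/internal.jsp must redirect to the login form instead of returning 200 with the page body, which is what the access log above shows for the broken setup.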
