tomcat-users mailing list archives

From Adrián Córdoba <adr.cord...@gmail.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 20:09:13 GMT
Thank you, Chris... I appreciate your tips.
So, how to serve dynamic content with Tomcat and static content with Apache, all
in the same web application, in a secure way? Can you show me that or tell me
a link to learn it?
Now, users and passwords are in the tomcat-users.xml file.
When I get home, I'll try some tests in order to prove who is serving the
content. I will add or remove dynamic content to the pages. (Maybe some
pages don't have dynamic content.)
Sorry.

Thank you, again.
--
[Adrián Córdoba]



2011/7/21 Christopher Schultz <chris@christopherschultz.net>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Adrián,
>
> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
> > Thank you, André. I know this "Warning", but I want to serve static
> > content with Apache web server and dynamic content with Tomcat.
>
> You can still do that without setting the DocumentRoot to your appbase.
>
> Try this:
>
> GET http://localhost/Andromeda/META-INF/context.xml
>
> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
> - it's really hard to understand what your appbase really is).
>
> If you have a container-managed db connection pool, you are more than
> likely to have your database username and password in that file, which
> is now publicly accessible via HTTP. Pwned.
>
> > (The web application contains only links to other pages in the same
> > application. It is a test application to learn.)
>
> You should learn to do things properly. I'm not trying to be nasty, but
> you should try to get in the habit of doing things securely even when
> they are toys. That way you won't forget to do it when it really matters.
>
> > In those conditions, with those settings, if an user enters
> > http://localhost/Andromeda, he gets the "*index.jsp*" page in the
> > WebContent directory.
>
> That's surprising, given your configuration.
>
> > So, I think Tomcat is serving that content.
>
> Yes, if the tags are being evaluated and you're not just getting the
> source code.
>
> > Do you think Apache is serving "index.jsp" file content?
>
> Can't tell, you didn't show us any of that.
>
> > Anyway, I will try removing the trailing "/".
>
> If that points to a directory, both Apache and Tomcat will perform a
> redirect and add the "/" so it probably doesn't matter.
>
> > (I know the security issues, but I'm using this application in my
> > local network in order to learn only.)
>
> See above.
>
> -chris
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk4ogdgACgkQ9CaO5/Lv0PC48wCeO5dHc6XWZT7LjGZqrcETbN3Q
> JuEAn02R6OeNCfjLoAoOMdPXFqr7miAI
> =TxOq
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

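The configuration Chris is warning about, shown beside a hardened one, as an added example that is not from the thread or from the Tomcat or httpd projects. The appBase /opt/tomcat/webapps, the context name Andromeda, a static/ subdirectory for assets, the empty directory /var/www/empty, and Tomcat's AJP connector on port 8009 are all assumptions; the syntax is Apache httpd 2.4 (Require ...), where 2.2 would use Order/Deny/Allow instead.

```apache
# Added example, not the thread's or the projects' configuration.
# Assumes: appBase is /opt/tomcat/webapps, the app is deployed as /Andromeda,
# mod_proxy and mod_proxy_ajp are loaded, Tomcat's AJP connector listens on
# localhost:8009, and httpd 2.4 "Require" syntax is available.

# ---- Weak setting -------------------------------------------------------
# DocumentRoot is Tomcat's appBase, so httpd treats every file of every
# webapp as a static file. Tomcat's DefaultServlet refuses to serve
# /WEB-INF and /META-INF, but httpd knows nothing about that rule, so
#   GET /Andromeda/META-INF/context.xml   (DataSource credentials)
#   GET /Andromeda/WEB-INF/web.xml
# come back as plain files.
#
#   DocumentRoot "/opt/tomcat/webapps"
#   ProxyPass "/Andromeda/" "ajp://localhost:8009/Andromeda/"

# ---- Hardened setting ---------------------------------------------------
# 1. DocumentRoot points at a directory that contains no webapp at all.
DocumentRoot "/var/www/empty"
<Directory "/var/www/empty">
    Require all denied
</Directory>

# 2. Only the directory that really holds static assets is exposed, and
#    only that one. No indexes, no symlinks (a symlink inside static/ could
#    otherwise point back into WEB-INF).
Alias "/Andromeda/static/" "/opt/tomcat/webapps/Andromeda/static/"
<Directory "/opt/tomcat/webapps/Andromeda/static">
    Options -Indexes -FollowSymLinks
    Require all granted
</Directory>

# 3. Refuse the two reserved directories outright, whatever mapping a
#    request arrives through. PCRE is used, so (?i) makes it case-insensitive.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Require all denied
</LocationMatch>

# 4. Everything else under /Andromeda goes to Tomcat over AJP. The "!"
#    exclusion must come before the general ProxyPass, otherwise mod_proxy
#    claims the static path before mod_alias sees it.
ProxyPass "/Andromeda/static/" "!"
ProxyPass "/Andromeda/" "ajp://localhost:8009/Andromeda/"
```

The check Chris proposes is still the right one after the change: `curl -sI http://localhost/Andromeda/META-INF/context.xml` should return 403 (refused by httpd's LocationMatch) and, for a static asset, `curl -sI http://localhost/Andromeda/static/style.css` should return 200 with httpd's Server header rather than being forwarded to Tomcat. A 200 on the context.xml request means the file is exposed. Note that tomcat-users.xml lives in $CATALINA_BASE/conf, not under appBase, so it is not what the weak DocumentRoot leaks; the credentials at risk are the ones in META-INF/context.xml and WEB-INF/web.xml.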