tomcat-users mailing list archives

From Adrián Córdoba <adr.cord...@gmail.com>
Subject Re: Tomcat behind Apache and security-constraint
Date Fri, 22 Jul 2011 12:49:43 GMT
André:
  This is in my URL bar of Chrome or Firefox:
      http://localhost/Andromeda

  Thank you.
--
[Adrián Córdoba]



2011/7/22 André Warnier <aw@ice-sa.com>

> Adrián Córdoba wrote:
>
>> André:
>> 1- So how come the requests are made to the host "localhost" ?
>>  I think this is so, because <VirtualHost *:80>.
>> 2- Is this the one and only VirtualHost in Apache ?
>>  This is the only virtual host.
>>
>
> How do you enter a URL in the browser, to access this ?
> (paste an example)
>
>
>
>> Best regards
>> --
>> [Adrián Córdoba]
>>
>>
>>
>> 2011/7/22 André Warnier <aw@ice-sa.com>
>>
>>> Adrián Córdoba wrote:
>>>
>>>> Well...
>>>> 1- I delete the "Directory" section from httpd.conf file.
>>>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>>>> 3- I add dynamic content to index.jsp page
>>>> So I proved the content is served by Tomcat. But I have the same
>>>> problem: I cannot view the content of the protected section of my web
>>>> application through the Apache web server.
>>>>
>>>> If I access Tomcat directly (skipping httpd), I can see the protected
>>>> content.
>>>>
>>>
>>> Ok, so what does that tell us ?
>>> - that the webapp in Tomcat seems to work as it should
>>> - that at least some requests going through Apache are being forwarded to
>>> Tomcat
>>> - but obviously, that at least one response page is different, at the
>>> browser level, when it is coming back (or not) through Apache, than when
>>> it is coming back directly from Tomcat
>>>
>>> So we must find out what the difference is.
>>> And the easiest way to find that out - at least at the first level - is a
>>> plugin added to the browser, which would show the real content of that
>>> response which appears as a blank page.
>>> Do it.
>>>
>>> Incidentally, the logfile below does not show any error.
>>> But it shows only the requests made to Apache httpd.
>>> It would not, for example, show us if the browser, for whatever reason,
>>> decided to send a request to www.google.com, and got a blank page in
>>> response.
>>> But the browser plugin would show you that.
>>>
>>>
>>> Now wait a minute..
>>> The logfile below shows requests made to "localhost".
>>> But if I remember correctly, this was a VirtualHost, with "ASIA" as
>>> ServerName.
>>> So how come the requests are made to the host "localhost" ?
>>> Is this the one and only VirtualHost in Apache ?
>>>
>>>> Access log in httpd is:
>>>>
>>>> ----------------------------------------------------------
>>>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>>> ----------------------------------------------------------
>>>>
>>>> Thank you, very much.
>>>> --
>>>> [Adrián Córdoba]
>>>>
>>>>
>>>>
>>>> 2011/7/21 André Warnier <aw@ice-sa.com>
>>>>
>>>>> Christopher Schultz wrote:
>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> Adrián,
>>>>>>
>>>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>>>
>>>>>>> Thank you, André. I know this "Warning", but I want to serve static
>>>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>>
>>>>>> You can still do that without setting the DocumentRoot to your
>>>>>> appbase.
>>>>>>
>>>>>> Try this:
>>>>>>
>>>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>>>
>>>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>>> - it's really hard to understand what your appbase really is).
>>>>>>
>>>>>> If you have a container-managed db connection pool, you are more than
>>>>>> likely to have your database username and password in that file, which
>>>>>> is now publicly accessible via HTTP. Pwned.
>>>>>>
>>>>>>> (The web application contains only links to other pages in the same
>>>>>>> application. It is a test application to learn.)
>>>>>>
>>>>>> You should learn to do things properly. I'm not trying to be nasty, but
>>>>>> you should try to get in the habit of doing things securely even when
>>>>>> they are toys. That way you won't forget to do it when it really
>>>>>> matters.
>>>>>
>>>>> +1
>>>>>
>>>>> In addition, the way you have things set up, it is really difficult to
>>>>> help, because we cannot be sure of which server is serving what.
>>>>>
>>>>>
>>>>>
>>>>>>> In those conditions, with those settings, if a user enters
>>>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>>>> WebContent directory.
>>>>>>
>>>>>> That's surprising, given your configuration.
>>>>>>
>>>>>>> So, I think Tomcat is serving that content.
>>>>>>
>>>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>>>> source code.
>>>>>>
>>>>>>> Do you think Apache is serving "index.jsp" file content?
>>>>>>
>>>>>> Can't tell, you didn't show us any of that.
>>>>>
>>>>> +1
>>>>>
>>>>> In addition again, it may be serving /that/ file, but what about any
>>>>> links maybe *contained* in that file.  Perhaps there are none, but
>>>>> perhaps also there is a link inside (to an image, or an iframe e.g.)
>>>>> which ends up being served by Apache, and which is the reason for the
>>>>> blank page.
>>>>>
>>>>> The main point again : it is *possible* to configure things the way you
>>>>> have done, and to nevertheless avoid security holes and other issues.
>>>>> But it is *hard*, and any mistake can compromise your server, or lead
>>>>> to errors difficult to debug.
>>>>> (For example, you also allow Symlinks, which may confuse things yet a
>>>>> bit more).
>>>>>
>>>>> You should give Apache a different DocumentRoot, not your Tomcat
>>>>> webapps directory.
>>>>> (And maybe put some single html page in it, which should never
>>>>> appear, and if it does you will know something is wrong).
>>>>>
>>>>> Then you should use both
>>>>> JkMount /Andromeda worker1
>>>>> JkMount /Andromeda/* worker1
>>>>> (because they do not overlap)
>>>>>
>>>>> Then, later, if you want Apache to be serving something directly
>>>>> instead of forwarding it to Tomcat, you should look up the JkUnMount
>>>>> directive, and do it selectively.
>>>>> Or use something like
>>>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>>>
>>>>> Or you could look at an alternative way to specify what needs to be
>>>>> forwarded, which I personally find more flexible and more Apache-like
>>>>> than JkMount/unMount :
>>>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>>
>>>>> The section "Using SetHandler and Environment Variables"
>>>>>
>>>>> Now, if you really want to know what is serving what (and learn other
>>>>> interesting things besides about HTTP) install a browser plugin like
>>>>> HttpFox (for Firefox) or Fiddler2 (for IE).  These plugins allow you to
>>>>> see the contents of each packet sent by the browser to the server, and
>>>>> from the server to the browser, including the HTTP headers and all.
>>>>>
>>>>> The mod_jk logging is also a tool, but it will only show the traffic
>>>>> between Apache and Tomcat, not what Apache serves directly.
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>
>

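The setup André recommends in the thread, written out beside the weak one the thread warns about, as an added example that is not configuration from the thread or from the Tomcat project. Assumed: Apache 2.2 access-control syntax, the mod_jk worker name worker1 and ServerName ASIA from the thread, and placeholder paths /opt/tomcat/webapps and /var/www/sentinel; the WEB-INF/META-INF deny block is an extra hardening step of my own, not something the thread prescribes.

```apache
# Added example, not from the thread. Assumes mod_jk is loaded, a worker named
# worker1 exists in workers.properties, Tomcat's appBase is /opt/tomcat/webapps
# (placeholder path) and Apache 2.2 access-control syntax.

# --- Weak setup described in the thread: Apache's DocumentRoot IS the Tomcat
# --- appBase, so whatever JkMount does not catch is served from disk by Apache.
# DocumentRoot /opt/tomcat/webapps
# <Directory /opt/tomcat/webapps>
#     Options Indexes FollowSymLinks
# </Directory>
# JkMount /Andromeda worker1
# A bare "JkMount /Andromeda" matches only that exact URI, so a request for
# /Andromeda/META-INF/context.xml is not forwarded and Apache returns the file.

# --- Corrected setup ---
<VirtualHost *:80>
    ServerName ASIA

    # A DocumentRoot that is NOT the Tomcat webapps directory (placeholder path).
    # It holds one sentinel index.html that should never appear in the browser;
    # if it does, a request was served by Apache instead of Tomcat.
    DocumentRoot /var/www/sentinel
    <Directory /var/www/sentinel>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Both mounts are needed: the first matches the bare context path,
    # the second everything below it (login page, j_security_check, CSS...).
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # Optional: let Apache serve images itself. Such files must then live
    # under the DocumentRoot, not under the Tomcat appBase.
    SetEnvIf Request_URI "\.jpg$" no-jk

    # Defence in depth (added here, not from the thread): Apache must never
    # hand out a webapp's private directories, even if a later mapping
    # change exposes the appBase again.
    <LocationMatch "/(WEB-INF|META-INF)/">
        Order allow,deny
        Deny from all
    </LocationMatch>
</VirtualHost>
```

With this in place the sentinel page, mod_jk's own log and a browser plugin such as HttpFox together show unambiguously which server answered each request.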