tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adrián Córdoba <>
Subject Re: Tomcat behind Apache and security-constraint
Date Thu, 21 Jul 2011 19:28:43 GMT
Thank you, André.
I know this "Warning", but I want to serve static content with Apache web
server and dynamic content with Tomcat. (The web application contains only
links to other pages in the same application. It is a test application to

In those conditions, with those settings, if an user enters
http://localhost/Andromeda, he gets the "*index.jsp*" page in the WebContent
directory. So, I think Tomcat is serving that content.
Do you think Apache is serving "index.jsp" file content?

Anyway, I will try removing the trailing "/".

(I know the security issues, but I'm using this application in my local
network in order to learn only.)

Thank you, very much.
[Adrián Córdoba]

2011/7/21 André Warnier <>

> Addendum :
> This, which I missed earlier, is of course also a no-no, for the same
> reasons as explained earlier :
> DocumentRoot /opt/apache-tomcat-7.0.12/**webapps/
> see the remark in red here :
> André Warnier wrote:
>> Adrián Córdoba wrote:
>> ...
>>  JkMount  /Andromeda/* worker1
>>>  <Directory "/opt/apache-tomcat-7.0.12/**webapps/Andromeda">
>>>    Options Indexes FollowSymLinks
>>>    AllowOverride None
>>>    Order allow,deny
>>>    Allow from all
>>>  </Directory>
>>> </VirtualHost>
>>> ------------------------------**---------------------------
>> ...
>>  May be, I have a configuration mistake.
>> Yes, a big one above.
>> Wether it is the cause of your problem, I am not quite sure yet (but it
>> could be).
>> It is bad anyway, because you are allowing Apache users, potentially, to
>> bypass Tomcat and to access the Tomcat application directory directly.
>> So, again potentially, if a user manages to access the directory
>> "/opt/apache-tomcat-7.0.12/**webapps/Andromeda" through Apache and
>> without going through Tomcat, then anything that you did in Tomcat to
>> protect access to that directory is useless.
>> And that is probably the case here :
>> Say a user enters the URL "http://ASIA/Andromeda" in his browser, and the
>> browser requests that URL.  What happens ?
>> Apache will compare that URL (the part after the host) with the JkMount
>> instruction.
>> The request URL is "/Andromeda", which is compared to the URL in the
>> JkMount "/Andromeda/*".
>> It does not match, since the request URL is missing the trailing "/" of
>> the expression in the JkMount.
>> So Apache does not forward this request to Tomcat, but handles it itself.
>> After a few more steps in Apache, finally Apache comes to this directory
>> "/opt/apache-tomcat-7.0.12/**webapps/Andromeda", and looks for a document
>> to serve.
>> Since no document is specified in the URL, Apache will use the one
>> specified in the relevant "DirectoryIndex" directive.  That may be, for
>> instance, "index.html" or similar.
>> And it will serve it according to its own permissions settings, which here
>> are :
>>  >     Allow from all
>> (so anyone can get anything, without access control)
>> It is a bit difficult, not knowing the exact content of your pages, to
>> figure out what the full consequences may be, but maybe it gives you a clue
>> already.
>> In other words,
>> 1) remove the section
>> <Directory "/opt/apache-tomcat-7.0.12/**webapps/Andromeda">
>> from the Apache configuration.  It has nothing to do there, because you
>> want Apache to forward these URLs to Tomcat anyway.
>> And it is a security risk (particularly on Windows, but even here).
>> 2) add the following JkMount :
>> JkMount  /Andromeda worker1
>> (so that a request for "http://ASIA/Andromeda" will be *also* forwarded
>> to Tomcat.)
>> Then try again, and come back here if you still have a problem.
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**<>
>> For additional commands, e-mail:
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**<>
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message