tomcat-users mailing list archives

From "Pid *" <>
Subject Re: where to put static files?
Date Mon, 21 Nov 2011 19:01:23 GMT
On 21 Nov 2011, at 18:52, "André Warnier" <> wrote:

> Hi.
> What we are trying to say is this :
> The WEB-INF and META-INF sub-directories of a Tomcat webapp are supposed to contain files
> that should NOT be accessed by the users.  For example, in the WEB-INF and META-INF
> subdirectories, there are files (like WEB-INF/web.xml) which may contain private
> information (such as, e.g., passwords to access a database system).
> For that reason, Tomcat itself forbids access to the content of these directories.
> If you try to access Tomcat directly via a URL like
> "", you will get a "Forbidden"
> response. Always.
> But if on the same host, you run another webserver (Apache, nginx,..), and you allow that
> webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory,
> you bypass the Tomcat security and make it useless.
> That means that a user, with a well-crafted URL, will be able to access and display the
> content of those files.  This is a big security hole.
> You can configure the front-end webserver to also forbid this, but it requires additional
> configuration, and you will forget to do it, or do it wrong.
> So don't do that.

> Tomcat will serve static resources just fine, usually as fast as Apache or nginx would.
> If you insist that you must serve this static content directly from the front-end
> webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot
> of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps
> directory), and use the proxy instructions so that these requests are /not/ forwarded to
> Tomcat, but served locally.

+1. I would use stronger terms: never allow DocumentRoot and
tomcat/webapps to overlap.


> For example :
> ProxyPass /mywebapp/images !
> ProxyPass /mywebapp/css !
> ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
> will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css
> subdirectories.
> Jan Vávra wrote:
>> Hello,
>> when I started my project others told me to use apache for static
>> content and tomcat for java/jsp.
>> It works quite well. Tomcat is hidden behind a reverse proxy (mod_ajp). So
>> Apache serves the static content, and Tomcat the dynamic content.
>> Jan.
>>> I have a spring project (web app), in my project where should I be
>>> putting
>>> my static files like images/css/javascript?
>>> In my WEB-INF like:
>>> /WEB-INF/Assets {images/css/js}
>>> I know when I go in production I will have nginx map to this folder to
>>> serve the static files, but I just want to know where I can put them for
>>> development/testing.

To unsubscribe, e-mail:
For additional commands, e-mail:
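As an added example (not part of the original thread, and not anyone's posted configuration), here is a minimal Apache httpd 2.4 virtual host that implements what André and Pid describe: a DocumentRoot that is separate from Tomcat's webapps tree, ProxyPass exclusions so that /mywebapp/images and /mywebapp/css are served locally, and an explicit deny for WEB-INF and META-INF as a second line of defence in case the two directory trees are ever made to overlap by mistake. The backend address ajp://tomcat:8009 is taken from the quoted ProxyPass line; the hostname, the filesystem paths and the use of mod_proxy_ajp, mod_alias and the 2.4 `Require` syntax are assumptions.

```apache
# Added example, not from the original thread. Hostname and paths are assumed.
# Needs mod_proxy, mod_proxy_ajp, mod_alias and Apache httpd 2.4 (Require syntax).
<VirtualHost *:80>
    ServerName www.example.com

    # Static content lives under the front-end's own DocumentRoot,
    # which must never be the same directory as (or overlap with)
    # Tomcat's webapps tree.
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        Options -Indexes
        Require all granted
    </Directory>

    # Map the excluded URL prefixes onto the local static tree.
    Alias /mywebapp/images /var/www/html/mywebapp/images
    Alias /mywebapp/css    /var/www/html/mywebapp/css

    # Exclusions ("!") must come before the catch-all ProxyPass:
    # mod_proxy applies the first rule that matches.
    ProxyPass        /mywebapp/images !
    ProxyPass        /mywebapp/css    !
    ProxyPass        /mywebapp        ajp://tomcat:8009/mywebapp
    ProxyPassReverse /mywebapp        ajp://tomcat:8009/mywebapp

    # Defence in depth: refuse any URL path containing a WEB-INF or
    # META-INF segment (case-insensitive), so the front-end never serves
    # web.xml or similar from disk even if DocumentRoot is misconfigured.
    # Tomcat itself still forbids these paths for proxied requests.
    <LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

After changing the configuration, `apachectl configtest` checks the syntax; a request for `/mywebapp/WEB-INF/web.xml` should then return 403 from the front-end, and requests for `/mywebapp/images/...` should be answered from `/var/www/html` without reaching Tomcat.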
