tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: AW: mod_jk - Browser displays HTML Sourcecode
Date Tue, 08 Nov 2011 15:54:18 GMT
Hi.

Pid wrote:
> On 08/11/2011 15:12, Alexander Diedler wrote:
>> Hello
>>
>>> That most probably means that the URL mappings for mod_jk are not correct,
>>> and that Apache httpd is serving that content directly.
>>> Look at (or show here) the JkMount lines that should be somewhere in your
>>> Apache configuration.
>>
>> Was attached in the post:
>> JkMount /* loadbalancer
>> So everything would be served by tomcat.
>>

But obviously it isn't, so there's something wrong with this JkMount.

Somewhere else you are talking of VirtualHost.
Are you sure that the above line is inside the <VirtualHost> configuration?
If it is in the "main" Apache config, it is not automatically "inherited" by the 
VirtualHosts.  Check the JkMountCopy directive for details.

>>> At a second level, it also means that you are doing something that is
>>> really not recommended : allow Apache httpd access to the Tomcat application
>>> directories.
> 
> +1  I'd go further: *never* publish a Tomcat application docBase as an
> HTTPD DocumentRoot.
> 
> 
>>> That bypasses any security that you may have in Tomcat.
>>> Your current problem is a perfect example : Apache now shows the source
>>> code of your JSP pages.  Hopefully there is no secret password in there.
>>
>>> Test : (http://www.test.de/xyz)/WEB-INF/web.xml
>> Yes you are right, I can read the web.xml from the browser. How we can avoid
>> it?
> 
> Don't publish a Tomcat application docBase as an HTTPD DocumentRoot.
> Simples.
> 
> 
To say that in another way:
Suppose that your Tomcat webapps directory is /var/lib/tomcatx/webapps.
Then DO NOT define in Apache
DocumentRoot /var/lib/tomcatx/webapps
(or any other overlap between these two, or subdirectories of ditto).

Apache httpd and Tomcat "don't know each other"; they are independent applications.
Each one has its own security system, based on different principles.

For example, Tomcat will /never/ allow a client to retrieve a file from inside a webapp's 
WEB-INF subdirectory.
But Apache httpd doesn't know that a WEB-INF sub-directory is something special, so it 
will happily serve its content, if the URL maps there for Apache.
Similarly, Apache doesn't know that a JSP file is something special (that must be compiled 
to a java servlet etc.). So if the URL which Apache handles points to something like 
that, Apache will happily serve it as a text file.
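As an added example (not part of this thread and not written by any of its participants), here is an httpd configuration that follows the advice above: a DocumentRoot that does not overlap the Tomcat webapps tree, the JkMount placed inside the VirtualHost where it is actually needed, and a defence-in-depth block so httpd refuses to serve WEB-INF or META-INF even if somebody later points a DocumentRoot or Alias at a webapp directory. The paths /var/www/test.de, modules/mod_jk.so and conf/workers.properties are assumptions; /var/lib/tomcatx/webapps, www.test.de and the worker name loadbalancer come from the thread.

```apache
# Added example, not from the thread.  httpd does not accept trailing
# comments on a directive line, so every comment sits on its own line.

# Global section: load mod_jk and point it at the worker definitions.
# The workers file (assumed path) must define a worker named "loadbalancer".
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

<VirtualHost *:80>
    ServerName www.test.de

    # WRONG - this is what produces the symptom in the thread, because
    # httpd then sees WEB-INF/ and *.jsp as ordinary files:
    #   DocumentRoot /var/lib/tomcatx/webapps
    #
    # RIGHT - a directory of httpd's own (assumed path) that does not
    # overlap the Tomcat docBase or any of its subdirectories.
    DocumentRoot /var/www/test.de

    # JkMount lines in the main server config are NOT inherited by a
    # VirtualHost.  Either repeat them here, as done below, or put
    # "JkMountCopy On" in the VirtualHost to copy the global mounts in.
    JkMount /* loadbalancer
</VirtualHost>

# Defence in depth: httpd itself knows nothing about the servlet spec, so
# tell it explicitly never to serve WEB-INF or META-INF from the filesystem.
# (httpd 2.4 syntax; on 2.2 use "Order deny,allow" followed by "Deny from all".)
<DirectoryMatch "/(WEB-INF|META-INF)(/|$)">
    Require all denied
</DirectoryMatch>
```

With `JkMount /*` inside the VirtualHost every request for www.test.de is forwarded to Tomcat, so the WEB-INF and JSP checks are handled by Tomcat's own rules; the DirectoryMatch block only matters if a later configuration change lets httpd map a URL onto a webapp directory again, and the quickest sanity check after a reload is the one already given in the thread: request /WEB-INF/web.xml and confirm you get an error page, not XML.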


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

