tomcat-users mailing list archives

From Alexander Diedler <adied...@tecracer.de>
Subject AW: AW: mod_jk - Browser displays HTML Sourcecode
Date Tue, 08 Nov 2011 15:29:54 GMT
OK, but would be the better way (of life) for this?
HTTPD vhost.conf:
<VirtualHost 192.168.100.40:80>
    ServerAdmin xxx@yyy
    DocumentRoot "D:/www/apps/app1/ROOT"
    <Directory "D:/www/apps/app1/ROOT">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
...
</VirtualHost>

Server.xml:
<Host name="app1" appBase="D:/www/apps/app1/">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs"
           prefix="app1_access_log." suffix=".txt" pattern="common"
           resolveHosts="false"/>
</Host>


ROOT.xml in /conf/
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="D:/www/apps/app1/ROOT" privileged="true"
         reloadable="true" unpackWAR="true" antiJARLocking="true">
	<Resource name="jdbc/jTDS"
		auth="Container"
		type="javax.sql.DataSource"
		maxActive="100"
		maxIdle="30"
		maxWait="10000"
		username="xxx"
		password="xxx"
		removeAbandoned="true"
		removeAbandonedTimeout="60"
		logAbandoned="true"
		driverClassName="net.sourceforge.jtds.jdbc.Driver"
		url="jdbc:jtds:sqlserver://db:1433/xxxx;charset=UTF-8"
	/>
</Context>

Greetings
Alexander


-----Original Message-----
From: Pid [mailto:pid@pidster.com]
Sent: Tuesday, 8 November 2011 16:21
To: Tomcat Users List
Subject: Re: AW: mod_jk - Browser displays HTML Sourcecode

On 08/11/2011 15:12, Alexander Diedler wrote:
> Hello
> 
>> That most probably means that the URL mappings for mod_jk are not
>> correct, and that Apache httpd is serving that content directly.
>> Look at (or show here) the JkMount lines that should be somewhere in
>> your Apache configuration.
> 
> Was attached in the post:
> JkMount /* loadbalancer
> So everything would be served by tomcat.
> 
>> At a second level, it also means that you are doing something that is
>> really not recommended : allow Apache httpd access to the Tomcat
>> application directories.

+1  I'd go further: *never* publish a Tomcat application docBase as an
HTTPD DocumentRoot.


>> That bypasses any security that you may have in Tomcat.
>> Your current problem is a perfect example : Apache now shows the
>> source code of your JSP pages.  Hopefully there is no secret password
>> in there.
> 
>> Test : (http://www.test.de/xyz)/WEB-INF/web.xml
> Yes, you are right, I can read the web.xml from the browser. How can we
> avoid it?

Don't publish a Tomcat application docBase as an HTTPD DocumentRoot.
Simples.


p



> Greetings
> Alexander
> 
> 
> 
>> In the Apache access log:
>>
>> xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 23281 ##OK
>> xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572    ##Not ok, sourcecode displayed.
>>
>> In the virtual-host.conf:
>>
>> ## Tomcat connection
>>     JkMount /* loadbalancer
>> JkOptions +ForwardURICompatUnparsed
>> AllowEncodedSlashes On
>>
>> Greetings
>> Alexander
>>
> 
> 


-- 

[key:62590808]
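
A defender-side check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages: it flags any httpd DocumentRoot or <Directory> path that equals, contains, or sits inside a Tomcat docBase/appBase. The sample configuration is constructed from the values posted above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample input modelled on the configuration posted in this thread.
HTTPD_CONF = '''
<VirtualHost 192.168.100.40:80>
    DocumentRoot "D:/www/apps/app1/ROOT"
    <Directory "D:/www/apps/app1/ROOT">
    </Directory>
</VirtualHost>
'''
TOMCAT_XML = [
    '<Host name="app1" appBase="D:/www/apps/app1/"/>',
    '<Context docBase="D:/www/apps/app1/ROOT" reloadable="true"/>',
]

def norm(path):
    """Normalise a Windows path for comparison (lower case, no stray spaces)."""
    return PureWindowsPath(path.strip().lower())

def httpd_paths(conf):
    """Paths httpd serves itself: DocumentRoot and <Directory> arguments."""
    pat = re.compile(r'^\s*(?:DocumentRoot\s+|<Directory\s+)"?([^">\n]+)"?', re.M | re.I)
    return {norm(m.group(1)) for m in pat.finditer(conf)}

def tomcat_paths(fragments):
    """docBase / appBase attributes from Tomcat Host and Context elements."""
    out = set()
    for frag in fragments:
        for el in ET.fromstring(frag).iter():
            for attr in ("docBase", "appBase"):
                if attr in el.attrib:
                    out.add((attr, norm(el.attrib[attr])))
    return out

def overlaps(conf, fragments):
    """Return (httpd_path, attr, tomcat_path) where httpd can reach Tomcat files."""
    hits = []
    for h in sorted(httpd_paths(conf)):
        for attr, t in sorted(tomcat_paths(fragments)):
            # equal, httpd path inside the Tomcat tree, or Tomcat tree inside the httpd path
            if h == t or t in h.parents or h in t.parents:
                hits.append((str(h), attr, str(t)))
    return hits

if __name__ == "__main__":
    for h, attr, t in overlaps(HTTPD_CONF, TOMCAT_XML):
        print(f"httpd serves {h}, which overlaps Tomcat {attr} {t}")
```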

