tomcat-users mailing list archives

From Konstantin Preißer <verlag.preis...@t-online.de>
Subject RE: Some questions about Tomcat ISAPI Connector and its documentation
Date Sun, 11 Mar 2012 23:32:08 GMT
Hello Konstantin Kolinko and André Warnier,

thank you both for your replies.


> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Sunday, March 11, 2012 12:14 AM
> To: Tomcat Users List
> Subject: Re: Some questions about Tomcat ISAPI Connector and its documentation
> 
> That is probably what isapi_redirector does anyway (forward the request to Tomcat,
> and let Tomcat send the 404 response (which may be customised)).

In such a case, the ISAPI connector seems to send its own 404 error message (which can't
be customized, I think).


> But perhaps the log message in the isapi_redirector log is there for the following
> reason: when Tomcat is hosted on a separate host, it may be nice, on the
> IIS/isapi_redirector host, to have a log entry recording this.  Just in case the
> IIS-side logs are being watched closely, and the Tomcat logs less so.
> After all, someone using a URL including WEB-INF or META-INF, is quite likely to be
> someone who /is/ trying to hack the system.
> 
> That kind of overlaps the warning in red text that is present on the connectors
> "how-to" pages, like :
> 
> However, you should be very careful when you implement the following configuration
> style, because by doing so you are in fact providing a "back-door" to IIS, and
> allowing it to serve files out of a Tomcat context without Tomcat's knowledge, thus
> bypassing any security restrictions which Tomcat itself and the Tomcat context
> (webapp) may place on those files.

That's right; however, it seems that the warning only appears when the request is actually
mapped to the ISAPI connector - if it is not mapped to it, it does not prevent accessing directories
called "WEB-INF" (e.g. when trying to have IIS serve the static files and Tomcat serve only
Servlets/JSPs).

> Does this log message bother you ? why would you want to /not/ have it ?
> 

It does not bother me - I just wondered why the ISAPI connector would do these checks, when Tomcat
already does them. :)


Regards,
Konstantin Preißer
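Added example, not code from this thread or from isapi_redirector itself: a Python request-path guard in the spirit of the WEB-INF/META-INF check discussed above. It decodes and normalises the path before testing each segment, and is meant to be applied to every request reaching the front-end server, not only those mapped to the connector; the sample paths at the bottom are constructed.

```python
import posixpath
from urllib.parse import unquote

# Directories the Servlet spec says must never be served to clients.
# isapi_redirector performs a check of this kind before forwarding;
# this is a stand-alone illustration, not its actual implementation.
PROTECTED_DIRS = frozenset({"web-inf", "meta-inf"})


def normalize_request_path(raw_path: str) -> str:
    """Resolve a request path the way a static file server would:
    percent-decode (twice, so a double-encoded segment is not missed),
    treat backslashes as separators (Windows/IIS), and collapse '.'
    and '..' segments. Over-decoding can only make the guard stricter."""
    path = unquote(unquote(raw_path))
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath turns "/a/static/../WEB-INF" into "/a/WEB-INF"
    # and drops ".." segments that would climb above the root.
    return posixpath.normpath(path)


def targets_protected_dir(raw_path: str) -> bool:
    """True if any path segment names WEB-INF or META-INF. The comparison
    is case-insensitive because IIS on NTFS resolves file names that way,
    so "web-inf" would reach the same directory as "WEB-INF"."""
    normalized = normalize_request_path(raw_path)
    return any(seg.lower() in PROTECTED_DIRS for seg in normalized.split("/"))


def classify_requests(paths):
    """Map each raw request path to 'blocked' or 'allowed'."""
    return {p: ("blocked" if targets_protected_dir(p) else "allowed")
            for p in paths}


if __name__ == "__main__":
    # Constructed sample paths; a file merely named WEB-INF.txt is allowed,
    # since only the directory itself is protected.
    samples = [
        "/app/WEB-INF/web.xml",
        "/app/web-inf/web.xml",
        "/app/static/../WEB-INF/web.xml",
        "/app/META-INF/MANIFEST.MF",
        "/app/images/logo.png",
        "/app/WEB-INF.txt",
    ]
    for path, verdict in classify_requests(samples).items():
        print(f"{verdict:8} {path}")
```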


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

