tomcat-users mailing list archives
From André Warnier>
Subject Re: Some questions about Tomcat ISAPI Connector and its documentation
Date Sat, 10 Mar 2012 23:13:41 GMT
Konstantin Preißer wrote:
> 2. I observed that when a request is made to IIS which is mapped to Tomcat, and the request
> path contains the string "WEB-INF", like
> then the ISAPI connector logs a statement like this:
> [Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
> If I remember correctly, in some earlier versions of the ISAPI connector (or IIS), in
> such cases the TCP connection from IIS to the client would also be closed without any reply;
> however, in the current version, a 404 reply is sent from the ISAPI connector.
> I'm wondering why the ISAPI redirector checks if "WEB-INF" is occurring in the path,
> because Tomcat seems to already check if a request is made to the WEB-INF or META-INF directory
> of a web application, and if so, sends back a normal 404 response. Is this a kind of relic
> from earlier times? Because I would expect that the ISAPI redirector just passes the request
> to Tomcat and lets Tomcat decide how requests to forbidden directories are handled, without
> writing an "emergency" log entry.
That is probably what isapi_redirector does anyway (forward the request to Tomcat, and let
Tomcat send the 404 response (which may be customised)).

But perhaps the log message in the isapi_redirector log is there for the following reason:
when Tomcat is hosted on a separate host, it may be nice, on the IIS/isapi_redirector
host, to have a log entry recording this.  Just in case the IIS-side logs are being
watched closely, and the Tomcat logs less so.
After all, someone using a URL including WEB-INF or META-INF is quite likely to be
someone who /is/ trying to hack the system.

That kind of overlaps the warning in red text that is present on the connectors' "how-to"
pages, like:

However, you should be very careful when you implement the following configuration style,
because by doing so you are in fact providing a "back-door" to IIS, and allowing it to
serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any
security restrictions which Tomcat itself and the Tomcat context (webapp) may place on
those files.

Does this log message bother you? Why would you want to /not/ have it?
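The reply above argues that the IIS-side log entry is worth keeping because the IIS host's logs may be the ones being watched. The following script, added here as an illustration and not code from the thread or from the Tomcat project, shows what a defender can do with that entry: it parses isapi_redirector log lines of the shape quoted in the thread, pulls out every refused WEB-INF/META-INF request with its timestamp and path, and counts them per top-level context. It also includes a small case-insensitive segment check of the kind the thread describes Tomcat and the redirector performing; that check is my own approximation of the described behaviour, not the connector's actual code. The log format, the sample lines other than the one quoted in the thread, and the function names are all assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed shape of the isapi_redirector log line quoted in the thread:
#   [timestamp] [pid:tid] [level] function::file (line): message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<where>\S+ \(\d+\)): (?P<msg>.*)$"
)
# Message the redirector writes when it refuses a WEB-INF / META-INF path
BLOCKED_RE = re.compile(
    r"^\[(?P<path>[^\]]*)\] points to the web-inf or meta-inf directory"
)
PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}

# Constructed sample log: the first line is the one quoted in the thread,
# the other lines are made up for this example.
SAMPLE_LOG = """\
[Sat Mar 10 22:34:58.030 2012] [11744:10792] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/test/asdf/blahblah/blah/WEB-INF/blahbla/asdf] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
[Sat Mar 10 22:35:01.120 2012] [11744:10792] [info] some_function::jk_isapi_plugin.c (100): constructed informational line
[Sat Mar 10 22:36:12.500 2012] [11744:10800] [emerg] handle_notify_event::jk_isapi_plugin.c (1997): [/shop/META-INF/MANIFEST.MF] points to the web-inf or meta-inf directory. Somebody tries to hack into the site!!!
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp like "Sat Mar 10 22:34:58.030 2012"
    rec["timestamp"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    bm = BLOCKED_RE.match(rec["msg"])
    rec["blocked_path"] = bm.group("path") if bm else None
    return rec


def blocked_requests(lines):
    """Return (timestamp, path) for every refused WEB-INF/META-INF request."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["blocked_path"] is not None:
            out.append((rec["timestamp"], rec["blocked_path"]))
    return out


def count_by_context(lines):
    """Count refused requests per top-level context path (first URL segment)."""
    counts = Counter()
    for _, path in blocked_requests(lines):
        segments = [s for s in path.split("/") if s]
        key = ("/" + segments[0]) if segments else "/"
        counts[key] += 1
    return dict(counts)


def is_protected_path(path):
    """Case-insensitive segment check for WEB-INF / META-INF after resolving '.' and '..'.

    Assumption: this approximates the check the thread describes; it is not the
    connector's or Tomcat's own implementation.
    """
    resolved = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return any(seg.upper() in PROTECTED_SEGMENTS for seg in resolved)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, path in blocked_requests(lines):
        print(ts.isoformat(), path)
    print(count_by_context(lines))
```

Running the script lists the two refused requests from the sample with their timestamps and prints a per-context count, which is the kind of summary that lets the IIS-side log serve as the early indicator the reply describes even when the Tomcat host's logs are reviewed less often.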
