tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat 7.0.39 - Embedded Tomcat within Eclipse Juno doesn’t pick assets from DOC ROOT
Date Sat, 10 Aug 2013 11:29:45 GMT
Saurabh Agrawal wrote:
> Hi,
> 
> I have developed a Struts 2 application which is deployed on Tomcat. I am using Eclipse to do the coding and configured Tomcat with Eclipse to deploy the war from Eclipse itself.
> 
> My requirement is that all static assets should be served from Apache HTTP Server because in our production environment that will be the set up.
> 
> As a result, I have configured image URLs like –
> 
> <img src="/common/images/test.jpg" />
> 
> The assumption is common folder will be present in the doc root. I have copied common folder in the ROOT of Tomcat so that it can be accessed from /common in the URL. However, my images are not getting picked with the above URL.
> 

I do not pretend to understand your complete setup here, but it looks to me like you are 
setting yourself up for a very insecure website layout.
If you are locating resources in Tomcat's webapps/ROOT directory, but then serving them 
with Apache HTTPD (and for that, mapping the Tomcat ROOT folder to make it directly 
accessible from the HTTPD server), it means that for *everything* in the Tomcat 
webapps/ROOT folder you are completely bypassing the Tomcat built-in security.
(For example, it means that HTTPD users will have direct access to Tomcat's ROOT/WEB-INF 
folder files, whatever private information may be in there.)
HTTPS users will also have access to the source of whatever *.JSP pages you put there.

Heed the bold text here : http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

The point is : by default, Tomcat "knows" that it should not serve anything from the 
WEB-INF sub-directory, nor serve "raw" JSPs.
But HTTPD does not know that, and by default it will serve these things without having a 
second look.
You /can/ make this secure by correct configuration, but it needs careful work, and it is 
easy to overlook something.


> However, if I create a war file using Maven and deploy it on the server, /common works. So I think it may be the problem with embedded tomcat instance within eclipse for which may be ROOT is not the doc root.
> 
> Can anyone suggest how can it work i.e. deploying application from eclipse to a configured tomcat instance in eclipse ?
> 
> Thanks.
> 
> Regards,
> SAURABH AGRAWAL


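The exposure described in the reply above, shown as an httpd configuration with the weak layout beside a safer one. This is an added example, not part of the original thread; it assumes Apache httpd 2.4 with mod_alias, mod_authz_core, mod_proxy and mod_proxy_http, a Tomcat HTTP connector on 127.0.0.1:8080, and hypothetical paths under /opt/tomcat and /var/www/static.

```apache
# Added example; not from the thread. Assumptions: Apache httpd 2.4 with
# mod_alias, mod_authz_core, mod_proxy and mod_proxy_http loaded; Tomcat's HTTP
# connector on 127.0.0.1:8080; all paths below are hypothetical.

# --- Weak layout (left commented out) ----------------------------------------
# The whole webapp directory becomes httpd's document root, so httpd serves
# /WEB-INF/web.xml and the source of any *.jsp as ordinary static files.
#
# DocumentRoot "/opt/tomcat/webapps/ROOT"
# <Directory "/opt/tomcat/webapps/ROOT">
#     Require all granted
# </Directory>

# --- Safer layout ------------------------------------------------------------
# httpd's own document root stays outside Tomcat's webapps tree.
DocumentRoot "/var/www/static"

# Expose only the static subtree that the pages reference as /common/...
Alias "/common" "/opt/tomcat/webapps/ROOT/common"
<Directory "/opt/tomcat/webapps/ROOT/common">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Defence in depth for anything httpd reads from disk: even if a later Alias
# or DocumentRoot change exposes more of the webapp, httpd refuses what
# Tomcat itself would never serve raw.
<DirectoryMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Require all denied
</DirectoryMatch>
<FilesMatch "(?i)\.jsp[xf]?$">
    Require all denied
</FilesMatch>

# Everything except /common is handed to Tomcat, which applies its own rules.
ProxyPass        "/common" "!"
ProxyPass        "/" "http://127.0.0.1:8080/"
ProxyPassReverse "/" "http://127.0.0.1:8080/"
```

`apachectl configtest` checks the syntax before a reload.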