Return-Path: 
 <users-return-256266-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BD1DF18661
	for <apmail-tomcat-users-archive@www.apache.org>;
 Wed,  3 Feb 2016 18:50:46 +0000 (UTC)
Received: (qmail 41413 invoked by uid 500); 3 Feb 2016 18:50:38 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 41356 invoked by uid 500); 3 Feb 2016 18:50:38 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 41345 invoked by uid 99); 3 Feb 2016 18:50:38 -0000
Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Feb 2016 18:50:38 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org)
 with ESMTP id C75A3C01A8
	for <users@tomcat.apache.org>; Wed,  3 Feb 2016 18:50:37 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=6.31
	tests=[SPF_PASS=-0.001] autolearn=disabled
Received: from mx1-eu-west.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new,
 port 10024)
	with ESMTP id WG8hLepq1o4s for <users@tomcat.apache.org>;
	Wed,  3 Feb 2016 18:50:36 +0000 (UTC)
Received: from thor.wissensbank.com (thor.wissensbank.com [81.169.250.120])
	by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with
 ESMTP id C416D31AA9
	for <users@tomcat.apache.org>; Wed,  3 Feb 2016 18:50:35 +0000 (UTC)
Received: from thor.wissensbank.com (localhost [127.0.0.1])
	by thor.wissensbank.com (Postfix) with ESMTP id 81E8815A60A77
	for <users@tomcat.apache.org>; Wed,  3 Feb 2016 19:50:35 +0100 (CET)
Received: by thor.wissensbank.com (Postfix, from userid 500)
	id 6E40315A60A78; Wed,  3 Feb 2016 19:50:35 +0100 (CET)
Received: from [192.168.245.100] (8.150.14.62.static.jazztel.es [62.14.150.8])
	(Authenticated sender: andre.warnier@ice-sa.com)
	by thor.wissensbank.com (Postfix) with ESMTPA id 9E28915A60A77
	for <users@tomcat.apache.org>; Wed,  3 Feb 2016 19:50:34 +0100 (CET)
From: =?UTF-8?Q?Andr=c3=a9_Warnier_=28tomcat=29?= <aw@ice-sa.com>
Subject: Re: Http 403: access to requested resource denied
To: users@tomcat.apache.org
References: 
 <CAPFWp9q7H-m6Xn+A+MYEZiBcU8QQgHkvjYeRyXsn9-kwbywrnQ@mail.gmail.com>
 <CAPFWp9p2ArJ7U7guj5h42O_oTX8inhtzp=dAUpEUbLwtN9TTsw@mail.gmail.com>
 <56B2268F.3070909@verizon.net>
 <CAPFWp9oJatjaP0S3fTQSkznGmYL5i-d=0p0atMO3mYRi7u5vgA@mail.gmail.com>
 <56B22CBA.6070208@yahoo.com>
 <CAPFWp9pwkqU7+NvnW6t6VAMr1CgzCeWWa6H995ffFs1Fs1ZDjQ@mail.gmail.com>
 <56B23BC7.4010901@verizon.net>
 <CAPFWp9o-Nw9=P7YGEk4ObZV4BiaxQ36YMOT8KWSRgq4O+r=CuQ@mail.gmail.com>
 <56B241D2.7070702@verizon.net>
Message-ID: <56B24BF9.2030108@ice-sa.com>
Date: Wed, 3 Feb 2016 19:50:33 +0100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <56B241D2.7070702@verizon.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP

On 03.02.2016 19:07, David kerber wrote:
> On 2/3/2016 12:50 PM, prashant sharma wrote:
>> On 3 Feb 2016 17:42, "David kerber" <dckerber@verizon.net> wrote:
>>>
>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>
>>>> On 3 Feb 2016 16:38, "Mark Eggers" <its_toasted@yahoo.com.invalid> wrote:
>>>>>
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Quick note - please post at the bottom or inline.
>>>>>
>>>>> See item 6 of the Tomcat users mailing list here:
>>>>> http://tomcat.apache.org/lists.html
>>>>>
>>>>> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>
>>>>>> That's true. But we are not doing any authn/authz in our
>>>>>> application. Its just a simple webapp that exposes 1 endpoint (put
>>>>>> method). Any body should be able to hit that end point.
>>>>>>
>>>>>> It works fine if I place my war outside tomcat installation
>>>>>> directory and create a context from Catalina/localhost. But if I
>>>>>> place my war inside webapps then it gives http 403 when I hit my
>>>>>> endpoint.
>>>>>>
>>>>>> Regards, Prashant
>>>>>>
>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber"
>>>>>> <dckerber@verizon.net> wrote:
>>>>>>
>>>>>>> 403 is an authentication/authorization error, which means the
>>>>>>> logged-in user doesn't have permissions to the requested
>>>>>>> resource.
>>>>>>>
>>>>>>>
>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>
>>>>>>>> Hi, Can someone pls provide any inputs on below. Thanks
>>>>>>>>
>>>>>>>> Regards, Prashant
>>>>>>>>
>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant sharma"
>>>>>>>> <pacificmist.0900@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on windows 7. I
>>>>>>>>> have deployed a simple web application inside tomcat webapps
>>>>>>>>> folder by placing the war file directly in webapps. This is a
>>>>>>>>> basic application which exposes an endpoint with put request
>>>>>>>>> method.
>>>>>>>>>
>>>>>>>>> When I try to access this endpoint I get 403 access forbidden
>>>>>>>>> error.
>>>>>>>>>
>>>>>>>>> However If I place war file outside tomcat  and point it by
>>>>>>>>> creating context.xml in conf/Catalina/localhost I am able to
>>>>>>>>> access my endpoint.
>>>>>>>>>
>>>>>>>>> Can someone pls tell what's wrong with the first approach and
>>>>>>>>> why its not working in that
>>>>>>>>>
>>>>>>>>> Regards, Prashant
>>>>>>>>>
>>>>>>>>> 07440456543
>>>>>
>>>>>
>>>>> With your put method, are you trying to write to a file within the web
>>>>> application?
>>>>>
>>>>> . . . just my two cents
>>>>
>>>> This put method updates a record in database.
>>>> The same webapp(endpoint) works when I place war outside tomcat.
>>>
>>>
>>> Check the permissions on the directories where you are placing the .war
>> file.
>> .war file is places under tomcat webapps folder.
>
> Yes, I know.  You need to check the permissions that are set on that directory.
>

If that is really what is happening, maybe some warnings are in order here :
1) from a security point of view, it does not seem to me a very good idea to allow a PUT 
to add (or overwrite) files in the webapps directory. What if someone uses this to upload 
a malicious webapp there ?
2) from a portability point of view, the webapps directory is not guaranteed to be 
writeable. It may not even be a filesystem.

Maybe there is something more subtle going on here :
Have a look at the HTTP RFC and its description of a PUT : 
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
I am not saying that that /is/ how the actual code works, but in function of that 
description, it seems to me that a webserver would be entitled to map the given PUT URI 
into the "URI space", and from there into the filesystem, and check if that filesystem 
location is indeed writeable.
In any case, it seems to me dubious to use a PUT, to update a record in a database.
A POST would probably be more appropriate here.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org