tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Apache http / tomcat connectors - source code of web-page is displayed rather than web-page
Date Thu, 05 Jul 2018 08:31:38 GMT
Hi.

I have not looked through all of your configuration lines, but I believe that the problem is first of all this line:

On 05.07.2018 09:18, Sandels Mark (RTH) OUH wrote:
> DocumentRoot "C:\Program Files (x86)\apache-tomcat-9.0.6\webapps"

That means essentially that you are allowing the Apache httpd front-end to access your entire tomcat web applications pages directory directly, without going through tomcat.
And Apache httpd, when it serves one of these pages to a browser requesting it, has absolutely no idea that one of these *files* located in that directory or below, may be a java jsp page, some highly confidential file located in a WEB-INF directory, or whatever, and it just returns the content of these files unfiltered to the browser.

That is the default that you get with that DocumentRoot line.
So, *unless* you later contradict/override this by some other configuration line somewhere else in the configuration, the above is what will happen.
It is thus an extremely unsafe way of configuring Apache httpd in a front-end-to-tomcat scenario, because anything that you forget to remap later explicitly to tomcat, will be served by Apache httpd, without tomcat knowing anything about it.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
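
An added example, not part of the original message or of any Apache project code: a small audit check that scans httpd configuration text for DocumentRoot, Alias or ScriptAlias paths that overlap Tomcat's webapps directory, the condition described in the message above. The function name, the sample configuration and the assumption of Windows-style paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed httpd.conf excerpt; line 3 is the DocumentRoot quoted in the message.
SAMPLE_CONF = r'''
ServerName example.test
DocumentRoot "C:\Program Files (x86)\apache-tomcat-9.0.6\webapps"
Alias /static "C:\www\static"
# DocumentRoot "C:\old\webapps"
Alias /app "c:/program files (x86)/apache-tomcat-9.0.6/webapps/app"
'''

# httpd directives that map URLs straight onto a filesystem path,
# with the position of the path argument on the line.
PATH_ARG = {"documentroot": 1, "alias": 2, "scriptalias": 2}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def exposed_mappings(conf_text, webapps_dir):
    """Return (line_no, directive, path) for every mapping that lets httpd
    read files in Tomcat's webapps tree itself, bypassing Tomcat."""
    # Assumption: Windows paths, compared case-insensitively.
    webapps = PureWindowsPath(webapps_dir.lower())
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        tokens = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        idx = PATH_ARG.get(tokens[0].lower()) if tokens else None
        if idx is None or len(tokens) <= idx:
            continue
        path = PureWindowsPath(tokens[idx].lower())
        # Unsafe when the path is webapps, lies below it, or contains it.
        if path == webapps or webapps in path.parents or path in webapps.parents:
            findings.append((line_no, tokens[0], tokens[idx]))
    return findings


if __name__ == "__main__":
    tomcat_webapps = r"C:\Program Files (x86)\apache-tomcat-9.0.6\webapps"
    for line_no, directive, path in exposed_mappings(SAMPLE_CONF, tomcat_webapps):
        print(f"line {line_no}: {directive} exposes Tomcat files via httpd: {path}")
```

The check reads the main configuration text only; files pulled in with Include would each need to be passed through it as well.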

