Public bug reported:

All context configuration files at
https://salsa.debian.org/java-team/tomcat9/-/tree/master/debian/context
for Apache Tomcat's built-in admin applications (as well as for /docs
and /examples) contain a `path`
attribute, which shall specify the webapp's URL context path. However,
according to Apache Tomcat's documentation, this attribute must only be
used when statically defining a context in server.xml. In all other
circumstances, the path will be inferred from the filenames used for
either the .xml context file or the docBase
(https://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Common_Attributes).

As of Apache Tomcat 9.0 (since 2018-02-27) a warning message is logged,
stating that the path specified in context.xml has been ignored:

The path attribute with value [/manager] in deployment descriptor
[/etc/tomcat9/Catalina/localhost/manager.xml] has been ignored

In order to get rid of those warning log messages (one for each
application), the superfluous path attribute should be removed.

The context configuration files of the admin applications (manager.xml
and host-manager.xml) that are actually installed in
/etc/tomcat9/Catalina/localhost/ are significantly different to the
corresponding original context.xml files. The latter limit access to
127.0.0.1 and also set up a sessionAttributeValueClassNameFilter suitable
for use with CSRF Prevention Filter, which is added to these two apps in
web.xml.

Not limiting access to localhost may be intentional for Debian/Ubuntu,
but setting the Manager's sessionAttributeValueClassNameFilter
accordingly may be a good idea in order to make session persistence work
correctly with CSRF Prevention Filter (which must store complex values
(like (Linked)?HashMaps) in the session's attributes).

Source package: tomcat9 (9.0.31-1)

** Affects: tomcat9 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892524

Title:
  Issues with context configuration of intrinsic web applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1892524/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
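
The three points raised in the report (the ignored `path` attribute, the missing localhost restriction and the missing sessionAttributeValueClassNameFilter) can be checked mechanically per descriptor. The following is an added example, not code from the reporter, the tomcat9 package or Apache Tomcat; both XML samples are constructed, with a placeholder docBase and placeholder regex values, and the finding codes are hypothetical names. The RemoteAddrValve finding is informational, since the report notes that leaving it out may be intentional.

```python
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def inferred_path(filename):
    """Context path Tomcat derives from a descriptor's file name."""
    base = filename.rsplit("/", 1)[-1]
    if base.endswith(".xml"):
        base = base[:-4]
    base = base.split("##", 1)[0]  # drop an optional ##version suffix
    return "" if base == "ROOT" else "/" + base.replace("#", "/")

def audit_context(filename, xml_text):
    """Return (code, detail) findings for one context descriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    path = root.get("path")
    if path is not None:
        findings.append(("path-ignored",
                         f"path={path!r} is ignored; Tomcat uses {inferred_path(filename)!r}"))
    if not any(v.get("className") == REMOTE_ADDR_VALVE for v in root.iter("Valve")):
        findings.append(("no-remote-addr-valve", "access is not limited by client address"))
    if not any(m.get("sessionAttributeValueClassNameFilter") for m in root.iter("Manager")):
        findings.append(("no-session-attribute-filter",
                         "no Manager element sets sessionAttributeValueClassNameFilter"))
    return findings

# Constructed samples (placeholder docBase and regex values).
PACKAGED_STYLE = ('<Context path="/manager" docBase="/opt/example/manager" '
                  'antiResourceLocking="false" privileged="true" />')
UPSTREAM_STYLE = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.String|java\.util\.(?:Linked)?HashMap" />
</Context>"""

if __name__ == "__main__":
    name = "/etc/tomcat9/Catalina/localhost/manager.xml"
    for label, text in (("packaged-style", PACKAGED_STYLE), ("upstream-style", UPSTREAM_STYLE)):
        for code, detail in audit_context(name, text):
            print(f"{label}: {code}: {detail}")
```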