I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).
I added the rewrite valve to my server.xml, and I put my rewrite.config in conf/Catalina/localhost. This all works great IF I create an empty “ROOT” directory in webapps. If I remove the ROOT directory, though, accessing /foo just gives me a 404. Questions: 1. Is this by design, or is this a bug? (If it’s by design, then some additional notes in the documentation would be helpful). 2. If in fact I do need to have the ROOT webapp, what security precautions should I take? Security guides such as https://www.owasp.org/index.php/Securing_tomcat recommend removing the ROOT webapp, but without providing reasons or rationale. Thank you! --Dan Rabe
