On 30.08.2017 22:46, Dan Rabe wrote:
I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a 
root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).

I added the rewrite valve to my server.xml, and I put my rewrite.config in 
conf/Catalina/localhost.

This all works great IF I create an empty “ROOT” directory in webapps. If I 
remove the ROOT directory, though, accessing /foo just gives me a 404.

Questions:

   1.  Is this by design, or is this a bug? (If it’s by design, then some 
additional notes in the documentation would be helpful).
   2.  If in fact I do need to have the ROOT webapp, what security precautions 
should I take?

The same as you take with any other webapp. There is nothing really special about the ROOT webapp, except that it responds to the URI "/", but is located under (catalina_base)/webapps/ROOT/. You can replace this easily with your own application, which will then respond to a request for "/". See:
https://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F

Security guides such as https://www.owasp.org/index.php/Securing_tomcat recommend removing the ROOT webapp, but without providing reasons or rationale.

Indeed there is no particular reason (in terms of security). The only "reason" which I can think of, is that the standard distribution of tomcat (from https://tomcat.apache.org) includes a default ROOT webapp with some information page and a few links, and you probably don't want to provide /this/ application as the default application on a productive website (you would probably want yours instead). But I would imagine that the tomcat developers do not provide there, by default, an application which has (known) security issues.

Mmm, I just realised that I am in fact just repeating what a small section of this page is already saying:
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#ROOT
(and by the way, that same page provides a whole series of tips regarding tomcat security, and it does provide reasons for each such tip).
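As an added example (my own, not code from the thread or from Tomcat), a POSIX shell script that creates the two pieces the setup above needs besides the RewriteValve declaration in server.xml: an empty ROOT placeholder that gives Tomcat a context for "/", and the Host-level rewrite.config in conf/Catalina/localhost. The exact rule text, the CATALINA_BASE argument and the audit check are my assumptions.

```shell
#!/bin/sh
# The valve itself is declared by hand inside <Host> in server.xml
# (not written by this script):
#   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
# rewrite.config for that Host lives in conf/<Engine>/<Host>/, which for the
# stock Engine "Catalina" and Host "localhost" is conf/Catalina/localhost/.
set -eu

setup_root_placeholder() {
    base="$1"   # CATALINA_BASE (assumed argument)
    # 1. An empty ROOT context, as in the question: it serves nothing itself,
    #    it only exists so that requests for "/..." map to a context.
    mkdir -p "$base/webapps/ROOT"
    # 2. The rewrite rule (mod_rewrite-like syntax understood by RewriteValve);
    #    the rule below is a constructed example matching the thread's URLs.
    mkdir -p "$base/conf/Catalina/localhost"
    cat > "$base/conf/Catalina/localhost/rewrite.config" <<'EOF'
RewriteRule ^/foo$ /mywebapp/bar [L]
EOF
}

# Audit helper: returns 0 when webapps/ROOT exists and contains no files at all,
# i.e. it is a bare placeholder and not the distribution's information page
# that the security how-to recommends removing. Returns 1 otherwise.
root_is_placeholder() {
    base="$1"
    [ -d "$base/webapps/ROOT" ] || return 1
    first_file=$(find "$base/webapps/ROOT" -type f | head -n 1)
    [ -z "$first_file" ]
}
```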

