Mark,

On 8/30/17 5:03 PM, Mark Thomas wrote:
> On 30/08/17 21:46, Dan Rabe wrote:
>> I’m using Tomcat 8.5.20, trying to use the rewrite valve to
>> rewrite a root-level URL (/foo) to a URL in my webapp
>> (/mywebapp/bar).
>>
>> I added the rewrite valve to my server.xml, and I put my
>> rewrite.config in conf/Catalina/localhost.
>>
>> This all works great IF I create an empty “ROOT” directory in
>> webapps. If I remove the ROOT directory, though, accessing /foo
>> just gives me a 404.
>>
>> Questions:
>>
>> 1. Is this by design, or is this a bug? (If it’s by design, then
>> some additional notes in the documentation would be helpful).
>
> It is by design. See section 12.1 of the Servlet 3.1
> specification. Particularly the first paragraph.
>
> The Tomcat docs deliberately try to avoid repeating information
> that is in the Servlet specification.
>
>> 2. If in fact I do need to have the ROOT webapp, what security
>> precautions should I take? Security guides such as
>> https://www.owasp.org/index.php/Securing_tomcat recommend
>> removing the ROOT webapp, but without providing reasons or
>> rationale.
>
> Yes, it would help if OWASP explained their rationale.

I believe the OWASP rationale is that Tomcat ships with a ("welcome to
Tomcat") ROOT web app that is simply unnecessary, and unnecessary things
should be removed from production systems. They obviously aren't
explaining that there is nothing wrong with having *a* ROOT webapp...
it's just that the *default* ROOT webapp should be removed for
production.

> The simplest, and safest, approach would be to deploy your own,
> completely empty ROOT web application (just a dir named "ROOT" in
> webapps will be fine). Tomcat will handle the 404 for you in that
> case.

Our production builds always include a generated ROOT webapp that
includes absolutely nothing other than a trivial WEB-INF/web.xml. This
allows Tomcat to return a 404 response instead of a "400 Bad Request"
for any requests that don't map to a valid context path.

(Aside: I think it's probably not appropriate for Tomcat to return 400
in these cases... if the URL can't be mapped to a context, that should
be a 404 response, not a 400, since the request itself was valid.)

-chris
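As an added example that is not part of this thread (it is neither Chris's nor Mark's nor the Tomcat project's own code): a small POSIX shell script that builds the deliberately empty ROOT webapp described above, writes the Host-level rewrite.config for the /foo to /mywebapp/bar mapping from Dan's question, and checks that nothing beyond WEB-INF/web.xml ended up in ROOT. The CATALINA_BASE default of /opt/tomcat is a placeholder, and the minimal web.xml content is my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Creates an intentionally empty ROOT web application so that requests
# which map to no context get a clean 404, and a Host-level
# rewrite.config mapping /foo to /mywebapp/bar.
# Assumes CATALINA_BASE points at the Tomcat instance; /opt/tomcat below
# is a placeholder default.

make_empty_root() {
  base="${1:-${CATALINA_BASE:-/opt/tomcat}}"
  mkdir -p "$base/webapps/ROOT/WEB-INF"
  # Servlet 3.1 descriptor with no servlets, filters, or welcome files.
  cat > "$base/webapps/ROOT/WEB-INF/web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <!-- intentionally empty: no servlets, no JSPs, no default content -->
</web-app>
EOF
}

make_rewrite_config() {
  base="${1:-${CATALINA_BASE:-/opt/tomcat}}"
  # conf/Catalina/localhost/rewrite.config applies to the "localhost" Host
  # when the RewriteValve is declared inside that <Host> in server.xml.
  mkdir -p "$base/conf/Catalina/localhost"
  cat > "$base/conf/Catalina/localhost/rewrite.config" <<'EOF'
# Host-level rewrite: /foo -> /mywebapp/bar (the mapping from the thread)
RewriteRule ^/foo$ /mywebapp/bar [L]
EOF
}

# Check: the ROOT webapp must contain nothing besides WEB-INF/web.xml.
# Returns 0 if so, 1 if any other file (index.jsp, sample pages, ...) is
# present, which would mean the default ROOT content was not removed.
root_is_empty() {
  base="${1:-${CATALINA_BASE:-/opt/tomcat}}"
  extra=$(find "$base/webapps/ROOT" -type f ! -path '*/WEB-INF/web.xml' | wc -l | tr -d ' ')
  [ "$extra" -eq 0 ]
}
```

The valve itself is declared in server.xml inside the `<Host>` element as `<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />`; with that in place, the rewrite.config written above is read from conf/Catalina/localhost. Because the empty ROOT context owns "/", any path that matches no rule and no other context is answered by ROOT's default servlet with a 404, and since ROOT holds nothing but the descriptor, there are no sample pages or version banners to expose. The root_is_empty check is the kind of assertion worth running in a deployment pipeline to catch a stray index.jsp being copied back in.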