On 2/22/23 9:23 AM, Mark Thomas wrote:
Alternatively, you can use denyStatus="404" on the RemoteAddrValve. That attribute should be available in all versions of all currently supported Tomcat releases (it was added back in 2011). You can set it to any value valid for use with HttpServletResponse.sendError(int).
Now that the customer's Tomcat server has had its nightly restart, I see that adding
denyStatus="404"
to the RemoteAddrValve does indeed give me a 404 page. But it's a 404 page that still admits to the *existence* of a manager context.
I note that if I give it a manifestly nonexistent webapp context, e.g., "/foobar," I get a default 404 page. But if I simply rename /manager/WEB-INF/jsp/404.jsp to 404.jsp.bak, and I (without waiting for a Tomcat restart) go to the manager from an unauthorized URL, I get *nothing* -- in Firefox, I get a blank page, and in Chrome, I get a Chrome-generated message that there is nothing there.
Is there a way, short of manually duplicating the default 404 page, that I can have /manager look *exactly* like /foobar to an unauthorized requester?
(Or would waiting for the next scheduled Tomcat restart, with the manager's 404 page renamed, give me that result?)
-- JHHL --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
