Addendum:
This, which I missed earlier, is of course also a no-no, for the same reasons as explained
earlier:
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
see the remark in red here:
http://tomcat.apache.org/connectors-doc/reference/apache.html
André Warnier wrote:
Adrián Córdoba wrote:
...
JkMount /Andromeda/* worker1
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
---------------------------------------------------------
...
Maybe I have a configuration mistake.
Yes, a big one above.
Whether it is the cause of your problem, I am not quite sure yet (but it
could be).
It is bad anyway, because you are allowing Apache users, potentially, to
bypass Tomcat and to access the Tomcat application directory directly.
So, again potentially, if a user manages to access the directory
"/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and without
going through Tomcat, then anything that you did in Tomcat to protect
access to that directory is useless.
And that is probably the case here:
Say a user enters the URL "http://ASIA/Andromeda" in his browser, and
the browser requests that URL. What happens?
Apache will compare that URL (the part after the host) with the JkMount
instruction.
The request URL is "/Andromeda", which is compared to the URL in the
JkMount "/Andromeda/*".
It does not match, since the request URL is missing the trailing "/" of
the expression in the JkMount.
So Apache does not forward this request to Tomcat, but handles it itself.
After a few more steps in Apache, finally Apache comes to this directory
"/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document
to serve.
Since no document is specified in the URL, Apache will use the one
specified in the relevant "DirectoryIndex" directive. That may be, for
instance, "index.html" or similar.
And it will serve it according to its own permissions settings, which
here are:
> Allow from all
(so anyone can get anything, without access control)
It is a bit difficult, not knowing the exact content of your pages, to
figure out what the full consequences may be, but maybe it gives you a
clue already.
In other words,
1) remove the section
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
from the Apache configuration. It has nothing to do there, because you
want Apache to forward these URLs to Tomcat anyway.
And it is a security risk (particularly on Windows, but even here).
2) add the following JkMount :
JkMount /Andromeda worker1
(so that a request for "http://ASIA/Andromeda" will be *also* forwarded
to Tomcat.)
Then try again, and come back here if you still have a problem.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
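The routing argument in the reply above (a request for "/Andromeda" does not match "JkMount /Andromeda/*", so Apache handles it itself and goes looking under its DocumentRoot) can be checked mechanically. The following is an added model written for this page, not mod_jk's own code and not anything from the original thread: it reproduces the documented JkMount matching rules as assumed here (a literal "*" wildcard that also spans "/", no leniency about a missing trailing slash, and the "/app|/*" shorthand for mounting both "/app" and "/app/*"), routes a few constructed request URIs against the poster's mount table before and after the suggested fix, and reports which requests Apache would resolve to a path inside the Tomcat webapps tree when DocumentRoot points there as in the addendum. JkOptions, URI normalisation and the <Directory> permission check that would follow are deliberately left out; "/var/www/html" is a hypothetical alternative DocumentRoot used only for comparison.

```python
"""Model of how a JkMount table splits requests between Tomcat and Apache.

Added illustration for the thread above; this is NOT mod_jk's code.  The
matching rules below are an assumption based on the documented JkMount
semantics: '*' matches any run of characters (including '/'), there is no
trailing-slash leniency, and '/app|/*' is shorthand for '/app' and '/app/*'.
"""
import re
from posixpath import normpath

# Paths taken from the thread itself.
TOMCAT_WEBAPPS = "/opt/apache-tomcat-7.0.12/webapps"
DOCROOT = "/opt/apache-tomcat-7.0.12/webapps/"        # the DocumentRoot from the addendum

ORIGINAL_MOUNTS = ["/Andromeda/*"]                    # what the poster had
FIXED_MOUNTS = ["/Andromeda/*", "/Andromeda"]         # after adding the second JkMount
SHORTHAND_MOUNTS = ["/Andromeda|/*"]                  # same result with the '|' shorthand


def expand_mount(pattern):
    """Expand the 'a|b' shorthand: '/app|/*' -> ['/app', '/app/*']."""
    if "|" in pattern:
        head, tail = pattern.split("|", 1)
        return [head, head + tail]
    return [pattern]


def mount_matches(pattern, uri):
    """Literal match with '*' as 'any characters'; nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, uri) is not None


def route(uri, mounts):
    """'tomcat' if some JkMount pattern matches the URI path, else 'apache'."""
    for pattern in mounts:
        if any(mount_matches(p, uri) for p in expand_mount(pattern)):
            return "tomcat"
    return "apache"


def apache_path(uri, document_root):
    """Filesystem path Apache would map a request to when it handles it itself."""
    return normpath(document_root + "/" + uri.split("?", 1)[0])


def exposes_tomcat_files(uri, mounts, document_root, webapps=TOMCAT_WEBAPPS):
    """True when Apache, not Tomcat, would resolve the request to a path inside
    Tomcat's webapps tree.  Whether a <Directory> block then lets the file out
    is a separate check that this model does not perform."""
    if route(uri, mounts) != "apache":
        return False
    path = apache_path(uri, document_root)
    return path == webapps or path.startswith(webapps + "/")


def audit(mounts, document_root=DOCROOT):
    """Route a set of constructed request URIs (not taken from the thread) and
    report (handler, resolves-inside-webapps) for each."""
    uris = [
        "/Andromeda",                   # the URL the reply discusses
        "/Andromeda/",
        "/Andromeda/index.jsp",
        "/Andromeda/WEB-INF/web.xml",
        "/OtherApp/WEB-INF/web.xml",    # a second webapp with no JkMount at all
        "/",
    ]
    return {u: (route(u, mounts), exposes_tomcat_files(u, mounts, document_root))
            for u in uris}


if __name__ == "__main__":
    for label, mounts in (("original", ORIGINAL_MOUNTS), ("fixed", FIXED_MOUNTS)):
        print(f"--- {label} JkMount table, DocumentRoot={DOCROOT}")
        for uri, (handler, exposed) in audit(mounts).items():
            flag = "  <-- Apache looks inside Tomcat's webapps" if exposed else ""
            print(f"{uri:32s} -> {handler}{flag}")
```

Running the audit shows the two separate problems the reply and the addendum raise: with the original table "/Andromeda" falls to Apache and resolves to webapps/Andromeda, and the extra JkMount (or the "|" shorthand) fixes exactly that one URL; but as long as DocumentRoot stays at the webapps directory, anything not covered by a JkMount, such as another webapp's WEB-INF, still resolves inside Tomcat's tree, which is why the addendum calls the DocumentRoot setting a no-no on its own.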