Thank you, André. I know this "Warning", but I want to serve static content with Apache web server and dynamic content with Tomcat. (The web application contains only links to other pages in the same application. It is a test application to learn.)
In those conditions, with those settings, if a user enters http://localhost/Andromeda, he gets the "*index.jsp*" page in the WebContent directory. So, I think Tomcat is serving that content. Do you think Apache is serving "index.jsp" file content?

Anyway, I will try removing the trailing "/". (I know the security issues, but I'm using this application in my local network in order to learn only.)

Thank you, very much.

--
[Adrián Córdoba]

2011/7/21 André Warnier <a...@ice-sa.com>

> Addendum :
> This, which I missed earlier, is of course also a no-no, for the same
> reasons as explained earlier :
> DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
>
> see the remark in red here :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
> André Warnier wrote:
>
>> Adrián Córdoba wrote:
>> ...
>>
>>> JkMount /Andromeda/* worker1
>>> <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>>> Options Indexes FollowSymLinks
>>> AllowOverride None
>>> Order allow,deny
>>> Allow from all
>>> </Directory>
>>> </VirtualHost>
>>> ---------------------------------------------------------
>>>
>> ...
>>
>>> May be, I have a configuration mistake.
>>>
>> Yes, a big one above.
>> Whether it is the cause of your problem, I am not quite sure yet (but it
>> could be).
>> It is bad anyway, because you are allowing Apache users, potentially, to
>> bypass Tomcat and to access the Tomcat application directory directly.
>> So, again potentially, if a user manages to access the directory
>> "/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and
>> without going through Tomcat, then anything that you did in Tomcat to
>> protect access to that directory is useless.
>>
>> And that is probably the case here :
>>
>> Say a user enters the URL "http://ASIA/Andromeda" in his browser, and the
>> browser requests that URL. What happens ?
>> Apache will compare that URL (the part after the host) with the JkMount
>> instruction.
>> The request URL is "/Andromeda", which is compared to the URL in the
>> JkMount "/Andromeda/*".
>> It does not match, since the request URL is missing the trailing "/" of
>> the expression in the JkMount.
>> So Apache does not forward this request to Tomcat, but handles it itself.
>> After a few more steps in Apache, finally Apache comes to this directory
>> "/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document
>> to serve.
>> Since no document is specified in the URL, Apache will use the one
>> specified in the relevant "DirectoryIndex" directive. That may be, for
>> instance, "index.html" or similar.
>> And it will serve it according to its own permissions settings, which here
>> are :
>>> Allow from all
>> (so anyone can get anything, without access control)
>>
>> It is a bit difficult, not knowing the exact content of your pages, to
>> figure out what the full consequences may be, but maybe it gives you a clue
>> already.
>>
>> In other words,
>> 1) remove the section
>> <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>> from the Apache configuration. It has nothing to do there, because you
>> want Apache to forward these URLs to Tomcat anyway.
>> And it is a security risk (particularly on Windows, but even here).
>>
>> 2) add the following JkMount :
>> JkMount /Andromeda worker1
>> (so that a request for "http://ASIA/Andromeda" will be *also* forwarded
>> to Tomcat.)
>>
>> Then try again, and come back here if you still have a problem.
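An added example, not part of the original thread: a small Python audit for the two problems discussed above, a `JkMount /app/*` with no matching `JkMount /app`, and a `DocumentRoot` or `<Directory>` that points Apache into Tomcat's webapps tree. Both sample configurations are constructed from the directives quoted in the thread; `/var/www/static` and the function names are assumptions, and the check also accepts mod_jk's `/app|/*` shorthand, which the thread does not mention.

```python
import re

# Constructed sample built from the directives quoted in the thread.
THREAD_CONF = '''
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
JkMount /Andromeda/* worker1
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
'''

# Constructed corrected variant; /var/www/static is an assumed static-content path.
FIXED_CONF = '''
DocumentRoot /var/www/static
JkMount /Andromeda worker1
JkMount /Andromeda/* worker1
'''

def jk_mounts(conf):
    """Collect the URL patterns that JkMount lines forward to Tomcat."""
    patterns = set()
    for m in re.finditer(r'^\s*JkMount\s+(\S+)\s+\S+', conf, re.M | re.I):
        pat = m.group(1)
        if '|' in pat:  # mod_jk shorthand: /app|/* stands for /app and /app/*
            base, rest = pat.split('|', 1)
            patterns.update({base, base + rest})
        else:
            patterns.add(pat)
    return patterns

def audit(conf, webapps_dir):
    """Return findings for uncovered context roots and exposed webapps paths."""
    findings = []
    mounts = jk_mounts(conf)
    for pat in sorted(mounts):
        bare = pat[:-2]
        if pat.endswith('/*') and bare and bare not in mounts:
            findings.append(f'{bare} is not matched by JkMount {pat}; Apache handles it itself')
    root = webapps_dir.rstrip('/')
    for m in re.finditer(r'^\s*(DocumentRoot|<Directory)\s+"?([^">\s]+)', conf, re.M | re.I):
        path = m.group(2).rstrip('/')
        if path == root or path.startswith(root + '/'):
            findings.append(f'{m.group(1).lstrip("<")} {path} lets Apache read Tomcat webapps directly')
    return findings

if __name__ == '__main__':
    for finding in audit(THREAD_CONF, '/opt/apache-tomcat-7.0.12/webapps'):
        print('FINDING:', finding)
```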