Adrián,

On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
> Thank you, André. I know this "Warning", but I want to serve static
> content with Apache web server and dynamic content with Tomcat.

You can still do that without setting the DocumentRoot to your appbase.

Try this:

GET http://localhost/Andromeda/META-INF/context.xml

(or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
- it's really hard to understand what your appbase really is).

If you have a container-managed db connection pool, you are more than
likely to have your database username and password in that file, which
is now publicly accessible via HTTP. Pwned.

> (The web application contains only links to other pages in the same 
> application. It is a test application to learn.)

You should learn to do things properly. I'm not trying to be nasty, but
you should try to get in the habit of doing things securely even when
they are toys. That way you won't forget to do it when it really matters.

> In those conditions, with those settings, if a user enters
> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
> WebContent directory.

That's surprising, given your configuration.

> So, I think Tomcat is serving that content.

Yes, if the tags are being evaluated and you're not just getting the
source code.

> Do you think Apache is serving "index.jsp" file content?

Can't tell, you didn't show us any of that.

> Anyway, I will try removing the trailing "/".

If that points to a directory, both Apache and Tomcat will perform a
redirect and add the "/" so it probably doesn't matter.

> (I know the security issues, but I'm using this application in my
> local network in order to learn only.)

See above.

-chris

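
Added example (not part of the original message or of Tomcat/Apache): a local audit for the misconfiguration discussed above, listing files under an Apache DocumentRoot that sit inside `WEB-INF` or `META-INF` and reporting whether an exposed `context.xml` carries connection-pool credentials. The directory layout, resource name and credential values are constructed for the demonstration; in practice you would pass the path your own DocumentRoot names.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Directories Tomcat refuses to serve directly; Apache has no such rule.
PROTECTED = {"WEB-INF", "META-INF"}

def exposed_files(document_root):
    """URL paths Apache would serve from inside WEB-INF/META-INF directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(document_root):
        rel = os.path.relpath(dirpath, document_root)
        parts = [] if rel == "." else rel.split(os.sep)
        if any(p.upper() in PROTECTED for p in parts):
            hits += ["/" + "/".join(parts + [name]) for name in files]
    return sorted(hits)

def pool_credentials(context_xml):
    """(name, username) of each <Resource> that carries a password attribute."""
    root = ET.parse(context_xml).getroot()
    return [(r.get("name"), r.get("username"))
            for r in root.iter("Resource") if r.get("password")]

def build_sample_tree(base):
    """Constructed layout: DocumentRoot == appBase, holding the Andromeda webapp."""
    app = os.path.join(base, "Andromeda")
    os.makedirs(os.path.join(app, "META-INF"))
    os.makedirs(os.path.join(app, "WEB-INF"))
    samples = {
        "index.jsp": "<html><body>links</body></html>",
        "WEB-INF/web.xml": "<web-app/>",
        "META-INF/context.xml": (  # constructed values, not from the thread
            '<Context><Resource name="jdbc/SampleDB" auth="Container" '
            'type="javax.sql.DataSource" username="sample_user" '
            'password="sample-placeholder"/></Context>'),
    }
    for rel, body in samples.items():
        with open(os.path.join(app, *rel.split("/")), "w") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_tree(docroot)
        for url in exposed_files(docroot):
            print("served by Apache:", url)
            if url.endswith("/context.xml"):
                path = os.path.join(docroot, *url.strip("/").split("/"))
                print("  pool credentials present for:", pool_credentials(path))
```

An empty result from `exposed_files` is what a DocumentRoot holding only static content should produce.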
