Christopher Schultz wrote:
Adrián,
On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
Thank you, André. I know this "Warning", but I want to serve static
content with Apache web server and dynamic content with Tomcat.
You can still do that without setting the DocumentRoot to your appbase.
Try this:
GET http://localhost/Andromeda/META-INF/context.xml
(or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
- it's really hard to understand what your appbase really is).
If you have a container-managed db connection pool, you are more than
likely to have your database username and password in that file, which
is now publicly accessible via HTTP. Pwned.
(The web application contains only links to other pages in the same
application. It is a test application to learn.)
You should learn to do things properly. I'm not trying to be nasty, but
you should try to get in the habit of doing things securely even when
they are toys. That way you won't forget to do it when it really matters.
+1
In addition, the way you have things set up, it is really difficult to help, because we
cannot be sure of which server is serving what.
In those conditions, with those settings, if a user enters
http://localhost/Andromeda, he gets the "*index.jsp*" page in the
WebContent directory.
That's surprising, given your configuration.
So, I think Tomcat is serving that content.
Yes, if the tags are being evaluated and you're not just getting the
source code.
Do you think Apache is serving "index.jsp" file content?
Can't tell, you didn't show us any of that.
+1
In addition again, it may be serving /that/ file, but what about any links that may be
*contained* in that file? Perhaps there are none, but perhaps there is a link inside
(to an image, or an iframe, e.g.) which ends up being served by Apache, and which is the
reason for the blank page.
The main point again : it is *possible* to configure things the way you have done, and to
nevertheless avoid security holes and other issues. But it is *hard*, and any mistake can
compromise your server, or lead to errors difficult to debug.
(For example, you also allow Symlinks, which may confuse things yet a bit more).
You should give Apache a different DocumentRoot, not your Tomcat webapps
directory.
(And maybe put a single html page in it, which should never appear, and if it does
you will know something is wrong).
Then you should use both
JkMount /Andromeda worker1
JkMount /Andromeda/* worker1
(because they do not overlap)
Then, later, if you want Apache to be serving something directly instead of forwarding it
to Tomcat, you should look up the JkUnMount directive, and do it selectively.
Or use something like
SetEnvIf Request_URI "\.jpg$" no-jk
Or you could look at an alternative way to specify what needs to be forwarded, which I
personally find more flexible and more Apache-like than JkMount/unMount :
See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
The section "Using SetHandler and Environment Variables"
Now, if you really want to know what is serving what (and learn other interesting things
besides about HTTP) install a browser plugin like HttpFox (for Firefox) or Fiddler2 (for
IE). These plugins allow you to see the contents of each packet sent by the browser to
the server, and from the server to the browser, including the HTTP headers and all.
The mod_jk logging is also a tool, but it will only show the traffic between Apache and
Tomcat, not what Apache serves directly.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
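The two checks discussed in the thread (does a GET for META-INF/context.xml come back with a 200, and does index.jsp come back rendered or as raw source?) are easy to script. The following is an added example, not code from the thread or from the Tomcat project. It assumes the base URL http://localhost and the application name Andromeda from the thread, and the verdict names and helper functions are the example's own. Tomcat itself answers 404 for anything under /META-INF/ and /WEB-INF/, so a 200 on those paths means Apache is reading the webapp directory straight off disk instead of forwarding to the worker.

```python
"""Probe an Apache httpd + mod_jk front end for Tomcat webapp files that
must never be served directly (added example; names are assumptions)."""
import sys
import urllib.error
import urllib.request

# Paths the Servlet spec forbids serving to clients. Tomcat returns 404 for
# them on its own, so a 200 here means httpd is serving the directory itself.
PROTECTED = ("META-INF/context.xml", "WEB-INF/web.xml")


def probe_urls(base, app):
    """Build the URLs to request for one webapp (e.g. base='http://localhost',
    app='Andromeda', both assumed from the thread)."""
    base = base.rstrip("/")
    urls = [f"{base}/{app}/{p}" for p in PROTECTED]
    urls.append(f"{base}/{app}/index.jsp")
    return urls


def classify(url, status, body):
    """Turn one response into a verdict string.

    protected path, 200        -> 'EXPOSED'     (httpd serves the appBase)
    protected path, 403/404    -> 'OK'
    index.jsp with JSP tags    -> 'RAW_JSP'     (httpd served the file as text,
                                                 Tomcat never saw the request)
    index.jsp without JSP tags -> 'RENDERED'    (Tomcat evaluated the page)
    status 0                   -> 'UNREACHABLE' (connection failed)
    """
    if status == 0:
        return "UNREACHABLE"
    if any(url.endswith(p) for p in PROTECTED):
        return "EXPOSED" if status == 200 else "OK"
    if url.endswith(".jsp"):
        if status != 200:
            return f"HTTP_{status}"
        if "<%" in body or "<jsp:" in body:
            return "RAW_JSP"
        return "RENDERED"
    return f"HTTP_{status}"


def fetch(url, timeout=5):
    """GET url and return (status, body); status 0 if the connection failed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


def main(argv):
    base = argv[1] if len(argv) > 1 else "http://localhost"
    app = argv[2] if len(argv) > 2 else "Andromeda"
    findings = 0
    for url in probe_urls(base, app):
        status, body = fetch(url)
        verdict = classify(url, status, body)
        print(f"{verdict:11} {status:3} {url}")
        if verdict in ("EXPOSED", "RAW_JSP"):
            findings += 1
    # Non-zero exit if anything is wrong, so it can sit in a deployment check.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py http://localhost Andromeda` against the front-end port (not Tomcat's 8080). An EXPOSED line on context.xml is exactly the "Pwned" case above; a RAW_JSP line on index.jsp tells you Apache, not Tomcat, answered that request, which the browser alone will not make obvious.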