Well...

1- I delete the "Directory" section from the httpd.conf file.
2- I add "JkMount /Andromeda worker1" to the virtual host.
3- I add dynamic content to the index.jsp page. So I proved the content is served by Tomcat.

But I have the same problem: I cannot view the content of the protected section of my web application through the Apache web server.
If I access Tomcat directly (skipping httpd), I can see the protected content.

Access log in httpd is:
------------------------------------------------------
::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:41 -0300] "GET /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
------------------------------------------------------

Thank you, very much.
--
[Adrián Córdoba]

2011/7/21 André Warnier <a...@ice-sa.com>

> Christopher Schultz wrote:
>
>> Adrián,
>>
>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>
>>> Thank you, André. I know this "Warning", but I want to serve static
>>> content with Apache web server and dynamic content with Tomcat.
>>
>> You can still do that without setting the DocumentRoot to your appbase.
>>
>> Try this:
>>
>> GET http://localhost/Andromeda/META-INF/context.xml
>>
>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>> - it's really hard to understand what your appbase really is).
>>
>> If you have a container-managed db connection pool, you are more than
>> likely to have your database username and password in that file, which
>> is now publicly accessible via HTTP. Pwned.
>>
>>> (The web application contains only links to other pages in the same
>>> application. It is a test application to learn.)
>>
>> You should learn to do things properly. I'm not trying to be nasty, but
>> you should try to get in the habit of doing things securely even when
>> they are toys. That way you won't forget to do it when it really matters.
>
> +1
> In addition, the way you have things set up, it is really difficult to
> help, because we cannot be sure of which server is serving what.
>
>>> In those conditions, with those settings, if a user enters
>>> http://localhost/Andromeda, he gets the "index.jsp" page in the
>>> WebContent directory.
>>
>> That's surprising, given your configuration.
>>
>>> So, I think Tomcat is serving that content.
>>
>> Yes, if the tags are being evaluated and you're not just getting the
>> source code.
>>
>>> Do you think Apache is serving "index.jsp" file content?
>>
>> Can't tell, you didn't show us any of that.
>
> +1
> In addition again, it may be serving /that/ file, but what about any links
> maybe *contained* in that file. Perhaps there are none, but perhaps also
> there is a link inside (to an image, or an iframe e.g.) which ends up being
> served by Apache, and which is the reason for the blank page.
>
> The main point again: it is *possible* to configure things the way you
> have done, and to nevertheless avoid security holes and other issues. But
> it is *hard*, and any mistake can compromise your server, or lead to errors
> difficult to debug.
> (For example, you also allow Symlinks, which may confuse things yet a bit
> more).
>
> You should give Apache a different DocumentRoot, not your Tomcat webapps
> directory.
> (And maybe put some single html page in it, which should never appear,
> and if it does you will know something is wrong).
>
> Then you should use both
> JkMount /Andromeda worker1
> JkMount /Andromeda/* worker1
> (because they do not overlap)
>
> Then, later, if you want Apache to be serving something directly instead of
> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
> it selectively.
> Or use something like
> SetEnvIf Request_URI "\.jpg$" no-jk
>
> Or you could look at an alternative way to specify what needs to be
> forwarded, which I personally find more flexible and more Apache-like than
> JkMount/unMount:
> See here: http://tomcat.apache.org/connectors-doc/reference/apache.html
> The section "Using SetHandler and Environment Variables"
>
> Now, if you really want to know what is serving what (and learn other
> interesting things besides about HTTP) install a browser plugin like HttpFox
> (for Firefox) or Fiddler2 (for IE). These plugins allow you to see the
> contents of each packet sent by the browser to the server, and from the
> server to the browser, including the HTTP headers and all.
>
> The mod_jk logging is also a tool, but it will only show the traffic
> between Apache and Tomcat, not what Apache serves directly.
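The layout André recommends, written out as an added example that is not from the thread: a separate DocumentRoot, both JkMount lines, a selective JkUnMount (with the SetEnvIf alternative as a comment) for files httpd serves itself, and an explicit deny for the WEB-INF/META-INF paths Christopher warns about. Apache httpd 2.4 syntax, the worker name "worker1" from the thread, and the filesystem paths are assumptions.

```apache
# Added example, not from the thread. Assumes Apache httpd 2.4 syntax,
# mod_jk loaded, a worker "worker1" defined in workers.properties, and
# the invented paths below.

# --- Risky layout from the thread (do NOT do this) -------------------
# DocumentRoot /opt/tomcat/webapps
# <Directory /opt/tomcat/webapps>
#     Options Indexes FollowSymLinks
# </Directory>
# JkMount /Andromeda worker1
# Only "/Andromeda" itself is forwarded; anything below it that no
# JkMount matches (e.g. /Andromeda/META-INF/context.xml) is served as a
# plain file by httpd, bypassing Tomcat's own access rules.

# --- Corrected layout ------------------------------------------------
<VirtualHost *:80>
    ServerName localhost

    # A DocumentRoot that is NOT the Tomcat appBase. Put one placeholder
    # page here; if it ever shows up, a URL fell through to httpd that
    # should have gone to Tomcat.
    DocumentRoot /srv/www/httpd-root
    <Directory /srv/www/httpd-root>
        Options -Indexes -FollowSymLinks
        Require all granted
    </Directory>

    # Forward the context root and everything under it. The two patterns
    # do not overlap, so both are needed.
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # Static files httpd serves directly live outside the webapp tree and
    # are mapped under a dedicated prefix, which is then un-mounted.
    Alias /Andromeda/static /srv/www/andromeda-static
    <Directory /srv/www/andromeda-static>
        Options -Indexes -FollowSymLinks
        Require all granted
    </Directory>
    JkUnMount /Andromeda/static/* worker1

    # Alternative to JkUnMount: exclude by pattern via the no-jk variable.
    # SetEnvIf Request_URI "\.jpg$" no-jk

    # Defence in depth: even if a later mapping mistake exposes the
    # webapp tree, httpd never serves these directories.
    <LocationMatch "^/Andromeda/(WEB-INF|META-INF)(/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

After reloading, a request for /Andromeda/META-INF/context.xml through httpd should return 403, and the placeholder page in DocumentRoot should never be reachable via an /Andromeda URL.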