On 21 Nov 2011, at 18:52, "André Warnier" <a...@ice-sa.com> wrote:

> Hi.
>
> What we are trying to say is this :
>
> The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to 
> contain files
> that should NOT be accessed by the users.  For example, in the WEB-INF and 
> META-INF
> subdirectories, there are files (like WEB-INF/web.xml) which may contain 
> private
> information (such as, e.g., passwords to access a database system).
> For that reason, Tomcat itself forbids access to the content of these 
> directories.
> If you try to access Tomcat directly via a URL like
> "http://myhost.company.com/mywebapp/WEB-INF/somefile", you will get a 
> "Forbidden"
> response. Always.
>
> But if on the same host, you run another webserver (Apache, nginx,..), and 
> you allow this
> webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF 
> directory, then
> you bypass the Tomcat security and make it useless.
> That means that a user, with a well-crafted URL, will be able to access and 
> display the
> content of those files.  This is a big security hole.
> You can configure the front-end webserver to also forbid this, but it 
> requires additional
> configuration, and you will forget to do it, or do it wrong.
> So don't do that.
>
> Tomcat will serve static resources just fine, usually as fast as Apache or 
> nginx would.
>
> If you insist that you must serve this static content directly from the 
> front-end
> webserver, and not ask Tomcat to do it, then place them somewhere under the 
> DocumentRoot
> of the front-end webserver (which should /NOT/ be the same as the Tomcat 
> webapps
> directory), and use the proxy instructions so that these requests are /not/ 
> forwarded to
> Tomcat, but served locally.

+1. I would use stronger terms: never allow DocumentRoot and
tomcat/webapps to overlap.


p

> For example :
>
> ProxyPass /mywebapp/images !
> ProxyPass /mywebapp/css !
> ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
>
> will proxy all requests for /mywebapp to Tomcat, *except* for the /images and 
> /css
> subdirectories.
>
>
>
> Jan Vávra wrote:
>> Hello,
>> when I started my project others told me to use apache for static
>> content and tomcat for java/jsp.
>> It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So
>> static content gives apache, dynamic tomcat.
>>
>> Jan.
>>
>>> I have a spring project (web app), in my project where should I be
>>> putting
>>> my static files like images/css/javascript?
>>>
>>> In my WEB-INF like:
>>>
>>> /WEB-INF/Assets {images/css/js}
>>>
>>>
>>> I know when I go in production I will have nginx map to this folder to
>>> serve the static files, but I just want to know where I can put them for
>>> development/testing.
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
>

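The rule in this thread (never let the front-end's DocumentRoot or Alias targets overlap tomcat/webapps, put the ProxyPass exclusions before the catch-all) can be checked mechanically. The script below is an added example written for this page; it is not code from the list posters, nor from Apache httpd or Tomcat. It builds a constructed Tomcat webapp and httpd docroot in a temporary directory, writes one overlapping and one separated httpd config fragment (the "tomcat:8009" and "mywebapp" names come from the thread; the "Require all denied" / DirectoryMatch lines assume httpd 2.4 syntax), and rejects any fragment whose served-from-disk directories resolve inside the webapps tree.

```shell
#!/bin/sh
# Added example for this thread, not code from the list posters or from
# Apache/Tomcat. It checks one rule: nothing the front-end httpd serves
# from disk (DocumentRoot, Alias targets) may resolve inside the Tomcat
# webapps tree. All paths and both config fragments are constructed in a
# temporary directory; the hostnames and URLs in them are placeholders.
set -u

# Canonical directory path (symlinks resolved); empty if it does not exist.
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# path_under DIR BASE: succeed if DIR is BASE itself or lies beneath it.
# A DIR that does not exist cannot be served, so it counts as "not under".
path_under() {
  a=$(abs_dir "$1"); b=$(abs_dir "$2")
  [ -n "$a" ] && [ -n "$b" ] || return 1
  case "$a" in
    "$b"|"$b"/*) return 0 ;;
  esac
  return 1
}

# check_layout CONF WEBAPPS: scan CONF for DocumentRoot and Alias targets and
# fail (status 1) if any of them resolves under WEBAPPS. Only the simple
# one-line forms are parsed; paths containing whitespace are not handled.
check_layout() {
  found=$(
    awk '$1 == "DocumentRoot" { print $2 } $1 == "Alias" { print $3 }' "$1" |
      tr -d '"' |
      while IFS= read -r dir; do
        path_under "$dir" "$2" && printf '%s\n' "$dir"
      done
  )
  if [ -n "$found" ]; then
    printf '%s: served from inside %s:\n%s\n' "$1" "$2" "$found" >&2
    return 1
  fi
  return 0
}

# --- constructed layout: a Tomcat webapp plus a separate httpd docroot ----
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
WEBAPPS="$ROOT/tomcat/webapps"
mkdir -p "$WEBAPPS/mywebapp/WEB-INF" "$WEBAPPS/mywebapp/images" \
         "$ROOT/www/html" "$ROOT/www/static/mywebapp/images"
# Stand-in deployment descriptor: the kind of file that must never be served.
printf '<web-app/>\n' > "$WEBAPPS/mywebapp/WEB-INF/web.xml"

# Overlapping layout: the webapp directory itself is exposed through an Alias,
# so GET /mywebapp/static/WEB-INF/web.xml is answered by httpd from disk and
# Tomcat's own protection of WEB-INF never comes into play.
cat > "$ROOT/bad.conf" <<EOF
DocumentRoot "$WEBAPPS"
Alias /mywebapp/static "$WEBAPPS/mywebapp"
ProxyPass /mywebapp/static !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
EOF

# Separated layout: static files live under the httpd docroot, the exclusions
# precede the catch-all ProxyPass, and (httpd 2.4 syntax) WEB-INF/META-INF are
# refused from disk as a second line of defence should the layout change later.
cat > "$ROOT/good.conf" <<EOF
DocumentRoot "$ROOT/www/html"
Alias /mywebapp/images "$ROOT/www/static/mywebapp/images"
ProxyPass /mywebapp/images !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
<DirectoryMatch "/(WEB-INF|META-INF)(/|\$)">
    Require all denied
</DirectoryMatch>
EOF

for conf in bad good; do
  if check_layout "$ROOT/$conf.conf" "$WEBAPPS"; then
    echo "$conf.conf: OK, front-end and webapps do not overlap"
  else
    echo "$conf.conf: REJECT"
  fi
done
```

Run it as-is to see bad.conf rejected and good.conf accepted; to check a real deployment, point check_layout at the actual httpd configuration file and the real webapps directory. The parser is deliberately minimal (it does not follow Include, and it does not interpret ProxyPass itself), so treat a clean result as necessary, not sufficient: the DirectoryMatch denial in good.conf is there precisely because layouts drift after the check was last run.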