Hello Konstantin Kolinko and André Warnier, thank you both for your replies.
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Sunday, March 11, 2012 12:14 AM
> To: Tomcat Users List
> Subject: Re: Some questions about Tomcat ISAPI Connector and its documentation
>
> That is probably what isapi_redirector does anyway (forward the request to Tomcat, and let Tomcat send the 404 response (which may be customised)).

In such a case, the ISAPI connector seems to send its own 404 error message (which can't be customized I think).

> But perhaps the log message in the isapi_redirector log is there for the following reason : when Tomcat is hosted on a separate host, it may be nice, on the IIS/isapi_redirector host, to have a log entry recording this. Just in case the IIS-side logs are being watched closely, and the Tomcat logs less so.
> After all, someone using a URL including WEB-INF or META-INF, is quite likely to be someone who /is/ trying to hack the system.
>
> That kind of overlaps the warning in red text that is present on the connectors "how-to" pages, like :
>
> However, you should be very careful when you implement the following configuration style, because by doing so you are in fact providing a "back-door" to IIS, and allowing it to serve files out of a Tomcat context without Tomcat's knowledge, thus bypassing any security restrictions which Tomcat itself and the Tomcat context (webapp) may place on those files.

That's right; however, it seems that the warning only appears when the request is actually mapped to the ISAPI connector - if it is not mapped to it, it does not prevent accessing directories called "WEB-INF" (e.g. when trying to have IIS serve the static files and Tomcat serve only Servlets/JSPs).

> Does this log message bother you ? why would you want to /not/ have it ?
>

It does not bother me - I just wondered why the ISAPI would do these checks, when Tomcat already does it.
:)

Regards,
Konstantin Preißer
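The gap discussed in this message (IIS serving static files out of a Tomcat context without any WEB-INF/META-INF check) can be audited from the IIS side. The following is an added example, not part of the original message and not isapi_redirector's code: it normalises a request path and reports log entries where a protected directory was actually served. The log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directories a servlet container never serves to clients.
PROTECTED = {"web-inf", "meta-inf"}

def is_protected_path(raw_path, max_decodes=3):
    """Return True if any path segment names WEB-INF or META-INF."""
    path = raw_path.split("?", 1)[0]
    # Decode repeatedly so multiply-encoded segments are normalised too.
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # On Windows, "\" separates paths like "/", names are case-insensitive,
    # and trailing dots or spaces on a name are ignored by the filesystem.
    for seg in re.split(r"[/\\]+", path):
        seg = seg.split(";", 1)[0]       # drop path parameters (;jsessionid=...)
        if seg.rstrip(". ").lower() in PROTECTED:
            return True
    return False

# Constructed sample in a simplified W3C-style layout (assumed field order).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status
2012-03-11 00:10:01 GET /myapp/index.html 200
2012-03-11 00:10:07 GET /myapp/WEB-INF/web.xml 200
2012-03-11 00:10:09 GET /myapp/web-inf/classes/db.properties 200
2012-03-11 00:10:12 GET /myapp/META-INF/context.xml 404
2012-03-11 00:10:15 GET /myapp/docs/web-inf-notes.html 200
"""

def served_protected(log_text):
    """List URI stems under a protected directory answered with a 2xx status."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, _method, stem, status = line.split()
        if status.startswith("2") and is_protected_path(stem):
            hits.append(stem)
    return hits

if __name__ == "__main__":
    for stem in served_protected(SAMPLE_LOG):
        print("served from protected directory:", stem)
```

Any hit means the web server in front of Tomcat handed out a file that Tomcat itself would have refused to serve.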