Author: markt
Date: Sun Jun 3 20:22:01 2007
New Revision: 544037
URL: http://svn.apache.org/viewvc?view=rev&rev=544037
Log:
A better warning for the httpd docs.
Modified:
tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
Modified: tomcat/connectors/trunk/jk/xdocs/reference/apache.xml
URL:
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/reference/apache.xml?view=diff&rev=544037&r1=544036&r2=544037
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/reference/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/reference/apache.xml Sun Jun 3 20:22:01
2007
@@ -25,10 +25,14 @@
Exceptions from this rule are
again explicitely listed in the table below.
</p>
-<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat Host's
-appBase or the docBase of any Context. Configuring httpd/Tomcat this way is
very
-likely to result in JSP source code disclosure and/or other security issues.
-</b></p>
+<p><b>Waring: If Apache httpd and Tomcat are configured to serve content from
+the same filing system location then care must be taken to ensure that httpd is
+not able to serve inappropriate content such as the contents of the WEB-INF
+directory or JSP source code.</b> This could occur if the httpd DocumentRoot
+overlaps with a Tomcat Host's appBase or the docBase of any Context. It could
+also occur when using the httpd Alias directive with a Tomcat Host's appBase or
+the docBase of any Context.
+</p>
<p>
Here are the all directives supported by Apache:
</p>
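Review bot: "Waring" at the start of the new bold text should be "Warning", and "filing system location" should read "file system location". The sentences listing how the overlap can arise name DocumentRoot and Alias but not JkAutoAlias, which aliases every webapp directory into the httpd document space and is exactly the case the JkAutoAlias text later in this file warns about; suggest "It could also occur when using the httpd Alias or JkAutoAlias directives with a Tomcat Host's appBase or the docBase of any Context." The bold text now says "care must be taken" without saying how; a pointer to the JkMount /* default plus JkUnMount approach described under JkAutoAlias would make the warning actionable.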
@@ -119,7 +123,11 @@
</p></attribute>
<attribute name="JkAutoAlias" required="false"><p>
Automatically Alias webapp context directories into the Apache
-document space.
+document space.
+<br/>
+Care should be taken to ensure that only static content is served via httpd as
a
+result of using this directive. Any static content served by httpd will bypass
any
+security constraints defined in the application's web.xml.
<br/>
For inheritance rules, see: JkMountCopy.
<br/>
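Review bot: "only static content is served via httpd" understates what JkAutoAlias exposes: aliasing a webapp directory also makes WEB-INF (web.xml, classes, lib) and META-INF reachable through httpd unless requests for those paths are mounted to Tomcat or denied in httpd. Suggest adding a sentence after the new text, e.g. "Requests for WEB-INF and META-INF must be passed to Tomcat or denied by httpd, otherwise deployment descriptors and class files can be downloaded."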
@@ -697,9 +705,12 @@
the Apache document space. It enables Apache to serve a static context while
Tomcat
serving dynamic context. This directive is used for convenience so that you
don't
have to put an apache Alias directive for each application directory inside
Tomcat's
-webapp directory.
+webapp directory. For security reasons is is strongly recommended that JkMount
+is used to pass all requests to Tomcat by default and JkUnMount is used to
+explicitly exclude static content to be served by httpd. It should also be
noted
+that content served by httpd will bypass any security constraints defined in
the
+applciation's web.xml.
</p>
-
<source>
# enter the full path to the tomcat webapps directory
JkAutoAlias /opt/tomtact/webapps
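Review bot: typos in the added sentences: "is is strongly recommended" should be "it is strongly recommended", "applciation's" should be "application's", and "explicitly exclude static content to be served by httpd" reads more clearly as "explicitly exclude the static content that httpd should serve". Since this hunk touches the surrounding paragraph, the unchanged example two lines below it, "JkAutoAlias /opt/tomtact/webapps", is a good opportunity to correct "tomtact" to "tomcat".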
Modified: tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml
URL:
http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml?view=diff&rev=544037&r1=544036&r2=544037
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/webserver_howto/apache.xml Sun Jun 3
20:22:01 2007
@@ -44,10 +44,14 @@
and <a href="../reference/apache.html">Apache</a>.
</p>
-<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat Host's
-appBase or the docBase of any Context. Configuring httpd/Tomcat this way is
very
-likely to result in JSP source code disclosure and/or other security issues.
-</b></p>
+<p><b>Waring: If Apache httpd and Tomcat are configured to serve content from
+the same filing system location then care must be taken to ensure that httpd is
+not able to serve inappropriate content such as the contents of the WEB-INF
+directory or JSP source code.</b> This could occur if the httpd DocumentRoot
+overlaps with a Tomcat Host's appBase or the docBase of any Context. It could
+also occur when using the httpd Alias directive with a Tomcat Host's appBase or
+the docBase of any Context.
+</p>
<p>
This document was originally part of <b>Tomcat: A Minimalistic User's
Guide</b> written by Gal Shachor,
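Review bot: the same typos as in the reference/apache.xml copy of this paragraph: "Waring" should be "Warning" and "filing system" should be "file system". The paragraph is duplicated verbatim in both files, so any further wording change (such as naming JkAutoAlias alongside Alias as a way the overlap can arise) needs to be applied in both places or the two documents will drift.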
@@ -712,8 +716,11 @@
</p>
<p>
-Caution: If Apache is configured to serve static pages for a web application
it bypasses
-any security contraints you may have configured in your web application
web.xml config file.
+Caution: For security reasons is is strongly recommended that JkMount is used
to
+pass all requests to Tomcat by default and JkUnMount is used to explicitly
+exclude static content to be served by httpd. It should also be noted that
+content served by httpd will bypass any security constraints defined in the
+applciation's web.xml.
</p>
<p>Use Apache's <b>Alias</b> directive to map a single web application context
directory into Apache's
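Review bot: "is is" should be "it is" and "applciation's" should be "application's" in the new Caution text, the same errors as in the reference document. The old caution stated the consequence first (static pages served by Apache bypass the web.xml security constraints); the new wording puts it after the JkMount recommendation. Suggest leading with the consequence and following with the recommendation, since the bypass is what motivates the JkMount /* default.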
@@ -723,15 +730,12 @@
<source>
# Static files in the examples webapp are served by apache
Alias /examples /vat/tomcat3/webapps/examples
- # The following line prohibits users from directly access WEB-INF
- <Location "/examples/WEB-INF/">
- AllowOverride None
- deny from all
- </Location>
- # All JSP will goes to worker1
- JkMount /*.jsp worker1
- # All servlets goes to worker1
- JkMount /*/servlet/ worker1
+ # All requests go to worker1 by default
+ JkMount /* worker1
+ # Serve html, jpg and gif using httpd
+ JkUnMount /*.html worker1
+ JkUnMount /*.jpg worker1
+ JkUnMount /*.gif worker1
</source>
<p>
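Review bot: dropping the <Location "/examples/WEB-INF/"> deny block removes the only protection for files under WEB-INF whose extension is unmounted. With "JkMount /* worker1" most requests reach Tomcat, which refuses WEB-INF, but "JkUnMount /*.html worker1" hands /examples/WEB-INF/anything.html back to httpd, which serves it from the aliased directory. Suggest keeping a deny for /examples/WEB-INF/ and /examples/META-INF/ as defence in depth (the removed "AllowOverride None" is not valid inside <Location> and can stay out), or unmounting a dedicated static directory rather than whole extensions. Also visible in the unchanged context: the Alias path "/vat/tomcat3/webapps/examples" should be "/var/...", matching the JkAutoAlias example further down.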
@@ -783,8 +787,13 @@
<source>
# Static files in all Tomcat webapp context directories are served by apache
JkAutoAlias /var/tomcat3/webapps
- JkMount /*.jsp ajp13
- JkMount /*/servlet/ ajp13
+
+ # All requests go to worker1 by default
+ JkMount /* ajp13
+ # Serve html, jpg and gif using httpd
+ JkUnMount /*.html ajp13
+ JkUnMount /*.jpg ajp13
+ JkUnMount /*.gif ajp13
</source>
<p>
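Review bot: the comment "# All requests go to worker1 by default" does not match the directives beneath it, which mount to "ajp13"; change the comment to name ajp13 (or the directives to worker1) so that readers copying the snippet see a consistent worker name. The WEB-INF concern from the Alias example above applies here as well: JkAutoAlias aliases every webapp's WEB-INF and META-INF, and "JkUnMount /*.html ajp13" lets httpd serve any .html file under them, so a <LocationMatch> deny covering WEB-INF and META-INF across all contexts would be worth adding to the example.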
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]