Re: where to put static files?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7LuKkACgkQ9CaO5/Lv0PBhYwCdGIGSURI4NDOjPMQ10neIOS0b whMAoJvsbx8tHhUrRbFPyQojKPSITjsO =vTIG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Chris, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Granted. But in that respect, many people don't realise what they're doing, as many previous questions on the list show. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. Yes, but what the OP would need to do, considering where he wanted to put the files, would be Alias /Assets /path/to/tomcat/webapps/mywebapp/WEB-INF/Assets which in my view is at least an opening for doing less safe things (*), which is why several people have already suggested /not/ to put the Assets sub-directory under WEB-INF. (*) because in order for that to work, the user-id under which Apache is running, already needs at least rx permissions to all the directories in that path (WEB-INF included). Which is unnecessary and unsafe. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
S Ahmed wrote: I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. See the note in bold here : http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html This is also applicable for other front-end webservers. but I just want to know where I can put them for development/testing. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On 21 Nov 2011, at 03:15, S Ahmed sahmed1...@gmail.com wrote: I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} You can't serve files directly from WEB-INF. I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. How about somewhere sensible? /images /scripts /styles p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Hello, when I started my project others told me to use apache for static content and tomcat for java/jsp. It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So static content gives apache, dynamic tomcat. Jan. I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On Mon, 2011-11-21 at 01:41 -0800, Pid * wrote: On 21 Nov 2011, at 03:15, S Ahmed sahmed1...@gmail.com wrote: I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} You can't serve files directly from WEB-INF. Not Tomcat related, but if you're using a recent version of Spring (i.e. 3.0.x), you could use the mvc:resources / tag. http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-static-resources I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. How about somewhere sensible? /images /scripts /styles Otherwise, I second this approach. Dan
Re: where to put static files?
Hi. What we are trying to say is this : The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to contain files that should NOT be accessed by the users. For example, in the WEB-INF and META-INF subdirectories, there are files (like WEB-INF/web.xml) which may contain private information (such as, e.g., passwords to access a database system). For that reason, Tomcat itself forbids access to the content of these directories. If you try to access Tomcat directly via a URL like http://myhost.company.com/mywebapp/WEB-INF/somefile;, you will get a Forbidden response. Always. But if on the same host, you run another webserver (Apache, nginx,..), and you allow this webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then you bypass the Tomcat security and make it useless. That means that a user, with a well-crafted URL, will be able to access and display the content of those files. This is a big security hole. You can configure the front-end webserver to also forbid this, but it requires additional configuration, and you will forget to do it, or do it wrong. So don't do that. If you have static resources that need to be accessed via links in your pages, put them in a subdirectory of your webapp, but /not/ in WEB-INF or META-INF. For example, in ../webapps/mywebapp/images/*.jpg or ../webapps/mywebapp/css/*.css Tomcat will server static resources just fine, usually as fast as Apache or nginx would. If you insist that you must serve this static content directly from the front-end webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps directory), and use the proxy instructions so that these requests are /not/ forwarded to Tomcat, but served locally. For example : ProxyPass /mywebapp/images ! ProxyPass /mywebapp/css ! ProxyPass /mywebapp ajp://tomcat:8009/mywebapp will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css subdirectories. Jan Vávra wrote: Hello, when I started my project others told me to use apache for static content and tomcat for java/jsp. It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So static content gives apache, dynamic tomcat. Jan. I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On 21 Nov 2011, at 18:52, André Warnier a...@ice-sa.com wrote: Hi. What we are trying to say is this : The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to contain files that should NOT be accessed by the users. For example, in the WEB-INF and META-INF subdirectories, there are files (like WEB-INF/web.xml) which may contain private information (such as, e.g., passwords to access a database system). For that reason, Tomcat itself forbids access to the content of these directories. If you try to access Tomcat directly via a URL like http://myhost.company.com/mywebapp/WEB-INF/somefile;, you will get a Forbidden response. Always. But if on the same host, you run another webserver (Apache, nginx,..), and you allow this webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then you bypass the Tomcat security and make it useless. That means that a user, with a well-crafted URL, will be able to access and display the content of those files. This is a big security hole. You can configure the front-end webserver to also forbid this, but it requires additional configuration, and you will forget to do it, or do it wrong. So don't do that. Tomcat will server static resources just fine, usually as fast as Apache or nginx would. If you insist that you must serve this static content directly from the front-end webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps directory), and use the proxy instructions so that these requests are /not/ forwarded to Tomcat, but served locally. +1. I would use stronger terms: never allow DocumentRoot and tomcat/webapps to overlap. p For example : ProxyPass /mywebapp/images ! ProxyPass /mywebapp/css ! ProxyPass /mywebapp ajp://tomcat:8009/mywebapp will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css subdirectories. Jan Vávra wrote: Hello, when I started my project others told me to use apache for static content and tomcat for java/jsp. It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So static content gives apache, dynamic tomcat. Jan. I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
where to put static files?
I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing.