Re: where to put static files?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7LuKkACgkQ9CaO5/Lv0PBhYwCdGIGSURI4NDOjPMQ10neIOS0b whMAoJvsbx8tHhUrRbFPyQojKPSITjsO =vTIG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Chris, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 11/21/11 4:06 AM, André Warnier wrote: S Ahmed wrote: I know when I go in production I will have nginx map to this folder to serve the static files, which, as far as I understand your planned setup, would be a really bad idea. Only if you don't know what you're doing. Granted. But in that respect, many people don't realise what they're doing, as many previous questions on the list show. Also, there is a big difference between this: DocumentRoot /path/to/tomcat/webapps/mywebapp and this: Alias /Assets /path/to/tomcat/webapps/mywebapp/Assets The latter is quite a bit safer IMO. Yes, but what the OP would need to do, considering where he wanted to put the files, would be Alias /Assets /path/to/tomcat/webapps/mywebapp/WEB-INF/Assets which in my view is at least an opening for doing less safe things (*), which is why several people have already suggested /not/ to put the Assets sub-directory under WEB-INF. (*) because in order for that to work, the user-id under which Apache is running, already needs at least rx permissions to all the directories in that path (WEB-INF included). Which is unnecessary and unsafe. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
S Ahmed wrote:
I have a spring project (web app), in my project where should I be putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files,
which, as far as I understand your planned setup, would be a really bad idea.
See the note in bold here :
http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
This is also applicable for other front-end webservers.
but I just want to know where I can put them for
development/testing.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On 21 Nov 2011, at 03:15, S Ahmed sahmed1...@gmail.com wrote:
I have a spring project (web app), in my project where should I be putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
You can't serve files directly from WEB-INF.
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
How about somewhere sensible?
/images
/scripts
/styles
p
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Hello,
when I started my project others told me to use apache for static
content and tomcat for java/jsp.
It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So
static content gives apache, dynamic tomcat.
Jan.
I have a spring project (web app), in my project where should I be putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On Mon, 2011-11-21 at 01:41 -0800, Pid * wrote:
On 21 Nov 2011, at 03:15, S Ahmed sahmed1...@gmail.com wrote:
I have a spring project (web app), in my project where should I be putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
You can't serve files directly from WEB-INF.
Not Tomcat related, but if you're using a recent version of Spring (i.e.
3.0.x), you could use the mvc:resources / tag.
http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/mvc.html#mvc-static-resources
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
How about somewhere sensible?
/images
/scripts
/styles
Otherwise, I second this approach.
Dan
Re: where to put static files?
Hi.
What we are trying to say is this :
The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to contain files
that should NOT be accessed by the users. For example, in the WEB-INF and META-INF
subdirectories, there are files (like WEB-INF/web.xml) which may contain private
information (such as, e.g., passwords to access a database system).
For that reason, Tomcat itself forbids access to the content of these
directories.
If you try to access Tomcat directly via a URL like
http://myhost.company.com/mywebapp/WEB-INF/somefile;, you will get a Forbidden
response. Always.
But if on the same host, you run another webserver (Apache, nginx,..), and you allow this
webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then
you bypass the Tomcat security and make it useless.
That means that a user, with a well-crafted URL, will be able to access and display the
content of those files. This is a big security hole.
You can configure the front-end webserver to also forbid this, but it requires additional
configuration, and you will forget to do it, or do it wrong.
So don't do that.
If you have static resources that need to be accessed via links in your pages, put them in
a subdirectory of your webapp, but /not/ in WEB-INF or META-INF.
For example, in ../webapps/mywebapp/images/*.jpg or
../webapps/mywebapp/css/*.css
Tomcat will server static resources just fine, usually as fast as Apache or
nginx would.
If you insist that you must serve this static content directly from the front-end
webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot
of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps
directory), and use the proxy instructions so that these requests are /not/ forwarded to
Tomcat, but served locally.
For example :
ProxyPass /mywebapp/images !
ProxyPass /mywebapp/css !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css
subdirectories.
Jan Vávra wrote:
Hello,
when I started my project others told me to use apache for static
content and tomcat for java/jsp.
It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So
static content gives apache, dynamic tomcat.
Jan.
I have a spring project (web app), in my project where should I be
putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
On 21 Nov 2011, at 18:52, André Warnier a...@ice-sa.com wrote:
Hi.
What we are trying to say is this :
The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to
contain files
that should NOT be accessed by the users. For example, in the WEB-INF and
META-INF
subdirectories, there are files (like WEB-INF/web.xml) which may contain
private
information (such as, e.g., passwords to access a database system).
For that reason, Tomcat itself forbids access to the content of these
directories.
If you try to access Tomcat directly via a URL like
http://myhost.company.com/mywebapp/WEB-INF/somefile;, you will get a
Forbidden
response. Always.
But if on the same host, you run another webserver (Apache, nginx,..), and
you allow this
webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF
directory, then
you bypass the Tomcat security and make it useless.
That means that a user, with a well-crafted URL, will be able to access and
display the
content of those files. This is a big security hole.
You can configure the front-end webserver to also forbid this, but it
requires additional
configuration, and you will forget to do it, or do it wrong.
So don't do that.
Tomcat will server static resources just fine, usually as fast as Apache or
nginx would.
If you insist that you must serve this static content directly from the
front-end
webserver, and not ask Tomcat to do it, then place them somewhere under the
DocumentRoot
of the front-end webserver (which should /NOT/ be the same as the Tomcat
webapps
directory), and use the proxy instructions so that these requests are /not/
forwarded to
Tomcat, but served locally.
+1. I would use stronger terms: never allow DocumentRoot and
tomcat/webapps to overlap.
p
For example :
ProxyPass /mywebapp/images !
ProxyPass /mywebapp/css !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
will proxy all requests for /mywebapp to Tomcat, *except* for the /images and
/css
subdirectories.
Jan Vávra wrote:
Hello,
when I started my project others told me to use apache for static
content and tomcat for java/jsp.
It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So
static content gives apache, dynamic tomcat.
Jan.
I have a spring project (web app), in my project where should I be
putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
where to put static files?
I have a spring project (web app), in my project where should I be putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
