Re: RewriteValve and the ROOT webapp

2017-08-31 Thread Christopher Schultz

Mark,

On 8/30/17 5:03 PM, Mark Thomas wrote:
> On 30/08/17 21:46, Dan Rabe wrote:
>> I’m using Tomcat 8.5.20, trying to use the rewrite valve to
>> rewrite a root-level URL (/foo) to a URL in my webapp
>> (/mywebapp/bar).
>> 
>> I added the rewrite valve to my server.xml, and I put my
>> rewrite.config in conf/Catalina/localhost.
>> 
>> This all works great IF I create an empty “ROOT” directory in
>> webapps. If I remove the ROOT directory, though, accessing /foo
>> just gives me a 404.
>> 
>> Questions:
>> 
>> 1.  Is this by design, or is this a bug? (If it’s by design, then
>> some additional notes in the documentation would be helpful).
> 
> It is by design. See section 12.1 of the Servlet 3.1
> specification. Particularly the first paragraph.
> 
> The Tomcat docs deliberately try to avoid repeating information
> that is in the Servlet specification.
> 
>> 2.  If in fact I do need to have the ROOT webapp, what security
>> precautions should I take? Security guides such as
>> https://www.owasp.org/index.php/Securing_tomcat recommend
>> removing the ROOT webapp, but without providing reasons or
>> rationale.
> 
> Yes, it would help if OWASP explained their rationale.

I believe the OWASP rationale is that Tomcat ships with a ("welcome to
Tomcat") ROOT web app that is simply unnecessary, and unnecessary
things should be removed from production systems.

They obviously aren't explaining that there is nothing wrong with
having *a* ROOT webapp... it's just that the *default* ROOT webapp
should be removed for production.

> The simplest, and safest, approach would be to deploy your own, 
> completely empty ROOT web application (just a dir named "ROOT" in 
> webapps will be fine). Tomcat will handle the 404 for you in that
> case.

Our production builds always include a generated ROOT webapp that
includes absolutely nothing other than a trivial WEB-INF/web.xml. This
allows Tomcat to return a 404 response instead of a "400 Bad Request"
for any requests that don't map to a valid context path.

(Aside: I think it's probably not appropriate for Tomcat to return 400
in these cases... if the URL can't be mapped to a context, that should
be a 404 response, not a 400, since the request itself was valid.)

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
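Chris's "generated ROOT webapp that includes nothing other than a trivial WEB-INF/web.xml" and Dan's rewrite.config under conf/Catalina/localhost can both be checked mechanically. The script below is an added example for this thread, not code from the Tomcat project or from anyone in the discussion: it writes the bare ROOT webapp into a CATALINA_BASE, then audits the layout for the three things discussed here (ROOT missing, the stock "welcome to Tomcat" ROOT still deployed, and a Host-level RewriteValve with no rewrite.config in conf/<Engine>/<Host>/). The stock-app marker file names, the sample server.xml and all function names are my assumptions; the minimal web.xml is a plain Servlet 3.1 descriptor with no servlets or welcome files.

```python
"""Constructed example: write a deliberately empty ROOT webapp into a Tomcat
CATALINA_BASE and audit the layout for the points raised in this thread."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Minimal Servlet 3.1 descriptor (constructed): no servlets, no welcome files,
# so the "/" context exists but has nothing to serve and Tomcat answers 404
# for any request that maps to no other context.
MINIMAL_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
</web-app>
"""

# Files of the stock "welcome to Tomcat" ROOT app (assumed names, taken from an
# 8.5 distribution; check against yours). Their presence means the default
# app that OWASP says to remove is still deployed.
STOCK_ROOT_MARKERS = ("index.jsp", "tomcat.css", "RELEASE-NOTES.txt")
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"

# Constructed server.xml: the RewriteValve sits on the Host, which is the
# configuration that reads conf/<Engine>/<Host>/rewrite.config.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def write_empty_root(catalina_base):
    """Create webapps/ROOT/WEB-INF/web.xml; returns the descriptor path."""
    web_inf = Path(catalina_base) / "webapps" / "ROOT" / "WEB-INF"
    web_inf.mkdir(parents=True, exist_ok=True)
    descriptor = web_inf / "web.xml"
    descriptor.write_text(MINIMAL_WEB_XML, encoding="utf-8")
    return descriptor


def audit_root(catalina_base):
    """Findings about webapps/ROOT; an empty list means a bare ROOT is deployed."""
    findings = []
    root = Path(catalina_base) / "webapps" / "ROOT"
    if not root.is_dir():
        findings.append("no ROOT webapp: unmapped requests get 400 instead of 404")
        return findings
    stock = [m for m in STOCK_ROOT_MARKERS if (root / m).exists()]
    if stock:
        findings.append("stock ROOT webapp still deployed: " + ", ".join(stock))
    # Anything other than WEB-INF/web.xml is content served at "/".
    served = sorted(str(p.relative_to(root)) for p in root.rglob("*")
                    if p.is_file() and p.relative_to(root) != Path("WEB-INF/web.xml"))
    if served:
        findings.append("ROOT serves content: " + ", ".join(served))
    return findings


def audit_rewrite_valve(catalina_base, server_xml_text):
    """For each Host carrying a RewriteValve, report a missing
    conf/<Engine name>/<Host name>/rewrite.config."""
    findings = []
    server = ET.fromstring(server_xml_text)
    for engine in server.iter("Engine"):
        for host in engine.iter("Host"):
            if not any(v.get("className") == REWRITE_VALVE for v in host.findall("Valve")):
                continue
            config = (Path(catalina_base) / "conf" / engine.get("name", "")
                      / host.get("name", "") / "rewrite.config")
            if not config.is_file():
                findings.append(f"RewriteValve on Host {host.get('name')} "
                                f"but {config.relative_to(catalina_base)} is missing")
    return findings


def run_demo():
    """Run the checks on a throwaway CATALINA_BASE: before the fix, after it,
    and with a stock index.jsp left behind. Returns the three finding lists."""
    with tempfile.TemporaryDirectory() as base:
        before = audit_root(base) + audit_rewrite_valve(base, SAMPLE_SERVER_XML)
        write_empty_root(base)
        config = Path(base) / "conf" / "Catalina" / "localhost" / "rewrite.config"
        config.parent.mkdir(parents=True)
        # The rewrite Dan describes: a root-level path into his webapp.
        config.write_text("RewriteRule ^/foo$ /mywebapp/bar [L]\n", encoding="utf-8")
        after = audit_root(base) + audit_rewrite_valve(base, SAMPLE_SERVER_XML)
        (Path(base) / "webapps" / "ROOT" / "index.jsp").write_text("<%-- stock --%>\n")
        stock = audit_root(base)
    return before, after, stock


if __name__ == "__main__":
    for label, findings in zip(("before", "after", "stock"), run_demo()):
        print(label, findings or ["OK"])
```

Point `audit_root` and `audit_rewrite_valve` at a real CATALINA_BASE (reading server.xml from conf/) to use them as a deployment check; the audit only inspects the filesystem and parses server.xml, so it is safe to run against a live instance. A Context-level RewriteValve reads WEB-INF/rewrite.config inside the webapp instead, which this check deliberately does not cover.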



Re: RewriteValve and the ROOT webapp

2017-08-30 Thread tomcat

On 30.08.2017 22:46, Dan Rabe wrote:

> I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a
> root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).
>
> I added the rewrite valve to my server.xml, and I put my rewrite.config in
> conf/Catalina/localhost.
>
> This all works great IF I create an empty “ROOT” directory in webapps. If I
> remove the ROOT directory, though, accessing /foo just gives me a 404.
>
> Questions:
>
>    1.  Is this by design, or is this a bug? (If it’s by design, then some
> additional notes in the documentation would be helpful).
>    2.  If in fact I do need to have the ROOT webapp, what security precautions
> should I take?


The same as you take with any other webapp.  There is nothing really special about the 
ROOT webapp, except that it responds to the URI "/", but is located under 
(catalina_base)/webapps/ROOT/.
You can replace this easily with your own application, which will then respond to a 
request for "/". See:

https://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F

> Security guides such as https://www.owasp.org/index.php/Securing_tomcat recommend removing
> the ROOT webapp, but without providing reasons or rationale.


Indeed there is no particular reason (in terms of security). The only "reason" which I can 
think of is that the standard distribution of tomcat (from https://tomcat.apache.org) 
includes a default ROOT webapp with some information page and a few links, and you 
probably don't want to provide /this/ application as the default application on a 
productive website (you would probably want yours instead).  But I would imagine that the 
tomcat developers do not provide there, by default, an application which has (known) 
security issues.


Mmm, I just realised that I am in fact just repeating what a small section of this page is 
already saying:

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#ROOT
(and by the way, that same page provides a whole series of tips regarding tomcat security, 
and it does provide reasons for each such tip).






Re: RewriteValve and the ROOT webapp

2017-08-30 Thread Mark Thomas
On 30/08/17 21:46, Dan Rabe wrote:
> I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a 
> root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).
> 
> I added the rewrite valve to my server.xml, and I put my rewrite.config in 
> conf/Catalina/localhost.
> 
> This all works great IF I create an empty “ROOT” directory in webapps. If I 
> remove the ROOT directory, though, accessing /foo just gives me a 404.
> 
> Questions:
> 
>   1.  Is this by design, or is this a bug? (If it’s by design, then some 
> additional notes in the documentation would be helpful).

It is by design. See section 12.1 of the Servlet 3.1 specification.
Particularly the first paragraph.

The Tomcat docs deliberately try to avoid repeating information that is
in the Servlet specification.

>   2.  If in fact I do need to have the ROOT webapp, what security precautions 
> should I take? Security guides such as 
> https://www.owasp.org/index.php/Securing_tomcat recommend removing the ROOT 
> webapp, but without providing reasons or rationale.

Yes, it would help if OWASP explained their rationale.

The simplest, and safest, approach would be to deploy your own,
completely empty ROOT web application (just a dir named "ROOT" in
webapps will be fine). Tomcat will handle the 404 for you in that case.

Mark
