I have Apache2 running as the front end handling all the client PKI authentication. Then Tomcat 4.1 using security constraints in the web.xml. Now I use jk to connect them together and it works fine, sort of. I can access protected files inside of Tomcat from Apache. Specifically any file that is not mapped with a JkMount entry is served up by Apache which ignores my web.xml. Do I have to use Apache to protect them as well as Tomcat? Or should I just make tomcat serve all the files? Does anybody have this issue? How do you deal with it? Thanks
