Hi and thanks for the quick response

1. On point one, I appreciate that and it's deliberate to get Apache serving the static content without the need to do anything particularly fancy in terms of where files are stored etc. Especially as we run 3.3.2 which isn't exactly blindingly fast for static content! :)

2. I understand that is what's causing the problem, but am unsure really of a way to fix it properly. Any suggestions on better pattern matching for the JkMount, as I'm not quite sure how flexible it is with regex, etc.? I've tried in the past to get around the problem with mod_security but it seems that it can't stop this because Apache is normalising the paths so Mod_sec can't do anything about them, but then when the request goes to Tomcat it regards, quite rightfully, that the connection doesn't go through the connector because the pattern doesn't match.

Regards
John Boocock

-----Original Message-----
From: Lutz Zetzsche [mailto:[EMAIL PROTECTED]
Sent: 13 May 2005 10:21
To: Tomcat Users List
Subject: RE: mod_jk shows source - Apache 2.0.53 mod_jk 1.2.12

Hi John,

Boocock, John (CSS) wrote:
> If I go to www.domain.com/context/index.jsp I get a page as expected
>
> If I go to www.domain.com//context/index.jsp I get the source code, also
> this isn't just on one context or the index.jsp file, we run quite a few
> contexts and it consistently displays source code if you put double (or
> more) slashes in the URL before the context.
>
> Alias "/context/" "/www/content/www.domain.com/webapps/context/"
> JkMount "/context/*.jsp" lb-332
> JkMount "/context/servlet/*" lb-332

1. The above Alias in the Apache conf points to the Tomcat webapps directory. That means, Apache can access the files of the Tomcat web application.

2. "//context/" does not match the above JkMount patterns which start with "/context/". That means, Apache does not forward a request like "www.domain.com//context/index.jsp" to Tomcat.

The result from both is that Apache processes requests like "www.domain.com//context/index.jsp" itself. If it can find and access the requested file, Apache will serve it. Due to the fact that your Apache has no module installed to process jsp files, it just serves the jsp files plain-text.

That's the solution from my point of view.
I would recommend not to point to any sub directory of $CATALINA_HOME with a DocumentRoot or Alias in Apache's conf to avoid such security breaches.

Best wishes
Lutz
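
The mismatch described in this thread, as an added example that is not part of the original messages: a simplified Python model that classifies request paths against the quoted Alias and JkMount lines, so a configuration can be audited for paths that Apache would serve as plain text. The function names and the matching rules (JkMount compared against the raw URI, Alias matched with repeated slashes collapsed) are assumptions taken from the explanation above, not mod_jk's or Apache's actual code.

```python
import fnmatch
import re

# Constructed from the configuration quoted in the thread.
ALIASES = ["/context/"]
JK_MOUNTS = ["/context/*.jsp", "/context/servlet/*"]
SCRIPT_SUFFIXES = (".jsp",)  # files Apache cannot execute and would send as text


def collapse_slashes(path):
    """Assumed model of Apache's file mapping: a run of '/' acts as one."""
    return re.sub(r"/{2,}", "/", path)


def jk_forwards(path, mounts):
    """Assumed model of JkMount: the pattern is compared with the raw URI."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in mounts)


def alias_serves(path, aliases):
    """True when the slash-collapsed path falls under an Alias prefix."""
    return any(collapse_slashes(path).startswith(prefix) for prefix in aliases)


def classify(path, mounts=JK_MOUNTS, aliases=ALIASES):
    """Return who answers the request in this model."""
    if jk_forwards(path, mounts):
        return "tomcat"
    if alias_serves(path, aliases):
        if collapse_slashes(path).lower().endswith(SCRIPT_SUFFIXES):
            return "source-disclosure"  # Apache serves the JSP file itself
        return "static"
    return "unmapped"


def audit(paths, mounts=JK_MOUNTS, aliases=ALIASES):
    """List the paths that would be answered with unprocessed source."""
    return [p for p in paths if classify(p, mounts, aliases) == "source-disclosure"]


if __name__ == "__main__":
    samples = ["/context/index.jsp", "//context/index.jsp",
               "///context/index.jsp", "/context/logo.png"]
    for p in samples:
        print(f"{p:28} as quoted: {classify(p):18} "
              f"without Alias: {classify(p, aliases=[])}")
```

With the Alias removed, as recommended in the reply, the double-slash paths fall through to "unmapped" in this model instead of reaching the files under the webapps directory.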
