I believe that the path in <Directory> needs to be fully qualified. So, instead of what you have, it would be something like...
<Directory "C:/my/directory/path/to/my/webapp/WEB-INF/">
Or, you can just do...
JkMount /myapp ajp13
JkMount /myapp/* ajp13
That will forward *everything* to Tomcat and Tomcat already knows not to allow access to WEB-INF or META-INF.
If you still want to do the mapping in Apache (so you can serve static content using Apache rather than Tomcat) here is a sample from my mod_jk.conf....
#################### localhost:/examples ####################
# Static files
Alias /examples "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples"
<Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples">
Options Indexes FollowSymLinks
DirectoryIndex index.html index.htm index.jsp
</Directory>
# Deny direct access to WEB-INF and META-INF
#
<Location "/examples/WEB-INF/*">
AllowOverride None
deny from all
</Location>
<Location "/examples/META-INF/*">
AllowOverride None
deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples/WEB-INF/">
AllowOverride None
deny from all
</Directory>
<Directory "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples/META-INF/">
AllowOverride None
deny from all
</Directory>
JkMount /examples/jsp/security/protected/j_security_check ajp13
JkMount /examples/CompressionTest ajp13
JkMount /examples/SendMailServlet ajp13
JkMount /examples/servletToJsp ajp13
JkMount /examples/snoop ajp13
JkMount /examples/*.jsp ajp13
JkMount /examples/servlet/* ajp13
Hope that helps!
Jake
At 05:32 PM 2/1/2003 +0100, you wrote:
I have one application running in Tomcat 4.1.18 and Apache. If I write in the browser (Explorer): http://www.domain.com/WEB-INF/web.xml the system shows me the file. This is a great security problem. How can I deny this? In the Apache conf file I have:
<Directory "WEB-INF">
Options -Indexes
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Please help me
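A small configuration check for the two points raised in this thread, added here as an example and not part of either message: it flags `<Directory>` blocks whose path is not fully qualified, and reports any `Alias` target that has no `<Directory>` deny block for WEB-INF and META-INF. The `lint` and `norm` helpers are hypothetical names, and the sample inputs are built from the configuration quoted above.

```python
import re

# Sample inputs built from the configuration quoted on this page.
BROKEN = '''<Directory "WEB-INF">
Options -Indexes
AllowOverride None
Order deny,allow
Deny from all
</Directory>
'''
ROOT = "C:/Java/Apache/Jakarta/Tomcat-4.1.18/webapps/examples"
FIXED = f'''Alias /examples "{ROOT}"
<Directory "{ROOT}">
Options Indexes FollowSymLinks
</Directory>
<Directory "{ROOT}/WEB-INF/">
AllowOverride None
deny from all
</Directory>
<Directory "{ROOT}/META-INF/">
AllowOverride None
deny from all
</Directory>
'''

SECTION = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
ALIAS = re.compile(r'^\s*Alias\s+\S+\s+"?([^"\n]+)"?\s*$', re.I | re.M)
DENY = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)

def norm(path):
    # Assumption: Windows-style paths as on this page, so compare case-insensitively.
    return path.strip().replace("\\", "/").rstrip("/").lower()

def lint(conf):
    """Return findings for relative <Directory> paths and unprotected Alias roots."""
    findings, denied = [], set()
    for path, body in SECTION.findall(conf):
        # Fully qualified means a leading "/" or a drive letter such as "C:/".
        if not re.match(r'(/|[A-Za-z]:[\\/])', path):
            findings.append(f"relative <Directory> path: {path}")
        elif DENY.search(body):
            denied.add(norm(path))
    for root in ALIAS.findall(conf):
        for name in ("WEB-INF", "META-INF"):
            if norm(f"{root}/{name}") not in denied:
                findings.append(f"no deny for {root}/{name}")
    return findings

if __name__ == "__main__":
    for label, conf in (("question", BROKEN), ("reply", FIXED)):
        print(label, lint(conf) or "ok")
```

The check only reads the configuration text; it does not evaluate `Order`/`Allow` interactions or `<Location>` blocks, so a clean result still needs confirming with a request against your own server.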
