Thanks again for the reply, Chris & Violeta!
Thanks for clarifying what the "protected directory" is, even i guessed it
to be same. Now i understood the fix for the directories protected by a
security constraint. I also verified this & the redirect is no more
happening for these protected ones. Really appreciate your help here.

However, i am still unable to disable the redirect for the root of the
webapp. This is what i did on the latest tomcat build (7.0.68) -

a) Set the context attribute (mapperContextRootRedirectEnabled) to false
for manager webapp. Here is my context.xml (from
\webapps\manager\META-INF\) file -

<Context mapperContextRootRedirectEnabled="false"
antiResourceLocking="false" privileged="true" >

b) Accessing http://localhost:8080/manager gets redirected to manger/.

c) I have also set the above context attribute in the default context.xml
(from \conf\context.xml) file as well.

d) Accessing http://localhost:8080/examples gets redirected to examples/.

Not sure what i am missing here. Same behavior is seen on my web
application too.
Please let me know where i am doing wrong & help me on how to disable the
redirect for the root of webapps.

Harish Krishnan

On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <> wrote:

> Harish,
> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > Thanks Chris for the reply.
> > Looks like my understanding of the fix is incorrect.
> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
> > 7.0.68) + setting the additional context attribute
> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > webapp where context attribute was set, will completely be disabled.
> > You mentioned that only "protected directories" inside the deployed web
> > application is covered in this CVE fix.
> > Can you please help me understand what this protected directories are &
> how
> > to configure this in tomcat ?
> A "protected directory" is one that has a <security-constraint> in
> web.xml. That's not a spec-defined term... just one we've been using
> because it captures the meaning with fewer words.
> As for the redirects you are seeing that "expose" the availability of a
> particular web application, those are essentially impossible to prevent,
> and not considered a part of the CVE.
> -chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Reply via email to