On 15/03/2016 20:58, Harish Krishnan wrote:
> Hello There,
>
> I am kind of blocked here in my project while applying your CVE fix in our
> product & verifying the fix. Any guidelines on what I am doing (mentioned in
> my previous email) wrong are highly appreciated.

You are failing to follow the hints you have been given previously.

> All I am trying to do is disable the redirect for the root (Ex: /manager &
> /examples in Tomcat) of the webapp. If I know how to do this on the
> mentioned Tomcat webapps, then I can apply the same for my webapps too.
> Looking for your response & help here.

You CAN NOT disable the redirect. As the documentation for the two redirect
options makes clear, all they do is change WHERE the redirect happens.

The key point in all of this is that security constraints are applied AFTER
the Mapper and BEFORE the DefaultServlet. If the request is for a protected
resource and the redirects take place in the Mapper, then the response will
confirm whether that resource exists irrespective of whether or not the user
is authorized to access the resource. If the redirect takes place in the
DefaultServlet, the response will reflect the security constraints and the
user's access rights, if any.

Again, you need to look at the security constraints for the Manager
application. /manager is NOT a protected resource so the redirect is always
going to happen.

Mark

>
> regards
> Harish Krishnan
>
> On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish....@gmail.com>
> wrote:
>
>> Thanks again for the reply, Chris & Violeta!
>> Thanks for clarifying what the "protected directory" is; I guessed it
>> to be the same. Now I understand the fix for the directories protected by a
>> security constraint. I also verified this & the redirect is no longer
>> happening for these protected ones. Really appreciate your help here.
>>
>> However, I am still unable to disable the redirect for the root of the
>> webapp. This is what I did on the latest Tomcat build (7.0.68):
>>
>> a) Set the context attribute (mapperContextRootRedirectEnabled) to false
>> for the manager webapp. Here is my context.xml (from
>> \webapps\manager\META-INF\) file:
>>
>> <Context mapperContextRootRedirectEnabled="false"
>> antiResourceLocking="false" privileged="true" >
>> </Context>
>>
>> b) Accessing http://localhost:8080/manager gets redirected to manager/.
>>
>> c) I have also set the above context attribute in the default context.xml
>> (from \conf\context.xml) file as well.
>>
>> d) Accessing http://localhost:8080/examples gets redirected to examples/.
>>
>> Not sure what I am missing here. The same behavior is seen on my web
>> application too.
>> Please let me know what I am doing wrong & help me on how to disable the
>> redirect for the root of webapps.
>>
>> regards
>> Harish Krishnan
>>
>> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Harish,
>>>
>>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
>>>> Thanks Chris for the reply.
>>>> Looks like my understanding of the fix is incorrect.
>>>> I assumed (my bad) that, with the fix for this CVE in place (Tomcat
>>>> 7.0.68) + setting the additional context attribute
>>>> (mapperContextRootRedirectEnabled="false"), all the redirects for the
>>>> webapp where the context attribute was set would be completely disabled.
>>>> You mentioned that only "protected directories" inside the deployed web
>>>> application are covered in this CVE fix.
>>>> Can you please help me understand what these protected directories are &
>>>> how to configure this in Tomcat?
>>>
>>> A "protected directory" is one that has a <security-constraint> in
>>> web.xml. That's not a spec-defined term... just one we've been using
>>> because it captures the meaning with fewer words.
>>>
>>> As for the redirects you are seeing that "expose" the availability of a
>>> particular web application, those are essentially impossible to prevent,
>>> and not considered a part of the CVE.
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
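The ordering Mark describes (Mapper, then security constraints, then DefaultServlet) is what decides whether a directory redirect leaks the existence of a protected path to an unauthenticated caller. The following is an added model of that pipeline written for this page; it is not Tomcat source and not anyone's code from the thread. The webapp layout under /app, the "/admin/*" security constraint, the probe paths and the three-stage dispatch are all constructed for illustration. It keys the two Context attributes off mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled, and shows that turning them off moves the redirect into the DefaultServlet (so the context-root redirect still happens, as Mark says) while making an existing protected directory and a nonexistent one indistinguishable to an unauthenticated caller.

```python
"""Model of the request path described in the thread: Mapper -> security
constraints -> DefaultServlet.  Added illustration, not Tomcat source; the
webapp layout, the "/admin/*" constraint and the probe paths are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class Webapp:
    context_path: str
    directories: FrozenSet[str]        # directories under docBase; "/" is the root
    protected: Tuple[str, ...] = ()    # <url-pattern>s from <security-constraint>, "/prefix/*" form
    mapper_context_root_redirect: bool = True   # Context mapperContextRootRedirectEnabled
    mapper_directory_redirect: bool = True      # Context mapperDirectoryRedirectEnabled


@dataclass
class Response:
    status: int
    stage: str                     # which component produced the response
    location: Optional[str] = None


def _constrained(app: Webapp, rel: str) -> bool:
    """True if rel is covered by one of the "/prefix/*" patterns."""
    for pattern in app.protected:
        prefix = pattern[:-2]      # "/admin/*" -> "/admin"
        if rel == prefix or rel.startswith(prefix + "/"):
            return True
    return False


def handle(app: Webapp, path: str, authenticated: bool = False) -> Response:
    """Dispatch one request through the three stages in Tomcat's order."""
    if not (path == app.context_path or path.startswith(app.context_path + "/")):
        return Response(404, "Mapper")          # no context matches
    rel = path[len(app.context_path):]          # "" for a bare context-root request
    no_slash = not rel.endswith("/")            # "" and "/admin" lack the trailing slash
    dirpath = "/" if rel in ("", "/") else rel.rstrip("/")
    is_dir = dirpath in app.directories

    # Stage 1: Mapper.  Runs before any security constraint is consulted, so a
    # redirect issued here confirms existence to anyone who asks.
    if rel == "" and app.mapper_context_root_redirect:
        return Response(302, "Mapper", path + "/")
    if rel != "" and no_slash and is_dir and app.mapper_directory_redirect:
        return Response(302, "Mapper", path + "/")

    # Stage 2: security constraints from web.xml.
    if _constrained(app, dirpath if is_dir else rel) and not authenticated:
        return Response(401, "Authenticator")

    # Stage 3: DefaultServlet.  The redirect still happens here if the Mapper
    # skipped it, but only for callers the constraints let through.
    if no_slash and is_dir:
        return Response(302, "DefaultServlet", path + "/")
    if is_dir:
        return Response(200, "DefaultServlet")  # directory listing or welcome file
    return Response(404, "DefaultServlet")


def leaks_existence(app: Webapp, existing: str, missing: str) -> bool:
    """Can an unauthenticated caller tell an existing protected directory from
    a nonexistent path under the same constraint by status code alone?"""
    return handle(app, existing).status != handle(app, missing).status


# Constructed webapp: /app with a public and an admin area.  "/admin/*" is
# covered by a <security-constraint>; the context root is not.
DIRS = frozenset({"/", "/public", "/admin", "/admin/data"})
DEFAULT = Webapp("/app", DIRS, ("/admin/*",))
MOVED = Webapp("/app", DIRS, ("/admin/*",),
               mapper_context_root_redirect=False,
               mapper_directory_redirect=False)

if __name__ == "__main__":
    for label, app in (("defaults", DEFAULT), ("mapper redirects off", MOVED)):
        print("--- " + label)
        for p in ("/app", "/app/admin/data", "/app/admin/nothere"):
            r = handle(app, p)
            loc = " Location: " + r.location if r.location else ""
            print(p.ljust(20) + " -> " + str(r.status) + " from " + r.stage + loc)
        print("unauthenticated caller can tell /app/admin/data exists:",
              leaks_existence(app, "/app/admin/data", "/app/admin/nothere"))
```

On a real Tomcat the same check is a pair of unauthenticated requests, one for a directory you know exists under a constrained url-pattern and one for a name that does not, compared by status code and Location header; with the Mapper redirects left enabled the existing directory answers 302 and the missing one answers with the constraint's 401/403, which is the disclosure the fix addresses. The model is deliberately simplified: it ignores welcome-file resolution, role checks beyond "authenticated or not", and the exact valve in which Tomcat evaluates constraints.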