On 30/08/17 21:46, Dan Rabe wrote:
> I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a 
> root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).
> I added the rewrite valve to my server.xml, and I put my rewrite.config in 
> conf/Catalina/localhost.
> This all works great IF I create an empty “ROOT” directory in webapps. If I 
> remove the ROOT directory, though, accessing /foo just gives me a 404.
> Questions:
>   1.  Is this by design, or is this a bug? (If it’s by design, then some 
> additional notes in the documentation would be helpful).

It is by design. See section 12.1 of the Servlet 3.1 specification.
Particularly the first paragraph.

The Tomcat docs deliberately try to avoid repeating information that is
in the Servlet specification.

>   2.  If in fact I do need to have the ROOT webapp, what security precautions 
> should I take? Security guides such as 
> https://www.owasp.org/index.php/Securing_tomcat recommend removing the ROOT 
> webapp, but without providing reasons or rationale.

Yes, it would help if OWASP explained their rationale.

The simplest, and safest, approach would be to deploy your own,
completely empty ROOT web application (just a dir named "ROOT" in
webapps will be fine). Tomcat will handle the 404 for you in that case.
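
An added example, not part of the original message and not Tomcat's own tooling: a shell check that classifies the ROOT context under a webapps directory and creates the empty ROOT directory described above only when none exists. The function names and the sample directory tree are assumptions made for illustration; a `ROOT.war` is treated as content.

```sh
#!/bin/sh
# Classify the ROOT context under a Tomcat appBase directory.
# Prints one of: missing | empty | populated
root_status() {
    appbase=$1
    # A ROOT.war would be deployed as the ROOT context, so it counts as content.
    if [ -e "$appbase/ROOT.war" ]; then
        echo populated; return
    fi
    if [ ! -d "$appbase/ROOT" ]; then
        echo missing; return
    fi
    # Any entry at all (dotfiles included) counts as content.
    if [ -n "$(ls -A "$appbase/ROOT")" ]; then
        echo populated
    else
        echo empty
    fi
}

# Create an empty ROOT only when none exists; never delete existing content.
# Returns 0 if ROOT is empty afterwards, 1 if it holds content to review.
ensure_empty_root() {
    appbase=$1
    case "$(root_status "$appbase")" in
        missing)   mkdir "$appbase/ROOT" ;;
        empty)     : ;;
        populated) echo "ROOT in $appbase has content; review before replacing" >&2
                   return 1 ;;
    esac
}

# Demo on a constructed directory tree (not a real Tomcat install).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/webapps/mywebapp"
    before=$(root_status "$tmp/webapps")
    ensure_empty_root "$tmp/webapps"
    after=$(root_status "$tmp/webapps")
    rm -rf "$tmp"
    echo "$before -> $after"
}
demo
```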

