On 30.08.2017 22:46, Dan Rabe wrote:
I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a 
root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).

I added the rewrite valve to my server.xml, and I put my rewrite.config in 

This all works great IF I create an empty “ROOT” directory in webapps. If I 
remove the ROOT directory, though, accessing /foo just gives me a 404.


   1.  Is this by design, or is this a bug? (If it’s by design, then some 
additional notes in the documentation would be helpful).
   2.  If in fact I do need to have the ROOT webapp, what security precautions 
should I take?

The same as you take with any other webapp. There is nothing really special about the ROOT webapp, except that it responds to the URI "/", but is located under (catalina_base)/webapps/ROOT/. You can replace this easily with your own application, which will then respond to a request for "/". See :

Security guides such as https://www.owasp.org/index.php/Securing_tomcat recommend removing the ROOT webapp, but without providing reasons or rationale.

Indeed there is no particular reason (in terms of security). The only "reason" which I can think of, is that the standard distribution of tomcat (from https://tomcat.apache.org) includes a default ROOT webapp with some information page and a few links, and you probably don't want to provide /this/ application as the default application on a productive website (you would probably want yours instead). But I would imagine that the tomcat developers do not provide there by default, an application which has (known) security issues.

Mmm, I just realised that I am in fact just repeating what a small section of this page is already saying :
(and by the way, that same page provides a whole series of tips regarding tomcat security, and it does provides reasons for each such tip).

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to