On 30.08.2017 22:46, Dan Rabe wrote:
I’m using Tomcat 8.5.20, trying to use the rewrite valve to rewrite a
root-level URL (/foo) to a URL in my webapp (/mywebapp/bar).
I added the rewrite valve to my server.xml, and I put my rewrite.config in
This all works great IF I create an empty “ROOT” directory in webapps. If I
remove the ROOT directory, though, accessing /foo just gives me a 404.
1. Is this by design, or is this a bug? (If it’s by design, then some
additional notes in the documentation would be helpful).
2. If in fact I do need to have the ROOT webapp, what security precautions
should I take?
The same as you take with any other webapp. There is nothing really special about the
ROOT webapp, except that it responds to the URI "/", but is located under
You can replace this easily with your own application, which will then respond to a
request for "/". See :
Security guides such as https://www.owasp.org/index.php/Securing_tomcat recommend removing
the ROOT webapp, but without providing reasons or rationale.
Indeed there is no particular reason (in terms of security). The only "reason" which I can
think of, is that the standard distribution of tomcat (from https://tomcat.apache.org)
includes a default ROOT webapp with some information page and a few links, and you
probably don't want to provide /this/ application as the default application on a
productive website (you would probably want yours instead). But I would imagine that the
tomcat developers do not provide there by default, an application which has (known)
Mmm, I just realised that I am in fact just repeating what a small section of this page is
already saying :
(and by the way, that same page provides a whole series of tips regarding tomcat security,
and it does provides reasons for each such tip).
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org