Hi.

I have not looked through all of your configuration lines, but I believe that the problem is first of all this line:

On 05.07.2018 09:18, Sandels Mark (RTH) OUH wrote:
> DocumentRoot "C:\Program Files (x86)\apache-tomcat-9.0.6\webapps"

That means essentially that you are allowing the Apache httpd front-end to access your entire tomcat web applications pages directory directly, without going through tomcat. And Apache httpd, when it serves one of these pages to a browser requesting it, has absolutely no idea that one of these *files* located in that directory or below may be a Java JSP page, some highly confidential file located in a WEB-INF directory, or whatever, and it just returns the content of these files unfiltered to the browser.

That is the default that you get with that DocumentRoot line.
So, *unless* you later contradict/override this by some other configuration line somewhere else in the configuration, the above is what will happen. It is thus an extremely unsafe way of configuring Apache httpd in a front-end-to-tomcat scenario, because anything that you forget to remap later explicitly to tomcat will be served by Apache httpd, without tomcat knowing anything about it.

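An audit check for the exposure described in the message above, as an added example that is not part of the original e-mail or of any Apache project code. It reads the DocumentRoot from httpd configuration text and lists the files below it that httpd would hand out as plain static files; the function names and the sample tree are constructed for illustration, and the check reports the default behaviour only, without evaluating any later directive that overrides it.

```python
import os
import re
import tempfile

# Matches: DocumentRoot "C:\path with spaces"  or  DocumentRoot /unquoted/path
# (a line starting with '#' is a comment and is not matched)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+(?:"([^"]+)"|(\S+))', re.I | re.M)
PROTECTED_DIRS = {"web-inf", "meta-inf"}   # Tomcat never serves these directly
SOURCE_EXTS = {".jsp", ".jspx"}            # httpd would return the source text


def document_roots(conf_text):
    """Return every DocumentRoot path found in httpd configuration text."""
    return [quoted or bare for quoted, bare in DOCROOT_RE.findall(conf_text)]


def raw_served_files(docroot):
    """List files under docroot that httpd would return unfiltered."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = {p.lower() for p in rel_dir.split(os.sep)}
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if parts & PROTECTED_DIRS:
                findings.append(("protected-dir", rel))
            elif os.path.splitext(name)[1].lower() in SOURCE_EXTS:
                findings.append(("jsp-source", rel))
    return sorted(findings)


def build_sample_webapps(base):
    """Constructed sample tree standing in for a Tomcat webapps directory."""
    for rel in ("app/index.jsp", "app/WEB-INF/web.xml", "app/css/site.css"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webapps:
        build_sample_webapps(webapps)
        # Constructed configuration text pointing DocumentRoot at the sample tree.
        conf = 'ServerName example.test\nDocumentRoot "%s"\n' % webapps
        for root in document_roots(conf):
            for kind, rel in raw_served_files(root):
                print(kind, rel)
```

An empty result is what a front-end DocumentRoot should produce: it means the directory holds only static content and everything else has to reach tomcat through an explicit mapping.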