Re: AW: isapi_redirector & protected Diretories

[Rainer Jung]

Holger Burde wrote:
Hi;
Thanks for the reply.

This type of matching breaks at least every JSF Netbeans (5.x/6.x)
App and maybe others. We have no choice now than patching the
isapi_redirector. Also i thought that Tomcat protects those dirs ? or
is this not the case if access is via ajp13 ?

It is, even for ajp13. To document the problem please open an issue in 
bugzilla and give some information, why you can't simply avoid those 
directory names.


hb

Regards,

Rainer


-----Ursprüngliche Nachricht----- Von: Rainer Jung
[mailto:[EMAIL PROTECTED] Gesendet: Montag, 21. Januar 2008
11:47 An: Tomcat Users List Betreff: Re: isapi_redirector & protected
Diretories

Hi Holger,

Holger Burde wrote:
Hi;

I did a Netbeans 6 JSF Project recently  which was developed and
tested with Tomcat6. The final installation was set up with  Tomcat
6.0.14 behind IIS6 (Connectors / isapi_rediretor (latest version)).


Running some tests we discovered  that allmost all Javascript was 
filtered out and we got almost blank pages. The Reason was that the
 isapi_redirector filters out every access to any URI which
*contains* META-INF / WEB-INF ANYWERE in the PATH.

Example : javascript   $CONTEXT/theme/META-INF/json/json.jsf

This is not THE META-INF config directory - its just a Path which 
accidential contains META-INF !!!

Is there any way to configure access to such directories or ist his
a Bug in the isapi_redirector ? From the source it looks like it a 
substring Match which filters out anything. Any Comments on this
are welcome.

No, there is no way to change this via configuration. A context path
can be multiple-directories, so since we don't know what's exactly
deployed in the backend, we need to secure all possible WEB-INF and
META-INF directories.

Best would be to not use those names for normal content directories.
Not only because your isapi redirector problem, but also because
admins might misinterprete the directories.

If the stuff in the directories is static and you deploy it on IIS 
itself, you can use an exclusion mount for them. That way we don't
find a worker, and for requests that don't get send to the backend,
there is no such check. Be careful though, you don't want to expose
your real META-INF resp. WEB-INF.

Thanks in advance


Hb

Java developer

Regards,

Rainer

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]