Sriganesh Ananth wrote:
Hi Andre,

I got Forbidden - You don't have permission to access
/test/WEB-INF/web.xml on this server.

Under httpd.conf, just before VirtualHost, I have the following to deny everyone
access to the WEB-INF folder.

Httpd.conf configuration:

# Globally deny access to the WEB-INF directory
<LocationMatch '.*WEB-INF.*'>
       deny from all
</LocationMatch>
<VirtualHost …>
DocumentRoot /var/www/testapp
Alias /test /var/www/testapp/
JkMount /*.do ajp13
JkMount /*.jsp ajp13
</VirtualHost>

Do you still smell something fishy here?

Ok, that "LocationMatch" (which you did not mention before, and which still smells fishy if it is really outside of your <VirtualHost> section) makes things somewhat better, although it still smells like fish.

By the way, as written, that is a *very expensive* match, and one that will also match things like
/any/path/even/NOT-WEB-INF/abc.gif
/any/path/even/WEB-INFORMATION-DEPARTMENT/abc.gif
and under Windows, will not stop people getting to your WEB-INF like so: http://192.168.1.23/test/web-inf/web.xml

What also still smells fishy is the line
> Alias /test /var/www/testapp/

Why is it there? What does it achieve that the following 2 lines do not?
> JkMount /*.do ajp13
> JkMount /*.jsp ajp13

As a matter of fact, in the case of your configuration above, what does the Apache httpd front-end achieve, that Tomcat alone could not ? (I am not saying that you do not have good reasons to have an Apache httpd in front. Just that it is not very evident from the above why you need it. And if you don't need it, you would gain simplicity and efficiency by taking it out of the equation).

I have a much longer and detailed explanation of my above comments ready for you if you are interested, but if your purpose was simply to get this running on some test system, then it may not be worth it.
But at least read this:
http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
(the section entitled "Configuring Apache to serve static web application files")
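The following is an added illustration, not part of either message above, of the two regex problems Andre points out: the posted pattern `.*WEB-INF.*` matches any path containing that substring (so it catches unrelated paths), and it is case-sensitive, so a request for `/test/web-inf/web.xml` slips past it on a case-insensitive Windows filesystem. Apache's `LocationMatch` applies an unanchored PCRE search to the request path, which Python's `re.search` reproduces closely enough for this check. The tightened pattern `(?i)/WEB-INF(/|$)` is my suggestion, not something from the thread: it requires `WEB-INF` to be a whole path component and matches regardless of case. The sample request paths are constructed for this example.

```python
import re

# Pattern as posted in the thread: unanchored, matches the substring
# anywhere in the path, and is case-sensitive.
ORIGINAL_PATTERN = r".*WEB-INF.*"

# Tightened pattern (an assumption of this example, not from the thread):
# case-insensitive, and WEB-INF must be a complete path component.
# Corresponding httpd directive would be:
#   <LocationMatch "(?i)/WEB-INF(/|$)">
#       deny from all            # httpd 2.2 syntax, as used in the thread
#   </LocationMatch>
TIGHTENED_PATTERN = r"(?i)/WEB-INF(/|$)"

# Constructed request paths: the legitimate deny target, the case-variant
# bypass, the two over-matches Andre lists, and an ordinary JSP request.
SAMPLE_PATHS = [
    "/test/WEB-INF/web.xml",
    "/test/web-inf/web.xml",
    "/any/path/even/NOT-WEB-INF/abc.gif",
    "/any/path/even/WEB-INFORMATION-DEPARTMENT/abc.gif",
    "/test/index.jsp",
]


def is_denied(pattern: str, path: str) -> bool:
    """True when a LocationMatch-style unanchored regex search hits this path."""
    return re.search(pattern, path) is not None


def classify(pattern: str, paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to whether the given pattern would deny it."""
    return {p: is_denied(pattern, p) for p in paths}


def compare(paths=SAMPLE_PATHS) -> list:
    """Rows of (path, denied_by_original, denied_by_tightened) for review."""
    return [(p, is_denied(ORIGINAL_PATTERN, p), is_denied(TIGHTENED_PATTERN, p))
            for p in paths]


if __name__ == "__main__":
    print(f"{'path':<55} original  tightened")
    for path, orig, tight in compare():
        print(f"{path:<55} {str(orig):<9} {tight}")
```

Running it shows the posted pattern denying the two harmless `.gif` paths while letting `/test/web-inf/web.xml` through, and the tightened pattern denying exactly the two `WEB-INF` requests. This only addresses the regex itself; Andre's broader point, that the `Alias` makes httpd serve the webapp directory directly at all, still stands, and the linked connectors howto covers that side.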
