Chris,
On 8/25/2009 9:37 PM, Chris Cheshire wrote:
> However, even with a directory deny rule in apache conf to block the
> web-inf and meta-inf directories, requests to it are still getting
> passed to tomcat.

That's because they aren't being treated as directories in those cases.
Try using a <Location> instead of a <Directory> and see if that works.

I think mod_jk takes the first crack at serving files, and then allows
Apache to continue with the rest of its possibilities. So, if your
mod_jk mappings also map those directories, they're going to be sent to
Tomcat.

> If I put in a JkUnMount to those directories, then apache is
> returning a forbidden error.

Sounds like that's what you want to do, anyway, right?

> JkMount /* worker1

What types of URLs do you actually want Tomcat to process? For instance,
I use Struts 1.x, j_security_check-style security, and a few JSPs, so I
only mount /*.do, /*.jsp, and /j_security_check. If you have similar
requirements, maybe you could tighten up your JkMount directives.

> JkUnMount /META-INF/* worker1 # without this, apache directory
> directive to return a forbidden error doesn't happen

Right. Instead, you get a 404 from Tomcat (which isn't so bad, honestly).

> <Directory /home/www/web/ROOT/META-INF>
> AllowOverride none
> Order deny,allow
> Deny from all
> Satisfy all
> </Directory>

Whatever else you do, you should leave this configuration in Apache
httpd.conf, even if it's not actually doing anything. Later, if someone
modifies your configuration, this might provide "backup" protection for
you.

Try <Location> in addition to the <Directory>, but you might just need
the JkUnMount (or more specific JkMount directives).

> Are the JkMount directives taking precedence over apache's Directory
> directives? I have another web server running mod_jk-1.2.15, tomcat
> 5.5, apache 2.0.52 and I don't have this issue.

What are the differences in configuration, then?

-chris
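
The suggestions in this reply, consolidated into one httpd.conf fragment as an added example (not part of the original message). worker1, the filesystem path and the mount patterns come from the thread; the WEB-INF blocks and the overall layout are assumptions.

```apache
# Before (from the thread): every URL is mapped to Tomcat, so requests for
# /META-INF/... are forwarded and the <Directory> deny never gets a say.
#   JkMount /* worker1

# After: forward only what Tomcat has to handle. These three patterns are the
# ones named in the reply (Struts 1.x actions, JSPs, container-managed login).
JkMount /*.do              worker1
JkMount /*.jsp             worker1
JkMount /j_security_check  worker1

# Explicit exclusions, so these paths stay with httpd even if a mount
# pattern above (or a broader one added later) would match them.
JkUnMount /WEB-INF/*   worker1
JkUnMount /META-INF/*  worker1

# Deny by URL path: <Location> applies to the request URI, whether or not
# the request ends up mapped to a file on disk.
<Location /WEB-INF>
    Order deny,allow
    Deny from all
</Location>
<Location /META-INF>
    Order deny,allow
    Deny from all
</Location>

# Deny by filesystem path, kept as backup protection in case httpd ever
# serves the webapp directory directly. The WEB-INF path is an assumption
# derived from the META-INF path in the thread.
<Directory /home/www/web/ROOT/META-INF>
    AllowOverride none
    Order deny,allow
    Deny from all
    Satisfy all
</Directory>
<Directory /home/www/web/ROOT/WEB-INF>
    AllowOverride none
    Order deny,allow
    Deny from all
    Satisfy all
</Directory>
```

The Order/Deny syntax matches the httpd 2.0/2.2 era of the thread; on httpd 2.4 the equivalent inside each block is "Require all denied".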