Hi.
What we are trying to say is this :
The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to contain files
that should NOT be accessed by the users. For example, in the WEB-INF and META-INF
subdirectories, there are files (like WEB-INF/web.xml) which may contain private
information (such as, e.g., passwords to access a database system).
For that reason, Tomcat itself forbids access to the content of these
directories.
If you try to access Tomcat directly via a URL like
"http://myhost.company.com/mywebapp/WEB-INF/somefile";, you will get a "Forbidden"
response. Always.
But if on the same host, you run another webserver (Apache, nginx,..), and you allow this
webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then
you bypass the Tomcat security and make it useless.
That means that a user, with a well-crafted URL, will be able to access and display the
content of those files. This is a big security hole.
You can configure the front-end webserver to also forbid this, but it requires additional
configuration, and you will forget to do it, or do it wrong.
So don't do that.
If you have static resources that need to be accessed via links in your pages, put them in
a subdirectory of your webapp, but /not/ in WEB-INF or META-INF.
For example, in ../webapps/mywebapp/images/*.jpg or
../webapps/mywebapp/css/*.css
Tomcat will server static resources just fine, usually as fast as Apache or
nginx would.
If you insist that you must serve this static content directly from the front-end
webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot
of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps
directory), and use the proxy instructions so that these requests are /not/ forwarded to
Tomcat, but served locally.
For example :
ProxyPass /mywebapp/images !
ProxyPass /mywebapp/css !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css
subdirectories.
Jan Vávra wrote:
Hello,
when I started my project others told me to use apache for static
content and tomcat for java/jsp.
It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So
static content gives apache, dynamic tomcat.
Jan.
I have a spring project (web app), in my project where should I be
putting
my static files like images/css/javascript?
In my WEB-INF like:
/WEB-INF/Assets {images/css/js}
I know when I go in production I will have nginx map to this folder to
serve the static files, but I just want to know where I can put them for
development/testing.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
