Eric Daniel Mauricio wrote:
>
> There is another way to get the source from a jsp page using Tomcat.
> If you don't write HTTP/1.0 or HTTP/1.1 in the end of the GET request,
> you will get the source code and not the jsp processed.
> In other words, use Apache + Tomcat if you intend to protect your source code.

Even if Apache is wrapping Tomcat, port 8080 (example) is still "open for
business" (*) to reveal source as described above.

It may be understood or implied but, if you do run Tomcat under Apache as
suggested, you should add the "inet" param to tomcat/conf/server.xml (and
restart) to restrict access, e.g.:
        <!-- Normal HTTP -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler"
            value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
            <Parameter name="inet" value="127.0.0.1"/>
            <Parameter name="port" value="8080"/>
        </Connector>
(similar config for 8007, 8009, 8443, etc., as needed)
REF: http://mikal.org/interests/java/tomcat/archive/view?mesg=22911

* - in a default Tomcat 3.2.1 install. Tomcat 4.0x untested.

--
monwel @ interhack.net
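
An added example, not part of the original message or of Tomcat itself: a small audit that reads a Tomcat 3.2-style server.xml and lists every Connector that is not bound to a loopback address through the "inet" parameter. The sample file is constructed, the function name is hypothetical, and it assumes a Connector with no "inet" parameter listens on all interfaces.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the Connector/Parameter layout quoted above; not a real server's file.
HTTP = "org.apache.tomcat.service.http.HttpConnectionHandler"
AJP12 = "org.apache.tomcat.service.connector.Ajp12ConnectionHandler"
SAMPLE_SERVER_XML = f"""
<Server><ContextManager>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="{HTTP}"/>
    <Parameter name="inet" value="127.0.0.1"/>
    <Parameter name="port" value="8080"/>
  </Connector>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="{AJP12}"/>
    <Parameter name="port" value="8007"/>
  </Connector>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="{HTTP}"/>
    <Parameter name="inet" value="0.0.0.0"/>
    <Parameter name="port" value="8443"/>
  </Connector>
</ContextManager></Server>
"""

def exposed_connectors(server_xml):
    """Return (port, inet) for each Connector not restricted to loopback."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        params = {p.get("name"): p.get("value") for p in conn.iter("Parameter")}
        port = params.get("port", "?")
        inet = params.get("inet")
        if inet is None:
            # Assumption: no "inet" parameter means the port is reachable remotely.
            findings.append((port, None))
            continue
        try:
            loopback = ipaddress.ip_address(inet).is_loopback
        except ValueError:
            # Not an IP literal; only the name "localhost" is accepted as local.
            loopback = inet.lower() == "localhost"
        if not loopback:
            findings.append((port, inet))
    return findings

if __name__ == "__main__":
    for port, inet in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: inet={inet or 'not set'} (reachable without Apache in front)")
```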
