Thanks again for the reply, Chris & Violeta!
Thanks for clarifying what the "protected directory" is, even though I guessed it
to be the same. Now I understand the fix for the directories protected by a
security constraint. I also verified this & the redirect is no longer
happening for these protected ones. Really appreciate your help here.

However, I am still unable to disable the redirect for the root of the
webapp. This is what I did on the latest Tomcat build (7.0.68) -

a) Set the context attribute (mapperContextRootRedirectEnabled) to false
for manager webapp. Here is my context.xml (from
\webapps\manager\META-INF\) file -

<Context mapperContextRootRedirectEnabled="false"
antiResourceLocking="false" privileged="true" >
 </Context>

b) Accessing http://localhost:8080/manager gets redirected to manager/.

c) I have also set the above context attribute in the default context.xml
(from \conf\context.xml) file as well.

d) Accessing http://localhost:8080/examples gets redirected to examples/.

Not sure what I am missing here. The same behavior is seen on my web
application too.
Please let me know where I am going wrong & help me with how to disable the
redirect for the root of webapps.


regards
Harish Krishnan

On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Harish,
>
> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> > Thanks Chris for the reply.
> > Looks like my understanding of the fix is incorrect.
> > I assumed (my bad) that, with the fix for this CVE in place (tomcat
> > 7.0.68) + setting the additional context attribute
> > (mapperContextRootRedirectEnabled="false"), all the redirects for that
> > webapp where context attribute was set, will completely be disabled.
> > You mentioned that only "protected directories" inside the deployed web
> > application is covered in this CVE fix.
> > Can you please help me understand what this protected directories are &
> how
> > to configure this in tomcat ?
>
> A "protected directory" is one that has a <security-constraint> in
> web.xml. That's not a spec-defined term... just one we've been using
> because it captures the meaning with fewer words.
>
> As for the redirects you are seeing that "expose" the availability of a
> particular web application, those are essentially impossible to prevent,
> and not considered a part of the CVE.
>
> -chris
