Thanks a lot for the clear explanation, Mark. I have all my questions answered, appreciate your help & you guys are great! My apologies for the previous follow-up emails, I am still a novice in Tomcat & failed to understand the exact fix more quickly.

regards
Harish Krishnan

On Wed, Mar 16, 2016 at 4:38 AM, Mark Thomas <ma...@apache.org> wrote:

> On 15/03/2016 20:58, Harish Krishnan wrote:
> > Hello There,
> >
> > I am kind of blocked here in my project while applying your CVE fix in our product & verifying the fix. Any guidelines on what I am doing wrong (mentioned in my previous email) are highly appreciated.
>
> You are failing to follow the hints you have been given previously.
>
> > All I am trying to do is disable the redirect for the root (Ex: /manager & /examples in Tomcat) of the webapp. If I know how to do this on the mentioned Tomcat webapps, then I can apply the same for my webapps too. Looking for your response & help here.
>
> You CAN NOT disable the redirect. As the documentation for the two redirect options makes clear, all they do is change WHERE the redirect happens.
>
> The key point in all of this is that security constraints are applied AFTER the Mapper and BEFORE the DefaultServlet. If the request is for a protected resource and the redirects take place in the Mapper, then the response will confirm whether that resource exists irrespective of whether or not the user is authorized to access the resource. If the redirect takes place in the Default Servlet, the response will reflect the security constraints and the user's access rights if any.
>
> Again, you need to look at the security constraints for the Manager application. /manager is NOT a protected resource so the redirect is always going to happen.
>
> Mark
>
> > regards
> > Harish Krishnan
> >
> > On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish....@gmail.com> wrote:
> >
> >> Thanks again for the reply, Chris & Violeta!
> >> Thanks for clarifying what the "protected directory" is, even I guessed it to be the same. Now I understood the fix for the directories protected by a security constraint. I also verified this & the redirect is no more happening for these protected ones. Really appreciate your help here.
> >>
> >> However, I am still unable to disable the redirect for the root of the webapp. This is what I did on the latest Tomcat build (7.0.68) -
> >>
> >> a) Set the context attribute (mapperContextRootRedirectEnabled) to false for the manager webapp. Here is my context.xml (from \webapps\manager\META-INF\) file -
> >>
> >> <Context mapperContextRootRedirectEnabled="false" antiResourceLocking="false" privileged="true" >
> >> </Context>
> >>
> >> b) Accessing http://localhost:8080/manager gets redirected to manager/.
> >>
> >> c) I have also set the above context attribute in the default context.xml (from \conf\context.xml) file as well.
> >>
> >> d) Accessing http://localhost:8080/examples gets redirected to examples/.
> >>
> >> Not sure what I am missing here. Same behavior is seen on my web application too.
> >> Please let me know where I am going wrong & help me on how to disable the redirect for the root of webapps.
> >>
> >> regards
> >> Harish Krishnan
> >>
> >> On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>
> >>> Harish,
> >>>
> >>> On 3/8/16 5:47 PM, Harish Krishnan wrote:
> >>>> Thanks Chris for the reply.
> >>>> Looks like my understanding of the fix is incorrect.
> >>>> I assumed (my bad) that, with the fix for this CVE in place (Tomcat 7.0.68) + setting the additional context attribute (mapperContextRootRedirectEnabled="false"), all the redirects for that webapp where the context attribute was set will be completely disabled.
> >>>> You mentioned that only "protected directories" inside the deployed web application are covered by this CVE fix.
> >>>> Can you please help me understand what these protected directories are & how to configure this in Tomcat?
> >>>
> >>> A "protected directory" is one that has a <security-constraint> in web.xml. That's not a spec-defined term... just one we've been using because it captures the meaning with fewer words.
> >>>
> >>> As for the redirects you are seeing that "expose" the availability of a particular web application, those are essentially impossible to prevent, and not considered a part of the CVE.
> >>>
> >>> -chris
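Mark's point about WHERE the redirect happens can be verified from the client side. The script below is an added example, not code from the thread or from the Tomcat project: it requests a directory without its trailing slash as an anonymous client and classifies the answer as a Mapper redirect (the directory's existence is confirmed before any constraint ran) or a constraint-first response (401/403, nothing confirmed). BASE_URL and PROTECTED_DIR are assumptions; the latter is taken to be the examples webapp's /jsp/security/protected, which sits under a <security-constraint>.

```python
"""Client-side check of where Tomcat's directory redirect happens.

Added example, not code from the thread or the Tomcat project. Assumes a
Tomcat instance at BASE_URL and a directory covered by a
<security-constraint> in web.xml (PROTECTED_DIR is an assumption).
"""
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"                  # assumption
PROTECTED_DIR = "/examples/jsp/security/protected"  # assumption


def classify(status, location=None):
    """Interpret the unauthenticated response to GET <dir> (no trailing slash).

    3xx with Location ending in '/': the Mapper redirected before the security
        constraint ran, so the response confirms the directory exists.
    401/403: the constraint was applied first; any redirect is deferred to the
        DefaultServlet and nothing is confirmed to an anonymous client.
    404: the directory does not exist.
    """
    if status in (301, 302, 303, 307, 308) and location and location.endswith("/"):
        return "mapper-redirect"
    if status in (401, 403):
        return "constraint-first"
    if status == 404:
        return "not-found"
    return "other:%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(path):
    """GET BASE_URL + path with no credentials and return its classification."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(BASE_URL + path, timeout=5)
        return classify(resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    # /manager is not itself protected, so it is expected to redirect either way.
    for path in ("/manager", PROTECTED_DIR):
        print(path, "->", probe(path))
```

With mapperDirectoryRedirectEnabled left at its default the protected directory reports "mapper-redirect"; once the redirect is deferred to the DefaultServlet an anonymous probe reports "constraint-first", while the unprotected /manager root keeps redirecting, as Mark describes.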