On 23/02/2023 16:49, James H. H. Lampert wrote:
On 2/22/23 9:23 AM, Mark Thomas wrote:
Alternatively, you can use denyStatus="404" on the RemoteAddrValve.
That attribute should be available in all versions of all currently
supported Tomcat releases (it was added back in 2011). You can set it
to any value valid for use with HttpServletResponse.sendError(int).
Now that the customer's Tomcat server has had its nightly restart, I see
that adding
denyStatus="404"
to the RemoteAddrValve does indeed give me a 404 page. But it's a 404
page that still admits to the *existence* of a manager context.
I note that if I give it a manifestly nonexistent webapp context, e.g.,
"/foobar," I get a default 404 page. But if I simply rename
/manager/WEB-INF/jsp/404.jsp to 404.jsp.bak, and I (without waiting for
a Tomcat restart) go to the manager from an unauthorized URL, I get
*nothing* -- in Firefox, I get a blank page, and in Chrome, I get a
Chrome-generated message that there is nothing there.
Is there a way, short of manually duplicating the default 404 page, that
I can have /manager look *exactly* like /foobar to an unauthorized
requester?
(Or would waiting for the next scheduled Tomcat restart, with the
manager's 404 page renamed, give me that result?)
You need to remove the error page entry for 404 errors from
WEB-INF/web.xml rather than / as well as renaming / removing 404.jsp
Delete (or comment out) these lines:
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/404.jsp</location>
</error-page>
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
