Sorry for the top post; iphone iant the best email client in the world.
Try:
<Location "/*.jsp">
Deny from all
</Location>
When configuring Apache httpd in front of Tomcat, you should set up
lots of these types of rules to protect your (jsp) sources, WEB-INF,
META-INF, etc.
-chris
On Dec 16, 2008, at 12:53, "Payne, George \(ghp5h\)" <gh...@eservices.virginia.edu
> wrote:
This is a problem I've seen reported on very old versions of mod_jk,
but it
seems (apparently) to have a new life in 1.2.27 and possibly other
recent
versions.
If a user puts a double slash (http://mysite.com//myapp/myjsp.jsp)
instead
of a single slash in a url, apache does not recognize it as part of
a normal
pattern (eg JkMount /myapp/*.jsp) to be forwarded to tomcat and
displays it
as html/text instead of as a jsp, revealing the source.
My system:
Httpd: Apache 2.0.46
Jk: 1.2.27 (from binary posted on
http://apache.mirrors.timporter.net/tomcat/tomcat-connectors/jk/binaries/lin
ux/jk-1.2.27/i386/mod_jk-1.2.27-httpd-2.0.61.so)
Tomcat: 5.5.27
I'd be happy to hear someone say I misconfigured something, but I'm
not sure
what I could misconfigure to make this happen.
I've worked around by doing things like
JkMount /*.jsp ajp13
JkMount /*.do ajp13
Etc, but this is not a good solution.
George Payne
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
