The reason why I have the mount directives so open is because I am using Stripes with no prefix or suffix mappings on the actions (servlets). JSPs are handled internally (every page is served via an action), so the urls don't have a specific pattern (/servlet, /action, .do, etc) that can be isolated for the mount directives. It could handle it with a minimum amount of configuration and keeps urls very clean so I went with this.
As for the differences in configuration between the two web servers - the old one uses servlets with a specific mapping (/servlets/* & /*.jsp) for the mount directives and is using a much older mod_jk, the new one is open (no specific mappings) and uses the latest mod_jk. The apache config is the same.

My concern is why I now need the unmount directives where I didn't need them before. Is this due to the new version of mod_jk and that's just how it behaves, or because I have a very open mapping for the mount directives, or something else I'm just not seeing.

Given that I have a configuration that seems to be somewhat correct and returning the right results, I'm not hugely concerned. I just like to know why things behave the way they do so that I roughly know what to expect if I have to change something later :)

Chris

On Tue, Aug 25, 2009 at 7:12 PM, Christopher Schultz<ch...@christopherschultz.net> wrote:
> Chris,
>
> On 8/25/2009 9:37 PM, Chris Cheshire wrote:
>> However, even with a directory deny rule in apache conf to block the
>> web-inf and meta-inf directories, requests to it are still getting
>> passed to tomcat.
>
> That's because they aren't being treated as directories in those cases.
> Try using a <Location> instead of a <Directory> and see if that works. I
> think mod_jk takes the first crack at serving files, and then allows
> Apache to continue with the rest of its possibilities. So, if your
> mod_jk mappings also map those directories, they're going to be sent to
> Tomcat.
>
>> If I put in a JkUnMount to those directories, then apache is
>> returning a forbidden error.
>
> Sound like that's what you want to do, anyway, right?
>
>> JkMount /* worker1
>
> What types of URLs do you actually want Tomcat to process? For instance,
> I use Struts 1.x, j_security_check-style security, and a few JSPs, so I
> only mount /*.do, /*.jsp, and /j_security_check. If you have similar
> requirements, maybe you could tighten-up your JkMount directives.
>
>> JkUnMount /META-INF/* worker1 # without this, apache directory
>> directive to return a forbidden error doesn't happen
>
> Right. Instead, you get a 404 from Tomcat (which isn't so bad, honestly).
>
>> <Directory /home/www/web/ROOT/META-INF>
>> AllowOverride none
>> Order deny,allow
>> Deny from all
>> Satisfy all
>> </Directory>
>
> Whatever else you do, you should leave this configuration in Apache
> httpd.conf, even if it's not actually doing anything. Later, if someone
> modifies your configuration, this might provide "backup" protection for you.
>
> Try <Location> in addition to the <Directory>, but you might just need
> the JkUnMount (or more specific JkMount directives).
>
>> Are the JkMount directives taking precedence over apache's Directory
>> directives? I have another web server running mod_jk-1.2.15, tomcat
>> 5.5, apache 2.0.52 and I don't have this issue.
>
> What are the differences in configuration, then?
>
> -chris
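
An added example, not part of the thread and not mod_jk's own code: a simplified Python model of JkMount/JkUnMount matching (shell-style wildcards, with an unmount for the same worker cancelling a mount) that checks which request paths reach Tomcat under the three mapping styles discussed above. The function names, the sample paths and the WEB-INF unmount line are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def parse_rules(conf_text):
    """Collect (pattern, worker) pairs from JkMount and JkUnMount lines."""
    mounts, unmounts = [], []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3:
            continue
        directive, pattern, worker = parts
        if directive.lower() == "jkmount":
            mounts.append((pattern, worker))
        elif directive.lower() == "jkunmount":
            unmounts.append((pattern, worker))
    return mounts, unmounts

def forwarded_to(uri, mounts, unmounts):
    """Return the worker that receives uri, or None if httpd keeps the request."""
    for pattern, worker in mounts:
        if not fnmatchcase(uri, pattern):
            continue
        # Simplified rule: an unmount for the same worker (or "*") cancels the mount.
        if any(fnmatchcase(uri, up) and uw in (worker, "*") for up, uw in unmounts):
            continue
        return worker
    return None

# The three mapping styles from the thread (the WEB-INF unmount line is assumed by analogy).
OPEN = "JkMount /* worker1"
OPEN_UNMOUNT = OPEN + "\nJkUnMount /META-INF/* worker1\nJkUnMount /WEB-INF/* worker1"
TIGHT = "JkMount /*.do worker1\nJkMount /*.jsp worker1\nJkMount /j_security_check worker1"

# Constructed sample request paths.
SAMPLES = ["/META-INF/context.xml", "/WEB-INF/web.xml",
           "/WEB-INF/jsp/page.jsp", "/account/view", "/index.jsp"]

def audit(conf_text):
    """Map each sample URI to the worker it would be forwarded to (or None)."""
    mounts, unmounts = parse_rules(conf_text)
    return {uri: forwarded_to(uri, mounts, unmounts) for uri in SAMPLES}

if __name__ == "__main__":
    for name, conf in (("open", OPEN), ("open+unmount", OPEN_UNMOUNT), ("tight", TIGHT)):
        print(name)
        for uri, worker in audit(conf).items():
            print(f"  {uri:24} -> {worker or 'stays in httpd'}")
```

In this model the suffix-only mapping leaves the extensionless /account/view in httpd, so it does not fit the prefix-less action URLs described in the first message, while a .jsp path under /WEB-INF is still forwarded by the /*.jsp mount. Only the explicit unmount lines keep every /WEB-INF and /META-INF path inside httpd, where the deny rules apply.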