You're right, I totally forgot to put appBase attributes in my Host declarations. However, httpd only lets *.jsp and *.do requests pass on to Tomcat so I don't have to worry about the security issue.
I'm gonna put appBase attributes into my config and see if that fixes it. thanks On Fri, Oct 30, 2009 at 7:59 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hassan, > > On 10/30/2009 5:07 PM, Hassan Schroeder wrote: > > On Fri, Oct 30, 2009 at 2:03 PM, Jonathan Mast > > <jhmast.develo...@gmail.com> wrote: > >> When I log into the Tomcat Web Application Manager, in addition to the > >> actual webapps defined in server.xml, it also lists the /bin, /conf, > /logs, > >> /temp, /lib and /work directories of the Tomcat installation as if they > are > >> webapps. > >> > >> I doubt this is correct, so how do I fix it? > > > > Sounds like your server.xml is wildly wrong. :-) > > +1 > > I suspect you have something like this: > > <Host appBase="" ... > > If you thought "I don't need a webapps directory because all my webapps > are defined in their own XML files" and you decided to just remove the > appBase string, then you likely ended up setting your appBase to > CATALINA_BASE and exposing all your configuration to the world. If > you're using JNDI DataSources, you might want to change your database > passwords right about now. ;) > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkrri9sACgkQ9CaO5/Lv0PCWAACfQmyQyUGXH1JmWdC5KjjvPrhT > psoAnAtiufYZvyqE8Fd4D9gZYm4Qa3UB > =XY3t > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
