On 08/11/2011 15:12, Alexander Diedler wrote:
> Hello
> 
>> That most probably means that the URL mappings for mod_jk are not correct,
>> and that Apache httpd is serving that content directly.
>> Look at (or show here) the JkMount lines that should be somewhere in your
>> Apache configuration.
> 
> Was attached in the post:
> JkMount /* loadbalancer
> So everything would be served by tomcat.
> 
>> At a second level, it also means that you are doing something that is
>> really not recommended : allow Apache httpd access to the Tomcat application
>> directories.

+1  I'd go further: *never* publish a Tomcat application docBase as an
HTTPD DocumentRoot.


>> That bypasses any security that you may have in Tomcat.
>> Your current problem is a perfect example : Apache now shows the source
>> code of your JSP pages.  Hopefully there is no secret password in there.
> 
>> Test : (http://www.test.de/xyz)/WEB-INF/web.xml
> Yes you are right, I can read the web.xml from the browser. How can we avoid
> it?

Don't publish a Tomcat application docBase as an HTTPD DocumentRoot.
Simples.


p



> Greetings
> Alexander
> 
> 
> 
>> In the Apache access log:
>>
>> xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 23281 ##OK
>>
>> xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572    ##Not ok, source code displayed.
>>
>> In the virtual-host.conf:
>>
>> ## Tomcat connection
>>     JkMount /* loadbalancer
>> JkOptions +ForwardURICompatUnparsed
>> AllowEncodedSlashes On
>>
>> Greetings
>> Alexander
> 
> 
> 
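
One way to check a configuration for the mistake this thread describes, as an added example that is not part of the original messages: the script flags any httpd DocumentRoot that equals, contains, or sits inside a Tomcat application directory. The sample vhost, the paths and the function names are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample vhost; the paths are assumptions, not taken from the thread.
SAMPLE_VHOST = """
<VirtualHost *:80>
    ServerName www.test.de
    # DocumentRoot /var/www/html
    DocumentRoot "/opt/tomcat/webapps/ROOT"
    JkMount /* loadbalancer
</VirtualHost>
"""

def document_roots(httpd_conf):
    """Return every active (uncommented) DocumentRoot path in the config text."""
    roots = []
    for line in httpd_conf.splitlines():
        # Handles quoted or bare paths without spaces; commented lines do not match.
        m = re.match(r'\s*DocumentRoot\s+"?([^"\s]+)"?', line, re.IGNORECASE)
        if m:
            roots.append(PurePosixPath(m.group(1)))
    return roots

def overlaps(a, b):
    """True if the two paths are equal or one is an ancestor of the other."""
    return a == b or a in b.parents or b in a.parents

def exposed_roots(httpd_conf, tomcat_dirs):
    """DocumentRoots from which httpd itself could read Tomcat application files."""
    tomcat = [PurePosixPath(d) for d in tomcat_dirs]
    return [str(r) for r in document_roots(httpd_conf)
            if any(overlaps(r, t) for t in tomcat)]

if __name__ == "__main__":
    # "/opt/tomcat/webapps" stands in for the Tomcat appBase (assumed location).
    for root in exposed_roots(SAMPLE_VHOST, ["/opt/tomcat/webapps"]):
        print(f"DocumentRoot {root} overlaps a Tomcat application directory: "
              "httpd can serve WEB-INF and JSP source for any request it does "
              "not forward to Tomcat")
```

Paths are compared lexically, so symlinks and Alias directives that reach the same directories are not detected.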

