Hi.

Pid wrote:
On 08/11/2011 15:12, Alexander Diedler wrote:
Hello

That most probably means that the URL mappings for mod_jk are not correct,
and that Apache httpd is serving that content directly.
Look at (or show here) the JkMount lines that should be somewhere in your
Apache configuration.

Was attached in the post:
JkMount /* loadbalancer
So everything would be served by tomcat.


But obviously it isn't, so there's something wrong with this JkMount.

Somewhere else you are talking of VirtualHost.
Are you sure that the above line is inside the <VirtualHost> configuration?
If it is in the "main" Apache config, it is not automatically "inherited" by the VirtualHosts. Check the JkMountCopy directive for details.

At a second level, it also means that you are doing something that is
really not recommended: allowing Apache httpd access to the Tomcat application
directories.

+1  I'd go further: *never* publish a Tomcat application docBase as an
HTTPD DocumentRoot.


That bypasses any security that you may have in Tomcat.
Your current problem is a perfect example: Apache now shows the source
code of your JSP pages.  Hopefully there is no secret password in there.

Test: (http://www.test.de/xyz)/WEB-INF/web.xml
Yes you are right, I can read the web.xml from the browser. How can we avoid
it?

Don't publish a Tomcat application docBase as an HTTPD DocumentRoot.
Simples.


To say that in another way:
Suppose that your Tomcat webapps directory is /var/lib/tomcatx/webapps.
Then DO NOT define in Apache
DocumentRoot /var/lib/tomcatx/webapps
(or any other overlap between these two, or subdirectories of ditto).

Apache httpd and Tomcat "don't know each other", they are independent
applications.
Each one has its own security system, based on different principles.

For example, Tomcat will /never/ allow a client to retrieve a file from inside a webapp's WEB-INF subdirectory. But Apache httpd doesn't know that a WEB-INF sub-directory is something special, so it will happily serve its content, if the URL maps there for Apache. Similarly, Apache doesn't know that a JSP file is something special (that must be compiled to a Java servlet, etc.). So if the URL which Apache handles points to something like that, Apache will happily serve it as a text file.
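
As an added illustration (not part of the original message, and not code from the Tomcat or mod_jk projects), here is a small Python check for the two misconfigurations discussed in this thread: a DocumentRoot that overlaps the Tomcat webapps directory, and a VirtualHost that neither has its own JkMount nor inherits one through JkMountCopy. The sample configuration and the names `audit` and `overlaps` are constructed for the example; the parser is simplified and does not follow Include files.

```python
from pathlib import PurePosixPath

# Constructed sample (not the poster's real config): JkMount only in the main
# server, one vhost rooted inside the Tomcat webapps directory, one clean vhost.
SAMPLE_CONF = """\
JkMount /* loadbalancer
<VirtualHost *:80>
    ServerName www.test.de
    DocumentRoot /var/lib/tomcatx/webapps/ROOT
</VirtualHost>
<VirtualHost *:80>
    ServerName static.test.de
    DocumentRoot "/var/www/static"
    JkMountCopy On
</VirtualHost>
"""

def overlaps(a, b):
    """True if either path equals or contains the other."""
    pa, pb = PurePosixPath(a).parts, PurePosixPath(b).parts
    n = min(len(pa), len(pb))
    return pa[:n] == pb[:n]

def audit(conf_text, tomcat_webapps):
    """Return (scope, issue) pairs for httpd config text."""
    findings, scope, in_vhost, has_jk, copy_all = [], "main", False, False, False
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "<virtualhost":
            # A new vhost starts with no mounts unless the main server set JkMountCopy All.
            scope, in_vhost, has_jk = "vhost " + arg.rstrip(">"), True, copy_all
        elif key.startswith("</virtualhost"):
            if not has_jk:  # httpd itself answers every URL of this vhost
                findings.append((scope, "no-jk-mapping"))
            scope, in_vhost = "main", False
        elif key == "servername" and in_vhost:
            scope = arg
        elif key == "documentroot" and overlaps(arg, tomcat_webapps):
            findings.append((scope, "docroot-overlap"))
        elif key == "jkmount" and in_vhost:
            has_jk = True
        elif key == "jkmountcopy":
            if in_vhost:
                has_jk = has_jk or arg.lower() == "on"
            else:
                copy_all = arg.lower() == "all"
    return findings
```

Calling `audit(SAMPLE_CONF, "/var/lib/tomcatx/webapps")` reports both issues for `www.test.de` and nothing for `static.test.de`. A vhost flagged only with `no-jk-mapping` may be intentionally static; it is the combination with `docroot-overlap` that exposes JSP source and WEB-INF.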

