Posted to users@tomcat.apache.org by Holger Burde <hb...@merentis.com> on 2008/01/21 09:10:30 UTC
isapi_redirector & protected Directories
Hi;
I did a Netbeans 6 JSF Project recently which was developed and tested
with Tomcat6. The final installation was set up with Tomcat 6.0.14
behind IIS6 (Connectors / isapi_redirector (latest version)).
Running some tests we discovered that almost all JavaScript was
filtered out and we got almost blank pages. The reason was that the
isapi_redirector filters out every access to any URI which *contains*
META-INF / WEB-INF ANYWHERE in the PATH.
Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
This is not THE META-INF config directory - it's just a path which
accidentally contains META-INF !!!
Is there any way to configure access to such directories or is this a
bug in the isapi_redirector? From the source it looks like it is a
substring match which filters out anything. Any comments on this are
welcome.
Thanks in advance
Hb
Java developer
AW: AW: isapi_redirector & protected Directories
Posted by Holger Burde <hb...@merentis.com>.
Hi;
Ok - report is under way ...
PS: I first checked the Netbeans list to make sure I can't do anything about this from the Netbeans side. It's just emitted from the IDE this way and there is no way to change those internals.
Thx
hb
-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de]
Sent: Monday, 21 January 2008 13:19
To: Tomcat Users List
Subject: Re: AW: isapi_redirector & protected Directories
Holger Burde wrote:
> Hi;
>
> Thanks for the reply.
>
> This type of matching breaks at least every JSF Netbeans (5.x/6.x)
> App and maybe others. We have no choice now other than patching the
> isapi_redirector. Also I thought that Tomcat protects those dirs? Or
> is this not the case if access is via ajp13?
It is, even for ajp13. To document the problem please open an issue in
bugzilla and give some information, why you can't simply avoid those
directory names.
>
> hb
Regards,
Rainer
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Monday, 21 January 2008 11:47
> To: Tomcat Users List
> Subject: Re: isapi_redirector & protected Directories
>
> Hi Holger,
>
> Holger Burde wrote:
>> Hi;
>>
>> I did a Netbeans 6 JSF Project recently which was developed and
>> tested with Tomcat6. The final installation was set up with Tomcat
>> 6.0.14 behind IIS6 (Connectors / isapi_redirector (latest version)).
>>
>>
>> Running some tests we discovered that almost all JavaScript was
>> filtered out and we got almost blank pages. The reason was that the
>> isapi_redirector filters out every access to any URI which
>> *contains* META-INF / WEB-INF ANYWHERE in the PATH.
>>
>> Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
>>
>> This is not THE META-INF config directory - it's just a path which
>> accidentally contains META-INF !!!
>>
>> Is there any way to configure access to such directories or is this
>> a bug in the isapi_redirector? From the source it looks like it is a
>> substring match which filters out anything. Any comments on this
>> are welcome.
>
> No, there is no way to change this via configuration. A context path
> can be multiple-directories, so since we don't know what's exactly
> deployed in the backend, we need to secure all possible WEB-INF and
> META-INF directories.
>
> Best would be to not use those names for normal content directories.
> Not only because of your isapi redirector problem, but also because
> admins might misinterpret the directories.
>
> If the stuff in the directories is static and you deploy it on IIS
> itself, you can use an exclusion mount for them. That way we don't
> find a worker, and for requests that don't get sent to the backend,
> there is no such check. Be careful though, you don't want to expose
> your real META-INF resp. WEB-INF.
>
>> Thanks in advance
>>
>>
>> Hb
>>
>> Java developer
>
> Regards,
>
> Rainer
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: AW: isapi_redirector & protected Directories
Posted by Rainer Jung <ra...@kippdata.de>.
Holger Burde wrote:
> Hi;
>
> Thanks for the reply.
>
> This type of matching breaks at least every JSF Netbeans (5.x/6.x)
> App and maybe others. We have no choice now other than patching the
> isapi_redirector. Also I thought that Tomcat protects those dirs? Or
> is this not the case if access is via ajp13?
It is, even for ajp13. To document the problem please open an issue in
bugzilla and give some information, why you can't simply avoid those
directory names.
>
> hb
Regards,
Rainer
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Monday, 21 January 2008 11:47
> To: Tomcat Users List
> Subject: Re: isapi_redirector & protected Directories
>
> Hi Holger,
>
> Holger Burde wrote:
>> Hi;
>>
>> I did a Netbeans 6 JSF Project recently which was developed and
>> tested with Tomcat6. The final installation was set up with Tomcat
>> 6.0.14 behind IIS6 (Connectors / isapi_redirector (latest version)).
>>
>>
>> Running some tests we discovered that almost all JavaScript was
>> filtered out and we got almost blank pages. The reason was that the
>> isapi_redirector filters out every access to any URI which
>> *contains* META-INF / WEB-INF ANYWHERE in the PATH.
>>
>> Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
>>
>> This is not THE META-INF config directory - it's just a path which
>> accidentally contains META-INF !!!
>>
>> Is there any way to configure access to such directories or is this
>> a bug in the isapi_redirector? From the source it looks like it is a
>> substring match which filters out anything. Any comments on this
>> are welcome.
>
> No, there is no way to change this via configuration. A context path
> can be multiple-directories, so since we don't know what's exactly
> deployed in the backend, we need to secure all possible WEB-INF and
> META-INF directories.
>
> Best would be to not use those names for normal content directories.
> Not only because of your isapi redirector problem, but also because
> admins might misinterpret the directories.
>
> If the stuff in the directories is static and you deploy it on IIS
> itself, you can use an exclusion mount for them. That way we don't
> find a worker, and for requests that don't get sent to the backend,
> there is no such check. Be careful though, you don't want to expose
> your real META-INF resp. WEB-INF.
>
>> Thanks in advance
>>
>>
>> Hb
>>
>> Java developer
>
> Regards,
>
> Rainer
AW: isapi_redirector & protected Directories
Posted by Holger Burde <hb...@merentis.com>.
Hi;
Thanks for the reply.
This type of matching breaks at least every JSF Netbeans (5.x/6.x) App and maybe others. We have no choice now other than patching the isapi_redirector. Also I thought that Tomcat protects those dirs? Or is this not the case if access is via ajp13?
hb
-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de]
Sent: Monday, 21 January 2008 11:47
To: Tomcat Users List
Subject: Re: isapi_redirector & protected Directories
Hi Holger,
Holger Burde wrote:
> Hi;
>
> I did a Netbeans 6 JSF Project recently which was developed and tested
> with Tomcat6. The final installation was set up with Tomcat 6.0.14
> behind IIS6 (Connectors / isapi_redirector (latest version)).
>
> Running some tests we discovered that almost all JavaScript was
> filtered out and we got almost blank pages. The reason was that the
> isapi_redirector filters out every access to any URI which *contains*
> META-INF / WEB-INF ANYWHERE in the PATH.
>
> Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
>
> This is not THE META-INF config directory - it's just a path which
> accidentally contains META-INF !!!
>
> Is there any way to configure access to such directories or is this a
> bug in the isapi_redirector? From the source it looks like it is a
> substring match which filters out anything. Any comments on this are
> welcome.
No, there is no way to change this via configuration. A context path can
be multiple-directories, so since we don't know what's exactly deployed
in the backend, we need to secure all possible WEB-INF and META-INF
directories.
Best would be to not use those names for normal content directories. Not
only because of your isapi redirector problem, but also because admins
might misinterpret the directories.
If the stuff in the directories is static and you deploy it on IIS
itself, you can use an exclusion mount for them. That way we don't find
a worker, and for requests that don't get sent to the backend, there is
no such check. Be careful though, you don't want to expose your real
META-INF resp. WEB-INF.
>
> Thanks in advance
>
>
> Hb
>
> Java developer
Regards,
Rainer
Re: isapi_redirector & protected Directories
Posted by Rainer Jung <ra...@kippdata.de>.
Hi Holger,
Holger Burde wrote:
> Hi;
>
> I did a Netbeans 6 JSF Project recently which was developed and tested
> with Tomcat6. The final installation was set up with Tomcat 6.0.14
> behind IIS6 (Connectors / isapi_redirector (latest version)).
>
> Running some tests we discovered that almost all JavaScript was
> filtered out and we got almost blank pages. The reason was that the
> isapi_redirector filters out every access to any URI which *contains*
> META-INF / WEB-INF ANYWHERE in the PATH.
>
> Example : javascript $CONTEXT/theme/META-INF/json/json.jsf
>
> This is not THE META-INF config directory - it's just a path which
> accidentally contains META-INF !!!
>
> Is there any way to configure access to such directories or is this a
> bug in the isapi_redirector? From the source it looks like it is a
> substring match which filters out anything. Any comments on this are
> welcome.
No, there is no way to change this via configuration. A context path can
be multiple-directories, so since we don't know what's exactly deployed
in the backend, we need to secure all possible WEB-INF and META-INF
directories.
Best would be to not use those names for normal content directories. Not
only because of your isapi redirector problem, but also because admins
might misinterpret the directories.
If the stuff in the directories is static and you deploy it on IIS
itself, you can use an exclusion mount for them. That way we don't find
a worker, and for requests that don't get sent to the backend, there is
no such check. Be careful though, you don't want to expose your real
META-INF resp. WEB-INF.
>
> Thanks in advance
>
>
> Hb
>
> Java developer
Regards,
Rainer
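Added example, not part of the thread and not the isapi_redirector source: three ways a front-end filter can decide whether a URI touches WEB-INF / META-INF, applied to the path from the first post. The function names, the /myapp context and the sample URIs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Case-insensitive substring search. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* True when the segment of length len is exactly WEB-INF or META-INF. */
static int is_protected(const char *seg, size_t len) {
    return (len == 7 && strncasecmp(seg, "web-inf", 7) == 0) ||
           (len == 8 && strncasecmp(seg, "meta-inf", 8) == 0);
}

/* Policy A: substring anywhere in the URI (the behaviour the first post describes). */
int blocked_substring(const char *uri) {
    return contains_ci(uri, "web-inf") || contains_ci(uri, "meta-inf");
}

/* Policy B: a whole path segment equals a protected name, at any depth. */
int blocked_segment(const char *uri) {
    const char *p = uri;
    while (*p && *p != '?') {
        while (*p == '/') p++;
        size_t len = strcspn(p, "/?");
        if (is_protected(p, len)) return 1;
        p += len;
    }
    return 0;
}

/* Policy C: protected name directly under a known context path (assumed input;
   per the reply, the redirector does not know which contexts are deployed). */
int blocked_under_context(const char *uri, const char *ctx) {
    size_t n = strlen(ctx);
    if (strncmp(uri, ctx, n) != 0 || uri[n] != '/') return 0;
    return is_protected(uri + n + 1, strcspn(uri + n + 1, "/?"));
}

int main(void) {
    const char *uris[] = { "/myapp/theme/META-INF/json/json.jsf",  /* constructed */
        "/myapp/docs/web-info.html", "/myapp/WEB-INF/web.xml", "/a/b/WEB-INF/web.xml" };
    for (int i = 0; i < 4; i++)
        printf("%-38s A=%d B=%d C(/myapp)=%d\n", uris[i], blocked_substring(uris[i]),
               blocked_segment(uris[i]), blocked_under_context(uris[i], "/myapp"));
    return 0;
}
```

The path from the first post is still blocked under policy B because META-INF is a complete segment there; only policy C lets it through, and the last URI shows that C misses a protected directory when the assumed context path is not the deployed one.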