How to forward to hidden / restricted web pages in apache/tomcat

[Andrew Worsley <ep...@asac.ericsson.se>]

   I finally stumbled on a method that works ! To help anyone else who is
   stumbling around in this area I describe my solution.

   I use the poorly documented

       ApJServMount <url> <context>

   command to hide the other paths in the context to apache.

To summarise:

ApJServMount /examples /examples
<Location /examples/WEB-INF/ >
      AllowOverride None
      deny from all
</Location>

    DOESN'T *work*

    apache happily passes requests like
    	
	/examples/WEB-INF/login.jsp 

    through to tomcat which happily serves the results in violation of the
    Servlet spec, section 9.4 page 44 - I quote:

     "No file contained in the WEB-INF directory may be served directly to a
     client"

     Also "Alias" and other commands don't seem to stop apache from blissfully
     passing through every /examples  prefixed request to tomcat.

But change the above line to:

ApJServMount /examples/jsp /examples

   and now only requests prefixed by /examples/jsp go through to tomcat and
   the <Location> stuff starts working!


But you can still forward pages to anywhere in the context as before (even
WEB-INF if you want to). I assume tomcat handles forwarded requests directly
itself with out going through apache (which is *good*). So it's only apache
that is now restricted. You can verify this easily by using the tomcat web
server which will still happily serve out all requests (including
/examples/WEB-INF/ prefixed ones).

   	Andrew