Posted to users@tomcat.apache.org by Andrew Worsley <ep...@asac.ericsson.se> on 2000/05/11 04:10:16 UTC
How to forward to hidden / restricted web pages in apache/tomcat
I finally stumbled on a method that works! To help anyone else who is
stumbling around in this area I describe my solution.

I use the poorly documented

    ApJServMount <url> <context>

command to hide the other paths in the context from apache.

To summarise:

    ApJServMount /examples /examples
    <Location /examples/WEB-INF/ >
    AllowOverride None
    deny from all
    </Location>

DOESN'T *work*
apache happily passes requests like
/examples/WEB-INF/login.jsp
through to tomcat which happily serves the results in violation of the
Servlet spec, section 9.4 page 44 - I quote:
"No file contained in the WEB-INF directory may be served directly to a
client"
Also "Alias" and other commands don't seem to stop apache from blissfully
passing through every /examples prefixed request to tomcat.

But change the above line to:

    ApJServMount /examples/jsp /examples

and now only requests prefixed by /examples/jsp go through to tomcat and
the <Location> stuff starts working!

But you can still forward pages to anywhere in the context as before (even
WEB-INF if you want to). I assume tomcat handles forwarded requests directly
itself without going through apache (which is *good*). So it's only apache
that is now restricted. You can verify this easily by using the tomcat web
server which will still happily serve out all requests (including
/examples/WEB-INF/ prefixed ones).
Andrew
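
An added example, not part of the original post: a small Python check that reads an Apache config fragment and flags any ApJServMount whose URL prefix covers the context's WEB-INF directory, which is the situation the post describes. The sample configs are constructed from the post's two variants; the function names, and the assumptions that the request path reaches tomcat unchanged and that mounts match on whole path segments, belong to this example.

```python
import re

# Constructed samples: the two mount variants described in the post.
BROAD = """\
ApJServMount /examples /examples
<Location /examples/WEB-INF/ >
AllowOverride None
deny from all
</Location>
"""
NARROW = BROAD.replace("ApJServMount /examples /examples",
                       "ApJServMount /examples/jsp /examples")

# Apache directive names are case-insensitive.
MOUNT_RE = re.compile(r"^\s*ApJServMount\s+(\S+)\s+(\S+)", re.IGNORECASE)


def segments(path):
    """Split a URL path into its non-empty segments."""
    return [s for s in path.split("/") if s]


def covers(mount_url, target):
    """True if requests under `target` also fall under `mount_url`.

    Assumption: matching is by whole segments, so /examples/jsp
    does not cover /examples/jspx.
    """
    m, t = segments(mount_url), segments(target)
    return t[:len(m)] == m


def audit(config_text):
    """Return (line number, mount URL, exposed path) for every mount that
    would hand <context>/WEB-INF/ requests to the servlet engine."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = MOUNT_RE.match(line)
        if not match:
            continue
        mount_url, context = match.groups()
        web_inf = context.rstrip("/") + "/WEB-INF/"
        if covers(mount_url, web_inf):
            findings.append((lineno, mount_url, web_inf))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit(cfg) or "WEB-INF not reachable through the mount")
```

A clean result only says apache will not pass WEB-INF requests on; as the post notes, tomcat's own web server still answers them directly.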