You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by prashant sharma <pa...@gmail.com> on 2016/02/02 19:02:15 UTC

Http 403: access to requested resource denied

Hi,
I am using apache tomcat 7.0.57 and jdk 7 on windows 7.
I have deployed a simple web application inside tomcat webapps folder by
placing the war file directly in webapps.
This is a basic application which exposes an endpoint with put request
method.

When I try to access this endpoint I get 403 access forbidden error.

However If I place war file outside tomcat  and point it by creating
context.xml in conf/Catalina/localhost I am able to access my endpoint.

Can someone pls tell what's wrong with the first approach and why its not
working in that

Regards,
Prashant

07440456543

Re: Http 403: access to requested resource denied

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 2/4/16 6:27 AM, André Warnier (tomcat) wrote:
> On 03.02.2016 22:17, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> André,
>> 
>> On 2/3/16 1:50 PM, André Warnier (tomcat) wrote:
>>> On 03.02.2016 19:07, David kerber wrote:
>>>> On 2/3/2016 12:50 PM, prashant sharma wrote:
>>>>> On 3 Feb 2016 17:42, "David kerber" <dc...@verizon.net> 
>>>>> wrote:
>>>>>> 
>>>>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>>>> 
>>>>>>> On 3 Feb 2016 16:38, "Mark Eggers" 
>>>>>>> <it...@yahoo.com.invalid> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>>>> 
>>>>>>>> Quick note - please post at the bottom or inline.
>>>>>>>> 
>>>>>>>> See item 6 of the Tomcat users mailing list here: 
>>>>>>>> http://tomcat.apache.org/lists.html
>>>>>>>> 
>>>>>>>> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>>>> 
>>>>>>>>> That's true. But we are not doing any authn/authz
>>>>>>>>> in our application. Its just a simple webapp that
>>>>>>>>> exposes 1 endpoint (put method). Any body should be
>>>>>>>>> able to hit that end point.
>>>>>>>>> 
>>>>>>>>> It works fine if I place my war outside tomcat 
>>>>>>>>> installation directory and create a context from 
>>>>>>>>> Catalina/localhost. But if I place my war inside 
>>>>>>>>> webapps then it gives http 403 when I hit my
>>>>>>>>> endpoint.
>>>>>>>>> 
>>>>>>>>> Regards, Prashant
>>>>>>>>> 
>>>>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber" 
>>>>>>>>> <dc...@verizon.net> wrote:
>>>>>>>>> 
>>>>>>>>>> 403 is an authentication/authorization error,
>>>>>>>>>> which means the logged-in user doesn't have
>>>>>>>>>> permissions to the requested resource.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>>>> 
>>>>>>>>>>> Hi, Can someone pls provide any inputs on
>>>>>>>>>>> below. Thanks
>>>>>>>>>>> 
>>>>>>>>>>> Regards, Prashant
>>>>>>>>>>> 
>>>>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant
>>>>>>>>>>> sharma" <pa...@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi,
>>>>>>>>>>>> 
>>>>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on 
>>>>>>>>>>>> windows 7. I have deployed a simple web 
>>>>>>>>>>>> application inside tomcat webapps folder by 
>>>>>>>>>>>> placing the war file directly in webapps.
>>>>>>>>>>>> This is a basic application which exposes an
>>>>>>>>>>>> endpoint with put request method.
>>>>>>>>>>>> 
>>>>>>>>>>>> When I try to access this endpoint I get 403 
>>>>>>>>>>>> access forbidden error.
>>>>>>>>>>>> 
>>>>>>>>>>>> However If I place war file outside tomcat
>>>>>>>>>>>> and point it by creating context.xml in 
>>>>>>>>>>>> conf/Catalina/localhost I am able to access
>>>>>>>>>>>> my endpoint.
>>>>>>>>>>>> 
>>>>>>>>>>>> Can someone pls tell what's wrong with the
>>>>>>>>>>>> first approach and why its not working in
>>>>>>>>>>>> that
>>>>>>>>>>>> 
>>>>>>>>>>>> Regards, Prashant
>>>>>>>>>>>> 
>>>>>>>>>>>> 07440456543
>>>>>>>> 
>>>>>>>> 
>>>>>>>> With your put method, are you trying to write to a
>>>>>>>> file within the web application?
>>>>>>>> 
>>>>>>>> . . . just my two cents
>>>>>>> 
>>>>>>> This put method updates a record in database. The same 
>>>>>>> webapp(endpoint) works when I place war outside
>>>>>>> tomcat.
>>>>>> 
>>>>>> 
>>>>>> Check the permissions on the directories where you are 
>>>>>> placing the .war
>>>>> file. .war file is places under tomcat webapps folder.
>>>> 
>>>> Yes, I know.  You need to check the permissions that are set
>>>> on that directory.
>>>> 
>>> 
>>> If that is really what is happening, maybe some warnings are
>>> in order here : 1) from a security point of view, it does not
>>> seem to me a very good idea to allow a PUT to add (or
>>> overwrite) files in the webapps directory. What if someone uses
>>> this to upload a malicious webapp there ?
>> 
>> Re-read his post: he's not writing to the filesystem. Something
>> else is wrong.
>> 
>>> 2) from a portability point of view, the webapps directory is
>>> not guaranteed to be writeable. It may not even be a
>>> filesystem.
>> 
>> +1, not probably not relevant.
>> 
>>> Maybe there is something more subtle going on here : Have a
>>> look at the HTTP RFC and its description of a PUT : 
>>> https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6 I
>>> am not saying that that /is/ how the actual code works, but in 
>>> function of that description, it seems to me that a webserver
>>> would be entitled to map the given PUT URI into the "URI
>>> space", and from there into the filesystem, and check if that
>>> filesystem location is indeed writeable. In any case, it seems
>>> to me dubious to use a PUT, to update a record in a database. A
>>> POST would probably be more appropriate here.
>> 
>> The only weird thing to me is the fact that this works when the
>> OP deploys the same application in a different way.
>> 
> 
> We do not know the webapp. We do not know the URI to which this is
> being PUT. We don't know what security rules are (or are not)
> implemented at the JVM or container level. We do know that there is
> a PUT handler implemented, because a) it works in one case
> (deployed outside of webapps) b) when it does not work (in
> webapps), the error code returned is not 405 (not implemented), but
> 403 (forbidden) Let's presume that the PUT URI does not change, no
> matter where the webapp is actually deployed. Let's presume that
> the application's security-constraints do not change either.
> 
> I would also suppose that we know that when the example DAV
> application (which handles PUTs) is deployed inside the webapps
> directory, it does not return a 403 for allowed PUT URI's.
> 
> Given the above, I can only imagine that it is the OP's
> application itself, which is returning the 403 in one case. The
> application could be trying to write to another file somewhere,
> and return a 403 when it cannot. To really know why it does, would
> require a knowledge of the application, which we don't have.

My money is on the OP looking at the wrong context.xml file: when it's
deployed in webapps/, Tomcat will use META-INF/context.xml. When it's
deployed elsewhere, it's loading conf/[engine]/[host]/[appname].xml.

I suspect that the file META-INF/context.xml is missing something
important -- such as the "privileged" flag or something like that.
Preshant said nothing about what is handling the PUT (e.g.
DefaultServlet).

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla1FmYACgkQ9CaO5/Lv0PA1ogCgnYpdV5Wf2XrYNZ8d+r9pdOd8
lggAoJVnJy6zJc8FX0waWw5C7FgFWCcG
=f1Bq
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Http 403: access to requested resource denied

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.

On 03.02.2016 22:17, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> André,
>
> On 2/3/16 1:50 PM, André Warnier (tomcat) wrote:
>> On 03.02.2016 19:07, David kerber wrote:
>>> On 2/3/2016 12:50 PM, prashant sharma wrote:
>>>> On 3 Feb 2016 17:42, "David kerber" <dc...@verizon.net>
>>>> wrote:
>>>>>
>>>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>>>
>>>>>> On 3 Feb 2016 16:38, "Mark Eggers"
>>>>>> <it...@yahoo.com.invalid> wrote:
>>>>>>>
>>>>>>>
>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>>>
>>>>>>> Quick note - please post at the bottom or inline.
>>>>>>>
>>>>>>> See item 6 of the Tomcat users mailing list here:
>>>>>>> http://tomcat.apache.org/lists.html
>>>>>>>
>>>>>>> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>>>
>>>>>>>> That's true. But we are not doing any authn/authz in
>>>>>>>> our application. Its just a simple webapp that exposes
>>>>>>>> 1 endpoint (put method). Any body should be able to hit
>>>>>>>> that end point.
>>>>>>>>
>>>>>>>> It works fine if I place my war outside tomcat
>>>>>>>> installation directory and create a context from
>>>>>>>> Catalina/localhost. But if I place my war inside
>>>>>>>> webapps then it gives http 403 when I hit my endpoint.
>>>>>>>>
>>>>>>>> Regards, Prashant
>>>>>>>>
>>>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber"
>>>>>>>> <dc...@verizon.net> wrote:
>>>>>>>>
>>>>>>>>> 403 is an authentication/authorization error, which
>>>>>>>>> means the logged-in user doesn't have permissions to
>>>>>>>>> the requested resource.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>>>
>>>>>>>>>> Hi, Can someone pls provide any inputs on below.
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Regards, Prashant
>>>>>>>>>>
>>>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant sharma"
>>>>>>>>>> <pa...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on
>>>>>>>>>>> windows 7. I have deployed a simple web
>>>>>>>>>>> application inside tomcat webapps folder by
>>>>>>>>>>> placing the war file directly in webapps. This is
>>>>>>>>>>> a basic application which exposes an endpoint
>>>>>>>>>>> with put request method.
>>>>>>>>>>>
>>>>>>>>>>> When I try to access this endpoint I get 403
>>>>>>>>>>> access forbidden error.
>>>>>>>>>>>
>>>>>>>>>>> However If I place war file outside tomcat  and
>>>>>>>>>>> point it by creating context.xml in
>>>>>>>>>>> conf/Catalina/localhost I am able to access my
>>>>>>>>>>> endpoint.
>>>>>>>>>>>
>>>>>>>>>>> Can someone pls tell what's wrong with the first
>>>>>>>>>>> approach and why its not working in that
>>>>>>>>>>>
>>>>>>>>>>> Regards, Prashant
>>>>>>>>>>>
>>>>>>>>>>> 07440456543
>>>>>>>
>>>>>>>
>>>>>>> With your put method, are you trying to write to a file
>>>>>>> within the web application?
>>>>>>>
>>>>>>> . . . just my two cents
>>>>>>
>>>>>> This put method updates a record in database. The same
>>>>>> webapp(endpoint) works when I place war outside tomcat.
>>>>>
>>>>>
>>>>> Check the permissions on the directories where you are
>>>>> placing the .war
>>>> file. .war file is places under tomcat webapps folder.
>>>
>>> Yes, I know.  You need to check the permissions that are set on
>>> that directory.
>>>
>>
>> If that is really what is happening, maybe some warnings are in
>> order here : 1) from a security point of view, it does not seem to
>> me a very good idea to allow a PUT to add (or overwrite) files in
>> the webapps directory. What if someone uses this to upload a
>> malicious webapp there ?
>
> Re-read his post: he's not writing to the filesystem. Something else
> is wrong.
>
>> 2) from a portability point of view, the webapps directory is not
>> guaranteed to be writeable. It may not even be a filesystem.
>
> +1, not probably not relevant.
>
>> Maybe there is something more subtle going on here : Have a look at
>> the HTTP RFC and its description of a PUT :
>> https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6 I am
>> not saying that that /is/ how the actual code works, but in
>> function of that description, it seems to me that a webserver would
>> be entitled to map the given PUT URI into the "URI space", and from
>> there into the filesystem, and check if that filesystem location is
>> indeed writeable. In any case, it seems to me dubious to use a PUT,
>> to update a record in a database. A POST would probably be more
>> appropriate here.
>
> The only weird thing to me is the fact that this works when the OP
> deploys the same application in a different way.
>

We do not know the webapp. We do not know the URI to which this is being PUT.
We don't know what security rules are (or are not) implemented at the JVM or container 
level. We do know that there is a PUT handler implemented, because
a) it works in one case (deployed outside of webapps)
b) when it does not work (in webapps), the error code returned is not 405 (not 
implemented), but 403 (forbidden)
Let's presume that the PUT URI does not change, no matter where the webapp is actually 
deployed. Let's presume that the application's security-constraints do not change either.

I would also suppose that we know that when the example DAV application (which handles 
PUTs) is deployed inside the webapps directory, it does not return a 403 for allowed PUT 
URI's.

Given the above, I can only imagine that it is the OP's application itself, which is 
returning the 403 in one case.
The application could be trying to write to another file somewhere, and return a 403 when 
it cannot. To really know why it does, would require a knowledge of the application, which 
we don't have.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Http 403: access to requested resource denied

Posted by Christopher Schultz <ch...@christopherschultz.net>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 2/3/16 1:50 PM, André Warnier (tomcat) wrote:
> On 03.02.2016 19:07, David kerber wrote:
>> On 2/3/2016 12:50 PM, prashant sharma wrote:
>>> On 3 Feb 2016 17:42, "David kerber" <dc...@verizon.net>
>>> wrote:
>>>> 
>>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>> 
>>>>> On 3 Feb 2016 16:38, "Mark Eggers"
>>>>> <it...@yahoo.com.invalid> wrote:
>>>>>> 
>>>>>> 
>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>> 
>>>>>> Quick note - please post at the bottom or inline.
>>>>>> 
>>>>>> See item 6 of the Tomcat users mailing list here: 
>>>>>> http://tomcat.apache.org/lists.html
>>>>>> 
>>>>>> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>> 
>>>>>>> That's true. But we are not doing any authn/authz in
>>>>>>> our application. Its just a simple webapp that exposes
>>>>>>> 1 endpoint (put method). Any body should be able to hit
>>>>>>> that end point.
>>>>>>> 
>>>>>>> It works fine if I place my war outside tomcat
>>>>>>> installation directory and create a context from
>>>>>>> Catalina/localhost. But if I place my war inside
>>>>>>> webapps then it gives http 403 when I hit my endpoint.
>>>>>>> 
>>>>>>> Regards, Prashant
>>>>>>> 
>>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber" 
>>>>>>> <dc...@verizon.net> wrote:
>>>>>>> 
>>>>>>>> 403 is an authentication/authorization error, which
>>>>>>>> means the logged-in user doesn't have permissions to
>>>>>>>> the requested resource.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>> 
>>>>>>>>> Hi, Can someone pls provide any inputs on below.
>>>>>>>>> Thanks
>>>>>>>>> 
>>>>>>>>> Regards, Prashant
>>>>>>>>> 
>>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant sharma" 
>>>>>>>>> <pa...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi,
>>>>>>>>>> 
>>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on
>>>>>>>>>> windows 7. I have deployed a simple web
>>>>>>>>>> application inside tomcat webapps folder by
>>>>>>>>>> placing the war file directly in webapps. This is
>>>>>>>>>> a basic application which exposes an endpoint
>>>>>>>>>> with put request method.
>>>>>>>>>> 
>>>>>>>>>> When I try to access this endpoint I get 403
>>>>>>>>>> access forbidden error.
>>>>>>>>>> 
>>>>>>>>>> However If I place war file outside tomcat  and
>>>>>>>>>> point it by creating context.xml in
>>>>>>>>>> conf/Catalina/localhost I am able to access my
>>>>>>>>>> endpoint.
>>>>>>>>>> 
>>>>>>>>>> Can someone pls tell what's wrong with the first
>>>>>>>>>> approach and why its not working in that
>>>>>>>>>> 
>>>>>>>>>> Regards, Prashant
>>>>>>>>>> 
>>>>>>>>>> 07440456543
>>>>>> 
>>>>>> 
>>>>>> With your put method, are you trying to write to a file
>>>>>> within the web application?
>>>>>> 
>>>>>> . . . just my two cents
>>>>> 
>>>>> This put method updates a record in database. The same
>>>>> webapp(endpoint) works when I place war outside tomcat.
>>>> 
>>>> 
>>>> Check the permissions on the directories where you are
>>>> placing the .war
>>> file. .war file is places under tomcat webapps folder.
>> 
>> Yes, I know.  You need to check the permissions that are set on
>> that directory.
>> 
> 
> If that is really what is happening, maybe some warnings are in
> order here : 1) from a security point of view, it does not seem to
> me a very good idea to allow a PUT to add (or overwrite) files in
> the webapps directory. What if someone uses this to upload a
> malicious webapp there ?

Re-read his post: he's not writing to the filesystem. Something else
is wrong.

> 2) from a portability point of view, the webapps directory is not 
> guaranteed to be writeable. It may not even be a filesystem.

+1, not probably not relevant.

> Maybe there is something more subtle going on here : Have a look at
> the HTTP RFC and its description of a PUT : 
> https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6 I am
> not saying that that /is/ how the actual code works, but in 
> function of that description, it seems to me that a webserver would
> be entitled to map the given PUT URI into the "URI space", and from
> there into the filesystem, and check if that filesystem location is
> indeed writeable. In any case, it seems to me dubious to use a PUT,
> to update a record in a database. A POST would probably be more
> appropriate here.

The only weird thing to me is the fact that this works when the OP
deploys the same application in a different way.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlaybnoACgkQ9CaO5/Lv0PC7zgCfVMUutIxBe+VHOvEpcAuy8SL7
TykAniJiL4AtfNRwhhO81F3Ts7oYPfyZ
=OYC3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Http 403: access to requested resource denied

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.

On 03.02.2016 19:07, David kerber wrote:
> On 2/3/2016 12:50 PM, prashant sharma wrote:
>> On 3 Feb 2016 17:42, "David kerber" <dc...@verizon.net> wrote:
>>>
>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>
>>>> On 3 Feb 2016 16:38, "Mark Eggers" <it...@yahoo.com.invalid> wrote:
>>>>>
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Quick note - please post at the bottom or inline.
>>>>>
>>>>> See item 6 of the Tomcat users mailing list here:
>>>>> http://tomcat.apache.org/lists.html
>>>>>
>>>>> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>
>>>>>> That's true. But we are not doing any authn/authz in our
>>>>>> application. Its just a simple webapp that exposes 1 endpoint (put
>>>>>> method). Any body should be able to hit that end point.
>>>>>>
>>>>>> It works fine if I place my war outside tomcat installation
>>>>>> directory and create a context from Catalina/localhost. But if I
>>>>>> place my war inside webapps then it gives http 403 when I hit my
>>>>>> endpoint.
>>>>>>
>>>>>> Regards, Prashant
>>>>>>
>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber"
>>>>>> <dc...@verizon.net> wrote:
>>>>>>
>>>>>>> 403 is an authentication/authorization error, which means the
>>>>>>> logged-in user doesn't have permissions to the requested
>>>>>>> resource.
>>>>>>>
>>>>>>>
>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>
>>>>>>>> Hi, Can someone pls provide any inputs on below. Thanks
>>>>>>>>
>>>>>>>> Regards, Prashant
>>>>>>>>
>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant sharma"
>>>>>>>> <pa...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on windows 7. I
>>>>>>>>> have deployed a simple web application inside tomcat webapps
>>>>>>>>> folder by placing the war file directly in webapps. This is a
>>>>>>>>> basic application which exposes an endpoint with put request
>>>>>>>>> method.
>>>>>>>>>
>>>>>>>>> When I try to access this endpoint I get 403 access forbidden
>>>>>>>>> error.
>>>>>>>>>
>>>>>>>>> However If I place war file outside tomcat  and point it by
>>>>>>>>> creating context.xml in conf/Catalina/localhost I am able to
>>>>>>>>> access my endpoint.
>>>>>>>>>
>>>>>>>>> Can someone pls tell what's wrong with the first approach and
>>>>>>>>> why its not working in that
>>>>>>>>>
>>>>>>>>> Regards, Prashant
>>>>>>>>>
>>>>>>>>> 07440456543
>>>>>
>>>>>
>>>>> With your put method, are you trying to write to a file within the web
>>>>> application?
>>>>>
>>>>> . . . just my two cents
>>>>
>>>> This put method updates a record in database.
>>>> The same webapp(endpoint) works when I place war outside tomcat.
>>>
>>>
>>> Check the permissions on the directories where you are placing the .war
>> file.
>> .war file is places under tomcat webapps folder.
>
> Yes, I know.  You need to check the permissions that are set on that directory.
>

If that is really what is happening, maybe some warnings are in order here :
1) from a security point of view, it does not seem to me a very good idea to allow a PUT 
to add (or overwrite) files in the webapps directory. What if someone uses this to upload 
a malicious webapp there ?
2) from a portability point of view, the webapps directory is not guaranteed to be 
writeable. It may not even be a filesystem.

Maybe there is something more subtle going on here :
Have a look at the HTTP RFC and its description of a PUT : 
https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
I am not saying that that /is/ how the actual code works, but in function of that 
description, it seems to me that a webserver would be entitled to map the given PUT URI 
into the "URI space", and from there into the filesystem, and check if that filesystem 
location is indeed writeable.
In any case, it seems to me dubious to use a PUT, to update a record in a database.
A POST would probably be more appropriate here.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Http 403: access to requested resource denied

Posted by Mark Eggers <it...@yahoo.com.INVALID>.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/3/2016 10:16 AM, prashant sharma wrote:
> Regards, Prashant
> 
> 07440456543 On 3 Feb 2016 18:07, "David kerber"
> <dc...@verizon.net> wrote:
>> 
>> On 2/3/2016 12:50 PM, prashant sharma wrote:
>>> 
>>> On 3 Feb 2016 17:42, "David kerber" <dc...@verizon.net>
>>> wrote:
>>>> 
>>>> 
>>>> On 2/3/2016 12:23 PM, prashant sharma wrote:
>>>>> 
>>>>> 
>>>>> On 3 Feb 2016 16:38, "Mark Eggers"
>>>>> <it...@yahoo.com.invalid>
> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
> Quick note - please post at the bottom or inline.
> 
> See item 6 of the Tomcat users mailing list here: 
> http://tomcat.apache.org/lists.html
> 
> On 2/3/2016 8:20 AM, prashant sharma wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> That's true. But we are not doing any authn/authz in
>>>>>>>> our application. Its just a simple webapp that
>>>>>>>> exposes 1 endpoint (put method). Any body should be
>>>>>>>> able to hit that end point.
>>>>>>>> 
>>>>>>>> It works fine if I place my war outside tomcat
>>>>>>>> installation directory and create a context from
>>>>>>>> Catalina/localhost. But if I place my war inside
>>>>>>>> webapps then it gives http 403 when I hit my 
>>>>>>>> endpoint.
>>>>>>>> 
>>>>>>>> Regards, Prashant
>>>>>>>> 
>>>>>>>> 07440456543 On 3 Feb 2016 16:11, "David kerber" 
>>>>>>>> <dc...@verizon.net> wrote:
>>>>>>>> 
>>>>>>>>> 403 is an authentication/authorization error, which
>>>>>>>>> means the logged-in user doesn't have permissions
>>>>>>>>> to the requested resource.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 2/3/2016 11:05 AM, prashant sharma wrote:
>>>>>>>>> 
>>>>>>>>>> Hi, Can someone pls provide any inputs on below.
>>>>>>>>>> Thanks
>>>>>>>>>> 
>>>>>>>>>> Regards, Prashant
>>>>>>>>>> 
>>>>>>>>>> 07440456543 On 2 Feb 2016 18:02, "prashant
>>>>>>>>>> sharma" <pa...@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi,
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> I am using apache tomcat 7.0.57 and jdk 7 on
>>>>>>>>>>> windows 7. I have deployed a simple web
>>>>>>>>>>> application inside tomcat webapps folder by
>>>>>>>>>>> placing the war file directly in webapps. This
>>>>>>>>>>> is a basic application which exposes an
>>>>>>>>>>> endpoint with put request method.
>>>>>>>>>>> 
>>>>>>>>>>> When I try to access this endpoint I get 403
>>>>>>>>>>> access forbidden error.
>>>>>>>>>>> 
>>>>>>>>>>> However If I place war file outside tomcat  and
>>>>>>>>>>> point it by creating context.xml in
>>>>>>>>>>> conf/Catalina/localhost I am able to access my
>>>>>>>>>>> endpoint.
>>>>>>>>>>> 
>>>>>>>>>>> Can someone pls tell what's wrong with the
>>>>>>>>>>> first approach and why its not working in that
>>>>>>>>>>> 
>>>>>>>>>>> Regards, Prashant
>>>>>>>>>>> 
>>>>>>>>>>> 07440456543
> 
> 
> 
> With your put method, are you trying to write to a file within the
> web application?
> 
> . . . just my two cents
>>>>>> 
>>>>>> 
>>>>>> This put method updates a record in database. The same
>>>>>> webapp(endpoint) works when I place war outside tomcat.
>>>>> 
>>>>> 
>>>>> 
>>>>> Check the permissions on the directories where you are
>>>>> placing the .war
>>>> 
>>>> file. .war file is places under tomcat webapps folder.
>>> 
>>> 
>>> Yes, I know.  You need to check the permissions that are set on
>>> that
>> directory.
>>> 
>> There are no special permissions for that directory. Its on my
>> local machine (localhost).
>>> 
>>> 
>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
> /mde/

Where is Tomcat installed, and what are the Windows permissions of
that directory (and those under it)?

If you've installed this in C:\Programs Files\ on Windows 7, then
there are possibly some permissions issues.

When it works, where do you place the WAR file (directory / permissions)
?

A 403 still doesn't make much sense to me in a scenario where you
don't have directory permissions, but that's the only issue that
stands out at the moment.

Before writing to a database, does the application write anything to a
file? For example, are you writing a temporary upload to a spot within
your application before putting the final information into your database
?

I write Jersey REST applications on my local machine all of the time
and have no issues. However:

1. I run Tomcat from within my home directory - mostly via NetBeans
2. I don't write any intermediate values into the web application

AJAX -> JSON -> REST PUT -> Database (MySQL) all work fine on my local
machine as well as within my local network.

. . . just my puzzled 2 cents
/mde/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJWski/AAoJEEFGbsYNeTwtIMEIAJaSLOUxjbpBMlDie2fJYllY
s63Lemw+kFjtyqW3uMnQyZA2tNlnTGWfVMlhDtIb9hLAWxt75s2SlAwjH8hFIBuR
xJvD7oz/H2ZKrG0TsA80zy3T+H5DznhHgJ4Z/GaLZd0Da9dPpyVpnjiUVAIY1wwt
LpGk6mUEbhQsYdi9CoI08TKqsj1WXlMU3JTt9Zqwk1jaXfL0Ha2gUNgppACdzXYs
SQuwsPTkgH+3Z7i12hNydM1tWY3M6E9oe2xlAkgcOzEQwLz3DMOHSVUcaVLQgkHF
AqxB56WNhnGBb1hNKUx29JPKtDlQqvVCM0b5fWeHdEHBnz6TyZXNgyuVF9eDp1M=
=hfCB
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org