Posted to users@tomcat.apache.org by Adrián Córdoba <ad...@gmail.com> on 2011/07/21 18:25:08 UTC

Tomcat behind Apache and security-constraint

Hi!
I have a very simple web application (JSP based), deployed in the Tomcat
webapps directory with a security constraint in order to protect an internal
directory. Tomcat (7.0.12) is running behind the Apache (2.2.17) web server
(httpd).

If I try to access some file within the internal directory directly in
Tomcat (*http://localhost:8080/...*), username and password are required,
and I can reach the file (if username and password are right). That's
right!

But *if I try to access the same file within the internal directory through
the Apache web server* (*http://localhost/...*), username and password are
required, but *a blank page is displayed in the Firefox navigator*.
(If I delete the security constraint, the web application works fine.)

Do you have any idea?

I searched Google for a solution to this problem, but found nothing.

Thank you, in advance.
--
[Adrián Córdoba]

RE: Tomcat behind Apache and security-constraint

Posted by "Propes, Barry L " <ba...@citi.com>.
Sounds like Tomcat is running at port 8080 and not port 80?

You don't show 8080 in your second Firefox "navigator" example. I've not heard of FF Navigator for the record, but I guess it's a flavor of their browsers or a euphemism for it.


-----Original Message-----
From: Adrián Córdoba [mailto:adr.cordoba@gmail.com]
Sent: Thursday, July 21, 2011 11:25 AM
To: users@tomcat.apache.org
Subject: Tomcat behind Apache and security-constraint

Hi!

If I try to access some file within the internal directory directly in Tomcat (*http://localhost:8080/...*), username and password are required, and I can reach the file (if username and password are right). That's right!

But *if I try to access the same file within the internal directory through the Apache web server* (*http://localhost/...*), username and password are required, but *a blank page is displayed in the Firefox navigator*.
(If I delete the security constraint, the web application works fine.)

Do you have any idea?

--
[Adrián Córdoba]

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat behind Apache and security-constraint

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adrián,

On 7/21/2011 4:09 PM, Adrián Córdoba wrote:
> So, how to serve dynamic content with Tomcat and static one with
> Apache, all in the same web application, in secure way? Can you show
> me that or tell me a link to learn it?

At least three ways:

1. Separate your static content from your webapp and deploy it
   separately into your DocumentRoot.
   (FWIW, I don't like this strategy because it's unnatural for me.
    Better to keep everything together)

2. Copy static content out of your webapp into some other directory
   you use as your DocumentRoot. Do this at build-time. This is
   probably the way to go.

3. Use DocumentRoot = appbase, but make sure you protect things
   correctly in your Apache httpd configuration. Use restrictions like
   <Location> and <Directory> with "Order deny,allow", "Deny from all".
   (This is actually what I do, but you have to be very careful how you
   protect things. Be creative and think like an evildoer.)

You specifically asked how to hook up httpd and Tomcat together, but
here's another option:

4. Dump httpd altogether. Unless you need it for other things, it's
   just complicating your configuration.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4oigMACgkQ9CaO5/Lv0PAFCgCcCdevRHGToiakS7rgT8o9C3tt
pZUAn3FIFoXdSJ1uL+jdv5sKYYdm1eLL
=/uJC
-----END PGP SIGNATURE-----



Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Thank you, Chris... I appreciate your tips.
So, how to serve dynamic content with Tomcat and static content with Apache,
all in the same web application, in a secure way? Can you show me that or
tell me a link to learn it?
Now, users and passwords are in the tomcat-users.xml file.
When I get home, I'll try some tests in order to prove who is serving the
content. I will add or remove dynamic content in the pages. (Maybe some
pages don't have dynamic content.)
Sorry.

Thank you, again.
--
[Adrián Córdoba]



2011/7/21 Christopher Schultz <ch...@christopherschultz.net>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Adrián,
>
> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
> > Thank you, André. I know this "Warning", but I want to serve static
> > content with Apache web server and dynamic content with Tomcat.
>
> You can still do that without setting the DocumentRoot to your appbase.
>
> Try this:
>
> GET http://localhost/Andromeda/META-INF/context.xml
>
> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
> - - it's really hard to understand what your appbase really is).
>
> If you have a container-managed db connection pool, you are more than
> likely to have your database username and password in that file, which
> is now publicly accessible via HTTP. Pwned.
>
> > (The web application contains only links to other pages in the same
> > application. It is a test application to learn.)
>
> You should learn to do things properly. I'm not trying to be nasty, but
> you should try to get in the habit of doing things securely even when
> they are toys. That way you won't forget to do it when it really matters.
>
> > In those conditions, with those settings, if an user enters
> > http://localhost/Andromeda, he gets the "*index.jsp*" page in the
> > WebContent directory.
>
> That's surprising, given your configuration.
>
> > So, I think Tomcat is serving that content.
>
> Yes, if the tags are being evaluated and you're not just getting the
> source code.
>
> > Do you think Apache is serving "index.jsp" file content?
>
> Can't tell, you didn't show us any of that.
>
> > Anyway, I will try removing the trailing "/".
>
> If that points to a directory, both Apache and Tomcat will perform a
> redirect and add the "/" so it probably doesn't matter.
>
> > (I know the security issues, but I'm using this application in my
> > local network in order to learn only.)
>
> See above.
>
> - -chris
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk4ogdgACgkQ9CaO5/Lv0PC48wCeO5dHc6XWZT7LjGZqrcETbN3Q
> JuEAn02R6OeNCfjLoAoOMdPXFqr7miAI
> =TxOq
> -----END PGP SIGNATURE-----
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Ok.
Thank you.
--
[Adrián Córdoba]



2011/7/22 André Warnier <aw...@ice-sa.com>

> Adrián Córdoba wrote:
>
>> André:
>>  This is in my URL bar of Chrome or Firefox:
>>      http://localhost/Andromeda
>>
>>  Ok. That, *and* the fact that you have a single VirtualHost, explains why
> it works, and explains the log entries.
> But it works *only* because you have a single VirtualHost, and in Apache
> the first listed VirtualHost is the default host, despite the fact that you
> have the line
> ServerName ASIA
> (In Tomcat it is different, and the default Host is explicitly indicated)
>
> Now again, did you install the recommended plugin into Firefox, and did you
> examine the requests/responses which lead to your blank page ?
>
> Also again :
> - because in your particular setup this is not impossible
> and
> - because we (contrary to you) do not see the content of your pages
>
> we cannot be sure that the browser request which returns the blank page
> really comes back from Tomcat, through Apache.
>
> So you must examine, step by step, what happens in the browser/server
> dialog.
> And the best/easiest way to do that in this case is with such a browser
> plugin.
>
> The rest is a waste of time for everyone, you included.
>
>
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Adrián Córdoba wrote:
> André:
>   This is in my URL bar of Chrome or Firefox:
>       http://localhost/Andromeda
> 
Ok. That, *and* the fact that you have a single VirtualHost, explains why it works, and 
explains the log entries.
But it works *only* because you have a single VirtualHost, and in Apache the first listed 
VirtualHost is the default host, despite the fact that you have the line
ServerName ASIA
(In Tomcat it is different, and the default Host is explicitly indicated)

Now again, did you install the recommended plugin into Firefox, and did you examine the 
requests/responses which lead to your blank page ?

Also again :
- because in your particular setup this is not impossible
and
- because we (contrary to you) do not see the content of your pages

we cannot be sure that the browser request which returns the blank page really comes back 
from Tomcat, through Apache.

So you must examine, step by step, what happens in the browser/server dialog.
And the best/easiest way to do that in this case is with such a browser plugin.

The rest is a waste of time for everyone, you included.




Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
André:
  This is in my URL bar of Chrome or Firefox:
      http://localhost/Andromeda

  Thank you.
--
[Adrián Córdoba]



2011/7/22 André Warnier <aw...@ice-sa.com>

> Adrián Córdoba wrote:
>
>> André:
>> 1- So how come the requests are made to the host "localhost" ?
>>  I think this is so, because <VirtualHost *:80>.
>> 2- Is this the one and only VirtualHost in Apache ?
>>  This is the only virtual host.
>>
>
> How do you enter a URL in the browser, to access this ?
> (paste an example)
>
>
>
>> Best regards
>> --
>> [Adrián Córdoba]
>>
>>
>>
>> 2011/7/22 André Warnier <aw...@ice-sa.com>
>>
>>  Adrián Córdoba wrote:
>>>
>>>  Well...
>>>> 1- I delete the "Directory" section from httpd.conf file.
>>>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>>>> 3- I add dynamic content to index.jsp page
>>>> So I proved the content is served by Tomcat. But I have the same
>>>> problem:
>>>> I
>>>> cannot view the content of protected section of my web application
>>>> through
>>>> Apache web server.
>>>>
>>>> If I access directly to Tomcat (skipping httpd), I can see the protected
>>>> content.
>>>>
>>>>
>>>>  Ok, so what does that tell us ?
>>> - that the webapp in Tomcat seems to work as it should
>>> - that at least some requests going through Apache are being forwarded to
>>> Tomcat
>>> - but obviously, that at least one response page is different, at the
>>> browser level, when it is coming back (or not) through Apache, than when
>>> it
>>> is coming back directly from Tomcat
>>>
>>> So we must find out what the difference is.
>>> And the easiest way to find that out - at least at the first level - is a
>>> plugin added to the browser, which would show the real content of that
>>> response which appears as a blank page.
>>> Do it.
>>>
>>> Incidentally, the logfile below does not show any error.
>>> But it shows only the requests made to Apache httpd.
>>> It would not, for example, show us if the browser, for whatever reason,
>>> decided to send a request to www.google.com, and got a blank page in
>>> response.
>>> But the browser plugin would show you that.
>>>
>>>
>>> Now wait a minute..
>>> The logfile below shows requests made to "localhost".
>>> But if I remember correctly, this was a VirtualHost, with "ASIA" as
>>> ServerName.
>>> So how come the requests are made to the host "localhost" ?
>>> Is this the one and only VirtualHost in Apache ?
>>>
>>>  Access log in httpd is:
>>>
>>>> ----------------------------------------------------------
>>>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>>> "-"
>>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>>> Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>>> "-"
>>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>>> Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
>>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>>> i686)
>>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>>> "-"
>>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>>> Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
>>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>>> i686)
>>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
>>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11;
>>>> Linux
>>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
>>>> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-"
>>>> "Mozilla/5.0
>>>> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>>> Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
>>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11;
>>>> Linux
>>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>>> "-"
>>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>>> Chrome/12.0.742.124 Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
>>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>>> i686)
>>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
>>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11;
>>>> Linux
>>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>>> Safari/534.30"
>>>> ----------------------------------------------------------
>>>>
>>>> Thank you, very much.
>>>> --
>>>> [Adrián Córdoba]
>>>>
>>>>
>>>>
>>>> 2011/7/21 André Warnier <aw...@ice-sa.com>
>>>>
>>>>  Christopher Schultz wrote:
>>>>
>>>>>  -----BEGIN PGP SIGNED MESSAGE-----
>>>>>
>>>>>> Hash: SHA1
>>>>>>
>>>>>> Adrián,
>>>>>>
>>>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>>>
>>>>>>  Thank you, André. I know this "Warning", but I want to serve static
>>>>>>
>>>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>>>
>>>>>>>  You can still do that without setting the DocumentRoot to your
>>>>>>>
>>>>>> appbase.
>>>>>>
>>>>>> Try this:
>>>>>>
>>>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>>>
>>>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>>> - - it's really hard to understand what your appbase really is).
>>>>>>
>>>>>> If you have a container-managed db connection pool, you are more than
>>>>>> likely to have your database username and password in that file, which
>>>>>> is now publicly accessible via HTTP. Pwned.
>>>>>>
>>>>>>  (The web application contains only links to other pages in the same
>>>>>>
>>>>>>  application. It is a test application to learn.)
>>>>>>>
>>>>>>>  You should learn to do things properly. I'm not trying to be nasty,
>>>>>>>
>>>>>> but
>>>>>> you should try to get in the habit of doing things securely even when
>>>>>> they are toys. That way you won't forget to do it when it really
>>>>>> matters.
>>>>>>
>>>>>>  +1
>>>>>>
>>>>> In addition, the way you have things set up, it is really difficult to
>>>>> help, because we cannot be sure of which server is serving what.
>>>>>
>>>>>
>>>>>
>>>>>  In those conditions, with those settings, if an user enters
>>>>>
>>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>>>> WebContent directory.
>>>>>>>
>>>>>>>  That's surprising, given your configuration.
>>>>>>>
>>>>>>  So, I think Tomcat is serving that content.
>>>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>>>> source code.
>>>>>>
>>>>>>  Do you think Apache is serving "index.jsp" file content?
>>>>>> Can't tell, you didn't show us any of that.
>>>>>>
>>>>>>  +1
>>>>>>
>>>>> In addition again, it may be serving /that/ file, but what about any
>>>>> links
>>>>> maybe *contained* in that file.  Perhaps there are none, but perhaps
>>>>> also
>>>>> there is a link inside (to an image, or an iframe e.g.) which ends up
>>>>> being
>>>>> served by Apache, and which is the reason for the blank page.
>>>>>
>>>>> The main point again : it is *possible* to configure things the way you
>>>>> have done, and to nevertheless avoid security holes and other issues.
>>>>>  But
>>>>> it is *hard*, and any mistake can compromise your server, or lead to
>>>>> errors
>>>>> difficult to debug.
>>>>> (For example, you also allow Symlinks, which may confuse things yet a
>>>>> bit
>>>>> more).
>>>>>
>>>>> You should give Apache a different DocumentRoot, not your Tomcat
>>>>> webapps
>>>>> directory.
>>>>> (And maybe put some single html page in it, which should never be
>>>>> appear,
>>>>> and if it does you will know something is wrong).
>>>>>
>>>>> Then you should use both
>>>>> JkMount /Andromeda worker1
>>>>> JkMount /Andromeda/* worker1
>>>>> (because they do not overlap)
>>>>>
>>>>> Then, later, if you want Apache to be serving something directly
>>>>> instead
>>>>> of
>>>>> forwarding it to Tomcat, you should look up the JkUnMount directive,
>>>>> and
>>>>> do
>>>>> it selectively.
>>>>> Or use something like
>>>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>>>
>>>>> Or you could look at an alternative way to specify what needs to be
>>>>> forwarded, which I personally find more flexible and more Apache-like
>>>>> than
>>>>> JkMount/unMount :
>>>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>>>
>>>>> The section "Using SetHandler and Environment Variables"
>>>>>
>>>>> Now, if you really want to know what is serving what (and learn other
>>>>> interesting things besides about HTTP) install a browser plugin like
>>>>> HttpFox
>>>>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>>>>> contents of each packet sent by the browser to the server, and from the
>>>>> server to the browser, including the HTTP headers and all.
>>>>>
>>>>> The mod_jk logging is also a tool, but it will only show the traffic
>>>>> between Apache and Tomcat, not what Apache serves directly.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  ------------------------------****----------------------------**
>>> --**---------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apa**che.org<http://apache.org>
>>> <us...@tomcat.apache.org>
>>> >
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Adrián Córdoba wrote:
> André:
> 1- So how come the requests are made to the host "localhost" ?
>   I think this is so, because <VirtualHost *:80>.
> 2- Is this the one and only VirtualHost in Apache ?
>   This is the only virtual host.

How do you enter a URL in the browser, to access this ?
(paste an example)


> 
> Best regards
> --
> [Adrián Córdoba]
> 
> 
> 
> 2011/7/22 André Warnier <aw...@ice-sa.com>
> 
>> Adrián Córdoba wrote:
>>
>>> Well...
>>> 1- I delete the "Directory" section from httpd.conf file.
>>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>>> 3- I add dynamic content to index.jsp page
>>> So I proved the content is served by Tomcat. But I have the same problem:
>>> I
>>> cannot view the content of protected section of my web application through
>>> Apache web server.
>>>
>>> If I access directly to Tomcat (skipping httpd), I can see the protected
>>> content.
>>>
>>>
>> Ok, so what does that tell us ?
>> - that the webapp in Tomcat seems to work as it should
>> - that at least some requests going through Apache are being forwarded to
>> Tomcat
>> - but obviously, that at least one response page is different, at the
>> browser level, when it is coming back (or not) through Apache, than when it
>> is coming back directly from Tomcat
>>
>> So we must find out what the difference is.
>> And the easiest way to find that out - at least at the first level - is a
>> plugin added to the browser, which would show the real content of that
>> response which appears as a blank page.
>> Do it.
>>
>> Incidentally, the logfile below does not show any error.
>> But it shows only the requests made to Apache httpd.
>> It would not, for example, show us if the browser, for whatever reason,
>> decided to send a request to www.google.com, and got a blank page in
>> response.
>> But the browser plugin would show you that.
>>
>>
>> Now wait a minute..
>> The logfile below shows requests made to "localhost".
>> But if I remember correctly, this was a VirtualHost, with "ASIA" as
>> ServerName.
>> So how come the requests are made to the host "localhost" ?
>> Is this the one and only VirtualHost in Apache ?
>>
>>  Access log in httpd is:
>>> ----------------------------------------------------------
>>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>> "-"
>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>> Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>> "-"
>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>> Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686)
>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>> "-"
>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>> Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686)
>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>> Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
>>> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
>>> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>> Chrome/12.0.742.124
>>> Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>> Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>>> "-"
>>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>>> Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
>>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686)
>>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
>>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>>> Safari/534.30"
>>> ----------------------------------------------------------
>>>
>>> Thank you, very much.
>>> --
>>> [Adrián Córdoba]
>>>
>>>
>>>
>>> 2011/7/21 André Warnier <aw...@ice-sa.com>
>>>
>>>  Christopher Schultz wrote:
>>>>  -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Adrián,
>>>>>
>>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>>
>>>>>  Thank you, André. I know this "Warning", but I want to serve static
>>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>>
>>>>>>  You can still do that without setting the DocumentRoot to your
>>>>> appbase.
>>>>>
>>>>> Try this:
>>>>>
>>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>>
>>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>> - - it's really hard to understand what your appbase really is).
>>>>>
>>>>> If you have a container-managed db connection pool, you are more than
>>>>> likely to have your database username and password in that file, which
>>>>> is now publicly accessible via HTTP. Pwned.
>>>>>
>>>>>  (The web application contains only links to other pages in the same
>>>>>
>>>>>> application. It is a test application to learn.)
>>>>>>
>>>>>>  You should learn to do things properly. I'm not trying to be nasty,
>>>>> but
>>>>> you should try to get in the habit of doing things securely even when
>>>>> they are toys. That way you won't forget to do it when it really
>>>>> matters.
>>>>>
>>>>>  +1
>>>> In addition, the way you have things set up, it is really difficult to
>>>> help, because we cannot be sure of which server is serving what.
>>>>
>>>>
>>>>
>>>>   In those conditions, with those settings, if an user enters
>>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>>> WebContent directory.
>>>>>>
>>>>>>  That's surprising, given your configuration.
>>>>>  So, I think Tomcat is serving that content.
>>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>>> source code.
>>>>>
>>>>>  Do you think Apache is serving "index.jsp" file content?
>>>>> Can't tell, you didn't show us any of that.
>>>>>
>>>>>  +1
>>>> In addition again, it may be serving /that/ file, but what about any
>>>> links
>>>> maybe *contained* in that file.  Perhaps there are none, but perhaps also
>>>> there is a link inside (to an image, or an iframe e.g.) which ends up
>>>> being
>>>> served by Apache, and which is the reason for the blank page.
>>>>
>>>> The main point again : it is *possible* to configure things the way you
>>>> have done, and to nevertheless avoid security holes and other issues.
>>>>  But
>>>> it is *hard*, and any mistake can compromise your server, or lead to
>>>> errors
>>>> difficult to debug.
>>>> (For example, you also allow Symlinks, which may confuse things yet a bit
>>>> more).
>>>>
>>>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>>>> directory.
>>>> (And maybe put some single html page in it, which should never be appear,
>>>> and if it does you will know something is wrong).
>>>>
>>>> Then you should use both
>>>> JkMount /Andromeda worker1
>>>> JkMount /Andromeda/* worker1
>>>> (because they do not overlap)
>>>>
>>>> Then, later, if you want Apache to be serving something directly instead
>>>> of
>>>> forwarding it to Tomcat, you should look up the JkUnMount directive, and
>>>> do
>>>> it selectively.
>>>> Or use something like
>>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>>
>>>> Or you could look at an alternative way to specify what needs to be
>>>> forwarded, which I personally find more flexible and more Apache-like
>>>> than
>>>> JkMount/unMount :
>>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>> The section "Using SetHandler and Environment Variables"
>>>>
>>>> Now, if you really want to know what is serving what (and learn other
>>>> interesting things besides about HTTP) install a browser plugin like
>>>> HttpFox
>>>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>>>> contents of each packet sent by the browser to the server, and from the
>>>> server to the browser, including the HTTP headers and all.
>>>>
>>>> The mod_jk logging is also a tool, but it will only show the traffic
>>>> between Apache and Tomcat, not what Apache serves directly.
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>>
> 




Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
André:
1- So how come the requests are made to the host "localhost" ?
  I think this is so, because <VirtualHost *:80>.
2- Is this the one and only VirtualHost in Apache ?
  This is the only virtual host.

Best regards
--
[Adrián Córdoba]



2011/7/22 André Warnier <aw...@ice-sa.com>

> Adrián Córdoba wrote:
>
>> Well...
>> 1- I delete the "Directory" section from httpd.conf file.
>> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
>> 3- I add dynamic content to index.jsp page
>> So I proved the content is served by Tomcat. But I have the same problem:
>> I
>> cannot view the content of protected section of my web application through
>> Apache web server.
>>
>> If I access directly to Tomcat (skipping httpd), I can see the protected
>> content.
>>
>>
> Ok, so what does that tell us ?
> - that the webapp in Tomcat seems to work as it should
> - that at least some requests going through Apache are being forwarded to
> Tomcat
> - but obviously, that at least one response page is different, at the
> browser level, when it is coming back (or not) through Apache, than when it
> is coming back directly from Tomcat
>
> So we must find out what the difference is.
> And the easiest way to find that out - at least at the first level - is a
> plugin added to the browser, which would show the real content of that
> response which appears as a blank page.
> Do it.
>
> Incidentally, the logfile below does not show any error.
> But it shows only the requests made to Apache httpd.
> It would not, for example, show us if the browser, for whatever reason,
> decided to send a request to www.google.com, and got a blank page in
> response.
> But the browser plugin would show you that.
>
>
> Now wait a minute..
> The logfile below shows requests made to "localhost".
> But if I remember correctly, this was a VirtualHost, with "ASIA" as
> ServerName.
> So how come the requests are made to the host "localhost" ?
> Is this the one and only VirtualHost in Apache ?
>
>  Access log in httpd is:
>> ------------------------------------------------------
>> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>> "-"
>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>> Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>> "-"
>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>> Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686)
>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>> "-"
>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>> Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686)
>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>> Safari/534.30"
>> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
>> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
>> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>> Chrome/12.0.742.124
>> Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>> Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669
>> "-"
>> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
>> Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
>> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686)
>> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
>> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
>> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
>> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
>> Safari/534.30"
>> ------------------------------------------------------
>>
>> Thank you, very much.
>> --
>> [Adrián Córdoba]
>>
>>
>>
>> 2011/7/21 André Warnier <aw...@ice-sa.com>
>>
>>  Christopher Schultz wrote:
>>>
>>>  -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Adrián,
>>>>
>>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>>
>>>>  Thank you, André. I know this "Warning", but I want to serve static
>>>>> content with Apache web server and dynamic content with Tomcat.
>>>>>
>>>>>  You can still do that without setting the DocumentRoot to your
>>>> appbase.
>>>>
>>>> Try this:
>>>>
>>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>>
>>>>
>>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>>>
>>>> - - it's really hard to understand what your appbase really is).
>>>>
>>>> If you have a container-managed db connection pool, you are more than
>>>> likely to have your database username and password in that file, which
>>>> is now publicly accessible via HTTP. Pwned.
>>>>
>>>>  (The web application contains only links to other pages in the same
>>>>
>>>>> application. It is a test application to learn.)
>>>>>
>>>>>  You should learn to do things properly. I'm not trying to be nasty,
>>>> but
>>>> you should try to get in the habit of doing things securely even when
>>>> they are toys. That way you won't forget to do it when it really
>>>> matters.
>>>>
>>>>  +1
>>> In addition, the way you have things set up, it is really difficult to
>>> help, because we cannot be sure of which server is serving what.
>>>
>>>
>>>
>>>   In those conditions, with those settings, if a user enters
>>>>
>>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>>> WebContent directory.
>>>>>
>>>>>  That's surprising, given your configuration.
>>>>
>>>>  So, I think Tomcat is serving that content.
>>>> Yes, if the tags are being evaluated and you're not just getting the
>>>> source code.
>>>>
>>>>  Do you think Apache is serving "index.jsp" file content?
>>>> Can't tell, you didn't show us any of that.
>>>>
>>>>  +1
>>> In addition again, it may be serving /that/ file, but what about any
>>> links
>>> maybe *contained* in that file.  Perhaps there are none, but perhaps also
>>> there is a link inside (to an image, or an iframe e.g.) which ends up
>>> being
>>> served by Apache, and which is the reason for the blank page.
>>>
>>> The main point again : it is *possible* to configure things the way you
>>> have done, and to nevertheless avoid security holes and other issues.
>>>  But
>>> it is *hard*, and any mistake can compromise your server, or lead to
>>> errors
>>> difficult to debug.
>>> (For example, you also allow Symlinks, which may confuse things yet a bit
>>> more).
>>>
>>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>>> directory.
>>> (And maybe put some single html page in it, which should never appear,
>>> and if it does you will know something is wrong).
>>>
>>> Then you should use both
>>> JkMount /Andromeda worker1
>>> JkMount /Andromeda/* worker1
>>> (because they do not overlap)
>>>
>>> Then, later, if you want Apache to be serving something directly instead
>>> of
>>> forwarding it to Tomcat, you should look up the JkUnMount directive, and
>>> do
>>> it selectively.
>>> Or use something like
>>> SetEnvIf Request_URI "\.jpg$" no-jk
>>>
>>> Or you could look at an alternative way to specify what needs to be
>>> forwarded, which I personally find more flexible and more Apache-like
>>> than
>>> JkMount/unMount :
>>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>>>
>>> The section "Using SetHandler and Environment Variables"
>>>
>>> Now, if you really want to know what is serving what (and learn other
>>> interesting things besides about HTTP) install a browser plugin like
>>> HttpFox
>>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>>> contents of each packet sent by the browser to the server, and from the
>>> server to the browser, including the HTTP headers and all.
>>>
>>> The mod_jk logging is also a tool, but it will only show the traffic
>>> between Apache and Tomcat, not what Apache serves directly.
>>>
>>>
>>>
>>>
>>>
>>
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Adrián Córdoba wrote:
> Well...
> 1- I delete the "Directory" section from httpd.conf file.
> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
> 3- I add dynamic content to index.jsp page
> So I proved the content is served by Tomcat. But I have the same problem: I
> cannot view the content of protected section of my web application through
> Apache web server.
> 
> If I access directly to Tomcat (skipping httpd), I can see the protected
> content.
> 

Ok, so what does that tell us ?
- that the webapp in Tomcat seems to work as it should
- that at least some requests going through Apache are being forwarded to Tomcat
- but obviously, that at least one response page is different, at the browser level, when 
it is coming back (or not) through Apache, than when it is coming back directly from Tomcat

So we must find out what the difference is.
And the easiest way to find that out - at least at the first level - is a plugin added to 
the browser, which would show the real content of that response which appears as a blank page.
Do it.

Incidentally, the logfile below does not show any error.
But it shows only the requests made to Apache httpd.
It would not, for example, show us if the browser, for whatever reason, decided to send a 
request to www.google.com, and got a blank page in response.
But the browser plugin would show you that.


Now wait a minute..
The logfile below shows requests made to "localhost".
But if I remember correctly, this was a VirtualHost, with "ASIA" as ServerName.
So how come the requests are made to the host "localhost" ?
Is this the one and only VirtualHost in Apache ?

> Access log in httpd is:
> ------------------------------------------------------
> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ------------------------------------------------------
> 
> Thank you, very much.
> --
> [Adrián Córdoba]
> 
> 
> 
> 2011/7/21 André Warnier <aw...@ice-sa.com>
> 
>> Christopher Schultz wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Adrián,
>>>
>>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>>
>>>> Thank you, André. I know this "Warning", but I want to serve static
>>>> content with Apache web server and dynamic content with Tomcat.
>>>>
>>> You can still do that without setting the DocumentRoot to your appbase.
>>>
>>> Try this:
>>>
>>> GET http://localhost/Andromeda/META-INF/context.xml
>>>
>>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>>> - - it's really hard to understand what your appbase really is).
>>>
>>> If you have a container-managed db connection pool, you are more than
>>> likely to have your database username and password in that file, which
>>> is now publicly accessible via HTTP. Pwned.
>>>
>>>  (The web application contains only links to other pages in the same
>>>> application. It is a test application to learn.)
>>>>
>>> You should learn to do things properly. I'm not trying to be nasty, but
>>> you should try to get in the habit of doing things securely even when
>>> they are toys. That way you won't forget to do it when it really matters.
>>>
>> +1
>> In addition, the way you have things set up, it is really difficult to
>> help, because we cannot be sure of which server is serving what.
>>
>>
>>
>>>  In those conditions, with those settings, if a user enters
>>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>>> WebContent directory.
>>>>
>>> That's surprising, given your configuration.
>>>
>>>  So, I think Tomcat is serving that content.
>>> Yes, if the tags are being evaluated and you're not just getting the
>>> source code.
>>>
>>>  Do you think Apache is serving "index.jsp" file content?
>>> Can't tell, you didn't show us any of that.
>>>
>> +1
>> In addition again, it may be serving /that/ file, but what about any links
>> maybe *contained* in that file.  Perhaps there are none, but perhaps also
>> there is a link inside (to an image, or an iframe e.g.) which ends up being
>> served by Apache, and which is the reason for the blank page.
>>
>> The main point again : it is *possible* to configure things the way you
>> have done, and to nevertheless avoid security holes and other issues.  But
>> it is *hard*, and any mistake can compromise your server, or lead to errors
>> difficult to debug.
>> (For example, you also allow Symlinks, which may confuse things yet a bit
>> more).
>>
>> You should give Apache a different DocumentRoot, not your Tomcat webapps
>> directory.
>> (And maybe put some single html page in it, which should never appear,
>> and if it does you will know something is wrong).
>>
>> Then you should use both
>> JkMount /Andromeda worker1
>> JkMount /Andromeda/* worker1
>> (because they do not overlap)
>>
>> Then, later, if you want Apache to be serving something directly instead of
>> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
>> it selectively.
>> Or use something like
>> SetEnvIf Request_URI "\.jpg$" no-jk
>>
>> Or you could look at an alternative way to specify what needs to be
>> forwarded, which I personally find more flexible and more Apache-like than
>> JkMount/unMount :
>> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
>> The section "Using SetHandler and Environment Variables"
>>
>> Now, if you really want to know what is serving what (and learn other
>> interesting things besides about HTTP) install a browser plugin like HttpFox
>> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
>> contents of each packet sent by the browser to the server, and from the
>> server to the browser, including the HTTP headers and all.
>>
>> The mod_jk logging is also a tool, but it will only show the traffic
>> between Apache and Tomcat, not what Apache serves directly.
>>
>>
>>
>>
> 



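The configuration André recommends (a DocumentRoot that is not Tomcat's webapps directory, both JkMount lines, selective JkUnMount or no-jk for static files) and the exposure Chris describes (META-INF/context.xml readable through httpd) can be put side by side in one httpd 2.2 VirtualHost. This is an added example written for this thread, not a configuration posted by any of the participants; the paths under /srv/www and /opt/tomcat, the sentinel page and the `.jpg` pattern are illustrative assumptions, while `ASIA`, `*:80`, `/Andromeda` and `worker1` are taken from the thread.

```apache
# Added example (not from the thread): an httpd 2.2 VirtualHost that keeps
# Apache's DocumentRoot away from Tomcat's appBase and forwards the
# "Andromeda" webapp to the mod_jk worker "worker1".
# /srv/www/asia and /opt/tomcat/webapps are assumed paths.

# --- The weak setting being debugged in this thread (do not do this) ---
# DocumentRoot /opt/tomcat/webapps
# <Directory /opt/tomcat/webapps>
#     Options Indexes FollowSymLinks
#     Order allow,deny
#     Allow from all
# </Directory>
# Anything mod_jk does not forward is then served by httpd as a plain file:
# /Andromeda/META-INF/context.xml (database credentials for a container-
# managed pool) and /Andromeda/WEB-INF/web.xml become readable over HTTP,
# and a file served by httpd bypasses the <security-constraint> that only
# Tomcat enforces.

<VirtualHost *:80>
    ServerName ASIA

    # 1. A DocumentRoot owned by httpd, holding a single sentinel index.html.
    #    If that page ever shows up in a browser, a request that should have
    #    gone to Tomcat was answered by httpd instead.
    DocumentRoot /srv/www/asia
    <Directory /srv/www/asia>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # 2. Both mounts: the bare context path and everything below it.
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # 3. Defence in depth: even if a later JkUnMount or an Alias points into
    #    the webapp tree, httpd must never serve these directories. (The
    #    match is case-sensitive; Tomcat itself refuses them as well.)
    <LocationMatch "/(WEB-INF|META-INF)/">
        Order allow,deny
        Deny from all
    </LocationMatch>

    # 4. Optional, and only once the basics work: let httpd serve images
    #    itself, selectively. Either unmount the pattern ...
    # JkUnMount /Andromeda/*.jpg worker1
    #    ... or mark matching requests with the no-jk environment variable.
    # SetEnvIf Request_URI "\.jpg$" no-jk
    #    Files handled this way must live under DocumentRoot (or an Alias to a
    #    directory you control), not under Tomcat's webapps directory, and
    #    they are no longer covered by Tomcat's security constraint.

    # Alternative to JkMount, from the mod_jk reference section
    # "Using SetHandler and Environment Variables":
    # <Location /Andromeda>
    #     SetHandler jakarta-servlet
    #     SetEnv JK_WORKER_NAME worker1
    # </Location>

    ErrorLog  logs/asia-error.log
    CustomLog logs/asia-access.log combined
</VirtualHost>
```

After reloading httpd, the check Chris suggests (requesting /Andromeda/META-INF/context.xml through port 80) should return a 403 from the LocationMatch block rather than the file, and a request for the sentinel page should only ever succeed at the bare site root.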

Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Igor:
  mod_jk log file is configured, but nothing relevant is logged.
  Thank you.
--
[Adrián Córdoba]



2011/7/21 Igor Cicimov <ic...@gmail.com>

> Configure a mod_jk log file and see what's going on there
>
> On Jul 22, 2011 10:37 AM, "Adrián Córdoba" <ad...@gmail.com> wrote:
>
> Well...
> 1- I delete the "Directory" section from httpd.conf file.
> 2- I add "JkMount  /Andromeda worker1" to the virtual host.
> 3- I add dynamic content to index.jsp page
> So I proved the content is served by Tomcat. But I have the same problem: I
> cannot view the content of protected section of my web application through
> Apache web server.
>
> If I access directly to Tomcat (skipping httpd), I can see the protected
> content.
>
> Access log in httpd is:
> ------------------------------------------------------
> ::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:27:41 -0300] "GET
> /Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
> (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
> "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
> Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
> HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686)
> AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
> ::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
> HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
> i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
> Safari/534.30"
> ------------------------------------------------------
>
> Thank you, very much.
> --
> [Adrián Córdoba]
>
> 2011/7/21 André Warnier <aw@ice-sa.com>
>
> > Christopher Schultz wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Adrián,
> >> ...
> >> GET http://localhost/Andromeda/META-INF/context.xml
> >>
> >> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
> >> - - it's really hard to understand what your appbase really is).
> >>
> >> If you have a container-ma...
> > apache.html <http://tomcat.apache.org/connectors-doc/reference/apache.html>
> > The section "Using SetHandler and Environment Variables"
> >
> > Now, if you really want to know what ...
> >
>

Re: Tomcat behind Apache and security-constraint

Posted by Igor Cicimov <ic...@gmail.com>.
Configure a mod_jk log file and see what's going on there

On Jul 22, 2011 10:37 AM, "Adrián Córdoba" <ad...@gmail.com> wrote:

Well...
1- I delete the "Directory" section from httpd.conf file.
2- I add "JkMount  /Andromeda worker1" to the virtual host.
3- I add dynamic content to index.jsp page
So I proved the content is served by Tomcat. But I have the same problem: I
cannot view the content of protected section of my web application through
Apache web server.

If I access directly to Tomcat (skipping httpd), I can see the protected
content.

Access log in httpd is:
------------------------------------------------------
::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:27:41 -0300] "GET
/Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
(X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
------------------------------------------------------

Thank you, very much.
--
[Adrián Córdoba]

2011/7/21 André Warnier <aw@ice-sa.com>

> Christopher Schultz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adrián,
>> ...
>> GET http://localhost/Andromeda/META-INF/context.xml
>>
>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>> - - it's really hard to understand what your appbase really is).
>>
>> If you have a container-ma...
> apache.html <http://tomcat.apache.org/connectors-doc/reference/apache.html>
> The section "Using SetHandler and Environment Variables"
>
> Now, if you really want to know what ...
>

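Igor's suggestion to configure a mod_jk log file, and André's remark that such a log shows only the traffic between Apache and Tomcat, fit together as a diagnostic: a URL that appears in the httpd access log but never in the mod_jk request log was answered by httpd itself. The directives below are an added example for httpd 2.2, not configuration posted by Igor or André; the file paths are assumptions, and the request-log format string is my own choice of mod_jk's documented specifiers.

```apache
# Added example (not from the thread): mod_jk logging in the main httpd
# configuration, alongside the LoadModule line. Paths are assumed.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkShmFile     logs/mod_jk.shm

# Module log: worker selection, AJP connection errors and, at "debug",
# the packets exchanged with Tomcat. Lower the level again once the
# problem is found; debug output grows quickly and records request data.
JkLogFile     logs/mod_jk.log
JkLogLevel    debug
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# One line per request actually forwarded to Tomcat: worker name, virtual
# host, URL path, HTTP status returned by Tomcat and request duration.
# Nothing that httpd serves directly from its DocumentRoot appears here.
JkRequestLogFormat "%w %V %U %s %T"
```

To use it, reproduce the blank page once, then compare the same timestamps in the httpd access log and in mod_jk.log: every request for /Andromeda/internal/internal.jsp and /Andromeda/internal/j_security_check should show up in both with the same status; one that is missing from the mod_jk side, or that carries a different status there, marks the response that differs between the two paths to Tomcat.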
Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Well...
1- I delete the "Directory" section from httpd.conf file.
2- I add "JkMount  /Andromeda worker1" to the virtual host.
3- I add dynamic content to index.jsp page
So I proved the content is served by Tomcat. But I have the same problem: I
cannot view the content of protected section of my web application through
Apache web server.

If I access directly to Tomcat (skipping httpd), I can see the protected
content.

Access log in httpd is:
------------------------------------------------------
::1 - - [21/Jul/2011:21:27:18 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:21 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:22 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:27:24 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:27:41 -0300] "GET
/Andromeda/internal/j_security_check HTTP/1.1" 200 433 "-" "Mozilla/5.0
(X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:46 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/ HTTP/1.1" 200 669 "-"
"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko)
Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:50 -0300] "GET /Andromeda/StyleSheet.css
HTTP/1.1" 304 - "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux i686)
AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124 Safari/534.30"
::1 - - [21/Jul/2011:21:29:53 -0300] "GET /Andromeda/internal/internal.jsp
HTTP/1.1" 200 782 "http://localhost/Andromeda/" "Mozilla/5.0 (X11; Linux
i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.124
Safari/534.30"
------------------------------------------------------

Thank you, very much.
--
[Adrián Córdoba]



2011/7/21 André Warnier <aw...@ice-sa.com>

> Christopher Schultz wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Adrián,
>>
>> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>>
>>> Thank you, André. I know this "Warning", but I want to serve static
>>> content with Apache web server and dynamic content with Tomcat.
>>>
>>
>> You can still do that without setting the DocumentRoot to your appbase.
>>
>> Try this:
>>
>> GET http://localhost/Andromeda/META-INF/context.xml
>>
>> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
>> - - it's really hard to understand what your appbase really is).
>>
>> If you have a container-managed db connection pool, you are more than
>> likely to have your database username and password in that file, which
>> is now publicly accessible via HTTP. Pwned.
>>
>>  (The web application contains only links to other pages in the same
>>> application. It is a test application to learn.)
>>>
>>
>> You should learn to do things properly. I'm not trying to be nasty, but
>> you should try to get in the habit of doing things securely even when
>> they are toys. That way you won't forget to do it when it really matters.
>>
>
> +1
> In addition, the way you have things set up, it is really difficult to
> help, because we cannot be sure of which server is serving what.
>
>
>
>>  In those conditions, with those settings, if a user enters
>>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>>> WebContent directory.
>>>
>>
>> That's surprising, given your configuration.
>>
>>  So, I think Tomcat is serving that content.
>>>
>>
>> Yes, if the tags are being evaluated and you're not just getting the
>> source code.
>>
>>  Do you think Apache is serving "index.jsp" file content?
>>>
>>
>> Can't tell, you didn't show us any of that.
>>
>
> +1
> In addition again, it may be serving /that/ file, but what about any links
> maybe *contained* in that file.  Perhaps there are none, but perhaps also
> there is a link inside (to an image, or an iframe e.g.) which ends up being
> served by Apache, and which is the reason for the blank page.
>
> The main point again : it is *possible* to configure things the way you
> have done, and to nevertheless avoid security holes and other issues.  But
> it is *hard*, and any mistake can compromise your server, or lead to errors
> difficult to debug.
> (For example, you also allow Symlinks, which may confuse things yet a bit
> more).
>
> You should give Apache a different DocumentRoot, not your Tomcat webapps
> directory.
> (And maybe put some single html page in it, which should never appear,
> and if it does you will know something is wrong).
>
> Then you should use both
> JkMount /Andromeda worker1
> JkMount /Andromeda/* worker1
> (because they do not overlap)
>
> Then, later, if you want Apache to be serving something directly instead of
> forwarding it to Tomcat, you should look up the JkUnMount directive, and do
> it selectively.
> Or use something like
> SetEnvIf Request_URI "\.jpg$" no-jk
>
> Or you could look at an alternative way to specify what needs to be
> forwarded, which I personally find more flexible and more Apache-like than
> JkMount/unMount :
> See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
> The section "Using SetHandler and Environment Variables"
>
> Now, if you really want to know what is serving what (and learn other
> interesting things besides about HTTP) install a browser plugin like HttpFox
> (for Firefox) or Fiddler2 (for IE).  These plugins allow you to see the
> contents of each packet sent by the browser to the server, and from the
> server to the browser, including the HTTP headers and all.
>
> The mod_jk logging is also a tool, but it will only show the traffic
> between Apache and Tomcat, not what Apache serves directly.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Adrián,
> 
> On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
>> Thank you, André. I know this "Warning", but I want to serve static
>> content with Apache web server and dynamic content with Tomcat.
> 
> You can still do that without setting the DocumentRoot to your appbase.
> 
> Try this:
> 
> GET http://localhost/Andromeda/META-INF/context.xml
> 
> (or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
> - - it's really hard to understand what your appbase really is).
> 
> If you have a container-managed db connection pool, you are more than
> likely to have your database username and password in that file, which
> is now publicly accessible via HTTP. Pwned.
> 
>> (The web application contains only links to other pages in the same 
>> application. It is a test application to learn.)
> 
> You should learn to do things properly. I'm not trying to be nasty, but
> you should try to get in the habit of doing things securely even when
> they are toys. That way you won't forget to do it when it really matters.

+1
In addition, the way you have things set up, it is really difficult to help, because we 
cannot be sure of which server is serving what.

> 
>> In those conditions, with those settings, if a user enters 
>> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
>> WebContent directory.
> 
> That's surprising, given your configuration.
> 
>> So, I think Tomcat is serving that content.
> 
> Yes, if the tags are being evaluated and you're not just getting the
> source code.
> 
>> Do you think Apache is serving "index.jsp" file content?
> 
> Can't tell, you didn't show us any of that.

+1
In addition again, it may be serving /that/ file, but what about any links maybe 
*contained* in that file.  Perhaps there are none, but perhaps also there is a link inside 
(to an image, or an iframe e.g.) which ends up being served by Apache, and which is the 
reason for the blank page.

The main point again : it is *possible* to configure things the way you have done, and to 
nevertheless avoid security holes and other issues.  But it is *hard*, and any mistake can 
compromise your server, or lead to errors difficult to debug.
(For example, you also allow Symlinks, which may confuse things yet a bit more).

You should give Apache a different DocumentRoot, not your Tomcat webapps directory.
(And maybe put some single html page in it, which should never appear, and if it does 
you will know something is wrong).

Then you should use both
JkMount /Andromeda worker1
JkMount /Andromeda/* worker1
(because they do not overlap)

Then, later, if you want Apache to be serving something directly instead of forwarding it 
to Tomcat, you should look up the JkUnMount directive, and do it selectively.
Or use something like
SetEnvIf Request_URI "\.jpg$" no-jk

Or you could look at an alternative way to specify what needs to be forwarded, which I 
personally find more flexible and more Apache-like than JkMount/unMount :
See here : http://tomcat.apache.org/connectors-doc/reference/apache.html
The section "Using SetHandler and Environment Variables"

Now, if you really want to know what is serving what (and learn other interesting things 
besides about HTTP) install a browser plugin like HttpFox (for Firefox) or Fiddler2 (for 
IE).  These plugins allow you to see the contents of each packet sent by the browser to 
the server, and from the server to the browser, including the HTTP headers and all.

The mod_jk logging is also a tool, but it will only show the traffic between Apache and 
Tomcat, not what Apache serves directly.
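
André names three ways to let Apache serve some files itself without making Tomcat's webapps directory the DocumentRoot: JkUnMount, the no-jk environment variable, and SetHandler with environment variables. The fragment below puts the three side by side so the trade-offs are visible. It is an added example, not configuration taken from this thread or from the Tomcat connectors documentation; /srv/www/asia and /srv/www/andromeda-static are assumed paths, the /Andromeda/static subtree is an assumed layout, and only option A is active, with B and C commented out because each replaces rather than extends it.

```apache
# Baseline: Apache owns its DocumentRoot (assumed path); Tomcat owns
# everything under /Andromeda, bare context path included.
DocumentRoot /srv/www/asia
JkMount /Andromeda   worker1
JkMount /Andromeda/* worker1

# Option A: carve one URL subtree back out of the mount and map it to a
# directory Apache controls, outside Tomcat's appBase (assumed path).
# /Andromeda/static/logo.png is then read from
# /srv/www/andromeda-static/logo.png; everything else still goes to Tomcat,
# so the security-constraint on /internal/* is untouched.
JkUnMount /Andromeda/static/* worker1
Alias     /Andromeda/static    /srv/www/andromeda-static
<Directory "/srv/www/andromeda-static">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Option B (alternative to A): decide per request. A request carrying the
# "no-jk" variable is left to Apache even though its URI is mounted, and
# the file is then looked up as DocumentRoot + URI, i.e. under
# /srv/www/asia/Andromeda/..., so the static tree must mirror the URL
# layout there. Never combine this with a DocumentRoot inside webapps,
# or the "static" files Apache finds are the application's own.
#SetEnvIf Request_URI "\.(jpg|png|css)$" no-jk

# Option C (alternative to the two JkMount lines): select the worker per
# Location instead of by mount pattern, as in the "Using SetHandler and
# Environment Variables" section of the connectors reference; mod_jk
# takes the worker name from the JK_WORKER_NAME variable. The nested
# Location hands the static subtree back to Apache's default handler.
#<Location /Andromeda>
#    SetHandler jakarta-servlet
#    SetEnv     JK_WORKER_NAME worker1
#</Location>
#<Location /Andromeda/static>
#    SetHandler None
#</Location>
```

Whichever option is used, the check is the same: request a file from the static subtree and one from /Andromeda/internal/ through port 80 and confirm that the first comes back from Apache with no login and the second still triggers Tomcat's form login. If the internal page ever arrives without a login, a path has landed in the "served by Apache" column that should not be there.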



Re: Tomcat behind Apache and security-constraint

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adrián,

On 7/21/2011 3:28 PM, Adrián Córdoba wrote:
> Thank you, André. I know this "Warning", but I want to serve static
> content with Apache web server and dynamic content with Tomcat.

You can still do that without setting the DocumentRoot to your appbase.

Try this:

GET http://localhost/Andromeda/META-INF/context.xml

(or maybe GET http://localhost/Andromeda/WebContent/META-INF/context.xml
- - it's really hard to understand what your appbase really is).

If you have a container-managed db connection pool, you are more than
likely to have your database username and password in that file, which
is now publicly accessible via HTTP. Pwned.

> (The web application contains only links to other pages in the same 
> application. It is a test application to learn.)

You should learn to do things properly. I'm not trying to be nasty, but
you should try to get in the habit of doing things securely even when
they are toys. That way you won't forget to do it when it really matters.

> In those conditions, with those settings, if a user enters 
> http://localhost/Andromeda, he gets the "*index.jsp*" page in the
> WebContent directory.

That's surprising, given your configuration.

> So, I think Tomcat is serving that content.

Yes, if the tags are being evaluated and you're not just getting the
source code.

> Do you think Apache is serving "index.jsp" file content?

Can't tell, you didn't show us any of that.

> Anyway, I will try removing the trailing "/".

If that points to a directory, both Apache and Tomcat will perform a
redirect and add the "/" so it probably doesn't matter.

> (I know the security issues, but I'm using this application in my
> local network in order to learn only.)

See above.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4ogdgACgkQ9CaO5/Lv0PC48wCeO5dHc6XWZT7LjGZqrcETbN3Q
JuEAn02R6OeNCfjLoAoOMdPXFqr7miAI
=TxOq
-----END PGP SIGNATURE-----



Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Thank you, André.
I know this "Warning", but I want to serve static content with Apache web
server and dynamic content with Tomcat. (The web application contains only
links to other pages in the same application. It is a test application to
learn.)

In those conditions, with those settings, if a user enters
http://localhost/Andromeda, he gets the "*index.jsp*" page in the WebContent
directory. So, I think Tomcat is serving that content.
Do you think Apache is serving "index.jsp" file content?

Anyway, I will try removing the trailing "/".

(I know the security issues, but I'm using this application in my local
network in order to learn only.)

Thank you, very much.
--
[Adrián Córdoba]



2011/7/21 André Warnier <aw...@ice-sa.com>

> Addendum :
> This, which I missed earlier, is of course also a no-no, for the same
> reasons as explained earlier :
> DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
>
> see the remark in red here :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
>
>
> André Warnier wrote:
>
>> Adrián Córdoba wrote:
>> ...
>>
>>  JkMount  /Andromeda/* worker1
>>>  <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>>>    Options Indexes FollowSymLinks
>>>    AllowOverride None
>>>    Order allow,deny
>>>    Allow from all
>>>  </Directory>
>>> </VirtualHost>
>>> ---------------------------------------------------------
>>>
>> ...
>>
>>  Maybe I have a configuration mistake.
>>>
>>>
>> Yes, a big one above.
>> Whether it is the cause of your problem, I am not quite sure yet (but it
>> could be).
>> It is bad anyway, because you are allowing Apache users, potentially, to
>> bypass Tomcat and to access the Tomcat application directory directly.
>> So, again potentially, if a user manages to access the directory
>> "/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and
>> without going through Tomcat, then anything that you did in Tomcat to
>> protect access to that directory is useless.
>>
>> And that is probably the case here :
>>
>> Say a user enters the URL "http://ASIA/Andromeda" in his browser, and the
>> browser requests that URL.  What happens ?
>> Apache will compare that URL (the part after the host) with the JkMount
>> instruction.
>> The request URL is "/Andromeda", which is compared to the URL in the
>> JkMount "/Andromeda/*".
>> It does not match, since the request URL is missing the trailing "/" of
>> the expression in the JkMount.
>> So Apache does not forward this request to Tomcat, but handles it itself.
>> After a few more steps in Apache, finally Apache comes to this directory
>> "/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document
>> to serve.
>> Since no document is specified in the URL, Apache will use the one
>> specified in the relevant "DirectoryIndex" directive.  That may be, for
>> instance, "index.html" or similar.
>> And it will serve it according to its own permissions settings, which here
>> are :
>>  >     Allow from all
>> (so anyone can get anything, without access control)
>>
>> It is a bit difficult, not knowing the exact content of your pages, to
>> figure out what the full consequences may be, but maybe it gives you a clue
>> already.
>>
>> In other words,
>> 1) remove the section
>> <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>> from the Apache configuration.  It has nothing to do there, because you
>> want Apache to forward these URLs to Tomcat anyway.
>> And it is a security risk (particularly on Windows, but even here).
>>
>> 2) add the following JkMount :
>> JkMount  /Andromeda worker1
>> (so that a request for "http://ASIA/Andromeda" will be *also* forwarded
>> to Tomcat.)
>>
>> Then try again, and come back here if you still have a problem.
>>
>>
>>
>>
>>
>>
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Addendum :
This, which I missed earlier, is of course also a no-no, for the same reasons as explained 
earlier :
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/

see the remark in red here :
http://tomcat.apache.org/connectors-doc/reference/apache.html


André Warnier wrote:
> Adrián Córdoba wrote:
> ...
> 
>> JkMount  /Andromeda/* worker1
>>   <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>>     Options Indexes FollowSymLinks
>>     AllowOverride None
>>     Order allow,deny
>>     Allow from all
>>   </Directory>
>> </VirtualHost>
>> ---------------------------------------------------------
> ...
> 
>> Maybe I have a configuration mistake.
>>
> 
> Yes, a big one above.
> Whether it is the cause of your problem, I am not quite sure yet (but it 
> could be).
> It is bad anyway, because you are allowing Apache users, potentially, to 
> bypass Tomcat and to access the Tomcat application directory directly.
> So, again potentially, if a user manages to access the directory 
> "/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and without 
> going through Tomcat, then anything that you did in Tomcat to protect 
> access to that directory is useless.
> 
> And that is probably the case here :
> 
> Say a user enters the URL "http://ASIA/Andromeda" in his browser, and 
> the browser requests that URL.  What happens ?
> Apache will compare that URL (the part after the host) with the JkMount 
> instruction.
> The request URL is "/Andromeda", which is compared to the URL in the 
> JkMount "/Andromeda/*".
> It does not match, since the request URL is missing the trailing "/" of 
> the expression in the JkMount.
> So Apache does not forward this request to Tomcat, but handles it itself.
> After a few more steps in Apache, finally Apache comes to this directory
> "/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document 
> to serve.
> Since no document is specified in the URL, Apache will use the one 
> specified in the relevant "DirectoryIndex" directive.  That may be, for 
> instance, "index.html" or similar.
> And it will serve it according to its own permissions settings, which 
> here are :
>  >     Allow from all
> (so anyone can get anything, without access control)
> 
> It is a bit difficult, not knowing the exact content of your pages, to 
> figure out what the full consequences may be, but maybe it gives you a 
> clue already.
> 
> In other words,
> 1) remove the section
> <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
> from the Apache configuration.  It has nothing to do there, because you 
> want Apache to forward these URLs to Tomcat anyway.
> And it is a security risk (particularly on Windows, but even here).
> 
> 2) add the following JkMount :
> JkMount  /Andromeda worker1
> (so that a request for "http://ASIA/Andromeda" will be *also* forwarded 
> to Tomcat.)
> 
> Then try again, and come back here if you still have a problem.
> 
> 
> 
> 
> 




Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Adrián Córdoba wrote:
...

> JkMount  /Andromeda/* worker1
>   <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>   </Directory>
> </VirtualHost>
> ---------------------------------------------------------
...

> Maybe I have a configuration mistake.
> 

Yes, a big one above.
Whether it is the cause of your problem, I am not quite sure yet (but it could be).
It is bad anyway, because you are allowing Apache users, potentially, to bypass Tomcat and 
to access the Tomcat application directory directly.
So, again potentially, if a user manages to access the directory 
"/opt/apache-tomcat-7.0.12/webapps/Andromeda" through Apache and without going through 
Tomcat, then anything that you did in Tomcat to protect access to that directory is useless.

And that is probably the case here :

Say a user enters the URL "http://ASIA/Andromeda" in his browser, and the browser requests 
that URL.  What happens ?
Apache will compare that URL (the part after the host) with the JkMount instruction.
The request URL is "/Andromeda", which is compared to the URL in the JkMount "/Andromeda/*".
It does not match, since the request URL is missing the trailing "/" of the expression in 
the JkMount.
So Apache does not forward this request to Tomcat, but handles it itself.
After a few more steps in Apache, finally Apache comes to this directory
"/opt/apache-tomcat-7.0.12/webapps/Andromeda", and looks for a document to serve.
Since no document is specified in the URL, Apache will use the one specified in the 
relevant "DirectoryIndex" directive.  That may be, for instance, "index.html" or similar.
And it will serve it according to its own permissions settings, which here are :
 >     Allow from all
(so anyone can get anything, without access control)

It is a bit difficult, not knowing the exact content of your pages, to figure out what the 
full consequences may be, but maybe it gives you a clue already.

In other words,
1) remove the section
<Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
from the Apache configuration.  It has nothing to do there, because you want Apache to 
forward these URLs to Tomcat anyway.
And it is a security risk (particularly on Windows, but even here).

2) add the following JkMount :
JkMount  /Andromeda worker1
(so that a request for "http://ASIA/Andromeda" will be *also* forwarded to Tomcat.)

Then try again, and come back here if you still have a problem.
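
To make the diagnosis concrete, here is the vhost as posted next to a corrected one, with a trace in the comments of which server handles each request. This is an added example, not configuration from the thread or from the Tomcat connectors documentation; /srv/www/asia is an assumed path, and the traces follow the matching rule described above (a JkMount of /Andromeda/* matches only URIs that begin with /Andromeda/, so the bare /Andromeda is not forwarded). The explicit deny on WEB-INF and META-INF also covers Christopher's context.xml point elsewhere in the thread.

```apache
# ---- As posted: weak ----------------------------------------------------
# The JkMount pattern is the only thing between a client and the
# application directory; whatever it does not match, Apache serves as files.
<VirtualHost *:80>
    ServerName   ASIA
    DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
    JkMount      /Andromeda/* worker1
    <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
#
# What each request hits under this config:
#   GET /Andromeda                        not mounted (no trailing "/"):
#                                         Apache maps it to the directory
#                                         and mod_dir redirects to
#                                         /Andromeda/, which is mounted
#   GET /Andromeda/internal/internal.jsp  mounted, Tomcat, constraint applies
#   GET /Andromeda/META-INF/context.xml   mounted, Tomcat refuses it
#   GET /ROOT/index.jsp, /manager/...     not mounted: whether Apache hands
#                                         out the files (JSP source included)
#                                         depends only on the global
#                                         <Directory> rules, not shown here
# Any JkUnMount added later, or a typo in the mount, moves more of the tree
# into the "served by Apache as files" column, with directory listings on.

# ---- Corrected ----------------------------------------------------------
<VirtualHost *:80>
    ServerName   ASIA
    # Assumed path: a document root Apache owns, holding nothing but a
    # canary page. If a client ever sees it, a mount is missing.
    DocumentRoot /srv/www/asia
    <Directory "/srv/www/asia">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Both mounts: the bare context path and everything below it.
    JkMount /Andromeda   worker1
    JkMount /Andromeda/* worker1

    # Belt and braces: container metadata never leaves through Apache,
    # whatever a later JkUnMount does. Case-insensitive, as Tomcat's
    # own check is.
    <LocationMatch "(?i)/(WEB-INF|META-INF)/">
        Order allow,deny
        Deny from all
    </LocationMatch>
</VirtualHost>
#
# What each request hits now:
#   GET /Andromeda                        Tomcat (exact mount)
#   GET /Andromeda/internal/internal.jsp  Tomcat, constraint applies
#   GET /Andromeda/META-INF/context.xml   403 from Apache
#   GET /ROOT/index.jsp                   404 from Apache: not under the
#                                         DocumentRoot, and no mount
```

The quick check after the change is the request Christopher suggests: fetch /Andromeda/META-INF/context.xml and /Andromeda/WEB-INF/web.xml through port 80 and through port 8080 and confirm that neither ever returns a 200 with XML in the body; the status code does not matter, the body does.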





Re: Tomcat behind Apache and security-constraint

Posted by Adrián Córdoba <ad...@gmail.com>.
Konstantin / Barry / André:
Thank you for your reply.

1- No important access log is shown for this issue.

2- I have ROOT webapp deployed in Tomcat.

3- I have Apache connected to Tomcat through JK Connector 1.2.32. (I want to
say the web application works fine if I use a URL to Tomcat, but doesn't
work (only the content within security-constraint) if I use a URL to
Apache.)
Platform is OpenSuse 11.4.

4- Details:
*Application structure*:
Andromeda/WebContent/index.jsp (entry page)
Andromeda/WebContent/admin/login.jsp
Andromeda/WebContent/admin/login-error.jsp
Andromeda/WebContent/internal/internal.jsp
Andromeda/WebContent/articles/index.html

The "WebContent/index.jsp" page has two links: a link to
WebContent/internal/internal.jsp", and the other one to
"WebContent/articles/index.html".
The "WebContent/internal/" directory is protected by the following security
constraint in the web.xml file:

---------------------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Internal</web-resource-name>
    <url-pattern>/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>internal-access</role-name>
  </auth-constraint>
</security-constraint>
----------------------------------------------------------------

Also, I declared in the web.xml file:

--------------------------------------------------
<!-- Security roles -->
  <security-role>
    <role-name>internal-access</role-name>
  </security-role>

<!-- Form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/admin/login.jsp</form-login-page>
      <form-error-page>/admin/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
------------------------------------------------

And in the tomcat-users.xml file, I set:

------------------------------------------------
<role rolename="internal-access" />
<user username="xx" password="yy" roles="internal-access" />
------------------------------------------------

I can get the entry page with the "http://localhost/AppPrefix/index.jsp" URL
through Apache server.
When I click the internal.jsp link, I get the login.jsp page. That's
right.
But when I submit the credentials (username: xx / password: yy), I get a
blank page (with http://localhost/Andromeda/internal/j_security_check in the
URL bar), instead of the internal.jsp page.

If I access the entry page with "http://localhost:8080/AppPrefix/index.jsp"
URL, (skipping Apache server,) I can get the internal.jsp page when I submit
the credentials.
Also, if I delete the security constraint, the web application works fine.

The relevant Apache configuration is:

httpd.conf file:

------------------------------------------------------------
LoadModule    jk_module  modules/mod_jk.so
JkWorkersFile /opt/httpd-2.2.17/conf/workers.properties
JkShmFile     /var/log/httpd2.2.17/mod_jk.shm
JkLogFile     /var/log/httpd2.2.17/mod_jk.log
JkLogLevel    info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

<VirtualHost *:80>
ServerAdmin *****@gmail.com
ServerName ASIA
DocumentRoot /opt/apache-tomcat-7.0.12/webapps/
ErrorLog /var/log/httpd2.2.17/andromeda-error_log
CustomLog /var/log/httpd2.2.17/andromeda-access_log combined
HostnameLookups Off
UseCanonicalName Off
ServerSignature On
JkMount  /Andromeda/* worker1
  <Directory "/opt/apache-tomcat-7.0.12/webapps/Andromeda">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
---------------------------------------------------------

and workers.properties file:

-----------------------------------------------------
workers.java_home=/usr/java/latest
ps=/

worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
----------------------------------------------------

Maybe I have a configuration mistake.

Thank you.

--
[Adrián Córdoba]



2011/7/21 André Warnier <aw...@ice-sa.com>

> Adrián Córdoba wrote:
>
>> Hi!
>> I have a very simple web application
>> (JSP<http://www.coderanch.com/forums/f-50/JSP> based),
>>
>> deployed on Tomcat webapps directory with a security constraint in order
>> to
>> protect an internal directory. Tomcat (7.0.12) is running behind Apache
>> (2.2.17) web server (httpd).
>>
>> If I try to access some file within internal directory, directly in
>> Tomcat (*http://localhost:8080/...*), username and password are required,
>> and I can reach the file (if username and password are right). That's
>> right!
>>
>> But, *if I try to access the same file within internal directory, through
>> Apache web server* (*http://localhost/...*), username and password are
>> required, but *a blank page is displayed on Firefox navigator*.
>> (If I delete the security constraint, the web application works fine.)
>>
>>
> What is missing in your otherwise good description above, is how you are
> connecting Apache httpd to Tomcat, and maybe some part of the configuration
> thereof.
> Also, on which platform this is running.
>
>
>
>
>

Re: Tomcat behind Apache and security-constraint

Posted by André Warnier <aw...@ice-sa.com>.
Adrián Córdoba wrote:
> Hi!
> I have a very simple web application
> (JSP<http://www.coderanch.com/forums/f-50/JSP> based),
> deployed on Tomcat webapps directory with a security constraint in order to
> protect an internal directory. Tomcat (7.0.12) is running behind Apache
> (2.2.17) web server (httpd).
> 
> If I try to access some file within internal directory, directly in
> Tomcat (*http://localhost:8080/...*), username and password are required,
> and I can reach the file (if username and password are right). That's
> right!
> 
> But, *if I try to access the same file within internal directory, through
> Apache web server* (*http://localhost/...*), username and password are
> required, but *a blank page is displayed on Firefox navigator*.
> (If I delete the security constraint, the web application works fine.)
> 

What is missing in your otherwise good description above, is how you are connecting Apache 
httpd to Tomcat, and maybe some part of the configuration thereof.
Also, on which platform this is running.




Re: Tomcat behind Apache and security-constraint

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/7/21 Adrián Córdoba <ad...@gmail.com>:
> *a blank page is displayed on Firefox navigator*.

Do you have ROOT webapp deployed on your Tomcat?

What is shown in access logs (in Tomcat one and in Apache HTTPD one)?
I hope that you have them configured.

Best regards,
Konstantin Kolinko
