Tomcat security constraint doesn't work behind Apache

Adrian Cordoba
Greenhorn

Joined: Jul 09, 2011
Posts: 13

I have a very simple web application (JSP based), deployed in the Tomcat webapps directory, with a security constraint in order to protect an internal directory. Tomcat is running behind the Apache web server (httpd).

If I try to access some file within the internal directory, directly in Tomcat (http://localhost:8080/...), username and password are required, and I can reach the file (if username and password are right). That's right!

But, if I try to access the same file within the internal directory, through the Apache web server (http://localhost/...), username and password are required, but a blank page is displayed on Firefox navigator.
(If I delete the security constraint, the web application works fine.)

Do you have any idea?

I was searching in Google in order to solve this problem, but nothing was found.

Thank you, in advance.

[Adrián E. Córdoba]
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16054
    

Well, a web server is not a file server, so you're not doing yourself any favors in talking about "directories" and "files". Whether or not in this particular instance, the resource is ultimately resolved by retrieving a file from a directory, what you're actually submitting are URLs, and it's up to the server and application as to how they resolve the URL request. That's an important distinction to bear in mind, since web.xml acts by matching URL patterns, NOT by protecting raw resources such as files and directories.

However, pedantry aside, I suspect that you probably don't have the Apache connector for the https channel set up correctly. If you're using a transport guarantee - and one normally does for secured resources - the URL "http://localhost:8080/mywebapp/mydirectory/myfile" should have been rerouted to "https://localhost:8080/mywebapp/mydirectory/myfile". But if the https channel is mis-configured, you'll have problems.


Customer surveys are for companies who didn't pay proper attention to begin with.
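
A web.xml showing the container-managed security discussed above, as an added example that is not the original poster's file: the constraint is bound to a URL pattern, and the transport guarantee is the setting that decides whether Tomcat redirects to https. The path /internal/*, the role name staff and the realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (constructed example; path, role and realm names are assumptions) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal pages</web-resource-name>
      <!-- Matched against the request URL path below the context root,
           not against a directory or file on disk. -->
      <url-pattern>/internal/*</url-pattern>
      <!-- No <http-method> elements: the constraint covers every method.
           Listing only GET and POST would leave other methods unprotected. -->
    </web-resource-collection>

    <!-- Only authenticated users holding this role may pass. -->
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>

    <user-data-constraint>
      <!-- NONE: plain http is accepted and no redirect happens.
           CONFIDENTIAL: Tomcat redirects the request to the connector's
           redirectPort, so a working https channel must exist end to end. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC sends credentials base64-encoded, so without CONFIDENTIAL
       they cross the wire readable. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Internal</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here. -->
  <security-role>
    <role-name>staff</role-name>
  </security-role>

</web-app>
```
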
Adrian Cordoba
Greenhorn

Joined: Jul 09, 2011
Posts: 13

Tim:
I beg your pardon for the confusion. (My English is not good!)
I want to use Tomcat as a web container behind Apache as a web server, serving JSP and HTML pages (in the webapps directory) to browsers that request URLs like http://localhost/AppPrefix...
Also, I want to say I'm not using SSL. No <transport-guarantee>CONFIDENTIAL</transport-guarantee> subelement exists in the web.xml file.
Thank you for the reply.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16054
    

My Spanish is not very strong either. But you are doing OK. There was no ambiguity. I made my statement because mistaking URLs for filenames is common in any language.

The most common cause of a blank page display is that the page rendering operation failed. Often a browser "View Page Source" command can show useful information, but it's worth checking the Tomcat catalina.out and localhost log files as well.

The fact that this only happens when accessing through Apache makes it sound like an Apache problem. One mistake I may have made, however, is that I assumed that you'd defined container security in Tomcat using web.xml. It sounds like you're possibly using the Apache page security system. The Apache and Tomcat security systems don't talk to each other, so Apache security should be limited to who may access the Tomcat server as a whole, and not attempt to restrict individual sub-levels of the URL when you are using web.xml.

Adrian Cordoba
Greenhorn

Joined: Jul 09, 2011
Posts: 13

Tim Holloway wrote: My Spanish is not very strong either. But you are doing OK. There was no ambiguity. I made my statement because mistaking URLs for filenames is common in any language.

The most common cause of a blank page display is that the page rendering operation failed. Often a browser "View Page Source" command can show useful information, but it's worth checking the Tomcat catalina.out and localhost log files as well.

The fact that this only happens when accessing through Apache makes it sound like an Apache problem. One mistake I may have made, however, is that I assumed that you'd defined container security in Tomcat using web.xml. It sounds like you're possibly using the Apache page security system. The Apache and Tomcat security systems don't talk to each other, so Apache security should be limited to who may access the Tomcat server as a whole, and not attempt to restrict individual sub-levels of the URL when you are using web.xml.



Tim:
The source code of the blank page I get is empty.
Log files don't show information about this issue.
I'm only using Tomcat security. No Apache security is used.

Thank you, again.
 