Bill Barker wrote:
> <[EMAIL PROTECTED]> wrote in message
>> +<p><b>The Apache httpd DocumentRoot should not overlap with a Tomcat
>> Host's
>> +appBase or the docBase of any Context. Configuring httpd/Tomcat this way
>> is very
>> +likely to result in JSP source code disclosure and/or other security
>> issues.
>> +</b></p>
>
> IMHO, this is misleading. It requires a lot more httpd configuration to
> make this secure, but it isn't in and of itself insecure.
>
> And, if you are going to go this route, you should also warn about:
> Alias /myapp /var/tomcat/webapps/myapp
>
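Review bot: The added paragraph names only the httpd DocumentRoot, so a reader can follow it to the letter and still map a URL straight into a webapp directory with a directive such as the quoted "Alias /myapp /var/tomcat/webapps/myapp"; the sentence should cover any httpd path mapping that reaches a Host's appBase or a Context's docBase. It would also help to say what makes the overlap unsafe (httpd serving the files itself instead of passing the request to Tomcat), since the text currently states the outcome, "JSP source code disclosure and/or other security issues", without the condition that produces it.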
I am not going to get upset if you want to commit some alternative guidance. My main concern is that there is some warning as a number of how-to guides seem to recommend it without the extra security and there has been a rash of related e-mails recently.

Mark
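An added example, not part of the original messages or of the Tomcat documentation: a small audit check that flags the overlap discussed in this thread, covering both the `DocumentRoot` case from the patch and the `Alias` case raised in the reply. The sample configuration, the `/var/tomcat` CATALINA_BASE default and all function names are assumptions; only top-level `DocumentRoot` and `Alias` directives with already-normalized paths are considered.

```python
import shlex
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample inputs for illustration only.
HTTPD_CONF = '''\
DocumentRoot "/var/www/html"
Alias /myapp /var/tomcat/webapps/myapp
Alias /static /srv/static
'''
SERVER_XML = '''\
<Server><Service><Engine>
  <Host name="localhost" appBase="/var/tomcat/webapps">
    <Context path="/shop" docBase="/opt/apps/shop"/>
  </Host>
</Engine></Service></Server>
'''

def httpd_paths(conf):
    """Return (directive, filesystem path) for DocumentRoot and Alias lines."""
    found = []
    for line in conf.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quotes and '#'
        if tokens and tokens[0].lower() in ("documentroot", "alias"):
            # The filesystem path is the last argument of both directives.
            found.append((tokens[0], PurePosixPath(tokens[-1])))
    return found

def tomcat_paths(server_xml, catalina_base):
    """Return (attribute, path) for every Host appBase and Context docBase."""
    found = []
    for host in ET.fromstring(server_xml).iter("Host"):
        # A relative appBase resolves against CATALINA_BASE.
        app_base = PurePosixPath(catalina_base) / host.get("appBase", "webapps")
        found.append(("appBase", app_base))
        for ctx in host.iter("Context"):
            if ctx.get("docBase"):
                # A relative docBase resolves against the Host's appBase.
                found.append(("docBase", app_base / ctx.get("docBase")))
    return found

def overlaps(a, b):
    """True when the paths are equal or one directory contains the other."""
    return a == b or a in b.parents or b in a.parents

def find_overlaps(conf, server_xml, catalina_base="/var/tomcat"):
    """List every httpd mapping that reaches into a Tomcat-served directory."""
    return [(d, str(hp), k, str(tp))
            for d, hp in httpd_paths(conf)
            for k, tp in tomcat_paths(server_xml, catalina_base)
            if overlaps(hp, tp)]
```

On the constructed sample, `find_overlaps(HTTPD_CONF, SERVER_XML)` reports the `Alias` line and leaves the `DocumentRoot` and `/static` mappings alone.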