...
[13:54:42 CDT(-0500)] <atilling> we have hundreds of *.cfm files, we only want the ones under a particular folder to be secure
[13:55:08 CDT(-0500)] <serac> Understood.
[13:55:13 CDT(-0500)] <serac> You may need an exception.
[13:55:20 CDT(-0500)] <atilling> basically cfm is like jsp
[13:55:41 CDT(-0500)] <serac> I know cfm.
[13:55:42 CDT(-0500)] <atilling> all the jsp files need to be handled by tomcat
[13:55:45 CDT(-0500)] <atilling> ok
[13:55:46 CDT(-0500)] <serac> Here's the docs:
[13:55:47 CDT(-0500)] <serac> Inside the URI pattern three special characters can be used, '*', '?' and '|'. The character '*' is a wildchar that matches any number of arbitrary characters in the URI
[13:55:57 CDT(-0500)] <serac> I read that as * matches / characters as well.
[13:56:08 CDT(-0500)] <atilling> right
[13:56:56 CDT(-0500)] <atilling> I can't set the /cfide folder to not be mapped to tomcat, still need the CFM processed
[13:56:56 CDT(-0500)] <serac> So a file like /CFIDE/index.cfm would be covered by that mapping.
[13:57:12 CDT(-0500)] <serac> I see.
[13:57:52 CDT(-0500)] <serac> The behavior you're seeing indicates you can't do both.
[13:58:01 CDT(-0500)] <serac> I was thinking this was static content served by Apache.
[13:58:31 CDT(-0500)] <atilling> the /CFIDE folder contains the coldfusion server settings
[13:59:57 CDT(-0500)] <atilling> but the server settings themselves are a cfm page(s)
[14:00:15 CDT(-0500)] <serac> And you need them interpreted by Cold Fusion.
[14:00:59 CDT(-0500)] <serac> You may want to consider switching to mod_proxy_ajp, which I believe would support this use case.
[14:01:02 CDT(-0500)] <atilling> Coldfusion has password protection for the server admin but it's fairly weak and I wanted to put mod_auth_cas in front of that folder
[14:04:02 CDT(-0500)] <serac> You might post to users@tomcat.apache.org to find out whether it's possible to apply Apache security directives to URIs that are mapped to Tomcat. While it would be surprising if you can't, I can imagine that's the case.
[14:04:20 CDT(-0500)] <atilling> thanks
[14:05:45 CDT(-0500)] <serac> Let me know either way. I'm sure that knowledge would come in handy down the road sometime.
[14:06:14 CDT(-0500)] <atilling> will do