Comment: Corrected links that should have been relative instead of absolute.

...

[13:54:42 CDT(-0500)] <atilling> we have hundreds of *.cfm files, we only want the ones under a particular folder to be secure

[13:55:08 CDT(-0500)] <serac> Understood.

[13:55:13 CDT(-0500)] <serac> You may need an exception.

[13:55:20 CDT(-0500)] <atilling> basically cfm is like jsp

[13:55:41 CDT(-0500)] <serac> I know cfm.

[13:55:42 CDT(-0500)] <atilling> all the jsp files need to be handled by tomcat

[13:55:45 CDT(-0500)] <atilling> ok

[13:55:46 CDT(-0500)] <serac> Here's the docs:

[13:55:47 CDT(-0500)] <serac> Inside the URI pattern three special characters can be used, '*', '?' and '|'. The character '*' is a wildchar that matches any number of arbitrary characters in the URI

[13:55:57 CDT(-0500)] <serac> I read that as * matches / characters as well.

[13:56:08 CDT(-0500)] <atilling> right

[13:56:56 CDT(-0500)] <atilling> I can't set the /cfide folder to not be mapped to tomcat, still need the CFM processed

[13:56:56 CDT(-0500)] <serac> So a file like /CFIDE/index.cfm would be covered by that mapping.

[13:57:12 CDT(-0500)] <serac> I see.

[13:57:52 CDT(-0500)] <serac> The behavior you're seeing indicates you can't do both.

[13:58:01 CDT(-0500)] <serac> I was thinking this was static content served by Apache.

[13:58:31 CDT(-0500)] <atilling> the /CFIDE folder contains the coldfusion server settings

[13:59:57 CDT(-0500)] <atilling> but the server settings themselves are a cfm page(s)

[14:00:15 CDT(-0500)] <serac> And you need them interpreted by Cold Fusion.

[14:00:59 CDT(-0500)] <serac> You may want to consider switching to mod_proxy_ajp, which I believe would support this use case.

[14:01:02 CDT(-0500)] <atilling> Coldfusion has password protection for the server admin but it's fairly weak and I wanted to put mod_auth_cas in front of that folder

[14:04:02 CDT(-0500)] <serac> You might post to users@tomcat.apache.org to find out whether it's possible to apply Apache security directives to URIs that are mapped to Tomcat. While it would be surprising if you can't, I can imagine that's the case.

[14:04:20 CDT(-0500)] <atilling> thanks

[14:05:45 CDT(-0500)] <serac> Let me know either way. I'm sure that knowledge would come in handy down the road sometime.

[14:06:14 CDT(-0500)] <atilling> will do