I have a JEE service on a Tomcat 9 container (Debian 10.8). In front of it an Apache Web Server mod_proxy_ajp.
In my VH I do not have any ProxyPass rule for /manager/html context but if on a Web client I rewrite my URL adding /..;/manager/html (e.g.: https://www.example.org/site/..;/manager/html) the Tomcat Manager asks for credentials.
Is there a trick to avoid it? Maybe using modsecurity? Thanks.
CodePudding user response:
I solved the problem using a mod_security rule:
# dots are escaped so the pattern matches a literal "..;/" rather than any two characters
SecRule REQUEST_URI "@rx \.\.;/" "phase:1,severity:'CRITICAL',deny,id:129"
It works.
CodePudding user response:
Since path parameters are only used in Tomcat for session tracking (as an alternative to cookies), you can safely remove them in Apache2 from the .. path segment:
RewriteEngine on
RewriteRule ^(.*)/\.\.;[^/]*(.*)$ $1/..$2 [N]
Alternatively you can remove them altogether:
RewriteEngine on
RewriteRule ^(.*);[^/]*(.*)$ $1$2 [N]
and configure Tomcat to use only cookies for session tracking in $CATALINA_BASE/conf/web.xml:
<session-config>
...
<tracking-mode>COOKIE</tracking-mode>
</session-config>
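To see why both answers close the gap, here is an added Python model (not code from either answer, Apache or Tomcat) of how Apache and Tomcat each collapse a request path, with the SecRule pattern and the two RewriteRules from the answers applied to constructed sample paths; the sample paths and function names are assumptions for illustration.

```python
import re

# Constructed sample paths (not from the original post).
ATTACK = "/site/..;/manager/html"              # the path from the question
SESSION = "/site/app;jsessionid=ABC123/page"   # legitimate Tomcat URL session tracking
PLAIN = "/site/index.jsp"

def _collapse(segments):
    """Resolve '.' and '..' segments the way a web server normalizes a path."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def apache_view(path):
    """Apache/mod_proxy treats ';' as an ordinary character: '..;' is not '..'."""
    return _collapse(path.split("/"))

def tomcat_view(path):
    """Tomcat drops the ';param' part of every segment before resolving '..'."""
    return _collapse(seg.split(";", 1)[0] for seg in path.split("/"))

# First answer's SecRule pattern, with the dots escaped so they match literally.
MODSEC_RE = re.compile(r"\.\.;/")

def modsec_blocks(uri):
    return MODSEC_RE.search(uri) is not None

# Second answer's RewriteRules as (pattern, replacement); the [N] flag re-runs
# the rule on its own output until nothing changes.
RULE_DOTDOT_ONLY = (re.compile(r"^(.*)/\.\.;[^/]*(.*)$"), r"\1/..\2")
RULE_ALL_PARAMS = (re.compile(r"^(.*);[^/]*(.*)$"), r"\1\2")

def apply_rewrite(path, rule, max_rounds=32):
    pattern, repl = rule
    for _ in range(max_rounds):   # bounded, like mod_rewrite's own restart limit
        rewritten = pattern.sub(repl, path, count=1)
        if rewritten == path:
            return path
        path = rewritten
    return path

def servers_agree(path):
    # True when Apache and Tomcat resolve the path to the same target.
    return apache_view(path) == tomcat_view(path)
```

Before rewriting, Apache proxies ATTACK as something under /site while Tomcat serves /manager/html; after either RewriteRule the two views coincide, so no ProxyPass rule is bypassed.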