Stopping Virtual Directory Access

Maybe a simple question but it's stumped me

         

apache1048

9:27 pm on Jan 6, 2005 (gmt 0)

10+ Year Member



I have a server running Apache2 and Tomcat (4.1.24) and serving a couple of JSP applications. My problem is that I need to separate virtual directories from pesky users.

The sites are different URLs and require authentication via a central DB.

i.e.
www.example.com/detail/ gives a full view of information

www.ukexample.com/nodetail gives a limited view.

How do I stop users simply deleting the 'no' and getting the detail context? The URLs point to the same server and same IP. I need to keep the document root completely separate for each URL and lock it somehow.

Any help would be appreciated.

jdMorgan

9:53 pm on Jan 6, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



apache1048,

Welcome to WebmasterWorld!

Can you clarify the relationship between domain "example.com" with "/detail" and "ukexample.com" with "/nodetail," please?

This all depends on how your authentication scheme works. If you were using Apache Basic Authentication, then users would be authenticated only to one domain.

Jim

apache1048

10:15 pm on Jan 6, 2005 (gmt 0)

10+ Year Member



OK, the domains are on the same server and the same IP. One is for the US customers and one for the UK customers. The UK customers are not permitted to see the same amount of detail as the US so a different application is provided.

When the customer goes to the URL, Apache does a redirect (via an index.html file meta redirect in the document root) to the Tomcat application directory.

Example below.

Apache conf file 1

<VirtualHost 1.2.3.4>
ServerName ukexample.com
DocumentRoot /usr/local/apache2/htdocs/ukcustomer
ErrorLog /var/logs/httpd/ukcustomer_error_log
CustomLog /var/logs/hd_log combined

<Location "/*.jsp">
JkUriSet worker ajp13:localhost:8009
</Location>
</VirtualHost>

Apache conf file 2

<VirtualHost 1.2.3.4>
ServerName example.com
DocumentRoot /usr/local/apache2/htdocs/
ErrorLog /var/logs/httpd/error_log
CustomLog /var/logs/hd_log combined

<Location "/*.jsp">
JkUriSet worker ajp13:localhost:8009
</Location>
</VirtualHost>

The customer can then amend the URL from /nodetail to /detail and see the detailed output. They have authenticated via a JDBC realm at this point.

I am guessing it is an Apache solution but it may be a Tomcat configuration. Thanks.

kalos

12:27 am on Jan 7, 2005 (gmt 0)

10+ Year Member



Since both the UK and US "servers" have their own htdocs, why not just set them both to use /detail/ and control what information is passed via the login or originating URL (by passing a parameter to your JSP page)? Using mod_rewrite seems like overkill when you have already done most of the work via the fact you have separate domain names for each of the locations (although I would have probably stuck to domain.com and used us.domain.com and uk.domain.com -- but that's just me).

-ben
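
An added example, not part of any post in this thread: one way to tie the detail view to the login rather than to the URL is a role check in the detail application's own WEB-INF/web.xml (Servlet 2.3, as used by Tomcat 4.1). The role name us-detail, the BASIC login method and the realm name are assumptions, as is a JDBC realm role table that grants us-detail to US customers only.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example: WEB-INF/web.xml for the /detail context only.
     The /nodetail context keeps its own, less restrictive web.xml. -->
<web-app>

  <!-- Weak setting this replaces: a constraint that only demands a valid
       login (any role the realm knows), which lets an authenticated UK
       user reach /detail by editing the path. -->

  <!-- Corrected setting: every URL and every HTTP method in this context
       requires the us-detail role (hypothetical name), not just a login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Full detail views</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements: the constraint covers all methods. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>us-detail</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Assumed login method; keep whatever the application already uses.
       The credentials and roles still come from the central JDBC realm. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customer login</realm-name>
  </login-config>

  <!-- Roles referenced above must be declared here. The realm's role table
       decides which users hold it (assumed: US customers only). -->
  <security-role>
    <description>Customers permitted to see the full detail view</description>
    <role-name>us-detail</role-name>
  </security-role>

</web-app>
```

With this in place the decision is made by the container from the authenticated user's roles, so a UK customer who requests /detail on either hostname receives HTTP 403 regardless of which URL or parameter they supply.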

jdMorgan

2:43 am on Jan 7, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> When the customer goes to the URL apache does a redirect (via an index.html file meta redirect in the document root)

Red alert! That meta-refresh is not a redirect, it is a client-side browser reload. Therefore, you are "exposing" your Tomcat URL to the public -- and to search engine results listing.

In the strongest (friendly) terms, I advise you to get rid of that little beauty right now! Do a search here on WebmasterWorld for terrifying phrases like "meta-refresh destroyed my ranking" and "302 hijacking" and you will learn why (after reading several hundred posts by affected members).

Meta-refresh is for free-hosting web sites where there is no other available mechanism. If you've got mod_rewrite and scripting available, then rewriting and redirection should be done server-side.

Jim