How to fix directory traversal vulnerability on Tomcat 9


I have a JEE service on a Tomcat 9 container (Debian 10.8). In front of it an Apache Web Server + mod_proxy_ajp.

In my VH I do not have any ProxyPass rule for the /manager/html context, but if on a Web client I rewrite my URL adding /..;/manager/html (e.g.: https://www.example.org/site/..;/manager/html) the Tomcat Manager asks for credentials.

Is there a trick to avoid it? Maybe using modsecurity? Thanks.


samuelj:

I solved the problem using a mod_security rule:

    # Deny any request whose URI carries a ".." segment with a path parameter (dots escaped so the rule matches only a real ".." segment)
    SecRule REQUEST_URI "@rx /\.\.;" "phase:1,id:129,severity:'CRITICAL',msg:'Path parameter on dot-dot segment',deny"

It works.

Piotr P. Karwasz:

Since path parameters are only used in Tomcat for session tracking (as an alternative to cookies), you can safely remove them in Apache2 from the .. path segment:

    RewriteEngine on
    RewriteRule ^(.*)/\.\.;[^/]*(.*)$ $1/..$2 [N]

Alternatively you can remove them altogether:

    RewriteEngine on
    RewriteRule ^(.*);[^/]*(.*)$ $1$2 [N]

and configure Tomcat to use only cookies for session tracking in $CATALINA_BASE/conf/web.xml:

    <session-config>
        ...
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
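The following Python script is an added example, not code from either answer or from the Apache/Tomcat projects. It models the mismatch behind the question (Apache treats `..;` as an ordinary segment and forwards the request under /site, while Tomcat strips path parameters first and then resolves `..`, landing in /manager/html) and then runs both answers' mitigations against constructed sample paths: the ModSecurity regex as posted, a tightened version with the dots escaped, and the two RewriteRules including their [N] re-run semantics. The Tomcat and Apache path handling is a simplified model (an assumption, not their real code), and the script assumes that only /site is proxied to Tomcat, as the question describes.

```python
import posixpath
import re

# Constructed sample request paths (not taken from the original thread).  The
# first has the shape of the URL in the question; the others are ordinary
# requests that a mitigation must NOT break.
SAMPLE_PATHS = [
    "/site/..;/manager/html",
    "/site/..;jsessionid=ABC123/manager/html",
    "/site/index.jsp;jsessionid=ABC123",
    "/site/page",
]

# Assumption for the model: only /site is proxied to Tomcat (ProxyPass /site ...),
# matching the question's setup with no rule for /manager/html.
PROXIED_PREFIX = "/site"

# The regex from the first answer as originally posted, and a tightened form
# that only matches a real ".." segment carrying a path parameter.
MODSEC_RX_ORIGINAL = r"..;/"
MODSEC_RX_FIXED = r"/\.\.;"

# The two RewriteRules from the second answer, translated to Python's regex
# replacement syntax ($1/..$2 becomes \g<1>/..\g<2>).
RULE_STRIP_DOTDOT_PARAMS = (r"^(.*)/\.\.;[^/]*(.*)$", r"\g<1>/..\g<2>")
RULE_STRIP_ALL_PARAMS = (r"^(.*);[^/]*(.*)$", r"\g<1>\g<2>")


def tomcat_effective_path(path):
    """Simplified model (assumption) of how Tomcat maps a request URI to a
    servlet path: the ';...' path parameters are stripped from every segment
    first, and only then are '..' segments resolved.  That ordering is what
    turns '/site/..;/manager/html' into '/manager/html'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(stripped)


def apache_sees(path):
    """Apache has no notion of path parameters, so '..;' is just an ordinary
    segment name and dot-segment normalisation leaves the path under /site."""
    return posixpath.normpath(path)


def reaches_manager_unmitigated(path):
    """True when the front end forwards the request to Tomcat AND Tomcat then
    resolves it into the Manager webapp, i.e. the behaviour the question reports."""
    forwarded = apache_sees(path).startswith(PROXIED_PREFIX)
    return forwarded and tomcat_effective_path(path).startswith("/manager")


def apply_rewrite(path, pattern, replacement, max_rounds=10):
    """Emulate a RewriteRule carrying the [N] flag: rerun the rule until the
    pattern no longer matches.  The bound guards against a rule that never
    converges, which [N] would otherwise loop on."""
    for _ in range(max_rounds):
        new_path, count = re.subn(pattern, replacement, path, count=1)
        if count == 0:
            return path
        path = new_path
    raise RuntimeError("RewriteRule [N] did not converge for %r" % path)


def evaluate(path):
    """Run every mitigation from the thread against one request path."""
    after_dotdot = apply_rewrite(path, *RULE_STRIP_DOTDOT_PARAMS)
    after_all = apply_rewrite(path, *RULE_STRIP_ALL_PARAMS)
    return {
        "tomcat_resolves_to": tomcat_effective_path(path),
        "blocked_by_original_rule": bool(re.search(MODSEC_RX_ORIGINAL, path)),
        "blocked_by_fixed_rule": bool(re.search(MODSEC_RX_FIXED, path)),
        "after_dotdot_rewrite": after_dotdot,
        "after_all_params_rewrite": after_all,
        # After rewriting, Apache sees a plain '..' and normalises it away, so
        # the request no longer falls under the proxied prefix.
        "still_forwarded_after_rewrite": apache_sees(after_all).startswith(PROXIED_PREFIX),
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "-> reaches manager unmitigated:", reaches_manager_unmitigated(p))
        for key, value in evaluate(p).items():
            print("   ", key, "=", value)
```

Running it shows two things worth checking on a real deployment: the ModSecurity regex with unescaped dots (`..;/`) does not match when the `..` segment carries a non-empty parameter (the second sample path), whereas the escaped form does, and an ordinary `;jsessionid=` request is left alone by the first RewriteRule and still forwarded after the second one. Whether Apache re-normalises the rewritten `..` before ProxyPass matching is something to confirm in the access log of the actual server rather than trust from this model.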