Lucee & virtual directories in IIS
383 views
Skip to first unread message
Dave Quested
Dec 22, 2015, 4:47:35 AM12/22/15
to Lucee
Hi everyone
We're looking to move from ACF to Lucee. We've hit a major roadblock already unfortunately. It appears Lucee doesn't 'execute' virtual directories in IIS. ACF does this fine.
Is there a way to get Lucee to see/execute the virtual directory as ACF does? There must be other Win/IIS converts that have achieved this in Railo/Lucee?
Refactoring is not an option I'm afraid, just too much work, we have too many websites using it.
Thanks in advance
Dave
Julian Halliwell
Dec 22, 2015, 5:06:22 AM12/22/15
to lu...@googlegroups.com
Hi Dave
Try adding the virtual directories as Lucee mappings, either in your
Application.cfc or in the server/web context admin.
Julian.
Try adding the virtual directories as Lucee mappings, either in your
Application.cfc or in the server/web context admin.
Julian.
Jordan Michaels
Dec 22, 2015, 1:34:11 PM12/22/15
to lu...@googlegroups.com
ACF uses a custom connector and a singular J2EE context to handle requests in order to make some things - like IIS virtual directories - easier, however, these methods don't conform to J2EE standards. Lucee has historically tried to adhere to the J2EE standards and uses standard J2EE contexts to handle different sites and web requests.
Since IIS virtual directories only exist within IIS, they have to be "translated" to a standardized Tomcat contexts. This can be done using the BonCode Connector - which adds the 'x-vdir' header to incoming web requests - and the mod_cfml tomcat valve which creates in-memory contexts for non-existent host names in an authorized request.
How did you install Lucee? If you used the Windows installer, the BonCode Connector and mod_cfml should be installed by default unless you opted not to install them.
Documentation for the BonCode connector is here (created and maintained by Bilal Soylu):
http://boncode.net/connector/webdocs/Tomcat_Connector.htm (Under the "EnableHeaderDataSupport" config option)
Documentation for mod_cfml and the 'x-vdir' header is here (support for 'x-vdir' added by Paul Klinkenberg):
http://www.modcfml.org/index.cfm/documentation/modcfml-so-apache-module/an-in-depth-look-at-modcfml/
--
Kind regards,
Jordan Michaels
Vivio Technologies
--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/8ad9b4ed-aaf1-4a92-8ad0-06605b0b2176%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Since IIS virtual directories only exist within IIS, they have to be "translated" to a standardized Tomcat contexts. This can be done using the BonCode Connector - which adds the 'x-vdir' header to incoming web requests - and the mod_cfml tomcat valve which creates in-memory contexts for non-existent host names in an authorized request.
How did you install Lucee? If you used the Windows installer, the BonCode Connector and mod_cfml should be installed by default unless you opted not to install them.
Documentation for the BonCode connector is here (created and maintained by Bilal Soylu):
http://boncode.net/connector/webdocs/Tomcat_Connector.htm (Under the "EnableHeaderDataSupport" config option)
Documentation for mod_cfml and the 'x-vdir' header is here (support for 'x-vdir' added by Paul Klinkenberg):
http://www.modcfml.org/index.cfm/documentation/modcfml-so-apache-module/an-in-depth-look-at-modcfml/
--
Kind regards,
Jordan Michaels
Vivio Technologies
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/8ad9b4ed-aaf1-4a92-8ad0-06605b0b2176%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Paul Klinkenberg
Dec 22, 2015, 2:36:20 PM12/22/15
to lu...@googlegroups.com
Hi Jordan,
As far as I know, an as I didn't find the word "x-vdirs" in the Lucee source code, Lucee still needs to implement a handler for an incoming x-vdirs header. Also, we still need to add security around this header.
So for the time being, adding the virtual directories as mappings in the Lucee web context is still the way to go. Again, as far as I know.
Kind regards,
Paul Klinkenberg
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/1417637034.215084.1450809247999.JavaMail.zimbra%40viviotech.net.
As far as I know, an as I didn't find the word "x-vdirs" in the Lucee source code, Lucee still needs to implement a handler for an incoming x-vdirs header. Also, we still need to add security around this header.
So for the time being, adding the virtual directories as mappings in the Lucee web context is still the way to go. Again, as far as I know.
Kind regards,
Paul Klinkenberg
Jordan Michaels
Dec 22, 2015, 3:38:52 PM12/22/15
to lu...@googlegroups.com
Hey Paul,
Thanks for correcting my misunderstanding there. I assumed that since we had implemented the x-vdir header that it was also supported by subsequent systems. Can you elaborate on what kind of security you're thinking of adding for it? Looking at the valve source, it looks like the authorization key is validated before processing anything else. Are you thinking character filtering maybe?
For implementation, since a Virtual Directory can be represented in a Tomcat context using the following context config:
<Host name="lucee.org" appBase="/home/lucee/public_html">
<Context path="/vdir/" docBase="/home/other_user/public_html/some_other_directory/" />
<Alias>www.lucee.org</Alias>
</Host>
...do you see any reason we could not add the vdirs from the x-vdir headers to the context xml file that the mod_cfml valve creates for a new context?
Or, while I'm not as familiar as you are with the child context methods, maybe we could implement those in a way that would mimic the above config? Would be something fun to play with and see, if nothing else. ;)
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/83627EAD-48BB-48FC-AB96-59A6FCABAFB2%40ongevraagdadvies.nl.
Thanks for correcting my misunderstanding there. I assumed that since we had implemented the x-vdir header that it was also supported by subsequent systems. Can you elaborate on what kind of security you're thinking of adding for it? Looking at the valve source, it looks like the authorization key is validated before processing anything else. Are you thinking character filtering maybe?
For implementation, since a Virtual Directory can be represented in a Tomcat context using the following context config:
<Host name="lucee.org" appBase="/home/lucee/public_html">
<Context path="/vdir/" docBase="/home/other_user/public_html/some_other_directory/" />
<Alias>www.lucee.org</Alias>
</Host>
...do you see any reason we could not add the vdirs from the x-vdir headers to the context xml file that the mod_cfml valve creates for a new context?
Or, while I'm not as familiar as you are with the child context methods, maybe we could implement those in a way that would mimic the above config? Would be something fun to play with and see, if nothing else. ;)
Paul Klinkenberg
Dec 23, 2015, 4:30:34 AM12/23/15
to lu...@googlegroups.com
Hi Jordan,
When we mailed about this previously with Bilal, I thought the idea was it would be implemented by Lucee as request-only mappings. I sure like the idea of adding it on the Tomcat level, and it sure makes sense.
I will try to implement this on the Tomcat level, probably in January.
The security issue I was worried about, was only applicable when Lucee would handle the mappings, as it currently would not have a way to validate the source of the incoming header. But when done in the Tomcat valve, we have the shared secret key for validation :)
Kind regards,
Paul Klinkenberg
------------
> To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/1194127527.215462.1450816728057.JavaMail.zimbra%40viviotech.net.
When we mailed about this previously with Bilal, I thought the idea was it would be implemented by Lucee as request-only mappings. I sure like the idea of adding it on the Tomcat level, and it sure makes sense.
I will try to implement this on the Tomcat level, probably in January.
The security issue I was worried about, was only applicable when Lucee would handle the mappings, as it currently would not have a way to validate the source of the incoming header. But when done in the Tomcat valve, we have the shared secret key for validation :)
Kind regards,
Paul Klinkenberg
------------
Bilal
Dec 23, 2015, 2:30:35 PM12/23/15
to Lucee
Thanks Paul.
I think the Tomcat level mapping would be interesting.
we can block out the potential security implication by adding a blacklist directive into the BonCode setting file like so: <HeaderBlackList>x-vdirs</HeaderBlackList>
This will prevent externally passed in headers from being added to the HTTP header.
Cheers,
B.
Reply all
Reply to author
Forward
0 new messages