Need to view directory list in apache/tomcat

I've done this before, but have apparently forgotten what I did. I have apache 2.4.16 and Tomcat 8.0.23 on Linux Slackware 64 14.1, kernel 3.10.17.

My Apache DocumentRoot is /srv/httpd/htdocs. My Tomcat $CATALINA_HOME is /srv/tomcat. I have a folder: /srv/tomcat/webapps/ohprs/downloads/jones that I want only user "jones" to have access to. Jones is not a local user. In the jones folder I have a .htaccess file as follows:

AuthType Basic
AuthName "SLC"
AuthUserFile /etc/httpd/passwords
Require user jones

I've added jones to the /etc/httpd/passwords file.

in /etc/httpd/httpd.conf I have:

<Directory /srv/tomcat/webapps/ohprs/downloads/jones>
    Options +Indexes
    AllowOverride All
</Directory>

<Location /ohprs/downloads/jones>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/passwords
    Require valid-user
    AuthBasicProvider file
</Location>

When I enter my URL, https://www.mydomain.com/ohprs/downloads/jones, I get the login dialog. I enter the login info which is accepted. However, I get a 404 status, "The requested resource is not available - Apache Tomcat 8.0.23".

The message in /var/log/httpd/access_log is:
[30/Jul/2015:02:41:40 -0400] 76.181.65.196 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /ohprs/downloads/jones HTTP/1.1" -
[30/Jul/2015:02:41:40 -0400] 76.181.65.196 TLSv1.2 ECDHE-RSA-AES256-SHA384 "GET /ohprs/downloads/jones/ HTTP/1.1" 1040

Open in new window

Nothing logged in $CATALINA_HOME/logs/catalina.out

What am I doing wrong?
LVL 1
jmarkfoleyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rrzCommented:
What does
$CATALINA_HOME/logs/localhost_access_log.2015-7-30.txt  
list as the path for that 404?
Also, wouldn't Tomcat be looking for the welcome file? What does the web.xml file for the ohprs web app list in the welcome file tag?
Anyway, I can suggest one possible solution.  
Change the web.xml file of the ohprs web app to include something like the following.
    <welcome-file-list>
        <welcome-file>listFiles.jsp</welcome-file>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

Open in new window

Create a file called listFiles.jsp inside of ohprs/downloads/jones  and use the following code as contents.
    <%@ page import="java.io.*,java.util.*" %>
    <%
	    String dirPath = application.getRealPath("/downloads/jones");
	    File dir = new File(dirPath);
	    String[] fileList = dir.list();
	    ArrayList<String> list = new ArrayList<String>();
	    for(String file: fileList){
	        if(!"listFiles.jsp".equals(file))list.add(file);
	    }
    %>
	 <%=list%>

Open in new window

0
jmarkfoleyAuthor Commented:
rrz:
What does $CATALINA_HOME/logs/localhost_access_log.2015-7-30.txt  list as the path for that 404?
$ grep tanner localhost_access_log.2015-07-30.txt
76.181.65.196 - - [30/Jul/2015:02:41:02 -0400] "GET /ohprs/downloads/jones/ HTTP/1.1" 404 1040
76.181.65.196 - - [30/Jul/2015:02:41:40 -0400] "GET /ohprs/downloads/jones HTTP/1.1" 302 -
76.181.65.196 - - [30/Jul/2015:02:41:40 -0400] "GET /ohprs/downloads/jones/ HTTP/1.1" 404 1040
76.181.65.196 - - [30/Jul/2015:02:42:01 -0400] "GET /ohprs/downloads/jones/ HTTP/1.1" 404 1040

Open in new window

Also, wouldn't Tomcat be looking for the welcome file? What does the web.xml file for the ohprs web app list in the welcome file tag?
  <!-- ==================== Default Welcome File List ===================== -->
  <!-- When a request URI refers to a directory, the default servlet looks  -->
  <!-- for a "welcome file" within that directory and, if present, to the   -->
  <!-- corresponding resource URI for display.                              -->
  <!-- If no welcome files are present, the default servlet either serves a -->
  <!-- directory listing (see default servlet configuration on how to       -->
  <!-- customize) or returns a 404 status, depending on the value of the    -->
  <!-- listings setting.                                                    -->
  <!--                                                                      -->
  <!-- If you define welcome files in your own application's web.xml        -->
  <!-- deployment descriptor, that list *replaces* the list configured      -->
  <!-- here, so be sure to include any of the default values that you wish  -->
  <!-- to use within your application.                                       -->

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

Open in new window

Your suggested .jsp would certainly work, but I'm really looking for a non-programmed solution. As I said, I did this once before, but I forget how. The "Default Welcome File" description in web.xml says,

"If no welcome files are present, the default servlet either serves a directory listing (see default servlet configuration on how to customize) or returns a 404 status, depending on the value of the listings setting."

I suppose I need to look at the "default servlet configuration". Do you know where that would be? In the meantime, I'll research.
0
jmarkfoleyAuthor Commented:
more info ...

The web.xml says, "listings            Should directory listings be produced if there  is no welcome file in this directory?  [false] WARNING: Listings for directories with many entries can be slow and may consume significant proportions of server resources."

The section defining this has:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Open in new window

So, I suppose I could simply set this to 'true', but I wonder if there is a way to restrict this to just my desired directory? How do Apache's <Directory> and <Location> directives work here? Are they ignored? I'll experiment.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

rrzCommented:
The default <welcome-file-list>   and the "default Servlet configuration"  are in  
$CATALINA_HOME/conf/web.xml    
you can change from default "false"
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>

Open in new window

0
rrzCommented:
Apache's configuration won't affect Tomcat.
0
rrzCommented:
You could change the listings parameter in the default Servlet, but that will expose all your directories in all your web apps on Tomcat if there is no welcome file.
0
jmarkfoleyAuthor Commented:
Yes, changing the default in web.xml is for the whole webapp. Doesn't seem to be a way to expose only one folder. And you are right, Apache settings have no effect.

So, my solution is to use Apache, not Tomcat. Also, Apache allows fancy formatting of the directory. But some wrinkles ... Users are supposed to drag documents to part of the Samba mounted tomcat hierarchy, so I need to leave the files there. What I've done is add an Alias to httpd.conf:

Alias /jones /srv/tomcat/webapps/ohprs/downloads/jones

I did try a symbolic link: /srv/httpd/htdocs/jones -> /srv/tomcat/webapps/ohprs/downloads/jones

and that worked just fine, but I prefer the alias -- except see below.

I needed to make apache a member of the group owning that target directory, but that's better than giving global read access. So, I end up with no <Location> directive in httpd.conf and my <Directory> looks like:

<Directory /srv/tomcat/webapps/ohprs/downloads/jones>
    Options +Indexes
    IndexOptions FancyIndexing HTMLTable SuppressDescription
    IndexOrderDefault Descending Date
    AllowOverride All
    Require all granted
</Directory>

This all works just fine but what is a bit disturbing is that I get the error message:
[Fri Jul 31 14:58:35.311552 2015] [authz_core:error] [pid 8249:tid 140302900623104] [client 76.181.65.196:52072] AH01630: client denied by server configuration: /srv/tomcat/webapps/ohprs/downloads/jones/.htaccess

Open in new window

Yet, I can log in and see/download the files just fine. I'll make this a new question.

Final comments?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rrzCommented:
I don't know the Apache Web Server very well. So, I can't comment on your solution.  I was looking at this question for a Tomcat perspective.  You should mark your comment as the solution.
0
jmarkfoleyAuthor Commented:
I settled on a non-Tomcat solution
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.