Multiple Server Security Models

We strongly advise against sharing a filesystem directory between Apache httpd's document root tree and Tomcat's webapps tree. Although it can be convenient to build a web application that lives in one directory and uses features of both Apache httpd and Tomcat, the security implications of doing so are too numerous to track and handle: each server enforces only its own access rules and knows nothing about the other's.

A common example: a company already has Apache httpd serving a PHP web application, and for whatever reason it also wants to add some JSP pages and perhaps a few Java servlets. The developers put the JSP files in the same directory as the PHP files, then configure Tomcat to deploy one of the directories under Apache httpd's document root as a Tomcat webapp, even though Apache httpd already serves that directory. Apache httpd handles the *.php files, and the developers configure it to forward all requests for *.jsp to Tomcat. Works great, right? Not quite: Apache httpd knows nothing about the servlet specification's rule that WEB-INF/ must never be served to clients, so unless it is explicitly told otherwise it will hand out WEB-INF/web.xml and the compiled classes beneath it as plain static files, and Tomcat in turn knows nothing about any .htaccess protection Apache httpd applies. Because of security issues like these, we strongly advise you not to share deployment directories this way.

When sharing a physical directory of web pages between the Apache httpd web server and Tomcat on the same machine (or network filesystem), beware of interactions between their respective security models. This is particularly critical when you have "protected directories." If you're using the simplistic sharing modes detailed in Chapter 5, such as load sharing using separate port numbers or proxying from Apache ...
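The following audit script is an added example and is not code from the book or from either project. It models the two servers' access rules in a deliberately simplified form (every rule below is an assumption stated in the code): Apache httpd hands requests for *.jsp to Tomcat before any per-directory .htaccess check runs (the mod_proxy behaviour), executes *.php itself, honours "Require" lines in .htaccess files, and otherwise serves any file as static content; Tomcat refuses anything under WEB-INF/ or META-INF/ and has no notion of .htaccess at all. Run against a constructed sample tree, it lists the files each server would expose that the other side protects, including what becomes reachable when Tomcat listens on its own port and clients bypass httpd entirely.

```python
"""Audit a directory tree shared between Apache httpd and Tomcat.

Added example, not from the book. The modelled rules are assumptions:
  * httpd forwards *.jsp to Tomcat before any .htaccess check (mod_proxy),
    executes *.php itself, honours "Require ..." in .htaccess, refuses .ht*
    files, and serves everything else as raw static content.
  * Tomcat refuses WEB-INF/ and META-INF/ (servlet spec) and ignores .htaccess.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

FORWARDED_TO_TOMCAT = {".jsp"}      # assumed httpd rule: only *.jsp is proxied
APACHE_HANDLERS = {".php"}          # assumed: mod_php executes these itself
CONTAINER_PRIVATE = {"WEB-INF", "META-INF"}
SOURCE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".class", ".xml", ".properties"}


def htaccess_protected(rel: Path, root: Path) -> bool:
    """True if an .htaccess between root and the file's directory has a Require line."""
    directory = root
    candidates = [directory]
    for part in rel.parts[:-1]:
        directory = directory / part
        candidates.append(directory)
    for directory in candidates:
        htaccess = directory / ".htaccess"
        if htaccess.is_file() and "require" in htaccess.read_text().lower():
            return True
    return False


def apache_serves(rel: Path, root: Path) -> Optional[str]:
    """What httpd does with a request for this file: 'forward' (to Tomcat),
    'handler' (a module such as mod_php), 'static' (raw bytes) or None (denied)."""
    if rel.suffix in FORWARDED_TO_TOMCAT:      # handed off before .htaccess is consulted
        return "forward"
    if rel.name.startswith(".ht") or htaccess_protected(rel, root):
        return None
    if rel.suffix in APACHE_HANDLERS:
        return "handler"
    return "static"


def tomcat_serves(rel: Path) -> bool:
    """Tomcat refuses WEB-INF/ and META-INF/ but serves everything else,
    including the .htaccess files that httpd relies on (modelled assumption)."""
    return not any(part in CONTAINER_PRIVATE for part in rel.parts[:-1])


def audit(root: Path) -> Dict[str, List[str]]:
    """Return, per failure mode, the URLs one server exposes that the other protects."""
    findings: Dict[str, List[str]] = {
        "apache_serves_tomcat_private": [],   # httpd hands out source/WEB-INF bytes
        "forward_bypasses_htaccess": [],      # proxied *.jsp skips httpd's auth
        "tomcat_port_bypasses_htaccess": [],  # direct requests to Tomcat's port
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root)
            url = "/" + rel.as_posix()
            via_apache = apache_serves(rel, root)
            protected = htaccess_protected(rel, root)
            if via_apache == "static" and (
                not tomcat_serves(rel) or rel.suffix in SOURCE_EXTENSIONS
            ):
                findings["apache_serves_tomcat_private"].append(url)
            if via_apache == "forward" and protected:
                findings["forward_bypasses_htaccess"].append(url)
            if protected and tomcat_serves(rel):
                findings["tomcat_port_bypasses_htaccess"].append(url)
    return {key: sorted(urls) for key, urls in findings.items()}


SAMPLE_TREE = {  # constructed sample layout for the demo, not a real site
    "index.php": "<?php echo 'hello'; ?>",
    "page.jsp": "<%= 1 + 1 %>",
    "page.jspx": "<jsp:root/>",
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/classes/App.class": "(compiled bytecode placeholder)",
    "admin/.htaccess": "AuthType Basic\nRequire valid-user\n",
    "admin/secret.jsp": "<%= System.getenv() %>",
}


def demo() -> Dict[str, List[str]]:
    """Build the constructed sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(root)


if __name__ == "__main__":
    for failure_mode, urls in demo().items():
        print(failure_mode, urls)
```

Three things fall out of the sample tree: httpd serves WEB-INF/web.xml, the compiled classes and the source of page.jspx (which the *.jsp forwarding rule does not match) as plain files; the forwarded request for admin/secret.jsp never sees the .htaccess that protects the admin/ directory; and anything Tomcat is willing to serve, .htaccess file included, is reachable on Tomcat's own port with no httpd protection at all. Fixing the first two with httpd directives still leaves the third, which is why the text recommends separate directories rather than a longer list of rules.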

Get Tomcat: The Definitive Guide, 2nd Edition now with the O’Reilly learning platform.