OK, this is correct! Sorry, but I also think that we must
have a secretKey and a restricted IP list to register inside the cluster. I
want to implement this
inside the next release. But currently the cluster messages are not
encrypted and when clients can connect
to your network you are in trouble. At
When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information. This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as,
When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information. This doesn't
seem to be cured
by any firewalling of incoming connections to the valid servers, as,
Hi
I am using separate contexts in Tomcat 5,0, creating an XML in
CATALINA_HOME/conf/Catalina/localhost, and in this not desired context
I need to forbid some IPs, but when I use this archive and
deploy, Tomcat does not load the modules of Struts nor the
Tiles plugin. Somebody knows
Hello, I have a question regarding security on Tomcat. First, some background:
I'm currently assisting in the deployment of a Xerox Docushare system. This
implementation DocuShare runs on Tomcat (among other platforms.) The problem I've been
having with this particular app/server setup is that
See the servlet spec. I know for version 2.3 of the spec (which is tomcat4
stuff) - security is applied only to the incoming URL. (The same went for
filters too)
For 2.4 - I know that filters can be applied on RequestDispatcher.include and
RequestDispatcher.forward. So security constraints
I do have a question regarding security across appfuse and other
webapps. Currently, I have two separate web applications running under
Tomcat (5.0.26):
- tdx (which is a version of appfuse)
- jGallery (which dynamically serves images)
The way jGallery works is that it 'crossmaps' image gallery
Is it possible to configure tomcat to use public / private key pairs
that implement the java.security API for authentication a la ssh? I
assume it is but haven't found out how yet.
I'm using SSL at the moment but I need to implement a higher security
environment in the same shape and form as
It can't be done (at least without hacking :). The servlet-spec only tells
how to secure a page. There is no concept of un-securing a page.
If you are using iPlanet+Tomcat, and the un-secure areas are all static
content, then you can configure iPlanet to serve the un-secure areas
(bypassing
Security for the site I'm working with was originally done via IPlanet's
internal security. I'd like to move to using the webapp security in
Tomcat. Under iPlanet, the security was set up with the entire site - /*
- being secured, then specific uri's were explicitly declared
un-secured.
So,
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using OpenSSL
0.9.7a with Apache.
Question:
If the user activates a jsp page with a javabean component with access to a PostgreSQL
database server (communicates with port 5432) from the secure area (https) - is it
then
Here are the channels of communication. For a typical web page there are
3 socket connections that can be concurrently open.
A: Web Browser -- Apache
B: Apache -- Tomcat
C: Tomcat -- Database
Now onto the security ...
A: If ssl then secure
B: If ssl, then secure. If not ssl, then someone between
to encrypt the
communications yourself.
Michael
-Original Message-
From: Lars Nielsen Lind [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 March 2003 10:45
To: Tomcat Users List
Subject: Security Question
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18.
I am using
Hi David,
if it weren't Apache I would say: try
HttpServletRequest.getUserPrincipal().getName(). Maybe it could
be that this also works with Apache...
Andreas
I'm trying to retrieve the userid that logged into apache and accessed
the current JSP page. How can I get this info?
I'm trying to retrieve the userid that logged into apache and accessed
the current JSP page. How can I get this info?
Explanation: I'm implementing a very crude security system on my site
for right now (mainly to just keep people from accessing the email
addresses and photos on the site),
Is there a list of security related changes made to JBoss and Tomcat
between 2.4.1-3.2.3 and the most recent stable releases? We're trying to
compile a list of security related reasons for upgrading. TIA
--
Austin Gonyou [EMAIL PROTECTED]
Coremetrics, Inc.
Ok here is a straightforward question:
I understand how to change my server.xml and setup my web.xml files so that security
realm on my server uses odbc to verify the roles / passwords.
The catch is I'm not very happy with having to edit the server.xml file. I would like
to know if there is
On Mon, 22 Jul 2002, Jamie M. Guillemette wrote:
Date: Mon, 22 Jul 2002 14:54:17 -0400
From: Jamie M. Guillemette [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Realm Security Question
Ok here is a straightforward question:
I understand
Hello --
I am trying to get a new Tomcat system configured for my school's CS
department. We want to use version 4 (I am working with 4.0.2).
We need a system that lets students keep their files private, to make sure
that nobody cheats by stealing somebody's servlets or jsp. I am testing
it
: Security question
Hi,
It is possible to verify that a servlet has been called by a specific
servlet or jsp
and that it can't be called by another one.
Michenaud Laurent
- Adeuza -
[ Web Developer - Network Administrator ]
--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional
Hi,
Got it to work, permissions for JSPs can only be given at the context
root level. I was trying to be more fine grained which is not possible.
Antony
Antony Bowesman wrote:
Hi,
How can you assign permissions to code compiled from a JSP, it is
possible or do you have to put all code
Hi,
It is possible to verify that a servlet has been called by a specific
servlet or jsp
and that it can't be called by another one.
Michenaud Laurent
- Adeuza -
[ Web Developer - Network Administrator ]
You can pass (possibly encrypted) information that
only the two parties know. This is essentially
authentication like your username/password.
Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software
Hi,
How do you grant permissions in the policy file to jsp pages. I've tried
grant codeBase
file:${catalina.home}/work/localhost/examples/jsp/security/protected/-
{
permission java.security.AllPermission;
};
but I get an AccessControlException when some code in the jsp tries to
do
Hi,
How can you assign permissions to code compiled from a JSP, it is
possible or do you have to put all code that performs actions that may
encounter security checks inside a bean and then allocate permissions to
the bean class?
I tried adding
grant codeBase
I've started looking at some of the security issues
but I'm still behind where you are in the area of
your questions.
Where did you find this document that has
section 8 on Existing Risks and Problems
Thanks,
Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned
Hi there,
I have read the Existing Risks and Problems (Chapter 8 in the internal
document of the TC-3.3) and spotted that there is a potential security
risk in using Tomcat as a platform for the Application Gateway to an
enterprise business support system.
One of very important subprojects I
I am using Tomcat with JBoss and JBoss is handling security. Everything
works fine and each time a secured component is accessed I see two lines in
the logs:
User: name is authenticated
User: name is authorized
There are now thousands of these lines! How do I get rid of them?
There are so many
What is your debug level in the context?
Darrell
-Original Message-
From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 9:34 AM
To: [EMAIL PROTECTED]
Subject: Fw: Security Question
I am using Tomcat with JBoss and JBoss is handling security. Everything
works
PROTECTED]
Sent: Friday, October 19, 2001 5:56 PM
Subject: RE: Security Question
What is your debug level in the context?
Darrell
-Original Message-
From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 9:34 AM
To: [EMAIL PROTECTED]
Subject: Fw: Security
On Wed, 29 Aug 2001, Achim Baier wrote:
Now my question:
Am I wrong-minded, is it a bug or is it a jsp/servlet/j2ee-feature? Any
comments?
Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI
Hello everybody,
I just tried to make a HTTPS connection to a web-application on tomcat
3.2.2. Because of the documentation it was not difficult but I
recognized something I want to ask about.
I have a directory /secure/. Every resource inside is protected by
web.xml security constraint
Just hoping someone can help me deal with this question...
In the application I'm developing I need to restrict access to a bunch of
binary files (sound recordings). Each user should only be able to download
their own files. Files and users will be added and deleted dynamically. The
realm based
.
Randy
-Original Message-
From: Hamish Barney [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 10:56 AM
To: '[EMAIL PROTECTED]'
Subject: Tomcat security question
Just hoping someone can help me deal with this question...
In the application I'm developing I need
Hi guys,
I have a very simple problem: how can I prevent Tomcat from displaying a
directory listing ? My servlets are installed in webapps/app directory and
asking for the URL http://localhost:8080/app/ just displays the content of the
directory, which I obviously do not want.
Thanks for
Hello Jeff, Hello List,
thank you very much for your reply. A look at this example would have
prevented me from spending a lot of time and writing the other mail. The
built-in example doesn't work at my installation. That j_security_check
stuff is missing. But that doesn't matter, I try to use
Hello everybody,
the "problem" is that I should have some security on my site. I think of
authentication by a username and password and then access rights for
special areas of the site. So far, so good. I started looking around. I
now have a login form, a jsp to check username and password
It's all defined in the servlet spec, downloadable from
http://java.sun.com/products/servlet/index.html.
Tomcat comes with a preconfigured example (examples/jsp/security)
demonstrating this.
--Jeff
On Fri, Apr 06, 2001 at 09:49:38AM +0800, [EMAIL PROTECTED] wrote:
Hello everybody,
the