JSP or Servlet wrt security
For creating a totally new web site, is there any difference from a security point of view between using only servlets and using only JSPs?

Environment (if it matters): non-root Tomcat 4.1.18 (serving both static and dynamic pages - no web server ahead of it), Linux (RH 7.3), DMZ (packet filter), JNDI and some sort of SQL db (running on the same server as Tomcat).

das

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Hardening Tomcat 3.2.4
I posted a similar question a while ago and did not receive any answer from this list. Maybe folks on this list are admins/developers/programmers who are bothered mostly about the application itself and not security. Maybe there is an overall security list where such questions may be posed. Anybody have suggestions where questions such as these may be directed?

On a different thread, some relevant info was posted... http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg60278.html

It is probably a good idea to pay some attention to security. A snippet from my access_log (same IP - somebody is curious!)
--
[23/Jul/2002:11:49:38 -0800] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
[23/Jul/2002:11:55:24 -0800] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:55:24 -0800] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
--

Sexton, George wrote:
Think about the account you are running it under.

-Original Message-
From: Patel, Rajni M [mailto:[EMAIL PROTECTED]]
Sent: 23 July, 2002 12:17 PM

I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to harden the installation. The things that I have thought about and can do are:
1) Change the HTTP port in the server.xml file from the default value of 8080.
2) Remove the TOMCAT_HOME\examples directory
3) Remove the webapps\admin directory
4) Utilise a Firewall and restrict access to the NT box to IP Domain.
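As an added example (not from any of the posters), a small Python scanner that tags the two probe signatures visible in the access_log snippet above, requests for cmd.exe and percent-encoded ".." traversal, and counts how many separate bursts hit the server; the sample log is the snippet from the post plus one constructed benign line.

```python
import re
from datetime import datetime

# Constructed sample: the access_log lines quoted in the post, plus one benign request.
SAMPLE_LOG = """\
[23/Jul/2002:11:49:38 -0800] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
[23/Jul/2002:11:50:00 -0800] GET /index.html HTTP/1.0 200 1234
[23/Jul/2002:11:55:24 -0800] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:55:24 -0800] GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:55:25 -0800] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
"""

# Probe signatures: a Windows shell requested through the web server, and ".." followed
# by a percent-escape (overlong UTF-8 such as %c0%af, or double-encoded such as %%35c).
PATTERNS = {
    "cmd_exe": re.compile(r"cmd\.exe", re.IGNORECASE),
    "encoded_traversal": re.compile(r"\.\.(?:%[0-9a-f]{2}|%%)", re.IGNORECASE),
}
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \S+ (?P<path>\S+) HTTP/\S+ \d{3} \S+$")

def classify(path):
    """Return the names of the probe signatures that match one request path."""
    return [name for name, rx in PATTERNS.items() if rx.search(path)]

def scan(log_text, burst_gap=60):
    """Tag probe lines and count bursts separated by more than burst_gap seconds."""
    counts = {"probes": 0, "bursts": 0, **{name: 0 for name in PATTERNS}}
    last_hit = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tags = classify(m.group("path")) if m else []
        if not tags:
            continue  # benign request or not an access_log line
        counts["probes"] += 1
        for tag in tags:
            counts[tag] += 1
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if last_hit is None or (ts - last_hit).total_seconds() > burst_gap:
            counts["bursts"] += 1
        last_hit = ts
    return counts
```

On the snippet above this reports 14 probes in 2 bursts about six minutes apart; the 400 responses show Tomcat rejecting the malformed escapes itself, while the 404s are requests it parsed and simply could not serve.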
Re: Hardening Tomcat 3.2.4
Mike Jackson wrote:
A firewall is probably the best way to harden tomcat. Or any web server for that matter, however for a good one you're probably going to end up paying a large sum of money. You could go on the cheaper side and only use a stateful port blocking firewall, but really to do it right you'll need a firewall that looks at data being sent to the server and then blocks on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data is not all that critical. Other than its basic functions, haven't really looked at iptables to see whether it can interface with any IDS...

das
Re: Hardening Tomcat 3.2.4
I run Tomcat standalone. The rationale is that by eliminating Apache from the equation, another layer of complex code is eliminated, increasing the security. It makes life easier also! (one less thing to configure)

das

Turner, John wrote:
Is it possible to configure tomcat to listen only on the connector ports, and not any other port, such as 8080? Seems to me you could just delete the HTTP connector from port 8080 and that would make tomcat pretty hard to mess with. Any malformed requests at that point would go through apache first, assuming an apache+connector+tomcat configuration.

John Turner
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 2:01 PM
To: Tomcat Users List
Subject: Re: Hardening Tomcat 3.2.4

Mike Jackson wrote:
A firewall is probably the best way to harden tomcat. Or any web server for that matter, however for a good one you're probably going to end up paying a large sum of money. You could go on the cheaper side and only use a stateful port blocking firewall, but really to do it right you'll need a firewall that looks at data being sent to the server and then blocks on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data is not all that critical. Other than its basic functions, haven't really looked at iptables to see whether it can interface with any IDS...

das
Re: common/lib installation problems
Kirsten Sachwitz wrote:
1) install Java 2 run time environments (file name: j2re-1_4_0_01-windows-i586.exe) this installs properly

Try installing the Java SDK, not just the run time.

das
Re: How do I Hide version specific information
Tim Funk wrote:
In reality - use best practices to secure your installation.

Any best practices link for Tomcat security?

das
Re: how to make tomcat faster
Joe Schiavone wrote:
HOST your production using a UNIX box. I recommend Solaris x86. However, a good tightly configured linux machine would suffice too.

Curious to know what advantage Solaris x86 offers versus Linux. Is it thread handling?

das
Re: Tomcat, Linux and new JDK
My system (RH 7.1 + TC 4.x) is lightly loaded and it shows around 60. I have tried loading the system with unconnected Java applets and they don't seem to suffer unduly because of Tomcat threads.

das

Wick Swain wrote:
Thanks for the reply, Dave. Would you mind running the command ps -ef | grep java and letting me know how many java processes are running?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 2:21 PM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat, Linux and new JDK

Hi, I just recently installed JDK1.4 and Tomcat 4 on a Mandrake Linux 8.2 system. Had no problems at all, sorry I can't be much more help!

Dave
http://java.dbmdata.com

Is anyone out there successfully using Tomcat with JDK1.3 or JDK1.4 on a linux box? I have JDK1.2.2 working fine, but when I upgrade to JDK1.3 or JDK1.4 Tomcat starts spewing out processes and chews up all my memory (as seen by running ps -ef | grep java command), so I'm wondering if anyone is using this combination successfully. Thanks for any input.
Security of Tomcat sites
I run a couple of websites off of Tomcat 4.x (standalone). Is there a concept of hardening Tomcat, like there is for an OS? Any automated programs or recipes out there for testing how secure my installation really is?

Thanks,
das
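Nobody on the list answered the "automated recipe" question, so here is an added example (not from any of the posters) that turns the checklist from the "Hardening Tomcat 3.2.4" thread above into a script: it checks that Tomcat does not run as root, that the examples and admin webapps are gone, and that the HTTP connector has left port 8080. It assumes the Tomcat 4.x on-disk layout (conf/server.xml with a Connector element carrying a port attribute, webapps/examples, webapps/admin) and builds a constructed sample install tree to audit.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml in the Tomcat 4.x layout, with the stock HTTP
# connector still on port 8080.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"/>
  </Service>
</Server>
"""

def make_sample_install(server_xml=WEAK_SERVER_XML,
                        webapps=("webapps/examples", "webapps/admin")):
    """Build a throwaway directory tree shaped like a Tomcat install (test fixture)."""
    home = tempfile.mkdtemp(prefix="tomcat-audit-")
    for d in ("conf",) + tuple(webapps):
        os.makedirs(os.path.join(home, d))
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(server_xml)
    return home

def audit(home, tomcat_uid=None):
    """Return the checklist items from the hardening thread that still fail.

    tomcat_uid is the uid the Tomcat JVM runs as (look it up with ps); it defaults
    to the auditing process, which is only right when you run this as that user.
    """
    findings = []
    if (os.geteuid() if tomcat_uid is None else tomcat_uid) == 0:
        findings.append("Tomcat runs as root: use a dedicated unprivileged account")
    # Sample and admin webapps ship with Tomcat and are not needed in production.
    for d in ("examples", "webapps/examples", "webapps/admin"):
        if os.path.isdir(os.path.join(home, d)):
            findings.append("remove " + d)
    conf = os.path.join(home, "conf", "server.xml")
    if os.path.isfile(conf):
        for conn in ET.parse(conf).getroot().iter("Connector"):
            if conn.get("port") == "8080":
                findings.append("HTTP connector still on default port 8080")
    return findings

if __name__ == "__main__":
    for item in audit(make_sample_install(), tomcat_uid=1000):
        print("FAIL:", item)
```

Moving the connector off 8080 only hides it from the laziest scans; the removed webapps and the unprivileged account are the items that actually reduce exposure.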
Re: Tomcat and static content
Kapil Sharma wrote:
Is there any way to know that apache is serving all static content like .html/.gif/.jpeg?

[ May be I am missing something fundamental in your question. ]
Can't you just access one of your static web pages from another computer and see what you get?

das
Re: Mailing List Load.... Forum???
If the owners of the list are interested in working with me I'll pitch in some work in creating a proposal for a comp.lang.java-server-side

Thought this list was specifically for Tomcat and related issues - not the general java-server-side. If folks want to go and create a comp.lang.java-server-side independent of this list, I am all for that.

das

p.s. Once mod_jk and multipart messages are filtered out, the load is not too bad...
Re: Book recommendation (Summary)
Summary of all book recommendations received so far. Thanks to all folks who replied to me on and off the list!

[EMAIL PROTECTED] wrote:
Any recommendation for a good book that covers Tomcat and other related open source technologies? More from an application developers point of view... [SNIP] Some books that came up on Internet search were...

1) MySQL and JSP Web Applications: Data-Driven Programming Using Tomcat and MySQL By James Turner
No comments received.

2) Apache Jakarta-Tomcat by James Goodwill
Geoff Peters wrote: I've got the James Goodwill book - it is good for a beginner to Tomcat and servlet / jsp technology, very easy to follow and well written [SNIP]
Subir Sengupta wrote: The James Goodwill book is much too basic, you could learn as much by reading the Tomcat docs on the Tomcat web site.

3) JSP, Servlets, and Mysql by Dave Harms
Cindy Ballreich wrote: I can't speak to the others, but I really didn't like JSP, Servlets, and Mysql. It reads nicely, but the examples are full of really basic errors. Be sure to check out the reader reviews on Amazon for any book you're interested in.

4) Professional Java Server Programming (many authors)
Charles Baker wrote: I just got back from Developing J2EE Compliant Enterprise Applications, a Sun course. The instructor recommended 4) in your list
Subir Sengupta wrote: The Professional Java Server Programming is good too.

---
Any other ones out there and which one would you recommend?

- Java Tools for Extreme Programming: Mastering Open Source Tools Including Ant, JUnit, and Cactus by Richard Hightower, Nicholas Lesiecki
- Core Servlets and Java Server Pages by Marty Hall
Subir Sengupta wrote: I would highly recommend 'More Servlets and Java Server Pages' by Marty Hall
Charles Baker wrote:
- Core J2EE Patterns
- O'Reilly EJB book (latest edition)
- EJB Design Patterns
- previews of the Struts book ( http://www.theserverside.com/ )
Turner, John wrote: Java Servlet Programming, ISBN 0596000405, by Jason Hunter and William Crawford. JavaServer Pages, ISBN 156592746X, by Hans Bergsten
Carl Bacher wrote: Developer's Guide to Tomcat 4 by Alex Garrett, Jeff Kean. It's due out in October.

das
Book recommendation
Any recommendation for a good book that covers Tomcat and other related open source technologies? More from an application developer's point of view as to how various components fit together rather than sysadmin details or exhaustive details about any one particular thing (say JBoss, Servlet etc).

Some books that came up on Internet search were...
1) MySQL and JSP Web Applications: Data-Driven Programming Using Tomcat and MySQL By James Turner
2) Apache Jakarta-Tomcat by James Goodwill
3) JSP, Servlets, and Mysql by Dave Harms
4) Professional Java Server Programming (many authors)

Any other ones out there and which one would you recommend?

das
Re: any jsp/servlet based groupware solutions out there?
Rick Fincher wrote:
I'm sure a lot of folks have little thangs like that that we can pool and make a nice Tomcat office productivity pack.

Tomcat productivity pack sounds like a great idea! As a start to that, it might be helpful to know what kinds of applications folks might find useful on their Desktop / Intranet / Internet.

das
Re: any jsp/servlet based groupware solutions out there?
Since subscribing to the Tomcat Users list (about a week - rather short time period for generalizing!) I have noticed mostly administrative / configuration related stuff posted here. The actual use (in terms of jsp/servlet that you seem interested in) seems seldom(?) discussed here. What specific type of groupware project do you have in mind? Is it something like a group calendar, white board, or shared creation of a Tomcat FAQ without (gasp :-) any configuration info...

das

Vincent Stoessel wrote:
Hello, I was wondering if any one knows of any jsp/servlet based groupware projects that are going on. I think that this would be a great example of a j2ee app that would really showcase java technology. Anything out there already? Anybody want to start such a project? Thanks.
--
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com