Re: Deny web-inf access (security problem)

2000-12-21 Thread Craig R. McClanahan

Paul Gonin wrote:

 Hi,

 I have a JSP that uses a bean. It uses the following directory structure:
 webapps/myapply/myapply.jsp
 webapps/myapply/web-inf/classes/mybean.class

 It works fine but I am annoyed that people can download the bean directly
 and "access" its content because it contains critical information
 (passwords).

 How do I protect my bean and, more generally, I'd like to protect the whole
 web-inf directory (if it's possible).

 Note : I'm using Tomcat standalone.


Tomcat protects the WEB-INF directory for you.  This is required by the servlet
specification.


 Thanks

Craig McClanahan



Re: Deny web-inf access (security problem)

2000-12-21 Thread Paul Gonin

Thanks a lot for all who helped me.

It turned out that I could read a class file in the app's directory (I don't
know why this copy of the class was there... bad manipulation I guess) but I
cannot access files inside web-inf!

Sorry for the inconvenience and thanks again.

Paul

on 12/20/00 5:30 AM, Kitching Simon at [EMAIL PROTECTED] wrote:

 Hi Paul,
 
 I disagree with Guy's email here. There are several very good
 reasons why your servlet classes *should* be within your webapp,
 and *not* within your CLASSPATH. Just follow the examples that
 come with tomcat, and you shouldn't go far wrong.
 
 The sun servlet specs say quite explicitly that *no* file in WEB-INF
 can ever be downloaded by a browser. So if you can download the
 binary "mybean.class" file, save it to disk, then decompile it, that
 is a definite security hole, and a violation of the servlet spec.
 
 There can be problems if you use apache as a front-end, because of
 course apache doesn't obey the servlet specs - it isn't a servlet engine.
 However, in your case you explicitly said that you were running tomcat
 standalone, so that can't be it.
 
 One thing you didn't tell us is what version of tomcat you are using.
 
 There has been a recent patch to tomcat3.2 (3.2.1) which fixes a
 number of security problems. I am willing to bet that if you upgrade
 to tomcat3.2.1 (from whatever you were using) the problem will go
 away.
 
 I would also just point out that the WEB-INF directory should
 have the same capitalisation I have shown, even on windows
 (which you appear to be using). Yes, windows file explorer will
 "adjust" the capitalisation of files, but you should make sure
 that at the "DOS" level, the capitalisation is actually correct.
 
 Regards,
 
 Simon
 
 -Original Message-
 From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, December 20, 2000 12:58 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Deny web-inf access (security problem)
 
 Set up a directory outside your tomcat directory to contain java class
 files, and include that directory in your classpath.  Keep it outside of
 your Apache directory as well.
 
 -Original Message-
 From: Paul Gonin [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 19, 2000 2:02 PM
 To: [EMAIL PROTECTED]
 Subject: Deny web-inf access (security problem)
 
 
 Hi, 
 
 I have a JSP that uses a bean. It uses the following directory structure:
 webapps/myapply/myapply.jsp
 webapps/myapply/web-inf/classes/mybean.class
 
 It works fine but I am annoyed that people can download the bean directly
 and "access" its content because it contains critical information
 (passwords). 
 
 How do I protect my bean and, more generally, I'd like to protect the whole
 web-inf directory (if it's possible).
 
 Note : I'm using Tomcat standalone.
 
 Thanks 

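The thread boils down to two checks worth automating before a webapp ships: nothing sensitive sits in the document root (Paul's stray copy of mybean.class), and the container really refuses every spelling of WEB-INF (Simon's capitalisation point). The script below is an added example, not code from the thread or from Tomcat. The directory layout it builds is a constructed sample mirroring Paul's structure; `fetch` is a hypothetical callable standing in for an HTTP client so the probe runs offline; the URL http://localhost:8080/myapply is an assumption. The probe list goes slightly beyond the thread by also trying mixed-case and dot-segment spellings of the directory name.

```python
"""Audit an exploded Tomcat webapp for the two mistakes discussed in the thread.

Added example (not from the thread or from Tomcat). Assumptions: the webapp is
an exploded directory, and everything a browser must never see lives under the
exact directory name WEB-INF, as the servlet spec requires.
"""
import os
import tempfile
from typing import Callable, List, Tuple

# File types that belong under WEB-INF and must never sit in the document root.
SENSITIVE_SUFFIXES = (".class", ".jar", ".properties", ".xml")

# Spellings to try against a running server. A container compares the exact
# string "WEB-INF", while a case-insensitive file system treats all of these
# as the same directory, so each must come back as a 404 (or 403), never 200.
PROBE_PATHS = (
    "/WEB-INF/web.xml",
    "/web-inf/web.xml",
    "/Web-Inf/web.xml",
    "/WEB-INF/classes/",
    "/WEB-INF/./web.xml",
)

Finding = Tuple[str, str]  # (finding kind, path relative to the webapp root)


def audit_webapp(root: str) -> List[Finding]:
    """Walk the webapp and report stray sensitive files and a mis-cased WEB-INF."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # A top-level "web-inf"/"Web-Inf" is not the spec's "WEB-INF": the
        # container will not protect it, so flag it (once) and audit its files.
        if len(parts) == 1 and parts[0] != "WEB-INF" and parts[0].upper() == "WEB-INF":
            findings.append(("web-inf-miscased", parts[0]))
        if parts and parts[0] == "WEB-INF":
            continue  # protected by the container; nothing to flag here
        for name in filenames:
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                rel = name if not parts else "/".join(parts + [name])
                findings.append(("sensitive-file-outside-WEB-INF", rel))
    return sorted(findings)


def probe_web_inf(fetch: Callable[[str], Tuple[int, bytes]], base_url: str) -> List[str]:
    """Return every probe URL the server answered with 200 and a body.

    `fetch(url)` -> (status, body) is a hypothetical callable; wrap
    urllib.request in it to run this against a live server.
    """
    leaked = []
    for path in PROBE_PATHS:
        url = base_url + path
        status, body = fetch(url)
        if status == 200 and body:
            leaked.append(url)
    return leaked


def build_sample_webapp(root: str) -> None:
    """Constructed sample: the thread's layout plus the stray copy Paul found."""
    layout = {
        "myapply.jsp": b"<jsp:useBean id='b' class='mybean'/>",
        "mybean.class": b"\xca\xfe\xba\xbe",                   # stray copy in the document root
        "web-inf/classes/mybean.class": b"\xca\xfe\xba\xbe",   # lower-case directory name
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_sample_audit() -> List[Finding]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webapp(tmp)
        return audit_webapp(tmp)


def compliant_fetch(url: str) -> Tuple[int, bytes]:
    """Stand-in for a spec-compliant container: nothing under WEB-INF is served."""
    path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    if "web-inf" in path.lower():
        return 404, b""
    return 200, b"<html>ok</html>"


def leaky_fetch(url: str) -> Tuple[int, bytes]:
    """Stand-in for a misconfigured front end that serves every path it is given."""
    return 200, b"<?xml version='1.0'?><web-app/>"


if __name__ == "__main__":
    for kind, rel in run_sample_audit():
        print(f"{kind}: {rel}")
    base = "http://localhost:8080/myapply"
    print("compliant server leaked:", probe_web_inf(compliant_fetch, base))
    print("leaky server leaked:", probe_web_inf(leaky_fetch, base))
```

On the sample tree the audit reports the stray `mybean.class` in the document root, the class under the lower-case `web-inf` directory, and the mis-cased directory itself; the compliant fake server leaks nothing, the leaky one leaks every probe path. Run the probe against a real deployment from outside the host, since an Apache front end can serve the same files Tomcat would refuse.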



RE: Deny web-inf access (security problem)

2000-12-20 Thread Kitching Simon

Hi Paul,

I disagree with Guy's email here. There are several very good
reasons why your servlet classes *should* be within your webapp,
and *not* within your CLASSPATH. Just follow the examples that
come with tomcat, and you shouldn't go far wrong.

The sun servlet specs say quite explicitly that *no* file in WEB-INF 
can ever be downloaded by a browser. So if you can download the
binary "mybean.class" file, save it to disk, then decompile it, that
is a definite security hole, and a violation of the servlet spec.

There can be problems if you use apache as a front-end, because of
course apache doesn't obey the servlet specs - it isn't a servlet engine.
However, in your case you explicitly said that you were running tomcat
standalone, so that can't be it.

One thing you didn't tell us is what version of tomcat you are using.

There has been a recent patch to tomcat3.2 (3.2.1) which fixes a
number of security problems. I am willing to bet that if you upgrade
to tomcat3.2.1 (from whatever you were using) the problem will go
away.

I would also just point out that the WEB-INF directory should 
have the same capitalisation I have shown, even on windows
(which you appear to be using). Yes, windows file explorer will
"adjust" the capitalisation of files, but you should make sure
that at the "DOS" level, the capitalisation is actually correct.

Regards,

Simon

 -Original Message-
 From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, December 20, 2000 12:58 AM
 To:   [EMAIL PROTECTED]
 Subject:  RE: Deny web-inf access (security problem)
 
 Set up a directory outside your tomcat directory to contain java class
 files, and include that directory in your classpath.  Keep it outside of
 your Apache directory as well.
 
 -Original Message-
 From: Paul Gonin [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 19, 2000 2:02 PM
 To: [EMAIL PROTECTED]
 Subject: Deny web-inf access (security problem)
 
 
 Hi, 
 
 I have a JSP that uses a bean. It uses the following directory structure:
 webapps/myapply/myapply.jsp
 webapps/myapply/web-inf/classes/mybean.class
 
 It works fine but I am annoyed that people can download the bean directly
 and "access" its content because it contains critical information
 (passwords). 
 
 How do I protect my bean and, more generally, I'd like to protect the whole
 web-inf directory (if it's possible).
 
 Note : I'm using Tomcat standalone.
 
 Thanks 



Deny web-inf access (security problem)

2000-12-19 Thread Paul Gonin

Hi, 

I have a JSP that uses a bean. It uses the following directory structure:
webapps/myapply/myapply.jsp
webapps/myapply/web-inf/classes/mybean.class

It works fine but I am annoyed that people can download the bean directly
and "access" its content because it contains critical information
(passwords). 

How do I protect my bean and, more generally, I'd like to protect the whole
web-inf directory (if it's possible).

Note : I'm using Tomcat standalone.

Thanks 




Re: Deny web-inf access (security problem)

2000-12-19 Thread William Brogden



Paul Gonin wrote:
 
 Hi,
 
 I have a JSP that uses a bean. It uses the following directory structure:
 webapps/myapply/myapply.jsp
 webapps/myapply/web-inf/classes/mybean.class
 
 It works fine but I am annoyed that people can download the bean directly
 and "access" its content because it contains critical information
 (passwords).
 
 How do I protect my bean and, more generally, I'd like to protect the whole
 web-inf directory (if it's possible).
 
 Note : I'm using Tomcat standalone.

If you can actually make Tomcat deliver the mybean.class to a
user, it is a serious breach of the API requirements. I am betting
that you can't get Tomcat to serve anything in the WEB-INF directory
to a client.

-- 
WBB - [EMAIL PROTECTED]
Java Cert mock exams http://www.lanw.com/java/javacert/
Author of Java Developer's Guide to Servlets and JSP 
ISBN 0-7821-2809-2



Re: Deny web-inf access (security problem)

2000-12-19 Thread mayan



I am surprised this could happen, you must use a customized configuration file.
Usually, the default conf file generated by tomcat contains at least something
like this for your web-inf folder.  You may want to add this to your conf file
or web configurations somewhere. (depending on the server you use)

<Location "/admin/WEB-INF/">
    AllowOverride None
    deny from all
</Location>

Ma, Yanbin



Paul Gonin <[EMAIL PROTECTED]>, 12/19/00 02:02 PM
Please respond to tomcat-user
To: [EMAIL PROTECTED]
cc: (bcc: Yanbin Ma/SYS/NYTIMES)
Subject: Deny web-inf access (security problem)



Hi,

I have a JSP that uses a bean. It uses the following directory structure:
webapps/myapply/myapply.jsp
webapps/myapply/web-inf/classes/mybean.class

It works fine but I am annoyed that people can download the bean directly
and "access" its content because it contains critical information
(passwords).

How do I protect my bean and, more generally, I'd like to protect the whole
web-inf directory (if it's possible).

Note : I'm using Tomcat standalone.

Thanks








RE: Deny web-inf access (security problem)

2000-12-19 Thread guyr

Set up a directory outside your tomcat directory to contain java class
files, and include that directory in your classpath.  Keep it outside of
your Apache directory as well.

-Original Message-
From: Paul Gonin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 2:02 PM
To: [EMAIL PROTECTED]
Subject: Deny web-inf access (security problem)


Hi, 

I have a JSP that uses a bean. It uses the following directory structure:
webapps/myapply/myapply.jsp
webapps/myapply/web-inf/classes/mybean.class

It works fine but I am annoyed that people can download the bean directly
and "access" its content because it contains critical information
(passwords). 

How do I protect my bean and, more generally, I'd like to protect the whole
web-inf directory (if it's possible).

Note : I'm using Tomcat standalone.

Thanks