Re: No need for catalina.policy?

2003-08-27 Thread achana
 
How does a malicious foreign applet come to be on my linux/apache2
web-server where only two ports are listening and most services disabled
?
The only way the applets can communicate with the servlets is through an
a2s http-tunnel!
Does this relate to a "threat mode" where the threat comes from within the
rank and file ?
Assuming single sign-on is available on TC4.0.x (I haven't looked yet),
that's two sign-on's that a user needs to get to the goodies, and that
is excluding the network sign on.
:-o


"Shapira, Yoav" wrote:
> 
> Howdy,
> No, you're not right.  The two provide different views of security.
> Httpd.conf controls apache, not tomcat, and does nothing to prevent, for
> example, the execution of malicious applets.  Catalina.policy or
> whatever you want to call the policy file is used by the JVM security
> manager to enforce its policies, including for example applet
> sandboxing.  If you're not clear what the security manager does, read up
> the JDK documentation for it.
> 
> You should use them both if you're concerned about security.
> 
> Yoav Shapira
> Millennium ChemInformatics
> 
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, August 26, 2003 12:14 AM
> >To: [EMAIL PROTECTED]
> >Subject: No need for catalina.policy?
> >
> >Hi
> >Please tell me once more.
> >Am I right in assuming that I don't really need catalina.policy if I use
> >httpd.conf to control access ?
> >If t, how do they interact ?
> >TIA :-)
> 
> This e-mail, including any attachments, is a confidential business communication, 
> and may contain information that is confidential, proprietary and/or privileged.  
> This e-mail is intended only for the individual(s) to whom it is addressed, and may 
> not be saved, copied, printed, disclosed or used by anyone else.  If you are not 
> the(an) intended recipient, please immediately delete this e-mail from your computer 
> system and notify the sender.  Thank you.
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

RE: No need for catalina.policy?

2003-08-26 Thread Shapira, Yoav

Howdy,
No, you're not right.  The two provide different views of security.
Httpd.conf controls apache, not tomcat, and does nothing to prevent, for
example, the execution of malicious applets.  Catalina.policy or
whatever you want to call the policy file is used by the JVM security
manager to enforce its policies, including for example applet
sandboxing.  If you're not clear what the security manager does, read up
the JDK documentation for it.

You should use them both if you're concerned about security.

Yoav Shapira
Millennium ChemInformatics


>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, August 26, 2003 12:14 AM
>To: [EMAIL PROTECTED]
>Subject: No need for catalina.policy?
>
>Hi
>Please tell me once more.
>Am I right in assuming that I don't really need catalina.policy if I use
>httpd.conf to control access ?
>If t, how do they interact ?
>TIA :-)
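
Added example, not part of the original thread: a catalina.policy fragment showing the kind of rule the JVM security manager enforces on code already running inside Tomcat, which httpd.conf access directives cannot express. The web application name `myapp`, the `uploads` directory and the host `db.example.internal` are hypothetical.

```conf
// conf/catalina.policy fragment. Tomcat reads this file only when it is
// started with the security manager enabled (catalina.sh start -security).
// "myapp", its uploads directory and db.example.internal are hypothetical
// names used for illustration.

// Too broad: the web application's code may do anything the Tomcat
// process can, no matter which clients httpd.conf lets through.
// grant codeBase "file:${catalina.home}/webapps/myapp/-" {
//     permission java.security.AllPermission;
// };

// Narrower: permissions for this one web application's code only.
grant codeBase "file:${catalina.home}/webapps/myapp/-" {
    // Read and write inside a single upload directory, nowhere else on disk.
    permission java.io.FilePermission
        "${catalina.home}/webapps/myapp/WEB-INF/uploads/-", "read,write";

    // Outbound connections to one database host and port only.
    permission java.net.SocketPermission
        "db.example.internal:5432", "connect,resolve";

    // Read one system property; no write access to any property.
    permission java.util.PropertyPermission "file.encoding", "read";
};
```

Any operation outside these grants fails with a `java.security.AccessControlException` in the web application, even for a request that httpd.conf allowed through.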






No need for catalina.policy?

2003-08-26 Thread achana
Hi
Please tell me once more.
Am I right in assuming that I don't really need catalina.policy if I use
httpd.conf to control access ?
If t, how do they interact ?
TIA :-)