How does a malicious foreign applet come to be on my linux/apache2
web-server where only two ports are listening and most services disabled?
The only way the applets can communicate with the servlets is through an
a2s http-tunnel!
Does this relate to a "threat mode" where the threat comes from within the
rank and file?
Assuming single sign-on is available on TC4.0.x (I haven't looked yet),
that's two sign-ons that a user needs to get to the goodies, and that
is excluding the network sign-on.
:-o
"Shapira, Yoav" wrote:
>
> Howdy,
> No, you're not right. The two provide different views of security.
> Httpd.conf controls apache, not tomcat, and does nothing to prevent, for
> example, the execution of malicious applets. Catalina.policy or
> whatever you want to call the policy file is used by the JVM security
> manager to enforce its policies, including for example applet
> sandboxing. If you're not clear what the security manager does, read up
> the JDK documentation for it.
>
> You should use them both if you're concerned about security.
>
> Yoav Shapira
> Millennium ChemInformatics
>
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, August 26, 2003 12:14 AM
> >To: [EMAIL PROTECTED]
> >Subject: No need for catalina.policy?
> >
> >Hi
> >Please tell me once more.
> >Am I right in assuming that I don't really need catalina.policy if I use
> >httpd.conf to control access?
> >If t, how do they interact?
> >TIA :-)