Re: Tomcat Security Problem
To my knowledge there is no known functionality like that. IMHO System Administrators should review all applications and make a determination as to a specific app's safety in their environment.

--David

Stephan Schöffel wrote:

> hi everybody,
>
> i need tomcat to run/deploy only "known" applications. at startup the container should somehow realize that a certain app is a "not authorized one" and not load it.
>
> maybe you can point out at me where to start.
>
> thanks in advance
> stephan

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat Security Problem
If you want to restrict what pages/data items the user sees and to implement security for your web applications then I would look at portals. Jetspeed is a Portal Manager, meaning it will only show the pages that the user is authorised to view as defined within the security roles.

Martin--

- Original Message -
From: "David Smith" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Thursday, October 26, 2006 7:19 AM
Subject: Re: Tomcat Security Problem

> To my knowledge there is no known functionality like that. IMHO System
> Administrators should review all applications and make a determination
> as to a specific app's safety in their environment.
>
> --David
>
> Stephan Schöffel wrote:
>
>> hi everybody,
>>
>> i need tomcat to run/deploy only "known" applications. at startup the
>> container should somehow realize that a certain app is a "not
>> authorized one" and not load it.
>>
>> maybe you can point out at me where to start.
>>
>> thanks in advance
>> stephan
Re: Tomcat Security Problem
Stephan,

> i need tomcat to run/deploy only "known" applications. at startup the
> container should somehow realize that a certain app is a "not authorized
> one" and not load it.

You could turn off automatic deployment of WAR files and configure each "known" application in your server.xml file. Just make sure that only trusted people can edit the server.xml file and bring Tomcat up and down.

-chris
RE: Tomcat Security Problem
> From: Martin Gainty [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat Security Problem
>
> If you want to restrict what pages/data items the user sees
> and to implement security for your web applications then I
> would look at portals

That has nothing to do with the question he asked.

- Chuck
RE: Tomcat Security Problem
> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat Security Problem
>
> You could turn off automatic deployment of WAR files and
> configure each "known" application in your server.xml file.

Apps should not be configured in server.xml (you gotta move up, Chris :-). However, the principle is valid - the elements should go into appropriately named .xml files in conf/[engine]/[host], and access to that directory should be tightly controlled.

- Chuck
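The following is an added example, not part of the thread and not Tomcat's own tooling: a Python audit of the layout the two replies above describe (automatic deployment off, one descriptor per known application in conf/[engine]/[host], that directory tightly controlled). The function names, the allowlist and the sample layout are constructed for illustration; it assumes the default engine and host names `Catalina` and `localhost` and a POSIX file system.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def audit_deployment(catalina_base, allowed_apps):
    """Return findings about apps Tomcat could load that are not in allowed_apps."""
    findings = []
    conf = os.path.join(catalina_base, "conf")
    root = ET.parse(os.path.join(conf, "server.xml")).getroot()
    for engine in root.iter("Engine"):
        for host in engine.iter("Host"):
            label = f"{engine.get('name')}/{host.get('name')}"
            # Tomcat treats a missing autoDeploy attribute as true.
            if host.get("autoDeploy", "true").lower() != "false":
                findings.append(f"{label}: autoDeploy is not disabled")
            # Context descriptors live in conf/[engine]/[host]; WARs and dirs in appBase.
            ctx_dir = os.path.join(conf, engine.get("name"), host.get("name"))
            app_base = os.path.join(catalina_base, host.get("appBase", "webapps"))
            for d in (ctx_dir, app_base):
                if not os.path.isdir(d):
                    continue
                rel = os.path.relpath(d, catalina_base)
                # Anyone who can write here can register an application.
                if os.stat(d).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append(f"{label}: {rel} is group/world writable")
                for entry in sorted(os.listdir(d)):
                    name = entry[:-4] if entry.endswith((".xml", ".war")) else entry
                    if name not in allowed_apps:
                        findings.append(f"{label}: unexpected entry {os.path.join(rel, entry)}")
    return findings

def build_sample(base):
    """Constructed sample: one approved app, one unapproved descriptor and WAR."""
    ctx_dir = os.path.join(base, "conf", "Catalina", "localhost")
    apps = os.path.join(base, "webapps")
    os.makedirs(ctx_dir)
    os.makedirs(apps)
    with open(os.path.join(base, "conf", "server.xml"), "w") as f:
        f.write('<Server><Service name="Catalina"><Engine name="Catalina">'
                '<Host name="localhost" appBase="webapps" autoDeploy="true"/>'
                '</Engine></Service></Server>')
    for name in ("app1.xml", "rogue.xml"):
        open(os.path.join(ctx_dir, name), "w").close()
    open(os.path.join(apps, "rogue.war"), "w").close()
    os.chmod(ctx_dir, 0o775)  # deliberately too permissive for the demo
    os.chmod(apps, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        print("\n".join(audit_deployment(base, {"app1"})))
```

Run from a scheduled job against the real CATALINA_BASE, an empty result means every deployable entry is on the allowlist and neither directory is writable by group or others.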
RE: Tomcat Security Problem
> From: alee amin [mailto:[EMAIL PROTECTED]
> Subject: Tomcat Security Problem
>
> Application 2 has form based security and for some
> enhanced security i have added the "realm" for the
> database in conf/server.xml file.

Where in server.xml? A element may be nested inside of an , , or , depending on the desired scope of the realm. Sounds like you need to put it inside the of your application 2, not inside the or where you now have it.

Doc reference:
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

- Chuck
Re: Tomcat Security Problem
Yeah i guess so. I want realm thing only for application 2. How can i make it available for it and at the same time i want application 1 BASIC AUTHENTICATION based on tomcat-users.xml file. I am going through the page u sent but still not able to get some working solution. Need it urgent.

On Feb 7, 2008 8:08 PM, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> > From: alee amin [mailto:[EMAIL PROTECTED]
> > Subject: Tomcat Security Problem
> >
> > Application 2 has form based security and for some
> > enhanced security i have added the "realm" for the
> > database in conf/server.xml file.
>
> Where in server.xml? A element may be nested inside of an
> , , or , depending on the desired scope of the
> realm. Sounds like you need to put it inside the of your
> application 2, not inside the or where you now have it.
>
> Doc reference:
> http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
>
> - Chuck

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com
RE: Tomcat Security Problem
> From: alee amin [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat Security Problem
>
> How can i make it available for it and at the same
> time i want application 1 BASIC AUTHENTICATION based
> on tomcat-users.xml file.

I already answered that question:

> > Sounds like you need to put it inside the of your
> > application 2, not inside the or where you
> > now have it.

Leave the original tomcat-users.xml where it is, and put your more secure inside the element of application 2.

- Chuck
Re: Tomcat Security Problem
actually i am not able to get what you mean by context? should i insert it in conf/server.xml or somewhere else. It is confusing me.

On Feb 7, 2008 8:59 PM, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> > From: alee amin [mailto:[EMAIL PROTECTED]
> > Subject: Re: Tomcat Security Problem
> >
> > How can i make it available for it and at the same
> > time i want application 1 BASIC AUTHENTICATION based
> > on tomcat-users.xml file.
>
> I already answered that question:
>
> > > Sounds like you need to put it inside the of your
> > > application 2, not inside the or where you
> > > now have it.
>
> Leave the original tomcat-users.xml where it is, and put your
> more secure inside the element of application 2.
>
> - Chuck

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com
Re: Tomcat Security Problem
I have placed the following configuration in server.xml file after reading from tomcat site

... ...

But it is not allowing me to log in.

On Feb 8, 2008 11:26 AM, alee amin <[EMAIL PROTECTED]> wrote:

> actually i am not able to get what you mean by context? should i insert it
> in conf/server.xml or somewhere else. It is confusing me.
>
> On Feb 7, 2008 8:59 PM, Caldarale, Charles R <[EMAIL PROTECTED]>
> wrote:
>
> > > From: alee amin [mailto:[EMAIL PROTECTED]
> > > Subject: Re: Tomcat Security Problem
> > >
> > > How can i make it available for it and at the same
> > > time i want application 1 BASIC AUTHENTICATION based
> > > on tomcat-users.xml file.
> >
> > I already answered that question:
> >
> > > > Sounds like you need to put it inside the of your
> > > > application 2, not inside the or where you
> > > > now have it.
> >
> > Leave the original tomcat-users.xml where it is, and put your
> > more secure inside the element of application 2.
> >
> > - Chuck

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com