Hi,
I have a strange problem with my Struts-Webapp (nightly build) on 5.0.18 -
every TC version before worked like expected (4.1.x as well as 5.1.x. but
maybe I'm getting the SERVLET2.4 spec wrong, and some changes have been made
to 5.0.18 regarding this aspect).
I have declared a security
I have been working on tracking down a problem with special characters in
URLs that shows up when using form-based authentication in a security
constraint. I have just about reached the limit of my ability to find the
problem and am hoping that someone more familiar with the details
, 2004 2:13 PM
To: Tomcat Users List
Subject: URL encoding/decoding bug in form-based security?
I have been working on tracking down a problem with special characters in
URLs that shows up when using form-based authentication in a security
constraint. I have just about reached the limit of my ability
(4.1.x as well as 5.1.x. but
maybe I'm getting the SERVLET2.4 spec wrong, and some changes have been
made
to 5.0.18 regarding this aspect).
I have declared a security-constraint with no (empty element) assigned
roles for a whole subdirectory containing my JSP pages and other stuff:
url
Howdy,
why don't you use filters (standard) or valves (tomcat specific)
filip
It's looking like I'm going to have no choice, but I don't want to
because
I want the security simple, and I want to keep the security settings
for a
page in the page itself.
What happens when you have 10 pages
)
filip
It's looking like I'm going to have no choice, but I don't want to
because
I want the security simple, and I want to keep the security settings
for a
page in the page itself.
What happens when you have 10 pages with possibly different security
policies? You should take Filip's suggestion
I am having trouble receiving posted data from a browser that has Norton
Internet Security. The browser has no problem posting the data to an asp
page, but will not to a servlet. Has anybody else come across this?
There is a setting in Norton that rectifies it, but short of having people
In the JSVC (tomcat 5.0) docs, there's no mention of being able to use the
-server option to the JVM to get the server VM.
Also, when using the startup.sh script, I can add the -security option to
cause tomcat to run with a security manager. But with JSVC, I cannot add
Is there any reason that HttpJspBase.service() is final, apart from to make
my life hard?
I'm trying to implement a _simple_ security system that intercepts requests
before they get to _jspService() so that if certain conditions aren't met,
a redirect occurs instead. I don't want to use
why don't you use filters (standard) or valves (tomcat specific)
filip
- Original Message -
From: Josh G [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 5:23 PM
Subject: Simple security - or Why is HttpJspBase.service final?
Is there any reason
At 11:27 AM 4/02/2004, you wrote:
why don't you use filters (standard) or valves (tomcat specific)
filip
It's looking like I'm going to have no choice, but I don't want to because
I want the security simple, and I want to keep the security settings for a
page in the page itself.
-Josh
Hi !
On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:
From: Jeanfrancois Arcand [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Tomcat + Hibernate2 + Security Manager
Webmaster wrote
Webmaster wrote:
Hi !
On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:
From: Jeanfrancois Arcand [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Tomcat + Hibernate2 + Security Manager
Hi all,
I know this is a little bit out of topic, but the general concept is useful for
everybody.
I run tomcat with security manager for a dozen users. Recently, people started to use
the hibernate 2 which requires some funky permissions.
I had to put these lines in the 'global' permission
codeBase file:/home//client/public_html/WEB-
INF/lib/hibernate2.jar!/- {
but the classes hibernate creates after reflection stop obeying the
security manager.
Yeah, that's too bad. The SuppressAccessChecks permission is dangerous,
if malicious code is running inside your VM.
Yoav Shapira
Could you give an example of how a malicious code could affect the security of the JVM
?
Usually I have a codebase policy like this for each user:
permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";
I guess that if someone writes a piece of code that tries
Howdy,
Could you give an example of how a malicious code could affect the
security
of the JVM ?
You mean in general? How about System.exit()?
Usually I have a codebase policy like this for each user:
permission java.io.FilePermission "/home/client/public_html/-",
"read,write,delete";
I guess
Webmaster wrote:
Hi all,
I know this is a little bit out of topic, but the general concept is useful for everybody.
I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions.
I had to put these lines
FYI: This has also been discussed here:
http://freeroller.net/page/jcarreira/20040126
-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 11:04 AM
To: Tomcat Users List
Subject: RE: Tomcat + Hibernate2 + Security Manager
Howdy
://localhost/timesheet/login.jsp;. Also, I had a check at the top of the
login.jsp page to redirect via HTTPS if the connection wasn't secure. Then I found
out about the security-constraint element in my application's web.xml. Under
5.0.16, I added the security-constraint element to my web.xml
I (accidentally) figured out the problem with the security-constraint. The problem
was in the Connector definition for port 80 in server.xml. The excerpt from
server.xml that I posted was correct because it was inadvertently from the 5.0.16
installation. (The editor helpfully remembered
and
username for the user. Which is great, I can use the username to tie
into AD and get that persons security groups to determine access to
certain job specific functions on the intranet (btw, all clients are
IE). But, I'm concerned. My question does not really have to do with
jcifs but with security
Russ
-Original Message-
From: Pitre, Russell
Sent: Thursday, January 22, 2004 9:32 AM
To: [EMAIL PROTECTED]
Subject: jcifs and security realm discussion.
Hello all-
I am really puzzled right now and was hoping you all could shed some
light onto me. I am developing a corporate
Hello,
I was setting fine grained permissions to my webapp, but always an
exception was thrown. So I tried to use
grant {
permission java.security.AllPermission;
};
but even with that, my application doesn't run (which it does without
-security). When calling the site, I get
Howdy,
What JDK (including minor version) on what OS is this?
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Marten Lehmann [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: -security with 5.0.16 doesn't work
Hello
Marten Lehmann wrote:
Hello,
I was setting fine grained permissions to my webapp, but always an
exception was thrown. So I tried to use
grant {
permission java.security.AllPermission;
};
but even with that, my application doesn't run (which it does without
-security). When calling
I thought it would be a good idea to have a place to learn while I have
my server on-line business uses. In my server.xml I have two sessions
running. One should answer on 8080 and the other off port 80 through
mod_jk/apache. I am testing a simple BASIC auth setup and for some
reason the app
. Apache's security should kick in before it passes request to
Tomcat via mod_jk2.
Nix.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Bill Barker wrote:
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
I don't care about this lame XSS bug. However, what you describe doesn't
work for me.
--
x
Rémy
vulnerability tool was still able to detect the HTTP TRACE support.
<security-constraint>
<web-resource-collection>
<web-resource-name>DisableExploitTraceHTTP</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
</web-resource-collection>
</security-constraint>
2
://marc.theaimsgroup.com/?l=tomcat-userm=105632353125969w=2
Having applied the security constraint, did you try exploiting TRACE or
did you just run your security analysis tool?
Is there a formal URL for reporting Tomcat bugs?
This is the place.
In the past I have detected other bugs, posted them on this list
Yoav,
This was detected both before and after applying the fix snippet to web.xml, by both
the security analysis tool and by typing TRACE / HTTP/1.0 and hitting return twice
on a telnet session.
I am not familiar with the analysis tool used by our security team, but I know it is
supposed
I just tried this with the CVS HEAD of Tomcat 5 (after putting in a
security-constraint in the ROOT web.xml) and Tomcat happily returned a 403
response.
[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Yoav,
This was detected both before and after applying the fix snippet to
web.xml
!
Nick wrote:
Help?
Installed Tomcat from the binary (5.0.16) on to a Fedora box.
Tried to run the security example from the Documentation.
Noticed that the link wasn't changed even though the directory had been
Is: http://localhost:8080/examples/jsp/security/protected/
Should
Help?
Installed Tomcat from the binary (5.0.16) on to a Fedora box.
Tried to run the security example from the Documentation.
Noticed that the link wasn't changed even though the directory had been
Is: http://localhost:8080/examples/jsp/security/protected/
Should be: http://localhost
yep. Had exactly the same behavior but don't know the reason!
Nick wrote:
Help?
Installed Tomcat from the binary (5.0.16) on to a Fedora box.
Tried to run the security example from the Documentation.
Noticed that the link wasn't changed even though the directory had been
Is: http://localhost
Has anyone tried Apache redirection to Tomcat, on Java code that makes uses of
JDBC security realms?
Assuming the redirection from Apache to Tomcat works fine when I type
'http://localhost/examples/servlets/index.html'
But for my own code, I include url 'alerts.do' inside
Good morning.
I'm new in Tomcat-Apache administration and I just created a production environment,
but I need some guidelines to give security to my web applications.
Can anyone give me some url's where I can find information about it?
Thank you very much.
Howdy,
Maybe google or a book like this:
http://www.programming123.com/detail/apache/apache_1861008309.html
In the future, you might want to think about security before setting up
a production environment ;)
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Joaquin
I have this book and I like it. The java security manager is a little
over my head at this point in my Tomcat experiences. I'm sure I'll
pick it up soon. The chapters on the Realms are really good as well
as the second or third chapter on file security. I found it pretty
straight forward
Kwok Peng Tuck wrote:
Hi list ,
With regards to the security manager in tomcat, is it possible
to ship a policy file with each webapp ?
No it is not. You have to put those permission in catalina.policy.
-- Jeanfrancois
Hi,
I'm getting the following error log trying to install my webapp in
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app install and runs ok, but when I restore the security
section in web.xml I can't install the app.
I have tested this issue on Tomcat 5.0.16
Is it possible to configure tomcat to use public / private key pairs
that implement the java.security API for authentication a la ssh? I
assume it is but haven't found out how yet.
I'm using SSL at the moment but I need to implement a higher security
environment in the same shape and form
jose wrote:
Hi,
I'm getting the following error log trying to install my webapp in
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app install and runs ok, but when I restore the security
section in web.xml I can't install the app.
I have tested this issue
Remy,
Thanks... I can't believe how I haven't seen the error
Jose
Remy Maucherat wrote:
jose wrote:
Hi,
I'm getting the following error log trying to install my webapp in
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app install and runs ok, but when I
Hi list ,
With regards to the security manager in tomcat, is it possible to
ship a policy file with each webapp ?
Hi!
I am trying to set up security management for my web applications
through JDBCRealm.
What i have done:
1. modify the server.xml file to add a Realm tag (Realm
className=org.apache.catalina.realm.JDBCRealm debug=99
connectionName=root connectionPassword=
connectionURL=jdbc:mysql
the web.xml to add a security-constraint tag (
<security-constraint>
<web-resource-collection>
<web-resource-name>Area de pruebas de
seguridad</web-resource-name>
<url-pattern>/cosa.jsp</url-pattern>
<url-pattern>/test.jsp</url-pattern>
<http-method>DELETE
Hello,
I attempt to use jsvc from commons-daemon project to launch my tomcat instance.
How can I specify the '-security' option (used with catalina.sh)?
If I write some system properties (like in catalina.sh):
$CATALINA_HOME/bin/jsvc
[...]
-Djava.security.manager
to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
M
At 12:06 2003-12-12, you wrote:
Hello,
I attempt to use jsvc from commons-daemon project to launch my tomcat
instance.
How can I specify the '-security' option (used
In looking through the docs I am surprised that I don't see a way to do some
more sophisticated JDBCRealm security. I may just be looking in the wrong
place or misreading something so please let me know if I am.
My DB tables are arranged as follows
create table user
(
id BIGINT NOT NULL
rather than the user table.
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Frank Febbraro [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 10:48 AM
To: Tomcat Users List
Subject: More sophisticated JDBCRealm Security
In looking through the docs I am surprised
PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 10:48 AM
Subject: RE: More sophisticated JDBCRealm Security
Howdy,
The typical solution in many cases involving JDBCRealm is (if you don't
want to customize the realm by coding) to create a view for use by the
JDBC
sophisticated JDBCRealm Security
What about the fact that the groupId column in User is called id in the
Groups table, would it be a case of making another view to accomplish
that
translation too?
Besides creating views, which is easy, what are the other options here?
- Original Message -
From
PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:49 AM
Subject: RE: More sophisticated JDBCRealm Security
Howdy,
Your other option is to extend JDBCRealm into your own custom realm
implementation.
Yoav Shapira
Millennium ChemInformatics
-Original
Since you're making a view to only be used by tomcat, there is no problem.
You can change column names when creating a view.
Additionally, if you want more security, make your group and user views
locked to a tomcat id (sql login that is). Then tomcat itself is locked out
of other changes
Easiest alternative:
Cron and a sql script.
lock user and group table
truncate user and group table
insert into user and group tables with query
unlock
-Tim
Frank Febbraro wrote:
Well crap!
Turns out we are using MySQL 4.0.x which does not have support for views.
Can anyone point me in a
Howdy,
You can search the archives of this list for many examples.
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Frank Febbraro [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 12:10 PM
To: Tomcat Users List
Subject: Re: More sophisticated JDBCRealm Security
or do I have to put it on the
tomcat classpath somewhere?
Thanks again,
Frank
- Original Message -
From: Shapira, Yoav [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Monday, December 08, 2003 2:52 PM
Subject: RE: More sophisticated JDBCRealm Security
Howdy,
You can
It must be in Tomcat's classpath, not in your WAR file.
-Original Message-
From: Frank Febbraro [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 3:10 PM
To: Tomcat Users List
Subject: Custom Realm deployment, was More sophisticated JDBCRealm
Security
Thanks Yoav,
One more
[mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 3:10 PM
To: Tomcat Users List
Subject: Custom Realm deployment, was More sophisticated JDBCRealm
Security
Thanks Yoav,
One more question to you or the group,
When deploying a custom Realm implementation, I am defining the Realm
inside the Context
Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]
-Original Message-
From: Frank Febbraro [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 3:10 PM
To: Tomcat Users List
Subject: Custom Realm deployment, was More sophisticated JDBCRealm
Security
security can use the roles to decide which actions/pages a user can
switch to/see.
2) Additional business logic decides what particular subset of data the user will see,
depending on their role, on a given page.
The users will not need to switch roles often, and there will be a default role
Hi all,
A direct question arising from a security review :-
Using a datasource it is possible to remove the 'username', 'password' or at least
encrypt them using something like MD5
thanks in advance for your info
Thomas
The username and password still need decrypted at some time. It just makes
the attacker jump through 1 hoop.
Using file permissions on the config file as well and server security are the
ways to go.
-Tim
Curley, Thomas wrote:
Hi all,
A direct question arising from a security review
I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on
unix file level security - what happens if a hacker gets root priv's ?
thanks
Thomas
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
decryption of
passwords. (Like protected keys for ssl)
-Tim
Curley, Thomas wrote:
I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on unix file level security - what happens if a hacker gets root priv's ?
thanks
Thomas
-Original Message-
From: Tim
If a hacker gets root privileges, the username and password for tomcat are
the least of your concerns.
On Wednesday 26 November 2003 08:53 am, Curley, Thomas wrote:
I'd feel more secure with an MD5 or SHA1 encrypted user and password than
relying on unix file level security - what happens
implementation that works with a .htaccess file, if not, you can
always connect Tomcat to Apache.
Having written a customized realm implementation only yesterday, I can assure you that
it isn't too terribly difficult to do so, as the security is pretty well laid out in
Tomcat.
Justin
-Original
A direct question arising from a security review :-
Using a datasource it is possible to remove the 'username',
'password' or at least encrypt them using something like MD5
The Password can be digested. See
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested
The link below is for users logging-in (FORM or BASIC). Not for database
connections.
-Tim
[EMAIL PROTECTED] wrote:
A direct question arising from a security review :-
Using a datasource it is possible to remove the 'username',
'password' or at least encrypt them using something like MD5
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
I'd feel more secure with an MD5 or SHA1 encrypted user and
password than relying on unix file level security - what
happens if a hacker gets root priv's ?
Er ... Without wishing to flame, but if they've got root priv's they can do
what
that if a specific security precaution doesn't absolutely protect the system
there's no point in doing it. By that argument, and given that there are no absolutes
with respect to security, what's the point of implementing any security in the first
place? This question is to those who say it's pointless to encrypt
to server.xml
Thomas
-Original Message-
From: Bob Jacoby [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 17:10
To: [EMAIL PROTECTED]
Subject: RE: Security Hole - server.xml
I consider things like this. By encrypting the password I'm protecting against casual
learning
have MD5 to store your
passwords with.
Justin
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:13 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
Note - in reply to Justin - I don't have a multi-tier login
So
thanks for your time Justin - I will look into this - T
-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 18:17
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
Well, right, but if you were to inherit from the realm that you wanted
No prob, good luck.
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
thanks for your time Justin - I will look into this - T
-Original Message-
From: Hart
Hi,
I'm looking for a way to declare security on my webapp. The webapp is very
small. It consists of a few JSPs and a servlet controller. I tried to forbid
access to every resource in the app with a security-constraint element via
<url-pattern>/*</url-pattern> and no auth-constraint. I granted access
behind a firewall is possible, etc. etc etc.
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Sergey.Livanov [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 5:19 PM
To: Tomcat Users List
Subject: Security
I'm launching a SSL technology portal. Would appreciate
I'm launching a SSL technology portal. Would appreciate if you could give me
a tip on what should be done to secure the portal.
Do you have any recommendations ?
Best regards,
Sergey.Livanov mailto:[EMAIL PROTECTED]
Hi,
I'm executing a webapp from a war file, deployed with its own context
descriptor (not autodeployed), in a host (and even context for tomcat5) with
unpackwar=false. Security is enabled and just for testing purpose
catalina.policy has a grant codebase pointing to the war
First let me say this is not a specific tomcat question, rather, a general
application security issue that I'd like to get some feedback on. Secondly,
this is NOT my idea and I already have an opinion about its ... flaws, to
be kind.
Here's the idea in a nutshell (operative word nut):
The app
Gary,
First let me say this is not a specific tomcat question, rather, a general
application security issue that I'd like to get some feedback on.
As I type is in, it's making me even MORE nuts! Am I?
Was there a question in here, somewhere? :)
No, you're not nuts but trying to follow any logic
The long and the short of it is:
There will be an infinite number of application users. (maybe a few less)
They will have 1-n roles. Let say 3 .
There are a finite number of proxy EJB access users.
As mentioned earlier, derived from the application user roles.
The method level security for EJB
from the application user roles.
The method level security for EJB access will be based on the proxy user's
roles. So... 3 application user roles ... 9 proxy EJB access users.
Why not simpler IS the question. Like configuring a single
java.naming.security.principal and
java.naming.security.credentials
: application security gone mad
Gary,
WOW, how could one possibly justify/rationalize the complicated approach
you described in your original post? The architecture as described makes
no real use of CMS. Sounds like a combination of not invented here and
I don't understand it so I'm not gonna
[EMAIL PROTECTED]
Subject: Re: application security gone mad
Gary,
WOW, how could one possibly justify/rationalize the complicated approach
you described in your original post? The architecture as described makes
no real use of CMS. Sounds like a combination of not invented here and
I don't
Hi, all
I am running tomcat as application server and using
session to store objects which will determine what
dynamic content will be displayed. It's typical, but I
have the following question:
1. Where is the session variable stored? server side
or client cookie?
2. If variables stored in
. This is generally a very bad idea for security reasons (anyone can fake
what he sends to you if he knows what he's doing). But luckily this is not
the case.
Greetings
Andreas Mohrig
-Original Message-
From: Vincent Chen [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 11:37 AM
To: [EMAIL
Andreas,
1. Where is the session variable stored? server side or client
cookie?
However,
the sessionid is passed back and forth between the server and the
client, of course. But that should not be a problem, because of the
(pseudo) random and quite complex nature of sessionids it would be
hard
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 2:16 PM
To: Tomcat Users List
Subject: Re: session security questions?
Andreas,
1. Where is the session variable stored? server side or client
cookie?
However,
the sessionid is passed back
Are there any recommendations for a tomcat security book? I've found this
one on amazon.com, but there are no reviews on the book so I thought I would
run it by the list first before I buy it... any other suggestions
Thanx for any insight
http://www.amazon.com/exec/obidos/tg
Are there any recommendations for a tomcat security book? I've found this
one on amazon.com, but there are no reviews on the book so I thought I
would
run it by the list first before I buy it... any other suggestions
Thanx for any insight
http://www.amazon.com/exec/obidos/tg
The Servlet Spec is also good :-)
http://www.jcp.org/en/jsr/detail?id=154
-- Jeanfrancois
Yann ? wrote:
Are there any recommendations for a tomcat security book? I've found this
one on amazon.com, but there are no reviews on the book so I thought I
would
run it by the list first
page is serving/checking
a security certificate. It is at this point that the page doesn't load
completely. It seems that my very standard TC installation doesn't deal
with the certificate.
To test this theory I unloaded the ISAPI redirector from IIS 6 and went
directly to the page that I require
Hi
One of the libraries I use (actually my own ;-)) uses JAAS. If I ran a
JAAS application on the desktop I could simply use
-Djava.security.policy=jaas.policy
-Djava.security.auth.login.config=jaas.conf. With Tomcat, however, I can
hardly set those parameters in the start script as other
On 11/10/2003 02:32 PM Marcel Stor wrote:
One of the libraries I use (actually my own ;-)) uses JAAS. If I ran a
JAAS application on the desktop I could simply use
-Djava.security.policy=jaas.policy
-Djava.security.auth.login.config=jaas.conf. With Tomcat, however, I can
hardly set those parameters
Hi everybody,
I'm using the security-constraint feature of Tomcat. Everything works well, but I
don't know how to retrieve the login entered during authentication to use it throughout
my application... Have you guys done this before ?
thx
My login page is specified in my web.xml:
<login-config>