Re: security hole on windows tomcat?

2003-08-14 Thread Jeff Tulley
. Murray -Original Message- From: Jeff Tulley [mailto:[EMAIL PROTECTED] Sent: Wednesday, 13 August 2003 02:41 To: [EMAIL PROTECTED] Subject: RE: security hole on windows tomcat? So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking

url-pattern and realms security

2003-08-14 Thread Madere, Colin
So I looked at the servlet spec, but it doesn't specify (as far as I read) how hierarchical security constraints should work and Tomcat 4.1.27 seems to not do hierarchical constraints :) Also searching the list I didn't turn up results of this type, although I swear I've seen this issue before

RE: security hole on windows Apache - Tomcat?

2003-08-14 Thread Angus Mezick
] Sent: Wednesday, August 13, 2003 11:24 AM To: [EMAIL PROTECTED] Subject: RE: security hole on windows Apache - Tomcat? Yes, but all Apache does is redirect the request to Tomcat for handling. Tomcat itself decides whether to compile the JSP or serve the file as a static file (and hence

Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
which operating system? Paul John Turner wrote: Appending %20 to my Tomcat 4.1.1x URLs generates a 404. John Paul Sundling(Webdaddy) wrote: I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows

RE: security hole on windows tomcat?

2003-08-14 Thread Eric J. Pinnell
2003 02:41 To: [EMAIL PROTECTED] Subject: RE: security hole on windows tomcat? So this issue is confusing. It seems that indeed there IS an issue, though most cannot see a problem. Talking to some people off-list, it seems that some think it is a JK2 / workers2.properties issue. But I'm

RE: security hole on windows tomcat?

2003-08-14 Thread WATKIN-JONES,ADAM (HP-UnitedKingdom,ex1)
fwiw, windows server 2003 standard edition j2sdk 1.4.2 jakarta-tomcat-4.1.27-LE-jdk14 zip (not exe) http://localhost:8080/examples/jsp/num/numguess.jsp%20 problem appeared in opera 7.11 viewed page in ie 6 and got 404 subsequently got 404 in opera flicked around other samples in opera and saw

Re: security hole on windows tomcat?

2003-08-14 Thread Eric J. Pinnell
provide a site where it DOES happen so you guys can see what is happening. -Original Message- From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:07 PM To: 'Tomcat Users List' Subject: RE: security hole on windows tomcat? sorry, I don't know - I

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
List' Subject: RE: security hole on windows tomcat? can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:39 PM To: Tomcat Users List

RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
sorry, I overlooked where you mentioned it was the default install. please post a link Charlie -Original Message- From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:15 PM To: 'Tomcat Users List' Subject: RE: security hole on windows tomcat? did you

Re: security hole on windows tomcat?

2003-08-14 Thread Kwok Peng Tuck
Can't replicate your problem, tried both linux and win2k Version of tomcat is the same as yours. Paul Sundling(Webdaddy) wrote: I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat

RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
can you turn on debugging for the default servlet(conf/web.xml) and also turn on the requestdumpervalve(server.xml) and post the log. -Original Message- From: Paul Sundling [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 8:43 PM To: Tomcat Users List Subject: Re: security

RE: security hole on windows tomcat?

2003-08-14 Thread Cox, Charlie
can you turn on debug for the defaultservlet - set it to 99 in conf/web.xml and post the log. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:39 PM To: Tomcat Users List Subject: RE: security hole on windows tomcat? Nope

Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
PROTECTED] Sent: Monday, August 11, 2003 12:15 PM To: Tomcat Users List Subject: RE: security hole on windows tomcat? Ok guys, What could I have turned on that would have allowed this bug to happen? I can make it happen in both tomcat and tomcat through apache. (Most recent of both) I can provide

Re: security hole on windows tomcat?

2003-08-14 Thread John Turner
is happening. -Original Message- From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:07 PM To: 'Tomcat Users List' Subject: RE: security hole on windows tomcat? sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
Charlie, How do you fix this within apache? -Original Message- From: Cox, Charlie [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 10:15 AM To: 'Tomcat Users List' Subject: RE: security hole on windows tomcat? do you have apache on the front end and are you only

RE: security hole on windows tomcat?

2003-08-14 Thread Angus Mezick
[mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:07 PM To: 'Tomcat Users List' Subject: RE: security hole on windows tomcat? sorry, I don't know - I don't use Apache. This was just a thought that I had. I do not have this problem 4.1.24 on Win2k Charlie -Original

security hole on windows tomcat?

2003-08-14 Thread Spam Email
I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page: http

Re: url-pattern and realms security

2003-08-14 Thread Alexander Vavilin
:[EMAIL PROTECTED] Friday, August 15, 2003, 1:38:17 AM, you wrote: MC So I looked at the servlet spec, but it doesn't specify (as far as I read) MC how hierarchical security constraints should work and Tomcat 4.1.27 seems to MC not do hierarchical constraints :) Also searching the list I didn't turn

RE: url-pattern and realms security

2003-08-14 Thread Madere, Colin
Sorry sorry, web-resource-name elements are unique, just a copying error. -Original Message- From: Alexander Vavilin [mailto:[EMAIL PROTECTED] Sent: Thursday, August 14, 2003 10:33 PM To: Tomcat Users List Subject: Re: url-pattern and realms security Hello Colin, I am not sure, but I

Re[2]: url-pattern and realms security

2003-08-14 Thread Alexander Vavilin
error. MC -Original Message- MC From: Alexander Vavilin [mailto:[EMAIL PROTECTED] MC Sent: Thursday, August 14, 2003 10:33 PM MC To: Tomcat Users List MC Subject: Re: url-pattern and realms security MC Hello Colin, MC I am not sure, but I think you cannot do this, first an web-resource

Re: url-pattern and realms security

2003-08-14 Thread Bill Barker
PROTECTED] wrote in message news:[EMAIL PROTECTED] So I looked at the servlet spec, but it doesn't specify (as far as I read) how hierarchical security constraints should work and Tomcat 4.1.27 seems to not do hierarchical constraints :) Also searching the list I didn't turn up results

RE: url-pattern and realms security

2003-08-14 Thread Madere, Colin
So simple, gotta love those. All is working as desired. Thanks Bill! -Original Message- From: Bill Barker [mailto:[EMAIL PROTECTED] Sent: Thursday, August 14, 2003 11:27 PM To: [EMAIL PROTECTED] Subject: Re: url-pattern and realms security It's a Tomcat implementation detail, but I

security hole on windows tomcat?

2003-08-12 Thread Paul Sundling(Webdaddy)
I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable. I found that if you append %20 to a jsp page it shows the source code instead of displaying the page: http

RE: security hole on windows tomcat?

2003-08-11 Thread Cox, Charlie
: Re: security hole on windows tomcat? Appending %20 to my Tomcat 4.1.1x URLs generates a 404. John Paul Sundling(Webdaddy) wrote: I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my

Re: security hole on windows tomcat?

2003-08-11 Thread John Turner
John Paul Sundling wrote: which operating system? Paul John Turner wrote: Appending %20 to my Tomcat 4.1.1x URLs generates a 404. John Paul Sundling(Webdaddy) wrote: I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server

RE: security hole on windows tomcat?

2003-08-11 Thread Moraes, Fabio
, 2003 13:28 To: Tomcat Users List Subject: Re: security hole on windows tomcat? Interesting. WinXP Tomcat 4.1.24 http://localhost:8080/examples/jsp/num/numguess.jsp%20 I get the source. -e On Mon, 11 Aug 2003, John Turner wrote: Let's see the Tomcat-only link. John Angus Mezick wrote

RE: security hole on windows tomcat?

2003-08-11 Thread Cox, Charlie
you can also turn on the AccessLogValve in server.xml to show if the request gets to tomcat from apache and to see what it looks like. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 12:56 PM To: Tomcat Users List Subject: RE: security

Re: security hole on windows tomcat?

2003-08-11 Thread Jeff Tulley
Turner wrote: Appending %20 to my Tomcat 4.1.1x URLs generates a 404. John Paul Sundling(Webdaddy) wrote: I came across what appears to be a security hole when running tomcat. I'm not sure how widespread it is, but my linux server is safe, yet my windows XP, tomcat 4.1.24 is vulnerable

Problem with applet in jar file accessed from JSP page in area protected with a security constraint.

2003-08-01 Thread Jim Solderitsch
configuration for most of the pages of the site -- I have security-constraint tags and a login-config section in my application's web.xml file. My problem is this: One of the protected pages is a jsp (map.jsp) page that has an applet tag. This tag references a jar file that is also contained

File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin
Hi, I have a servlet that is used to download a file to the client. I am using Tomcat 4.1.24, with IE6. All is fine when no security-constraint is applied in the deployment descriptor, but when I introduce such a constraint the file cannot be downloaded. I receive the error: Internet Explorer

Re: File cannot be download with security-constraint...

2003-07-31 Thread Jon Wingfield
wrote: Hi, I have a servlet that is used to download a file to the client. I am using Tomcat 4.1.24, with IE6. All is fine when no security-constraint is applied in the deployment descriptor, but when I introduce such a constraint the file cannot be downloaded. I receive the error: Internet Explorer

RE: File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin
ah the old IE + SSL + cacheing problem ;) I am not using SSL, I haveadding the suggested code it does not solve the problem... Cheers Rob

RE: File cannot be download with security-constraint...

2003-07-31 Thread Rob Tomlin
ah the old IE + SSL + cacheing problem ;) This seems to solve the problem: response.setHeader("Cache-Control", "public");

Re: File cannot be download with security-constraint...

2003-07-31 Thread Jon Wingfield
Cool. Was just writing a response about the headers tomcat adds when using a security restraint. But you've already worked it out... I've only seen the problem when using IE with SSL + security constraint but I guess it's more of a general problem. :( Jon Rob Tomlin wrote: ah the old IE + SSL

Session\Security Checking

2003-07-28 Thread Robert Priest
to make sure that you have a valid session id. If your session id is invalid, you get an access denied page. if not, a http download is started. so I guess what I want is to intercept any request to that downloaddir and perform session\security checking (by another servlet or jsp page) before allowing

Re: Session\Security Checking

2003-07-28 Thread Rick Roberts
that you have a valid session id. If your session id is invalid, you get an access denied page. if not, a http download is started. so I guess what I want is to intercept any request to that downloaddir and perform session\security checking (by another servlet or jsp page) before allowing access

Re: Session\Security Checking

2003-07-28 Thread Rick Roberts
request to that downloaddir and perform session\security checking (by another servlet or jsp page) before allowing access... Now, is adding additional servlet\jsp the best way to go about this, or is there a better way through Tomcat configuration? Thanks

RE: Session\Security Checking

2003-07-28 Thread Robert Priest
/downloaddir/1/abc.jar he\she will get an access denied. Is that more understandable? We are trying to prevent cutting and pasting of urls. We are mainly concerned with just providing\denying access to this directory and not security to an entire web application where I think the REALM would be more

RE: Session\Security Checking

2003-07-28 Thread Mike Curwen
presence of a session will prove that your user is logged in and authenticated. -Original Message- From: Robert Priest [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2003 11:25 AM To: 'Tomcat Users List' Subject: RE: Session\Security Checking thanks, rick. I appreciate

RE: Session\Security Checking

2003-07-28 Thread Robert Priest
List' Subject: RE: Session\Security Checking I think using a realm and simply setting up /downloaddir/* as a 'protected resource' is the way to go. The functionality you're looking for has already been implemented by Container-Managed Auth. Also.. if you use a container AUTH scheme, then you don't

Re: Session\Security Checking

2003-07-28 Thread Rick Roberts
Robert Priest wrote: the URL for the download will contain a session id for the user. So if you will allow me to modify my example: Say user A logs in and has a session id of 1 and wants to download abc.jar. He will be redirected to the url: http://localhost/myservlet/downloaddir/1/abc.jar now I

RE: Session\Security Checking

2003-07-28 Thread Mike Curwen
: Session\Security Checking But I still need to change how my user are authenticated, correct. I now need to handle that authentication through the realm instead of a Form on our page now, right? -Original Message- From: Mike Curwen [mailto:[EMAIL PROTECTED] Sent: Monday, July 28

RE: Session\Security Checking

2003-07-28 Thread Robert Priest
List' Subject: RE: Session\Security Checking If you've already implemented your own access control, then certainly it might be more feasible to extend that to this set of pages. A filter might be the best, if you can use a 2.3 compliant container. The filter would simply check for the presence

RE: Session\Security Checking

2003-07-28 Thread Mike Curwen
[mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2003 12:13 PM To: 'Tomcat Users List' Subject: RE: Session\Security Checking Ok. thanks. Do you have any links to the proper documentation for doing this? When you say filter, you are not speaking of a Realm are you? Could you clarify

Tomcat standard error page - security issue

2003-07-18 Thread Mris Orbidns
Hello How can I change standard Tomcat error page ? It prints Tomcat version and our auditors said it might be a security issue. I have servlets and JSP pages in my app. I have error-page directive in all JSP pages, however in case of Null Pointer Exception it seems not to be working. thanx

Re: Tomcat standard error page - security issue

2003-07-18 Thread Tim Funk
http://jakarta.apache.org/tomcat/faq/misc.html#error -Tim Mris Orbidns wrote: Hello How can I change standard Tomcat error page ? It prints Tomcat version and our auditors said it might be a security issue. I have servlets and JSP pages in my app. I have error-page directive in all JSP pages

AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Haug Thomas
13:02 To: Tomcat Users List Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions - man ulimit - Google (java Too many open files solaris) -Tim Haug Thomas wrote: Hi everybody, I am experiencing some strange behaviour with Tomcat 4.1.24 running

Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Simon Pabst
We've got a similar issue, though this in on Linux and using channelUnix/JNI instead of normal tcp channelSocket. We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1). On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to go down again too while

Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Tim Funk
. Is this a known bug? Regards, Thomas -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Tuesday, 15 July 2003 13:02 To: Tomcat Users List Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions - man ulimit - Google (java Too many open files solaris

Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-15 Thread Haug Thomas
Hi everybody, I am experiencing some strange behaviour with Tomcat 4.1.24 running with a SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02 and/or 1.4.2 Our software seems to use up all available file descriptors. If then tomcat tries to accept a new request the IO system

Re: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-15 Thread Tim Funk
- man ulimit - Google (java Too many open files solaris) -Tim Haug Thomas wrote: Hi everybody, I am experiencing some strange behaviour with Tomcat 4.1.24 running with a SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02 and/or 1.4.2 Our software seems to use up all available

Re: Newbie question on Tomcat security

2003-07-15 Thread John Turner
the security manager. Sixth, don't put ANYTHING confidential in a JSP...move it (like a database connection URL, a username, or a password) to web.xml or server.xml, or a properties file under WEB-INF. Seventh, if you really want to obscure paths when people view HTML source, simply make all URLs

Tomcat as a service - starting up with security

2003-07-15 Thread Pooleery, Manoj
Tomcat as a service, but not with security or the additional cleanup I require. Does anybody know how to go about this? Any information in this regard is highly appreciated. Thanks -Manoj.

Newbie question on Tomcat security

2003-07-14 Thread substring
to access my files. What kind of security that I should set up for that? I am pretty new to Tomcat so I need help. By the way, my OS is Windows 2000 Pro. Any help will be very much appreciated.

newbie question on Tomcat security

2003-07-14 Thread epyonne =)
my files. What kind of security that I should set up for that? I am pretty new to Tomcat so I need help. By the way, my OS is Windows 2000 Pro. Any help will be very much appreciated.

Re: Newbie question on Tomcat security

2003-07-14 Thread Reginald Oake
a security risk. Thanx Reg On Mon, 2003-07-14 at 15:49, substring wrote: Hello All, I just developed a JSP application called myapp, running on Tomcat 4.1.24. How can I keep people from accessing my files under tomcat/webapps/myapp? For example, people can do a simple view source

Re: Newbie question on Tomcat security

2003-07-14 Thread epyonne
] Sent: Monday, July 14, 2003 5:58 PM Subject: Re: Newbie question on Tomcat security Hi. I'm not certain about this but it seems to me that it would be next to impossible to keep the html source from being viewed by someone using any browser (this is not a server side issue). The source has

Re: Newbie question on Tomcat security

2003-07-14 Thread Reginald Oake
Hi. I don't know if this will be helpful but I have heard of people putting their JSPs and other ancillary files inside the WEB-INF directory. I'm not sure what you have to do to make this work but it may well be worth looking into. Reg

Re: newbie question on Tomcat security

2003-07-14 Thread Bill Barker
of security that I should set up for that? I am pretty new to Tomcat so I need help. By the way, my OS is Windows 2000 Pro. Any help will be very much appreciated.

Re: Newbie question on Tomcat security

2003-07-14 Thread Simon Pabst
. - Original Message - From: Reginald Oake [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Monday, July 14, 2003 5:58 PM Subject: Re: Newbie question on Tomcat security Hi. I'm not certain about this but it seems to me that it would be next to impossible to keep the html

Re: Compensating for applet security restrictions

2003-07-04 Thread Susan Hoddinott
http://www.hexworx.com - Original Message - From: Susan Hoddinott [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Friday, July 04, 2003 1:15 PM Subject: Re: Compensating for applet security restrictions Hello, I have thought about signing but unfortunately I have many

RE: Compensating for applet security restrictions

2003-07-03 Thread Atreya Basu
-Original Message- From: Susan Hoddinott [mailto:[EMAIL PROTECTED] Sent: July 3, 2003 2:35 AM To: Tomcat Users List Subject: Compensating for applet security restrictions Hello,   I currently have a JSP with an APPLET tag (including EMBED and OBJECT references) which runs a JAR file

Re: Compensating for applet security restrictions

2003-07-03 Thread Nathan McMinn
: Susan Hoddinott To: Tomcat Users List Sent: Thursday, July 03, 2003 12:35 AM Subject: Compensating for applet security restrictions Hello, I currently have a JSP with an APPLET tag (including EMBED and OBJECT references) which runs a JAR file located on my server

Tomcat security?

2003-07-03 Thread Eugene Lee
worldwide, according to a warning issued Wednesday by security companies and government Internet security groups. The hacker defacement contest is expected to kick off on Sunday. The contest supposedly will award free hosting services, Web mail, unlimited E-mail

Re: Tomcat security?

2003-07-03 Thread Tim Funk
A hacking contest slated for this weekend could produce a rash of Web-site defacements worldwide, according to a warning issued Wednesday by security companies and government Internet security groups. The hacker defacement contest is expected to kick off on Sunday

Re: Tomcat security?

2003-07-03 Thread Nathan McMinn
: Thursday, July 03, 2003 10:51 AM Subject: Tomcat security? Anyone want to discuss hardening Tomcat servers? Hacking Contest Threatens Web Sites By George V. Hulme, InformationWeek Updated Wednesday, July 2, 2003, 3:00 PM EDT A hacking contest slated for this weekend could produce a rash of Web

Re: Tomcat security?

2003-07-03 Thread John Turner
By George V. Hulme, InformationWeek Updated Wednesday, July 2, 2003, 3:00 PM EDT A hacking contest slated for this weekend could produce a rash of Web-site defacements worldwide, according to a warning issued Wednesday by security companies and government Internet

Re: Tomcat security?

2003-07-03 Thread John Turner
- Original Message - From: Eugene Lee [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, July 03, 2003 10:51 AM Subject: Tomcat security? Anyone want to discuss hardening Tomcat servers? Hacking Contest Threatens Web Sites By George V. Hulme, InformationWeek Updated Wednesday

Re: Tomcat security?

2003-07-03 Thread Nathan McMinn
Any idea what it was and/or what versions it affected? - Original Message - From: John Turner [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, July 03, 2003 11:13 AM Subject: Re: Tomcat security? AFAIK, November 2002. John On Thu, 3 Jul 2003 11:14:26

Re: Tomcat security?

2003-07-03 Thread John Turner
] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, July 03, 2003 11:13 AM Subject: Re: Tomcat security? AFAIK, November 2002. John On Thu, 3 Jul 2003 11:14:26 -0500, Nathan McMinn [EMAIL PROTECTED] wrote: When was the last time Tomcat had a published exploit? On a related note

Re: Tomcat security?

2003-07-03 Thread Mark W. Webb
I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ?? Nathan McMinn wrote: When was the last time Tomcat had a published exploit? On a related note, these kind

Re: Tomcat security?

2003-07-03 Thread Nathan McMinn
What do you mean stored in the clear? Are you referring to tomcat-users.xml? Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access the DB for the realm is only granted

Re: Tomcat security?

2003-07-03 Thread Ben Ricker
-07-03 at 14:23, Nathan McMinn wrote: What do you mean stored in the clear? Are you referring to tomcat-users.xml? Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access

Re: Tomcat security?

2003-07-03 Thread Bill Barker
in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ?? Nathan McMinn wrote: When was the last time Tomcat had a published exploit? On a related note, these kind of contests are fairly common, and usually don't produce

Re: Compensating for applet security restrictions

2003-07-03 Thread Susan Hoddinott
am doing. The first applet just takes parameters and either runs the program as an applet or an application but the security which is inherited appears to be that for an applet in either case? Regards, Susan Hoddinott http://www.hexworx.com - Original Message - From: Atreya Basu [EMAIL

Compensating for applet security restrictions

2003-07-02 Thread Susan Hoddinott
Hello, I currently have a JSP with an APPLET tag (including EMBED and OBJECT references) which runs a JAR file located on my server. The program runs fine but because the APPLET is run by the Java plug-in whenever it needs to read or write data it attempts to read or write the data from or

Adding security to a single webapp

2003-07-01 Thread Jeremy Nix
Can somebody point me to a guide that has a good example on adding SSL to a webapp (or possible a few), but not allowing other webapps to be accessed via port 80 (unsecure port)? _ Jeremy Nix Senior Application Developer Southwest Financial Ltd. [EMAIL PROTECTED] (513) 621-6699

RE: Tomcat 4.1.24 Security

2003-06-25 Thread Phillip Qin
If you grant resolve to jdbc jar, then you don't need to specify the ip in the url, use host.domain:port -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: June 24, 2003 5:57 PM To: [EMAIL PROTECTED] Subject: Tomcat 4.1.24 Security I am in the process

RE: Tomcat 4.1.24 Security

2003-06-25 Thread Phillip Qin
Another comment, grant codeBase will not accept !, check ${java.home}/docs/guide/security/permissions.html or api javadoc. You have to use - file:${path}/- for all classes and jars in this dir and subdirs; - file:${path}/* for all classes and jars in this dir; - file:${path}/my.jar for this jar

Re: how two web applications share security realms ?

2003-06-24 Thread Bill Barker
Look at the documentation for SingleSignonValve. martin(Feng-Chang) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Dear all: I have two web applications named homepage and login. Application login is for authenticate users. How those two web applications share security realms? I

Tomcat 4.1.24 Security

2003-06-24 Thread
base server. I get a security error message - as I expected. Looking thru all of the documentation I could find - I discovered that I needed to add a grant statement to the catalina.policy file pointing to the codeBase for my JDBC driver. (as an aside, I am uncertain what I broke, but as soon

RE: Tomcat 4.1.24 Security

2003-06-24 Thread Mike Curwen
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 4:57 PM To: [EMAIL PROTECTED] Subject: Tomcat 4.1.24 Security that the dbcp code had tried 3 times to load before it gave up. This makes me think all is fine on the Tomcat end

how two web applications share security realms ?

2003-06-23 Thread martin(Feng-Chang)
Dear all: I have two web applications named homepage and login. Application login is for authenticate users. How those two web applications share security realms? I found if i define security-constraint and login-config tags for homepage/web.xml and login/web.xml, I access to http://myhost

RE: Container managed security

2003-06-23 Thread Shapira, Yoav
' Subject: Container managed security Hi All, May i know is it possible to have more than one login config for a single container. Says i have 2 applications running on different context; APP1 and APP2 both of them using container managed security. But required seperate login credential. Can i mantain

[REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Don't know if this mailing list filters my post, try it again. I am frustrated. I have a webapp developed by struts. If I start Tomcat without security manager, everything works fine. I can access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. After I start Tomcat -security

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
without security manager, everything works fine. I can access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. After I start Tomcat -security and access the above link, I got the following error. There is an index.jsp. When some one type https://myhost.mydomain.com/myapp, this index.jsp

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
java.security.AllPermission; }; But I am wondering if this AllPermission is secure enough or I am opening more holes. -Original Message- From: John Turner [mailto:[EMAIL PROTECTED] Sent: June 23, 2003 2:34 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
On Tue, 24 Jun 2003 02:41, Phillip Qin wrote: I solved this problem by including a grant entry grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" { permission java.security.AllPermission; }; Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Typo, it is WEB-INF/lib. When there is no grant entry for this jar, tomcat throws NoClassDefFoundError. -Original Message- From: Jason Bainbridge [mailto:[EMAIL PROTECTED] Sent: June 23, 2003 2:44 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
Good eye, Jason. John On Tue, 24 Jun 2003 02:43:59 +0800, Jason Bainbridge [EMAIL PROTECTED] wrote: On Tue, 24 Jun 2003 02:41, Phillip Qin wrote: I solved this problem by including a grant entry grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" { permission

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
[mailto:[EMAIL PROTECTED] Sent: June 23, 2003 2:44 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError On Tue, 24 Jun 2003 02:41, Phillip Qin wrote: I solved this problem by including a grant entry grant codeBase file:${catalina.home}/webapps

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav
Bainbridge [mailto:[EMAIL PROTECTED] Sent: Monday, June 23, 2003 2:53 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError What other struts.jar files have you got laying around? Have you maybe got one in common/lib? I'm not sure why setting a grant like

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
with security manager + NoClassDefFoundError On Tue, 24 Jun 2003 02:41, Phillip Qin wrote: I solved this problem by including a grant entry grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" { permission java.security.AllPermission; }; Why isn't it in WEB-INF/lib

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
tomcat classloader should take care of them. To Yoav: I start Tomcat with -security option. Tomcat will use Catalina.policy to manage the permissions. I don't use JAAS or realm at all (realms were cleaned up in server.xml). -Original Message- From: John Turner [mailto:[EMAIL PROTECTED

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav
Howdy, Is your catalina.policy the default or modified? Yoav Shapira Millennium ChemInformatics -Original Message- From: Phillip Qin [mailto:[EMAIL PROTECTED] Sent: Monday, June 23, 2003 3:10 PM To: 'Tomcat Users List' Subject: RE: [REPOST]Tomcat with security manager

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
[mailto:[EMAIL PROTECTED] Sent: June 23, 2003 2:53 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError What other struts.jar files have you got laying around? Have you maybe got one in common/lib? I'm not sure why setting a grant like that would make

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
Was just doing a bit of reading: http://jakarta.apache.org/struts/userGuide/installation.html Running Struts Applications Under A Security Manager Many application servers execute web applications under the control of a Java security manager, with restricted permissions on what classes

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
with security manager + NoClassDefFoundError Was just doing a bit of reading: http://jakarta.apache.org/struts/userGuide/installation.html Running Struts Applications Under A Security Manager Many application servers execute web applications under the control of a Java security manager, with restricted

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jean-Francois Arcand
Bainbridge [mailto:[EMAIL PROTECTED] Sent: June 23, 2003 3:48 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError Was just doing a bit of reading: http://jakarta.apache.org/struts/userGuide/installation.html Running Struts Applications Under A Security

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
?... first, I got this error. I looked into catalina.out, there was no permission exception. -Original Message- From: Jean-Francois Arcand [mailto:[EMAIL PROTECTED] Sent: June 23, 2003 4:42 PM To: Tomcat Users List Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError Hi
