Container managed security

2003-06-22 Thread Stephen Ting
Hi All, May I know is it possible to have more than one login config for a single container? Say I have 2 applications running on different contexts, APP1 and APP2, both of them using container managed security, but requiring separate login credentials. Can I maintain 2 or more sets of users

Re: problems with web.xml and security

2003-06-18 Thread Bill Barker
with web.xml and security If you check your log files, you should see that it doesn't like your web.xml file because session-config comes after servlet-mapping and before mime-mapping (which both come before security-constraint). Tomcat 4.x is picky about enforcing the order of elements in your

RE: problems with web.xml and security

2003-06-18 Thread Rosaria Silipo
PROTECTED] On Behalf Of Bill Barker Sent: Tuesday, June 17, 2003 11:46 PM To: [EMAIL PROTECTED] Subject: Re: problems with web.xml and security servlet-mapping and mime-mapping are optional elements. If you don't need them, then they don't have to be there. If you remove the session-config

Re: problems with web.xml and security

2003-06-18 Thread Bill Barker
Now we are getting somewhere ;-). If you have a context with a path=/secure, then you need to set the security-constraint (including login-config) in that web.xml as you have except that you only need to have the <url-pattern>/*</url-pattern> (since the url-pattern is relative to the context-path

RE: problems with web.xml and security

2003-06-18 Thread Rosaria Silipo
Thanks! The SingleSignOn valve works like a charm! -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Wednesday, June 18, 2003 1:02 AM To: [EMAIL PROTECTED] Subject: Re: problems with web.xml and security Now we are getting somewhere ;-). If you

Container Security and Resource Access

2003-06-18 Thread Lior Shliechkorn
Hi, My question is regarding using Tomcat (4.1.18) container security, with using a JDBCRealm along with a security constraint for FORM type logging in. Ok, before I start confusing myself and you, let me be more clear. I'm using Tomcat with win2k pro, and currently the system is running

Re: problems with web.xml and security

2003-06-17 Thread Jon Eaves
Rosaria Silipo wrote: Thanks Carl, Yes, I tried to see /secure as first thing and I can see it without authentication. I tried to close browser and restart it and I still could see it. Maybe the problem is on the web.xml of /secure. Is it possible? -- Rosaria If I'm reading your sentence

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
Unbelievable to say. It works! Do you have an explanation for this? Thanks -- Rosaria -Original Message- From: Carl Walker [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 1:25 PM To: Tomcat Users List Subject: Re: problems with web.xml and security What happens when you take

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
I include /secure in the root web application? Thanks -- Rosaria -Original Message- From: Jon Eaves [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 3:04 PM To: Tomcat Users List Subject: Re: problems with web.xml and security Rosaria Silipo wrote: Thanks Carl, Yes, I tried

Re: problems with web.xml and security

2003-06-17 Thread Jon Eaves
in conf/server.xml point to the appropriate web application. This will map to http://my.domain.com/secure Remember, we're talking about web applications, and *not* directories. So, in the web application that you have defined to be the context /secure, put the security constraint

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
] Sent: Tuesday, June 17, 2003 3:52 PM To: Tomcat Users List Subject: Re: problems with web.xml and security You need 2 web.xml files. In / (or ROOT) for the context that maps to http://my.domain.com/ and in the web application defined by the context /secure which may be in the subdirectory

Re: problems with web.xml and security

2003-06-17 Thread Bill Barker
If you check your log files, you should see that it doesn't like your web.xml file because session-config comes after servlet-mapping and before mime-mapping (which both come before security-constraint). Tomcat 4.x is picky about enforcing the order of elements in your web.xml file (TC 3.3

Re: Security question

2003-06-17 Thread Bill Barker
Tomcat's security checks). If it works, this is probably the easiest. Otherwise you probably would need to plug in your own custom Authenticator that would be smart enough to un-secure some configured set of URLs. Bob Damato [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Security

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
] On Behalf Of Bill Barker Sent: Tuesday, June 17, 2003 8:16 PM To: [EMAIL PROTECTED] Subject: Re: problems with web.xml and security If you check your log files, you should see that it doesn't like your web.xml file because session-config comes after servlet-mapping and before mime-mapping (which both come

problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
/secure/*. Have you ever seen this problem before? Thanks for any help -- Rosaria <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> ... <!-- SECURITY CONSTRAINT --> <security-constraint> <web-resource

problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> ... <!-- SECURITY CONSTRAINT --> <security-constraint> <web-resource-collection> <web-resource-name>Secure Pages</web-resource-name> <description>Security constraint on all files

Re: problems with web.xml and security

2003-06-17 Thread Carl Walker
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> <web-app> ... <!-- SECURITY CONSTRAINT --> <security-constraint> <web-resource-collection> <web-resource-name>Secure Pages</web-resource-name> <description>Security constraint on all

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
To: Tomcat Users List Subject: Re: problems with web.xml and security In which way doesn't it work? Are you prohibited from viewing the files after logging in or can you see the files even if you haven't authenticated? -Carl Rosaria Silipo wrote: Hi, I am trying to set up Tomcat as a secure web

Re: problems with web.xml and security

2003-06-17 Thread Carl Walker
<web-resource-name>SecadminJsps</web-resource-name> <url-pattern>/*</url-pattern> <url-pattern>/secadmin/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>secadmin</role-name> </auth-constraint> </security-constraint> Rosaria Silipo wrote: The second. I can see

Security question

2003-06-17 Thread Bob Damato
Security for the site I'm working with was originally done via IPlanet's internal security. I'd like to move to using the webapp security in Tomcat. Under iPlanet, the security was set up with the entire site - /* - being secured, then specific uri's were explicitly declared un-secured. So

RE: problems with web.xml and security

2003-06-17 Thread Rosaria Silipo
:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 12:56 PM To: Tomcat Users List Subject: Re: problems with web.xml and security I just tested this and wasn't able to see /secadmin without logging-on. Are you closing the browser (possibly including mail clients) between trials? If you go from hitting

Re: problems with web.xml and security

2003-06-17 Thread Carl Walker
. Is it possible? -- Rosaria -Original Message- From: Carl Walker [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 12:56 PM To: Tomcat Users List Subject: Re: problems with web.xml and security I just tested this and wasn't able to see /secadmin without logging-on. Are you

security constraint web.xml

2003-06-14 Thread Euan Guttridge
The security constraint I am adding is screwing up my web.xml. After adding the constraint tomcat cannot find my taglibs. Any ideas? (web.xml below) Thanks, Euan <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

RE: security constraint web.xml

2003-06-14 Thread John Rishea
Euan, If you look at the DTD 2.3 specs, the security constraint and login-config entries have to be placed after the taglib entries. It's very picky about tags being in the correct order. Hope that helps. __ John Rishea Avaya, Inc. (303) 538-4503 -Original Message- From

RE: security constraint web.xml

2003-06-14 Thread Euan Guttridge
Thanks John - solved. -Original Message- From: John Rishea [mailto:[EMAIL PROTECTED] Sent: 14 June 2003 16:46 To: Tomcat Users List Subject: RE: security constraint web.xml Euan, If you look at the DTD 2.3 specs, the security constraint and login-config entries have to be placed after

tomcat security

2003-06-10 Thread Maxime Colas des Francs
Hi, Is there a typical security configuration for a web application in catalina.policy ? I have a lot of java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers) and i don't understand where it comes from tks

RE: tomcat security

2003-06-10 Thread Phillip Qin
Did you start tomcat with start security? If not, some else messed up. -Original Message- From: Maxime Colas des Francs [mailto:[EMAIL PROTECTED] Sent: June 10, 2003 3:23 PM To: [EMAIL PROTECTED] Subject: tomcat security Hi, Is there a typical security configuration for a web

RE: tomcat security

2003-06-10 Thread Maxime Colas des Francs
of course yes I start tomcat with -security and -Djava.security.debug=access,failure for trace else no security exception At 15:16 2003-06-10 -0400, you wrote: Did you start tomcat with start security? If not, some else messed up. -Original Message- From: Maxime Colas des Francs [mailto

Mailing List for Security warnings

2003-06-08 Thread Ronnie Tartar
Is there a mailing list for security warnings for tomcat? Thanks

Re: Mailing List for Security warnings

2003-06-08 Thread Tim Funk
Nope. Typically if a security issue is found, it will be discussed by the committers to confirm the vulnerability. A patch and a new release is made. The announcement of the vulnerability and the new release are usually made at the same time. The announcement is typically made to: - tomcat-user

RE: Mailing List for Security warnings

2003-06-08 Thread bedetrob
]' Subject: Mailing List for Security warnings Is there a mailing list for security warnings for tomcat? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]

Re: Mailing List for Security warnings

2003-06-08 Thread Jens Skripczynski
Ronnie Tartar: Is there a mailing list for security warnings for tomcat? Are there any security issues in a default tomcat install ? Ciao Jens Skripczynski -- E-Mail: skripi-lists(at)myrealbox(dot)com * life is real - unless declared integer

Re: Mailing List for Security warnings

2003-06-08 Thread Tim Funk
: Is there a mailing list for security warnings for tomcat? Are there any security issues in a default tomcat install ? Ciao Jens Skripczynski

Re: security of server.xml

2003-06-06 Thread John Turner
Well, if you put in code, then every time it changes you need to recompile your code, and redeploy your application. If you put it in server.xml, you don't ever have to do that. The security on server.xml is easy: chmod 700 TOMCAT_USER TOMCAT_USER = whatever user Tomcat runs as John On Thu

Re: security of server.xml

2003-06-06 Thread Bill Barker
TC 3.3.x has a variable-replacement option, which is very nice for this sort of thing. Unfortunately, it hasn't been ported to TC 4.x. Mohamed Tagari [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi, Is there any way of taking the password and username for connecting to a

Re: security of server.xml

2003-06-06 Thread Mohamed Tagari
, if you put in code, then every time it changes you need to recompile your code, and redeploy your application. If you put it in server.xml, you don't ever have to do that. The security on server.xml is easy: chmod 700 TOMCAT_USER TOMCAT_USER = whatever user Tomcat runs as John

Re: security of server.xml

2003-06-06 Thread John Turner
Tomcat Security Handbook from Wrox Press, ISBN 1861008309. John On Thu, 5 Jun 2003 16:04:43 +0100 (BST), Mohamed Tagari [EMAIL PROTECTED] wrote: HI, the database contains sensitive information and so the password and username should not be available even as a read only.. Due

RE: security of server.xml

2003-06-06 Thread Phillip Qin
Is your book out? I couldn't find in local bookstore. -Original Message- From: John Turner [mailto:[EMAIL PROTECTED] Sent: June 6, 2003 2:19 PM To: Tomcat Users List Subject: Re: security of server.xml Java code can be decompiled. Easily. Rogue classes can be inserted into improperly

Re: security of server.xml

2003-06-06 Thread John Turner
On Fri, 6 Jun 2003 14:24:34 -0400, Phillip Qin [EMAIL PROTECTED] wrote: Is your book out? I couldn't find in local bookstore. -Original Message- From: John Turner [mailto:[EMAIL PROTECTED] Sent: June 6, 2003 2:19 PM To: Tomcat Users List Subject: Re: security of server.xml Java code can

RE: security of server.xml

2003-06-06 Thread PELOQUIN,JEFFREY (HP-Boise,ex1)
the database but with luck you have that behind a firewall. Jeff -Original Message- From: Mohamed Tagari [mailto:[EMAIL PROTECTED] Sent: Thursday, June 05, 2003 9:05 AM To: Tomcat Users List Subject: Re: security of server.xml HI, the database contains sensitive information and so

security of server.xml

2003-06-05 Thread Mohamed Tagari
Hi, Is there any way of taking the password and username for connecting to a database out of the server.xml, and placing it in code before the lookup is done on this?? As having the username and password as plain text is not very secure.. // java code Context init = new InitialContext();

newbie (about http serving and security)

2003-04-03 Thread kurtc
? 3) using TomCat as standalone, is there any security issue? 4) TomCat will deny the download of the java classes of my servlet, right? Greetings, luca

RE: newbie (about http serving and security)

2003-04-03 Thread Shapira, Yoav
, as well as tomcat, and configure the connection between them using a connector such as mod_jk. This seems to be troublesome for many people for various reasons. 2) can TomCat serves html files besides Java Servlets? Yes. 3) using TomCat as standalone, is there any security issue? Compared

Tomcat and security-constraint

2003-04-02 Thread Giorgio Ponza
Hi all My conf: Tomcat 4.1.18 LE JDK1.4 Apache 2.0.44 with openssl mod_jk I want to secure a JSP page, but not with authentication, only with HTTPS support. So I added the lines in WEB.XML <security-constraint> <web-resource-collection> <web-resource-name>Test securing JSP pages</web-resource

Remove role from security constraint?

2003-04-02 Thread Boris Folgmann
Hi! Does anybody know a method to remove a role from a security constraint during runtime? I need this for disabling logins for ordinary users during special maintenance inside the application. cu, boris -- Dipl.-Inf. Boris Folgmann mailto:[EMAIL PROTECTED] Folgmann IT-Consulting

need help with file security

2003-03-26 Thread Kushan Maskey
hi. i am a student and am using tomcat 4.1.18. i have a question regarding file security. i want to protect files or sites from an unauthorized user. whenever a person clicks on a link or a file in the root directory it should ask for a user and password. is it possible with tomcat? i am not sure

need help with file security

2003-03-26 Thread rajeev shrestha
hi. i am a student and am using tomcat 4.1.18. i have a question regarding file security. i want to protect files or sites from an unauthorized user. whenever a person clicks on a link or a file in the root directory it should ask for a user and password. is it possible with tomcat? i am

Tomcat security concerns during start-up

2003-03-11 Thread krip pane
All, I'm running 4.1.18 on solaris 2.8 - currently without any problems as id tomcat. But my issue is I've to give write permission to tomcat on the conf directory in order for tomcat to start successfully. Is there any other way of starting tomcat without giving this permission, is this a bug?,

Re: Tomcat security concerns during start-up

2003-03-11 Thread Ben Ricker
I do not see this as a problem. You can lock the Tomcat account (do have to give it a shell, though) and no one should be able to get into the account. I use 'sudo' to allow others the ability to start and stop Tomcat which 'su's to the Tomcat user before executing. I myself use the Tomcat group,

Re: Tomcat security concerns during start-up

2003-03-11 Thread krip pane
I'm not sure if I making a correct assumption, but isn't it possible that someone can exploit the running tomcat process and gain access as tomcat into the system (if so, having write permission on the conf dir is dangerous) --- Ben Ricker [EMAIL PROTECTED] wrote: I do not see this as a

Re: Security and url-pattern

2003-03-10 Thread Jeff Pajor
to restrict access to any reference of /servlet/app.test.*. However, I want anything in the /servlet/ directory to be accessible. Is there any way I can do this? I tried this under the security constraint tag: <url-pattern>/servlet/app.test.*</url-pattern> However this did not work and it lets me

Security and url-pattern

2003-03-07 Thread Kevin Andryc
I have some questions about the url-pattern tag in web.xml. I would like to restrict access to any reference of /servlet/app.test.*. However, I want anything in the /servlet/ directory to be accessible. Is there any way I can do this? I tried this under the security constraint tag: <url-pattern>

Security Question

2003-03-05 Thread Lars Nielsen Lind
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using OpenSSL 0.9.7a with Apache. Question: If the user activates a jsp page with a javabean component with access to a PostgreSQL database server (communicates with port 5432) from the secure area (https) - is it then

Re: Security Question

2003-03-05 Thread Tim Funk
Here are the channels of communication. For a typical web page there are 3 socket connections that can be concurrently open. A: Web Browser -- Apache B: Apache -- Tomcat C: Tomcat -- Database Now onto the security ... A: If ssl then secure B: If ssl, then secure. If not ssl, then someone between

RE: Security Question

2003-03-05 Thread mech
to encrypt the communications yourself. Michael -Original Message- From: Lars Nielsen Lind [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. März 2003 10:45 To: Tomcat Users List Subject: Security Question I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using

Bypassing security-constraint in 4.0.2

2003-03-04 Thread Paul Downs
Hi, If I have the following configuration: <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/secret/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>administrator</role-name> </auth-constraint> </security-constraint>

R: Bypassing security-constraint in 4.0.2

2003-03-04 Thread Simone Chiaretta
Don't know probably it's bug of 4.0.2 it's a very old release... I've 4.0.4, I tried bypassing the security to test if I'm affected too but it always ask me authentication I suggest that u upgrade to a newer release of the server Simone -Messaggio originale- Da: Paul Downs [mailto

Re: R: Bypassing security-constraint in 4.0.2

2003-03-04 Thread Paul Downs
* Simone Chiaretta ([EMAIL PROTECTED]) wrote : Don't know probably it's bug of 4.0.2 it's a very old release... I've 4.0.4, I tried bypassing the security to test if I'm affected too but it always ask me authentication I suggest that u upgrade to a newer release of the server Hi, Sadly

[Announce] New book Tomcat Security Handbook

2003-03-03 Thread Vivek Chopra
Announcing the release of a new book- Tomcat Security Handbook (Wrox Press) http://www.wrox.com/books/1861008309.htm What does this book cover? This book is targeted at production deployments of Tomcat, and is a good complement to the Professional Apache Tomcat book (also Wrox Press). It covers

mod_jk and apache security issues

2003-03-01 Thread Eresha De Silva
Hi, I have just installed apache 1.3 and tomcat (4.1.18) with mod_jk (1.2.1) connector. I would like to be kept informed of any security issues that may arise with mod_jk, tomcat or apache. Is this the correct place to subscribe for such issues Could someone please advise, Thanks Eresha

JSP or Servlet wrt security

2003-02-27 Thread mls
For creating a totally new web site, is there any difference from security point of view of using only servlets or using only JSPs? Environment (if it matters) non-root Tomcat 4.1.18 (serving both static and dynamic pages - no web server ahead of it), Linux (RH 7.3), DMZ (packet filter), JNDI

Security for tomact 4.0.3

2003-02-26 Thread Lloyd A Duke
All, I have been wrestling with this for a week, to no avail. sigh I am trying to run tomcat with the security flag on. (Win2K) I have added the following to my catalina.policy grant codeBase "file:C:/dev/jakarta-tomcat-4.0.3/webapps/ROOT/WEB-INF/lib/site.jar" { permission

web site security and users/passwords

2003-02-22 Thread Brian K. Quade
I have been testing web site security on my test server at home and I can authenticate users just fine. But the only way I can add and remove users is to add and remove them in tomcat-users.xml. But that file is owned by the server, so whenever I put my web application out on a host server

RE: Form based security and Remember Me

2003-02-21 Thread Raible, Matt
Trollinger [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 20, 2003 1:12 PM To: [EMAIL PROTECTED] Subject: Form based security and Remember Me I searched the archive and only saw one message pertaining to this. Is anyone doing this at all? And if so how? Thanks, John

Form based security and Remember Me

2003-02-20 Thread John Trollinger
I searched the archive and only saw one message pertaining to this. Is anyone doing this at all? And if so how? Thanks, John

RE: Form based security and Remember Me

2003-02-20 Thread Shapira, Yoav
Howdy, I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me functionality doesn't typically work for me, but... Is anyone doing

RE: Form based security and Remember Me

2003-02-20 Thread John Trollinger
Subject: RE: Form based security and Remember Me Howdy, I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me

Re: Form based security and Remember Me

2003-02-20 Thread Will Hartung
From: John Trollinger [EMAIL PROTECTED] Sent: Thursday, February 20, 2003 12:31 PM Subject: RE: Form based security and Remember Me But does this work with Form based authentication and realms... How do you let the realm know that the user remembered so the login can be bypassed

RE: Form based security and Remember Me

2003-02-20 Thread Bill Lunnon
will always return a value (null is definitely an error). Hope this is relevant to the thread Bill -Original Message- From: John Trollinger [mailto:[EMAIL PROTECTED]] Sent: Friday, 21 February 2003 7:32 AM To: 'Tomcat Users List' Subject: RE: Form based security and Remember Me But does

Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated

2003-02-18 Thread mech
or false, although I provided that role already. Is there any better way to update Tomcat's security system to use the current roles and not to force a logoff and relogin? I have no idea at the moment where Tomcat stores the role info after login so that I could somehow update this info at the same time

Re: Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated

2003-02-18 Thread fcai
by ezmlm X-Msmail-Priority: Normal Content-Type: text/plain; charset=Windows-1252 X-Received: 18 Feb 2003 13:24:56 GMT List-Post: mailto:[EMAIL PROTECTED] Subject: Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated X

RE: Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated

2003-02-18 Thread mech
. Februar 2003 18:57 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated I believe there is a problem in Tomcat Form-based authentication mechanism which some

RE: Tomcat 4.1.18 container-specific security mechanism+JDBCRealm+How to update user roles without logoff/relogin when DB updated

2003-02-18 Thread mech
increases performance, but would be nice to have at least a chance to trigger an update in a servlet... Michael -Original Message- From: mech [mailto:[EMAIL PROTECTED]] Sent: Dienstag, 18. Februar 2003 20:04 To: 'Tomcat Users List' Subject: RE: Tomcat 4.1.18 container-specific security

Re: Form based security

2003-02-14 Thread Sean Dockery
, 2003 08:48 Subject: RE: Form based security Here's how I solved your issue: http://tinyurl.com/5s4e HTH, Matt -Original Message- From: Sloan Seaman [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 8:32 AM To: Tomcat Users List Subject: Re: Form based security

Re: Form based security

2003-02-14 Thread Steven J. Owens
On Fri, Feb 14, 2003 at 03:42:21PM -0700, Sean Dockery wrote: Redirecting all 400 errors to your index page is a questionable practice because not all 400 (SC_BAD_REQUEST) errors are Invalid direct reference ... errors. I wish that there was a legitimate configuration change to enable you to

Re: Form based security

2003-02-14 Thread Sean Dockery
based security Struts can hook into container-managed security - it has support for roles in its <logic:present ...> tag, in a roles attribute on its action mappings, and also in Tiles for displaying different pages based on roles. It really does nothing special - just hooks into what's already

RE: Tomcat security configuration guide

2003-02-13 Thread Turner, John
Wrox Press. ISBN: 1861008309 John -Original Message- From: Manavendra Gupta [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 2:44 PM To: Tomcat Users List Subject: Tomcat security configuration guide Hi, I have begun to work on a tomcat security configuration guide

Form based security

2003-02-13 Thread Sloan Seaman
I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type of configuration in the server.xml. The form I am using is: <form method="POST" action="j_security_check"> <input type="text" name="j_username"/> <input type

RE: Form based security

2003-02-13 Thread Barney Hamish
- From: Sloan Seaman [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 3:48 PM To: [EMAIL PROTECTED] Subject: Form based security I'm attempting to do form based security and I keep getting a 404 error when I click the submit button. I'm guessing I'm missing some type

Re: Form based security

2003-02-13 Thread Sloan Seaman
or is this something within tomcat? - Original Message - From: Barney Hamish [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Thursday, February 13, 2003 9:50 AM Subject: RE: Form based security Are you going directly to the login page? If so then you need to go to a page

Re: Form based security

2003-02-13 Thread Sloan Seaman
Ok, I figured most of the things out. My next question (along the same lines) is this: I have a link to the login.jsp which is now in a security-constraint area. When they use the login.jsp successfully it complains about: Invalid direct reference to form login page How do I use the login page

RE: Form based security

2003-02-13 Thread Barney Hamish
I think you've got the wrong idea about how the form-based security works. It is counter-intuitive I agree but anyway... Firstly the login form should not be in the secure area. Define as the default page something in the secure area. When the user tries to go to this default page tomcat

Re: Form based security

2003-02-13 Thread Sloan Seaman
Ok, I've got it now... Thanks for the information. Now my manager is saying he wanted it all done in Struts and that Struts has a security model that I should be using. Is he wrong? I thought struts was just tag libs and an MVC for hitting business logic. Time for me to learn struts now I

RE: Form based security

2003-02-13 Thread Raible, Matt
Here's how I solved your issue: http://tinyurl.com/5s4e HTH, Matt -Original Message- From: Sloan Seaman [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 8:32 AM To: Tomcat Users List Subject: Re: Form based security Ok, I figured most of the things out. My

RE: Form based security

2003-02-13 Thread Barney Hamish
No struts doesn't have a security model of its own but it does make it considerably easier to build your own if that's the path you want to go down -Original Message- From: Sloan Seaman [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 4:52 PM To: Tomcat Users List Subject

RE: Form based security

2003-02-13 Thread Raible, Matt
Struts can hook into container-managed security - it has support for roles in its <logic:present ...> tag, in a roles attribute on its action mappings, and also in Tiles for displaying different pages based on roles. It really does nothing special - just hooks into what's already there. If you're

Re: Form based security

2003-02-13 Thread Sloan Seaman
Here is what I'm thinking: I'm going to configure a realm that uses a db to store the user information (I'll prob. end up posting questions about that one :) ). I'll use the taglib-request tags to provide security down to the 'within html' level. That along with the logic-present tags and tiles

Re: Form based security

2003-02-13 Thread Sloan Seaman
the use in the role? If so, How? Thanks again! -- Sloan - Original Message - From: Barney Hamish [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Thursday, February 13, 2003 10:54 AM Subject: RE: Form based security No struts doesn't have a security model of its own

Tomcat as root and security issues

2003-02-13 Thread McBrayer, Roy
I received a response to a question on Tomcat security that said if I wanted to run Tomcat as standalone on port 80, I might have to run it as root and this was potentially unsafe. What methods are available to avoid these potentially unsafe issues? Thanks, Roy McBrayer -Original Message

Re: Tomcat as root and security issues

2003-02-13 Thread Jake Robb
, February 13, 2003 1:20 PM Subject: Tomcat as root and security issues I received a response to a question on Tomcat security that said if I wanted to run Tomcat as standalone on port 80, I might have to run it as root and this was potentially unsafe. What methods are available to avoid

RE: Tomcat as root and security issues

2003-02-13 Thread Turner, John
- From: Jake Robb [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 1:23 PM To: Tomcat Users List Subject: Re: Tomcat as root and security issues Use Apache and a connector like mod_jk. In this setup, Tomcat typically runs on port 8009, and Apache uses the connector to send

RE: Tomcat as root and security issues

2003-02-13 Thread Mike Jackson
10:27 AM To: 'Tomcat Users List' Subject: RE: Tomcat as root and security issues There are other alternatives, as well: - use a port forwarder to forward port 80 to port 8080 (or some other port) - use a tool like authbind and its kin - use chroot (there was a discussion about

RE: Tomcat as root and security issues

2003-02-13 Thread Turner, John
Neat. HOWTO? :) John -Original Message- From: Mike Jackson [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 1:31 PM To: Tomcat Users List Subject: RE: Tomcat as root and security issues Run squid in as a web accelerator in front of tomcat. Has the added

RE: Tomcat as root and security issues

2003-02-13 Thread Mike Jackson
There's an example in the squid documentation. :) --mikej -=- mike jackson [EMAIL PROTECTED] -Original Message- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 10:31 AM To: 'Tomcat Users List' Subject: RE: Tomcat as root and security issues

RE: Tomcat as root and security issues

2003-02-13 Thread Mike Jackson
, February 13, 2003 10:41 AM To: Tomcat Users List Subject: RE: Tomcat as root and security issues There's an example in the squid documentation. :) --mikej -=- mike jackson [EMAIL PROTECTED] -Original Message- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Thursday

Security Hole in 3.2.3

2003-02-12 Thread Ramkumar Krishnan
Hi All, I heard that there is a major security hole in 3.2.3. What is that?.. How to simulate this security hole?.. thanks, Ramkumar

Tomcat security configuration guide

2003-02-12 Thread Manavendra Gupta
Hi, I have begun to work on a tomcat security configuration guide as a one-stop guide for helping system administrators, security professionals and programmers to configure system user accounts and groups, file permissions, tomcat security realms, java security manager, etc in the optimal way

Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Sean Dockery
Programmer SBD Consultants http://www.sbdconsultants.com - Original Message - From: Felipe Crochik [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, February 09, 2003 21:34 Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed I am trying to use the tomcat security

RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Felipe
the Unauthorized: Logon Failed error page regardless the valid user and password). I know the ISAPI filter is working because if I remove the security constraint from tomcat I can get to it and I know the tomcat security constraint is working because if I can get to it using the stand alone port

Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

2003-02-10 Thread Sean Dockery
: IIS+Tomcat security constraint = Unauthorized: Logon Failed Yes. I have defined the user, password and role and everything else needed to make it work on tomcat. What seems to be the problem is that IIS is trying to authenticate the user by itself instead of forwarding the user/password
