:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 3:50 PM
To: Tomcat Users List
Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Can you authenticate through the Tomcat standalone port? Or does that
fail
as well?
What method of authentication are you using? BASIC or DIGEST
Message -
From: Felipe [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Monday, February 10, 2003 14:39
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Yes. I can authenticate through the tomcat standalone port.
I am using the BASIC with a MemoryRealm
: Saturday, February 08, 2003 21:13
Subject: War files / codeBase and security permissions (v4.0.4)
I'm deploying a war file with unpackWARs=false. I am trying to grant
permissions to this war in 04webapps.policy.
Here is what I've tried...
Given the examples this is what I would expect
Hello,
I'm a tomcat newbie running debian and trying to use tomcat 4.0.3-3woody2
and velocity-1.3.1-rc2. So far I haven't managed all that well. =)
If I disable the java security manager everything works fine. But I
kinda figure that the security manager is there to serve a purpose.
I would
I am trying to use the tomcat security constraints behind an IIS web
server. I know tomcat and the ISAPI filter are working. Also, Tomcat
authorization is working bypassing IIS using port 8080.
When I try to reach the exactly same application through IIS (port 80) I
get the user validation
I'm deploying a war file with unpackWARs=false. I am trying to grant
permissions to this war in 04webapps.policy.
Here is what I've tried...
Given the examples this is what I would expect to work but doesn't:
grant codeBase file:${catalina.home}/webapps/iface.war!/- {
permission
.
//
// catalina.corepolicy - Security Policy Permissions for Tomcat 4.0
//
// This file contains a default set of security policies to be enforced (by
the
// JVM) when Catalina is executed with the -security option. In addition
somebody can help me!
I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded
the security manager. Recently I had
to put up a file upload form on one of my web sites, and when I deployed
the jsp to accept the form data and save the uploaded file to disk...it
came up with the error File cannot be saved. I am using jspSmartUpload
class to handle the multipart form data
to which I want to save
uploaded files.
//
// catalina.corepolicy - Security Policy Permissions for Tomcat 4.0
//
// This file contains a default set of security policies to be enforced (by
the
// JVM) when Catalina is executed
Hello All
Hope somebody can help me!
I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works
fine if started without the security manager. Recently I had to put up a file upload
form on one of my web sites, and when I deployed the jsp to accept the form data
has anyone come across an implementation of a realm for Tomcat which
authenticates users against the operating system's logins/passwords?
thanks in anticipation
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional
[EMAIL PROTECTED] wrote:
has anyone come across an implementation of a realm for Tomcat which
authenticates users against the operating system's logins/passwords?
thanks in anticipation
Cyrus SASL 2.1.x has a JAR file with some classes that have SASL functionality.
Maybe it is not too hard to
application via its web.xml
file in spite of the presence of a security manager. The content
of files that can be read as part of an XML document would be
accessible. If you are running Tomcat 3.3.1 or earlier with a
security manager, and are serving web applications whose web.xml
content is not known
Apparently, this is the case. Yet another awful fact for those stuck
with Tomcat 3.3.
<!-- URL Mapping. This must go between servlet and security sections. -->
<servlet-mapping>
<servlet-name>DynaFastSurv3</servlet-name>
<url-pattern>/s3</url-pattern>
</servlet-mapping>
se. Yet another awful fact for those stuck
with Tomcat 3.3.
!-- URL Mapping. This must go between servlet and security
sections. --
servlet-mapping
servlet-name
DynaFastSurv3
/servlet-name
url-pattern
/s3
/url-pattern
/servlet
Hi,
When tomcat starts up, it displays all the information initially itself
specific to a web application (all the tables information)
Here is the context path I have given in server.xml
Context path=/ormap cookies=true
docBase=D:\Tomcat\webapps\ormap
reloadable=true crossContext=true
Realm
hi,
Are there any known security holes in tomcat 3.2.3 ?
thanx and regards
anil
: security holes in tomcat 3.2.3
hi,
Are there any known security holes in tomcat 3.2.3 ?
thanx and regards
anil
Hello everyone,
Just thought some people would like to see this, if they had not heard of it already.
You can read the report on their site, as well as get the PDF form:
http://www.owasp.org/
Lior
I'm getting a security alert msg box that says This
page contains both secure and nonsecure items. Do you
want to display the nonsecure items? when I use the
browser back to return to the previous page.
The flow is like this: I have a relative link in
page1.jsp to go to page2.jsp. I land
should happen?
Michael
-Original Message-
From: Peter Lee [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 27. Dezember 2002 21:22
To: [EMAIL PROTECTED]
Subject: RE: Security constraint problem with v4.1.18
On 25 Dec 2002 at 13:30, mech wrote:
I cannot tell if there's a difference
Thank you Gary, I will check these links out. Have a happy new year.
Gary Gwin [EMAIL PROTECTED] wrote:Lior,
It looks like you have short-circuited Tomcat's security model and
created your own. We have a Tomcat Security Overview and Analysis that
might be of help at:
http://www.cafesoft.com
Hello,
I'm a bit confused about the whole security implementation in Tomcat. I'm using a
webapp that has a Login.html page that posts information to a servlet that queries a
database to authenticate the user. The values are then set into a bean, and each page
checks the existence of the bean
Lior,
It looks like you have short-circuited Tomcat's security model and
created your own. We have a Tomcat Security Overview and Analysis that
might be of help at:
http://www.cafesoft.com/products/cams/tomcat-security.html
You might also reference the security section of the servlet
I cannot tell if there's a difference between 4.1.12 and 4.1.18 as I'm
still using 4.1.15.
I would first change the url pattern to
<url-pattern>/protected/*</url-pattern>
Second add <security-role><role-name>myrole</role-name></security-role>
Tags under the document root for all roles you use. As far as I
I upgraded from 4.1.12 to 4.1.18, but I got some problems with security constraints.
I have applied a security constraint on a particular url pattern. Only certain users
with a special rolename can
access that link. It used to work but now the page does not load with v4.1.18.
Is SSL implemented
That is what I needed ...
Thanks all
To follow this up, why is this a security risk?
Do they want specific mapping for each servlet?
Thanks
-Original Message-
From: PELOQUIN,JEFFREY (HP-Boise,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 9:54 AM
To: 'Tomcat Users
ext. 258 / Fax 202-463-4863
-Original Message-
From: Randy Paries [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 11:20 AM
To: 'Tomcat Users List'
Subject: RE: Should not be this hard(why is this a security risk)
That is what I needed ...
Thanks all
To follow
These messages indicate that a fix is in the works: A new Tomcat 4.1.x
release incorporating the fix to the invoker servlet will be made
available shortly.
Am I reading this correctly as saying the quick fix is to disable the
invoker, but the long term fix is to change the invoker to make the
-Original Message-
From: Larry Meadors [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Should not be this hard(why is this a security risk)
These messages indicate that a fix is in the works: A new
Tomcat 4.1.x release
On Thu, 19 Dec 2002, Tim Moore wrote:
Date: Thu, 19 Dec 2002 12:48:37 -0500
From: Tim Moore [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: RE: Should not be this hard(why is this a security risk)
-Original Message
, December 19, 2002 10:19 AM
Subject: RE: Should not be this hard(why is this a security risk)
That is what I needed ...
Thanks all
To follow this up, why is this a security risk?
Do they want specific mapping for each servlet?
Thanks
-Original Message-
From: PELOQUIN,JEFFREY
Tomcat 4.1.18 has just been released, and includes a fix for an object
recycling bug which could be exploited by a denial of service attack.
The bug was introduced in Tomcat 4.1.16 Beta, and is still present in
Tomcat 4.1.17 Stable. The release also includes a fix for SSL handling
in the JK
the database driver.
Has there been some security updates to Tomcat that prohibit loading a database driver
unless specified ?
Here's the localhost_log.2002-12-17.txt file error message,
Error Loading interbase.interclient.Driver
...and here's the servlet code..
import interbase.interclient.Driver
:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 8:55 AM
To: [EMAIL PROTECTED]
Subject: JDBC security?
To all,
I had a servlet communicating via JDBC to an Interbase database on Tomcat
3.? and Apache 1.3.27, I can't remember tomcat version.
Now that I have Apache 2.04 and Tomcat 4.1.17
and which may due to the
driver lib is located in the wrong place. Hope this helps.
Regards,
Michael
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 8:55 AM
To: [EMAIL PROTECTED]
Subject: JDBC security?
To all,
I had a servlet
: RE: JDBC security?
Here's the localhost_log.2002-12-17.txt
2002-12-17 10:36:05 WebappLoader[/bd]: Deploying class repositories to work
directory /opt/tomcat/work/Standalone/localhost/bd
2002-12-17 10:36:05 WebappLoader[/bd]: Deploy class files /WEB-INF/classes
to /opt/tomcat/webapps/bd/WEB-INF
] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 1:23 PM
To: [EMAIL PROTECTED]
Subject: RE: JDBC security?
Here's the localhost_log.2002-12-17.txt
2002-12-17 10:36:05 WebappLoader[/bd]: Deploying class repositories to work
directory /opt/tomcat/work/Standalone/localhost/bd
2002-12-17 10:36
ROTECTED] wrote:
Hi,
I want to know if there is a way to manage authorization to
URL + Parameters.
I am using servlets and states to identify the action in my
programs, so this is very important.
For now I am using this XML:
security-constraint
web-resource-collection
web-
to know if there is a way to manage
authorization to
URL + Parameters.
I am using servlets and states to identify the action
in my
programs, so this is very important.
For now I am using this XML:
security-constraint
web-resource-collection
web-resource-nameSample
Airlines/web-resou
Adding these permissions took care of the problem. Thanks a lot.
-- Gayathri
-Original Message-
From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 13, 2002 12:45 AM
To: Tomcat Users List
Subject: Re: Security violation in Tomcat 4.0.6
In catalina.properties
Am curious as to why the double entry of permission
java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.util; ?
Also I have a stock binary download 4.1.12 and does not have this under
//Required for servlet and JSP's and should I include it?
permission
The fix was introduced in Tomcat 4.1.13.
aps olute wrote:
Am curious as to why the double entry of permission
java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.util; ?
Actually, that's a very good question. It is not supposed to make a
difference. I will try to find why
Hi
I am using Tomcat 4.0.6 LE JDK 1.4 with JDK 1.4.1_01.
I am getting the following Security violation when I try to access my web
application.
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util
Hi,
I want to know if there is a way to manage authorization to
URL + Parameters.
I am using servlets and states to identify the action in my
programs, so this is very important.
For now I am using this XML:
security-constraint
web-resource-collection
web-resource-nameSample Airlines/web
with JDK 1.4.1_01.
I am getting the following Security violation when I try to access my web
application.
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
at
java.security.AccessControlContext.checkPermission
to know if there is a way to manage authorization to
URL + Parameters.
I am using servlets and states to identify the action in my
programs, so this is very important.
For now I am using this XML:
security-constraint
web-resource-collection
web-resource-nameSample Airlines/web-resource-name
url
session (if it's anotherone). Session
sharing is not possible anymore...
If it was the same session id when switching from http to https, then
that would also be a security risk would not it?
Thanks!
Actually (hopefully I didn't snip you out of context) ...
If a user switches from http to https - shouldn't a new session id be
assigned? If not - an attacker can swipe the session id while the user
was in http mode. Then the attacker can issue requests using https with
the httpd session id.
javax.servlet.request.cipher_suite? Where did you get that?
Pae
Actually (hopefully I didn't snip you out of context) ...
If a user switches from http to https - shouldn't a new session id be
assigned? If not - an attacker can swipe the session id while the user
was in http mode. Then
On Sat, 7 Dec 2002, Pae Choi wrote:
Date: Sat, 7 Dec 2002 17:17:12 -0500
From: Pae Choi [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Security constrant to force SSL works with apache+tomcat
I got the following warning. what does it really mean?
WARNING: Security role name specialrole used in an auth-constraint without being
defined in a security-
role
I have not tested this, but wanted to make sure before I do all the
necessary changes.
I have apache in front of tomcat, apache handles the ssl
communication... I need to make sure that some stuff happens only via
ssl, and i had a filter for that. But i was recommended to use a
security
I guess, in answer to my first question here, The security constraint
tells tomcat to use its own ssl, it won't tell apache to use ssl...
I would totally use tomcat stand alone with ssl, if i can figure out how
not to lose objects created in the session before switching to https..
Any insight
to use a
security constraint in tomcat instead. Will this work having apache on
top of tomcat?
Also. I only have apache + tomcat because when I enabled SSL to tomcat
stand alone, whenever switching to ssl, i would not be able to access
all my session objects created before the switch
the
necessary changes.
I have apache in front of tomcat, apache handles the ssl
communication... I need to make sure that some stuff happens only via
ssl, and i had a filter for that. But i was recommended to use a
security constraint in tomcat instead. Will this work having apache
... Is there a way to be able to access those objects in the
non https session?
AFAIK, pretty much no. Doing so would be a security risk. This has
come up many times before, check the list archives. General
recommendation is to not switch between http and https, always use one
or the other.
Also, I'm
you share yours? If i use the methods (getRemoteAddress() and such) in
stand alone mode, they work fine...
AFAIK, pretty much no. Doing so would be a security risk. This has
come up many times before, check the list archives. General
recommendation is to not switch between http and https
On Fri, 6 Dec 2002, Peter Lee wrote:
Date: Fri, 06 Dec 2002 03:52:38 -0800
From: Peter Lee [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED],
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Security role name warning
I got the following warning. what does it really
On Fri, 6 Dec 2002, Milt Epstein wrote:
Date: Fri, 6 Dec 2002 16:17:41 -0600 (CST)
From: Milt Epstein [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Security constrant to force SSL works with apache+tomcat?
On 6 Dec
Apologies if this has all been asked / answered before (in fact I hope it
has, and a pointer to previous info would be great!), but I'm looking for a
little reassurance on some security concerns. Okay
I have a web-application for which I'm using form-based login to
authenticate the user
info would be great!), but I'm looking for a
little reassurance on some security concerns. Okay
I have a web-application for which I'm using form-based login to
authenticate the user. It's running over HTTPS / SSL. When I fire up my
browser and enter a URL requesting a resource that falls
the security manager correctly
and looked into the tomcat.policy file
in the {tomcat.home}/conf dir just to see that everything was set correctly
(for us) from the site management utility:
...
grant codeBase file:/home/.sites/143/site40/web/- {
permission SocketPermission localhost:1024-, listen
* J.P.Jarolim [EMAIL PROTECTED] [1217 11:17]:
java.security.AccessControlException: access denied (java.io.FilePermission
/home/.sites/143/site40/web/test.txt read)
We looked into the tomcat docs how to setup the security manager correctly
and looked into the tomcat.policy file
docs how to setup the security manager correctly
and looked into the tomcat.policy file
in the {tomcat.home}/conf dir just to see that everything was set correctly
(for us) from the site management utility:
...
grant codeBase file:/home/.sites/143/site40/web/- {
permission SocketPermission
Hi - thanks for the answer;
I found the following line in the description for java.io.FilePermission
indicating that i could have a serious problem in understanding english
(nosarkasm):
A pathname that ends with /- indicates (recursively) all files and
subdirectories contained in that directory.
sites.
thanx for your all your help on this group,
J.P.Jarolim
P.S.: Keywords for other googlers like me:
tomcat ignoring ignore tomcat.policy grant java server.xml security manager
FilePermission java.security.AccessControlException secure security sun
cobalt
about the -nonaming switch in the archives, thanks for
that), but then I get a security authentication
exception in the app. server because principal=null.
Has anyone had success propagating security to an
application server, such as JBoss?
I'm under the impression (from JBoss forums mainly
Run Tomcat with the Java SecurityManager (-security startup option) and only
grant the minimum permissions necessary to your webapp. See the Security
Manager HOWTO in the Tomcat docs.
Glenn
Anderson, M. Paul wrote:
I am preparing to launch my first web site utilizing an Apache/Tomcat
with the exact same text.
Regards,
Glenn
[EMAIL PROTECTED] wrote:
I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?
In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:
grant codeBase file:${catalina.home
the server as root to
initialize everything that needed root, then the server will change and run
as your desired credential?
With the above setup it is running fine, but when i try to run it with the
security manager using the default catalina.policy
# export CATALINA_OPTS=-Djava.security.debug
as the path
separator. I'm not sure if Tomcat's class loader uses the standard policy
file reader or not, but with the standard security manager, you need to
escape the backslashes (double-backslashes), as in:
permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";
On Win32, the forward slash works as well. For example,
grant codebase file://drive name:/- {
Pae
- Original Message -
From: Greg Trasuk [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Wednesday, November 20, 2002 5:05 AM
Subject: RE: Granting security
I am preparing to launch my first web site utilizing an Apache/Tomcat
configuration. The server will host a single web site, at least for now
that uses servlets and jsp with a database backend. I have set up the
Apache and Tomcat as discussed in the documentation with much help from
people on
-Original Message-
From: Anderson, M. Paul [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 9:05 AM
To: 'Tomcat Users List'
Subject: Apache/Tomcat Security
I am preparing to launch my first web site utilizing an Apache/Tomcat
configuration. The server will host a single web
Thank you for your suggestions. See my comments below:
First, ensure you are running with the -security option that
turns on Tomcat
with the security manager installed. Often you need to modify the
I am definitely running with the -security option. I have double-checked
that it's in my
I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?
In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:
grant codeBase "file:${catalina.home}/-" {
    permission java.security.AllPermission;
};
I would
I know it's not going to help you much or at all. And I am not
certain what's going on with your side, but just FYI. I have
tested the TC v4.1.12 with -security. And it runs fine on
the WinNT.
It has many security permissions in the catalina.policy, including
own Web Apps, JAXM, AXIS, RMI stub
I was trying to use the webapps/exmaples/jsp/security/protected
example with SSL but experienced strange effects with different
browsers.
I did the following with Tomcat 4.1.12LE (Jboss bundle, but shouldn't
matter as tomcat was started standalone):
I successfully enabled SSL by uncommenting
Hi all,
Runnin' Tomcat 4.0.2 and Apache 1.3.26 on SOLARIS 8 in Production.
I'd like to get /webapp-info/ secured by login/password - even BASIC -
when asked by
http://my.sever.com/webapp-info/
Any help welcome.
Jean-Luc B :O)
just be strCommand[0] = ls. However, what I'm still puzzled about
is, as indicated by another reader, the security problem related to this.
Everyone programming webapps for a server has basically root rights on this
machine, at least with the default settings. Any suggestions how to get
around
I am using the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under the webapp directory who
i am executing i have an exception:
javax.servlet.ServletException: Servlet execution
threw an exception
Which version of Tomcat are you using?
-- Jeanfrancois
Jose Antonio Martinez wrote:
I am using the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under the webapp directory who
i am executing i have an exception
tomcat 4.0.5
--- Jeanfrancois Arcand [EMAIL PROTECTED]
escribió: Which version of Tomcat are you using?
-- Jeanfrancois
Jose Antonio Martinez wrote:
I am using the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under
the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under the webapp directory
who
i am executing i have an exception:
javax.servlet.ServletException: Servlet execution
threw an exception
4.0.5
--- Jeanfrancois Arcand [EMAIL PROTECTED]
escribió: Which version of Tomcat are you using?
-- Jeanfrancois
Jose Antonio Martinez wrote:
I am using the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under
of Tomcat are you using?
-- Jeanfrancois
Jose Antonio Martinez wrote:
I am using the default security configuration at
manager 'catalina.policy' file, but when i try to
access files which are under the webapp directory
who
i am executing i have
)?
-- Jeanfrancois
Jose Antonio Martinez wrote:
tomcat 4.0.5
--- Jeanfrancois Arcand [EMAIL PROTECTED]
escribió: Which version of Tomcat are you
using?
-- Jeanfrancois
Jose Antonio Martinez wrote:
I am using the default security configuration
Hi all!
I'm seeing some strange behavior with declarative security. I've got
everything set up and working correctly under jboss-3.0.4_tomcat-4.1.12, when
I access a protected resource, the login page is invoked, the container goes
out to the database, looks up the user, sets up the session
Hi,
I have installed Tomcat 4.1.12 under Windows 2000 as service and it
runs fine. Now I want to enable the Security Manager. This works when
I start the server with startup.bat -security. But I want to start it
as service. Does anyone have ideas how to do it?
I tried the following things without
server, where u can set
user and group permission to run as, you start the server as root to
initialize everything that needed root, then the server will change and run
as your desired credential?
With the above setup it is running fine, but when i try to run it with the
security manager using
Hi,
I invoked the TomCat 4.0.4 with the security manager default policy
(catalina.policy).
The thing is that I could invoke all the servlets,jsp's and html files which
are in my webapps although i specify no access permission to those webapps.
How can I disable specific classes/jsp/html from
without
compromising security, and without replicating files.
- Original Message -
From: Tim Funk [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, October 24, 2002 12:08 PM
Subject: Re: Security RISK !
401/404 - Forbidden vs not found doesn't matter as long
easier. This way, you can let Apache serve your static content without
compromising security, and without replicating files.
That way a web-app is encapsulated and Apache still gets to do its job. The
best thing would be if the connector would be able to do this auto-magically -
that is, to create
can stuff a
custom security token object from the realm into the
request. Is there some philosophical reason why the
request can't be passed in to the realm calls? How
would one go about making an official request for the
Realm API to be augmented? I'd be happy to submit a
patch, if that would help
We know that security thru obscurity is not good, but... can the banner
of the precompiled Tomcat in the Windows download jakarta-tomcat-4.0.5.exe
be changed so that this does not display:
GET / HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Date: Sun, 27 Oct 2002 17:23:36