I'm having problems using the Tomcat 4 security design for a slightly
customised requirement. I've created a custom realm for an external
information provider which, when I authenticate a user, gives me a token (in
the form of an essentially opaque object). This token needs to be passed
back
On Fri, 25 Oct 2002, vsajip (yahoo.com) wrote:
Date: Fri, 25 Oct 2002 23:06:29 +0100
From: vsajip (yahoo.com) [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Problems with Tomcat4 Security Design
I'm having problems using the Tomcat 4
Tim Funk wrote:
You'll want to protect your WEB-INF directory as well as any properties
files. You can do that by using the following in your httpd.conf:
(This should be the syntax)
<Files ~ "\.properties$">
Order allow,deny
Deny from all
Satisfy All
</Files>
<Directory ~ "/WEB-INF/">
SecurityManager permission problems are much easier to debug if you start tomcat
with the -Djava.security.debug=access,failure property defined, then
check your logs for the string denied. Then review the stack trace
and the ProtectionDomain which failed.
Regards,
Glenn
[EMAIL PROTECTED]
401/404 - Forbidden vs not found doesn't matter as long as the intruder
is forbidden. Relying on confusing the user is a nice technique for
preventing intruders since it may waste more of their time and make them
more likely to give up. But that may make others more determined to try
to break
I wish I could see some log files. Only file that seems to be active
is catalina.out
any assistance in this matter would be appreciated
here is the entry for the service
<Service name="Tomcat-Apache13">
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
port="8009"
Subject:Re: Security RISK !
Sigurður Bjarnason wrote:
Hi all
The question is.. is there any security risk if I Have the Apache
DocumentRoot
pointing straight to the webapps folder ?!
First of all, Apache cannot handle JSPs and has no knowledge of Servlets.
Second, if both
Robert L Sowders wrote:
This doesn't really pose a problem with a correctly configured connector
that is setup to handle all *.jsp and servlet requests.
Perhaps, but that idea somehow defeats my idea of a web application as a path
deployed from some other server. Maybe I'm wrong...
Nix.
--
You are not wrong at all.
Best practices for web servers dictate that no programs that operate as
root should have access to the document root of the web server. It is
indeed a bad practice from a strict security stand point. I was just
pointing out that it could be done without apparent
Regards,
Glenn
Sigurður Bjarnason wrote:
Hi all
I am using apache 1.3 and tomcat 4.0.4 together
I use apache to serve all the static content, which I have a special directory for and Tomcat serve all the jsp and servlet stuff..
The question is.. is there any security risk if I Have the Apache
I have the following exception thrown when attempting to access tomcat
app resources
WarpEngine[Apache - Tomcat4]: Mapping request
Security Violation, attempt to use Restricted Class:
org.apache.catalina.core.ApplicationDispatcher
java.security.AccessControlException: access denied
java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.core.*;
}
or do not use the SecurityManager.
*But* remember you are opening the Tomcat core classes to all web
applications, and this is potentially a *security risk*. Also, your
application is not portable across different Servlet
{
[...]
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.core.*";
}
Hi all
I am using apache 1.3 and tomcat 4.0.4 together
I use apache to serve all the static content, which I have a special directory for and
Tomcat serve all the jsp and servlet stuff..
The question is.. is there any security risk if I Have the Apache DocumentRoot
pointing straight
security risk if I Have the Apache DocumentRoot pointing straight to the webapps folder ?!
Best Regards
Siggi
--
To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help@jakarta.apache.org
Sigurður Bjarnason wrote:
Hi all
The question is.. is there any security risk if I Have the Apache DocumentRoot
pointing straight to the webapps folder ?!
First of all, Apache cannot handle JSPs and has no knowledge of Servlets.
Second, if both Apache and Tomcat-via-connector access the same
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Greetings,
I'm trying to use the security packages that are supported in jdk1.4 (no
need of JCE now) in tomcat environment.
In a test environment running a class test in a shell, I can access a DES
algorithm and use cipher/decipher methods
provider!!) in a
dynamic way without any hardcoded line adding the provider! It works but
only in a shell command line (probably because jre/lib/ext classpath and
other security features not defined in tomcat environment).
On Mon, 21 Oct 2002, psalazar wrote:
Greetings,
I'm trying to use
com.sun.crypto.provider.SunJCE());
The cool thing would be add the SunJCE provider (or other provider!!)
in a
dynamic way without any hardcoded line adding the provider! It works
but
only in a shell command line (probably because jre/lib/ext classpath
and
other security features not defined in tomcat
permissions.
Regards,
Glenn
Dala wrote:
When I use the security manager in Tomcat (4.1.12-LE-jdk1.4) some strange
problems occur.
When I execute the following simple JSP code:
<% request.getParameter("foo"); %>
I get the following exception:
org.apache.jasper.JasperException: org/apache/catalina/util
On Sat, 19 Oct 2002, grenoml wrote:
Date: Sat, 19 Oct 2002 13:33:16 -0700 (PDT)
From: grenoml [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Multiple Tomcat Security Realms
I went through the REALM HOW-TO also
When I use the security manager in Tomcat (4.1.12-LE-jdk1.4) some strange
problems occur.
When I execute the following simple JSP code:
<% request.getParameter("foo"); %>
I get the following exception:
org.apache.jasper.JasperException: org/apache/catalina/util/ParameterMap
I'm using Tomcat 4.1.9.
Can someone point me to a document or provide an
explanation of how the security realms work in Tomcat
and how to implement multiple realms? I've been
through the Manager HOW-TO. Still doesn't answer my
question.
Is it possible to declare more than one realm at a
time
I went through the REALM HOW-TO also. It just tells
you how to setup the various realm types but not how
to configure multiple realms.
--- grenoml [EMAIL PROTECTED] wrote:
I'm using Tomcat 4.1.9.
Can someone point me to a document or provide an
explanation of how the security realms work
Hi.
I'm having problems with https-connection to tomcat 4.0.2.
I have a jsp-page that sets content-type to application/pdf (with
response.setContentType) and prints the pdf with iText.
This works fine with http-connection and https without
security-constraints.
Has someone tested
: Exception starting filter Security Filter
Hi!
In fact I was wrong in my last post. As I found out later, it did not
work. I found a solution for my problem but I am not sure if it also
applies to yours, Dan. Sorry for not sharing my knowledge until now, but
it did not seem to interest anyone ;)
During
combinations
but to no avail. What do you think?
-Dan
-Original Message-
From: Volker Leidl [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 3:14 AM
To: Tomcat Users List
Subject: Re: Exception starting filter Security Filter
Hi!
In fact I was wrong in my last post. As I found out
tomcat instances, using the CATALINA_BASE
env. variable.
-Dan
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: Exception starting filter Security Filter
someone else had this problem last week
Do we get contributing author credit?
John
-Original Message-
From: Nilesh Parmar [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 1:56 AM
To: 'Tomcat Users List '
Subject: Apache Tomcat Security
Hi,
I've been subscribing to the this mailing list from quite
Include PostgreSQL as you did with mySQL
Thanks...
Andrew
cc:
Subject: Apache Tomcat Security
10/10/2002 01:55
different than anything else. Please avoid writing or
publishing a me/us too book.
John
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 9:03 AM
To: Tomcat Users List
Cc: 'Tomcat Users List '
Subject: Re: Apache Tomcat Security
: Apache Tomcat Security
--
Peer Information India Pvt Ltd, Mumbai
List '
Subject: Re: Apache Tomcat Security
Ditto to the contributing author comment. Looking at your email address,
you're a Wrox guy. Who's the audience for the book? Are you targeting the
developer or the sysadmin?
Nilesh Parmar
[EMAIL PROTECTED
I'm using TC 4.0.4, j2sdk1.4.0_01 and the securityfilter from
sourceforge.net, which is a pseudo container managed JDBC/MySQL security
realm. it's all running on win2000. i've also upgraded my commons-logging to
1.0.2 to see if that helps, but to no avail (although it did change the
stack trace
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
crafted URL to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected
-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: Exception starting filter Security Filter
someone else had this problem last week.
http://www.mail-archive.com/tomcat-user@jakarta.apache.org
Hi,
I've been subscribing to the this mailing list from quite a while. I'm
interested in developing a book on Apache Tomcat security. For a start, here
is what i've included as a specification for the book. Can anyone please
give me your valuable suggestions/ideas to make it a better book? I'd
Hi,
I know that when Tomcat starts it uses the catalina.policy file. Does anyone
know if it is possible to set a security policy file for individual WebApps?
Thanks
Jim.
Hi,
I want to use a jdbc realm with my application in tomcat 4.1
the problem is that I want to utilise a connection pool for authentication, but only
want the
connection pool jar file to have web app scope (in a war file).
I can go DriverManager.getConnection(poolURL) once I have loaded the
Tomcat to use HTTPS. A security
constraint has to have 3 things: 1- the web resource collection describing
what to protect, 2- the authorization constraint describing who gets access,
and 3- the user data constraint telling how to protect it at the transport
level. Since you mentioned that you set
to Tomcat 4.0.5 but I wanted to apply
some security immediately.
Yes, you can remove the servlet invoker mapping as I noted in the email
on the security issue or on the Jakarta website news post.
Remy
Maybe I don't understand, but DefaultServlet, which is supposed to serve
static content is disabled... How are we supposed to serve up pictures, etc
that are static??
The DefaultServlet is ok. But is was being called by the invoker
servlet in a roundabout (unintended manner). The invoker servlet is
typically mapped to /servlet/*
The invoker servlet should be disabled. Or restricted using many of
the ways described in other threads.
You should be fine
content. But the trouble is originating in the invoker servlet.
Andreas Mohrig
-Original Message-
From: Adam Greene [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:47 PM
To: Tomcat Users List
Subject: Questions about [SECURITY] Apache Tomcat 4.x JSP source
disclosure
if u can help me out I will appreciate it
Below is what my web.xml looks like. The manager role is the same role name I
specified in tomcat-users.xml
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>
Secure Area
</web-resource-name>
<url-pattern>/secure/*</url-pattern>
/web
. And some say this invoking method of calling
servlets should be disabled as a security precaution anyway, and only
defined servlets should be allowed (i.e., even before this bug showed
up).
This is all controlled by a servlet definition and mapping in the
web.xml (in Tomcat 4.0.X, at least, and I
Hi Ed,
You have a couple of problems. First, you left out the user data constraint
transport guarantee tag that forces Tomcat to use HTTPS. A security
constraint has to have 3 things: 1- the web resource collection describing
what to protect, 2- the authorization constraint describing who
HAVENS,PETER (HP-Cupertino,ex3) wrote:
I am using form based authentication on my Tomcat 4.0.4 server and I am
trying to figure out how to set up a security constraint that would apply
only to the login page. My global web.xml has a security constraint that
points to a login.jsp page
On Wed, 25 Sep 2002, Ramilio D wrote:
Hi Everyone,
I read in the bugtraq posting that I could fix the source code
exposure vulnerability in tomcat by modifying the JkMount
directive. I took a quick look at some documentation but I couldn't
figure out how to allow apache serve servlets yet
Do not mount /servlet/* but only the servlets that you application is really
using.
Regards,
Rossen Raykov
-Original Message-
From: Ramilio D [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 12:30 AM
To: [EMAIL PROTECTED]
Subject: Tomcat Security Problem Help (using
24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosurevulnerability
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)
So it sounds pretty much like
to this exposure.
Regards,
Rossen Raykov
-Original Message-
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:59 PM
To: Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosurevulnerability
On Tue, Sep 24, 2002
I tried to test this security vulnerability on my tomcat 4.0.4 (alone)
setup but wasn't able to view my JSP files as claimed.
According to
http://online.securityfocus.com/archive/1/292936/2002-09-21/2002-09-27/0, if my
JSP file is accessible via http://donor.ucsd.edu
/ Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
From: Mona Wong-Barnum [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source
disclosure
to apply
some security immediately.
--
carrie s.
On Wed, Sep 25, 2002 at 03:15:31PM -0700, Mona Wong-Barnum wrote:
I tried to test this security vulnerability on my tomcat 4.0.4 (alone)
setup but wasn't able to view my JSP files as claimed.
According to
http
A security vulnerability has been confirmed to exist in all Apache
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which
allows to use a specially crafted URL to return the unprocessed source
of a JSP page, or, under special circumstances, a static resource which
would
: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED] wrote:
and readable. I haven't seen much about security. What makes
it more secure than JSP?
--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
From: Jon Scott Stevens [mailto
Rossen
-Original Message-
From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 5:26 PM
To: tomcat-dev; Tomcat Users List
Subject: Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability
on 2002/9/24 4:59 AM, Remy Maucherat [EMAIL PROTECTED
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source
disclosurevulnerability
I'm having a hard time finding many specifics about this exploit. It
sounds like you're forcing the default servlet to serve up the source
page as static content. Why isn't Velocity vulnerable in the
same way?
I'll
/ Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
-Original Message-
From: Rossen Raykov [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 6:17 PM
To: 'Tomcat Users List'
Subject: RE: [SECURITY] Apache Tomcat 4.x JSP source
disclosurevulnerability
See
On Tue, Sep 24, 2002 at 06:52:10PM -0400, Tim Moore wrote:
OK, thanks. (The BugTraq search engine wasn't working when I checked
there.)
So it sounds pretty much like what I thought it was. I still don't
understand why Velocity wouldn't be vulnerable to this exploit.
It sounds to me like it
I am using form based authentication on my Tomcat 4.0.4 server and I am
trying to figure out how to set up a security constraint that would apply
only to the login page. My global web.xml has a security constraint that
points to a login.jsp page as the form-login-page. As I understand
Hi Everyone,
I read in the bugtraq posting that I could fix the source code exposure
vulnerability in tomcat by modifying the JkMount directive. I took a quick
look at some documentation but I couldn't figure out how to allow apache
serve servlets yet disallow those containing the
Explanation: I'm implementing a very crude security system on my site
for right now (mainly to just keep people from accessing the email
addresses and photos on the site), but I need to implement a password
change page. So what I did (and yes I know it's a hack 8), I
implemented a JNI interface
I'm trying to retrieve the userid that logged into apache and accessed
the current JSP page. How can I get this info?
Hi,
I'm relatively new to admining tomcat and have been looking for some ways to
secure tomcat. I haven't found much of anything useful. Are there any docs
on known security issues with tomcat, or any howto's when configuring
security? We're running tomcat 4.0.3, apache 1.3.26 and mod_jk
PROTECTED]
Subject: tomcat security
Hi! So is there a way for tomcat to share (or retrieve) the authentication
information with IIS?
-Original Message-
From: Reynir Hübner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:21 AM
To: Tomcat Users List
Subject: RE: IIS and security constraints
I think you need
The Tomcat site contains the following:
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/security-manager-howto.html
and
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
The security manager is probably the first place to start.
-- Jeanfrancois
Steven Garrett wrote:
Hi,
I'm
-Original Message-
From: Przemyslaw Wegrzyn [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 06, 2002 1:22 PM
To: Tomcat Users List
Subject: RE: Tomcat shutdown security
On Fri, 2002-09-06 at 21:04, Turner, John wrote:
Very interesting. I hadn't investigated this scenario until now
: Tomcat shutdown security
FYI,
Yes tomcat does use a port to shutdown but it is a
requirement that the port
be written to from the local host. That is if you try to
open a socket and
write the shutdown command to it, Tomcat will only shutdown
if this is done
from the same system
: HAVENS,PETER (HP-Cupertino,ex3) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 2:12 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat shutdown security
<% System.exit(0); %>
To solve that, read up on running Tomcat under a security manager.
Craig
On Wed, 11 Sep 2002, HAVENS,PETER (HP-Cupertino,ex3) wrote:
Date: Wed, 11 Sep 2002 14:12:05 -0400
From: HAVENS,PETER (HP-Cupertino,ex3) [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL
Hey folks -
I searched the archives for help but didn't find what I needed.
I have a security constraint in my web.xml file like so:
<web-resource-collection>
<web-resource-name>Protected pages</web-resource-name>
<url-pattern>/p/*</url-pattern>
</web-resource-collection>
Problem arises when I want
: www.innovobjx.com
Tel: 905-729-2235 x3
Fax: 905-729-2235
-Original Message-
From: Tim Colson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 10, 2002 5:46 PM
To: [EMAIL PROTECTED]
Subject: Security match fails url-pattern /p/* on TC 3.2.1
Hey folks
Michael -
Wouldn't '/p/*' imply a match for URLs that contain /p/
That is what it's supposed to match, from the servlet spec.
(e.g. http://server/webapp/p/securelist.do).
This is authenticated, as expected.
The problem, as I stated, is that this url also forces authentication -
but it
security
Hello !
I've just installed Tomcat, and discovered, that any regular user can
stop
Tomcat with bin/shutdown.sh. How can I protect Tomcat from this ?
P.Wegrzyn
The shutdown.sh is a file and its access can be protected. What were your
expectations?
- Original Message -
From: Shapira, Yoav [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, September 06, 2002 2:40 PM
Subject: RE: Tomcat shutdown security
Hi,
How about
On Fri, 2002-09-06 at 14:40, Shapira, Yoav wrote:
Hi,
How about not letting any regular user execute bin/shutdown.sh? ;) ;) ;)
Nope, it's not the solution.
Anyone can download tomcat, extract shutdown.sh and execute.
Shutdown connects to Tomcat through a socket, so it's even possible
across
Very interesting. I hadn't investigated this scenario until now. I like
your suggestion.
John
-Original Message-
From: Przemyslaw Wegrzyn [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 06, 2002 2:20 PM
To: Tomcat Users List
Subject: RE: Tomcat shutdown security
On Fri
On Fri, 2002-09-06 at 21:04, Turner, John wrote:
Very interesting. I hadn't investigated this scenario until now. I like
your suggestion.
Even more, I've checked what exactly goes there, and you can stop
default Tomcat installation by simply telneting localhost 8005 and
typing SHUTDOWN from
Hello!
I am using Container Based Security with the Tomcat 4.1.9 beta.
Current I have Form based Authentication configured.
I'd like to allow the user to authenticate before he tries to access a
resource that is protected by security contraints in web.xml.
== Is it possible for a Servlet/JSP
Search the archive. The short answers are below.
Andreas Schildbach wrote:
rolename="admin"/>
<user username="admin" password="test1" roles="admin"/>
<user username="sysop" password="test2" roles="sysop"/>
In the server.xml file I have uncommented the:
<Realm className="org.apache.catalina.realm.MemoryRealm" /> line.
Then in the web.xml file I have added the following:
<security-constraint>
901 - 1000 of 1624 matches