On 8/23/2018 4:26 AM, Mark Thomas wrote:
> On 22/08/18 19:48, Terence M. Bandoian wrote:
>> Back on topic, do JSPs have to be registered with the container using
>> servlet mappings in web.xml or some other mechanism in order to serve as
>> targets of forwards by servlets? Further, does doing so make
On 22/08/18 19:48, Terence M. Bandoian wrote:
> Back on topic, do JSPs have to be registered with the container using
> servlet mappings in web.xml or some other mechanism in order to serve as
> targets of forwards by servlets? Further, does doing so make those JSPs
> accessible via external
Cris,
On 8/22/18 11:22 AM, Berneburg, Cris J. - US wrote:
> Chris
>
> [combining messages]
>
> cjb> Am I mistaken, but does vulnerability scanning software
> cjb> seem to feed on that sort of thing?
>
> cs> Most vulnerability scanners just try
Has any decision been made on how the original poster will do this?
As I read through the various responses, while you can always argue
certain structures are better, it's simply not true that if you create
messy/insecure JSPs, you'll somehow create clean/secure servlets. Any
error you would
On 8/21/2018 11:44 AM, Christopher Schultz wrote:
> Cris,
>
> On 8/20/18 1:31 PM, Berneburg, Cris J. - US wrote:
>> Hi Mark
>>
>> Thanks for taking the time to reply. :-)
>>
>> cjb> Due to security concerns and general fussiness on my part, I'd
>> cjb> like to
On Wed, Aug 22, 2018 at 11:44 AM, Berneburg, Cris J. - US wrote:
> Hi Woonsan
>
> cjb> I'd like to prevent users from requesting JSP pages directly
>
> cjb> a. [...] adding a for each folder.
>
> cjb> b. [...] JSP files under the WEB-INF folder.
>
> wk> c. Implement a servlet filter which is
Hi Woonsan
cjb> I'd like to prevent users from requesting JSP pages directly
cjb> a. [...] adding a for each folder.
cjb> b. [...] JSP files under the WEB-INF folder.
wk> c. Implement a servlet filter which is mapped to /* with
wk> dispatcher options: REQUEST, INCLUDE, FORWARD. The filter
Chris
[combining messages]
cjb> Am I mistaken, but does vulnerability scanning software
cjb> seem to feed on that sort of thing?
cs> Most vulnerability scanners just try to detect your server's
cs> version and look-up any publicly-reported vulnerabilities in
cs> e.g. NVD. They are really stupid
Cris,
On 8/20/18 1:31 PM, Berneburg, Cris J. - US wrote:
> Hi Mark
>
> Thanks for taking the time to reply. :-)
>
> cjb> Due to security concerns and general fussiness on my part, I'd
> cjb> like to prevent users from requesting JSP pages
Cris,
On 8/20/18 2:10 PM, Berneburg, Cris J. - US wrote:
> cs> So, while there isn't anything particularly "dangerous" about
> cs> direct-access to JSPs, there are a number of "best practices"
> cs> that suggest that hiding them is a good idea.
>
Terence,
On 8/18/18 10:39 PM, Terence M. Bandoian wrote:
> On 8/17/2018 8:52 AM, Christopher Schultz wrote:
>>
>> Mark,
>>
>> On 8/17/18 3:54 AM, Mark Thomas wrote:
>>> On 16/08/18 18:19,
Chris (and Mark)
Bingo!
cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being validated,
cjb> input scrubbed, JSP's cannot be taken advantage
On Mon, Aug 20, 2018 at 1:19 PM, Berneburg, Cris J. - US wrote:
> Hi Woonsan
>
> Thanks for providing an "option C". :-) There is still much for me to learn.
You're welcome. :-)
>
> cjb> Due to security concerns and general fussiness on my part, I'd like
> cjb> to prevent users from requesting
Hi Mark
Thanks for taking the time to reply. :-)
cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being validated,
cjb> input scrubbed, JSP's
Hi Woonsan
Thanks for providing an "option C". :-) There is still much for me to learn.
cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being
Hi Chris
Thanks for your insight and reply.
cjb> I'd like to prevent users from requesting JSP pages directly,
cjb> except for the login page.
cs> Why except for the login page? I would include the login page
cs> as something that should be fronted with a (non-JSP) servlet,
cs> even if that
Hi Louis
Thanks for replying to my request for help. :-)
cjb> Due to security concerns and general fussiness on my part, I'd like
cjb> to prevent users from requesting JSP pages directly [...]. That
cjb> way I can legitimately claim that all requests are being validated,
cjb> input
David
Thanks for taking the time to reply. :-)
cjb> Due to security concerns and general fussiness on my part, I'd like to
cjb> prevent users from requesting JSP pages directly [...]. That way I can
cjb> legitimately claim that all requests are being validated, input scrubbed,
cjb> JSP's
To: Tomcat Users List
Subject: Re: how to prevent user access to JSP pages?
On 8/17/2018 8:52 AM, Christopher Schultz wrote:
>
> Mark,
>
> On 8/17/18 3:54 AM, Mark Thomas wrote:
>> On 16/08/18 18:19, Berneburg, Cris J. - US wr
On 8/17/2018 8:52 AM, Christopher Schultz wrote:
> Mark,
>
> On 8/17/18 3:54 AM, Mark Thomas wrote:
>> On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
>>> Due to security concerns and general fussiness on my part, I'd
>>> like to prevent users from requesting
Mark,
On 8/17/18 3:54 AM, Mark Thomas wrote:
> On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
>> Due to security concerns and general fussiness on my part, I'd
>> like to prevent users from requesting JSP pages directly, except
>> for the login
On 16/08/18 18:19, Berneburg, Cris J. - US wrote:
> Due to security concerns and general fussiness on my part, I'd like to
> prevent users from requesting JSP pages directly, except for the login page.
> I want all requests to be handled by servlets. That way I can legitimately
> claim that
There's another considerable option:
c. Implement a servlet filter which is mapped to /* with dispatcher
options: REQUEST, INCLUDE, FORWARD. The filter may check the request
URI or include/forward URI (through request attributes).
Regards,
Woonsan
On Thu, Aug 16, 2018 at 1:19 PM, Berneburg,
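Woonsan's option (c), written out as an added example; this is not code from the thread or from Tomcat itself. It assumes a Servlet 3.0 or later container (so `request.getDispatcherType()` and the `RequestDispatcher.INCLUDE_*` attribute constants exist) and Java 9 or later (for `Set.of`). The class name `JspAccessFilter`, the `example` package and the `/login.jsp` allow-list are illustrative choices for the original poster's "except for the login page" requirement, not anything the thread specifies. The filter is mapped to `/*` for REQUEST, FORWARD and INCLUDE, and uses the dispatcher type, which the container sets and a client cannot influence, to tell a direct browser request for a `.jsp` apart from a forward or include issued by a servlet.

```java
package example; // hypothetical package, not from the original post

import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to /* for all three dispatch types so every route to a JSP passes
// through here; the dispatcher type then tells the routes apart.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE})
public class JspAccessFilter implements Filter {

    // JSPs a client may request directly (the poster's "login page" exception).
    // Assumed path; leave the set empty to block every direct JSP request.
    private static final Set<String> DIRECTLY_ALLOWED = Set.of("/login.jsp");

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAllowed(request.getDispatcherType(), targetPath(request))) {
            // 404 rather than 403: a direct probe should not learn that the JSP exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Context-relative path of the resource this dispatch is about to execute. */
    static String targetPath(HttpServletRequest request) {
        String path;
        String info;
        if (request.getDispatcherType() == DispatcherType.INCLUDE) {
            // On an include, getServletPath()/getPathInfo() still describe the
            // including request; the included resource is only visible through
            // the javax.servlet.include.* request attributes.
            path = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
            info = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
        } else {
            // For REQUEST and FORWARD the path accessors already reflect the target
            // (on a forward the original URI is kept in javax.servlet.forward.*).
            // getServletPath() is decoded and has path parameters such as
            // ";jsessionid=..." stripped, which is why it is used instead of getRequestURI().
            path = request.getServletPath();
            info = request.getPathInfo();
        }
        if (path == null) {
            path = "";
        }
        return info == null ? path : path + info;
    }

    /** Decision kept free of servlet objects so it can be unit-tested without a container. */
    static boolean isAllowed(DispatcherType type, String path) {
        if (!looksLikeJsp(path)) {
            return true; // not a JSP: nothing for this filter to decide
        }
        if (type == DispatcherType.FORWARD || type == DispatcherType.INCLUDE) {
            return true; // reached through a servlet: the intended route
        }
        return DIRECTLY_ALLOWED.contains(path); // a direct client request
    }

    static boolean looksLikeJsp(String path) {
        // Case-insensitive on purpose, so a request for /Foo.JSP is judged the
        // same way as /foo.jsp; Tomcat's default mappings send *.jsp and *.jspx
        // to the JSP servlet.
        String p = path.toLowerCase(Locale.ROOT);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }
}
```

If the application declares its filters in web.xml instead of by annotation, the same mapping is a `<filter-mapping>` with `<url-pattern>/*</url-pattern>` and three `<dispatcher>` elements (REQUEST, FORWARD, INCLUDE); declaring it in web.xml is also the way to guarantee it runs before any other filter that might forward on its own. Two caveats a practitioner should keep in mind: this filter only controls whether a JSP is reachable, so validating and scrubbing input remains the job of the servlet that forwards to it; and option (b) from the thread, moving the JSPs under `/WEB-INF`, needs no filter at all, because the container refuses direct client requests for anything under that directory while `RequestDispatcher.forward()` still reaches it. The filter is useful where JSPs cannot be moved, or as a second layer in front of ones that can.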
Cris,
On 8/16/18 1:19 PM, Berneburg, Cris J. - US wrote:
> Due to security concerns and general fussiness on my part, I'd
> like to prevent users from requesting JSP pages directly, except
> for the login page.
Why except for the login page? I
I'll be curious to see the answers.
JSPs are servlets.
For us, the common way would be for your non-JSP servlets to
authenticate the request (and save the results
I'll be curious to see the answers.
JSPs are servlets.
For us, the common way would be for your non-JSP servlets to
authenticate the request (and save the results in the request), and then
your JSPs can check if the request has been authenticated before
progressing further. Of course, if
Due to security concerns and general fussiness on my part, I'd like to prevent
users from requesting JSP pages directly, except for the login page. I want
all requests to be handled by servlets. That way I can legitimately claim that
all requests are being validated, input scrubbed, JSP's