Hi all,

It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex and/or is developed by part-time developers. That is, I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.

Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.

Q2 - How do you ensure directories under doc root can't be viewed? (ie users see a directory listing)
- is putting an index.html in each sub-directory a solid answer?
- can this be handled in one hit via WEB.XML entries? If so, an example if possible?

Above and beyond basic user authentication checking (eg username/password check at beginning of session), what is an easy but secure way of checking:

Q3 - check that a user (ie a specific user) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet front end, and that all JSP pages are effectively accessible under doc root). Easy way of doing this? eg
(a) put a specific check at the beginning of each JSP page?
(b) other?

and

Q4 - given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). Easy way of doing this? eg
(a) put a specific check at the beginning of the JSP page?
(b) other?

Q5 - Is it generally acceptable, given appropriate precautions are taken, to set up a web site with all JSP files accessible under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). If this is not acceptable, what is recommended?
(a) as above, put a specific check at the beginning of the JSP page
(b) for example, having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden? - in this case how can one hide specific directories under doc root?
(c) other??

Q6 - Regarding image security, I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?

Q7 - Any other general checklist items for a simple JSP/tomcat web site re security one should check for???

Thanks in advance
Greg
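One way to do the Q3 (page-level) and Q4 (record-level, the id=3 -> id=4 case) checks in a single place instead of at the top of every JSP is a servlet Filter mapped to `*.jsp` in web.xml. This is an added example, not code from the original post; it assumes the login code stores the user name in a session attribute named "user", that the login page is `/login.jsp`, and it uses constructed in-memory tables where a real app would query its database.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Filter mapped to *.jsp via <filter-mapping> in web.xml. Assumption: the login
// code sets session attribute "user". Map.of/Set.of need Java 9 or later.
public class AccessFilter implements Filter {

    // Constructed sample data: pages each user may open, record ids each user owns.
    private static final Map<String, Set<String>> PAGE_ACL = Map.of(
        "alice", Set.of("/test.jsp", "/report.jsp"),
        "bob",   Set.of("/test.jsp"));
    private static final Map<String, Set<String>> RECORD_OWNER = Map.of(
        "alice", Set.of("3"),
        "bob",   Set.of("4"));

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        String page = hreq.getServletPath();
        if (page.equals("/login.jsp")) { chain.doFilter(req, res); return; } // always reachable

        HttpSession session = hreq.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {                                   // not logged in at all
            hres.sendRedirect(hreq.getContextPath() + "/login.jsp");
            return;
        }
        if (!PAGE_ACL.getOrDefault(user, Set.of()).contains(page)) {   // Q3: page allowed?
            hres.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String id = hreq.getParameter("id");                  // Q4: record owned by user?
        if (id != null && !RECORD_OWNER.getOrDefault(user, Set.of()).contains(id)) {
            hres.sendError(HttpServletResponse.SC_FORBIDDEN); // SC_NOT_FOUND hides existence
            return;
        }
        chain.doFilter(req, res);                             // authorized: run the JSP
    }
}
```

Because the ownership check lives in the filter, a user who edits the id in the URL by hand gets a 403 before the JSP ever reads the parameter.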