<grumble> Yet another reason I'm anxious to get out of school and work for a
company that will expense trips to ApacheCon and the like =)

- r

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Glenn Nielsen
> Sent: Wednesday, August 01, 2001 8:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Guide to developing secure tomcat/jsp web apps - help ??
>
>
> I read that article in JavaPro and many things weren't mentioned.
> I don't think you will find any one source of information that covers
> everything.
>
> Another source of information regarding use of the Java SecurityManager
> and some general rules for writing code for secure applications is at:
>
> http://www.more.net/events/apachecon2001/
>
> Regards,
>
> Glenn
>
> "Rob S." wrote:
> >
> > I think that your question is really about server-side security for web apps
> > in general.  All of your questions can apply to any web application
> > regardless of technology being used (e.g. asp, php, cfm)
> >
> > A good place to start would be Java Pro Magazine.  Two issues ago - cover
> > page about securing server side in Java.  That's as good a place as any to
> > start.
> >
> > GL!
> >
> > - r
> >
> > > -----Original Message-----
> > > From: Greg Callaghan [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, August 01, 2001 2:26 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Guide to developing secure tomcat/jsp web apps - help ??
> > >
> > >
> > > Hi all,
> > >
> > > It would be very useful to have a checklist or guidelines to ensure a
> > > JSP/tomcat web site one develops is secure, in particular for the scenario
> > > where the web application is not huge/complex &/or is developed by part-time
> > > developers.   That is I guess I'm generally asking for the easiest way of
> > > ensuring one develops a secure JSP/tomcat app.
> > >
> > > Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web
> > > app is secure?    The types of things I'm thinking of include the following
> > > items, which I've put forward as specific questions to the mail group in
> > > their own right.
> > >
> > > Q2 - How do you ensure directories under doc root can't be viewed?  (ie
> > > users see directory listings)
> > > - is putting in an index.html in each sub-directory a solid answer?
> > > - can this be handled in one hit via WEB.XML entries?  if so an example if
> > > possible?
> > >
> > > Above and beyond basic User Authentication checking (eg username/password
> > > check at beginning of session) what is an easy but secure way of
> > > checking -:
> > >
> > > Q3 check that user (ie specific) is allowed to access a specific JSP page?
> > > (assuming the web app is a totally JSP based solution, ie no controller
> > > servlet frontend, ie and that all JSP pages are effectively accessible under
> > > docroot).    Easy way of doing this?
> > > eg (a) put specific check at beginning of each JSP page?
> > >    (b) other?
> > >
> > > and
> > >
> > > Q4 given that a user is allowed to access that JSP page, check that he is
> > > allowed to view the data which he has requested?   (ie stop people
> > > determining how the URL with parameters is constructed and manually changing
> > > the parameters - eg changing "http://www.test/test.jsp?id=3", manually
> > > "http://www.test/test.jsp?id=4". Easy way of doing this?
> > > eg (a) put specific check at beginning of JSP page?
> > >    (b) other
> > >
> > > Q5 Is it generally acceptable, given appropriate precautions are taken, to
> > > setup a web site with all JSP files accessible under doc root, and that the
> > > manner in which the user navigates around the application is based on direct
> > > calls from the browser to the next JSP page with parameters?  (again one
> > > concern I have is eg changing "http://www.test/test.jsp?id=3", manually
> > > "http://www.test/test.jsp?id=4").     If this is not acceptable what is
> > > recommended?
> > >
> > > (a) as above put a specific check at the beginning of the JSP page
> > > (b) for example having to specifically put a controller servlet as a front
> > > end, and then direct to JSP pages which are hidden?
> > > - in this case how can one hide specific directories under doc root?
> > > (c) other??
> >
> > > Q6. Regarding image security I assume one really does have to store them
> > > outside doc root and develop a small "getImage" servlet so that requests to
> > > images can be verified to ensure that (assuming the app lets users load
> > > images) the end user can't see another user's image?
> > >
> > > Q7. Any other general checklist items for a simple JSP/tomcat web site re
> > > security one should check for???
> > >
> > > Thanks in advance
> > > Greg
> > >

> --
> ----------------------------------------------------------------------
> Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------
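The concern in Q4 and Q5 (a user who may reach test.jsp changes id=3 to id=4 in the URL and reads someone else's record) is an object-level authorization check, and the "(b) other" option is to put that check in a servlet Filter mapped over *.jsp instead of at the top of every page. The following is an added example, not code from this thread or from Tomcat; it assumes the login code stores the user name in a session attribute "user" and a hypothetical OwnerLookup that the application implements against its own data and registers in the servlet context.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/* Added example, not code from this thread. One filter mapped in web.xml to
 * url-pattern *.jsp runs before any JSP and rejects an "id" the logged-in user
 * does not own, so no per-page check is needed. Assumes the login code stores
 * the user name in session attribute "user"; OwnerLookup is hypothetical and
 * the application registers its own implementation in the servlet context. */
public class OwnerCheckFilter implements Filter {
    /** Hypothetical: returns the owner of record id, or null if no such record. */
    public interface OwnerLookup {
        String ownerOf(long id);
    }
    private OwnerLookup lookup;
    public void init(FilterConfig config) throws ServletException {
        lookup = (OwnerLookup) config.getServletContext().getAttribute("ownerLookup");
        // Fail closed: without a lookup the JSPs must not run unchecked.
        if (lookup == null) throw new ServletException("ownerLookup not configured");
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute("user");
        if (user == null) {                 // not logged in: the JSP never runs
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String idParam = request.getParameter("id");
        if (idParam != null && !allowed(user, idParam)) {
            // Same answer for "no such record" and "someone else's record", so
            // walking id=3, id=4, ... in the URL reveals nothing about other users.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
    /** True only when id is a well-formed number and its owner is exactly this user. */
    boolean allowed(String user, String idParam) {
        long id;
        try { id = Long.parseLong(idParam.trim()); }
        catch (NumberFormatException e) { return false; }
        String owner = lookup.ownerOf(id);
        return owner != null && owner.equals(user);
    }
    public void destroy() { }
}
```

Because the filter runs before the JSP, it also answers Q3 for the all-JSP layout: a request with no session is turned away before any page under doc root executes.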
