Title: RE: TomCat - IIS - Security

Hello Randy,

how can we tell TomCat to perform user authentication using the NT mechanism (NTLM)? And, if we want to protect
"ourserver/secretfolder" with permissions for user "foo" and user "bar",
but "ourserver/secretfolder/moresecret" with permissions for user "bar" only, how could that be possible?

Bye

        Christian
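The two-level protection Christian asks about (outer folder open to foo and bar, inner folder to bar only) is what a servlet container's declarative security is for. The following web.xml is an added illustration, not something posted in this thread and not Tomcat's own shipped configuration. It assumes a webapp that maps the JSPs under the context paths /secretfolder/* and /secretfolder/moresecret/*, and it assumes two hypothetical role names, "secret-readers" (to which both foo and bar belong) and "moresecret-readers" (bar only); which users hold which role is decided by whatever realm Tomcat is configured with, which this fragment does not define. It does not give Tomcat NTLM: the login-config shown uses BASIC authentication, which the browser will prompt for, and the thread itself offers no NTLM integration for Tomcat.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Outer folder: everything under /secretfolder/ requires the
       (hypothetical) role "secret-readers". Both foo and bar are assumed
       to be mapped to this role in the realm. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secretfolder</web-resource-name>
      <url-pattern>/secretfolder/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secret-readers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Inner folder: the longer, more specific pattern is the one Tomcat
       applies to requests under /secretfolder/moresecret/, so these
       resources require the (hypothetical) role "moresecret-readers",
       to which only bar is assumed to belong. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>moresecret</web-resource-name>
      <url-pattern>/secretfolder/moresecret/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>moresecret-readers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Tomcat, not IIS, now challenges the client. BASIC is used here
       because it is the simplest method the container supports; it is
       not NTLM and sends credentials base64-encoded, so it belongs on
       an HTTPS or intranet-only connection. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>secretfolder</realm-name>
  </login-config>

  <!-- Declare the roles referenced above. -->
  <security-role>
    <role-name>secret-readers</role-name>
  </security-role>
  <security-role>
    <role-name>moresecret-readers</role-name>
  </security-role>

</web-app>
```

The point for the scenario in the thread: once IIS hands a *.jsp request to Tomcat, IIS's NT ACL on the folder is no longer consulted, so the constraint that covers the JSP path inside Tomcat is the only check that request gets. A quick way to confirm the configuration is in force is to request a JSP under /secretfolder/moresecret/ as a user who only holds "secret-readers" and verify that Tomcat answers with a 403 rather than the rendered page.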

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 27 February 2001 13:57
To: [EMAIL PROTECTED]
Subject: RE: TomCat - IIS - Security



        This seems perfectly reasonable to me - you told IIS to protect
everything it serves out of outserver/secretfolder and have apparently not
told Tomcat to protect this webapp.  If you want to protect all JSPs then
you can protect the /jakarta directory, or you could configure Tomcat to
perform user authentication.

        Randy

-----Original Message-----
From: Christian Schulz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 8:17 AM
To: '[EMAIL PROTECTED]'
Cc: Thomas Dingel
Subject: TomCat - IIS - Security
Importance: High


Hello,
when using Tomcat with IIS, we have a security hole.
We installed Tomcat as described in the documentation.
The following scenario will show our problem:
We have a folder reachable as http://outserver/secretfolder/ with NT
Security permissions set.
The folder "secretfolder" can only be read by the system and by a user named
"foo". Now, without tomcat, the user "foo" can access the contents of the
folder "secretfolder", all other users will get "access denied". We use NTLM
for authentication (so the browser [IE 5.x] automatically sends the current
NT user's account to the webserver).
Now, we put a file named "testme.jsp" into "secretfolder" and try to open it
from an NT User's account named "bar". The IIS now redirects to TomCat
without checking any permissions and tomcat returns the result of
"testme.jsp". But, in our opinion, this should not happen !!!
The user "bar" also has to get an error "access denied" ! So, TomCat
bypasses NT Security !
Does anybody have a solution for that ?
Bye bye
  Christian Schulz
