> 1) Get off of windows :)

Excellent point (just kidding) but actually, thanks for pointing the case-problem-fix out.
This also happens on Mac OS X (which has a case-respecting, case-insensitive filesystem that annoys me frequently when working in the Unix side). Apple distributes an Apache module which fixes the associated security problems for httpd, but I didn't even think to check this under Tomcat. Good thing I only deploy on Linux. ;)

So, Mac OS X users beware.

I wonder how receptive the Tomcat committers would be to patches / automatically enabled workarounds for resolving / protecting against this issue.

cheers
fillup

On 5/30/02 3:43 PM, "Mike Jackson" <[EMAIL PROTECTED]> wrote:

> 1) Get off of windows :)
>
> Or add the following to web.xml under $TOMCAT_HOME/conf, unless I'm
> mistaken that should cover all of the possible miss-cases of "jsp".
>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.Jsp</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.JSp</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.JsP</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.JSP</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.jSp</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.jSP</url-pattern>
>     </servlet-mapping>
>     <servlet-mapping>
>         <servlet-name>jsp</servlet-name>
>         <url-pattern>*.jsP</url-pattern>
>     </servlet-mapping>
>
> 2) You'll probably have to do this in your application I think. If it were
> me I'd create a singleton class that stored a list of login attempts with ip
> address of the source, and prior to allowing some client to attempt login
> I'd check the list.
>
> --mikej
> -=-----
> mike jackson
> [EMAIL PROTECTED]
>
>> -----Original Message-----
>> From: Walid Mohamed Al Abbadi [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, May 30, 2002 3:24 PM
>> To: [EMAIL PROTECTED]
>> Subject: Need Help plz
>>
>> Hi ,
>>
>> I need help please in two subjects .. My problems are what
>> configuration I should have to do in the server to prevent:
>>
>> 1) Prohibit downloading the *.jsp files from any client on the
>> internet... [ I noticed that if I wrote the URL of my site ending with
>> myFile.JSP [ JSP in Capital letters] the page not opened ! , but the
>> server offered me to download the file it self ! ..Which I don't want
>> any user knows this property to download my own source-code jsp files!
>>
>> 2) My application is depend on a password authentication , which
>> I don't want any cracker to keep trying usernames/passwords for
>> many tries .. How should I tell the server to block an ip after 3 times
>> tries [for example] and for how long this ip will be blocked!
>>
>> are these problems related with the Apache server or Tomcat
>> server or both of them !!.. does anyone face like these problems ?!
>>
>> Java_lover : Walid
>>
>> --
>> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
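
Point 2 of the quoted reply (a singleton that records login attempts per source IP and is checked before each login) could look like the sketch below. This is an added example, not code from anyone in the thread; the class name `LoginAttemptTracker`, its method names and the 15-minute block duration are assumptions, and only the limit of 3 tries comes from the original question.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Added example: singleton that blocks a source IP after repeated failed logins. */
public final class LoginAttemptTracker {
    // Assumed policy values; the thread only says "3 times tries [for example]".
    private static final int MAX_FAILURES = 3;
    private static final long LOCK_MILLIS = 15 * 60 * 1000L; // assumed 15-minute block

    private static final LoginAttemptTracker INSTANCE = new LoginAttemptTracker();
    public static LoginAttemptTracker getInstance() { return INSTANCE; }
    private LoginAttemptTracker() {}

    /** Failure count and time of the most recent failure for one address. */
    private static final class Entry {
        final int failures; final long lastFailure;
        Entry(int failures, long lastFailure) { this.failures = failures; this.lastFailure = lastFailure; }
    }

    private final ConcurrentHashMap<String, Entry> attempts = new ConcurrentHashMap<>();

    /** Call before checking credentials; true means reject without evaluating the password. */
    public boolean isBlocked(String ip, long now) {
        Entry e = attempts.get(ip);
        if (e == null) return false;
        if (now - e.lastFailure >= LOCK_MILLIS) {   // block (or stale count) has expired
            attempts.remove(ip, e);
            return false;
        }
        return e.failures >= MAX_FAILURES;
    }

    /** Call after a failed login; the update is atomic per address. */
    public void recordFailure(String ip, long now) {
        attempts.compute(ip, (k, e) ->
            (e == null || now - e.lastFailure >= LOCK_MILLIS)
                ? new Entry(1, now)
                : new Entry(e.failures + 1, now));
    }

    /** Call after a successful login so earlier typos do not count against the user. */
    public void recordSuccess(String ip) { attempts.remove(ip); }

    public static void main(String[] args) {
        LoginAttemptTracker t = getInstance();
        String ip = "192.0.2.10";                    // constructed sample address
        long t0 = 0L;
        for (int i = 0; i < 3; i++) t.recordFailure(ip, t0 + i);
        System.out.println(t.isBlocked(ip, t0 + 10));              // true: limit reached
        System.out.println(t.isBlocked(ip, t0 + 2 + LOCK_MILLIS)); // false: block expired
    }
}
```

In a servlet the arguments would be `request.getRemoteAddr()` and `System.currentTimeMillis()`. When a proxy sits in front of Tomcat, `getRemoteAddr()` may return the proxy's address, so the per-IP count would then apply to every client behind it.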