> 1) Get off of Windows :)

Excellent point (just kidding) but actually, thanks for pointing the
case-problem-fix out.

This also happens on Mac OS X (which has a case-respecting, case-insensitive
filesystem that annoys me frequently when working on the Unix side).  Apple
distributes an Apache module which fixes the associated security problems
for httpd, but I didn't even think to check this under Tomcat.  Good thing I
only deploy on Linux.  ;)

So, Mac OS X users beware.

I wonder how receptive the Tomcat committers would be to patches /
automatically enabled workarounds for resolving / protecting against this
issue.

cheers
fillup


On 5/30/02 3:43 PM, "Mike Jackson" <[EMAIL PROTECTED]> wrote:

> 1) Get off of Windows :)
> 
>  Or add the following to web.xml under $TOMCAT_HOME/conf, unless I'm
> mistaken that should cover all of the possible mis-cases of "jsp".
> 
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.Jsp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.JSp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.JsP</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.JSP</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.jSp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.jSP</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.jsP</url-pattern>
> </servlet-mapping>
> 
> 2) You'll probably have to do this in your application I think.  If it were
> me I'd create a singleton class that stored a list of login attempts with ip
> address of the source, and prior to allowing some client to attempt login
> I'd check the list.
> 
> --mikej
> -=-----
> mike jackson
> [EMAIL PROTECTED]
> 
>> -----Original Message-----
>> From: Walid Mohamed Al Abbadi [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, May 30, 2002 3:24 PM
>> To: [EMAIL PROTECTED]
>> Subject: Need Help plz
>> 
>> 
>> 
>> Hi,
>> 
>> I need help please with two subjects. My problems are what
>> configuration I should do on the server to:
>> 
>>  1) Prohibit downloading the *.jsp files from any client on the
>> internet... I noticed that if I wrote the URL of my site ending with
>> myFile.JSP [JSP in capital letters] the page did not open, but the
>> server offered me to download the file itself! I don't want
>> any user to know this property to download my own source-code jsp files!
>> 
>>  2) My application depends on password authentication, and
>> I don't want any cracker to keep trying usernames/passwords for
>> many tries. How should I tell the server to block an IP after 3
>> tries [for example], and for how long will this IP be blocked?
>> 
>> Are these problems related to the Apache server or the Tomcat
>> server or both of them? Has anyone faced problems like these?
>> 
>> 
>>  Java_lover : Walid
>> 
>> --
>> To unsubscribe, e-mail:
>> <mailto:[EMAIL PROTECTED]>
>> For additional commands, e-mail:
>> <mailto:[EMAIL PROTECTED]>
>> 
> 
> 
> 

