You probably wouldn't have this problem if you used Apache, I think. If the
Apache module does checking then it'll probably figure out that, since the
*.jsp file is just that, a *.jsp file, and if you're using mod_jk or probably
mod_webapp (I haven't used this yet), it'll see in its config that it's
supposed to hand those over to Tomcat.  But then again I could be wrong; I
don't have one of those environments to play with.

--mikej
-=-----
mike jackson
[EMAIL PROTECTED]

> -----Original Message-----
> From: Phillip Morelock [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 30, 2002 3:57 PM
> To: Tomcat Users List
> Subject: Re: Need Help plz
>
>
> > 1) Get off of windows :)
>
> Excellent point (just kidding) but actually, thanks for pointing the
> case-problem-fix out.
>
> This also happens on Mac OS X (which has a case-respecting, case-insensitive
> filesystem that annoys me frequently when working in the Unix side).  Apple
> distributes an Apache module which fixes the associated security problems
> for httpd, but I didn't even think to check this under Tomcat.  Good thing I
> only deploy on Linux.  ;)
>
> So, Mac OS X users beware.
>
> I wonder how receptive the Tomcat committers would be to patches /
> automatically enabled workarounds for resolving / protecting against this
> issue.
>
> cheers
> fillup
>
>
> On 5/30/02 3:43 PM, "Mike Jackson" <[EMAIL PROTECTED]> wrote:
>
> > 1) Get off of windows :)
> >
> >  Or add the following to web.xml under $TOMCAT_HOME/conf; unless I'm
> > mistaken, that should cover all of the possible mis-cases of "jsp".
> >
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.Jsp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JSp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JsP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JSP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jSp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jSP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jsP</url-pattern>
> > </servlet-mapping>
> >
> > 2) You'll probably have to do this in your application, I think.  If it
> > were me I'd create a singleton class that stored a list of login attempts
> > with IP address of the source, and prior to allowing some client to
> > attempt login I'd check the list.
> >
> > --mikej
> > -=-----
> > mike jackson
> > [EMAIL PROTECTED]
> >
> >> -----Original Message-----
> >> From: Walid Mohamed Al Abbadi [mailto:[EMAIL PROTECTED]]
> >> Sent: Thursday, May 30, 2002 3:24 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Need Help plz
> >>
> >>
> >>
> >> Hi,
> >>
> >> I need help please with two subjects. My problems are what
> >> configuration I should do on the server to prevent:
> >>
> >>  1) Prohibit downloading the *.jsp files from any client on the
> >> internet... [I noticed that if I wrote the URL of my site ending with
> >> myFile.JSP [JSP in capital letters] the page did not open, but the
> >> server offered me to download the file itself! I don't want
> >> any user to know this property and download my own source-code JSP files!
> >>
> >>  2) My application depends on password authentication, and
> >> I don't want any cracker to keep trying usernames/passwords for
> >> many tries. How should I tell the server to block an IP after 3
> >> tries [for example], and for how long will this IP be blocked?
> >>
> >> Are these problems related to the Apache server or the Tomcat
> >> server or both of them? Does anyone else face problems like these?
> >>
> >>
> >>  Java_lover : Walid
> >>
> >> --
> >> To unsubscribe, e-mail:
> >> <mailto:[EMAIL PROTECTED]>
> >> For additional commands, e-mail:
> >> <mailto:[EMAIL PROTECTED]>
> >>
>

