RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Randy Paries
That is what I needed ... Thanks all To follow this up, why is this a security risk? Do they want specific mapping for each servlet? Thanks -Original Message- From: PELOQUIN,JEFFREY (HP-Boise,ex1) [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 9:54 AM To: 'Tomcat Users

RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Tim Moore
ext. 258 / Fax 202-463-4863 -Original Message- From: Randy Paries [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 11:20 AM To: 'Tomcat Users List' Subject: RE: Should not be this hard(why is this a security risk) That is what I needed ... Thanks all To follow

RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Larry Meadors
These messages indicate that a fix is in the works: A new Tomcat 4.1.x release incorporating the fix to the invoker servlet will be made available shortly. Am I reading this correctly as saying the quick fix is to disable the invoker, but the long term fix is to change the invoker to make the

RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Tim Moore
-Original Message- From: Larry Meadors [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 19, 2002 12:09 PM To: [EMAIL PROTECTED] Subject: RE: Should not be this hard(why is this a security risk) These messages indicate that a fix is in the works: A new Tomcat 4.1.x release

RE: Should not be this hard(why is this a security risk)

2002-12-19 Thread Craig R. McClanahan
On Thu, 19 Dec 2002, Tim Moore wrote: Date: Thu, 19 Dec 2002 12:48:37 -0500 From: Tim Moore [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: RE: Should not be this hard(why is this a security risk) -Original Message

Re: Should not be this hard(why is this a security risk)

2002-12-19 Thread Dodd Gatsos
, December 19, 2002 10:19 AM Subject: RE: Should not be this hard(why is this a security risk) That is what I needed ... Thanks all To follow this up, why is this a security risk? Do they want specific mapping for each servlet? Thanks -Original Message- From: PELOQUIN,JEFFREY

Re: Security RISK !

2002-10-29 Thread Rodrigo Ruiz
without compromising security, and without replicating files. - Original Message - From: Tim Funk [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, October 24, 2002 12:08 PM Subject: Re: Security RISK ! 401/404 - Forbidden vs not found doesn't matter as long

Re: Security RISK !

2002-10-29 Thread Nikola Milutinovic
Rodrigo Ruiz wrote: I think the idea of letting Apache directly access the files in the webapp is interesting. This way there is no need to replicate the static content for Apache, and Apache will be faster serving all static content than Tomcat. True, but bothersome to maintain. But, at

Re: Security RISK !

2002-10-24 Thread Veniamin Fichin
Tim Funk wrote: You'll want to protect your WEB-INF directory as well as any properties files. You can do that by using the following in your httpd.conf: (This should be the syntax) <Files ~ \.properties$> Order allow,deny Deny from all Satisfy All </Files> <Directory ~ /WEB-INF/>

Re: Security RISK !

2002-10-24 Thread Tim Funk
401/404 - Forbidden vs not found doesn't matter as long as the intruder is forbidden. Relying on confusing the user is a nice technique for preventing intruders since it may waste more of their time and make them more likely to give up. But that may make others more determined to try to break

Re: Security RISK !

2002-10-23 Thread Robert L Sowders
: Subject:Re: Security RISK ! Sigurður Bjarnason wrote: Hi all The question is.. is there any security risk if I have the Apache DocumentRoot pointing straight to the webapps folder ?! First of all, Apache cannot handle JSPs and has no knowledge of Servlets. Second, if both

Re: Security RISK !

2002-10-23 Thread Nikola Milutinovic
Robert L Sowders wrote: This doesn't really pose a problem with a correctly configured connector that is set up to handle all *.jsp and servlet requests. Perhaps, but that idea somehow defeats my idea of a web application as a path deployed from some other server. Maybe I'm wrong... Nix. --

Re: Security RISK !

2002-10-23 Thread Robert L Sowders
] cc: Subject:Re: Security RISK ! Robert L Sowders wrote: This doesn't really pose a problem with a correctly configured connector that is set up to handle all *.jsp and servlet requests. Perhaps, but that idea somehow defeats my idea of a web application as a path

Re: Security RISK !

2002-10-23 Thread Glenn Nielsen
. Regards, Glenn Sigurður Bjarnason wrote: Hi all I am using Apache 1.3 and Tomcat 4.0.4 together I use Apache to serve all the static content, which I have a special directory for and Tomcat serves all the jsp and servlet stuff.. The question is.. is there any security risk if I have the Apache

Security RISK !

2002-10-22 Thread Sigurður Bjarnason
Hi all I am using Apache 1.3 and Tomcat 4.0.4 together I use Apache to serve all the static content, which I have a special directory for and Tomcat serves all the jsp and servlet stuff.. The question is.. is there any security risk if I have the Apache DocumentRoot pointing straight

Re: Security RISK !

2002-10-22 Thread Tim Funk
security risk if I have the Apache DocumentRoot pointing straight to the webapps folder ?! Best Regards Siggi

Re: Security RISK !

2002-10-22 Thread Nikola Milutinovic
Sigurður Bjarnason wrote: Hi all The question is.. is there any security risk if I have the Apache DocumentRoot pointing straight to the webapps folder ?! First of all, Apache cannot handle JSPs and has no knowledge of Servlets. Second, if both Apache and Tomcat-via-connector access the same

Re: Security RISK !

2002-10-22 Thread Dennis Muhlestein
Bjarnason wrote: Hi all I am using Apache 1.3 and Tomcat 4.0.4 together I use Apache to serve all the static content, which I have a special directory for and Tomcat serves all the jsp and servlet stuff.. The question is.. is there any security risk if I have the Apache DocumentRoot pointing

Wouldn't this be a security risk??

2002-08-28 Thread Chad Kellerman
Hello everyone, I have been running Tomcat for a while and just started to notice a few things. First, let me say I have it configured on a Linux server with mod_webapp, with Tomcat version 4.0.3. Let's say I have a war file application called hello.war that I call like so:

Re: Wouldn't this be a security risk??

2002-08-28 Thread Tim Funk
Have apache deny the request. Very simple change to httpd.conf. For example: # No one in my WEB-INF directory <Location /WEB-INF/> AllowOverride none deny from all </Location> # No one look at my properties files <Files ~ *.properties> Order allow,deny Deny from all Satisfy All