>Number: 5330
>Category: config
>Synopsis: Restriction of the connections to Servlets
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Wed Nov 17 14:10:01 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3.9
>Environment:
Windows NT
>Description:
Servlet :
It has service method, and opens an input stream to read
serialized binary object, and output stream to write a response
respectively. And I have the authorization key included in the serialized
object.
Applet :
applet opens an object output stream over URLConnection to the servlet,
and write the serialized object including aouthorization code, and get
the result by reading the input stream, that is opened just after writing
the request.
Here is my problem. If I write an application with java or C++, or anything
it doesn't metter, I can connect to the servlet as the way applet does, and
write
the serialized object to servlet, I can invoke servlet, run it and get the
result,
success information, becouse I have the source of the binary serialized object
that is used for communication. But as you know, it is not to difficult to find
the java code of binary class file of any applet or object, becouse it is
already
downloaded in to your local machine, there are lots of java decompilers around.
As a metter of fact, this results an unwanted behaviour of business becouse
nobody needs to download my applet or connect to my web page any more.
>How-To-Repeat:
>Fix:
May the connecting client should be detected if it a browser or an application.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
