----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

The following is cut from the howto.security.html file that comes with
JServ 1.1.3b. 

Good luck,


Jan

************************ start of **********************************************
Connection authentication

In the rare cases where IP filtering is not enough, for example when
untrusted users may generate requests from the allowed IP address,
connection authentication can be used to reduce to a minimum the chance
of external attack. To do this, both the web server and the servlet engine
must have a binary copy of the same file, any file, that is called the
secret key.

This file may have any format and any length (could even be an image!), but
we suggest you create your own text file by monkey-typing around a hundred
bytes. After a few dozen bytes, the security improvement is negligible,
while the time taken by the authentication procedure is linear in the
secret key length. For this reason there is very little need for long
secret keys.

Note: your security is strictly related to that secret key file. Anybody
who can guess or recreate your secret key is a potential external attacker
if his requests come from the correct IP addresses. There is no need to
tell you to protect your secret key files and make them not readable or
writable by untrusted users.

To enable the authentication on the servlet engine side you should add
these two lines to your jserv.properties file:

     # must be "true" to enable connection authentication
     security.authentication=true
     security.secretKey=/etc/jserv/jserv.secret.key

Then you have to enable authentication on every web server that connects to
that servlet engine by adding this line to your httpd.conf files:

     ApJServSecretKey /etc/jserv/jserv.secret.key

Make sure the two secret key files are either the same file or an exact
binary copy, and that both the web server and the servlet engine have
permission to read them.

**************************** end of *****************************************

At 15:18 24.11.99 +0000, you wrote:
>
>Dear List,
>Can someone please explain to me what this is and how it works please?
>
>Marcus.
>
>



---------------------------------------------------------------------------------------------------------------------------------------------------
Jan Almaas, B.Sc.

Schlumberger Geco-Prakla, PDN SW Craft
P.B. 234
Solbraaveien 23
N-1372 ASKER
NORWAY

+47 66 78 83 21 (direct)    +47 66 78 80 00 (phone)    +47 66 78 85 00 (fax)
+47 32 85 44 91 (home)      +47 90 14 36 47 (mobile)
e-mail : [EMAIL PROTECTED]
        [EMAIL PROTECTED] (home)
---------------------------------------------------------------------------------------------------------------------------------------------------
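As an added example (not from the JServ documentation or from Jan's mail), the shell functions below turn the advice quoted above into checks you can run: they create a secret key file of roughly the suggested size from /dev/urandom instead of monkey-typing, verify it is not readable or writable by untrusted users, and confirm that the web server's copy and the servlet engine's copy are byte-for-byte identical. The file paths and the 100-byte default are assumptions.

```shell
#!/bin/sh
# Added example, not part of JServ. Helpers for provisioning and checking
# the secret key file used by security.secretKey / ApJServSecretKey.

# Create a secret key file of SIZE random bytes (default 100, roughly what
# the JServ docs suggest). The subshell umask keeps the file owner-only.
make_secret_key() {
    path="$1"; size="${2:-100}"
    ( umask 077; head -c "$size" /dev/urandom > "$path" ) || return 1
    chmod 600 "$path"
}

# Return 0 if the key file is non-empty, readable by us, and has no
# group/other permission bits (i.e. untrusted users cannot read or write it).
check_secret_key_perms() {
    path="$1"
    [ -r "$path" ] || { echo "not readable: $path" >&2; return 1; }
    [ -s "$path" ] || { echo "empty key file: $path" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; keep the last three octal digits
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    mode=$(printf '%s' "$mode" | tail -c 3)
    case "$mode" in
        ?00) return 0 ;;
        *) echo "key file $path is group/world accessible (mode $mode)" >&2
           return 1 ;;
    esac
}

# Return 0 only if the two copies (web server side, servlet engine side)
# are an exact binary copy of each other.
check_secret_key_copies() {
    cmp -s "$1" "$2" && return 0
    echo "secret key files differ: $1 vs $2" >&2
    return 1
}
```

Run `make_secret_key` once, copy the result to every web server that uses `ApJServSecretKey`, then run the two check functions on each host before setting `security.authentication=true`.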



--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Archives and Other:  <http://java.apache.org/main/mail.html>
Problems?:           [EMAIL PROTECTED]
