I found a temporary solution. I put the nutch pages and the CMS pages in different sub-domains.
is it possible to make cached.jsp filter <script> tags by modifying config xml file? this will be a good solution for me since I run both CMS and nutch in same domain name. On 9/10/07, Manoharam Reddy <[EMAIL PROTECTED]> wrote: > this seems like a problem. my tomcat server is running Nutch along > with a CMS login page. what to do to resolve this problem? anyone > else having same problem? please help. > > On 9/8/07, Susam Pal <[EMAIL PROTECTED]> wrote: > > I find that 'cached.jsp' executes the scripts that have been cached > > along with the pages. This is not wrong as such. But this becomes a > > security concern when the Nutch search engine is a part of a website > > that implements authentication and authorization. > > > > If the original page has a malicious script, the script will be run > > when a visitor visits its corresponding cached page in the Nutch > > search engine. If the script is a cookie stealer, then it would allow > > the attacker to steal the session cookies of an authenticated user and > > hijack his session. > > > > As a result, search engines like Google, Yahoo, etc. have the cache on > > a different address, so that the scripts can not steal the cookies set > > by the domains like google.com, yahoo.com, etc. The same practice has > > to be followed with Nutch too, if the website it is hosted on, > > contains such sensitive cookies. > > > > I am not sure whether it is possible to extract only the cache details > > from crawl DB and take it to a different server. So, currently I can > > imagine the following method only to do this:- > > > > 1. Delete 'cached.jsp' from the $CATALINA_HOME/webapps/ROOT > > 2. Take a copy of 'crawl' DB and take it to a different server. > > 3. Modify 'search.jsp' so that the the 'Cached' link points to > > 'cached.jsp' in the other server. > > 4. Run two instances of tomcat server with Nutch, one for the web GUI > > for search and the other for the cached.jsp only. > > > > Is there a better way to achieve this? If not, shouldn't the link to > > 'cached.jsp' be made configurable? I would appreciate if someone can > > suggest something regarding this issue. > > > > Regards, > > Susam Pal > > http://susam.in/ > > >
