Re: ContainerServlet interface

2002-12-16 Thread Craig R. McClanahan


On 16 Dec 2002, Felipe Schnack wrote:

> Date: 16 Dec 2002 15:43:09 -0200
> From: Felipe Schnack <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: ContainerServlet interface
>
>   The security holes it opens are related to what programmers can do or
> related to end users of the application? Can you give me examples?
>   You kinda worried me now :-)

Setting privileged=true lets your webapp call any method on any internal
Catalina object.  Among other things, that lets you affect *other*
webapps.  After all, the Manager servlet uses this facility to deploy and
undeploy them, and the Admin webapp uses this facility to configure the
server.

Craig


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




Re: ContainerServlet interface

2002-12-16 Thread Tim Funk
If you are writing a sniffer on SessionObjects - make sure you protect it.

Or if your session sniffer is inside of a webapp into which other programs
may introduce code - they have the ability to bypass other security
protections Tomcat has.

In a nutshell - I don't have specifics - it personally makes me uneasy. 
YMMV.

-Tim

Felipe Schnack wrote:
>   The security holes it opens are related to what programmers can do or
> related to end users of the application? Can you give me examples?
>   You kinda worried me now :-)
> 
> On Mon, 2002-12-16 at 15:44, Tim Funk wrote:
> > It is an attribute of <Context>. (The manager app and admin app have
> > this attribute set) I suggest being very careful since this can open
> > massive security holes (on your server) depending on your intentions.
> > 
> > -Tim
> > 
> > Felipe Schnack wrote:
> >>   Nice to know...
> >>   thanks a lot, but I should set which tag in server.xml? Context?
> >> On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> >>> Because the catalina classes cannot be accessed directly by your
> >>> classloader. This is a security feature.
> >>>
> >>> Otherwise - anyone could write servlet in a webapp and loop through
> >>> everyone else's session.
> >>>
> >>> If you *really* want to do this:
> >>> 1 - Look at the manager app because it does access the Sessions (at
> >>> least the count of them)
> >>> 2 - Your webapp will need to have [privileged="true"] in server.xml for
> >>> your webapp.
> >>>
> >>> -Tim
> >>>
> >>> Felipe Schnack wrote:
> >>>>   Hi all
> >>>>   I implemented a servlet that implements ContainerServlet interface
> >>>> from catalina.jar. I did this because I want to be able to loop through
> >>>> all HttpSession objects in a server...
> >>>>   but for some strange reason I can't understand, when I start tomcat
> >>>> now I get a InvocationTargetException, telling me that ContainerServlet
> >>>> interface was not found! Why this happens? This jar is in standard
> >>>> Tomcat distribution...
> >>>>   BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3




Re: ContainerServlet interface

2002-12-16 Thread Felipe Schnack
  The security holes it opens are related to what programmers can do or
related to end users of the application? Can you give me examples?
  You kinda worried me now :-)

On Mon, 2002-12-16 at 15:44, Tim Funk wrote:
> It is an attribute of <Context>. (The manager app and admin app have 
> this attribute set) I suggest being very careful since this can open 
> massive security holes (on your server) depending on your intentions.
> 
> -Tim
> 
> 
> Felipe Schnack wrote:
> >   Nice to know...
> >   thanks a lot, but I should set which tag in server.xml? Context?
> > On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> > 
> >>Because the catalina classes cannot be accessed directly by your 
> >>classloader. This is a security feature.
> >>
> >>Otherwise - anyone could write servlet in a webapp and loop through 
> >>everyone else's session.
> >>
> >>If you *really* want to do this:
> >>1 - Look at the manager app because it does access the Sessions (at 
> >>least the count of them)
> >>2 - Your webapp will need to have [privileged="true"] in server.xml for 
> >>your webapp.
> >>
> >>-Tim
> >>
> >>Felipe Schnack wrote:
> >>
> >>>  Hi all
> >>>  I implemented a servlet that implements ContainerServlet interface
> >>>from catalina.jar. I did this because I want to be able to loop through
> >>>all HttpSession objects in a server...
> >>>  but for some strange reason I can't understand, when I start tomcat
> >>>now I get a InvocationTargetException, telling me that ContainerServlet
> >>>interface was not found! Why this happens? This jar is in standard
> >>>Tomcat distribution...
> >>>  BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
> >>>
-- 

Felipe Schnack
Analista de Sistemas
[EMAIL PROTECTED]
Cel.: (51)91287530
Linux Counter #281893

Faculdade Ritter dos Reis
www.ritterdosreis.br
[EMAIL PROTECTED]
Fone/Fax.: (51)32303328






Re: ContainerServlet interface

2002-12-16 Thread Tim Funk
It is an attribute of <Context>. (The manager app and admin app have 
this attribute set) I suggest being very careful since this can open 
massive security holes (on your server) depending on your intentions.

-Tim


Felipe Schnack wrote:
>   Nice to know...
>   thanks a lot, but I should set which tag in server.xml? Context?
> On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> > Because the catalina classes cannot be accessed directly by your
> > classloader. This is a security feature.
> >
> > Otherwise - anyone could write servlet in a webapp and loop through
> > everyone else's session.
> >
> > If you *really* want to do this:
> > 1 - Look at the manager app because it does access the Sessions (at
> > least the count of them)
> > 2 - Your webapp will need to have [privileged="true"] in server.xml for
> > your webapp.
> >
> > -Tim
> >
> > Felipe Schnack wrote:
> >>   Hi all
> >>   I implemented a servlet that implements ContainerServlet interface
> >> from catalina.jar. I did this because I want to be able to loop through
> >> all HttpSession objects in a server...
> >>   but for some strange reason I can't understand, when I start tomcat
> >> now I get a InvocationTargetException, telling me that ContainerServlet
> >> interface was not found! Why this happens? This jar is in standard
> >> Tomcat distribution...
> >>   BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3




Re: ContainerServlet interface

2002-12-16 Thread Felipe Schnack
  Nice to know...
  thanks a lot, but I should set which tag in server.xml? Context?
On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> Because the catalina classes cannot be accessed directly by your 
> classloader. This is a security feature.
> 
> Otherwise - anyone could write servlet in a webapp and loop through 
> everyone else's session.
> 
> If you *really* want to do this:
> 1 - Look at the manager app because it does access the Sessions (at 
> least the count of them)
> 2 - Your webapp will need to have [privileged="true"] in server.xml for 
> your webapp.
> 
> -Tim
> 
> Felipe Schnack wrote:
> >   Hi all
> >   I implemented a servlet that implements ContainerServlet interface
> > from catalina.jar. I did this because I want to be able to loop through
> > all HttpSession objects in a server...
> >   but for some strange reason I can't understand, when I start tomcat
> > now I get a InvocationTargetException, telling me that ContainerServlet
> > interface was not found! Why this happens? This jar is in standard
> > Tomcat distribution...
> >   BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
> > 
> 
> 




Re: ContainerServlet interface

2002-12-16 Thread Tim Funk
Because the catalina classes cannot be accessed directly by your 
classloader. This is a security feature.

Otherwise - anyone could write servlet in a webapp and loop through 
everyone else's session.

If you *really* want to do this:
1 - Look at the manager app because it does access the Sessions (at 
least the count of them)
2 - Your webapp will need to have [privileged="true"] in server.xml for 
your webapp.

-Tim

Felipe Schnack wrote:
>   Hi all
>   I implemented a servlet that implements ContainerServlet interface
> from catalina.jar. I did this because I want to be able to loop through
> all HttpSession objects in a server...
>   but for some strange reason I can't understand, when I start tomcat
> now I get a InvocationTargetException, telling me that ContainerServlet
> interface was not found! Why this happens? This jar is in standard
> Tomcat distribution...
>   BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
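What Tim's two steps above produce in practice (a ContainerServlet in a Context with privileged="true", doing the session count the Manager app does), together with Craig's point earlier in the thread that the same handle reaches every other webapp, and Tim's warning that such a sniffer must be protected, as one added example. This is not code from the thread, from the Manager app or from Tomcat; the class name, the "manager" role, the 15-minute idle threshold and the package are assumptions, and it targets the Tomcat 4.1 Catalina API (org.apache.catalina.Wrapper, Host, Manager, Session) that Felipe's Tomcat 4.1.12 ships.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Container;
import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

/**
 * Counts the sessions of every webapp on this Host, much as the Manager
 * app's "sessions" command does.  Only works inside a Context declared
 * privileged="true": that is what lets the webapp classloader see
 * catalina.jar and what makes Catalina hand us our Wrapper via setWrapper().
 */
public class SessionCountServlet extends HttpServlet implements ContainerServlet {

    /** Role the caller must hold before any report is produced (assumption). */
    private static final String REQUIRED_ROLE = "manager";

    /** Sessions idle longer than this are counted separately (assumption). */
    private static final long IDLE_MILLIS = 15L * 60L * 1000L;

    /** Injected by Catalina when the servlet is loaded from a privileged Context. */
    private Wrapper wrapper = null;

    public Wrapper getWrapper() {
        return wrapper;
    }

    public void setWrapper(Wrapper wrapper) {
        this.wrapper = wrapper;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Defence in depth on top of the <security-constraint> in web.xml:
        // with no constraint at all the caller is anonymous, isUserInRole()
        // is false, and the servlet fails closed instead of leaking data.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Not privileged: Catalina never called setWrapper(), so there is no
        // handle into the server.  Say so rather than throw a NullPointerException.
        if (wrapper == null) {
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "Context is not privileged; setWrapper() was never called");
            return;
        }

        // This is the reach privileged="true" grants: Wrapper -> our Context ->
        // the Host -> every Context deployed on it, other people's included.
        Context ourContext = (Context) wrapper.getParent();
        Host host = (Host) ourContext.getParent();

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        long now = System.currentTimeMillis();

        Container[] children = host.findChildren();
        for (int i = 0; i < children.length; i++) {
            if (!(children[i] instanceof Context)) {
                continue;
            }
            Context ctx = (Context) children[i];
            Manager manager = ctx.getManager();
            if (manager == null) { // context not started, or no session manager
                out.println(ctx.getPath() + ": no session manager");
                continue;
            }
            Session[] sessions = manager.findSessions();
            int idle = 0;
            for (int j = 0; j < sessions.length; j++) {
                if (now - sessions[j].getLastAccessedTime() > IDLE_MILLIS) {
                    idle++;
                }
            }
            // Only counts leave the server.  sessions[j].getId() or the
            // attributes behind sessions[j].getSession() would let whoever
            // reads this page hijack the users of the other webapps.
            out.println(ctx.getPath() + ": " + sessions.length
                    + " sessions, " + idle + " idle for more than 15 minutes");
        }
    }
}
```

To run it, the class goes under the webapp's WEB-INF/classes, the webapp's entry under the Host in server.xml carries the attribute Tim names (for instance `<Context path="/sessmon" docBase="sessmon" privileged="true"/>`, where the path and docBase are assumptions), and web.xml declares a `<security-constraint>` over the servlet's URL with an `<auth-constraint>` naming the same role the code checks, exactly as the Manager app does. The role check matters because of Craig's point: the `wrapper.getParent().getParent()` walk hands this servlet every Context on the Host, and nothing in Catalina stops the same code from calling methods that stop or reconfigure them, so the privileged webapp is only as trustworthy as every class that can be deployed into it.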




ContainerServlet interface

2002-12-16 Thread Felipe Schnack
  Hi all
  I implemented a servlet that implements ContainerServlet interface
from catalina.jar. I did this because I want to be able to loop through
all HttpSession objects in a server...
  but for some strange reason I can't understand, when I start tomcat
now I get a InvocationTargetException, telling me that ContainerServlet
interface was not found! Why this happens? This jar is in standard
Tomcat distribution...
  BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
