Re: ContainerServlet interface
On 16 Dec 2002, Felipe Schnack wrote:

> Date: 16 Dec 2002 15:43:09 -0200
> From: Felipe Schnack <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: ContainerServlet interface
>
> Are the security holes it opens related to what programmers can do, or
> to end users of the application? Can you give me examples?
> You kinda worried me now :-)

Setting privileged="true" lets your webapp call any method on any internal Catalina object. Among other things, that lets you affect *other* webapps. After all, the Manager servlet uses this facility to deploy and undeploy them, and the Admin webapp uses this facility to configure the server.

Craig

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
Re: ContainerServlet interface
If you are writing a sniffer on Session objects, make sure you protect it. Or, if your Session sniffer is inside a webapp into which other programs may introduce code, they have the ability to bypass the other security protections Tomcat has.

In a nutshell: I don't have specifics; it personally makes me uneasy. YMMV.

-Tim

Felipe Schnack wrote:
> Are the security holes it opens related to what programmers can do, or
> to end users of the application? Can you give me examples?
> You kinda worried me now :-)
Re: ContainerServlet interface
Are the security holes it opens related to what programmers can do, or to end users of the application? Can you give me examples?
You kinda worried me now :-)

On Mon, 2002-12-16 at 15:44, Tim Funk wrote:
> It is an attribute of <Context>. (The manager app and admin app have
> this attribute set.) I suggest being very careful, since this can open
> massive security holes (on your server) depending on your intentions.
>
> -Tim

--
Felipe Schnack
Systems Analyst
[EMAIL PROTECTED]
Mobile: (51)91287530
Linux Counter #281893
Faculdade Ritter dos Reis
www.ritterdosreis.br
[EMAIL PROTECTED]
Phone/Fax: (51)32303328
Re: ContainerServlet interface
It is an attribute of <Context>. (The manager app and admin app have this attribute set.) I suggest being very careful, since this can open massive security holes (on your server) depending on your intentions.

-Tim

Felipe Schnack wrote:
> Nice to know...
> Thanks a lot, but which tag in server.xml should I set it on? Context?
Re: ContainerServlet interface
Nice to know...
Thanks a lot, but which tag in server.xml should I set it on? Context?

On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> Because the catalina classes cannot be accessed directly by your
> classloader. This is a security feature.
>
> Otherwise anyone could write a servlet in a webapp and loop through
> everyone else's sessions.
>
> If you *really* want to do this:
> 1 - Look at the manager app, because it does access the Sessions (at
> least the count of them).
> 2 - Your webapp will need to have [privileged="true"] in server.xml for
> your webapp.
>
> -Tim

--
Felipe Schnack
Re: ContainerServlet interface
Because the catalina classes cannot be accessed directly by your classloader. This is a security feature.

Otherwise anyone could write a servlet in a webapp and loop through everyone else's sessions.

If you *really* want to do this:
1 - Look at the manager app, because it does access the Sessions (at least the count of them).
2 - Your webapp will need to have [privileged="true"] in server.xml for your webapp.

-Tim

Felipe Schnack wrote:
> Hi all,
> I implemented a servlet that implements the ContainerServlet interface
> from catalina.jar. I did this because I want to be able to loop through
> all HttpSession objects in a server...
> But for some strange reason I can't understand, when I start Tomcat
> now I get an InvocationTargetException telling me that the ContainerServlet
> interface was not found! Why does this happen? This jar is in the standard
> Tomcat distribution...
> BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
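Tim's two steps carried into working code, as an added example (mine, not code from this thread or from Tomcat's own manager webapp): a ContainerServlet that walks from its Wrapper up to the Host and counts the active sessions of every deployed Context, using the same Catalina calls the Tomcat 4.1 manager servlet's `sessions` command relies on. The package and class names, the context path `/sessiontool` and the role name `manager` are assumptions; the `<Context>` and `<security-constraint>` fragments in the comment show the configuration the code depends on. Without `privileged="true"` the class cannot even be loaded, because `org.apache.catalina.ContainerServlet` is not visible to the webapp classloader, which is the failure the original post describes.

```java
package example.sessiontool;   // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Container;
import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

/*
 * Lists the active sessions of every webapp on this Host.
 *
 * Required server.xml entry (Tomcat 4.1; path and docBase are assumed):
 *
 *   <Context path="/sessiontool" docBase="sessiontool" privileged="true"/>
 *
 * Required WEB-INF/web.xml entry, so that only an authenticated user in
 * the "manager" role (assumed name) can reach the servlet:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Session tool</web-resource-name>
 *       <url-pattern>/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   </security-constraint>
 *
 * In a non-privileged context org.apache.catalina.* is not reachable from
 * the webapp classloader and this class will not even load; with
 * privileged="true" Tomcat calls setWrapper() before init().
 */
public class SessionListServlet extends HttpServlet implements ContainerServlet {

    private Wrapper wrapper;   // the Wrapper Tomcat hands us, null if never wired up
    private Host host;         // parent of our Context: holds every webapp on the host

    public Wrapper getWrapper() {
        return wrapper;
    }

    // Same navigation the manager servlet does: Wrapper -> Context -> Host.
    public void setWrapper(Wrapper wrapper) {
        this.wrapper = wrapper;
        if (wrapper == null) {
            host = null;
        } else {
            Context ownContext = (Context) wrapper.getParent();
            host = (Host) ownContext.getParent();
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Programmatic check on top of the declarative constraint, so a
        // forgotten web.xml does not silently expose every session.
        if (!req.isUserInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (host == null) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "container access not available: context is not privileged");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        Container[] children = host.findChildren();
        for (int i = 0; i < children.length; i++) {
            if (!(children[i] instanceof Context)) {
                continue;
            }
            Context ctx = (Context) children[i];
            Manager manager = ctx.getManager();
            if (manager == null) {
                continue;   // context not started or has no session manager
            }
            Session[] sessions = manager.findSessions();
            out.println(ctx.getPath() + ": " + sessions.length + " active session(s)");
            for (int j = 0; j < sessions.length; j++) {
                // Report idle time only. Never print getId(): a session id is a
                // bearer credential, and a page listing other webapps' session
                // ids is a ready-made hijacking tool.
                long idleSeconds =
                        (System.currentTimeMillis() - sessions[j].getLastAccessedTime()) / 1000;
                out.println("  session idle for " + idleSeconds + "s");
            }
        }
        out.flush();
    }
}
```

Deploy this in its own context, never inside an application that accepts uploads or has a writable WEB-INF, and keep the security constraint: a privileged context is effectively part of the server, so any code that can be dropped into it inherits the ability to read every session on the host, which is exactly the concern Tim and Craig raise earlier in the thread.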
ContainerServlet interface
Hi all,

I implemented a servlet that implements the ContainerServlet interface from catalina.jar. I did this because I want to be able to loop through all HttpSession objects in a server...

But for some strange reason I can't understand, when I start Tomcat now I get an InvocationTargetException telling me that the ContainerServlet interface was not found! Why does this happen? This jar is in the standard Tomcat distribution...

BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3

--
Felipe Schnack