Re: Protecting mysql access (was: re: mySQL again)

2001-03-01 Thread Rick Herrick

On our server, we basically grant NO remote access privileges to ANY users, 
including root.  This means that any access to the database has to be done 
from the localhost.  So instead of doing the two normal grants you might 
do, like this:

GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@localhost IDENTIFIED BY 
'password';
GRANT SELECT,INSERT,UPDATE ON *.* TO soandso@"%" IDENTIFIED BY 'password';

The first allows access from the localhost.  The second allows remote 
access.  Just don't do the second.  Then someone has to hack in and get 
local access to the database somehow and if they can do that, then you've 
got other security problems besides MySQL!

At 08:01 AM 3/1/2001 -0800, you wrote:
>Slightly off topic, but important!
>
>Having seen way too much in terms of hacking and system compromises, might 
>I suggest you create another, and far less privileged user than root, for 
>accessing mysql.  Unless you've gone into the grant tables and created a 
>different mysql superuser and reduced root's priv, then the root login to 
>mysql is like root on unix, superuser, God, etc.  If multiple users have 
>shell access to the tomcat host system, and those same users are not 
>authorized as mysql root, then I know of no way to keep unauthorized eyes 
>from looking at the server.xml file other than by making it sysroot 
>protected. But to do that, you need to run tomcat under root.
>
>If anyone has a good mechanism for securing the server's and/or servlet's 
>credential for db access, I'd certainly love to hear it. That issue has 
>been my one and only thorn in the side since I began switching from 
>perl/cgi (where the solution to that issue is a no-brainer) to using tomcat.
>
>-- Rob
>
>--On Thursday, March 01, 2001 10:19:13 AM +0100 [EMAIL PROTECTED] wrote:
>
>>>Hi!
>>>My connectionURL in server.xml now looks like this:
>>>"jdbc:mysql://localhost/auth?user=root&password=somepassword"
>>>
>>>and tomcat doesn't start up (although there is no error msg or
>>>anything) and when I execute tomcat stop I get the following
>>>exception:
>>>org.xml.sax.SAXParseException: Next character must be ";" terminating
>>>reference to entity "password" and a stack trace follows...
>>>
>>>why is that?
>>
>>I guess you should escape the "&" character in your connectionURL by
>>replacing it with "&amp;", as the XML parser will parse entities like
>>"&lt;" or "&quot;" or things like that...
>>
>>Try
>>
>>jdbc:mysql://localhost/auth?user=root&amp;password=somepassword
>>
>>instead, that should work...
>>
>>np: Flanger - Nightbeat 1 (Midnight Sound)
>>
>>
>>-
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, email: [EMAIL PROTECTED]
>
>
>
>
>  QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
>  (Whatever is said in Latin appears profound)
>
>  Rob Tanner
>  McMinnville, Oregon
>  [EMAIL PROTECTED]
>
>
>

--
Rick Herrick
[EMAIL PROTECTED]
Nothing is amusing in zero gravity...
PGP: http://www.rickherrick.com/pgpkey


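Added example (not code from this thread or from Tomcat) showing the XML attribute-escaping point above in Python: the connectionURL with a raw "&" is rejected by the parser, while the "&amp;" form round-trips to the intended JDBC URL. The Context/Resource element names and the credentials are constructed placeholders, not Tomcat's actual server.xml schema.

```python
import xml.etree.ElementTree as ET

# Constructed URL in the shape of the thread's connectionURL (placeholder password).
JDBC_URL = "jdbc:mysql://localhost/auth?user=root&password=somepassword"


def context_element(url):
    """Return server.xml-style text for a Context whose connectionURL holds `url`.
    Context/Resource are illustrative element names (assumed, not Tomcat's exact
    schema). ElementTree escapes '&', '<' and '"' inside attribute values, so the
    output shows exactly what has to be typed by hand: '&amp;' in place of '&'."""
    ctx = ET.Element("Context", path="/auth")
    ET.SubElement(ctx, "Resource", name="jdbc/auth", connectionURL=url)
    return ET.tostring(ctx, encoding="unicode")


def read_connection_url(xml_text):
    """Parse `xml_text` and return (url, None) on success, or (None, error_message)
    when the parser rejects it. An unescaped '&password=' is read as the start of
    an entity reference, which is the failure reported in the thread."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, str(exc)
    res = root.find("Resource")
    return (res.get("connectionURL") if res is not None else None), None


# Hand-written fragment with the raw '&', as in the original server.xml.
RAW_FRAGMENT = (
    '<Context path="/auth"><Resource name="jdbc/auth" '
    'connectionURL="%s"/></Context>' % JDBC_URL
)

if __name__ == "__main__":
    # The raw form fails to parse; the escaped form parses back to JDBC_URL.
    print(read_connection_url(RAW_FRAGMENT))
    escaped = context_element(JDBC_URL)
    print(escaped)
    print(read_connection_url(escaped))
```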




Calling within and across webapp contexts

2001-02-28 Thread Rick Herrick

I asked the question earlier and never received a response, so I'll try again!

We have a JSP app that's currently running in JRun 2.3.3 (JSP 1.0 
compliant).  When we refer to different directories within the app, we 
always preface with the "context" name, or really the top-level virtual 
directory.  So if you want a common file, you do this:



The problem is that, testing under Tomcat, this doesn't work.  It tries to 
prepend the context name onto the path, so that this becomes 
/CpsAdmin/CpsAdmin/Common/loginForm.jsp.

My questions are:

* Is this part of the JSP 1.1 spec?  It flies in the face of conventional 
usage of path names across the board, i.e. anything that starts with '/' 
means you go to the top-level of the server hierarchy.  What's the rationale?

* Is there anyway to change this and make Tomcat do the "right" thing, i.e. 
see '/' as the server root?

* Does this also mean that you can't call across contexts?  That is, we 
produce our tools as separate items, since customers may install some 
pieces and not others.  But if two tools are installed, they can work 
together and then would need to call across contexts.  I can think of no 
good reason why this shouldn't be permitted, but based on this behavior, it 
does look as if it would.

Thanks in advance for any feedback!  Getting this worked out will help save 
me a TON of time porting over our apps!

Rick Herrick, AKA [EMAIL PROTECTED]
In zero gravity, nothing is amusing.
PGP: http://www.rickherrick.com/pgpkey






Question about context paths

2001-02-12 Thread Rick Herrick

First, config info.  This is using Tomcat 3.2.1 with its own built-in Web 
server on W2K.  I've looked through the FAQ and mailing list archives and 
can't find an answer to this question (I can't find the question, either, 
which I think is kinda weird, but there you are...).

I have a web application set up in its own top-level context, let's say 
/myapp.  So I can refer to pages within that context with 
http://myserver/myapp/page.jsp.  That works fine as a URL provided in an 
HREF.  The problem comes when I forward to files within that context.  I 
use some static members stored in a bean to provide configurable mapping to 
components within that app.  So I'll have this:

public class MyBean
{
    // Context root, followed by the component paths built from it.
    public static String kstrMyRootDir = "/myapp";
    public static String kstrMyComp1   = kstrMyRootDir + "/comp1";
    public static String kstrMyComp2   = kstrMyRootDir + "/comp2";
    public static String kstrMyComp3   = kstrMyRootDir + "/comp3";
}

Then I can do stuff like:



This works fine using JRun 2.3.3.  This directive would forward the page to 
/myapp/comp1/page.jsp.  Now I'm trying to move this app to work on Tomcat 
and I don't get the same behavior.  Instead, the above directive tries to 
forward to /myapp/myapp/comp1/page.jsp.  This is bad.

So obviously Tomcat appends the context name onto forward directives.  This 
includes when I tear the call down and do it directly in code like this:

pageContext.forward (kstrMyComp1 + "/page.jsp");

The string arithmetic gives me the proper page and path, i.e. 
/myapp/comp1/page.jsp, so this happens somewhere that I can't directly 
affect through code.  Now, this seems stupid to me, since the fact that the 
path begins with '/' indicates that it should go to the server root, NOT 
the context root.  So:

* Is there a good explanation as to why this is done this way?  I know 
there's some restriction about switching from context to context, i.e. 
/app1 to /app2.  Is this an upshot of that restriction?

* Regardless of the explanation, good or not, is there any way to make this 
go away?  I don't want to have to retool my code to work with this if I can 
help it.  There will be a lot of forwards to fix and I expect that includes 
work the same way, although I haven't tested it yet.

Thanks for any info you may have on this!  It's driving me up a wall!
--
Rick Herrick
[EMAIL PROTECTED]
Nothing is amusing in zero gravity...

