Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread todd tredeau

This is sort of easy... of course you run your site through Apache... 
which in turn does this connection

deny from all "somedirectory"

in your application or code...

include something from "somedirectory"

todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site

Surya Suravarapu wrote:

>I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
>
>I've a context called WebApp whose docBase="E:\WebApp". So, when I 
>point my browser to http://localhost/WebApp/main it will take me to the 
>login screen of the application.
>
>There is a folder called "Reports" in my E:\WebApp. Some part of my 
>application is using Response.sendRedirect() and displaying the 
>requested file (from the Reports folder) to the browser. That's fine. I 
>want to show the files from that folder only through the application 
>and I have to configure my web server in such a way that it denies 
>requests if a User enters the file name manually like 
>http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
>have a solution for this.
>
>Thanks.
>-Surya
>
>
>--
>To unsubscribe:   
>For additional commands: 
>Troubles with the list: 
>
>








RE: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Barney Hamish

I had a similar problem. I kept the files out of the webapps folder. I wrote
a servlet that checks the username before serving up the file. If the user
has access to the file then it sends it; otherwise it blocks access.

Hamish

-----Original Message-----
From: Surya Suravarapu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 1:18 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat security issue -- URGENT


I didn't get any responses, so I'm reposting with some summary. I'm 
pretty sure somebody might have a solution for this.

Summary:
Is it possible to protect a resource in a particular folder which is 
under web application context? By protection I mean, only my 
application has to use that resource and if anybody else accesses it 
manually he must either get "access denied" or a "dialog box" with 
username and password.

Please see below for more details.

Thanks.
-Surya

----- Original Message -----
From: "Surya Suravarapu" <[EMAIL PROTECTED]>
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
> 
> I've a context called WebApp whose docBase="E:\WebApp". So, when I 
> point my browser to http://localhost/WebApp/main it will take me to the 
> login screen of the application.
> 
> There is a folder called "Reports" in my E:\WebApp. Some part of my 
> application is using Response.sendRedirect() and displaying the 
> requested file (from the Reports folder) to the browser. That's fine. I 
> want to show the files from that folder only through the application 
> and I have to configure my web server in such a way that it denies 
> requests if a User enters the file name manually like 
> http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
> have a solution for this.
> 
> Thanks.
> -Surya


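The approach described in the reply above (files kept outside the web application, served by a servlet that checks the user first), as an added example that is not code from the thread. The class name `ReportServlet`, the `E:\ReportStore` directory, the `file` request parameter and the `mayRead` policy are assumptions for illustration; it assumes container-managed login so that `getRemoteUser()` is populated, the `javax.servlet` API (`jakarta.servlet` on Tomcat 10 and later) and Java 7 or newer.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    // Assumed location outside docBase (E:\WebApp), so no URL maps to it directly.
    private static final Path REPORT_ROOT =
            Paths.get("E:\\ReportStore").toAbsolutePath().normalize();

    // Hypothetical policy ("<user>-..." files only); use the application's own lookup.
    static boolean mayRead(String user, String fileName) {
        return fileName.startsWith(user + "-");
    }

    // Resolve the requested name under REPORT_ROOT; null if it escapes the root.
    static Path resolve(String name) {
        if (name == null || name.isEmpty()) return null;
        try {
            Path p = REPORT_ROOT.resolve(name).normalize();
            return p.startsWith(REPORT_ROOT) && !p.equals(REPORT_ROOT) ? p : null;
        } catch (InvalidPathException e) {
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getRemoteUser(); // null when the caller is not logged in
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Path file = resolve(req.getParameter("file"));
        if (file == null || !mayRead(user, file.getFileName().toString())
                || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String type = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(type != null ? type : "application/octet-stream");
        Files.copy(file, resp.getOutputStream());
    }
}
```

The `resolve` check rejects names such as `..\..\boot.ini` or absolute paths, and a missing file returns the same 403 as a forbidden one so the response does not reveal which report names exist.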




Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Surya Suravarapu

I didn't get any responses, so I'm reposting with some summary. I'm 
pretty sure somebody might have a solution for this.

Summary:
Is it possible to protect a resource in a particular folder which is 
under web application context? By protection I mean, only my 
application has to use that resource and if anybody else accesses it 
manually he must either get "access denied" or a "dialog box" with 
username and password.

Please see below for more details.

Thanks.
-Surya

----- Original Message -----
From: "Surya Suravarapu" <[EMAIL PROTECTED]>
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
> 
> I've a context called WebApp whose docBase="E:\WebApp". So, when I 
> point my browser to http://localhost/WebApp/main it will take me to the 
> login screen of the application.
> 
> There is a folder called "Reports" in my E:\WebApp. Some part of my 
> application is using Response.sendRedirect() and displaying the 
> requested file (from the Reports folder) to the browser. That's fine. I 
> want to show the files from that folder only through the application 
> and I have to configure my web server in such a way that it denies 
> requests if a User enters the file name manually like 
> http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
> have a solution for this.
> 
> Thanks.
> -Surya

