Re: Apache/Tomcat Security

2002-11-27 Thread Glenn Nielsen
Run Tomcat with the Java SecurityManager (-security startup option) and only
grant the minimum permissions necessary to your webapp.  See the Security
Manager HOWTO in the Tomcat docs.

Glenn

Anderson, M. Paul wrote:

I am preparing to launch my first web site utilizing an Apache/Tomcat
configuration.  The server will host a single web site, at least for now
that uses servlets and jsp with a database backend.  I have set up the
Apache and Tomcat as discussed in the documentation with much help from
people on this list.  Now my question concerns whether or not I need to do
anything in Apache or Tomcat to protect my site beyond what Apache and
Tomcat are already set up to do.  How secure can I truly expect my site to
be using Apache and Tomcat as is?

--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
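Glenn's advice in concrete form, as an added example that is not code from the thread or from the Tomcat documentation: a grant block for Tomcat's catalina.policy, which the JVM enforces once Tomcat is started with the -security option. Every permission the webapp is not granted here is refused, which is what "minimum permissions necessary" means in practice. The webapp name myApp is taken from John Turner's httpd.conf post further down; the property name, the database host and port, and the file path are assumptions made for this example.

```text
// Added example, not from the thread. Grant block for catalina.policy:
// permissions for the webapp deployed as "myApp", and nothing else.
// Tomcat must be started with -security for this to be enforced.
grant codeBase "file:${catalina.home}/webapps/myApp/-" {
    // Read (not write) the one system property the app needs (assumed name)
    permission java.util.PropertyPermission "java.io.tmpdir", "read";

    // Outbound JDBC connection to the one database host only.
    // Host and port are placeholders for this example.
    permission java.net.SocketPermission "db.example.internal:3306", "connect,resolve";

    // Read access to its own deployment directory (property files under WEB-INF etc.)
    permission java.io.FilePermission "${catalina.home}/webapps/myApp/-", "read";
};
```

Start with an empty grant block and add permissions one at a time from the AccessControlException stack traces in catalina.out; a webapp that suddenly needs java.io.FilePermission "<<ALL FILES>>" or a SocketPermission to "*" is telling you something about either its design or its dependencies.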





RE: Apache/Tomcat Security

2002-11-20 Thread Turner, John

For your webapp, in httpd.conf, you'll want:

# Deny direct access to WEB-INF and META-INF
# (AllowOverride is only valid inside <Directory> sections, so it is not used here)
<Location /myApp/WEB-INF/*>
    Order deny,allow
    Deny from all
</Location>

<Location /myApp/META-INF/*>
    Order deny,allow
    Deny from all
</Location>

And for the manager on that virtual host:

# Deny direct access to WEB-INF and META-INF
<Location /manager/WEB-INF/*>
    Order deny,allow
    Deny from all
</Location>

<Location /manager/META-INF/*>
    Order deny,allow
    Deny from all
</Location>

John


 -Original Message-
 From: Anderson, M. Paul [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, November 20, 2002 9:05 AM
 To: 'Tomcat Users List'
 Subject: Apache/Tomcat Security
 
 
 I am preparing to launch my first web site utilizing an Apache/Tomcat
 configuration.  The server will host a single web site, at 
 least for now
 that uses servlets and jsp with a database backend.  I have set up the
 Apache and Tomcat as discussed in the documentation with much 
 help from
 people on this list.  Now my question concerns whether or not 
 I need to do
 anything in Apache or Tomcat to protect my site beyond what Apache and
 Tomcat are already set up to do.  How secure can I truly 
 expect my site to
 be using Apache and Tomcat as is?
 

RE: Apache Tomcat Security

2002-10-10 Thread Turner, John


Do we get contributing author credit?

John


 -Original Message-
 From: Nilesh Parmar [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 10, 2002 1:56 AM
 To: 'Tomcat Users List '
 Subject: Apache Tomcat Security
 
 
 Hi,
     I've been subscribing to this mailing list for quite a while. I'm
 interested in developing a book on Apache Tomcat security. For a start, here
 is what I've included as a specification for the book. Can anyone please
 give me your valuable suggestions/ideas to make it a better book? I'd like
 to know what exactly the programmer wants so as to make it a great book
 helpful to all. Here's what I'd like to cover in the book:
 
 Internet Security (SSH, SSL)
 How secure is Tomcat
 Security Manager
 Realms (This chapter should discuss Memory Realms, and JDBC Realms)
 Secure connections with Databases (like MySQL) using SSL
 Secure connections with LDAP using SSL (??)
 
 Thanks in advance.
 Nilesh
 
 
  
 

Re: Apache Tomcat Security

2002-10-10 Thread Andres Ledesma

Include PostgreSQL as you did with MySQL

Thanks...

Andrew



Re: Apache Tomcat Security

2002-10-10 Thread jcosta


Ditto to the contributing author comment. Looking at your email address,
you're a Wrox guy. Who's the audience for the book? Are you targeting the
developer or the sysadmin?


   

From: Nilesh Parmar [EMAIL PROTECTED]
To: 'Tomcat Users List ' [EMAIL PROTECTED]
Subject: Apache Tomcat Security
Date: 10/10/2002 01:55 AM
Please respond to: Tomcat Users List





Hi,
   I've been subscribing to this mailing list for quite a while. I'm
interested in developing a book on Apache Tomcat security. For a start, here
is what I've included as a specification for the book. Can anyone please
give me your valuable suggestions/ideas to make it a better book? I'd like
to know what exactly the programmer wants so as to make it a great book
helpful to all. Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms, and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.
Nilesh




RE: Apache Tomcat Security

2002-10-10 Thread Turner, John


And how would this be different from the WROX book(s) already published, as
well as the two books (three if you count JBoss) by Sams?

More often than not, the books available on a given subject are all the
same, regardless of who publishes them.  I went looking for an in-depth
Tomcat + JNDI + JDBC resource in July. Every book I found, from 4 different
publishers, had essentially the same code snippet (approx. 2/3 of one page)
which did nothing but describe a simple JNDI setup, and aside from the
values of the parameters, was identical to the example in the Tomcat docs.
Not worth $50 where I come from, that's for sure.  I think a couple of the
publishers even used the exact same snippet.  I did manage to get a little
more info from a JDBC 3.0 book (about 1.5 pages), but even that was pretty
sparse.

I'd be interested in a book on the topics you listed, but only if it was
demonstrably different than anything else.  Please avoid writing or
publishing a me/us too book.

John

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 10, 2002 9:03 AM
 To: Tomcat Users List
 Cc: 'Tomcat Users List '
 Subject: Re: Apache Tomcat Security
 
 
 
 Ditto to the contributing author comment. Looking at your 
 email address,
 you're a Wrox guy. Who's the audience for the book? Are you 
 targeting the
 developer or the sysadmin?
 
 
   
   

 From: Nilesh Parmar [EMAIL PROTECTED]
 To: 'Tomcat Users List ' [EMAIL PROTECTED]
 Subject: Apache Tomcat Security
 Date: 10/10/2002 01:55 AM
 Please respond to: Tomcat Users List
 
 
 
 
 Hi,
    I've been subscribing to this mailing list for quite a while. I'm
 interested in developing a book on Apache Tomcat security. For a start, here
 is what I've included as a specification for the book. Can anyone please
 give me your valuable suggestions/ideas to make it a better book? I'd like
 to know what exactly the programmer wants so as to make it a great book
 helpful to all. Here's what I'd like to cover in the book:
 
 Internet Security (SSH, SSL)
 How secure is Tomcat
 Security Manager
 Realms (This chapter should discuss Memory Realms, and JDBC Realms)
 Secure connections with Databases (like MySQL) using SSL
 Secure connections with LDAP using SSL (??)
 
 Thanks in advance.
 Nilesh
 
 
 
 

RE: Apache Tomcat Security

2002-10-10 Thread Nilesh Parmar

Hi Andrew,
 Why do you think we need to include PostgreSQL? I think MySQL is more
popular than PostgreSQL and is widely used.

thanks,
Nilesh

-Original Message-
From: Andres Ledesma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 6:32 PM
To: Tomcat Users List
Subject: Re: Apache Tomcat Security


Include PostgreSQL as you did with MySQL

Thanks...

Andrew



--
Peer Information India Pvt Ltd, Mumbai, India



RE: Apache Tomcat Security

2002-10-10 Thread Nilesh Parmar

Yes,
The target audience for the book is developers. I'd like to
concentrate on building secure applications.

thanks,
Nilesh.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 6:33 PM
To: Tomcat Users List
Cc: 'Tomcat Users List '
Subject: Re: Apache Tomcat Security



Ditto to the contributing author comment. Looking at your email address,
you're a Wrox guy. Who's the audience for the book? Are you targeting the
developer or the sysadmin?



From: Nilesh Parmar [EMAIL PROTECTED]
To: 'Tomcat Users List ' [EMAIL PROTECTED]
Subject: Apache Tomcat Security
Date: 10/10/2002 01:55 AM
Please respond to: Tomcat Users List






Hi,
   I've been subscribing to this mailing list for quite a while. I'm
interested in developing a book on Apache Tomcat security. For a start, here
is what I've included as a specification for the book. Can anyone please
give me your valuable suggestions/ideas to make it a better book? I'd like
to know what exactly the programmer wants so as to make it a great book
helpful to all. Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms, and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.
Nilesh




--
Peer Information India Pvt Ltd, Mumbai, India



Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Surya Suravarapu

I didn't get any responses, so I'm reposting with a summary. I'm
pretty sure somebody might have a solution for this.

Summary:
Is it possible to protect a resource in a particular folder which is
under a web application context? By protection I mean that only my
application has to use that resource, and if anybody else accesses it
manually he must either get access denied or a dialog box with
username and password.

Please see below for more details.

Thanks.
-Surya

- Original Message -
From: Surya Suravarapu [EMAIL PROTECTED]
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

 I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
 
 I've a context called WebApp whose docBase=E:\WebApp. So, when I
 point my browser to http://localhost/WebApp/main it will take me to the
 login screen of the application.
 
 There is a folder called Reports in my E:\WebApp. Some part of my
 application is using Response.sendRedirect() and displaying the
 requested file (from the Reports folder) to the browser. That's fine. I
 want to show the files from that folder only through the application
 and I have to configure my web server in such a way that it denies
 requests if a User enters the file name manually like
 http://localhost/WebApp/Reports/some-file.xls. Please help me if you
 have a solution for this.
 
 Thanks.
 -Surya
 
 
RE: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Barney Hamish

I had a similar problem. I kept the files out of the webapps folder. I wrote
a servlet that checks the username before serving up the file. If the user
has access to the file then it sends it otherwise it blocks access.

Hamish

-Original Message-
From: Surya Suravarapu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 1:18 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat security issue -- URGENT


I didn't get any responses, so I'm reposting with a summary. I'm
pretty sure somebody might have a solution for this.

Summary:
Is it possible to protect a resource in a particular folder which is
under a web application context? By protection I mean that only my
application has to use that resource, and if anybody else accesses it
manually he must either get access denied or a dialog box with
username and password.

Please see below for more details.

Thanks.
-Surya

- Original Message -
From: Surya Suravarapu [EMAIL PROTECTED]
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

 I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
 
 I've a context called WebApp whose docBase=E:\WebApp. So, when I
 point my browser to http://localhost/WebApp/main it will take me to the
 login screen of the application.
 
 There is a folder called Reports in my E:\WebApp. Some part of my
 application is using Response.sendRedirect() and displaying the
 requested file (from the Reports folder) to the browser. That's fine. I
 want to show the files from that folder only through the application
 and I have to configure my web server in such a way that it denies
 requests if a User enters the file name manually like
 http://localhost/WebApp/Reports/some-file.xls. Please help me if you
 have a solution for this.
 
 Thanks.
 -Surya
 
 
Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread todd tredeau

This is sort of easy... of course you run your site through Apache...
which in turn does this connection

deny from all somedirectory

in your application or code...

include something from somedirectory

todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site

Surya Suravarapu wrote:

I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.

I've a context called WebApp whose docBase=E:\WebApp. So, when I 
point my browser to http://localhost/WebApp/main it will take me to the 
login screen of the application.

There is a folder called Reports in my E:\WebApp. Some part of my 
application is using Response.sendRedirect() and displaying the 
requested file (from the Reports folder) to the browser. That's fine. I 
want to show the files from that folder only through the application 
and I have to configure my web server in such a way that it denies 
requests if a User enters the file name manually like 
http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
have a solution for this.

Thanks.
-Surya


--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
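The approach Hamish describes, applied to the problem Surya, Hamish and todd discuss above (a Reports folder under the webapp's docBase that anyone can fetch by URL), as an added example that is not code from anyone in the thread. The servlet keeps the report files outside docBase, so neither Apache nor Tomcat will ever serve them as static files; it requires a container-authenticated user, accepts only a bare whitelisted file name, and streams the file itself rather than redirecting the browser to a URL it could reuse later. The directory E:\WebAppData\Reports, the role name reportViewer and the request parameter name file are assumptions made for this example.

```java
// Added example, not code from the thread. Serves report files that live
// OUTSIDE the webapp's docBase, after checking who is asking and what for.
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    // Assumed location. Anything under docBase (E:\WebApp) is reachable by URL,
    // so the files are deliberately kept out of it.
    private static final File REPORT_DIR = new File("E:\\WebAppData\\Reports");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Only users the container has authenticated (login via a Realm).
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. And only those in the reporting role (assumed role name,
        //    declared as a <security-role> in web.xml).
        if (!req.isUserInRole("reportViewer")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Accept a single bare file name: no path separators, no "..",
        //    so a request can never escape REPORT_DIR. Assumed parameter name.
        String name = req.getParameter("file");
        if (name == null || !name.matches("[A-Za-z0-9_-]+\\.(xls|pdf)")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        File f = new File(REPORT_DIR, name);
        // 4. Defence in depth: the resolved path must still lie inside REPORT_DIR
        //    and must be an ordinary file.
        String base = REPORT_DIR.getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(base) || !f.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 5. Stream the bytes ourselves. sendRedirect() would hand the browser
        //    a URL that bypasses every check above on the next request.
        String type = getServletContext().getMimeType(name);
        resp.setContentType(type != null ? type : "application/octet-stream");
        resp.setContentLength((int) f.length());
        InputStream in = new FileInputStream(f);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Map the servlet in web.xml (for instance to /reports), declare reportViewer in a <security-role>, and put a <security-constraint> on /reports so the container prompts for credentials before doGet ever runs; that is the "access denied or a dialog box with username and password" behaviour Surya asked for, and it no longer depends on remembering an Apache Deny rule for every folder. If Apache fronts Tomcat, the <Location> blocks from John Turner's post still belong in httpd.conf for WEB-INF and META-INF.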