Re: Security question

2003-06-17 Thread Bill Barker
It can't be done (at least without hacking :).  The servlet-spec only tells
how to secure a page.  There is no concept of un-securing a page.

If you are using iPlanet+Tomcat, and the un-secure areas are all static
content, then you can configure iPlanet to serve the un-secure areas
(bypassing Tomcat's security checks).  If it works, this is probably the
easiest.

Otherwise you probably would need to plug in your own custom Authenticator
that would be smart enough to un-secure some configured set of URLs.

Bob Damato [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Security for the site I'm working with was originally done via IPlanet's
 internal security. I'd like to move to using the webapp security in
 Tomcat. Under iPlanet, the security was set up with the entire site - /*
 - being secured, then specific uri's were explicitly declared
 un-secured.

 So, essentially we have
 /*  - secured
 and say
 /errors/* - explicitly open to the public

 Is this possible to replicate using Tomcat's security? It would be
 excruciating to reorganize the site, so I'd love to avoid that.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
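An added example (the editor's, not code from the thread or from Tomcat) of the configured allowlist that the custom Authenticator Bill Barker mentions would consult: everything under /* is secured and a few constructed exception patterns (/errors/* and /index.html) stay open. The request path is decoded and normalized before matching, so a '..' segment inside a public prefix cannot reach a secured page. The role and pattern names are assumptions, and the matching rules are a simplified form of servlet URL patterns.

```python
"""Allowlist model for a 'secure everything, then open a few URLs' policy.

Added example, not code from the thread or from Tomcat. It models the
configured set of un-secured URLs a custom Authenticator would consult;
the patterns and role below are constructed for illustration."""
import posixpath
from typing import Optional, Set
from urllib.parse import unquote

SECURED_PATTERN = "/*"                          # the whole site, as in the thread
PUBLIC_PATTERNS = ["/errors/*", "/index.html"]  # constructed exceptions
REQUIRED_ROLE = "user"                          # constructed role name


def normalize(uri: str) -> str:
    """Decode and collapse '.'/'..' segments before matching, so that a path
    such as '/errors/../admin/secret.jsp' cannot slip through the exception
    for '/errors/*'."""
    path = unquote(uri.split("?", 1)[0])
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def matches(pattern: str, path: str) -> bool:
    """Servlet-style URL patterns: '/*', '/prefix/*', '*.ext' or an exact path."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_public(uri: str) -> bool:
    path = normalize(uri)
    return any(matches(p, path) for p in PUBLIC_PATTERNS)


def authorize(uri: str, roles: Optional[Set[str]]) -> str:
    """Decide for one original request URI.

    roles is None for an unauthenticated request. Returns 'allow',
    'challenge' (ask for credentials) or 'deny' (authenticated, wrong role).
    Exceptions are evaluated first, so they win over the catch-all."""
    if is_public(uri):
        return "allow"
    if not matches(SECURED_PATTERN, normalize(uri)):
        return "allow"
    if roles is None:
        return "challenge"
    return "allow" if REQUIRED_ROLE in roles else "deny"


if __name__ == "__main__":
    for uri, roles in [("/errors/404.html", None),
                       ("/errors/../admin/secret.jsp", None),
                       ("/admin/secret.jsp", {"user"}),
                       ("/admin/secret.jsp", {"guest"})]:
        print(f"{uri:35} roles={roles!s:10} -> {authorize(uri, roles)}")
```

The policy is evaluated once, on the original request URI, in the same way Craig McClanahan describes web.xml constraints further down this page; anything a page pulls in through an include has to be guarded by the including code itself.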



Re: Security Question

2003-03-05 Thread Tim Funk
Here are the channels of communication. For a typical web page there are 
3 socket connections that can be concurrently open.

A: Web Browser -- Apache
B: Apache -- Tomcat
C: Tomcat -- Database
Now onto the security ...
A: If SSL, then secure.
B: If SSL, then secure. If not SSL, then someone between Tomcat and 
Apache might be able to sniff the line. If Tomcat and Apache are on the same box 
and someone can sniff - you have bigger problems.
C: It depends on the database protocol, which is database specific. Each 
vendor can tell you this. In the usual case a database should be hidden 
from the world (via firewall), so this communication is usually secure 
by means of only trusted people being on that network segment, but they 
could sniff the line if they wanted to.

-Tim

Lars Nielsen Lind wrote:
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using OpenSSL 0.9.7a with Apache.

Question:

If the user activates a jsp page with a javabean component with access to a PostgreSQL database server (communicates with port 5432) from the secure area (https) - is it then possible to 'sniff' the communication between the component and the database server or is this communication encrypted by apache with ssl?

If it is possible to 'sniff' the communication - how do I best prevent this?

Best regards,

Lars Nielsen Lind




RE: Security Question

2003-03-05 Thread mech
Only the communication between browser and apache server is ssl
encrypted. Both the communications between apache and tomcat and tomcat
and database are not. At least not without further action.

So make sure that your server does not open the ajp13 connector (mod_jk
or whatever) port and db server port to the outside world. Secure your
servers, intranet, ports, use firewalls or secure the communications,
etc. Securing the system from outside can be done mostly by closing
unnecessary ports. If you cannot trust your internal network, however, it
might be more effort because you might consider encrypting the
communications yourself.

Michael


 -Original Message-
 From: Lars Nielsen Lind [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 5 March 2003 10:45
 To: Tomcat Users List
 Subject: Security Question
 
 
 I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. 
 I am using OpenSSL 0.9.7a with Apache.
 
 Question:
 
 If the user activates a jsp page with a javabean component 
 with access to a PostgreSQL database server (communicates 
 with port 5432) from the secure area (https) - is it then 
 possible to 'sniff' the communication between the component 
 and the database server or is this communication encrypted by 
 apache with ssl?
 
 If it is possible to 'sniff' the communication - how do I 
 best prevent this?
 
 Best regards,
 
 Lars Nielsen Lind
 



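As an added example (the editor's, not from either reply) of the check Michael and Tim Funk describe, this script takes `ss -ltn`-style listener output and reports the ports that should never face the outside world but are bound to every interface. The sample lines are constructed; 5432 is the PostgreSQL port from the question, and 8009 is assumed to be the ajp13 connector port (Tomcat's default for mod_jk).

```python
"""Flag internal-only listeners bound to every interface.

Added example, not from the thread. It parses `ss -ltn` style output and
reports ports that should stay inside the box or the trusted segment but
are bound to the wildcard address. Sample lines are constructed."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample, not output from the poster's server.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8009         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# 5432 is the PostgreSQL port named in the thread. 8009 is assumed here to be
# the ajp13 connector port (Tomcat's default for mod_jk); adjust to your
# server.xml.
INTERNAL_ONLY: Dict[int, str] = {8009: "ajp13 connector", 5432: "postgresql"}
# Ports that are expected to face the outside world (constructed policy).
PUBLIC_EXPECTED = {80, 443}

WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text: str) -> Iterator[Tuple[str, int]]:
    """Yield (local_address, port) for each LISTEN line."""
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, severity, note) findings.

    'high'   : an internal-only service reachable on all interfaces
    'review' : some other wildcard-bound port not in the expected public set
    Loopback and other specific bindings are not reported."""
    findings = []
    for addr, port in parse_listeners(text):
        if addr not in WILDCARDS:
            continue
        if port in INTERNAL_ONLY:
            findings.append((port, "high",
                             f"{INTERNAL_ONLY[port]} bound to {addr}; restrict to "
                             "loopback or the trusted segment and firewall it"))
        elif port not in PUBLIC_EXPECTED:
            findings.append((port, "review",
                             f"unexpected wildcard listener on {addr}"))
    return findings


if __name__ == "__main__":
    for port, severity, note in audit(SAMPLE_LISTENERS):
        print(f"[{severity}] port {port}: {note}")
```

A wildcard binding is not the same thing as reachability: a host firewall may still block the port, and a loopback binding is useless when Apache and Tomcat sit on different boxes. Treat the findings as the list of ports to confirm against the firewall rules and the connector's bind address, and feed the script real output from the server rather than the sample.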


Re: Security question

2002-09-23 Thread Andreas Probst

Hi David,

if it weren't Apache I would say: try 
HttpServletRequest.getUserPrincipal().getName(). Maybe it could 
be that this also works with Apache...

Andreas


 I'm trying to retrieve the userid that logged into apache and accessed 
 the current JSP page.  How can I get this info?
 
 Explanation: I'm implementing a very crude security system on my site 
 for right now (mainly to just keep people from accessing the email 
 addresses and photos on the site), but I need to implement a password 
 change page.  So what I did (and yes I know it's a hack 8), I 
 implemented a JNI interface to call htpasswd in the background.  I'm 
 trying to have an html page (that's in a secured area of course) post 
 the new password to a jsp page which will in turn retrieve the logged in 
 userID and call the interface class.
 
 Any help would be appreciated,
 David J
 -- 
 If you only compete with yourself,
  you can always be a winner. - David Jenkins
 Of course, you could always be a loser too. - Miles Thornton
 
 




Re: Security question

2001-11-16 Thread Pritpal Dhaliwal

You could always use Referrer to see where the request is coming from.  I am
not sure if this would work if you used  a dispatcher.

Pritpal Dhaliwal


- Original Message -
From: Laurent Michenaud [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 15, 2001 7:38 AM
Subject: Security question


 Hi,

 Is it possible to verify that a servlet has been called by a specific
 servlet or JSP
 and that it can't be called by another one?


 Michenaud Laurent
 - Adeuza -
 [ Web Developer - Network Administrator ]






Re: Security question

2001-11-15 Thread Frank Lawlor

You can pass (possibly encrypted) information that
only the two parties know.  This is essentially 
authentication like your username/password.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.





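An added example (the editor's, not code from either reply) of the information "only the two parties know" that Frank Lawlor suggests, written in Python rather than servlet code: the calling page and the target servlet share a secret key, and the caller sends an HMAC over its name, the target path and a timestamp. The Referer header Pritpal Dhaliwal mentions is supplied by the client, so it cannot carry this kind of proof; the token would instead travel as a request attribute or header. Those transport details and the component names are assumptions.

```python
"""Caller authentication token for servlet-to-servlet calls.

Added example, not code from the thread. The calling page and the target
servlet share a secret and the caller proves its identity with an HMAC over
who it is, what it is calling and when. Component names are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

# Constructed: in a deployment both components load this from configuration.
SHARED_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 30
SEP = "|"   # field separator; caller and target names must not contain it


def _mac(key: bytes, caller: str, target: str, ts: int) -> str:
    msg = SEP.join((caller, target, str(ts))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_caller_token(caller: str, target: str, key: bytes = SHARED_KEY,
                      now: Optional[float] = None) -> str:
    """Caller side: produce 'caller|target|timestamp|mac'."""
    ts = int(time.time() if now is None else now)
    return SEP.join((caller, target, str(ts), _mac(key, caller, target, ts)))


def verify_caller_token(token: str, expected_target: str, allowed_callers: Set[str],
                        key: bytes = SHARED_KEY,
                        now: Optional[float] = None) -> Optional[str]:
    """Target side: return the caller's name if the token is genuine, meant for
    this target, from an allowed caller and fresh; otherwise None.
    The MAC is checked first, with a constant-time comparison."""
    parts = token.split(SEP)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    caller, target, ts_s, tag = parts
    ts = int(ts_s)
    if not hmac.compare_digest(tag, _mac(key, caller, target, ts)):
        return None
    if target != expected_target or caller not in allowed_callers:
        return None
    current = time.time() if now is None else now
    if not 0 <= current - ts <= MAX_AGE_SECONDS:
        return None
    return caller


if __name__ == "__main__":
    tok = make_caller_token("OrderForm.jsp", "/servlet/ProcessOrder")
    print(verify_caller_token(tok, "/servlet/ProcessOrder", {"OrderForm.jsp"}))
    # A request that merely claims to come from another page (the same way a
    # Referer value can be claimed) carries no valid MAC and is rejected.
    forged = tok.replace("OrderForm.jsp", "Other.jsp", 1)
    print(verify_caller_token(forged, "/servlet/ProcessOrder", {"Other.jsp"}))
```

In a servlet the caller would put the token on the request (a request attribute survives a RequestDispatcher forward or include) and the target would refuse to run when verify_caller_token returns None. The timestamp window bounds how long a captured token stays usable; it does not replace transport protection between the two components.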



Re: Security Question

2001-10-26 Thread Frank Lawlor

I've started looking at some of the security issues
but I'm still behind where you are in the area of
your questions.

Where did you find this document that has 
section 8 on Existing Risks and Problems?

Thanks,

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.






RE: Security Question

2001-10-19 Thread Darrell Porter

What is your debug level in the context?

Darrell


-Original Message-
From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 9:34 AM
To: [EMAIL PROTECTED]
Subject: Fw: Security Question


I am using Tomcat with JBoss and JBoss is handling security. Everything
works fine and each time a secured component is accessed I see two lines in
the logs:

User: name is authenticated
User: name is authorized

There are now thousands of these lines! How do I get rid of them?

There are so many it must be a significant impact on performance and it's
over-filling the logs.

Help please

Gerry



Re: Security Question

2001-10-19 Thread Gerry Duhig

In server.xml, Context Manager, I have debug=0 and showDebugInfo=false.

In the same file, all logging verbosity levels are set to ERROR.

These messages seem to be on stdout or stderr, not a specific log file.

Gerry

- Original Message -
From: Darrell Porter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 19, 2001 5:56 PM
Subject: RE: Security Question


 What is your debug level in the context?

 Darrell


 -Original Message-
 From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
 Sent: Friday, October 19, 2001 9:34 AM
 To: [EMAIL PROTECTED]
 Subject: Fw: Security Question


 I am using Tomcat with JBoss and JBoss is handling security. Everything
 works fine and each time a secured component is accessed I see two lines in
 the logs:

 User: name is authenticated
 User: name is authorized

 There are now thousands of these lines! How do I get rid of them?

 There are so many it must be a significant impact on performance and it's
 over-filling the logs.

 Help please

 Gerry




Re: Security question

2001-09-01 Thread Craig R. McClanahan



On Wed, 29 Aug 2001, Achim Baier wrote:


 Now my question:
 Am I wrong-minded, is it bug or is it a jsp/servlet/j2ee-feature? Any
 comments?


Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI that is included by your servlet or JSP page.  That is by
design.

If the content from a particular include should not be displayed to a
particular user (because they don't have a required role), you should not
be doing the include in the first place.

 Thanks in advance,
 Achim


Craig McClanahan





Re: security question

2001-04-06 Thread skolski

Hello Jeff, Hello List,

thank you very much for your reply. A look at this example would have
prevented me from spending a lot of time and writing the other mail. The
built-in example doesn't work at my installation. That j_security_check
stuff is missing. But that doesn't matter, I'll try to use basic auth as a
first attempt.

I copied the parts of the examples' web.xml to my context and modified the path.
If I try to surf to that "secret" path the password box pops up. The
password box then only accepts the valid users, so far everything is o.k.
But then there is a 404 error. The browser points to the right file in the
right directory but there is a 404 not found. How is that possible? What am
I doing wrong?

thanks in advance,

Sascha





Re: security question

2001-04-05 Thread Jeff Turner

It's all defined in the servlet spec, downloadable from
http://java.sun.com/products/servlet/index.html.

Tomcat comes with a preconfigured example (examples/jsp/security)
demonstrating this.

--Jeff

On Fri, Apr 06, 2001 at 09:49:38AM +0800, [EMAIL PROTECTED] wrote:
 Hello everybody,
 
 the "problem" is that I should have some security on my site. I think of
 authentication by a username and password and then access rights for
 special areas of the site. So far, so good. I started looking around. I
 now have a login form, a JSP to check username and password and a bean to
 store whether the user is logged in or not. OK. But that didn't help me,
 because I have cocoon-generated html pages on my site. And as far as I know
 beans can not be used in html.
 
 What I think is that you can configure tomcat to check those security
 things. I've been to the FAQ but the security section is empty, I've read
 the user guide many times but I couldn't find these points. So the questions
 are:
 
 1.) How to set up (for example) basic security in tomcat?
 
 2.) Do I need my own login forms, and how would they work together with
 tomcat?
 
 3.) Do I have to check somewhere if a user is logged on?
 
 4.) Is there any FAQ or Tutorial about webserver security?
 
 so thanks for reading this, feel free to answer,
 
 Sascha