Re: tomcat security
Yes. There is the catalina.policy file in the conf/ directory. See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html for details.

Ben Ricker

On 8/9/05, Cengiz Yazgan [EMAIL PROTECTED] wrote:
> Hi everybody
> I have a problem about tomcat security. One of my friends wrote a single code and he can travel every folder on the server. I wonder is there any config file for jakarta for disabling access instead of his folder? Maybe you know on php there was a security setting in php.ini for disabling traveling. Is there any config file like this?
> Best regards
> Cengiz YAZGAN
> System Engineer, DorukNet
> Tel / Phone : +90 212 326 92 00
> Fax : +90 212 227 28 11
> E-mail : [EMAIL PROTECTED]
> http://www.doruk.net.tr http://www.doruk.net.tr/english.html

--
Ben Ricker
He's just this guy, you know?

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: tomcat security
I see this config file. I disabled these lines:

permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";

But I can browse again.

-----Original Message-----
From: Ben Ricker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 3:33 PM
To: Tomcat Users List
Subject: Re: tomcat security

> Yes. There is the catalina.policy file in the conf/ directory. See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html for details.
>
> Ben Ricker
Re: Tomcat security realms question
The problem you describe is true of any session tracking system running over http. The solution is to use https.

However, here's a question to fire back at your security team: If you are worried about an attacker physically looking at a session ID on a user's screen, what about if they decide to install a keyboard logger (physical or software) whilst they have access to the user's machine? In fact, I can think of a whole bunch of other things I could do as well that would be equally or more damaging than hijacking a single session. Fundamentally, if an attacker has physical access to a machine it is game over - they have won.

Your security team knows the threat model for your situation far better than I do but it sounds to me like they are trying too hard in one area and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:
> Hi all
> I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup are:
> 1. Check to see if the user is logged in with access to the restricted resource.
> 2. If they aren't, forward them to the login page and create an HTTPSession to keep track of that user.
> 3. Once they've logged in, add the authentication system to the HTTPSession created in step 2 to hold that info and forward them to the resource.
> 4. Continue using the same HTTPSession to maintain state.
> The problem my security team has with this is that someone could potentially steal the user's HTTPSession ID before they've logged in, as this is created in the login screen. e.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.
> My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSessionID) change post-login (ie make tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?
> Thanks for your help.
RE: Tomcat security realms question
Thanks a lot for your reply. We'll see if we can persuade our security guys to drop this issue.

Kind regards,
Alex.

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question

> The problem you describe is true of any session tracking system running over http. The solution is to use https.
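The change Alexandre asks for (a new session ID issued at the moment of login, so an ID observed on the login screen is useless afterwards) is what a login servlet can do itself when the application, rather than the container, checks the credentials. The class below is an added example, not code from the thread or from Tomcat: it copies the pre-login session's attributes into a fresh session, invalidates the old one, and marks the new one as authenticated. The attribute name "authenticatedUser" is a placeholder for whatever your own login code uses.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Replaces the session that existed before authentication with a fresh one.
 * Added example for application-managed login (a servlet that verifies the
 * credentials itself); it is not Tomcat's own code.
 */
public final class SessionRenewer {

    // hypothetical attribute name; use whatever marks a logged-in user in your app
    public static final String USER_ATTR = "authenticatedUser";

    private SessionRenewer() {
    }

    /**
     * Call this right after the user's credentials have been verified.
     * Returns the new session, which carries the old session's attributes
     * plus the authenticated user name. The browser receives a new
     * JSESSIONID cookie because the container creates a new session object.
     */
    public static HttpSession renewAfterLogin(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // invalidate() retires the pre-login ID; anyone who copied it now
            // holds a reference to a session that no longer exists
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(USER_ATTR, userName);
        return fresh;
    }

    /** True when the current session was created by renewAfterLogin(). */
    public static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }
}
```

In a login servlet's doPost this is a single call after the credential check succeeds: `SessionRenewer.renewAfterLogin(request, userName);` followed by the redirect to the requested resource. Two caveats: attributes copied across should not include anything the pre-login page stored for the attacker's benefit, so drop what you do not need; and this only applies when the application does the login. With Tomcat's container-managed FORM authentication, as in the question, the authenticator caches the principal on the session it created, so invalidating that session from application code logs the user out again rather than renewing the ID.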
RE: Tomcat security stopping log4j write to a file
Hi,

Two options come to mind. Either you're running with a SecurityManager and your java.policy file doesn't specify a write permission into WEB-INF/logs, or you've misconfigured log4j. If this is the case, post your log4j configuration file and we can help you, although that's a bit off-topic for this list.

Yoav Shapira
http://www.yoavshapira.com

-----Original Message-----
From: Lawrence J Winkler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 19, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: Tomcat security stopping log4j write to a file

> I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring the trace of log4j's process shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into the WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality?
> Tomcat 4.1.30
> Thanks -
> Lawrence Winkler
> UW-Madison Division of Information Technology
> 608-265-4610
> [EMAIL PROTECTED]

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
Re: Tomcat security stopping log4j write to a file
Lawrence J Winkler wrote:
> I believe Tomcat is not allowing the application to write into the WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality?

Take a look at catalina.policy in the conf directory; in the file you can find some examples.

edoardo
Re: Tomcat security and virtual hosts
On 21-05-2004 11:33, wsedio wrote:
> Hi all,
> I am running Tomcat 5.0.24 on Red Hat Linux Enterprise 3 with Apache web server 2 and mod_jk 1.2. I have a few Apache/Tomcat virtual hosts: each host has its own document root and webapps. I would like to make sure that each host is not allowed to access files outside its document root and webapps. How do I configure Tomcat to secure that? Any info or link to documentation/examples would be appreciated ...

Any help? Thanks.
RE: Tomcat security
Hi,

The declarative security options offered by the Servlet Specification, those you refer to as the integrated security options, have no understanding of the client side, i.e. the browser. There is no concept of frame or browser, so you can't do what you're asking for with these declarative security directives.

As to finding the mailing list: I'm troubled that you found that so difficult. Links to the mailing list are on the top apache page (www.apache.org), top jakarta page (jakarta.apache.org), top tomcat page (jakarta.apache.org/tomcat), both the binary and source apache download pages (http://jakarta.apache.org/site/binindex.cgi, and http://jakarta.apache.org/site/sourceindex.cgi), the jakarta contact us page (http://jakarta.apache.org/site/contact.html), the home page of a new tomcat installation (webapps/ROOT/index.jsp), and many other locations. Where did you look or what made it difficult to find?

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Ben Bookey [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: Tomcat security

> Dear List,
> I am using Tomcat's integrated security options, available inside the web.xml (see below). Whenever the session times out and the user makes a request for an html or jsp page within this protected context, the login.jsp page appears. My problem is that my app uses frames, and when the user makes a request from a sub-frame the login page shows in this sub-frame window. Is there a simple way to configure in the web.xml that the login.jsp page is always shown in the parent frame of the browser or document, so causing the whole window to be reloaded? I guess there isn't and I must do some jscript, or fiddle around with html. I would be extremely impressed if there were a web.xml solution.
> regards
> BB
> p.s. It was very hard to find, as a Newbie, the email address to post this mail to!!
>
> GIStec GmbH - Your partner for GIS technology
> Ben Bookey
> [EMAIL PROTECTED]
> Fraunhoferstraße 5, D-64283 Darmstadt
> Tel 0 61 51 / 155 - 254
> Fax 0 61 51 / 155 - 259
> http://www.gistec-online.de
> http://www.ingeoic.de http://www.geo-watermarking.de
Re: Tomcat Security Constraints
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all
: times, wherever the request is coming from, even if from an include in an
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for the originally-requested URI only. It's up to the developers to make sure content doesn't get include'd or forward()'d to the wrong place.

: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password
: unencrypted, right?

Yes.

: How can I prevent this?

Use all SSL, all the time. -and I'm not being facetious there. If the data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that require SSL auth. I'd be more specific, but I'm deep into a C++ project right today so my servlet spec knowledge is a little hazy.

btw, what's wrong with form auth? I don't recall it requiring that much extra programming.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
RE: Tomcat security
Howdy,

> We will install Tomcat 4.1.24 on a server which is behind our corporate

Why not 4.1.27?

> Now, my question is that, what is the common practice to guard against people accessing the catalina_home directory? I plan to install Tomcat on the D drive instead of the C drive where the OS resides. Just in case the Windows OS is compromised, it may or may not affect Tomcat.

Use a security manager: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/security-manager-howto.html

Make your security policy as restrictive as possible. Deploy a packed war and leave it packed, i.e. set unpackWARs=false in server.xml. Also autoDeploy=false to increase performance and security.

Yoav Shapira
Re: Tomcat security?
July 6th, turn your server off. July 7th, turn it back on. Problem solved ;)

-Tim

Eugene Lee wrote:
> Anyone want to discuss hardening Tomcat servers?
>
> Hacking Contest Threatens Web Sites
> By George V. Hulme, InformationWeek
> Updated Wednesday, July 2, 2003, 3:00 PM EDT
>
> A hacking contest slated for this weekend could produce a rash of Web-site defacements worldwide, according to a warning issued Wednesday by security companies and government Internet security groups. The hacker defacement contest is expected to kick off on Sunday. The contest supposedly will award free hosting services, Web mail, unlimited E-mail forwarding, and a domain name of choice for the triumphant hackers, according to a Web site promoting the contest.
> ...
> More details at: http://www.internetweek.com/story/showArticle.jhtml?articleID=10818014
Re: Tomcat security?
When was the last time Tomcat had a published exploit?

On a related note, these kind of contests are fairly common, and usually don't produce any kind of real activity.

--Nathan

----- Original Message -----
From: Eugene Lee [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 10:51 AM
Subject: Tomcat security?

> Anyone want to discuss hardening Tomcat servers?
Re: Tomcat security?
http://www.amazon.com/exec/obidos/tg/detail/-/1861008309/

If you're just worrying about it now, it's probably too late.

John

On Thu, 3 Jul 2003 10:51:52 -0500, Eugene Lee [EMAIL PROTECTED] wrote:
> Anyone want to discuss hardening Tomcat servers?

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Tomcat security?
AFAIK, November 2002.

John

On Thu, 3 Jul 2003 11:14:26 -0500, Nathan McMinn [EMAIL PROTECTED] wrote:
> When was the last time Tomcat had a published exploit?
> On a related note, these kind of contests are fairly common, and usually don't produce any kind of real activity.
> --Nathan

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Tomcat security?
Any idea what it was and/or what versions it affected?

----- Original Message -----
From: John Turner [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 11:13 AM
Subject: Re: Tomcat security?

> AFAIK, November 2002.
> John
> On Thu, 3 Jul 2003 11:14:26 -0500, Nathan McMinn [EMAIL PROTECTED] wrote:
>> When was the last time Tomcat had a published exploit?
Re: Tomcat security?
The Invoker servlet source code vulnerability: http://www.securityfocus.com/bid/5786

John

On Thu, 3 Jul 2003 12:04:57 -0500, Nathan McMinn [EMAIL PROTECTED] wrote:
> Any idea what it was and/or what versions it affected?
> John Turner wrote:
>> AFAIK, November 2002.

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Tomcat security?
I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??

Nathan McMinn wrote:
> When was the last time Tomcat had a published exploit?
> On a related note, these kind of contests are fairly common, and usually don't produce any kind of real activity.
> --Nathan
Re: Tomcat security?
What do you mean stored in the clear? Are you referring to tomcat-users.xml? Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access the DB for the realm is only granted read access and only to the required user and roles tables.

----- Original Message -----
From: Mark W. Webb [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 1:55 PM
Subject: Re: Tomcat security?

> I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??
Re: Tomcat security?
Plus, if one runs as a non-privileged user account with no login privileges (i.e., locked account) and your permissions are correct, then only root and Tomcat can read the users file. If the hacker has root, the tomcat users are the least of your worries.

Ben Ricker
Wellinx.com

On Thu, 2003-07-03 at 14:23, Nathan McMinn wrote:
> What do you mean stored in the clear? Are you referring to tomcat-users.xml? Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access the DB for the realm is only granted read access and only to the required user and roles tables.
> Mark W. Webb wrote:
>> I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??
Re: Tomcat security?
There is a plugin for TC 3.3.x to force prompting for the keystore password. Largely due to lack of user interest, nobody has really tried porting it to TC 4.x-5.x.

Mark W. Webb [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??
RE: tomcat security
Did you start tomcat with start security? If not, someone else messed up.

-Original Message- From: Maxime Colas des Francs [mailto:[EMAIL PROTECTED] Sent: June 10, 2003 3:23 PM To: [EMAIL PROTECTED] Subject: tomcat security
Hi, Is there a typical security configuration for a web application in catalina.policy? I have a lot of java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers) and I don't understand where it comes from. tks
RE: tomcat security
Of course, yes, I start tomcat with -security and -Djava.security.debug=access,failure for trace; otherwise there is no security exception.

At 15:16 2003-06-10 -0400, you wrote:
Did you start tomcat with start security? If not, someone else messed up. [...]
Re: Tomcat security concerns during start-up
I do not see this as a problem. You can lock the Tomcat account (do have to give it a shell, though) and no one should be able to get into the account. I use 'sudo' to allow others the ability to start and stop Tomcat, which 'su's to the Tomcat user before executing. I myself use the Tomcat group, of which Tomcat is the only member, and apply root ownership to everything. You also need to make sure your WEB-INF is not in your docbase.

HTH, Ben Ricker

On Tue, 2003-03-11 at 13:20, krip pane wrote:
All, I'm running 4.1.18 on Solaris 2.8 - currently without any problems as id tomcat. But my issue is I have to give write permission to tomcat on the conf directory in order for tomcat to start successfully. Is there any other way of starting tomcat without giving this permission? Is this a bug? Has it been addressed in a different release? Thanks

-- Ben Ricker [EMAIL PROTECTED] Wellinx.com
Re: Tomcat security concerns during start-up
I'm not sure if I'm making a correct assumption, but isn't it possible that someone can exploit the running tomcat process and gain access as tomcat into the system (if so, having write permission on the conf dir is dangerous)?

--- Ben Ricker [EMAIL PROTECTED] wrote:
I do not see this as a problem. You can lock the Tomcat account (do have to give it a shell, though) and no one should be able to get into the account. [...]
RE: Tomcat security configuration guide
Wrox Press. ISBN: 1861008309

John

-Original Message- From: Manavendra Gupta [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 2:44 PM To: Tomcat Users List Subject: Tomcat security configuration guide
Hi, I have begun to work on a tomcat security configuration guide as a one-stop guide for helping system administrators, security professionals and programmers to configure system user accounts and groups, file permissions, tomcat security realms, java security manager, etc. in the optimal way, thereby ensuring their system is not vulnerable to common security exploits.
1. Has this already been done? If yes, can someone share the document/URL where I can find more information?
2. Will there be professionals/enthusiasts out there to contribute/critique?
3. In general, what does the list think about this?
Kind Regards, Manav.
Re: tomcat security issue
SecurityManager permission problems are much easier to debug if you start tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string "denied". Then review the stack trace and the ProtectionDomain which failed.

Regards, Glenn

[EMAIL PROTECTED] wrote:
yes the factoryLoaderServlet is defined. too complex an issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day
Re: tomcat security issue
I wish I could see some log files. The only file that seems to be active is catalina.out. Any assistance in this matter would be appreciated. Here is the entry for the service:

    <Service name="Tomcat-Apache13">
      <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009" address="127.0.0.1"
                 minProcessors="5" maxProcessors="75" enableLookups="true" appBase="webapps"
                 acceptCount="10" debug="0"/>
      <!-- Replace localhost with what your Apache ServerName is set to -->
      <Engine className="org.apache.catalina.connector.warp.WarpEngine" name="Apache - Tomcat4"
              defaultHost="defaultHost" debug="0">
        <!-- This next line brings in the file that includes the various host containers -->
        <Host name="defaultHost" appbase="/var/www/html">
          <Context path="" docBase=""/>
        </Host>
        <Host name="domain" appBase="/home/virtual/site1/fst/var/www/html">
          <Alias>domain</Alias>
          <!-- Global logger unless overridden at lower levels -->
          <Logger className="org.apache.catalina.logger.FileLogger" directory="/home/virtual/site1/fst/var/log"
                  prefix="alvolo_tomcat." timestamp="true"/>
          <Realm className="org.apache.catalina.realm.MemoryRealm"/>
          <Context path="" docBase="/home/virtual/site1/fst/var/www/html" privileged="true" reloadable="true">
            <Resource name="jdbc/MySQL/AlVolo" auth="Container" type="javax.sql.DataSource"/>
            <ResourceParams name="jdbc/MySQL/AlVolo">
              <parameter><name>driverClassName</name><value>org.gjt.mm.mysql.Driver</value></parameter>
              <parameter><name>driverName</name><value>jdbc:mysql://localhost/alvolo</value></parameter>
            </ResourceParams>
          </Context>
        </Host>
      </Engine>
    </Service>

kind regards, Warren

On Thursday, Oct 24, 2002, at 10:19 Etc/GMT, Glenn Nielsen wrote:
SecurityManager permission problems are much easier to debug if you start tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string "denied". [...]
Re: tomcat security issue
Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get access to org.apache.catalina.core.ApplicationDispatcher? That's the normal behaviour if your answer is yes. Tomcat internal classes are protected against package access/insertion. If you really want to use that class, add to your catalina.policy file the following under

    // These permissions are granted by default to all web applications
    // In addition, a web application will be given a read FilePermission
    // and JndiPermission for all files and directories in its document root.
    grant {
        [...]
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
    };

or do not use the SecurityManager. *But* remember you are opening the Tomcat core classes to all web applications, and this is potentially a *security risk*. Also, your application is not portable across different Servlet Containers when doing that.

-- Jeanfrancois

[EMAIL PROTECTED] wrote:
I have the following exception thrown when attempting to access tomcat app resources

    WarpEngine[Apache - Tomcat4]: Mapping request
    Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
    java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at
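A narrower form of the grant described above, added here as an illustration (it is not from the thread and not Tomcat's shipped catalina.policy): instead of adding the permission to the global `grant { ... }` block that applies to every web application, catalina.policy lets a grant be limited to one web application by `codeBase`. The permission name is the one the exception above reports, without a trailing `.*`; the codeBase is the docBase this thread's server.xml gives for the site, which is an assumption about which context needs the access. The ProtectionDomain shown by Glenn's `-Djava.security.debug=access,failure` output is the codeBase that actually failed the check, so it is the one to use.

```text
// Added example: grant only the one context its access to org.apache.catalina.core,
// rather than every web application deployed in this Tomcat.
// "/-" covers the docBase and everything below it (WEB-INF/classes, WEB-INF/lib).
grant codeBase "file:/home/virtual/site1/fst/var/www/html/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
};
```

Keeping the grant per codeBase means a second web application on the same server, whether deployed on purpose or not, still gets the "Restricted Class" refusal rather than inheriting access to the container's internals.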
Re: tomcat security issue
thanks for the reply. my code that seems to cause the problem is as follows:

    HttpSession session = request.getSession();
    session.setAttribute( "customerProfile", new Profile() );
    session.setAttribute( "loggedIn", new Boolean( false ) );
    session.setAttribute( "customerOrder", new Order() );
    RequestDispatcher dispatcher = null;
    String destination = "factoryLoaderServlet";
    try {
        dispatcher = this.getServletContext().getNamedDispatcher( destination );
        this.log( "Including destination = " + destination );
        dispatcher.include( request, response );
    } catch( ServletException exception ) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    } catch( IOException exception ) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    }

I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen from the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.

I have included the permission as you suggested but still get the following message in the browser (even though the previous stack trace is not output to the catalina.out file any longer):

    root cause
    java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)

On
Re: tomcat security issue
If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml?

-- Jeanfrancois

[EMAIL PROTECTED] wrote:
thanks for the reply. my code that seems to cause the problem is as follows: [...]
Re: tomcat security issue
yes the factoryLoaderServlet is defined. too complex an issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day

Warren

On Wednesday, October 23, 2002, at 04:19 PM, Jean-Francois Arcand wrote:
If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml? -- Jeanfrancois

[EMAIL PROTECTED] wrote:
thanks for the reply. my code that seems to cause the problem is as follows: [...]
Re: Tomcat Security Problem Help (using mod_jk)
On Wed, 25 Sep 2002, Ramilio D wrote:
Hi Everyone, I read in the bugtraq posting that I could fix the source code exposure vulnerability in tomcat by modifying the JkMount directive. I took a quick look at some documentation but I couldn't figure out how to allow apache to serve servlets yet disallow those containing the org.apache.catalina.servlets.DefaultServlet string. Any help would be greatly appreciated

I believe the report about it that was sent to this list (one of them, at least) had some detailed instructions about how to do this. I suggest checking the list archives.

Milt Epstein Research Programmer Integration and Software Engineering (ISE) Campus Information Technologies and Educational Services (CITES) University of Illinois at Urbana-Champaign (UIUC) [EMAIL PROTECTED]
RE: Tomcat Security Problem Help (using mod_jk)
Do not mount /servlet/* but only the servlets that your application is really using.

Regards, Rossen Raykov

-Original Message- From: Ramilio D [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 25, 2002 12:30 AM To: [EMAIL PROTECTED] Subject: Tomcat Security Problem Help (using mod_jk)
Hi Everyone, I read in the bugtraq posting that I could fix the source code exposure vulnerability in tomcat by modifying the JkMount directive. [...] Cheers,
Re: tomcat security
Take a look at "Running Tomcat with SecurityManager". I'm sure you can find a lot of docs on the net.

On Thu, 19 Sep 2002 15:23:09 -0400, Steven Garrett [EMAIL PROTECTED] wrote:
From: Steven Garrett [EMAIL PROTECTED] Date: Thu, 19 Sep 2002 15:23:09 -0400 To: 'Tomcat Users List' [EMAIL PROTECTED] Subject: tomcat security
Hi, I'm relatively new to admining tomcat and have been looking for some ways to secure tomcat. I haven't found much of anything useful. Are there any docs on known security issues with tomcat, or any howto's on configuring security? We're running tomcat 4.0.3, apache 1.3.26 and mod_jk. Thanks in advance, steve
Re: tomcat security
The Tomcat site contains the following: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/security-manager-howto.html and http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html

The security manager is probably the first place to start.

-- Jeanfrancois

Steven Garrett wrote:
Hi, I'm relatively new to admining tomcat and have been looking for some ways to secure tomcat. [...]
RE: Tomcat security question
You would probably be best off implementing it in a servlet. The servlet can authenticate the user, determine the specific file, and then send the file (not redirect) to the client. Since you are sending the file, the files can reside anywhere on the system or even on another system.

Randy

-Original Message- From: Hamish Barney [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 19, 2001 10:56 AM To: '[EMAIL PROTECTED]' Subject: Tomcat security question
Just hoping someone can help me deal with this question... In the application I'm developing I need to restrict access to a bunch of binary files (sound recordings). Each user should only be able to download their own files. Files and users will be added and deleted dynamically. The realm based security in Tomcat doesn't seem to support the security model I require (creating a new role for every single user and associating that with their files isn't really practical). Does anyone have an idea as to how to achieve the required security within a Tomcat framework? Thanks, Hamish
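One way to build the servlet Randy describes, added here as an example (it is not code from the thread, from Hamish's application or from Tomcat): the container authenticates the user with an ordinary `<security-constraint>` and a single role, and the servlet makes the per-file decision itself by only ever resolving paths inside that user's own directory, which sits outside the web application's docBase so nothing is reachable as static content. The class name `RecordingServlet`, the init-param `recordingsDir` and the `<recordingsDir>/<username>/<file>` layout are assumptions; a real deployment would look the allowed files up in a database, which is what makes dynamic adding and deleting of users and files work without any role per user.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hands out each authenticated user's own recordings from a directory that is
 * outside the web application's document root. Added illustration; not code
 * from the thread or from Tomcat.
 */
public class RecordingServlet extends HttpServlet {

    // Assumption: recordings live under <recordingsDir>/<username>/<file>.
    private File baseDir;

    public void init() throws ServletException {
        String dir = getInitParameter("recordingsDir");   // hypothetical init-param from web.xml
        if (dir == null) {
            throw new ServletException("init-param recordingsDir is required");
        }
        try {
            baseDir = new File(dir).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException("bad recordingsDir", e);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Authenticate: the container already did it (a <security-constraint>
        //    in web.xml with one role, e.g. "user"); we only need the user name.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Which file? Taken from the path info, e.g. /recordings/take1.wav -> "take1.wav".
        String name = request.getPathInfo();
        if (name == null || name.length() < 2) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        name = name.substring(1);

        // 3. Authorise: the user directory must be a direct child of baseDir and the
        //    target must canonicalise to a location inside it. This rejects "..",
        //    symlinks that leave the tree, and user names containing separators.
        File userDir = new File(baseDir, user).getCanonicalFile();
        File target = new File(userDir, name).getCanonicalFile();
        String userPrefix = userDir.getPath() + File.separator;
        if (!baseDir.equals(userDir.getParentFile())
                || !target.getPath().startsWith(userPrefix)
                || !target.isFile()) {
            // Same status for "not yours" and "not there": do not reveal which files exist.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 4. Stream the bytes; the client never sees a file system path.
        String type = getServletContext().getMimeType(name);
        response.setContentType(type != null ? type : "application/octet-stream");
        response.setContentLength((int) target.length());
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

The canonicalisation step is the part worth keeping even if the storage layout changes: comparing canonical paths against a per-user prefix is what prevents a request for `../otheruser/take1.wav` from leaving the user's directory, and returning 404 for both missing and foreign files keeps the servlet from acting as an oracle for other users' file names.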
RE: tomcat security, JDBCRealm, SimpleRealm readable passwords
Hi, I've set up tomcat 3.3 and almost everything works fine. I've set up a mySQL database 'authority' to authenticate against in a simple test web application. And now I have the following question and maybe someone can help me. I don't like having passwords on my filesystem readable to people who have file access. If I'm using SimpleRealm I have users/passwords in clear text in a file and that's not secure. If I use JDBCRealm I can store encrypted passwords in the table, but I don't know how tomcat can read them. So in the table I have to use passwords that are not encrypted. On the other hand, if I let tomcat connect to the database as user 'tomcat' for example with some password, anyone who finds out about the password will be able to connect to the database and read all the authentication information without a problem. So my question is: Is there any way to use password encryption in tomcat's authentication mechanism? I'd greatly appreciate any help.

None of these methods really support credential encryption in their current state. But as you may well know ;) Tomcat is open source, therefore if you take a look at org.apache.tomcat.request.JDBCRealm.java in the src tree and the method authenticate(String, String) you will see where users are authenticated. You could modify this class in any manner you see fit to authenticate against encrypted passwords in the database table. I was actually planning on doing this myself for our use but haven't gotten to it just yet.

--- Michael Wentzel Software Developer Software As We Think - http://www.aswethink.com
RE: Tomcat Security Architecture and RSA ACE authentication
> Hi,
>
> My client is going to adopt the RSA ACE security infrastructure which, to my understanding, will require users to append a hardware-generated number to their passwords when they authenticate. So we will have a system where the password changes every 15 seconds and it cannot be cached in Tomcat and used for subsequent accesses to LDAP (unless your software is RSA ACE aware and can deal with it somehow). (I am not really familiar with RSA ACE security so I might be missing something here.)
>
> If I understand correctly, Tomcat 3.x has the following security architecture:
>
> 1. Extract user/password from the user Session for Form-based authentication (from headers for Basic authentication)
> 2. For *every request* perform authentication and authorization
>
> This might be a problem if the password on the backend changes constantly. The cached password will expire in, let's say, 15 seconds and that will break Tomcat's security.
>
> One solution to the problem would be to cache all authentication/authorization info in the user session (you are already caching username and password for form-based authentication there) and use it as a proof of successful authentication for all subsequent requests.
>
> Do you see any problems with this approach?

The RSA ACE security infrastructure permits you to log on using your known password plus a generated number (as you almost correctly stated). This one can be generated using ALSO a soft generator (instead of a hardware one). I know that such ones exist for Windows, PalmOS, Nokia 9210, Ericsson R380s, etc. (and are provided by RSA), but I don't know if they have a Java-based one (for more info take a look at http://www.rsasecurity.com/products/securid/index.html).

With this in mind you only need to cache the password and take the generated number each time you need to pass the credentials to LDAP.

Hope this helps.

--
Víctor A. Rodríguez ( http://www.bit-man.com.ar/ )
Telefónica de Argentina - http://www.Telefonica.com.ar
Tel. (54-11) 4333-7305 - Fax: (54-11) 4303-5586 int. 1680
Re: Tomcat Security Architecture and RSA ACE authentication
On Mon, 26 Mar 2001, Roytman, Alex wrote:

> Hello,
>
> I wrote a JNDI (LDAP) realm for Tomcat 3.x, similar to the JDBCRealm provided with Tomcat.

Would you be interested in contributing this code to the Tomcat 3 (and/or 4) code bases?

> My client is going to adopt the RSA ACE security infrastructure which, to my understanding, will require users to append a hardware-generated number to their passwords when they authenticate. So we will have a system where the password changes every 15 seconds and it cannot be cached in Tomcat and used for subsequent accesses to LDAP (unless your software is RSA ACE aware and can deal with it somehow). (I am not really familiar with RSA ACE security so I might be missing something here.)
>
> If I understand correctly, Tomcat 3.x has the following security architecture:
>
> 1. Extract user/password from the user Session for Form-based authentication (from headers for Basic authentication)
> 2. For *every request* perform authentication and authorization
>
> This might be a problem if the password on the backend changes constantly. The cached password will expire in, let's say, 15 seconds and that will break Tomcat's security.
>
> One solution to the problem would be to cache all authentication/authorization info in the user session (you are already caching username and password for form-based authentication there) and use it as a proof of successful authentication for all subsequent requests.
>
> Do you see any problems with this approach?
>
> Does the Tomcat 4 security architecture handle this better?

In Tomcat 4.0, if you are running under a session (which is automatic if you use form-based login), the user principal object retrieved from the Realm is cached in the Session the first time that it is authenticated, so the Realm is consulted only once. This sounds to me like it operates in exactly the way you are proposing.

In 3.x, it should be conceptually feasible to do the same thing -- I don't know that code base well enough (at the moment) to know whether this would require modification to the session implementation object or not.

Craig
RE: Tomcat Security Architecture and RSA ACE authentication
-----Original Message-----
From: Roytman, Alex
Sent: Monday, March 26, 2001 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat Security Architecture and RSA ACE authentication

Craig,

Thank you for such a prompt reply. I will be glad to contribute my code as soon as I resolve the issue I outlined.

If I can store authentication/authorization info in the user's session then my stuff is a little bit too complicated for the task in hand. I was trying to accommodate the Tomcat 3.x architecture and not store security info in the user session, so I developed a special cache for LDAP data which expires after a specified time (let's say every 5 minutes), which causes re-authentication and refetching of user roles from LDAP. If we cache security info in the user session, all this LDAP caching stuff would be useless.

Could the Tomcat 3.x guys comment on this please?

Alex

-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 26, 2001 1:28 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Tomcat Security Architecture and RSA ACE authentication

> On Mon, 26 Mar 2001, Roytman, Alex wrote:
>
> > Hello,
> >
> > I wrote a JNDI (LDAP) realm for Tomcat 3.x, similar to the JDBCRealm provided with Tomcat.
>
> Would you be interested in contributing this code to the Tomcat 3 (and/or 4) code bases?
>
> > My client is going to adopt the RSA ACE security infrastructure which, to my understanding, will require users to append a hardware-generated number to their passwords when they authenticate. So we will have a system where the password changes every 15 seconds and it cannot be cached in Tomcat and used for subsequent accesses to LDAP (unless your software is RSA ACE aware and can deal with it somehow). (I am not really familiar with RSA ACE security so I might be missing something here.)
> >
> > If I understand correctly, Tomcat 3.x has the following security architecture:
> >
> > 1. Extract user/password from the user Session for Form-based authentication (from headers for Basic authentication)
> > 2. For *every request* perform authentication and authorization
> >
> > This might be a problem if the password on the backend changes constantly. The cached password will expire in, let's say, 15 seconds and that will break Tomcat's security.
> >
> > One solution to the problem would be to cache all authentication/authorization info in the user session (you are already caching username and password for form-based authentication there) and use it as a proof of successful authentication for all subsequent requests.
> >
> > Do you see any problems with this approach?
> >
> > Does the Tomcat 4 security architecture handle this better?
>
> In Tomcat 4.0, if you are running under a session (which is automatic if you use form-based login), the user principal object retrieved from the Realm is cached in the Session the first time that it is authenticated, so the Realm is consulted only once. This sounds to me like it operates in exactly the way you are proposing.
>
> In 3.x, it should be conceptually feasible to do the same thing -- I don't know that code base well enough (at the moment) to know whether this would require modification to the session implementation object or not.
>
> Craig
Re: Tomcat Security example and Admin Tool
Yep, for Context admin add a user with role admin to tomcat-users.xml.

Boon Yeo wrote:

> Has anyone successfully got the Tomcat JSP Security example running? What about Tomcat Context Admin Tools?
>
> -Boon
Re: Tomcat Security example and Admin Tool
What's puzzling is that I don't get the user/password request. I get to the "Context Administration" page directly, and then any button pressed would give an HTTP 404 - File not found. But I am very certain that contextAdmin.jsp is there -- I have checked and rechecked many times. Weird.

-Boon

----- Original Message -----
From: "Vladimir Grishchenko" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 15, 2001 3:40 PM
Subject: Re: Tomcat Security example and Admin Tool

> Yep, for Context admin add a user with role admin to tomcat-users.xml.
>
> Boon Yeo wrote:
>
> > Has anyone successfully got the Tomcat JSP Security example running? What about Tomcat Context Admin Tools?
> >
> > -Boon
Re: Tomcat security.
Do you mean encrypt the information the user enters in the JSP, i.e. encrypting the info sent from the client desktop to the web server? In which case, SSL is the best bet, although I don't think this is what you mean :-)

We have a system whereby a servlet has to send information to a (potentially) remote Java process which does the interface with the database. We use very strong encryption - 1024 bits. Not that simple, and I didn't write it. If this is what you're after, I could get some more info on it for you.

sam

----- Original Message -----
From: Thomas O' Connor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 09, 2001 4:21 PM
Subject: Tomcat security.

> Does anyone know a simple way to encrypt information sent from a JSP page hosted on Tomcat and then decrypt the info when it reaches the database (MS Access)? Any help appreciated.
>
> Tom.
Re: Tomcat security.
> Date: Fri, 09 Mar 2001 16:21:43
> To: [EMAIL PROTECTED]
> From: "Thomas O' Connor" [EMAIL PROTECTED]
> Subject: Tomcat security.
> Message-ID: [EMAIL PROTECTED]
>
> Does anyone know a simple way to encrypt information sent from a JSP page hosted on Tomcat and then decrypt the info when it reaches the database (MS Access)? Any help appreciated.
>
> Tom.

Typically the information isn't sent from the JSP page, it's sent by the client's browser. If you are sending sensitive information as well as receiving it, your simplest option is SSL :-) It isn't that difficult to set up considering the possible security holes or development overhead in the alternatives.

There are various applet/servlet methods that would allow you to encrypt two-way communications between the browser and Tomcat. I believe there are also JavaScript methods to do the same. The problem with those is they don't work with Netscape (in my experience you can't modify a hidden field on Netscape, which would force you to fall back to opening and populating a new browser window (min size 100 x 100) with the encrypted data and then posting that).
Re: Tomcat security.
Tom,

I'm not a PC kinda guy, and don't deal with MS Access. But I asked a couple of the PC support folk here, and no one is aware of any native crypto support in MS Access. My guess is that you'll need to write a Java component on the host running MS Access that can talk to the database, and then either talk sockets or use an RMI interface to talk to it. So long as it's Java on both ends you can do just about any kind of encryption you want from within Java (of course, you'll need to install the JSSE and JCE packages).

The other option would be if there's a type-3 JDBC driver -- which normally will have a server component on the DB host and a client component on your client machine, in this case the server hosting the JSP. And then the question you'll want to ask is whether there are any that do encryption between the client and the server. Go to http://industry.java.sun.com/products/jdbc/drivers, and from there you can do a search for drivers that Sun is aware of -- I think the search returned 11 different vendors. There may also be other web sources for the information, but the Sun page is the only one I've checked out. Since type-3 drivers talk their own proprietary protocols between the client and server components, it's certainly possible that one or more of them can use TLS or some other encryption mechanism.

I wish I had a more helpful answer for you, but all I can really tell you is where I'd look.

-- Rob

--On Friday, March 09, 2001 04:21:43 PM + Thomas O' Connor [EMAIL PROTECTED] wrote:

> Does anyone know a simple way to encrypt information sent from a JSP page hosted on Tomcat and then decrypt the info when it reaches the database (MS Access)? Any help appreciated.
>
> Tom.

Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
Re: Tomcat Security
Jim Urban wrote:

> I am running Tomcat with Apache on NT. I have a servlet context which contains three servlets and their supporting classes. All the .class files have been "jared" and the .jar file placed in the web-inf/lib directory. I have set up my web.xml file to find the servlets and pass them init params just fine. I now need to limit access to the servlets to different groups of users. How do I set this up? Can someone please send me a sample of the "security-constraint" section (is this where it gets done?) of a web.xml file?

The "examples" web application that comes with Tomcat has a security-constraint set up on the path http://localhost:8080/jsp/security/protected which will trigger form-based login. See "$TOMCAT_HOME/webapps/examples/web.xml". The requirements (and another example) are found in the Servlet Specification, version 2.2, at http://java.sun.com/products/servlet/download.html.

For Tomcat, the default location for information describing users, passwords, and roles is in a text file named $TOMCAT_HOME/conf/tomcat-users.xml. It is also possible to configure Tomcat to use a database for username lookups (using the JDBCRealm class), or to write your own custom Realm implementation to look anywhere else.

NOTE: If you are running Tomcat behind Apache in the usual fashion (i.e. having Apache serve static resources), *only* the dynamic requests that are actually forwarded to Tomcat will be protected by these constraints.

Craig McClanahan
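An added sample of the security-constraint, login-config and security-role entries Jim asked for, with matching tomcat-users.xml entries; the paths, role names and users are constructed, and this is not the examples webapp's own file. No http-method elements are listed on purpose: once any are named, only those methods are constrained and every other method stays open.

```xml
<!-- web.xml: two servlet groups, each open to a different role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Report servlets</web-resource-name>
    <!-- Constrain the servlet mappings, not the .class files: anything
         mapped under /report/ is reachable only through this path. -->
    <url-pattern>/report/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>analyst</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin servlet</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- FORM login, as in the examples webapp; the two pages are constructed names -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Report Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role referenced above must also be declared here -->
<security-role><role-name>analyst</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>

<!-- $TOMCAT_HOME/conf/tomcat-users.xml (Tomcat 3.x attribute names; 4.x and
     later use username= instead of name=). Passwords are placeholders. -->
<tomcat-users>
  <user name="alice" password="CHANGE-ME" roles="analyst" />
  <user name="bob"   password="CHANGE-ME" roles="analyst,manager" />
</tomcat-users>
```

Craig's note still applies: if Apache answers /report/* or /admin/* itself instead of forwarding to Tomcat, these constraints are never consulted for that request.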