Possible Security Bug

2005-09-28 Thread John Caron

I have a _possible_ bug involving security in Tomcat 5.0.28. I don't see it in
the bug database, although it may be described in a way that I didn't search for.

I would prefer to send it privately in case it's real. If that's not feasible, I
will post it here. Or is there a way to put it in the database but mark it
private?

Can anyone advise?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Possible Security Bug

2005-09-28 Thread Mark Thomas


Security bugs should be sent to [EMAIL PROTECTED] (who will send it 
on to the tomcat team). If you send it to me directly I'll take a look 
now.


One other point, when sending a message on a new topic to the list, 
please don't reply to an old message and change the subject line. 
Thread aware mail clients still recognise your new message as part 
of the old thread. The correct process is to create a new message.


Mark
[EMAIL PROTECTED]




Re: jconsole & security manager

2005-09-26 Thread Pfingstl Gernot
Thanks for the reply,

I got it running, but I don't understand it; maybe you can help me:

Giving the following permissions to my tomcat (5.5.9)
grant {
   permission javax.management.MBeanPermission "*", "*";
   permission java.lang.management.ManagementPermission "monitor";
   permission java.util.PropertyPermission "java.class.path", "read";
   permission java.util.PropertyPermission "java.library.path", "read";
   permission java.net.SocketPermission "intranet-lx1", "resolve";
};
I can monitor my tomcat with jconsole. But this means I give the above
permissions to all jars & webapps on my tomcat. So I guessed that giving these
permissions only to the $JAVA_HOME jars (lib, lib/ext) and tomcat jars
(common, server, bin) should have the same result - but no, I got a security
exception:

access: access denied (javax.management.MBeanPermission sun.management.RuntimeImpl#-[java.lang:type=Runtime] isInstanceOf)
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1158)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1707)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.isInstanceOf(DefaultMBeanServerInterceptor.java:1328)
at com.sun.jmx.mbeanserver.JmxMBeanServer.isInstanceOf(JmxMBeanServer.java:1074)
at com.sun.jmx.remote.security.MBeanServerAccessController.isInstanceOf(MBeanServerAccessController.java:439)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1414)
at javax.management.remote.rmi.RMIConnectionImpl.access$100(RMIConnectionImpl.java:81)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1245)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1348)

And now I was surprised - all the packages in the stack trace (above
doPrivileged) are contained in rt.jar, which does have AllPermission (and the
additional permissions described above - for the paranoid)!!

Why can the above access denied exception occur??
This exception is also thrown when no webapp is deployed - this means that
only the $JAVA_HOME & tomcat core jars are found and loaded, and all of these jars
do have AllPermission?!

I'm confused,
Gernot


RE: Can the Tomcat authentication module use an ASP.NET security token?

2005-09-21 Thread Peter Crowther
You're going to have to use that programmatic solution.  Forms
authentication (by default) sets a session-id cookie, and the asp.net
worker process maintains state information such as login details
internally.  You can't even get to it via classic ASP on the same IIS.

- Peter


Can the Tomcat authentication module use an ASP.NET security token?

2005-09-20 Thread Tracy Spratt
I have a Tomcat app (MM Flex app) that is called from an asp.net
application which is secured by forms (cookie-based) authentication.
(NOT NTLM / Windows Integrated)

I don't want the user to have to log in again.

I have a programmatic solution in mind, but it is going to be
comparatively ugly.

Any ideas?

Tracy



Re: jconsole & security manager

2005-09-18 Thread Peter Rossbach

You can find detailed information here:
http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanPermission.html

Very simple config example:
http://mx4j.sourceforge.net/docs/ch03s10.html

Peter




jconsole & security manager

2005-09-16 Thread Pfingstl Gernot
I'd like to monitor my tomcat 5.5 (running on jdk 1.5.0) with jconsole.
If I run tomcat without a security manager everything works well.
If I run tomcat with a security manager, monitoring the tomcat mbeans works well
- but jconsole's memory view doesn't work!
Sun's doc says: If your application runs a security manager, then additional
permissions are required in the security permissions file.

But I have not found which permissions are required.

Has somebody solved this?
Which permissions are required?

Thanks,
Gernot



Security manager w/ manager app

2005-09-15 Thread Ryan Daly
All:

Is it possible to start Tomcat w/ the security manager enabled if I were
to use the Tomcat Web Application Manager?

Security problem

2005-09-12 Thread Gunnar Brading
When trying a recently unpacked 5.5.11, started with -security, I get an 
exception the first time I try to check the root index.jsp.

Anyone know what I am doing wrong?

Cheers,
-- Gunnar Brading

SEVERE: Servlet.service() for servlet org.apache.jsp.index_jsp threw exception
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.coyote.http11)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
   at java.security.AccessController.checkPermission(AccessController.java:427)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
   at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
   at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
   at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
   at org.apache.coyote.http11.InternalOutputBuffer.sendStatus(InternalOutputBuffer.java:429)
   at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1602)
   at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
   at org.apache.coyote.Response.action(Response.java:180)
   at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:573)
   at org.apache.coyote.Response.doWrite(Response.java:555)
   at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:361)
   at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:299)
   at org.apache.tomcat.util.buf.IntermediateOutputStream.write(C2BConverter.java:235)
   at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
   at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:404)
   at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:408)
   at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
   at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
   at org.apache.tomcat.util.buf.WriteConvertor.flush(C2BConverter.java:184)
   at org.apache.tomcat.util.buf.C2BConverter.flushBuffer(C2BConverter.java:127)
   at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:536)
   at org.apache.tomcat.util.buf.CharChunk.append(CharChunk.java:259)
   at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:456)
   at org.apache.catalina.connector.CoyoteWriter.write(CoyoteWriter.java:142)
   at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:118)
   at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:325)
   at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:341)
   at org.apache.jsp.index_jsp._jspService(index_jsp.java:50)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:50)
   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
   at org.apache.coyote.http11

RE: Valve and Thread Level Security

2005-09-01 Thread Bovy, Stephen J
 
The IBM platform has a unique capability to create a thread-level
security environment.

I have an application requirement to do so. I can invoke the necessary
function using JNI.

Someone has suggested to me that using the technique of a Custom Valve
would enable me to implement the necessary code.

What is a valve?

Any help or suggestions would be appreciated.



Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]


help configuring security in tomcat 5.5

2005-08-29 Thread Ittay Dror

I have this in my ${CATALINA_HOME}/webapps/ROOT/WEB-INF/web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>qrm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.do?type=attempt</form-login-page>
    <form-error-page>/login/login.do?type=error</form-error-page>
  </form-login-config>
</login-config>

and this in ${CATALINA_HOME}/conf/Catalina/localhost/ROOT.xml:

<Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
   dataSourceName="QrmDS" appName="qrm"
   userTable="qrm_users" userNameCol="user_name" userCredCol="user_password"
   userRoleTable="qrm_roles" roleNameCol="role_name"/>

The database is up and contains the required schema.

But I get this:

 java.lang.SecurityException: Unable to locate a login configuration

Please help,
Ittay
--
===
Ittay Dror ([EMAIL PROTECTED])
Application Team Leader, R&D
Qlusters Inc.
+972-3-6081994 Fax: +972-3-6081841


Thread Security ON IBM z/OS

2005-08-25 Thread Bovy, Stephen J
I am running tomcat on z/OS using JZOS.

I would like to create a thread security context through JNI using
pthread_security_np().

I have the following questions:

1) Does tomcat create a thread when it processes a client request?
2) Can tomcat create a session where one thread processes all requests
from a client?
3) Does tomcat use lightweight or heavyweight threading? (Can it be
configured either way?)


Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]


RE: Override WAR file security settings.

2005-08-23 Thread Jim Henderson
By the lack of response to my question, I take it that it is not possible to
override the following web.xml settings by redefining them in Tomcat’s
server.xml:

<security-constraint>
<login-config>
<security-role>

Any changes to those values must be made after the application has been
deployed by editing the deployed web.xml.  Is that correct?  There is no
way to override them as can be done with Environment values?

Can someone confirm this or have I just missed something in the Tomcat
documentation?

Thanks




Re: Override WAR file security settings.

2005-08-23 Thread Mark Thomas

I can confirm that you can't override these web.xml settings in server.xml.

It should be simple enough in Ant to generate two .war files that only
differ by the web.xml file.


Mark




RE: Override WAR file security settings.

2005-08-23 Thread Jim Henderson
Thank you, thank you, thank you!  I have looked for over a day using GOOGLE,
etc., just to be sure I was not missing anything!

Again, thanks!




Override WAR file security settings.

2005-08-22 Thread Jim Henderson
I am working on a web application that can be used in two ways at the same
time depending on its URL.  The original WAR file has a web.xml that defines
tight security requiring form authentication with id and password.

In Tomcat’s server.xml I have two Contexts with different paths but to the
same docBase.  I can override various Resource and Environment settings
differently for each Context.  However, the war file by default defines
(among many other things):

<security-constraint>
<login-config>
<security-role>

In one of the server.xml context definitions, I want to undefine the above
items (so the application just asks for the user ID).  Is that possible?  Or
is there some other way to neutralize them in the server.xml file?  The
application works as desired if I edit the deployed application’s web.xml
(located in webapps/… directory after Tomcat deploys the war file) and
completely remove the above settings.

The other mode (Context) requires the use of the above items and that works
OK.

Hope the above makes sense or have I abbreviated the description too much?

Thanks,
Jim




Tomcat Basic Security

2005-08-15 Thread Williams Stephen C
I have been setting up BASIC security realms to limit partial site access to
authorised users.  The security/privacy is not too great, I just want to
stop casual browser access.

All works fine, with normal browser access causing the pop-up window
requesting user name and password.

However, accessing the same URL using a WAP browser or PDA microbrowser
seems to go straight in without the request for password.

Any comments or way forward here?

Steve





Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" acceptCount="100"
   connectionTimeout="2"
   proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?

Roberto




David Smith [EMAIL PROTECTED]
08/12/2005 11:40 AM
To: Tomcat Users List tomcat-user@jakarta.apache.org
Subject: Re: Security Questions Regarding Tomcat

This sounds really fishy.  Tomcat does not by default have any
connectors configured for port 80.  There must be another service or
you've modified your server.xml somehow.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet
container or something. Basically I have ipfilter running and only allow
access to port 8080, but if you send a request to 80 Tomcat picks up and
does some sort of internal redirect to port 8080. According to a netstat
-a only port 808 is listening, but when I run nmap against it it shows 80
and 8080. I'd like to have ipfilter block all connections and
redirect packets bound for port 80 to 8080. In other words I want to do
what the T5 server seems to be doing already. Anyone have any ideas? My
network admin is giving me much grief about allowing port 8080 access to
the web.

Thanks





Paul Singleton [EMAIL PROTECTED]
08/12/2005 10:08 AM
To: Tomcat Users List tomcat-user@jakarta.apache.org
cc: Alon Belman [EMAIL PROTECTED]
Subject: Re: Security Questions Regarding Tomcat

Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.


...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton


 



Re: Security Questions Regarding Tomcat

2005-08-15 Thread David Smith
But it's also commented out and not active.  It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.

--David

-- 
===
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939




Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Duh. Thanks. I should have seen that.

But I still do not understand how this is all working.

Basically I want to run a default deny ipfilter firewall on the host,
only allowing port 8080 and 8443 (or 4443; there seems to be some confusion
with my apps guys on which one is the real SSL proxy port) connections
from internal. I then want to NAT (rdr) to redirect all incoming 80 and
443 connections to that 8080 and 8443 (or 4443) port internally. I suppose
it is my lack of familiarity with ipfilter (this is so much easier to do
using OBSD's PF). I'd really like to see some other folks' ipnat.conf and
ipf.conf files if this is being done already. I'll do some more research
and keep the group apprised of my progress. Thanks.


Roberto



David Smith [EMAIL PROTECTED] 
08/15/2005 08:29 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






But it's also commented out and not active.  It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100" connectionTimeout="20000"
           proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?

Roberto




David Smith [EMAIL PROTECTED] 
08/12/2005 11:40 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






This sounds really fishy.  Tomcat does not by default have any
connectors configured for port 80.  There must be another service or
you've modified your server.xml somehow.

--David

Robert V. Coward/CTR/OSAGWI wrote:

 

Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080. According to a netstat 
-a only port 808 is listening, but when I run nmap against it it shows 80 
and 8080. I'd like to have ipfilter block all connections and 
redirect packets bound for port 80 to 8080. In other words I want to do 
what the T5 server seems to be doing already. Anyone have any ideas? My 
network admin is giving me much grief about allowing port 8080 access to 
the web.

Thanks





Paul Singleton [EMAIL PROTECTED] 
08/12/2005 10:08 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Alon Belman [EMAIL PROTECTED]
Subject
Re: Security Questions Regarding Tomcat






Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton




 





 







Re: Security Questions Regarding Tomcat

2005-08-15 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100" connectionTimeout="20000"
           proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?


About what? This is in the Fine Manual -- see the Connector
documentation under tomcat-docs/config/:
---
Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is 
run behind a proxy server. These attributes modify the values returned 
to web applications that call the request.getServerName() and 
request.getServerPort() methods, which are often used to construct 
absolute URLs for redirects. Without configuring these attributes, the 
values returned would reflect the server name and port on which the 
connection from the proxy server was received, rather than the server 
name and port to whom the client directed the original request.


For more information, see the Proxy Support HOW-TO.
---

Though this isn't particularly relevant to your situation, since as
are many of the *examples* in the default server.xml, this entry is
*commented out*.

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.

Roberto



Hassan Schroeder [EMAIL PROTECTED] 
08/15/2005 08:41 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






Robert V. Coward/CTR/OSAGWI wrote:
 Hmmm. Well take a look at this entry from the server.xml file:
 
 <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
 <!-- See proxy documentation for more information about using this. -->
 <!--
 <Connector port="8082"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" acceptCount="100" connectionTimeout="20000"
            proxyPort="80" disableUploadTimeout="true" />
 -->
 
 I did not add this and from what I can tell this comes with the default 
 config. Any info?

About what? This is in the Fine Manual -- see the Connector
documentation under tomcat-docs/config/:
---
Proxy Support

 The proxyName and proxyPort attributes can be used when Tomcat is 
run behind a proxy server. These attributes modify the values returned 
to web applications that call the request.getServerName() and 
request.getServerPort() methods, which are often used to construct 
absolute URLs for redirects. Without configuring these attributes, the 
values returned would reflect the server name and port on which the 
connection from the proxy server was received, rather than the server 
name and port to whom the client directed the original request.

 For more information, see the Proxy Support HOW-TO.
---

Though this isn't particularly relevant to your situation, since as
are many of the *examples* in the default server.xml, this entry is
*commented out*.

HTH!
-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

   dream.  code.







Re: Security Questions Regarding Tomcat

2005-08-15 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:
Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.


Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.
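A scripted form of the before/after comparison Hassan suggests, added here as an example; it is not part of the thread. It extracts the listening ports from saved "netstat -tln" or "ss -tln" output and reports the ports that appeared after Tomcat was started. The two listings embedded in demo() are constructed, not captured from a real host. A port that nmap reports open but that never shows up in either listing (port 80 in Robert's case) is then evidence of something other than Tomcat: another service, or a redirect rule in the packet filter.

```shell
#!/bin/sh
# Added example (not from the thread): diff the TCP listening ports before
# and after starting Tomcat. Works on saved netstat -tln / ss -tln output,
# so the check can be kept as a file and repeated after every config change.

# listening_ports FILE: local port of every LISTEN socket, sorted, unique.
listening_ports() {
    awk '/LISTEN/ {
            n = split($4, a, ":")   # field 4 is the local address in both
            print a[n]              # formats; the port follows the last colon
        }' "$1" | sort -u
}

# new_ports BEFORE AFTER: ports listening in AFTER but not in BEFORE,
# space separated and in numeric order.
new_ports() {
    b=$(mktemp); a=$(mktemp)
    listening_ports "$1" > "$b"
    listening_ports "$2" > "$a"
    # comm -13 keeps the lines present only in the second (sorted) input
    comm -13 "$b" "$a" | sort -n | tr '\n' ' ' | sed 's/ $//'
    rm -f "$b" "$a"
}

# demo: constructed snapshots of a host before and after starting Tomcat
# with the stock connectors (shutdown 8005, AJP 8009, HTTP 8080).
demo() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
    cat > "$after" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp6       0      0 :::8009                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
EOF
    new_ports "$before" "$after"
    rm -f "$before" "$after"
}

# Real use: netstat -tln > before.txt; start Tomcat; netstat -tln > after.txt;
# new_ports before.txt after.txt
```

Anything beyond the expected Tomcat ports in that output deserves a look at server.xml; the inverse surprise, a port that an external scan shows but the listing does not, lives in the network path rather than in Tomcat.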






Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Got it. I've done that, and I figured out that I cannot use ipfilter as a 
reflector. That is, it is not very easy to use rdr to map packets from 
192.168.0.20 port 80 -> 192.168.0.20 port 8080.
That is precisely what I wanted to do: force NAT to rewrite packets coming 
in on one port to another port and have tomcat answer normally. I got 
confused when I saw the proxying info inside the server.xml file. Looks 
like I'll have to get a real proxy server. Thanks.

Roberto



Hassan Schroeder [EMAIL PROTECTED] 
08/15/2005 10:30 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






Robert V. Coward/CTR/OSAGWI wrote:
 Understood. But I do not want to use Tomcat proxying services. I just 
want 
 to host 8080 locally and let my ipfilter firewall block and proxy for 
me.

Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!
-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

   dream.  code.







Re: Security Questions Regarding Tomcat

2005-08-15 Thread David Smith
Regardless of what you put up in front of tomcat to act as the proxy
host, you'll most likely need the proxyPort and proxyName attributes in
your connector so tomcat can write urls correctly as needed (like in
sending external redirects).  I do this setup myself on some stuff when
I'm using mod_rewrite to map servlet material into an Apache site.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Got it. I've done that, and I figured out that I cannot use ipfilter as a 
reflector. That is, it is not very easy to use rdr to map packets from 
192.168.0.20 port 80 -> 192.168.0.20 port 8080.
That is precisely what I wanted to do: force NAT to rewrite packets coming 
in on one port to another port and have tomcat answer normally. I got 
confused when I saw the proxying info inside the server.xml file. Looks 
like I'll have to get a real proxy server. Thanks.

Roberto



Hassan Schroeder [EMAIL PROTECTED] 
08/15/2005 10:30 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






Robert V. Coward/CTR/OSAGWI wrote:

Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.

Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!
  






Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Okay great. I'll check the docs on that once I get the server side stuff 
running right. Thanks for all the help.

Roberto



David Smith [EMAIL PROTECTED] 
08/15/2005 10:59 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






Regardless of what you put up in front of tomcat to act as the proxy
host, you'll most likely need the proxyPort and proxyName attributes in
your connector so tomcat can write urls correctly as needed (like in
sending external redirects).  I do this setup myself on some stuff when
I'm using mod_rewrite to map servlet material into an Apache site.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Got it. I've done that, and I figured out that I cannot use ipfilter as a 
reflector. That is, it is not very easy to use rdr to map packets from 
192.168.0.20 port 80 -> 192.168.0.20 port 8080.
That is precisely what I wanted to do: force NAT to rewrite packets coming 
in on one port to another port and have tomcat answer normally. I got 
confused when I saw the proxying info inside the server.xml file. Looks 
like I'll have to get a real proxy server. Thanks.

Roberto



Hassan Schroeder [EMAIL PROTECTED] 
08/15/2005 10:30 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc

Subject
Re: Security Questions Regarding Tomcat






Robert V. Coward/CTR/OSAGWI wrote:

Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.

Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!
 







Re: Clusters - Disabling or restricting autodiscovery via multicast (security question)

2005-08-14 Thread Peter Rossbach

OK, this is correct! Sorry, but I also think that we must
have a secretKey and a restricted IP list to register inside the cluster. I 
want to implement this inside the next release. But currently the cluster 
messages are not encrypted, and when clients can connect to your network 
you get in trouble. At secure production sites the replication and 
membership traffic is sent over separate network cards and switches.

Thanks
Peter

ryan boyd schrieb:


When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will do a
unicast connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session data
to it.

If this is incorrect, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery
altogether?

Thanks,

Ryan




Clusters - Disabling or restricting autodiscovery via multicast (security question)

2005-08-13 Thread ryan boyd
When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will do a
unicast connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session data
to it.

If this is incorrect, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery
altogether?

Thanks,

Ryan
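One host-level mitigation for the concern Ryan raises, in the direction Peter describes (a restricted peer list and a separate replication network), added here as an example and not taken from the thread or from the Tomcat cluster code: iptables rules that accept membership multicast and replication traffic only from the listed peers, so the heartbeat of an unlisted instance is dropped before Tomcat learns its address and opens a unicast connection back to it. The interface name, multicast group and port numbers are placeholders to be replaced with the values from the deployment's own Cluster configuration.

```shell
#!/bin/sh
# Added example (not from the thread): restrict Tomcat cluster membership
# and replication traffic to known peers with iptables. Assumes iptables;
# REPL_IF, MCAST_ADDR, MCAST_PORT and REPL_PORT are placeholders that must
# match the Cluster element in server.xml. DRY_RUN=1 prints the rules
# instead of applying them (no root needed).

DRY_RUN="${DRY_RUN:-0}"
REPL_IF="${REPL_IF:-eth1}"             # placeholder: dedicated replication NIC
MCAST_ADDR="${MCAST_ADDR:-228.0.0.4}"  # placeholder: membership multicast group
MCAST_PORT="${MCAST_PORT:-45564}"      # placeholder: membership UDP port
REPL_PORT="${REPL_PORT:-4001}"         # placeholder: replication TCP port

# run: apply an iptables command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# cluster_rules PEER...: accept membership heartbeats and replication
# connections from each listed peer, then drop everything else aimed at
# those ports on any interface.
cluster_rules() {
    for peer in "$@"; do
        # heartbeat packets carry the joining node's address/port; dropping
        # unknown senders here is what stops the unicast connect-back
        run -A INPUT -i "$REPL_IF" -p udp -s "$peer" -d "$MCAST_ADDR" \
            --dport "$MCAST_PORT" -j ACCEPT
        run -A INPUT -i "$REPL_IF" -p tcp -s "$peer" --dport "$REPL_PORT" -j ACCEPT
    done
    run -A INPUT -p udp --dport "$MCAST_PORT" -j DROP
    run -A INPUT -p tcp --dport "$REPL_PORT" -j DROP
}

# Only act when asked; otherwise the file just defines the functions.
# Usage: DRY_RUN=1 sh cluster-rules.sh --apply 10.0.0.11 10.0.0.12
if [ "${1:-}" = "--apply" ]; then
    shift
    cluster_rules "$@"
fi
```

Source filtering on UDP is only as strong as the network that carries it; a heartbeat with a forged source address from the same segment gets through, which is why the dedicated replication interface and switch Peter mentions matter more than the rule set. Review the output with DRY_RUN=1 before applying as root.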




RE: Security Questions Regarding Tomcat

2005-08-12 Thread Harrell, Ralph
I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.

Ralph B. Harrell
UNC Charlotte
Manager, Oracle Database Administration
[EMAIL PROTECTED]
(704) 687-2951
-Original Message-
From: Alon Belman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding Tomcat

copied share to meb/robo

laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:
 Tim,
 
 Thanks for the reply, but I can't get it working:
 
 In conf/server.xml I added server="TEST", as shown:
 
 <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8180" minProcessors="5" maxProcessors="75"
            enableLookups="true" acceptCount="10" debug="0"
            connectionTimeout="20000" useURIValidationHack="false" server="TEST"/>
 
 Stopped, started Tomcat. nc'ed to localhost, but still got the old
 server header.
 
 $ nc localhost 8180
 GET / HTTP/1.0
 
 HTTP/1.1 302 Moved Temporarily
 Location: http://localhost.localdomain:8180/index.jsp
 Content-Length: 0
 Date: Thu, 11 Aug 2005 20:15:38 GMT
 Server: Apache-Coyote/1.1
 Connection: close
 
 What am I doing wrong?
 
 Thanks!
 
 Leandro
 
 
 
 On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
  The Server header can be configured in the Connector declaration.
 
  server='Sun Solaris IIS/6.0'
 
  To limit the HTTP methods this can be done a few ways;
  1) Use a servlet filter
  2) Use web.xml and security constraints on those method types
  3) ???
 
 
  -Tim
 
 
  LFM wrote:
   Hi!
  
   I'm hardening a Web Server running Tomcat for a client, but I'm having
   difficulty in finding information on how to accomplish the following
   tasks (bored of googling so I decided to ask here):
   1. Remove/modify the banner presented by the coyote connector on the
   server header of an http reply.
   2. Limit the HTTP methods available. (I want to disable trace, put,
   delete).
 
 



Re: Security Questions Regarding Tomcat

2005-08-12 Thread Paul Singleton

Harrell, Ralph wrote:


I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.


...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton


--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.7/70 - Release Date: 11/Aug/2005
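The redirect Paul describes, done with iptables on the Tomcat host, as an added example that is not part of the thread. It assumes iptables with the conntrack match; the interface name is a placeholder. Besides the PREROUTING REDIRECT it covers two points the thread circles around: locally generated connections never pass PREROUTING, so the OUTPUT chain gets a matching rule, and the filter table sees the rewritten port, so 8080 and 8443 have to be accepted in INPUT. Accepting only connections whose original destination was the privileged port keeps 8080 and 8443 closed to clients that dial them directly, which is what Robert's network admin objects to.

```shell
#!/bin/sh
# Added example (not from the thread): redirect 80->8080 and 443->8443 with
# iptables so Tomcat can run unprivileged, and accept on 8080/8443 only the
# connections that arrived through that redirect. Assumes iptables with the
# conntrack match (--ctstate DNAT, --ctorigdstport); EXT_IF is a placeholder.
# DRY_RUN=1 prints the rules instead of applying them (no root needed).

EXT_IF="${EXT_IF:-eth0}"   # placeholder: external interface name
DRY_RUN="${DRY_RUN:-0}"

# run: apply an iptables command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# redirect_port FROM TO: rules for one privileged -> unprivileged pair.
redirect_port() {
    from="$1"; to="$2"
    # nat/PREROUTING rewrites the destination port of inbound connections
    # before the filter table sees them ...
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # ... but locally generated traffic never passes PREROUTING; OUTPUT
    # does, so health checks run on the host against :$from keep working.
    run -t nat -A OUTPUT -o lo -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"
    # Accept only redirected connections: a client that dials the
    # unprivileged port directly has no DNAT state and hits the DROP.
    run -A INPUT -i "$EXT_IF" -p tcp --dport "$to" \
        -m conntrack --ctstate DNAT --ctorigdstport "$from" -j ACCEPT
    run -A INPUT -i "$EXT_IF" -p tcp --dport "$to" -j DROP
}

# apply_rules: the two pairs discussed in the thread.
apply_rules() {
    redirect_port 80 8080
    redirect_port 443 8443
}

# Only act when asked; otherwise the file just defines the functions.
# Usage: DRY_RUN=1 sh redirect.sh --apply   (drop DRY_RUN and run as root to apply)
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Tomcat itself stays on its stock connector ports; only the firewall changes. An external scan then shows 80 and 443 open and 8080 and 8443 closed, even though netstat on the host lists only the high ports, which is the discrepancy Robert reports further up the thread.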





Re: Security Questions Regarding Tomcat

2005-08-12 Thread Robert V. Coward/CTR/OSAGWI
Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080. According to a netstat 
-a only port 808 is listening, but when I run nmap against it it shows 80 
and 8080. I'd like to have ipfilter block all connections and 
redirect packets bound for port 80 to 8080. In other words I want to do 
what the T5 server seems to be doing already. Anyone have any ideas? My 
network admin is giving me much grief about allowing port 8080 access to 
the web.

Thanks





Paul Singleton [EMAIL PROTECTED] 
08/12/2005 10:08 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Alon Belman [EMAIL PROTECTED]
Subject
Re: Security Questions Regarding Tomcat






Harrell, Ralph wrote:

 I would like to be able to start TOMCAT as a non-root
 user but am unable to as we are running SSL and use
 port 443 and non-root users do not have the permission
 to use ports under 1000.

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton






Re: Security Questions Regarding Tomcat

2005-08-12 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:

Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080.


Sorry, but that's simply not the case. The Connector definitions in
$CATALINA_HOME/conf/server.xml control what ports (and IPs) Tomcat
is listening on.

I'm not familiar with 'ipfilter', but there should be a way to list
the current rule set (equiv to `iptables -L`) to see what's going on.

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
See the Commons-Daemon project on the Jakarta site for starting tomcat
as a non-root answer.

--David

Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.

Ralph B. Harrell
UNC Charlotte
Manager, Oracle Database Administration
[EMAIL PROTECTED]
(704) 687-2951
-Original Message-
From: Alon Belman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding Tomcat

copied share to meb/robo

laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:
  

Tim,

Thanks for the reply, but I can't get it working:

In conf/server.xml I added server="TEST", as shown:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8180" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           connectionTimeout="20000" useURIValidationHack="false" server="TEST"/>

Stopped, started Tomcat. nc'ed to localhost, but still got the old
server header.

$ nc localhost 8180
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Location: http://localhost.localdomain:8180/index.jsp
Content-Length: 0
Date: Thu, 11 Aug 2005 20:15:38 GMT
Server: Apache-Coyote/1.1
Connection: close

What am I doing wrong?

Thanks!

Leandro



On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:


The Server header can be configured in the Connector declaration.

server='Sun Solaris IIS/6.0'

To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???


-Tim


LFM wrote:
  

Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the coyote connector on the
server header of an http reply.
2. Limit the HTTP methods available. (I want to disable trace, put,
delete).



  











Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
This sounds really fishy.  Tomcat does not by default have any
connectors configured for port 80.  There must be another service or
you've modified your server.xml somehow.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080. According to a netstat 
-a only port 808 is listening, but when I run nmap against it it shows 80 
and 8080. I'd like to have ipfilter block all connections and 
redirect packets bound for port 80 to 8080. In other words I want to do 
what the T5 server seems to be doing already. Anyone have any ideas? My 
network admin is giving me much grief about allowing port 8080 access to 
the web.

Thanks





Paul Singleton [EMAIL PROTECTED] 
08/12/2005 10:08 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org


To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Alon Belman [EMAIL PROTECTED]
Subject
Re: Security Questions Regarding Tomcat






Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton


  





Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
I don't know -- I can see some value to the root only ports below 1024. 
It prevents non-privileged users from stealing trusted service ports in
a mainframe environment -- not that that's a reality anymore.  The best
way to handle this in a production environment is to use the
commons-daemon project at the Jakarta site.

--David

Paul Singleton wrote:

 Harrell, Ralph wrote:

 I would like to be able to start TOMCAT as a non-root
 user but am unable to as we are running SSL and use
 port 443 and non-root users do not have the permission
 to use ports under 1000.


 ...not in Linux and some (all?) Unix variants, anyway.

 (FWIW I think this root-only-below-1000 rule is an
 ill considered security kludge which has probably
 caused more trouble than it has circumvented)

 You could redirect port 443 to 8443 (and 80 to 8080)
 either in an external firewall/router or in iptables
 within your server, then start Tomcat as e.g. tomcat
 on its usual ports.

 Paul Singleton







security-constraint not working, help please...

2005-08-12 Thread Trey Ethridge
Hello all,

I'm ready to pull my hair out getting the security constraint to work.  
Basically, I need to forward all traffic except one directory to the https 
port.  I've got it to work if I use the url-pattern of /*.  However, when I 
specify the patterns to accomplish the task, nothing matches and I can access 
any page through the http port.

Here is what I'm using: 

In web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic SLL Forwarding</web-resource-name>
    <url-pattern>/Temp/*</url-pattern>
    <url-pattern>/temp/*</url-pattern>
    <url-pattern>/pictures/*</url-pattern>
    <url-pattern>/resources/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/web/*</url-pattern>
    <url-pattern>/Operator/*</url-pattern>
    <url-pattern>/operator/*</url-pattern>
    <url-pattern>/soap/*</url-pattern>
    <url-pattern>/webtools/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

In server.xml:
<Server>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            descriptors="/jboss-mbeans.xml" debug="0"/>
  <Service name="jboss.web"
           className="org.jboss.web.tomcat.tc5.StandardService">
    <Connector port="81" address="${jboss.bind.address}"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8009" address="${jboss.bind.address}"
               enableLookups="false" redirectPort="8443" debug="0"
               protocol="AJP/1.3" />
    <Connector port="8443" minProcessors="5" maxProcessors="200"
               enableLookups="true" disableUploadTimeout="true"
               scheme="https" secure="true" keystorepass="changeit"
               keystoreFile="${jboss.server.home.dir}/conf/.keystore"
               acceptCount="200" debug="0"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="jboss.web" defaultHost="localhost">
      <Logger className="org.jboss.web.tomcat.Log4jLogger"
              verbosityLevel="INFORMATION"
              category="org.jboss.web.localhost.Engine"/>
      <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" />
      <Host name="localhost" autoDeploy="false" deployOnStartup="false"
            deployXML="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               prefix="localhost_access_log." suffix=".log"
               pattern="common" directory="${jboss.server.home.dir}/log"
               resolveHosts="false" />
        <DefaultContext cookies="true" crossContext="true" override="true" />
      </Host>
    </Engine>
  </Service>
</Server>

Is there a way to specify everything except a directory using some kind of NOT 
operator?

Why won't what I'm using above forward me to the correct https port?

Thanks in advance.





Re: Security Questions Regarding Tomcat

2005-08-12 Thread Leandro Meiners
Tim, list:

Where can I find documentation regarding limiting HTTP methods using
security-constraints?
All I was able to do was require authentication in order to use some HTTP
methods, but I would like to limit them like it can be done with the
Limit directive in Apache.

I will also appreciate any pointers to documentation regarding Tomcat
Security, especially about hardening.

Regards,

Leandro.





Re: Security Questions Regarding Tomcat

2005-08-12 Thread Hassan Schroeder

Leandro Meiners wrote:


Where can I find documentation regarding limiting HTTP methods using
security-constraints?


The Security section of the Servlet 2.4 Spec (SRV.12) has some good
examples -- highly recommended  :-)

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Security Questions Regarding Tomcat

2005-08-11 Thread LFM
Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the Coyote connector in the
Server header of an HTTP reply.
2. Limit the HTTP methods available (I want to disable TRACE, PUT,
DELETE).

Regards!

Leandro

-- 
LFM [EMAIL PROTECTED]





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Tim Funk

The Server header can be configured in the Connector declaration.

server='Sun Solaris IIS/6.0'

To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???


-Tim


LFM wrote:

Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the Coyote connector in the
Server header of an HTTP reply.
2. Limit the HTTP methods available (I want to disable TRACE, PUT,
DELETE).



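A servlet filter of the kind Tim's option 1 describes, written here as an added example (it is not code from the thread or from Tomcat): it allow-lists the HTTP methods named in its init-param and answers everything else, TRACE, PUT and DELETE included, with 405. The class name, the init-param name and the web.xml mapping in the header comment are my own choices; the mapping uses the standard Servlet 2.4 elements.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical allow-list filter (added example, not Tomcat code).
 * Only the methods named in the "allowedMethods" init-param get through;
 * TRACE, PUT, DELETE and anything else are answered with 405.  Mapped to
 * /* it runs before any servlet or JSP in the webapp:
 *
 *   <filter>
 *     <filter-name>HttpMethodFilter</filter-name>
 *     <filter-class>HttpMethodFilter</filter-class>
 *     <init-param>
 *       <param-name>allowedMethods</param-name>
 *       <param-value>GET,POST,HEAD</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>HttpMethodFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * An allow-list beats a deny-list of TRACE/PUT/DELETE: a method nobody
 * listed is rejected by default instead of slipping through.
 * Java 1.4 syntax on purpose, to match the Tomcat 4/5.0 era of the thread.
 */
public class HttpMethodFilter implements Filter {

    private static final String DEFAULT_ALLOWED = "GET,POST,HEAD";

    /** Upper-cased method names, sorted so the Allow header is stable. */
    private Set allowed;

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedMethods");
        allowed = parseMethods(param == null ? DEFAULT_ALLOWED : param);
        if (allowed.isEmpty()) {
            throw new ServletException("allowedMethods must name at least one method");
        }
    }

    /** "get, Post ,HEAD" becomes {"GET", "HEAD", "POST"}. */
    static Set parseMethods(String csv) {
        Set set = new TreeSet();
        String[] parts = csv.split(",");
        for (int i = 0; i < parts.length; i++) {
            String m = parts[i].trim().toUpperCase(Locale.ENGLISH);
            if (m.length() > 0) {
                set.add(m);
            }
        }
        return set;
    }

    /** Comma-joined list for the Allow header that RFC 2616 requires on a 405. */
    static String allowHeader(Set methods) {
        StringBuffer sb = new StringBuffer();
        for (Iterator it = methods.iterator(); it.hasNext();) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(it.next());
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // HTTP method tokens are case-sensitive, so compare exactly: a
        // request for "get" is not GET and is rejected like everything else.
        if (!allowed.contains(request.getMethod())) {
            response.setHeader("Allow", allowHeader(allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;   // the servlet never sees the request
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        allowed = null;
    }
}
```

The filter protects only the context it is mapped in, so every deployed webapp needs its own mapping; Tim's option 2, a security-constraint in web.xml that lists the unwanted methods in http-method elements with an empty auth-constraint (no role allowed), has the same per-webapp scope.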



Re: Security Questions Regarding Tomcat

2005-08-11 Thread LFM
Tim, 

Thanks for the reply, but I can't get it working:

In conf/server.xml I added server="TEST", as shown:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8180" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           connectionTimeout="2" useURIValidationHack="false" server="TEST"/>

Stopped, started Tomcat. nc'ed to localhost, but still got the old
server header.

$ nc localhost 8180
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Location: http://localhost.localdomain:8180/index.jsp
Content-Length: 0
Date: Thu, 11 Aug 2005 20:15:38 GMT
Server: Apache-Coyote/1.1
Connection: close

What am I doing wrong?

Thanks!

Leandro



On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
 The Server header can be configured in the Connector declaration.
 
 server='Sun Solaris IIS/6.0'
 
 To limit the HTTP methods this can be done a few ways;
 1) Use a servlet filter
 2) Use web.xml and security constraints on those method types
 3) ???
 
 
 -Tim
 
 
 LFM wrote:
  Hi!
  
  I'm hardening a Web Server running Tomcat for a client, but I'm having
  difficulty in finding information on how to accomplish the following
  tasks (bored of googling so I decided to ask here):
  1. Remove/modify the banner presented by the Coyote connector in the
  Server header of an HTTP reply.
  2. Limit the HTTP methods available (I want to disable TRACE, PUT,
  DELETE).
  
 
 





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Alon Belman
copied share to meb/robo

laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:
 Tim,
 
 Thanks for the reply, but I can't get it working:
 
 In conf/server.xml I added server="TEST", as shown:
 
 <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8180" minProcessors="5" maxProcessors="75"
            enableLookups="true" acceptCount="10" debug="0"
            connectionTimeout="2" useURIValidationHack="false" server="TEST"/>
 
 Stopped, started Tomcat. nc'ed to localhost, but still got the old
 server header.
 
 $ nc localhost 8180
 GET / HTTP/1.0
 
 HTTP/1.1 302 Moved Temporarily
 Location: http://localhost.localdomain:8180/index.jsp
 Content-Length: 0
 Date: Thu, 11 Aug 2005 20:15:38 GMT
 Server: Apache-Coyote/1.1
 Connection: close
 
 What am I doing wrong?
 
 Thanks!
 
 Leandro
 
 
 
 On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
  The Server header can be configured in the Connector declaration.
 
  server='Sun Solaris IIS/6.0'
 
  To limit the HTTP methods this can be done a few ways;
  1) Use a servlet filter
  2) Use web.xml and security constraints on those method types
  3) ???
 
 
  -Tim
 
 
  LFM wrote:
   Hi!
  
   I'm hardening a Web Server running Tomcat for a client, but I'm having
   difficulty in finding information on how to accomplish the following
   tasks (bored of googling so I decided to ask here):
   1. Remove/modify the banner presented by the Coyote connector in the
   Server header of an HTTP reply.
   2. Limit the HTTP methods available (I want to disable TRACE, PUT,
   DELETE).
  
 
 
 
 
 





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Tim Funk

Setting the server header is a tomcat 5.5 feature.

-Tim

LFM wrote:
Tim, 


Thanks for the reply, but I can't get it working:

In conf/server.xml I added server="TEST", as shown:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8180" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           connectionTimeout="2" useURIValidationHack="false" server="TEST"/>

Stopped, started Tomcat. nc'ed to localhost, but still got the old
server header.

$ nc localhost 8180
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Location: http://localhost.localdomain:8180/index.jsp
Content-Length: 0
Date: Thu, 11 Aug 2005 20:15:38 GMT
Server: Apache-Coyote/1.1
Connection: close

What am I doing wrong?

Thanks!

Leandro



On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:


The Server header can be configured in the Connector declaration.

server='Sun Solaris IIS/6.0'

To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???


-Tim


LFM wrote:


Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the Coyote connector in the
Server header of an HTTP reply.
2. Limit the HTTP methods available (I want to disable TRACE, PUT,
DELETE).






Tomcat security during runtime

2005-08-10 Thread Matt Anderson
Hello all

I have a question: if you set up your own security in Tomcat by using your own
policy, is there any way to modify this policy during runtime, without
restarting Tomcat itself? Is there any Java API you can use to modify the
security manager during run time?

Thanking you in advance.

Matt




tomcat security

2005-08-09 Thread Cengiz Yazgan
Hi everybody,

I have a problem with Tomcat security.

One of my friends wrote a single piece of code and he can travel through every
folder on the server.

I wonder whether there is any config file for Jakarta for disabling access to
anything except his folder.

Maybe you know that in PHP there is a security setting in php.ini for
disabling such traversal.

Is there any config file like this?

 

Best regards

 

 

Cengiz YAZGAN
Sistem Mühendisi/System Engineer
DorukNet
Tel / Phone : +90 212 326 92 00
Fax : +90 212 227 28 11
E-mail : [EMAIL PROTECTED] 
http://www.doruk.net.tr http://www.doruk.net.tr/  
http://www.doruk.net.tr/english.html

 



Re: tomcat security

2005-08-09 Thread Ben Ricker
Yes. There is the catalina.policy file in the conf/ directory. See
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html
for details.

Ben Ricker

On 8/9/05, Cengiz Yazgan [EMAIL PROTECTED] wrote:
 Hi everybody,
 
 I have a problem with Tomcat security.
 
 One of my friends wrote a single piece of code and he can travel through every
 folder on the server.
 
 I wonder whether there is any config file for Jakarta for disabling access to
 anything except his folder.
 
 Maybe you know that in PHP there is a security setting in php.ini for
 disabling such traversal.
 
 Is there any config file like this?
 
 
 
 Best regards
 
 
 
 
 
 Cengiz YAZGAN
 Sistem Mühendisi/System Engineer
 DorukNet
 Tel / Phone : +90 212 326 92 00
 Fax : +90 212 227 28 11
 E-mail : [EMAIL PROTECTED]
 http://www.doruk.net.tr http://www.doruk.net.tr/
 http://www.doruk.net.tr/english.html
 
 
 
 
 


-- 
Ben Ricker
He's just this guy, you know?




RE: tomcat security

2005-08-09 Thread Cengiz Yazgan
I saw this config file.
I disabled these lines:

permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";

But I can still browse.

-Original Message-
From: Ben Ricker [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 09, 2005 3:33 PM
To: Tomcat Users List
Subject: Re: tomcat security

Yes. There is the catalina.policy file in the conf/ directory. See
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html
for details.

Ben Ricker

On 8/9/05, Cengiz Yazgan [EMAIL PROTECTED] wrote:
 Hi everybody,
 
 I have a problem with Tomcat security.
 
 One of my friends wrote a single piece of code and he can travel through every
 folder on the server.
 
 I wonder whether there is any config file for Jakarta for disabling access to
 anything except his folder.
 
 Maybe you know that in PHP there is a security setting in php.ini for
 disabling such traversal.
 
 Is there any config file like this?
 
 
 
 Best regards
 
 
 
 
 
 Cengiz YAZGAN
 Sistem Mühendisi/System Engineer
 DorukNet
 Tel / Phone : +90 212 326 92 00
 Fax : +90 212 227 28 11
 E-mail : [EMAIL PROTECTED]
 http://www.doruk.net.tr http://www.doruk.net.tr/
 http://www.doruk.net.tr/english.html
 
 
 
 
 


-- 
Ben Ricker
He's just this guy, you know?






Using Tomcat 5.5 clustering, container managed security info does not propagate to other instances

2005-08-03 Thread Dirk de Kok
Hi all,

We are having a problem with our Tomcat 5.5.9 cluster. We run 2 Tomcat
instances on physically different machines. For security we use normal
container-managed security, configured in the web.xml. Session replication
works fine, and session IDs are the same across the two instances. We only have
trouble with the authentication. For instance, if you are logged in on
instance1 and the load balancer redirects a subsequent request to instance2, you
have to log in again. Turning on Single Sign-on did not help. Does anybody
know if we should be able to get this working, and how?

Browsing through the Tomcat source code I noticed that the security Principal
is very explicitly not saved in a serialized session. Could this be the
reason why login information is not propagated to other instances? Has
anybody an idea why this is not done?

Configuration:
- OS: RH 4
- App server: Tomcat 5.5.9
- Session replication: in-memory, pooled
- Load balancing via hardware load balancer (Cisco)
 
tia,
 
Dirk

- Lost Boys creates and delivers internet  mobile solutions -

Dirk de Kok | Java Specialist
Lost Boys B.V. | Joop Geesinkweg 209 | 1096 AV Amsterdam The Netherlands |
Tel: +31 20 4604500 | Fax: +31 20 4604501 | [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  | www.lostboys.nl http://www.lostboys.nl/


 


Re: Security Manager

2005-07-31 Thread Ralf Schneider
Am Dienstag, 19. Juli 2005 23:55 schrieb Ralf Schneider:
 Hi,

 I have some problems when turning the security manager of Tomcat 5.5.9 on.
 When I load a JSP that has to be compiled after being changed I get a
 strange exception:

 ERROR  [19.07.2005 23:30:45]  (ApplicationDispatcher.java:704) -
 Servlet.service() for servlet jsp threw exception
 org.xml.sax.SAXException: Internal Error:
 File /javax/servlet/resources/web-app_2_3.dtd not found
   at

Hi,

I found the solution by myself. The reason for this problem was the JAR file 
xercesImpl.jar in my WEB-INF/lib dir. Don't know why this was there, but 
after removing it everything works fine again.

Ralf.




Re: Security Manager

2005-07-31 Thread Lintang JP
maybe you must include web-app_2_3_2.dtd in your WEB-INF directory, and then 
reload it ?

On 7/31/05, Ralf Schneider [EMAIL PROTECTED] wrote:
 
 Am Dienstag, 19. Juli 2005 23:55 schrieb Ralf Schneider:
  Hi,
 
  I have some problems when turning the security manager of Tomcat 5.5.9 on.
  When I load a JSP that has to be compiled after being changed I get a
  strange exception:
 
  ERROR [19.07.2005 23:30:45] (ApplicationDispatcher.java:704) -
  Servlet.service() for servlet jsp threw exception
  org.xml.sax.SAXException: Internal Error:
  File /javax/servlet/resources/web-app_2_3.dtd not found
  at
 
 Hi,
 
 I found the solution by myself. The reason for this problem was the JAR 
 file
 xercesImpl.jar in my WEB-INF/lib dir. Don't know why this was there, but
 after removing it everything works fine again.
 
 Ralf.
 
 
 


-- 
---
http://www.psychotazkia.or.id


Session Security

2005-07-29 Thread Jagadeesha T
Hi All,
Cookie information goes to the server in clear text, I think. I don't
know whether it can be
configured to be sent as cipher text.
When it goes over the network to the browser, if SSL is not enabled, the
Cookie/JSESSIONID value can be seen with Ethereal and also copied; if
anybody tries that cookie with the URL,
it will take the person directly to that page. How can I disable it?
Could anybody please tell me how to avoid it.
 
Thanks,
Jagadeesha T



Re: Session Security

2005-07-29 Thread Martin Bromley

Simple solution: use SSL for all pages that have a session.  AFAIK there's no 
way to keep a session secure without it all being over SSL.

So the login process must be over SSL, and then everything until log-out should 
be over SSL also (I'm making the assumption that you're only using sessions for 
a restricted area of the site).

See www.owasp.org for excellent information on securing web apps.  


http://www.owasp.org/documentation/topten/a3.html covers session management.

Martin

Jagadeesha T wrote:

Hi All,
Cookie information goes to the server in clear text, I think. I don't know whether it can be
configured to be sent as cipher text.
When it goes over the network to the browser, if SSL is not enabled, the Cookie/JSESSIONID value can be seen with Ethereal and also copied; if anybody tries that cookie with the URL,

it will take the person directly to that page. How can I disable it?
Could anybody please tell me how to avoid it.
 
Thanks,

Jagadeesha T







Security flag and the Tomcat Win2K Service

2005-07-28 Thread David Gorin
Hi All,

Forgive me if this question is answered elsewhere but I've had no joy so
far.

I have created a servlet that uses RMI to communicate with my application
server.  This works great if I start Tomcat from the command line thus:

catalina run -security

However, I cannot find how to configure the Tomcat service so that it starts
with the -security parameter.  Any help would be greatly appreciated.

Thanx,

David


Security Manager

2005-07-19 Thread Ralf Schneider
Hi,

I have some problems when turning the security manager of Tomcat 5.5.9 on. 
When I load a JSP that has to be compiled after being changed I get a strange 
exception:

ERROR  [19.07.2005 23:30:45]  (ApplicationDispatcher.java:704) - 
Servlet.service() for servlet jsp threw exception
org.xml.sax.SAXException: Internal Error: 
File /javax/servlet/resources/web-app_2_3.dtd not found
at 
org.apache.jasper.xmlparser.MyEntityResolver.resolveEntity(ParserUtils.java:205)
at org.apache.xerces.util.EntityResolverWrapper.resolveEntity(Unknown 
Source)
at org.apache.xerces.impl.XMLEntityManager.resolveEntity(Unknown Source)
at 
org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown 
Source)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown 
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at 
org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:95)
at 
org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:76)
at org.apache.jasper.compiler.JspConfig.init(JspConfig.java:197)
at 
org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:249)
at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:103)

These are only the first few lines of the callstack. The whole exception is 
very long.

I also turned debugging on (java.security.debug=access), but there's no 
AccessControlException before the SAXException above.

Any ideas what might be the problem? 

Best regards,
Ralf.




FW: Tomcat security realms question

2005-07-18 Thread Akoulov, Alexandre [IT]

Thanks Mark. I agree, but they are the security people and I have to at least
try to comply. Do you think it would be feasible for us to change
org.apache.catalina.authenticator.AuthenticatorBase for Tomcat 4.1.18 to change
the session ID after logging in? We'd obviously have to recompile Tomcat after
doing so. Are there any hidden gotchas you can think of with doing that?

Thanks

Alex.


-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question


The problem you describe is true of any session tracking system running 
over http. The solution is to use https.

However, here's a question to fire back at your security team:
If you are worried about an attacker physically looking at a session ID 
on a user's screen, what about if they decide to install a keyboard 
logger (physical or software) whilst they have access to the user's 
machine?

In fact, I can think of a whole bunch of other things I could do as well 
that would be equally or more damaging than hijacking a single session.

Fundamentally, if an attacker has physical access to a machine it is 
game over - they have won.

Your security team knows the threat model for your situation far better 
than I do but it sounds to me like they are trying too hard in one area 
and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:
  Hi all
  
  I have a problem that's been raised by my security team to do with using 
 Tomcat JDBCRealms. We're using such realms to protect restricted resources. 
 We also have a custom login form. The steps Tomcat seems to follow when using 
 such a setup is:
  
  1. Check to see if the user is logged in with access to the restricted 
 resource.
  2. If they aren't, forward them to the login page and create an HTTPSession 
 to keep track of that user.
  3. Once they've logged in, add the authentication system to the HTTPSession 
 created in step 2 to hold that info and forward them to the resource.
  4. Continue using the same HTTPSession to maintain state.
  
  The problem my security team has with this is that someone could potentially 
 steal the users HTTPSession ID before they've logged in, as this is created 
 in the login screen. e.g. the user is forwarded to the login screen, then 
 goes to make themselves a cup of coffee. A hacker goes to their computer and 
 writes down the session ID. The user comes back and logs in, and the hacker 
 pretends to be them from another computer.
  
  My question is: how can I avoid this situation and keep the security guys 
 happy? Is it possible to have the session ID held by the browser (in 
 JSessionID) change post-login (ie make tomcat invalidate the current session 
 and create a new session after the user has been successfully authenticated)?
  
  Thanks for your help.





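What Alex is asking for, a fresh session ID once the credentials have been accepted, looks like this when the application runs the login itself. This is an added example, not Tomcat code and not the AuthenticatorBase change he proposes; SessionRotator and the attribute names in the comments are hypothetical. It cannot be retrofitted onto Tomcat's own FORM login from inside a webapp, because by the time the application sees the request the container has already bound the Principal to the pre-login session, which is why Alex is looking at AuthenticatorBase in the first place.

```java
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical helper (added example, not Tomcat code and not a change to
 * AuthenticatorBase).  Once the application has verified the user's
 * credentials it discards the session that was live while the login form
 * was on screen and continues under a brand-new one.  Whatever ID a
 * bystander wrote down before the user came back from the coffee machine
 * no longer maps to any session.
 *
 * Typical use in an application-managed login servlet, right after the
 * credential check succeeds and BEFORE the identity is stored:
 *
 *   HttpSession s = SessionRotator.rotate(request, new String[] {"returnTo"});
 *   s.setAttribute("user", username);
 *
 * Java 1.4 syntax on purpose, to match the Tomcat 4.1 of the thread.
 */
public final class SessionRotator {

    private SessionRotator() {
    }

    /**
     * Replaces the current session with a fresh one and returns it.
     *
     * @param request the current request
     * @param keep    names of attributes to carry over, or null for all of
     *                them.  Prefer a short explicit list: anything the
     *                anonymous user could put into the pre-login session
     *                would otherwise follow them into the authenticated one.
     */
    public static HttpSession rotate(HttpServletRequest request, String[] keep) {
        HttpSession old = request.getSession(false);
        Map carried = new HashMap();
        if (old != null) {
            carried = copyAttributes(old, keep);
            old.invalidate();   // the container forgets the pre-login ID
        }
        // true: the container mints a new random ID and sends a fresh
        // JSESSIONID cookie with this response.
        HttpSession fresh = request.getSession(true);
        for (Iterator it = carried.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            fresh.setAttribute((String) e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Snapshot of the session's attributes, filtered by name if keep != null. */
    static Map copyAttributes(HttpSession session, String[] keep) {
        List wanted = keep == null ? null : Arrays.asList(keep);
        Map out = new HashMap();
        for (Enumeration names = session.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            if (wanted == null || wanted.contains(name)) {
                out.put(name, session.getAttribute(name));
            }
        }
        return out;
    }
}
```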



Re: Tomcat security realms question

2005-07-17 Thread Mark Thomas
The problem you describe is true of any session tracking system running 
over http. The solution is to use https.


However, here's a question to fire back at your security team:
If you are worried about an attacker physically looking at a session ID 
on a user's screen, what about if they decide to install a keyboard 
logger (physical or software) whilst they have access to the user's 
machine?


In fact, I can think of a whole bunch of other things I could do as well 
that would be equally or more damaging than hijacking a single session.


Fundamentally, if an attacker has physical access to a machine it is 
game over - they have won.


Your security team knows the threat model for your situation far better 
than I do but it sounds to me like they are trying too hard in one area 
and have missed a bunch of other threats.


Mark

Akoulov, Alexandre [IT] wrote:

 Hi all
 
 I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup is:
 
 1. Check to see if the user is logged in with access to the restricted resource.

 2. If they aren't, forward them to the login page and create an HTTPSession to 
keep track of that user.
 3. Once they've logged in, add the authentication system to the HTTPSession 
created in step 2 to hold that info and forward them to the resource.
 4. Continue using the same HTTPSession to maintain state.
 
 The problem my security team has with this is that someone could potentially steal the users HTTPSession ID before they've logged in, as this is created in the login screen. e.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.
 
 My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSessionID) change post-login (ie make tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?
 
 Thanks for your help.







Re: Tomcat 4.x security issue in protected environment

2005-07-17 Thread Mark Thomas

The short answers are:
1. No
2. No

The longer answer is:
This is categorically *not* a security issue with Tomcat. I have tested
this and Tomcat continues to operate correctly after a request with a
very long host header. This looks to me like an issue with your daemon.

And a few tips for future postings:
The phrase "very long" is totally useless. How long is a (very long)
piece of string? You need to be specific when discussing potential bugs
on tomcat-user if people are going to stand a chance of reproducing what
you are seeing.

Don't speculate wildly on the root cause of an issue. If you don't know
something, don't say anything or, better yet, say you don't know.
Inaccurate speculation presented as fact undermines your credibility and
significantly reduces your chances of receiving a response.

Finally, a public mailing list is not the right place to raise potential
security issues.

Mark

Rashma N wrote:

Hi,
 
We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper around the tomcat.
 
We are facing one security issue with the Tomcat. If we send a HTTP packet with a long string in the Host field, it closes the connection.
EX: 


telnet <machine> <port on which tomcat is running>

GET /index.html HTTP/1.1
Host: <very long string>

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 14 Oct 2005 05:16:57 GMT
Connection: close
Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
Connection closed by foreign host.

Though Tomcat closes the connection, somewhere it is overwriting the memory 
and not cleaning up the buffer/memory which holds this host string. Because of 
this, applications which are already launched through the Tomcat web server get 
the exception and our daemon dies.
 
Can somebody help me in figuring out:
1. Is this a known issue with Tomcat?

2. If yes, can I get a patch on top of Tomcat 4.x where the above problem is 
fixed?
 
Any pointers on this would be of great help!!!
 
Thanks,

Rashma











RE: Tomcat security realms question

2005-07-17 Thread Akoulov, Alexandre [IT]
Thanks a lot for your reply. We'll see if we can persuade our security guys to 
drop this issue.

Kind regards,

Alex.



-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question


The problem you describe is true of any session tracking system running 
over http. The solution is to use https.

However, here's a question to fire back at your security team:
If you are worried about an attacker physically looking at a session ID 
on a user's screen, what about if they decide to install a keyboard 
logger (physical or software) whilst they have access to the user's 
machine?

In fact, I can think of a whole bunch of other things I could do as well 
that would be equally or more damaging than hijacking a single session.

Fundamentally, if an attacker has physical access to a machine it is 
game over - they have won.

Your security team knows the threat model for your situation far better 
than I do but it sounds to me like they are trying too hard in one area 
and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:
  Hi all
  
  I have a problem that's been raised by my security team to do with using 
 Tomcat JDBCRealms. We're using such realms to protect restricted resources. 
 We also have a custom login form. The steps Tomcat seems to follow when using 
 such a setup is:
  
  1. Check to see if the user is logged in with access to the restricted 
 resource.
  2. If they aren't, forward them to the login page and create an HTTPSession 
 to keep track of that user.
  3. Once they've logged in, add the authentication system to the HTTPSession 
 created in step 2 to hold that info and forward them to the resource.
  4. Continue using the same HTTPSession to maintain state.
  
  The problem my security team has with this is that someone could potentially 
 steal the users HTTPSession ID before they've logged in, as this is created 
 in the login screen. e.g. the user is forwarded to the login screen, then 
 goes to make themselves a cup of coffee. A hacker goes to their computer and 
 writes down the session ID. The user comes back and logs in, and the hacker 
 pretends to be them from another computer.
  
  My question is: how can I avoid this situation and keep the security guys 
 happy? Is it possible to have the session ID held by the browser (in 
 JSessionID) change post-login (ie make tomcat invalidate the current session 
 and create a new session after the user has been successfully authenticated)?
  
  Thanks for your help.








Tomcat security realms question

2005-07-15 Thread Akoulov, Alexandre [IT]

 Hi all
 
 I have a problem that's been raised by my security team to do with using 
Tomcat JDBCRealms. We're using such realms to protect restricted resources. We 
also have a custom login form. The steps Tomcat seems to follow when using such 
a setup is:
 
 1. Check to see if the user is logged in with access to the restricted 
resource.
 2. If they aren't, forward them to the login page and create an HTTPSession to 
keep track of that user.
 3. Once they've logged in, add the authentication system to the HTTPSession 
created in step 2 to hold that info and forward them to the resource.
 4. Continue using the same HTTPSession to maintain state.
 
 The problem my security team has with this is that someone could potentially 
steal the users HTTPSession ID before they've logged in, as this is created in 
the login screen. e.g. the user is forwarded to the login screen, then goes to 
make themselves a cup of coffee. A hacker goes to their computer and writes 
down the session ID. The user comes back and logs in, and the hacker pretends 
to be them from another computer.
 
 My question is: how can I avoid this situation and keep the security guys 
happy? Is it possible to have the session ID held by the browser (in 
JSessionID) change post-login (ie make tomcat invalidate the current session 
and create a new session after the user has been successfully authenticated)?
 
 Thanks for your help.
 




Clusters - Disabling or restricting autodiscovery (security question)

2005-07-13 Thread ryan boyd
When using Tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue Tomcat instance to
join a cluster in order to hijack session information. This doesn't
seem to be cured by any firewalling of incoming connections to the valid
servers, as, from what I have read, the valid servers will connect to the
rogue server on the address/port specified by the rogue server's multicast
transmission and will transfer session data to it.

If this isn't correct, I'd be grateful for an explanation. If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable autodiscovery altogether?

Thanks,

Ryan
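One way to take multicast autodiscovery out of the picture is static membership: every node carries the full member list, nothing outside that list is ever discovered or sent session data, and the replication channel is encrypted with a shared key. The server.xml fragment below is an added example, not configuration from the thread; it assumes Tomcat 9.0.13 or later (StaticMembershipService and EncryptInterceptor), and the hosts, ports, unique IDs and key are placeholders.

```xml
<!-- Child of <Engine> or <Host> in server.xml. Added example (not from the
     thread); assumes Tomcat 9.0.13 or later. Addresses, ports, uniqueIds and
     the key are placeholders; this is the fragment for the node 10.0.1.11. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">

        <!-- No multicast <Membership>: the member list is fixed here, so a
             node that is not listed is never discovered and never receives
             sessions. Every node lists itself as LocalMember and each peer
             as Member; the lists must agree across the cluster. -->
        <Membership className="org.apache.catalina.tribes.membership.StaticMembershipService">
            <LocalMember className="org.apache.catalina.tribes.membership.StaticMember"
                         domain="app-cluster"
                         uniqueId="{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1}"/>
            <Member className="org.apache.catalina.tribes.membership.StaticMember"
                    host="10.0.1.12" port="4000" domain="app-cluster"
                    uniqueId="{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2}"/>
        </Membership>

        <!-- Bind the replication listener to the replication interface only,
             not to 0.0.0.0, so it is not reachable from other networks. -->
        <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                  address="10.0.1.11" port="4000"
                  selectorTimeout="5000" maxThreads="6"/>

        <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
            <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
        </Sender>

        <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
        <!-- Encrypt everything that leaves the channel with a key shared by the
             listed members only; a host without the key can neither read the
             replicated sessions nor inject acceptable messages. -->
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                     encryptionKey="PLACEHOLDER_REPLACE_WITH_HEX_KEY"/>
    </Channel>

    <!-- Do not replicate sessions for static resources. -->
    <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
           filter=".*\.gif|.*\.js|.*\.jpeg|.*\.jpg|.*\.png|.*\.htm|.*\.html|.*\.css|.*\.txt"/>
    <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
```

Firewalling the Receiver port to the listed peers is still worth doing: static membership stops discovery of unknown nodes, and the packet filter stops unknown nodes from even reaching the listener.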




Tomcat 4.x security issue in protected environment

2005-07-11 Thread Rashma N
Hi,
 
We are using Tomcat 4.0.4 in our product. We have a daemon which is a wrapper 
around the tomcat.
 
We are facing one security issue with Tomcat. If we send an HTTP packet with
a long string in the Host field, it closes the connection.
EX:
telnet machine port on which tomcat is running
GET /index.html HTTP/1.1
Host: very long string

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Fri, 14 Oct 2005 05:16:57 GMT
Connection: close
Server: Apache Tomcat/4.0.4 (HTTP/1.1 Connector)
Connection closed by foreign host.

Though Tomcat closes the connection, somewhere it is overwriting the memory
and not cleaning up the buffer/memory which holds this host string. Because of
this, applications which are already launched through the Tomcat webserver get
the exception and our daemon dies.

Can somebody help me in figuring out
1. Is this a known issue with Tomcat?
2. If yes, can I get a patch on top of Tomcat 4.x where the above problem is
fixed?
 
Any pointers on this would be of great help!!!
 
Thanks,
Rashma




Problem with PNG files and security-constraint

2005-07-10 Thread Dean Searle
Hello Everyone,

Hope everyone is having a great weekend. I'm new at posting to the group
but have been watching the serv list for a few years now. I usually can
find my answers by googling or searching the archive, but I think I
might have run upon something that I have not been able to find yet.

I have a welcome page that has 4 .png images on it. I know that IE 5.5
and higher have an issue with displaying .png files if they have
transparency enabled: the transparency turns grey. To make IE work
correctly there is a JavaScript you can run in your web page and it
makes it work. However, when I turned on security-constraint, my
images would show up for a split second and then they would disappear. The
spots where they should be would not even work as a link like they are
set up to be. If you use Firefox it works fine. It works fine being
served up on a Windows XP PC with Tomcat 5.0.30 and Java version
1.5.0_02. I'm using FreeBSD Release 4.10-p2 and Tomcat 5.0.30 and have
used Java 1.5.0-p1 and Java 1.4.2-p7.

I also noticed in the Tomcat log file that during startup there were
some errors with my servlet that I am using, but there are no errors when used
in Windows. Page two of the PDF starts the error message.

All the code and errors can be found at this link
http://computingoasis.com/apache/errorlog.pdf

If there is anything more that you require I would be more than happy to
post what you need.

Thank you for your help in advance,


Dean Searle






RE: Webapp security by IP range

2005-07-05 Thread Cope, Jared
Thanks. 

I was hoping that was not going to be the answer though. I thought about
doing it this way, but wanted to avoid the overhead of managing two
application directories. Maybe it's unavoidable in tomcat.

Jared.

-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED] 
Sent: 04 July 2005 20:13
To: Tomcat Users List
Subject: Re: Webapp security by IP range

Cope, Jared wrote:
 I was wondering if it is possible to apply some webapp security that will
 kick in for connections made from a certain IP range, and will not kick in
 for another set of IP ranges.

How about:
  - deploy the app twice under different contexts
  - use a remote address filter valve for the internal users
  - use normal web app security for the external users

Mark





Webapp security by IP range

2005-07-04 Thread Cope, Jared
Hi,

I was wondering if it is possible to apply some webapp security that will
kick in for connections made from a certain IP range, and will not kick in
for another set of IP ranges.

The scenario is that I want users on our Intranet subnet to not have to
authenticate, but if users visit the site from their home Internet
connection then they do have to authenticate.

I can't seem to find any examples in the Tomcat manual or web that define a
security realm by IP range. Has anyone had any success with this?

Cheers, Jared.


Re: Webapp security by IP range

2005-07-04 Thread Mark Thomas

Cope, Jared wrote:

I was wondering if it is possible to apply some webapp security that will
kick in for connections made from a certain IP range, and will not kick in
for another set of IP ranges.


How about:
 - deploy the app twice under different contexts
 - use a remote address filter valve for the internal users
 - use normal web app security for the external users

Mark
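The two-context arrangement Mark outlines, written out as an added example rather than anything from the thread. It assumes Tomcat 5.5 or later context fragments in conf/Catalina/localhost/ (the file name gives the context path), a WAR at a placeholder path, and 10.1.0.0/16 as the intranet range; the altDDName attribute lets the internal copy run with a different web.xml without a second application directory.

```xml
<!-- conf/Catalina/localhost/intranet.xml  ->  context path /intranet
     Internal users: no login. Added example; paths and range are placeholders.
     altDDName points at a copy of the application's web.xml with the
     security-constraint and login-config removed, so one WAR serves both
     contexts. The valve answers 403 to every client whose address does not
     match the allow pattern, so this context is reachable only from the
     10.1.x.x subnet. -->
<Context docBase="/opt/webapps/portal.war"
         altDDName="/opt/webapps/conf/intranet-web.xml">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="10\.1\.\d{1,3}\.\d{1,3}"/>
</Context>
```

```xml
<!-- conf/Catalina/localhost/portal.xml  ->  context path /portal
     External users: the WAR's own web.xml applies, so its security-constraint
     and FORM login-config against the configured realm are enforced. No valve
     is needed here; the Context is listed only to show the pairing. -->
<Context docBase="/opt/webapps/portal.war"/>
```

If the connector sits behind a reverse proxy, RemoteAddrValve sees the proxy's address, not the client's; newer Tomcat versions provide RemoteIpValve to restore the client address from X-Forwarded-For, and it should trust only the proxy's own address.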





CSJakharia: Security Realm Authentication

2005-07-01 Thread Chirag
Configuration
--
Tomcat 5.5.2
Windows XP
JDK 1.5

Requirement
--
I have a security realm authentication ready for a web
application linking to a database. When the user signs
up via the form, he then has to log in to the application
through the signup form instead of going directly to
the application.
How can this be done?


Thanks in advance

CSJakharia




Re: AW: Container Managed Security and mod_jk/Static Contents

2005-06-18 Thread Torsten Römer
If I use htaccess, is the user not going to be prompted with an
authentication dialog? That would not be so nice if the user has
already completed the form based authentication and then has to
authenticate for htaccess as well.


I guess what I want to do is simply not possible and doesn't make sense.
If Tomcat is bypassed by Apache for static content, how should it
handle security for these requests?


Edao, Aliye wrote:

Hi,

Why don't you use Apache to protect your static contents?
You might want to use .htaccess?


http://www.csoft.net/docs/micro/htaccess.html.en



Kind regards

Dr. Aliye Edao  
 


-Original Message-
From: Torsten Römer [mailto:[EMAIL PROTECTED]]
Sent: Friday, 17 June 2005 00:42

To: Tomcat Users List
Subject: Container Managed Security and mod_jk/Static Contents


Hello!

In order to improve performance for static contents I have set up Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.

Now I want to restrict access to some resources using container
managed security. That also works fine, but, and that is now my question:

I also want to protect static contents, but that won't work with
container managed security, because these requests are handled by Apache
and don't even make it to Tomcat. Of course I could just mount the
contents to be protected to Tomcat, but then I'll lose the performance
advantage of having them served by Apache.

Do I have to live with that or do I have a stupid setup?

Torsten





Re: Container Managed Security and mod_jk/Static Contents

2005-06-17 Thread Gurumoorthy
how do you authenticate ? basic ? form based ?
- Original Message -
From: Torsten Römer [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Thursday, June 16, 2005 11:42 PM
Subject: Container Managed Security and mod_jk/Static Contents


 Hello!

 In order to improve performance for static contents I have set up Apache
 with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
 rest is done by Apache. Works fine.

 Now I want to restrict access to some resources using container
 managed security. That also works fine, but, and that is now my question:

 I also want to protect static contents, but that won't work with
 container managed security, because these requests are handled by Apache
 and don't even make it to Tomcat. Of course I could just mount the
 contents to be protected to Tomcat, but then I'll lose the performance
 advantage of having them served by Apache.

 Do I have to live with that or do I have a stupid setup?

 Torsten





Re: Container Managed Security and mod_jk/Static Contents

2005-06-17 Thread Torsten Römer

Sorry, should have mentioned that. Using form based authentication.

Gurumoorthy schrieb:

how do you authenticate ? basic ? form based ?
- Original Message -
From: Torsten Römer [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Thursday, June 16, 2005 11:42 PM
Subject: Container Managed Security and mod_jk/Static Contents



Hello!

In order to improve performance for static contents I have set up Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.

Now I want to restrict access to some resources using container
managed security. That also works fine, but, and that is now my question:

I also want to protect static contents, but that won't work with
container managed security, because these requests are handled by Apache
and don't even make it to Tomcat. Of course I could just mount the
contents to be protected to Tomcat, but then I'll lose the performance
advantage of having them served by Apache.

Do I have to live with that or do I have a stupid setup?

Torsten





Container Managed Security and mod_jk/Static Contents

2005-06-16 Thread Torsten Römer

Hello!

In order to improve performance for static contents I have set up Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.

Now I want to restrict access to some resources using container
managed security. That also works fine, but, and that is now my question:

I also want to protect static contents, but that won't work with
container managed security, because these requests are handled by Apache
and don't even make it to Tomcat. Of course I could just mount the
contents to be protected to Tomcat, but then I'll lose the performance
advantage of having them served by Apache.

Do I have to live with that or do I have a stupid setup?

Torsten





AW: Container Managed Security and mod_jk/Static Contents

2005-06-16 Thread Edao, Aliye
Hi,

Why don't you use Apache to protect your static contents?
You might want to use .htaccess?

http://www.csoft.net/docs/micro/htaccess.html.en



Kind regards

Dr. Aliye Edao  
 

-Original Message-
From: Torsten Römer [mailto:[EMAIL PROTECTED]]
Sent: Friday, 17 June 2005 00:42
To: Tomcat Users List
Subject: Container Managed Security and mod_jk/Static Contents


Hello!

In order to improve performance for static contents I have set up Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.

Now I want to restrict access to some resources using container
managed security. That also works fine, but, and that is now my question:

I also want to protect static contents, but that won't work with
container managed security, because these requests are handled by Apache
and don't even make it to Tomcat. Of course I could just mount the
contents to be protected to Tomcat, but then I'll lose the performance
advantage of having them served by Apache.

Do I have to live with that or do I have a stupid setup?

Torsten





RE: Help/Examples setting up security settings

2005-06-15 Thread Gagnon, Joseph M (US SSA)
Ah-ha! Everything I had read so far led me to think I needed to put
everything under ROOT. I'm glad you guys pointed that out. It makes
sense.

In the meantime, to make things simpler, I set up another webapp
without any of the SPID stuff I was talking about before. It's very
simple and contains nothing more than a login page (login.jsp) and login
error page (login_error.html), the environment page (environment.jsp)
I mentioned before and an error page (error.jsp), specified in the
errorPage attribute of the page directive of the JSP files.

The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
more) and the web.xml file in the WEB-INF subdirectory has been set up
to use the correct path. I also included the security-role element Frank
mentioned below.

The web-app portion of web.xml looks like this:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>Simple JSP</display-name>
    <description>Simple JSP Test</description>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/Simple_JSP/login.jsp</form-login-page>
            <form-error-page>/Simple_JSP/login_error.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>Security Role</description>
        <role-name>simple_jsp</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Simple JSP Test</web-resource-name>
            <url-pattern>/Simple_JSP/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>simple_jsp</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

Of course, I set up the simple_jsp role in the tomcat-users.xml file and
added that role to my user entry.

Now that this is all said and done, I'm still getting behavior that I'm
not expecting. If I load my environment file into the browser
(http://localhost/Simple_JSP/environment.jsp), it comes up as though
there were no security/authentication mechanism to put up a roadblock.
The login page is never presented.

I was expecting that if I were to request any page from the Simple_JSP
area, then before anything is displayed I would be prompted to provide
a user name and password. Isn't that what's supposed to happen?

Thanks,
Joe



-Original Message-
From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 14, 2005 6:37 PM
To: Tomcat Users List
Subject: Re: Help/Examples setting up security settings

As Mark indicated in another post, the first problem you need to resolve

is how you have installed your webapp.  ROOT is itself a webapp, and 
although it might seem right that you want to put your webapp under it, 
that isn't the case.  Move SPID_JSP to /webapps and you should be all
set.

One other thing I see is you are missing security role definitions in 
your web.xml.  You'll want to add something like this:

   <security-role>
     <description>spid_jsp</description>
     <role-name>spid_jsp</role-name>
   </security-role>

The role-name element maps to the role you created in tomcat-users.xml, 
and also maps to the security constraint's role-name element, as you 
already have.

One other thing... the order of elements in web.xml is usually 
important.  I think newer versions of Tomcat allow you to put things in 
any order you want (as one would expect with XML!), but earlier versions
had a more restrictive DTD.  You should see an error message when you 
start Tomcat if this is going to be a problem.  Just wanted to warn you 
about it if you see it later.

Frank

Gagnon, Joseph M (US SSA) wrote:
 OK, now I'm more confused. First some background (for those of you who
 haven't seen the entire history).
 
 1.I have defined a role and added myself as a user in that role to
 the tomcat-users.xml file (in [tomcat install dir]/conf). The role is
 defined as spid_jsp. (SPID is just the name of an existing
application
 that contains ASP files that I would like to test converting to JSP.)
 2.I have placed a WEB-INF directory under my test application
 directory ([tomcat install dir]/webapps/ROOT/SPID_JSP) and put a
web.xml
 file in it. (SPID_JSP is where the JSP and HTML files reside.)
 3.That web.xml file contains the following:
 
   <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 
   <display-name>SPID JSP Test</display-name>
   <description>SPID JSP Test</description>

RE: Help/Examples setting up security settings2

2005-06-15 Thread Frank Zammetti
Although I don't think this is the source of your problem, it strikes me
as odd to be protecting the root of your webapp when this is where the
unprotected pages are as well (i.e., login.jsp, login_error.html).  I
would suggest leaving those two in the root of the webapp, and move
environment.jsp and error.jsp to a subdirectory, maybe /Simple_JSP/content
or something, then of course update the security constraint to constrain
that new directory.

Actually, one other thing... the references to the login form and the
login error page in the login-config element I believe are relative to
the webapp root, so drop the Simple_JSP from the beginning of them so they
are /login.jsp and /login_error.jsp respectively.  Again, not sure this is
the problem, but it could be.

Some other things, and this is where hopefully some Tomcat folks more
knowledgeable than me can help... There seems to be a realm-name element
for login-config as well, but I have never used it... does it apply
here?  I think it may be for basic auth, but I am unsure.

Also, there are perhaps some other things you need to do to tell Tomcat to
use security... anyone else, does Joseph need to do anything to set up the
UserDatabase resource, or is that set up by default?  Also, does he need
to create a context for his app and perhaps set something to tell Tomcat
to use security?  This is stuff I am not familiar with, so hopefully
someone else reading this can help.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Wed, June 15, 2005 9:31 am, Gagnon, Joseph M (US SSA) said:
 Ah-ha! Everything I had read so far led me to think I needed to put
 everything under ROOT. I'm glad you guys pointed that out. It makes
 sense.

 In the meantime, to make things simpler, I set up another webapp
 without any of the SPID stuff I was talking about before. It's very
 simple and contains nothing more than a login page (login.jsp) and login
 error page (login_error.html), the environment page (environment.jsp)
 I mentioned before and an error page (error.jsp), specified in the
 errorPage attribute of the page directive of the JSP files.

 The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
 more) and the web.xml file in the WEB-INF subdirectory has been set up
 to use the correct path. I also included the security-role element Frank
 mentioned below.

 The web-app portion of web.xml looks like this:

 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

     <display-name>Simple JSP</display-name>
     <description>Simple JSP Test</description>

     <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
             <form-login-page>/Simple_JSP/login.jsp</form-login-page>
             <form-error-page>/Simple_JSP/login_error.html</form-error-page>
         </form-login-config>
     </login-config>

     <security-role>
         <description>Security Role</description>
         <role-name>simple_jsp</role-name>
     </security-role>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Simple JSP Test</web-resource-name>
             <url-pattern>/Simple_JSP/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>simple_jsp</role-name>
         </auth-constraint>
     </security-constraint>

 </web-app>

 Of course, I set up the simple_jsp role in the tomcat-users.xml file and
 added that role to my user entry.

 Now that this is all said and done, I'm still getting behavior that I'm
 not expecting. If I load my environment file into the browser
 (http://localhost/Simple_JSP/environment.jsp), it comes up as though
 there were no security/authentication mechanism to put up a roadblock.
 The login page is never presented.

 I was expecting that if I were to request any page from the Simple_JSP
 area, then before anything is displayed I would be prompted to provide
 a user name and password. Isn't that what's supposed to happen?

 Thanks,
 Joe



 -Original Message-
 From: Frank W. Zammetti [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, June 14, 2005 6:37 PM
 To: Tomcat Users List
 Subject: Re: Help/Examples setting up security settings

 As Mark indicated in another post, the first problem you need to resolve

 is how you have installed your webapp.  ROOT is itself a webapp, and
 although it might seem right that you want to put your webapp under it,
 that isn't the case.  Move SPID_JSP to /webapps and you should be all
 set.

 One other thing I see is you are missing security role definitions in
 your web.xml.  You'll want to add something like this:

security
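Joseph's descriptor reworked the way Frank suggests, as an added example rather than a file from the thread: the protected pages moved under /content, the login pages left outside the constraint, and the login-config paths made context-relative with their leading slash. It assumes the simple_jsp role exists in tomcat-users.xml as in the thread and that the application is deployed as webapps/Simple_JSP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of webapps/Simple_JSP. Added example, not the thread's
     own file. Layout:
       /login.jsp, /login_error.html   -> unprotected
       /content/environment.jsp, /content/error.jsp -> protected -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <display-name>Simple JSP</display-name>
    <description>Simple JSP Test</description>

    <!-- Only /content/* is constrained. login.jsp and login_error.html sit
         outside it, so the redirect to the login page can never itself be
         intercepted and bounce back to the login page. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Simple JSP Test</web-resource-name>
            <url-pattern>/content/*</url-pattern>
            <!-- No <http-method> elements: the constraint then covers every
                 method. Listing only GET and POST, as in the original file,
                 leaves HEAD, PUT and the rest unconstrained. -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>simple_jsp</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Paths are relative to the context root, so no /Simple_JSP prefix;
         the leading slash stays. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login_error.html</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Declares the role the constraint refers to; it must also be granted
         to the user in tomcat-users.xml. -->
    <security-role>
        <description>Security Role</description>
        <role-name>simple_jsp</role-name>
    </security-role>

</web-app>
```

With this layout a request for /Simple_JSP/content/environment.jsp without a logged-in session is answered with /login.jsp, and a request for /Simple_JSP/login.jsp is served directly.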

RE: Help/Examples setting up security settings2

2005-06-15 Thread Gagnon, Joseph M (US SSA)
See my comments/questions below.

-Original Message-
From: Frank Zammetti [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 15, 2005 11:37 AM
To: tomcat-user@jakarta.apache.org
Subject: RE: Help/Examples setting up security settings2

Although I don't think this is the source of your problem, it strikes me
as odd to be protecting the root of your webapp when this is where the
unprotected pages are as well (i.e., login.jsp, login_error.html)
[Gagnon, Joseph M] What can I say, I don't know much about what I'm
doing. That is a good idea. Didn't think it would matter much for such a
simple test. I would suggest leaving those two in the root of the
webapp, and move environment.jsp and error.jsp to a subdirectory, maybe
/Simple_JSP/content or something, then of course update the security
constraint to constrain that new directory.
[Gagnon, Joseph M] My first thought would be that this wouldn't have
anything to do with the problem, but hey, I'm certainly not the one to
know.

Actually, one other thing... the references to the login form and the
login error page in the login-config element I believe are relative to
the webapp root, so drop the Simple_JSP from the beginning of them so
they
are /login.jsp and /login_error.jsp respectively.  [Gagnon, Joseph M]
How important is the leading slash? Again, not sure this is the problem,
but it could be.
[Gagnon, Joseph M] Hmm. That's an interesting point. I wasn't sure how
the path rules worked here. (i.e. whether you need to specify from the
server root (e.g. webapps) or if it was more from the specific
webapp's root. From what you're saying, it's the latter.

Some other things, and this is where hopefully some Tomcat folks more
knowledgeable than me can help... There seems to be a realm-name element
for login-config as well, but I have never used it... does it apply
here?  I think it may be for basic auth, but I am unsure.

Also, there are perhaps some other things you need to do to tell Tomcat
to
use security... anyone else, does Joseph need to do anything to set up
the
UserDatabase resource[Gagnon, Joseph M] I have no idea what this is., or
is that set up by default?  Also, does he need to create a context for
his app and perhaps set something to tell Tomcat to use security?  This
is stuff I am not familiar with, so hopefully someone else reading this
can help.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Wed, June 15, 2005 9:31 am, Gagnon, Joseph M (US SSA) said:
 Ah-ha! Everything I had read so far led me to think I needed to put
 everything under ROOT. I'm glad you guys pointed that out. It makes
 sense.

 In the meantime, to make things simpler, I set up another webapp
 without any of the SPID stuff I was talking about before. It's very
 simple and contains nothing more than a login page (login.jsp) and
login
 error page (login_error.html), the environment page
(environment.jsp)
 I mentioned before and an error page (error.jsp), specified in the
 errorPage attribute of the page directive of the JSP files.

 The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
 more) and the web.xml file in the WEB-INF subdirectory has been set up
 to use the correct path. I also included the security-role element
Frank
 mentioned below.

 The web-app portion of web.xml looks like this:

 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

     <display-name>Simple JSP</display-name>
     <description>Simple JSP Test</description>

     <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
             <form-login-page>/Simple_JSP/login.jsp</form-login-page>
             <form-error-page>/Simple_JSP/login_error.html</form-error-page>
         </form-login-config>
     </login-config>

     <security-role>
         <description>Security Role</description>
         <role-name>simple_jsp</role-name>
     </security-role>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Simple JSP Test</web-resource-name>
             <url-pattern>/Simple_JSP/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>simple_jsp</role-name>
         </auth-constraint>
     </security-constraint>

 </web-app>

 Of course, I set up the simple_jsp role in the tomcat-users.xml file
and
 added that role to my user entry.

 Now that this is all said and done, I'm still getting behavior that
I'm
 not expecting. If I load my environment file into the browser
 (http://localhost/Simple_JSP/environment.jsp), it comes up as though
 there were no security/authentication mechanism to put up a roadblock

RE: Help/Examples setting up security settings2

2005-06-15 Thread Gagnon, Joseph M (US SSA)
Let's try that again so that you can see it.
See my comments/questions below.

-Original Message-
From: Frank Zammetti [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 15, 2005 11:37 AM
To: tomcat-user@jakarta.apache.org
Subject: RE: Help/Examples setting up security settings2

Although I don't think this is the source of your problem, it strikes me
as odd to be protecting the root of your webapp when this is where the
unprotected pages are as well (i.e., login.jsp, login_error.html)

[Gagnon, Joseph M] What can I say, I don't know much about what I'm
doing. That is a good idea. Didn't think it would matter much for such a
simple test.

I would suggest leaving those two in the root of the webapp, and move
environment.jsp and error.jsp to a subdirectory, maybe
/Simple_JSP/content
or something, then of course update the security constraint to constrain
that new directory.

[Gagnon, Joseph M] My first thought would be that this wouldn't have
anything to do with the problem, but hey, I'm certainly not the one to
know.

Actually, one other thing... the references to the login form and the
login error page in the login-config element I believe are relative to
the webapp root, so drop the Simple_JSP from the beginning of them so
they
are /login.jsp and /login_error.jsp respectively.  

[Gagnon, Joseph M] How important is the leading slash?

Again, not sure this is the problem, but it could be.

[Gagnon, Joseph M] Hmm. That's an interesting point. I wasn't sure how
the path rules worked here. (i.e. whether you need to specify from the
server root (e.g. webapps) or if it was more from the specific
webapp's root. From what you're saying, it's the latter.

Some other things, and this is where hopefully some Tomcat folks more
knowledgeable than me can help... There seems to be a realm-name element
for login-config as well, but I have never used it... does it apply
here?  I think it may be for basic auth, but I am unsure.

Also, there are perhaps some other things you need to do to tell Tomcat
to
use security... anyone else, does Joseph need to do anything to set up
the
UserDatabase resource

[Gagnon, Joseph M] I have no idea what this is.

, or is that set up by default?  Also, does he need
to create a context for his app and perhaps set something to tell Tomcat
to use security?  This is stuff I am not familiar with, so hopefully
someone else reading this can help.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Wed, June 15, 2005 9:31 am, Gagnon, Joseph M (US SSA) said:
 Ah-ha! Everything I had read so far led me to think I needed to put
 everything under ROOT. I'm glad you guys pointed that out. It makes
 sense.

 In the meantime, to make things simpler, I set up another webapp
 without any of the SPID stuff I was talking about before. It's very
 simple and contains nothing more than a login page (login.jsp) and
login
 error page (login_error.html), the environment page
(environment.jsp)
 I mentioned before and an error page (error.jsp), specified in the
 errorPage attribute of the page directive of the JSP files.

 The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
 more) and the web.xml file in the WEB-INF subdirectory has been set up
 to use the correct path. I also included the security-role element
Frank
 mentioned below.

 The web-app portion of web.xml looks like this:

 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

     <display-name>Simple JSP</display-name>
     <description>Simple JSP Test</description>

     <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
             <form-login-page>/Simple_JSP/login.jsp</form-login-page>
             <form-error-page>/Simple_JSP/login_error.html</form-error-page>
         </form-login-config>
     </login-config>

     <security-role>
         <description>Security Role</description>
         <role-name>simple_jsp</role-name>
     </security-role>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Simple JSP Test</web-resource-name>
             <url-pattern>/Simple_JSP/*</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>simple_jsp</role-name>
         </auth-constraint>
     </security-constraint>

 </web-app>

 Of course, I set up the simple_jsp role in the tomcat-users.xml file
and
 added that role to my user entry.

 Now that this is all said and done, I'm still getting behavior that
I'm
 not expecting. If I load my environment file into the browser
 (http://localhost/Simple_JSP/environment.jsp), it comes up as though
 there were

Re: Help/Examples setting up security settings2

2005-06-15 Thread Frank Zammetti
 Although I don't think this is the source of your problem, it strikes me
 as odd to be protecting the root of your webapp when this is where the
 unprotected pages are as well (i.e., login.jsp, login_error.html)
 [Gagnon, Joseph M] What can I say, I don't know much about what I'm
 doing. That is a good idea. Didn't think it would matter much for such a
 simple test.

Not a problem, we all go through a learning phase :)  I'm not sure it
would matter either frankly, but it seems like it might... if you
request environment.jsp, the security intercept happens and tries to
redirect to login.jsp, but that itself is protected, so ANOTHER
intercept happens, etc.  I'm not sure that will happen mind you, but I
could imagine it happening, and you're caught in a loop.  Even if it is
smart enough to avoid it there, what happens if you enter your
password wrong and it tries to go to login_error.jsp?  Same thing
maybe, since it's protected too.

Since I don't know for sure what will happen, better to avoid the
unknown I figure :)

 Actually, one other thing... the references to the login form and the
 login error page in the login-config element I believe are relative to
 the webapp root, so drop the Simple_JSP from the beginning of them so
 they
 are /login.jsp and /login_error.jsp respectively.  [Gagnon, Joseph M]
 How important is the leading slash? 

IIRC, it is required.  I don't want to say what the difference is with
or without it because I'm not 100% sure it's right, but the bottom
line is I am reasonably sure it has to be there.

Again, not sure this is the problem,
 but it could be.
 [Gagnon, Joseph M] Hmm. That's an interesting point. I wasn't sure how
 the path rules worked here. (i.e. whether you need to specify from the
 server root (e.g. webapps) or if it was more from the specific
 webapp's root. From what you're saying, it's the latter.

Right, it's all context-relative, and the context is whatever webapp
you are in, NOT the server root (in essence you can think there is no
server root really, that will simplify it a bit... pretend whatever
webapp you're working on is all there is and you should be OK).

 Also, there are perhaps some other things you need to do to tell Tomcat
 to use security... anyone else, does Joseph need to do anything to set up
 the UserDatabase resource [Gagnon, Joseph M] I have no idea what this is.,
 or is that set up by default?

In server.xml, there is a GlobalNamingResources element... in here
should be a definition for UserDatabase.  I *think* it is there by
default, but I was hoping someone else could confirm.

There is also an engine element, and within this can be a context
element, one for each webapp.  It is not strictly required, but it
allows you to set various things.  It looks like the engine has to
be made aware of the UserDatabase, via a realm element.  This is
Tomcat-specific stuff, and while I've hacked my way through it before,
there must be someone reading this that can better guide you with this
particular part of the equation.  It may be set up by default, it may
not, I don't know.

Frank

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Help/Examples setting up security settings2

2005-06-15 Thread Øyvind Johansen
The /Simple_JSP part of the URL should be left out. Always start typing from
the web-app folder. (because, who knows when you want to rename the webapp?)

If you remove the /Simple_JSP part of the URLs in the web.xml, I think it
will work; additionally, you should try not setting restricted access on your
login/error pages...

Øyvind

-Original Message-
From: Frank Zammetti [mailto:[EMAIL PROTECTED]
Sent: 15 June 2005 17:37
To: tomcat-user@jakarta.apache.org
Subject: RE: Help/Examples setting up security settings2

Although I don't think this is the source of your problem, it strikes me
as odd to be protecting the root of your webapp when this is where the
unprotected pages are as well (i.e., login.jsp, login_error.html)  I
would suggest leaving those two in the root of the webapp, and move
environment.jsp and error.jsp to a subdirectory, maybe /Simple_JSP/content
or something, then of course update the security constraint to constrain
that new directory.

Actually, one other thing... the references to the login form and the
login error page in the login-config element I believe are relative to
the webapp root, so drop the Simple_JSP from the beginning of them so they
are /login.jsp and /login_error.jsp respectively.  Again, not sure this is
the problem, but it could be.

Some other things, and this is where hopefully some Tomcat folks more
knowledgeable than me can help... There seems to be a realm-name element
for login-config as well, but I have never used it... does it apply
here?  I think it may be for basic auth, but I am unsure.

Also, there are perhaps some other things you need to do to tell Tomcat to
use security... anyone else, does Joseph need to do anything to set up the
UserDatabase resource, or is that set up by default?  Also, does he need
to create a context for his app and perhaps set something to tell Tomcat
to use security?  This is stuff I am not familiar with, so hopefully
someone else reading this can help.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Wed, June 15, 2005 9:31 am, Gagnon, Joseph M  \(US SSA\) said:
 Ah-ha! Everything I had read so far led me to think I needed to put
 everything under ROOT. I'm glad you guys pointed that out. It makes
 sense.

 In the meantime, to make things simpler, I set up another webapp
 without any of the SPID stuff I was talking about before. It's very
 simple and contains nothing more than a login page (login.jsp) and login
 error page (login_error.html), the environment page (environment.jsp)
 I mentioned before and an error page (error.jsp), specified in the
 errorPage attribute of the page directive of the JSP files.

 The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
 more) and the web.xml file in the WEB-INF subdirectory has been set up
 to use the correct path. I also included the security-role element Frank
 mentioned below.

 The web-app portion of web.xml looks like this:

 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

   <display-name>Simple JSP</display-name>
   <description>Simple JSP Test</description>

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/Simple_JSP/login.jsp</form-login-page>
       <form-error-page>/Simple_JSP/login_error.html</form-error-page>
     </form-login-config>
   </login-config>

   <security-role>
     <description>Security Role</description>
     <role-name>simple_jsp</role-name>
   </security-role>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Simple JSP Test</web-resource-name>
       <url-pattern>/Simple_JSP/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>simple_jsp</role-name>
     </auth-constraint>
   </security-constraint>

 </web-app>

 Of course, I set up the simple_jsp role in the tomcat-users.xml file and
 added that role to my user entry.

 Now that this is all said and done, I'm still getting behavior that I'm
 not expecting. If I load my environment file into the browser
 (http://localhost/Simple_JSP/environment.jsp), it comes up as though
 there were no security/authentication mechanism to put up a roadblock.
 The login page is never presented.

 I was expecting that if I were to request any page from the Simple_JSP
 area, that before anything is displayed, I would be prompted to provide
 and user name and password. Isn't that what's supposed to happen?

 Thanks,
 Joe



 -Original Message-
 From: Frank W. Zammetti [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, June 14

RE: Help/Examples setting up security settings

2005-06-15 Thread Frank W. Zammetti
Although I don't think this is the source of your problem, it strikes me
as odd to be protecting the root of your webapp when this is where the
unprotected pages are as well (i.e., login.jsp, login_error.html)  I
would suggest leaving those two in the root of the webapp, and move
environment.jsp and error.jsp to a subdirectory, maybe /Simple_JSP/content
or something, then of course update the security constraint to constrain
that new directory.

Actually, one other thing... the references to the login form and the
login error page in the login-config element I believe are relative to
the webapp root, so drop the Simple_JSP from the beginning of them so they
are /login.jsp and /login_error.jsp respectively.  Again, not sure this is
the problem, but it could be.

Some other things, and this is where hopefully some Tomcat folks more
knowledgeable than me can help... There seems to be a realm-name element
for login-config as well, but I have never used it... does it apply
here?  I think it may be for basic auth, but I am unsure.

Also, there are perhaps some other things you need to do to tell Tomcat to
use security... anyone else, does Joseph need to do anything to set up the
UserDatabase resource, or is that set up by default?  Also, does he need
to create a context for his app and perhaps set something to tell Tomcat
to use security?  This is stuff I am not familiar with, so hopefully
someone else reading this can help.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Wed, June 15, 2005 9:31 am, Gagnon, Joseph M  \(US SSA\) said:
 Ah-ha! Everything I had read so far led me to think I needed to put
 everything under ROOT. I'm glad you guys pointed that out. It makes
 sense.

 In the meantime, to make things simpler, I set up another webapp
 without any of the SPID stuff I was talking about before. It's very
 simple and contains nothing more than a login page (login.jsp) and login
 error page (login_error.html), the environment page (environment.jsp)
 I mentioned before and an error page (error.jsp), specified in the
 errorPage attribute of the page directive of the JSP files.

 The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
 more) and the web.xml file in the WEB-INF subdirectory has been set up
 to use the correct path. I also included the security-role element Frank
 mentioned below.

 The web-app portion of web.xml looks like this:

 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

   <display-name>Simple JSP</display-name>
   <description>Simple JSP Test</description>

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/Simple_JSP/login.jsp</form-login-page>
       <form-error-page>/Simple_JSP/login_error.html</form-error-page>
     </form-login-config>
   </login-config>

   <security-role>
     <description>Security Role</description>
     <role-name>simple_jsp</role-name>
   </security-role>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Simple JSP Test</web-resource-name>
       <url-pattern>/Simple_JSP/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>simple_jsp</role-name>
     </auth-constraint>
   </security-constraint>

 </web-app>

 Of course, I set up the simple_jsp role in the tomcat-users.xml file and
 added that role to my user entry.

 Now that this is all said and done, I'm still getting behavior that I'm
 not expecting. If I load my environment file into the browser
 (http://localhost/Simple_JSP/environment.jsp), it comes up as though
 there were no security/authentication mechanism to put up a roadblock.
 The login page is never presented.

 I was expecting that if I were to request any page from the Simple_JSP
 area, that before anything is displayed, I would be prompted to provide
 and user name and password. Isn't that what's supposed to happen?

 Thanks,
 Joe



 -Original Message-
 From: Frank W. Zammetti [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, June 14, 2005 6:37 PM
 To: Tomcat Users List
 Subject: Re: Help/Examples setting up security settings

 As Mark indicated in another post, the first problem you need to resolve

 is how you have installed your webapp.  ROOT is itself a webapp, and
 although it might seem right that you want to put your webapp under it,
 that isn't the case.  Move SPID_JSP to /webapps and you should be all
 set.

 One other thing I see is you are missing security role definitions in
 your web.xml.  You'll want to add something like this:

 <security-role>
   <description>spid_jsp</description>

security role 'any'?

2005-06-14 Thread delbd
Hello,

In a security-constraint section of my web.xml, I'd like to state that any
authenticated user is allowed to access, no matter his role. I searched the net
and found suggestions about using

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

or

<auth-constraint>
  <role-name>any</role-name>
</auth-constraint>

but none seems to work; I am authenticated but I get an access denied.
Do you have any suggestion?
-- 
David Delbecq
Royal Meteorological Institute of Belgium

-
Is there life after /sbin/halt -p?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
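Two of the configuration mistakes in this thread can be caught before deploying anything. Paths in web.xml (url-pattern, form-login-page, form-error-page) are context-relative, so a pattern that repeats the context path the webapp is deployed under, as in the /Simple_JSP/* example above, never matches a request. And under the Servlet 2.4 descriptor a role-name of "*" in an auth-constraint is shorthand for all roles declared in security-role elements, so with no security-role declared it authorizes nobody, which matches the "authenticated but access denied" symptom in the previous message. The checker below is an added example written for this page, not code from the thread or from Tomcat; the two embedded web.xml documents are constructed for it, and the context path /Simple_JSP is assumed from Joseph's deployment.

```python
"""Static checks for the web.xml mistakes discussed in this thread (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample combining the two problems from the thread: every path
# repeats the context path the webapp is deployed under, and the
# auth-constraint uses "*" without declaring any security-role.
BROKEN_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Simple_JSP/login.jsp</form-login-page>
      <form-error-page>/Simple_JSP/login_error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Simple JSP Test</web-resource-name>
      <url-pattern>/Simple_JSP/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Corrected version (also constructed): context-relative paths, login pages
# outside the constrained subtree, and the roles that "*" expands to declared.
FIXED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>simple_jsp</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected content</web-resource-name>
      <url-pattern>/content/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _strip_namespaces(root):
    """Drop the j2ee namespace so elements can be addressed by local name."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_web_xml(xml_text, context_path):
    """Return a list of findings for a web.xml deployed at context_path."""
    root = _strip_namespaces(ET.fromstring(xml_text.strip()))
    prefix = context_path.rstrip("/") + "/"
    findings = []
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}

    # login-config pages are context-relative and must start with "/"
    for tag in ("form-login-page", "form-error-page"):
        for el in root.findall(f"login-config/form-login-config/{tag}"):
            page = (el.text or "").strip()
            if not page.startswith("/"):
                findings.append(f"{tag} '{page}' must begin with '/'")
            elif page.startswith(prefix):
                findings.append(f"{tag} '{page}' repeats the context path; use '/{page[len(prefix):]}'")

    for sc in root.findall("security-constraint"):
        for up in sc.findall("web-resource-collection/url-pattern"):
            pat = (up.text or "").strip()
            if pat.startswith(prefix):
                findings.append(f"url-pattern '{pat}' repeats the context path; requests "
                                f"arrive as '/{pat[len(prefix):]}' so it never matches")
        ac = sc.find("auth-constraint")
        if ac is None:
            continue  # no auth-constraint: the collection is open to everyone
        roles = [(r.text or "").strip() for r in ac.findall("role-name")]
        if not roles:
            findings.append("auth-constraint without any role-name denies all access")
        for role in roles:
            if role == "*":
                if not declared:
                    findings.append("role-name '*' expands to the declared security-roles, "
                                    "but none are declared, so every user is denied")
            elif role not in declared:
                findings.append(f"role-name '{role}' is not declared in a security-role")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, lint_web_xml(text, "/Simple_JSP") or ["no findings"])
```

Run it as a script and the constructed broken descriptor produces four findings (two login-config pages, one url-pattern, the undeclared "*"), while the corrected one is clean. The "*" check reflects the descriptor semantics only; whether a particular container auto-declares roles it sees in an auth-constraint varies, so declaring them explicitly is the portable fix.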



RE: Help/Examples setting up security settings

2005-06-14 Thread Gagnon, Joseph M \(US SSA\)
Frank,

First of all, thanks for the detailed information. At about the same
time your response came through, I also managed to locate similar info
from Marty Hall's web site
(http://courses.coreservlets.com/Course-Materials/msajsp.html).

Using both sources of information, I made the following
additions/changes to the following files: (Remember, I'm using Tomcat
5.5.9)


[tomcat_install_dir]/conf/tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
...
<role rolename="spid_jsp"/>
<user username="[my user name]" password="[my password]"
roles="spid_jsp"/>
</tomcat-users>


[tomcat_install_dir]/webapps/ROOT/SPID_JSP/WEB-INF/web.xml:

<web-app>
  <display-name>SPID JSP Test</display-name>
  <description>SPID JSP Test</description>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-page>/SPID_JSP/login.jsp</form-login-page>
    <form-error-page>/SPID_JSP/login_error.html</form-error-page>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPID JSP Test</web-resource-name>
      <url-pattern>/SPID_JSP/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>spid_jsp</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>


[tomcat_install_dir]/webapps/ROOT/SPID_JSP/login.jsp:

<%@ page contentType="text/html; charset=iso-8859-1" language="java"
import="java.sql.*" errorPage="" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>SPID_JSP Login Page</title>
</head>
<body>
<form action="j_security_check" method="post" name="login_form">
<table width="30%" border="0" cellpadding="1" cellspacing="1">
  <tr>
    <td width="30%">User name:</td>
    <td><input name="j_username" type="text"></td>
  </tr>
  <tr>
    <td width="30%">Password:</td>
    <td><input name="j_password" type="password"></td>
  </tr>
  <tr>
    <td width="30%">&nbsp;</td>
    <td><input name="submit" type="submit" value="Login"></td>
  </tr>
</table>
</form>
</body>
</html>


[tomcat_install_dir]/webapps/ROOT/SPID_JSP/login_error.html:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>SPID JSP Login Error</title>
</head>
<body>
Nope. Wrong password.
<a href="login.jsp">Try again</a>
</body>
</html>


Very simple stuff. However, when I try to login (by loading the
login.jsp page), I get the following error from Tomcat:

HTTP Status 404 - /SPID_JSP/j_security_check



type Status report

message /SPID_JSP/j_security_check

description The requested resource (/SPID_JSP/j_security_check) is not
available.



Apache Tomcat/5.5.9

Obviously, there are some other things that I need to do, but I don't
know what they are. Also, I'm curious how to direct control to the
success page once authentication passes and the login succeeds.

I'm really very new at web programming, so I'm sure there are either a
lot of stupid things I'm doing, or stuff I need to do, but am not.

Any help would be appreciated.

Thanks,
Joe


-Original Message-
From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 13, 2005 3:06 PM
To: Tomcat Users List
Cc: Tomcat Users List
Subject: Re: Help/Examples setting up security settings

Having just spent a couple of weeks integrating a new security framework
into an existing app, a framework that works in concert with J2EE
security, let me see if I can help... Hang on, this is going to be a long
post!...

J2EE security (I *thimk* that's what it's called this week!) works with
the concept of constrained resources... think of it this way... a
server's job, be it a web server, app server, Quake server, whatever, is
to SERVE.  Therefore, the baseline assumption is that resources should be
AVAILABLE, and you will be defining which are constrained in some way.

This is actually backwards for how many people think of it, so it is
worth noting.

Now, in terms of actually configuring it, it comes down to two things...
well, I guess three really...

(1) Define what resources you want to constrain

(2) Define who will be allowed to access those resources

(3) Tell your app server how to authenticate a user for a given resource

The first two are standard, the third is app server-specific.

Let's say for the sake of example that you have a bunch of
administration-type JSPs in your application, for setting up users or
something.  Let's assume they are all in the directory /admin in the root
of your webapp.  Now, let's do step (1) and define a rule that says we
want anything in that directory to be constrained.  Here's the web.xml
entry:

  <security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>AdminConstraint</web-resource-name>
      <url-pattern>/admin

RE: Help/Examples setting up security settings

2005-06-14 Thread Frank W. Zammetti
On Tue, June 14, 2005 9:26 am, Gagnon, Joseph M  \(US SSA\) said:
 Very simple stuff. However, when I try to login (by loading the
 login.jsp page), I get the following error from Tomcat:

 HTTP Status 404 - /SPID_JSP/j_security_check
 
 

 type Status report

 message /SPID_JSP/j_security_check

 description The requested resource (/SPID_JSP/j_security_check) is not
 available.

 
 
 Apache Tomcat/5.5.9

 Obviously, there are some other things that I need to do, but I don't
 know what they are. Also, I'm curious how to direct control to the
 success page once authentication passes and the login succeeds.

Hmmm... The only thing that strikes me odd is what is being requested...
Every time I've seen it, j_security_check is in the root... I wonder if
Tomcat doesn't recognize j_security_check as being a special servlet if
it isn't in the root?  Just for chuckles, move your JSPs to the root of
your webapp, that should result in /j_security_check being what the form
is submitted to, see if that solves the problem (I *think* you could make
the action of your form ../j_security_check instead of moving
everything, that should do the same thing and would be easier).  If that
doesn't work then there is probably something else specific to Tomcat that
needs to be done to enable that servlet that I am not aware of.

As for the question of directing control to the success page, this is one
of those things that is a bit confusing at first... you really don't
direct control anywhere... what should happen is the URL your users should
access *IS* the success page, assuming the success page is a constrained
resource... in other words, write your application with the assumption
that a user is already authenticated and that really the login page IS NOT
part of your application.  Then, when they try to access the success page,
the request will be intercepted and the login page shown.  If they enter
valid credentials, THEN the success page will be returned to them
automatically.

That part usually confuses people at first (I think it did me too for a
few minutes when I first dealt with this).  Just remember, it's an
intercept-based security mechanism... when the user tries to hit a
protected resource, the request is intercepted and they are challenged
to authenticate themselves.  Conceptually, think of the original request
as having been put on hold.  Once they authenticate, the request
continues where it left off, you have nothing special to do.

 I'm really very new at web programming, so I'm sure there are either a
 lot of stupid things I'm doing, or stuff I need to do, but am not.

No, I think you've managed to get pretty far essentially on your own... 
Good job!  :)

Frank

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
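Frank's description of the intercept (the original request is put on hold, the login form is shown, and after valid credentials the held request continues on its own) is easiest to follow as a small in-memory model. The code below is an added example written for this page, not Tomcat's FormAuthenticator and not code from the thread; the users, passwords and paths are constructed, and the status codes it returns (200 for the forwarded login form, 302 back to the held request, 403 when the authenticated user lacks an allowed role, 400 when j_security_check is posted with nothing on hold) are a simplification of typical container behaviour. It also models the failure mode raised earlier in the thread: a login page that sits inside the constrained area is itself intercepted, so the model reports a redirect loop instead of looping.

```python
"""In-memory model of container-managed FORM authentication (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    method: str
    path: str                                   # context-relative path
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None              # Location header of a 302


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching for exact and "/prefix/*" url-patterns."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path


class FormAuthContext:
    """One webapp with FORM auth. constraints: [(url-pattern, allowed role names)]."""
    LOGIN_ACTION = "/j_security_check"

    def __init__(self, constraints, login_page, users):
        self.constraints: List[Tuple[str, Set[str]]] = constraints
        self.login_page = login_page
        self.users: Dict[str, Tuple[str, Set[str]]] = users   # name -> (password, roles)
        self.session: Dict[str, object] = {}                   # a single client session

    def required_roles(self, path: str) -> Optional[Set[str]]:
        """Union of roles allowed by every constraint covering path; None if unconstrained."""
        roles = None
        for pattern, allowed in self.constraints:
            if pattern_matches(pattern, path):
                roles = (roles or set()) | allowed
        return roles

    def handle(self, req: Request) -> Response:
        if req.method == "POST" and req.path == self.LOGIN_ACTION:
            return self._check_credentials(req)
        roles = self.required_roles(req.path)
        if roles is None:
            return Response(200, body=f"served {req.path}")
        principal = self.session.get("principal")
        if principal is None:
            # The intercept. A constrained login page would be intercepted too,
            # so report the loop rather than recurse into it.
            if self.required_roles(self.login_page) is not None:
                return Response(500, body="login page is inside the constrained area: redirect loop")
            self.session["saved_request"] = req        # original request put on hold
            return Response(200, body=f"login form {self.login_page}")
        if not (self.users[principal][1] & roles):
            return Response(403, body="authenticated, but not in an allowed role")
        return Response(200, body=f"served {req.path}")

    def _check_credentials(self, req: Request) -> Response:
        saved = self.session.get("saved_request")
        if saved is None:
            return Response(400, body="no request on hold: login action called directly")
        record = self.users.get(req.params.get("j_username", ""))
        if record is None or record[0] != req.params.get("j_password"):
            return Response(200, body="login error page")
        self.session["principal"] = req.params["j_username"]
        del self.session["saved_request"]
        return Response(302, location=saved.path)    # resume the held request


def walkthrough(user="joe", password="secret", protected_pattern="/content/*"):
    """Drive one client through the flow; returns (status codes, final body)."""
    ctx = FormAuthContext(
        constraints=[(protected_pattern, {"simple_jsp"})],
        login_page="/login.jsp",
        users={"joe": ("secret", {"simple_jsp"}),      # constructed users
               "guest": ("guest", {"viewer"})},
    )
    responses = [ctx.handle(Request("GET", "/content/environment.jsp")),
                 ctx.handle(Request("POST", "/j_security_check",
                                    {"j_username": user, "j_password": password}))]
    if responses[-1].status == 302:                  # the browser follows the redirect
        responses.append(ctx.handle(Request("GET", responses[-1].location)))
    return [r.status for r in responses], responses[-1].body


if __name__ == "__main__":
    print(walkthrough())                              # correct role: held request is served
    print(walkthrough("guest", "guest"))              # authenticated, wrong role: 403
    print(walkthrough("joe", "wrong"))                # bad password: error page
    print(walkthrough(protected_pattern="/*"))        # login page constrained: loop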



RE: Help/Examples setting up security settings

2005-06-14 Thread Gagnon, Joseph M \(US SSA\)
OK, now I'm more confused. First some background (for those of you who
haven't seen the entire history).

1.  I have defined a role and added myself as a user in that role to
the tomcat-users.xml file (in [tomcat install dir]/conf). The role is
defined as spid_jsp. (SPID is just the name of an existing application
that contains ASP files that I would like to test converting to JSP.)
2.  I have placed a WEB-INF directory under my test application
directory ([tomcat install dir]/webapps/ROOT/SPID_JSP) and put a web.xml
file in it. (SPID_JSP is where the JSP and HTML files reside.)
3.  That web.xml file contains the following:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <display-name>SPID JSP Test</display-name>
  <description>SPID JSP Test</description>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/SPID_JSP/login.jsp</form-login-page>
      <form-error-page>/SPID_JSP/login_error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPID JSP Test</web-resource-name>
      <url-pattern>/SPID_JSP/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>spid_jsp</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>

4.  I have set up login.jsp and login_error.html files (in [tomcat
install dir]/webapps/ROOT/SPID_JSP) to provide a login form and login
error page, respectively. The login.jsp file specifies j_security_check
for the form action and j_username and j_password as the names of the
user name and password fields on the form.
5.  I have another JSP file named environment.jsp that basically
prints out the results from calling various methods available from
implicit objects available (e.g. session, request, etc.). This just
allows me to 1) display something as a JSP page and 2) show me some
information about the environment.

OK, my understanding (as poor as that is) of this
authentication/security process is that based upon the setup just
described, if I try to access a page in my SPID_JSP area, I should be
presented with the login page. If I provide the correct user
name/password, I should then be logged in and be able to see the page
I requested. If not, then I should get the login error page.

That's not the case for me. If I enter
http://localhost/SPID_JSP/environment.jsp in my browser, one of two
things ends up happening (why two things, rather than just one, I have
no idea, but it's just one more thing on my stack of don't-know-whys).

1.  I get the standard HTTP 500 message: This page cannot be
displayed. If I do a reload of the page, my environment dump
magically appears (although the page header still shows HTTP 500
Internal server error). I can do multiple reloads and the information
appears to be updated each time (i.e. I don't think it's coming out of
cache). Oddly, this only seems to occur when I bring up a fresh browser
and load the page directly for the first time.
2.  If, however, I enter just the application root directory (i.e.
http://localhost/SPID_JSP) in the browser, I get a listing of the files
in that directory (The environment.jsp file is listed among them.). If I
click on its link, again I get my environment dump, except this time,
the page header shows what I expect: Get Environment Data.

First, why didn't I get presented with the login page? Isn't that what
was supposed to happen?

Second, I don't understand the dual behavior observed above. Why should
I get what happens in scenario 1? The file requested exists at the
location specified. What gives? Why does scenario 2 allow me to access
my page as I would expect to?

Obviously, I don't know diddly-squat about how this technology works and
is meant to be used. Everything I try ends up either a drop dead failure
or confuses me even more than I already was. There does not seem to be
any consistency to the behaviors I've been seeing. If someone asked me
right now whether to recommend using JSP, I'd have to say No. I can't
even get a simple test scenario to work.

I'm trying to hold off on buying any books on the subject, because I'm
not sure which ones would be the best to get (although I have some
ideas) and more importantly, because I am trying to evaluate the
technology and the feasibility (not to mention the do-ability) of
potentially

Re: Help/Examples setting up security settings

2005-06-14 Thread Mark Thomas

Gagnon, Joseph M (US SSA) wrote:
snip

2.  I have placed a WEB-INF directory under my test application
directory ([tomcat install dir]/webapps/ROOT/SPID_JSP) and put a web.xml
file in it. (SPID_JSP is where the JSP and HTML files reside.)

snip

You will need to fix this before anything stands a chance of working. 
The ROOT web application and SPID_JSP web application should be in 
separate directories. You should have [tomcat install dir]/webapps/ROOT/ 
for the root context and [tomcat install dir]/webapps/SPID_JSP for your app.


HTH,

Mark




Re: Help/Examples setting up security settings

2005-06-14 Thread Frank W. Zammetti
As Mark indicated in another post, the first problem you need to resolve 
is how you have installed your webapp.  ROOT is itself a webapp, and 
although it might seem right that you want to put your webapp under it, 
that isn't the case.  Move SPID_JSP to /webapps and you should be all set.


One other thing I see is you are missing security role definitions in 
your web.xml.  You'll want to add something like this:


  <security-role>
    <description>spid_jsp</description>
    <role-name>spid_jsp</role-name>
  </security-role>

The role-name element maps to the role you created in tomcat-users.xml, 
and also maps to the security constraint's role-name element, as you 
already have.


One other thing... the order of elements in web.xml is usually 
important.  I think newer versions of Tomcat allow you to put things in 
any order you want (as one would expect with XML!), but earlier versions 
had a more restrictive DTD.  You should see an error message when you 
start Tomcat if this is going to be a problem.  Just wanted to warn you 
about it if you see it later.


Frank

Gagnon, Joseph M (US SSA) wrote:

snip

Help/Examples setting up security settings

2005-06-13 Thread Gagnon, Joseph M (US SSA)
Hello,

Does anyone have any examples of how to set up my deployment descriptor
(web.xml in Tomcat 5.5.9) to do BASIC authentication (or any of the
other methods, for that matter)?

I've looked at various sources of information on the web (including some
of Sun's sites), but have not yet found good examples (more than one
would be great), from soup to nuts, with good explanations along the
way, describing the various elements involved (what they do and why (or
why not) they are needed).

A lot of these sources provide copious amounts of information, but not
good working examples that I can either use directly, or at least learn
from.  Many times example chunks of code are provided, but it's not made
clear what each element does.  Also, quite often only one example of a
specific usage (say: FORM based authentication) is provided, but others
are not.

I guess the basic gripe I have is that there's a lot of information
provided for this technology, but very little information provided that
actually helps someone who's just learning this stuff, actually learn
HOW to use it.

Now there's a caveat: I'm investigating possibly using JSP for a
work-related project.  I am looking at adding some functionality to an
existing web application that is currently written as an ASP app.  Among
other things, I am trying to evaluate JSP to see what advantages it may
(or may not) provide over the existing ASP.

At this point, I'm trying to take a small part (essentially the front
end) of the ASP app. and JSP-icize it to see what's involved in creating
the same (or similar) functionality.  Unfortunately I keep running into
problems that for the most part, result from my lack of knowledge in
this technology area.

I do not want to spend money on books (at least not at this time), since
we have not reached a decision on whether we will go with JSP, or stick
with ASP.  I'm not sure which books would be the best ones to get in any
case.  What I've found so far on the web, has not helped me out at all,
and in general, is way over my head (at this point anyway).

Does anybody have any examples they could provide that might help me
along?  It would be greatly appreciated.

Thanks,
Joe





Re: Help/Examples setting up security settings

2005-06-13 Thread Frank W. Zammetti
Having just spent a couple of weeks integrating a new security framework
into an existing app, a framework that works in concert with J2EE
security, let me see if I can help... Hang on, this is going to be a long
post!...

J2EE security (I *thimk* that's what it's called this week!) works with
the concept of constrained resources... think of it this way... a
server's job, be it a web server, app server, Quake server, whatever, is
to SERVE.  Therefore, the baseline assumption is that resources should be
AVAILABLE, and you will be defining which are constrained in some way. 
This is actually backwards from how many people think of it, so it is worth
noting.

Now, in terms of actually configuring it, it comes down to two things...
well, I guess three really...

(1) Define what resources you want to constrain

(2) Define who will be allowed to access those resources

(3) Tell your app server how to authenticate a user for a given resource

The first two are standard, the third is app server-specific.

Let's say for the sake of example that you have a bunch of
administration-type JSPs in your application, for setting up users or
something.  Let's assume they are all in the directory /admin in the root
of your webapp.  Now, let's do step (1) and define a rule that says we
want anything in that directory to be constrained.  Here's the web.xml
entry:

  <security-constraint>
    <display-name>AdminConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>AdminConstraint</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AdminRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Ok, so there's really 3 things being done here...

(1) We are saying that anything in the /admin directory (/admin/*), based
on that URL pattern, is to be constrained.  So,
http://mysite.com/admin/page1.jsp will be constrained,
http://mysite.com/jsp/page1.jsp WILL NOT.  Further, we are saying that
only the GET and POST methods are being constrained.  In other words, if
someone tries to use an HTTP method other than GET and POST on a resource
in that directory, THEY WILL GET TO IT WITHOUT HINDRANCE.  Note that the
display-name element is for IDE purposes... it is optional.  Also,
web-resource-name is for your own purposes, it can be whatever you want.

(2) The next part is defining who will be able to access those resources. 
In this example we are saying that something called the AdminRole will
be allowed to get to it (potentially, assuming they are validated).  We'll
get to what that AdminRole is in a minute...

(3) We are saying that we want the resource to be served under SSL. 
That's what the CONFIDENTIAL transport-guarantee does.  IIRC, this part
is optional.  There are three settings, CONFIDENTIAL, INTEGRAL (I think)
and NONE.  The first two are close to the same, so close in fact that I
don't remember the difference :) None, as the name implies, means no
guarantee about transport is made (i.e., serve it in the clear).

Ok, so that's the first part of the equation.  The next part is to make
that AdminRole mean something.  We do this by another entry in web.xml:

  <security-role>
    <description>AdminRole</description>
    <role-name>AdminRole</role-name>
  </security-role>

This is saying that there is a role (read: group) that a user can be in
called AdminRole.  Just like almost any other security mechanism out
there, a user is assigned to a group (or a number of groups).  This helps
determine what rights they have.  In this case we are saying that if a
user tries to access a resource in the /admin directory, and if they are
in the AdminRole group, then they are eligible to get at that resource.

Ok, now we get to the third part... Somehow, your app server has to know
about that AdminRole and what users are in it.  As I said, this part is
server-specific.  But, the bottom line is that you will see the name
AdminRole defined somewhere, and probably with a list of users in it (or
it might be a reference to an LDAP directory that contains that
information, etc.)

I guess there really is one other piece in web.xml:

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/doLogin.do</form-login-page>
      <form-error-page>/login/loginError.do</form-error-page>
    </form-login-config>
  </login-config>

This basically turns on security, more or less... Here I am saying to use
form-based authentication (i.e., a form with the fields j_username and
j_password that submits to j_security_check as the action), and I'm also
saying that if the user tries to access a constrained resource, display
the page /login/doLogin.do (probably a Struts Action in this case) or send
them to /login/loginError.do if they do not get authenticated.

So, what happens in a web app

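The walkthrough above names three things that silently weaken a security-constraint: listing http-method (which leaves every other verb unconstrained), using a role-name that no security-role declares, and omitting the CONFIDENTIAL transport guarantee. The script below is an added example, not code from the thread or from Tomcat: it parses a web.xml and reports those three conditions. The embedded SAMPLE_WEB_XML is constructed for the demo, and the finding codes (VERB_GAP, UNDECLARED_ROLE, CLEARTEXT) are names chosen here. It goes a little beyond the post in that it also handles the older DTD-style web.xml that has no namespace on the root element.

```python
"""Audit the <security-constraint> section of a web.xml for three common gaps.

Added example (not from the thread or Tomcat). SAMPLE_WEB_XML below is a
constructed descriptor that deliberately contains all three problems.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AdminRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ReportRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>AdminRole</role-name>
  </security-role>
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
</web-app>
"""


def _ns_of(root):
    """Namespace URI of the root element ('' for a DTD-style 2.3 web.xml)."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _path(ns, *tags):
    """ElementPath for a chain of child tags, qualified with the document namespace."""
    return "/".join("{%s}%s" % (ns, t) if ns else t for t in tags)


def _texts(elem, ns, *tags):
    """Stripped text of every element matching the tag chain under elem."""
    return [e.text.strip() for e in elem.findall(_path(ns, *tags)) if e.text]


def audit_web_xml(xml_text):
    """Return a list of (resource names, finding code, detail) tuples."""
    root = ET.fromstring(xml_text)
    ns = _ns_of(root)
    declared = set(_texts(root, ns, "security-role", "role-name"))
    findings = []
    for sc in root.findall(_path(ns, "security-constraint")):
        collections = sc.findall(_path(ns, "web-resource-collection"))
        names = ", ".join(
            n for wrc in collections for n in _texts(wrc, ns, "web-resource-name")
        ) or "<unnamed>"
        # (1) Listing http-method narrows the rule to those verbs; HEAD, PUT,
        #     DELETE, TRACE, ... on the same URL pattern are served unconstrained.
        for wrc in collections:
            methods = _texts(wrc, ns, "http-method")
            if methods:
                findings.append((names, "VERB_GAP",
                                 "only %s constrained; other HTTP methods bypass this rule"
                                 % ", ".join(methods)))
        # (2) A role-name the container never saw declared cannot be granted;
        #     '*' is the spec's "any declared role" wildcard and is left alone.
        for role in _texts(sc, ns, "auth-constraint", "role-name"):
            if role != "*" and role not in declared:
                findings.append((names, "UNDECLARED_ROLE",
                                 "role %r is not declared in a <security-role>" % role))
        # (3) Without a CONFIDENTIAL guarantee the login form, credentials and
        #     session cookie for this resource may travel in the clear.
        guarantee = _texts(sc, ns, "user-data-constraint", "transport-guarantee")
        if not guarantee or guarantee[0].upper() == "NONE":
            findings.append((names, "CLEARTEXT",
                             "no CONFIDENTIAL transport-guarantee on this constraint"))
    return findings


if __name__ == "__main__":
    for names, code, detail in audit_web_xml(SAMPLE_WEB_XML):
        print("%-10s %-16s %s" % (names, code, detail))
```

Run it against the descriptor of a deployed application (the file under WEB-INF) rather than the sample; every VERB_GAP finding is worth confirming by hand with a HEAD or PUT request to the constrained URL, since that is exactly how an attacker would look for it.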
RE: [OT] Help/Examples setting up security settings

2005-06-13 Thread Caldarale, Charles R
 From: Frank W. Zammetti [mailto:[EMAIL PROTECTED] 
 Subject: Re: Help/Examples setting up security settings
 
 Having just spent a couple of weeks integrating a new 
 security framework into an existing app, a framework 
 that works in concert with J2EE security, let me see 
 if I can help... Hang on, this is going to be a long
 post!...

Frank -

I've been perusing this list for some time now, and I have to say that
you provide some of the most concise and lucid explanations I've ever
seen.  It's a pleasure to read them.  Thank you very much.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




RE: [OT] Help/Examples setting up security settings

2005-06-13 Thread Frank W. Zammetti
Thanks very much Chuck!  I'm glad I can help whenever I can.  I know how
overwhelming some of this stuff can be, to me as much as anyone else, and
I also know how it feels to not be able to find explanations that are easy
to understand.  If I can make that situation just a little better, I am
happy to do so. :)

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, June 13, 2005 3:45 pm, Caldarale, Charles R said:
snip





Problem with security?

2005-06-10 Thread Gagnon, Joseph M (US SSA)
Hello,

I'm new to JSP development (and to dynamic web development as a whole)
so please bear with me.  I'm investigating using JSP/Java for a project
at my workplace.  My system (test server, if you will) is a PC running
Windows XP Pro and I am using Tomcat 5.5.9.

I have a situation where I want to be able to provide user access to an
application by determining the identity of the requesting user, without
them having to go through a login procedure.  Specifically, what I've
been trying to do is call the request.getRemoteUser() method to ID the
requesting user.  When I do so, I keep getting null.  After reading in
the JSP and Java servlet specifications, I see that this call would
return null if the user is not authenticated.  Reading further, I get
the impression that by default, no authentication is needed to access
resources.  If a security mechanism is specified in the deployment
descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file),
then authentication would be required.

Now, I'm not sure that I understand all the nuances of the terminology
(not to mention the technology), but it seems that what I've been trying
to do should have worked.  The web.xml file indicated above contains
only the following (and this is the way it came - I added nothing):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
  Copyright 2004 The Apache Software Foundation

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to Tomcat
  </description>

<!-- JSPC servlet mappings start -->

    <servlet>
        <servlet-name>org.apache.jsp.index_jsp</servlet-name>
        <servlet-class>org.apache.jsp.index_jsp</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>org.apache.jsp.index_jsp</servlet-name>
        <url-pattern>/index.jsp</url-pattern>
    </servlet-mapping>

<!-- JSPC servlet mappings end -->

</web-app>

Does anyone have any suggestions as to why this doesn't work -or- any
suggestions for an alternate method?  Also, in a more general sense, any
information regarding good sources of information for learning how to do
JSP/Servlet programming (web, books, etc.) would be appreciated.  Please
keep in mind that I am new at this, so examples of some obscure
objective or expert level programming will probably be over my head.

Thanks,
Joe Gagnon





RE: Problem with security?

2005-06-10 Thread Caldarale, Charles R
 From: Gagnon, Joseph M (US SSA)
[mailto:[EMAIL PROTECTED] 
 Subject: Problem with security?
 
 I have a situation where I want to be able to provide user access
 to an application by determining the identity of the requesting
 user, without them having to go through a login procedure.

Those seem to be rather contradictory requirements.  How do you expect
to determine identity without some form of login?

 - Chuck





RE: Problem with security?

2005-06-10 Thread Peter Crowther
 From: Gagnon, Joseph M (US SSA)
 I have a situation where I want to be able to provide user access to an
 application by determining the identity of the requesting user, without
 them having to go through a login procedure.

OK.  So what identity can the browser present that you wish to discover?
Are all your users on Windows, for example, and you wish to discover
their Windows username?  On UNIX?

The way HTTP works is that your servlet has to refuse access to a
resource before it can obtain any information at all about the user at
the other end of the connection.  So at the very least, you'll have to
investigate creating a servlet that requires authentication.  You can
then have some control over the kinds of authentication you say you'll
accept, and therefore whether the user's browser tries to satisfy the
request behind the scenes or whether it pops up that ugly dialog box
requesting a username and password.

If you're on Windows and want the user's Windows authentication, take a
look at the NTLM Authentication Filter - see
http://jcifs.samba.org/src/docs/ntlmhttpauth.html for details.  Note
that I've never used this and can't help any further than these
pointers.

- Peter


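Peter's point above, that the server has to refuse the request before it can learn anything about the user, is the whole of HTTP challenge/response authentication, and it is also why Joe's getRemoteUser() returns null: on the first request there is simply no credential to report. The block below is an added example, not code from the thread or from Tomcat. It models one protected resource behind BASIC auth in plain Python: the server side answers 401 with a WWW-Authenticate challenge until it sees a valid Authorization header, and a small browser stand-in replays the two-request exchange. The user store, realm name and credentials are constructed for the demo, and the salted-hash store and constant-time compare are choices made here rather than anything the thread describes (the container's own realm may store passwords differently).

```python
"""Model of HTTP Basic challenge/response as a container performs it.

Added example (not from the thread or Tomcat). The user store, realm and
credentials are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import os


def make_user_store(plain):
    """Build {user: (salt, sha256(salt + password))} from a constructed {user: password}."""
    store = {}
    for user, pw in plain.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.sha256(salt + pw.encode()).digest())
    return store


def check_password(store, user, pw):
    """True only for a known user with the right password; same cost either way."""
    entry = store.get(user)
    # Hash against a dummy salt for unknown users so timing does not reveal
    # whether the username exists.
    salt, digest = entry if entry else (b"\0" * 16, b"\0" * 32)
    candidate = hashlib.sha256(salt + pw.encode()).digest()
    return hmac.compare_digest(candidate, digest) and entry is not None


def parse_basic(value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, pw = raw.decode("latin-1").partition(":")
    return (user, pw) if sep else None


def handle_request(headers, store, realm="SPID_JSP"):
    """Server side of one request to a constrained resource.

    Returns (status, response headers, remote user). The third value is what
    request.getRemoteUser() would hand a servlet: None until the client has
    answered the challenge with valid credentials.
    """
    auth = headers.get("Authorization")
    creds = parse_basic(auth) if auth else None
    if creds and check_password(store, *creds):
        return 200, {}, creds[0]
    # No or bad credentials: refuse, and only now tell the client which
    # scheme (and realm) it must satisfy. This is the step a browser needs
    # before it will collect or send anything about the user.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, None


def browser_session(store, user, pw):
    """Replay what a browser does: ask anonymously, then retry once if challenged
    with a scheme it understands. Returns (list of statuses, final remote user)."""
    statuses = []
    status, resp, remote = handle_request({}, store)
    statuses.append(status)
    if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic"):
        token = base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
        status, resp, remote = handle_request({"Authorization": "Basic " + token}, store)
        statuses.append(status)
    return statuses, remote


if __name__ == "__main__":
    users = make_user_store({"joe": "s3cret"})
    print(browser_session(users, "joe", "s3cret"))
    print(browser_session(users, "joe", "wrong"))
```

The same shape holds for FORM, DIGEST or NTLM/Negotiate: only the contents of the challenge and the client's answer change, which is the knob Peter mentions for deciding whether the browser answers silently with the desktop identity or has to prompt the user. Basic credentials are only base64, not encrypted, so pair it with a CONFIDENTIAL transport guarantee.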


Re: Problem with security?

2005-06-10 Thread egan0019
Look into the ServletRequest interface.  That interface is extended by
HttpServletRequest.  You can call the getRemoteAddr(), getRemoteHost(),
etc. methods.  You receive null in your getRemoteUser because the user
hasn't been 'authenticated' yet.


On 10 Jun 2005, Gagnon, Joseph M  (US SSA) wrote:
 snip





RE: Problem with security?

2005-06-10 Thread Gagnon, Joseph M (US SSA)
I believe I've covered that all in my original message.  Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface.  That interface, which is
extended
in HttpServletRequest.  You can call the getRemoteAddr(),
getRemoteHost(),
etc. methods.  You receive null in your getRemoteUser because the user
hasn't been 'authenticated' yet.


On 10 Jun 2005, Gagnon, Joseph M  (US SSA) wrote:
 snip



RE: Problem with security?

2005-06-10 Thread Robert Harper
I think you have missed the point that you cannot get user information
unless the user authenticates. You don't want to have a user authenticate
but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address
of the requestor. In order to get user information, you must have the user
authenticate. You might have your users sent to a page that gathers the user
ID and then store it in a cookie. You cannot count on the browser sending
user information because the logged in user may and often is not the actual
user.

I don't know how you can call it secure if you don't require a key to open
the door. You may be encrypted in your transfer over SSL but if you don't
have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Problem with security?

I believe I've covered that all in my original message.  Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface.  That interface, which is extended
in HttpServletRequest.  You can call the getRemoteAddr(), getRemoteHost(),
etc. methods.  You receive null in your getRemoteUser because the user
hasn't been 'authenticated' yet.


On 10 Jun 2005, Gagnon, Joseph M  (US SSA) wrote:
 Hello,
 
 I'm new to JSP development (and to dynamic web development as a whole)
 so please bear with me.  I'm investigating using JSP/Java for a project
 at my workplace.  My system (test server, if you will) is a PC running
 Windows XP Pro and I am using Tomcat 5.5.9.
 
 I have a situation where I want to be able to provide user access to an
 application by determining the identity of the requesting user, without
 them having to go through a login procedure.  Specifically, what I've
 been trying to do is call the request.getRemoteUser() method to ID the
 requesting user.  When I do so, I keep getting null.  After reading in
 the JSP and Java servlet specifications, I see that this call would
 return null if the user is not authenticated.  Reading further, I get
 the impression that by default, no authentication is needed to access
[Robert Harper] [snip]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Problem with security?

2005-06-10 Thread Gagnon, Joseph M \(US SSA\)
Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure.
This is only meant to be used within my company's intranet and my
intention was to take the user account and then compare it with a set of
registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind
of mechanism (although I don't understand yet how to go about that, or
how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm
new at this), please let me know.

-Original Message-
From: Robert Harper [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 10:59 AM
To: 'Tomcat Users List'
Subject: RE: Problem with security?

I think you have missed the point that you cannot get user information
unless the user authenticates. You don't want to have a user authenticate
but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address
of the requestor. In order to get user information, you must have the user
authenticate. You might have your users sent to a page that gathers the user
ID and then store it in a cookie. You cannot count on the browser sending
user information because the logged in user may and often is not the actual
user.

I don't know how you can call it secure if you don't require a key to open
the door. You may be encrypted in your transfer over SSL but if you don't
have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





RE: Problem with security?

2005-06-10 Thread Robert Harper
Try basic authentication. The browser will cache the user name and password
and it will only expire when the browser closes.

Read in the documents on how to configure the authentication. You might
require authentication for all protocols and use BASIC authentication. This
will make it easier for the user with a single login and then they can go
wherever you allow them and not have to login again until they close the
browser.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 9:19 AM
To: Tomcat Users List
Subject: RE: Problem with security?

Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure.
This is only meant to be used within my company's intranet and my
intention was to take the user account and then compare it with a set of
registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind
of mechanism (although I don't understand yet how to go about that, or
how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm
new at this), please let me know.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
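The declarative setup Robert is pointing at, written out as an added example (this is not code from the thread; the role name intranet-user and the realm-name string are assumptions). Tomcat maps user names to roles through the Realm configured in server.xml, which in a stock Tomcat 5.5 is the UserDatabaseRealm backed by conf/tomcat-users.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>Welcome to Tomcat</display-name>

  <!-- Require a login for every URL in the application. No http-method
       element is listed, so the constraint covers every HTTP method.
       Only members of the "intranet-user" role (an assumed name) get
       through; anyone else receives a 401 and a BASIC challenge. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>intranet-user</role-name>
    </auth-constraint>
    <!-- BASIC credentials are only base64-encoded, not encrypted, and the
         browser resends them on every request, so insist on SSL. This
         needs an HTTPS connector (or a redirectPort that reaches one);
         drop this element if the intranet server only speaks HTTP. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC: the browser prompts once, caches the credentials and resends
       them until it is closed. Once the container has authenticated the
       request, request.getRemoteUser() returns the user name instead of
       null, and request.isUserInRole("intranet-user") returns true. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Intranet application</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>intranet-user</role-name>
  </security-role>

</web-app>
```

The comparison against the application's own DB that Joe described can then be done on the value of getRemoteUser(), which is now a name the container has checked against the Realm rather than something the browser volunteered.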



Re: Problem with security?

2005-06-10 Thread Patrick Thomas
Hi Joe,

To summarize the point that all of these others folks were making;
Tomcat by itself has no way of interrogating the operating system of
the connecting machine or noticing through the information that it
gets from then browser that the user is a particular person. Tomcat
can only tell you for sure about the physical connection (IP, and
possibly hostname... either of which may be useful to me, but I'll get
there in a minute).

I don't have the tomcat source in front of me right now, but I'm
pretty sure that the getRemoteUser() method is a typical java 'getter'
method; the part of tomcat that manages sessions looks at the incoming
cookie and notices that this request is part of an existing, validated
session and does essentially 'setRemoteUser()'... nothing automagical
about it.

So, back to what you *can* do. So, you know their IP/host; you could
use this to query a windows domain controller, which would be able to
report which real user is logged onto which machine -- I believe
that's what Pete's suggestion was as well; seems like there's some
potential there. You can just trust the IP address or hostname (if
physical access to the computer is strong enough authentication for
you... it really shouldn't be though, because names/IPs can be
changed).

So, bottom line, you're gonna have to put some work in. If you *do*
find a solution that works, make sure to report it back to the list so
that everyone can benefit.

Cheers,
Patrick

On 6/10/05, Gagnon, Joseph M  (US SSA) [EMAIL PROTECTED] wrote:
 Did I not say that I'm new to this?
 
 I made no mention to whether or not I was trying to make it secure.
 This is only meant to be used within my company's intranet and my
 intention was to take the user account and then compare it with a set of
 registered users in the application's DB.
 
 I am beginning to see that at the very least I need to create some kind
 of mechanism (although I don't understand yet how to go about that, or
 how many different ways it can be done) to perform user authentication.
 
 If anyone can provide information on how to do this (keep in mind I'm
 new at this), please let me know.
 

Re: Problem with security?

2005-06-10 Thread Robert r. Sanders
There are some pretty good resources for getting started on Servlet/JSP 
stuff; try the O'Reilly books, especially the latest version of their 
JSP book. 


I suggest that you need to think of what you are wanting to do in 2 phases:
   1. Login
   2. Authenticate (using values supplied by login).


There are a couple of alternatives if you want to save your users from 
having to type in passwords over and over; since I'm kind of bored, 
here's a brief list:


   1. If your users are on Windows desktops, then NTLM Auth can get 
the User information from the browser (either IE or Firefox) without the 
user having to login (see http://jcifs.samba.org/src/docs/ntlmhttpauth.html)
   2. If you have them deployed, then you could use client-certificates 
to authenticate users.
   3. You could use a 'remember-me' library (typically uses cookies so 
that user only has to login once).



Gagnon, Joseph M (US SSA) wrote:


Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure.
This is only meant to be used within my company's intranet and my
intention was to take the user account and then compare it with a set of
registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind
of mechanism (although I don't understand yet how to go about that, or
how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm
new at this), please let me know.

-Original Message-
From: Robert Harper [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 10, 2005 10:59 AM

To: 'Tomcat Users List'
Subject: RE: Problem with security?
 



--
   Robert r. Sanders
   Chief Technologist
   iPOV
   (334) 821-5412
   www.ipov.net


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


