Re: Security Questions Regarding Tomcat
Hmmm. Well, take a look at this entry from the server.xml file:

    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="2"
               proxyPort="80" disableUploadTimeout="true" />
    -->

I did not add this, and from what I can tell this comes with the default config. Any info?

Roberto

David Smith [EMAIL PROTECTED] wrote on 08/12/2005 11:40 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>):

This sounds really fishy. Tomcat does not by default have any connectors configured for port 80. There must be another service, or you've modified your server.xml somehow.

--David

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Security Questions Regarding Tomcat
But it's also commented out and not active. It's there as an example of a proxied port if you happen to be using Apache and mod_rewrite as a front end to tomcat.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well, take a look at this entry from the server.xml file:

    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="2"
               proxyPort="80" disableUploadTimeout="true" />
    -->

I did not add this, and from what I can tell this comes with the default config. Any info?

Roberto

--
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture and Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: 607.255.9571
Fax: 607.255.0939
Re: Security Questions Regarding Tomcat
Duh. Thanks. I should have seen that. But I still do not understand how this is all working. Basically I want to run a default-deny ipfilter firewall on the host, only allowing port 8080 and 8443 (or 4443; there seems to be some confusion with my apps guys on which one is the real SSL proxy port) connections from internal. I then want to NAT (rdr) to redirect all incoming 80 and 443 connections to that 8080 and 8443 (or 4443) port internally. I suppose it is my lack of familiarity with ipfilter (this is so much easier to do using OBSD's PF). I'd really like to see some other folks' ipnat.conf and ipf.conf files if this is being done already. I'll do some more research and keep the group apprised of my progress. Thanks.

Roberto

David Smith [EMAIL PROTECTED] wrote on 08/15/2005 08:29 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>):

But it's also commented out and not active. It's there as an example of a proxied port if you happen to be using Apache and mod_rewrite as a front end to tomcat.

--David
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well, take a look at this entry from the server.xml file:

    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="2"
               proxyPort="80" disableUploadTimeout="true" />
    -->

I did not add this, and from what I can tell this comes with the default config. Any info?

About what? This is in the Fine Manual -- see the Connector documentation under tomcat-docs/config/:

---
Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request.getServerName() and request.getServerPort() methods, which are often used to construct absolute URLs for redirects. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.

For more information, see the Proxy Support HOW-TO.
---

Though this isn't particularly relevant to your situation, since, as are many of the *examples* in the default server.xml, this entry is *commented out*.

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
Re: Security Questions Regarding Tomcat
Understood. But I do not want to use Tomcat proxying services. I just want to host 8080 locally and let my ipfilter firewall block and proxy for me.

Roberto

Hassan Schroeder [EMAIL PROTECTED] wrote on 08/15/2005 08:41 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>):

About what? This is in the Fine Manual -- see the Connector documentation under tomcat-docs/config/: [...]

Though this isn't particularly relevant to your situation, since, as are many of the *examples* in the default server.xml, this entry is *commented out*.

HTH!
-- Hassan Schroeder
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:

Understood. But I do not want to use Tomcat proxying services. I just want to host 8080 locally and let my ipfilter firewall block and proxy for me.

Then the default Tomcat configuration of listening on port 8080 is just what you need.

I highly recommend making a copy of the original server.xml and then stripping out the examples before doing anything else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what port(s) it's listening on, you could run netstat and/or nmap before and after starting it, and compare the results.

FWIW!
-- Hassan Schroeder
Re: Security Questions Regarding Tomcat
Got it. I've done that, and I figured out that I cannot use ipfilter as a reflector. That is, it is not very easy to use rdr to map packets from 192.168.0.20 port 80 -> 192.168.0.20 port 8080. That is precisely what I wanted to do: force NAT to rewrite packets coming in on one port to another port and have Tomcat answer normally. I got confused when I saw the proxying info inside the server.xml file. Looks like I'll have to get a real proxy server. Thanks.

Roberto

Hassan Schroeder [EMAIL PROTECTED] wrote on 08/15/2005 10:30 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>):

Then the default Tomcat configuration of listening on port 8080 is just what you need.

I highly recommend making a copy of the original server.xml and then stripping out the examples before doing anything else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what port(s) it's listening on, you could run netstat and/or nmap before and after starting it, and compare the results.

FWIW!
-- Hassan Schroeder
Re: Security Questions Regarding Tomcat
Regardless of what you put up in front of tomcat to act as the proxy host, you'll most likely need the proxyPort and proxyName attributes in your connector so tomcat can write URLs correctly as needed (like in sending external redirects). I do this setup myself on some stuff when I'm using mod_rewrite to map servlet material into an Apache site.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Got it. I've done that, and I figured out that I cannot use ipfilter as a reflector. That is, it is not very easy to use rdr to map packets from 192.168.0.20 port 80 -> 192.168.0.20 port 8080. That is precisely what I wanted to do: force NAT to rewrite packets coming in on one port to another port and have Tomcat answer normally. I got confused when I saw the proxying info inside the server.xml file. Looks like I'll have to get a real proxy server. Thanks.

Roberto
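As an added example (not from the thread or from the Tomcat distribution), here is a Tomcat 5 HTTP/1.1 Connector written for the layout discussed above: Tomcat listens on 8080 as an unprivileged user, a front end answers port 80, and proxyName/proxyPort make redirects carry the public name and port as David describes. The hostname www.example.com, the Server banner "webserver", and the 20000 ms connectionTimeout are assumed values; 192.168.0.20 is the address Roberto mentions.

```xml
<!-- Added example, not part of the original thread or of Tomcat's
     default server.xml.  www.example.com, "webserver" and the 20000 ms
     timeout are assumed values. -->

<!-- address: bind only to the interface the front end reaches, so the
     connector is not exposed on every address of the host.
     proxyName/proxyPort: what request.getServerName() and
     request.getServerPort() return to web applications, so redirects
     point at www.example.com:80 rather than at the host's own 8080.
     server: overrides the "Apache-Coyote/1.1" banner in the Server
     header (the connector attribute Tim names earlier in the thread). -->
<Connector port="8080"
           address="192.168.0.20"
           proxyName="www.example.com"
           proxyPort="80"
           server="webserver"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />
```

Check the result the way Hassan suggests: a netstat before and after startup should show the new listener only on 192.168.0.20:8080, and an external redirect fetched through the front end should carry a Location header naming www.example.com without a port.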
Re: Security Questions Regarding Tomcat
Okay, great. I'll check the docs on that once I get the server-side stuff running right. Thanks for all the help.

Roberto

David Smith [EMAIL PROTECTED] wrote on 08/15/2005 10:59 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>):

Regardless of what you put up in front of tomcat to act as the proxy host, you'll most likely need the proxyPort and proxyName attributes in your connector so tomcat can write URLs correctly as needed (like in sending external redirects). I do this setup myself on some stuff when I'm using mod_rewrite to map servlet material into an Apache site.

--David
RE: Security Questions Regarding Tomcat
I would like to be able to start TOMCAT as a non-root user but am unable to, as we are running SSL and use port 443 and non-root users do not have the permission to use ports under 1000.

Ralph B. Harrell
UNC Charlotte
Manager, Oracle Database Administration
[EMAIL PROTECTED]
(704) 687-2951

-----Original Message-----
From: Alon Belman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding Tomcat

copied share to meb/robo laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:

Tim, Thanks for the reply, but I can't get it working: [...]
Re: Security Questions Regarding Tomcat
Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root user but am unable to, as we are running SSL and use port 443 and non-root users do not have the permission to use ports under 1000.

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an ill-considered security kludge which has probably caused more trouble than it has circumvented.)

You could redirect port 443 to 8443 (and 80 to 8080) either in an external firewall/router or in iptables within your server, then start Tomcat as e.g. tomcat on its usual ports.

Paul Singleton

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.7/70 - Release Date: 11/Aug/2005
Re: Security Questions Regarding Tomcat
Having a similar issue to this with Tomcat 5. Apparently T5 comes with a port 80 proxy server, a special servlet container or something. Basically I have ipfilter running and only allow access to port 8080, but if you send a request to 80, Tomcat picks up and does some sort of internal redirect to port 8080. According to a netstat -a only port 808 is listening, but when I run nmap against it, it shows 80 and 8080. I'd like to have ipfilter block all connections and redirect packets bound for port 80 to 8080. In other words, I want to do what the T5 server seems to be doing already. Anyone have any ideas? My network admin is giving me much grief about allowing port 8080 access to the web.

Thanks

Paul Singleton [EMAIL PROTECTED] wrote on 08/12/2005 10:08 AM (to Tomcat Users List <tomcat-user@jakarta.apache.org>, cc Alon Belman [EMAIL PROTECTED]):

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an ill-considered security kludge which has probably caused more trouble than it has circumvented.)

You could redirect port 443 to 8443 (and 80 to 8080) either in an external firewall/router or in iptables within your server, then start Tomcat as e.g. tomcat on its usual ports.

Paul Singleton
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:

Apparently T5 comes with a port 80 proxy server, a special servlet container or something. Basically I have ipfilter running and only allow access to port 8080, but if you send a request to 80, Tomcat picks up and does some sort of internal redirect to port 8080.

Sorry, but that's simply not the case. The Connector definitions in $CATALINA_HOME/conf/server.xml control what ports (and IPs) Tomcat is listening on.

I'm not familiar with 'ipfilter', but there should be a way to list the current rule set (equiv. to `iptables -L`) to see what's going on.

FWIW!
-- Hassan Schroeder
Re: Security Questions Regarding Tomcat
See the Commons-Daemon project on the Jakarta site for starting tomcat as a non-root answer.

--David

Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root user but am unable to, as we are running SSL and use port 443 and non-root users do not have the permission to use ports under 1000.

Ralph B. Harrell
Re: Security Questions Regarding Tomcat
This sounds really fishy. Tomcat does not by default have any connectors configured for port 80. There must be another service, or you've modified your server.xml somehow.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Having a similar issue to this with Tomcat 5. Apparently T5 comes with a port 80 proxy server, a special servlet container or something. Basically I have ipfilter running and only allow access to port 8080, but if you send a request to 80, Tomcat picks up and does some sort of internal redirect to port 8080. According to a netstat -a only port 808 is listening, but when I run nmap against it, it shows 80 and 8080. I'd like to have ipfilter block all connections and redirect packets bound for port 80 to 8080. In other words, I want to do what the T5 server seems to be doing already. Anyone have any ideas? My network admin is giving me much grief about allowing port 8080 access to the web.

Thanks
Re: Security Questions Regarding Tomcat
I don't know -- I can see some value to the root-only ports below 1024. It prevents non-privileged users from stealing trusted service ports in a mainframe environment -- not that that's a reality anymore. The best way to handle this in a production environment is to use the commons-daemon project at the Jakarta site.

--David

Paul Singleton wrote:

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an ill-considered security kludge which has probably caused more trouble than it has circumvented.)

You could redirect port 443 to 8443 (and 80 to 8080) either in an external firewall/router or in iptables within your server, then start Tomcat as e.g. tomcat on its usual ports.

Paul Singleton
Re: Security Questions Regarding Tomcat
Tim, list:

Where can I find documentation regarding limiting HTTP methods using security-constraints? All I was able to do was require authentication in order to use some HTTP methods, but I would like to limit them like it can be done with the Limit directive in Apache.

I will also appreciate any pointers to documentation regarding Tomcat security, especially about hardening.

Regards,
Leandro.
Re: Security Questions Regarding Tomcat
Leandro Meiners wrote: Where can I find documentation regarding limting HTTP methods using security-constraints? The Security section of the Servlet 2.4 Spec (SRV.12) has some good examples -- highly recommended :-) FWIW! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Security Questions Regarding Tomcat
Hi! I'm hardening a Web Server running Tomcat for a client, but I'm having difficulty in finding information on how to accomplish the following tasks (bored of googling so I decided to ask here): 1. Remove/modify the banner presented by the Coyote connector in the Server header of an HTTP reply. 2. Limit the HTTP methods available. (I want to disable TRACE, PUT, DELETE.) Regards! Leandro -- LFM [EMAIL PROTECTED]
Re: Security Questions Regarding Tomcat
The Server header can be configured in the Connector declaration: server='Sun Solaris IIS/6.0' To limit the HTTP methods this can be done a few ways; 1) Use a servlet filter 2) Use web.xml and security constraints on those method types 3) ??? -Tim LFM wrote: Hi! I'm hardening a Web Server running Tomcat for a client, but I'm having difficulty in finding information on how to accomplish the following tasks (bored of googling so I decided to ask here): 1. Remove/modify the banner presented by the Coyote connector in the Server header of an HTTP reply. 2. Limit the HTTP methods available. (I want to disable TRACE, PUT, DELETE.)
Re: Security Questions Regarding Tomcat
Tim, Thanks for the reply, but I can't get it working: In conf/server.xml I added server="TEST", as shown: <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 --> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" connectionTimeout="2" useURIValidationHack="false" server="TEST"/> Stopped, started Tomcat. nc'ed to localhost, but still got the old Server header. $ nc localhost 8180 GET / HTTP/1.0 HTTP/1.1 302 Moved Temporarily Location: http://localhost.localdomain:8180/index.jsp Content-Length: 0 Date: Thu, 11 Aug 2005 20:15:38 GMT Server: Apache-Coyote/1.1 Connection: close What am I doing wrong? Thanks! Leandro On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote: The Server header can be configured in the Connector declaration: server='Sun Solaris IIS/6.0' To limit the HTTP methods this can be done a few ways; 1) Use a servlet filter 2) Use web.xml and security constraints on those method types 3) ??? -Tim LFM wrote: Hi! I'm hardening a Web Server running Tomcat for a client, but I'm having difficulty in finding information on how to accomplish the following tasks (bored of googling so I decided to ask here): 1. Remove/modify the banner presented by the Coyote connector in the Server header of an HTTP reply. 2. Limit the HTTP methods available. (I want to disable TRACE, PUT, DELETE.)
Re: Security Questions Regarding Tomcat
Setting the Server header is a Tomcat 5.5 feature. -Tim LFM wrote: Tim, Thanks for the reply, but I can't get it working: In conf/server.xml I added server="TEST", as shown: <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 --> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" connectionTimeout="2" useURIValidationHack="false" server="TEST"/> Stopped, started Tomcat. nc'ed to localhost, but still got the old Server header. $ nc localhost 8180 GET / HTTP/1.0 HTTP/1.1 302 Moved Temporarily Location: http://localhost.localdomain:8180/index.jsp Content-Length: 0 Date: Thu, 11 Aug 2005 20:15:38 GMT Server: Apache-Coyote/1.1 Connection: close What am I doing wrong? Thanks! Leandro On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote: The Server header can be configured in the Connector declaration: server='Sun Solaris IIS/6.0' To limit the HTTP methods this can be done a few ways; 1) Use a servlet filter 2) Use web.xml and security constraints on those method types 3) ??? -Tim LFM wrote: Hi! I'm hardening a Web Server running Tomcat for a client, but I'm having difficulty in finding information on how to accomplish the following tasks (bored of googling so I decided to ask here): 1. Remove/modify the banner presented by the Coyote connector in the Server header of an HTTP reply. 2. Limit the HTTP methods available. (I want to disable TRACE, PUT, DELETE.)
Security Questions
Hello; When creating a realm does the table name have to be 'user'? <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/tomcatusers?user=dbUser&amp;password=dbUser" userTable="tomcatusers" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> With this realm I get a 403, but no login prompt. Before I go through with recreating the DB and the users I wanted to be sure this was the problem. Also, the web.xml in my project's WEB-INF contains the following: <!-- security --> <security-constraint> <web-resource-collection> <web-resource-name>fw</web-resource-name> <url-pattern>*.do</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config> </security-constraint> Right now I don't want anyone to use a servlet that is not authorized first. What I was expecting was a standard login prompt with BASIC (just getting a 403 as described above). However, once I got BASIC working I wanted to shift to a custom form login: <login-config> <auth-method>FORM</auth-method> <form-login-page>/loginpage.html</form-login-page> <form-error-page>/loginpage.html</form-error-page> </login-config> Can I do this with the url-pattern of *.do? Or do I need to put an actual directory? The reason I ask is: how will Tomcat find the login pages? My last question is about this: <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> Is it a good idea to have this? I understand it encrypts all data that is sent to the server. It seems to me that no system should be without it. But I wanted to check with someone more experienced first whether there were concerns or limitations I am unaware of. Thanks, Luke
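Tim's option 2 (security constraints on "those method types") and Luke's web.xml above both run into the same trap: a security-constraint that lists http-method elements protects only the listed methods, so a constraint naming GET and POST on *.do leaves TRACE, PUT, DELETE, HEAD and OPTIONS on the same pattern completely unconstrained, the opposite of what "limit the HTTP methods" intends. The following is an added example, not Tomcat's own code or anything from the posters: it parses a constructed web.xml modelled on Luke's and reports, per url-pattern, which methods no constraint covers. The method list and the sample document are assumptions made for the example.

```python
"""Audit web.xml security constraints for HTTP methods left unprotected.

Added example (not Tomcat code). Servlet security constraints are additive
and only cover the <http-method> values they name; a constraint with no
<http-method> covers every method, which is what a hardening rule should do.
"""
import xml.etree.ElementTree as ET

# Methods worth auditing; this list is an assumption for the example.
KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample modelled on the posted web.xml; not a real deployment.
# The first constraint is the mistake, the second is the shape that works.
SAMPLE_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>fw</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area, all methods</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://...}http-method."""
    return tag.rsplit("}", 1)[-1]


def constrained_methods(web_xml_text):
    """Map each url-pattern to the set of methods its constraints cover."""
    root = ET.fromstring(web_xml_text)
    coverage = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = {e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"}
            # No <http-method> listed means the collection covers all methods.
            covered = methods or set(KNOWN_METHODS)
            for pattern in patterns:
                coverage.setdefault(pattern, set()).update(covered)
    return coverage


def uncovered_methods(web_xml_text):
    """Return {url_pattern: sorted methods that no constraint protects}."""
    report = {}
    for pattern, covered in constrained_methods(web_xml_text).items():
        gaps = sorted(m for m in KNOWN_METHODS if m not in covered)
        if gaps:
            report[pattern] = gaps
    return report


if __name__ == "__main__":
    for pattern, gaps in uncovered_methods(SAMPLE_WEB_XML).items():
        print(f"{pattern}: no constraint applies to {', '.join(gaps)}")
```

The fix the audit points at is to drop the http-method elements so the constraint applies to every method, and to deny the methods you never want (TRACE, PUT, DELETE) with a separate constraint whose auth-constraint is empty; a Server header rewrite, by contrast, hides nothing from a scanner that simply tries those methods.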
session security questions?
Hi, all I am running Tomcat as application server and using the session to store objects which will determine what dynamic content will be displayed. It's typical, but I have the following questions: 1. Where is the session variable stored? Server side or client cookie? 2. If variables are stored on the server side, is it possible to fake it, and does a proof of concept exist? 3. If the variable is stored in a client cookie, I have the same question as point 2. Thanks, Vincent - Yahoo! http://tw.promo.yahoo.com/mail_premium/stationery.html
RE: session security questions?
Vincent, 1. If you put some object into session scope, it will be stored on the server (in the memory occupied by the Java process executing your webapp). Some persistence mechanisms may save it to disk or into a database. But you would know if that is the case for you. However, the session id is passed back and forth between the server and the client, of course. But that should not be a problem, because of the (pseudo) random and quite complex nature of session ids it would be hard to guess someone else's session id. 2. I do not know of such a possibility, and it would certainly be a serious bug. However, anyone having root/administrator access to your machine could probably tamper with the memory and thereby manipulate your session state. But that would be the least of your problems, then. 3. If that were the case, you would have to trust what the client sends you. This is generally a very bad idea for security reasons (anyone can fake what he sends to you if he knows what he's doing). But luckily this is not the case. Greetings Andreas Mohrig -Original Message- From: Vincent Chen [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: session security questions? Hi, all I am running Tomcat as application server and using the session to store objects which will determine what dynamic content will be displayed. It's typical, but I have the following questions: 1. Where is the session variable stored? Server side or client cookie? 2. If variables are stored on the server side, is it possible to fake it, and does a proof of concept exist? 3. If the variable is stored in a client cookie, I have the same question as point 2. Thanks, Vincent - Yahoo! http://tw.promo.yahoo.com/mail_premium/stationery.html
Re: session security questions?
Andreas, 1. Where is the session variable stored? server side or client cookie? However, the sessionid is passed back and forth between the server and the client, of course. But that should not be a problem, because of the (pseudo) random and quite complex nature of sessionids it would be hard to guess someone else's sessionid. Yes, it's hard to guess the id of a session. However, if you were to snoop HTTP traffic and intercepted someone's HTTP header, then you could easily use that session id to hijack someone else's session by submitting the same cookie header to the server. You can try other techniques of preventing this from happening, including comparing IP addresses from requests (see the archives for a discussion of this; including how it doesn't always work!). -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: session security questions?
Chris, I just had a discussion with Harry Mantheakis concerning the same point. Of course it is always good (and often necessary) to secure the sessionid (with SSL). In the time of mega-proxies with more than one IP address comparing IP addresses won't be of much use. Andreas Mohrig -Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2003 2:16 PM To: Tomcat Users List Subject: Re: session security questions? Andreas, 1. Where is the session variable stored? server side or client cookie? However, the sessionid is passed back and forth between the server and the client, of course. But that should not be a problem, because of the (pseudo) random and quite complex nature of sessionids it would be hard to guess someone else's sessionid. Yes, it's hard to guess the id of a session. However, if you were to snoop HTTP traffic and intercepted someone's HTTP header, then you could easily use that session id to hijack someone else's session by submitting the same cookie header to the server. You can try other techniques of preventing this from happening, including comparing IP addresses from requests (see the archives for a discussion of this; including how it doesn't always work!). -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
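The three replies above make one argument: state lives on the server, the only thing the client holds is the session id, so the id has to be unguessable, it has to stay off the wire in clear (a sniffed id simply works when replayed), and binding it to a source IP breaks behind multi-address proxies. The following is an added example, not Tomcat's session manager or anything the posters wrote, that shows the server-side model in miniature: random 128-bit ids, constant-time lookup, rotation of the id when the user authenticates (so a fixated or previously leaked id stops working), idle expiry, and the cookie attributes that keep the id off plaintext HTTP. The store, timeouts and cookie name are assumptions for the example.

```python
"""Minimal server-side session store (added example, not Tomcat's code).

Demonstrates the thread's points: state never leaves the server, the id is
the only secret the client holds, a replayed id is indistinguishable from the
real user (hence TLS), and rotating the id on login limits the damage window.
"""
import hmac
import secrets
import time

ID_BYTES = 16  # 128 bits of entropy per session id (assumption for the example)


class SessionStore:
    def __init__(self, idle_timeout_s=1800, clock=time.time):
        self._state = {}      # session id -> dict of attributes (server side only)
        self._last_seen = {}  # session id -> last activity timestamp
        self._idle = idle_timeout_s
        self._clock = clock   # injectable so expiry can be tested deterministically

    def _find(self, presented):
        """Locate a stored id with a constant-time comparison (no prefix leaks)."""
        target = presented.encode("utf-8")
        for sid in self._state:
            if hmac.compare_digest(sid.encode("utf-8"), target):
                return sid
        return None

    def create(self):
        sid = secrets.token_urlsafe(ID_BYTES)
        self._state[sid] = {}
        self._last_seen[sid] = self._clock()
        return sid

    def lookup(self, presented):
        """Return the session's attributes, or None if unknown or expired.

        Note what is NOT checked: who is presenting the id. Anyone who sniffed
        it gets the same answer, which is the hijack described in the thread.
        """
        sid = self._find(presented)
        if sid is None:
            return None
        if self._clock() - self._last_seen[sid] > self._idle:
            self.invalidate(sid)
            return None
        self._last_seen[sid] = self._clock()
        return self._state[sid]

    def rotate(self, presented):
        """Move the state under a fresh id; call this right after authentication."""
        sid = self._find(presented)
        if sid is None:
            raise KeyError("unknown session")
        state = self._state.pop(sid)
        self._last_seen.pop(sid)
        new_sid = secrets.token_urlsafe(ID_BYTES)
        self._state[new_sid] = state
        self._last_seen[new_sid] = self._clock()
        return new_sid

    def invalidate(self, presented):
        sid = self._find(presented)
        if sid is not None:
            del self._state[sid]
            del self._last_seen[sid]


def set_cookie_header(sid, name="JSESSIONID"):
    """Set-Cookie value: Secure keeps the id off plaintext HTTP, HttpOnly keeps it
    away from page script. Neither helps once the id is already on the wire in clear."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    store.lookup(sid)["user"] = "alice"
    print("sniffed id replayed:", store.lookup(sid))   # works: that is the hijack
    new_sid = store.rotate(sid)
    print("old id after rotation:", store.lookup(sid))  # None
    print(set_cookie_header(new_sid))
```

Rotation is what Tomcat's later changeSessionIdOnAuthentication behaviour does for you; the example exists to make the mechanism visible, not to replace the container's own session manager.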
Re: security questions on header information
security questions on header information
Hi First of all I would like to know how I can find out what information Tomcat sends back in its header response when queried? Second question: can I control the header response? Thirdly, can one set the response so that it only gives the server name and nothing else? Finally, from a security perspective does it matter if browsers can access info like "tomcat 4.0 with mod_jk etc etc running on ip address ..."? Many Thanks Amran
Re: Fw: Tomcat security questions
On Thu, Sep 20, 2001 at 02:27:33PM -0500, Jonathan Eric Miller wrote: I'm wondering if anyone has any suggestions on how to best setup Tomcat for maximum security? Against what threat? Are you worried about: - DoS attacks - Attacks exploiting weaknesses in Tomcat itself (eg directory traversal) - Webapps doing nasty stuff I presume it's up to how you configure the connector to prevent DoS attacks. Tomcat's HTTP1.1 connector has an acceptCount attribute, which can stop endless requests from being queued when Tomcat is fully loaded already. Tomcat has had quite a few directory traversal type attacks, where a weirdly formatted request gained you access to files you shouldn't. I suppose a chrooted environment helps here. It won't help for bugs allowing access to uninterpreted JSPs, or access to WEB-INF/*. So don't put passwords in JSPs :P Webapps doing nasty stuff can be prevented by starting Tomcat with a security manager ('./startup.sh -security'), and properly setting your policy file. Currently, I'm running Tomcat in a chrooted environment. I see that there is also a way to run Tomcat as a non-root user. I'm wondering what the best configuration is. It seems like running it chrooted is probably the best way to go. Also, I'm wondering how much of an issue buffer overflows are for Tomcat considering it's written in Java which as far as I know makes them close to impossible. You would have to basically find an overflow in the JVM, right? I think so. Even if there was an overflow in the JVM, you probably couldn't exploit it, since the language is strictly defined, and all bytecode gets validated before being run. But then, there was that Netscape exploit a while ago.. can't remember how that worked. Any other suggestions on how Tomcat should be configured for security? i.e. removing sample applications, etc. It's only as secure as the operating system you run it on. You know what that implies.. ;) Stuff to read: Low Level Security in Java http://java.sun.com/sfaq/verifier.html The class file format http://java.sun.com/docs/books/vmspec/html/ClassFile.doc.html --Jeff Jon
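Jeff's "weirdly formatted request" class of bug (percent-encoded dot segments, double encoding, backslashes, path parameters, and direct requests for WEB-INF/*) is exactly what a request path guard in front of a servlet container has to catch, and chroot does nothing about it because the container itself serves the file. The following is an added example, not Tomcat's own request mapper or anything the posters wrote: it canonicalises a request path the way a careful front end or filter would and refuses anything that climbs above the webapp root or lands in WEB-INF or META-INF. The decode depth, the forbidden prefixes and the case-insensitive match are assumptions for the example.

```python
"""Canonicalise a request path and refuse traversal / WEB-INF access.

Added example (not Tomcat code). Decode until stable so double encoding
cannot hide "..", strip path parameters (";jsessionid=..."), reject NUL and
backslashes, resolve dot segments, then check the resulting absolute path.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                          # assumption for the example
FORBIDDEN_PREFIXES = ("/web-inf", "/meta-inf")  # compared case-insensitively (assumption)


def canonical_path(raw_target):
    """Return the normalised absolute path, or None if the request is hostile/malformed."""
    path = raw_target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after the last round: nested encoding, reject
    if "\x00" in path or "\\" in path or not path.startswith("/"):
        return None
    parts = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]  # drop path parameters before deciding
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # would climb above the webapp root
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def is_allowed(raw_target):
    """True if the request may reach the servlet/static mapping at all."""
    path = canonical_path(raw_target)
    if path is None:
        return False
    lowered = path.lower()
    return not any(lowered == p or lowered.startswith(p + "/") for p in FORBIDDEN_PREFIXES)


if __name__ == "__main__":
    # Constructed probe targets, not captured traffic.
    for target in ("/index.jsp", "/WEB-INF/web.xml", "/%2e%2e/WEB-INF/web.xml",
                   "/foo/%252e%252e/WEB-INF/web.xml", "/;/WEB-INF/web.xml",
                   "/..%5cWEB-INF/web.xml", "/foo%00.jsp"):
        print(f"{target!r:40} -> {'allow' if is_allowed(target) else 'deny'}")
```

The guard is deliberately stricter than a URL parser needs to be: anything it cannot normalise with confidence is denied rather than passed on for the container to interpret.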
Fw: Tomcat security questions
For some reason this didn't seem to go through the first time... Jon - Original Message - From: Jonathan Eric Miller [EMAIL PROTECTED] To: Tomcat User List [EMAIL PROTECTED] Sent: Wednesday, September 19, 2001 10:11 PM Subject: Tomcat security questions I'm wondering if anyone has any suggestions on how to best setup Tomcat for maximum security? Currently, I'm running Tomcat in a chrooted environment. I see that there is also a way to run Tomcat as a non-root user. I'm wondering what the best configuration is. It seems like running it chrooted is probably the best way to go. Also, I'm wondering how much of an issue buffer overflows are for Tomcat considering it's written in Java which as far as I know makes them close to impossible. You would have to basically find an overflow in the JVM, right? Any other suggestions on how Tomcat should be configured for security? i.e. removing sample applications, etc. Jon
Tomcat security questions
I'm wondering if anyone has any suggestions on how to best setup Tomcat for maximum security? Currently, I'm running Tomcat in a chrooted environment. I see that there is also a way to run Tomcat as a non-root user. I'm wondering what the best configuration is. It seems like running it chrooted is probably the best way to go. Also, I'm wondering how much of an issue buffer overflows are for Tomcat considering it's written in Java which as far as I know makes them close to impossible. You would have to basically find an overflow in the JVM, right? Any other suggestions on how Tomcat should be configured for security? i.e. removing sample applications, etc. Jon
RE: Security questions
What is the default password for the admin context? It's in tomcat/conf/tomcat-users.xml . where can I find documentation on implementing security with tomcat? Start with the servlet specification at http://java.sun.com/products/servlet/ . You could also look at JDBCRealm (sources and docs available at http://jakarta.apache.org/) as a sample implementation. -- Bill K.
RE: Security questions
Thanks very much. -Original Message- From: William Kaufman [mailto:[EMAIL PROTECTED]] Sent: Monday, July 30, 2001 5:00 PM To: '[EMAIL PROTECTED]' Subject: RE: Security questions What is the default password for the admin context? It's in tomcat/conf/tomcat-users.xml . where can I find documentation on implementing security with tomcat? Start with the servlet specification at http://java.sun.com/products/servlet/ . You could also look at JDBCRealm (sources and docs available at http://jakarta.apache.org/) as a sample implementation. -- Bill K.
Security Questions
Hi! I have Tomcat setup, actually running with JBoss, and I am looking at security. I can setup an application with a login-config in web.xml, but I cannot see who or what handles that. Is it Tomcat directly, or some loaded subsystem? In detail: In my server.xml file I have the following: <RequestInterceptor className="org.apache.tomcat.request.AccessInterceptor" debug="0" /> What is this actually saying or doing? I also have: <!-- Check permissions using the simple xml file. You can plug more advanced authentication modules. --> <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" /> Same question! What's it for, what's it do? I don't seem to have a simple xml file, should I? Gerry
RE: Security Questions
<RequestInterceptor className="org.apache.tomcat.request.AccessInterceptor" debug="0" /> From that class' javadoc: Access control - find if a request matches any web-resource-collection and set the "required" attributes. The spec requires additive checking (i.e. there is no "best match" defined, but "all requests that contain a request path that matches the URL pattern in the resource collection are subject to the constraint"). In "integrated" mode this interceptor will be no-op, we'll use the web server (assuming we can map the security to web-server equivalent concepts - I think we can do that, but need to experiment with that). <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" /> From that class' javadoc: Memory based realm - will authenticate and check the permissions for a request using a simple, in-memory list of users. This is for "demo" purpose only, to allow auth in standalone tomcat for developers. There are no restrictions or rules on how to authenticate - you have full control over the process. I don't seem to have a simple xml file, should I? You do: it's named $TOMCAT_HOME/conf/tomcat-users.xml . -- Bill K. -Original Message- From: Gerry Duhig [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 30, 2001 4:00 AM To: [EMAIL PROTECTED] Subject: Security Questions Hi! I have Tomcat setup, actually running with JBoss, and I am looking at security. I can setup an application with a login-config in web.xml, but I cannot see who or what handles that. Is it Tomcat directly, or some loaded subsystem? In detail: In my server.xml file I have the following: <RequestInterceptor className="org.apache.tomcat.request.AccessInterceptor" debug="0" /> What is this actually saying or doing? I also have: <!-- Check permissions using the simple xml file. You can plug more advanced authentication modules. --> <RequestInterceptor className="org.apache.tomcat.request.SimpleRealm" debug="0" /> Same question! What's it for, what's it do? I don't seem to have a simple xml file, should I? Gerry