RE: request for suggestions on how to secure a web application....

2001-09-12 Thread Frank Lawlor

Re protection via Realms:
  - a useful mechanism, but by itself might not do the whole job.  For
example, if you need to have users log into a specific domain (e.g.
different clients get different data) (as happens in many apps) where the
userid isn't enough info (one value of Realms is non-unique IDs), then you
need to still force people thru a specific login.
Re object in a session.
  - Note that this can be fabricated by a hacker.  For real security
you need to look at encrypting it with varying keys.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.






Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Peter Brandt-Erichsen

Thank you for the advice, most appreciated.

-Original Message-
From: Brigger Patrick <[EMAIL PROTECTED]>
To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
Date: Wednesday, July 25, 2001 2:02 AM
Subject: RE: request for suggestions on how to secure a web application


>One simple solution, but works perfectly:
>
>After the login process, save the login information in an object, for
>instance a customer object.
>
>session.putValue("customer", customer);
>
>In your JSP page, read the customer object:
>
>Customer customer = (Customer) session.getValue("customer");
>
>Then do a check if the object has been initialized:
>
>if (customer == null)
>{
>  // redirect to the login page (path is illustrative), passing the return URL
>  response.sendRedirect(request.getContextPath() + "/login.jsp?return=" + request.getRequestURI());
>  return;
>}
>else
>...
>
>I usually included the return URL when I redirect to the login page so that
>this page knows where to redirect back to.
>
>Cheers,
>
>Pat





Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Peter Brandt-Erichsen

Nice, thank you, I will check it out.

-Original Message-
From: Andrew Robson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, July 25, 2001 2:58 PM
Subject: Re: request for suggestions on how to secure a web application


>Hi Peter,
>  Have you looked at Realms? This allows you to specify a set of resources
>(html, jsp, servlets etc) to be protected in your web.xml file. Any
>unauthorised access attempt to these files will automatically throw up
>a login form. Means you don't have to code in protection to each page.
>You can authorise your users against a text file (SimpleRealm) or a
>database (JDBCRealm). There is an example in the examples directory.
>Check out the web.xml file in there and also look for Realm in server.xml
>If you want to use a database look at TOMCAT_HOME/doc/JDBCRealm.howto
>
>If you like the look of Realms I'm afraid you will have to upgrade to 3.2.3
>as earlier versions have a rather large security vulnerability.
>
>andrew

Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Andrew Robson

Hi Peter,
  Have you looked at Realms? This allows you to specify a set of resources
(html, jsp, servlets etc) to be protected in your web.xml file. Any
unauthorised access attempt to these files will automatically throw up 
a login form. Means you don't have to code in protection to each page.
You can authorise your users against a text file (SimpleRealm) or a
database (JDBCRealm). There is an example in the examples directory.
Check out the web.xml file in there and also look for Realm in server.xml
If you want to use a database look at TOMCAT_HOME/doc/JDBCRealm.howto

If you like the look of Realms I'm afraid you will have to upgrade to 3.2.3 
as earlier versions have a rather large security vulnerability.

andrew

On Wed, 25 Jul 2001, you wrote:
> I'm not sure whether it'll work for you but you can assert current session on
> each jsp page that you want to protect  (assuming you store user login info in
> the session) and throw an exception in case the object is not found in the
> session, then the exception can be caught by an error jsp page.
>
> hth
> 
>   - Boris
> 
> 
-- 
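Andrew's Realm suggestion written out as a web.xml fragment; this is an added example, not taken from the thread or from the Tomcat distribution. It assumes the Servlet 2.2 descriptor that Tomcat 3.2 reads, a realm (SimpleRealm or JDBCRealm, configured in server.xml as Andrew describes) that assigns the role `customer`, and login and error pages at the paths shown; the container can only protect resources it serves through the context, so static html left under the Apache document root is not covered by this constraint.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Everything under /jsp/ in this context requires an authenticated user
       who holds the "customer" role.  Unauthenticated requests are sent to the
       FORM login page below; no per-page check is needed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <!-- hypothetical: static html moved from the Apache document root into
           the context so that Tomcat, and therefore this constraint, sees it -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL requires SSL for these URLs (Lars's sniffing concern);
         drop this element if the Apache/Tomcat setup has no SSL yet -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the login page must POST fields j_username and j_password
       to the action j_security_check, as the Servlet 2.2 spec defines.
       Both pages are assumed names and must live inside this context. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>My Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role referenced above; the realm maps users to it -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>

</web-app>
```

Frank's later point still applies: the realm authenticates the user, but mapping a user to the right client's data is application logic that this descriptor does not express.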





Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Boris Niyazov

I'm not sure whether it'll work for you but you can assert current session on 
each jsp page that you want to protect  (assuming you store user login info in 
the session) and throw an exception in case the object is not found in the 
session, then the exception can be caught by an error jsp page. 

hth

  - Boris






RE: request for suggestions on how to secure a web application....

2001-07-25 Thread Brigger Patrick

One simple solution, but works perfectly:

After the login process, save the login information in an object, for
instance a customer object.

session.putValue("customer", customer);

In your JSP page, read the customer object:

Customer customer = (Customer) session.getValue("customer");

Then do a check if the object has been initialized:

if (customer == null)
{
  // redirect to the login page (path is illustrative), passing the return URL
  response.sendRedirect(request.getContextPath() + "/login.jsp?return=" + request.getRequestURI());
  return;
}
else
...

I usually included the return URL when I redirect to the login page so that
this page knows where to redirect back to.

Cheers,

Pat

-Original Message-
From: Peter Brandt-Erichsen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 July 2001 09:51
To: [EMAIL PROTECTED]
Subject: request for suggestions on how to secure a web application













Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Lars Nielsen Lind

You can try this:

When the user logs on to the system - you place his/her username and password in 
Session variables.

Then you create an include file - for instance: validateusersec.jsp, whose purpose is 
to check that the Session variables that hold the username and password are not empty 
and contain valid data (exist in database, XML ..).

This file is included at the top of each of your secure pages.

If the include file finds empty or non-valid Session variables then it redirects the 
user back to the start or logon page. If the data is correct the rest of the page is shown 
to the user.

But remember: when users are sending data over port 80 (standard http) then it is 
possible to 'sniff' the users' data. Therefore it might be a good idea to use SSL with 
your solution - so that it is not possible to sniff the data.

Lars Nielsen Lind



- Original Message - 
From: "Peter Brandt-Erichsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 25, 2001 9:51 AM
Subject: request for suggestions on how to secure a web application






Re: request for suggestions on how to secure a web application....

2001-07-25 Thread Reto Badertscher

Your JSP can check if there's a valid login before processing. In our
application we use a login object with user information for authenticated
users and store it in the user session.
(BTW we use a servlet as a controller and Velocity to handle the view - so
it's impossible to access a page directly without passing the controller)

Reto

-Original Message-
From: Peter Brandt-Erichsen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 July 2001 09:51
To: [EMAIL PROTECTED]
Subject: request for suggestions on how to secure a web application


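The per-page session check that Pat, Lars and Reto describe, collected into one helper class; this is an added example, not code from any of the posts, and it targets the Servlet 2.2 API that Tomcat 3.2 implements. The attribute name `customer` follows Pat's reply; `login.jsp`, the `return` parameter and the class name are assumptions, and the helper additionally validates the return URL and renews the session at login, which none of the replies mention.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session guard for JSP pages and servlets (added example; hypothetical class).
 *
 * Top of every protected page or servlet:
 *
 *   Object customer = LoginGuard.requireLogin(request, response);
 *   if (customer == null) return;   // redirect to the login page already sent
 *
 * In the login page, after the credentials have been verified:
 *
 *   LoginGuard.markLoggedIn(request, customer);
 *   response.sendRedirect(LoginGuard.safeReturnUrl(request, request.getParameter("return")));
 */
public final class LoginGuard {

    /** Session attribute holding the authenticated user (name as in Pat's reply). */
    public static final String USER_ATTR = "customer";

    /** Context-relative path of the login page (assumed name). */
    public static final String LOGIN_PAGE = "/login.jsp";

    private LoginGuard() {
    }

    /**
     * Returns the user object stored at login, or null after redirecting to the
     * login page with the current URL in the "return" parameter.
     */
    public static Object requireLogin(HttpServletRequest request,
                                      HttpServletResponse response)
            throws IOException {
        // getSession(false): do not create sessions for anonymous visitors.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user != null) {
            return user;
        }
        String here = request.getRequestURI();
        String query = request.getQueryString();
        if (query != null) {
            here = here + "?" + query;
        }
        // URLEncoder.encode(String) is the only form available on JDK 1.3.
        String target = request.getContextPath() + LOGIN_PAGE
                + "?return=" + URLEncoder.encode(here);
        // encodeRedirectURL keeps URL-rewritten session ids working without cookies.
        response.sendRedirect(response.encodeRedirectURL(target));
        return null;
    }

    /**
     * Stores the user in a fresh session.  The session that existed before login
     * is invalidated, so a session id the browser already carried (possibly one
     * it was handed by someone else) never becomes an authenticated session.
     */
    public static void markLoggedIn(HttpServletRequest request, Object user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, user);
    }

    /**
     * Accepts a "return" parameter only if it is a path inside this context, so
     * the login page cannot be used to bounce a user to another site.  Anything
     * else falls back to the context root.
     */
    public static String safeReturnUrl(HttpServletRequest request, String candidate) {
        String contextPath = request.getContextPath();
        String fallback = (contextPath.length() == 0) ? "/" : contextPath + "/";
        if (candidate == null) {
            return fallback;
        }
        // Reject absolute URLs, scheme-relative URLs ("//host/...") and backslashes,
        // which some browsers treat like forward slashes.
        if (candidate.startsWith("//") || candidate.indexOf("://") >= 0
                || candidate.indexOf('\\') >= 0) {
            return fallback;
        }
        if (!candidate.startsWith(contextPath + "/")) {
            return fallback;
        }
        return candidate;
    }
}
```

Because the user object lives in the server-side session and the browser only holds the session id, the id itself is what must be protected in transit, which is where Lars's SSL advice comes in.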












request for suggestions on how to secure a web application....

2001-07-25 Thread Peter Brandt-Erichsen

This posting is a request for suggestions on how best to 
secure a web application.

First my setup:

NT 4.0
Apache 1.3.12
Tomcat 3.2.1 (running behind Apache)
servlets 
jsp pages
static html pages
jdk1.3


Web-app directory structure:

webapps/my_context/
/jsp/jsp_pages
/web-inf/classes/my_servlets
/web-inf/classes/beans/my_java_beans

My static html files reside under the apache 
document root.

For servlet access I am using session cookies, as specified in
the Java Servlet Spec, to authorize users. This works very 
well for my purposes.

My concern is protecting sensitive jsp and static
html pages.

How do I stop an unauthorized user from accessing a 
jsp or html resource directly?  ie: a back-door attack.  

For example, I am protecting my site with a login page, 
but if a user simply sidesteps the login and types

http://my_domain/my_context/jsp/any_jsp_page

into his browser, he will get access to any jsp page 
that resides in the specified context. 

I have experimented with some different approaches:

1.  hide the jsp directory directly under the /web-inf 
directory and let Tomcat restrict access.

So I would have:

/web-inf/classes/servlets
/web-inf/jsp/jsp_pages

Then provide access to jsp pages only through a 
verification servlet, which can verify the user and
then forward the request to the correct resource. 

However, this is causing problems when I utilize a 
RequestDispatcher(path).forward(req, res)  or 
RequestDispatcher(path).include(req, res) 
instruction.

The path needs to start with a "/" and be relative to 
the context root, per the Java Servlet API docs, which makes 
it impossible(?) to provide a correct path, since my 
verification servlet, and hence the execution thread, 
is in /web-inf/classes. When I issue the forward or include, 
I need to provide a path that looks something like:

/../jsp/jsp_page 

which is correctly making the JVM puke.


2. Utilize the apache rewrite module and have apache
rewrite all requests for http://my_domain/my_context/jsp/*.jsp
to my verification servlet. The verification servlet can then
do its thing and forward valid requests to the appropriate 
request. 

A hornet's nest of complexity here! and my nose tells
me this is the wrong path to take.


3. Thought a lot about utilizing the Tomcat API.

ie: RequestInterceptor, Virtual Host, Valves etc.

I found rudimentary information about what these
constructs are, but very little on how to use them.

So, I am kinda stumped :-(

I guess the next step would be to explore Basic or
Digest Authorization, but I was hoping there would be
a simpler way, that uses the power of servlets

I would greatly welcome any and all suggestions

Thank you, and keep up the great work.
The Tomcat effort rocks!

Peter


BTW, I anticipate that the Tomcat docs will improve greatly 
in the future, and I was greatly encouraged to see the 
effort being put into making a book, and the template forming
around v4.0

I would like to suggest a section on real world examples, 
using and programming the Tomcat API and the xml config 
files, like server.xml. 

For an example of what I mean, the documentation 
for the Apache mod_rewrite, written by Ralf S. Engelschall, 
has a section on practical solutions. 

http://httpd.apache.org/docs/mod/mod_rewrite.html

That's kinda what I mean.