RE: System call problem on Tomcat /security issue
How do you actually execute the system call? I normally use it as printed below (on Tomcat 4.0x, Apache 1.3x, Redhat 6/7/8) and it works just fine. String[] strCommand contains the single elements of the call, so "ls -al" would be strCommand[0] = "ls", strCommand[1] = "-al", while "ls" obviously would just be strCommand[0] = "ls". However, what I'm still puzzled about is, as indicated by another reader, the security problem related to this. Everyone programming webapps for a server basically has root rights on this machine, at least with the default settings. Any suggestions how to get around this or where to start reading?

    // needs: import java.io.IOException;
    private static void doSyscommand(String[] strCommand) {
        Process p;
        try {
            // array form: each element is one argv entry, no shell is involved
            p = Runtime.getRuntime().exec(strCommand);
            p.waitFor();
        } catch (IOException e) {
            System.err.println(e.getMessage());
        } catch (InterruptedException e) {
            System.err.println("Interrupted Exception raised: " + e.getMessage());
        }
    }

-----Original Message-----
From: Richard Wong [mailto:[EMAIL PROTECTED]]
Sent: 15 November 2002 05:42 AM
To: [EMAIL PROTECTED]
Subject: RE: System call problem on Tomcat

> We are still stuck with the problem. Can someone kindly help?
>
> -----Original Message-----
> From: Richard Wong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 12, 2002 10:35 PM
> To: [EMAIL PROTECTED]
> Subject: System call problem on Tomcat
>
> Dear Sir/Madam,
>
> I have written a servlet that will make a system call using the following statement:
>
>     Runtime.getRuntime().exec("ls");
>
> The servlet failed (it even caused tomcat to shut down) and the following error occurs:
>
>     StandardServer.await: accept: java.net.SocketException: Interrupted system call
>     java.net.SocketException: Interrupted system call
>         at java.net.PlainSocketImpl.socketAccept(Native Method)
>         at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:463)
>         at java.net.ServerSocket.implAccept(ServerSocket.java:238)
>         at java.net.ServerSocket.accept(ServerSocket.java:217)
>         at org.apache.catalina.core.StandardServer.await(StandardServer.java:293)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:794)
>         at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
>         at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
>         at java.lang.reflect.Method.invoke(Native Method)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
>
> I have tried several simple Linux commands and I get the same problem (eg. sleep 1). Can anyone help?
>
> The system is running on Redhat 7.2, tomcat 4.0.4 and Java 1.3.1.
>
> Regards,
> Richard.

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
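The array form of exec shown above keeps the shell out of the picture, but the child still runs with the privileges of the Tomcat process, which is the concern raised in this message. The class below is an added example (my code, not code from the thread) of how a webapp can narrow that: only commands from a fixed allowlist can run, the caller supplies a lookup key rather than an argument string, the child's output is drained and bounded so the call cannot hang or exhaust memory, and a slow child is killed. The allowlist contents and ProcessBuilder (which postdates the Java 1.3 in the thread) are assumptions; it targets Java 8 or later.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * Added example, not code from the thread: a restricted replacement for the
 * doSyscommand() wrapper. Only commands on a fixed allowlist can run, each
 * argv element is passed through unchanged (no shell, so no metacharacter
 * expansion), output is drained and capped, and a slow child is killed.
 */
public final class RestrictedExec {

    /** Allowlist: logical name -> fixed argv. Assumed contents for the example. */
    private static final Map<String, List<String>> ALLOWED;
    static {
        Map<String, List<String>> m = new HashMap<>();
        m.put("list-reports", Arrays.asList("/bin/ls", "-al", "/var/reports"));
        m.put("disk-usage", Arrays.asList("/bin/df", "-h"));
        ALLOWED = Collections.unmodifiableMap(m);
    }

    private static final int MAX_OUTPUT_BYTES = 64 * 1024;
    private static final long TIMEOUT_SECONDS = 10;

    /** Outcome of a finished child: exit status plus merged stdout/stderr. */
    public static final class Result {
        public final int exitCode;
        public final String output;
        Result(int exitCode, String output) { this.exitCode = exitCode; this.output = output; }
    }

    /**
     * Runs the allowlisted command with the given name. The name is only used
     * as a map key, never parsed, so callers cannot add arguments of their own.
     */
    public static Result run(String name) throws IOException, InterruptedException {
        List<String> argv = ALLOWED.get(name);
        if (argv == null) {
            throw new IllegalArgumentException("command not allowed: " + name);
        }
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.redirectErrorStream(true);      // one pipe to drain instead of two
        Process p = pb.start();
        p.getOutputStream().close();       // the child gets no stdin

        // Drain in a separate thread: calling waitFor() first can deadlock once
        // the pipe buffer fills, and the cap stops a chatty child from exhausting memory.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        IOException[] drainError = new IOException[1];
        Thread drain = new Thread(() -> {
            try (InputStream in = p.getInputStream()) {
                byte[] chunk = new byte[4096];
                int n;
                while ((n = in.read(chunk)) != -1) {
                    if (buf.size() + n > MAX_OUTPUT_BYTES) {
                        drainError[0] = new IOException("output limit exceeded for " + name);
                        p.destroyForcibly();
                        return;
                    }
                    buf.write(chunk, 0, n);
                }
            } catch (IOException e) {
                drainError[0] = e;
            }
        });
        drain.setDaemon(true);
        drain.start();

        boolean finished = p.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS);
        if (!finished) {
            p.destroyForcibly();
            p.waitFor();
        }
        drain.join();
        if (drainError[0] != null) {
            throw drainError[0];
        }
        if (!finished) {
            throw new IOException("timeout running " + name);
        }
        return new Result(p.exitValue(), new String(buf.toByteArray(), StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Result r = run("disk-usage");
        System.out.println("exit=" + r.exitCode);
        System.out.print(r.output);
        try {
            run("whoami");                 // not an allowlist key, so it is refused
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Two further points belong with this. Runtime.exec and ProcessBuilder.start go through SecurityManager.checkExec, which requires a java.io.FilePermission with the "execute" action, and Tomcat's default catalina.policy does not grant that to web applications, so with the SecurityManager enabled the call is refused before any process starts. And whatever the wrapper allows still runs as the user Tomcat runs as, so running the container as an unprivileged account is the part no Java code can substitute for.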
Re: tomcat security issue
SecurityManager permission problems are much easier to debug if you start tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string "denied". Then review the stack trace and the ProtectionDomain which failed.

Regards,

Glenn

[EMAIL PROTECTED] wrote:
> yes, the factoryLoaderServlet is defined. Too complex an issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day

--
To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: tomcat security issue
I wish I could see some log files. The only file that seems to be active is catalina.out. Any assistance in this matter would be appreciated. Here is the entry for the service:

    <Service name="Tomcat-Apache13">
      <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
                 port="8009" address="127.0.0.1" minProcessors="5" maxProcessors="75"
                 enableLookups="true" appBase="webapps" acceptCount="10" debug="0"/>
      <!-- Replace localhost with what your Apache ServerName is set to -->
      <Engine className="org.apache.catalina.connector.warp.WarpEngine"
              name="Apache - Tomcat4" defaultHost="defaultHost" debug="0">
        <!-- This next line brings in the file that includes the various host containers -->
        <!-- attribute name corrected from "appbase" as posted -->
        <Host name="defaultHost" appBase="/var/www/html">
          <Context path="" docBase=""/>
        </Host>
        <Host name="domain" appBase="/home/virtual/site1/fst/var/www/html">
          <Alias>domain</Alias>
          <!-- Global logger unless overridden at lower levels -->
          <Logger className="org.apache.catalina.logger.FileLogger"
                  directory="/home/virtual/site1/fst/var/log"
                  prefix="alvolo_tomcat." timestamp="true"/>
          <Realm className="org.apache.catalina.realm.MemoryRealm"/>
          <!-- attribute name corrected from "priviledged" as posted -->
          <Context path="" docBase="/home/virtual/site1/fst/var/www/html"
                   privileged="true" reloadable="true">
            <Resource name="jdbc/MySQL/AlVolo" auth="Container"
                      type="javax.sql.DataSource"/>
            <ResourceParams name="jdbc/MySQL/AlVolo">
              <parameter>
                <name>driverClassName</name>
                <value>org.gjt.mm.mysql.Driver</value>
              </parameter>
              <parameter>
                <name>driverName</name>
                <value>jdbc:mysql://localhost/alvolo</value>
              </parameter>
            </ResourceParams>
          </Context>
        </Host>
      </Engine>
    </Service>

kind regards
Warren

On Thursday, Oct 24, 2002, at 10:19 Etc/GMT, Glenn Nielsen wrote:
> SecurityManager permission problems are much easier to debug if you start tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string "denied". Then review the stack trace and the ProtectionDomain which failed.
>
> Regards,
>
> Glenn
>
> [EMAIL PROTECTED] wrote:
> > yes, the factoryLoaderServlet is defined. Too complex an issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day
tomcat security issue
I have the following exception thrown when attempting to access tomcat app resources:

    WarpEngine[Apache - Tomcat4]: Mapping request
    Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
    java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)
    StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher

Does anybody have any suggestions as to how to attack this issue?

Kind regards
Warren
Re: tomcat security issue
Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get access to org.apache.catalina.core.ApplicationDispatcher? That's the normal behaviour if your answer is yes. Tomcat internal classes are protected against package access/insertion. If you really want to use that class, add the following to your catalina.policy file under

    // These permissions are granted by default to all web applications
    // In addition, a web application will be given a read FilePermission
    // and JndiPermission for all files and directories in its document root.
    grant {
        [...]
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
    }

or do not use the SecurityManager. *But* remember you are opening the Tomcat core classes to all web applications, and this is potentially a *security risk*. Also, your application is not portable across different Servlet Containers when doing that.

-- Jeanfrancois

[EMAIL PROTECTED] wrote:
> I have the following exception thrown when attempting to access tomcat app resources:
>
>     WarpEngine[Apache - Tomcat4]: Mapping request
>     Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>     java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>         [...]
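The grant block Jeanfrancois posts has no codeBase clause, which is exactly why he calls it a risk: it applies to every code source the policy sees. As an added example (my code, not from the thread or from Tomcat), the program below feeds three policy texts through the standard java.security.Policy provider and asks, for two different webapp code sources, whether each policy grants the RuntimePermission named in Warren's AccessControlException: the grant as posted, the same grant with the exact package name, and a grant limited to one webapp's codeBase. The webapp paths are assumptions; the Policy API is deprecated on recent JDKs and this check runs on Java 8 through 21.

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Added example, not code from the thread: checks which code sources a
 * catalina.policy grant actually covers before the grant goes into production.
 */
public final class PolicyScopeCheck {

    /** The permission named in the AccessControlException from the thread. */
    static final Permission CATALINA_CORE =
            new RuntimePermission("accessClassInPackage.org.apache.catalina.core");

    /** The grant as posted: no codeBase, so every code source gets it. */
    static final String POSTED_POLICY =
            "grant {\n"
            + "  permission java.lang.RuntimePermission \"accessClassInPackage.org.apache.catalina.core.*\";\n"
            + "};\n";

    /** Exact package name, still granted to all code. */
    static final String OPEN_POLICY =
            "grant {\n"
            + "  permission java.lang.RuntimePermission \"accessClassInPackage.org.apache.catalina.core\";\n"
            + "};\n";

    /** Exact package name, granted only to one webapp's classes (assumed path). */
    static final String SCOPED_POLICY =
            "grant codeBase \"file:/var/tomcat/webapps/alvolo/-\" {\n"
            + "  permission java.lang.RuntimePermission \"accessClassInPackage.org.apache.catalina.core\";\n"
            + "};\n";

    /** Parses policy text with the same provider that reads catalina.policy. */
    static Policy load(String policyText) throws Exception {
        Path f = Files.createTempFile("check", ".policy");
        f.toFile().deleteOnExit();
        Files.write(f, policyText.getBytes(StandardCharsets.UTF_8));
        return Policy.getInstance("JavaPolicy", new URIParameter(f.toUri()));
    }

    /** Would code loaded from this URL be granted the catalina.core permission? */
    static boolean grants(Policy policy, String codeBaseUrl) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBaseUrl), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), CATALINA_CORE);
    }

    public static void main(String[] args) throws Exception {
        // Assumed code sources: the webapp that needs the dispatcher, and any other one.
        String alvolo = "file:/var/tomcat/webapps/alvolo/WEB-INF/classes/";
        String other = "file:/var/tomcat/webapps/other/WEB-INF/classes/";
        String[][] cases = {
            {"posted (.* wildcard, all code)", POSTED_POLICY},
            {"open (exact name, all code)", OPEN_POLICY},
            {"scoped (exact name, alvolo only)", SCOPED_POLICY},
        };
        for (String[] c : cases) {
            Policy p = load(c[1]);
            System.out.printf("%-34s alvolo=%-5s other=%s%n",
                    c[0], grants(p, alvolo), grants(p, other));
        }
    }
}
```

The run shows the open grant answering true for both code sources and the scoped grant answering true only for the alvolo path. It also shows the posted form answering false for both: a BasicPermission name ending in ".*" matches names with a further component (accessClassInPackage.org.apache.catalina.core.something) but not the bare name that checkPackageAccess asks for, so the wildcard as written does not grant what the exception names. Grants that need catalina.core should carry the exact package name and a codeBase pointing at the one webapp that needs it.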
Re: tomcat security issue
thanks for the reply. my code that seems to cause the problem is as follows:

    HttpSession session = request.getSession();
    session.setAttribute("customerProfile", new Profile());
    session.setAttribute("loggedIn", new Boolean(false));
    session.setAttribute("customerOrder", new Order());

    RequestDispatcher dispatcher = null;
    String destination = "factoryLoaderServlet";
    try {
        dispatcher = this.getServletContext().getNamedDispatcher(destination);
        // getNamedDispatcher returns null when no servlet has that name
        if (dispatcher == null) {
            throw new ServletException("No servlet named " + destination);
        }
        this.log("Including destination = " + destination);
        dispatcher.include(request, response);
    } catch (ServletException exception) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log("Servlet threw an exception when attempting to forward to " + destination, exception);
        throw exception;
    } catch (IOException exception) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log("Servlet threw an exception when attempting to forward to " + destination, exception);
        throw exception;
    }

I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen from the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.

I have included the permission as you suggested but still get the following message in the browser (even though the previous stack trace is not output to the catalina.out file any longer):

    root cause
    java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)
Re: tomcat security issue
If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml?

-- Jeanfrancois

[EMAIL PROTECTED] wrote:
> thanks for the reply. my code that seems to cause the problem is as follows:
>
> [...]
>
> I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen from the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.
>
> I have included the permission as you suggested but still get the following message in the browser (even though the previous stack trace is not output to the catalina.out file any longer):
>
>     root cause
>     java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>         [...]
Re: tomcat security issue
yes, the factoryLoaderServlet is defined. Too complex an issue currently to restart without SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day

Warren

On Wednesday, October 23, 2002, at 04:19 PM, Jean-Francois Arcand wrote:
> If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml?
>
> -- Jeanfrancois
>
> [EMAIL PROTECTED] wrote:
> > thanks for the reply. my code that seems to cause the problem is as follows:
> >
> > [...]
> >
> > I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen from the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.
> >
> > I have included the permission as you suggested but still get the following message in the browser (even though the previous stack trace is not output to the catalina.out file any longer):
> >
> >     root cause
> >     java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
> >         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
> >         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
> >         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
> >         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
> >         [...]
Re: Apache/Tomcat security issue -- URGENT
I didn't get any responses, so I'm reposting with some summary. I'm pretty sure somebody might have a solution for this.

Summary: Is it possible to protect a resource in a particular folder which is under a web application context? By protection I mean, only my application has to use that resource, and if anybody else accesses it manually he must either get access denied or a dialog box with username and password. Please see below for more details.

Thanks.
-Surya

----- Original Message -----
From: Surya Suravarapu [EMAIL PROTECTED]
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000. I've a context called WebApp whose docBase=E:\WebApp. So, when I point my browser to http://localhost/WebApp/main it will take me to the login screen of the application.
>
> There is a folder called Reports in my E:\WebApp. Some part of my application is using Response.sendRedirect() and displaying the requested file (from the Reports folder) to the browser. That's fine.
>
> I want to show the files from that folder only through the application, and I have to configure my web server in such a way that it denies requests if a user enters the file name manually like http://localhost/WebApp/Reports/some-file.xls.
>
> Please help me if you have a solution for this.
>
> Thanks.
> -Surya

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: Apache/Tomcat security issue -- URGENT
I had a similar problem. I kept the files out of the webapps folder. I wrote a servlet that checks the username before serving up the file. If the user has access to the file then it sends it, otherwise it blocks access.

Hamish

-----Original Message-----
From: Surya Suravarapu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 1:18 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat security issue -- URGENT

> I didn't get any responses, so I'm reposting with some summary. I'm pretty sure somebody might have a solution for this.
>
> Summary: Is it possible to protect a resource in a particular folder which is under a web application context? By protection I mean, only my application has to use that resource, and if anybody else accesses it manually he must either get access denied or a dialog box with username and password. Please see below for more details.
>
> Thanks.
> -Surya
>
> [...]
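Hamish's approach above, as an added example (my code, not from the thread): a servlet that serves report files kept outside the web application's document root, so neither Apache nor Tomcat will ever map a URL such as /WebApp/Reports/some-file.xls straight to a file, and that checks the logged-in user before streaming one. The report directory, the authorization rule (each user may read only the files in a subdirectory named after them), the /reports/* mapping and the javax.servlet package are assumptions; the normalized-path and real-path checks are what stop a request like ../ or a planted symlink from reaching anything outside that subdirectory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the thread. Serves /reports/<name> from a
 * directory outside every docBase, after checking the container-authenticated
 * user. Assumed rule: a user may read only files under REPORT_ROOT/<user>/.
 */
public class ReportServlet extends HttpServlet {

    // Assumed location; deliberately not under E:\WebApp or any other docBase.
    private static final Path REPORT_ROOT = Paths.get("/srv/reports").toAbsolutePath().normalize();

    /**
     * Returns the real path the user may read, or null if the request is not
     * allowed. Kept apart from doGet so the rule can be unit tested.
     */
    static Path resolveAllowed(String user, String requested) throws IOException {
        if (user == null || user.isEmpty() || requested == null || requested.isEmpty()) {
            return null;
        }
        Path userDir = REPORT_ROOT.resolve(user).normalize();
        if (!REPORT_ROOT.equals(userDir.getParent())) {
            return null;                               // user name itself contained a path
        }
        // Lexical check first: "../x" and absolute names leave userDir after normalize().
        Path candidate = userDir.resolve(requested).normalize();
        if (!candidate.startsWith(userDir) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // Then the real path, so a symlink inside the tree cannot point outside it.
        Path real = candidate.toRealPath();
        return real.startsWith(userDir.toRealPath()) ? real : null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getRemoteUser();            // set by container-managed login
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // With a mapping of /reports/*, getPathInfo() is "/<name>".
        String pathInfo = request.getPathInfo();
        String name = (pathInfo == null || pathInfo.length() < 2) ? null : pathInfo.substring(1);

        Path file = resolveAllowed(user, name);
        if (file == null) {
            // One answer for "not yours" and "does not exist": no probing of the tree.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String fileName = file.getFileName().toString();
        String type = getServletContext().getMimeType(fileName);
        response.setContentType(type != null ? type : "application/octet-stream");
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + fileName.replace("\"", "") + "\"");
        response.setHeader("Cache-Control", "private, no-store");
        response.setContentLengthLong(Files.size(file));  // Servlet 3.1 or later

        try (InputStream in = Files.newInputStream(file);
             OutputStream out = response.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

The servlet replaces the Response.sendRedirect() in Surya's description: instead of redirecting the browser to a URL that the web server will also happily serve on its own, the application reads the file itself and only after it has decided the caller is allowed to see it. Because the files live outside the docBase, there is no second path to them for the access check to be bypassed on.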
Re: Apache/Tomcat security issue -- URGENT
This is sort of easy... of course you run your site through Apache... which in turn does this:

    deny from all

for somedirectory. In your application or code... include something from somedirectory.

todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site

Surya Suravarapu wrote:
> I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000. I've a context called WebApp whose docBase=E:\WebApp. So, when I point my browser to http://localhost/WebApp/main it will take me to the login screen of the application.
>
> There is a folder called Reports in my E:\WebApp. Some part of my application is using Response.sendRedirect() and displaying the requested file (from the Reports folder) to the browser. That's fine.
>
> I want to show the files from that folder only through the application, and I have to configure my web server in such a way that it denies requests if a user enters the file name manually like http://localhost/WebApp/Reports/some-file.xls.
>
> Please help me if you have a solution for this.
>
> Thanks.
> -Surya
Apache/Tomcat security issue -- URGENT
I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000. I've a context called WebApp whose docBase=E:\WebApp. So, when I point my browser to http://localhost/WebApp/main it will take me to the login screen of the application.

There is a folder called Reports in my E:\WebApp. Some part of my application is using Response.sendRedirect() and displaying the requested file (from the Reports folder) to the browser. That's fine.

I want to show the files from that folder only through the application, and I have to configure my web server in such a way that it denies requests if a user enters the file name manually like http://localhost/WebApp/Reports/some-file.xls.

Please help me if you have a solution for this.

Thanks.
-Surya