RE: System call problem on Tomcat /security issue

2002-11-14 Thread Uwe Kolsch
How do you actually execute the system call? I normally use it as printed
below (on Tomcat 4.0x, Apache 1.3x, Redhat 6/7/8) and it works just fine.
String[] strCommand contains the single elements of the call, so "ls -al"
would be strCommand[0] = "ls", strCommand[1] = "-al", while "ls" obviously
would just be strCommand[0] = "ls". However, what I'm still puzzled about
is, as indicated by another reader, the security problem related to this.
Everyone programming webapps for a server has basically root rights on this
machine, at least with the default settings. Any suggestions on how to get
around this or where to start reading?


  import java.io.IOException;

  // Runs an external command: strCommand[0] is the program, the rest are its arguments.
  private static void doSyscommand(String[] strCommand) {
    Process p;
    try {
      p = Runtime.getRuntime().exec(strCommand);
      // Note: if the child writes more to stdout/stderr than the pipe buffer holds
      // and nothing reads it, waitFor() blocks until the output is drained.
      p.waitFor();
    } catch (IOException e) {
      System.err.println(e.getMessage());
    } catch (InterruptedException e) {
      System.err.println("Interrupted Exception raised: " + e.getMessage());
    }
  }


-Original Message-
From: Richard Wong [mailto:[EMAIL PROTECTED]]
Sent: 15 November 2002 05:42 AM
To: [EMAIL PROTECTED]
Subject: RE: System call problem on Tomcat


We are still stuck with the problem.  Can someone kindly help?

-Original Message-
From: Richard Wong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 12, 2002 10:35 PM
To: [EMAIL PROTECTED]
Subject: System call problem on Tomcat


Dear Sir/Madam,

  I have written a servlet that will make a system call using the following
statement:
 Runtime.getRuntime().exec("ls");

  The servlet failed (it even caused Tomcat to shut down) and the following
error occurs:

StandardServer.await: accept: java.net.SocketException: Interrupted system call
java.net.SocketException: Interrupted system call
        at java.net.PlainSocketImpl.socketAccept(Native Method)
        at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:463)
        at java.net.ServerSocket.implAccept(ServerSocket.java:238)
        at java.net.ServerSocket.accept(ServerSocket.java:217)
        at org.apache.catalina.core.StandardServer.await(StandardServer.java:293)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:794)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

I have tried several simple Linux commands and I get the same
problem (e.g. sleep 1).  Can anyone help?

The system is running on Redhat 7.2, tomcat 4.0.4 and Java 1.3.1.

Regards,
Richard.


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: tomcat security issue

2002-10-24 Thread Glenn Nielsen
SecurityManager permission problems are much easier to debug if you start Tomcat
with the -Djava.security.debug=access,failure property defined, then
check your logs for the string "denied".  Then review the stack trace
and the ProtectionDomain which failed.

Regards,

Glenn

[EMAIL PROTECTED] wrote:

Yes, the factoryLoaderServlet is defined.

Too complex an issue currently to restart without the SecurityManager.
May be able to do it overnight.  Other dependent apps need to be up during
the day.







Re: tomcat security issue

2002-10-24 Thread Warren Sweetman
I wish I could see some log files.  The only file that seems to be active
is catalina.out.

Any assistance in this matter would be appreciated.

Here is the entry for the service:

  <Service name="Tomcat-Apache13">

    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" address="127.0.0.1" minProcessors="5"
               maxProcessors="75"
               enableLookups="true" appBase="webapps"
               acceptCount="10" debug="0"/>

    <!-- Replace localhost with what your Apache ServerName is set to -->
    <Engine className="org.apache.catalina.connector.warp.WarpEngine"
            name="Apache - Tomcat4" defaultHost="defaultHost" debug="0">

      <!-- This next line brings in the file that includes the various host containers -->

      <!-- posted as appbase="..."; Tomcat's Host attribute is appBase -->
      <Host name="defaultHost" appBase="/var/www/html">
        <Context path="" docBase=""/>
      </Host>

      <Host name="domain"
            appBase="/home/virtual/site1/fst/var/www/html">

        <Alias>domain</Alias>
        <!-- Global logger unless overridden at lower levels -->
        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="/home/virtual/site1/fst/var/log"
                prefix="alvolo_tomcat."
                timestamp="true"/>

        <Realm className="org.apache.catalina.realm.MemoryRealm"/>

        <!-- posted as priviledged="true"; Tomcat's Context attribute is privileged -->
        <Context path=""
                 docBase="/home/virtual/site1/fst/var/www/html"
                 privileged="true"
                 reloadable="true">
          <Resource name="jdbc/MySQL/AlVolo" auth="Container"
                    type="javax.sql.DataSource"/>
          <ResourceParams name="jdbc/MySQL/AlVolo">
            <parameter>
              <name>driverClassName</name>
              <value>org.gjt.mm.mysql.Driver</value>
            </parameter>
            <parameter>
              <name>driverName</name>
              <value>jdbc:mysql://localhost/alvolo</value>
            </parameter>
          </ResourceParams>
        </Context>
      </Host>

    </Engine>

  </Service>


kind regards

Warren





tomcat security issue

2002-10-23 Thread wsweetman
I have the following exception thrown when attempting to access Tomcat
app resources:

WarpEngine[Apache - Tomcat4]: Mapping request
Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)
StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher


Does anybody have any suggestions as to how to attack this issue?

Kind regards

Warren





Re: tomcat security issue

2002-10-23 Thread Jean-Francois Arcand
Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get access 
to org.apache.catalina.core.ApplicationDispatcher? If your answer is yes, that's 
the normal behaviour. Tomcat internal classes are protected 
against package access/insertion. If you really want to use that class, 
add the following to your catalina.policy file under

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
   [...]
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";

};

or do not use the SecurityManager.

*But* remember you are opening the Tomcat core classes to all web 
applications, and this is potentially a *security risk*. Also, your 
application is not portable across different Servlet Containers when 
doing that.

-- Jeanfrancois
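A narrower alternative to the global grant block quoted above, added here as an illustration and not taken from the thread or from Tomcat's shipped catalina.policy: the permission is tied to one web application's codeBase (the path webapps/alvolo is a placeholder) instead of being handed to every webapp. The FilePermission lines tie back to Uwe Kolsch's Runtime.exec() question at the top of the page; under the SecurityManager, exec() is checked through SecurityManager.checkExec(), and the default web-application grant includes no "execute" permission.

```text
// Added example (not from the thread). Applies only to classes loaded from
// ONE web application, not to every webapp on the server. Path is a placeholder.
grant codeBase "file:${catalina.home}/webapps/alvolo/WEB-INF/-" {

    // Exactly the name from the AccessControlException above. Note the
    // BasicPermission wildcard rule: "a.b.*" implies "a.b.c" but NOT "a.b",
    // so a grant ending in "core.*" covers sub-packages only, not core itself.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";

    // Runtime.exec() is checked via SecurityManager.checkExec():
    //   exec("ls")      -> FilePermission "<<ALL FILES>>", "execute"  (relative command)
    //   exec("/bin/ls") -> FilePermission "/bin/ls", "execute"        (absolute command)
    // Grant the absolute form only, and only for the binaries the app really runs.
    permission java.io.FilePermission "/bin/ls", "execute";
};
```

Start Tomcat with -Djava.security.debug=access,failure, as Glenn Nielsen suggests above, to confirm which ProtectionDomain the grant does or does not match.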


Re: tomcat security issue

2002-10-23 Thread wsweetman
thanks for the reply

my code that seems to cause the problem is as follows:

// Method name taken from the stack trace; the signature and imports are assumed.
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

private void initialiseSession( HttpServletRequest request, HttpServletResponse response )
        throws ServletException, IOException {
    HttpSession session = request.getSession();
    session.setAttribute( "customerProfile", new Profile() );
    session.setAttribute( "loggedIn", new Boolean( false ) );
    session.setAttribute( "customerOrder", new Order() );
    RequestDispatcher dispatcher = null;
    String destination = "factoryLoaderServlet";
    try{
        dispatcher = this.getServletContext().getNamedDispatcher( destination );
        this.log( "Including destination = " + destination );
        dispatcher.include( request, response );
    }
    catch( ServletException exception ){
        //The error needs to be logged; may have to redirect to a page
        //that requests the user to return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    }
    catch( IOException exception ){
        //The error needs to be logged; may have to redirect to a page
        //that requests the user to return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    }
}


I am unwilling to get rid of the SecurityManager due to this being a  
public site.  As can be seen from the stack trace, the call to  
getNamedDispatcher eventually causes the ApplicationDispatcher class to  
be called, but it is not being called from my code explicitly.  I have  
included the permission as you suggested but still get the following  
message in the browser (even though the previous stack trace is no longer  
output to the catalina.out file):

root cause
java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
	at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
	at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
	at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
	at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
	at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
	at java.lang.Thread.run(Thread.java:536)



Re: tomcat security issue

2002-10-23 Thread Jean-Francois Arcand
If you run the same code without the SecurityManager, do you get the 
same exception? Is the factoryLoaderServlet defined in your web.xml?

-- Jeanfrancois


Re: tomcat security issue

2002-10-23 Thread wsweetman
Yes, the factoryLoaderServlet is defined.

Too complex an issue currently to restart without the SecurityManager.
May be able to do it overnight.  Other dependent apps need to be up during
the day.

Warren

Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Surya Suravarapu

I didn't get any responses, so I'm reposting with some summary. I'm 
pretty sure somebody might have a solution for this.

Summary:
Is it possible to protect a resource in a particular folder which is 
under the web application context? By protection I mean, only my 
application has to use that resource, and if anybody else accesses it 
manually he must either get "access denied" or a dialog box with 
username and password.

Please see below for more details.

Thanks.
-Surya

- Original Message -
From: Surya Suravarapu [EMAIL PROTECTED]
Date: Wednesday, March 20, 2002 8:57 pm
Subject: Apache/Tomcat security issue -- URGENT

 I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
 
 I've a context called WebApp whose docBase=E:\WebApp. So, when I 
 point my browser to http://localhost/WebApp/main it will take me to the 
 login screen of the application.
 
 There is a folder called Reports in my E:\WebApp. Some part of my 
 application is using Response.sendRedirect() and displaying the 
 requested file (from the Reports folder) to the browser. That's fine. I 
 want to show the files from that folder only through the application 
 and I have to configure my web server in such a way that it denies 
 requests if a User enters the file name manually like 
 http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
 have a solution for this.
 
 Thanks.
 -Surya
 
 




RE: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread Barney Hamish

I had a similar problem. I kept the files out of the webapps folder. I wrote
a servlet that checks the username before serving up the file. If the user
has access to the file then it sends it otherwise it blocks access.

Hamish
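One way to implement Hamish's approach, written here as an added example rather than his or the application's code: the report files live outside the webapp's docBase, so Tomcat's default servlet can never serve them; a servlet (assumed to be mapped to /reports/* in web.xml, with an init-param "reportDir" and a role named "reports", all assumptions) checks the container-authenticated user and then canonicalises the requested name so ".." or an absolute path cannot escape the directory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread). Serves report files that live OUTSIDE
 * the webapp's docBase, so they are never reachable as static resources.
 * Access requires a container-authenticated user in the "reports" role
 * (assumed role name), and the requested name is kept inside reportDir.
 * Assumed web.xml mapping: /reports/*; assumed init-param: reportDir.
 */
public class ReportServlet extends HttpServlet {

    /** Canonical path of the directory holding the reports (outside docBase). */
    private File reportDir;

    public void init() throws ServletException {
        String dir = getInitParameter("reportDir");
        if (dir == null) {
            throw new ServletException("init-param reportDir is required");
        }
        try {
            reportDir = new File(dir).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException("cannot resolve reportDir", e);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Authentication and authorisation come from the container's realm
        //    (a <security-constraint> on /reports/* forces the login first).
        Principal user = request.getUserPrincipal();
        if (user == null || !request.isUserInRole("reports")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Resolve the name after the mapping (e.g. "/2002/q1.xls") and refuse
        //    anything whose canonical form lies outside reportDir.
        File target = resolveInside(reportDir, request.getPathInfo());
        if (target == null || !target.isFile()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 3. Stream the file; the Content-Type comes from the container's mime mapping.
        String mime = getServletContext().getMimeType(target.getName());
        response.setContentType(mime != null ? mime : "application/octet-stream");
        response.setContentLength((int) target.length());
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }

    /**
     * Returns the canonical file for base/name, or null when the result would
     * lie outside base (".." segments, absolute paths, symlinks pointing out).
     * getCanonicalFile() resolves ".." and symlinks before the prefix check.
     */
    static File resolveInside(File base, String name) throws IOException {
        if (name == null || name.length() == 0) {
            return null;
        }
        File f = new File(base, name).getCanonicalFile();
        String prefix = base.getCanonicalPath() + File.separator;
        if (!f.getPath().startsWith(prefix)) {
            return null;
        }
        return f;
    }
}
```

Because the directory is outside docBase, a URL such as /WebApp/Reports/some-file.xls no longer maps to anything, and the only path to the file is through this servlet's checks.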





Re: Apache/Tomcat security issue -- URGENT

2002-03-21 Thread todd tredeau

This is sort of easy... of course you run your site through Apache... 
which in turn does this connection

deny from all somedirectory

in your application or code...

include something from somedirectory

todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site





Apache/Tomcat security issue -- URGENT

2002-03-20 Thread Surya Suravarapu

I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.

I've a context called WebApp whose docBase=E:\WebApp. So, when I 
point my browser to http://localhost/WebApp/main it will take me to the 
login screen of the application.

There is a folder called Reports in my E:\WebApp. Some part of my 
application is using Response.sendRedirect() and displaying the 
requested file (from the Reports folder) to the browser. That's fine. I 
want to show the files from that folder only through the application 
and I have to configure my web server in such a way that it denies 
requests if a User enters the file name manually like 
http://localhost/WebApp/Reports/some-file.xls. Please help me if you 
have a solution for this.

Thanks.
-Surya

