Re: Filters, Security, Tomcat and Configuration

2006-11-17 Thread James Crosson 
Thanks for your kind reply. I am having a bear of a time figuring out why  
I can't compile my filter. It is giving me the simple java error:


com\x\view\filters\AccountFilter2.java:20: cannot find symbol
symbol  : method getURI()
location: interface javax.servlet.http.HttpServletRequest
  String URI = ((HttpServletRequest)request).getURI();


I've quadruple checked what I'm including:

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

Any idea what my deal could be? My classpath includes the main class  
tomcat's servlet-api.jar and I'm also tried including servlet.jar to no  
avail.


James


On Thu, 16 Nov 2006 16:05:43 -0500, Christopher Schultz  
[EMAIL PROTECTED] wrote:



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

James,

James Crosson wrote:

I believe that a url-pattern strategy will be more trouble than it is
worth beacuse it seems you can't pass a regular expression, but so far I
have not been able to nail down a Filter.


Filters are really the way to go, here, and they're relatively easy to
write and use. First, you have to write your filter, which is pretty
simple, right?

public class BadURLFilter
   implements Filter
{
   public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
 throws IOException, ServletException
   {
  // Check the URL -- need an HttpServletRequest for that
  if(request instanceof HttpServletRequest)
  {
  String URI = ((HttpServletRequest)request).getURI();

  // Bomb if there is a bad URI
  if(URI.contains(..))
  {
  // Not sure what you want to do here.

  ((HttpServletResponse)response)
.sendError(HttpServletResponse.SC_FORBIDDEN);

  return;
  }
  }

  chain.doFilter(request, response);
   }
}


That's the simplest filter that could possibly work. A few things to
consider:

1. What do you want to do when you find a bad URL. I simply
   return a 403 FORBIDDEN status code.
2. Are there any URIs that might be okay to contain ..?
   For instance, if you have a servlet that uses the extra
   path info to do something might allow a URI to contain
   .., in which case this filter will break your app.

I hope that can get you started.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXNKn9CaO5/Lv0PARAp9QAJ96nP3rLSMlmO8+4I9ALz7ikHi6OACfSKnm
2oXR665ulKq5ePCON3C2RAI=
=GJPM
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
http://www.JamesCrosson.net

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Filters, Security, Tomcat and Configuration

2006-11-17 Thread James Crosson 

Thanks so much for your help.

The reason for the error is beacuse the method is called getRequestURI. I
figured it out shortly after posting. Sorry to post too much.
James


On 11/17/06, Gregor Schneider [EMAIL PROTECTED] wrote:


Actually I doubt that you've got the file servlet-api.jar in your
classpath - it wouldn't come up with such an error-message than.

You might want to use an antscript to compile your servlet, here's a
snippet from mine:

   target name=compile depends=init description=compile servlet

   delete dir=${servletDir}/${build} failonerror=false/
   mkdir dir=${servletDir}/${build}/
   path id=java.classpath
   fileset file=${tomcatDir}/${servletAPI}/
   /path
   echo message=compiling using javac version ${
ant.java.version}/
   javac  srcdir=${servletDir}/${src}
   destdir=${servletDir}/${build}
   compiler=javac1.4
   memoryInitialSize=512M
   memoryMaximumSize=2048M
   debug=true
   debuglevel=${DEBUGLEVEL}
   verbose=false
   fork=false
   classpath refid=java.classpath/
   /javac
   /target

hth

greg
--
what's puzzlin' you, is the nature of my game

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Filters, Security, Tomcat and Configuration

2006-11-16 Thread James Crosson 

Greetings,

I am attempting to configure Tomcat (5.5.9) to disregard URL requests that  
contain ../ and similar high-risk expressions. So far I have been  
unsuccesful. I recognize two possibilities here:


A. Use url-pattern in the web.xml to identify this URL and disregard it
B. Configure a filter that intercepts requests and dissects the URL.

I am wondering if anybody has had experience using Tomcat in this manner,  
and if there may be some examples, working filters/strategies that I could  
view to get me going.


I believe that a url-pattern strategy will be more trouble than it is  
worth beacuse it seems you can't pass a regular expression, but so far I  
have not been able to nail down a Filter.


James Crosson

---
[EMAIL PROTECTED]
Google Talk: James Crosson



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]