Re: Tomcat Security Office Hours
On 01/03/2021 11:16, Rony G. Flatscher (Apache) wrote:
> On 24.02.2021 12:59, Mark Thomas wrote:
>> All,
>>
>> Inspired by this post [1] I am going to try an experiment with running
>> weekly office hours every Thursday.
>>
>> I'm going to start off by focussing on security. If there is anything
>> you'd like to discuss and/or provide feedback on and/or ask questions
>> about around Tomcat security then feel free to book a 20 min slot via:
>>
>> https://calendly.com/markt-asf
>>
>> Slots are available every Thursday. Booking a meeting should trigger a
>> Zoom invite for the requested slot.
>>
>> This is an experiment so the number of slots, timing of slots etc are
>> subject to change as the experiment progresses. If Tomcat security turns
>> out to be too narrow a focus, I'll open it up to anything Tomcat related.
>>
>> Mark
>>
>> [1] https://simonwillison.net/2021/Feb/19/office-hours/
>
> Just curious: how did it work out?

No-one booked a slot. Not sure if this was due to short notice, lack of interest or something else.

I'll keep the topic focussed on security for another week and if I still don't get any interest I'll open it up to anything Tomcat related.

Mark

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Security Office Hours
On 24.02.2021 12:59, Mark Thomas wrote:
> All,
>
> Inspired by this post [1] I am going to try an experiment with running
> weekly office hours every Thursday.
>
> I'm going to start off by focussing on security. If there is anything
> you'd like to discuss and/or provide feedback on and/or ask questions
> about around Tomcat security then feel free to book a 20 min slot via:
>
> https://calendly.com/markt-asf
>
> Slots are available every Thursday. Booking a meeting should trigger a
> Zoom invite for the requested slot.
>
> This is an experiment so the number of slots, timing of slots etc are
> subject to change as the experiment progresses. If Tomcat security turns
> out to be too narrow a focus, I'll open it up to anything Tomcat related.
>
> Mark
>
> [1] https://simonwillison.net/2021/Feb/19/office-hours/

Just curious: how did it work out?

---rony
Tomcat Security Office Hours
All,

Inspired by this post [1] I am going to try an experiment with running weekly office hours every Thursday.

I'm going to start off by focussing on security. If there is anything you'd like to discuss and/or provide feedback on and/or ask questions about around Tomcat security then feel free to book a 20 min slot via:

https://calendly.com/markt-asf

Slots are available every Thursday. Booking a meeting should trigger a Zoom invite for the requested slot.

This is an experiment so the number of slots, timing of slots etc are subject to change as the experiment progresses. If Tomcat security turns out to be too narrow a focus, I'll open it up to anything Tomcat related.

Mark

[1] https://simonwillison.net/2021/Feb/19/office-hours/
Re: Virtual event focussed on Tomcat Security
On 16/10/2020 14:21, Robert Hicks wrote:
> On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas wrote:
>
>> On 29/09/2020 12:25, Mark Thomas wrote:
>>> Hi all,
>>>
>>> We (the Tomcat community) have some funding from Google to help us
>>> improve Tomcat security. Our original plan was to use the funding to
>>> support an in-person security focussed hackathon. As you would expect,
>>> those plans are on hold for now. We would, therefore, like to explore
>>> the possibility of doing something virtually.
>>>
>>> The purpose of this email is to gather input from the community about
>>> what such an event should look like. With that input we can put together
>>> a plan for the event. So, over to you. What would your ideal virtual
>>> event focussed on Tomcat Security look like?
>>
>> Summarising the suggestions so far:
>> - application security / OWASP
>> - making HTTP requests *from* Tomcat
>> - SSO / SAML / OpenIDConnect
>>
>> The first two are more application security focussed and would not have
>> to be Tomcat specific.
>>
>> The third is more likely to be Tomcat specific depending on the extent to
>> which the SSO mechanism ties into Tomcat's internals.
>>
>> All the suggestions so far have been for conference like presentations
>> (if I am reading them correctly).
>>
>> Other possibilities:
>> - hackathon to implement (with support from committers) new security
>> features (no idea what these might be - suggestions welcome)
>>
>> - hackathon to run $tool_of_choice against Tomcat code base, review the
>> results and fix (with committer support) those that need fixing.
>> Suggestions as to tools to use welcome*
>>
>> Anything else you'd like to suggest that is related to Tomcat and security.
>>
>> There hasn't been any thought given to timing yet.
>>
>> Mark
>>
>> * I'll note that over the years most if not all of the major static
>> analysis tools have been run against the Tomcat code base and the
>> results have been very heavy on the false positives. Most of the work is
>> likely to be separating the few useful results from a lot of noise.
>
> Has a "when" been decided yet?

No. We need to talk to the ASF conferences team to see when the hopin platform will be available.

Mark

> Thanks,
>
> Bob
Re: Virtual event focussed on Tomcat Security
Mark,

On 10/15/20 14:01, Mark Thomas wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put together
>> a plan for the event. So, over to you. What would your ideal virtual
>> event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have
> to be Tomcat specific.
>
> The third is more likely to be Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.

I've built incoming single-legged SAML SSO into my own application without any external libraries, so I could lead a group to work on this kind of thing.

> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
> features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
> results and fix (with committer support) those that need fixing.
> Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.

+1

It's worth running new tools against Tomcat and then having many eyes look at the list to determine false-positives.

-chris
Re: Virtual event focussed on Tomcat Security
On Thu, Oct 15, 2020 at 2:01 PM Mark Thomas wrote:
> On 29/09/2020 12:25, Mark Thomas wrote:
> > Hi all,
> >
> > We (the Tomcat community) have some funding from Google to help us
> > improve Tomcat security. Our original plan was to use the funding to
> > support an in-person security focussed hackathon. As you would expect,
> > those plans are on hold for now. We would, therefore, like to explore
> > the possibility of doing something virtually.
> >
> > The purpose of this email is to gather input from the community about
> > what such an event should look like. With that input we can put together
> > a plan for the event. So, over to you. What would your ideal virtual
> > event focussed on Tomcat Security look like?
>
> Summarising the suggestions so far:
> - application security / OWASP
> - making HTTP requests *from* Tomcat
> - SSO / SAML / OpenIDConnect
>
> The first two are more application security focussed and would not have
> to be Tomcat specific.
>
> The third is more likely to be Tomcat specific depending on the extent to
> which the SSO mechanism ties into Tomcat's internals.
>
> All the suggestions so far have been for conference like presentations
> (if I am reading them correctly).
>
> Other possibilities:
> - hackathon to implement (with support from committers) new security
> features (no idea what these might be - suggestions welcome)
>
> - hackathon to run $tool_of_choice against Tomcat code base, review the
> results and fix (with committer support) those that need fixing.
> Suggestions as to tools to use welcome*
>
> Anything else you'd like to suggest that is related to Tomcat and security.
>
> There hasn't been any thought given to timing yet.
>
> Mark
>
> * I'll note that over the years most if not all of the major static
> analysis tools have been run against the Tomcat code base and the
> results have been very heavy on the false positives. Most of the work is
> likely to be separating the few useful results from a lot of noise.

Has a "when" been decided yet?

Thanks,

Bob
Re: Virtual event focussed on Tomcat Security
On 29/09/2020 12:25, Mark Thomas wrote:
> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?

Summarising the suggestions so far:
- application security / OWASP
- making HTTP requests *from* Tomcat
- SSO / SAML / OpenIDConnect

The first two are more application security focussed and would not have to be Tomcat specific.

The third is more likely to be Tomcat specific depending on the extent to which the SSO mechanism ties into Tomcat's internals.

All the suggestions so far have been for conference like presentations (if I am reading them correctly).

Other possibilities:
- hackathon to implement (with support from committers) new security features (no idea what these might be - suggestions welcome)
- hackathon to run $tool_of_choice against Tomcat code base, review the results and fix (with committer support) those that need fixing. Suggestions as to tools to use welcome*

Anything else you'd like to suggest that is related to Tomcat and security.

There hasn't been any thought given to timing yet.

Mark

* I'll note that over the years most if not all of the major static analysis tools have been run against the Tomcat code base and the results have been very heavy on the false positives. Most of the work is likely to be separating the few useful results from a lot of noise.
Re: Virtual event focussed on Tomcat Security
Hello there,

Sounds good! For the authentication of our tomcat applications we rely on an SSO solution (keycloak) using standards like SAML and OpenIDConnect. Maybe a session about this can fit in the event. I would be interested in what other folks are doing in this field.

Thanks,
Luis

On Thu, 1 Oct 2020 at 17:19, Christopher Schultz (<ch...@christopherschultz.net>) wrote:
> Raghu,
>
> On 9/30/20 10:35, Mysore, Raghunath wrote:
> > This plan about Tomcat security is very nice. We look forward to the
> > meetings.
> >
> > Could we have a session related to " Best practices for using Tomcat
> > + (Apache Web Server) Forward Proxy (FP) combo in a real production
> > environment " where an application hosted in Tomcat (web) container,
> > targets a destination system in the internet, through the FP ?
>
> There are some presentations already on our "presentations" page that
> might address some of your questions. Is there something specific that
> is missing?
>
> http://tomcat.apache.org/presentations.html
>
> > The application communicates with the destination system on a TLS
> > channel. The FP is placed in a perimeter zone. The role of FP is to
> > route the intranet traffic to the destination system in internet.
>
> This sounds like a fairly specific use-case. Are you looking for help in
> building such a system, or some suggestions for making sure that it's
> secure, high-performance, etc.?
>
> > Is there any generalized document that makes assessment (and
> > recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> > world set up ?
>
> No, but it would probably be an interesting subject for a presentation.
> Maybe you could work with others in the community to develop such a
> presentation and in fact present it at an upcoming conference!
>
> -chris
>
> > -----Original Message-----
> > From: Maarten van Hulsentop
> > Sent: Wednesday, September 30, 2020 3:10 AM
> > To: Tomcat Users List
> > Subject: Re: Virtual event focussed on Tomcat Security
> >
> > Hi Mark,
> >
> > This sounds like a great idea to me. Security is a very important topic,
> > and the maturity of the Tomcat makes it a very secure choice for users. I
> > am sure a lot of people will be interested to join in.
> >
> > What is not completely clear to me on this event; would this event be
> > focussed on improving the security of Tomcat from within (as a Hackathon
> > suggests)? Like trying to find security flaws/improvements and get them
> > fixed. Or is this meant to be an educational event where information is
> > shared about secure setups/hardening of the Tomcat in production systems?
> > Or a little of both?
> >
> > For the educational/hardening aspect, it could be nice to team up
> > with/involve OWASP?
> >
> > I am surely interested to pitch in on this topic!
> >
> > Kind regards,
> >
> > Maarten van Hulsentop
> >
> > On Tue, 29 Sep 2020 at 13:26, Mark Thomas wrote:
> >
> >> Hi all,
> >>
> >> We (the Tomcat community) have some funding from Google to help us
> >> improve Tomcat security. Our original plan was to use the funding to
> >> support an in-person security focussed hackathon. As you would expect,
> >> those plans are on hold for now. We would, therefore, like to explore
> >> the possibility of doing something virtually.
> >>
> >> The purpose of this email is to gather input from the community about
> >> what such an event should look like. With that input we can put
> >> together a plan for the event. So, over to you. What would your ideal
> >> virtual event focussed on Tomcat Security look like?
> >>
> >> Thanks,
> >>
> >> Mark

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
Re: Virtual event focussed on Tomcat Security
Raghu,

On 9/30/20 10:35, Mysore, Raghunath wrote:
> This plan about Tomcat security is very nice. We look forward to the
> meetings.
>
> Could we have a session related to " Best practices for using Tomcat
> + (Apache Web Server) Forward Proxy (FP) combo in a real production
> environment " where an application hosted in Tomcat (web) container,
> targets a destination system in the internet, through the FP ?

There are some presentations already on our "presentations" page that might address some of your questions. Is there something specific that is missing?

http://tomcat.apache.org/presentations.html

> The application communicates with the destination system on a TLS
> channel. The FP is placed in a perimeter zone. The role of FP is to
> route the intranet traffic to the destination system in internet.

This sounds like a fairly specific use-case. Are you looking for help in building such a system, or some suggestions for making sure that it's secure, high-performance, etc.?

> Is there any generalized document that makes assessment (and
> recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> world set up ?

No, but it would probably be an interesting subject for a presentation. Maybe you could work with others in the community to develop such a presentation and in fact present it at an upcoming conference!

-chris

> -----Original Message-----
> From: Maarten van Hulsentop
> Sent: Wednesday, September 30, 2020 3:10 AM
> To: Tomcat Users List
> Subject: Re: Virtual event focussed on Tomcat Security
>
> Hi Mark,
>
> This sounds like a great idea to me. Security is a very important topic, and
> the maturity of the Tomcat makes it a very secure choice for users. I am sure
> a lot of people will be interested to join in.
>
> What is not completely clear to me on this event; would this event be
> focussed on improving the security of Tomcat from within (as a Hackathon
> suggests)? Like trying to find security flaws/improvements and get them fixed.
> Or is this meant to be an educational event where information is shared about
> secure setups/hardening of the Tomcat in production systems? Or a little of
> both?
>
> For the educational/hardening aspect, it could be nice to team up
> with/involve OWASP?
>
> I am surely interested to pitch in on this topic!
>
> Kind regards,
>
> Maarten van Hulsentop
>
> On Tue, 29 Sep 2020 at 13:26, Mark Thomas wrote:
>
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us
>> improve Tomcat security. Our original plan was to use the funding to
>> support an in-person security focussed hackathon. As you would expect,
>> those plans are on hold for now. We would, therefore, like to explore
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about
>> what such an event should look like. With that input we can put
>> together a plan for the event. So, over to you. What would your ideal
>> virtual event focussed on Tomcat Security look like?
>>
>> Thanks,
>>
>> Mark
RE: Virtual event focussed on Tomcat Security
Greetings, Folks

This plan about Tomcat security is very nice. We look forward to the meetings.

Could we have a session related to " Best practices for using Tomcat + (Apache Web Server) Forward Proxy (FP) combo in a real production environment " where an application hosted in Tomcat (web) container, targets a destination system in the internet, through the FP ?

The application communicates with the destination system on a TLS channel. The FP is placed in a perimeter zone. The role of FP is to route the intranet traffic to the destination system in internet.

If it is desired to have TLS terminated on the FP, and a SSL (or TLS) intercept is being sought - what is the best way to accomplish this interception (so that the application's communication reaches the destination system smoothly) ? The TLS intercept portion intends to decrypt the TLS transactions, check for security compliance and then re-encrypt to push the traffic to the destination system.

Is there any generalized document that makes assessment (and recommendations) of a Tomcat plus a Forward Proxy combo, in a real world set up ?

Thanks,
-Raghu

-----Original Message-----
From: Maarten van Hulsentop
Sent: Wednesday, September 30, 2020 3:10 AM
To: Tomcat Users List
Subject: Re: Virtual event focussed on Tomcat Security

Hi Mark,

This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed. Or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?

For the educational/hardening aspect, it could be nice to team up with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

On Tue, 29 Sep 2020 at 13:26, Mark Thomas wrote:
> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put
> together a plan for the event. So, over to you. What would your ideal
> virtual event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
Re: Virtual event focussed on Tomcat Security
Hi Mark,

This sounds like a great idea to me. Security is a very important topic, and the maturity of the Tomcat makes it a very secure choice for users. I am sure a lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be focussed on improving the security of Tomcat from within (as a Hackathon suggests)? Like trying to find security flaws/improvements and get them fixed. Or is this meant to be an educational event where information is shared about secure setups/hardening of the Tomcat in production systems? Or a little of both?

For the educational/hardening aspect, it could be nice to team up with/involve OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

On Tue, 29 Sep 2020 at 13:26, Mark Thomas wrote:
> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us
> improve Tomcat security. Our original plan was to use the funding to
> support an in-person security focussed hackathon. As you would expect,
> those plans are on hold for now. We would, therefore, like to explore
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about
> what such an event should look like. With that input we can put together
> a plan for the event. So, over to you. What would your ideal virtual
> event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
RE: Virtual event focussed on Tomcat Security
I really like the idea of this. Something similar to the ApacheCon, or a series of ZOOM meetings or such.

Dream * Excel * Explore * Inspire

Jon McAlexander
Infrastructure Engineer
Asst Vice President
Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

-----Original Message-----
From: Mark Thomas
Sent: Tuesday, September 29, 2020 6:26 AM
To: Tomcat Users List
Subject: Virtual event focussed on Tomcat Security

Hi all,

We (the Tomcat community) have some funding from Google to help us improve Tomcat security. Our original plan was to use the funding to support an in-person security focussed hackathon. As you would expect, those plans are on hold for now. We would, therefore, like to explore the possibility of doing something virtually.

The purpose of this email is to gather input from the community about what such an event should look like. With that input we can put together a plan for the event. So, over to you. What would your ideal virtual event focussed on Tomcat Security look like?

Thanks,

Mark
Virtual event focussed on Tomcat Security
Hi all,

We (the Tomcat community) have some funding from Google to help us improve Tomcat security. Our original plan was to use the funding to support an in-person security focussed hackathon. As you would expect, those plans are on hold for now. We would, therefore, like to explore the possibility of doing something virtually.

The purpose of this email is to gather input from the community about what such an event should look like. With that input we can put together a plan for the event. So, over to you. What would your ideal virtual event focussed on Tomcat Security look like?

Thanks,

Mark
[SECURITY] CVE-2018-8034 Apache Tomcat - Security Constraint Bypass
CVE-2018-8034 Apache Tomcat - Security Constraint Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.9
Apache Tomcat 8.5.0 to 8.5.31
Apache Tomcat 8.0.0.RC1 to 8.0.52
Apache Tomcat 7.0.35 to 7.0.88

Description:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.10 or later.
- Upgrade to Apache Tomcat 8.5.32 or later.
- Upgrade to Apache Tomcat 8.0.53 or later.
- Upgrade to Apache Tomcat 7.0.90 or later.

History:
2018-07-22 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
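The check the advisory above describes as missing, shown in plain JSSE as an added example (not Tomcat's WebSocket client code): a TLS client engine only compares the server certificate's name against the host it was created for when an endpoint identification algorithm is set, and a configuration audit can read that setting back. The class and method names are my own; "example.invalid" is a constructed host name.

```java
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class; illustrates the host name verification that
// CVE-2018-8034 reports as missing from the WebSocket client.
public final class HostnameVerificationCheck {

    // Builds a client-mode SSLEngine for host:port with RFC 2818 style host
    // name verification enabled: the server certificate's SAN/CN must match
    // the host given here or the handshake fails.
    static SSLEngine hardenedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Builds a client-mode engine without touching the endpoint
    // identification setting, i.e. the weak configuration: the certificate
    // chain is still validated, but not bound to the peer's host name.
    static SSLEngine unverifiedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Audit: true only if the engine will bind the certificate to the host.
    static boolean verifiesHostName(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equals(alg) || "LDAPS".equals(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine weak = unverifiedClientEngine(ctx, "example.invalid", 443);
        SSLEngine hardened = hardenedClientEngine(ctx, "example.invalid", 443);
        System.out.println("unverified engine checks host name: " + verifiesHostName(weak));
        System.out.println("hardened engine checks host name:   " + verifiesHostName(hardened));
    }
}
```

The same SSLParameters setting applies to an SSLSocket, so the audit method can be reused for any JSSE client a web application opens from inside Tomcat.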
[UPDATE][SECURITY] CVE-2017-7675 Apache Tomcat Security Constraint Bypass
CVE-2017-7675 Apache Tomcat Security Constraint Bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15

Description:
The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later

Credit:
The issue was reported as Bug 61120 and the security implications identified by the Apache Tomcat Security Team.

History:
2017-08-10 Original advisory
2017-08-10 Correct copy/paste error in title

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
[SECURITY] CVE-2017-7675 Apache Tomcat Security Constraint Bypass
CVE-2017-7675 Apache Tomcat Cache Poisoning

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M21
Apache Tomcat 8.5.0 to 8.5.15

Description:
The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later

Credit:
The issue was reported as Bug 61120 and the security implications identified by the Apache Tomcat Security Team.

History:
2017-08-10 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
[SECURITY] CVE-2017-5664 Apache Tomcat Security Constraint Bypass
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M20
Apache Tomcat 8.5.0 to 8.5.14
Apache Tomcat 8.0.0.RC1 to 8.0.43
Apache Tomcat 7.0.0 to 7.0.77
Earlier, unsupported versions have not been analysed but are likely to be affected

Description:
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.

If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method.

Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.

Notes for other user provided error pages:
- Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
- By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M21 or later
- Upgrade to Apache Tomcat 8.5.15 or later
- Upgrade to Apache Tomcat 8.0.44 or later
- Upgrade to Apache Tomcat 7.0.78 or later

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team by Aniket Nandkishor Kulkarni from Tata Consultancy Services Ltd, Mumbai, India as a vulnerability that allowed the restrictions on OPTIONS and TRACE requests to be bypassed. The full implications of this issue were then identified by the Tomcat Security Team.

History:
2017-06-06 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2016-6796 Apache Tomcat Security Manager Bypass
CVE-2016-6796 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description:
A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-5018 Apache Tomcat Security Manager Bypass
CVE-2016-5018 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description:
A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by Alvaro Munoz of the HP Enterprise Security Team and reported responsibly to the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-6794 Apache Tomcat Security System Property Disclosure
CVE-2016-6794 Apache Tomcat System Property Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description:
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
Re: Tomcat Security Option
Could you elaborate what you mean with "security option"? There's a number of things that you can do for securing tomcat, and enabling the security manager is only one thing. If you do this, you probably want to specify the policy for the server's sandbox - e.g. which files it's allowed to access, which network connections it's allowed to open. Configuring the SecurityManager & running in a sandbox is no fun.

You're probably aware of http://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html and http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html ?

Olaf

On 14.04.2016 at 16:37, King Kenneth wrote:
> All,
>
> How do you enable the Tomcat security option, will the following change below
> enable this component?
>
> * Add the following text "Djava.security.manager" to the Java tab
> within Tomcat Configuration in the Java Options section
>
> Thanks,
>
> Kenneth King Jr.
> Booz l Allen l Hamilton
> Office (202) 317-5593
> Cell (203) 450-7941
Tomcat Security Option
All,

How do you enable the Tomcat security option, will the following change below enable this component?

* Add the following text "Djava.security.manager" to the Java tab within Tomcat Configuration in the Java Options section

Thanks,

Kenneth King Jr.
Booz l Allen l Hamilton
Office (202) 317-5593
Cell (203) 450-7941
Re: [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
On 22/02/2016 at 06:23 a.m., Mark Thomas wrote:
> CVE-2016-0763 Apache Tomcat Security Manager Bypass
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 7.0.0 to 7.0.67
> - Apache Tomcat 8.0.0.RC1 to 8.0.30
> - Apache Tomcat 9.0.0.M1 to 9.0.0.M2
>
> Description:
> ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M3 or later
> - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
> - Upgrade to Apache Tomcat 7.0.68 or later
> - Upgrade to Apache Tomcat 6.0.45 or later
>
> Credit:
> This issue was discovered by The Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass
CVE-2016-0706 Apache Tomcat Security Manager bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass
CVE-2016-0714 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass
CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

This issue only affects installations that run web applications from untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.17 or later (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
Tomcat security vulnerability/ or security config issue
Howdy,

I have an issue with Tomcat security, please find the spec below:

Server version: Apache Tomcat/6.0.35
Server built: Nov 28 2011 11:20:06
Server number: 6.0.35.0
OS Name: SunOS
OS Version: 5.10
Architecture: x86
JVM Version: 1.6.0_33-b03
JVM Vendor: Sun Microsystems Inc.

For the problematic server, all files on the server are exposed to all users through
http://masterservice_IP:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../location_of_the_file
i.e. open Chrome, give
http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages
and press enter to see the server system log. It happens with any browsers.

I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue. Can someone please have a look? Please let me know if any further info required.

Thanks

Regards,
Wen
Re: Tomcat security vulnerability/ or security config issue
On 18/04/2013 14:14, Wen Liu wrote:
> Howdy,
>
> I have an issue with Tomcat security, please find the spec below:
>
> Server version: Apache Tomcat/6.0.35
> Server built: Nov 28 2011 11:20:06
> Server number: 6.0.35.0
> OS Name: SunOS
> OS Version: 5.10
> Architecture: x86
> JVM Version: 1.6.0_33-b03
> JVM Vendor: Sun Microsystems Inc.
>
> For the problematic server, all files on the server are exposed to all users through
> http://masterservice_IP:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../location_of_the_file
> i.e. open Chrome, give
> http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages
> and press enter to see the server system log. It happens with any browsers.
>
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue. Can someone please have a look? Please let me know if any further info required.

That is an application vulnerability, not a Tomcat vulnerability.

Mark
Re: Tomcat security vulnerability/ or security config issue
If things are configured properly, web users won't be able to see anything outside your app hierarchy, so something clearly isn't set up properly.

On 4/18/2013 9:14 AM, Wen Liu wrote:
> Howdy,
>
> I have an issue with Tomcat security, please find the spec below:
>
> Server version: Apache Tomcat/6.0.35
> Server built: Nov 28 2011 11:20:06
> Server number: 6.0.35.0
> OS Name: SunOS
> OS Version: 5.10
> Architecture: x86
> JVM Version: 1.6.0_33-b03
> JVM Vendor: Sun Microsystems Inc.
>
> For the problematic server, all files on the server are exposed to all users through
> http://masterservice_IP:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../location_of_the_file
> i.e. open Chrome, give
> http://10.45.224.55:8080/consistencycheck/servlet/TransformXML?xmlUrl=../../../../../var/adm/messages
> and press enter to see the server system log. It happens with any browsers.
>
> I was wondering if it is a security vulnerability of Tomcat 6.0.35, or it is a service config issue. Can someone please have a look? Please let me know if any further info required.
>
> Thanks
>
> Regards,
> Wen
RE: Tomcat security vulnerability/ or security config issue
From: David kerber [mailto:dcker...@verizon.net]
Subject: Re: Tomcat security vulnerability/ or security config issue

> If things are configured properly, web users won't be able to see
> anything outside your app hierarchy, so something clearly isn't set up
> properly.

This has little to do with configuration - it's the particular webapp (consistencycheck) that is blindly trusting whatever is fed to it from the outside world, and using that as a path into the local file system. A SecurityManager _may_ be able to stop it, but if the site has deployed such a dangerous webapp, it's likely they would grant excessive privileges to it as well.

- Chuck
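One way to close the hole Chuck describes in the application itself, as an added example that is neither the consistencycheck webapp's code (which is not on the list) nor anything from Tomcat: the request value is resolved against a fixed document base and refused whenever the canonical result lands outside it. The class, method and constructor names, the document-base directory and the requirement that the target be a regular `.xml` file are assumptions; only the `xmlUrl` parameter name comes from the thread. The `main` method exercises it against a scratch directory with constructed inputs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

/*
 * Hypothetical hardened resolver for a "which XML file to transform"
 * request parameter (added example). The flaw in the thread is using the
 * parameter value directly as a file system path; here it is only ever a
 * name relative to a fixed base, and anything that escapes the base, via
 * "..", an absolute path or a symlink, is rejected before it is opened.
 */
public final class XmlSourceResolver {

    private final Path baseDir;

    public XmlSourceResolver(Path baseDir) throws IOException {
        // Canonical base, so the comparisons below are not fooled by a
        // base directory that is itself a symlink.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the canonical path of the requested file, or throws
     * IllegalArgumentException if the request escapes the document base
     * or does not name an existing regular .xml file.
     */
    public Path resolve(String xmlUrl) throws IOException {
        if (xmlUrl == null || xmlUrl.isEmpty() || xmlUrl.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("xmlUrl missing or malformed");
        }
        // resolve() of an absolute value yields that absolute path and
        // normalize() folds "..", so both traversal forms are caught by the
        // startsWith check rather than by pattern-matching the input.
        Path candidate = baseDir.resolve(xmlUrl).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("xmlUrl escapes the document base");
        }
        Path real;
        try {
            real = candidate.toRealPath();   // follows symlinks
        } catch (NoSuchFileException e) {
            throw new IllegalArgumentException("no such document");
        }
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)
                || !real.getFileName().toString().endsWith(".xml")) {
            throw new IllegalArgumentException("not a permitted document");
        }
        return real;
    }

    /* Self-check against a scratch directory; all inputs are constructed. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("xmlbase");
        Path ok = Files.createFile(base.resolve("report.xml"));   // constructed sample document
        XmlSourceResolver r = new XmlSourceResolver(base);

        System.out.println("accepted: " + r.resolve("report.xml"));

        String[] rejected = {
            "../../../../../var/adm/messages",   // the traversal from the thread
            "/etc/passwd",                       // absolute path
            "report.xml/../../x.xml",            // traversal hidden behind a valid name
            "report"                             // neither existing nor .xml
        };
        for (String s : rejected) {
            try {
                r.resolve(s);
                System.out.println("UNEXPECTEDLY accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }

        Files.delete(ok);
        Files.delete(base);
    }
}
```

The second `startsWith` check after `toRealPath()` is the one that matters for symlinks: a link inside the base pointing at `/var/adm/messages` passes the first, lexical check but fails the second. Running under a SecurityManager, as Chuck notes, only helps on top of this if the webapp's FilePermission grants are narrow enough to exclude the files being read.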
Tomcat Security Limitation
Hello,

I am running a servlet that reads and writes to a remote instance of Hbase/Hadoop on ec2. When the security manager is off, all is fine. But when the manager is on, write and read operations fail.

I have the following permissions on my 04webapps.policy file:

permission java.net.SocketPermission ip-10-234-X-X.eu-west-1.compute.internal:*, connect,resolve;
permission java.net.SocketPermission 10.234.X.X:*, connect,resolve;

(10.234.X.X) being the address of the remote instance with Hbase.

I cannot track anything in the logs. No error or exception, the app just freezes.

Your help is much appreciated,

Mourad
Re: Tomcat Security Limitation
Mouradk,

On 10/10/12 7:49 AM, Mouradk wrote:
> I am running a servlet that reads and writes to a remote instance of
> Hbase/Hadoop on ec2. When the security manager is off, all is fine. But
> when the manager is on, write and read operations fail.
>
> I have the following permissions on my 04webapps.policy file:

04webapps.policy isn't a file I recognize as one that Tomcat reads. Is this something that your local installation supports in some way?

> permission java.net.SocketPermission ip-10-234-X-X.eu-west-1.compute.internal:*, connect,resolve;
> permission java.net.SocketPermission 10.234.X.X:*, connect,resolve;
>
> (10.234.X.X) being the address of the remote instance with Hbase.
>
> I cannot track anything in the logs. No error or exception, the app just freezes.

Try adding this to CATALINA_OPTS:

-Djava.security.debug=all

This will give you a whole bunch of information about what the SecurityManager is doing, including dumping errors when security checks fail.

If you only want to see failures (which is usually the case), try this:

-Djava.security.debug=access:failure

If you want to know the full range of options in your environment, run:

java -Djava.security.debug=help

Hope that helps,
-chris
Re: Tomcat Security Limitation
Hi Chris,

I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS you mean that in /usr/share/tomcat6/bin/catalina.sh . I have added this as such:

CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all

I have also set the logging level to FINE in $CATALINA_HOME/conf/logging.properties

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE

But not getting debug messages?

Thanks for your help.

Mourad

On 10 Oct 2012, at 14:20, Christopher Schultz ch...@christopherschultz.net wrote:
> Mouradk,
>
> On 10/10/12 7:49 AM, Mouradk wrote:
>> I am running a servlet that reads and writes to a remote instance of
>> Hbase/Hadoop on ec2. When the security manager is off, all is fine. But
>> when the manager is on, write and read operations fail.
>>
>> I have the following permissions on my 04webapps.policy file:
>
> 04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
> this something that your local installation supports in some way?
>
>> permission java.net.SocketPermission ip-10-234-X-X.eu-west-1.compute.internal:*, connect,resolve;
>> permission java.net.SocketPermission 10.234.X.X:*, connect,resolve;
>>
>> (10.234.X.X) being the address of the remote instance with Hbase.
>>
>> I cannot track anything in the logs. No error or exception, the app just freezes.
>
> Try adding this to CATALINA_OPTS:
>
> -Djava.security.debug=all
>
> This will give you a whole bunch of information about what the
> SecurityManager is doing, including dumping errors when security checks
> fail.
>
> If you only want to see failures (which is usually the case), try this:
>
> -Djava.security.debug=access:failure
>
> If you want to know the full range of options in your environment, run:
>
> java -Djava.security.debug=help
>
> Hope that helps,
> -chris
Re: Tomcat Security Limitation
Christopher Schultz wrote:
> Mouradk,
>
> On 10/10/12 7:49 AM, Mouradk wrote:
>> I am running a servlet that reads and writes to a remote instance of
>> Hbase/Hadoop on ec2. When the security manager is off, all is fine. But
>> when the manager is on, write and read operations fail.
>>
>> I have the following permissions on my 04webapps.policy file:
>
> 04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
> this something that your local installation supports in some way?

Info: this looks very much like what the Linux Debian Tomcat package is doing: splitting up catalina.policy into chunks stored in /etc/tomcat/policy.d/*, which are then re-combined into catalina.policy by the package's Tomcat startup script just before launching the JVM.

Practically speaking, it is not a bad idea. catalina.policy as one big chunk is not very easy to read or edit.
Re: Tomcat Security Limitation
Mouradk,

On 10/10/12 10:04 AM, Mouradk wrote:
> I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS
> you mean that in /usr/share/tomcat6/bin/catalina.sh .

It would be better to use CATALINA_BASE/bin/setenv.sh so you don't have to modify Tomcat's stock startup script. You can also just set it on the command-line (using 'export CATALINA_OPTS=...') and then launch Tomcat from the command-line.

> I have added this as such:
>
> CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all
>
> I have also set the logging level to FINE in $CATALINA_HOME/conf/logging.properties
>
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
>
> But not getting debug messages?

Check logs/catalina.out (or whatever Ubuntu does with stdout when you launch Tomcat).

-chris
Re: [OT] Tomcat Security Limitation
André,

On 10/10/12 10:05 AM, André Warnier wrote:
> Christopher Schultz wrote:
>> Mouradk,
>>
>> On 10/10/12 7:49 AM, Mouradk wrote:
>>> I am running a servlet that reads and writes to a remote instance of
>>> Hbase/Hadoop on ec2. When the security manager is off, all is fine. But
>>> when the manager is on, write and read operations fail.
>>>
>>> I have the following permissions on my 04webapps.policy file:
>>
>> 04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
>> this something that your local installation supports in some way?
>
> Info: this looks very much like what the Linux Debian Tomcat package is
> doing: splitting up catalina.policy into chunks stored in
> /etc/tomcat/policy.d/*, which are then re-combined into catalina.policy
> by the package's Tomcat startup script just before launching the JVM.
>
> Practically speaking, it is not a bad idea. catalina.policy as one big
> chunk is not very easy to read or edit.

Nor is it easy to keep up-to-date when Tomcat ships with a new version of the policy file. This happens even with point-releases so it's not like just syncing everything up when you do a major-version upgrade and have to re-write server.xml essentially from scratch.

In general, I would advocate for splitting Tomcat's policy up into several files, but that significantly complicates deployment across multiple OSs and styles of launching Tomcat. With shell scripts (which is how *NIX services all launch), it's easy. On Windows, it's not quite so easy and would probably lead to confusion.

So, if Debian/Ubuntu wants to split the policy file for their package-manager version I think it makes sense, but it would just add complexity at the stock-Tomcat level... and configuring Tomcat is already pushing the complexity limit for a lot of its users.

-chris
Re: Tomcat Security Limitation
Mouradk wrote:
> Hi Chris,
>
> I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS
> you mean that in /usr/share/tomcat6/bin/catalina.sh . I have added this
> as such:
>
> CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all
>
> I have also set the logging level to FINE in $CATALINA_HOME/conf/logging.properties
>
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
>
> But not getting debug messages?

Mouradk,

Each Linux distribution has different ways of packaging software like Tomcat, and the people on this list do not all have the same system, and they do not necessarily know which files you are talking about on /your/ system. (These packages have a tendency to spread the software and the settings over many directories and files; and they all do it differently). For that reason, most people here will tend to refer to the standard Tomcat distribution, which is the one that you can download from the Tomcat website, and which is known to all (and is much simpler in terms of file structure).

The following info is thus only because I happen to have Tomcat running under Linux Debian (similar to Ubuntu), and can compare things with my system.

Then,

- in general, if you want to follow how the Tomcat6 package starts Tomcat under Ubuntu/Debian, look at the /etc/init.d/tomcat6 script. That is the one that pulls in all the other ones, sets the options, etc.

- in the line you show above, there is a (wrong) comma after $JPDA_OPTS. Remove it.

- you should generally not modify the catalina.sh script

- if you make changes to environment variables like CATALINA_OPTS, put them in the separate script setenv.sh, which you will also find in the /usr/share/tomcat6/bin/ directory. This will be read by the catalina.sh script at startup of Tomcat.
Add the line as:
CATALINA_OPTS=$CATALINA_OPTS -Djava.security.debug=all

- under Ubuntu (as under Debian), you probably need to edit another file in order to have the JVM start with the Java security manager enabled. I don't know for Ubuntu, but under Debian it would be /etc/default/tomcat6 and it should have a line like:
TOMCAT_SECURITY=yes (or no)
Re: Tomcat Security Limitation
Dear all,

Thanks all for your reply. I managed to get the debug logs on, and those logs of interest were set to WARN (warnings); they gave me an indication of the required security settings and I finally got it to work!!

I am experiencing another problem now. But at least I got Tomcat security manager out of the way.....I hope!

Many thanks,
Mourad

On 10 Oct 2012, at 15:37, André Warnier a...@ice-sa.com wrote:

> Mouradk wrote:
>> Hi Chris,
>>
>> I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS you mean that in /usr/share/tomcat6/bin/catalina.sh . I have added this as such:
>>
>> CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all"
>>
>> I have also set the logging level to FINE in $CATALINA_HOME/conf/logging.properties
>>
>> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
>>
>> But not getting debug messages?
>
> Mouradk,
>
> Each Linux distribution has different ways of packaging software like Tomcat, and the people on this list do not all have the same system, and they do not necessarily know which files you are talking about on /your/ system. (These packages have a tendency to spread the software and the settings over many directories and files; and they all do it differently.)
>
> For that reason, most people here will tend to refer to the standard Tomcat distribution, which is the one that you can download from the Tomcat website, and which is known to all (and is much simpler in terms of file structure).
>
> The following info is thus only because I happen to have Tomcat running under Linux Debian (similar to Ubuntu), and can compare things with my system.
>
> Then,
>
> - in general, if you want to follow how the Tomcat6 package starts Tomcat under Ubuntu/Debian, look at the /etc/init.d/tomcat6 script. That is the one that pulls in all the other ones, sets the options, etc.
>
> - in the line you show above, there is a (wrong) comma after $JPDA_OPTS. Remove it.
>
> - you should generally not modify the catalina.sh script. If you make changes to environment variables like CATALINA_OPTS, put them in the separate script setenv.sh, which you will also find in the /usr/share/tomcat6/bin/ directory. This will be read by the catalina.sh script at startup of Tomcat.
>   Add the line as:
>
>   CATALINA_OPTS="$CATALINA_OPTS -Djava.security.debug=all"
>
> - under Ubuntu (as under Debian), you probably need to edit another file in order to have the JVM start with the Java security manager enabled. I don't know for Ubuntu, but under Debian it would be /etc/default/tomcat6 and it should have a line like:
>
>   TOMCAT_SECURITY=yes (or no)
Re: Tomcat Security Limitation
Mourad,

On 10/10/12 12:35 PM, Mouradk wrote:
> Thanks all for your reply. I managed to get the debug logs on and those logs of interest were set to WARN (warnings), they gave me an indication to the required security settings and I finally got it to work !!

Would you care to post back to the list to describe what you needed to do to get it to work? You may help someone else who reads the archives.

-chris
Tomcat Security Permission Issue
System: ubuntu server 11.10, tomcat6 (installed from apt-get, not downloaded).

Starting without -security enabled, all works fine. Starting tomcat with -security enabled gives the following:

SEVERE: Exception starting filter app
org.apache.tapestry5.ioc.internal.OperationException: Error building service proxy for service 'RegistryStartup' (at org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List) (at RegistryStartup.java:36) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:49)): Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
    /WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
    at org.apache.tapestry5.ioc.internal.OperationTrackerImpl.logAndRethrow(OperationTrackerImpl.java:121)
    ...
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.lang.RuntimeException: Error building service proxy for service 'RegistryStartup' (at org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List) (at RegistryStartup.java:36) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:49)): Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
    /WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
    at org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:327)
    at org.apache.tapestry5.ioc.internal.OperationTrackerImpl.invoke(OperationTrackerImpl.java:74)
    ... 44 more
Caused by: java.lang.RuntimeException: Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
    /WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
    ...
    at org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:311)
    ... 45 more

Below my webapp.policy file:

grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Example JSPs need those to work properly
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessDeclaredMembers";

    // Precompiled JSPs need access to this system property.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";

    // java.io.tmpdir should be usable as a temporary file directory
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";

    //TAPESTRY SPECIFIC PERMISSIONS
    permission
Re: Tomcat Security Permission Issue
2012/8/9 bogdan ivascu ivascu.bogdan...@gmail.com:
> System: ubuntu server 11.10, tomcat6 (installed from apt-get, not downloaded).
>
> Starting without -security enabled, all works fine. Starting tomcat with -security enabled gives the following:
>
> SEVERE: Exception starting filter app
> org.apache.tapestry5.ioc.internal.OperationException: Error building service proxy for service 'RegistryStartup' (at org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List) (at RegistryStartup.java:36) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:49)): Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> -- Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
>     at org.apache.tapestry5.ioc.internal.OperationTrackerImpl.logAndRethrow(OperationTrackerImpl.java:121)
>     ...
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Caused by: java.lang.RuntimeException: Error building service proxy for service 'RegistryStartup' (at org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List) (at RegistryStartup.java:36) via org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at TapestryIOCModule.java:49)): Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> -- Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
>     at org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:327)
>     at org.apache.tapestry5.ioc.internal.OperationTrackerImpl.invoke(OperationTrackerImpl.java:74)
>     ... 44 more
> Caused by: java.lang.RuntimeException: Unable to locate class file for 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> -- Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
>     ...
>     at org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:311)
>     ... 45 more
>
> Below my webapp.policy file:
>
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
>
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
>
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission "java.class.version", "read";
>     permission java.util.PropertyPermission "java.specification.version", "read";
>     permission java.util.PropertyPermission "java.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.specification.version", "read";
>     permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.version", "read";
>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.name", "read";
>
>     // Required for OpenJMX
>     permission java.lang.RuntimePermission "getAttribute";
>
>     // Allow read of JAXP compliant XML parser debug
>     permission java.util.PropertyPermission "jaxp.debug", "read";
>
>     // Precompiled JSPs need access to this package.
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
>
>     // Example JSPs need those to work properly
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
>
>     // Precompiled JSPs need access to this system property.
>     permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>
>     // java.io.tmpdir should be usable as a temporary file directory
>     permission
Re: tomcat security authenticator
2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
> Hi,
>
> I need to use custom authenticator, because a part of application is using container authentication, and unfortunately the usernames in realm conflict with usernames in application database. :(
> So I need, that if anybody is logged in to my application, then the authenticator automatically authorizes when needed.
>
> I think, if I replace the FormAuthenticator with a descendant, it'll solve the problem. To extend FormAuthenticator is simple, but how can I make Tomcat use it?

1) Why not a Realm?

2) An Authenticator is a Valve and is configured like any other valve. If one is present, Tomcat will not configure its own.

Best regards,
Konstantin Kolinko
Re: tomcat security authenticator
> 1. Why not a Realm?

Because the authentication depends on a session attribute, and I want to bypass the form if the user is logged in.

So is this correct?

<Valve className="hu.kozo.security.MyFormAuthenticator" />

The tomcat's doc says, that "Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.FormAuthenticator."

Thanks for help.

2012/6/28 Konstantin Kolinko knst.koli...@gmail.com:
> 2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
>> Hi,
>>
>> I need to use custom authenticator, because a part of application is using container authentication, and unfortunately the usernames in realm conflict with usernames in application database. :(
>> So I need, that if anybody is logged in to my application, then the authenticator automatically authorizes when needed.
>>
>> I think, if I replace the FormAuthenticator with a descendant, it'll solve the problem. To extend FormAuthenticator is simple, but how can I make Tomcat use it?
>
> 1) Why not a Realm?
>
> 2) An Authenticator is a Valve and is configured like any other valve. If one is present, Tomcat will not configure its own.
>
> Best regards,
> Konstantin Kolinko
Re: tomcat security authenticator
2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
>> 1. Why not a Realm?
>
> Because the authentication depends on a session attribute, and I want to bypass the form if the user is logged in.

When I used Tomcat's realm to authenticate users, that was an issue that I missed: access to the session environment or context environment. I had to try Spring Security because it implements this feature.

I understand that authentication is a previous step to accessing the web application, but sometimes it's required to update the session environment. For example, to forward to a custom error page with a different error message (user not found, user is already logged in, etc.).

Some of these things I could solve with filters and temp registers in the database, but I don't like it.
Re: tomcat security authenticator
> I think, if I replace the FormAuthenticator with a descendant, it'll solve the problem. To extend FormAuthenticator is simple, but how can I make Tomcat use it?

I tested this out at one time but it was never placed in production. My terse notes, which might be leaving something out, on doing this are:

In web.xml define auth-method as:

<auth-method>FORMOIT</auth-method>

Extract org/apache/catalina/startup/Authenticators.properties from catalina.jar and add the line:

FORMOIT=mynewpackage.NewFormAuthenticator

Update catalina.jar:

jar -uf catalina.jar org/apache/catalina/startup/Authenticators.properties

HTH,
Kris
RE: tomcat security authenticator
so the client will need to encrypt the data before the client puts the data on the wire?

in that case you'll want to take a look at configuring both the client transmitting the secured data and the server ACK or responding with an encrypted resp via JSSE
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Fun Stuff
Martin

> Subject: Re: tomcat security authenticator
> From: kris.eas...@colorado.edu
> To: users@tomcat.apache.org
> Date: Thu, 28 Jun 2012 07:51:58 -0600
>
>> I think, if I replace the FormAuthenticator with a descendant, it'll solve the problem. To extend FormAuthenticator is simple, but how can I make Tomcat use it?
>
> I tested this out at one time but it was never placed in production. My terse notes, which might be leaving something out, on doing this are:
>
> In web.xml define auth-method as:
>
> <auth-method>FORMOIT</auth-method>
>
> Extract org/apache/catalina/startup/Authenticators.properties from catalina.jar and add the line:
>
> FORMOIT=mynewpackage.NewFormAuthenticator
>
> Update catalina.jar:
>
> jar -uf catalina.jar org/apache/catalina/startup/Authenticators.properties
>
> HTH,
> Kris
Re: tomcat security authenticator
Zoltán,

On 6/28/12 4:08 AM, Komáromi, Zoltán wrote:
>> 1. Why not a Realm?
>
> Because the authentication depends on a session attribute, and I want to bypass the form if the user is logged in.
>
> So is this correct?
>
> <Valve className="hu.kozo.security.MyFormAuthenticator" />
>
> The tomcat's doc says, that "Java class name of the implementation to use. This MUST be set to org.apache.catalina.authenticator.FormAuthenticator."

You must use FormAuthenticator if you want to use Tomcat's FORM authentication. It doesn't mean it's the only valid value for the class attribute.

-chris
Re: [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
On 5/17/2011 5:46 AM, Mark Thomas wrote:
> CVE-2011-1582 Apache Tomcat security constraint bypass
>
> Description:
> An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly.

I had seen this exact behavior myself and was not sure if it was a bug in my code or not. Anyway, glad it's fixed! Keep up the good work.

-Mike
[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.12-7.0.13
- Earlier versions are not affected

Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Tomcat 7.0.14 or later
- Define all security constraints in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass
CVE-2011-1183 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass
CVE-2011-1088 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.10
- Earlier versions are not affected

Description:
When a web application was started, @ServletSecurity annotations were ignored. This meant that some areas of the application may not have been protected as expected.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Define security constraints via an alternative mechanism such as web.xml

Credit:
This issue was reported publicly on the Tomcat users mailing list. The Apache Tomcat security team requests that security vulnerability reports are made privately to secur...@tomcat.apache.org in the first instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
Tomcat Security Problem
Hi,

I am new to Tomcat server. I have installed Tomcat 6 and deployed a web application. This application has to decrypt some files and store them in a temp folder. I have created a folder with name 'temp' in the WEB-INF folder of my application. But when I am running my application, at the time of decryption, I am getting an Access Denied exception.

Through Tomcat security features, I came to know that we need to grant the permission in catalina.policy in the conf folder. Below is the line I have added in it. But still I am getting the same exception.

grant codeBase "http://localhost:8080/lanwan/-" {
    permission java.io.FilePermission "C:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\webapps\\lanwan\\WEB-INF\\docs\\temp\\-", "read,write,delete";
};

Please help me how to configure these security settings.

Thanks in advance,
Ramesh
Re: Tomcat security problem..please help
Yaragalla, Muralidhar wrote:
> Hi all,
>
> I have added security manager in a filter initialization method in my web app. I have deployed webapp in tomcat and when I start tomcat it is throwing the following error. Kindly help me in this. How to avoid this? What should I do in the security policy?

Reading the on-line documentation at http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html would be a good first step.

A second one, in your next post, would be to indicate which version of Tomcat you are running, on which platform, under which JVM.
RE: Tomcat security problem..please help
Thank you so much. I will do that.

Thanks and Regards,
Muralidhar Yaragalla,
Senior Software Specialist,
Patni Computer Systems Ltd,
B-45/B-46, SIPCOT IT Park, Rajiv Gandhi Salai (IT Highway),
Siruseri, Chennai - 603 103.
Tel: 91 44 4744 x 2224
Link Line: 9 613 4516
Mobile : 9791174806

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, December 30, 2010 3:12 PM
To: Tomcat Users List
Subject: Re: Tomcat security problem..please help

Yaragalla, Muralidhar wrote:
> Hi all,
>
> I have added security manager in a filter initialization method in my web app. I have deployed webapp in tomcat and when I start tomcat it is throwing the following error. Kindly help me in this. How to avoid this? What should I do in the security policy?

Reading the on-line documentation at http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html would be a good first step.

A second one, in your next post, would be to indicate which version of Tomcat you are running, on which platform, under which JVM.
Tomcat security problem..please help
Hi all,

I have added a security manager in a filter initialization method in my web app. I have deployed the webapp in tomcat and when I start tomcat it is throwing the following error. Kindly help me with this. How do I avoid this? What should I do in the security policy?

Dec 30, 2010 11:41:25 AM org.apache.tomcat.util.modeler.Registry registerComponent
SEVERE: Error registering Catalina:j2eeType=Filter,name=jaas,WebModule=//localhost/cskip,J2EEApplication=none,J2EEServer=none
java.security.AccessControlException: access denied (javax.management.MBeanPermission org.apache.tomcat.util.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,WebModule=//localhost/cskip,j2eeType=Filter,name=jaas] registerMBean)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1806)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:309)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:482)
    at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:806)
    at org.apache.catalina.core.ApplicationFilterConfig.registerJMX(ApplicationFilterConfig.java:457)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:299)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422)
    at org.apache.catalina.core.ApplicationFilterConfig.init(ApplicationFilterConfig.java:115)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4001)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4651)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:905)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:740)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:500)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Dec 30, 2010 11:41:25 AM org.apache.catalina.core.ApplicationFilterConfig registerJMX
INFO: JMX registration failed for filter of type [com.ge.capital.cskip.jaas.filter.JAASFilter] and name [jaas]
java.security.AccessControlException: access denied (javax.management.MBeanPermission org.apache.tomcat.util.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,WebModule=//localhost/cskip,j2eeType=Filter,name=jaas] registerMBean)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1806)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:309)
    at
Re: Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
On 26/10/2010 03:42, ww...@ogcio.gov.hk wrote:
> Dear Sir/Madam,
>
> Recently it has been checked that there is a security vulnerability for the tomcat (version 5.0.9) shipped with JBoss 4.0.3SP1. From the link below, it is recommended to upgrade to 5.5.28.
> http://marc.info/?l=tomcat-user&m=124449799021571&w=2
>
> We have tried to upgrade some of the tomcat libraries to version 5.5.31 by following the steps we found on the web in http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html
> Yet we have encountered the exception (as attached for your reference).
>
> Should we upgrade the tomcat only, without upgrading the JBoss AS?

This question is probably better addressed to JBoss support.

p
Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
Dear Sir/Madam,

Recently it has been checked that there is a security vulnerability for the tomcat (version 5.0.9) shipped with JBoss 4.0.3SP1. From the link below, it is recommended to upgrade to 5.5.28.
http://marc.info/?l=tomcat-user&m=124449799021571&w=2

We have tried to upgrade some of the tomcat libraries to version 5.5.31 by following the steps we found on the web in http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html
Yet we have encountered the exception (as attached for your reference).

Should we upgrade the tomcat only, without upgrading the JBoss AS?

We would much appreciate it if you could advise us how we could resolve the situation, so as to address the security vulnerability at your earliest convenience. Thanks for your effort in advance.

Again, here is our configuration:
JBoss 4.0.3SP1
Tomcat 5.5.9

Many thanks!
Wilson Fu

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception
javax.servlet.ServletException: org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

root cause
java.lang.AbstractMethodError: org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
    org.apache.jasper.compiler.Parser.parseTaglibDirective(Parser.java:425)
    org.apache.jasper.compiler.Parser.parseDirective(Parser.java:499)
    org.apache.jasper.compiler.Parser.parseElements(Parser.java:1558)
    org.apache.jasper.compiler.Parser.parse(Parser.java:130)
    org.apache.jasper.compiler.ParserController.doParse(ParserController.java:245)
    org.apache.jasper.compiler.ParserController.parse(ParserController.java:101)
    org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:176)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:317)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:298)
    org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
    org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:565)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:309)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:308)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
Re: Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
Yes.

Thanks, regards,
Wilson Fu
Tel: 3182 6675

ww...@ogcio.gov.hk wrote on 26.10.2010 10:42:
Subject: Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
> [snip]
> [attachment error.txt deleted by Wilson WT FU/OGCIO/HKSARG]
Re: How to reproduce tomcat security vulnerabilities
Viola,

On 9/22/2010 11:29 PM, viola lu wrote:
> thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, I can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:
>
> tomcat 6.0.26

What is the first one and the second one? The bugs you mentioned in your first post? Remember, not everyone is thinking what you're thinking: please be clear when posting.

> suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
> --07:21:33--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
>            => `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> WWW-Authenticate: Basic realm=9.125.1.248:8080

Good: this reproduces the bug.

> tomcat 6.0.29:
> suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
> --07:24:02--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
>            => `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 401 Unauthorized
> Server: Apache-Coyote/1.1
> WWW-Authenticate: Basic realm=Authentication required

...and this shows that the bug has been fixed: no IP and port.

> But for the first one, both got the same response: 200 OK as below:
> suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
> --07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
>            => `-'
> Connecting to 9.125.1.248:8080... connected.
> HTTP request sent, awaiting response...
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 61
> Date: Thu, 23 Sep 2010 03:09:09 GMT
> Connection: keep-alive
> Length: 61 [text/html]
>
>  0% [ ] 0 --.--K/s
> unsupported application/x-www-form-urlencoded 9.125.1.248
> 100%[=] 61 --.--K/s
>
> 07:12:16 (7.27 MB/s) - `-' saved [61/61]
>
> Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong?

Maybe this is sensitive to other conditions as well.

On 9/24/2010 12:57 AM, viola lu wrote:
> After debugging into the tomcat source code, I found that if transfer-encoding is set as 'buffered', tomcat 6.0.26 will report a null pointer exception in the buffered filter recycle, but tomcat 6.0.29 directly reports a 501 error. But not sure how attackers obtain sensitive information via a crafted header?

When buffers are not recycled properly, information /can/ leak across requests. This means that, under the right conditions, an attacker /might/ be able to exploit the server to disclose information.

Just because a vulnerability does not have an exploit doesn't mean it's not a vulnerability: the possibility exists that information can be disclosed. It's not absolutely necessary to be able to actually steal information from a server to be considered a vulnerability.

This one might not be reproducible in any predictable way.

-chris
Re: How to reproduce tomcat security vulnerabilities
Got it. Appreciate your clarification, Christopher. I will keep posts clear to understand. :)

On Fri, Sep 24, 2010 at 9:56 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> [snip]

-- 
viola
Re: How to reproduce tomcat security vulnerabilities
After debugging into the tomcat source code, I found that if transfer-encoding is set as 'buffered', tomcat 6.0.26 will report a null pointer exception in the buffered filter recycle, but tomcat 6.0.29 directly reports a 501 error. But not sure how attackers obtain sensitive information via a crafted header?

On Thu, Sep 23, 2010 at 11:29 AM, viola lu <viola...@gmail.com> wrote:
> [snip]
>
> On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > [snip]

-- 
viola
Re: How to reproduce tomcat security vulnerabilities
On 21/09/2010 19:13, viola lu wrote:
> Can someone give some hints?

Take a look at the security pages.

Mark
Re: How to reproduce tomcat security vulnerabilities
Viola,

On 9/21/2010 10:13 PM, viola lu wrote:
> Here is my client:
> [snip]

Note that your client can be replaced by this one-liner:

$ wget -S -O - --header='Transfer-Encoding: unsupported' \
    --post-data='test send post' \
    http://localhost:8080/SecurityTomcat/SecurityServlet

It also has the added advantages of not stripping newlines from the response, and including the response headers in the output.

-chris
Re: How to reproduce tomcat security vulnerabilities
thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second one, I can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:

tomcat 6.0.26:
suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
--07:21:33--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
           => `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm=9.125.1.248:8080

tomcat 6.0.29:
suse10sp268:~ # wget -S -O - --post-data='test send post' http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
--07:24:02--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
           => `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm=Authentication required

But for the first one, both got the same response: 200 OK as below:
suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported' --post-data='test send post' http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
--07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
           => `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 61
Date: Thu, 23 Sep 2010 03:09:09 GMT
Connection: keep-alive
Length: 61 [text/html]

 0% [ ] 0 --.--K/s
unsupported application/x-www-form-urlencoded 9.125.1.248
100%[=] 61 --.--K/s

07:12:16 (7.27 MB/s) - `-' saved [61/61]

Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something wrong? Appreciate it if you can provide more help!

On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> [snip]

-- 
viola
How to reproduce tomcat security vulnerabilities
Hi,

From the tomcat 6.0.28 fix list, http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28, there are two security vulnerabilities fixed, but I have no idea how to trigger these flaws in tomcat 6.0.27 and what the failure should be, after several trials. For example the first one, Remote Denial Of Service and Information Disclosure Vulnerability: I created a client sending a POST request whose Transfer-Encoding is unsupported to a servlet; the servlet returns "Server returned HTTP response code: 501". Is this the failure symptom? Here is my client:

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.io.PrintWriter;
    import java.io.UnsupportedEncodingException;
    import java.net.HttpURLConnection;
    import java.net.ProtocolException;
    import java.net.URL;
    import java.net.URLConnection;

    // Class and method wrapper restored so the snippet compiles; the post showed only the body.
    public class SecurityClient {
        public static void main(String[] args) {
            try {
                URL url = new URL("http://localhost:8080/SecurityTomcat/SecurityServlet");
                URLConnection connection = url.openConnection();
                ((HttpURLConnection) connection).setRequestMethod("POST");
                connection.setDoOutput(true);
                connection.setDoInput(true); // Only if you expect to read a response...
                connection.setUseCaches(false); // Highly recommended...
                connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                //connection.setRequestProperty("Transfer-Encoding", "unsupported");
                connection.setRequestProperty("Transfer-Encoding", "unsupported");
                PrintWriter output;
                output = new PrintWriter(new OutputStreamWriter(connection.getOutputStream()));
                output.write("test send post");
                // output.write(request);
                output.flush();
                BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
                StringBuilder sb = new StringBuilder();
                String line = reader.readLine();
                // Read until the first empty line; newlines are not preserved in the output
                while (line != null && line.length() > 0) {
                    sb.append(line);
                    line = reader.readLine();
                }
                System.out.println(sb.toString());
                output.close();
                reader.close();
            } catch (UnsupportedEncodingException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            } catch (ProtocolException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
    }

The second one, Information disclosure in authentication headers, in my opinion, is reproduced by sending an unauthorized request, and then a 401 status code returns; if I can catch the WWW-Authenticate http header content, the server hostname will be printed out, am I right?

Can someone give some hints? Thanks in advance!

-- 
viola
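Added example (not code from the thread): a small Python checker that parses a raw HTTP response the way wget -S prints it and flags the two symptoms discussed in this thread, both in the original post here and in Christopher's replies above: a Basic realm that echoes the server's own address (the authentication-header disclosure fixed in 6.0.28), and a status other than 501 in reply to a request that carried an unsupported Transfer-Encoding (the fixed behaviour observed on 6.0.29 in the thread; treating 501 as the expected answer is an assumption of this check). The sample responses are constructed from the headers quoted in the thread, with the realm quotes the archive stripped put back.

```python
import re

# Constructed sample responses, built from the wget -S output quoted in the
# thread (bodies omitted). The IP and port are the ones shown in the posts.
UNFIXED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'WWW-Authenticate: Basic realm="9.125.1.248:8080"\r\n'
    "Content-Length: 0\r\n\r\n"
)
FIXED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'WWW-Authenticate: Basic realm="Authentication required"\r\n'
    "Content-Length: 0\r\n\r\n"
)
TE_ACCEPTED_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 61\r\n"
    "Date: Thu, 23 Sep 2010 03:09:09 GMT\r\n"
    "Connection: keep-alive\r\n\r\n"
)
TE_REJECTED_501 = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Length: 0\r\n\r\n"
)

# A realm that is just an IPv4 address, optionally with a port, is a giveaway
# even when the checker does not know the server's own address.
IPV4_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
REALM = re.compile(r'realm\s*=\s*"?([^",]*)"?', re.IGNORECASE)


def parse_response(raw):
    """Return (status code, {lowercased header name: [values]}) for a raw HTTP head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def realm_discloses_server(www_authenticate, host, port):
    """True if the Basic realm is the server's own host/IP, with or without its port."""
    match = REALM.search(www_authenticate)
    if not match:
        return False
    realm = match.group(1).strip()
    return realm in (host, f"{host}:{port}") or bool(IPV4_PORT.match(realm))


def check_response(raw, host, port, sent_unsupported_te=False):
    """Run both regression checks; an empty list means nothing was flagged."""
    status, headers = parse_response(raw)
    findings = []
    for value in headers.get("www-authenticate", []):
        if value.lower().startswith("basic") and realm_discloses_server(value, host, port):
            findings.append(f"WWW-Authenticate realm discloses the server address: {value}")
    if sent_unsupported_te and status != 501:
        findings.append(f"unsupported Transfer-Encoding answered with {status}, expected 501")
    return findings


if __name__ == "__main__":
    for label, raw, te in (("6.0.26 realm", UNFIXED_401, False),
                           ("6.0.29 realm", FIXED_401, False),
                           ("TE accepted", TE_ACCEPTED_200, True),
                           ("TE rejected", TE_REJECTED_501, True)):
        print(label, check_response(raw, "9.125.1.248", 8080, te) or "ok")
```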
Re: Tomcat Security
<ronald.wagen...@quicknet.nl> wrote in message news:fb91a4c0c0682.4b6a8...@quicknet.nl...
> We are running a few web applications on Tomcat 6 on a Windows Server 2003 system in a Windows 2003 Active Directory Forest.
> How to make the Tomcat environment secure (hardening)? I read about the security manager, but how to add the web applications in the catalina.policy? Is it possible to use Windows Authentication? Are there more possibilities?

If they are your apps, then a security manager just adds overhead in production (although it's not a bad idea to run it in development). After all, you can just fire the developer that inserted a back door into the app ;).

Ronald
Tomcat Security
We are running a few web applications on Tomcat 6 on a Windows Server 2003 system in a Windows 2003 Active Directory Forest.

How to make the Tomcat environment secure (hardening)? I read about the security manager, but how to add the web applications in the catalina.policy? Is it possible to use Windows Authentication? Are there more possibilities?

Ronald
Tomcat Security and Struts
Tomcat 6
Struts 1.3
OS: MacOS X - Leopard

Hi,

I am trying to make sure my app requires a login. So I configured the following in my deployment descriptor:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>*.do</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>member</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
        <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>

However, when I follow the links in my app the login page doesn't come in. Any ideas as to what I am doing wrong?

Thanks.
Re: Tomcat Security and Struts
Mighty Tornado wrote:
> <http-method>POST</http-method>

Why do you want to restrict access only to requests with the POST method? I usually do not use the http-method element.

> <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>

I'm not sure if the login page will work if it is located under the WEB-INF directory.

-- 
Mikolaj Rydzewski <m...@ceti.pl>
Re: Tomcat Security and Struts
Mighty Tornado wrote:
> Tomcat 6
> Struts 1.3
> OS: MacOS X - Leopard
>
> Hi,
>
> I am trying to make sure my app requires a login. So I configured the
> <url-pattern>*.do</url-pattern>

<url-pattern>/*</url-pattern> will protect everything.

> <http-method>POST</http-method>

This only protects the POST method. GETs will not be restricted. I'd remove this line.

Mark
RE: Tomcat Security and Struts
> From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
> Subject: Tomcat Security and Struts
>
> I am trying to make sure my app requires a login. So I configured the following in my deployment descriptor:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>admin</web-resource-name>
>     <url-pattern>*.do</url-pattern>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>member</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
>     <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>

Where is your <security-role> section?

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Tomcat Security and Struts
You are right: I just fixed this mistake - added

    <security-role>
      <role-name>member</role-name>
    </security-role>

into my web.xml. However, when I try to access my URL the browser gives me the following message: Data Transfer Interrupted

On Wed, Apr 22, 2009 at 10:26 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> [snip]
>
> Where is your <security-role> section?
>
> - Chuck
Re: Tomcat Security and Struts
Mark Thomas wrote:
> <url-pattern>/*</url-pattern> will protect everything.

If your login page uses any external assets (images, stylesheets, etc), it will become corrupted (assets won't load).

-- 
Mikolaj Rydzewski <m...@ceti.pl>
Re: Tomcat Security and Struts
Mikolaj,

On 4/22/2009 9:58 AM, Mikolaj Rydzewski wrote:
> Mighty Tornado wrote:
> I'm not sure if the login page will work if it is located under the WEB-INF directory.

Of course it will. There's nothing special about the WEB-INF directory that would prevent it from working.

-chris
RE: Tomcat Security and Struts
> From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
> Subject: Re: Tomcat Security and Struts
>
> Mark Thomas wrote:
> > <url-pattern>/*</url-pattern> will protect everything.
>
> If your login page uses any external assets (images, stylesheets, etc), it will become corrupted (assets won't load).

Care to explain that? The above construct seems to work fine for our static resources.

- Chuck
Re: Tomcat Security and Struts
Caldarale, Charles R wrote:
> > From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
> > Subject: Re: Tomcat Security and Struts
> >
> > Mark Thomas wrote:
> > > <url-pattern>/*</url-pattern> will protect everything.
> >
> > If your login page uses any external assets (images, stylesheets, etc), it will become corrupted (assets won't load).
>
> Care to explain that? The above construct seems to work fine for our static resources.

Maybe this: if the login page itself contains a link to a gif located in the same area, trying to load that gif will also hit the authentication bit, and trigger another login page, before the first even finishes displaying?
RE: Tomcat Security and Struts
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Tomcat Security and Struts

> Maybe this: if the login page itself contains a link to a gif located in the same area, trying to load that gif will also hit the authentication bit and trigger another login page, before the first even finishes displaying?

Of course; I was thinking basic authentication, not form.

- Chuck
Re: Tomcat Security and Struts
I think the following might be a problem. When I access the application I get this error in the browser:

    Firefox can't establish a connection to the server at localhost:8443

But Tomcat is supposed to listen on port 8080, and it has been for my app, until I put in the security feature. Any way around this?

On Wed, Apr 22, 2009 at 1:05 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Tomcat Security and Struts
>
>> Maybe this: if the login page itself contains a link to a gif located in the same area, trying to load that gif will also hit the authentication bit and trigger another login page, before the first even finishes displaying?
>
> Of course; I was thinking basic authentication, not form.
>
> - Chuck
Re: Tomcat Security and Struts
On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado mighty.torn...@gmail.com wrote:
> I think the following might be a problem. When I access the application I get this error in the browser: Firefox can't establish a connection to the server at localhost:8443
> But Tomcat is supposed to listen on port 8080, and it has been for my app, until I put in the security feature. Any way around this?

Er, way around? You're *telling* it to use an SSL connection:

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

If you don't want it to, don't do that. Pretty simple, really. :-)

-- 
Hassan Schroeder hassan.schroe...@gmail.com
Re: Tomcat Security and Struts
How can I make the request to port 8443 actually succeed?

On Wed, Apr 22, 2009 at 2:40 PM, Hassan Schroeder hassan.schroe...@gmail.com wrote:
> On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado mighty.torn...@gmail.com wrote:
>> I think the following might be a problem. When I access the application I get this error in the browser: Firefox can't establish a connection to the server at localhost:8443
>> But Tomcat is supposed to listen on port 8080, and it has been for my app, until I put in the security feature. Any way around this?
>
> Er, way around? You're *telling* it to use an SSL connection:
>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>
> If you don't want it to, don't do that. Pretty simple, really. :-)
>
> -- 
> Hassan Schroeder hassan.schroe...@gmail.com
RE: Tomcat Security and Struts
From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
Subject: Re: Tomcat Security and Struts

> Firefox can't establish a connection to the server at localhost:8443

You need to define a secure Connector for port 8443.

> But Tomcat is supposed to listen on port 8080

You can't run both HTTP and HTTPS on the same port. Since you specified a transport-guarantee of CONFIDENTIAL, you're requiring use of HTTPS. Your HTTP Connector is likely configured to forward secure requests to 8443.

- Chuck
Re: Tomcat Security and Struts
On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado mighty.torn...@gmail.com wrote:
> How can I make the request to port 8443 actually succeed?

Configure an https Connector.

-- 
Hassan Schroeder hassan.schroe...@gmail.com
Re: Tomcat Security and Struts
Mighty Tornado wrote:
> I think the following might be a problem. When I access the application I get this error in the browser: Firefox can't establish a connection to the server at localhost:8443

But did you not ask for this?

    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
Re: Tomcat Security and Struts
André,

On 4/22/2009 12:37 PM, André Warnier wrote:
> Caldarale, Charles R wrote:
>> From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
>> Subject: Re: Tomcat Security and Struts
>>
>>> Mark Thomas wrote:
>>>> <url-pattern>/*</url-pattern> will protect everything.
>>> If your login page uses any external assets (images, stylesheets, etc.), it will become corrupted (assets won't load).
>>
>> Care to explain that? The above construct seems to work fine for our static resources.
>
> Maybe this: if the login page itself contains a link to a gif located in the same area, trying to load that gif will also hit the authentication bit and trigger another login page, before the first even finishes displaying?

Precisely. Unfortunately, this actually makes things worse than you might think, since (some versions of) Tomcat store the most recent request as the one to replay after successful authentication. I have seen Tomcat respond post-authentication by serving a CSS file or graphic rather than the expected original request (usually an HTML page).

The solution, of course, is to leave your (appropriate) static content unprotected.

-chris
Re: Tomcat Security and Struts
Hassan,

On 4/22/2009 2:45 PM, Hassan Schroeder wrote:
> On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado mighty.torn...@gmail.com wrote:
>> How can I make the request to port 8443 actually succeed?
>
> Configure an https Connector.

And correctly set your redirectPort in the non-secure Connector.

-chris
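The two points made above (an HTTPS Connector on 8443, and a redirectPort on the plain Connector that points at it), as an added example that is not from the thread or from the Tomcat project: a server.xml fragment in Tomcat 6 syntax. The keystore file name and its password are placeholders, and the keystore has to exist before Tomcat starts.

```xml
<!-- Added example, not from the thread. Tomcat 6 Connector syntax; the
     keystore path and password are placeholders. -->
<Service name="Catalina">

  <!-- Plain HTTP on 8080. When a request reaches a resource whose
       constraint demands CONFIDENTIAL, Tomcat answers with a redirect to
       the same host on redirectPort, so this value must be the port of a
       real HTTPS Connector (below). A redirectPort with no Connector behind
       it is exactly the "can't establish a connection to localhost:8443"
       symptom. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS on 8443 using the JSSE implementation. scheme/secure make
       request.isSecure() true, which is what the CONFIDENTIAL check
       consults. -->
  <Connector port="8443" protocol="HTTP/1.1"
             SSLEnabled="true"
             scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="${catalina.base}/conf/localhost.jks"
             keystorePass="changeit" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Create the keystore with the JDK's keytool before starting Tomcat, e.g. `keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/localhost.jks`, using the same password you put in keystorePass. Then check both halves: `openssl s_client -connect localhost:8443` should print the certificate, and `curl -I http://localhost:8080/app/` (context path assumed) should now answer with a redirect whose Location header points at https://localhost:8443/app/. Note that the redirect only happens after the browser has already sent that first request in the clear, so the URL and any cookies on it have left the machine unencrypted; in production, expose only the HTTPS Connector or terminate TLS at a front-end proxy.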
Re: tomcat announce / tomcat security mailing list
Stephanie Wullbieter wrote:
>> Because there isn't one. You can use one of the searchable lists to find announcements (e.g., http://marc.info/?l=tomcat-user, search for ANN), or
> searching for a subject ann does not work for me on the above link. The results are from other lists.
>> look on the appropriate web page for security: http://tomcat.apache.org/security.html
> I want to be informed passively because I have other things to do than hunting. I use the digest mailing list tomcat user so I cannot configure a subject filter. I would have to register a second mail account. That's all too complicated. Why don't you just create one more mailing list.

Dear Stephanie,

the people on this list sincerely apologise for wasting Your precious time. We all regret that You do not find here the list that fits Your particular needs, avoids inconveniencing You and is less complicated. Of course You still have the option to create Your own Tomcat mailing list, on Your server of choice. That would have the additional advantage that You would be able to tailor its contents exactly to Your personal needs, and that nobody else would post messages on it irrelevant to You, making Your searches so much more efficient. It would also free the time of the generally helpful volunteer people on this list, for answering genuine questions of interest to the majority of us.

Have a very nice, very personal Christmas, and may Santa grant all your wishes (as I'm sure he does every year).
Re: tomcat announce / tomcat security mailing list
Stephanie,

Charles did not recommend searching the list for "ann" but for "ANN" - please notice the difference. If that's all too complicated for you, maybe this suggestion helps:

- Subscribe to the Tomcat-Users-Mailinglist (not the digest)
- create the following filter:

    if (from == users@tomcat.apache.org AND topic contains ANN)
        move mail into folder TOMCAT-ANNOUNCE
    else if (from == users@tomcat.apache.org)
        move mail to trash
    end-if

- hope you're aware that the above is just a bit of pseudo-code; however, usually it's easy to implement with most common mail-readers. If GMX doesn't offer such options, get your GMail account: there it works like a charm.

Regards
Gregor

-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
tomcat announce / tomcat security mailing list
Hello,

I did not find a tomcat announce and/or tomcat security mailing list. That would be fine, because there is so much noise on this users mailing list. What about that?

Best regards,
Stephanie
RE: tomcat announce / tomcat security mailing list
From: Stephanie Wullbieter [mailto:swu...@gmx.de]
Subject: tomcat announce / tomcat security mailing list

> did not find a tomcat announce and/or tomcat security mailing list.

Because there isn't one. You can use one of the searchable lists to find announcements (e.g., http://marc.info/?l=tomcat-user, search for ANN), or look on the appropriate web page for security: http://tomcat.apache.org/security.html

You can also use the searchable lists to hunt for SECURITY, but the above web page is better for that.

- Chuck
Re: RE: tomcat announce / tomcat security mailing list
> Because there isn't one. You can use one of the searchable lists to find announcements (e.g., http://marc.info/?l=tomcat-user, search for ANN), or

Searching for a subject "ann" does not work for me on the above link. The results are from other lists.

> look on the appropriate web page for security: http://tomcat.apache.org/security.html

I want to be informed passively because I have other things to do than hunting. I use the digest mailing list tomcat user so I cannot configure a subject filter. I would have to register a second mail account. That's all too complicated. Why don't you just create one more mailing list.
Tomcat Security
Rainer, Michael, (*)

do you know this place? (in German) http://www.bsi.bund.de/literat/index.htm

Look for A (for Apache) and T (for Tomcat). The one for Tomcat relates to 5.5.9, but is still interesting reading.

(*) and also Chuck, Chris, Mark etc., but I wouldn't presume.

- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat Security
It's a pity that my German isn't so good! ;)

On Thu, 2008-11-27 at 09:04 +0100, André Warnier wrote:
> Rainer, Michael, (*)
>
> do you know this place? (in German) http://www.bsi.bund.de/literat/index.htm
>
> Look for A (for Apache) and T (for Tomcat). The one for Tomcat relates to 5.5.9, but is still interesting reading.
>
> (*) and also Chuck, Chris, Mark etc., but I wouldn't presume.
RE: Tomcat Security
From: Pieter Temmerman [mailto:[EMAIL PROTECTED]]
Subject: Re: Tomcat Security

> It's a pity that my German isn't so good! ;)

Yes, after forty years of not using it, my German is largely unusable.

- Chuck
RE: Exception while running web application with Tomcat security manager enabled
From: Vijayaraghavan Amirisetty [mailto:[EMAIL PROTECTED]]
Subject: Re: Exception while running web application with Tomcat security manager enabled

> Does the Tomcat Security Manager use any native libraries for its operations?

No.

- Chuck
Exception while running web application with Tomcat security manager enabled
hello,

I am trying to run a simple webapp on tomcat 5.0 with the security manager enabled, i.e. with the additional options

    -Djava.security.manager -Djava.security.policy=%CATALINA_BASE%\conf\catalina.policy

for the tomcat JVM. I get the following stack trace when I point the browser to my webapp:

    exception: javax.servlet.ServletException: Servlet.init() for servlet struts-controller threw exception
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)

    Root Cause: java.lang.NullPointerException
        at java.security.AccessControlContext.<init>(AccessControlContext.java:68)
        at javax.security.auth.Subject$5.run(Subject.java:728)
        at java.security.AccessController.doPrivileged(AccessController.java:147)
        at javax.security.auth.Subject.createContext(Subject.java:718)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:709)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)

I tried digging into the code of AccessController (http://www.docjar.com/html/api/java/security/AccessController.java.html), where I gathered that

    public static native <T> T doPrivileged(PrivilegedAction<T> action);

throws a NullPointerException in case the action is null. I am not able to understand the reason for the action being null.

Has it something to do with missing native library files? I have given all permissions to the webapp in catalina.policy, hence I feel that missing privileges should not be an issue:

    grant codeBase "file:${catalina.home}/webapps/adminconsole/-" {
        permission java.security.AllPermission;
    };

I am trying to run tomcat on Linux 64 and the Java version is 1.4.2.

Please help
vijay
RE: Exception while running web application with Tomcat security manager enabled
From: Vijayaraghavan Amirisetty [mailto:[EMAIL PROTECTED]]
Subject: Exception while running web application with Tomcat security manager enabled

> I am trying to run a simple webapp on tomcat 5.0

The 5.0 branch is no longer supported; can you try it on 5.5 or 6.0?

> i.e. with the additional options -Djava.security.manager -Djava.security.policy=%CATALINA_BASE%\conf\catalina.policy

> I am trying to run tomcat on Linux 64 and the Java version is 1.4.2

If you're on Linux, why does the path to the policy file have back slashes in it?

- Chuck
Re: Exception while running web application with Tomcat security manager enabled
Hi Charles,

The additional

On Thu, Oct 9, 2008 at 1:49 AM, Caldarale, Charles R [EMAIL PROTECTED] wrote:
> From: Vijayaraghavan Amirisetty [mailto:[EMAIL PROTECTED]]
> Subject: Exception while running web application with Tomcat security manager enabled
>
>> I am trying to run a simple webapp on tomcat 5.0
>
> The 5.0 branch is no longer supported; can you try it on 5.5 or 6.0?

I tried it on 5.5.23 and it worked fine. But I need to make it work on Tomcat 5.0 as it is a production setup and I cannot change the Tomcat setup.

>> i.e. with the additional options -Djava.security.manager -Djava.security.policy=%CATALINA_BASE%\conf\catalina.policy
>> I am trying to run tomcat on Linux 64 and the Java version is 1.4.2
>
> If you're on Linux, why does the path to the policy file have back slashes in it?

aah .. This was for windows.. For linux I am using

    -Djava.security.manager \
    -Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy \

Still trying to figure it out .. Does the Tomcat Security Manager use any native libraries for its operations?
Re: Exception while running web application with Tomcat security manager enabled
Adding some more findings.

- The java.security.AccessController.doPrivileged(AccessController.java:147) is a native method.
- Using java 1.5.0 to start the tomcat with Security Manager enabled works fine.

Figuring out what has changed in java.security across 1.4.2 and 1.5.

On Thu, Oct 9, 2008 at 4:55 AM, Vijayaraghavan Amirisetty [EMAIL PROTECTED] wrote:
> Hi Charles,
>
> The additional
>
> On Thu, Oct 9, 2008 at 1:49 AM, Caldarale, Charles R [EMAIL PROTECTED] wrote:
>> From: Vijayaraghavan Amirisetty [mailto:[EMAIL PROTECTED]]
>> Subject: Exception while running web application with Tomcat security manager enabled
>>
>>> I am trying to run a simple webapp on tomcat 5.0
>>
>> The 5.0 branch is no longer supported; can you try it on 5.5 or 6.0?
>
> I tried it on 5.5.23 and it worked fine. But I need to make it work on Tomcat 5.0 as it is a production setup and I cannot change the Tomcat setup.
>
>>> i.e. with the additional options -Djava.security.manager -Djava.security.policy=%CATALINA_BASE%\conf\catalina.policy
>>> I am trying to run tomcat on Linux 64 and the Java version is 1.4.2
>>
>> If you're on Linux, why does the path to the policy file have back slashes in it?
>
> aah .. This was for windows.. For linux I am using
>
>     -Djava.security.manager \
>     -Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy \
>
> Still trying to figure it out .. Does the Tomcat Security Manager use any native libraries for its operations?