subject:"Tomcat Security"

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mouradk,

On 10/10/12 7:49 AM, Mouradk wrote:
 I am running a servlet that reads and writes to an remote instance
 of = Hbase/Hadoop on ec2. When the security manager is off, all is
 fine. But = when the manager is on, write and read operations
 fail.
 
 I have the following permissions on my 04webapps.policy file:

04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
this something that your local installation supports in some way?

 permission java.net.SocketPermission = 
 ip-10-234-X-X.eu-west-1.compute.internal:*, connect,resolve; 
 permission java.net.SocketPermission 10.234.X.X:*, = 
 connect,resolve; =20 (10.234.X.X) being the address of the remote
 instance with Hbase.
 
 I cannot track anything in the logs. No error or exception,the app
 just = freezes.

Try adding this to CATALINA_OPTS:

  -Djava.security.debug=all

This will give you a whole bunch of information about what the
SecurityManager is doing, including dumping errors when security
checks fail.

If you only want to see failures (which is usually the case), try this:

  -Djava.security.debug=access:failure

If you want to know the full range of options in your environment, run:

  java -Djava.security.debug=help

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB1diIACgkQ9CaO5/Lv0PARYACeNGI54lL44lGSbOOArxtZ3sYB
0A8An2CM1W90Yh08C0yNMc1n8wmcR/7D
=O6NC
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

2012-10-10 Thread Mouradk

Hi Chris,

I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS you 
mean that in /usr/share/tomcat6/bin/catalina.sh .
I have added this as such:

CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all

I have also set the logging level to FINE in 
$CATALINA_HOME/conf/logging.properties
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE

But not getting debug messages?

Thanks for you help.

Mourad





On 10 Oct 2012, at 14:20, Christopher Schultz ch...@christopherschultz.net 
wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Mouradk,
 
 On 10/10/12 7:49 AM, Mouradk wrote:
 I am running a servlet that reads and writes to an remote instance
 of = Hbase/Hadoop on ec2. When the security manager is off, all is
 fine. But = when the manager is on, write and read operations
 fail.
 
 I have the following permissions on my 04webapps.policy file:
 
 04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
 this something that your local installation supports in some way?
 
 permission java.net.SocketPermission = 
 ip-10-234-X-X.eu-west-1.compute.internal:*, connect,resolve; 
 permission java.net.SocketPermission 10.234.X.X:*, = 
 connect,resolve; =20 (10.234.X.X) being the address of the remote
 instance with Hbase.
 
 I cannot track anything in the logs. No error or exception,the app
 just = freezes.
 
 Try adding this to CATALINA_OPTS:
 
  -Djava.security.debug=all
 
 This will give you a whole bunch of information about what the
 SecurityManager is doing, including dumping errors when security
 checks fail.
 
 If you only want to see failures (which is usually the case), try this:
 
  -Djava.security.debug=access:failure
 
 If you want to know the full range of options in your environment, run:
 
  java -Djava.security.debug=help
 
 Hope that helps,
 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
 
 iEYEARECAAYFAlB1diIACgkQ9CaO5/Lv0PARYACeNGI54lL44lGSbOOArxtZ3sYB
 0A8An2CM1W90Yh08C0yNMc1n8wmcR/7D
 =O6NC
 -END PGP SIGNATURE-
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

2012-10-10 Thread André Warnier


Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mouradk,

On 10/10/12 7:49 AM, Mouradk wrote:

I am running a servlet that reads and writes to an remote instance
of = Hbase/Hadoop on ec2. When the security manager is off, all is
fine. But = when the manager is on, write and read operations
fail.

I have the following permissions on my 04webapps.policy file:


04webapps.policy isn't a file I recognize as one that Tomcat reads. Is
this something that your local installation supports in some way?


Info: this looks very much like what the Linux Debian Tomcat package is doing : splitting 
up catalina.policy into chunks stored in /etc/tomcat/policy.d/*, which are then 
re-combined into catalina.policy by the package's Tomcat startup script just before 
launching the JVM.


Practically speaking, it is not a bad idea. catalina.policy as one big chunk is not very 
easy to read or edit.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mouradk,

On 10/10/12 10:04 AM, Mouradk wrote:
 I am using Tomcat6 on ubuntu 10.10. I suppose when you say 
 CATALINA_OPTS you mean that in /usr/share/tomcat6/bin/catalina.sh
 .

It would be better to use CATALINA_BASE/bin/setenv.sh so you don't
have to modify Tomcat's stock startup script. You can also just set it
on the command-line (using 'export CATALINA_OPTS=...') and then launch
Tomcat from the command-line.

 I have added this as such:
 
 CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS,
 -Djava.security.debug=all
 
 I have also set the logging level to FINE in
 $CATALINA_HOME/conf/logging.properties 
 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level
 = FINE
 
 But not getting debug messages?

Check logs/catalina.out (or whatever Ubuntu does with stdout when you
launch Tomcat).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB1g+wACgkQ9CaO5/Lv0PBNDQCcCVRxm22clViD8Pql/EgJGPIK
+ocAn15SFc9T4eYwm/bIwggqir69ajju
=0sVv
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Tomcat Security Limitation

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

André,

On 10/10/12 10:05 AM, André Warnier wrote:
 Christopher Schultz wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 Mouradk,
 
 On 10/10/12 7:49 AM, Mouradk wrote:
 I am running a servlet that reads and writes to an remote
 instance of = Hbase/Hadoop on ec2. When the security manager is
 off, all is fine. But = when the manager is on, write and read
 operations fail.
 
 I have the following permissions on my 04webapps.policy file:
 
 04webapps.policy isn't a file I recognize as one that Tomcat
 reads. Is this something that your local installation supports in
 some way?
 
 Info: this looks very much like what the Linux Debian Tomcat
 package is doing : splitting up catalina.policy into chunks
 stored in /etc/tomcat/policy.d/*, which are then re-combined into 
 catalina.policy by the package's Tomcat startup script just
 before launching the JVM.
 
 Practically speaking, it is not a bad idea. catalina.policy as one
 big chunk is not very easy to read or edit.

Nor is it easy to keep up-to-date when Tomcat ships with a new version
of the policy file. This happens even with point-releases so it's not
like just syncing everything up when you do a major-version upgrade
and have to re-write server.xml essentially from scratch.

In general, I would advocate for splitting Tomcat's policy up into
several files, but that significantly complicates deployment across
multiple OSs and styles of launching Tomcat. With shell scripts (which
is how *NIX services all launch), it's easy. On Windows, it's not
quite so easy and would probably lead to confusion.

So, if Debian/Ubuntu wants to split the policy file for their
package-manager version I think it makes sense, but it would just add
complexity at the stock-Tomcat level... and configuring Tomcat is
already pushing the complexity limit for a lot of its users.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB1hMgACgkQ9CaO5/Lv0PC9/wCePhrwuTxM9HZuSllgsx4RM2uh
zqAAoIJaaAZQ6H4W1J0TDzqwJ4/0Xa+R
=LnnP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

2012-10-10 Thread André Warnier

Mouradk wrote:

Hi Chris,

I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS you
mean that in /usr/share/tomcat6/bin/catalina.sh .
I have added this as such:

CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all

I have also set the logging level to FINE in
$CATALINA_HOME/conf/logging.properties
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE

But not getting debug messages?

Mouradk,

Each Linux distribution has different ways of packaging software like Tomcat, and the
people on this list do not all have the same system, and they do not necessarily know
which files you are talking about on /your/ system.
(These packages have a tendency to spread the software and the settings over many
directories and files; and they all do it differently).

For that reason, most people here will tend to refer to the standard Tomcat
distribution, which is the one that you can download from the Tomcat website, and which is
know to all (and is much simpler in terms of file structure).

The following info is thus only because I happen to have Tomcat running under Linux Debian
(similar to Ubuntu), and can compare things with my system.

Then,

- in general, if you want to follow how the Tomcat6 package starts Tomcat under
Ubuntu/Debian, look at the /etc/init.d/tomcat6 script. That is the one that pulls in all
the other ones, sets the options, etc..

- in the line you show above, there is a (wrong) comma after $JPDA_OPTS.
Remove it.
- you should generally not modify the catalina.sh script
- if you make changes to environment variables like CATALINA_OPTS, put them in the
separate script setenv.sh, which you will also find in the /usr/share/tomcat6/bin/
directory. This will be read by the catalina.sh script at startup of Tomcat.

Add the line as :
CATALINA_OPTS=$CATALINA_OPTS -Djava.security.debug=all
- under Ubuntu (as under Debian), you probably need to edit another file in order to have
the JVM start with the Java security manager enabled. I don't know for Ubuntu, but under
Debian it would be /etc/default/tomcat6 and it should have a line like :

TOMCAT_SECURITY=yes (or no)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

2012-10-10 Thread Mouradk

Dear all,

Thanks all for your reply. I managed to get the debug logs on and those logs of 
interest were set to WARN (warnings), they gave me an indication to the 
required security settings and I finally got it to work !!

I am experiencing another problem now. But at least I got Tomcat security 
manager out of the way…..I hope!

Many thanks,

Mourad

On 10 Oct 2012, at 15:37, André Warnier a...@ice-sa.com wrote:

 Mouradk wrote:
 Hi Chris,
 I am using Tomcat6 on ubuntu 10.10. I suppose when you say CATALINA_OPTS you 
 mean that in /usr/share/tomcat6/bin/catalina.sh .
 I have added this as such:
 CATALINA_OPTS=$CATALINA_OPTS $JPDA_OPTS, -Djava.security.debug=all
 I have also set the logging level to FINE in 
 $CATALINA_HOME/conf/logging.properties
 org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
 But not getting debug messages?
 
 Mouradk,
 
 Each Linux distribution has different ways of packaging software like 
 Tomcat, and the people on this list do not all have the same system, and they 
 do not necessarily know which files you are talking about on /your/ system.
 (These packages have a tendency to spread the software and the settings over 
 many directories and files; and they all do it differently).
 
 For that reason, most people here will tend to refer to the standard Tomcat 
 distribution, which is the one that you can download from the Tomcat website, 
 and which is know to all (and is much simpler in terms of file structure).
 
 The following info is thus only because I happen to have Tomcat running under 
 Linux Debian (similar to Ubuntu), and can compare things with my system.
 
 Then,
 
 - in general, if you want to follow how the Tomcat6 package starts Tomcat 
 under Ubuntu/Debian, look at the /etc/init.d/tomcat6 script.  That is the one 
 that pulls in all the other ones, sets the options, etc..
 - in the line you show above, there is a (wrong) comma after $JPDA_OPTS.  
 Remove it.
 - you should generally not modify the catalina.sh script
 - if you make changes to environment variables like CATALINA_OPTS, put them 
 in the separate script setenv.sh, which you will also find in the 
 /usr/share/tomcat6/bin/ directory.  This will be read by the catalina.sh 
 script at startup of Tomcat.
 Add the line as :
 CATALINA_OPTS=$CATALINA_OPTS -Djava.security.debug=all
 - under Ubuntu (as under Debian), you probably need to edit another file in 
 order to have the JVM start with the Java security manager enabled.  I don't 
 know for Ubuntu, but under Debian it would be /etc/default/tomcat6 and it 
 should have a line like :
 TOMCAT_SECURITY=yes (or no)
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security Limitation

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mourad,

On 10/10/12 12:35 PM, Mouradk wrote:
 Thanks all for your reply. I managed to get the debug logs on and 
 those logs of interest were set to WARN (warnings), they gave me
 an indication to the required security settings and I finally got
 it to work !!

Would you care to post-back to the list to describe what you needed to
do to get it to work? You may help someone else who reads the archives.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB1skoACgkQ9CaO5/Lv0PAviQCfRLk3F/tMo7xWU/SfJZxTF7ja
7nwAn2ESxBrcNTlVx2dGfk79SV032Uot
=ir8s
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Security Permission Issue

2012-08-08 Thread bogdan ivascu

System: ubuntu server 11.10
  tomcat6 ( installed from apt-get not downloaded ).

Starting without -security enabled all works fine. Starting tomcat with
-security enabled gives the following:

SEVERE: Exception starting filter app
org.apache.tapestry5.ioc.internal.OperationException: Error building
service proxy for service 'RegistryStartup' (at
org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
(at RegistryStartup.java:36) via
org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
TapestryIOCModule.java:49)): Unable to locate class file for
'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
/WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
at
org.apache.tapestry5.ioc.internal.OperationTrackerImpl.logAndRethrow(OperationTrackerImpl.java:121)
 ...
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.lang.RuntimeException: Error building service proxy for
service 'RegistryStartup' (at
org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
(at RegistryStartup.java:36) via
org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
TapestryIOCModule.java:49)): Unable to locate class file for
'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
/WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
at
org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:327)
at
org.apache.tapestry5.ioc.internal.OperationTrackerImpl.invoke(OperationTrackerImpl.java:74)
... 44 more
Caused by: java.lang.RuntimeException: Unable to locate class file for
'java.lang.Runnable' in class loader WebappClassLoader
  context:
  delegate: false
  repositories:
/WEB-INF/classes/
-- Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@4d911540
.
...
at
org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:311)
... 45 more

Below my webapp.policy file:

grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission java.home, read;
permission java.util.PropertyPermission java.naming.*, read;
permission java.util.PropertyPermission javax.sql.*, read;

// OS Specific properties to allow read access
permission java.util.PropertyPermission os.name, read;
permission java.util.PropertyPermission os.version, read;
permission java.util.PropertyPermission os.arch, read;
permission java.util.PropertyPermission file.separator, read;
permission java.util.PropertyPermission path.separator, read;
permission java.util.PropertyPermission line.separator, read;

// JVM properties to allow read access
permission java.util.PropertyPermission java.version, read;
permission java.util.PropertyPermission java.vendor, read;
permission java.util.PropertyPermission java.vendor.url, read;
permission java.util.PropertyPermission java.class.version, read;
permission java.util.PropertyPermission java.specification.version,
read;
permission java.util.PropertyPermission java.specification.vendor,
read;
permission java.util.PropertyPermission java.specification.name,
read;

permission java.util.PropertyPermission
java.vm.specification.version, read;
permission java.util.PropertyPermission java.vm.specification.vendor,
read;
permission java.util.PropertyPermission java.vm.specification.name,
read;
permission java.util.PropertyPermission java.vm.version, read;
permission java.util.PropertyPermission java.vm.vendor, read;
permission java.util.PropertyPermission java.vm.name, read;

// Required for OpenJMX
permission java.lang.RuntimePermission getAttribute;

// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission jaxp.debug, read;

// Precompiled JSPs need access to this package.
permission java.lang.RuntimePermission
accessClassInPackage.org.apache.jasper.runtime;
permission java.lang.RuntimePermission
accessClassInPackage.org.apache.jasper.runtime.*;

// Example JSPs need those to work properly
permission java.lang.RuntimePermission
accessClassInPackage.org.apache.jasper.el;
permission java.lang.RuntimePermission accessDeclaredMembers;

// Precompiled JSPs need access to this system property.
permission java.util.PropertyPermission
org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER, read;

// java.io.tmpdir should be usable as a temporary file directory
permission java.util.PropertyPermission java.io.tmpdir, read;
permission java.io.FilePermission ${java.io.tmpdir}/-,
read,write,delete;

   //TAPESTRY SPECIFIC PERMISSIONS
   permission

Re: Tomcat Security Permission Issue

2012-08-08 Thread Konstantin Kolinko

2012/8/9 bogdan ivascu ivascu.bogdan...@gmail.com:
 System: ubuntu server 11.10
   tomcat6 ( installed from apt-get not downloaded ).

 Starting without -security enabled all works fine. Starting tomcat with
 -security enabled gives the following:

 SEVERE: Exception starting filter app
 org.apache.tapestry5.ioc.internal.OperationException: Error building
 service proxy for service 'RegistryStartup' (at
 org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
 (at RegistryStartup.java:36) via
 org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
 TapestryIOCModule.java:49)): Unable to locate class file for
 'java.lang.Runnable' in class loader WebappClassLoader
   context:
   delegate: false
   repositories:
 /WEB-INF/classes/
 -- Parent Classloader:
 org.apache.catalina.loader.StandardClassLoader@4d911540
 .
 at
 org.apache.tapestry5.ioc.internal.OperationTrackerImpl.logAndRethrow(OperationTrackerImpl.java:121)
  ...
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
 Caused by: java.lang.RuntimeException: Error building service proxy for
 service 'RegistryStartup' (at
 org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
 (at RegistryStartup.java:36) via
 org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
 TapestryIOCModule.java:49)): Unable to locate class file for
 'java.lang.Runnable' in class loader WebappClassLoader
   context:
   delegate: false
   repositories:
 /WEB-INF/classes/
 -- Parent Classloader:
 org.apache.catalina.loader.StandardClassLoader@4d911540
 .
 at
 org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:327)
 at
 org.apache.tapestry5.ioc.internal.OperationTrackerImpl.invoke(OperationTrackerImpl.java:74)
 ... 44 more
 Caused by: java.lang.RuntimeException: Unable to locate class file for
 'java.lang.Runnable' in class loader WebappClassLoader
   context:
   delegate: false
   repositories:
 /WEB-INF/classes/
 -- Parent Classloader:
 org.apache.catalina.loader.StandardClassLoader@4d911540
 .
 ...
 at
 org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:311)
 ... 45 more

 Below my webapp.policy file:

 grant {
 // Required for JNDI lookup of named JDBC DataSource's and
 // javamail named MimePart DataSource used to send mail
 permission java.util.PropertyPermission java.home, read;
 permission java.util.PropertyPermission java.naming.*, read;
 permission java.util.PropertyPermission javax.sql.*, read;

 // OS Specific properties to allow read access
 permission java.util.PropertyPermission os.name, read;
 permission java.util.PropertyPermission os.version, read;
 permission java.util.PropertyPermission os.arch, read;
 permission java.util.PropertyPermission file.separator, read;
 permission java.util.PropertyPermission path.separator, read;
 permission java.util.PropertyPermission line.separator, read;

 // JVM properties to allow read access
 permission java.util.PropertyPermission java.version, read;
 permission java.util.PropertyPermission java.vendor, read;
 permission java.util.PropertyPermission java.vendor.url, read;
 permission java.util.PropertyPermission java.class.version, read;
 permission java.util.PropertyPermission java.specification.version,
 read;
 permission java.util.PropertyPermission java.specification.vendor,
 read;
 permission java.util.PropertyPermission java.specification.name,
 read;

 permission java.util.PropertyPermission
 java.vm.specification.version, read;
 permission java.util.PropertyPermission java.vm.specification.vendor,
 read;
 permission java.util.PropertyPermission java.vm.specification.name,
 read;
 permission java.util.PropertyPermission java.vm.version, read;
 permission java.util.PropertyPermission java.vm.vendor, read;
 permission java.util.PropertyPermission java.vm.name, read;

 // Required for OpenJMX
 permission java.lang.RuntimePermission getAttribute;

 // Allow read of JAXP compliant XML parser debug
 permission java.util.PropertyPermission jaxp.debug, read;

 // Precompiled JSPs need access to this package.
 permission java.lang.RuntimePermission
 accessClassInPackage.org.apache.jasper.runtime;
 permission java.lang.RuntimePermission
 accessClassInPackage.org.apache.jasper.runtime.*;

 // Example JSPs need those to work properly
 permission java.lang.RuntimePermission
 accessClassInPackage.org.apache.jasper.el;
 permission java.lang.RuntimePermission accessDeclaredMembers;

 // Precompiled JSPs need access to this system property.
 permission java.util.PropertyPermission
 org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER, read;

 // java.io.tmpdir should be usable as a temporary file directory
 permission

Re: tomcat security authenticator

2012-06-28 Thread Konstantin Kolinko

2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
 Hi,

 I need to use custom authenticator, because a part of application is
 using container authentication, and unfortunately the usersernames in
 realm conflicts with usernames in application database. :(

 So I need, that if anibody is logged in to my application, then the
 authenticator automatically authorizes when needed.

 I think, if I replace the FormAuthenticator with an descendant, it'll
 solve the problem.

 To extend FormAuthenticator is simple, but how can I make Tomcat to use it?


1) Why not a Realm?
2) An Authenticator is a Valve and is configured like any other valve.
If one is present, Tomcat will not configure its own.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat security authenticator

2012-06-28 Thread Komáromi , Zoltán

1. Why not a Realm?
Because the authentication depends on session attribute, and I want to
bypass the form if user is logged in.

So is this correct?

Valve className=hu.kozo.security.MyFormAuthenticator /

The tomcat's doc says, that Java class name of the implementation to
use. This MUST be set to
org.apache.catalina.authenticator.FormAuthenticator.

Tnaks for help.

2012/6/28 Konstantin Kolinko knst.koli...@gmail.com:
 2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
 Hi,

 I need to use custom authenticator, because a part of application is
 using container authentication, and unfortunately the usersernames in
 realm conflicts with usernames in application database. :(

 So I need, that if anibody is logged in to my application, then the
 authenticator automatically authorizes when needed.

 I think, if I replace the FormAuthenticator with an descendant, it'll
 solve the problem.

 To extend FormAuthenticator is simple, but how can I make Tomcat to use it?


 1) Why not a Realm?
 2) An Authenticator is a Valve and is configured like any other valve.
 If one is present, Tomcat will not configure its own.

 Best regards,
 Konstantin Kolinko

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat security authenticator

2012-06-28 Thread Jose María Zaragoza

2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
 1. Why not a Realm?
 Because the authentication depends on session attribute, and I want to
 bypass the form if user is logged in.

When I used Tomcat's realm to authenticate users , that was a issue
than I missed : to access to session enviroment or context enviroment.
I had to try Spring Security because it implements this feature

I understand that authentication is a previous step to accessing web
application, but , sometimes, it's required to update session
enviroment . For example, to forward to a custom error page , with a
diferent message error ( user not found, user is already logged,
etc. )
Some of these things I could solve with filters  temp registers in
database, but I don't like it

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat security authenticator

2012-06-28 Thread Kris Easter


 I think, if I replace the FormAuthenticator with an descendant, it'll
 solve the problem.
 
 To extend FormAuthenticator is simple, but how can I make Tomcat to use it?

I tested this out at one time but it was never placed in production.  My
terse notes, which might be leaving something out, on doing this are:


In web.xml define auth-method as:

auth-methodFORMOIT/auth-method

Extract org/apache/catalina/startup/Authenticators.properties from
catalina.jar add line:

FORMOIT=mynewpackage.NewFormAuthenticator

Update catalina.jar

jar -uf catalina.jar
org/apache/catalina/startup/Authenticators.properties


HTH,
Kris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat security authenticator

2012-06-28 Thread Martin Gainty


so the client will need to encrypt the data before the client puts the data on 
the wire?

in that case you'll want to take a look at configure both the client 
transmitting the secured data and server ACK or responding with encrypted resp 
via JSSE 
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
Fun Stuff
Martin 
__ 
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger 
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung 
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem 
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. 
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung 
fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le 
destinataire prévu, nous te demandons avec bonté que pour satisfaire informez 
l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est 
interdite. Ce message sert à l'information seulement et n'aura pas n'importe 
quel effet légalement obligatoire. Étant donné que les email peuvent facilement 
être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité 
pour le contenu fourni.

  Subject: Re: tomcat security authenticator
 From: kris.eas...@colorado.edu
 To: users@tomcat.apache.org
 Date: Thu, 28 Jun 2012 07:51:58 -0600
 
 
  I think, if I replace the FormAuthenticator with an descendant, it'll
  solve the problem.
  
  To extend FormAuthenticator is simple, but how can I make Tomcat to use it?
 
 I tested this out at one time but it was never placed in production.  My
 terse notes, which might be leaving something out, on doing this are:
 
 
 In web.xml define auth-method as:
 
 auth-methodFORMOIT/auth-method
 
 Extract org/apache/catalina/startup/Authenticators.properties from
 catalina.jar add line:
 
 FORMOIT=mynewpackage.NewFormAuthenticator
 
 Update catalina.jar
 
 jar -uf catalina.jar
 org/apache/catalina/startup/Authenticators.properties
 
 
 HTH,
 Kris
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat security authenticator

2012-06-28 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Zoltán,

On 6/28/12 4:08 AM, Komáromi, Zoltán wrote:
 1. Why not a Realm? Because the authentication depends on session
 attribute, and I want to bypass the form if user is logged in.
 
 So is this correct?
 
 Valve className=hu.kozo.security.MyFormAuthenticator /
 
 The tomcat's doc says, that Java class name of the implementation
 to use. This MUST be set to 
 org.apache.catalina.authenticator.FormAuthenticator.

You must use FormAuthenticator if you want to use Tomcat's FORM
authentication. It doesn't mean it's the only valid value for the
class attribute.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/s9GsACgkQ9CaO5/Lv0PDUawCeIvQA5lwB5eNyld/vdQ1cTXXP
CmIAn3DeIW/bPeAThNunF4VI7J83EMlK
=F8Im
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

2011-05-20 Thread Michael McCutcheon


On 5/17/2011 5:46 AM, Mark Thomas wrote:

CVE-2011-1582 Apache Tomcat security constraint bypass

Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that
security constraints configured via annotations were ignored on the
first request to a Servlet. Subsequent requests were secured correctly.


I had seen this exact behavior myself and was not sure if it was a bug 
in my code or not.


Anyway, glad it's fixed!

Keep up the good work.

-Mike


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

2011-05-17 Thread Mark Thomas

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.12-7.0.13
- - Earlier versions are not affected

Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that
security constraints configured via annotations were ignored on the
first request to a Servlet. Subsequent requests were secured correctly.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat 7.0.14 or later
- - Define all security constraints in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJN0m4vAAoJEBDAHFovYFnn5NkQAOBocyvRk9fTGX569Ga95yDJ
vV84ZS3D1jCP3VQ1swh1Ouzd9NdP9pRGVWysTjz6N1bsZ+BMpGIyT/GpMqhfPAPx
OzzbkM2cNow8MR/PG3rFbYjQH1r6D400zSu+drHDtTzrOY2uXS2ClL0UuxUg9LcN
tUfidh9629OMVtuWqA2jwTSrc7fDdye5Ti1HZ0g5vUG5Cvab4LCcRdwh2VWT7g3T
LKUTr6AZAz0mQ/7+QNJOOykX+FJcOL99Q46NLVZzeLPWFoEBZn/BRs8O9WehYnLV
EEZtARSaUzTjssePo/O+oV4xYW5JIA1+5sKG7+xIvIaWKMbIPbdrPEPZusK/X0QR
LjdLbMUGcGzDUVNP0hGzpArIDXcWmslJKJ3YFTCg3VdeamULh12bqxw3AtliAzI9
pSTcMcVNOMWZOUl/Czc2I3t5ehWaOGr5j3D7No8mEFMCcRoQoRTNS7hKqqqKsyY4
hTxMJV9dXox5mIuDY8hLaGY9KuUFIo2AXWnr7lqIBrKGrziVAySuIpKSnzuFvz2z
q2DjPnXrFo/5W2ZVfUk0utCjyJX/NJdizKmW9PdQu4aT2BJdEgjjiW+qzPi20kZy
HgySY8kEFbI8CyM6PqD6Yb5nzA/xR1YAYRQx1pWTrE5Y0B5MTctAaPCIJQoc3nIA
GZ0Ziz0q/PX/x7ug1TnP
=srIH
-END PGP SIGNATURE-



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

2011-04-06 Thread Mark Thomas

CVE-2011-1183 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no login configuration was present in the
web.xml and the web application was marked as meta-data complete.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass

2011-03-15 Thread Mark Thomas

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2011-1088 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.10
- - Earlier versions are not affected

Description:
When a web application was started, @ServletSecurity annotations were
ignored. This meant that some areas of the application may not have been
protected as expected.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat version where this issue is fixed
- - Define security constraints via an alternative mechanism such as web.xml

Credit:
This issue was reported publicly on the Tomcat users mailing list.
The Apache Tomcat security requests that security vulnerability reports
are made privately to secur...@tomcat.apache.org in the first instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNfycmAAoJEBDAHFovYFnn3jgP/0aecIt4uUYHWbmzUPA0FNan
tzjVfPskwPYrSuNbHjHuxPknmxUPSFiCdO3V1LLtnCX2y5+cNancWRjLX7lDbt8H
sL+9AaoI8HDShG1wgYsnh/3fIKczhE28pTtyo0GtG4HpQVLcT/OH2Qhb6+mG3jwo
SCia1eSTJuhj5HM3n2fb5X33n/UEkX/cCALDrt1DRfKV69MaZbMiZh7XfpyVDpdN
LePYIeuOoxg9CVjkDYCVIaK5Bi0uzPD8yCc73dOU3YobgbDDaLSN7Awd1/RhO5TR
fpWVbl0gbmMlPnMy52B9qZL+H9HwcNnYPqbtpquE2a6ik29QT4LMTNo0mr25XxmP
K3Jb7VTcVb/P1pxFOsTyMWy25IFubMEBW4c3kafBZGUI3Q25QmNizBXZ5wvn1vex
kBzDZrnKmkzvhnCy6RnTKk9BYGRWEw9ImTqLOaLxmtXJw9bnWgoeusnje1k/24QI
3+pw/g5OjwG7hqtStrscFeo8tc/snXBojn1d21txsnLggQ0E6+9+vUVym5tBD16I
MfzN7FSd620AFSmVUo5mEfEpDe+RTkA8y/7BnYHoguBQ7WLlxejCgRpaf91vBns6
ZEQGntzx7EW7M+P2GNHy1mrVGTQ7Glk/5tnAFyqgMOHzYyN11Y3OWO1XBv+1um8q
kadENSXz4mY0vKtvaeuT
=i/HJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Security Problem

2011-02-16 Thread jamana ramesh

Hi,

I am new to Tomcat server. I have installed Tomcat 6 and deployed a web
application. This application has to decrypt some files and store in a temp
folder. I have created a folder with name temp' in WEB-INF folder of my
applciation. But When I am running my application, at the time of
decryption, I am getting Access Denied exception. Through Tomcat security
features, I came to know that we need to grant the permission in
catalina.policy in conf folder. Below is the line I have added in it. But
still I am getting the same exception.

grant codeBase http://localhost:8080/lanwan/-; {
  permission java.io.FilePermission C:\\Program Files\\Apache Software
Foundation\\Tomcat 6.0\\webapps\\lanwan\\WEB-INF\\docs\\temp\\-,
read,write,delete;
}

Please help me how to configure this security settings.

Thanks in advance,
Ramesh

Re: Tomcat security problem..please help

2010-12-30 Thread André Warnier


Yaragalla, Muralidhar wrote:

Hi all , I have added security manager in a filter initialization method in my 
webb app. I have deployed webapp in tomcat and when I start tomcat it is 
throwing the following error. Kindly help me in this.
How to avoid this?What should I do in the security policy?


Reading the on-line documentation at

http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html

would be a good first step.

A second one, in your next post, would be to indicate which version of Tomcat you are 
running, on which platform, under which JVM.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat security problem..please help

2010-12-30 Thread Yaragalla, Muralidhar

Thank you so much. I will do that.

Thanks and Regards,
Muralidhar Yaragalla,
Senior Software Specialist,
Patni Computer Systems Ltd,
B-45/B-46, SIPCOT IT Park,
Rajiv Gandhi Salai (IT Highway),
Siruseri,Chennai - 603 103.
Tel: 91 44  4744  x  2224
Link Line: 9 613 4516
Mobile : 9791174806


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, December 30, 2010 3:12 PM
To: Tomcat Users List
Subject: Re: Tomcat security problem..please help

Yaragalla, Muralidhar wrote:
 Hi all , I have added security manager in a filter initialization method in 
 my webb app. I have deployed webapp in tomcat and when I start tomcat it is 
 throwing the following error. Kindly help me in this.
 How to avoid this?What should I do in the security policy?

Reading the on-line documentation at

http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html

would be a good first step.

A second one, in your next post, would be to indicate which version of Tomcat 
you are
running, on which platform, under which JVM.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Information contained and transmitted by this e-mail is confidential and 
proprietary to Patni Computer Systems Ltd and its affiliates (hitherto referred 
as Patni Computers) and is intended for use only by the recipient. If you are 
not the intended recipient , you are hereby notified that any dissemination, 
distribution,  copying or use of this e-mail is strictly prohibited and you are 
requested to delete this e-mail immediately and notify the originator or 
netad...@patni.com. Patni Computers does not enter into any agreement with any 
party by e-mail. Any views expressed by an individual do not necessarily 
reflect the view of Patni Computers. Patni Computers is not responsible for the 
consequences of any actions taken on the basis of information provided, through 
this email. The contents of an attachment to this e-mail may contain software 
viruses, which could damage your own computer system. While Patni Computers has 
taken every reasonable precaution to minimise this risk, we cannot accept 
liability for any damage which you sustain as a result of software viruses. You 
should carry out your own virus checks before opening an attachment. To know 
more about Patni Computers please visit www.patni.com.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat security problem..please help

2010-12-29 Thread Yaragalla, Muralidhar

Hi all , I have added security manager in a filter initialization method in my 
webb app. I have deployed webapp in tomcat and when I start tomcat it is 
throwing the following error. Kindly help me in this.
How to avoid this?What should I do in the security policy?

Dec 30, 2010 11:41:25 AM org.apache.tomcat.util.modeler.Registry 
registerComponent
SEVERE: Error registering 
Catalina:j2eeType=Filter,name=jaas,WebModule=//localhost/cskip,J2EEApplication=none,J2EEServer=none
java.security.AccessControlException: access denied 
(javax.management.MBeanPermission 
org.apache.tomcat.util.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,WebModule=//localhost/cskip,j2eeType=Filter,name=jaas]
 registerMBean)
at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at 
java.security.AccessController.checkPermission(AccessController.java:546)
at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1806)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:309)
at 
com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:482)
at 
org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:806)
at 
org.apache.catalina.core.ApplicationFilterConfig.registerJMX(ApplicationFilterConfig.java:457)
at 
org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:299)
at 
org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:422)
at 
org.apache.catalina.core.ApplicationFilterConfig.init(ApplicationFilterConfig.java:115)
at 
org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4001)
at 
org.apache.catalina.core.StandardContext.start(StandardContext.java:4651)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
at 
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:905)
at 
org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:740)
at 
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:500)
at 
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at 
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at 
org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
at 
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at 
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
at 
org.apache.catalina.core.StandardService.start(StandardService.java:519)
at 
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Dec 30, 2010 11:41:25 AM org.apache.catalina.core.ApplicationFilterConfig 
registerJMX
INFO: JMX registration failed for filter of type 
[com.ge.capital.cskip.jaas.filter.JAASFilter] and name [jaas]
java.security.AccessControlException: access denied 
(javax.management.MBeanPermission 
org.apache.tomcat.util.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,WebModule=//localhost/cskip,j2eeType=Filter,name=jaas]
 registerMBean)
at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at 
java.security.AccessController.checkPermission(AccessController.java:546)
at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1806)
at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:309)
at

Re: Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability

2010-10-30 Thread Pid

On 26/10/2010 03:42, ww...@ogcio.gov.hk wrote:
 
 Dear Sir/Madam,
 
 Recently it has been checked that there is security vulnerability for
 the tomcat (version 5.0.9) shipped with the JBoss 4.0.3SP1.
 
 From the link below, it is recommended to upgrade to 5.5.28.
 
 http://marc.info/?l=tomcat-userm=124449799021571w=2
 
 We have tried to upgrade the some tomcat library for version 5.5.31 by
 following with the steps we found in the web in
 http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html
 
 Yet we have encountered the exception (as attached for your reference).

 Should we upgrade the tomcat only, without upgrading the JBoss AS?

This question is probably better addressed to JBoss support.


p



0x62590808.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability

2010-10-25 Thread wwtfu

Dear Sir/Madam, 

Recently it has been checked that there is security vulnerability for the 
tomcat (version 5.0.9) shipped with the JBoss 4.0.3SP1. 

From the link below, it is recommended to upgrade to 5.5.28. 

http://marc.info/?l=tomcat-userm=124449799021571w=2 

We have tried to upgrade the some tomcat library for version 5.5.31 by 
following with the steps we found in the web in 
http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html 


Yet we have encountered the exception (as attached for your reference). 

Should we upgrade the tomcat only, without upgrading the JBoss AS? 

We would much appreciate it if you could advise you how we could resolve 
the situation,  so as to address the security vulnerability at your 
earliest convenience. 

Thanks for your effort in advance. 

Again, here is our configuration:
JBoss 4.0.3SP1
Tomcat 5.5.9

Many thanks!
Wilson Fu 
HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from 
fulfilling this request.

exception

javax.servlet.ServletException: 
org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)

org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

root cause

java.lang.AbstractMethodError: 
org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
org.apache.jasper.compiler.Parser.parseTaglibDirective(Parser.java:425)
org.apache.jasper.compiler.Parser.parseDirective(Parser.java:499)
org.apache.jasper.compiler.Parser.parseElements(Parser.java:1558)
org.apache.jasper.compiler.Parser.parse(Parser.java:130)

org.apache.jasper.compiler.ParserController.doParse(ParserController.java:245)

org.apache.jasper.compiler.ParserController.parse(ParserController.java:101)
org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:176)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:317)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:298)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)

org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:565)

org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:309)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:308)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)

org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability

2010-10-25 Thread wwtfu

Yes.

Thanks  regards,
Wilson Fu
Tel: 3182 6675





ww...@ogcio.gov.hk 
26.10.2010 10:42
Please respond to
Tomcat Users List users@tomcat.apache.org


To
users@tomcat.apache.org
cc

Subject
Help on upgrade tomcat bundled with JBoss for resolving tomcat security 
issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal 
vulnerability















Dear Sir/Madam, 

Recently it has been checked that there is security vulnerability for the 
tomcat (version 5.0.9) shipped with the JBoss 4.0.3SP1. 

From the link below, it is recommended to upgrade to 5.5.28. 

http://marc.info/?l=tomcat-userm=124449799021571w=2 

We have tried to upgrade the some tomcat library for version 5.5.31 by 
following with the steps we found in the web in 
http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html 


Yet we have encountered the exception (as attached for your reference). 

Should we upgrade the tomcat only, without upgrading the JBoss AS? 

We would much appreciate it if you could advise you how we could resolve 
the situation,  so as to address the security vulnerability at your 
earliest convenience. 

Thanks for your effort in advance. 

Again, here is our configuration: 
JBoss 4.0.3SP1 
Tomcat 5.5.9

Many thanks!
Wilson Fu [attachment error.txt deleted by Wilson WT FU/OGCIO/HKSARG] 
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to reproduce tomcat security vulnerabilities

2010-09-24 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Viola,

On 9/22/2010 11:29 PM, viola lu wrote:
 thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second
 one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:
 tomcat 6.0.26

What is the first one and the second one? The bugs you mentioned in
your first post? Remember, not everyone is thinking what you're
thinking: please be clear when posting.

 suse10sp268:~ # wget -S -O - --post-data='test send post'
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 --07:21:33--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
= `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   *WWW-Authenticate: Basic realm=9.125.1.248:8080*

Good: this reproduces the bug.

 *tomcat 6.0.29:*
 suse10sp268:~ # wget -S -O - --post-data='test send post'
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 --07:24:02--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 = `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   *WWW-Authenticate: Basic realm=Authentication required*

...and this shows that the bug has been fixed: no IP and port.

  But for the first one, both got the same response: 200 OK as below:
 suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported'
 --post-data='test send post'
 http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
 --07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
= `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 200 OK
   Server: Apache-Coyote/1.1
   Content-Type: text/html
   Content-Length: 61
   Date: Thu, 23 Sep 2010 03:09:09 GMT
   Connection: keep-alive
 Length: 61 [text/html]
  0%
 [
 ] 0 --.--K/s unsupported
 application/x-www-form-urlencoded
 9.125.1.248
 100%[=]
 61--.--K/s
 
 07:12:16 (7.27 MB/s) - `-' saved [61/61]
 
 Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something
 wrong?

Maybe this is sensitive to other conditions as well.

On 9/24/2010 12:57 AM, viola lu wrote:
 After debug into tomcat source code, i found that if transfer-encode is set
 as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered
 filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not
 sure attackers how to obtain sensitive information via a crafted header?

When buffers are not recycled properly, information /can/ leak across
requests. This means that, under the right conditions, an attacker
/might/ be able to exploit the server to disclose information.

Just because a vulnerability does not have an exploit doesn't mean it's
not a vulnerability: the possibility exists that information can be
disclosed. It's not absolutely necessary to be able to actually steal
information from a server to be considered a vulnerability.

This one might not be reproducible in any predictable way.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkycrgEACgkQ9CaO5/Lv0PDJMgCfZbZmJQzqGKx8vwQ6m7IGd+HV
OR4AnjjvmJ37pfrQFtii+lUaRPruYaKD
=vKvJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to reproduce tomcat security vulnerabilities

2010-09-24 Thread viola lu

Got it.
Appreciate your clarification, Christopher. I will keep post clear to
understand.:)


On Fri, Sep 24, 2010 at 9:56 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Viola,

 On 9/22/2010 11:29 PM, viola lu wrote:
  thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second
  one, i can get correct response headers on tomcat 6.0.26 and tomcat
 6.0.29:
  tomcat 6.0.26

 What is the first one and the second one? The bugs you mentioned in
 your first post? Remember, not everyone is thinking what you're
 thinking: please be clear when posting.

  suse10sp268:~ # wget -S -O - --post-data='test send post'
  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
  --07:21:33--
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 = `-'
  Connecting to 9.125.1.248:8080... connected.
  HTTP request sent, awaiting response...
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
*WWW-Authenticate: Basic realm=9.125.1.248:8080*

 Good: this reproduces the bug.

  *tomcat 6.0.29:*
  suse10sp268:~ # wget -S -O - --post-data='test send post'
  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
  --07:24:02--
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
  = `-'
  Connecting to 9.125.1.248:8080... connected.
  HTTP request sent, awaiting response...
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
*WWW-Authenticate: Basic realm=Authentication required*

 ...and this shows that the bug has been fixed: no IP and port.

   But for the first one, both got the same response: 200 OK as below:
  suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported'
  --post-data='test send post'
  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
  --07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
 = `-'
  Connecting to 9.125.1.248:8080... connected.
  HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 61
Date: Thu, 23 Sep 2010 03:09:09 GMT
Connection: keep-alive
  Length: 61 [text/html]
   0%
  [
  ] 0 --.--K/s unsupported
  application/x-www-form-urlencoded
  9.125.1.248
 
 100%[=]
  61--.--K/s
 
  07:12:16 (7.27 MB/s) - `-' saved [61/61]
 
  Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there
 something
  wrong?

 Maybe this is sensitive to other conditions as well.

 On 9/24/2010 12:57 AM, viola lu wrote:
  After debug into tomcat source code, i found that if transfer-encode is
 set
  as 'buffered', tomcat 6.0.26 will report null pointer exception in
 buffered
  filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not
  sure attackers how to obtain sensitive information via a crafted header?

 When buffers are not recycled properly, information /can/ leak across
 requests. This means that, under the right conditions, an attacker
 /might/ be able to exploit the server to disclose information.

 Just because a vulnerability does not have an exploit doesn't mean it's
 not a vulnerability: the possibility exists that information can be
 disclosed. It's not absolutely necessary to be able to actually steal
 information from a server to be considered a vulnerability.

 This one might not be reproducible in any predictable way.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAkycrgEACgkQ9CaO5/Lv0PDJMgCfZbZmJQzqGKx8vwQ6m7IGd+HV
 OR4AnjjvmJ37pfrQFtii+lUaRPruYaKD
 =vKvJ
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




-- 
viola

Re: How to reproduce tomcat security vulnerabilities

2010-09-23 Thread viola lu

After debug into tomcat source code, i found that if transfer-encode is set
as 'buffered', tomcat 6.0.26 will report null pointer exception in buffered
filter recycle, but in tomcat 6.0.29 , directly report 501 error. But not
sure attackers how to obtain sensitive information via a crafted header?

On Thu, Sep 23, 2010 at 11:29 AM, viola lu viola...@gmail.com wrote:

 thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second
 one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:
 tomcat 6.0.26
 suse10sp268:~ # wget -S -O - --post-data='test send post'
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 --07:21:33--
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
= `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   *WWW-Authenticate: Basic realm=9.125.1.248:8080*

 *tomcat 6.0.29:*
 suse10sp268:~ # wget -S -O - --post-data='test send post'
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
 --07:24:02--
 http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor   =
 `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 401 Unauthorized
   Server: Apache-Coyote/1.1
   *WWW-Authenticate: Basic realm=Authentication required*

  But for the first one, both got the same repsonse: 200 OK as below:
 suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported'
 --post-data='test send post'
 http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
 --07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
= `-'
 Connecting to 9.125.1.248:8080... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 200 OK
   Server: Apache-Coyote/1.1
   Content-Type: text/html
   Content-Length: 61
   Date: Thu, 23 Sep 2010 03:09:09 GMT
   Connection: keep-alive
 Length: 61 [text/html]
  0%
 [
 ] 0 --.--K/s unsupported

 application/x-www-form-urlencoded
 9.125.1.248
 100%[=]
 61--.--K/s

 07:12:16 (7.27 MB/s) - `-' saved [61/61]

 Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something
 wrong?
 Appreciate if you can provide more help!


 On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Viola,

 On 9/21/2010 10:13 PM, viola lu wrote:
  Here is my client:

 [snip]

 Note that your client can be replaced by this one-liner:

 $ wget -S -O - --header='Transfer-Encoding: unsupported' \
   --post-data='test send post' \
http://localhost:8080/SecurityTomcat/SecurityServlet

 It also has the added advantages of not stripping newlines from the
 response, and including the response headers in the output.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT
 6SgAnAihZq7v3w6icGiPeceYFjnAPN21
 =LoyH
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




 --
 viola




-- 
viola

Re: How to reproduce tomcat security vulnerabilities

2010-09-22 Thread Mark Thomas

On 21/09/2010 19:13, viola lu wrote:
 Can someone give some hints?

Take a look at the security pages.

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to reproduce tomcat security vulnerabilities

2010-09-22 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Viola,

On 9/21/2010 10:13 PM, viola lu wrote:
 Here is my client:

[snip]

Note that your client can be replaced by this one-liner:

$ wget -S -O - --header='Transfer-Encoding: unsupported' \
   --post-data='test send post' \
   http://localhost:8080/SecurityTomcat/SecurityServlet

It also has the added advantages of not stripping newlines from the
response, and including the response headers in the output.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT
6SgAnAihZq7v3w6icGiPeceYFjnAPN21
=LoyH
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to reproduce tomcat security vulnerabilities

2010-09-22 Thread viola lu

thanks. I tried it on tomcat 6.0.26, and 6.0.29, it worked for the second
one, i can get correct response headers on tomcat 6.0.26 and tomcat 6.0.29:
tomcat 6.0.26
suse10sp268:~ # wget -S -O - --post-data='test send post'
http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
--07:21:33--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
   = `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Unauthorized
  Server: Apache-Coyote/1.1
  *WWW-Authenticate: Basic realm=9.125.1.248:8080*

*tomcat 6.0.29:*
suse10sp268:~ # wget -S -O - --post-data='test send post'
http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
--07:24:02--  http://9.125.1.248:8080/BasicAuthor_without_realm/BasicAuthor
= `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Unauthorized
  Server: Apache-Coyote/1.1
  *WWW-Authenticate: Basic realm=Authentication required*

 But for the first one, both got the same repsonse: 200 OK as below:
suse10sp268:~ # wget -S -O - --header='Transfer-Encoding:unsupported'
--post-data='test send post'
http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
--07:12:16--  http://9.125.1.248:8080/SecurityTomcat/SecurityServlet
   = `-'
Connecting to 9.125.1.248:8080... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: text/html
  Content-Length: 61
  Date: Thu, 23 Sep 2010 03:09:09 GMT
  Connection: keep-alive
Length: 61 [text/html]
 0%
[
] 0 --.--K/s unsupported
application/x-www-form-urlencoded
9.125.1.248
100%[=]
61--.--K/s

07:12:16 (7.27 MB/s) - `-' saved [61/61]

Seems no difference on tomcat 6.0.26 and tomcat 6.0.29, is there something
wrong?
Appreciate if you can provide more help!

On Thu, Sep 23, 2010 at 2:25 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Viola,

 On 9/21/2010 10:13 PM, viola lu wrote:
  Here is my client:

 [snip]

 Note that your client can be replaced by this one-liner:

 $ wget -S -O - --header='Transfer-Encoding: unsupported' \
   --post-data='test send post' \
http://localhost:8080/SecurityTomcat/SecurityServlet

 It also has the added advantages of not stripping newlines from the
 response, and including the response headers in the output.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAkyaShYACgkQ9CaO5/Lv0PBzFgCeMVSEXNtPhBFe0ae+M3Ip0aOT
 6SgAnAihZq7v3w6icGiPeceYFjnAPN21
 =LoyH
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




-- 
viola

How to reproduce tomcat security vulnerabilities

2010-09-21 Thread viola lu

Hi,
From tomcat 6.0.28 fix list:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28,
there are two security vulnerabilities fixed, but i have no idea how to
trigger these flaws in tomcat 6.0.27 and what's the failure should be after
several trial
for example the first one:*Remote Denial Of Service and Information
Disclosure Vulnerability
I created a client sending a POST request whose Transfer-encoding is
unsupported to a servlet,  the servlet will return
Server returned HTTP response code: 501, is this the failure symptom?Here
is my client:
URL url = new URL(http://localhost:8080/SecurityTomcat/SecurityServlet;);
URLConnection connection = url.openConnection();
((HttpURLConnection) connection).setRequestMethod(POST);
connection.setDoOutput(true);
connection.setDoInput(true); // Only if you expect to read a
response...
connection.setUseCaches(false); // Highly recommended...
connection.setRequestProperty(Content-Type,
application/x-www-form-urlencoded);
//connection.setRequestProperty(Transfer-Encoding,
unsupported);
connection.setRequestProperty(Transfer-Encoding,
unsupported);
PrintWriter output;
output = new PrintWriter(new
OutputStreamWriter(connection.getOutputStream()));

output.write(test send post);
   // output.write(request);
output.flush();
BufferedReader reader = new BufferedReader(new
InputStreamReader(connection.getInputStream()));

StringBuilder sb = new StringBuilder();
String line = reader.readLine();
while (line!=null  line.length()  0) {
sb.append(line);
line = reader.readLine();
}
System.out.println(sb.toString());
output.close();
reader.close();

} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (ProtocolException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

The second one,**Information disclosure in authentication headers,** in my
opinion,  this is reproduced by sending an unauthorized request, and then
401 status code returns,  if i can catch *WWW-Authenticate http header
content, server hostname will be printed out, am i right?
Can someone give some hints? Thanks in advance!*


*
-- 
viola

Re: Tomcat Security

2010-02-05 Thread Bill Barker




ronald.wagen...@quicknet.nl wrote in message 
news:fb91a4c0c0682.4b6a8...@quicknet.nl...
We are running a few web applications on Tomcat 6 on a Windows Server 2003 
system in a Windows 2003 Active Directory Forest.

How to make the Tomcat environment secure (hardening)?

I read about security manager, but how to add the web applications in the 
cataline.policy?

Is it possible to use Windows Authentication?
Are there more possibilities?

If they are your apps, then a security manager just adds overhead in 
production (although it's not a bad idea to run it in development).  After 
all, you can just fire the developer that inserted a back door into the app 
;).






Ronald 




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Security

2010-02-03 Thread ronald . wagenaar

We are running a few web applications on Tomcat 6 on a Windows Server 2003 
system in a Windows 2003 Active Directory Forest.
How to make the Tomcat environment secure (hardening)?

I read about security manager, but how to add the web applications in the 
cataline.policy?
Is it possible to use Windows Authentication?
Are there more possibilities? 


Ronald 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Security and Struts

Tomcat 6Struts 1.3
OS: MacOS X - Leopard

Hi,

I am trying to make sure my app requires a login. So I configured the
following in my deployment descriptor:

 security-constraint

   web-resource-collection

   web-resource-nameadmin/web-resource-name

   url-pattern*.do/url-pattern

   http-methodPOST/http-method

   /web-resource-collection



   auth-constraint

   role-namemember/role-name

   /auth-constraint



   user-data-constraint

   transport-guaranteeCONFIDENTIAL/transport-guarantee

   /user-data-constraint

  /security-constraint



  login-config

   auth-methodFORM/auth-method

   form-login-config

   form-login-page/WEB-INF/JSP/login.jsp/form-login-page

   form-error-page/WEB-INF/JSP/loginError.jsp/form-error-page

   /form-login-config

  /login-config


However, when I follow the links in my app the login page doesn't come in.


Any ideas as to what I am doing wrong?


Thanks.

Re: Tomcat Security and Struts

2009-04-22 Thread Mikolaj Rydzewski


Mighty Tornado wrote:

   http-methodPOST/http-method
  
Why do you want to restrict access only to requests with POST method? I 
usually do not use http-method element.

   form-login-page/WEB-INF/JSP/login.jsp/form-login-page
  
I'm not sure if login page will work if it is located under WEB-INF 
directory.


--
Mikolaj Rydzewski m...@ceti.pl


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

2009-04-22 Thread Mark Thomas

Mighty Tornado wrote:
 Tomcat 6Struts 1.3
 OS: MacOS X - Leopard
 
 Hi,
 
 I am trying to make sure my app requires a login. So I configured the
url-pattern*.do/url-pattern
url-pattern/*/url-pattern will protect everything.

http-methodPOST/http-method
This only protects the POST method. GETs will not be restricted. I'd
remove this line.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Security and Struts

 From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
 Subject: Tomcat Security and Struts

 I am trying to make sure my app requires a login. So I configured the
 following in my deployment descriptor:

  security-constraint
web-resource-collection
web-resource-nameadmin/web-resource-name
url-pattern*.do/url-pattern
http-methodPOST/http-method
/web-resource-collection
auth-constraint
role-namemember/role-name
/auth-constraint
user-data-constraint
transport-guaranteeCONFIDENTIAL/transport-guarantee
/user-data-constraint
   /security-constraint
   login-config
auth-methodFORM/auth-method
form-login-config
form-login-page/WEB-INF/JSP/login.jsp/form-login-page
form-error-page/WEB-INF/JSP/loginError.jsp/form-error-page
/form-login-config
   /login-config

Where is your security-role section?

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

You are right:
I just fixed this mistake - added

security-role

  role-namemember/role-name

  /security-role


into my web.xml


However, when I try to access my URL the browser gives me the following
message:


Data Transfer Interrupted

On Wed, Apr 22, 2009 at 10:26 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Mighty Tornado [mailto:mighty.torn...@gmail.com]
  Subject: Tomcat Security and Struts
 
  I am trying to make sure my app requires a login. So I configured the
  following in my deployment descriptor:
 
   security-constraint
 web-resource-collection
 web-resource-nameadmin/web-resource-name
 url-pattern*.do/url-pattern
 http-methodPOST/http-method
 /web-resource-collection
 auth-constraint
 role-namemember/role-name
 /auth-constraint
 user-data-constraint
 transport-guaranteeCONFIDENTIAL/transport-guarantee
 /user-data-constraint
/security-constraint
login-config
 auth-methodFORM/auth-method
 form-login-config
 form-login-page/WEB-INF/JSP/login.jsp/form-login-page
 form-error-page/WEB-INF/JSP/loginError.jsp/form-error-page
 /form-login-config
/login-config

 Where is your security-role section?

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you received
 this in error, please contact the sender and delete the e-mail and its
 attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

2009-04-22 Thread Mikolaj Rydzewski


Mark Thomas wrote:

url-pattern/*/url-pattern will protect everything.
  
If  your login page uses any external assets (images, stylesheets, etc), 
it will become corrupted (assets won't load).


--
Mikolaj Rydzewski m...@ceti.pl


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

2009-04-22 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mikolaj,

On 4/22/2009 9:58 AM, Mikolaj Rydzewski wrote:
 Mighty Tornado wrote:
 I'm not sure if login page will work if it is located under WEB-INF
 directory.

Of course it will. There's nothing special about the WEB-INF directory
that would prevent it from working.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAknvQKEACgkQ9CaO5/Lv0PCZ+ACgibpOwt8pKTsKZ0uVIqcRA3O+
yVAAn0BoEp255y/eXE3owWSWNRhs/s52
=Er+e
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Security and Struts

 From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
 Subject: Re: Tomcat Security and Struts

 Mark Thomas wrote:
  url-pattern/*/url-pattern will protect everything.

 If  your login page uses any external assets (images, stylesheets,
 etc), it will become corrupted (assets won't load).

Care to explain that?  The above construct seems to work fine for our static 
resources.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

2009-04-22 Thread André Warnier

Caldarale, Charles R wrote:

From: Mikolaj Rydzewski [mailto:m...@ceti.pl]
Subject: Re: Tomcat Security and Struts

Mark Thomas wrote:

url-pattern/*/url-pattern will protect everything.

If  your login page uses any external assets (images, stylesheets,
etc), it will become corrupted (assets won't load).

Care to explain that?  The above construct seems to work fine for our static 
resources.

Maybe this : if the login page itself contains a link to a gif located 
in the same area, trying to load that gif will also hit the 
authentication bit, and trigger another login page, before the first 
even finishes displaying ?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Security and Struts

 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Tomcat Security and Struts

 Maybe this : if the login page itself contains a link to a gif located
 in the same area, trying to load that gif will also hit the
 authentication bit, and trigger another login page, before the first
 even finishes displaying ?

Of course; I was thinking basic authentication, not form.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

I think the following might be a problem. When I access the application I
get this error in the browser:Firefox can't establish a connection to the
server at localhost:8443

But Tomcat is supposed to listen on port 8080 - and it has been for my app,
until I put in the security feature.

any way around this?

On Wed, Apr 22, 2009 at 1:05 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: André Warnier [mailto:a...@ice-sa.com]
  Subject: Re: Tomcat Security and Struts
 
  Maybe this : if the login page itself contains a link to a gif located
  in the same area, trying to load that gif will also hit the
  authentication bit, and trigger another login page, before the first
  even finishes displaying ?

 Of course; I was thinking basic authentication, not form.

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you received
 this in error, please contact the sender and delete the e-mail and its
 attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

2009-04-22 Thread Hassan Schroeder

On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
mighty.torn...@gmail.com wrote:
 I think the following might be a problem. When I access the application I
 get this error in the browser:Firefox can't establish a connection to the
 server at localhost:8443

 But Tomcat is supposed to listen on port 8080 - and it has been for my app,
 until I put in the security feature.

 any way around this?

Er, way around? You're *telling* it to use an SSL connection:

  user-data-constraint
  transport-guaranteeCONFIDENTIAL/transport-guarantee
  /user-data-constraint

If you don't want it to, don't do that. Pretty simple, really.  :-)

-- 
Hassan Schroeder  hassan.schroe...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Security and Struts

How can I make the request to port 8443 actually succeed?

On Wed, Apr 22, 2009 at 2:40 PM, Hassan Schroeder 
hassan.schroe...@gmail.com wrote:

 On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
 mighty.torn...@gmail.com wrote:
  I think the following might be a problem. When I access the application I
  get this error in the browser:Firefox can't establish a connection to the
  server at localhost:8443
 
  But Tomcat is supposed to listen on port 8080 - and it has been for my
 app,
  until I put in the security feature.
 
  any way around this?

 Er, way around? You're *telling* it to use an SSL connection:

  user-data-constraint
  transport-guaranteeCONFIDENTIAL/transport-guarantee
  /user-data-constraint

 If you don't want it to, don't do that. Pretty simple, really.  :-)

 --
 Hassan Schroeder  hassan.schroe...@gmail.com

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Security and Struts