Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org
To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
This sounds really fishy. Tomcat does not by default have any
connectors configured for port 80. There must be another
tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
This sounds really fishy. Tomcat does not by default have any
connectors configured for port 80. There must be another service or
you've modified your server.xml somehow.
--David
Robert V. Coward/CTR/OSAGWI wrote
tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
But it's also commented out and not active. It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.
--David
Robert V. Coward/CTR/OSAGWI wrote:
Hmmm
Robert V. Coward/CTR/OSAGWI wrote:
Hmmm. Well take a look at this entry from the server.xml file:
!-- Define a Proxied HTTP/1.1 Connector on port 8082 --
!-- See proxy documentation for more information about using this.
--
!--
Connector port=8082
maxThreads=150
Users List tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:
Hmmm. Well take a look at this entry from the server.xml file:
!-- Define a Proxied HTTP/1.1 Connector on port 8082 --
!-- See proxy documentation
Robert V. Coward/CTR/OSAGWI wrote:
Understood. But I do not want to use Tomcat proxying services. I just want
to host 8080 locally and let my ipfilter firewall block and proxy for me.
Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend
To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:
Understood. But I do not want to use Tomcat proxying services. I just
want
to host 8080 locally and let my ipfilter firewall block and proxy for
me
PROTECTED]
08/15/2005 10:30 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org
To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Subject
Re: Security Questions Regarding Tomcat
Robert V. Coward/CTR/OSAGWI wrote:
Understood. But I do not want to use Tomcat proxying
cc
Subject
Re: Security Questions Regarding Tomcat
Regardless of what you put up in front of tomcat to act as the proxy
host, you'll most likely need the proxyPort and proxyName attributes in
your connector so tomcat can write urls correctly as needed (like in
sending external redirects). I
-Original Message-
From: Alon Belman [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding Tomcat
copied share to meb/robo
laters!
On 8/11/05, LFM [EMAIL PROTECTED] wrote:
Tim,
Thanks for the reply, but I can't get
Harrell, Ralph wrote:
I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.
...not in Linux and some (all?) Unix variants, anyway.
(FWIW I think this
Alon Belman [EMAIL PROTECTED]
Subject
Re: Security Questions Regarding Tomcat
Harrell, Ralph wrote:
I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000
Robert V. Coward/CTR/OSAGWI wrote:
Apparently T5 comes with a port 80 proxy server a special servlet
container or something. Basically I have ipfilter running and only allow
access to port 8080, but if you send a request to 80 tTomcat picks up and
does some sort of internal redirect to port
ports under 1000.
Ralph B. Harrell
UNC Charlotte
Manager, Oracle Database Administration
[EMAIL PROTECTED]
(704) 687-2951
-Original Message-
From: Alon Belman [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding
port 8080 access to
the web.
Thanks
Paul Singleton [EMAIL PROTECTED]
08/12/2005 10:08 AM
Please respond to
Tomcat Users List tomcat-user@jakarta.apache.org
To
Tomcat Users List tomcat-user@jakarta.apache.org
cc
Alon Belman [EMAIL PROTECTED]
Subject
Re: Security Questions Regarding Tomcat
I don't know -- I can see some value to the root only ports below 1024.
It prevents non-privileged users from stealing trusted service ports in
a mainframe environment -- not that that's a reality anymore. The best
way to handle this in a production environment is to use the
commons-daemon
Tim, list:
Where can I find documentation regarding limting HTTP methods using
security-constraints?
All I was able to do was requiere authentication in order to use some HTTP
methods but I would like to limit them like it can be donde with the
directive Limit in Apache.
I will also appreciate
Leandro Meiners wrote:
Where can I find documentation regarding limting HTTP methods using
security-constraints?
The Security section of the Servlet 2.4 Spec (SRV.12) has some good
examples -- highly recommended :-)
FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Hi!
I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the coyote connector on the
server header of an http reply.
The Server header can be configured in the Connector declaration.
server='Sun Solaris IIS/6.0'
To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???
-Tim
LFM wrote:
Hi!
I'm hardening a Web Server
Tim,
Thanks for the reply, but I can't get in working:
In conf/server.xml I added server=TEST, as shown:
!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 --
Connector className=org.apache.coyote.tomcat4.CoyoteConnector
port=8180 minProcessors=5 maxProcessors=75
enableLookups=true
copied share to meb/robo
laters!
On 8/11/05, LFM [EMAIL PROTECTED] wrote:
Tim,
Thanks for the reply, but I can't get in working:
In conf/server.xml I added server=TEST, as shown:
!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 --
Connector
Setting the server header is a tomcat 5.5 feature.
-Tim
LFM wrote:
Tim,
Thanks for the reply, but I can't get in working:
In conf/server.xml I added server=TEST, as shown:
!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 --
Connector
Hello;
When creating a realm does the table name have to be 'user'?
Realm className=org.apache.catalina.realm.JDBCRealm debug=99
driverName=org.gjt.mm.mysql.Driver
connectionURL=jdbc:mysql://localhost/tomcatusers?user=dbUseramp;password=d
bUser
userTable=tomcatusers
Hi, all
I am running tomcat as application server and using
session to store objects which will determine what
dynamic content will be displayed. It's typical, but I
have the following question:
1. Where is the session variable stored? server side
or client cookie?
2. If variables stored in
PROTECTED]
Subject: session security questions?
Hi, all
I am running tomcat as application server and using
session to store objects which will determine what
dynamic content will be displayed. It's typical, but I
have the following question:
1. Where is the session variable stored? server side
Andreas,
1. Where is the session variable stored? server side or client
cookie?
However,
the sessionid is passed back and forth between the server and the
client, of course. But that should not be a problem, because of the
(pseudo) random and quite complex nature of sessionids it would be
hard
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 2:16 PM
To: Tomcat Users List
Subject: Re: session security questions?
Andreas,
1. Where is the session variable stored? server side or client
cookie?
However,
the sessionid is passed back
--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Hi
First off all I would like to know how can i find out what information Tomcat
sends back in its header response when quized?
Second question can I control the header response?
Thirdlly can one set the response so that it only gives the server name and
nothing else ?
Finally from a
On Thu, Sep 20, 2001 at 02:27:33PM -0500, Jonathan Eric Miller wrote:
I'm wondering if anyone has any suggestions on how to best setup Tomcat for
maximum security?
Against what threat? Are you worried about:
- DoS attacks
- Attacks exploiting weaknesses in Tomcat itself (eg directory
For some reason this didn't seem to go through the first time...
Jon
- Original Message -
From: Jonathan Eric Miller [EMAIL PROTECTED]
To: Tomcat User List [EMAIL PROTECTED]
Sent: Wednesday, September 19, 2001 10:11 PM
Subject: Tomcat security questions
I'm wondering if anyone has
I'm wondering if anyone has any suggestions on how to best setup Tomcat for
maximum security? Currently, I'm running Tomcat in a chrooted environment.
I see that there is also a way to run Tomcat as a non-root user. I'm
wondering what the best configuration is.
It seems like running it chrooted
What is the default password for the admin context?
It's in tomcat/conf/tomcat-users.xml .
where can I find documentation on implementing security with tomcat?
Start with the servlet specification at
http://java.sun.com/products/servlet/ . You could also look at JDBCRealm
(sources and
Thanks very much.
-Original Message-
From: William Kaufman [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 30, 2001 5:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Security questions
What is the default password for the admin context?
It's in tomcat/conf/tomcat-users.xml .
where can I
Hi!
I have Tomcat setup, actually running with JBoss,
and I am looking at security.
I can setup an application with a login-conf in
web.xml, but I cannot see who or what handles that. Is it Tomcat directly, or
some loaded subsystem?
In detail: In my server.xml file I have
thefollowing:
I
don't seem to have a simple xml file, should I?
You
do: it's named $TOMCAT_HOME/conf/tomcat-users.xml
.
-- Bill K.
-Original Message-From: Gerry Duhig
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, May 30, 2001
4:00 AMTo: [EMAIL PROTECTED]Subject:
Security Questions
Hi!
37 matches
Mail list logo