Re: Security Questions Regarding Tomcat

Please respond to Tomcat Users List tomcat-user@jakarta.apache.org To Tomcat Users List tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat This sounds really fishy. Tomcat does not by default have any connectors configured for port 80. There must be another

Re: Security Questions Regarding Tomcat

tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat This sounds really fishy. Tomcat does not by default have any connectors configured for port 80. There must be another service or you've modified your server.xml somehow. --David Robert V. Coward/CTR/OSAGWI wrote

Re: Security Questions Regarding Tomcat

tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat But it's also commented out and not active. It's there as an example of a proxied port if you happen to be using Apache and mod_rewrite as a front end to tomcat. --David Robert V. Coward/CTR/OSAGWI wrote: Hmmm

Re: Security Questions Regarding Tomcat

Robert V. Coward/CTR/OSAGWI wrote: Hmmm. Well take a look at this entry from the server.xml file: !-- Define a Proxied HTTP/1.1 Connector on port 8082 -- !-- See proxy documentation for more information about using this. -- !-- Connector port=8082 maxThreads=150

Re: Security Questions Regarding Tomcat

Users List tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat Robert V. Coward/CTR/OSAGWI wrote: Hmmm. Well take a look at this entry from the server.xml file: !-- Define a Proxied HTTP/1.1 Connector on port 8082 -- !-- See proxy documentation

Re: Security Questions Regarding Tomcat

Robert V. Coward/CTR/OSAGWI wrote: Understood. But I do not want to use Tomcat proxying services. I just want to host 8080 locally and let my ipfilter firewall block and proxy for me. Then the default Tomcat configuration of listening on port 8080 is just what you need. I highly recommend

Re: Security Questions Regarding Tomcat

To Tomcat Users List tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat Robert V. Coward/CTR/OSAGWI wrote: Understood. But I do not want to use Tomcat proxying services. I just want to host 8080 locally and let my ipfilter firewall block and proxy for me

Re: Security Questions Regarding Tomcat

PROTECTED] 08/15/2005 10:30 AM Please respond to Tomcat Users List tomcat-user@jakarta.apache.org To Tomcat Users List tomcat-user@jakarta.apache.org cc Subject Re: Security Questions Regarding Tomcat Robert V. Coward/CTR/OSAGWI wrote: Understood. But I do not want to use Tomcat proxying

Re: Security Questions Regarding Tomcat

cc Subject Re: Security Questions Regarding Tomcat Regardless of what you put up in front of tomcat to act as the proxy host, you'll most likely need the proxyPort and proxyName attributes in your connector so tomcat can write urls correctly as needed (like in sending external redirects). I

RE: Security Questions Regarding Tomcat

-Original Message- From: Alon Belman [mailto:[EMAIL PROTECTED] Sent: Thursday, August 11, 2005 4:20 PM To: Tomcat Users List Subject: Re: Security Questions Regarding Tomcat copied share to meb/robo laters! On 8/11/05, LFM [EMAIL PROTECTED] wrote: Tim, Thanks for the reply, but I can't get

Re: Security Questions Regarding Tomcat

Harrell, Ralph wrote: I would like to be able to start TOMCAT as a non-root user but am unable to as we are running SSL and use port 443 and non-root users do not have the permission to use ports under 1000. ...not in Linux and some (all?) Unix variants, anyway. (FWIW I think this

Re: Security Questions Regarding Tomcat

Alon Belman [EMAIL PROTECTED] Subject Re: Security Questions Regarding Tomcat Harrell, Ralph wrote: I would like to be able to start TOMCAT as a non-root user but am unable to as we are running SSL and use port 443 and non-root users do not have the permission to use ports under 1000

Re: Security Questions Regarding Tomcat

Robert V. Coward/CTR/OSAGWI wrote: Apparently T5 comes with a port 80 proxy server a special servlet container or something. Basically I have ipfilter running and only allow access to port 8080, but if you send a request to 80 tTomcat picks up and does some sort of internal redirect to port

Re: Security Questions Regarding Tomcat

ports under 1000. Ralph B. Harrell UNC Charlotte Manager, Oracle Database Administration [EMAIL PROTECTED] (704) 687-2951 -Original Message- From: Alon Belman [mailto:[EMAIL PROTECTED] Sent: Thursday, August 11, 2005 4:20 PM To: Tomcat Users List Subject: Re: Security Questions Regarding

Re: Security Questions Regarding Tomcat

port 8080 access to the web. Thanks Paul Singleton [EMAIL PROTECTED] 08/12/2005 10:08 AM Please respond to Tomcat Users List tomcat-user@jakarta.apache.org To Tomcat Users List tomcat-user@jakarta.apache.org cc Alon Belman [EMAIL PROTECTED] Subject Re: Security Questions Regarding Tomcat

Re: Security Questions Regarding Tomcat

I don't know -- I can see some value to the root only ports below 1024. It prevents non-privileged users from stealing trusted service ports in a mainframe environment -- not that that's a reality anymore. The best way to handle this in a production environment is to use the commons-daemon

Re: Security Questions Regarding Tomcat

Tim, list: Where can I find documentation regarding limting HTTP methods using security-constraints? All I was able to do was requiere authentication in order to use some HTTP methods but I would like to limit them like it can be donde with the directive Limit in Apache. I will also appreciate

Re: Security Questions Regarding Tomcat

Leandro Meiners wrote: Where can I find documentation regarding limting HTTP methods using security-constraints? The Security section of the Servlet 2.4 Spec (SRV.12) has some good examples -- highly recommended :-) FWIW! -- Hassan Schroeder - [EMAIL PROTECTED]

Security Questions Regarding Tomcat

Hi! I'm hardening a Web Server running Tomcat for a client, but I'm having difficulty in finding information on how to accomplish the following tasks (bored of googling so I decided to ask here): 1. Remove/modify the banner presented by the coyote connector on the server header of an http reply.

Re: Security Questions Regarding Tomcat

The Server header can be configured in the Connector declaration. server='Sun Solaris IIS/6.0' To limit the HTTP methods this can be done a few ways; 1) Use a servlet filter 2) Use web.xml and security constraints on those method types 3) ??? -Tim LFM wrote: Hi! I'm hardening a Web Server

Re: Security Questions Regarding Tomcat

Tim, Thanks for the reply, but I can't get in working: In conf/server.xml I added server=TEST, as shown: !-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -- Connector className=org.apache.coyote.tomcat4.CoyoteConnector port=8180 minProcessors=5 maxProcessors=75 enableLookups=true

Re: Security Questions Regarding Tomcat

copied share to meb/robo laters! On 8/11/05, LFM [EMAIL PROTECTED] wrote: Tim, Thanks for the reply, but I can't get in working: In conf/server.xml I added server=TEST, as shown: !-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -- Connector

Re: Security Questions Regarding Tomcat

Setting the server header is a tomcat 5.5 feature. -Tim LFM wrote: Tim, Thanks for the reply, but I can't get in working: In conf/server.xml I added server=TEST, as shown: !-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -- Connector

Security Questions

Hello; When creating a realm does the table name have to be 'user'? Realm className=org.apache.catalina.realm.JDBCRealm debug=99 driverName=org.gjt.mm.mysql.Driver connectionURL=jdbc:mysql://localhost/tomcatusers?user=dbUseramp;password=d bUser userTable=tomcatusers

session security questions?

Hi, all I am running tomcat as application server and using session to store objects which will determine what dynamic content will be displayed. It's typical, but I have the following question: 1. Where is the session variable stored? server side or client cookie? 2. If variables stored in

RE: session security questions?

PROTECTED] Subject: session security questions? Hi, all I am running tomcat as application server and using session to store objects which will determine what dynamic content will be displayed. It's typical, but I have the following question: 1. Where is the session variable stored? server side

Re: session security questions?

Andreas, 1. Where is the session variable stored? server side or client cookie? However, the sessionid is passed back and forth between the server and the client, of course. But that should not be a problem, because of the (pseudo) random and quite complex nature of sessionids it would be hard

RE: session security questions?

-Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Thursday, November 13, 2003 2:16 PM To: Tomcat Users List Subject: Re: session security questions? Andreas, 1. Where is the session variable stored? server side or client cookie? However, the sessionid is passed back

Re: security questions on header information

-- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]

security questions on header information

Hi First off all I would like to know how can i find out what information Tomcat sends back in its header response when quized? Second question can I control the header response? Thirdlly can one set the response so that it only gives the server name and nothing else ? Finally from a

Re: Fw: Tomcat security questions

On Thu, Sep 20, 2001 at 02:27:33PM -0500, Jonathan Eric Miller wrote: I'm wondering if anyone has any suggestions on how to best setup Tomcat for maximum security? Against what threat? Are you worried about: - DoS attacks - Attacks exploiting weaknesses in Tomcat itself (eg directory

Fw: Tomcat security questions

For some reason this didn't seem to go through the first time... Jon - Original Message - From: Jonathan Eric Miller [EMAIL PROTECTED] To: Tomcat User List [EMAIL PROTECTED] Sent: Wednesday, September 19, 2001 10:11 PM Subject: Tomcat security questions I'm wondering if anyone has

Tomcat security questions

I'm wondering if anyone has any suggestions on how to best setup Tomcat for maximum security? Currently, I'm running Tomcat in a chrooted environment. I see that there is also a way to run Tomcat as a non-root user. I'm wondering what the best configuration is. It seems like running it chrooted

RE: Security questions

What is the default password for the admin context? It's in tomcat/conf/tomcat-users.xml . where can I find documentation on implementing security with tomcat? Start with the servlet specification at http://java.sun.com/products/servlet/ . You could also look at JDBCRealm (sources and

RE: Security questions

Thanks very much. -Original Message- From: William Kaufman [mailto:[EMAIL PROTECTED]] Sent: Monday, July 30, 2001 5:00 PM To: '[EMAIL PROTECTED]' Subject: RE: Security questions What is the default password for the admin context? It's in tomcat/conf/tomcat-users.xml . where can I

Security Questions

Hi! I have Tomcat setup, actually running with JBoss, and I am looking at security. I can setup an application with a login-conf in web.xml, but I cannot see who or what handles that. Is it Tomcat directly, or some loaded subsystem? In detail: In my server.xml file I have thefollowing:

RE: Security Questions

I don't seem to have a simple xml file, should I? You do: it's named $TOMCAT_HOME/conf/tomcat-users.xml . -- Bill K. -Original Message-From: Gerry Duhig [mailto:[EMAIL PROTECTED]]Sent: Wednesday, May 30, 2001 4:00 AMTo: [EMAIL PROTECTED]Subject: Security Questions Hi!