Re: Clusters - Disabling or restricting autodiscovery via multicast (security question)

2005-08-14 Thread Peter Rossbach

OK, this is correct! Sorry, but I also think that we must
have a secretKey and a restricted IP list to register inside the cluster. I
want to implement this inside the next release. But currently the cluster
messages are not encrypted, and when clients can connect to your network
you are in trouble. At secure production sites the replication and
membership traffic is sent over separate network cards and switches.

Thanks
Peter

ryan boyd schrieb:


When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will do a
unicast connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session data
to it.

If this is incorrect, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery
altogether?

Thanks,

Ryan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
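The scenario Ryan describes and the mitigation Peter mentions, modelled as an added example. This is Python written for this page, not Tomcat code; the node names, addresses and session id are constructed, and the admit() policy (an allowed-networks list plus an optional shared secret) is an assumption standing in for the secretKey and restricted IP list Peter refers to. It shows why filtering inbound connections on the real nodes does not help: they are the ones connecting out to whatever address the rogue announced.

```python
"""Toy model of multicast membership and unicast session push (added example).

Not Tomcat code. Every member that hears an announcement adds the sender to its
membership table and later opens a unicast connection to the sender's advertised
address to push replicated sessions, so an inbound firewall on the real nodes
never sees that connection. The admit() check is the mitigation: a restricted
IP list and, optionally, a shared secret, as Peter's reply suggests.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Announcement:
    """One multicast heartbeat carrying the sender's replication endpoint."""
    host: str
    port: int
    secret: Optional[str] = None  # pre-shared key; None models a legacy node


@dataclass
class Node:
    name: str
    host: str
    port: int
    allowed_networks: List[str] = field(default_factory=list)  # empty = trust anyone
    secret: Optional[str] = None
    members: Dict[Tuple[str, int], Announcement] = field(default_factory=dict)
    pushes: List[Tuple[str, int, str]] = field(default_factory=list)  # (host, port, session)

    def announce(self) -> Announcement:
        return Announcement(self.host, self.port, self.secret)

    def admit(self, ann: Announcement) -> bool:
        """Decide whether an announcer becomes a member."""
        if (ann.host, ann.port) == (self.host, self.port):
            return False  # our own heartbeat
        if self.secret is not None and ann.secret != self.secret:
            return False  # wrong or missing shared secret
        if self.allowed_networks:
            addr = ip_address(ann.host)
            if not any(addr in ip_network(n) for n in self.allowed_networks):
                return False  # announcer outside the permitted networks
        self.members[(ann.host, ann.port)] = ann
        return True

    def replicate(self, session_id: str) -> None:
        """Unicast the session change to every current member."""
        for host, port in self.members:
            self.pushes.append((host, port, session_id))


def run_cluster(nodes: List[Node], announcements: List[Announcement],
                session_id: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Deliver every announcement to every node, replicate once, report the pushes."""
    for node in nodes:
        for ann in announcements:
            node.admit(ann)
        node.replicate(session_id)
    return {node.name: list(node.pushes) for node in nodes}


def rogue_receives(pushes: Dict[str, List[Tuple[str, int, str]]], rogue_host: str) -> bool:
    """True if any node pushed session data to the rogue's address."""
    return any(host == rogue_host for plist in pushes.values() for host, _, _ in plist)


def demo(with_allow_list: bool) -> bool:
    """Constructed scenario: two real nodes on 10.0.1.0/24, one rogue on another subnet."""
    allowed = ["10.0.1.0/24"] if with_allow_list else []
    a = Node("tomcat-a", "10.0.1.10", 4001, allowed)
    b = Node("tomcat-b", "10.0.1.11", 4001, allowed)
    rogue = Announcement("192.168.77.5", 4001)  # attacker joined the multicast group
    pushes = run_cluster([a, b], [a.announce(), b.announce(), rogue], "sess-constructed-1")
    return rogue_receives(pushes, "192.168.77.5")


if __name__ == "__main__":
    print("rogue gets session data, no allow-list:", demo(False))  # True
    print("rogue gets session data, allow-list:   ", demo(True))   # False
```

The allow-list only helps if the rogue cannot also spoof a source address inside the permitted range, which is why Peter's remark about separate NICs and switches for replication traffic is the stronger control; the shared secret adds a check that does not depend on the network at all.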

Clusters - Disabling or restricting autodiscovery via multicast (security question)

2005-08-13 Thread ryan boyd
When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will do a
unicast connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session data
to it.

If this is incorrect, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery
altogether?

Thanks,

Ryan




Clusters - Disabling or restricting autodiscovery (security question)

2005-07-13 Thread ryan boyd
When using tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will
connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session
data to it.

If this isn't correct, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery altogether?

Thanks,

Ryan




Security Question

2005-02-24 Thread Paulo César M. Jeveaux
Hi

  I am using separate contexts in Tomcat 5.0, creating an XML file in
CATALINA_HOME/conf/Catalina/localhost, and in this context I need to
forbid some IPs, but when I use this file and deploy, Tomcat does not
load the Struts modules or the Tiles plugin. Does somebody know another
way to do this?

  My context file is thus:

<Context path="/system" docBase="${catalina.home}/webapps/system"
         debug="0" privileged="true">

  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="172.17.*"/>

</Context>

  Regards

-- 
/**
* @author Paulo César M. Jeveaux
* Java Consultant
* @version 21.0
* http://www.portaljava.com
* @deprecated
*/

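The allow attribute of Tomcat's RemoteAddrValve is a comma-separated list of regular expressions, so 172.17.* is a regex, not a wildcard: the unescaped dot matches any character and .* matches anything, which admits 172.170.x.x through 172.179.x.x as well as the intended 172.17.x.x. The Python below is an added example, not Tomcat code, with constructed addresses; it shows the pattern's over-match beside a CIDR check, and adds the reverse-proxy caveat that behind an HTTP reverse proxy the address such a valve sees is the proxy's, so X-Forwarded-For must only be believed when it comes from a known proxy.

```python
"""IP allow-listing: regex patterns versus CIDR networks (added example, not Tomcat code)."""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


def regex_allowed(remote_addr: str, patterns: Iterable[str], anchored: bool = True) -> bool:
    """Allow if any pattern matches the address string, regex-style.

    Models an allow attribute such as allow="172.17.*". With anchored=True the
    whole address must match; anchored=False models an engine that accepts a
    match anywhere in the string, which is looser still.
    """
    for pat in patterns:
        matched = re.fullmatch(pat, remote_addr) if anchored else re.search(pat, remote_addr)
        if matched:
            return True
    return False


def cidr_allowed(remote_addr: str, networks: Iterable[str]) -> bool:
    """Allow only if the address parses and lies inside one of the networks."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False  # anything that is not an address is never allowed
    return any(addr in ip_network(net) for net in networks)


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Pick the address to filter on when a reverse proxy sits in front.

    X-Forwarded-For is only believed when the TCP peer is itself a trusted
    proxy; otherwise any client could claim an allowed address in the header.
    """
    if x_forwarded_for and cidr_allowed(remote_addr, trusted_proxies):
        return x_forwarded_for.split(",")[0].strip()  # left-most hop is the client
    return remote_addr


# Constructed sample addresses.
INTENDED = "172.17.4.20"    # inside 172.17.0.0/16, should be allowed
LOOKALIKE = "172.170.4.20"  # outside 172.17.0.0/16, yet matches "172.17.*"
EMBEDDED = "10.9.172.17"    # matches "172.17.*" only under an unanchored search
STRICT_PATTERN = r"172\.17\.[0-9]{1,3}\.[0-9]{1,3}"  # what "172.17.*" was meant to say
```

Even STRICT_PATTERN is a string test, not an address test (172.17.999.1 passes it), so where the filter has to be exact, convert the address and compare against networks as cidr_allowed does.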



NEWBIE: Application configuration security question

2004-06-15 Thread jochs
Hello, I have a question regarding security on Tomcat. first, some background:

I'm currently assisting in the deployment of a Xerox DocuShare system. This 
implementation of DocuShare runs on Tomcat (among other platforms.) The problem I've been 
having with this particular app/server setup is that DocuShare security has only two 
notions: guest access, which does not require authentication, and a registered user, 
which does require authentication (in our case against an LDAP server) and requires an 
expensive license. I'd like to have 3 levels of security: NO ACCESS, authenticated 
LDAP users but not DocuShare clients (no $$ license), and licensed, authenticated 
users. Since this scenario is not provided for out of the box, I was wondering if it's 
possible to connect the DocuShare connector to an LDAP valve and pipe all the 
DocuShare traffic through another LDAP authentication container (please excuse me if I 
get the Apache lexicon twisted up, I'm new at this.) In a nutshell, I'm looking to 
intercept all traffic coming to the Tomcat server (it's not being used 
for anything other than DocuShare anyways, so that should make things a little 
simpler) and require LDAP user authentication to access the server. Authenticated 
users can then see the DocuShare app (by default, as DocuShare guest users), which 
may, in turn, require an additional authentication step to determine if a user should 
have additional access rights as a licensed user. Ideally, the LDAP authentication 
info could be passed into the DocuShare application to automate the last step, but I'd 
be more than happy even if the step required another username/password combo entry by 
the user.

Can this be done? If so, where would I start to get this off the ground? Any help is 
greatly appreciated.

-Jake





Re: Cross-app security question

2004-06-08 Thread Tim Funk
See the servlet spec. I know for version 2.3 of the spec (which is tomcat4 
stuff) - security is applied only to the incoming URL. (The same went for 
filters too)

For 2.4 - I know that filters can be applied on RequestDispatcher.include and 
 RequestDispatcher.forward. So security constraints might also be applied on 
them too.

In other words (I don't feel like reading it myself right now, so ..)
1) Make sure all the webapps are to the 2.4 servlet spec. (If you see 2.2 or 
2.3 anywhere in web.xml)
2) Read the spec to see if there are additional parameters you can add to 
web.xml

-Tim
Michael Mehrle wrote:
I do have a question regarding security across appfuse and other
webapps. Currently, I have two separate web applications running under
Tomcat (5.0.26):
- tdx (which is a version of appfuse)
- jGallery (which dynamically serves images)
The way jGallery works is that it 'crossmaps' image gallery directories
dynamically - it's actually pretty cool. What that means is that if I create
a folder at ../tdx/mygallery and put images in it, then typing in a URL such
as:
http://localhost:8080/jGallery/tdx/mygallery/index.html will autogenerate an
index page and also create the appropriate slide pages. So far so good.
The problem is that all my security settings don't work anymore this
way since the images are being served by jGallery (and I don't want to
manage two different security settings). Also, it's difficult to make the
gallery part of my tiles configuration. I can probably point outside of my
app (haven't tried that) but it gets a bit ugly. The security settings are
the bigger problem however. I'd like to be able to map it somehow that
everything goes through the tdx project security. So, in order to see the
images and the gallery index at the URL above, users would have to log in
(such as in the default appfuse installation).
I was thinking that I could somehow bring jGallery inside tdx, but that
would mean having to merge the two web.xml files as well as tdx.xml and
jGallery.xml inside of ..conf/Catalina/localhost/. I'd rather not do that
and am hoping for some elegant solution that allows me to keep the gallery
generator and my main tdx webapp separate.


Cross-app security question

2004-06-07 Thread Michael Mehrle
I do have a question regarding security across appfuse and other
webapps. Currently, I have two separate web applications running under
Tomcat (5.0.26):

- tdx (which is a version of appfuse)
- jGallery (which dynamically serves images)

The way jGallery works is that it 'crossmaps' image gallery directories
dynamically - it's actually pretty cool. What that means is that if I create
a folder at ../tdx/mygallery and put images in it, then typing in a URL such
as:
http://localhost:8080/jGallery/tdx/mygallery/index.html will autogenerate an
index page and also create the appropriate slide pages. So far so good.

The problem is that all my security settings don't work anymore this
way since the images are being served by jGallery (and I don't want to
manage two different security settings). Also, it's difficult to make the
gallery part of my tiles configuration. I can probably point outside of my
app (haven't tried that) but it gets a bit ugly. The security settings are
the bigger problem however. I'd like to be able to map it somehow that
everything goes through the tdx project security. So, in order to see the
images and the gallery index at the URL above, users would have to log in
(such as in the default appfuse installation).

I was thinking that I could somehow bring jGallery inside tdx, but that
would mean having to merge the two web.xml files as well as tdx.xml and
jGallery.xml inside of ..conf/Catalina/localhost/. I'd rather not do that
and am hoping for some elegant solution that allows me to keep the gallery
generator and my main tdx webapp separate.

Any suggestions?






general security question about public / private keys

2003-12-16 Thread Adam Hardy
Is it possible to configure tomcat to use public / private key pairs 
that implement the java.security API for authentication a la ssh? I 
assume it is but haven't found out how yet.

I'm using SSL at the moment but I need to implement a higher security 
environment in the same shape and form as ssh essentially. Just using 
public / private keys.

Does this require an applet for the browsers?

I'm currently ploughing through what I can find on the web and haven't 
got that far yet.

Thanks
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


Re: Security question

2003-06-17 Thread Bill Barker
It can't be done (at least without hacking :).  The servlet-spec only tells
how to secure a page.  There is no concept of un-securing a page.

If you are using iPlanet+Tomcat, and the un-secure areas are all static
content, then you can configure iPlanet to serve the un-secure areas
(bypassing Tomcat's security checks).  If it works, this is probably the
easiest.

Otherwise you probably would need to plug in your own custom Authenticator
that would be smart enough to un-secure some configured set of URLs.

Bob Damato [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Security for the site I'm working with was originally done via IPlanet's
 internal security. I'd like to move to using the webapp security in
 Tomcat. Under iPlanet, the security was set up with the entire site - /*
 - being secured, then specific uri's were explicitly declared
 un-secured.

 So, essentially we have
 /*  - secured
 and say
 /errors/* - explicitly open to the public

 Is this possible to replicate using Tomcat's security? It would be
 excruciating to reorganize the site, so I'd love to avoid that.







Security question

2003-06-17 Thread Bob Damato
Security for the site I'm working with was originally done via IPlanet's
internal security. I'd like to move to using the webapp security in
Tomcat. Under iPlanet, the security was set up with the entire site - /*
- being secured, then specific uri's were explicitly declared
un-secured.

So, essentially we have
/*  - secured
and say
/errors/* - explicitly open to the public

Is this possible to replicate using Tomcat's security? It would be
excruciating to reorganize the site, so I'd love to avoid that.




Security Question

2003-03-05 Thread Lars Nielsen Lind
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using OpenSSL 
0.9.7a with Apache.

Question:

If the user activates a jsp page with a javabean component with access to a PostgreSQL 
database server (communicates with port 5432) from the secure area (https) - is it 
then possible to 'sniff' the communication between the component and the database 
server or is this communication encrypted by apache with ssl?

If it is possible to 'sniff' the communication - how do I best prevent this?

Best regards,

Lars Nielsen Lind

Re: Security Question

2003-03-05 Thread Tim Funk
Here are the channels of communication. For a typical web page there are 
3 socket connections that can be concurrently open.

A: Web Browser <-> Apache
B: Apache <-> Tomcat
C: Tomcat <-> Database
Now onto the security ...
A: If ssl then secure
B: If ssl, then secure. If not ssl, then someone between tomcat and 
apache might be able to sniff the line. If tomcat & apache are on the same box 
and someone can sniff - you have bigger problems.
C: It depends on the database protocol which is database specific. Each 
vendor can tell you this. In a usual case a database should be hidden 
from the world (via firewall) so this communication is usually secure 
by means of only trusted people being on that network segment, but they 
could sniff the line if they wanted to.

-Tim

Lars Nielsen Lind wrote:
I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. I am using OpenSSL 0.9.7a with Apache.

Question:

If the user activates a jsp page with a javabean component with access to a PostgreSQL database server (communicates with port 5432) from the secure area (https) - is it then possible to 'sniff' the communication between the component and the database server or is this communication encrypted by apache with ssl?

If it is possible to 'sniff' the communication - how do I best prevent this?

Best regards,

Lars Nielsen Lind




RE: Security Question

2003-03-05 Thread mech
Only the communication between browser and apache server is ssl
encrypted. Both the communications between apache and tomcat and tomcat
and database are not. At least not without further action.

So make sure that your server does not open the ajp13 connector (mod_jk
or whatever) port and db server port to the outside world. Secure your
servers, intranet, ports, use firewalls or secure the communications,
etc. Securing the system from outside can be done mostly by closing
unnecessary ports. If you cannot trust your internal network however it
might be more effort because you might consider to encrypt the
communications yourself.

Michael


 -Original Message-
 From: Lars Nielsen Lind [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 5 March 2003 10:45
 To: Tomcat Users List
 Subject: Security Question
 
 
 I have a server with Apache 2.0.44 and Jakarta-Tomcat 4.1.18. 
 I am using OpenSSL 0.9.7a with Apache.
 
 Question:
 
 If the user activates a jsp page with a javabean component 
 with access to a PostgreSQL database server (communicates 
 with port 5432) from the secure area (https) - is it then 
 possible to 'sniff' the communication between the component 
 and the database server or is this communication encrypted by 
 apache with ssl?
 
 If it is possible to 'sniff' the communication - how do I 
 best prevent this?
 
 Best regards,
 
 Lars Nielsen Lind
 





Re: Security question

2002-09-23 Thread Andreas Probst

Hi David,

if it weren't Apache I would say: try 
HttpServletRequest.getUserPrincipal().getName(). Maybe it could 
be that this also works with Apache...

Andreas


 I'm trying to retrieve the userid that logged into apache and accessed 
 the current JSP page.  How can I get this info?
 
 Explanation: I'm implementing a very crude security system on my site 
 for right now (mainly to just keep people from accessing the email 
 addresses and photos on the site), but I need to implement a password 
 change page.  So what I did (and yes I know it's a hack 8), I 
 implemented a JNI interface to call htpasswd in the background.  I'm 
 trying to have an html page (that's in a secured area of course) post 
 the new password to a jsp page which will in turn retrieve the logged in 
 userID and call the interface class.
 
 Any help would be appreciated,
 David J
 -- 
 If you only compete with yourself,
  you can always be a winner. - David Jenkins
 Of course, you could always be a loser too. - Miles Thornton
 
 
 







Security question

2002-09-22 Thread David Jenkins

I'm trying to retrieve the userid that logged into apache and accessed 
the current JSP page.  How can I get this info?

Explanation: I'm implementing a very crude security system on my site 
for right now (mainly to just keep people from accessing the email 
addresses and photos on the site), but I need to implement a password 
change page.  So what I did (and yes I know it's a hack 8), I 
implemented a JNI interface to call htpasswd in the background.  I'm 
trying to have an html page (that's in a secured area of course) post 
the new password to a jsp page which will in turn retrieve the logged in 
userID and call the interface class.

Any help would be appreciated,
David J
-- 
If you only compete with yourself,
 you can always be a winner. - David Jenkins
Of course, you could always be a loser too. - Miles Thornton






Jboss Tomcat integrated security question.

2002-08-21 Thread Austin Gonyou

Is there a list of security related changes made to Jboss and Tomcat
between 2.4.1-3.2.3 and the most recent stable releases? We're trying to
compile a list of security related reasons for upgrading. TIA
-- 
Austin Gonyou [EMAIL PROTECTED]
Coremetrics, Inc.





Realm Security Question

2002-07-22 Thread Jamie M. Guillemette

Ok here is a straight forward question:

I understand how to change my server.xml and set up my web.xml files so that the security 
realm on my server uses ODBC to verify the roles / passwords. 

The catch is I'm not very happy with having to edit the server.xml file. I would like 
to know if there is any way to accomplish the same results by editing only files that 
are contained in the webapps directory. (The idea behind this is I'm creating war 
files and do not wish to have editing the server.xml file as part of the installation 
procedure of my application.)

Thanks,
j.




Re: Realm Security Question

2002-07-22 Thread Craig R. McClanahan



On Mon, 22 Jul 2002, Jamie M. Guillemette wrote:

 Date: Mon, 22 Jul 2002 14:54:17 -0400
 From: Jamie M. Guillemette [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Realm Security Question

 Ok here is a straight forward question:

 I understand how to change my server.xml and set up my web.xml files so
 that the security realm on my server uses ODBC to verify the roles /
 passwords.


Off topic comment -- you probably do not want to use ODBC for this, at
least not with the standard JDBC-ODBC driver which is not thread safe.

 The catch is I'm not very happy with having to edit the server.xml file.
 I would like to know if there is any way to accomplish the same results
 by editing only files that are contained in the webapps directory. (The
 idea behind this is I'm creating war files and do not wish to have
 editing the server.xml file as part of the installation procedure of my
 application.)


Tomcat 4.1.x lets you have a thing called a context configuration file
that is separate from server.xml, and store one of these in webapps if you
want to (or deploy it via the Manager webapp).

Basically, a context configuration file takes the Context element, and
all its nested elements, out of server.xml into a separately maintainable
file -- so you can still configure all the stuff that requires nested
elements in a Context element, without having to physically modify the
server.xml file.  And, if you put such a file in the webapps directory,
the corresponding app is auto-deployed just like if you had put a
directory or WAR file there.

In a standard 4.1.x release, the admin and manager webapps are both
auto-deployed from such a context configuration file -- see
$CATALINA_HOME/webapps/admin.xml and
$CATALINA_HOME/webapps/manager.xml for examples of the kinds of things
you can do.

And no, none of this stuff works (or ever will work) on 4.0.x -- it's a
new 4.1.x feature.

 Thanks,
 j.



Craig







jsp:include security question

2002-02-25 Thread Pat Schaider

Hello --

I am trying to get a new Tomcat system configured for my school's CS
department.  We want to use version 4 (I am working with 4.0.2).

We need a system that lets students keep their files private, to make sure
that nobody cheats by stealing somebody's servlets or jsp.  I am testing
it out to make sure that student1 cannot access the files of 
student2.  Also I should note that students will not be logging in to this
box so standard file permissions will not cut it.  Students will upload
all files through a script utility, so all files will be owned by that
user.

The problem is this: with a more-or-less default installation of Tomcat
using the security manager, in a jsp:include you can access outside of
your context using ../../../ .  Note that in other forms of reading the
files, the security manager correctly prohibits access (both in a
jsp:include giving the real path, and in standard programmatic file 
opening with real and ../ paths).  It's just in the case of the include
with relative path that it allows access to others' files.

Here's a sample line of a jsp that should generate an error, but
doesn't.  The contexts are foo1/ and foo2/, they are defined in separate
context tags.  This line is from a file in foo1/.
<jsp:include page="../../../foo2/jsp/include/junk.txt"/>

That line allows the script in foo1 to access the file in foo2/.  The same
path in a BufferedReader causes an error.

Somebody please help me.  Is this a configuration error, a bug, or am I
just being thick-headed about it???

Thanks for your time.

--==pat schaider==--
[EMAIL PROTECTED]


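Pat's case is a relative include climbing out of its context with ../ segments. The Python below is an added example, not Tomcat or JSP code, of the containment check a container or an include helper should apply: resolve the target against the context root the way <jsp:include page="..."> is resolved (page-relative unless it starts with "/"), normalise, and refuse anything that lands outside. The paths and page names are constructed.

```python
"""Keeping relative include paths inside the web-application root (added example).

Not Tomcat code. resolve_include() resolves an include target the way a
container would (page-relative unless it starts with "/"), normalises the ".."
segments at the filesystem level, and refuses any result that lands outside the
context root, which is exactly what "../../../foo2/..." tries to do.
"""
import posixpath


class IncludeEscapesContext(Exception):
    """The include target resolved to a path outside the context root."""


def resolve_include(context_root: str, including_page: str, include_page: str) -> str:
    """Return the absolute filesystem path of an include target, or raise.

    context_root    directory of the web application, e.g. "/srv/tomcat/webapps/foo1"
    including_page  context-relative path of the page doing the include, e.g. "/jsp/index.jsp"
    include_page    the page attribute: context-relative if it starts with "/",
                    otherwise relative to the including page's directory
    """
    root = posixpath.normpath(context_root)
    if include_page.startswith("/"):
        base_dir = ""
    else:
        base_dir = posixpath.dirname(including_page).lstrip("/")
    # Join first, normalise second: this is where ".." segments climb.
    candidate = posixpath.normpath(posixpath.join(root, base_dir, include_page.lstrip("/")))
    # A plain prefix test would accept ".../foo10" as inside ".../foo1"; require the separator.
    if candidate != root and not candidate.startswith(root + "/"):
        raise IncludeEscapesContext(f"{include_page!r} resolves to {candidate!r}, outside {root!r}")
    return candidate


def is_contained(context_root: str, including_page: str, include_page: str) -> bool:
    """Boolean form of resolve_include for callers that only need a yes/no."""
    try:
        resolve_include(context_root, including_page, include_page)
    except IncludeEscapesContext:
        return False
    return True
```

The check is on the resolved path, not on the presence of ".." in the input, so "./a/../b.jsp" inside the context is accepted while any sequence that ends up above the root is refused; a security manager that only guards direct file opens, as in Pat's report, does not see this path at all, which is why the include code itself has to do it.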




Re: Security question

2001-11-16 Thread Pritpal Dhaliwal

You could always use Referer to see where the request is coming from.  I am
not sure if this would work if you used  a dispatcher.

Pritpal Dhaliwal


- Original Message -
From: Laurent Michenaud [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 15, 2001 7:38 AM
Subject: Security question


 Hi,

 Is it possible to verify that a servlet has been called by a specific
 servlet or JSP,
 and that it can't be called by another one?


 Michenaud Laurent
 - Adeuza -
 [ Développeur Web - Administrateur Réseau ]










Re: Fixed - Repost:HELP! Security question - grant entries

2001-11-16 Thread Antony Bowesman

Hi,

Got it to work, permissions for JSPs can only be given at the context
root level.  I was trying to be more fine grained, which is not possible.

Antony

Antony Bowesman wrote:
 
 Hi,
 
 How can you assign permissions to code compiled from a JSP, it is
 possible or do you have to put all code that performs actions that may
 encounter security checks inside a bean and then allocate permissions to
 the bean class?
 
 I tried adding
 
 grant codeBase
 "file:${catalina.home}/work/localhost/examples/jsp/security/protected/-"
 {
 permission java.security.AllPermission;
 };
 
 to the conf/catalina.policy but I get an AccessControlException because
 the compiled code in the stack frame
 
 org.apache.jsp.index$jsp._jspService(index$jsp.java:116)
 
 does not have permission.
 
 It's tomcat 4.0
 
 Any ideas?
 Antony
 

-- 
Antony Bowesman
Teamware Group 
[EMAIL PROTECTED]
phone: +358 9 5128 2562
fax  : +358 9 5128 2705

intra / extra / Internet solutions at www.teamware.com





Security question

2001-11-15 Thread Laurent Michenaud

Hi,

Is it possible to verify that a servlet has been called by a specific
servlet or JSP,
and that it can't be called by another one?


Michenaud Laurent
- Adeuza -
[ Développeur Web - Administrateur Réseau ]






Re: Security question

2001-11-15 Thread Frank Lawlor

You can pass (possibly encrypted) information that
only the two parties know.  This is essentially 
authentication like your username/password.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.




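Both replies to Laurent's question point at the two options: a Referer check (cheap, and forgeable by any client) or, as Frank says, information only the two parties know. The Python below is an added example, not code from the thread or from Tomcat; it puts the two side by side, with a constructed shared secret and an HMAC-SHA256 token over the parameters carrying a timestamp and a nonce, so a call can neither be forged without the secret nor replayed.

```python
"""Authenticating one servlet's calls to another (added example, not thread code).

Two approaches side by side: the Referer header, which any client can forge,
and a shared-secret HMAC over the request parameters with a timestamp and a
nonce, which a caller without the secret cannot produce or replay.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional
from urllib.parse import urlencode

SHARED_SECRET = b"constructed-shared-secret-rotate-me"  # known to both servlets only


def referer_check(headers: Dict[str, str], expected_prefix: str) -> bool:
    """Weak: passes for anyone who sets the header, forged or not."""
    return headers.get("Referer", "").startswith(expected_prefix)


def _canonical(params: Dict[str, str]) -> bytes:
    """Sorted, percent-encoded form of the parameters; unambiguous for any values."""
    return urlencode(sorted(params.items())).encode()


def sign_call(params: Dict[str, str], caller: str, secret: bytes,
              now: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Add caller id, timestamp and nonce, then an HMAC-SHA256 over everything."""
    signed = dict(params, caller=caller,
                  ts=str(int(time.time()) if now is None else now),
                  nonce=nonce or secrets.token_hex(8))
    signed["sig"] = hmac.new(secret, _canonical(signed), hashlib.sha256).hexdigest()
    return signed


class CallVerifier:
    """Server side: checks caller, signature, freshness and single use of the nonce."""

    def __init__(self, secret: bytes, allowed_callers: Iterable[str], max_skew: int = 60):
        self.secret = secret
        self.allowed = set(allowed_callers)
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production: a shared store with expiry

    def verify(self, params: Dict[str, str], now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        sig = params.get("sig")
        if not sig or params.get("caller") not in self.allowed:
            return False
        unsigned = {k: v for k, v in params.items() if k != "sig"}
        expected = hmac.new(self.secret, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False
        try:
            ts = int(params["ts"])
            nonce = params["nonce"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.max_skew or nonce in self.seen_nonces:
            return False  # stale or replayed
        self.seen_nonces.add(nonce)
        return True
```

The token goes in the forwarded request (a parameter or header) and the called servlet rejects anything that fails verify(); this also works across a RequestDispatcher, which is where Pritpal notes a Referer check becomes doubtful, because the token travels with the request attributes rather than depending on what the browser sent.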




Security question - grant entries

2001-11-15 Thread Antony Bowesman

Hi,

How do you grant permissions in the policy file to jsp pages. I've tried

grant codeBase
"file:${catalina.home}/work/localhost/examples/jsp/security/protected/-"
{
permission java.security.AllPermission;
};

but I get an AccessControlException when some code in the jsp tries to
do something that requires certain permission.

It's tomcat 4.0

Any ideas?
Antony





Repost:HELP! Security question - grant entries

2001-11-15 Thread Antony Bowesman

Hi,

How can you assign permissions to code compiled from a JSP, it is
possible or do you have to put all code that performs actions that may
encounter security checks inside a bean and then allocate permissions to
the bean class?

I tried adding 

grant codeBase
"file:${catalina.home}/work/localhost/examples/jsp/security/protected/-"
{
permission java.security.AllPermission;
};

to the conf/catalina.policy but I get an AccessControlException because
the compiled code in the stack frame

org.apache.jsp.index$jsp._jspService(index$jsp.java:116)

does not have permission.

It's tomcat 4.0

Any ideas?
Antony





Re: Security Question

2001-10-26 Thread Frank Lawlor

I've started looking at some of the security issues
but I'm still behind where you are in the area of
your questions.

Where did you find this document that has 
section 8 on "Existing Risks and Problems"?

Thanks,

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.






Security Question

2001-10-25 Thread Drasko . Kokic



Hi there,
I have read the "Existing Risks and Problems" (Chapter 8 in the internal
document of the TC-3.3) and spotted that there is a potential security
risk in using Tomcat as a platform for the Application Gateway to an
enterprise business support system.
One of the very important subprojects I still need to solve is providing a
secure environment, and currently we are constructing a sort of Checking
Engine that basically tests every parameter against prescribed conditions
and rejects all invalid requests.
Has anybody already thought about this or eventually produced some
code/concept?  I hope some of original contributors will also read this
post.
I have some development resources allocated to this task, but would prefer
if we could join forces with other interested parties as this must be a
very important issue.
Drasko
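Drasko's Checking Engine is an allow-list validator over request parameters. The Python below is an added example of one, not code from his project or from Tomcat; the rule set for the account gateway endpoint is constructed. Undeclared or duplicated parameters are rejected, patterns use [0-9] rather than \d so Unicode digits do not slip through int(), and numeric bounds are enforced after the pattern check.

```python
"""Declarative request-parameter checking engine (added example, not thread code).

An allow-list validator: every parameter must be declared with a rule, every
declared parameter must satisfy its rule, and anything undeclared (or supplied
more than once) is rejected before the request reaches business code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    required: bool = True
    pattern: Optional[str] = None              # regex the whole value must match
    max_len: int = 256
    choices: Optional[Tuple[str, ...]] = None  # closed set of permitted values
    min_value: Optional[int] = None            # integer bounds, if numeric
    max_value: Optional[int] = None


class CheckingEngine:
    def __init__(self, rules: Dict[str, Rule]):
        self.rules = {n: (r, re.compile(r.pattern) if r.pattern else None) for n, r in rules.items()}

    def check(self, params: Dict[str, List[str]]) -> List[str]:
        """Return the list of violations; an empty list means accept the request."""
        errors = [f"unexpected parameter {n!r}" for n in params if n not in self.rules]
        for name, (rule, rx) in self.rules.items():
            values = params.get(name, [])
            if not values:
                if rule.required:
                    errors.append(f"missing parameter {name!r}")
                continue
            if len(values) != 1:
                errors.append(f"parameter {name!r} supplied {len(values)} times")
                continue
            value = values[0]
            if len(value) > rule.max_len:
                errors.append(f"parameter {name!r} longer than {rule.max_len}")
                continue
            if rx is not None and rx.fullmatch(value) is None:
                errors.append(f"parameter {name!r} fails pattern {rule.pattern!r}")
            if rule.choices is not None and value not in rule.choices:
                errors.append(f"parameter {name!r} not one of {rule.choices}")
            if rule.min_value is not None or rule.max_value is not None:
                try:
                    n = int(value)
                except ValueError:
                    errors.append(f"parameter {name!r} is not an integer")
                    continue
                if rule.min_value is not None and n < rule.min_value:
                    errors.append(f"parameter {name!r} below {rule.min_value}")
                if rule.max_value is not None and n > rule.max_value:
                    errors.append(f"parameter {name!r} above {rule.max_value}")
        return errors


# Constructed rule set for a hypothetical account gateway endpoint.
ACCOUNT_GATEWAY_RULES = {
    "account": Rule(pattern=r"[0-9]{1,12}"),
    "action": Rule(choices=("view", "statement", "transfer")),
    "amount": Rule(required=False, pattern=r"[0-9]+", min_value=1, max_value=100_000),
}
```

The engine returns every violation rather than stopping at the first, which is what you want for logging at a gateway; the caller rejects the request whenever the list is non-empty and never passes the raw parameters onward.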





Fw: Security Question

2001-10-19 Thread Gerry Duhig

I am using Tomcat with JBoss and JBoss is handling security. Everything
works fine and each time a secured component is accessed I see two lines in
the logs:

User: name is authenticated
User: name is authorized

There are now thousands of these lines! How do I get rid of them?

There are so many it must be a significant impact on performance and it's
over-filling the logs.

Help please

Gerry




RE: Security Question

2001-10-19 Thread Darrell Porter

What is your debug level in the context?

Darrell


-Original Message-
From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 9:34 AM
To: [EMAIL PROTECTED]
Subject: Fw: Security Question


I am using Tomcat with JBoss and JBoss is handling security. Everything
works fine and each time a secured component is accessed I see two lines in
the logs:

User: name is authenticated
User: name is authorized

There are now thousands of these lines! How do I get rid of them?

There are so many it must be a significant impact on performance and it's
over-filling the logs.

Help please

Gerry



Re: Security Question

2001-10-19 Thread Gerry Duhig

In server.xml, Context Manager, I have debug=0 and showDebugInfo=false.

In the same file, all logging verbosity levels are set to ERROR.

These messages seem to be on stdout or stderr, not a specific log file.

Gerry

- Original Message -
From: Darrell Porter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 19, 2001 5:56 PM
Subject: RE: Security Question


 What is your debug level in the context?

 Darrell


 -Original Message-
 From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
 Sent: Friday, October 19, 2001 9:34 AM
 To: [EMAIL PROTECTED]
 Subject: Fw: Security Question


 I am using Tomcat with JBoss and JBoss is handling security. Everything
 works fine and each time a secured component is accessed I see two lines
in
 the logs:

 User: name is authenticated
 User: name is authorized

 There are now thousands of these lines! How do I get rid of them?

 There are so many it must be a significant impact on performance and it's
 over-filling the logs.

 Help please

 Gerry




Re: Security question

2001-09-01 Thread Craig R. McClanahan



On Wed, 29 Aug 2001, Achim Baier wrote:


 Now my question:
 Am I wrong-minded, is it a bug or is it a jsp/servlet/j2ee-feature? Any
 comments?


Security constraints that you mention in your web.xml deployment
descriptor are *only* applied to the original request URI, *not* to any
request URI that is included by your servlet or JSP page.  That is by
design.

If the content from a particular include should not be displayed to a
particular user (because they don't have a required role), you should not
be doing the include in the first place.

 Thanks in advance,
 Achim


Craig McClanahan
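As an added example (not code from the thread), a hypothetical servlet that plays the role of Achim's index_2.jsp: because the container does not apply the /secure/* constraint to an included URI, the including code re-applies the same three checks itself before pulling in the fragment. The role name "member" and the move of component.jsp under /WEB-INF/ are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Hypothetical servlet standing in for the unprotected index_2.jsp. The
 * web.xml constraint (pattern /secure/*, role "member", transport
 * CONFIDENTIAL; names assumed) is only checked for the original request
 * URI, so anything that includes the fragment must do the check itself. */
public class GuardedIncludeServlet extends HttpServlet {

    // Under /WEB-INF/ the fragment cannot be requested by URL at all; it is
    // reachable only through include/forward, i.e. only through this check.
    private static final String COMPONENT = "/WEB-INF/jsp/component.jsp";
    private static final String REQUIRED_ROLE = "member";   // assumption

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isAllowed(req)) {
            // Same outcome the constraint gives for a direct request.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/html");
        resp.getWriter().println("<html><body><h1>index_2</h1>");
        RequestDispatcher rd = req.getRequestDispatcher(COMPONENT);
        rd.include(req, resp);   // reached only after the checks above
        resp.getWriter().println("</body></html>");
    }

    /** Re-applies what the declarative constraint checks: TLS, login, role. */
    static boolean isAllowed(HttpServletRequest req) {
        return req.isSecure()                     // transport-guarantee CONFIDENTIAL
            && req.getRemoteUser() != null        // authenticated by the realm
            && req.isUserInRole(REQUIRED_ROLE);   // authorized for the role
    }
}
```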





Security question

2001-08-29 Thread Achim Baier

Hello everybody, 

I just tried to make a HTTPS connection to a web-application on tomcat
3.2.2. Because of the documentation it was not difficult but I
recognized something I want to ask about.

I have a directory /secure/. Every resource inside is protected by
web.xml security constraint (pattern /secure/* transport-guarantee
CONFIDENTIAL). In this directory I have 2 files (index_1.jsp and
component.jsp). I also have another JSP page (index_2.jsp) outside
the secured directory. index_1.jsp makes a jsp:include
page=component.jsp. 

If I try to view index_1.jsp (or component.jsp directly) I have to
use HTTPS and to log in. But if index_2.jsp also does a jsp:include
page=component.jsp I'm able to view the page with HTTP and without
login. Because jsp:include is executed at request time it should (be
able to) check permissions. 

I could use userInRole and check the schema inside component.jsp but
this would break my goal to just use declarative security. My business
layer objects could check this (if I use EJBs I could also use
declarative security) but I still have a bad feeling about that. It will
be possible to view secured content within every JSP page. It's not
enough to look at the deployment descriptor and the page/component which
should be protected, but also at every other page.

Now my question:
Am I wrong-minded, is it a bug or is it a jsp/servlet/j2ee-feature? Any
comments?

Thanks in advance,
Achim



Tomcat security question

2001-07-19 Thread Hamish Barney

Just hoping someone can help me deal with this question...

In the application I'm developing I need to restrict access to a bunch of
binary files (sound recordings). Each user should only be able to download
their own files. Files and users will be added and deleted dynamically. The
realm-based security in Tomcat doesn't seem to support the security model I
require (creating a new role for every single user and associating that with
their files isn't really practical). Does anyone have an idea as to how to
achieve the required security within a Tomcat framework?

Thanks,
Hamish



RE: Tomcat security question

2001-07-19 Thread Randy Layman


You would probably be best off implementing it in a servlet.  The
servlet can authenticate the user, determine the specific file, and then
send the file (not redirect) to the client.  Since you are sending the file,
the files can reside anywhere on the system or even on another system.

Randy



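A hypothetical servlet along the lines Randy describes, added here and not part of the thread: the realm authenticates the caller, the servlet maps that caller to a file it owns and streams it from outside the document root, so no per-user role is needed. The base directory and the "one directory per user" layout are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Hypothetical download servlet: the container authenticates the caller, the
 * servlet decides which file that caller owns and streams it itself, so the
 * recordings live outside the document root and no per-user role is needed.
 * BASE and the "one directory per user" layout are assumptions. */
public class RecordingServlet extends HttpServlet {
    private static final File BASE = new File("/var/recordings"); // assumption
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();      // set by the realm after login
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        File target = resolveForUser(user, req.getPathInfo());
        if (target == null || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("audio/x-wav");
        resp.setContentLength((int) target.length());
        FileInputStream in = new FileInputStream(target);
        try {
            ServletOutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }

    /** Maps /name.wav to BASE/user/name.wav, or null if it escapes that dir. */
    static File resolveForUser(String user, String pathInfo) throws IOException {
        if (pathInfo == null || pathInfo.length() < 2) return null;
        File userDir = new File(BASE, user).getCanonicalFile();
        if (!userDir.getPath().startsWith(BASE.getCanonicalPath() + File.separator)) return null;
        File f = new File(userDir, pathInfo.substring(1)).getCanonicalFile();
        // Canonical-prefix check rejects "../other/x.wav" style path info.
        return f.getPath().startsWith(userDir.getPath() + File.separator) ? f : null;
    }
}
```

The servlet's own URL still needs a security-constraint in web.xml so the realm performs the login before getRemoteUser() is consulted.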

Newbie security question

2001-04-25 Thread laurent . citton




Hi guys,

I have a very simple problem: how can I prevent Tomcat from displaying a
directory listing ? My servlets are installed in webapps/app directory and
asking for the URL http://localhost:8080/app/ just displays the content of the
directory, which I obviously do not want.


Thanks for your answer





Re: security question

2001-04-06 Thread skolski

Hello Jeff, Hello List,

thank you very much for your reply. A look at this example would have
prevented me from spending a lot of time and writing the other mail. The
built-in example doesn't work on my installation. That j_security_check
stuff is missing. But that doesn't matter, I try to use basic auth for the
first throw.

I copied the parts of examples web.xml to my context and modified the path.
If I try to surf to that "secret" path the password box pops up. The
password box then only accepts the valid users, so far everything is o.k.
But then there is a 404 Error. The Browser points to the right file in the
right directory but there is a 404 not found. How is that possible? What do
I do wrong?

thanks in advance,

Sascha





security question

2001-04-05 Thread skolski

Hello everybody,

the "problem" is that I should have some security on my site. I think of
authentication by a username and password and then access rights for
special areas of the site. So far, so good. I started looking around. I
now have a login form, a JSP to check username and password and a bean to
store whether the user is logged in or not. OK, but that didn't help me,
because I have cocoon-generated HTML pages on my site. And as far as I know
in HTML beans can not be used.

What I think is that you can configure tomcat to check those security
things. I've been to the FAQ but the security section is empty, I've read
the userguide many times but these points I couldn't find. So the questions
are:

1.) How to set up (for example) basic security in tomcat?

2.) Do I need my own login forms, and how would they work together with
tomcat?

3.) Do I have to check somewhere if a user is logged on?

4.) Is there any FAQ or Tutorial about webserver security?

so thanks for reading this, feel free to answer,

Sascha





Re: security question

2001-04-05 Thread Jeff Turner

It's all defined in the servlet spec, downloadable from
http://java.sun.com/products/servlet/index.html.

Tomcat comes with a preconfigured example (examples/jsp/security)
demonstrating this.

--Jeff

On Fri, Apr 06, 2001 at 09:49:38AM +0800, [EMAIL PROTECTED] wrote: