Tomcat security during runtime
Hello all, I have a question: if you set up your own security in Tomcat by using your own policy, is there any way to modify this policy during runtime, without restarting Tomcat itself? Is there any Java API you can use to modify the security manager during runtime?

Thanking you in advance.

Matt

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
tomcat security
Hi everybody,

I have a problem about Tomcat security. One of my friends wrote a simple piece of code and he can travel every folder on the server. I wonder, is there any config file for Jakarta for disabling access except to his folder? Maybe you know on PHP there was a security setting in php.ini for disabling travelling. Is there any config file like this?

Best regards,

Cengiz YAZGAN
Sistem Mühendisi/System Engineer
DorukNet
Tel / Phone : +90 212 326 92 00
Fax : +90 212 227 28 11
E-mail : [EMAIL PROTECTED]
http://www.doruk.net.tr
http://www.doruk.net.tr/english.html
Re: tomcat security
Yes. There is the catalina.policy file in the conf/ directory. See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html for details.

Ben Ricker

On 8/9/05, Cengiz Yazgan [EMAIL PROTECTED] wrote:

Hi everybody,

I have a problem about Tomcat security. One of my friends wrote a simple piece of code and he can travel every folder on the server. I wonder, is there any config file for Jakarta for disabling access except to his folder? Maybe you know on PHP there was a security setting in php.ini for disabling travelling. Is there any config file like this?

Best regards,

Cengiz YAZGAN
Sistem Mühendisi/System Engineer
DorukNet
Tel / Phone : +90 212 326 92 00
Fax : +90 212 227 28 11
E-mail : [EMAIL PROTECTED]
http://www.doruk.net.tr
http://www.doruk.net.tr/english.html

--
Ben Ricker
He's just this guy, you know?
RE: tomcat security
I see this config file. I disabled these lines:

    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

But I can browse again.

-----Original Message-----
From: Ben Ricker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 3:33 PM
To: Tomcat Users List
Subject: Re: tomcat security

Yes. There is the catalina.policy file in the conf/ directory. See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html for details.

Ben Ricker

On 8/9/05, Cengiz Yazgan [EMAIL PROTECTED] wrote:

Hi everybody,

I have a problem about Tomcat security. One of my friends wrote a simple piece of code and he can travel every folder on the server. I wonder, is there any config file for Jakarta for disabling access except to his folder? Maybe you know on PHP there was a security setting in php.ini for disabling travelling. Is there any config file like this?

Best regards,

Cengiz YAZGAN
Sistem Mühendisi/System Engineer
DorukNet
Tel / Phone : +90 212 326 92 00
Fax : +90 212 227 28 11
E-mail : [EMAIL PROTECTED]
http://www.doruk.net.tr
http://www.doruk.net.tr/english.html

--
Ben Ricker
He's just this guy, you know?
FW: Tomcat security realms question
Thanks Mark. I agree, but they are the security people and I have to at least try to comply.

Do you think it would be feasible for us to change org.apache.catalina.authenticator.AuthenticatorBase for Tomcat 4.1.18 to change the session ID after logging in? We'd obviously have to recompile Tomcat after doing so. Are there any hidden gotchas you can think of with doing that?

Thanks,
Alex.

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question

The problem you describe is true of any session tracking system running over HTTP. The solution is to use HTTPS.

However, here's a question to fire back at your security team: if you are worried about an attacker physically looking at a session ID on a user's screen, what about if they decide to install a keyboard logger (physical or software) whilst they have access to the user's machine? In fact, I can think of a whole bunch of other things I could do as well that would be equally or more damaging than hijacking a single session. Fundamentally, if an attacker has physical access to a machine it is game over - they have won.

Your security team knows the threat model for your situation far better than I do, but it sounds to me like they are trying too hard in one area and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:

Hi all,

I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup are:

1. Check to see if the user is logged in with access to the restricted resource.
2. If they aren't, forward them to the login page and create an HttpSession to keep track of that user.
3. Once they've logged in, add the authentication system to the HttpSession created in step 2 to hold that info and forward them to the resource.
4. Continue using the same HttpSession to maintain state.

The problem my security team has with this is that someone could potentially steal the user's HttpSession ID before they've logged in, as this is created on the login screen. E.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.

My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSESSIONID) change post-login (i.e. make Tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?

Thanks for your help.
Re: Tomcat security realms question
The problem you describe is true of any session tracking system running over HTTP. The solution is to use HTTPS.

However, here's a question to fire back at your security team: if you are worried about an attacker physically looking at a session ID on a user's screen, what about if they decide to install a keyboard logger (physical or software) whilst they have access to the user's machine? In fact, I can think of a whole bunch of other things I could do as well that would be equally or more damaging than hijacking a single session. Fundamentally, if an attacker has physical access to a machine it is game over - they have won.

Your security team knows the threat model for your situation far better than I do, but it sounds to me like they are trying too hard in one area and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:

Hi all,

I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup are:

1. Check to see if the user is logged in with access to the restricted resource.
2. If they aren't, forward them to the login page and create an HttpSession to keep track of that user.
3. Once they've logged in, add the authentication system to the HttpSession created in step 2 to hold that info and forward them to the resource.
4. Continue using the same HttpSession to maintain state.

The problem my security team has with this is that someone could potentially steal the user's HttpSession ID before they've logged in, as this is created on the login screen. E.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.

My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSESSIONID) change post-login (i.e. make Tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?

Thanks for your help.
RE: Tomcat security realms question
Thanks a lot for your reply. We'll see if we can persuade our security guys to drop this issue.

Kind regards,
Alex.

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question

The problem you describe is true of any session tracking system running over HTTP. The solution is to use HTTPS.

However, here's a question to fire back at your security team: if you are worried about an attacker physically looking at a session ID on a user's screen, what about if they decide to install a keyboard logger (physical or software) whilst they have access to the user's machine? In fact, I can think of a whole bunch of other things I could do as well that would be equally or more damaging than hijacking a single session. Fundamentally, if an attacker has physical access to a machine it is game over - they have won.

Your security team knows the threat model for your situation far better than I do, but it sounds to me like they are trying too hard in one area and have missed a bunch of other threats.

Mark

Akoulov, Alexandre [IT] wrote:

Hi all,

I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup are:

1. Check to see if the user is logged in with access to the restricted resource.
2. If they aren't, forward them to the login page and create an HttpSession to keep track of that user.
3. Once they've logged in, add the authentication system to the HttpSession created in step 2 to hold that info and forward them to the resource.
4. Continue using the same HttpSession to maintain state.

The problem my security team has with this is that someone could potentially steal the user's HttpSession ID before they've logged in, as this is created on the login screen. E.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.

My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSESSIONID) change post-login (i.e. make Tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?

Thanks for your help.
Tomcat security realms question
Hi all,

I have a problem that's been raised by my security team to do with using Tomcat JDBCRealms. We're using such realms to protect restricted resources. We also have a custom login form. The steps Tomcat seems to follow when using such a setup are:

1. Check to see if the user is logged in with access to the restricted resource.
2. If they aren't, forward them to the login page and create an HttpSession to keep track of that user.
3. Once they've logged in, add the authentication system to the HttpSession created in step 2 to hold that info and forward them to the resource.
4. Continue using the same HttpSession to maintain state.

The problem my security team has with this is that someone could potentially steal the user's HttpSession ID before they've logged in, as this is created on the login screen. E.g. the user is forwarded to the login screen, then goes to make themselves a cup of coffee. A hacker goes to their computer and writes down the session ID. The user comes back and logs in, and the hacker pretends to be them from another computer.

My question is: how can I avoid this situation and keep the security guys happy? Is it possible to have the session ID held by the browser (in JSESSIONID) change post-login (i.e. make Tomcat invalidate the current session and create a new session after the user has been successfully authenticated)?

Thanks for your help.
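The session-ID change asked for in this thread, as an added example that is not code from the thread or from Tomcat (written against the Servlet 2.3 API in JDK 1.4 style so it fits a Tomcat 4 web application): the helper moves the pre-login session's attributes into a fresh session and invalidates the old one, and the login servlet shows that the rotation happens only after the credentials check succeeds. CredentialChecker, LoginServlet, the parameter names and the attribute name are hypothetical; it is meant for an application-managed login, as explained in the note after the code.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rotates the HTTP session once a login has succeeded (hypothetical helper,
 * not Tomcat code). The session created while the login screen was shown is
 * invalidated and its attributes are moved to a new session, so the
 * JSESSIONID an onlooker could have read before login no longer maps to the
 * authenticated user.
 */
final class SessionRotator {

    private SessionRotator() {
    }

    static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map saved = new HashMap();
        if (old != null) {
            for (Enumeration e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();                // the old ID now resolves to no session
        }
        HttpSession fresh = request.getSession(true);   // new ID, new Set-Cookie
        for (Iterator i = saved.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            fresh.setAttribute((String) entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}

/** The application's own credential check (hypothetical interface). */
interface CredentialChecker {
    boolean check(String username, char[] password);
}

/**
 * Application-managed login servlet (hypothetical). The rotation is done only
 * after the credentials have been verified and before the identity is stored,
 * so a failed attempt never touches the session and a successful one never
 * keeps the pre-login ID.
 */
public class LoginServlet extends HttpServlet {

    static final String USER_ATTRIBUTE = "authenticatedUser";   // hypothetical name

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hypothetical: the application publishes its checker in the context at startup.
        CredentialChecker checker = (CredentialChecker)
                getServletContext().getAttribute(CredentialChecker.class.getName());
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !checker.check(user, pass.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = SessionRotator.renewSession(req);   // drop the pre-login ID
        session.setAttribute(USER_ATTRIBUTE, user);
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/"));
    }
}
```

With container-managed FORM login the authenticated principal is cached by Tomcat's own session object rather than as a session attribute, so invalidating the session from application code would drop the login; the rotation then has to live in the authenticator, which is what the thread considers patching and what later Tomcat versions do by default through the changeSessionIdOnAuthentication attribute of the authenticator valves.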
RE: Find login information from tomcat security
Hi,

To my knowledge, you have no way to access the GenericPrincipal object except by developing your own realm. In general, you do not need to reach the Principal; you have to define security constraints, or roles, authentication methods...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 19 April 2005 05:41
To: Tomcat Users List
Cc: Gia Thornton
Subject: Re: Find login information from tomcat security

I'm also interested in how to get that principal info and maybe how to overwrite or add methods.

-- Original message --
From: Gia Thornton [EMAIL PROTECTED]

Hi,

I am using form-based Tomcat security. I use a servlet to find login information such as the principal name and all the role names for this principal. I can use request.getUserPrincipal() from javax.servlet.http.HttpServletRequest. Is there any way I can use the GenericPrincipal class from package org.apache.catalina.realm of Tomcat in a servlet?

Thank you for your help.

regards,
Find login information from tomcat security
Hi,

I am using form-based Tomcat security. I use a servlet to find login information such as the principal name and all the role names for this principal. I can use request.getUserPrincipal() from javax.servlet.http.HttpServletRequest. Is there any way I can use the GenericPrincipal class from package org.apache.catalina.realm of Tomcat in a servlet?

Thank you for your help.

regards,
Re: Find login information from tomcat security
I'm also interested in how to get that principal info and maybe how to overwrite or add methods.

-- Original message --
From: Gia Thornton [EMAIL PROTECTED]

Hi,

I am using form-based Tomcat security. I use a servlet to find login information such as the principal name and all the role names for this principal. I can use request.getUserPrincipal() from javax.servlet.http.HttpServletRequest. Is there any way I can use the GenericPrincipal class from package org.apache.catalina.realm of Tomcat in a servlet?

Thank you for your help.

regards,
Tomcat Security Application
Hi,

I've implemented an application using Tomcat FORM-based security, authenticating against a database. My login page is the standard FORM:

    <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
      <table border="3" align="center" cellpadding="3" cellspacing="1" bordercolor="#99" class="Stile1">
        <tr>
          <td width="71"><p>Username:</p></td>
          <td width="176"><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <td><p>Password:</p></td>
          <td><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td>
            <div align="left">
              <input type="submit" value="Login">
              <input type="reset" value="Reset">
            </div>
          </td>
        </tr>
      </table>
    </form>

The problem is that when I log in the page seems to authenticate correctly, but when I click the browser's back button and retry to log in again, it gives an error page with the message: The requested resource (/pmt/manage/j_security_check) is not available.

Can anyone help me?
Tomcat security stopping log4j write to a file
I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring a trace of log4j's process shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into the WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality?

Tomcat 4.1.30

Thanks
-
Lawrence Winkler
UW-Madison Division of Information Technology
608-265-4610
[EMAIL PROTECTED]
RE: Tomcat security stopping log4j write to a file
Hi,

Two options come to mind. Either you're running with a SecurityManager and your java.policy file doesn't specify a write permission into WEB-INF/logs, or you've misconfigured log4j. If this is the case, post your log4j configuration file and we can help you, although that's a bit off-topic for this list.

Yoav Shapira
http://www.yoavshapira.com

-----Original Message-----
From: Lawrence J Winkler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 19, 2004 3:18 PM
To: [EMAIL PROTECTED]
Subject: Tomcat security stopping log4j write to a file

I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring a trace of log4j's process shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into the WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality?

Tomcat 4.1.30

Thanks
-
Lawrence Winkler
UW-Madison Division of Information Technology
608-265-4610
[EMAIL PROTECTED]
Re: Tomcat security stopping log4j write to a file
Lawrence J Winkler wrote:

I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring a trace of log4j's process shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into the WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality?

Take a look at catalina.policy in the conf directory; in the file you can find some examples.

edoardo
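The catalina.policy grant both threads point at, as an added example (not taken from the thread or from Tomcat's shipped file): the same mechanism that stops code from reading outside its own web application in the earlier "tomcat security" thread is what refuses log4j the write into WEB-INF/logs here, and the fix is to grant that one directory and nothing more. "myapp" is a placeholder for the web application's directory name, and the policy only takes effect when Tomcat is started with the security manager.

```text
// Added to conf/catalina.policy. Consulted only when Tomcat runs with the
// security manager: bin/catalina.sh start -security (catalina.bat start
// -security on Windows). Without that switch, editing this file, including
// removing the PropertyPermission lines, changes nothing at all.
grant codeBase "file:${catalina.home}/webapps/myapp/-" {
    // With the security manager on, Tomcat grants each web application read
    // access to its own docBase and read/write access to its work directory,
    // and nothing else. Opening a File outside those paths, for instance in
    // another application's directory, fails with an AccessControlException.
    // That is what stops the "travel every folder" code, and it is also why
    // log4j cannot create files under WEB-INF/logs: "write" was never granted.

    // Let log4j create, append to, rotate and delete its own files only:
    permission java.io.FilePermission
        "${catalina.home}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}logs", "read,write";
    permission java.io.FilePermission
        "${catalina.home}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}logs${file.separator}-", "read,write,delete";
};
```

A denied access is reported as java.security.AccessControlException naming the permission that was missing, which is the quickest way to tell this case apart from a plain log4j misconfiguration.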
Re: Tomcat security and virtual hosts
On 21-05-2004 11:33, wsedio wrote:

Hi all,

I am running Tomcat 5.0.24 on Red Hat Linux Enterprise 3 with Apache web server 2 and mod_jk 1.2. I have a few Apache/Tomcat virtual hosts: each host has its own document root and webapps. I would like to make sure that each host is not allowed to access files outside its document root and webapps. How do I configure Tomcat to secure that? Any info or link to documentation/examples would be appreciated ...

Any help?

Thanks.
Tomcat security and virtual hosts
Hi all,

I am running Tomcat 5.0.24 on Red Hat Linux Enterprise 3 with Apache web server 2 and mod_jk 1.2. I have a few Apache/Tomcat virtual hosts: each host has its own document root and webapps. I would like to make sure that each host is not allowed to access files outside its document root and webapps. How do I configure Tomcat to secure that? Any info or link to documentation/examples would be appreciated ...

Thanks.
Tomcat security
Dear List,

I am using Tomcat's integrated security options, available inside the web.xml (see below). Whenever the session times out and the user makes a request for an HTML or JSP page within this protected context, the login.jsp page appears. My problem is that my app uses frames, and when the user makes a request from a sub-frame the login page shows in this sub-frame window. Is there a simple way to configure in the web.xml that the login.jsp page is always shown in the parent frame of the browser or document, so causing the whole window to be reloaded? I guess there isn't and I must do some JScript, or fiddle around with HTML. I would be extremely impressed if there were a web.xml solution.

regards
BB

p.s. It was very hard to find, as a newbie, the email address to post this mail to!!

GIStec GmbH - Your partner for GIS technology
Ben Bookey
[EMAIL PROTECTED]
Fraunhoferstraße 5
D-64283 Darmstadt
Tel 0 61 51 / 155 - 254
Fax 0 61 51 / 155 - 259
http://www.gistec-online.de
http://www.ingeoic.de
http://www.geo-watermarking.de
RE: Tomcat security
Hi,

The declarative security options offered by the Servlet Specification, those you refer to as the integrated security options, have no understanding of the client side, i.e. the browser. There is no concept of frame or browser, so you can't do what you're asking for with these declarative security directives.

As to finding the mailing list: I'm troubled that you found that so difficult. Links to the mailing list are on the top Apache page (www.apache.org), top Jakarta page (jakarta.apache.org), top Tomcat page (jakarta.apache.org/tomcat), both the binary and source Apache download pages (http://jakarta.apache.org/site/binindex.cgi and http://jakarta.apache.org/site/sourceindex.cgi), the Jakarta contact us page (http://jakarta.apache.org/site/contact.html), the home page of a new Tomcat installation (webapps/ROOT/index.jsp), and many other locations. Where did you look, or what made it difficult to find?

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Ben Bookey [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: Tomcat security

Dear List,

I am using Tomcat's integrated security options, available inside the web.xml (see below). Whenever the session times out and the user makes a request for an HTML or JSP page within this protected context, the login.jsp page appears. My problem is that my app uses frames, and when the user makes a request from a sub-frame the login page shows in this sub-frame window. Is there a simple way to configure in the web.xml that the login.jsp page is always shown in the parent frame of the browser or document, so causing the whole window to be reloaded? I guess there isn't and I must do some JScript, or fiddle around with HTML. I would be extremely impressed if there were a web.xml solution.

regards
BB

p.s. It was very hard to find, as a newbie, the email address to post this mail to!!

GIStec GmbH - Your partner for GIS technology
Ben Bookey
[EMAIL PROTECTED]
Fraunhoferstraße 5
D-64283 Darmstadt
Tel 0 61 51 / 155 - 254
Fax 0 61 51 / 155 - 259
http://www.gistec-online.de
http://www.ingeoic.de
http://www.geo-watermarking.de
AW: Tomcat security
Hi Yoav Shapira,

Thanks for the reply. I know my question is client based, but I thought the web.xml might have an option to specify target=_self or something similar for the login.jsp (that should be theoretically possible?). Woops.

As regards the mailing list, I have very little experience with lists (at all), and am not honestly sure how they work. I joined the list [EMAIL PROTECTED] because I thought then I would get an email to which I could post to (this email was not in this list either as far as I could see). In addition, on this Tomcat website about mailing lists http://jakarta.apache.org/site/mail2.html#Tomcat I could not find reference to [EMAIL PROTECTED]. Do I need to be registered (somehow, either digest or high traffic) to post questions to this list?

regards
Ben

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 15:25
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: RE: Tomcat security

Hi,

The declarative security options offered by the Servlet Specification, those you refer to as the integrated security options, have no understanding of the client side, i.e. the browser. There is no concept of frame or browser, so you can't do what you're asking for with these declarative security directives.

As to finding the mailing list: I'm troubled that you found that so difficult. Links to the mailing list are on the top Apache page (www.apache.org), top Jakarta page (jakarta.apache.org), top Tomcat page (jakarta.apache.org/tomcat), both the binary and source Apache download pages (http://jakarta.apache.org/site/binindex.cgi and http://jakarta.apache.org/site/sourceindex.cgi), the Jakarta contact us page (http://jakarta.apache.org/site/contact.html), the home page of a new Tomcat installation (webapps/ROOT/index.jsp), and many other locations. Where did you look, or what made it difficult to find?

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: Ben Bookey [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: Tomcat security

Dear List,

I am using Tomcat's integrated security options, available inside the web.xml (see below). Whenever the session times out and the user makes a request for an HTML or JSP page within this protected context, the login.jsp page appears. My problem is that my app uses frames, and when the user makes a request from a sub-frame the login page shows in this sub-frame window. Is there a simple way to configure in the web.xml that the login.jsp page is always shown in the parent frame of the browser or document, so causing the whole window to be reloaded? I guess there isn't and I must do some JScript, or fiddle around with HTML. I would be extremely impressed if there were a web.xml solution.

regards
BB

p.s. It was very hard to find, as a newbie, the email address to post this mail to!!

GIStec GmbH - Your partner for GIS technology
Ben Bookey
[EMAIL PROTECTED]
Fraunhoferstraße 5
D-64283 Darmstadt
Tel 0 61 51 / 155 - 254
Fax 0 61 51 / 155 - 259
http://www.gistec-online.de
http://www.ingeoic.de
http://www.geo-watermarking.de
IIS and Tomcat Security
Can I get the user role (request.isUserInRole()) for a user authenticated by IIS (Windows integrated authentication (NTLM))? I already get the user name, but I don't know how to configure the file 'tomcat-users.xml' to set the user's roles.

Using only IIS, it's easy. I only need to configure the directory permissions, and then IIS allows or denies access to my web pages.

Any help?

Thanks
Maurício Kanada
Vedr.: IIS and Tomcat security
Yes it does. request.getRemoteUser() in your JSP gives you the IIS authenticated user. Make sure your IIS is set to Integrated Windows authentication and insert request.tomcatAuthentication=false in your jk2.properties file.

/Thomas

Insyde [EMAIL PROTECTED] 15-04-2004 18:06
Please reply to: Tomcat Users List
To: [EMAIL PROTECTED]
cc:
Subject: Vedr.: IIS and Tomcat security

Hi,

Does the JK2 connector pass security information to Tomcat, like the authenticated user? I couldn't find any information about this in the JK2 documentation. In my project, I need IIS to authenticate the users, and then Tomcat executes my web application with user and role information.

Thanks
Maurício Kanada
Re: Vedr.: IIS and Tomcat security
Thomas,

I can't get the 'remote user' information in my web application. I think there is some wrong configuration. Can you send me example workers2.properties and jk2.properties files?

Thanks
Maurício Kanada

----- Original Message -----
From: Thomas Nybro Bolding [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 4:28 AM
Subject: Vedr.: IIS and Tomcat security

Yes it does. request.getRemoteUser() in your JSP gives you the IIS authenticated user. Make sure your IIS is set to Integrated Windows authentication and insert request.tomcatAuthentication=false in your jk2.properties file.

/Thomas

Insyde [EMAIL PROTECTED] 15-04-2004 18:06
Please reply to: Tomcat Users List
To: [EMAIL PROTECTED]
cc:
Subject: Vedr.: IIS and Tomcat security

Hi,

Does the JK2 connector pass security information to Tomcat, like the authenticated user? I couldn't find any information about this in the JK2 documentation. In my project, I need IIS to authenticate the users, and then Tomcat executes my web application with user and role information.

Thanks
Maurício Kanada
Re: Re: IIS and Tomcat security
Hi, just wanted to add one thing: if I remember correctly, IIS only returns remoteUser on the authenticating request. If you want to use its userid, you must grab that in the first request and put it into the session, and use it from there afterwards. If my understanding of the matter is correct, with NTLM (Windows integrated authentication) the connection is authenticated, not the request as usual; therefore the userid is not sent (by the client, usually MS Internet Explorer) once the connection has been authenticated. Then this connection is held until the browser disconnects, or the server disconnects it. That's why you only get the userid on the authenticating request (the first request into the realm). Hope it helps. [EMAIL PROTECTED]

Insyde wrote:
Thomas, I can't get the 'remote user' information in my web application. I think that is some wrong configuration. Can you send me workers2.properties and jk2.properties example files? Thanks, Maurício Kanada
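A filter that does what the two replies above describe, as an added example that is not code from the thread: it takes the identity IIS passed through the connector on the authenticating request (request.getRemoteUser(), available once tomcatAuthentication is switched off on the Tomcat side) and re-exposes it from the session on the later requests of the same connection, where the connector may deliver null. The session attribute name, the choice to answer 401 when no identity is known, and the javax.servlet (Servlet 2.3-era) API of the Tomcat versions in this thread are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Keeps the identity IIS authenticated (and JK passed through with
 * tomcatAuthentication=false) across the requests of one session.
 * With Integrated Windows authentication only the request that
 * authenticated the connection carries the user name, so later requests
 * may see getRemoteUser() == null unless something remembers it.
 */
public class RememberRemoteUserFilter implements Filter {

    // Session attribute under which the name is kept (the name is an assumption).
    private static final String USER_ATTR = "iis.remoteUser";

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);

        String user = req.getRemoteUser();
        if (user != null) {
            // Authenticating request: the connector handed us the IIS user.
            session.setAttribute(USER_ATTR, user);
        } else {
            // Later request on the already-authenticated connection.
            user = (String) session.getAttribute(USER_ATTR);
        }

        if (user == null) {
            // Nobody has authenticated this session: do not run the
            // application anonymously, make the client authenticate first.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final String remoteUser = user;
        // Present the remembered name through the standard API so JSPs and
        // servlets keep calling request.getRemoteUser() unchanged.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(req) {
            public String getRemoteUser() {
                return remoteUser;
            }
        };
        chain.doFilter(wrapped, resp);
    }
}
```

Map it in web.xml with a filter-mapping on the URLs that need the identity. Two caveats: the wrapper only changes getRemoteUser(), so getUserPrincipal() and isUserInRole() still reflect what the connector supplied on that request; and with tomcatAuthentication switched off Tomcat accepts whatever user name the connector asserts, so the AJP port must be reachable only from the IIS host, otherwise anyone who can open a connection to it can claim any identity.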
IIS and Tomcat security
Hi. Does the JK2 connector pass security information to Tomcat, like the authenticated user? I couldn't find any information about this in the JK2 documentation. In my project, I need IIS to authenticate the users, and then Tomcat executes my web application with the user and role information. Thanks, Maurício Kanada
Tomcat Security Constraints
Hi, I have been using basic authorization with SSL in Tomcat for some time, quite satisfactorily. However I have found what I feel to be some strange behaviour on the part of Tomcat (I have 4.1.30) in one case. Here's an example: I have a folder, let's say http://www.mysite.com/prot/. I put a security-constraint on this folder in web.xml so that it is protected and requires basic authorization. So far so good. But I have discovered that if you include a document from that protected folder inside a document from an unprotected folder using a jsp:include, then basic authorization is no longer requested by the browser for the protected page. Surely the authorization should be requested in all places and at all times, wherever the request is coming from, even if from an include in an unprotected page?

---

This leads on to my second question. I have been trying to solve one small though potentially dangerous problem with Basic Authorization/SSL. If I want to access a protected area of our site from outside the firewall I write an address similar to the following: https://mysslsite.com/pagerequired.jsp. It has happened that I forget to type https:// and type http:// instead. So if a nasty, mean person is listening in, he can see my password unencrypted, right? How can I prevent this? The problem is that the login window with basic authorization pops up before you arrive at the page itself. I thought of FORM authorization, because the .jsp used for the login form can check the port requested (must be 443) and refuse to request the password if it's wrong. But FORM authorization requires lots of extra programming to give many of the useful extras that BASIC authorization offers included (e.g. remembering your user name and password). Then I thought of including the protected page in an unprotected page that checks if you are in https before doing the include. But since Tomcat has this strange behaviour I mentioned above, after a couple of days of fiddling with this possibility I've had to give that up too. Anybody got any ideas? Thanks for your time, Malcolm Warren
Re: Tomcat Security Constraints
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all times, wherever the request is coming from, even if from an include in an unprotected page?

Clearly not, if it's going through. ;) My understanding of the spec is that the security constraints are for the originally-requested URI only. It's up to the developers to make sure content doesn't get include'd or forward()'d to the wrong place.

: It has happened that I forget to type https:// and type http:// instead. So if a nasty, mean person is listening in, he can see my password unencrypted, right?

Yes.

: How can I prevent this?

Use all SSL, all the time - and I'm not being facetious there. If the data is that sensitive, why not? Other than that, I believe there are auth restraints in web.xml that require SSL auth. I'd be more specific, but I'm deep into a C++ project right today so my servlet spec knowledge is a little hazy.

btw, what's wrong with form auth? I don't recall it requiring that much extra programming.

-QM
-- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com
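The web.xml settings QM is pointing at, as an added example (not taken from the thread; the path, role name and realm name are assumptions): a security-constraint with an auth-constraint for the protected folder and a user-data-constraint of CONFIDENTIAL. Tomcat's authenticator checks the transport guarantee before it issues the BASIC challenge and redirects a plain-http request to the HTTP connector's redirectPort, so a mistyped http:// never produces a password sent in clear.

```xml
<!-- WEB-INF/web.xml fragment. Added example, not from the thread;
     the path, role name and realm name are assumptions. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected folder</web-resource-name>
    <url-pattern>/prot/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <!-- Enforced before the BASIC challenge: a request for http://...
       is redirected to the redirectPort of the connector it arrived on
       (point that at the SSL connector), so the browser is never asked
       for the password over plain HTTP. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>mysslsite.com protected area</realm-name>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

The HTTP connector in server.xml needs redirectPort set to the SSL connector's port for the redirect to land on https. On the first question: constraints apply only to the URI the client asked for, as QM says, and include and forward dispatches are not re-checked. Fragments that exist only to be included are best kept under /WEB-INF/, which the container never serves on a direct request but which jsp:include can still reach; anything that must not be seen without authentication should simply not be included from unprotected pages.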
Re: Apache security certificate vs. Tomcat security certificate
Hollerman Geralyn M [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
I currently have Tomcat 5.0.16 running using the SSL connector and a self-signed certificate [...] My sysadmin gave me two files he uses for Apache, running with SSL, on another system; he said he thought I would need them. They are called server.crt and server.key - he said he was giving me the certificate and the key for it. How do I integrate this with Tomcat? How does this correspond to what I've got for Tomcat - I presume that the .crt file is like the .cer file I exported from cacerts.jks (my keystore), but what does the .key file correspond to? How does that fit in? Thanks! -- Lynn Hollerman.

The '.key' file is the private key corresponding to the public key stored in the '.crt' file. IMHO, the easiest way to integrate your Apache cert with Tomcat is to export the cert and the key to a PKCS12 file (see the Prepare the Certificate Keystore section of the Tomcat ssl-howto for an example of how to do this), and just use this file as your keystoreFile in Tomcat (remembering to set keystoreType=PKCS12 as well :). There are also utilities floating around the net to import Apache certs into a JKS keystore (e.g. http://www.comu.de/docs/tomcat_ssl.htm). You can try Google and/or searching the archives for other solutions (since this topic comes up a lot :).
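The connector configuration the reply above describes, as an added example rather than anything posted in the thread: the Apache certificate and private key bundled into one PKCS12 file and used as the keystore of a Tomcat 5.0 SSL connector. The file name, port and password are assumptions.

```xml
<!-- conf/server.xml fragment (Tomcat 5.0). Added example, not from the thread;
     file name, ports and password are assumptions.

     Build the PKCS12 file from the two Apache files first. The .crt is the
     public certificate, the .key the private key that goes with it:

       openssl pkcs12 -export -in server.crt -inkey server.key \
               -out conf/server.p12 -name tomcat

     The export password typed there must equal keystorePass below: a Java
     PKCS12 keystore uses one password for the store and for the key. -->

<!-- Plain HTTP: send requests that need CONFIDENTIAL transport to 8443 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           debug="0" connectionTimeout="20000" disableUploadTimeout="true" />

<!-- HTTPS, backed by the PKCS12 file instead of a JKS keystore -->
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.p12"
           keystoreType="PKCS12"
           keystorePass="changeit" />
```

A relative keystoreFile is resolved against catalina.base. Keep the .p12 readable only by the account Tomcat runs as: it now holds the same private key Apache uses, so a copy of it is a copy of the site's identity.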
Apache security certificate vs. Tomcat security certificate
I currently have Tomcat 5.0.16 running using the SSL connector and a self-signed certificate - I followed the directions in the Tomcat SSL HOW-TO in how to create the certificate and set up Tomcat for SSL. This is running with no problems in my development environment. I have been asked to put SSL on our production Tomcat. It is also v 5.0.16. My sysadmin gave me two files he uses for Apache, running with SSL, on another system; he said he thought I would need them. They are called server.crt and server.key - he said he was giving me the certificate and the key for it. How do I integrate this with Tomcat? How does this correspond to what I've got for Tomcat - I presume that the .crt file is like the .cer file I exported from cacerts.jks (my keystore), but what does the .key file correspond to? How does that fit in? Thanks! -- Lynn Hollerman.
tomcat security constraint with jk and apache
I have Apache2 running as the front end handling all the client PKI authentication. Then Tomcat 4.1 using security constraints in the web.xml. Now I use jk to connect them together and it works fine, sort of. I can access protected files inside of Tomcat from Apache. Specifically any file that is not mapped with a JkMount entry is served up by Apache which ignores my web.xml. Do I have to use Apache to protect them as well as Tomcat? Or should I just make tomcat serve all the files? Does anybody have this issue? How do you deal with it? Thanks
[Off-Topic] Recommendation for Tomcat Security book
Are there any recommendations for a Tomcat security book? I've found this one on amazon.com, but there are no reviews on the book so I thought I would run it by the list first before I buy it. Any other suggestions? Thanx for any insight http://www.amazon.com/exec/obidos/tg/detail/-/1861008309/104-7975513-6438339?v=glance
Re: [Off-Topic] Recommendation for Tomcat Security book
Are there any recommendations for a Tomcat security book? [...]

Chapter 1 from this book is available @ TSS: http://www.theserverside.com/resources/articles/TomcatSecurity/TomcatSecurity.pdf Cheers, Yann
Re: [Off-Topic] Recommendation for Tomcat Security book
The Servlet Spec is also good :-) http://www.jcp.org/en/jsr/detail?id=154 -- Jeanfrancois

Yann wrote:
Chapter 1 from this book is available @ TSS: http://www.theserverside.com/resources/articles/TomcatSecurity/TomcatSecurity.pdf [...]
Tomcat security
Hello All, My web application is currently in System Testing Phase. I am planning for the production implementation and I'd like to get some expert opinion from you all. We will install Tomcat 4.1.24 on a server which is behind our corporate firewall. The port that Tomcat uses, e.g. port , will be open to public due to the fact that this application will be accessed from our offices all over the world through the internet. Now, my question is that, what is the common practice to guard against people accessing the catalina_home directory? I plan to install Tomcat on the D drive instead of the C drive where the OS resides. Just in case the Windows OS is compromised, it may or may not affect Tomcat. Since this is the first time I have an application used by people outside our corporate firewall, I'd like to hear your thoughts. Thank you very much.
RE: Tomcat security
Howdy,

: We will install Tomcat 4.1.24 on a server which is behind our corporate

Why not 4.1.27?

: Now, my question is that, what is the common practice to guard against people accessing the catalina_home directory? I plan to install Tomcat on the D drive instead of the C drive where the OS resides. Just in case the Windows OS is compromised, it may or may not affect Tomcat.

Use a security manager: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/security-manager-howto.html Make your security policy as restrictive as possible. Deploy a packed war and leave it packed, i.e. set unpackWARs=false in server.xml. Also autoDeploy=false to increase performance and security.

Yoav Shapira

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
Re: Newbie question on Tomcat security
First, no direct requests for anything under WEB-INF are allowed.
Second, check out the welcome-file element in web.xml. Make sure it says index.jsp.
Third, check out the listings parameter; make sure it is set to off or false.
Fourth, TURN OFF the Invoker, and DON'T use it.
Fifth, use the security manager.
Sixth, don't put ANYTHING confidential in a JSP... move it (like a database connection URL, a username, or a password) to web.xml or server.xml, or a properties file under WEB-INF.
Seventh, if you really want to obscure paths when people view HTML source, simply make all URLs a call to a servlet with a parameter. This is a lot of extra work for not much benefit, but it can be done. The servlet reads the file from a protected area (like WEB-INF/*), sets the appropriate Content-Type, and spools the file to the client. This will work for any file, CSS, GIF, JPEG, whatever, as in a sense your servlet will just be a web server... the client doesn't care where the file is coming from, as long as the request is satisfied and the Content-Type is correct. Thus, when viewing HTML source, the path to a CSS file would not be myApp/my.css but something like /servlet/fileGet?file=my.css.
And, if you still want more info, consider the Apache Tomcat Security Handbook published by Wrox Press.

John

On Mon, 14 Jul 2003 19:05:18 -0500, epyonne [EMAIL PROTECTED] wrote:
Thanks for the reply. Actually, I don't worry about people being able to view source. I just don't like the fact that they can type in the folder and list the whole directory tree on the browser. [...]
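John's seventh point written out, as an added example that is not code from the thread: a servlet that streams files kept under WEB-INF out by name, together with the check that makes the scheme safe. Without a strict check on the file parameter, a request such as ?file=../web.xml could hand out the deployment descriptor, so the name is matched against an allow-list pattern before anything is opened. The directory, the mapping and the Servlet 2.3-era javax.servlet API are assumptions; map it with a servlet-mapping (for instance to /fileGet), not through the invoker that John says to turn off.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Serves files kept under WEB-INF (unreachable by direct request) through a
 * parameter, e.g. /fileGet?file=my.css. The security of the scheme rests
 * entirely on the name check: the parameter is user input and would otherwise
 * let a client walk out of the directory with "../".
 */
public class FileGetServlet extends HttpServlet {

    // Assumed location of the servable files inside the web application.
    private static final String BASE = "/WEB-INF/files/";

    // Allow-list: a plain file name, one dot, a known extension.
    // No slashes, no backslashes, no "..", no leading dot.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9_-]+\\.(css|gif|jpg|jpeg|png|js)$");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("file");
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            // Same answer as for a missing file: do not tell the caller
            // whether the name was rejected or simply absent.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // The name has been validated, so the concatenation cannot leave BASE.
        InputStream in = getServletContext().getResourceAsStream(BASE + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            // Content-Type from the container's mime mapping, as John describes.
            String type = getServletContext().getMimeType(name);
            resp.setContentType(type != null ? type : "application/octet-stream");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

The allow-list is deliberately narrower than "anything without ../": it also rules out names the default servlet would never have served, such as .jsp or .class, so the servlet cannot become a way to read source that WEB-INF was supposed to hide.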
Newbie question on Tomcat security
Hello All, I just developed a JSP application called myapp, running on Tomcat 4.1.24. How can I keep people from accessing my files under tomcat/webapps/myapp? For example, people can do a simple view source and find the path to my css file, then they can type in the path on the browser to access my files. What kind of security that I should set up for that? I am pretty new to Tomcat so I need help. By the way, my OS is Windows 2000 Pro. Any help will be very much appreciated.
newbie question on Tomcat security
Hello All, I just developed a JSP application called myapp, running on Tomcat 4.1.24. How can I keep people from accessing my files under tomcat/webapps/myapp? For example, people can do a simple view source and find the path to my css file, then they can type in the path on the browser to access my files. What kind of security that I should set up for that? I am pretty new to Tomcat so I need help. By the way, my OS is Windows 2000 Pro. Any help will be very much appreciated.
Re: Newbie question on Tomcat security
Hi. I'm not certain about this but it seems to me that it would be next to impossible to keep the html source from being viewed by someone using any browser (this is not a server side issue). The source has to be uploaded to the browser and, once it is uploaded anyone can view source on the page. As far as keeping your directory structure at least a little bit more obscured you can do two things. You can never fully obscure the directory structure as the browser requires this information to load images, style sheets and links. The first is to put an index.jsp or index.html file in so that people cannot view your directory structure directly (there is probably a better way to do this). The second is to use servlet mappings. I'm not sure if this needs to be said but even though people can determine your directory structure with fairly little effort this does not, in itself, pose a security risk. Thanx Reg

On Mon, 2003-07-14 at 15:49, substring wrote:
Hello All, I just developed a JSP application called myapp, running on Tomcat 4.1.24. How can I keep people from accessing my files under tomcat/webapps/myapp? [...]
Re: Newbie question on Tomcat security
Thanks for the reply. Actually, I don't worry about people being able to view source. I just don't like the fact that they can type in the folder and list the whole directory tree on the browser. They can open any file on the directory and potentially alter the code. Most web sites I've been to, if you type in the folder directory, you will get an access denied or something like that. I am wondering if I can set up something similar in Tomcat? By the way, I do have an index.jsp. Thanks.

- Original Message - From: Reginald Oake To: Tomcat Users List Sent: Monday, July 14, 2003 5:58 PM Subject: Re: Newbie question on Tomcat security
Hi. I'm not certain about this but it seems to me that it would be next to impossible to keep the html source from being viewed by someone using any browser (this is not a server side issue). [...]
Re: Newbie question on Tomcat security
Hi. I don't know if this will be helpful but I have heard of people putting their JSPs and other ancillary files inside the WEB-INF directory. I'm not sure what you have to do to make this work but it may well be worth looking into. Reg
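The hardening settings recommended across this thread and the previous one, collected into configuration fragments as an added example (not from any one post): Yoav's packed WARs and no auto-deployment, John's directory listings off and invoker removed, and Reg's JSPs kept under WEB-INF where no direct request can reach them. Host name, servlet names and paths are assumptions; the elements shown belong to three different files, named in the comments.

```xml
<!-- Added hardening example for Tomcat 4.1/5.0; not from any one post in the thread.
     Names and paths are assumptions. Three files are shown. -->

<!-- 1. conf/server.xml: deploy from the packed WAR only, and only what you put there.
     Context, Logger and Valve children stay as they were. -->
<Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
</Host>

<!-- 2. conf/web.xml (defaults for every web application): the default servlet with
     directory listings switched off ... -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- ... and no invoker: delete the servlet and its /servlet/* mapping, or leave
     them commented out as here, so no class on the classpath is callable by URL.
<servlet>
  <servlet-name>invoker</servlet-name>
  <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->

<!-- 3. the application's WEB-INF/web.xml: a JSP kept under WEB-INF (the container
     never serves WEB-INF on a direct request) exposed only through a mapping,
     and a welcome file so a request for the folder itself never lists it. -->
<servlet>
  <servlet-name>home</servlet-name>
  <jsp-file>/WEB-INF/jsp/home.jsp</jsp-file>
</servlet>
<servlet-mapping>
  <servlet-name>home</servlet-name>
  <url-pattern>/home</url-pattern>
</servlet-mapping>
<welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
```

The remaining item on John's and Yoav's lists, the security manager, is a start-up option rather than configuration: catalina.sh start -security (catalina.bat on Windows) runs Tomcat under conf/catalina.policy, which the security-manager-howto linked earlier in this page explains.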
Re: newbie question on Tomcat security
Actually, it is easier than that: they can just go to the browser's cache folder and view it from there. As such, you should consider that your .css files are public info, and leave it at that.

epyonne =) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
Hello All, I just developed a JSP application called myapp, running on Tomcat 4.1.24. How can I keep people from accessing my files under tomcat/webapps/myapp? [...]
Re: Newbie question on Tomcat security
Look here: http://jakarta.apache.org/tomcat/faq/misc.html#listing

At 19:05 14.07.2003 -0500, you wrote:
Thanks for the reply. Actually, I don't worry about people being able to view source. I just don't like the fact that they can type in the folder and list the whole directory tree on the browser. [...]
Tomcat security?
Anyone want to discuss hardening Tomcat servers? Hacking Contest Threatens Web Sites By George V. Hulme, InformationWeek Updated Wednesday, July 2, 2003, 3:00 PM EDT A hacking contest slated for this weekend could produce a rash of Web-site defacements worldwide, according to a warning issued Wednesday by security companies and government Internet security groups. The hacker defacement contest is expected to kick off on Sunday. The contest supposedly will award free hosting services, Web mail, unlimited E-mail forwarding, and a domain name of choice for the triumphant hackers, according to a Web site promoting the contest. ... More details at: http://www.internetweek.com/story/showArticle.jhtml?articleID=10818014 -- Eugene Lee http://www.coxar.pwp.blueyonder.co.uk/
Re: Tomcat security?
July 6th, turn your server off. July 7th, turn it back on. Problem solved ;) -Tim

Eugene Lee wrote:
Anyone want to discuss hardening Tomcat servers? [...]
Re: Tomcat security?
When was the last time Tomcat had a published exploit? On a related note, these kinds of contests are fairly common, and usually don't produce any kind of real activity. --Nathan

- Original Message - From: Eugene Lee To: Tomcat Users List Sent: Thursday, July 03, 2003 10:51 AM Subject: Tomcat security?
Anyone want to discuss hardening Tomcat servers? [...]
Re: Tomcat security?
http://www.amazon.com/exec/obidos/tg/detail/-/1861008309/

If you're just worrying about it now, it's probably too late.

John

On Thu, 3 Jul 2003 10:51:52 -0500, Eugene Lee [EMAIL PROTECTED] wrote:
> Anyone want to discuss hardening Tomcat servers?
> [...]

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: Tomcat security?
AFAIK, November 2002.

John

On Thu, 3 Jul 2003 11:14:26 -0500, Nathan McMinn [EMAIL PROTECTED] wrote:
> When was the last time Tomcat had a published exploit? On a related note, these kind of contests are fairly common, and usually don't produce any kind of real activity.
>
> --Nathan
Re: Tomcat security?
Any idea what it was and/or what versions it affected?

----- Original Message -----
From: John Turner [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 11:13 AM
Subject: Re: Tomcat security?

> AFAIK, November 2002.
>
> John
Re: Tomcat security?
The Invoker servlet source code vulnerability: http://www.securityfocus.com/bid/5786

John

On Thu, 3 Jul 2003 12:04:57 -0500, Nathan McMinn [EMAIL PROTECTED] wrote:
> Any idea what it was and/or what versions it affected?
Re: Tomcat security?
I can't believe that passwords for SSL are stored in the clear. That places all responsibility for security on the OS, which may not be a good idea. What happened to defense-in-depth??

Nathan McMinn wrote:
> When was the last time Tomcat had a published exploit? On a related note, these kind of contests are fairly common, and usually don't produce any kind of real activity.
>
> --Nathan
Re: Tomcat security?
What do you mean stored in the clear? Are you referring to tomcat-users.xml?

Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access the DB for the realm is only granted read access and only to the required user and roles tables.

----- Original Message -----
From: Mark W. Webb [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 1:55 PM
Subject: Re: Tomcat security?

> I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??
Re: Tomcat security?
Plus, if one runs as a non-privileged user account with no login privileges (i.e., locked account) and your permissions are correct, then only root and Tomcat can read the users file. If the hacker has root, the tomcat users are the least of your worries.

Ben Ricker
Wellinx.com

On Thu, 2003-07-03 at 14:23, Nathan McMinn wrote:
> What do you mean stored in the clear? Are you referring to tomcat-users.xml?
>
> Personally, I use a MySQL database to hold auth information for a JDBC Realm, and store them digested. As an additional layer of security, the user account that is used to access the DB for the realm is only granted read access and only to the required user and roles tables.
Re: Tomcat security?
There is a plugin for TC 3.3.x to force prompting for the keystore password. Largely due to lack of user interest, nobody has really tried porting it to TC 4.x-5.x.

Mark W. Webb [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I can't believe that passwords for SSL are stored in the clear. That places all responsibility of security to the OS, which may not be a good idea. What happened to defense-in-depth ??
tomcat security
Hi,

Is there a typical security configuration for a web application in catalina.policy? I have a lot of

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)

and I don't understand where it comes from.

tks
RE: tomcat security
Did you start tomcat with start security? If not, someone else messed up.

-----Original Message-----
From: Maxime Colas des Francs [mailto:[EMAIL PROTECTED]
Sent: June 10, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: tomcat security

> Hi,
>
> Is there a typical security configuration for a web application in catalina.policy ? I have a lot of java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers) and i don't understand where it comes from
>
> tks
RE: tomcat security
Of course, yes. I start Tomcat with -security and -Djava.security.debug=access,failure for tracing; otherwise, no security exception.

At 15:16 2003-06-10 -0400, you wrote:
> Did you start tomcat with start security? If not, some else messed up.
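The accessDeclaredMembers denials in this thread come from the security manager, and with -Djava.security.debug=access,failure the JVM prints, for every failed check, both the permission and the protection domain (code base) that lacked it. The script below is an added example, not code from this thread or from Tomcat: it reads such a trace and emits catalina.policy grant entries, one block per code base, each permission listed once. It assumes the JDK's access-debug line layout (an "access: access denied (<class> <name> [<actions>])" line followed by an "access: domain that failed ProtectionDomain (file:<codebase> ...)" line), which should be checked against the JVM in use; the trace and paths in sample_trace are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): turn the output of
# -Djava.security.debug=access,failure into catalina.policy grant entries.
# Assumed line layout (check against your JDK):
#   access: access denied (<PermissionClass> <name> [<actions>])
#   ... stack trace ...
#   access: domain that failed ProtectionDomain  (file:<codebase> <no signer certificates>)
# The trace below is constructed; the paths are placeholders.

sample_trace() {
    cat <<'EOF'
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1158)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:266)
access: domain that failed ProtectionDomain  (file:/usr/local/tomcat/webapps/myapp/WEB-INF/classes/ <no signer certificates>)
 org.apache.catalina.loader.WebappClassLoader@1a2b3c
 <no principals>
 java.security.Permissions@4d5e6f
access: access denied (java.io.FilePermission /var/data/myapp/config.properties read)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1158)
access: domain that failed ProtectionDomain  (file:/usr/local/tomcat/webapps/myapp/WEB-INF/classes/ <no signer certificates>)
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
access: domain that failed ProtectionDomain  (file:/usr/local/tomcat/webapps/myapp/WEB-INF/lib/util.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
access: domain that failed ProtectionDomain  (file:/usr/local/tomcat/webapps/myapp/WEB-INF/classes/ <no signer certificates>)
EOF
}

# policy_grants_from_trace: read a debug trace on stdin, print one grant
# block per failing code base with each denied permission listed once.
policy_grants_from_trace() {
    awk '
    function perm_line(cls, name, act,    l) {
        l = "    permission " cls
        if (name != "") l = l " \"" name "\""
        if (act != "")  l = l ", \"" act "\""
        return l ";\n"
    }
    /^access: access denied \(/ {
        # strip the prefix and the closing paren, then split class/name/actions
        s = $0
        sub(/^access: access denied \(/, "", s)
        sub(/\)$/, "", s)
        n = split(s, p, " ")
        cls = p[1]; name = (n >= 2) ? p[2] : ""; act = (n >= 3) ? p[3] : ""
        pending = 1
        next
    }
    pending && /domain that failed ProtectionDomain/ {
        # the code base is the file: URL inside the parentheses
        if (match($0, /\(file:[^ )]*/)) {
            cb = substr($0, RSTART + 1, RLENGTH - 1)
            key = cb SUBSEP cls SUBSEP name SUBSEP act
            if (!(key in seen)) { seen[key] = 1; order[++k] = key }
        }
        pending = 0
    }
    END {
        for (i = 1; i <= k; i++) {
            split(order[i], f, SUBSEP)
            if (!(f[1] in cb_seen)) { cb_seen[f[1]] = 1; cb_order[++c] = f[1] }
            body[f[1]] = body[f[1]] perm_line(f[2], f[3], f[4])
        }
        for (j = 1; j <= c; j++) {
            cb = cb_order[j]
            # a directory code base needs the "-" suffix to cover the classes under it
            if (cb ~ /\/$/) cb = cb "-"
            printf "grant codeBase \"%s\" {\n%s};\n", cb, body[cb_order[j]]
        }
    }'
}

# Stand-alone run: print the grant blocks for the constructed trace.
sample_trace | policy_grants_from_trace
```

Each emitted block names the narrowest code base the trace reported (the web application's own WEB-INF/classes/ or a single jar under WEB-INF/lib/), which is where a RuntimePermission such as accessDeclaredMembers belongs, rather than a grant to all of webapps/. Review every entry before pasting it into catalina.policy: a grant derived from a trace is only as narrow as the permission that failed, and a FilePermission on a directory should be checked for whether read access to that one file was really intended.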
Tomcat security concerns during start-up
All,

I'm running 4.1.18 on Solaris 2.8 - currently without any problems as id tomcat. But my issue is I've to give write permission to tomcat on the conf directory in order for tomcat to start successfully. Is there any other way of starting tomcat without giving this permission? Is this a bug? Has it been addressed in a different release?

Thanks

__
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com
Re: Tomcat security concerns during start-up
I do not see this as a problem. You can lock the Tomcat account (do have to give it a shell, though) and no one should be able to get into the account. I use 'sudo' to allow others the ability to start and stop Tomcat which 'su's to the Tomcat user before executing. I myself use the Tomcat group, of which Tomcat is the only member, and apply root ownership to everything. You also need to make sure your WEB-INF is not in your docbase.

HTH,

Ben Ricker

On Tue, 2003-03-11 at 13:20, krip pane wrote:
> All,
>
> I'm running 4.1.18 on solaris 2.8 - currently without any problems as id tomcat. But my issue is I've to give write permission to tomcat on the conf directory inorder for tomcat to start successfully. Is there any other way of starting tomcat without giving this permission, is this a bug?, has it been addresses in a different release.
>
> Thanks

--
Ben Ricker [EMAIL PROTECTED]
Wellinx.com
Re: Tomcat security concerns during start-up
I'm not sure if I'm making a correct assumption, but isn't it possible that someone can exploit the running tomcat process and gain access as tomcat into the system? (If so, having write permission on the conf dir is dangerous.)

--- Ben Ricker [EMAIL PROTECTED] wrote:
> I do not see this as a problem. You can lock the Tomcat account (do have to give it a shell, though) and no one should be able to get into the account. I use 'sudo' to allow others the ability to start and stop Tomcat which 'su's to the Tomcat user before executing. I myself use the Tomcat group, of which Tomcat is the only member, and apply root ownership to everything. You also need to make sure your WEB-INF is not in your docbase.
>
> HTH,
>
> Ben Ricker
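Ben Ricker's rule in the "Tomcat security?" thread above (with correct permissions only root and Tomcat can read the users file) and the worry in this thread (a compromised Tomcat process that can write its own conf directory) both come down to the owner and mode bits of the files under conf/. The script below is an added example, not code from either thread or from Tomcat: it audits a conf/ directory for three conditions, files readable by every local account, files writable by group or others, and files owned by the run-time user with the owner-write bit set. It is POSIX sh, assumes that `ls -ld` prints the mode string in field 1 and the owner in field 3, and the directory that demo_audit builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the threads or from Tomcat): audit the owner and
# mode bits of a Tomcat conf/ directory. Findings:
#   world-readable            - any local account can read tomcat-users.xml or
#                               the keystore password in server.xml
#   group/other-writable      - someone other than the owner can alter the config
#   writable by run user      - a compromised Tomcat process could rewrite its
#                               own configuration and policy file
# Assumption: ls -ld prints the mode in field 1 and the owner in field 3.

# mode_and_owner FILE -> "<mode> <owner>", e.g. "-rw-r----- root"
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# conf_violations CONF_DIR RUN_USER
# Prints one finding per line; the return value is the number of findings,
# so a return of 0 means the directory passed.
conf_violations() {
    dir=$1
    run_user=$2
    count=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        set -- $(mode_and_owner "$f")
        mode=$1
        owner=$2
        # other-read bit (position 8 of the mode string)
        case $mode in
            ???????r*) echo "world-readable: $f"; count=$((count + 1)) ;;
        esac
        # group-write (position 6) or other-write (position 9) bit
        case $mode in
            ?????w*|????????w*) echo "group/other-writable: $f"; count=$((count + 1)) ;;
        esac
        # owner-write bit (position 3) when the owner is the account Tomcat runs as
        if [ "$owner" = "$run_user" ]; then
            case $mode in
                ??w*) echo "writable by run user $run_user: $f"; count=$((count + 1)) ;;
            esac
        fi
    done
    return $count
}

# demo_audit [RUN_USER]: build a constructed conf/ directory with deliberately
# mixed modes, audit it (default: as the current user), print the findings and,
# on the last line, the number of findings.
demo_audit() {
    run_as=${1:-$(id -un)}
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/conf"
    touch "$tmp/conf/server.xml" "$tmp/conf/tomcat-users.xml" "$tmp/conf/catalina.policy"
    chmod 640 "$tmp/conf/server.xml"        # owner-write only
    chmod 644 "$tmp/conf/tomcat-users.xml"  # world-readable
    chmod 660 "$tmp/conf/catalina.policy"   # group-writable
    n=0
    conf_violations "$tmp/conf" "$run_as" || n=$?
    rm -rf "$tmp"
    echo "$n"
}

# Stand-alone run against the constructed directory. Against a real install:
#   conf_violations /usr/local/tomcat/conf tomcat
demo_audit
```

In the constructed directory the current user owns all three files, so the audit reports five findings (one owner-write per file, plus the world-readable users file and the group-writable policy file); audited for some other run-time account it reports only the latter two. A clean result on a real installation means every file under conf/ is owned by root, readable by the Tomcat group only, and carries no group or other write bit, which is the layout Ben Ricker describes; the post that opened this thread says Tomcat 4.1.18 still wanted write access there at start-up, and the per-file findings show exactly where that access currently exists so it can be narrowed.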
[Announce] New book Tomcat Security Handbook
Announcing the release of a new book: Tomcat Security Handbook (Wrox Press)
http://www.wrox.com/books/1861008309.htm

What does this book cover?

This book is targeted at production deployments of Tomcat, and is a good complement to the Professional Apache Tomcat book (also Wrox Press). It covers:

* Understanding Tomcat Security: Tomcat vulnerability overview and common security problems.
* Tightening File System Screws: Planning security permissions for Tomcat's files and directories.
* Java Security Manager: Discusses the Java Security Manager and its role in Tomcat, and explains the Tomcat security policy file in detail.
* Security Realms: Discusses how Realms are used to add security to web applications. Covers Memory, UserDatabase, JDBC, JNDI and JAAS realms.
* Secure sockets and Tomcat: Covers PKI and SSL; using Tomcat standalone with SSL, as well as with an Apache front end.
* Application Security: A guide to building secure web applications and safeguarding against exploits such as code injection attacks, SQL injection attacks, source exposure, among others.
RE: Tomcat security configuration guide
Wrox Press. ISBN: 1861008309

John

-----Original Message-----
From: Manavendra Gupta [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 2:44 PM
To: Tomcat Users List
Subject: Tomcat security configuration guide

> Hi,
>
> I have begun to work on a tomcat security configuration guide as a one-stop guide for helping system administrators, security professionals and programmers to configure system user accounts and groups, file permissions, tomcat security realms, java security manager, etc in the optimal way thereby ensuring their system is not vulnerable to common security exploits.
>
> 1. Has this already been done? If yes, can someone share the document/URL where I can find more information?
> 2. Will there be professionals/enthusiasts out there to contribute/critique?
> 3. In general, what does the list think about this?
>
> Kind Regards,
> Manav.

---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
Tomcat security configuration guide
Hi,

I have begun to work on a tomcat security configuration guide as a one-stop guide for helping system administrators, security professionals and programmers to configure system user accounts and groups, file permissions, tomcat security realms, java security manager, etc in the optimal way thereby ensuring their system is not vulnerable to common security exploits.

1. Has this already been done? If yes, can someone share the document/URL where I can find more information?
2. Will there be professionals/enthusiasts out there to contribute/critique?
3. In general, what does the list think about this?

Kind Regards,
Manav.
Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Where have you defined the user and password that you believe you should be a valid user? What is the role constraint that you have defined on the web resource? Is the user in question set up for that role?

Sean Dockery [EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message -----
From: Felipe Crochik [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, February 09, 2003 21:34
Subject: IIS+Tomcat security constraint = Unauthorized: Logon Failed

> I am trying to use the tomcat security constraints behind an IIS web server. I know tomcat and the ISAPI filter are working. Also, Tomcat authorization is working bypassing IIS using port 8080. When I try to reach the exactly same application through IIS (port 80) I get the user validation dialog box and after I try to login with a valid user and password I get HTTP 401.1 - Unauthorized: Logon Failed.
>
> TIA,
> Felipe
RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Yes. I have defined the user, password and role and everything else needed to make it work on tomcat. What seems to be the problem is that IIS is trying to authenticate the user by itself instead of forwarding the user/password information to tomcat. (It allows me to try 3 times and then gives me the Unauthorized: Logon Failed error page regardless of the valid user and password.)

I know the ISAPI filter is working because if I remove the security constraint from tomcat I can get to it, and I know the tomcat security constraint is working because I can get to it using the stand-alone port. Have you seen this scenario working before? I found some posts with this issue but no reply to any of them.

Thanks,
Felipe

-----Original Message-----
From: Sean Dockery [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 8:05 AM
To: Tomcat Users List
Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

> Where have you defined the user and password that you believe you should be a valid user? What is the role constraint that you have defined on the web resource? Is the user in question set up for that role?
Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Can you authenticate through the Tomcat standalone port? Or does that fail as well?

What method of authentication are you using? BASIC or DIGEST? If you are currently using DIGEST, try BASIC (for testing purposes).

What type of Realm are you authenticating against? MemoryRealm, JDBC, or JNDI?

Sean Dockery [EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message -----
From: Felipe [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Monday, February 10, 2003 09:08
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed

> Yes. I have defined the user, password and role and everything else needed to make it work on tomcat. What seems to be the problem is that IIS is trying to authenticate the user by itself instead of forwarding the user/password information to tomcat. (It allow me to try 3 times and then give me the Unauthorized: Logon Failed error page regardless the valid user and password). I know the ISAPI filter is working because if I remove the security constraint from tomcat I can get to it and I know the tomcat security constraint is working because if I can get to it using the stand alone port. Have you seen this scenario working before? I found some posts with this issue but no reply to any of them.
>
> Thanks,
> Felipe
RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed
Yes. I can authenticate through the tomcat standalone port. I am using BASIC with a MemoryRealm. Everything as simple as it can get!

Do you know if it is possible to have IIS leave the authentication to tomcat?

Thanks,
Felipe

-----Original Message-----
From: Sean Dockery [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 3:50 PM
To: Tomcat Users List
Subject: Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed

> Can you authenticate through the Tomcat standalone port? Or does that fail as well?
>
> What method of authentication are you using? BASIC or DIGEST? If you are currently using DIGEST, try BASIC (for testing purposes).
>
> What type of Realm are you authenticating against? MemoryRealm, JDBC, or JNDI?
Re: IIS+Tomcat security constraint = Unauthorized: Logon Failed
It seems unlikely that IIS would arbitrarily intercept a request that it has been instructed to forward, but I do not know enough about integrating IIS with Tomcat to know for sure. Perhaps you can turn on the RequestDumper Valve in Tomcat to see what headers are being submitted when you access Tomcat through the standalone port versus accessing Tomcat through IIS. That might give you more information than you have now. :-)

Sean Dockery
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message -----
From: Felipe
To: 'Tomcat Users List'
Sent: Monday, February 10, 2003 14:39
Subject: RE: IIS+Tomcat security constraint = Unauthorized: Logon Failed
IIS+Tomcat security constraint = Unauthorized: Logon Failed
I am trying to use the Tomcat security constraints behind an IIS web server. I know Tomcat and the ISAPI filter are working. Also, Tomcat authorization is working bypassing IIS using port 8080. When I try to reach exactly the same application through IIS (port 80) I get the user validation dialog box, and after I try to login with a valid user and password I get HTTP 401.1 - Unauthorized: Logon Failed.

TIA,
Felipe
How do I take care of the Tomcat security realm
Hi,

When Tomcat starts up, it displays all the information specific to a web application (all the table information) at startup itself. Here is the context path I have given in server.xml:

    <Context path="/ormap" cookies="true" docBase="D:\Tomcat\webapps\ormap"
             reloadable="true" crossContext="true">
      <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
             driverName="com.codestudio.sql.PoolMan"
             connectionURL="jdbc:poolman://epam1"
             userTable="EPAM_LOGIN_MS" userNameCol="LM_USER_ID" userCredCol="LM_USER_PWD"
             userRoleTable="EPAM_LOGIN_MS" roleNameCol="RM_ROLE_ID"/>
    </Context>

E.g., this is a part of the Tomcat display when it is started:

    Form: login_ms
      Field: key= LM_USER_ID property=LM_USER_ID indexedProperty= null indexedListProperty= null depends= required page=0 fieldOrder= 0
      Vars:
      Field: key= RM_ROLE_ID property=RM_ROLE_ID indexedProperty= null indexedListProperty= null depends= required page=0 fieldOrder= 0
      Vars:

How do I make it in such a way that all this is displayed only when I call upon a web application, say http://localhost:8080/ormap, and not initially at Tomcat startup itself? Any suggestions would be of great help.

Regards,
Preethi
Re: Apache/Tomcat Security
Run Tomcat with the Java SecurityManager (-security startup option) and only grant the minimum permissions necessary to your webapp. See the Security Manager HOWTO in the Tomcat docs.

Glenn
Apache/Tomcat Security
I am preparing to launch my first web site utilizing an Apache/Tomcat configuration. The server will host a single web site, at least for now, that uses servlets and JSP with a database backend. I have set up Apache and Tomcat as discussed in the documentation, with much help from people on this list. Now my question concerns whether or not I need to do anything in Apache or Tomcat to protect my site beyond what Apache and Tomcat are already set up to do. How secure can I truly expect my site to be using Apache and Tomcat as is?
RE: Apache/Tomcat Security
For your webapp, in httpd.conf, you'll want:

    # Deny direct access to WEB-INF and META-INF
    #
    <Location /myApp/WEB-INF/*>
        AllowOverride None
        deny from all
    </Location>
    <Location /myApp/META-INF/*>
        AllowOverride None
        deny from all
    </Location>

And for the manager on that virtual host:

    # Deny direct access to WEB-INF and META-INF
    #
    <Location /manager/WEB-INF/*>
        AllowOverride None
        deny from all
    </Location>
    <Location /manager/META-INF/*>
        AllowOverride None
        deny from all
    </Location>

John

-----Original Message-----
From: Anderson, M. Paul
Sent: Wednesday, November 20, 2002 9:05 AM
To: 'Tomcat Users List'
Subject: Apache/Tomcat Security
RE: System call problem on Tomcat /security issue
How do you actually execute the system call? I normally use it as printed below (on Tomcat 4.0x, Apache 1.3x, Redhat 6/7/8) and it works just fine. String[] strCommand contains the single elements of the call, so "ls -al" would be strCommand[0] = "ls", strCommand[1] = "-al", while "ls" obviously would just be strCommand[0] = "ls". However, what I'm still puzzled about is, as indicated by another reader, the security problem related to this. Everyone programming webapps for a server has basically root rights on this machine, at least with the default settings. Any suggestions how to get around this or where to start reading?

    import java.io.IOException;

    // Runs the command given as an argv-style array and waits for it to exit.
    private static void doSyscommand(String[] strCommand) {
        Process p;
        try {
            p = Runtime.getRuntime().exec(strCommand);
            p.waitFor();
        } catch (IOException e) {
            System.err.println(e.getMessage());
        } catch (InterruptedException e) {
            System.err.println("Interrupted Exception raised: " + e.getMessage());
        }
    }

-----Original Message-----
From: Richard Wong
Sent: 15 November 2002 05:42 AM
Subject: RE: System call problem on Tomcat

We are still stuck with the problem. Can someone kindly help?

-----Original Message-----
From: Richard Wong
Sent: Tuesday, November 12, 2002 10:35 PM
Subject: System call problem on Tomcat

Dear Sir/Madam,

I have written a servlet that will make a system call using the following statement:

    Runtime.getRuntime().exec("ls");

The servlet failed (it even caused Tomcat to shut down) and the following error occurs:

    StandardServer.await: accept: java.net.SocketException: Interrupted system call
    java.net.SocketException: Interrupted system call
        at java.net.PlainSocketImpl.socketAccept(Native Method)
        at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:463)
        at java.net.ServerSocket.implAccept(ServerSocket.java:238)
        at java.net.ServerSocket.accept(ServerSocket.java:217)
        at org.apache.catalina.core.StandardServer.await(StandardServer.java:293)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:794)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

I have tried several simple Linux commands and I get the same problem (e.g. sleep 1). Can anyone help? The system is running on Redhat 7.2, Tomcat 4.0.4 and Java 1.3.1.

Regards,
Richard.
Re: tomcat security issue
SecurityManager permission problems are much easier to debug if you start Tomcat with the -Djava.security.debug=access,failure property defined, then check your logs for the string "denied". Then review the stack trace and the ProtectionDomain which failed.

Regards,
Glenn
Re: tomcat security issue
I wish I could see some log files. The only file that seems to be active is catalina.out. Any assistance in this matter would be appreciated. Here is the entry for the service:

    <Service name="Tomcat-Apache13">
      <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
                 port="8009" address="127.0.0.1" minProcessors="5" maxProcessors="75"
                 enableLookups="true" appBase="webapps" acceptCount="10" debug="0"/>
      <!-- Replace localhost with what your Apache ServerName is set to -->
      <Engine className="org.apache.catalina.connector.warp.WarpEngine"
              name="Apache - Tomcat4" defaultHost="defaultHost" debug="0">
        <!-- This next line brings in the file that includes the various host containers -->
        <Host name="defaultHost" appbase="/var/www/html">
          <Context path="" docBase="" />
        </Host>
        <Host name="domain" appBase="/home/virtual/site1/fst/var/www/html">
          <Alias>domain</Alias>
          <!-- Global logger unless overridden at lower levels -->
          <Logger className="org.apache.catalina.logger.FileLogger"
                  directory="/home/virtual/site1/fst/var/log"
                  prefix="alvolo_tomcat." timestamp="true"/>
          <Realm className="org.apache.catalina.realm.MemoryRealm" />
          <!-- note: the Context attribute Tomcat reads is spelled "privileged";
               an attribute it does not recognise is ignored -->
          <Context path="" docBase="/home/virtual/site1/fst/var/www/html"
                   priviledged="true" reloadable="true">
            <Resource name="jdbc/MySQL/AlVolo" auth="Container" type="javax.sql.DataSource"/>
            <ResourceParams name="jdbc/MySQL/AlVolo">
              <parameter>
                <name>driverClassName</name>
                <value>org.gjt.mm.mysql.Driver</value>
              </parameter>
              <parameter>
                <name>driverName</name>
                <value>jdbc:mysql://localhost/alvolo</value>
              </parameter>
            </ResourceParams>
          </Context>
        </Host>
      </Engine>
    </Service>

Kind regards,
Warren

On Thursday, Oct 24, 2002, at 10:19 Etc/GMT, Glenn Nielsen wrote:
tomcat security issue
I have the following exception thrown when attempting to access Tomcat app resources:

    WarpEngine[Apache - Tomcat4]: Mapping request
    Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
    java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)
    StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher

Does anybody have any suggestions as to how to attack this issue?

Kind regards,
Warren
Re: tomcat security issue
Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get access to org.apache.catalina.core.ApplicationDispatcher? That's the normal behaviour if your answer is yes. Tomcat internal classes are protected against package access/insertion. If you really want to use that class, add to your catalina.policy file the following under

    // These permissions are granted by default to all web applications
    // In addition, a web application will be given a read FilePermission
    // and JndiPermission for all files and directories in its document root.
    grant {
        [...]
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
    };

or do not use the SecurityManager. *But* remember you are opening the Tomcat core classes to all web applications, and this is potentially a *security risk*. Also, your application is not portable across different Servlet Containers when doing that.

-- Jeanfrancois
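Glenn's tip earlier in the thread (start Tomcat with -Djava.security.debug=access,failure and look for "denied") and the grant block in this reply go together: the following added example, not code from the thread or from Tomcat, pairs each denial in that debug output with the ProtectionDomain that failed and emits a catalina.policy grant scoped to that codebase instead of to every web application. The log line format is assumed from the JDK's AccessControlContext debug output, and the sample lines, the codebase path and the jar name are constructed.

```python
"""Triage -Djava.security.debug=access,failure output from catalina.out.

Added example (not code from the thread). It pairs each "access denied"
line with the "domain that failed ProtectionDomain" line that follows it,
groups the denied permissions by the codebase that failed, and renders a
catalina.policy grant scoped to that codebase, so the permission is not
handed to every web application through the global grant { } block.
The log format is assumed from the JDK 1.4-era AccessControlContext debug
output; the permission text matches the AccessControlException in the thread.
"""
import re
from collections import defaultdict

# "access: access denied (<class> <name> [<actions>])"
_DENIED = re.compile(r'^access: access denied \((\S+) (.*?)\)\s*$')
# "access: domain that failed ProtectionDomain  (<codebase URL> <signers>)"
_DOMAIN = re.compile(r'^access: domain that failed ProtectionDomain\s+\((\S+) ')

# Permission classes whose toString() carries no actions field.
_NO_ACTIONS = {
    'java.lang.RuntimePermission',
    'java.lang.reflect.ReflectPermission',
    'java.security.SecurityPermission',
    'java.net.NetPermission',
}


def parse_denials(lines):
    """Map codebase URL -> set of (permission class, name, actions) denied there."""
    denials = defaultdict(set)
    pending = None
    for line in lines:
        m = _DENIED.match(line)
        if m:
            perm_class, rest = m.groups()
            if perm_class in _NO_ACTIONS or ' ' not in rest:
                name, actions = rest, ''
            else:
                # Actions are the last token; the name may contain spaces
                # (FilePermission paths), so split only once from the right.
                name, actions = rest.rsplit(' ', 1)
            pending = (perm_class, name, actions)
            continue
        m = _DOMAIN.match(line)
        if m and pending is not None:
            denials[m.group(1)].add(pending)
            pending = None
    return dict(denials)


def codebase_pattern(url):
    """A directory codebase becomes 'dir/-' (all code below it); a jar stays as is."""
    return url + '-' if url.endswith('/') else url


def policy_grants(lines):
    """Render one scoped grant block per failing codebase. Review each line
    before adding it: a denial is not by itself a reason to grant."""
    blocks = []
    for codebase, perms in sorted(parse_denials(lines).items()):
        body = ''
        for perm_class, name, actions in sorted(perms):
            body += '    permission %s "%s"' % (perm_class, name)
            body += (', "%s";\n' % actions) if actions else ';\n'
        blocks.append('grant codeBase "%s" {\n%s};\n' % (codebase_pattern(codebase), body))
    return '\n'.join(blocks)


# Constructed log excerpt in the assumed format; the codebase path is the
# docBase from the thread, the jar name is made up.
SAMPLE_LOG = """\
access: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
java.lang.Exception: Stack trace
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
\tat alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
access: domain that failed ProtectionDomain  (file:/home/virtual/site1/fst/var/www/html/WEB-INF/classes/ <no signer certificates>)
 org.apache.catalina.loader.WebappClassLoader@1a2b3c
 <no principals>
 java.security.Permissions@4d5e6f (
 (java.io.FilePermission /home/virtual/site1/fst/var/www/html/- read)
)
access: access denied (java.io.FilePermission /etc/hosts read)
java.lang.Exception: Stack trace
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
access: domain that failed ProtectionDomain  (file:/home/virtual/site1/fst/var/www/html/WEB-INF/lib/mysql-driver.jar <no signer certificates>)
"""

if __name__ == '__main__':
    print(policy_grants(SAMPLE_LOG.splitlines()))
```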
Re: tomcat security issue
Thanks for the reply. My code that seems to cause the problem is as follows:

    HttpSession session = request.getSession();
    session.setAttribute( "customerProfile", new Profile() );
    session.setAttribute( "loggedIn", new Boolean( false ) );
    session.setAttribute( "customerOrder", new Order() );
    RequestDispatcher dispatcher = null;
    String destination = "factoryLoaderServlet";
    try {
        // getNamedDispatcher() returns null if no servlet is registered under that name
        dispatcher = this.getServletContext().getNamedDispatcher( destination );
        this.log( "Including destination = " + destination );
        dispatcher.include( request, response );
    } catch( ServletException exception ) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    } catch( IOException exception ) {
        // The error needs to be logged; may have to redirect to a page that requests the user to
        // return at a later time
        this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
        throw exception;
    }

I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen by the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.

I have included the permission as you suggested but still get the following message in the browser (even though the previous stack trace is not output to the catalina.out file any longer):

    root cause

    java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
        at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
        at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
        at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
        at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
        at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
        at java.lang.Thread.run(Thread.java:536)

On
Re: tomcat security issue
If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml?

-- Jeanfrancois
Re: tomcat security issue
Yes, the factoryLoaderServlet is defined. Too complex an issue currently to restart without the SecurityManager. May be able to do overnight. Other dependent apps need to be up during the day.

Warren

On Wednesday, October 23, 2002, at 04:19 PM, Jean-Francois Arcand wrote:

If you run the same code without the SecurityManager, do you get the same exception? Is the factoryLoaderServlet defined in your web.xml?

-- Jeanfrancois

[EMAIL PROTECTED] wrote:

Thanks for the reply. My code that seems to cause the problem is as follows:

    // Fragment from the servlet's doGet(); string literals restored
    HttpSession session = request.getSession();
    session.setAttribute( "customerProfile", new Profile() );
    session.setAttribute( "loggedIn", new Boolean( false ) );
    session.setAttribute( "customerOrder", new Order() );

    RequestDispatcher dispatcher = null;
    String destination = "factoryLoaderServlet";
    try {
        dispatcher = this.getServletContext().getNamedDispatcher( destination );
        this.log( "Including destination = " + destination );
        dispatcher.include( request, response );
    } catch ( ServletException exception ) {
        // The error needs to be logged; may have to redirect to a page that
        // requests the user to return at a later time
        this.log( "Servlet threw an exception when attempting to forward to "
                  + destination, exception );
        throw exception;
    } catch ( IOException exception ) {
        // The error needs to be logged; may have to redirect to a page that
        // requests the user to return at a later time
        this.log( "Servlet threw an exception when attempting to forward to "
                  + destination, exception );
        throw exception;
    }

I am unwilling to get rid of the SecurityManager due to this being a public site. As can be seen by the stack trace, the call to getNamedDispatcher eventually causes the ApplicationDispatcher class to be called, but it is not being called from my code explicitly.
Re: Multiple Tomcat Security Realms
On Sat, 19 Oct 2002, grenoml wrote:

Date: Sat, 19 Oct 2002 13:33:16 -0700 (PDT)
From: grenoml [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Multiple Tomcat Security Realms

I went through the REALM HOW-TO also. It just tells you how to set up the various realm types but not how to configure multiple realms.

It's there, but sort of subtle. The key point is that you can nest a Realm element in three different places in server.xml, to get three different results:

* Nest inside Engine to affect all webapps on all virtual hosts. This is how things are set up in the default Tomcat server.xml file.
* Nest inside Host to affect all webapps on that virtual host, but no others.
* Nest inside Context to affect only that single webapp.

The search for the relevant realm is hierarchical, starting from the most specific to the least specific. So, one way to deal with your scenario would be to simply leave the default setup alone (so that it supports the admin and manager webapps as it does currently), then define a Context element for each of your specific applications -- and nest a Realm inside each of those Context elements to configure its own security setup.

An alternate approach would be appropriate if you wanted to use the same JDBCRealm for all apps *except* admin and manager:

* Move the existing Realm element from inside the Engine to inside new Context elements for the admin and manager webapps
* Make your JDBCRealm the default one (nested in the Engine element) for all other apps.

Craig
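As an added illustration of the second layout Craig describes (this fragment is not from the thread or from the Tomcat distribution), a Tomcat 4.1 server.xml excerpt that makes a JDBCRealm the Engine-wide default and keeps only the manager webapp on the file-based UserDatabaseRealm. The database name, table and column names, credentials, the /shop context and the manager docBase are assumed values.

```xml
<!-- Added example, not the thread's or Tomcat's own config.
     Realm lookup is hierarchical: a Realm nested in a Context wins for that
     webapp; any Context without its own Realm falls back to the Host's, and
     then to the Engine's. -->
<Engine name="Standalone" defaultHost="localhost" debug="0">

  <!-- Engine-level default for every webapp on every Host: a JDBCRealm
       against MySQL (database, table and column names are assumed).
       digest="SHA" stores and compares SHA-1 digests instead of cleartext
       passwords, so a leaked users table does not leak credentials. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="0"
         driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://localhost/authority"
         connectionName="dbuser" connectionPassword="dbpass"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA"/>

  <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">

    <!-- The manager webapp keeps the stock realm: conf/tomcat-users.xml
         exposed through the Server-level JNDI resource "UserDatabase".
         docBase is the assumed location of the manager app. -->
    <Context path="/manager" docBase="../server/webapps/manager"
             debug="0" privileged="true">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
    </Context>

    <!-- An ordinary application with no Realm of its own: it is
         authenticated by the Engine-level JDBCRealm above. A second app
         needing a different database would nest its own JDBCRealm here. -->
    <Context path="/shop" docBase="shop" debug="0" reloadable="false"/>

  </Host>
</Engine>
```

Which realm answers for a request is decided by this nesting; which roles a URL requires is still set by the security-constraint entries in each webapp's own web.xml.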
Multiple Tomcat Security Realms
I'm using Tomcat 4.1.9. Can someone point me to a document or provide an explanation of how the security realms work in Tomcat and how to implement multiple realms? I've been through the Manager HOW-TO. Still doesn't answer my question.

Is it possible to declare more than one realm at a time in server.xml? Say for instance that I want to use the tomcat-users.xml file to authenticate users for the manager and admin apps but also want to use a couple of JDBCRealms to authenticate users to different MySQL databases for different apps. When I add all the realm types that I want to server.xml then Tomcat refuses to start unless I have just one and only one Realm declared.

Is what I'm trying to do possible? Any help appreciated. Thanks.
Re: Multiple Tomcat Security Realms
I went through the REALM HOW-TO also. It just tells you how to set up the various realm types but not how to configure multiple realms.

--- grenoml [EMAIL PROTECTED] wrote:

I'm using Tomcat 4.1.9. Can someone point me to a document or provide an explanation of how the security realms work in Tomcat and how to implement multiple realms? I've been through the Manager HOW-TO. Still doesn't answer my question.

Is it possible to declare more than one realm at a time in server.xml? Say for instance that I want to use the tomcat-users.xml file to authenticate users for the manager and admin apps but also want to use a couple of JDBCRealms to authenticate users to different MySQL databases for different apps. When I add all the realm types that I want to server.xml then Tomcat refuses to start unless I have just one and only one Realm declared.

Is what I'm trying to do possible? Any help appreciated. Thanks.
RE: Apache Tomcat Security
Do we get contributing author credit?

John

-----Original Message-----
From: Nilesh Parmar [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 1:56 AM
To: 'Tomcat Users List '
Subject: Apache Tomcat Security

Hi,

I've been subscribing to this mailing list for quite a while. I'm interested in developing a book on Apache Tomcat security. For a start, here is what I've included as a specification for the book. Can anyone please give me your valuable suggestions/ideas to make it a better book? I'd like to know what exactly the programmer wants so as to make it a great book helpful to all.

Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.

Nilesh
Re: Apache Tomcat Security
Include PostgreSQL as you did with MySQL.

Thanks...

Andrew
Re: Apache Tomcat Security
Ditto to the contributing author comment.

Looking at your email address, you're a Wrox guy. Who's the audience for the book? Are you targeting the developer or the sysadmin?

Nilesh Parmar [EMAIL PROTECTED]
10/10/2002 01:55 AM
Please respond to Tomcat Users List
To: 'Tomcat Users List ' [EMAIL PROTECTED]
cc:
Subject: Apache Tomcat Security

Hi,

I've been subscribing to this mailing list for quite a while. I'm interested in developing a book on Apache Tomcat security. For a start, here is what I've included as a specification for the book. Can anyone please give me your valuable suggestions/ideas to make it a better book? I'd like to know what exactly the programmer wants so as to make it a great book helpful to all.

Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.

Nilesh
RE: Apache Tomcat Security
And how would this be different from the WROX book(s) already published, as well as the two books (three if you count JBoss) by Sams?

More often than not, the books available on a given subject are all the same, regardless of who publishes them. I went looking for an in-depth Tomcat + JNDI + JDBC resource in July. Every book I found, from 4 different publishers, had essentially the same code snippet (approx. 2/3 of one page) which did nothing but describe a simple JNDI setup, and aside from the values of the parameters, was identical to the example in the Tomcat docs. Not worth $50 where I come from, that's for sure. I think a couple of the publishers even used the exact same snippet. I did manage to get a little more info from a JDBC 3.0 book (about 1.5 pages), but even that was pretty sparse.

I'd be interested in a book on the topics you listed, but only if it was demonstrably different than anything else. Please avoid writing or publishing a me/us too book.

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 9:03 AM
To: Tomcat Users List
Cc: 'Tomcat Users List '
Subject: Re: Apache Tomcat Security

Ditto to the contributing author comment.

Looking at your email address, you're a Wrox guy. Who's the audience for the book? Are you targeting the developer or the sysadmin?

Nilesh Parmar [EMAIL PROTECTED]
10/10/2002 01:55 AM
Please respond to Tomcat Users List
To: 'Tomcat Users List ' [EMAIL PROTECTED]
cc:
Subject: Apache Tomcat Security

Hi,

I've been subscribing to this mailing list for quite a while. I'm interested in developing a book on Apache Tomcat security. For a start, here is what I've included as a specification for the book. Can anyone please give me your valuable suggestions/ideas to make it a better book? I'd like to know what exactly the programmer wants so as to make it a great book helpful to all.

Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.

Nilesh
RE: Apache Tomcat Security
Hi Andrew,

Why do you think we need to include PostgreSQL? I think MySQL is more popular than PostgreSQL and is widely used.

thanks,
Nilesh

-----Original Message-----
From: Andres Ledesma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 6:32 PM
To: Tomcat Users List
Subject: Re: Apache Tomcat Security

Include PostgreSQL as you did with MySQL.

Thanks...

Andrew

--
Peer Information India Pvt Ltd, Mumbai, India
RE: Apache Tomcat Security
Yes, the target audience for the book is developers. I'd like to concentrate on building secure applications.

thanks,
Nilesh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 10, 2002 6:33 PM
To: Tomcat Users List
Cc: 'Tomcat Users List '
Subject: Re: Apache Tomcat Security

Ditto to the contributing author comment.

Looking at your email address, you're a Wrox guy. Who's the audience for the book? Are you targeting the developer or the sysadmin?

Nilesh Parmar [EMAIL PROTECTED]
10/10/2002 01:55 AM
Please respond to Tomcat Users List
To: 'Tomcat Users List ' [EMAIL PROTECTED]
cc:
Subject: Apache Tomcat Security

Hi,

I've been subscribing to this mailing list for quite a while. I'm interested in developing a book on Apache Tomcat security. For a start, here is what I've included as a specification for the book. Can anyone please give me your valuable suggestions/ideas to make it a better book? I'd like to know what exactly the programmer wants so as to make it a great book helpful to all.

Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.

Nilesh

--
Peer Information India Pvt Ltd, Mumbai, India
Apache Tomcat Security
Hi,

I've been subscribing to this mailing list for quite a while. I'm interested in developing a book on Apache Tomcat security. For a start, here is what I've included as a specification for the book. Can anyone please give me your valuable suggestions/ideas to make it a better book? I'd like to know what exactly the programmer wants so as to make it a great book helpful to all.

Here's what I'd like to cover in the book:

Internet Security (SSH, SSL)
How secure is Tomcat
Security Manager
Realms (This chapter should discuss Memory Realms and JDBC Realms)
Secure connections with Databases (like MySQL) using SSL
Secure connections with LDAP using SSL (??)

Thanks in advance.

Nilesh
Re: Tomcat Security Problem Help (using mod_jk)
On Wed, 25 Sep 2002, Ramilio D wrote:

Hi Everyone,

I read in the Bugtraq posting that I could fix the source code exposure vulnerability in Tomcat by modifying the JkMount directive. I took a quick look at some documentation but I couldn't figure out how to allow Apache to serve servlets yet disallow those containing the org.apache.catalina.servlets.DefaultServlet string. Any help would be greatly appreciated.

I believe the report about it that was sent to this list (one of them, at least) had some detailed instructions about how to do this. I suggest checking the list archives.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
RE: Tomcat Security Problem Help (using mod_jk)
Do not mount /servlet/* but only the servlets that your application is really using.

Regards,
Rossen Raykov

-----Original Message-----
From: Ramilio D [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 12:30 AM
To: [EMAIL PROTECTED]
Subject: Tomcat Security Problem Help (using mod_jk)

Hi Everyone,

I read in the Bugtraq posting that I could fix the source code exposure vulnerability in Tomcat by modifying the JkMount directive. I took a quick look at some documentation but I couldn't figure out how to allow Apache to serve servlets yet disallow those containing the org.apache.catalina.servlets.DefaultServlet string. Any help would be greatly appreciated.

Cheers,
Tomcat Security Problem Help (using mod_jk)
Hi Everyone,

I read in the Bugtraq posting that I could fix the source code exposure vulnerability in Tomcat by modifying the JkMount directive. I took a quick look at some documentation but I couldn't figure out how to allow Apache to serve servlets yet disallow those containing the org.apache.catalina.servlets.DefaultServlet string. Any help would be greatly appreciated.

Cheers,
tomcat security
Hi,

I'm relatively new to administering Tomcat and have been looking for some ways to secure Tomcat. I haven't found much of anything useful. Are there any docs on known security issues with Tomcat, or any HOWTOs on configuring security? We're running Tomcat 4.0.3, Apache 1.3.26 and mod_jk.

Thanks in advance,
steve
Re: tomcat security
Take a look at "Running Tomcat with SecurityManager". I'm sure you can find a lot of docs on the net.

On Thu, 19 Sep 2002 15:23:09 -0400, Steven Garrett [EMAIL PROTECTED] wrote:

From: Steven Garrett [EMAIL PROTECTED]
Date: Thu, 19 Sep 2002 15:23:09 -0400
To: 'Tomcat Users List' [EMAIL PROTECTED]
Subject: tomcat security

Hi,

I'm relatively new to administering Tomcat and have been looking for some ways to secure Tomcat. I haven't found much of anything useful. Are there any docs on known security issues with Tomcat, or any HOWTOs on configuring security? We're running Tomcat 4.0.3, Apache 1.3.26 and mod_jk.

Thanks in advance,
steve
Re: tomcat security
The Tomcat site contains the following:

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/security-manager-howto.html

and

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html

The security manager is probably the first place to start.

-- Jeanfrancois

Steven Garrett wrote:

Hi,

I'm relatively new to administering Tomcat and have been looking for some ways to secure Tomcat. I haven't found much of anything useful. Are there any docs on known security issues with Tomcat, or any HOWTOs on configuring security? We're running Tomcat 4.0.3, Apache 1.3.26 and mod_jk.

Thanks in advance,
steve
HELP! IIS and Tomcat Security
Hi,

I am using IIS5 and Tomcat 4.0.2. I am using FORM-BASED authentication for my webapp. The login form is loaded when I access the secured area using localhost:8080, but I get the error below when accessing the page through IIS (localhost). I am using ajp13. Should that make any difference? I am so lost.

Error:

Apache Tomcat/4.0.2 - HTTP Status 403 - Access to the requested resource has been denied

type: Status report
message: Access to the requested resource has been denied
description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Thanks very much.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
S. Jude Medical, Inc
651.765.1018
AW: HELP! IIS and Tomcat Security
I guess this is only a question of configuration. I haven't found the solution either - something with the security manager. Somebody who has configured this the right way should write a how-to to be added to the Tomcat docs.

Kind regards

Galexis AG
Beat Friedli . Software Development (DDIS/ASW)
Grubenstrasse 11 . CH-3322 Schoenbuehl
tel: +41 (0)31 858 72 32 . fax: +41 (0)31 858 78 81

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 11, 2002 18:24
To: [EMAIL PROTECTED]
Subject: HELP! IIS and Tomcat Security

Hi,

I am using IIS5 and Tomcat 4.0.2. I am using FORM-BASED authentication for my webapp. The login form is loaded when I access the secured area using localhost:8080, but I get the error below when accessing the page through IIS (localhost). I am using ajp13. Should that make any difference? I am so lost.

Error:

Apache Tomcat/4.0.2 - HTTP Status 403 - Access to the requested resource has been denied

type: Status report
message: Access to the requested resource has been denied
description: Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

Thanks very much.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
S. Jude Medical, Inc
651.765.1018
Tomcat security Guidelines and Checklist
Dear All,

We are going to install Tomcat 4 under Windows 2000 on the production servers. So what security checklist should I follow to secure Tomcat?

Thanks in advance.

Waiting for your reply.