Hello all,

I set up the authentication schema for Apache webserver version 1.3.4 and JServ version 1.0.b5 and it is asking for a password now (it gives the username, which I would have preferred it to have prompted, but I guess it is better than nothing). However, it is still possible for somebody who knows the names of my servlets to circumvent this password window by typing the name of the servlets directory, the name of the servlet and the parameters it needs, in order to execute it.

So I tried the servlet security features described at the Apache site and the books as follows. In the jserv configuration file I put:

    security.allowedAddresses=127.0.0.1
    security.authentication=true
    security.secretKey="c:\abc\secretfile"
    security.challengeSize=5

I repeated the security.secretKey="c:\def\secretfile" in the mod_jserv configuration file. I also created a file called secretfile with about 100 randomly typed characters and copied it into the c:\abc and c:\def directories. I used 127.0.0.1 for the security.allowedAddresses parameter, thinking this would restrict access to the servlets only from within the same machine, since both JServ and the webserver reside on the same machine.

All of this seems to have no effect and it is still possible to access the servlets directly. Am I doing something wrong? Am I using these parameters correctly? If they are not for the purpose I am using them for (since they seem to have no effect), what are they for?

Tx much for any help or suggestions.

Enis Bengul
Software Engineering Center, CECOM
