I am using Tomcat as an Apache plug in for my servlet engine. Neither of these characters will cause the jsp to show the source. Can you direct me to a resource that will inform me about these issues? I have never heard of these issues while using Tomcat as the servlet/jsp container. I would like to evaluate the security of our server. Mike
----- Original Message -----
From: "Gang Zhang" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 28, 2003 4:19 PM
Subject: Re: Is JSP or Servlet more secure?

> Some time ago a friend of mine found that some jsp engines will show jsp
> source by appending chars like '/' or %00 (there are more examples). The
> cause of that is Sun's java file io package will open a file even if there
> is weird stuff appended to the end. At the same time the engine thinks the
> requested string is not a jsp because there are things appended to it.
>
> Since you brought it up I think it is a good time to put it on the mailing
> list.
>
> Gang
>
> The source of the jsp could be harmful to be seen if it contains passwords
> to database systems or other such info. It might be a good idea to use a
> bean to do that kind of stuff and just let the jsp invoke the bean.
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, February 28, 2003 2:45 PM
> Subject: Re: Is JSP or Servlet more secure?
>
>
> > Thanks for your quick response Mike. One reason I asked this question - On
> > Google, Servlet+Security gives 258,000 hits, while JSP+Security nets
> > 1,240,000 hits.
> >
> > One reason could be that since JSPs are easier to use, more is
> > written about them.
> >
> > There was another reason it could be so (speculation follows). The servlet
> > classes are put in WEB-INF that is only readable by the server (at least in
> > Tomcat). JSPs are generally in the HTML area that is easier to get to. Even
> > generated servlets from JSPs land up in the work directory, that may be
> > easier to get to than WEB-INF. Just wondering whether this relatively
> > easier access to the source of JSPs may be a potential vulnerability.
> >
> > das
> >
> > Mike Silvers wrote:
> >
> > >No. The main difference is the ease of use for creating HTML documents.
> > >The jsp makes it easier to create HTML documents. When a jsp is used, it
> > >is first compiled into a servlet and then used.
> > >
> > >Mike
> > >
> > >----- Original Message -----
> > >From: <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Friday, February 28, 2003 2:12 PM
> > >Subject: Is JSP or Servlet more secure?
> > >
> > >
> > >>For creating a totally new web site, is there any difference from
> > >>security point of view of using only servlets or using only JSPs?
> > >>
> > >>das
> > >>
> >
> > ___________________________________________________________________________
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff SERVLET-INTEREST".
> >
> > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > Resources: http://java.sun.com/products/servlet/external-resources.html
> > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
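The source-disclosure problem Gang describes above (a request name that the engine no longer recognises as a JSP, but that the file layer still opens) is fixed in the container, not in application code. As a defence-in-depth layer while a patched container is rolled out, a servlet filter can refuse any request whose path carries bytes after the `.jsp` extension. The filter below is an added example written for this thread; it is not code from the list, from Tomcat, or from Sun. `JspPathFilter` and `isCleanJspPath` are hypothetical names, and the mapping to `/*` in `web.xml` is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical defence-in-depth filter (not part of Tomcat or of the thread).
 * It answers 404 for any request whose URI names a JSP but carries extra
 * bytes after ".jsp", which is the shape of request the thread describes.
 * Map it to url-pattern /* in web.xml so it runs before the JSP servlet.
 */
public class JspPathFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /**
     * Returns true when the URI may proceed, false when it must be refused.
     * Kept as a static method so it can be unit-tested without a container.
     */
    static boolean isCleanJspPath(String uri) {
        if (uri == null) {
            return true;
        }
        String lower = uri.toLowerCase();
        // A raw NUL or a still-encoded %00 has no legitimate place in a path.
        if (uri.indexOf('\0') >= 0 || lower.indexOf("%00") >= 0) {
            return false;
        }
        int idx = lower.indexOf(".jsp");
        if (idx < 0) {
            return true;            // not a JSP request; nothing to check
        }
        // ".jsp" must be the last thing in the path. A trailing '/', '.',
        // or any other byte after it is exactly the case being guarded.
        return idx + 4 == uri.length();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // getRequestURI() returns the path as sent, before decoding,
            // so an encoded %00 is still visible here. Query strings are
            // not part of the URI and are therefore not affected.
            String uri = ((HttpServletRequest) req).getRequestURI();
            if (!isCleanJspPath(uri)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

One caveat: applications that deliberately pass path info after a JSP name (`/page.jsp/extra`) will be blocked by this filter, so confirm none of your own links rely on that before deploying it. The filter also does nothing about the separate point raised in the thread, that a leaked JSP is only as damaging as what it contains; keeping database credentials in a bean or a properties file under `WEB-INF` rather than in the page itself remains worthwhile regardless of the container version.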
