In the case of DoS, I don't believe a bit in "trusted tags" and such
stuff. Why monitor the tags at all if "while(true)" is so easy?

I mean, the front door is wide open, why care about that little
window?

The only way to close everything is by monitoring the Servlets and
allowing some limitation on time per request to be set. And that does not
look so hard to do since Servlets are passive entities (meaning
that they do NOT call Tomcat, Tomcat calls them) and their basic
implementation (base class) belongs to Tomcat.

The standard way to do it would be by instrumenting the Servlets,
either directly or with a wrapper using JMX. JMX is not a J2EE
exclusive and it is not that complex either.

Additional advantages of implementing JMX in Tomcat:
 - Collecting other statistics;
 - Diagnostics;
 - Changing settings on the fly;
 - etc.

BTW, I am not the first person talking about JMX in this list.


Have fun,
Paulo Gaspar


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 18, 2001 3:02 AM
>
>
> On Thu, 17 May 2001, Glenn Nielsen wrote:
>
> > > I guess he's referring to DOS attacks ( like a while(true); in java code
> > > or allocating lots of memory ).
> >
> > You won't have much of a templating language if you don't allow some
> > sort of looping.  Kind of hard to restrict that.
>
> True, but if you have a set of "trusted" tags, including looping tags, and
> no "untrusted" code except the one that calls the tags you could do a lot
> to control the resources.
>
> For example the tags ( or jasper generated code ) could check for time
> execution limits, or how many resources are allocated.
>
>
> > It would be nice if self monitoring were built into Tomcat so sysads could
> > track statistics on performance of the JVM, Tomcat in general, and individual
> > servlets/JSP's.  Even setting thresholds when automated email notifications
> > could be done.  Let's give sysadmins the information they need, then they
> > can take action against problem users.
>
> Yes, that would be an interesting hack..
>
> I was thinking about JPDA - it would be possible to check the memory use
> for each thread, associate it with the user code. Also, it is possible to
> store the time when entering/exiting user code, and have a daemon thread
> check if any thread is spending too much time.
>
> ( the time monitoring part can be done without jpda - but to monitor the
> memory I don't know other solution ).
>
> ( well, I know - I remember a certain tool that was used to manipulate
> bytecodes and add "instrumentation" before all allocations - but that's
> far too difficult for the time we have available ).
>
>
> > I still think that using the SecurityManager implementation in Tomcat with a
> > well tuned security policy can provide one of the most secure environments
> > available for running web based applications. This is just my opinion,
> > feel free to try and convince me some other technology is more secure.
>
> I'll not even try :-)
>
> You're right, but there are some things that we could add to also control
> some resource usage ( memory and cpu time ).
>
> Costin
>
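
The time-monitoring idea discussed in this thread (record the time on entering and exiting user code, and let a daemon thread look for threads that stay too long), as an added example that is not code from the thread or from Tomcat. RequestWatchdog and invoke() are hypothetical names; only JDK classes are used, and the runaway request is a constructed stand-in.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class; the names are illustrative and are not Tomcat APIs.
public class RequestWatchdog {
    private final Map<Thread, Long> entered = new ConcurrentHashMap<>();
    private final long limitMillis;
    public RequestWatchdog(long limitMillis, long scanMillis) {
        this.limitMillis = limitMillis;
        Thread scanner = new Thread(() -> {
            try {
                while (true) { Thread.sleep(scanMillis); report(); }
            } catch (InterruptedException e) { /* scanner stopped */ }
        }, "request-watchdog");
        scanner.setDaemon(true); // must not keep the JVM alive
        scanner.start();
    }

    // The container wraps each call into user code: entry time in, entry removed on exit.
    public void invoke(Runnable userCode) {
        Thread t = Thread.currentThread();
        entered.put(t, System.nanoTime());
        try {
            userCode.run();
        } finally {
            entered.remove(t);
        }
    }

    // Runs on the daemon thread: lists every thread still in user code past the limit.
    private void report() {
        long now = System.nanoTime();
        entered.forEach((t, since) -> {
            long ms = (now - since) / 1_000_000;
            if (ms > limitMillis) System.err.println("over limit: " + t.getName() + " (" + ms + " ms)");
        });
    }

    public static void main(String[] args) throws InterruptedException {
        RequestWatchdog wd = new RequestWatchdog(200, 100);
        Thread fast = new Thread(() -> wd.invoke(() -> { }), "fast-request");
        Thread slow = new Thread(() -> wd.invoke(() -> { // constructed stand-in for while(true)
            long end = System.nanoTime() + 600_000_000L;
            while (System.nanoTime() < end) { }
        }), "runaway-request");
        fast.start(); slow.start();
        fast.join(); slow.join();
    }
}
```

The watchdog only reports. Thread.interrupt() is cooperative, so a loop that never checks for interruption cannot be stopped this way, and the report is what gives an administrator something to act on.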
