How does a malicious foreign applet come to be on my linux/apache2 web-server where only two ports are listening and most services disabled? The only way the applets can communicate with the servlets is through an a2s http-tunnel! Does this relate to a "threat mode" where the threat comes from within the rank and file? Assuming single sign-on is available on TC4.0.x (I haven't looked yet), that's two sign-ons that a user needs to get to the goodies, and that is excluding the network sign on. :-o

"Shapira, Yoav" wrote:
>
> Howdy,
> No, you're not right. The two provide different views of security.
> Httpd.conf controls apache, not tomcat, and does nothing to prevent, for
> example, the execution of malicious applets. Catalina.policy or
> whatever you want to call the policy file is used by the JVM security
> manager to enforce its policies, including for example applet
> sandboxing. If you're not clear what the security manager does, read up
> the JDK documentation for it.
>
> You should use them both if you're concerned about security.
>
> Yoav Shapira
> Millennium ChemInformatics
>
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, August 26, 2003 12:14 AM
> >To: [EMAIL PROTECTED]
> >Subject: No need for catalina.policy?
> >
> >Hi
> >Please tell me once more.
> >Am I right in assuming that I don't really need catalina.policy if I use
> >httpd.conf to control access ?
> >If t, how do they interact ?
> >TIA :-)
