Hello,
When using Tomcat with IIS, we have a security hole.
We installed Tomcat as described in the documentation.
The following scenario will show our problem:
We have a folder reachable as http://outserver/secretfolder/ with NT security permissions set.
The folder "secretfolder" can only be read by the system and by a user named "foo". Now, without Tomcat, the user "foo" can access the contents of the folder "secretfolder"; all other users will get "access denied". We use NTLM for authentication (so the browser [IE 5.x] automatically sends the current NT user's account to the web server).
Now, we put a file named "testme.jsp" into "secretfolder" and try to open it from an NT user account named "bar". IIS now redirects to Tomcat without checking any permissions, and Tomcat returns the result of "testme.jsp". But, in our opinion, this should not happen!!!
The user "bar" should also get an "access denied" error! So, Tomcat bypasses NT security!
Does anybody have a solution for that?
Bye bye
Christian Schulz
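The reason the NTFS ACL is skipped is that, once the ISAPI redirector has claimed a request for *.jsp, IIS never opens the file on disk, so the permissions on "secretfolder" are never evaluated; only IIS's authentication step (NTLM) has a chance to run. One way to close the gap is to re-apply the folder rule inside Tomcat. The following servlet Filter is an added example, not code from the original post or from the Tomcat project. It assumes the AJP connector is configured with tomcatAuthentication="false" (a real connector attribute) so that the NT account IIS authenticated arrives via HttpServletRequest.getRemoteUser(); the class name FolderAclFilter and the allow-list that mirrors the post's ACL ("foo" only, for /secretfolder/) are constructed for the example. It targets the javax.servlet API (Tomcat 9 and earlier).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not part of Tomcat or the original post).
 * Requests the ISAPI redirector forwards never reach the NTFS ACL check, so this
 * filter re-applies the "only foo may read /secretfolder/" rule inside Tomcat.
 * Assumes tomcatAuthentication="false" on the AJP connector so that the account
 * IIS authenticated via NTLM is visible through getRemoteUser().
 */
public class FolderAclFilter implements Filter {

    /** Constructed allow-list mirroring the NTFS ACL described in the post. */
    private static final Map<String, Set<String>> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("/secretfolder/", new HashSet<>(Collections.singleton("foo")));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    /** Strips an optional "DOMAIN\" prefix and lower-cases; NT account names are case-insensitive. */
    static String normalizeUser(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return null;
        }
        int sep = remoteUser.lastIndexOf('\\');
        String name = sep >= 0 ? remoteUser.substring(sep + 1) : remoteUser;
        return name.toLowerCase(Locale.ROOT);
    }

    /**
     * Decides whether a normalized user may read a path. Windows paths are
     * case-insensitive, so the path is lower-cased before the prefix match.
     * A missing identity (redirector not propagating the user) fails closed.
     */
    static boolean isAllowed(String user, String path) {
        if (path == null) {
            return false;
        }
        String p = path.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, Set<String>> rule : ALLOWED.entrySet()) {
            String prefix = rule.getKey();                       // always ends with '/'
            String bare = prefix.substring(0, prefix.length() - 1); // the folder itself
            if (p.startsWith(prefix) || p.equals(bare)) {
                return user != null && rule.getValue().contains(user);
            }
        }
        return true; // no rule for this folder: behaviour unchanged
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // servletPath + pathInfo is the decoded, container-normalized path inside
        // the web application, so encoded ".." segments cannot dodge the prefix check.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String user = normalizeUser(request.getRemoteUser());
        if (!isAllowed(user, path)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter in the web application's web.xml with a filter-mapping whose url-pattern is /* so it runs before the JSP servlet. If tomcatAuthentication is left at its default (true), getRemoteUser() returns null and the filter rejects every request under /secretfolder/ rather than letting "bar" through, which is the safe direction to fail in.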
