Sorry, but normally the web server should not respond with anything other than "Error 404 - Access Denied". IIS does not check the permissions; it redirects to Tomcat using the Apache redirection DLL. And Tomcat does not respect any file permissions!
But it could also be a problem of IIS or the redirector DLL. When using the Apache web server with .htaccess, Apache FIRST checks the permissions in .htaccess and then redirects to Tomcat. IIS (or the redirector DLL) seems not to check anything; it redirects unchecked.
C.S.
-----Original Message-----
From: Thomas Bezdicek
To: [EMAIL PROTECTED]
Sent: 27.02.01 14:36
Subject: RE: TomCat - IIS - Security
Hi,
I don't think so. If you use NTLM for authentication, you must use it in your JSP as well and test there whether the user is allowed or not.
It is not Tomcat that is bypassing the NT security, the application is doing it, because you let Tomcat run as a different user; this would mean, in other words, that every service would have to run once for each user.
So try to get an interface for NTLM authentication and include it in your JSP. This is the way it works, and it works with CORBA, LDAP, X.509, Kerberos and other OPEN!!! standards.
regards, tom
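The check Thomas describes, done in the web application rather than relied on from NTFS, as an added example that is not code from this thread or from Tomcat: a Servlet 2.3 filter that enforces a per-path allow list on the identity the front end authenticated. Because the IIS redirector forwards every URI matching its worker map to Tomcat before any NTFS ACL is consulted, and Tomcat then reads the .jsp as its own service account, the application is the only place left where "bar" can be turned away. The filter assumes (not established by the thread) that the NTLM-authenticated name reaches the webapp in request.getRemoteUser(), usually as DOMAIN\user, which depends on the connector configuration, and it takes its allow list from a hypothetical init-param named "acl". It answers 403 Forbidden; the "404 - Access Denied" wording above is IIS's, HTTP's status for a refused request is 401 or 403.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example, not code from the thread or from Tomcat.
 * Assumptions: the IIS/NTLM user name arrives in request.getRemoteUser()
 * (depends on the connector configuration), and the allow list is given
 * as the hypothetical init-param "acl" = "/secretfolder/=foo,alice;/reports/=bob".
 */
public class PathAclFilter implements Filter {

    /** URI prefix -> allowed user names (lower-cased, domain stripped). */
    private Map<String, Set<String>> acl = new HashMap<String, Set<String>>();

    public void init(FilterConfig cfg) throws ServletException {
        String spec = cfg.getInitParameter("acl");
        if (spec == null) {
            // Fail closed: a filter with no list would silently allow everything.
            throw new ServletException("acl init-param missing; refusing to start open");
        }
        acl = parseAcl(spec);
    }

    /** Parses "/prefix/=user1,user2;/other/=user3" into the prefix map. */
    static Map<String, Set<String>> parseAcl(String spec) {
        Map<String, Set<String>> out = new HashMap<String, Set<String>>();
        for (String entry : spec.split(";")) {
            int eq = entry.indexOf('=');
            if (eq < 0) continue;
            String prefix = entry.substring(0, eq).trim();
            Set<String> users = new HashSet<String>();
            for (String u : entry.substring(eq + 1).split(",")) {
                if (u.trim().length() > 0) users.add(normalizeUser(u));
            }
            out.put(prefix, users);
        }
        return out;
    }

    /** "DOMAIN\Foo" -> "foo": NT account names are case-insensitive. */
    static String normalizeUser(String user) {
        String u = user.trim();
        int sep = u.lastIndexOf('\\');
        if (sep >= 0) u = u.substring(sep + 1);
        return u.toLowerCase(Locale.ROOT);
    }

    /**
     * Fail closed: no authenticated user, or a path matching no prefix, is
     * denied. The longest matching prefix decides, so a broad entry such as
     * "/" cannot widen access to a more specific, protected subtree.
     */
    static boolean isAllowed(Map<String, Set<String>> acl, String path, String user) {
        if (user == null || path == null) return false;
        String best = null;
        for (String prefix : acl.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best != null && acl.get(best).contains(normalizeUser(user));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Tomcat resolves "." and ".." in the request URI before mapping, so
        // the servlet path (plus path info) is the location actually served.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) path = path + req.getPathInfo();
        if (!isAllowed(acl, path, req.getRemoteUser())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern is /* so that JSPs under secretfolder cannot be reached without passing through it. With the thread's scenario, an "acl" of "/secretfolder/=foo" lets DOMAIN\foo open /secretfolder/testme.jsp and gives DOMAIN\bar, or an unauthenticated request, a 403 regardless of what IIS or the redirector checked.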
-----Original Message-----
From: Christian Schulz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 27 February 2001 14:17
To: '[EMAIL PROTECTED]'
Cc: Thomas Dingel
Subject: TomCat - IIS - Security
Importance: High
Hello,
when using Tomcat with IIS, we have a security hole.
We installed Tomcat as described in the documentation.
The following scenario will show our problem:
We have a folder reachable as http://outserver/secretfolder/ with NT security permissions set. The folder "secretfolder" can only be read by the system and by a user named "foo". Now, without Tomcat, the user "foo" can access the contents of the folder "secretfolder"; all other users will get "access denied".
We use NTLM for authentication (so the browser [IE 5.x] automatically sends the current NT user's account to the web server).
Now, we put a file named "testme.jsp" into "secretfolder" and try to open it from an NT user's account named "bar". IIS now redirects to Tomcat without checking any permissions, and Tomcat returns the result of "testme.jsp". But, in our opinion, this should not happen!!!
The user "bar" also has to get an "access denied" error! So, Tomcat bypasses NT security!
Does anybody have a solution for that?
Bye bye
Christian Schulz
