Hi Andrew,
I know that there were some security-related problems with 3.2.1 and certain
URLs. I think a bug was found and fixed right around the time of 3.2.2 beta
5. I would suggest upgrading to 3.2.2. It's very painless -- all config
files stay the same, just copy your old ones into your 3.2.2 install
directory and change TOMCAT_HOME. I'm not seeing the problem on my
installation (TC 3.2.2, Linux, apache, mod_jk).
Thanks,
--jeff
----- Original Message -----
From: "Andrew Robson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 16, 2001 1:39 PM
Subject: Re: Need workaround for Tomcat security.
> Jeff,
> TC 3.2.1 on linux.
> Apache and mod_jk
> It seems to me (without having had a chance to check)
> that this must be a misconfig at the apache
> and apache/tomcat end of things rather than a tomcat bug as such.
>
> Any thoughts? It would be a pretty big hole if it was a genuine
> bug.
>
> andrew
>
> On Mon, 16 Jul 2001, you wrote:
> > Andrew,
> >
> > What version of Tomcat did this affect Form-based authentication on? I tried
> > the URL patterns mentioned on my Form-based Realm, and the Realm worked
> > correctly -- no security problems. I'm using TC 3.2.2 on Linux.
> >
> > Thanks,
> > --jeff
> >
> > ----- Original Message -----
> > From: "Andrew Robson" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, July 16, 2001 7:29 AM
> > Subject: Re: Need workaround for Tomcat security.
> >
> >
> > > Hi,
> > > No workaround I'm afraid. I can confirm that the problem
> > > affects form-based JDBCRealm as well. Tried putting
> > > */admin/* into url pattern and broke security completely.
> > > I wonder whether a JkMount directive with appropriately
> > > placed wildcards might work but haven't had time to try.
> > > I'd be very interested if you find a solution.
> > > Presumably no-one on the list has one?
> > >
> > > andrew
> > >
> > > On Sun, 15 Jul 2001, you wrote:
> > > > Ok, I needed to put some security constraints on a directory, so I added this
> > > > to my web.xml:
> > > > <security-constraint>
> > > > <display-name>UQoS Amin Area</display-name>
> > > > <web-resource-collection>
> > > > <web-resource-name>UQoS Amin Area</web-resource-name>
> > > > <url-pattern>/admin/*</url-pattern>
> > > > </web-resource-collection>
> > > > I use BASIC authentication using the memory realm.
> > > > Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> > > > something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> > > > more slashes), all security checks are bypassed, anyone is let right in!
> > > > (The same thing happens always; try it with the 'security' example shipped with
> > > > Tomcat.)
> > > > Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
> > > > 3.2.1 and 3.2.2.
> > > > And I need it fixed as soon as possible. Does anyone know a workaround to
> > > > this one. (I'd rather not upgrade to Tomcat 4 yet, seems like it's fixed
> > > > here.)
> > > > --
> > > > Nils O. Selåsdal
> > > --
> > >
> > > Andrew Robson
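The bypass described in the quoted report is what happens when a container compares a `<url-pattern>` such as `/admin/*` against the raw request path, so that `//Admin/` never matches and no authentication is enforced. The example below is added here and is not code from the thread or from Tomcat; it shows a small matcher that canonicalises the path (collapsing repeated slashes and resolving `.` and `..`) before the pattern check, with the raw-path behaviour kept beside it for comparison. The function names are my own.

```python
# Added illustration: canonicalise the request path before matching
# security-constraint url-patterns, so '//admin/' cannot slip past '/admin/*'.

def normalize_path(raw: str) -> str:
    """Return a canonical form of an absolute request path.

    Empty segments (repeated slashes) and '.' are dropped, '..' pops the
    previous segment, and any attempt to climb above the context root is
    rejected. posixpath.normpath is deliberately not used: on POSIX it keeps
    a leading '//' intact, which is exactly the case being defended against.
    """
    if not raw.startswith("/"):
        raise ValueError("request path must be absolute")
    segments = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the context root")
            segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if raw.endswith("/") and segments:
        norm += "/"          # keep the directory-style trailing slash
    return norm


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern matching: '/x/*' prefix, '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(patterns, raw_path: str, normalize: bool = True) -> bool:
    """True if the request path falls under any constraint pattern.

    normalize=False reproduces the unsafe raw-path comparison from the report.
    """
    path = normalize_path(raw_path) if normalize else raw_path
    return any(pattern_matches(p, path) for p in patterns)


if __name__ == "__main__":
    constraints = ["/admin/*"]            # constructed sample from the report
    for probe in ("/admin/", "//admin/", "///admin/index.jsp"):
        print(probe, "raw:", is_protected(constraints, probe, normalize=False),
              "normalized:", is_protected(constraints, probe))
```

Running the block prints the raw comparison missing every multi-slash probe while the normalised comparison catches all of them; a request whose path fails `normalize_path` should be answered with 400 rather than served.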