> >
> This only applies to resource URLs, not servlet URLs, nor filters,
> nor security-constraints.
That's what I want to confirm.

>
> > And the security problem that someone mentioned, I think it may not be
> > so important. If a hacker wants to probe your site, I think he will
> > test all possible variants: JSP, Jsp, jSP and others.
> >
> That's not where the security problem lies:
> Let's assume your public site is at
> http://<yourserver>/<yourwebapp>/index.jsp
> If case-sensitivity is deactivated and you are using a case sensitive
> filesystem (like the Microsoft ones), accessing
> http://<yourserver>/<yourwebapp>/index.jsP will point to the same filesystem
> resource, but with one exception: it will not be handled by the JSP engine,
> and the requester will simply get the JSP source instead of the generated HTML
> (a JSP source could contain potentially critical information, like
> database connection details).

Oh, you mean that someone can get my SOURCE JSP file instead of the
generated HTML file? Right? I think it is a security problem; thanks, I
didn't realize it before.

>
> More dangerous: suppose your application has an admin interface located at
> http://<yourserver>/<yourwebapp>/admin/
> with a security-constraint in web.xml mapped to 'admin/*'. Any anonymous
> user can point his browser at 'AdMiN/' and will have access to the
> admin interface without authentication, bypassing security!

Really? And why can it bypass the security? Only because it can't be
handled by the JSP engine? Then if it can't be handled by the JSP engine, how can
one use the admin tools under 'admin/*'? Can you explain in more detail? Thanks.

> Of course it's not a problem if you have no JSPs, nor servlets,
> nor security constraints, that is, if you are serving only static content. But
> then, why use Tomcat?
>

I use this to set up an ArcIMS service, and I write servlets and use
Tomcat as the servlet engine. I don't want to combine Tomcat with
Apache or IIS to serve static HTML and servlets separately. But in
some ArcIMS pages, the link addresses they write (some .htm page or
generated HTML file) are in lower case (did I describe that right?), like
"install/install.htm", but the real file path is not lower case, it's
"Install/Install.htm", so I can't use Tomcat alone to serve it.

I don't know whether what I am doing will be harmful to my service. Can
anybody help me explain it?
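
As an added illustration (not part of the original thread, and not Tomcat's own code), the following Python model reproduces the two failure modes described in the quoted reply: a request such as `index.jsP` that is resolved to the real file case-insensitively but misses the case-sensitive `*.jsp` servlet mapping, so the raw source is served, and a request such as `AdMiN/index.jsp` that misses the exact-case `admin/*` security-constraint pattern. The file layout, the JSP suffix mapping, the protected prefix and the hardened `dispatch_canonical` variant (which matches the rules against the resolved file name instead of the request path) are all assumptions of this model, not Tomcat settings.

```python
# Added example (not from the original thread): a small model of how a
# case-insensitive resource lookup interacts with case-sensitive servlet
# mappings and security-constraint url-patterns. The webapp layout and the
# web.xml-like settings below are constructed for illustration.
from typing import Dict, List, Optional, Tuple

# Constructed webapp contents; the JSP "source" deliberately holds a secret
# so that disclosure of the raw file is visible in the result.
WEBAPP_FILES: Dict[str, str] = {
    "index.jsp": '<% String dbPassword = "s3cret"; %><html>public page</html>',
    "admin/index.jsp": "<html>admin tools</html>",
    "Install/Install.htm": "<html>ArcIMS install notes</html>",
}

# Hypothetical web.xml equivalents: *.jsp goes to the JSP servlet,
# everything under admin/ needs an authenticated user.
JSP_SUFFIX = ".jsp"
PROTECTED_PREFIXES: List[str] = ["admin/"]

Outcome = Tuple[str, Optional[str]]


def lookup_resource(path: str, case_sensitive: bool) -> Optional[str]:
    """Return the canonical file name for a request path, or None."""
    if case_sensitive:
        return path if path in WEBAPP_FILES else None
    folded = {name.lower(): name for name in WEBAPP_FILES}
    return folded.get(path.lower())


def constraint_blocks(name: str, authenticated: bool) -> bool:
    """Exact-case prefix match, like a url-pattern of admin/*."""
    return any(name.startswith(p) for p in PROTECTED_PREFIXES) and not authenticated


def dispatch(path: str, case_sensitive: bool, authenticated: bool = False) -> Outcome:
    """Request handling as the thread describes it: the constraint and the
    servlet mapping are matched against the request path as typed, while the
    file lookup may ignore case."""
    if constraint_blocks(path, authenticated):
        return ("401 authentication required", None)
    real = lookup_resource(path, case_sensitive)
    if real is None:
        return ("404 not found", None)
    if path.endswith(JSP_SUFFIX):
        return ("200 rendered by JSP engine", "<html>...rendered output...</html>")
    # Falls through to the default servlet, which streams the file verbatim.
    return ("200 raw file", WEBAPP_FILES[real])


def dispatch_canonical(path: str, authenticated: bool = False) -> Outcome:
    """Hardened variant (assumed, not a Tomcat option): resolve the file first,
    then apply the constraint and the servlet mapping to the canonical name,
    so case tricks in the request cannot change which rules apply."""
    real = lookup_resource(path, case_sensitive=False)
    if real is None:
        return ("404 not found", None)
    if constraint_blocks(real, authenticated):
        return ("401 authentication required", None)
    if real.endswith(JSP_SUFFIX):
        return ("200 rendered by JSP engine", "<html>...rendered output...</html>")
    return ("200 raw file", WEBAPP_FILES[real])


if __name__ == "__main__":
    requests = ["index.jsp", "index.jsP", "admin/index.jsp",
                "AdMiN/index.jsp", "install/install.htm"]
    for req in requests:
        insensitive = dispatch(req, case_sensitive=False)[0]
        canonical = dispatch_canonical(req)[0]
        print(f"{req:22} insensitive={insensitive:32} canonical={canonical}")
```

Running the block prints one line per request: with the case-insensitive lookup, `index.jsP` comes back as a raw file containing the database password and `AdMiN/index.jsp` is rendered without authentication, while the canonical variant renders `index.jsP`, rejects `AdMiN/index.jsp` with 401, and still serves `install/install.htm` from `Install/Install.htm`, which is the behaviour the ArcIMS links need.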
