mpile tomcat after
doing so. Are there any hidden "gotchas" you can think of with doing that?
Thanks
Alex.
-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question
Thanks a lot for your reply. We'll see if we can persuade our security guys to
drop this issue.
Kind regards,
Alex.
-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 18 July 2005 2:50 AM
To: Tomcat Users List
Subject: Re: Tomcat security realms question
The problem you describe is true of any session tracking system running
over http. The solution is to use https.
However, here's a question to fire back at your security team:
"If you are worried about an attacker physically looking at a session ID
on a user's screen, what about if they decide
Hi all
I have a problem that's been raised by my security team to do with using
Tomcat JDBCRealms. We're using such realms to protect restricted resources. We
also have a custom login form. The steps Tomcat seems to follow when using such
a setup are:
1. Check to see if the user is logged
If you switch to using a realm, you can use wildcards in the constraints
so that they apply to a whole directory?
Whether this is useful obviously depends on whether you have all your JSPs
in the same directory, or you could have a *.jsp wildcard to cover all
JSPs. Will depend on your naming convent
Hi,
I have a web-app that defines different roles, so a
user does not have access to all JSPs/servlets in the
web-app, depending on his role. An admin user, e.g., can
see pages to edit data, while a 'normal' user can only
view it.
What's the best way to enforce this security?
I am no doing it by sto