Security problem

2005-09-12 Thread Gunnar Brading
When trying a recently unpacked 5.5.11, started with -security, I get an exception the first time I try to check the root index.jsp. Anyone know what I am doing wrong? Cheers, -- Gunnar Brading SEVERE: Servlet.service() for servlet org.apache.jsp.index_jsp threw exception java.security.AccessC

JAAS, Cookie, Tomcat Managed Security problem

2004-05-03 Thread Gagan Grewal
Hi, I am facing this problem while using Tomcat Managed security. I am using the JAASRealm and my own LoginModule ... works smoothly. It authenticates as well as authorizes. BUT, when a user has logged in from one computer, another user cannot login unless the first user logs out first ... C

Declarative security problem in Tomcat 4.1.12?

2002-11-08 Thread Brian Topping
Hi all! I'm seeing some strange behavior with declarative security. I've got everything set up and working correctly under jboss-3.0.4_tomcat-4.1.12, when I access a protected resource, the login page is invoked, the container goes out to the database, looks up the user, sets up the session, and

Re: Help Urgently needed, Security problem

2002-09-27 Thread ed banfa
> > > /secure/* > > > > > > manager > > tomcat > > CONFIDENTIAL > BASIC User Basic Authentication > > > manager > > > > > - Original Message - From: "ed banfa" To: Sent: Thursday, September 26, 2002

Re: Help Urgently needed, Security problem

2002-09-26 Thread Rick Fincher
; > manager > > > > > - Original Message - From: "ed banfa" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, September 26, 2002 3:23 PM Subject: Help Urgently needed, Security problem > Hi , > > How is everyone doing, hope ok.

Help Urgently needed, Security problem

2002-09-26 Thread ed banfa
Hi , How is everyone doing, hope ok. I have this problem with trying to use Basic authentication with my web app. I have Tomcat 4.1.10 up and running on win 2000 machine using j2sdk1.4. Tomcat is listening on port 8443 for SSL connections. I would like the browser to display a login box to t

RE: Tomcat Security Problem Help (using mod_jk)

2002-09-25 Thread Rossen Raykov
Do not mount /servlet/* but only the servlets that your application is really using. Regards, Rossen Raykov > -Original Message- > From: Ramilio D [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, September 25, 2002 12:30 AM > To: [EMAIL PROTECTED] > Subject: Tomcat Securi

Re: Tomcat Security Problem Help (using mod_jk)

2002-09-25 Thread Milt Epstein
On Wed, 25 Sep 2002, Ramilio D wrote: > Hi Everyone, > > I read in the Bugtraq posting that I could fix the source code > exposure vulnerability in tomcat by modifying the JkMount > directive. I took a quick look at some documentation but I couldn't > figure out how to allow apache serve servlets

Tomcat Security Problem Help (using mod_jk)

2002-09-24 Thread Ramilio D
Hi Everyone, I read in the Bugtraq posting that I could fix the source code exposure vulnerability in tomcat by modifying the JkMount directive. I took a quick look at some documentation but I couldn't figure out how to allow apache serve servlets yet disallow those containing the org.apache.c

security problem, 4.04

2002-06-26 Thread Oleg Tkachenko
Hello! I have some security problem on my web hosting using tomcat 4.04. It seems to me java classes loaded from WEB-INF/classes have many more permissions than those loaded from jars in WEB-INF/lib. My hosting admin said my policy is grant codeBase "file:/home/virtual/site16/fst/var/www

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
HTTPS alone won't help much in the described scenario. HTTPS can't ensure that the user is not manipulating the request. To disable that you have to sign the data. I think it's better to use a completely different architecture. If this has to be done with EJB as you suggest, a WebService

Re: AW: Security problem?

2002-06-07 Thread peter lin
There's been a lot of discussion already regarding Public Key Cryptography. Just to make sure I am reading your post correctly, the process is the following: 1. user adds items to shopping cart on e-commerce server A 2. when user is ready to check out, the following process occurs. e-commer

AW: AW: Security problem?

2002-06-07 Thread Power-Netz (Schwarz)
> Hi all, > > thanks for your advices. > > Well, I have never worked with encryption. Well I know what is > RSA, but how > can I implement it? Do I have to install something? What have I to use to > implement and use an RSA algorithm? javax.crypto classes could help you. M.Schwarz -- To unsu

AW: Security problem?

2002-06-07 Thread Power-Netz (Schwarz)
> > In response to M. Schwarz, with public key encryption schemes > know the clear > text of really doesn't help very much at cracking the private key. Besides > which, the user (presumably) knows what the price of the thing > they are buy > anyway right? So they know what the cleartext of the mes

Re: AW: Security problem?

2002-06-07 Thread Laura
Hi all, thanks for your advices. Well, I have never worked with encryption. Well I know what is RSA, but how can I implement it? Do I have to install something? What have I to use to implement and use an RSA algorithm? Thanks Laura At 11:33, Friday 7 June 2002, Power-Netz (Schwar

AW: Security problem?

2002-06-07 Thread Ralph Einfeldt
ebService over HTTPS or any other server2server communication is a different topic) > -Original Message- > From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] > Sent: Friday, 7 June 2002 11:14 > To: Tomcat Users List > Subject: Re: Security problem? > >

RE: Security problem?

2002-06-07 Thread Barney Hamish
help. Hamish -Original Message- From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 11:31 AM To: Tomcat Users List Subject: Re: Security problem? > > So, what is suggested is that the "shopping cart" server creates the final > >

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 2:30 AM, "Nikola Milutinovic" <[EMAIL PROTECTED]> wrote: > Just as Barney Hamish pointed out, with RSA (and I think DSA) keys, you can > encrypt/decrypt both ways. It is just that these two modes of operation have > been established as common. And yes, a signed object is not encrypted.

AW: Security problem?

2002-06-07 Thread Power-Netz (Schwarz)
> > This is one way, there are probably others. By using encryption > you can make > such a transaction secure. > If site X is where they buy the thing and site Y is your site: > > You could get site X to pass two things: > - the amount of money the user is to pay in clear text > - the amount of m

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
> > So, what is suggested is that the "shopping cart" server creates the final > > payment report and signs it with its private key/certificate. The "financial > > transaction" server would verify that *that* is an authentic request from the > > "shopping cart" server. > > Ok, it was signi

Re: Security problem?

2002-06-07 Thread Phillip Morelock
Original Message- > From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] > Sent: Friday, June 07, 2002 11:14 AM > To: Tomcat Users List > Subject: Re: Security problem? > > >> On 6/7/02 1:54 AM, "Barney Hamish" <[EMAIL PROTECTED]> wrote: >> >

RE: Security problem?

2002-06-07 Thread Barney Hamish
r is the public key. Both can be used to encrypt the data in analogous ways. -Original Message- From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 11:14 AM To: Tomcat Users List Subject: Re: Security problem? > On 6/7/02 1:54 AM, "Barney Hamish&quo

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 2:14 AM, "Nikola Milutinovic" <[EMAIL PROTECTED]> wrote: >> On 6/7/02 1:54 AM, "Barney Hamish" <[EMAIL PROTECTED]> wrote: >> >>> - the amount of money the user is to pay encrypted with the private key of >>> site X as a digest. >>> >>> On site Y you receive both. You decrypt the encry

Re: Security problem?

2002-06-07 Thread Nikola Milutinovic
> On 6/7/02 1:54 AM, "Barney Hamish" <[EMAIL PROTECTED]> wrote: > > > - the amount of money the user is to pay encrypted with the private key of > > site X as a digest. > > > > On site Y you receive both. You decrypt the encrypted amount with site X's > > public key. If the clear text amou

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 1:54 AM, "Barney Hamish" <[EMAIL PROTECTED]> wrote: > - the amount of money the user is to pay encrypted with the private key of > site X as a digest. > > On site Y you receive both. You decrypt the encrypted amount with site X's > public key. If the clear text amount matches the encry

RE: Security problem?

2002-06-07 Thread Barney Hamish
he request. If the amounts differ then you know the user has tampered with the request and it should be rejected. Hamish -Original Message- From: Laura [mailto:[EMAIL PROTECTED]] Sent: Friday, June 07, 2002 10:47 AM To: [EMAIL PROTECTED] Subject: Security problem? Hi all, it might be tha

Re: Security problem?

2002-06-07 Thread Phillip Morelock
On 6/7/02 1:47 AM, "Laura" <[EMAIL PROTECTED]> wrote: > Hi all, > > it might be that I have a security problem and you should tell me if I am > right. > Well, I have a server with an ecommerce application: a user can buy > something and when he has to pay

AW: Security problem?

2002-06-07 Thread Power-Netz (Schwarz)
> -Original Message- > From: Laura [mailto:[EMAIL PROTECTED]] > Sent: Friday, 7 June 2002 10:47 > To: [EMAIL PROTECTED] > Subject: Security problem? > > > Hi all, > > it might be that I have a security problem and you should tell me if I am &g

Security problem?

2002-06-07 Thread Laura
Hi all, it might be that I have a security problem and you should tell me if I am right. Well, I have a server with an ecommerce application: a user can buy something and when he has to pay the servlet of the web application executes a redirect to my servlet (in a different server) passing me
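The replies in this thread converge on one design: the shopping-cart server (site X) signs the payment report with its private key, the report and signature travel through the user's browser, and the payment server (site Y) verifies them with X's public key, so a changed amount no longer matches the signature. The following is an added example of that exchange, not code from any poster on this thread. It assumes RSA-PSS over SHA-256 as the signature scheme (the thread only says "RSA"), a fixed canonical byte layout for the report, and an order ID in the signed data; the order ID is not in the thread, it is added so that site Y can also refuse a replayed copy of a genuine signed report.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// PaymentReport is what site X hands to site Y through the user's browser.
// Field names are assumptions for this example; the thread only names the amount.
type PaymentReport struct {
	OrderID  string // unique per order, so Y can reject a replayed signed report (added here)
	Amount   string // decimal string such as "49.90"; never a float, which would not round-trip
	Currency string
}

// canonical returns the exact bytes that get signed. X and Y must build
// them identically, hence the fixed field order and separator.
func (r PaymentReport) canonical() []byte {
	return []byte(strings.Join([]string{r.OrderID, r.Amount, r.Currency}, "\n"))
}

// SignReport runs on site X with X's private key. This is what the thread
// calls "encrypting with the private key": a signature over the hash of the
// report, with PSS padding.
func SignReport(priv *rsa.PrivateKey, r PaymentReport) (string, error) {
	digest := sha256.Sum256(r.canonical())
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyReport runs on site Y with X's public key. It is true only when the
// report is byte-for-byte what X signed; a changed amount fails.
func VerifyReport(pub *rsa.PublicKey, r PaymentReport, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(r.canonical())
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo walks the exchange with a constructed report: X signs, Y verifies the
// genuine copy, then Y verifies a copy whose amount the user lowered.
// It returns (genuineVerifies, tamperedVerifies).
func Demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	report := PaymentReport{OrderID: "A-1001", Amount: "49.90", Currency: "EUR"}
	sig, err := SignReport(priv, report)
	if err != nil {
		return false, false, err
	}
	genuine := VerifyReport(&priv.PublicKey, report, sig)

	tampered := report
	tampered.Amount = "0.01" // the user edits the redirect parameters in transit
	forged := VerifyReport(&priv.PublicKey, tampered, sig)
	return genuine, forged, nil
}

func main() {
	genuine, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine report verifies:", genuine)
	fmt.Println("tampered amount verifies:", forged)
}
```

Site Y should treat a failed verification as an attack, not a retry, and should record the order ID of every accepted report so that a second presentation of the same signed report is rejected; HTTPS between browser and server adds nothing to either check, which is the point Nikola makes above.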

Security problem with 4.0.2

2002-03-19 Thread Lawlor, Frank
When I start tomcat 4.0.2 with the -security option I get the errors below. If I move it to server\lib the tomcat startup problems go away, but the app startup gets SAX classNotFound errors. After the error info is the first part of the output with set CATALINA_OPTS=-Djava.security.debug=all -

Security problem...

2001-11-19 Thread Jean-Luc BEAUDET
Hi I have Apache1317 and Tomcat 4.01-dev installed on SOLARIS 6. They are connected thru mod_webapp.so. All is going well, but i don't know how to build security directives concerning the project deployed under TomcatDir/webapps dir. I mean how can i put in Apache (?) some Directives concerning

Security problem....

2001-09-24 Thread Mikael Aronsson
Hi ! When I try to run this from an applet: URL df = getCodeBase(); iconReport = new ImageIcon( new URL( df, "images/i_report.gif")); I Get: java.security.AccessControlException: access denied (java.io.FilePermission images/i_report.gif read) at java.security.AccessControlContext.checkPermissio

Re: Weird thread/security problem

2001-07-26 Thread Craig R. McClanahan
On Thu, 26 Jul 2001, Sam Joseph wrote: > > I guess I have two options, either make the servlet implement the > SingleThreadModel interface, or create some new classes to encapsulate the > appropriate data, and either store that in the session or in some instance > variable like a hashtable ...

Re: Weird thread/security problem

2001-07-26 Thread Craig R. McClanahan
Tomcat runs multiple individual threads per *request*, not per *user*. 99.9% of the time, this kind of thing is caused by application programming errors related to threading. For example, if you use an instance variable in a servlet to store information specific to a particular request, and acce

Re: Weird thread/security problem

2001-07-26 Thread Dmitri Colebatch
Application wide content should be stored in the context, not as servlet variables. This is because if the servlets are load balanced across multiple jvms, or if servlets implement the SingleThreadModel then tomcat will need to ensure that all instances of servlets on all jvms share the one obje

Re: Weird thread/security problem

2001-07-26 Thread Sam Joseph
ursday, July 26, 2001 11:18 AM > To: [EMAIL PROTECTED] > Subject: Weird thread/security problem > > Hi, > > So I think this is a thread/security issue, but I am not sure. However > it is definitely weird. > > I have been conducting some tests with multiple users. Various

Re: Weird thread/security problem

2001-07-26 Thread Francis Pallini
Hi, Application-wide data (within a container in the case of balanced servers) can be put in instance variables, but access must then be synchronized. User-related data must be put in the session object... Regards, Francis Pallini At 06:18 PM 7/26/01 +0900, you wrote: >Hi, > >So I think this

RE: Weird thread/security problem

2001-07-26 Thread Michael Weissenbacher
26, 2001 11:18 AM To: [EMAIL PROTECTED] Subject: Weird thread/security problem Hi, So I think this is a thread/security issue, but I am not sure. However it is definitely weird. I have been conducting some tests with multiple users. Various servlets are contacted that supply pages to each

Weird thread/security problem

2001-07-26 Thread Sam Joseph
Hi, So I think this is a thread/security issue, but I am not sure. However it is definitely weird. I have been conducting some tests with multiple users. Various servlets are contacted that supply pages to each user, that include information such as user name etc. The version of tomcat in use

Re: Security Problem with Tomcat

2001-04-04 Thread Mike Spreitzer
The best description I have seen is at . That's Bugtraq ID 2518. I was using Tomcat 3.2.1 on UNIX systems, and it had the bug. I have updated to Tomcat 3.2.2b2, and the bug is gone there. I am using Tomcat directly, not through Apache. I do not know

Security Problem with Tomcat

2001-04-03 Thread davea
Hi, I've been reading the recent security reports concerning TOMCAT and I'm a little bit confused, so I'm hoping someone can explain them to me. I saw where you can walk the directory structure of your TOMCAT server. From what I've seen, the problem was on a WIN2K box with 3.2.1 using the TOM

Re: Deny web-inf access (security problem)

2000-12-21 Thread Paul Gonin
pitalisation of files, but you should make sure > that at the "DOS" level, the capitalisation is actually correct. > > Regards, > > Simon > >> -Original Message----- >> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] >> Sent: Wednesday, December 20, 2000 12:58 AM

Re: Deny web-inf access (security problem)

2000-12-21 Thread Craig R. McClanahan
Paul Gonin wrote: > Hi, > > I have a JSP that uses a bean. It uses the following directory structure : > webapps/myapply/myapply.jsp > webapps/myapply/web-inf/classes/mybean.class > > It works fine but I am annoyed that people can download the bean directly > and "access" its content beca

RE: Deny web-inf access (security problem)

2000-12-20 Thread Kitching Simon
] [SMTP:[EMAIL PROTECTED]] > Sent: Wednesday, December 20, 2000 12:58 AM > To: [EMAIL PROTECTED] > Subject: RE: Deny web-inf access (security problem) > > Set up a directory outside your tomcat directory to contain java class > files, and include that directory in you

RE: Deny web-inf access (security problem)

2000-12-19 Thread guyr
: [EMAIL PROTECTED] Subject: Deny web-inf access (security problem) Hi, I have a JSP that uses a bean. It uses the following directory structure : webapps/myapply/myapply.jsp webapps/myapply/web-inf/classes/mybean.class It works fine but I am annoyed that people can download the bean directly

Re: Deny web-inf access (security problem)

2000-12-19 Thread mayan
mcat-user To: [EMAIL PROTECTED] cc: (bcc: Yanbin Ma/SYS/NYTIMES) Subject: Deny web-inf access (s

Re: Deny web-inf access (security problem)

2000-12-19 Thread William Brogden
Paul Gonin wrote: > > Hi, > > I have a JSP that uses a bean. It uses the following directory structure : > webapps/myapply/myapply.jsp > webapps/myapply/web-inf/classes/mybean.class > > It works fine but I am annoyed that people can download the bean directly > and "access" its conten

Deny web-inf access (security problem)

2000-12-19 Thread Paul Gonin
Hi, I have a JSP that uses a bean. It uses the following directory structure : webapps/myapply/myapply.jsp webapps/myapply/web-inf/classes/mybean.class It works fine but I am annoyed that people can download the bean directly and "access" its content because it contains critical informa
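This thread turns on two points: the container must never serve anything under WEB-INF (so the bean class cannot be downloaded), and, as Simon notes above, on a case-insensitive filesystem a request for web-inf, Web-Inf or WEB-INF reaches the same directory, so the check has to be case-insensitive too. The following is an added example of such a request-path check, not code from any poster and not Tomcat's own implementation, which enforces this rule itself. It assumes the check sits in front of a static-file handler, that the path has already been extracted from the request line, and that the Windows habit of ignoring trailing dots and spaces in a directory name (WEB-INF. resolves to WEB-INF) is worth defending against as well.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// forbidden names the directories a servlet container must never serve
// directly. They are compared case-insensitively because on a
// case-insensitive filesystem web-inf and WEB-INF are the same directory.
var forbidden = []string{"WEB-INF", "META-INF"}

// normalize percent-decodes the request path once, turns backslashes into
// slashes, and collapses "." and ".." so that /%57EB-INF/, /x/../WEB-INF/ and
// \WEB-INF\ are all judged on what they resolve to, not on how they were typed.
// It decodes only once: a second decode would disagree with what the server
// itself does and is how double-encoding bypasses arise.
func normalize(reqPath string) (string, bool) {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", false // malformed %-escape: refuse rather than guess
	}
	if strings.IndexByte(decoded, 0) >= 0 {
		return "", false // embedded NUL would truncate the name at the OS level
	}
	decoded = strings.ReplaceAll(decoded, "\\", "/")
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	return path.Clean(decoded), true
}

// IsForbidden reports whether the request path, after normalization, passes
// through WEB-INF or META-INF at any depth. Unparseable paths are refused.
func IsForbidden(reqPath string) bool {
	cleaned, ok := normalize(reqPath)
	if !ok {
		return true
	}
	for _, seg := range strings.Split(cleaned, "/") {
		// Windows resolves "WEB-INF." and "WEB-INF " to WEB-INF (assumption
		// stated in the lead-in), so strip those before comparing.
		seg = strings.TrimRight(seg, ". ")
		for _, f := range forbidden {
			if strings.EqualFold(seg, f) {
				return true
			}
		}
	}
	return false
}

func main() {
	for _, p := range []string{
		"/myapply/myapply.jsp",
		"/myapply/web-inf/classes/mybean.class",
		"/myapply/%57EB-INF/web.xml",
		"/myapply/images/../WEB-INF./web.xml",
	} {
		fmt.Printf("%-45s forbidden=%v\n", p, IsForbidden(p))
	}
}
```

The check is deliberately conservative: any path segment that folds to WEB-INF or META-INF is refused, even one that a later ".." would back out of, and anything the decoder cannot parse is refused as well. A probe with the four paths in main, plus the same paths with mixed case and a trailing dot, is a quick way to confirm that a front-end web server or proxy placed in front of the container is not more permissive than the container itself.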

Re: Tomcat 4.0 Milestone 4 - cocoon security problem?

2000-11-02 Thread Ray Allis
"Craig R. McClanahan" wrote: > > Could you try me an experiment? > > * Comment out the declaration > for the JSP servlet in > $CATALINA_HOME/conf/web.xml I must not be commenting correctly; if I comment this out I get "Page contains no data" on http://memes.sea.boeing.com:8080 (index.htm

Re: [ANNOUNCE] Tomcat 4.0 Milestone 4 - cocoon security problem?

2000-11-02 Thread Craig R. McClanahan
Ray Allis wrote: > "Craig R. McClanahan" wrote: > > > > We're pleased to announce the availability of milestone 4 of the Tomcat > > 4.0 servlet container and JSP engine. Compared to milestone 3, this > > release reflects the following changes: > > > Come and get it! > > Got it! Ooops! I lost

Re: [ANNOUNCE] Tomcat 4.0 Milestone 4 - cocoon security problem?

2000-11-02 Thread Ray Allis
"Craig R. McClanahan" wrote: > > We're pleased to announce the availability of milestone 4 of the Tomcat > 4.0 servlet container and JSP engine. Compared to milestone 3, this > release reflects the following changes: > Come and get it! Got it! Ooops! I lost cocoon! 2872427 Oct 31 09:38 ../