2006/3/8, David Kerber <[EMAIL PROTECTED]>:
> You're welcome. That tradeoff between security and usability is a
> decision only you and your users can make, but I like to have the option
> to make that tradeoff if necessary.
>
> Dave
Thanks Dave! I said that yesterday only to describe only what I w
> >
> This only applies to resource url, not servlet url, neither filters,
> nor security-constraint.
that's what I want to confirm.
>
> >and the security problem that someone has said, I think it may not be
> >so important. If a hacker want to detect your site, I think he will
> >test all posibl
Hadraba Petr wrote:
>Sorry,
>for my posting, but
>
>
>
>>That's not where security problem lies:
>>Let's assume your public site is at
>>http:index.jsp
>>if casesensitiveness is deactivated and you are using a case sensitive
>>filesystem (like the microsoft ones), accessing
>>
>>
>
>N
You're welcome. That tradeoff between security and usability is a
decision only you and your users can make, but I like to have the option
to make that tradeoff if necessary.
Dave
Buddy wu wrote:
2006/3/7, David Kerber <[EMAIL PROTECTED]>:
thanks a lot. it worked.
and I think som
Sorry,
for my posting, but
On 3/8/06, David Delbecq <[EMAIL PROTECTED]> wrote:
> Buddy wu wrote:
>
> >2006/3/7, David Kerber <[EMAIL PROTECTED]>:
> >
> >
> >>
> >>
> >>
> >thanks a lot. it worked.
> >and I think someone discussed other problem of these question maybe
> >right. but my goal is on
Buddy wu wrote:
>2006/3/7, David Kerber <[EMAIL PROTECTED]>:
>
>
>>
>>
>>
>thanks a lot. it worked.
>and I think someone discussed other problem of these question maybe
>right. but my goal is only to let tomcat's URL or URI (I don't know
>which is right, or all are right) case-insensitiv
2006/3/7, David Kerber <[EMAIL PROTECTED]>:
>
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't know
which is right, or all are right) case-insensitive. I don't care the
case-sensitive featur
Hi,
Sorry for the incorrect posting...
Regards,
Vikram
On 3/7/06, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Vikram Godse
> > Subject: Re: How can I set tomcat NOT Case Sensitive
> >
>
Peter Crowther wrote:
From: David Kerber [mailto:[EMAIL PROTECTED]
Ok, I see that, and it's kind of scary! That seems like a
pretty poor
design for the compiler not to handle that kind of change.
It ain't the compiler - the JSP compiler never gets invoked because the
mapping is case-se
> with?
>>
>>
>>
>> -Original Message-
>> From: David Kerber [mailto:[EMAIL PROTECTED] Sent: Tuesday, March
>> 07, 2006 9:35 AM
>> To: Tomcat Users List
>> Subject: Re: How can I set tomcat NOT Case Sensitive
>>
>> Yes, that was me
> From: David Kerber [mailto:[EMAIL PROTECTED]
> Ok, I see that, and it's kind of scary! That seems like a
> pretty poor
> design for the compiler not to handle that kind of change.
It ain't the compiler - the JSP compiler never gets invoked because the
mapping is case-sensitive, and the mappi
006 9:35 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive
Yes, that was me, and that's why I chimed in here. However, still nobody
has explained in any detail how this is a security risk other than reducing
the number of guesses you have to make to find static resour
> From: Tim Lucia [mailto:[EMAIL PROTECTED]
> If you ask for /path/to/some.JSP, you will see the source
> code of the jsp,
> since the jsp compiler is mapped to *.jsp (and not *.JSP).
Presumably [I haven't tested this] detection of accesses to WEB-INF and
META-INF will also fail, exposing the we
erned
with?
-Original Message-
From: David Kerber [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:35 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive
Yes, that was me, and that's why I chimed in here. However, still nobody
has explained in any detai
D]
Sent: Tuesday, March 07, 2006 9:04 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive
Looking at code, it seems the casesensitive flag is used when a resource
is loaded from filesystem (amongst others).
if casesensitive is true, the absolute filename of loaded
q [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:04 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive
Looking at code, it seems the casesensitive flag is used when a resource
is loaded from filesystem (amongst others).
if casesensitive is true, the absolut
Would that mean that it only applies to stuff being read off the
filesystem, like .jsp's and other files? Therefore it wouldn't apply to
context paths, servlets, etc?
Thanks!
Dave
David Delbecq wrote:
Looking at code, it seems the casesensitive flag is used when a
resource is loaded from
Looking at code, it seems the casesensitive flag is used when a
resource is loaded from filesystem (amongst others).
if casesensitive is true, the absolute filename of loaded resource is
compared to the requested resource (in filedircontext). If
casesensitive is removed, anything accepted by ne
If it works that way (and I haven't tried it), then I would say that the
caseSensitive="false" flag was not working as I would expect. I would
expect that things defined for /MYNAME would work for /myname if
caseSensitive was false.
Can anybody tell me definitively how this security risk work
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Vikram Godse
> Subject: Re: How can I set tomcat NOT Case Sensitive
>
> Can anybody tell me where the problem lies?
The problem lies in hijacking someone else's mailing list thread. Start
your own if you
Hi,
I am running Apache Tomcat/5.5.12 with JVM 1.5.0-b64. My O/S is RHEL4.0
ES. My hardware configuration is as follows
Intel Xeon 3.0Ghz Dual CPU
RAM 4gb
I am running a JSP and Servlets based application with connectivity
to MySQL 5 for database access.
I am facing a problem, when my user sessions(
I suspect a call to /something.JSP will not go thru the jsp engine.
I can also guess that calls the security constraints applied on /servlet
will not apply on /SERVLET
David Kerber wrote:
> I've seen that notice, but could you explain to me how that works? I
> don't see how this could cause
I've seen that notice, but could you explain to me how that works? I
don't see how this could cause any security issues, except for slightly
reducing the number of attempts you would need in a brute-force hacking
attempt.
Dave
David Delbecq wrote:
Be careful, there are security issues wit
Be careful, there are security issues with this (jsp code disclosure!)!!
David Kerber wrote:
>
>
>
> Buddy wu wrote:
>
>> 2006/3/7, Long <[EMAIL PROTECTED]>:
>>
>>
>>> Buddy wu wrote:
>>> I want to know there is any way to set tomcat NOT CASE
>>> SENSITIVE in URL
>>> I mean: when I
I believe the case sensitivity is per spec and there aren't any settings
to change it.
One possibility (this is untested) is to wrap the request in your own
request wrapper and then override the methods that provide different
components of the request URI to normalize case. Use a request filter
Buddy wu wrote:
2006/3/7, Long <[EMAIL PROTECTED]>:
Buddy wu wrote:
I want to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can
2006/3/7, Long <[EMAIL PROTECTED]>:
> Buddy wu wrote:
> I want to know there is any way to set tomcat NOT CASE SENSITIVE in URL
> I mean: when I write in browser's 'http://localhost/test.html'
> equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
> WINDOWS can but Linux/unix
Buddy wu wrote:
I want to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under
I want to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
thanks