I think that your question is really about server-side security for web apps in general. All of your questions can apply to any web application regardless of the technology being used (e.g. asp, php, cfm). A good place to start would be Java Pro Magazine. Two issues ago - cover page about securing the server side in Java. That's as good a place as any to start.

GL!
- r

> -----Original Message-----
> From: Greg Callaghan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 01, 2001 2:26 AM
> To: [EMAIL PROTECTED]
> Subject: Guide to developing secure tomcat/jsp web apps - help ??
>
> Hi all,
>
> It would be very useful to have a checklist or guidelines to ensure a
> JSP/tomcat web site one develops is secure, in particular for the scenario
> where the web application is not huge/complex &/or is developed by part-time
> developers. That is, I guess I'm generally asking for the easiest way of
> ensuring one develops a secure JSP/tomcat app.
>
> Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web
> app is secure? The types of things I'm thinking of include the following
> items, which I've put forward as specific questions to the mail group in
> their own right.
>
> Q2 - How do you ensure directories under doc root can't be viewed? (ie
> users see directory listings)
> - is putting an index.html in each sub-directory a solid answer?
> - can this be handled in one hit via WEB.XML entries? If so, an example if
> possible?
>
> Above and beyond basic user authentication checking (eg username/password
> check at beginning of session), what is an easy but secure way of
> checking:
>
> Q3 - check that the user (ie a specific one) is allowed to access a specific
> JSP page? (assuming the web app is a totally JSP based solution, ie no
> controller servlet frontend, and that all JSP pages are effectively
> accessible under docroot). Easy way of doing this?
> eg (a) put a specific check at the beginning of each JSP page?
> (b) other?
>
> and
>
> Q4 - given that a user is allowed to access that JSP page, check that he is
> allowed to view the data which he has requested? (ie stop people
> determining how the URL with parameters is constructed and manually changing
> the parameters - eg changing "http://www.test/test.jsp?id=3" manually to
> "http://www.test/test.jsp?id=4"). Easy way of doing this?
> eg (a) put a specific check at the beginning of the JSP page?
> (b) other?
>
> Q5 - Is it generally acceptable, given appropriate precautions are taken, to
> set up a web site with all JSP files accessible under doc root, and that the
> manner in which the user navigates around the application is based on direct
> calls from the browser to the next JSP page with parameters? (again, one
> concern I have is eg changing "http://www.test/test.jsp?id=3" manually to
> "http://www.test/test.jsp?id=4"). If this is not acceptable, what is
> recommended?
>
> (a) as above, put a specific check at the beginning of the JSP page
> (b) for example, having to specifically put a controller servlet as a front
> end, and then direct to JSP pages which are hidden?
> - in this case how can one hide specific directories under doc root?
> (c) other??
>
> Q6 - Regarding image security, I assume one really does have to store them
> outside doc root and develop a small "getImage" servlet so that requests to
> images can be verified to ensure that (assuming the app lets users load
> images) the end user can't see another user's image?
>
> Q7 - Any other general checklist items for a simple JSP/tomcat web site re
> security one should check for???
>
> Thanks in advance
> Greg
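Taking Q4 from the quoted question (the ?id=3 changed to ?id=4 case) as an added example, not code from this thread or from Tomcat: a small helper that a JSP can call at the top of the page so that the record lookup is scoped to the logged-in user inside the query itself. The table and column names (records, id, owner, body) and the use of container-managed authentication (getRemoteUser) are assumptions.

```java
// Added example: owner-scoped record lookup so that editing the id parameter
// in the URL cannot expose another user's row. Schema names are assumed.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Usage at the top of test.jsp (scriptlet):
 *   String user = RecordGuard.requireUser(request, response);
 *   if (user == null) return;
 *   int id = RecordGuard.parseId(request.getParameter("id"));
 *   String body = (id < 0) ? null : RecordGuard.loadOwnedRecord(db, id, user);
 *   if (body == null) { response.sendError(404); return; }
 */
public final class RecordGuard {

    /** Returns the container-authenticated user, or sends 401 and returns null. */
    public static String requireUser(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getRemoteUser(); // populated by web.xml login-config auth
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
        return user;
    }

    /** Accepts only a positive integer id; anything else yields -1. */
    public static int parseId(String raw) {
        if (raw == null) return -1;
        try {
            int id = Integer.parseInt(raw.trim());
            return id > 0 ? id : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    /**
     * Loads the record only if it belongs to the caller. The ownership test is
     * part of the WHERE clause, so there is no read-then-check window, and a
     * missing row and someone else's row both return null (no id probing).
     */
    public static String loadOwnedRecord(Connection db, int id, String user)
            throws SQLException {
        String sql = "SELECT body FROM records WHERE id = ? AND owner = ?"; // assumed schema
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.setString(2, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("body") : null;
            }
        }
    }
}
```

The same helper answers Q3 if each page's query is scoped the same way; for whole directories of JSPs, a web.xml security-constraint with auth-constraint roles is the one-hit alternative to a per-page check.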