If you ask for /path/to/some.JSP, you will see the source code of the jsp, since the jsp compiler is mapped to *.jsp (and not *.JSP).
Thus, someone can see the internal workings of your jsp and make 'better' hacking attempts. Is there something else about security you are concerned with?

-----Original Message-----
From: David Kerber [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:35 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive

Yes, that was me, and that's why I chimed in here. However, still nobody has explained in any detail how this is a security risk other than reducing the number of guesses you have to make to find static resources in a brute-force hacking attempt...

Tim Lucia wrote:
> I am sure I have seen this before on this list, and the answer I remember is that the case sensitivity part is only for file names.
> Servlet mappings are case-sensitive regardless because the spec says so.
>
> Read this as well, although it says "all case sensitivity checks will be disabled" it doesn't define "case sensitivity checks".
>
> http://tomcat.apache.org/tomcat-5.5-doc/config/context.html
>
> Read this too
>
> http://marc.theaimsgroup.com/?l=tomcat-user&m=114002237714355&w=2
>
> (David Kerber started this one.)
>
> -----Original Message-----
> From: David Delbecq [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 07, 2006 9:04 AM
> To: Tomcat Users List
> Subject: Re: How can I set tomcat NOT Case Sensitive
>
> Looking at code, it seems the casesensitive flag is used when a resource is loaded from filesystem (amongst others).
> If casesensitive is true, the absolute filename of loaded resource is compared to the requested resource (in filedircontext). If casesensitive is removed, anything accepted by new File() is returned as is. I don't know if the casesensitive flag is used by anything else than file loading.
>
> David Kerber wrote:
>> If it works that way (and I haven't tried it), then I would say that the caseSensitive="false" flag was not working as I would expect. I would expect that things defined for /MYNAME would work for /myname if caseSensitive was false.
>>
>> Can anybody tell me definitively how this security risk works?
>>
>> David Delbecq wrote:
>>> I suspect a call to /something.JSP will not go thru the jsp engine.
>>> I can also guess that calls the security constraints applied on /servlet will not apply on /SERVLET
>>>
>>> David Kerber wrote:
>>>> I've seen that notice, but could you explain to me how that works?
>>>> I don't see how this could cause any security issues, except for slightly reducing the number of attempts you would need in a brute-force hacking attempt.
>>>>
>>>> Dave
>>>>
>>>> David Delbecq wrote:
>>>>> Be careful, there are security issues with this (jsp code disclosure!)!!
>>>>>
>>>>> David Kerber wrote:
>>>>>> <Context caseSensitive="false">
>>>>>>
>>>>>> Buddy wu wrote:
>>>>>>> 2006/3/7, Long <[EMAIL PROTECTED]>:
>>>>>>>> Buddy wu wrote:
>>>>>>>>  I want to know there is any way to set tomcat NOT CASE SENSITIVE in URL
>>>>>>>>  I mean: when I write in browser's 'http://localhost/test.html' equals to 'http://localhost/TEST.htm'. Can I do it ? or just in WINDOWS can but Linux/unix can't?
>>>>>>>>
>>>>>>>> Right, url is case-insensitive under Windows because the file system
>>>>>>>
>>>>>>> But, the FACT is that under Windows the URL is CASE-SENSITIVE, not case-insensitive, why?
>>>>>>>
>>>>>>> I've tried, under Windows, test.html and TEST.html is different in tomcat server. Is there a parameter to set??
>>>>>>>
>>>>>>>> can't tell a difference between test.html and TEST.html. The difference is there under Linux/UNIX.
>>>>>>>>
>>>>>>>> Long
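The mechanism the thread circles around (case-sensitive servlet mappings and security constraints on one side, a case-insensitive filesystem plus caseSensitive="false" on the other) is easier to see in a small model than in prose. The script below is an added illustration written for this page, not Tomcat source: it models a Windows-style filesystem that opens /index.JSP and /index.jsp alike, the FileDirContext check as David Delbecq describes it (the requested name must equal the name the OS actually opened when caseSensitive is true), a case-sensitive *.jsp extension mapping, and a case-sensitive /admin/* security constraint. The webapp files, patterns and role names are constructed for the example. The constraint bypass on /ADMIN/... follows Delbecq's guess in the thread; the model shows why it would follow from the described behaviour, it does not establish that a particular Tomcat release behaves exactly so.

```python
"""Toy model of Tomcat request routing vs. Context caseSensitive="false".

Added example for this thread, not Tomcat code. Files, url-patterns and
roles below are constructed; the routing rules follow the thread.
"""

# Constructed webapp: request path -> file contents on disk.
WEBAPP_FILES = {
    "/index.jsp": '<%@ page %><%= "hello " + request.getRemoteUser() %>',
    "/admin/users.jsp": "<% /* admin-only page */ %>",
    "/css/site.css": "body { margin: 0 }",
}

# Deployment descriptor (web.xml); both tables are matched case-sensitively.
SERVLET_MAPPINGS = {"*.jsp": "jsp"}             # anything else -> default servlet
SECURITY_CONSTRAINTS = [("/admin/*", "admin")]  # url-pattern -> required role


def os_open(path, case_insensitive_fs):
    """Name the operating system actually opens for `path`, or None."""
    if path in WEBAPP_FILES:
        return path
    if case_insensitive_fs:  # Windows/NTFS-style lookup ignores case
        for real in WEBAPP_FILES:
            if real.lower() == path.lower():
                return real
    return None


def lookup_resource(path, case_sensitive, case_insensitive_fs):
    """FileDirContext model: with caseSensitive="true" a hit that only
    exists because the OS ignored case is reported as missing."""
    real = os_open(path, case_insensitive_fs)
    if real is None or (case_sensitive and real != path):
        return None
    return real


def required_role(path):
    """Security-constraint match, case-sensitive like the servlet mapper."""
    for pattern, role in SECURITY_CONSTRAINTS:
        if pattern.endswith("/*") and path.startswith(pattern[:-1]):
            return role
        if pattern == path:
            return role
    return None


def mapped_servlet(path):
    """Extension mapping, case-sensitive: '*.jsp' does not match '.JSP'."""
    for pattern, servlet in SERVLET_MAPPINGS.items():
        if pattern.startswith("*.") and path.endswith(pattern[1:]):
            return servlet
    return "default"


def handle_request(path, user_roles=(), case_sensitive=True, case_insensitive_fs=True):
    """Return (status, servlet, body) for a request to `path`."""
    role = required_role(path)
    if role is not None and role not in user_roles:
        return ("403", None, None)
    real = lookup_resource(path, case_sensitive, case_insensitive_fs)
    if real is None:
        return ("404", None, None)
    servlet = mapped_servlet(path)
    if servlet == "jsp":
        # JspServlet compiles and runs the page; the client gets output, not source.
        return ("200", "jsp", "<rendered output of %s>" % real)
    # DefaultServlet streams the file bytes as a static resource.
    return ("200", "default", WEBAPP_FILES[real])


def source_disclosed(path, **kw):
    """True when raw JSP text is sent to the client."""
    status, servlet, body = handle_request(path, **kw)
    return status == "200" and servlet == "default" and body.lstrip().startswith("<%")


if __name__ == "__main__":
    # Windows, caseSensitive="false": /index.JSP misses the *.jsp mapping,
    # the default servlet still finds the file and ships the source.
    print(handle_request("/index.JSP", case_sensitive=False))
    # Windows, default caseSensitive="true": the name mismatch yields 404.
    print(handle_request("/index.JSP", case_sensitive=True))
    # The constraint on /admin/* never sees /ADMIN/..., yet the JSP runs.
    print(handle_request("/ADMIN/users.jsp", case_sensitive=False))
    # Linux: the filesystem itself refuses the wrong case, flag or no flag.
    print(handle_request("/index.JSP", case_sensitive=False, case_insensitive_fs=False))
```

Running it prints the four cases in order: source disclosure via the default servlet, a 404 with the default setting, an unauthenticated run of the admin page, and a 404 on a case-sensitive filesystem. The two things worth taking from the model are exactly the thread's two points: the risk only exists where the filesystem is case-insensitive, and the flag that prevents it is the default value of caseSensitive, so the mitigation is to leave it alone (or, if it must be off, to reject requests whose path differs in case from the canonical name before any servlet sees them).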