Sorry for my posting, but

On 3/8/06, David Delbecq <[EMAIL PROTECTED]> wrote:
> Buddy wu wrote:
>
> >2006/3/7, David Kerber <[EMAIL PROTECTED]>:
> >
> >><Context caseSensitive="false">
> >>
> >thanks a lot. it worked.
> >and I think someone discussed other problem of these question maybe
> >right. but my goal is only to let tomcat's URL or URI (I don't know
> >which is right, or all are right) case-insensitive. I don't care the
> >case-sensitive feature in jsp or servlet file can work (maybe it MUST
> >case-sensitive, because of java language, but I don't care about
> >these. I just need URL is CASE-INSENSITIVE, and it will be ok to me)
> >
> This only applies to resource url, not servlet url, neither filters,
> nor security-constraint.
>
> >and the security problem that someone has said, I think it may not be
> >so important. If a hacker want to detect your site, I think he will
> >test all possible JSP Jsp jSP and others.
> >
> That's not where security problem lies:
> Let's assume your public site is at
> http://<yourserver>/<yourwebapp>/index.jsp
> if casesensitiveness is deactivated and you are using a case sensitive
> filesystem (like the microsoft ones), accessing

NTFS, FAT -- maybe they are case sensitive, but the filesystem layer is not. Try to create two files in one directory; one named a.txt and the second A.txt. The billboard occurs! On Unix systems this is possible -- Makefile is not makefile ;-)

> http://<yourserver>/<yourwebapp>/index.jsP will point to same filesystem
> resource, but with one exception, it will not be handled by jsp engine
> and requester will simply get the jsp source instead of generated html
> (a jsp source could contain potentially critical information like
> database connection information)
>
> More dangerous, suppose your application has an admin interface located at
> http://<yourserver>/<yourwebapp>/admin/
> with a security-constraint in web.xml mapped to 'admin/*', any anonymous
> user can have his browser point at 'AdMiN/' and will have access to
> admin interface without authentication, bypassing securities!
>
> Of course it's not a problem if you don't have jsps, neither servlets,
> nor security constraints, that is, if you are serving static content. But
> then, why use tomcat?
>
> >but thanks again, everyone
> >
> >>Buddy wu wrote:
> >>
> >>>2006/3/7, Long <[EMAIL PROTECTED]>:
> >>>
> >>>>Buddy wu wrote:
> >>>> I want to know there is any way to set tomcat NOT CASE SENSITIVE in
> >>>> URL
> >>>> I mean: when I write in browser's 'http://localhost/test.html'
> >>>>equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
> >>>>WINDOWS can but Linux/unix can't?
> >>>>
> >>>>Right, url is case-insensitive under Windows because the file system
> >>>>
> >>>But, the FACT is that under Windows the URL is CASE-SENSITIVE, not
> >>>case-insensitive, why?
> >>>
> >>>I've tried, under Windows, test.html and TEST.html is different in
> >>>tomcat server. Is there a parameter to set??
> >>>
> >>>>can't tell a difference between test.html and TEST.html. The difference
> >>>>is there under Linux/UNIX.
> >>>>
> >>>>Long
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>For additional commands, e-mail: [EMAIL PROTECTED]
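
Added example, not part of the original thread and not Tomcat's own code: a simplified Python model of the mismatch David Delbecq describes, where the security-constraint and JSP-mapping checks compare case exactly while resource lookup ignores case. The resource names and the `resolve`, `handle` and `audit` helpers are hypothetical, constructed for illustration.

```python
# Simplified model of the behaviour described in the thread; not Tomcat code.
# Constructed sample webapp: canonical resource paths as stored on disk.
RESOURCES = {"/index.jsp", "/admin/users.html", "/public/help.html"}
PROTECTED_PREFIXES = ("/admin/",)  # models url-pattern admin/* in web.xml
JSP_SUFFIX = ".jsp"                # models the *.jsp servlet mapping
# Constructed request paths used to compare both settings.
SAMPLE_REQUESTS = ["/index.jsp", "/index.jsP", "/admin/users.html",
                   "/AdMiN/users.html", "/public/help.html"]


def resolve(path, case_sensitive):
    """Return the canonical resource for a request path, or None."""
    if path in RESOURCES:
        return path
    if not case_sensitive:
        for canonical in RESOURCES:
            if canonical.lower() == path.lower():
                return canonical
    return None


def handle(path, authenticated=False, case_sensitive=True):
    """Classify one request: constraint check, lookup, then dispatch."""
    # Constraint and servlet-mapping matches are exact-case comparisons.
    constrained = path.startswith(PROTECTED_PREFIXES)
    if constrained and not authenticated:
        return "denied"
    resource = resolve(path, case_sensitive)
    if resource is None:
        return "not-found"
    if path.endswith(JSP_SUFFIX):
        return "jsp-executed"
    # No mapping matched the request path: the resolved file is served as-is.
    if resource.endswith(JSP_SUFFIX):
        return "jsp-source-served"
    if resource.startswith(PROTECTED_PREFIXES) and not constrained:
        return "protected-served-without-auth"
    return "static-served"


def audit(paths, case_sensitive):
    """List request paths whose outcome exposes JSP source or protected content."""
    bad = {"jsp-source-served", "protected-served-without-auth"}
    return [p for p in paths if handle(p, case_sensitive=case_sensitive) in bad]


if __name__ == "__main__":
    print("caseSensitive=false:", audit(SAMPLE_REQUESTS, case_sensitive=False))
    print("caseSensitive=true: ", audit(SAMPLE_REQUESTS, case_sensitive=True))
```

With case-sensitive lookup the mixed-case paths resolve to nothing, so the audit list is empty; with it disabled, both mixed-case paths are flagged.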