Hi Mark and Chris,

As suggested, updated configurations as follows:

  <web-app>
    <display-name>security-tomcat-2025</display-name>
    <servlet>
      <servlet-name>cgi</servlet-name>
      <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
      <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>/WEB-INF/cgi</param-value>
      </init-param>
      <init-param>
        <param-name>executable</param-name>
        <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
      </init-param>
      <load-on-startup>5</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>cgi</servlet-name>
      <url-pattern>/cgi-bin/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>admin-stuff</web-resource-name>
        <url-pattern>/cgi-bin/update</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>biz-stuff</web-resource-name>
        <url-pattern>/cgi-bin/updateOrder</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>biz</role-name>
      </auth-constraint>
    </security-constraint>
  </web-app>

Are these appropriate security constraints, and secure enough for CGI?

Chenjp

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, April 9, 2025 5:40
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml

8 Apr 2025 21:45:50 Christopher Schultz <ch...@christopherschultz.net>:

> Justin,
>
> On 4/8/25 3:16 AM, Justin Chen wrote:
>> Dear users and supporters,
>> Currently I have two CGI scripts:
>> 1. "/cgi-bin/update" //an administrative command, required role="admin"
>> 2. "/cgi-bin/updateOrder" //update order, required role="biz"
>> In order to protect above endpoints via web.xml security-constraints
>> mechanism, how shall I do?
>
> It should be as simple as this in your web.xml:

Whether the below is correct depends on how the CGI Servlet is mapped. And
the OP hasn't provided that information.

Mark

>
> <web-app>
> ....
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>admin-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/update</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>biz-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/updateOrder</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>biz</role-name>
>     </auth-constraint>
>   </security-constraint>
> </web-app>
>
> -chris
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
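Mark's point about the servlet mapping can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat. It applies the Servlet specification's best-match rule for url-patterns (exact pattern first, then the longest "/prefix/*" pattern, then "*.ext", then the default "/"), which is the rule Tomcat uses both to route a request to a servlet and to pick the single <security-constraint> that governs it. With the CGI servlet mapped at /cgi-bin/*, a request for /cgi-bin/update/anything is routed to the CGI servlet, but the exact pattern /cgi-bin/update does not match it, so no constraint applies. What the CGI servlet then does with the trailing path is a property of the servlet, not of web.xml; the point here is only that web.xml does not stop the request. The hardened fragment adds /cgi-bin/update/* and /cgi-bin/updateOrder/* to the respective collections and a catch-all /cgi-bin/* with an empty <auth-constraint/>, which the spec defines as permitting nobody; the exact and longer-prefix patterns still win for the two scripts. Both web.xml fragments, the constraint name cgi-deny-rest and the request paths are constructed for this example, and the init-params of the posted config are left out because they play no part in matching.

```python
"""Which web.xml <security-constraint> governs a request path?

Added example (not from the thread or from Tomcat): applies the Servlet spec
best-match rule Tomcat uses to pick the single constraint for a request
(exact url-pattern, then longest "/prefix/*", then "*.ext", then "/"); the
same rule selects the servlet. WEAK_XML is the posted configuration with the
init-params left out (they do not affect matching); HARDENED_XML is constructed.
"""
import xml.etree.ElementTree as ET

WEAK_XML = """<web-app>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin-stuff</web-resource-name>
      <url-pattern>/cgi-bin/update</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>biz-stuff</web-resource-name>
      <url-pattern>/cgi-bin/updateOrder</url-pattern></web-resource-collection>
    <auth-constraint><role-name>biz</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed: each script also gets "/cgi-bin/<script>/*" so trailing path info
# stays under the same role; an empty <auth-constraint/> (nobody permitted)
# covers anything else that the "/cgi-bin/*" mapping routes to the CGI servlet.
HARDENED_XML = """<web-app>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin-stuff</web-resource-name>
      <url-pattern>/cgi-bin/update</url-pattern>
      <url-pattern>/cgi-bin/update/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>biz-stuff</web-resource-name>
      <url-pattern>/cgi-bin/updateOrder</url-pattern>
      <url-pattern>/cgi-bin/updateOrder/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>biz</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>cgi-deny-rest</web-resource-name>
      <url-pattern>/cgi-bin/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def match_rank(pattern, path):
    """Rank of pattern against path (higher tuple wins), or None if no match."""
    if pattern == path:
        return (3, 0)                      # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))        # longest path prefix wins
    if pattern.startswith("*."):
        if "." in path.rsplit("/", 1)[-1] and path.endswith(pattern[1:]):
            return (1, 0)                  # extension mapping
    if pattern == "/":
        return (0, 0)                      # default mapping
    return None


def _best(entries, path):
    """Payloads of every (pattern, payload) entry sharing the best rank."""
    ranked = [(match_rank(p, path), payload) for p, payload in entries]
    ranked = [(r, payload) for r, payload in ranked if r is not None]
    if not ranked:
        return []
    top = max(r for r, _ in ranked)
    return [payload for r, payload in ranked if r == top]


def servlet_for(web_xml, path):
    """Name of the servlet the request is routed to, or None."""
    root = ET.fromstring(web_xml)
    entries = [(p.text.strip(), m.findtext("servlet-name").strip())
               for m in root.iter("servlet-mapping") for p in m.iter("url-pattern")]
    hit = _best(entries, path)
    return hit[0] if hit else None


def governing_roles(web_xml, path):
    """None: no constraint applies (anyone). frozenset(): nobody. Else roles."""
    root = ET.fromstring(web_xml)
    entries = []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else frozenset(r.text.strip() for r in ac.iter("role-name"))
        entries.extend((p.text.strip(), roles) for p in sc.iter("url-pattern"))
    hit = _best(entries, path)
    if not hit or None in hit:   # unmatched, or a matching constraint has no <auth-constraint>
        return None
    return frozenset().union(*hit)   # same-pattern constraints combine by union


if __name__ == "__main__":
    for p in ["/cgi-bin/update", "/cgi-bin/update/", "/cgi-bin/update/x",
              "/cgi-bin/updateOrder", "/cgi-bin/Update", "/cgi-bin/other"]:
        print(f"{p:22} servlet={servlet_for(WEAK_XML, p)} weak={governing_roles(WEAK_XML, p)} "
              f"hardened={governing_roles(HARDENED_XML, p)}")
```

Running it prints one line per path. Under the posted fragment, /cgi-bin/update/ and /cgi-bin/update/x are routed to the cgi servlet with no constraint at all; under the hardened fragment they fall to admin, and /cgi-bin/other and /cgi-bin/Update come back as frozenset(), i.e. denied. The deny-everyone fallback is what catches names that differ only in case, which matters when the script directory sits on a case-insensitive filesystem, as the Windows paths in the posted config suggest. The constraints only gate access by role; a <login-config> is still required for users to authenticate into those roles in the first place.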