On Wed, Apr 9, 2025 at 2:49 AM Justin Chen <[email protected]> wrote:
>
> Hi Mark and Chris,
>
> As suggested, updated configurations as follows:
>
> <web-app>
>   <display-name>security-tomcat-2025</display-name>
>   <servlet>
>     <servlet-name>cgi</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
>     <init-param>
>       <param-name>cgiPathPrefix</param-name>
>       <param-value>/WEB-INF/cgi</param-value>
>     </init-param>
>     <init-param>
>       <param-name>executable</param-name>
>       <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
>     </init-param>
>     <load-on-startup>5</load-on-startup>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>cgi</servlet-name>
>     <url-pattern>/cgi-bin/*</url-pattern>
>   </servlet-mapping>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>admin-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/update</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>biz-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/updateOrder</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>biz</role-name>
>     </auth-constraint>
>   </security-constraint>
> </web-app>
>
> Are these appropriate security constraints, and are they secure enough for CGI?
I disagree with that; the Servlet should always be secured with /cgi-bin/* (if the Servlet is mapped to /cgi-bin/* as well). The Servlet is doing its own thing with the path info and mapping, so any other security mapping would be open to second guesses. It is the same with any servlet that is using its path info liberally.

Rémy

> Chenjp
> ________________________________
> From: Mark Thomas <[email protected]>
> Sent: Wednesday, April 9, 2025 5:40
> To: Tomcat Users List <[email protected]>
> Subject: Re: HOWTO: the right way to configure security constraints to
> protect CGI scripts in web.xml
>
> 8 Apr 2025 21:45:50 Christopher Schultz <[email protected]>:
>
> > Justin,
> >
> > On 4/8/25 3:16 AM, Justin Chen wrote:
> >> Dear users and supporters,
> >> Currently I have two CGI scripts:
> >> 1. "/cgi-bin/update" //an administrative command, required
> >> role="admin"
> >> 2. "/cgi-bin/updateOrder" //update order, required role="biz"
> >> In order to protect the above endpoints via the web.xml security-constraints
> >> mechanism, how shall I do it?
> >
> > It should be as simple as this in your web.xml:
>
> Whether the below is correct depends on how the CGI Servlet is mapped.
> And the OP hasn't provided that information.
>
> Mark
>
> >
> > <web-app>
> > ....
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>admin-stuff</web-resource-name>
> >       <url-pattern>/cgi-bin/update</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>biz-stuff</web-resource-name>
> >       <url-pattern>/cgi-bin/updateOrder</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>biz</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> > </web-app>
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
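The point Rémy makes above, worked through as an added illustration that is not part of the thread and not Tomcat's code: a small Python model of servlet-spec url-pattern matching for security constraints, and of how a CGI servlet mapped at /cgi-bin/* resolves the script to run from the path info. The script names, the request paths and the role attached to the /cgi-bin/* constraint are constructed for the example.

```python
"""Model of servlet-spec url-pattern matching for security constraints and of
how a CGI servlet mapped at /cgi-bin/* picks the script to run from the path
info. Added illustration only: this is not Tomcat's code, and the script names,
request paths and roles below are constructed for the example."""

# Constructed: scripts that exist under cgiPathPrefix (/WEB-INF/cgi).
CGI_SCRIPTS = {"update", "updateOrder"}

# Constraints as (url-pattern, roles required). The first set mirrors the
# per-script exact patterns in the web.xml above; the second is the single
# prefix constraint Remy recommends (the "admin" role is an assumption).
PER_SCRIPT = [("/cgi-bin/update", {"admin"}), ("/cgi-bin/updateOrder", {"biz"})]
WHOLE_PREFIX = [("/cgi-bin/*", {"admin"})]

# Constructed request paths: the two intended URLs plus variants a caller can
# send once the servlet is left to interpret the path info itself.
REQUESTS = [
    "/cgi-bin/update",
    "/cgi-bin/update/",
    "/cgi-bin/update/anything",
    "/cgi-bin/updateOrder",
    "/cgi-bin/updateOrder/x/y",
    "/cgi-bin/nothere",
]


def pattern_matches(pattern, path):
    """Servlet-spec matching for one url-pattern: exact, "/a/*" path prefix
    ("/a" itself or anything below "/a/"), "*.ext" extension, or "/" default."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(constraints, path):
    """Roles demanded by the constraints that win for this path, or None when
    no constraint applies and the container passes the request straight to
    the servlet. Precedence follows the spec: an exact match beats the longest
    path prefix, which beats extension, which beats the default pattern."""
    matching = [(p, r) for p, r in constraints if pattern_matches(p, path)]
    if not matching:
        return None
    exact = [r for p, r in matching
             if p != "/" and not p.endswith("/*") and not p.startswith("*.")]
    if exact:
        return set().union(*exact)
    prefixes = [(p, r) for p, r in matching if p.endswith("/*")]
    if prefixes:
        longest = max(len(p) for p, _ in prefixes)
        return set().union(*(r for p, r in prefixes if len(p) == longest))
    exts = [r for p, r in matching if p.startswith("*.")]
    if exts:
        return set().union(*exts)
    return set().union(*(r for _, r in matching))


def resolve_cgi(path, servlet_mapping="/cgi-bin/*"):
    """Model of the CGI servlet's script lookup: strip the servlet path, then
    walk the remaining segments until one names an existing script; whatever
    follows becomes PATH_INFO. Returns (script, path_info) or None."""
    servlet_path = servlet_mapping[:-2]
    if not (path == servlet_path or path.startswith(servlet_path + "/")):
        return None
    segments = [s for s in path[len(servlet_path):].split("/") if s]
    for i, _ in enumerate(segments):
        candidate = "/".join(segments[: i + 1])
        if candidate in CGI_SCRIPTS:
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            return candidate, path_info
    return None


def unprotected_scripts(constraints, requests):
    """Request paths that would run a script with no constraint applying."""
    return sorted(p for p in requests
                  if resolve_cgi(p) is not None
                  and required_roles(constraints, p) is None)


if __name__ == "__main__":
    for name, cs in (("per-script exact patterns", PER_SCRIPT),
                     ("single /cgi-bin/* prefix", WHOLE_PREFIX)):
        print(f"{name}: unprotected = {unprotected_scripts(cs, REQUESTS)}")
```

With the per-script exact patterns, /cgi-bin/update/, /cgi-bin/update/anything and /cgi-bin/updateOrder/x/y all resolve to a script in the model yet match no constraint, because an exact url-pattern only matches the identical URI while the servlet is happy to strip trailing segments into PATH_INFO. A single /cgi-bin/* constraint covers every path the servlet could see. Note also the precedence rule the model implements: an exact-match constraint wins over a prefix one, so mixing /cgi-bin/* with per-script exact patterns needs the combined result checked for each URL, not assumed.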
