On Wed, Apr 9, 2025 at 2:49 AM Justin Chen <ch...@msn.com> wrote:
>
> Hi Mark and Chris,
>
> As suggested, updated configurations as follows:
>
> <web-app>
>   <display-name>security-tomcat-2025</display-name>
>   <servlet>
>     <servlet-name>cgi</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
>     <init-param>
>       <param-name>cgiPathPrefix</param-name>
>       <param-value>/WEB-INF/cgi</param-value>
>     </init-param>
>     <init-param>
>       <param-name>executable</param-name>
>       <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
>     </init-param>
>     <load-on-startup>5</load-on-startup>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>cgi</servlet-name>
>     <url-pattern>/cgi-bin/*</url-pattern>
>   </servlet-mapping>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>admin-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/update</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>biz-stuff</web-resource-name>
>       <url-pattern>/cgi-bin/updateOrder</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>biz</role-name>
>     </auth-constraint>
>   </security-constraint>
> </web-app>
>
> Are these appropriate security constraints, and secure enough for CGI?

I disagree with that; the Servlet should always be secured with /cgi-bin/* (if the Servlet is mapped to /cgi-bin/* as well). The Servlet is doing its own thing with the path info and mapping, so any other security mapping would be open to second guesses. It is the same with any servlet that is using its path info liberally.

Rémy

> Chenjp
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, April 9, 2025 5:40
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml
>
> 8 Apr 2025 21:45:50 Christopher Schultz <ch...@christopherschultz.net>:
>
> > Justin,
> >
> > On 4/8/25 3:16 AM, Justin Chen wrote:
> >> Dear users and supporters,
> >> Currently I have two CGI scripts:
> >> 1. "/cgi-bin/update" //an administrative command, requires role="admin"
> >> 2. "/cgi-bin/updateOrder" //update order, requires role="biz"
> >> In order to protect the above endpoints via the web.xml security-constraints mechanism, how should I do it?
> >
> > It should be as simple as this in your web.xml:
>
> Whether the below is correct depends on how the CGI Servlet is mapped. And the OP hasn't provided that information.
>
> Mark
>
> >
> > <web-app>
> >   ....
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>admin-stuff</web-resource-name>
> >       <url-pattern>/cgi-bin/update</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>biz-stuff</web-resource-name>
> >       <url-pattern>/cgi-bin/updateOrder</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>biz</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> > </web-app>
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
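As an added illustration of Rémy's point (this is not code from the thread or from Tomcat), a small Python model of the Servlet-spec url-pattern rules: it lists the requests that a servlet mapped on /cgi-bin/* receives but that the two exact-path constraints leave unconstrained, and shows that a single /cgi-bin/* constraint covers them all. The role sets and request paths are constructed samples, and the model assumes the container has already decoded and normalised the request path.

```python
# Added example (not from the thread): a model of Servlet-spec url-pattern
# matching used to check whether a set of <security-constraint> url-patterns
# covers every request a servlet mapped on /cgi-bin/* actually receives.

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern semantics for an already-normalised request path:
    default ('/'), path-prefix ('/x/*'), extension ('*.ext') and exact."""
    if pattern == "/":                      # default servlet: everything
        return True
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern                  # exact match only


def roles_required(constraints, path):
    """Roles from every constraint whose url-pattern matches the path
    (an empty set means the request is unconstrained)."""
    roles = set()
    for url_pattern, allowed_roles in constraints:
        if pattern_matches(url_pattern, path):
            roles.update(allowed_roles)
    return roles


def unprotected_requests(servlet_pattern, constraints, requests):
    """Requests that reach the servlet mapping but carry no constraint."""
    return [p for p in requests
            if pattern_matches(servlet_pattern, p)
            and not roles_required(constraints, p)]


# Constructed samples: the per-script constraints from the thread versus one
# prefix constraint on the whole servlet mapping. Role sets are illustrative;
# any per-script authorisation beyond the container check is not modelled.
PER_SCRIPT = [("/cgi-bin/update", {"admin"}), ("/cgi-bin/updateOrder", {"biz"})]
WHOLE_MAPPING = [("/cgi-bin/*", {"admin", "biz"})]
REQUESTS = ["/cgi-bin/update", "/cgi-bin/updateOrder",
            "/cgi-bin/update/extra", "/cgi-bin/newscript"]

if __name__ == "__main__":
    for name, constraints in (("per-script", PER_SCRIPT),
                              ("whole mapping", WHOLE_MAPPING)):
        gaps = unprotected_requests("/cgi-bin/*", constraints, REQUESTS)
        print(f"{name}: unprotected = {gaps}")
```

Running it reports the per-script constraints leave the path-info and new-script requests unconstrained, while the whole-mapping constraint leaves none.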