tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Schulz <>
Subject TomCat - IIS - Security
Date Tue, 27 Feb 2001 22:56:09 GMT

when using Tomcat with IIS, we have a "security hole". 

We installed Tomcat as described at the documentation. 

The following scenario may show our problem: 

We have a folder reachable as  <http://ourserver/secretfolder/>
http://ourserver/secretfolder/ with NT Security permissions set for user
"foo" and user "bar" (both have "rw"). 

We have a subfolder reachable as http://ourserver/secretfolder/moresecret
<http://ourserver/secretfolder/moresecret>  with NT Security permissions set
for user "bar" ("rw").

Both folders contain two files, test.html and test.jsp.

If the user "foo" or user "bar" call http://ourserver/secretfolder/test.html
<http://ourserver/secretfolder/test.html>  , they both can see the page. If
a user "foobar" calls the url, he get's an error because he's not

If the user "foobar" calls http://ourserver/secretfolder/test.jsp
<http://ourserver/secretfolder/test.jsp>  , he can see the page, even if he
is not permitted by NT Security !

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.html
<http://ourserver/secretfolder/moresecret/test.html>  , he get's ab error
because he's not authenticated.

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.jsp
<http://ourserver/secretfolder/moresecret/test.jsp>  , he can see the page,
even if he should not because he's not permitted.

I think the problem is the redirector-dll. Before checking any file based
security, the IIS passed the request (or url) to the redirector filter. If
the url contains a JSP, the filter recognizes it an passes the request to
TomCat. TomCat does no file based security check as it is possible by the
IIS an returns the response.

In my opinion, the redirector-dll has to check if there is "anonymous"
access allowed by the IIS, if so, everything is ok (really?). If "anonymous"
access is not allowed by the IIS for that file/directory, it has to check
whether the current user (which will be "anonymous" or none at the first
call) is allowed to access the file/directory and if not an
UNAUTHORIZED-Error has to be returned. If this happens, the Internet
Explorer as a Client will request the page again, but passing the current NT
User Account to the server. The redirector has to check everything again and
only return the response if the user has rights on the direcotry/file.

Am I right ? If so, is there a solution ?




View raw message