From: Christian Schulz
To: tomcat-dev@jakarta.apache.org
Cc: Thomas Dingel
Subject: TomCat - IIS - Security
Date: Tue, 27 Feb 2001 23:56:09 +0100
Message-ID: <39263289EF99D311BB2B000021CDA86C1548E3@spock.devcon-mail.de>

Hello,

when using Tomcat with IIS, we have a "security hole".

We installed Tomcat as described at the documentation.

The following scenario may show our problem:

We have a folder reachable as http://ourserver/secretfolder/ with NT Security permissions set for user "foo" and user "bar" (both have "rw"). 

We have a subfolder reachable as http://ourserver/secretfolder/moresecret with NT Security permissions set for user "bar" ("rw").

Both folders contain two files, test.html and test.jsp.

If the user "foo" or user "bar" call http://ourserver/secretfolder/test.html, they both can see the page. If a user "foobar" calls the url, he gets an error because he's not authenticated.

If the user "foobar" calls http://ourserver/secretfolder/test.jsp, he can see the page, even if he is not permitted by NT Security!

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.html, he gets an error because he's not authenticated.

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.jsp, he can see the page, even if he should not because he's not permitted.

I think the problem is the redirector-dll. Before checking any file-based security, the IIS passes the request (or url) to the redirector filter. If the url contains a JSP, the filter recognizes it and passes the request to TomCat. TomCat does no file-based security check as it is possible by the IIS and returns the response.

In my opinion, the redirector-dll has to check if there is "anonymous" access allowed by the IIS; if so, everything is ok (really?). If "anonymous" access is not allowed by the IIS for that file/directory, it has to check whether the current user (which will be "anonymous" or none at the first call) is allowed to access the file/directory, and if not, an UNAUTHORIZED error has to be returned. If this happens, the Internet Explorer as a client will request the page again, but passing the current NT User Account to the server. The redirector has to check everything again and only return the response if the user has rights on the directory/file.

Am I right? If so, is there a solution?

Bye

    Christian
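The request flow the post describes, as an added example that is not part of the original message: a small Python model of the reported behaviour (a .jsp URL is forwarded to Tomcat before IIS consults the folder ACL) beside the check the post proposes for the redirector, plus the browser round-trip in which the client retries with its NT account after a 401. The ACL table, the longest-prefix rule for nested folders and the single anonymous-access flag are assumptions made for the model, not settings from the post or from the redirector.

```python
# Model of the IIS -> redirector filter -> Tomcat request path described in the
# post, with the reported behaviour beside the check the post proposes.
# Assumptions (not from the original message): folder ACLs are a dict of URL
# prefix -> set of allowed NT users, the longest matching prefix wins, and
# anonymous access is a single per-site flag.

ACLS = {                                   # constructed from the post's scenario
    "/secretfolder/": {"foo", "bar"},
    "/secretfolder/moresecret/": {"bar"},
}
ANONYMOUS_ALLOWED = False
JSP_SUFFIX = ".jsp"


def permitted(path, user, acls=ACLS, anonymous=ANONYMOUS_ALLOWED):
    """IIS-style file security: the longest configured folder prefix decides.
    No configured ACL, or anonymous access enabled, means anyone may read."""
    matches = [p for p in acls if path.startswith(p)]
    if anonymous or not matches:
        return True
    return user in acls[max(matches, key=len)]


def iis_static(path, user):
    """IIS serving test.html: 401 when the ACL denies the (possibly anonymous) user."""
    return (200, "iis") if permitted(path, user) else (401, "iis")


def current_redirector(path, user):
    """Reported behaviour: a .jsp URL is handed to Tomcat before IIS runs its
    file-based check, so the folder ACL is never consulted for it."""
    if path.endswith(JSP_SUFFIX):
        return 200, "tomcat"
    return iis_static(path, user)


def proposed_redirector(path, user):
    """The post's proposal: apply the same folder ACL to a .jsp URL first and
    only forward to Tomcat when the (possibly anonymous) user is permitted."""
    if path.endswith(JSP_SUFFIX):
        return (200, "tomcat") if permitted(path, user) else (401, "redirector")
    return iis_static(path, user)


def browse(path, nt_user, server):
    """Simulate IE: the first request is anonymous; on 401 it is repeated with
    the logged-on NT account, and the second answer is final."""
    status, origin = server(path, None)
    if status == 401:
        status, origin = server(path, nt_user)
    return status, origin
```

Calling `browse("/secretfolder/test.jsp", "foobar", current_redirector)` reproduces the hole from the post (200 from Tomcat), while the same call against `proposed_redirector` ends in 401.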
