tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob S." <>
Subject RE: Guide to developing secure tomcat/jsp web apps - help ??
Date Wed, 01 Aug 2001 11:57:16 GMT
I think that your question is really about server-side security for web apps
in general.  All of your questions can apply to any web application
regardless of technology being used (e.g. asp, dhp, cfm)

A good place to start would be Java Pro Magazine.  Two issues ago - cover
page about securing server side in Java.  That's as good a place as any to


- r

> -----Original Message-----
> From: Greg Callaghan []
> Sent: Wednesday, August 01, 2001 2:26 AM
> To:
> Subject: Guide to developing secure tomcat/jsp web apps - help ??
> Hi all,
> It would be very useful to have a checklist or guidelines to ensure a
> JSP/tomcat web site one develops is secure, in particular for the
> scenario
> where the web application is not huge/complex &/or is developed
> by part-time
> developers.   That is I guess I'm generally asking for the easiest way of
> ensuring one develops a secure JSP/tomcat app.
> Q1 - Does anyone know of a tutorial/checklist for ensuring a
> JSP/tomcat web
> app is secure?    The types of things I'm thinking of include the
> following
> items, which I've put forward as specific questions to the mail group in
> their own right.
> Q2 - How do you ensure directory's under doc root can't be viewed?  (ie
> users see a directory listings)
> - is putting in an index.html in each sub-directory a solid answer?
> - can this be handled in one hit via WEB.XML entries?  if so an
> example if
> possible?
> Above and beyond basic User Authentication checking (eg username/password
> check at beginning of session) what is an easy but secure way of
> checking -:
> Q3 check that user (ie specific) is allowed to access a specific
> JSP page?
> (assuming the web app is a totally JSP based solution, ie no controller
> servlet frontend, ie and that all JSP pages are effectively
> assessable under
> docroot).    Easy way of doing this?
> eg (a) put specific check at beginning of each JSP page?
>    (b) other?
> and
> Q4 given that a user is allowed to access that JSP page, check that he is
> allowed to view the data which he has requested?   (ie stop people
> determining how the URL with parameters is constructed and
> manually changing
> the parameters - eg changing "http://www.test/test.jsp?id=3", manually
> "http://www.test/test.jsp?id=4". Easy way of doing this?
> eg (a) put specific check at beginning of JSP page?
>    (b) other
> Q5 Is it generally acceptable, given appropriate precautions are
> taken, to
> setup a web site with all JSP files assessable under doc root,
> and that the
> manner in which the user navigates around the application is
> based on direct
> calls from the browser to the next JSP page with parameters?   (again one
> concern I have is eg changing "http://www.test/test.jsp?id=3", manually
> "http://www.test/test.jsp?id=4").     If this is not acceptable what is
> recommended?
> (a) as above put a specific check at the beginning of the JSP page
> (b) for example having to specifically put a controller servlet
> as a front
> end, and then direct to JSP pages which are hidden?
> - in this case how can one hide specific directories under doc root?
> (c) other??
> Q6. Regarding image security I assume one really does have to store them
> outside doc root and develop a small "getImage" servlet so that
> requests to
> images can be verified to ensure that (assuming the app lets users load
> images) the end user can't see another user's image?
> Q7. Any other general checklist items for a simple JSP/tomcat web site re
> security one should check for???
> Thanks in advance
> Greg
> _________________________________________________________________
> Get your FREE download of MSN Explorer at

View raw message