tomcat-users mailing list archives

From Michael Rimov <>
Subject Re: Kind of a wierd security request
Date Wed, 09 Aug 2000 00:16:35 GMT

>This is the sort of discussion that is germane on the TOMCAT-DEV mailing list
>... you might consider subscribing there and posing these questions.  I do 
>a few scattered comments, although not really any definitive answer for you.

Very true.  After I read up on the Java security APIs that you've talked 
about, I may follow up there.

>If you set up CGI environments wrong, you've got pretty much the same 
>vulnerabilities.  The language in use is by no means the only issue.

True, that's why I'm attempting to find out how to cross apply it to the 
Java environment.  I don't recall ever really seeing any major posts on the 
BugTraq list regarding Java-based servers, so I'm kind of fishing for 
problems that the Java language in itself doesn't take care of.

> > Because I'm talking about war files, this should take care of JSP pages
> > too, right?  The option, of course, would effectively block anything that
> > wasn't packaged in a WAR/JAR file.
> >
>You could do this too, but it's a lot more work -- Tomcat currently has to
>unpack a WAR file to actually run the application, because it has internal
>assumptions that resources like JSP pages are in disk files.

Bummer.  Thanks for the information on that.

>Check out the security model that is built in to Java -- especially the fine
>grained enhancements added with JDK 1.2.  And check out the ability to run a
>Tomcat web app under a security manager where you configure the permissions.
>You'll find that there is a lot of room to accomplish these kinds of things,
>without touching anything other than the startup scripts for Tomcat.

Fantastic.  I really appreciate this, and I suspect that it will do a lot 
to prevent the kind of issues I'm looking at.

>serious (and most likely) issue -- where an attacker gets write access to your
>server's disk.  If they have that, they can sign WARs with the names you 
>(for example), bypassing any security you've built in.  I'm not saying "don't
>bother implementing security inside Tomcat".  I am saying "don't rely on
>implementing security inside Tomcat to protect you from all possible attacks."

That's true, of course.  And I totally agree with you.  I do look at it as 
"onion skin" security, in that I'm looking at putting on as many layers 
that have to be broken through as possible.

Thank you for your very informative reply!
