tomcat-users mailing list archives

From Andrew Robson <and...@playaday.com>
Subject Re: Need workaround for Tomcat security.
Date Mon, 16 Jul 2001 20:39:08 GMT
Jeff,
   TC 3.2.1 on Linux.
   Apache and mod_jk
It seems to me (without having had a chance to check)
that this must be a misconfig at the Apache
and Apache/Tomcat end of things rather than a Tomcat bug as such.

Any thoughts? It would be a pretty big hole if it was a genuine
bug.

andrew
  
On Mon, 16 Jul 2001, you wrote:
> Andrew,
> 
> What version of Tomcat did this affect Form-based authentication on? I tried
> the URL patterns mentioned on my Form-based Realm, and the Realm worked
> correctly -- no security problems. I'm using TC 3.2.2 on Linux.
> 
> Thanks,
> --jeff
> 
> ----- Original Message -----
> From: "Andrew Robson" <andrew@playaday.com>
> To: <tomcat-user@jakarta.apache.org>
> Sent: Monday, July 16, 2001 7:29 AM
> Subject: Re: Need workaround for Tomcat security.
> 
> 
> > Hi,
> >   No workaround I'm afraid. I can confirm that the problem
> > affects form-based JDBCRealm as well. Tried putting
> > */admin/* into url pattern and broke security completely.
> > I wonder whether a JkMount directive with appropriately
> > placed wildcards might work but haven't had time to try.
> > I'd be very interested if you find a solution.
> > Presumably no-one on the list has one?
> >
> > andrew
> >
> > On Sun, 15 Jul 2001, you wrote:
> > > Ok, I needed to put some security constraints on a directory, so I added this
> > > to my web.xml:
> > >  <security-constraint>
> > >       <display-name>UQoS Amin Area</display-name>
> > >       <web-resource-collection>
> > >          <web-resource-name>UQoS Amin Area</web-resource-name>
> > >            <url-pattern>/admin/*</url-pattern>
> > >       </web-resource-collection>
> > > I use BASIC authentication using the memory realm.
> > > Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> > > something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> > > more slashes), all security checks are bypassed, anyone is let right in!
> > > (The same thing always happens; try it with the 'security' example shipped with
> > > Tomcat.)
> > > Severe bug! I have posted it to Bugzilla. This applies to at least Tomcat
> > > 3.2.1 and 3.2.2.
> > > And I need it fixed as soon as possible. Does anyone know a workaround to
> > > this one? (I'd rather not upgrade to Tomcat 4 yet; it seems like it's fixed
> > > there.)
> > > --
> > > Nils O. Selåsdal
> > --
> >
> > Andrew Robson
> >
> >
> >
-- 
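The bypass described in this thread comes down to authorization being decided on the raw request path instead of a canonical one: `/admin/*` does not prefix-match `//Admin/`, so the constraint never fires. The following is an added illustration, not Tomcat's code or anything from the posters: a simplified model of servlet url-pattern matching, run once on the raw path (reproducing the reported behaviour) and once after collapsing duplicate slashes and dot segments (the check a container, or a front-end filter, should apply before matching). The constraint list and the sample paths are constructed for the example.

```python
def matches(pattern, path):
    """Simplified servlet url-pattern matching (model, not Tomcat's implementation)."""
    if pattern.endswith("/*"):                       # path-prefix pattern, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                     # extension pattern, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                           # exact pattern


def canonicalize(path):
    """Collapse repeated slashes and resolve '.' / '..' so that every spelling of a
    resource maps to one path before it is compared against security constraints."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                         # empty segment == duplicate slash
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if path.endswith("/") and result != "/":         # keep a trailing slash if present
        result += "/"
    return result


# Constructed constraint set, mirroring the web.xml in the thread: (url-pattern, roles)
CONSTRAINTS = [("/admin/*", {"admin"})]


def is_protected(raw_path, normalize=True):
    """True if the request path falls under a security constraint.
    normalize=False models matching on the raw path, which is what the thread reports."""
    path = canonicalize(raw_path) if normalize else raw_path
    return any(matches(pattern, path) for pattern, _ in CONSTRAINTS)


if __name__ == "__main__":
    for p in ("/admin/", "//admin/", "///admin/x/../y", "/public/index.html"):
        print(f"{p:22} raw: {is_protected(p, normalize=False)!s:5}  canonical: {is_protected(p)}")
```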