tomcat-users mailing list archives

From "Jeff Kilbride" <j...@kilbride.com>
Subject Re: Need workaround for Tomcat security.
Date Mon, 16 Jul 2001 20:27:52 GMT
Andrew,

What version of Tomcat did this affect Form-based authentication on? I tried
the URL patterns mentioned on my Form-based Realm, and the Realm worked
correctly -- no security problems. I'm using TC 3.2.2 on Linux.

Thanks,
--jeff

----- Original Message -----
From: "Andrew Robson" <andrew@playaday.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Monday, July 16, 2001 7:29 AM
Subject: Re: Need workaround for Tomcat security.


> Hi,
>   No workaround I'm afraid. I can confirm that the problem
> affects form - based JDBCRealm as well. Tried putting
> */admin/* into url pattern and broke security completely.
> I wonder whether a JkMount directive with appropriately
> placed wildcards might work but haven't had time to try.
> I'd be very interested if you find a solution.
> Presumably no-one on the list has one?
>
> andrew
>
> On Sun, 15 Jul 2001, you wrote:
> > Ok, I needed to put some security constraints on a directory, so I added this
> > to my web.xml:
> >  <security-constraint>
> >       <display-name>UQoS Amin Area</display-name>
> >       <web-resource-collection>
> >          <web-resource-name>UQoS Amin Area</web-resource-name>
> >            <url-pattern>/admin/*</url-pattern>
> >       </web-resource-collection>
> > I use BASIC authentication using the memory realm.
> > Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> > something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> > more slashes), all security checks are bypassed, anyone is let right in!
> > (The same thing always happens; try it with the 'security' example shipped with
> > Tomcat.)
> > Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
> > 3.2.1 and 3.2.2.
> > And I need it fixed as soon as possible. Does anyone know a workaround to
> > this one? (I'd rather not upgrade to Tomcat 4 yet; it seems like it's fixed here.)
> > --
> > Nils O. SelÄsdal
> --
>
> Andrew Robson
>
>
>


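The failure the thread describes is a path-canonicalisation bug: the security constraint is matched against the raw request path, so `//admin/` does not start with `/admin/` and the constraint is skipped. The following Python is an added illustration of that failure mode and of the fix, written for this archive page; it is not Tomcat's code and not code posted in the thread. It assumes a context path of `/webapp`, the `/admin/*` pattern from the quoted web.xml, constructed sample paths, and that the container percent-decodes before matching. It goes slightly beyond the double-slash case by also resolving `.` and `..` segments, and it includes a small audit helper that flags requests whose raw path differs from its canonical form, which is the kind of request a defender would want logged or rejected.

```python
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample request paths (not taken from the thread).
SAMPLE_PATHS = [
    "/webapp/admin/index.jsp",
    "/webapp//admin/index.jsp",
    "/webapp///admin/",
    "/webapp/public/./../admin/users",
    "/webapp/public/index.html",
]


def normalize_path(path: str) -> str:
    """Return the canonical form of a request path.

    Percent-decodes, collapses repeated slashes and resolves '.' and '..'
    segments. Assumption: the container decodes before matching, so an
    encoded separator is treated as a separator here.
    """
    decoded = unquote(path)
    segments: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue            # empty (from '//') or '.' segments add nothing
        if seg == "..":
            if segments:
                segments.pop()  # step up one level, never above the root
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if decoded.endswith("/") and result != "/":
        result += "/"           # keep the trailing slash; '/dir/' and '/dir' differ
    return result


def _relative_to_context(path: str, context: str) -> Optional[str]:
    """Strip the context path; None means the request is outside this webapp."""
    if path == context:
        return "/"
    if path.startswith(context + "/"):
        return path[len(context):]
    return None


def pattern_matches(rel: str, pattern: str) -> bool:
    """Servlet-style match: '/admin/*' covers '/admin' and anything under it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return rel == prefix or rel.startswith(prefix + "/")
    return rel == pattern


def naive_is_constrained(path: str, context: str, pattern: str) -> bool:
    """Flawed check: matches the raw path with no canonicalisation.

    Kept only to show the failure mode from the thread: '//admin/' does not
    start with '/admin/', so the constraint never applies.
    """
    rel = _relative_to_context(path, context)
    return rel is not None and pattern_matches(rel, pattern)


def is_constrained(path: str, context: str, pattern: str) -> bool:
    """Hardened check: canonicalise first, then match."""
    rel = _relative_to_context(normalize_path(path), context)
    return rel is not None and pattern_matches(rel, pattern)


def flag_noncanonical(paths: List[str]) -> List[str]:
    """Audit helper: return paths whose raw form differs from the canonical
    form. Such requests are worth logging, and safer to reject outright."""
    return [p for p in paths if normalize_path(p) != p]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:36} naive={naive_is_constrained(p, '/webapp', '/admin/*')!s:5} "
              f"hardened={is_constrained(p, '/webapp', '/admin/*')}")
    print("non-canonical:", flag_noncanonical(SAMPLE_PATHS))
```

Running it shows `naive=False` for every path containing `//`, `.` or `..` even though they all resolve under `/admin`, while the hardened check returns `True` for each of them and `False` only for the genuinely public path. The audit helper is the defensive takeaway: canonicalise before every authorisation decision, and treat a request whose raw path is not already canonical as suspicious regardless of which container version is in use.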