From: "Jeff Kilbride" <j...@kilbride.com>
Subject: Re: Need workaround for Tomcat security.
Date: Mon, 16 Jul 2001 20:55:03 GMT
Hi Andrew,

I know that there were some security-related problems with 3.2.1 and certain
URLs. I think a bug was found and fixed right around the time of 3.2.2 beta
5. I would suggest upgrading to 3.2.2. It's very painless -- all config
files stay the same, just copy your old ones into your 3.2.2 install
directory and change TOMCAT_HOME. I'm not seeing the problem on my
installation (TC 3.2.2, Linux, apache, mod_jk).

Thanks,
--jeff

----- Original Message -----
From: "Andrew Robson" <andrew@playaday.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Monday, July 16, 2001 1:39 PM
Subject: Re: Need workaround for Tomcat security.


> Jeff,
>    TC 3.2.1 on linux.
>    Apache and mod_jk
> It seems to me (without having had a chance to check)
> that this must be a misconfig at the apache
> and apache/tomcat end of things rather than a tomcat bug as such.
>
> Any thoughts? It would be a pretty big hole if it was a genuine
> bug.
>
> andrew
>
> On Mon, 16 Jul 2001, you wrote:
> > Andrew,
> >
> > What version of Tomcat did this affect Form-based authentication on? I
> > tried the URL patterns mentioned on my Form-based Realm, and the Realm
> > worked correctly -- no security problems. I'm using TC 3.2.2 on Linux.
> >
> > Thanks,
> > --jeff
> >
> > ----- Original Message -----
> > From: "Andrew Robson" <andrew@playaday.com>
> > To: <tomcat-user@jakarta.apache.org>
> > Sent: Monday, July 16, 2001 7:29 AM
> > Subject: Re: Need workaround for Tomcat security.
> >
> >
> > > Hi,
> > >   No workaround I'm afraid. I can confirm that the problem
> > > affects form-based JDBCRealm as well. Tried putting
> > > */admin/* into url pattern and broke security completely.
> > > I wonder whether a JkMount directive with appropriately
> > > placed wildcards might work but haven't had time to try.
> > > I'd be very interested if you find a solution.
> > > Presumably no-one on the list has one?
> > >
> > > andrew
> > >
> > > On Sun, 15 Jul 2001, you wrote:
> > > > Ok, I needed to put some security constraints on a directory, so I
> > > > added this to my web.xml:
> > > >   <security-constraint>
> > > >     <display-name>UQoS Amin Area</display-name>
> > > >     <web-resource-collection>
> > > >       <web-resource-name>UQoS Amin Area</web-resource-name>
> > > >       <url-pattern>/admin/*</url-pattern>
> > > >     </web-resource-collection>
> > > >   </security-constraint>
> > > > I use BASIC authentication using the memory realm.
> > > > Works like it's supposed to when someone goes to my
> > > > http://xxx/webapp/Admin/ or something below, HOWEVER, if they type
> > > > http://xxx/webapp//Admin/ (or even more slashes), all security
> > > > checks are bypassed, anyone is let right in!
> > > > (The same thing always happens; try it with the 'security' example
> > > > shipped with Tomcat.)
> > > > Severe bug! I have posted it to Bugzilla. This applies to at least
> > > > Tomcat 3.2.1 and 3.2.2.
> > > > And I need it fixed as soon as possible. Does anyone know a
> > > > workaround to this one? (I'd rather not upgrade to Tomcat 4 yet; it
> > > > seems like it's fixed there.)
> > > > --
> > > > Nils O. Selåsdal
> > > --
> > >
> > > Andrew Robson
> --
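The failure mode Nils reports in the quoted thread above (the raw request path is compared against the `url-pattern` without canonicalization, so `//Admin/` never matches `/admin/*`) and the fix of normalizing first, as an added Python example that is not Tomcat's code: the matcher is a simplified model of servlet url-pattern rules, and the patterns and paths are constructed.

```python
"""Canonicalize a request path before matching it against
security-constraint url-patterns (added example, not Tomcat code)."""
import posixpath
from urllib.parse import unquote


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' / '..' segments.

    A trailing slash is preserved because /admin and /admin/ may be
    different resources. The path is percent-decoded once before
    normalization so an encoded dot segment cannot hide from it.
    """
    decoded = unquote(path)
    trailing = "/" if decoded.endswith("/") and decoded != "/" else ""
    # lstrip first: posixpath.normpath keeps exactly two leading slashes,
    # which is precisely the '//Admin/' shape the bug report is about.
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if norm == "/":
        return "/"
    return norm + trailing


def matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern matching: '/', '/prefix/*', '*.ext', exact."""
    if pattern == "/":
        return True  # default mapping: everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(patterns, path: str, normalize: bool = True) -> bool:
    """True if the request falls under any constrained pattern.

    normalize=False reproduces the buggy behaviour: the raw path is
    compared as-is, so '//admin/' slips past a '/admin/*' constraint.
    """
    candidate = normalize_path(path) if normalize else path
    return any(matches(p, candidate) for p in patterns)


if __name__ == "__main__":
    constraints = ["/admin/*"]  # constructed, mirrors the web.xml above
    for raw in ("/admin/", "//admin/", "/admin/../admin/", "/%2e/admin/"):
        print(raw, "raw:", is_protected(constraints, raw, normalize=False),
              "normalized:", is_protected(constraints, raw))
```

Real containers should additionally reject requests whose decoded path still contains an encoded slash rather than decode it, since that is a second way to smuggle a segment boundary.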