tomcat-users mailing list archives

Subject HELP: Tomcat and Security
Date Fri, 28 Sep 2001 02:32:22 GMT

Hi there,

I am building an application using Tomcat and Cocoon which is supposed to
provide a Web interface for common internet users to some very sensitive
business support systems (BSS). In numerous discussions with our Corporate
Security I have been made aware that the only approved architecture would
be to use the Apache Web Server on the front talking ajp12 through the first
layer of firewalls to the Tomcat Servlet Engine, which would then implement
the authentication and further establish connections to the BSS.

So far so good. The extra headache gives me the requirement that every
parameter passed through ajp12 MUST be checked for validity before being used
by Tomcat. This is commonly addressed as a Checking Engine and mainly
should prevent "Buffer Overflow Attacks".

Would anybody know of any documentation where I can inform myself about these
security issues?!
More importantly, is this really a threat to the Tomcat implementations
(latest 4.0 and/or latest 3.2.3)? It is a little hard for me to believe
that Java would allow such an abuse :-)  I am trying to analyse the
Ajp12ConnectorHandler class to see if this would be the best place to
introduce extra checking.

Thank you in advance for your help
Drasko Kokic

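One way to implement such a checking layer on the Tomcat 4.0 (Servlet 2.3) side, as an added example that is not part of the original post or of Tomcat's own code: a servlet Filter that bounds the parameter count, name and value lengths and restricts values to a character allowlist before any servlet or Cocoon pipeline sees them. The limits, the allowlist patterns and the class name ParameterCheckFilter are assumptions and would need tuning to what the BSS actually accepts.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose parameters break assumed size or character limits. */
public class ParameterCheckFilter implements Filter {
    // Assumed limits for illustration; tune to the application's real fields.
    private static final int MAX_PARAMS = 50;
    private static final int MAX_NAME_LEN = 64;
    private static final int MAX_VALUE_LEN = 1024;
    // Allowlists: names look like identifiers, values are plain printable text.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");
    private static final Pattern SAFE_VALUE = Pattern.compile("[\\p{Alnum} .,_@:/-]*");

    private FilterConfig filterConfig;

    public void init(FilterConfig config) throws ServletException { filterConfig = config; }

    public void destroy() { filterConfig = null; }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String problem = validate(req);
        if (problem != null) {
            // Log the reason server-side and fail closed; never echo the input back.
            filterConfig.getServletContext().log("Rejected request from " + req.getRemoteAddr() + ": " + problem);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when every parameter is acceptable, otherwise a short reason. */
    static String validate(ServletRequest req) {
        int count = 0;
        for (Enumeration names = req.getParameterNames(); names.hasMoreElements(); ) {
            String name = (String) names.nextElement();
            if (++count > MAX_PARAMS) return "too many parameters";
            if (name.length() > MAX_NAME_LEN || !SAFE_NAME.matcher(name).matches()) return "bad parameter name";
            String[] values = req.getParameterValues(name);
            for (int i = 0; values != null && i < values.length; i++) {
                if (values[i].length() > MAX_VALUE_LEN) return "value too long: " + name;
                if (!SAFE_VALUE.matcher(values[i]).matches()) return "disallowed characters in: " + name;
            }
        }
        return null;
    }
}
```

Register it in web.xml with a filter and a filter-mapping on the URL pattern /* so it runs ahead of every servlet; Tomcat 3.2.x predates the Filter API, so there the same checks would have to live in the application code itself.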