tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phillip Morelock <subscripti...@phillipmorelock.com>
Subject Re: Need Help plz
Date Thu, 30 May 2002 23:28:30 GMT
> You probably wouldn't have this problem if you used apache I think, if the
> apache module does checking then it'll probably figure out that since the

The response (to you and Mr. Nicholas Orr) is simply that you I guess you're
both right, but I am a firm believer in Tomcat standalone in many
situations. This here is a bit of a problem, one that I didn't think of
before since Apache is "smart" about this.  I made the ridiculous assumption
that Tomcat was equally perceptive (not a crack at Tomcat, just a small
grumble).  

Fault in my brain:
Tomcat == Apache Project == same case-sensitivity awareness

cheers
fillup

On 5/30/02 4:15 PM, "Mike Jackson" <mjackson@cdi-hq.com> wrote:

> You probably wouldn't have this problem if you used apache I think, if the
> apache module does checking then it'll probably figure out that since the
> *.jsp file is just that a *.jsp file and if you're using mod_jk or probably
> mod_webapp (I haven't used this yet), it'll see in it's config that its
> supposed to hand those over to tomcat.  But then again I could be wrong, I
> don't have one of those environments to play with.
> 
> --mikej
> -=-----
> mike jackson
> mjackson@cdi-hq.com
> 
>> -----Original Message-----
>> From: Phillip Morelock [mailto:subscriptions@phillipmorelock.com]
>> Sent: Thursday, May 30, 2002 3:57 PM
>> To: Tomcat Users List
>> Subject: Re: Need Help plz
>> 
>> 
>>> 1) Get off of windows :)
>> 
>> Excellent point (just kidding) but actually, thanks for pointing the
>> case-problem-fix out.
>> 
>> This also happens on Mac OS X (which has a case-respecting,
>> case-insensitive
>> filesystem that annoys me frequently when working in the Unix
>> side).  Apple
>> distributes an Apache module which fixes the associated security problems
>> for httpd, but I didn't even think to check this under Tomcat.
>> Good thing I
>> only deploy on Linux.  ;)
>> 
>> So, Mac OS X users beware.
>> 
>> I wonder how receptive the Tomcat committers would be to patches /
>> automatically enabled workarounds for resolving / protecting against this
>> issue.
>> 
>> cheers
>> fillup
>> 
>> 
>> On 5/30/02 3:43 PM, "Mike Jackson" <mjackson@cdi-hq.com> wrote:
>> 
>>> 1) Get off of windows :)
>>> 
>>>  Or add the following to web.xml under $TOMCAT_HOME/conf, unless I'm
>>> mistaken that should cover all of the possible miss-cases of "jsp".
>>> 
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.Jsp</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.JSp</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.JsP</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.JSP</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.jSp</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.jSP</url-pattern>
>>> </servlet-mapping>
>>> <servlet-mapping>
>>>   <servlet-name>jsp</servlet-name>
>>>   <url-pattern>*.jsP</url-pattern>
>>> </servlet-mapping>
>>> 
>>> 2) You'll probably have to do this in your application I think.
>>  If it were
>>> me I'd create a singleton class that stored a list of login
>> attempts with ip
>>> address of the source, and prior to allowing some client to
>> attempt login
>>> I'd check the list.
>>> 
>>> --mikej
>>> -=-----
>>> mike jackson
>>> mjackson@cdi-hq.com
>>> 
>>>> -----Original Message-----
>>>> From: Walid Mohamed Al Abbadi [mailto:wabbadi@eng.aast.edu]
>>>> Sent: Thursday, May 30, 2002 3:24 PM
>>>> To: tomcat-user@jakarta.apache.org
>>>> Subject: Need Help plz
>>>> 
>>>> 
>>>> 
>>>> Hi ,
>>>> 
>>>>       i need  help please in two subjects .. My problems are what
>>>> configuration I should have to do in the server to prevent:
>>>> 
>>>>  1)       Prohibit downloading the *.jsp files from any client on the
>>>> internet... [ I noticed that if  I wrote the URL of my site ending with
>>>> myFile.JSP  [ JSP in Capital letters] the page not opened ! , but  the
>>>> server offered me to download the file it self ! ..Which I
>>>> don&#8217;t want
>>>> any user knows this property to download my own source-code jsp files!
>>>> 
>>>>  2)       My application  is  depend on a password
>> authentication  , which
>>>> I don&#8217;t want  any cracker to keep trying usernames/passwords for
>>>> many tries ..  How should I tell the server to block an ip
>> after 3 times
>>>> tries [for example] and for how long this ip will be blocked!
>>>> 
>>>>   are thses problems related with the Apache server or Tomcat
>>>> serve or both
>>>> of them !!.. does anyone face like these problems ?!
>>>> 
>>>> 
>>>>  Java_lover : Walid
>>>> 
>>>> --
>>>> To unsubscribe, e-mail:
>>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>> For additional commands, e-mail:
>>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>> 
>>> 
>>> 
>>> --
>>> To unsubscribe, e-mail:
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail:
> <mailto:tomcat-user-help@jakarta.apache.org>
>> 
> 
> 
> --
> To unsubscribe, e-mail:
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:tomcat-user-help@jakarta.apache.org>
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message