tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike Jackson" <mjack...@cdi-hq.com>
Subject RE: Need Help plz
Date Thu, 30 May 2002 23:15:28 GMT
You probably wouldn't have this problem if you used apache I think, if the
apache module does checking then it'll probably figure out that since the
*.jsp file is just that a *.jsp file and if you're using mod_jk or probably
mod_webapp (I haven't used this yet), it'll see in it's config that its
supposed to hand those over to tomcat.  But then again I could be wrong, I
don't have one of those environments to play with.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com

> -----Original Message-----
> From: Phillip Morelock [mailto:subscriptions@phillipmorelock.com]
> Sent: Thursday, May 30, 2002 3:57 PM
> To: Tomcat Users List
> Subject: Re: Need Help plz
>
>
> > 1) Get off of windows :)
>
> Excellent point (just kidding) but actually, thanks for pointing the
> case-problem-fix out.
>
> This also happens on Mac OS X (which has a case-respecting,
> case-insensitive
> filesystem that annoys me frequently when working in the Unix
> side).  Apple
> distributes an Apache module which fixes the associated security problems
> for httpd, but I didn't even think to check this under Tomcat.
> Good thing I
> only deploy on Linux.  ;)
>
> So, Mac OS X users beware.
>
> I wonder how receptive the Tomcat committers would be to patches /
> automatically enabled workarounds for resolving / protecting against this
> issue.
>
> cheers
> fillup
>
>
> On 5/30/02 3:43 PM, "Mike Jackson" <mjackson@cdi-hq.com> wrote:
>
> > 1) Get off of windows :)
> >
> >  Or add the following to web.xml under $TOMCAT_HOME/conf, unless I'm
> > mistaken that should cover all of the possible miss-cases of "jsp".
> >
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.Jsp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JSp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JsP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.JSP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jSp</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jSP</url-pattern>
> > </servlet-mapping>
> > <servlet-mapping>
> >   <servlet-name>jsp</servlet-name>
> >   <url-pattern>*.jsP</url-pattern>
> > </servlet-mapping>
> >
> > 2) You'll probably have to do this in your application I think.
>  If it were
> > me I'd create a singleton class that stored a list of login
> attempts with ip
> > address of the source, and prior to allowing some client to
> attempt login
> > I'd check the list.
> >
> > --mikej
> > -=-----
> > mike jackson
> > mjackson@cdi-hq.com
> >
> >> -----Original Message-----
> >> From: Walid Mohamed Al Abbadi [mailto:wabbadi@eng.aast.edu]
> >> Sent: Thursday, May 30, 2002 3:24 PM
> >> To: tomcat-user@jakarta.apache.org
> >> Subject: Need Help plz
> >>
> >>
> >>
> >> Hi ,
> >>
> >>       i need  help please in two subjects .. My problems are what
> >> configuration I should have to do in the server to prevent:
> >>
> >>  1)       Prohibit downloading the *.jsp files from any client on the
> >> internet... [ I noticed that if  I wrote the URL of my site ending with
> >> myFile.JSP  [ JSP in Capital letters] the page not opened ! , but  the
> >> server offered me to download the file it self ! ..Which I
> >> don&#8217;t want
> >> any user knows this property to download my own source-code jsp files!
> >>
> >>  2)       My application  is  depend on a password
> authentication  , which
> >> I don&#8217;t want  any cracker to keep trying usernames/passwords for
> >> many tries ..  How should I tell the server to block an ip
> after 3 times
> >> tries [for example] and for how long this ip will be blocked!
> >>
> >>   are thses problems related with the Apache server or Tomcat
> >> serve or both
> >> of them !!.. does anyone face like these problems ?!
> >>
> >>
> >>  Java_lover : Walid
> >>
> >> --
> >> To unsubscribe, e-mail:
> >> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> >> For additional commands, e-mail:
> >> <mailto:tomcat-user-help@jakarta.apache.org>
> >>
> >
> >
> > --
> > To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
>


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message