tomcat-users mailing list archives

From Malcolm Warren <>
Subject Tomcat Security Constraints
Date Thu, 08 Apr 2004 16:36:16 GMT

I have been using basic authorization with SSL in Tomcat for some time, 
quite satisfactorily.

However, I have found what I feel to be some strange behaviour on the part 
of Tomcat (I have 4.1.30) in one case.
Here's an example:
I have a folder; let's say I put a 
security-constraint on this folder in web.xml so that it is protected and 
requires basic authorization. So far so good.

But I have discovered that if you include a document from that protected 
folder inside a document from an unprotected folder using a <jsp:include>, 
then basic authorization is no longer requested by the browser for the 
protected page.

Surely the authorization should be requested in all places and at all 
times, wherever the request is coming from, even if from an include in an 
unprotected page?


This leads on to my second question.
I have been trying to solve one small though potentially dangerous problem 
with Basic Authorization/SSL.
If I want to access a protected area of our site from outside the firewall 
I write an address similar to the following:

It has happened that I forget to type https:// and type http:// instead.
So if a nasty, mean person is listening in, he can see my password 
unencrypted, right?
How can I prevent this? The problem is that the login window with basic 
authorization pops up before you arrive at the page itself.

I thought of FORM authorization, because the .jsp used for the login form 
can check the port requested (must be 443) and refuse to request the 
password if it's wrong. But FORM authorization requires lots of extra 
programming to give many of the useful extras that BASIC authorization 
offers as standard (e.g. remembering your user name and password).
Then I thought of including the protected page in an unprotected page that 
checks if you are in https before doing the include. But since Tomcat has 
this strange behaviour I mentioned above, after a couple of days of 
fiddling with this possibility I've had to give that up too.

Anybody got any ideas?

Thanks for your time,
Malcolm Warren
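Both questions come down to where the container enforces a security constraint. As an added example (not the poster's configuration), this web.xml fragment protects a folder with BASIC auth and adds a CONFIDENTIAL transport guarantee, which Tomcat checks before authenticating, so a mistyped http:// request is redirected to the SSL port and only then receives the 401 challenge; the /protected/ path, realm name and role name are assumptions.

```xml
<!-- web.xml fragment (added example; path, realm and role names are assumed) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <!-- The user-data constraint is evaluated before the auth-method.
       A request for http://host/protected/page.jsp is redirected to the
       SSL port (the redirectPort of the non-SSL Connector in server.xml)
       and the Basic challenge is sent only on the https connection, so
       the password is never typed into a plaintext session. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Protected area</realm-name>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>
```

Constraints are matched against the request URI only; a `<jsp:include>` runs through the RequestDispatcher inside the already-authorized request for the outer page and is not re-checked, so an unprotected page that includes protected content effectively publishes it. The fix is to put the including page under the same url-pattern, not to rely on the include being challenged.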

