From: "Rhino" <rhino1 AT sympatico DOT ca>
To: "tomcat-user" (Tomcat Users List, tomcat-user@jakarta.apache.org)
Subject: Security of Servlets
Date: Thu, 30 Sep 2004 14:55:45 -0400
We are giving some thought to putting a CGI-based Wiki, specifically OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)', the authors warn that "The biggest cause for concern about protecting your site from external threats is CGI scripts." They go on to suggest various precautions that will reduce the risk.

This has me wondering if servlets are equally insecure or have a much stronger security model. I also have Jason Hunter's 'Java Servlet Programming (Second Edition)', which has a 30-page chapter on Security that details how various forms of authentication take place in servlets. However, I can't find any categorical statement that says servlets are actually any more secure than CGI.

I was wondering if someone with extensive experience with the security aspects of both servlets and CGI can give me any sense of which is more secure and why? I need this information so that we can choose the right approach for our wiki.

Also, if servlets are more secure than CGI, is anyone aware of a wiki that runs as a servlet, preferably open source?

Rhino
---
rhino1 AT sympatico DOT ca
"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies." - C.A.R. Hoare