Posted to users@tomcat.apache.org by James Crosson <ja...@gmail.com> on 2006/11/16 21:25:23 UTC
Filters, Security, Tomcat and Configuration
Greetings,
I am attempting to configure Tomcat (5.5.9) to disregard URL requests that
contain "../" and similar high-risk expressions. So far I have been
unsuccessful. I recognize two possibilities here:
A. Use <url-pattern> in the web.xml to identify this URL and disregard it
B. Configure a filter that intercepts requests and dissects the URL.
I am wondering if anybody has had experience using Tomcat in this manner,
and if there may be some examples, working filters/strategies that I could
view to get me going.
I believe that a <url-pattern> strategy will be more trouble than it is
worth because it seems you can't pass a regular expression, but so far I
have not been able to nail down a Filter.
James Crosson
---------------------------
James.Crosson@GMail.com
Google Talk: James Crosson
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Filters, Security, Tomcat and Configuration
Posted by Martin Gainty <mg...@hotmail.com>.
http://www.docjar.com/docs/api/javax/servlet/http/HttpServletRequest.html
try getRequestURI
(instead of getURI)
HTH,
M-
----- Original Message -----
From: "James Crosson" <ja...@gmail.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Friday, November 17, 2006 3:01 PM
Subject: Re: Filters, Security, Tomcat and Configuration
Thanks for your kind reply. I am having a bear of a time figuring out why
I can't compile my filter. It is giving me the simple Java error:
com\xxxxx\view\filters\AccountFilter2.java:20: cannot find symbol
symbol : method getURI()
location: interface javax.servlet.http.HttpServletRequest
String URI = ((HttpServletRequest)request).getURI();
I've quadruple checked what I'm including:
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
Any idea what my deal could be? My classpath includes the main class,
tomcat's servlet-api.jar, and I've also tried including servlet.jar to no
avail.
James
--
http://www.JamesCrosson.net
Re: Filters, Security, Tomcat and Configuration
Posted by Gregor Schneider <rc...@googlemail.com>.
ooops - must have overlooked that one...
maybe one hint:
try to use a free IDE with automatic method completion, e.g. Eclipse
(http://www.eclipse.org), and you'll get around those problems in the
future
cheers
greg
--
what's puzzlin' you, is the nature of my game
Re: Filters, Security, Tomcat and Configuration
Posted by James Crosson <ja...@gmail.com>.
Thanks so much for your help.
The reason for the error is because the method is called getRequestURI. I
figured it out shortly after posting. Sorry to post too much.
James
On 11/17/06, Gregor Schneider <rc...@googlemail.com> wrote:
>
> Actually I doubt that you've got the file servlet-api.jar in your
> classpath - it wouldn't come up with such an error message then.
>
> You might want to use an Ant script to compile your servlet, here's a
> snippet from mine:
>
> <target name="compile" depends="init" description="compile servlet">
>     <delete dir="${servletDir}/${build}" failonerror="false"/>
>     <mkdir dir="${servletDir}/${build}"/>
>     <path id="java.classpath">
>         <fileset file="${tomcatDir}/${servletAPI}"/>
>     </path>
>     <echo message="compiling using javac version ${ant.java.version}"/>
>     <javac srcdir="${servletDir}/${src}"
>            destdir="${servletDir}/${build}"
>            compiler="javac1.4"
>            memoryInitialSize="512M"
>            memoryMaximumSize="2048M"
>            debug="true"
>            debuglevel="${DEBUGLEVEL}"
>            verbose="false"
>            fork="false">
>         <classpath refid="java.classpath"/>
>     </javac>
> </target>
>
> hth
>
> greg
> --
> what's puzzlin' you, is the nature of my game
>
Re: Filters, Security, Tomcat and Configuration
Posted by Gregor Schneider <rc...@googlemail.com>.
Actually I doubt that you've got the file servlet-api.jar in your
classpath - it wouldn't come up with such an error message then.
You might want to use an Ant script to compile your servlet, here's a
snippet from mine:
<target name="compile" depends="init" description="compile servlet">
    <delete dir="${servletDir}/${build}" failonerror="false"/>
    <mkdir dir="${servletDir}/${build}"/>
    <path id="java.classpath">
        <fileset file="${tomcatDir}/${servletAPI}"/>
    </path>
    <echo message="compiling using javac version ${ant.java.version}"/>
    <javac srcdir="${servletDir}/${src}"
           destdir="${servletDir}/${build}"
           compiler="javac1.4"
           memoryInitialSize="512M"
           memoryMaximumSize="2048M"
           debug="true"
           debuglevel="${DEBUGLEVEL}"
           verbose="false"
           fork="false">
        <classpath refid="java.classpath"/>
    </javac>
</target>
hth
greg
--
what's puzzlin' you, is the nature of my game
Re: Filters, Security, Tomcat and Configuration
Posted by James Crosson <ja...@gmail.com>.
Thanks for your kind reply. I am having a bear of a time figuring out why
I can't compile my filter. It is giving me the simple Java error:
com\xxxxx\view\filters\AccountFilter2.java:20: cannot find symbol
symbol : method getURI()
location: interface javax.servlet.http.HttpServletRequest
String URI = ((HttpServletRequest)request).getURI();
I've quadruple checked what I'm including:
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
Any idea what my deal could be? My classpath includes the main class,
tomcat's servlet-api.jar, and I've also tried including servlet.jar to no
avail.
James
On Thu, 16 Nov 2006 16:05:43 -0500, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> James,
>
> James Crosson wrote:
>> I believe that a <url-pattern> strategy will be more trouble than it is
>> worth because it seems you can't pass a regular expression, but so far I
>> have not been able to nail down a Filter.
>
> Filters are really the way to go, here, and they're relatively easy to
> write and use. First, you have to write your filter, which is pretty
> simple, right?
>
> public class BadURLFilter
>     implements Filter
> {
>     public void doFilter(ServletRequest request,
>                          ServletResponse response,
>                          FilterChain chain)
>         throws IOException, ServletException
>     {
>         // Check the URL -- need an HttpServletRequest for that
>         if(request instanceof HttpServletRequest)
>         {
>             String URI = ((HttpServletRequest)request).getURI();
>
>             // Bomb if there is a "bad" URI
>             if(URI.contains(".."))
>             {
>                 // Not sure what you want to do here.
>
>                 ((HttpServletResponse)response)
>                     .sendError(HttpServletResponse.SC_FORBIDDEN);
>
>                 return;
>             }
>         }
>
>         chain.doFilter(request, response);
>     }
> }
>
>
> That's the simplest filter that could possibly work. A few things to
> consider:
>
> 1. What do you want to do when you find a bad URL? I simply
> return a 403 FORBIDDEN status code.
> 2. Are there any URIs that might be okay to contain ".."?
> For instance, if you have a servlet that uses the "extra
> path info" to do something, it might allow a URI to contain
> "..", in which case this filter will break your app.
>
> I hope that can get you started.
>
> -chris
>
--
http://www.JamesCrosson.net
Re: Filters, Security, Tomcat and Configuration
Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,
James Crosson wrote:
> I believe that a <url-pattern> strategy will be more trouble than it is
> worth because it seems you can't pass a regular expression, but so far I
> have not been able to nail down a Filter.
Filters are really the way to go, here, and they're relatively easy to
write and use. First, you have to write your filter, which is pretty
simple, right?
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class BadURLFilter
    implements Filter
{
    // Filter requires init() and destroy(); nothing to set up here
    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException
    {
        // Check the URL -- need an HttpServletRequest for that
        if(request instanceof HttpServletRequest)
        {
            // The method is getRequestURI(); HttpServletRequest has no getURI()
            String URI = ((HttpServletRequest)request).getRequestURI();

            // Bomb if there is a "bad" URI
            if(URI.contains(".."))
            {
                // Not sure what you want to do here.

                ((HttpServletResponse)response)
                    .sendError(HttpServletResponse.SC_FORBIDDEN);

                return;
            }
        }

        chain.doFilter(request, response);
    }
}
That's the simplest filter that could possibly work. A few things to
consider:
1. What do you want to do when you find a bad URL? I simply
return a 403 FORBIDDEN status code.
2. Are there any URIs that might be okay to contain ".."?
For instance, if you have a servlet that uses the "extra
path info" to do something, it might allow a URI to contain
"..", in which case this filter will break your app.
I hope that can get you started.
-chris
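A hardened version of the check Chris sketches above, added here as an example and not code from the thread: getRequestURI() is returned undecoded by the Servlet API, so the filter percent-decodes the path before looking for a ".." segment, and it logs each rejection so the attempts can be monitored. TraversalRejectFilter and hasDotDotSegment are names chosen for this example.

```java
import java.io.*;
import java.net.URLDecoder;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Added example, not code from the thread: rejects a request whose URI has a
 * ".." path segment once percent-decoded, so "%2e%2e" and "..%2f" are caught
 * as well as the literal form, while "..hidden" (which contains("..") would
 * also block) still passes.
 */
public class TraversalRejectFilter implements Filter {

    private FilterConfig config;        // kept for ServletContext.log()

    public void init(FilterConfig config) { this.config = config; }
    public void destroy() { config = null; }

    /** True when the decoded URI has a path segment that is exactly "..". */
    static boolean hasDotDotSegment(String rawUri) {
        String uri;
        try {
            uri = URLDecoder.decode(rawUri, "UTF-8");
        } catch (IllegalArgumentException e) {
            return true;                // malformed %xx escape: refuse it
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 always exists
        }
        String[] segments = uri.replace('\\', '/').split("/");
        for (int i = 0; i < segments.length; i++) {
            if (segments[i].equals("..")) return true;
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            // getRequestURI() is the raw, undecoded path (no query string)
            if (hasDotDotSegment(req.getRequestURI())) {
                config.getServletContext().log("Rejected traversal-style URI "
                        + req.getRequestURI() + " from " + req.getRemoteAddr());
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /* so every request passes through it. The query string and request body are outside getRequestURI(), so a servlet that builds file paths from parameters still needs its own check.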