Posted to users@tomcat.apache.org by "Lawlor, Frank" <Fr...@AthensGroup.com> on 2002/03/20 22:44:43 UTC

Tomcat Security Exposure

During development and deployment I discovered
that many types of errors while reading the web.xml
file would result in the app coming up (at least
partly), but with no security.

This seems like a serious security exposure in
a production environment.

I believe this is potentially a serious security
exposure and suggest that Tomcat should never
allow access to the app if it has any problems
reading the web.xml file or establishing any of
the security environment.

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.



--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
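
Added example, not part of the original post and not Tomcat code: a pre-deployment gate that fails closed in the way the message above suggests, rejecting a web.xml that does not parse or that declares no usable security configuration. The function names, the sample descriptors and the policy (every app must declare at least one constraint) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original post).
GOOD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
BROKEN = GOOD.replace("</auth-constraint>", "")  # mismatched tag: not well-formed
NO_LOGIN = GOOD.replace("<login-config><auth-method>BASIC</auth-method></login-config>", "")

def local(tag):
    """Strip an XML namespace so DTD-era and schema-era descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def check_descriptor(xml_text):
    """Return a list of problems; an empty list means deployment may proceed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"web.xml is not well-formed: {exc}"]  # fail closed on any parse error
    if local(root.tag) != "web-app":
        return [f"root element is <{local(root.tag)}>, expected <web-app>"]
    problems = []
    constraints = [e for e in root if local(e.tag) == "security-constraint"]
    if not constraints:
        problems.append("no <security-constraint> declared")
    uses_auth = False
    for i, sc in enumerate(constraints, 1):
        names = {local(e.tag) for e in sc.iter()}
        uses_auth = uses_auth or "auth-constraint" in names
        if "url-pattern" not in names:
            problems.append(f"constraint {i} protects no <url-pattern>")
        if not names & {"auth-constraint", "user-data-constraint"}:
            problems.append(f"constraint {i} restricts nothing")
    if uses_auth and not any(local(e.tag) == "login-config" for e in root):
        problems.append("<auth-constraint> used but no <login-config> declared")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN), ("NO_LOGIN", NO_LOGIN)):
        found = check_descriptor(text)
        print(name, "-> deploy" if not found else f"-> refuse: {found}")
```
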


Using Apache SSL to send requests to tomcat 3.2.4

Posted by Brandon Cruz <bc...@norvax.com>.
I have SSL set up in Apache so that all documents that are to be secured are
placed inside the .../httpsdocs directory for each virtual host.  Inside
server.xml, I have a Host set up as follows...

<Host name="www.wbgreen.com">
  <Context path=""
           docBase="/usr/local/apache/vhosts/wbgreen.com/httpdocs"
           crossContext="false"
           debug="0"
           reloadable="true">
  </Context>
</Host>

I need to specify a docbase somehow that points to
/usr/local/apache/vhosts/webgreen.com/httpsdocs.  Do I need to set up an
entirely new context and call it secure or something?  Is there a way that I
can specify that all https:// requests go to httpsdocs in the Apache or
mod_jk config?

Thanks in advance!

Brandon

