Posted to users@tomcat.apache.org by Koon Yue Lam <ki...@gmail.com> on 2004/11/11 08:08:43 UTC

How to secure my webapp under Tomcat?

Hi, I have developed a webapp using Tomcat and MySQL.

Now I DON'T want my client to browse my JSPs, servlets, database
structure, etc. ...

I want the entire webapp (and database) deployed only by me and not by others.

Are there any methods by which I can secure my webapp, to ensure my client
won't deploy it somewhere else or have someone else do so??

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: How to secure my webapp under Tomcat?

Posted by QM <qm...@brandxdev.net>.
On Thu, Nov 11, 2004 at 03:08:43PM +0800, Koon Yue Lam wrote:
: Now I DON'T want my client browse my JSPs, servlets and database
: structure etc ......
: 
: I want the entire webapp (and database) deployed only by me and not by others.
: 
: Is there any methods that I can secure my webapp to ensure my client
: won't deploy it to somewhere else by someone else??

Are you giving the finished product (say, a WAR file) to the client?
Then there's not a lot you can do from a technology standpoint.  You
could precompile your JSPs, remove them from the WAR, then obfuscate all
of the classes; but the database schema will still be wide open for
viewing if it is set up on one of the client's servers.

You do have some legal options, though.

Consult with an attorney, have them draft a contract -- essentially, a
license agreement -- for the clients to sign *before* you deliver the
product.  Make sure it is clearly stated what the clients can do with
the product, and what are the penalties if anyone goes outside of the
lines.  (The "don't reverse-engineer this product" clause has been
standard in software for quite a while.)

You'd have a hell of a time catching someone in the act, this is true;
but this is a risk you take when the software will be run outside of
your control.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com


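QM's technical suggestion (precompile the JSPs, ship only classes) is not worked out anywhere in the thread. The script below is an added example written for this page, not code from the list or from the Tomcat project: it runs Jasper's JspC over a webapp, compiles the generated servlets into WEB-INF/classes, merges the web.xml fragment JspC writes into the app's web.xml, and deletes the .jsp sources before the WAR is built. The JspC flags used (-uriroot, -d, -p, -webinc) are the documented ones; the $CATALINA_HOME jar layout, the jspc-src and jspc-web.xml scratch names and the use of the org.apache.jsp package are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: precompile a webapp's JSPs with
# Jasper's JspC so the WAR ships only .class files.  Assumes a Tomcat
# install in $CATALINA_HOME whose lib/ (common/lib on Tomcat 4 and 5)
# holds the jasper, servlet-api and jsp-api jars; jar names differ between
# releases, so they are globbed rather than named (assumption).
set -eu

# Join every jar found under the given directories into a classpath string.
classpath_from() {
    cp=""
    for dir in "$@"; do
        for jar in "$dir"/*.jar; do
            [ -f "$jar" ] || continue
            cp="${cp:+$cp:}$jar"
        done
    done
    printf '%s\n' "$cp"
}

# Run JspC over the webapp, then javac the generated servlets straight into
# WEB-INF/classes.  -webinc makes JspC write a web.xml fragment holding a
# <servlet> and <servlet-mapping> entry for every page it translated.
precompile_jsps() {
    webapp=$1; catalina_home=$2
    gen="$webapp/WEB-INF/jspc-src"          # scratch dir (assumed name)
    cp=$(classpath_from "$catalina_home/lib" "$catalina_home/common/lib" "$webapp/WEB-INF/lib")
    mkdir -p "$gen" "$webapp/WEB-INF/classes"
    java -cp "$cp" org.apache.jasper.JspC \
        -uriroot "$webapp" -d "$gen" -p org.apache.jsp \
        -webinc "$webapp/WEB-INF/jspc-web.xml"
    find "$gen" -name '*.java' > "$gen/sources.txt"
    javac -cp "$cp:$webapp/WEB-INF/classes" -d "$webapp/WEB-INF/classes" @"$gen/sources.txt"
    merge_web_inc "$webapp/WEB-INF/web.xml" "$webapp/WEB-INF/jspc-web.xml"
    strip_jsp_sources "$webapp" >/dev/null
    rm -rf "$gen" "$webapp/WEB-INF/jspc-web.xml"
}

# Insert the JspC fragment just before </web-app>.  Returns 1 when there is
# no closing tag to insert before, so a broken web.xml fails the build
# instead of producing a WAR whose pages all 404.
merge_web_inc() {
    webxml=$1; frag=$2
    grep -q '</web-app>' "$webxml" || return 1
    awk -v frag="$frag" '
        /<\/web-app>/ { while ((getline line < frag) > 0) print line; close(frag) }
        { print }
    ' "$webxml" > "$webxml.tmp" && mv "$webxml.tmp" "$webxml"
}

# Delete the JSP sources once their servlets are compiled; prints how many
# files were removed so the caller can sanity-check the count.
strip_jsp_sources() {
    n=$(find "$1" \( -name '*.jsp' -o -name '*.jspx' -o -name '*.jspf' \) -print | wc -l)
    find "$1" \( -name '*.jsp' -o -name '*.jspx' -o -name '*.jspf' \) -exec rm -f {} +
    echo "$n" | tr -d ' '
}

# Usage: sh precompile.sh /path/to/exploded/webapp "$CATALINA_HOME"
if [ $# -eq 2 ]; then
    precompile_jsps "$1" "$2"
fi
```

Two caveats. The servlet DTD orders every <servlet> before every <servlet-mapping>; the merge simply appends the fragment before </web-app>, which is fine when the container does not validate web.xml, otherwise move the generated entries into place by hand. And, as QM says, this only raises the bar: the precompiled servlets are ordinary class files and decompile as easily as the rest of the application, so obfuscation is a separate step and the database schema is untouched.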

SSL Not working properly

Posted by bi...@tcs.com.
Hi,
I have done everything to implement SSL on Tomcat as described in the SSL
HOW-TO. I have placed my keystore file in the Tomcat home directory and at
the path mentioned in server.xml, but I am still getting an error.
Please help???

[ERROR] Http11Protocol - -Error initializing endpoint <java.io.IOException: Keystore was tampered with, or password was incorrect>java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:737)
        at java.security.KeyStore.load(KeyStore.java:608)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:313)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:261)
        at org.apache.tomcat.util.net.jsse.JSSE13SocketFactory.init(JSSE13SocketFactory.java:129)


Catalina.start: LifecycleException:  Protocol handler initialization failed: java.io.IOException: Keystore was tampered with, or password was incorrect
LifecycleException:  Protocol handler initialization failed: java.io.IOException: Keystore was tampered with, or password was incorrect
        at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1231)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:579)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2246)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:511)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:180)


my server.xml is as follows:

.....

    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="100" debug="0" connectionTimeout="20000"
               useURIValidationHack="false" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
         to 0 -->

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <!-- Tomcat 4's CoyoteServerSocketFactory takes the keystore location
           and password from the keystoreFile and keystorePass attributes.
           The original mail spelled them keystroreFile and keystrorePass,
           names the factory does not recognise; corrected here. -->
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true"
               keystoreFile="c:\birendar\mykey.keystore" keystorePass="changeit"
               protocol="TLS" />
    </Connector>
.....




Birendar Singh Waldiya
Tata Consultancy Services Limited
Mailto: birendar.waldiya@tcs.com
Website: http://www.tcs.com



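The Factory element in the original mail spells the two keystore attributes keystroreFile and keystrorePass. Tomcat 4 only applies the attributes its CoyoteServerSocketFactory knows (algorithm, className, clientAuth, keystoreFile, keystorePass, keystoreType, protocol, per the Tomcat 4 SSL HOWTO); the misspelled pair never reaches the factory, which then falls back to the HOWTO's defaults, .keystore in the home directory of the user running Tomcat with the password changeit. "Keystore was tampered with, or password was incorrect" is the JKS integrity check failing on a file that was found and read, so if such a default keystore exists with a different password, this is exactly the exception you get, and it says nothing about c:\birendar\mykey.keystore. The script below is an added example written for this page, not code from the thread or from the Tomcat project: it lists the attribute names actually present on the Factory element, flags any Tomcat would not recognise, and then tries the configured keystore and password with keytool so a wrong password can be told apart from a missing or non-JKS file. The scratch file name and the exit-code scheme are my own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the SSL <Factory> element
# in a Tomcat 4 server.xml and its keystore before starting the server.
# Attribute names below are the ones the Tomcat 4 SSL HOWTO documents for
# CoyoteServerSocketFactory; anything else is not applied by Tomcat.

FACTORY_ATTRS="algorithm className clientAuth keystoreFile keystorePass keystoreType protocol"

# Print the attribute names on the first <Factory .../> element, one per
# line, even when the element is spread over several lines.
factory_attr_names() {
    tr '\n' ' ' < "$1" | grep -o '<Factory[^>]*>' | head -n 1 \
        | grep -o '[A-Za-z]*=' | sed 's/=$//'
}

# Name every attribute Tomcat would not recognise; return 1 if any found.
check_factory_attrs() {
    rc=0
    for name in $(factory_attr_names "$1"); do
        case " $FACTORY_ATTRS " in
            *" $name "*) ;;
            *) echo "unknown Factory attribute: $name"; rc=1 ;;
        esac
    done
    return $rc
}

# Print the value of one attribute (e.g. keystoreFile) of the Factory element.
factory_attr_value() {
    tr '\n' ' ' < "$1" | grep -o '<Factory[^>]*>' | head -n 1 \
        | sed -n 's/.*[[:space:]]'"$2"'="\([^"]*\)".*/\1/p'
}

# Open the keystore with the configured password.  Exit codes (own scheme):
#   0 keystore opens; 2 file missing; 3 keytool rejects it, i.e. wrong
#   password or not a JKS file; 4 keytool not on PATH, nothing checked.
check_keystore() {
    file=$1; pass=$2
    [ -f "$file" ] || return 2
    command -v keytool >/dev/null 2>&1 || return 4
    keytool -list -keystore "$file" -storepass "$pass" >/dev/null 2>&1 || return 3
}

# Usage: sh check-ssl.sh /path/to/server.xml
if [ $# -eq 1 ]; then
    check_factory_attrs "$1" || echo "fix the attribute names above; Tomcat will use its defaults instead"
    file=$(factory_attr_value "$1" keystoreFile)
    pass=$(factory_attr_value "$1" keystorePass)
    # Same fallbacks Tomcat applies when the attributes are absent.
    if check_keystore "${file:-$HOME/.keystore}" "${pass:-changeit}"; then
        echo "keystore opens with the configured password"
    else
        echo "keystore check failed with exit code $?"
    fi
fi
```

Two further points on the posted element. clientAuth="true" makes Tomcat demand a client certificate on every HTTPS connection, and a browser without one that Tomcat's truststore accepts will be refused; for ordinary server-side SSL it should be "false". And keystorePass sits in server.xml in clear text, so server.xml must be readable only by the account Tomcat runs as, and the keystore should not keep the default password changeit.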