Posted to dev@tomcat.apache.org by Christian Schulz <Sc...@Devcon-Mail.de> on 2001/02/27 23:56:09 UTC

TomCat - IIS - Security

Hello, 

When using Tomcat with IIS, we have a "security hole". 

We installed Tomcat as described in the documentation. 

The following scenario may show our problem: 

We have a folder reachable as http://ourserver/secretfolder/ with NT Security
permissions set for user "foo" and user "bar" (both have "rw"). 

We have a subfolder reachable as http://ourserver/secretfolder/moresecret
with NT Security permissions set for user "bar" ("rw").

Both folders contain two files, test.html and test.jsp.

If the user "foo" or user "bar" calls http://ourserver/secretfolder/test.html,
they both can see the page. If a user "foobar" calls the URL, he gets an error
because he is not authenticated.

If the user "foobar" calls http://ourserver/secretfolder/test.jsp, he can see
the page, even though he is not permitted by NT Security!

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.html, he
gets an error because he is not authenticated.

If the user "foo" calls http://ourserver/secretfolder/moresecret/test.jsp, he
can see the page, even though he should not because he is not permitted.

I think the problem is the redirector DLL. Before checking any file-based
security, IIS passes the request (or URL) to the redirector filter. If the URL
contains a JSP, the filter recognizes it and passes the request to Tomcat.
Tomcat does no file-based security check, as would be possible in IIS, and
returns the response.

In my opinion, the redirector DLL has to check whether "anonymous" access is
allowed by IIS; if so, everything is OK (really?). If "anonymous" access is not
allowed by IIS for that file/directory, it has to check whether the current
user (which will be "anonymous" or none on the first call) is allowed to access
the file/directory, and if not, an UNAUTHORIZED error has to be returned. If
this happens, Internet Explorer as the client will request the page again, but
passing the current NT user account to the server. The redirector has to check
everything again and only return the response if the user has rights on the
directory/file.

Am I right? If so, is there a solution?

Bye

    Christian
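The following is an added model of the ordering problem the post describes; it is not code from the post, from Tomcat, or from the ISAPI redirector DLL. It assumes a simplified world: NT file permissions are a table mapping a folder to the users allowed to read it (with a literal "anonymous" entry standing for IIS anonymous access), the redirector is a function that decides a request's fate, and Internet Explorer's behaviour is reduced to "try anonymously first, retry with the NT account on 401". The folder names, users and the /public folder are constructed for the illustration. The two redirector functions differ only in whether NT security is consulted before a .jsp request is handed to Tomcat, which is exactly the gap the post reports and the check it proposes.

```python
"""Model of the JSP authorization bypass between IIS and the Tomcat redirector.

Constructed example: nothing here talks to IIS or Tomcat. NT ACLs are a dict,
the redirector filter is a function, and HTTP status codes stand for outcomes.
"""

ANONYMOUS = "anonymous"  # a request carrying no NT credentials

# Constructed ACL table mirroring the post: /secretfolder is readable by foo
# and bar, /secretfolder/moresecret only by bar. /public is an assumed folder
# on which IIS anonymous access is enabled, to show the "anonymous is fine" path.
ACLS = {
    "/secretfolder": {"foo", "bar"},
    "/secretfolder/moresecret": {"bar"},
    "/public": {ANONYMOUS},
}


def folder_of(path: str) -> str:
    """Strip the file name: '/a/b/test.jsp' -> '/a/b'."""
    return path.rsplit("/", 1)[0] or "/"


def nt_allows(path: str, user: str) -> bool:
    """The check IIS applies to a static file before serving it.

    Anonymous access is honoured only where the folder explicitly grants it;
    otherwise the request must carry an NT account that is in the ACL.
    """
    allowed = ACLS.get(folder_of(path), set())
    if ANONYMOUS in allowed:
        return True
    return user != ANONYMOUS and user in allowed


def iis_static_handler(path: str, user: str) -> int:
    """IIS serves test.html only after the NT file-security check passes."""
    return 200 if nt_allows(path, user) else 401


def tomcat(path: str) -> int:
    """Tomcat renders the JSP; it has no view of NT file permissions."""
    return 200


def vulnerable_redirector(path: str, user: str) -> int:
    """Filter runs before IIS's file check and forwards *.jsp unchecked.

    This is the behaviour the post reports: any caller, including an
    unauthenticated one, gets the JSP rendered.
    """
    if path.endswith(".jsp"):
        return tomcat(path)
    return iis_static_handler(path, user)


def hardened_redirector(path: str, user: str) -> int:
    """The check the post proposes: consult NT security before forwarding.

    An anonymous caller on a protected folder gets 401, which is what makes
    the browser retry with the user's NT account.
    """
    if path.endswith(".jsp"):
        if not nt_allows(path, user):
            return 401
        return tomcat(path)
    return iis_static_handler(path, user)


def browser_fetch(redirector, path: str, nt_user: str) -> int:
    """IE-style fetch: first request is anonymous; on 401 retry with credentials."""
    status = redirector(path, ANONYMOUS)
    if status == 401 and nt_user != ANONYMOUS:
        status = redirector(path, nt_user)
    return status


if __name__ == "__main__":
    # Walk the scenario from the post for both redirector behaviours.
    cases = [
        ("/secretfolder/test.html", "foobar"),
        ("/secretfolder/test.jsp", "foobar"),
        ("/secretfolder/moresecret/test.html", "foo"),
        ("/secretfolder/moresecret/test.jsp", "foo"),
        ("/secretfolder/moresecret/test.jsp", "bar"),
        ("/public/index.jsp", ANONYMOUS),
    ]
    print(f"{'path':40} {'user':10} {'vulnerable':>10} {'hardened':>9}")
    for path, user in cases:
        v = browser_fetch(vulnerable_redirector, path, user)
        h = browser_fetch(hardened_redirector, path, user)
        print(f"{path:40} {user:10} {v:>10} {h:>9}")
```

Running the script prints one row per request from the post. In the "vulnerable" column every .jsp row is 200 regardless of the caller, while the matching .html row for an unpermitted user is 401; in the "hardened" column the .jsp rows follow the NT ACL exactly as the .html rows do, and the anonymous request to the assumed /public folder still succeeds because anonymous access is granted there.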