Posted to users@tomcat.apache.org by "Price, Erik" <ep...@ptc.com> on 2002/12/04 16:36:49 UTC

hiding servlet URLs in JSPs

Hi, simple question (I hope):

Does it really matter if someone can see the naked path to a servlet in the 
"action" attribute of an HTML <form> tag?  I mean, if I have this form:

<form method="POST" action="./servlet/SomeServlet">
	<!-- some input tags go here -->
</form>

anyone can see the URL to my servlet and attempt to send it data directly.  
At first I thought that this was a security problem and that I should 
obfuscate the path to the servlet somehow, but on second thought it strikes 
me that this is no different than someone seeing the path to a CGI script in 
a form either.

Any advice?


Erik

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


TC/Apache session tracking

Posted by Matt Sales <sa...@motoworld.com>.
Hello,
I've got a problem tracking sessions from Tomcat 4.1.12/Apache 2.0.40.

I can do all of the regular session stuff within Tomcat, but when I include
a tomcat page in a static html page, sessions are not persisted.  I'm using
mod_jk2 to connect the two...

ex:
<!--#include virtual="/tcapp/servlet/myServlet" -->

I get the output from myServlet, but every pass of the
session.isNew()
method returns true.

The sessions don't persist even if I include two servlets from the same
.shtml page.  This can't be right...  Is there a setting I'm missing?

Thanks in advance,
Matt




Re: hiding servlet URLs in JSPs

Posted by Pae Choi <pa...@earthlink.net>.
For the servlet part, the common use is 'alias'. And whether you use
CGI or Servlet, if you get a DDOS attack, you are out of luck.


Pae





Re: hiding servlet URLs in JSPs

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 4 Dec 2002, Price, Erik wrote:

> Date: Wed, 4 Dec 2002 10:36:49 -0500
> From: "Price, Erik" <ep...@ptc.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: hiding servlet URLs in JSPs
>
> Hi, simple question (I hope):
>
> Does it really matter if someone can see the naked path to a servlet in the
> "action" attribute of an HTML <form> tag?  I mean, if I have this form:
>
> <form method="POST" action="./servlet/SomeServlet">
> 	<!-- some input tags go here -->
> </form>
>
> anyone can see the URL to my servlet and attempt to send it data directly.
> At first I thought that this was a security problem and that I should
> obfuscate the path to the servlet somehow, but on second thought it strikes
> me that this is no different than someone seeing the path to a CGI script in
> a form either.
>

It is definitely true that malicious people can see the destination URL
and might try to maliciously send data.  Your application needs to include
measures to prevent this from causing you grief.

It is definitely not true that obfuscating the destination URL would make
a bit of difference -- your attacker can still see the obfuscated URL in
the action attribute of the <form> element, and make exactly the same
attack.

> Any advice?
>
>
> Erik
>

Craig
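As an added illustration of Craig's point (example code, not from this thread or from Tomcat): since the action URL cannot be hidden, the servlet treats every POST as untrusted and validates its fields server-side before acting on them. The class name SomeServlet and the single `username` field are assumed for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical SomeServlet (assumed name). Every field is validated here,
 * because a request can be sent from anywhere, not only from the page
 * that carried the <form>.
 */
public class SomeServlet extends HttpServlet {

    private static final int MAX_LEN = 64;

    /** Returns null when the value is acceptable, otherwise a short reason. */
    static String validateUsername(String value) {
        if (value == null || value.length() == 0) return "missing";
        if (value.length() > MAX_LEN) return "too long";
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!Character.isLetterOrDigit(c) && c != '_') return "bad character";
        }
        return null;
    }

    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The form uses POST; a bare GET is not an expected way to reach this servlet.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    public void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String problem = validateUsername(req.getParameter("username"));
        if (problem != null) {
            // Reject and log; never act on or echo the unvalidated value.
            log("rejected POST from " + req.getRemoteAddr() + ": username " + problem);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid input");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("ok");
    }
}
```

The same validation applies whether the servlet is reached through its raw `/servlet/SomeServlet` path or through an alias mapped in web.xml; the mapping changes only the URL, not who can send to it.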

