Posted to users@tomcat.apache.org by "Nils O. Selåsdal" <no...@frisurf.no> on 2001/07/16 00:11:59 UTC

Need workaround for Tomcat security.

Ok, I needed to put some security constraints on a directory, so I added this
to my web.xml:
 <security-constraint>
      <display-name>UQoS Amin Area</display-name>
      <web-resource-collection>
         <web-resource-name>UQoS Amin Area</web-resource-name>
           <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
I use BASIC authentication with the memory realm.
It works as it is supposed to when someone goes to my http://xxx/webapp/Admin/ or
something below it. HOWEVER, if they type http://xxx/webapp//Admin/ (or even
more slashes), all security checks are bypassed and anyone is let right in!
(The same thing happens every time; try it with the 'security' example shipped with
Tomcat.)
Severe bug! I have posted it to Bugzilla. This applies to at least Tomcat
3.2.1 and 3.2.2.
And I need it fixed as soon as possible. Does anyone know a workaround for
this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be fixed there.)
-- 
Nils O. Selåsdal

Re: Can I connect to an Access database?

Posted by Jim Cheesman <jc...@msl.es>.
At 12:26 AM 17/07/01, you wrote:
>The standard JDBC-ODBC bridge works fine (as far as it goes).


Which is not very far, given that it's not a production-level driver. That
said, Access is not a production-level database, either ;)

Seriously though, if you try to have more than one (a couple?) of 
connections open at once you'll start getting SQLExceptions all over the place.

Jim


>  - A
>
>On Mon, Jul 16, 2001 at 03:31:28PM -0500, Brandon Cruz wrote:
> > Does anyone know of a free driver that I can use to connect via jdbc from
> > Tomcat to a Microsoft Access database?  I have looked in the database on
> > java.sun.com, but there are 15 different choices.  Just looking for some
> > help on which direction to go.  Is this simple, or should I stay away from
> > connecting to access via jdbc entirely?
> >
> > Brandon Cruz
> > Norvax Inc.
> > www.norvax.com
>
>--
>Alex Chaffee                       mailto:alex@jguru.com
>jGuru - Java News and FAQs         http://www.jguru.com/alex/
>Creator of Gamelan                 http://www.gamelan.com/
>Founder of Purple Technology       http://www.purpletech.com/
>Curator of Stinky Art Collective   http://www.stinky.com/


--

* Jim Cheesman *
Work: jchees@msl.es - (34)(91) 724 9200 x 2360
In retrospect it becomes clear that hindsight is definitely overrated



Re: Can I connect to an Access database?

Posted by gu...@stinky.com.
The standard JDBC-ODBC bridge works fine (as far as it goes).

 - A

On Mon, Jul 16, 2001 at 03:31:28PM -0500, Brandon Cruz wrote:
> Does anyone know of a free driver that I can use to connect via jdbc from
> Tomcat to a Microsoft Access database?  I have looked in the database on
> java.sun.com, but there are 15 different choices.  Just looking for some
> help on which direction to go.  Is this simple, or should I stay away from
> connecting to access via jdbc entirely?
> 
> Brandon Cruz
> Norvax Inc.
> www.norvax.com

-- 
Alex Chaffee                       mailto:alex@jguru.com
jGuru - Java News and FAQs         http://www.jguru.com/alex/
Creator of Gamelan                 http://www.gamelan.com/
Founder of Purple Technology       http://www.purpletech.com/
Curator of Stinky Art Collective   http://www.stinky.com/

Re: Need workaround for Tomcat security.

Posted by "Nils O. Selåsdal" <no...@frisurf.no>.
On Monday 16 July 2001 21:39, you wrote:
> Jeff,
>    TC 3.2.1 on linux.
>    Apache and mod_jk
> It seems to me (without having had a chance to check)
> that this must be a misconfig at the apache
> and apache/tomcat end of things rather than a tomcat bug as such.
>
> Any thoughts? It would be a pretty big hole if it was a genuine
> bug.
I did not have Apache or mod_jk; it was a plain Tomcat 3.2.2 installation.
The hole is there. And it is big ;(

Re: Need workaround for Tomcat security.

Posted by Jeff Kilbride <je...@kilbride.com>.
Hi Andrew,

I know that there were some security-related problems with 3.2.1 and certain
URLs. I think a bug was found and fixed right around the time of 3.2.2 beta
5. I would suggest upgrading to 3.2.2. It's very painless -- all config
files stay the same, just copy your old ones into your 3.2.2 install
directory and change TOMCAT_HOME. I'm not seeing the problem on my
installation (TC 3.2.2, Linux, apache, mod_jk).

Thanks,
--jeff

----- Original Message -----
From: "Andrew Robson" <an...@playaday.com>
To: <to...@jakarta.apache.org>
Sent: Monday, July 16, 2001 1:39 PM
Subject: Re: Need workaround for Tomcat security.


> Jeff,
>    TC 3.2.1 on linux.
>    Apache and mod_jk
> It seems to me (without having had a chance to check)
> that this must be a misconfig at the apache
> and apache/tomcat end of things rather than a tomcat bug as such.
>
> Any thoughts? It would be a pretty big hole if it was a genuine
> bug.
>
> andrew
>
> On Mon, 16 Jul 2001, you wrote:
> > Andrew,
> >
> > What version of Tomcat did this affect Form-based authentication on? I tried
> > the URL patterns mentioned on my Form-based Realm, and the Realm worked
> > correctly -- no security problems. I'm using TC 3.2.2 on Linux.
> >
> > Thanks,
> > --jeff
> >
> > ----- Original Message -----
> > From: "Andrew Robson" <an...@playaday.com>
> > To: <to...@jakarta.apache.org>
> > Sent: Monday, July 16, 2001 7:29 AM
> > Subject: Re: Need workaround for Tomcat security.
> >
> >
> > > Hi,
> > >   No workaround I'm afraid. I can confirm that the problem
> > > affects form-based JDBCRealm as well. Tried putting
> > > */admin/* into url pattern and broke security completely.
> > > I wonder whether a JkMount directive with appropriately
> > > placed wildcards might work but haven't had time to try.
> > > I'd be very interested if you find a solution.
> > > Presumably no-one on the list has one?
> > >
> > > andrew
> > >
> > > On Sun, 15 Jul 2001, you wrote:
> > > > Ok, I needed to put some security constraints on a directory, so I added
> > > > this to my web.xml:
> > > >  <security-constraint>
> > > >       <display-name>UQoS Amin Area</display-name>
> > > >       <web-resource-collection>
> > > >          <web-resource-name>UQoS Amin Area</web-resource-name>
> > > >            <url-pattern>/admin/*</url-pattern>
> > > >       </web-resource-collection>
> > > > I use BASIC authentication with the memory realm.
> > > > It works as it is supposed to when someone goes to my
> > > > http://xxx/webapp/Admin/ or something below it. HOWEVER, if they type
> > > > http://xxx/webapp//Admin/ (or even more slashes), all security checks
> > > > are bypassed and anyone is let right in!
> > > > (The same thing happens every time; try it with the 'security' example
> > > > shipped with Tomcat.)
> > > > Severe bug! I have posted it to Bugzilla. This applies to at least
> > > > Tomcat 3.2.1 and 3.2.2.
> > > > And I need it fixed as soon as possible. Does anyone know a workaround
> > > > for this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be
> > > > fixed there.)
> > > > --
> > > > Nils O. Selåsdal
> > > --
> > >
> > > Andrew Robson
> > >
> > >
> > >
> --
>
>
>


Re: Need workaround for Tomcat security.

Posted by Andrew Robson <an...@playaday.com>.
Jeff,
   TC 3.2.1 on linux. 
   Apache and mod_jk
It seems to me (without having had a chance to check)
that this must be a misconfig at the apache  
and apache/tomcat end of things rather than a tomcat bug as such.

Any thoughts? It would be a pretty big hole if it was a genuine
bug.

andrew
  
On Mon, 16 Jul 2001, you wrote:
> Andrew,
> 
> What version of Tomcat did this affect Form-based authentication on? I tried
> the URL patterns mentioned on my Form-based Realm, and the Realm worked
> correctly -- no security problems. I'm using TC 3.2.2 on Linux.
> 
> Thanks,
> --jeff
> 
> ----- Original Message -----
> From: "Andrew Robson" <an...@playaday.com>
> To: <to...@jakarta.apache.org>
> Sent: Monday, July 16, 2001 7:29 AM
> Subject: Re: Need workaround for Tomcat security.
> 
> 
> > Hi,
> >   No workaround I'm afraid. I can confirm that the problem
> > affects form-based JDBCRealm as well. Tried putting
> > */admin/* into url pattern and broke security completely.
> > I wonder whether a JkMount directive with appropriately
> > placed wildcards might work but haven't had time to try.
> > I'd be very interested if you find a solution.
> > Presumably no-one on the list has one?
> >
> > andrew
> >
> > On Sun, 15 Jul 2001, you wrote:
> > > Ok, I needed to put some security constraints on a directory, so I added
> > > this to my web.xml:
> > >  <security-constraint>
> > >       <display-name>UQoS Amin Area</display-name>
> > >       <web-resource-collection>
> > >          <web-resource-name>UQoS Amin Area</web-resource-name>
> > >            <url-pattern>/admin/*</url-pattern>
> > >       </web-resource-collection>
> > > I use BASIC authentication with the memory realm.
> > > It works as it is supposed to when someone goes to my
> > > http://xxx/webapp/Admin/ or something below it. HOWEVER, if they type
> > > http://xxx/webapp//Admin/ (or even more slashes), all security checks
> > > are bypassed and anyone is let right in!
> > > (The same thing happens every time; try it with the 'security' example
> > > shipped with Tomcat.)
> > > Severe bug! I have posted it to Bugzilla. This applies to at least
> > > Tomcat 3.2.1 and 3.2.2.
> > > And I need it fixed as soon as possible. Does anyone know a workaround
> > > for this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be
> > > fixed there.)
> > > --
> > > Nils O. Selåsdal
> > --
> >
> > Andrew Robson
> >
> >
> >
-- 




Can I connect to an Access database?

Posted by Brandon Cruz <bc...@norvax.com>.
Does anyone know of a free driver that I can use to connect via jdbc from
Tomcat to a Microsoft Access database?  I have looked in the database on
java.sun.com, but there are 15 different choices.  Just looking for some
help on which direction to go.  Is this simple, or should I stay away from
connecting to access via jdbc entirely?

Brandon Cruz
Norvax Inc.
www.norvax.com


Re: Need workaround for Tomcat security.

Posted by Jeff Kilbride <je...@kilbride.com>.
Andrew,

What version of Tomcat did this affect Form-based authentication on? I tried
the URL patterns mentioned on my Form-based Realm, and the Realm worked
correctly -- no security problems. I'm using TC 3.2.2 on Linux.

Thanks,
--jeff

----- Original Message -----
From: "Andrew Robson" <an...@playaday.com>
To: <to...@jakarta.apache.org>
Sent: Monday, July 16, 2001 7:29 AM
Subject: Re: Need workaround for Tomcat security.


> Hi,
>   No workaround I'm afraid. I can confirm that the problem
> affects form-based JDBCRealm as well. Tried putting
> */admin/* into url pattern and broke security completely.
> I wonder whether a JkMount directive with appropriately
> placed wildcards might work but haven't had time to try.
> I'd be very interested if you find a solution.
> Presumably no-one on the list has one?
>
> andrew
>
> On Sun, 15 Jul 2001, you wrote:
> > Ok, I needed to put some security constraints on a directory, so I added
> > this to my web.xml:
> >  <security-constraint>
> >       <display-name>UQoS Amin Area</display-name>
> >       <web-resource-collection>
> >          <web-resource-name>UQoS Amin Area</web-resource-name>
> >            <url-pattern>/admin/*</url-pattern>
> >       </web-resource-collection>
> > I use BASIC authentication with the memory realm.
> > It works as it is supposed to when someone goes to my
> > http://xxx/webapp/Admin/ or something below it. HOWEVER, if they type
> > http://xxx/webapp//Admin/ (or even more slashes), all security checks
> > are bypassed and anyone is let right in!
> > (The same thing happens every time; try it with the 'security' example
> > shipped with Tomcat.)
> > Severe bug! I have posted it to Bugzilla. This applies to at least
> > Tomcat 3.2.1 and 3.2.2.
> > And I need it fixed as soon as possible. Does anyone know a workaround
> > for this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be
> > fixed there.)
> > --
> > Nils O. Selåsdal
> --
>
> Andrew Robson
>
>
>


Integrating tomcat with a notes server

Posted by Brandon Cruz <bc...@norvax.com>.
Does anyone have any experience integrating Tomcat with a Lotus Notes
server? I am looking to do this for an intranet application and wanted to
see if anyone has experience with this...

Brandon Cruz
Norvax Inc.
www.norvax.com


Re: Need workaround for Tomcat security.

Posted by Andrew Robson <an...@playaday.com>.
Hi,
  No workaround I'm afraid. I can confirm that the problem
affects form-based JDBCRealm as well. Tried putting
*/admin/* into url pattern and broke security completely.
I wonder whether a JkMount directive with appropriately
placed wildcards might work but haven't had time to try.
I'd be very interested if you find a solution. 
Presumably no-one on the list has one?

andrew 

On Sun, 15 Jul 2001, you wrote:
> Ok, I needed to put some security constraints on a directory, so I added this
> to my web.xml:
>  <security-constraint>
>       <display-name>UQoS Amin Area</display-name>
>       <web-resource-collection>
>          <web-resource-name>UQoS Amin Area</web-resource-name>
>            <url-pattern>/admin/*</url-pattern>
>       </web-resource-collection>
> I use BASIC authentication with the memory realm.
> It works as it is supposed to when someone goes to my http://xxx/webapp/Admin/ or
> something below it. HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> more slashes), all security checks are bypassed and anyone is let right in!
> (The same thing happens every time; try it with the 'security' example shipped with
> Tomcat.)
> Severe bug! I have posted it to Bugzilla. This applies to at least Tomcat
> 3.2.1 and 3.2.2.
> And I need it fixed as soon as possible. Does anyone know a workaround for
> this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be fixed there.)
> --
> Nils O. Selåsdal
-- 

Andrew Robson         
	



Tomcat & Frames

Posted by RV Tobin <rv...@home.com>.
Corey, have you had a response to that bug report you filed regarding the
problem with Tomcat and frames not loading correctly?  It seems that the
problem gets better for a while, which makes you think that something you
did fixed it, when in reality, it is just lying dormant like some gestating
alien life form waiting for the right point in development where it can
burst forth again.

Sometimes, restarting Tomcat and Apache helps.  Sometimes I reboot the whole
machine, and other times, even that does not work.  Then, I just have to
wait until it decides to play nice again.  It is always the .jsp pages that
don't load, though.  The frame containing the .html page loads fine, and
that has a link to another .html page which also loads fine when clicked.

Val


Re: Need workaround for Tomcat security.

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Sun, 15 Jul 2001, Nils O. Selåsdal wrote:

> Ok, I needed to put some security constraints on a directory, so I added this
> to my web.xml:
>  <security-constraint>
>       <display-name>UQoS Amin Area</display-name>
>       <web-resource-collection>
>          <web-resource-name>UQoS Amin Area</web-resource-name>
>            <url-pattern>/admin/*</url-pattern>
>       </web-resource-collection>
> I use BASIC authentication with the memory realm.
> It works as it is supposed to when someone goes to my http://xxx/webapp/Admin/ or
> something below it. HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> more slashes), all security checks are bypassed and anyone is let right in!
> (The same thing happens every time; try it with the 'security' example shipped with
> Tomcat.)
> Severe bug! I have posted it to Bugzilla. This applies to at least Tomcat
> 3.2.1 and 3.2.2.
> And I need it fixed as soon as possible. Does anyone know a workaround for
> this one? (I'd rather not upgrade to Tomcat 4 yet; it seems to be fixed there.)

It's not completely fixed in 4 -- some request URI paths still let you in.

> -- 
> Nils O. Selåsdal
> 

Yep ... it is a serious bug, affecting all versions of Tomcat, and there
is no workaround.  The problem relates to the fact that "normalization" of
the request URI (i.e. removing "//" and "/./", and compacting "/../") is
not being performed consistently.  This is going to be fixed (in all
versions) such that the request URI received by the server will be
normalized *before* being used to map to a servlet, or to select a
security constraint.  As a side effect, the value returned when you call
request.getRequestURI() will always be normalized.

Look for announcements of the availability of patched versions shortly.

Craig McClanahan
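The fix Craig describes (normalize the request URI before it is used to select a servlet or a security constraint) is easy to see in miniature. The Python below is an added illustration for this thread, not Tomcat's code and not from anyone posting here. It assumes a context path of /webapp and a constructed constraint table mirroring the web.xml quoted above; the url-pattern matching follows the Servlet specification's exact, path-prefix, extension and default rules. Calling check_request with normalize=False maps the raw URI as-is and reproduces the bypass reported in the thread; the default normalizes first, so "//", "/./" and "/../" variants of a protected path all land on the constraint, and a path that climbs above the root is rejected outright.

```python
"""Added illustration: normalize the request URI before mapping it to a
security constraint. Not Tomcat's code; constraints are constructed."""

from typing import List, Optional

# Constructed to mirror the <security-constraint> quoted in the thread:
# every context-relative path under /admin requires authentication.
CONSTRAINTS = [
    {"name": "UQoS Admin Area", "patterns": ["/admin/*"]},
]


def normalize_uri(path: str) -> Optional[str]:
    """Return the normalized form of an absolute request path, or None when
    the path would climb above "/" (such a request should be rejected).

    Empty segments (from "//" or a trailing "/") and "." are dropped; ".."
    pops the previous segment. A trailing slash is preserved so that
    "/admin/" and "/admin" stay distinct, as they are for servlet mapping.
    """
    if not path.startswith("/"):
        return None
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # would escape above the root
            segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    trailing = path.endswith(("/", "/.", "/.."))
    if trailing and result != "/":
        result += "/"
    return result


def matches_pattern(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path-prefix ("/x/*"),
    extension ("*.jsp") and the default pattern ("/")."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def check_request(request_uri: str, context_path: str = "/webapp",
                  normalize: bool = True) -> str:
    """Decide what the container does with request_uri for one context.

    Returns "reject" (path escapes the root or is not absolute),
    "protected" (a security constraint applies, so authentication is
    required) or "open". With normalize=False the raw URI is matched
    as-is, which reproduces the bypass reported in the thread.
    """
    uri = normalize_uri(request_uri) if normalize else request_uri
    if uri is None:
        return "reject"
    # Strip the context path to obtain the context-relative path that the
    # url-patterns in web.xml are written against.
    if uri == context_path:
        relative = "/"
    elif uri.startswith(context_path + "/"):
        relative = uri[len(context_path):]
    else:
        return "open"  # not this web application at all
    for constraint in CONSTRAINTS:
        if any(matches_pattern(p, relative) for p in constraint["patterns"]):
            return "protected"
    return "open"


if __name__ == "__main__":
    for uri in ("/webapp/admin/index.jsp", "/webapp//admin/index.jsp",
                "/webapp/./admin/", "/webapp/pub/../admin/x.jsp",
                "/webapp/../../x"):
        print(f"{uri:30} raw={check_request(uri, normalize=False):9} "
              f"normalized={check_request(uri)}")
```

The two-argument shape of check_request is the point: the decision depends on which string is handed to the constraint matcher, and the only safe order is normalize first, then map. A filter that normalizes after the constraint has already been selected does nothing for the cases above.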