Posted to users@tomcat.apache.org by Felipe Schnack <fe...@ritterdosreis.br> on 2002/12/16 18:04:08 UTC
ContainerServlet interface
Hi all
I implemented a servlet that implements the ContainerServlet interface
from catalina.jar. I did this because I want to be able to loop through
all HttpSession objects in a server...
but for some strange reason I can't understand, when I start Tomcat
now I get an InvocationTargetException telling me that the ContainerServlet
interface was not found! Why does this happen? This jar is in the standard
Tomcat distribution...
BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
--
Felipe Schnack
Analista de Sistemas
felipes@ritterdosreis.br
Cel.: (51)91287530
Linux Counter #281893
Faculdade Ritter dos Reis
www.ritterdosreis.br
felipes@ritterdosreis.br
Fone/Fax.: (51)32303328
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: ContainerServlet interface
Posted by Tim Funk <fu...@joedog.org>.
If you are writing a sniffer on SessionObjects - make sure you protect it.
Or if your Session sniffer is inside of a webapp into which other programs
may introduce code - they have the ability to bypass other security
protections Tomcat has.
In a nutshell - I don't have specifics - it personally makes me uneasy.
YMMV.
-Tim
Felipe Schnack wrote:
> The security holes it opens are related to what programmers can do or
> related to end users of the application? Can you give me examples?
> You kinda worried me now :-)
>
> On Mon, 2002-12-16 at 15:44, Tim Funk wrote:
>
>>It is an attribute of <Context>. (The manager app and admin app have
>>this attribute set) I suggest being very careful since this can open
>>massive security holes (on your server) depending on your intentions.
>>
>>-Tim
>>
>>
>>Felipe Schnack wrote:
>>
>>> Nice to know...
>>> thanks a lot, but I should set which tag in server.xml? Context?
>>>On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
>>>
>>>
>>>>Because the catalina classes cannot be accessed directly by your
>>>>classloader. This is a security feature.
>>>>
>>>>Otherwise - anyone could write a servlet in a webapp and loop through
>>>>everyone else's sessions.
>>>>
>>>>If you *really* want to do this:
>>>>1 - Look at the manager app because it does access the Sessions (at
>>>>least the count of them)
>>>>2 - Your webapp will need to have [privileged="true"] in server.xml for
>>>>your webapp.
>>>>
>>>>-Tim
>>>>
>>>>Felipe Schnack wrote:
>>>>
>>>>
>>>>> Hi all
>>>>> I implemented a servlet that implements the ContainerServlet interface
>>>>> from catalina.jar. I did this because I want to be able to loop through
>>>>> all HttpSession objects in a server...
>>>>> but for some strange reason I can't understand, when I start Tomcat
>>>>> now I get an InvocationTargetException telling me that the ContainerServlet
>>>>> interface was not found! Why does this happen? This jar is in the standard
>>>>> Tomcat distribution...
>>>>> BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
>>>>>
Re: ContainerServlet interface
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On 16 Dec 2002, Felipe Schnack wrote:
> Date: 16 Dec 2002 15:43:09 -0200
> From: Felipe Schnack <fe...@ritterdosreis.br>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Re: ContainerServlet interface
>
> The security holes it opens are related to what programmers can do or
> related to end users of the application? Can you give me examples?
> You kinda worried me now :-)
Setting privileged=true lets your webapp call any method on any internal
Catalina object. Among other things, that lets you affect *other*
webapps. After all, the Manager servlet uses this facility to deploy and
undeploy them, and the Admin webapp uses this facility to configure the
server.
Craig
Re: ContainerServlet interface
Posted by Felipe Schnack <fe...@ritterdosreis.br>.
The security holes it opens are related to what programmers can do or
related to end users of the application? Can you give me examples?
You kinda worried me now :-)
On Mon, 2002-12-16 at 15:44, Tim Funk wrote:
> It is an attribute of <Context>. (The manager app and admin app have
> this attribute set) I suggest being very careful since this can open
> massive security holes (on your server) depending on your intentions.
>
> -Tim
>
>
> Felipe Schnack wrote:
> > Nice to know...
> > thanks a lot, but I should set which tag in server.xml? Context?
> > On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> >
> >>Because the catalina classes cannot be accessed directly by your
> >>classloader. This is a security feature.
> >>
> >>Otherwise - anyone could write a servlet in a webapp and loop through
> >>everyone else's sessions.
> >>
> >>If you *really* want to do this:
> >>1 - Look at the manager app because it does access the Sessions (at
> >>least the count of them)
> >>2 - Your webapp will need to have [privileged="true"] in server.xml for
> >>your webapp.
> >>
> >>-Tim
> >>
> >>Felipe Schnack wrote:
> >>
> >>> Hi all
> >>> I implemented a servlet that implements the ContainerServlet interface
> >>> from catalina.jar. I did this because I want to be able to loop through
> >>> all HttpSession objects in a server...
> >>> but for some strange reason I can't understand, when I start Tomcat
> >>> now I get an InvocationTargetException telling me that the ContainerServlet
> >>> interface was not found! Why does this happen? This jar is in the standard
> >>> Tomcat distribution...
> >>> BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
> >>>
Re: ContainerServlet interface
Posted by Tim Funk <fu...@joedog.org>.
It is an attribute of <Context>. (The manager app and admin app have
this attribute set) I suggest being very careful since this can open
massive security holes (on your server) depending on your intentions.
-Tim
Felipe Schnack wrote:
> Nice to know...
> thanks a lot, but I should set which tag in server.xml? Context?
> On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
>
>>Because the catalina classes cannot be accessed directly by your
>>classloader. This is a security feature.
>>
>>Otherwise - anyone could write a servlet in a webapp and loop through
>>everyone else's sessions.
>>
>>If you *really* want to do this:
>>1 - Look at the manager app because it does access the Sessions (at
>>least the count of them)
>>2 - Your webapp will need to have [privileged="true"] in server.xml for
>>your webapp.
>>
>>-Tim
>>
>>Felipe Schnack wrote:
>>
>>> Hi all
>>> I implemented a servlet that implements the ContainerServlet interface
>>> from catalina.jar. I did this because I want to be able to loop through
>>> all HttpSession objects in a server...
>>> but for some strange reason I can't understand, when I start Tomcat
>>> now I get an InvocationTargetException telling me that the ContainerServlet
>>> interface was not found! Why does this happen? This jar is in the standard
>>> Tomcat distribution...
>>> BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
>>>
Re: ContainerServlet interface
Posted by Felipe Schnack <fe...@ritterdosreis.br>.
Nice to know...
thanks a lot, but I should set which tag in server.xml? Context?
On Mon, 2002-12-16 at 15:19, Tim Funk wrote:
> Because the catalina classes cannot be accessed directly by your
> classloader. This is a security feature.
>
> Otherwise - anyone could write a servlet in a webapp and loop through
> everyone else's sessions.
>
> If you *really* want to do this:
> 1 - Look at the manager app because it does access the Sessions (at
> least the count of them)
> 2 - Your webapp will need to have [privileged="true"] in server.xml for
> your webapp.
>
> -Tim
>
> Felipe Schnack wrote:
> > Hi all
> > I implemented a servlet that implements the ContainerServlet interface
> > from catalina.jar. I did this because I want to be able to loop through
> > all HttpSession objects in a server...
> > but for some strange reason I can't understand, when I start Tomcat
> > now I get an InvocationTargetException telling me that the ContainerServlet
> > interface was not found! Why does this happen? This jar is in the standard
> > Tomcat distribution...
> > BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
> >
Re: ContainerServlet interface
Posted by Tim Funk <fu...@joedog.org>.
Because the catalina classes cannot be accessed directly by your
classloader. This is a security feature.
Otherwise - anyone could write a servlet in a webapp and loop through
everyone else's sessions.
If you *really* want to do this:
1 - Look at the manager app because it does access the Sessions (at
least the count of them)
2 - Your webapp will need to have [privileged="true"] in server.xml for
your webapp.
-Tim
Felipe Schnack wrote:
> Hi all
> I implemented a servlet that implements the ContainerServlet interface
> from catalina.jar. I did this because I want to be able to loop through
> all HttpSession objects in a server...
> but for some strange reason I can't understand, when I start Tomcat
> now I get an InvocationTargetException telling me that the ContainerServlet
> interface was not found! Why does this happen? This jar is in the standard
> Tomcat distribution...
> BTW, I'm using Tomcat 4.1.12 on RedHat Linux 7.3
>
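The two steps Tim lists (follow the manager app's pattern, and mark the Context privileged="true" in server.xml), as an added example that is not code from the thread or from Tomcat itself. It is written against the Tomcat 4.1 org.apache.catalina interfaces named in the imports (ContainerServlet, Wrapper, Context, Manager, Session); the servlet class name, the context path and the docBase are assumptions. Like the manager app, it reports only a session count, limited to the Context it is deployed in, reads no session attributes, and refuses to serve if Catalina did not inject a Wrapper, which is what the privileged="true" attribute from step 2 is for.

```java
// Added example (not from the thread or Tomcat). Assumed server.xml entry:
//   <Context path="/sessionstats" docBase="sessionstats" privileged="true"/>
// and a web.xml <security-constraint> so only an administrative role can reach it.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

public class SessionCountServlet extends HttpServlet implements ContainerServlet {

    private Wrapper wrapper = null;   // injected by Catalina via setWrapper()
    private Context context = null;   // the Context this servlet is deployed in

    public Wrapper getWrapper() {
        return wrapper;
    }

    // ContainerServlet callback: the Wrapper's parent container is our Context.
    public void setWrapper(Wrapper wrapper) {
        this.wrapper = wrapper;
        context = (wrapper == null) ? null : (Context) wrapper.getParent();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Without privileged="true" no Wrapper is injected (and, as the original
        // question reports, the class may not even load); fail closed in that case.
        if (context == null) {
            throw new UnavailableException(
                "Context is not privileged; no Wrapper was injected");
        }
        Manager manager = context.getManager();
        if (manager == null) {
            throw new UnavailableException("Context has no session Manager");
        }

        // Only this Context's sessions are visited, and only their validity
        // is inspected; attributes stay private to their owning webapp.
        Session[] sessions = manager.findSessions();
        int active = 0;
        for (int i = 0; i < sessions.length; i++) {
            if (sessions[i].isValid()) {
                active++;
            }
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Context: " + context.getPath());
        out.println("Active sessions: " + active);
        out.println("Tracked sessions: " + sessions.length);
    }
}
```

Deploy it as its own small webapp rather than adding it to an existing one: as Craig's reply explains, privileged="true" lets every class in that webapp reach any internal Catalina object, so the attribute should cover as little code as possible, and the servlet should sit behind a web.xml security-constraint the way the manager app does.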