
Tomcat 3.3.1a with IIS

Jack Ryan

Golden Member
Hi,

I am running Tomcat and IIS together on a Windows 2000 server. I have had a hard time using integrated Windows authentication with Tomcat. I just can't seem to get JSP files to recognize the security settings on the directories. Any other pages are handled by IIS, and it uses the authentication correctly.


For example:

index.jsp is available to ANYONE

index.html is available only to who I set in the security setting of the directory.

I want the *.jsp files to adhere to the security I set for the directories. Anyone have any insight on what I am doing wrong?

(I spent a lot of time fiddling with the XML files, but was unsuccessful)

Thanks
 
I double-checked that, and in fact I only have the users in the permissions I want to access the files. Seems like the redirector is bypassing the security and sending it right to Tomcat.
 
I've never run IIS and Tomcat together because I don't believe in IIS. (I'm on Apache 1.3.x and 2)

You basically have 2 levels of rights here: IIS File System Rights and Tomcat File System Rights. If you can set the rights on the folder to only be accessible from authenticated users from IIS and make sure none of the files are given any rights through additional means (like Tomcat configs or links from other files), it should be secure.

-Scar
 
I meant to mention that if you turn off the Follow Symbolic Links option it might prevent this access. I don't know what it's called in IIS because I don't care for Microsoft's Sh!tty security implementations from versions previous to WinServer 2003. Look at the symlinks and make sure they're disabled. There is a way for users that don't normally have access to gain access via that option.

Just try to disable most options you don't really need and you'll lock down your directories a little better too. I usually turn off autoindexing as a default too. You can also turn off autoindexing and take the index.jsp out of your default page listings too... that would at least require you to type the address or link to it through an HTML page.
 
Thanks for your reply. I tried what you said but I am still having issues. I just can't seem to find the setting that doesn't let the JSP files bypass the directory security.
 