Tomcat 3.3.1a with IIS

Toggle sidebar Toggle sidebar
J

Jack Ryan

Golden Member
Jun 11, 2004
1,353
0
0
Hi,

I am running tomcat and IIS together on a windows 2000 server. I have had a hard time using integrated windows authentication with tomcat. I just can't seem to get jsp files to recognize the security settings on the directories. Any other pages are handled by IIS, and it uses the authentication correctly.


For example:

index.jsp is available to ANYONE

index.html is available only to who I set in the security setting of the directory.

I want the *.jsp files to adhere to the security I set for the directories, anyone have any insight on what I am doing wrong?

(I spent a lot of time fiddling with the xml files, but was unsuccessful)

Thanks
 
sao123

sao123

Lifer
May 27, 2002
12,653
205
106
remove the inherited everyone from the permissions of the directory and the jsp file.
 
J

Jack Ryan

Golden Member
Jun 11, 2004
1,353
0
0
I doubled checked that, and in fact I only have the users in the permissions I want to access the files. Seems like the redirector is bypassing the security and sending it right to tomcat.
 
Scarpozzi

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
I've never run IIS and Tomcat together because I don't believe in IIS. (I'm on Apache 1.3.x and 2)

You basically have 2 levels of rights here....IIS File Systems Rights and Tomcat File System Rights. If you can set the rights on the folder to only be accessible from authenticated users from IIS and make sure non of the files are given any rights through additional means (like Tomcat configs or links from other files), it should be secure.

-Scar
 
Scarpozzi

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
I meant to mention that if you turn off the Follow Symbolic Links option it might prevent this access. I don't know what it's called in IIS because I don't care for Microsofts Sh!tty security implementations from versions previous to WinServer 2003. Look at the symlinks and make sure they're disabled. There is a way for users that don't normally have access to gain access via that option.

Just try to disable most options you don't really need and you'll lock down your directories a little better too. I usually turn off autoindexing as a default too. You can also turn off auto indexing, take the index.jsp out of your default page listings too...that would at least require you to type the address or link to it through an html page.
 
J

Jack Ryan

Golden Member
Jun 11, 2004
1,353
0
0
thanks for your reply, I tried what you said but I am still having issues, I just can't seem to find the setting that doesn't let the jsp files bypass the directory security.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom