Re: Heavy Security Issue

[Marco Caramma <marco () etrading-colombia com>]

On Thu, 2005-08-04 at 08:20 -0500, Dan Simon wrote:
> Two thoughts:
>
> 1.  Please do let us know what servlet engine you are using (as someone
> else suggested).
>
> 2.  I would also recommend that you look into implementing a proper MVC
> architecture for your code.  I prefer the Spring Framework
> (www.springframework.org), but that's just me...I find it clean, simple,
> and elegant.
>
> By implementing a proper MVC architecture for your JSP application, you
> can prevent access to the JSP files entirely -- with only the servlet
> engine itself allowed to view the files.  It also encourages proper
> separation of code from the UI.  Some very, very nice ideas for the
> security-minded.

just to complement the information ... IMHO a full set of tools to have
J2EE development done in the wright way - "clean, simple, elegant and
security-minded" - is using all together
 Spring Framework + Hibernate ORM + Apache Tapestry + Acegi Security

> Dan Simon
> C|EH, SCJP, SCJD
> Remington Associates, Ltd.
> http://www.remingtonltd.com
>
> > Hi Guys!
> >
> > My name is Jonathan, I am really pleased to let you
> > know that I love your security site, it really help us
> > the developers to find out many of our security
> > doubts.
> >
> > One more time I am recurring for your help, the issue
> > is the following:
> >
> > I have an apache server and an app. running on it, but
> > I recently found a little problem that consist in the
> > following:
> >
> > - When I make a request for the following JSP for
> > example:
> > http://XX.XX.XX.XX:8081/en/dynapage/scripts/page.jsp
> > the Jsp is interpreted and the request is successful
> > an html is displayed in the browser.
> >
> > - But at the time I add a forward slash ether after
> > the "en" or "dynapage" for example request must look
> > as the following:
> > http://XX.XX.XX.XX:8081/en//dynapage/scripts/page.jsp
> > http://XX.XX.XX.XX:8081//en/dynapage/scripts/page.jsp
> > what I get is a "download file" window that lets me
> > download the .jsp file and view the source code :(
> >
> > Could you please help me know if this is a missing
> > configuration in my apache httpd or if is a bug of
> > this same technology.
> >
> > Thank you in advance guys!
> > hope to hear you soon
> >
> > Jonathan Orlando
> >
> >
> >
> > ____________________________________________________
> > Start your day with Yahoo! - make it your home page
> > http://www.yahoo.com/r/hs
-- 
Marco Caramma
J2EE Architect Developer
IT Security Consultant
www.etrading-colombia.com