Discussion:
How can I set tomcat NOT Case Sensitive
Buddy wu
2006-03-07 05:28:37 UTC
I want to know whether there is any way to set tomcat NOT CASE SENSITIVE in URL.
I mean: when I write in the browser 'http://localhost/test.html',
it equals 'http://localhost/TEST.htm'. Can I do it? Or is it just that
WINDOWS can but Linux/unix can't?
Thanks
Long
2006-03-07 06:12:59 UTC
Buddy wu wrote:
> I want to know whether there is any way to set tomcat NOT CASE SENSITIVE in URL.
> I mean: when I write in the browser 'http://localhost/test.html',
> it equals 'http://localhost/TEST.htm'. Can I do it? Or is it just that
> WINDOWS can but Linux/unix can't?

Right, url is case-insensitive under Windows because the file system
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.

Long
Buddy wu
2006-03-07 06:47:47 UTC
Post by Buddy wu
>> I want to know whether there is any way to set tomcat NOT CASE SENSITIVE in URL.
>> I mean: when I write in the browser 'http://localhost/test.html',
>> it equals 'http://localhost/TEST.htm'. Can I do it? Or is it just that
>> WINDOWS can but Linux/unix can't?
> Right, url is case-insensitive under Windows because the file system

But the FACT is that under Windows the URL is CASE-SENSITIVE, not
case-insensitive. Why?

I've tried: under Windows, test.html and TEST.html are different in
tomcat server. Is there a parameter to set?

> can't tell a difference between test.html and TEST.html. The difference
> is there under Linux/UNIX.
>
> Long
David Kerber
2006-03-07 12:35:48 UTC
<Context caseSensitive="false">
David Delbecq
2006-03-07 12:38:46 UTC
Be careful, there are security issues with this (jsp code disclosure!)!!
David Kerber
2006-03-07 12:55:27 UTC
I've seen that notice, but could you explain to me how that works? I
don't see how this could cause any security issues, except for slightly
reducing the number of attempts you would need in a brute-force hacking
attempt.

Dave
David Delbecq
2006-03-07 13:09:59 UTC
I suspect a call to /something.JSP will not go through the jsp engine.
I can also guess that the security constraints applied on /servlet
will not apply on /SERVLET.
David Kerber
2006-03-07 13:43:55 UTC
If it works that way (and I haven't tried it), then I would say that the
caseSensitive="false" flag was not working as I would expect. I would
expect that things defined for /MYNAME would work for /myname if
caseSensitive was false.

Can anybody tell me definitively how this security risk works?
David Delbecq
2006-03-07 14:03:39 UTC
Looking at the code, it seems the caseSensitive flag is used when a
resource is loaded from the filesystem (amongst others).
If caseSensitive is true, the absolute filename of the loaded resource is
compared to the requested resource (in FileDirContext). If
caseSensitive is removed, anything accepted by new File() is returned as
is. I don't know if the caseSensitive flag is used by anything else
than file loading.
David Kerber
2006-03-07 14:19:09 UTC
Would that mean that it only applies to stuff being read off the
filesystem, like .jsp's and other files? Therefore it wouldn't apply to
context paths, servlets, etc?

Thanks!
Dave
Tim Lucia
2006-03-07 14:25:05 UTC
I am sure I have seen this before on this list, and the answer I remember is
that the case sensitivity part is only for file names. Servlet mappings are
case-sensitive regardless because the spec says so.

Read this as well, although it says "all case sensitivity checks will be
disabled" it doesn't define "case sensitivity checks".

http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

Read this too

http://marc.theaimsgroup.com/?l=tomcat-user&m=114002237714355&w=2

(David Kerber started this one.)


To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
David Kerber
2006-03-07 14:34:44 UTC
Yes, that was me, and that's why I chimed in here. However, still
nobody has explained in any detail how this is a security risk other
than reducing the number of guesses you have to make to find static
resources in a brute-force hacking attempt...
Tim Lucia
2006-03-07 14:44:47 UTC
If you ask for /path/to/some.JSP, you will see the source code of the jsp,
since the jsp compiler is mapped to *.jsp (and not *.JSP).

Thus, someone can see the internal workings of your jsp and make 'better'
hacking attempts. Is there something else about security you are concerned
with?



David Kerber
2006-03-07 15:17:45 UTC
Ok, I see that, and it's kind of scary! That seems like a pretty poor
design for the compiler not to handle that kind of change.

Thanks for explaining...
Dave
David Delbecq
2006-03-07 15:47:55 UTC
The compiler does exactly what its job is: compiling *.jsp, not *.Jsp,
not *.jSp or the like, following the specs. The caseSensitive flag is there
only to deactivate Tomcat's internal checks on case-sensitive filesystems
(where this check just takes CPU time with no need).
---------------------------------------------------------------------
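The behaviour explained in the replies above, as an added model (not Tomcat's code and not part of any poster's message): servlet mappings are matched case-sensitively, a case-insensitive file system resolves any spelling, and the caseSensitive check is what rejects the mismatch before the static file servlet answers. All class, function and file names and the sample content are constructed for illustration.

```python
"""Toy model of the request handling discussed in this thread (not Tomcat code)."""
from fnmatch import fnmatchcase


class CaseInsensitiveFS:
    """Stand-in for a Windows-style file system: lookups ignore case,
    but every file remembers the exact name it was stored under."""

    def __init__(self, files):
        self._files = {name.lower(): (name, body) for name, body in files.items()}

    def open(self, path):
        """Return (stored_name, content), or None if no spelling matches."""
        return self._files.get(path.lower())


# Constructed sample webapp content.
WEBAPP = CaseInsensitiveFS({
    "/index.jsp": '<% String pw = "constructed-secret"; %><html>hello</html>',
    "/test.html": "<html>static</html>",
})

# Servlet mappings are compared case-sensitively, as the servlet spec requires.
SERVLET_MAPPINGS = [("*.jsp", "jsp-engine")]


def map_servlet(path):
    """Pick the servlet for a request path; unmatched paths go to the static servlet."""
    for pattern, servlet in SERVLET_MAPPINGS:
        if fnmatchcase(path, pattern):
            return servlet
    return "default"


def handle(path, fs, case_sensitive=True):
    """Return (status, servlet, body) for one request.

    case_sensitive models the Context attribute: when True, the stored file
    name must equal the requested name exactly, otherwise the request is a 404.
    """
    servlet = map_servlet(path)
    hit = fs.open(path)
    if hit is None:
        return (404, servlet, "")
    stored_name, body = hit
    if servlet == "jsp-engine":
        # The JSP engine executes the page; the source never leaves the server.
        return (200, servlet, "<rendered output>")
    if case_sensitive and stored_name != path:
        # The check the flag switches off: requested spelling != real file name.
        return (404, servlet, "")
    return (200, servlet, body)


def leaked_sources(paths, fs, case_sensitive):
    """List request paths where the static servlet returned a file that a
    servlet mapping owns under its real name (i.e. raw source was served)."""
    leaks = []
    for path in paths:
        status, servlet, _ = handle(path, fs, case_sensitive)
        hit = fs.open(path)
        if (status == 200 and servlet == "default"
                and hit is not None and map_servlet(hit[0]) != "default"):
            leaks.append(path)
    return leaks
```

Running `leaked_sources` over a list of request paths with `case_sensitive=False` and again with `True` shows which spellings the check would have rejected.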
Vikram Godse
2006-03-07 13:14:58 UTC
Hi,
I am running Apache Tomcat/5.5.12 with JVM 1.5.0-b64. My O/S is RHEL4.0
ES. My hardware configuration is as follows:
Intel Xeon 3.0GHz Dual CPU
RAM 4GB
I am running a JSP and Servlets based application with connectivity
to MySQL 5 for database access.
I am facing a problem: when my user sessions (in tomcat) go beyond 1000,
the tomcat server stops serving requests and just displays a blank
page. What I have observed is that, though there are only 150 users
actually accessing the website, the number of sessions is at least
800-900.
Can anybody tell me where the problem lies? I have been trying a lot
but no solution yet.
Thanks & Regards,
Vikram
--
Try not do or do not, there is no try !
Buddy wu
2006-03-08 02:54:03 UTC
Post by David Kerber
<Context caseSensitive="false">
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't kown
which is wright, or all are write) case-insensitive. I don't care the
case-sensitive feature in jsp or servlet file can work( maybe it MUST
case-sensitive, because of java language, but I don't care about
these. I just need URL is CASE-INSENSITIVE, And it will be ok to me)

and the security problem that someone has said, I think it may not be
so important. If a hacker wants to detect your site, I think he will
test all possible JSP Jsp jSP and others.

but thanks again ,everyone
Post by David Kerber
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
David Delbecq
2006-03-08 09:51:09 UTC
Permalink
Post by Buddy wu
Post by David Kerber
<Context caseSensitive="false">
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't kown
which is wright, or all are write) case-insensitive. I don't care the
case-sensitive feature in jsp or servlet file can work( maybe it MUST
case-sensitive, because of java language, but I don't care about
these. I just need URL is CASE-INSENSITIVE, And it will be ok to me)
This only applies to resource url, not servlet url, neither filters,
nor security-constraint.
Post by Buddy wu
and the security problem that someone has said, I think it may not be
so important. If a hacker want to detect your site, I think he will
test all posibles JSP Jsp jSP and others.
That's not where security problem lies:
Let's assume your public site is at
http://<yourserver>/<yourwebapp>/index.jsp
if case sensitivity is deactivated and you are using a case sensitive
filesystem (like the microsoft ones), accessing
http://<yourserver>/<yourwebapp>/index.jsP will point to same filesystem
resource, but with one exception, it will not be handled by jsp engine
and requester will simply get the jsp source instead of generated html
(a jsp source could contain potentially critical information like
database connection information)

More dangerous, suppose your application has an admin interface located at
http://<yourserver>/<yourwebapp>/admin/
with a security-constraint in web.xml mapped to 'admin/*', any anonymous
user can have his browser point at 'AdMiN/' and will have access to
admin interface without authentication, bypassing securities!

Of course it's not a problem if you don't have jsps, neither servlets,
nor security constraints, that is, if you are serving static content. But
then, why use tomcat?
Post by Buddy wu
but thanks again ,everyone
Post by David Kerber
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
Hadraba Petr
2006-03-08 10:48:23 UTC
Permalink
Sorry,
for my posting, but
Post by David Delbecq
Post by Buddy wu
Post by David Kerber
<Context caseSensitive="false">
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't kown
which is wright, or all are write) case-insensitive. I don't care the
case-sensitive feature in jsp or servlet file can work( maybe it MUST
case-sensitive, because of java language, but I don't care about
these. I just need URL is CASE-INSENSITIVE, And it will be ok to me)
This only applies to resource url, not servlet url, neither filters,
nor security-constraint.
Post by Buddy wu
and the security problem that someone has said, I think it may not be
so important. If a hacker want to detect your site, I think he will
test all posibles JSP Jsp jSP and others.
Let's assume your public site is at
http://<yourserver>/<yourwebapp>/index.jsp
if case sensitivity is deactivated and you are using a case sensitive
filesystem (like the microsoft ones), accessing
NTFS, FAT -- maybe they are case sensitive, but the filesystem layer
is not. Try to create two files in one directory; one named a.txt and the
second A.txt. The billboard occurs! On Unix systems this is possible
-- Makefile is not makefile ;-)
Post by David Delbecq
http://<yourserver>/<yourwebapp>/index.jsP will point to same filesystem
resource, but with one exception, it will not be handled by jsp engine
and requester will simply get the jsp source instead of generated html
(a jsp source could contain potentially critical information like
database connection information)
More dangerous, suppose your application has an admin interface located at
http://<yourserver>/<yourwebapp>/admin/
with a security-constraint in web.xml mapped to 'admin/*', any anonymous
user can have his browser point at 'AdMiN/' and will have access to
admin interface without authentication, bypassing securities!
Of course it's not a problem if you don't have jsps, neither servlets,
nor security constraints, that is, if you are serving static content. But
then, why use tomcat?
Post by Buddy wu
but thanks again ,everyone
Post by David Kerber
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
David Delbecq
2006-03-08 12:36:51 UTC
Permalink
Post by Hadraba Petr
Sorry,
for my posting, but
Post by David Delbecq
Let's assume your public site is at
http://<yourserver>/<yourwebapp>/index.jsp
if case sensitivity is deactivated and you are using a case sensitive
filesystem (like the microsoft ones), accessing
NTFS, FAT -- maybe they are case sensitive, but the filesystem layer
is not. Try to create two files in one directory; one named a.txt and the
second A.txt. The billboard occurs! On Unix systems this is possible
-- Makefile is not makefile ;-)
Sorry for mistake, please read "a case insensitive filesystem" in my
previous mail (2 letters were stuck in keyboard).
Buddy wu
2006-03-09 01:33:32 UTC
Permalink
Post by David Delbecq
This only applies to resource url, not servlet url, neither filters,
nor security-constraint.
that's what I want to confirm.
Post by David Delbecq
Post by Buddy wu
and the security problem that someone has said, I think it may not be
so important. If a hacker want to detect your site, I think he will
test all posibles JSP Jsp jSP and others.
Let's assume your public site is at
http://<yourserver>/<yourwebapp>/index.jsp
if case sensitivity is deactivated and you are using a case sensitive
filesystem (like the microsoft ones), accessing
http://<yourserver>/<yourwebapp>/index.jsP will point to same filesystem
resource, but with one exception, it will not be handled by jsp engine
and requester will simply get the jsp source instead of generated html
(a jsp source could contain potentially critical information like
database connection information)
oh, you mean that someone can get my SOURCE jsp file instead of a
generated html file? right? I think it is a security problem, thanks, I
didn't realize it before
Post by David Delbecq
More dangerous, suppose your application has an admin interface located at
http://<yourserver>/<yourwebapp>/admin/
with a security-constraint in web.xml mapped to 'admin/*', any anonymous
user can have his browser point at 'AdMiN/' and will have access to
admin interface without authentication, bypassing securities!
really? and why can it bypass the securities? only because it can't be
handled by jsp engine? then if it can't be handled by jsp engine, how can
one use the admin tools under 'admin/*'? can you explain in more detail? thanks
Post by David Delbecq
Of course it's not a problem if you don't have jsps, neither servlets,
nor security constraints, that is, if you are serving static content. But
then, why use tomcat?
I use this to set ArcIMS service, and I write in servlet or I use
tomcat as a servlet engine. And I don't want to combine tomcat with
apache or IIS to serve static html and servlet separately. but in
some ArcIMS pages, the link addresses they write (some htm page or
generated html file) are in small letters (described right?) like
"install/install.htm" but the real file path is not in small letters, it's
"Install/Install.htm", so I can't only use tomcat to serve it

I don't know whether what I am doing will be harmful to my service. Is there
anybody who can help explain it to me?
David Kerber
2006-03-08 12:30:49 UTC
Permalink
You're welcome. That tradeoff between security and usability is a
decision only you and your users can make, but I like to have the option
to make that tradeoff if necessary.

Dave
Post by Buddy wu
Post by David Kerber
<Context caseSensitive="false">
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't kown
which is wright, or all are write) case-insensitive. I don't care the
case-sensitive feature in jsp or servlet file can work( maybe it MUST
case-sensitive, because of java language, but I don't care about
these. I just need URL is CASE-INSENSITIVE, And it will be ok to me)
and the security problem that someone has said, I think it may not be
so important. If a hacker want to detect your site, I think he will
test all posibles JSP Jsp jSP and others.
but thanks again ,everyone
Post by David Kerber
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
Buddy wu
2006-03-09 01:36:43 UTC
Permalink
Post by David Kerber
You're welcome. That tradeoff between security and usability is a
decision only you and your users can make, but I like to have the option
to make that tradeoff if necessary.
Dave
Thanks Dave! I said that yesterday only to describe what I want to
do, maybe there are some mistakes in what I said. so if there are, I
really want to know. Thanks again
Post by David Kerber
Post by Buddy wu
Post by David Kerber
<Context caseSensitive="false">
thanks a lot. it worked.
and I think someone discussed other problem of these question maybe
right. but my goal is only to let tomcat's URL or URI (I don't kown
which is wright, or all are write) case-insensitive. I don't care the
case-sensitive feature in jsp or servlet file can work( maybe it MUST
case-sensitive, because of java language, but I don't care about
these. I just need URL is CASE-INSENSITIVE, And it will be ok to me)
and the security problem that someone has said, I think it may not be
so important. If a hacker want to detect your site, I think he will
test all posibles JSP Jsp jSP and others.
but thanks again ,everyone
Post by David Kerber
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
David Smith
2006-03-07 12:34:11 UTC
Permalink
I believe the case sensitivity is per spec and there aren't any settings
to change it.

One possibility (this is untested) is to wrap the request in your own
request wrapper and then override the methods that provide different
components of the request URI to normalize case. Use a request filter
to instantiate the wrapper and pass it on.

--David
Post by Buddy wu
Post by Buddy wu
I wan't to know there is any way to set tomcat NOT CASE SENSITIVE in URL
I mean: when I write in browser's 'http://localhost/test.html'
equals to 'http://localhost/TEST.htm'. Can I do it ? or just in
WINDOWS can but Linux/unix can't?
Right, url is case-insensitive under Windows because the file system
But, the FACT is that under Windows the URL is CASW-SENSITIVE, not
case-insecsitive , why?
I've tried, under Windows, test.html and TEST.html is diffrent in
tomcat server. Is there a parameter to set??
Post by Buddy wu
can't tell a difference between test.html and TEST.html. The difference
is there under Linux/UNIX.
Long
Caldarale, Charles R
2006-03-07 13:23:58 UTC
Permalink
Vikram Godse
Subject: Re: How can I set tomcat NOT Case Sensitive
Can anybody tell me where the problem lies?
The problem lies in hijacking someone else's mailing list thread. Start
your own if you have a new issue to discuss.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
Vikram Godse
2006-03-07 18:23:33 UTC
Permalink
Hi,
Sorry for the incorrect posting...
Regards,
VIkram
Post by Caldarale, Charles R
Vikram Godse
Subject: Re: How can I set tomcat NOT Case Sensitive
Can anybody tell me where the problem lies?
The problem lies in hijacking someone else's mailing list thread. Start
your own if you have a new issue to discuss.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
--
Try not do or do not, there is no try !
Peter Crowther
2006-03-07 14:47:58 UTC
Permalink
Post by Tim Lucia
If you ask for /path/to/some.JSP, you will see the source
code of the jsp,
since the jsp compiler is mapped to *.jsp (and not *.JSP).
Presumably [I haven't tested this] detection of accesses to WEB-INF and
META-INF will also fail, exposing the webapp's configuration files to
scrutiny. These can include database connection details, passwords, and
similar, even if those are not present in the JSPs.

- Peter
Peter Crowther
2006-03-07 15:47:39 UTC
Permalink
Post by David Kerber
Ok, I see that, and it's kind of scary! That seems like a
pretty poor
design for the compiler not to handle that kind of change.
It ain't the compiler - the JSP compiler never gets invoked because the
mapping is case-sensitive, and the mapping is case-sensitive because the
servlet spec states that it is - and as Tomcat is the reference
implementation of the servlet spec, it adheres to the spec even where
the spec is poor. You could get round the problem by putting multiple
mappings into web.xml, so that jsp, JSP, Jsp, jSp and all the other
permutations get mapped to the compiler.

- Peter
David Kerber
2006-03-07 15:53:17 UTC
Permalink
Post by Peter Crowther
Post by David Kerber
Ok, I see that, and it's kind of scary! That seems like a
pretty poor
design for the compiler not to handle that kind of change.
It ain't the compiler - the JSP compiler never gets invoked because the
mapping is case-sensitive, and the mapping is case-sensitive because the
servlet spec states that it is - and as Tomcat is the reference
implementation of the servlet spec, it adheres to the spec even where
the spec is poor.
Good point. Thanks for the discussion.

Dave
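The mismatch David Delbecq and Peter Crowther describe above, as an added example that is not part of the original thread and not Tomcat's code: a small Python model in which the `*.jsp` mapping and the security constraint compare the request path exactly, while the resource lookup ignores case when `caseSensitive="false"`. The file names, the `/admin/*` pattern and all function names are constructed for illustration.

```python
"""Simplified model of the behaviour described in the thread (constructed).

Servlet mappings and security constraints compare the request path
case-sensitively; with caseSensitive="false" the resource lookup does not.
"""

# Constructed webapp contents (on-disk names) and web.xml-style patterns.
FILES = {"/index.jsp", "/admin/users.jsp", "/Install/Install.htm"}
JSP_EXTENSION = ".jsp"        # extension mapping *.jsp -> JSP servlet
PROTECTED_PREFIX = "/admin/"  # security-constraint url-pattern /admin/*


def lookup(path, case_sensitive):
    """Return the on-disk name that would serve this path, or None."""
    if case_sensitive:
        return path if path in FILES else None
    folded = {name.lower(): name for name in FILES}
    return folded.get(path.lower())


def resolve(path, case_sensitive=True):
    """Pick handler and constraint by exact comparison, then find the file."""
    return {
        "resource": lookup(path, case_sensitive),
        "handler": "jsp" if path.endswith(JSP_EXTENSION) else "default",
        "auth_required": path.startswith(PROTECTED_PREFIX),
    }


def findings(path, case_sensitive):
    """List the ways a request slips past a mapping or a constraint."""
    r = resolve(path, case_sensitive)
    if r["resource"] is None:
        return []  # nothing is served, so nothing is exposed
    out = []
    # The file is a JSP but the request did not match the *.jsp mapping.
    if r["handler"] == "default" and r["resource"].endswith(JSP_EXTENSION):
        out.append("jsp-source-served")
    # The file lives under the protected prefix but the request did not match it.
    if not r["auth_required"] and r["resource"].startswith(PROTECTED_PREFIX):
        out.append("constraint-skipped")
    return out


if __name__ == "__main__":
    for p in ("/index.jsP", "/AdMiN/users.jsp", "/install/install.htm"):
        for cs in (True, False):
            print(f"{p:24} caseSensitive={cs!s:5} -> {findings(p, cs) or 'ok'}")
```

The `/install/install.htm` row is the original poster's use case: the lookup succeeds with no finding, which is why the setting is only safe for content that no mapping or constraint is meant to cover.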