Java Mailing List Archive

http://www.junlu.com/


Re: Servlet Security

David Potts

2004-09-30


Henry Reardon wrote:

A badly written servlet is always a security risk; however, it's a damn sight
harder to write a servlet that will allow open access to your web site than
a badly written Perl script. For example:

Tricking a Perl script into executing meta characters.
Crashing an entire web server, etc.

Dave

> We are giving some thought to putting a CGI-based Wiki, specifically
> OddMuse, on a website that runs on a Linux server. In 'Using Linux
> (Fourth Edition)', the authors warn that "The biggest cause for concern
> about protecting your site from external threats is CGI scripts." They go
> on to suggest various precautions that will reduce the risk.
>
> This has me wondering if servlets are equally insecure or have a much
> stronger security model. I also have Jason Hunter's 'Java Servlet
> Programming (Second Edition)' which has a 30 page chapter on Security
> that details how various forms of authentication take place in servlets.
> However, I can't find any categorical statement that says servlets are
> actually any more secure than CGI.
>
> I was wondering if someone with extensive experience with the security
> aspects of both servlets and CGI can give me any sense of which is more
> secure and why? I need this information so that we can choose the right
> approach for our wiki.
>
> ---
> Henry
>
> ___________________________________________________________________________
>
> To unsubscribe, send email to listserv@(protected)
> body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
--
--               email       david.potts@(protected)
--               web         www.pinan.co.uk
--The opinions expressed in this article are personal and do not
--represent the views of Pinan Software.
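The "meta characters" point above, as an added illustration that is not part of either post: a CGI-era Perl script that interpolates a request parameter into a shell command string hands the whole string to /bin/sh, whereas a servlet-style handler in Java passes an argv list to ProcessBuilder and never involves a shell. The allowlist regex, the `finger` command and the sample inputs are assumptions made for this example.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: a servlet-style handler that runs an external program
 * without letting request input reach a shell. Compare with the classic
 * CGI pattern  open(F, "finger $user |")  in Perl, where the interpolated
 * string is parsed by /bin/sh and every metacharacter in $user is honoured.
 */
public class SafeCommandExample {

    // Assumption for this example: account names are short and alphanumeric.
    private static final Pattern USERNAME = Pattern.compile("^[a-z][a-z0-9_]{0,31}$");

    /**
     * Returns the argv list to execute, or null if the input is rejected.
     * Because the list form of ProcessBuilder execs the program directly,
     * ';', '|', '`' and similar characters would only ever be plain bytes
     * inside one argument; the allowlist rejects them anyway, since the
     * safe design is to validate first rather than to "escape" for a shell.
     */
    public static List<String> buildCommand(String user) {
        if (user == null || !USERNAME.matcher(user).matches()) {
            return null;
        }
        return List.of("finger", user);   // hypothetical command for the demo
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample inputs: one acceptable name, two that a shell
        // would have treated as command separators.
        for (String input : new String[] {"alice", "alice; id", "al`x`"}) {
            List<String> argv = buildCommand(input);
            System.out.println(input + " -> " + (argv == null ? "rejected" : argv));
        }
        List<String> argv = buildCommand("alice");
        try {
            // No shell in the path: "finger" receives exactly one argument.
            Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
            System.out.println("exit=" + p.waitFor());
        } catch (IOException e) {
            System.out.println("finger is not installed here: " + e.getMessage());
        }
    }
}
```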
