Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Servlet Interest »

Re: Servlet Security

Mark Galbreath

2004-09-30

Replies:

Nic,

You have not convinced me that CGI is intrinsically unsecure. Granted,
servlets are a better alternative, but Apache mod-perl and php CGI with
security policies in place make CGI just as "safe."

Mark


Nic Ferrier wrote:

>Henry Reardon <henry_reardon@(protected):
>
>
>
>>We are giving some thought to putting a CGI-based Wiki, specifically
>>OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth
>>Edition)', the authors warn that "The biggest cause for concern about
>>protecting your site from external threats is CGI scripts." They go on to
>>suggest various precautions that will reduce the risk.
>>
>>This has me wondering if servlets are equally insecure or have a much
>>stronger security model. I also have Jason Hunter's 'Java Servlet
>>Programming (Second Edition)' which has a 30 page chapter on Security that
>>details how various forms of authentication take place in servlets. However,
>>I can't find any categorical statement that says servlets are actually any
>>more secure than CGI.
>>
>>I was wondering if someone with extensive experience with the security
>>aspects of both servlets and CGI can give me any sense of which is more
>>secure and why? I need this information so that we can choose the right
>>approach for our wiki.
>>
>>
>
>The issue with security of CGI scripts is that process execution is
>involved. Because of that, on Windows or Unix, it is possible to cause
>programs other than the intended one to run. That is clearly insecure.
>
>Servlets don't work like that. So yes, servlets are much more secure
>than CGIs. Java also has some interesting security features such as
>security features built into the dynamic linker (called a class loader
>in Java). These features are what makes applets possible but are
>rarely used in servlet engines (though they can be justified).
>
>Having said that, aside from these special dynamic loader features,
>other solutions are just as secure. The Apache mod_XXX (mod_python,
>mod_perl, etc...) all do very similar things to servlets and are just
>as secure.
>
>
>To conclude: CGIs are dangerous because the web server is calling an
>external program (which opens the system to various security
>problems). Servlets and other tools such as mod_perl or mod_python are
>more secure because they operate inside the web server process.
>
>
>--
>Nic Ferrier
>http://www.tapsellferrier.co.uk
>
>___________________________________________________________________________
>To unsubscribe, send email to listserv@(protected)
>of the message "signoff SERVLET-INTEREST".
>
>Archives: http://archives.java.sun.com/archives/servlet-interest.html
>Resources: http://java.sun.com/products/servlet/external-resources.html
>LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
>
>
>

___________________________________________________________________________
To unsubscribe, send email to listserv@(protected)
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
©2008 junlu.com - Jax Systems, LLC, U.S.A.