Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Servlet Interest »

Re: Servlet Security

Henry Reardon

2004-10-01


>From: Nic Ferrier <nferrier@(protected)>
>Reply-To: "A mailing list for discussion about Sun Microsystem's Java
>      Servlet API Technology." <SERVLET-INTEREST@(protected)>
>To: SERVLET-INTEREST@(protected)
>Subject: Re: Servlet Security
>Date: Fri, 1 Oct 2004 20:45:43 +0100
>
>Henry Reardon <henry_reardon@(protected):
>
> > Sorry, I should have qualified that: CGIs are OK *if* you take the
> > appropriate safeguards like using mod_cgi.
>
>No, that's incorrect. mod_cgi is Apache's way of running CGIs. That
>doesn't change the problems inherant in CGI.
>
>
> > Or have I got everything muddled up?
>
>Yes.  /8->
>
>
> > I have a conceptual knowledge of CGI and what it does and have done
> > a few programs using it, most of them Perl programs I wrote several
> > years back. I don't have any real experience with security for CGI
> > and only just heard of cgi_mod for the first time yesterday and
> > don't really understand it yet, except that it is an implementation
> > of CGI that is reputedly more secure than some other
> > implementations. I'm still not quite clear if mod_cgi is anywhere
> > near as secure as servlets.
>
>No, it isn't. The problem with CGI is that you are exposing the
>operating system directly into the request methodology. In simple
>terms, there is just too much code involved to be confident that it is
>secure.
>
>
> > Basically, I'm looking for an argument that a servlet-based wiki
> > will be substantially more secure than a CGI-based wiki - or vice
> > versa - so that I can make a case to the system administrator of a
> > Linux server on which way he should go. I was getting the impression
> > from the various responses I've had to my question (on this mailing
> > list and another) that both were quite satisfactory from a security
> > standpoint IF the appropriate steps were taken to tighten up
> > security.
>
>I think servlets (or PHP, or mod_perl, or mod_python) would inspire
>more confidence than CGI.
>
>But I repeat, it's about risk assessment and cost. What is the risk
>that you're wiki will be broken and what is the cost of that vs the
>cost of development using more secure technologies.
>
>
>Nic
>

Okay, thanks for the clarification. We shall weigh these remarks heavily in
our deliberations about which technology to choose.

'Henry'

_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft?
SmartScreen Technology.
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Start enjoying all the benefits of MSN? Premium right now and get the
first two months FREE*.

___________________________________________________________________________
To unsubscribe, send email to listserv@(protected)
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
©2008 junlu.com - Jax Systems, LLC, U.S.A.