O'Reilly logo

Java Servlet Programming by Jason Hunter

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Running Servlets Securely

CGI programs and C++-based plug-ins operate with relatively unfettered access to the server machine on which they execute (limited on Unix machines by the user account permissions of the web server process). This isn’t so bad for an isolated programmer developing for a single web server, but it’s a security nightmare for internet service providers (ISPs), corporations, schools, and everyone else running shared web servers.

For these sites, the problem isn’t just protecting the server from malicious CGI programmers. The more troublesome problem is protecting from careless CGI programmers. There are dozens of well-known CGI programming mistakes that could let a malicious client gain unauthorized access to the server machine. One innocuous-looking but poorly written Perl eval function is all it takes. For an extensive list of CGI security gotchas, see Chapter 6 of The WWW Security FAQ at http://www.w3.org/Security/Faq/www-security-faq.html.

To better understand the situation, imagine you’re an ISP and want to give your customers the ability to generate dynamic content using CGI programs. What can you do to protect yourself? Historically, ISPs have chosen one of three options:

Have blind faith in the customer.

He’s a good guy and a smart programmer, and besides, we have his credit card number.

Educate the customer.

If he reads the WWW Security FAQ and passes a written test, we’ll let him write CGI programs for our server.

Review all code.

Before we install ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required