Mailing Lists: Apple Mailing Lists


Re: IIS & WebObjects



Lotsa Cabo wrote:
> Any issues with IIS and WebObjects running on the same box?  Any 
> special considerations?  Why is the sky blue?  Do I need Apache?  
> Should I send this now?

We've deployed on Windows 2K Server with IIS & WO (4.5 & 5) and whilst I 
wouldn't recommend it if you don't *have* to do it, it shouldn't cause you any 
particular problems.

But ... you knew there had to be a 'but' didn't you ... be aware that IIS is 
the target of a lot of the more serious Windows attacks, so you'd be wise to 
run the IISLockDown (I think that's the right name) patch from Microsoft. And 
there's a gotcha with that too. See my attached email of my previous comments 
on this subject.

Best of luck!

-- 
Regards
Dr Ben Ketteridge
Team Leader
Ext. 228
email@hidden

ProAct International Ltd
P.O Box 100
Denbigh
LL16 5BQ
Tel: +44 (0) 1745 816315
Fax +44 (0) 1745 815096
Web site: www.proact.net
email@hidden

Message-ID: <email@hidden>
Date: Wed, 07 Apr 2004 09:23:16 +0100
From: Ben Ketteridge <email@hidden>
Reply-To: email@hidden
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.6)
  Gecko/20040113
X-Accept-Language: en
MIME-Version: 1.0
To: WebObjects Developers <email@hidden>
Subject: Deploying under IIS with IIS Security Lockdown
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

A tale of woa... with a happy ending.

I've just spent a full day trying to find out why a piece of JavaScript wasn't 
working on a deployed system. Aside from the obvious statement that deploying 
under Win2K and IIS is a sub-optimal way to do things (not my decision), we've 
discovered a nasty gotcha if you do decide to do it that way.

Microsoft provides a tool known as the IIS Lockdown tool - basically it 
removes some of the more obvious security holes in the default configuration 
of IIS, and adds a URLScan filter to the system. All hunky-dory so far.

However, we have some pages in our application that use a JavaScript to open a 
new window for an Advanced Search function. This requires a JavaScript tag in 
the HTML Body, which loads the script from a central location 
('/WebObjects/App.woa/Contents/WebServerResources/scripts.js'). This works 
just great all over our company (inside our Intranet); now that it's been 
deployed on a fully secured IIS, suddenly it's stopped working. Huh?

The client's browser settings are fine. The file is in the right place, with 
no typos in the directory path. The locale of the client PCs may be unusual, 
but no other aspect of our HTML/JavaScript (when used directly in the page, 
rather than by file reference) is having problems.

A colleague and I finally tracked it down to a single configuration option on 
this URLScan filter. Its .ini file is in /Winnt/System32/inetsvr/urlscan for 
anyone who's interested - and it contains a line (about line 8, from memory) 
that says

AllowDotInPathName = 0

which causes the URLScan logfiles to be filled with comments about denying 
requests for '/WebObjects/App.woa/Contents/WebServerResources/scripts.js'. The 
'App.woa' clause is the guilty party.

So we've switched URLScan to allow dots in the path... and everything's fine 
once more. After much hair pulling & agonising about stupid f***ing IIS. ;)

The moral of this story is, of course, don't deploy on Win2K and IIS, but 
then, them's the breaks when 'business decisions' have to lead the way.

-- 
Kind Regards
Ben.
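
A pre-deployment check for the gotcha described in the message above, as an added example that is not part of the original post: it lists which of an application's URLs a dot-in-path rule would reject, and which path segments carry the dots. It assumes the rule can be modelled as "reject any request whose decoded path contains more than one dot"; the function names and all sample URLs except the scripts.js path are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

def decoded_path(url):
    """Path component with percent-escapes decoded, so %2E counts as a dot."""
    return unquote(urlsplit(url).path)

def dotted_segments(url):
    """Path segments that contain at least one dot."""
    return [seg for seg in decoded_path(url).split("/") if "." in seg]

def blocked_when_dots_disallowed(url):
    """Assumed model of the rule: reject a path with more than one dot."""
    return decoded_path(url).count(".") > 1

def audit(urls):
    """Return (url, verdict, dotted segments) for each URL the app serves."""
    report = []
    for url in urls:
        verdict = "REJECT" if blocked_when_dots_disallowed(url) else "allow"
        report.append((url, verdict, dotted_segments(url)))
    return report

# First path is the one quoted in the message; the rest are constructed samples.
SAMPLE_URLS = [
    "/WebObjects/App.woa/Contents/WebServerResources/scripts.js",
    "/WebObjects/App.woa",
    "/index.html",
    "/WebObjects/App%2Ewoa/wa/search.html",
]

if __name__ == "__main__":
    for url, verdict, segments in audit(SAMPLE_URLS):
        print(f"{verdict:6}  {url}  dotted={segments}")
```

Running it over the full list of static resource URLs an application references, before the filter is enabled, shows which requests will start failing and why.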