Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

IIS and URLScan

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IIS and URLScan

Subject: IIS and URLScan
From: Don Lindsay <email@hidden>
Date: Thu, 1 May 2008 01:49:14 -0400

Hello;

I ran into an issue on a deployed application. IIS has a tool called URLScan, which refuses URLs that could exploit security flaws in IIS server. I have a tomcat 5 instance running a Web Objects 5.4.2 application, connecting to IIS using the JK connector. When running the application, any page that had a paginated worepetition and WODisplayGroup, if a user clicked the next button which called displayNextBatch they would get a 404 error message.

After a few hours I started checking the URLs both running directly from tomcat and IIS. The URLs were identical, but then I had a a thought that maybe URLScan was blocking the request.

Turns out this was right on the money. Some URLs generated by WebObjects have periods in them. URLScan, by default, is configured to refuse URLs that contain periods.

To fix this problem: Edit %WINDIR%\system32\inetsrv\urlscan \urlscan.ini Modify the option AllowDotInPath and set it equal to 1. Then goto the [AllowExtensions] and add .woa and .wo to the end of the listing. Save the file and restart the IIS services.

Thanks,

Don
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden



Prev by Date:
Re: Unable to release locks when using MultiECLockManager

Previous by thread:
Re: [slightly ot] Similarity Report

Index(es):

Date
Thread