Hello,

From my JSP, I need to establish a telnet session to my server to enable users to execute applications from the Unix shell. We have a user ID and password for these users. My question is: what are the security issues in this design? How can I handle this, if possible, so that my users have access to only their directories?

Thanks,
RHP
Marty Hall
"From my JSP, I need to establish a telnet session to my server to enable users to execute applications from the Unix shell."

I'm confused by what you mean by "from my JSP." Do you mean "from the JSP (really servlet) as it executes"? If so, you are already running on the server. Or do you mean "from the browser"? If so, I don't see what JSP has to do with this: JSP doesn't run in the browser and doesn't affect the kind of content that can. Can you clarify what you mean, please?

Cheers,
- Marty

Java training and consulting
http://www.coreservlets.com/
Priya Raj
Hello Marty,

I mean from the browser. I used "JSP" since I was handling login functions in the JSP. To rephrase the question, what would be the security issues when allowing a user to "telnet" to the webserver from the browser? I am trying to do this with an available telnet applet, "JTA". Is this a good practice at all? I know I have not seen browsers allowing users to telnet to any servers, but I wanted to know what the security issues are before ruling this out completely.

Thanks,
RHP
Actually, I think what you mean is you're trying to run a telnet session via a web browser.

Telnet security from client to server is low. UserID and password are not encrypted. However, if you're having the user type stuff into an input control in an HTML page (or an equivalent structure in an applet), then the back-end security isn't so important. Instead, what's important is the ability to secure the actual web page that the end user's going to be using.

Telnet, BTW, isn't all that well suited for use over HTTP. It's not totally synchronous, and even in cases where it is, the response time for a telnetted app may exceed the browser's timeout limit, which could potentially lead to all sorts of confusion.
One of the most odious afflictions that Business has inflicted on the modern English language is "pro-active". Most of the time it's simply redundantly used in place of the simple old word "active". And a good deal of the rest of the time it means "You're not overworked enough yet, so go out and find more!"
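To illustrate the point in the reply above that Telnet does not encrypt the user ID and password, here is an added example (not part of the original thread) that strips Telnet option negotiation from a client-to-server byte stream and returns what is left. The sample bytes, user name and password are constructed for illustration.

```python
# Added example: Telnet (RFC 854) carries user input as plain bytes; only the
# IAC option-negotiation sequences need removing before the text is readable.
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

def telnet_payload(stream: bytes) -> bytes:
    """Return the user data in a Telnet byte stream, negotiation removed."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            out.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                      # truncated command at end of data
            break
        cmd = stream[i + 1]
        if cmd == IAC:                      # IAC IAC = literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                          # IAC <verb> <option>
        elif cmd == SB:                     # subnegotiation ends at IAC SE
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1   # skip escaped IAC pairs
            if j + 1 >= n:                  # no terminator: truncated capture
                break
            i = j + 2
        else:
            i += 2                          # other two-byte commands (NOP, GA, ...)
    return bytes(out)

def client_lines(stream: bytes) -> list:
    """Split the recovered payload into the lines the user typed."""
    data = telnet_payload(stream).replace(b"\x00", b"")   # CR NUL -> CR
    return [l.decode("latin-1") for l in data.splitlines() if l]

# Constructed client-to-server bytes: terminal-type negotiation, then a login.
SAMPLE = (bytes([IAC, WILL, 24]) + bytes([IAC, SB, 24, 0]) + b"xterm"
          + bytes([IAC, SE]) + b"alice\r\n" + b"example-password\r\x00")

if __name__ == "__main__":
    for line in client_lines(SAMPLE):
        print(repr(line))
```

Anything on the network path between the applet and the server sees the same bytes, which is why an encrypted transport is the usual requirement for remote shell access.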
Priya Raj
Thanks for all the clarifications.
subject: Suggestions on security issues when using telnet