sadfasdfasdfasdfas

2016-04-19 Thread l...@bsoft.com.cn
dfasdfasdfasdfasdfasdfasdf



-
力瓦依丁・库尔班
Mobile:18130819208
qq:895791034
WeChat:lee_vayi
Email:l...@bsoft.com.cn
Company:Bsoft software Company


Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread l...@bsoft.com.cn
Hi, nice to meet you.



l...@bsoft.com.cn
 
From: Paul Klinkenberg
Date: 2015-04-29 21:54
To: users@tomcat.apache.org
Subject: Finding the Apache httpd IP address when AJP is used
Hi Tomcat users!
 
I have been working on an update for a Tomcat valve called mod_cfml. The 
project aims to provide automatic web context creation in Tomcat, when coming 
from a frontend webserver.
The live code base can be found at https://github.com/utdream/mod_cfml
 
One of the features I wanted to add, is adding an IP restriction in the valve 
(see github 
<https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6>).
 
While testing, I noticed that AJP works very well: it hides the IP address of 
the caller, which is the front-end Apache webserver, and instead returns the IP 
of the remote client / the client who called the frontend webserver.
I have been digging around quite a lot, but have not been able to find the 
Apache httpd IP address :-(
 
My question is hopefully simple to answer: can I retrieve the IP address which 
called the AJP connector, from within the valve?
 
My server.xml is:

Thanks in advance for your time!
 
Kind regards,
 
Paul Klinkenberg
The Netherlands
 
p.s. I asked this question, in other wording, on SackOverflow.com 
<http://sackoverflow.com/> as well. I hope I have better luck here ;-)
http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
 


Re: Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread l...@bsoft.com.cn
> Paul Klinkenberg wrote:
>> Hi Tomcat users!
>> I have been working on an update for a Tomcat valve called mod_cfml. The 
>> project aims to provide automatic web context creation in Tomcat, when 
>> coming from a frontend webserver.
>> The live code base can be found at https://github.com/utdream/mod_cfml 
>> 
>> One of the features I wanted to add, is adding an IP restriction in the 
>> valve (see github 
>> ).
>>  While testing, I noticed that AJP works very well: it hides the IP address 
>> of the caller, which is the front-end Apache webserver, and instead returns 
>> the IP of the remote client / the client who called the frontend webserver.
>> I have been digging around quite a lot, but have not been able to find the 
>> Apache httpd IP address :-(
>> My question is hopefully simple to answer: can I retrieve the IP address 
>> which called the AJP connector, from within the valve?
>> My server.xml is:
>> 
>>  
>>  > SSLEngine="on" />
>>  > className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>>  > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>  > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>>  
>>>  type="org.apache.catalina.UserDatabase"
>>  description="User database that can be updated and saved"
>>  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>  pathname="conf/tomcat-users.xml" />
>>  
>>  
>>>   connectionTimeout="2"
>>   redirectPort="8443" />
>>
>>
>>  
>>>   resourceName="UserDatabase"/>
>>  
>>  > autoDeploy="true">
>>>className="mod_cfml.core"
>>loggingEnabled="true"
>>waitForContext="10"
>>maxContexts=""
>>timeBetweenContexts="0"
>>scanClassPaths="false"
>>allowedIPs="127.0.0.1,192.168.1.52" />
>>  
>>
>>  
>> 
>> Thanks in advance for your time!
>> Kind regards,
>> Paul Klinkenberg
>> The Netherlands
>> p.s. I asked this question, in other wording, on SackOverflow.com 
>>  as well. I hope I have better luck here ;-)
>> http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
>>  
>> 
> Hi.
> With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
> - set an additional HTTP request header at the Apache httpd level, before the 
> request is proxied to the back-end Tomcat
> - set a "JkEnvVar" value at the at the Apache httpd level, before the request 
> is proxied to Tomcat
> You can then retrieve these set values at the Tomcat level, either by parsing 
> the request headers, or by retrieving a "request attribute" corresponding to 
> the JkEnvVar.
> The JkEnvVar/attribute method is probably more efficient in a mod_jk context; 
> the HTTP header solution is more portable, since it does not depend on 
> specifically mod_jk being used as a connector.
> 
> Presumably, when at the Apache httpd level you decide to proxy a request to a 
> back-end Tomcat, you know through which interface you'll do it, and what its 
> IP address is, and you can put it into one of the things above.
> 
> Is that enough info to get you started ?
> 
> Caveat : one part I am not quite sure of, is what things you do have easy 
> access to, at the level of a Valve.  The above is what you'd do at a webapp 
> level, I hope it is also accessible at your Valve level.
> 

Hi André,

Thanks for the response, much appreciated.
The reason I want to add the IP restriction in the valve, is to make 100% sure 
that the request (for creating a new Tomcat context) is indeed coming from the 
frontend webserver. This valve is a setup not just for me, where I could tweak 
server settings and such, but for anyone who uses the mod_cfml connector. It is 
installed by default by the Railo/Lucee installers (getrailo.org 
 / lucee.org )

Therefore, I cannot rely on an incoming header, as it could originate from 
anywhere.
Also, a remote system could call the AJP endpoint on the Tomcat server, with 
this JkEnvVar set to a spoofed value (if the port is not firewalled, of course).
So the problem with both options is that they cannot be fully trusted.

If I am able to find out where the AJP request came from, then I can validate 
the caller.

Maybe you know which path to follow to get to the AJP request data?

Thanks,

Paul Klinkenberg

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail
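The spoofing Paul describes is a property of the AJP protocol itself: in an AJP13 Forward Request the client address and every request attribute (a JkEnvVar arrives as a req_attribute) are ordinary fields written by whoever opened the TCP connection. The following is an added example, not code from the thread, from mod_cfml or from Tomcat: a minimal encoder and decoder for that packet, a naive allowedIPs check of the kind a valve would do on getRemoteAddr() or on a request attribute, and a constructed packet from a host other than httpd that passes it. The attribute name FRONTEND_IP, the addresses and the hostname are made up for the illustration.

```python
"""AJP13 Forward Request encoder/decoder (constructed example).

Shows that remote_addr and request attributes are chosen by the AJP
client, so a valve cannot use them to recognise the front-end httpd.
"""
import struct

# AJP13 wire constants (from the AJPv13 protocol reference)
AJP_CLIENT_MAGIC = b"\x12\x34"      # header of every client -> container packet
JK_AJP13_FORWARD_REQUEST = 2        # prefix code of a Forward Request
SC_REQ_ATTRIBUTE = 0x0A             # generic "req_attribute": name + value pair
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {code: name for name, code in METHODS.items()}


def _string(s):
    """AJP string: 2-byte length, bytes, NUL; a null string is just 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode(), pos + n + 1   # +1 skips the NUL


def build_forward_request(method, uri, remote_addr, server_name="localhost",
                          server_port=80, is_ssl=False, headers=None, attributes=None):
    """Encode one Forward Request exactly as any AJP client (mod_jk or not) would."""
    headers = headers or {}
    attributes = attributes or {}
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHODS[method]])
    body += _string("HTTP/1.1") + _string(uri)
    body += _string(remote_addr)          # becomes request.getRemoteAddr() in Tomcat
    body += _string(None)                 # remote_host (null: no reverse lookup)
    body += _string(server_name) + struct.pack(">H", server_port)
    body += b"\x01" if is_ssl else b"\x00"
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():   # literal names; mod_jk also uses 0xA0xx codes
        body += _string(name) + _string(value)
    for name, value in attributes.items():  # this is where a JkEnvVar ends up
        body += bytes([SC_REQ_ATTRIBUTE]) + _string(name) + _string(value)
    body += b"\xff"                       # end-of-attributes terminator
    return AJP_CLIENT_MAGIC + struct.pack(">H", len(body)) + body


def parse_forward_request(packet):
    """Decode a Forward Request the way the container side does (literal header names only)."""
    if packet[:2] != AJP_CLIENT_MAGIC:
        raise ValueError("not an AJP client packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("truncated packet or not a Forward Request")
    req = {"method": METHOD_NAMES[body[1]]}
    pos = 2
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _read_string(body, pos)
    (req["server_port"],) = struct.unpack_from(">H", body, pos)
    pos += 2
    req["is_ssl"] = body[pos] == 1
    pos += 1
    (num_headers,) = struct.unpack_from(">H", body, pos)
    pos += 2
    req["headers"] = {}
    for _ in range(num_headers):
        name, pos = _read_string(body, pos)
        value, pos = _read_string(body, pos)
        req["headers"][name] = value
    req["attributes"] = {}
    while body[pos] != 0xFF:
        code = body[pos]
        pos += 1
        if code != SC_REQ_ATTRIBUTE:
            raise ValueError("attribute code 0x%02x not handled by this decoder" % code)
        name, pos = _read_string(body, pos)
        value, pos = _read_string(body, pos)
        req["attributes"][name] = value
    return req


def naive_valve_check(req, allowed_ips):
    """What an allowedIPs check on getRemoteAddr() or on a JkEnvVar attribute amounts to."""
    return (req["remote_addr"] in allowed_ips
            or req["attributes"].get("FRONTEND_IP") in allowed_ips)


def spoofed_request_demo():
    """Constructed packet from a host that is NOT the front-end webserver."""
    pkt = build_forward_request(
        "GET", "/", remote_addr="192.168.1.52",          # an allowed IP, chosen by the caller
        headers={"host": "app.example.test"},
        attributes={"FRONTEND_IP": "192.168.1.52"})      # spoofed "JkEnvVar" (hypothetical name)
    req = parse_forward_request(pkt)
    return req, naive_valve_check(req, {"127.0.0.1", "192.168.1.52"})


if __name__ == "__main__":
    req, passed = spoofed_request_demo()
    print(req["remote_addr"], req["attributes"], "naive check passed:", passed)
```

Nothing inside the packet identifies the sending host, so a valve that wants the httpd address has to read the TCP peer address of the AJP socket, which the protocol does not carry in the request. The practical control is the one Paul hints at: bind the AJP connector to an interface only httpd can reach (the connector's address attribute) or firewall the port, and, on Tomcat versions that support it, require a shared secret on the AJP connector.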

Re: RE: Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve

2015-05-19 Thread l...@bsoft.com.cn
Good question. lol



l...@bsoft.com.cn
 
From: Kim Ming Yap
Date: 2015-05-19 06:23
To: Tomcat Users List
Subject: RE: Tomcat valve JAAS : form error page displayed first before 
response reaches back to Tomcat valve
I think Tomcat should provide interfaces for different scenarios .. that's my 
opinion.
So coming back to my web form-based authentication problem, is there a solution 
to it?
 
I still want to solve my problem.
Please advise. Thanks.
 
> Date: Mon, 18 May 2015 18:01:31 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Tomcat valve JAAS : form error page displayed first before 
> response reaches back to Tomcat valve
> 
> Ming Yap,
> 
> On 5/18/15 4:56 PM, Kim Ming Yap wrote:
> > Now here comes the crucial point and question when it comes to JAAS.
> > 
> > I know the benefit of JAAS - a pluggable authentication and 
> > authorization module.
> > 
> > Why and in JavaEE's name have a JAAS realm (eg in Tomcat) where
> > the loginmodule has no access to those most important objects -
> > sessions, request etc?
> 
> ... because JAAS does not require you to be running within a web
> context. You can use JAAS in a thin client. Or from a command-line
> client. Or whatever. In those cases, what would you use for the
> request or session?
> 
> > I did a bit of research .. hence other web container like JBoss, 
> > Oracle WebLogic has to build an extended version of their 
> > authentication module to capture those important objects ..
> > 
> > I just don't comprehend this.This is mind boggling.
> 
> Pluggable authentication and authorization is kind of an unattainable
> goal when you want it to work across any use case. You just happen to
> be thinking of the web-based authentication use case, here, and it's
> not matching up with your expectations.
> 
> What if you wanted to use some information about a TLS certificate for
> authentication? Does the JAAS module now need to have access to the
> X.509 certificate as well? What about a Smart Card? Where does that
> fit into your web-based view of JAAS?
> 
> It's just more complicated than you think, unfortunately.
> 
> > I have spent almost 4 weeks on trying to solve this basic problem 
> > when comes to form based authentication using JAAS.
> > 
> > 1. Valid credential -> no issue
> > 2. Credential disabled due to > 3 retries -> This message propagates to the error page
> > 3. Invalid user id -> This message propagates to the error page
> > 4. Invalid password -> This message propagates to the error page
> 
> You should do some reading about user-enumeration vulnerabilities and
> similar things. You probably don't want to give this kind of
> information to a user. Hint: the user might be an adversary, and any
> information you give them is something they can use to gain
> access to your system.
> 
> For example: if I enter ob...@whitehouse.gov as my username and you
> tell me "user does not exist", I can keep trying usernames until I get
> one that does exist. Great, now I know the user exists and I can keep
> trying passwords until I get in. If you tell me "credentials
> disabled", then I will know when I've tripped some kind of maximum
> login-attempt trigger that will (likely) disable the user for a while.
> So, I'll adjust my attack strategy so that I only try each user 3
> times because I know that after that, they will be disabled.
> 
> If you have a hard business requirement to tell the user why they
> aren't being permitted to login, you might want to go back to whoever
> wrote those requirements and ask them to review them from a security
> perspective.
> 
> -chris
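The enumeration Chris describes, as an added example that is not from the thread, from JAAS or from Tomcat: a form login that returns a distinct message per outcome (unknown user, wrong password, locked account) beside one that returns a single message while still enforcing the three-retry lockout, plus the probe an attacker would run against each to see which usernames the server treats differently. The user store, account names, passwords and message strings are constructed for the illustration; unknown users are run through the same PBKDF2 work as known ones so response time does not leak what the message no longer does.

```python
"""Constructed example: a form login that leaks account state beside one that does not."""
import hashlib
import hmac
import os

MAX_FAILURES = 3                      # the three-retry lockout from the thread
GENERIC_MESSAGE = "Invalid username or password."
PBKDF2_ROUNDS = 50_000                # low for the demo; tune upward in practice


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# A dummy credential so that an unknown user costs the same hash work as a known one.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("never-a-valid-password")


class UserStore:
    """In-memory stand-in for whatever backs the JAAS LoginModule (constructed)."""

    def __init__(self):
        self.users = {}

    def add(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "failures": 0}


def verify(record, password):
    """Constant-time digest comparison; always hashes, even when the user does not exist."""
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["digest"] if record else _DUMMY_DIGEST
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected) and record is not None


def login_verbose(store, username, password):
    """One message per outcome (the behaviour asked for in the thread): enumerable."""
    record = store.users.get(username)
    if record is None:
        return False, "user does not exist"
    if record["failures"] >= MAX_FAILURES:
        return False, "credentials disabled"
    if not verify(record, password):
        record["failures"] += 1
        return False, "invalid password"
    record["failures"] = 0
    return True, "ok"


def login_uniform(store, username, password):
    """Same message for every failure. The lockout is still enforced, just not announced,
    and unknown users do the same PBKDF2 work so timing does not single them out either."""
    record = store.users.get(username)
    ok = verify(record, password)
    if record is None or record["failures"] >= MAX_FAILURES:
        return False, GENERIC_MESSAGE     # a locked account refuses even the right password
    if not ok:
        record["failures"] += 1
        return False, GENERIC_MESSAGE
    record["failures"] = 0
    return True, "ok"


def enumeration_probe(login, store, candidates, password="wrong-guess"):
    """The attack Chris describes: keep every username the server treats differently
    from a name that certainly does not exist."""
    baseline = login(store, "no-such-user-" + os.urandom(4).hex(), password)[1]
    return [u for u in candidates if login(store, u, password)[1] != baseline]


def demo():
    store = UserStore()
    store.add("alice", "correct horse battery staple")   # constructed account
    candidates = ["alice", "bob", "carol"]
    return (enumeration_probe(login_verbose, store, candidates),
            enumeration_probe(login_uniform, store, candidates))


if __name__ == "__main__":
    leaked, hidden = demo()
    print("verbose login reveals:", leaked, "| uniform login reveals:", hidden)
```

The verbose variant hands the probe exactly one existing account out of three candidates; the uniform variant hands it nothing, and an attacker who hits the lockout learns only that the password keeps failing, which is the point Chris makes about not advertising the retry limit. Whether an account is locked or a username unknown is still recorded server-side, where it belongs in the audit log rather than in the response.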