I think that your question is really about server-side security for web apps
in general. All of your questions can apply to any web application
regardless of technology being used (e.g. asp, dhp, cfm).
A good place to start would be Java Pro Magazine. Two issues ago - cover
page about securing s
Hi Christopher,
I would be very interested in having this available for Tomcat 3.3.
Since I'm not a security expert, I'll defer to those better informed
to decide the appropriate solution. Would this "keystore security
solution" plug into Tomcat 3.3 using an interceptor? If there are
changes nee
Hi,
I'm new in this mailing list.
I'm working in tomcat 3.2.3 sources and
I just want to know:
-1- Does Tomcat 3.2.3 correctly support the use of Apache's mod_rewrite
module?
-2- Is there some problem with Session?
-3- What is the goal of the 'Set-Cookie2' header field?
Thanks in advance
Loïc Le
Hi,
I tried to unsubscribe from the list from the web site by clicking on the
link for the tomcat dev list and still getting mails, HELP
Oren Deri
Larry Isaacs wrote:
>
> Hi Christopher,
>
> I would be very interested in having this available for Tomcat 3.3.
> Since I'm not a security expert, I'll defer to those better informed
> to decide the appropriate solution. Would this "keystore security
> solution" plug into Tomcat 3.3 using an i
On Tue, 31 Jul 2001, Christopher Cain wrote:
> Quoting Jim Seach <[EMAIL PROTECTED]>:
> >
> > I think we're in agreement. The "initial authentication" problem
> > needs to be resolved before we can talk about leveraging it to solve the
> > other problems. I like your proposal of an optional
Hi Christopher,
I just checked, and for 3.3 you don't need any change in the core or any
other place in tomcat.
All you need to do is write a simple interceptor and implement
addInterceptor() callback.
In the implementation all you have to do is ask for a password (one
suggestion: you can add an
"Craig R. McClanahan" wrote:
>
> Not a problem ... it's just that I think you're being a little narrowly
> focused on the solution to *your* problem, and ignoring the bigger picture
> :-).
I suppose that's fair to a certain extent. I do see cert protection as a
little more critical than many of
pier        01/08/01 10:14:29
Modified:    webapp/support apjava.m4
Log:
Fixing errors in build for Solaris 8.
Revision  Changes    Path
1.4       +3 -3      jakarta-tomcat-connectors/webapp/support/apjava.m4
Index: apjava.m4
===
Christopher Cain wrote:
>
> "Craig R. McClanahan" wrote:
> >
> > Not a problem ... it's just that I think you're being a little narrowly
> > focused on the solution to *your* problem, and ignoring the bigger picture
> > :-).
>
> I suppose that's fair to a certain extent. I do see cert protection
[EMAIL PROTECTED] wrote:
>
> Hi Christopher,
>
> I just checked, and for 3.3 you don't need any change in the core or any
> other place in tomcat.
Cool, I didn't think so. I figure that if I needed a core change for a
command-line challenge at startup, I most probably did something wrong.
=)
"Pier P. Fumagalli" wrote:
> Ok... Gotcha... So, the session _IS_ correctly handled if going thru
> cookies, but if it's URLencoded, it's not...
>
> Will dig into that tomorrow first thing in the morning (bear with me, can
> you please post a bug in BugZilla so that we can keep track of what was
jean-frederic clere wrote:
>
> Encrypting server certificates is not bad but it prevents starting the server
> automatically.
> Storing this password is a nonsense.
> OpenSSL (for example) allows to modify this password or to have no password.
> If the server certificates is encrypted then we shou
On Wed, 1 Aug 2001, Christopher Cain wrote:
> Yep, I can certainly implement it that way if you like. How does that
> jive with the current server.xml setup, though? Isn't there still a
> separate tag in 3.3 for SSL? Does that then go away in favor
> of the Interceptor, or does the Interceptor b
I've just downloaded b6 and ran 'catalina.sh embedded' and 'catalina.sh
embedded -security' and both failed.
Have I omitted anything, or is there a bug?
Solaris 8, jdk 1.3.1, tomcat b6
--
XmlMapper: Debug level: 3
XmlMapper: Validating = true
ContextConfig[]: Scanning web.xml tag
> > So, now I'm stuck. Which one do you think is better (lately, I'm more
> > oriented towards the second approach!)
> >
> > Pier
> >
> >
The HP Core Services Framework defines the
abstract service base class by marker interfaces as
Destroyable, Initializable, Reconfigurable, Startable, S
> public interface Service {
> public void init(ServiceContext context) throws Exception;
> public void start() throws Exception;
> public void stop() throws Exception;
> public void destroy() throws Exception;
> }
>
Always pressing the send button (actually, the 'y' letter in
Hi there,
Does anyone know what the maximum length of the session ID value is when
using URL rewriting/encoding for session tracking (i.e.: ";jessionid=1234"
appended to the end of the URL) with the Tomcat 3.x
and 4.0 servlet containers?
Does the length vary or is it fixed? And does Tomcat enco
Incze Lajos at [EMAIL PROTECTED] wrote:
>>> So, now I'm stuck. Which one do you think is better (lately, I'm more
>>> oriented towards the second approach!)
>>>
>>> Pier
>>>
>>>
>
> The HP Core Services Framework defines the
> abstract service base class by marker interfaces as
>
> Destr
Costin:
Okay, I've looked over the whole Interceptor/Callback scheme, as well as
the HTTP and SSL-related implementation classes, and I have a question.
As I'm sure you know, it's all a little daunting for a newcomer like
myself, so please bear with me =)
I followed the whole startup routine fro
As a tomcat user, I am not so enthusiastic about your idea of removing the sources from
the binaries.
Almost every user downloads only the binaries. Having the sources inside means bringing
more developers to the Tomcat project, just because it will be easier to take a look
at the sources (since
Yet another reason I'm anxious to get out of school and work for a
company that will expense trips to ApacheCon and the like =)
- r
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Glenn Nielsen
> Sent: Wednesday, August 01, 2001 8:44 PM
> To: [EMA
remm        01/08/01 18:43:58
Modified:    catalina/src/share/org/apache/catalina/connector
             ResponseBase.java
Log:
- Fix for bug #2946.
The trigger for the problem is that SSLSocket doesn't behave like
a standard Socket for exception handling. This patch fixe
On Wed, 1 Aug 2001, Sasha Haghani wrote:
> Hi there,
>
> Does anyone know what the maximum length of the session ID value is when
> using URL rewriting/encoding for session tracking (i.e.: ";jessionid=1234"
> appended to the end of the URL) with the Tomcat 3.x
> and 4.0 servlet containers?
>
Quoting Fabien Le Floc'h <[EMAIL PROTECTED]>:
> As a tomcat user, I am not so enthusiastic about your idea of removing
> the sources from the binaries.
>
> Almost every user downloads only the binaries. Having the sources inside
> means bringing more developers to the Tomcat project, just because
On Wed, 1 Aug 2001, Christopher Cain wrote:
> I followed the whole startup routine from Tomcat.startTomcat() all the
> way through where the ContextManager calls the
> ServerXMLReader.addInterceptor(). That's where the whole hairy-chested
> XML parsing begins, and my brain started hurting :-) Up
Quoting [EMAIL PROTECTED]:
> On Wed, 1 Aug 2001, Christopher Cain wrote:
>
> > I followed the whole startup routine from Tomcat.startTomcat() all
> the
> > way through where the ContextManager calls the
> > ServerXMLReader.addInterceptor(). That's where the whole
> hairy-chested
> > XML parsing
On Wed, 1 Aug 2001, Christopher Cain wrote:
> I wasn't aware that the approach was more-or-less the
> deprecated way to interface a module, which would explain some of my confusion.
> Since the newer way sounds not only ... well, newer ... but also easier, I'll
> go with that. I really dig the w
On Tue, 31 Jul 2001, Jim Seach wrote:
> What I meant was, in order to implement SSL, Tomcat must be able to
> decrypt the keystore to retrieve the private key for the cert. A
> Tomcat extension or module could be developed to use the private key
> not only to decode the SSL traffic, but also to