Re: Slow http denial of service

2015-03-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Petr, On 3/14/15 3:32 PM, Petr Nemecek wrote: > Hello, > > our webapp, that is deployed in Tomcat 8.0.18, was tested positive > as vulnerable to the slow http denial of service: "By using a > single computer, it is possible to establish thousands o

Re: Tomcat7: debugging realms - a howto?

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 3:43 PM, Graham Leggett wrote: > Changing the auth-type to CLIENT-CERT shows that the username has been > replaced by the subject-DN of the cert, which is progress. Reverse engineering tomcat showed that the tomcatAuthentication parameter solved half the problem - when the w

Re: Slow http denial of service

2015-03-14 Thread Mark Eggers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 3/14/2015 12:32 PM, Petr Nemecek wrote: > Hello, > > our webapp, that is deployed in Tomcat 8.0.18, was tested positive > as vulnerable to the slow http denial of service: "By using a > single computer, it is possible to establish thousands of > si

Slow http denial of service

2015-03-14 Thread Petr Nemecek
Hello, our webapp, that is deployed in Tomcat 8.0.18, was tested positive as vulnerable to the slow http denial of service: "By using a single computer, it is possible to establish thousands of simultaneous connections and keep them open for a long time. During the attack, the server was rendered
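
As an added example, not the poster's configuration and not Tomcat's shipped server.xml: the HTTP connector attributes in Tomcat 8.0 that bound how long a client may hold a connection open without completing a request, which is what a slow-header / slow-body test exercises. The attribute names are from the Tomcat 8.0 HTTP connector reference; every value below is an assumption to be tuned for the deployment.

```xml
<!-- server.xml fragment (assumed values, not the thread's config) -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="10000"
           keepAliveTimeout="5000"
           disableUploadTimeout="false"
           connectionUploadTimeout="10000"
           maxConnections="10000"
           maxThreads="200"
           acceptCount="100"
           redirectPort="8443" />
```

connectionTimeout is the time Tomcat waits, after accepting a connection, for the request line and headers to arrive; the 60000 that ships in server.xml is what lets one machine park thousands of half-sent requests. connectionUploadTimeout only takes effect with disableUploadTimeout="false" and bounds a request body that trickles in. In Tomcat 8.0 protocol="HTTP/1.1" already selects the NIO connector, so naming Http11NioProtocol is just explicit; with NIO an idle connection sits in the poller instead of pinning one of the maxThreads request threads, so it is maxConnections and the timeouts, not maxThreads, that decide how many parked connections the attacker can hold. If Apache httpd fronts Tomcat, the same limits belong in httpd (mod_reqtimeout), since Tomcat never sees a connection httpd has not finished reading. None of this bounds a client that reads the response slowly; re-run the scanner's own test after the change rather than assuming the timeouts cover every variant.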

Re: Getting tomcat to honour REMOTE_USER as provided via mod_proxy_ajp

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 4:15 PM, Graham Leggett wrote: > I have reached the point where with an auth-method of CLIENT-CERT is > returning the Subject DN of the certificate as the username. > > What I need to achieve is for tomcat to honour the REMOTE_USER environment > variable as set by Apache htt

Getting tomcat to honour REMOTE_USER as provided via mod_proxy_ajp

2015-03-14 Thread Graham Leggett
Hi all, I have reached the point where with an auth-method of CLIENT-CERT is returning the Subject DN of the certificate as the username. What I need to achieve is for tomcat to honour the REMOTE_USER environment variable as set by Apache httpd. I have noticed the tomcatAuthentication flag can
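
As an added example, not Graham's configuration: the AJP connector setting that makes Tomcat accept the user name httpd forwards over AJP (the value httpd exposes as REMOTE_USER) as the request principal instead of authenticating the request itself. tomcatAuthentication and address are documented AJP connector attributes in Tomcat 7 and 8.0; the port, the bind address and the assumption that httpd sets REMOTE_USER from the client certificate (for example with mod_ssl's SSLUserName directive) are mine.

```xml
<!-- server.xml fragment (assumed values, not the thread's config) -->
<!-- tomcatAuthentication="false": trust the principal supplied by httpd
     over AJP instead of running Tomcat's own authenticator. -->
<!-- address="127.0.0.1": anyone who can reach this port can assert any
     user name, so bind it to the loopback interface used by httpd. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           redirectPort="8443" />
```

The security point is the second comment: with tomcatAuthentication="false" the AJP peer is the authentication authority, so the connector must be reachable only by the httpd instance that performed the certificate check; exposing it on all interfaces turns the REMOTE_USER field into a free choice of identity. Authorization (isUserInRole and security-constraint role checks) is still Tomcat's job and still depends on the Realm resolving the forwarded user name to roles, which is a separate configuration from the connector attribute shown here.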

Re: Tomcat7: debugging realms - a howto?

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 1:04 AM, Konstantin Kolinko wrote: > You are using JRE's default java.util.logging.LogManager. > > You need to configure JRE to use the Tomcat JULI implementation of log > manager with > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager > > The JRE class is us