All,
As promised, today's webinar "Apache Tomcat 9: HTTP/2 Quick Start" is
now available on the Apache Tomcat YouTube channel:
https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
Mark
Roel,
On 11/24/15 2:19 PM, Roel Storms wrote:
> When I am in a hurry to get a website up and running and I have no
> resources to do so, security is going to be my last concern.
This item should be listed as #1 on OWASP's list of the Most Critical
Application Security Risks.
-chris
Joleen,
On 11/24/15 4:31 PM, Joleen Barker wrote:
> I have set up the logrotate using cron in the past and it was very
> successful on the Linux boxes but I could not find an equivalent setup for
> AIX. Things seem so much easier on Linux. The company wants a universal
> approach so that left that
Thank you so much Christopher for all that information. I will look in to
the various options you've presented.
I have set up the logrotate using cron in the past and it was very
successful on the Linux boxes but I could not find an equivalent setup for
AIX. Things seem so much easier on Linux. The
The only way cookie-based session management is secure is when
you apply a number of countermeasures:
Correct flags, path and domain attributes, no untrusted applications
on subdomains (solved by origin cookies), ...
You run it over TLS to withstand sniffers.
There is no clean mechanism to share
My config is pretty vanilla.
This fails, because of the three problematic ciphers.
As far as I know I'm not using any system properties to control JSSE.
On Tue, Nov 24, 2015 at 10:16 AM, Christopher Schultz wrote:
> Mark,
>
> On 11/24/15 12:36 PM, Mark Robinson wrote:
>> I'm having this
Mark,
On 11/24/15 12:36 PM, Mark Robinson wrote:
> I'm having this problem with TLS in Firefox and Chrome. Some of my
> requests are failing with an SSL MAC Bad Read error. I'm using Tomcat
> 8.0.24 on Java 8.0_u66 / Ubuntu 14.04. So it works fine with IE, and
> if I disable some ciphers then i
Roel,
On 11/24/15 10:43 AM, Roel Storms wrote:
> 2015-11-24 16:11 GMT+01:00 Christopher Schultz:
>
>> Roel,
>>
>> On 11/24/15 9:44 AM, Roel Storms wrote:
>>> I am trying to protect the client from:
>>>
>>> Session fixation
>>
>> Tomcat already provides session-fixation protection when using UR
I'm having this problem with TLS in Firefox and Chrome. Some of my
requests are failing with an SSL MAC Bad Read error. I'm using Tomcat
8.0.24 on Java 8.0_u66 / Ubuntu 14.04. So it works fine with IE, and
if I disable some ciphers then it works.
If I disable these ciphers TLS_RSA_WITH_AES_128_
2015-11-24 16:11 GMT+01:00 Christopher Schultz :
> Roel,
>
> On 11/24/15 9:44 AM, Roel Storms wrote:
> > I am trying to protect the client from:
> >
> > Session fixation
>
> Tomcat already provides session-fixation protection when using URL-based
> or cookie-based session-tracking. When authentica
Roel,
On 11/24/15 9:44 AM, Roel Storms wrote:
> I am trying to protect the client from:
>
> Session fixation
Tomcat already provides session-fixation protection when using URL-based
or cookie-based session-tracking. When authentication occurs, Tomcat
will change the session identifier, effective
I am trying to protect the client from:
Session fixation
Session hijacking
Assure that requests that are received in an established session can't be
modified in transit (integrity of requests).
Maybe I also want to check integrity of the response since otherwise an
active MitM attack can still mod
Roel,
On 11/24/15 9:17 AM, Roel Storms wrote:
> TLS will sign everything and therefore will not allow fine-grained integrity
> checking. Why do we want this? Middleboxes might alter some non-security
> sensitive information and I don't want to drop those requests. But I am
> looking into TLS alread
Roel,
On 11/24/15 5:12 AM, Roel Storms wrote:
> It's to implement a new session mechanism that guarantees integrity of the
> requests sent in the session and also protect the session from attacks
> based on stealing or replacing the session identifier. This is a thesis I'm
> working on and this To
André,
On 11/23/15 11:18 AM, André Warnier (tomcat) wrote:
> On 23.11.2015 16:31, Mark Thomas wrote:
>> On 23/11/2015 14:30, Roel Storms wrote:
>>> Hello,
>>>
>>> I am working on a Valve that does some integrity checking on HTTP
>>> requests
>>> (the details aren't important) where I need this val
TLS will sign everything and therefore will not allow fine-grained integrity
checking. Why do we want this? Middleboxes might alter some non-security
sensitive information and I don't want to drop those requests. But I am
looking into TLS already to see if I can use it for my purpose. We
certainly d
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Fwd:
> > First of all, I have a context.xml file in the WEB-INF folder of my
> > application (call it "myApplication" henceforth) that looks like:
Also note that WEB-INF is not the correct directory for context.xml.
Yuval,
On 11/23/15 8:38 AM, Yuval Schwartz wrote:
> I am using tomcat 8.0.22.0
> Language: Java
> development: Windows, NetBeans.
> deployment: ec2 linux
>
> I am still having trouble understanding/working with "path" and "docBase"
> of context element.
>
> I have two questions:
>
> First of all
On 24/11/2015 10:12, Roel Storms wrote:
> It's to implement a new session mechanism that guarantees integrity of the
> requests sent in the session and also protect the session from attacks
> based on stealing or replacing the session identifier. This is a thesis I'm
> working on and this Tomcat va
It's to implement a new session mechanism that guarantees integrity of the
requests sent in the session and also protect the session from attacks
based on stealing or replacing the session identifier. This is a thesis I'm
working on and this Tomcat valve should prove that migration from cookie
base