Hi Chris!

Our app is happily running on Tomcat 9.0.64 on our test server. The problem is that, unlike our test server, which faces the web directly, our production Tomcat is behind an nginx server which acts both as a DDOS protection mechanism and as an SSO IdP server, so our users can use two apps with the same login credentials (both apps use the same db for user info storage).

When I tried to install 9.064 on the production server about a year ago, I discovered that all the static data from our app (jpg, js, css, etc.) doesn't get loaded. The only static data which was available was the data inlined inside the JSP pages themselves. Since that meant that we pretty much have an unusable app, and I didn't have time to investigate the root cause at the time, I reverted back to Tomcat 7.0.92. Oddly enough, nothing was actually changed on the nginx server at the time of the switch.

I'm hoping that the next time I attempt the upgrade of our production server, installing the latest version of the 9.0 branch might fix the issue, although I'm not sure. (Unfortunately, the nginx server is in a different department and not under my control.)

Thank you for the clarification and for all the help.

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: October 23, 2023, 19:24
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: CredentialHandler tomcat 7

Chuck,

On 10/22/23 13:55, Chuck Caldarale wrote:
>> On Oct 22, 2023, at 10:02, Усманов Азат Анварович <usma...@ieml.ru> wrote:
>>
>> Hi everyone! I'm trying to use CredentialHandler with tomcat to increase
>> security since our db at $work still has pwd stored as md5 hashes. Some of
>> our servers still use tomcat 7.092. I was looking at this presentation by
>> Christopher Schultz
>> http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
>> it mentions that Credential handler should be available to a web app in
>> Tomcat 7.0.70+. But then I looked up the source code for catalina.jar in 7.0.92
>> and 7.0.109-src and I can't find a class named CredentialHandler. Am I looking at
>> the wrong place or is it just not available in tomcat 7? Also, the tomcat docs
>> for 7 don't seem to mention CredentialHandler at all..
>
> Looks like the CredentialHandler mechanism was introduced in 8.0.15 (November
> 2014), with no indication that it would ever be retrofitted to any 7.0.x
> version. (The footnote on slide 30 of the cited presentation appears to be in
> error.)

Yeah, I have no idea where I got the 7.0.70 version number from. Maybe I guessed it while drafting and never confirmed it. Sorry, Азат, it looks like I got that one wrong.

> Given that Tomcat 7.0 has not been supported for over two years and numerous
> issues have been addressed in the intervening time period, it might be time
> to upgrade…

+1

At this point, 7.0 is essentially 2 versions back from the currently-supported version of Tomcat (8.5.x) which itself is scheduled to be retired at the end of this coming March -- a mere 5 months from now.

I don't see any appetite for anybody -- myself included -- working on a back-port for this to Tomcat 7.

I would encourage you to upgrade to Tomcat 9. I suspect you'll find that your application runs with very few if any issues if you just upgrade in a development environment and run a test.

-chris