Hi Graham,

On Tue, Dec 1, 2020 at 7:43 PM Graham Leggett <minf...@sharp.fm.invalid>
wrote:

> On 01 Dec 2020, at 13:48, Rémy Maucherat <r...@apache.org> wrote:
>
> > You still have years to plan a migration off the APR connector as it will
> > only be removed in 10.1 and Tomcat 9.0 continues to be supported.
> >
> > This eventual removal of APR has been discussed for years. BTW, so that you
> > know, there are also discussions about AJP.
>
> I am painfully aware of the discussions on the removal of AJP.
>
> I first encountered this problem when Atlassian arbitrarily announced
> removal of support for AJP (I assume off the back of the discussion),
> leaving no practical way to pass certificates across to Tomcat.
>
> For this reason I developed the RFC compliant secure base64url API here:
>
> https://github.com/apache/apr/blob/trunk/include/apr_encode.h
>
> Organised the donation of and then brought the RFC compliant JSON API up
> to the required security level here:
>
> https://github.com/apache/apr/blob/trunk/include/apr_json.h
>
> Added digest support to the crypto API here:
>
> https://github.com/apache/apr-util/blob/1.7.x/include/apr_crypto.h
>
> Add an RFC compliant JOSE implementation here:
>
> https://github.com/apache/apr-util/blob/1.7.x/include/apr_jose.h
>
> Then added the two modules mod_auth_bearer and mod_autht_jwt here
> (outstanding for want of docs):
>
>
> http://apache-http-server.18135.x6.nabble.com/Patch-mod-auth-bearer-mod-autht-jwt-An-alternative-to-AJP-td5051929.html#a5051936
>
> Then created the option for Tomcat to read info from JWT here:
>
> https://github.com/minfrin/tomcat7-jwt-authenticator
>
> While it can be tempting to downplay the arbitrary removal of capabilities
> from Tomcat as “a few characters” change, or by telling people they have
> “years” to make a change, the knock-on effects of these changes are
> significant and very expensive.
>
> I would appreciate the help minimising the impact of these changes before
> I encounter them unexpectedly in an update from a vendor.
>

As I suggested in your PR about Unix Domain Sockets support - what about
extracting the APR (and AJP ?!) code into its own project!
The main work has been done over the years. Now it just needs someone to
maintain it.

Regards,
Martin


>
> Regards,
> Graham
> —
>
>
