Graham,

On 12/1/20 12:43, Graham Leggett wrote:
On 01 Dec 2020, at 13:48, Rémy Maucherat <r...@apache.org> wrote:

You still have years to plan a migration off the APR connector as it will
only be removed in 10.1 and Tomcat 9.0 continues to be supported.

This eventual removal of APR has been discussed for years. BTW, so that you
know, there are also discussions about AJP.

I am painfully aware of the discussions on the removal of AJP.

I first encountered this problem when Atlassian arbitrarily announced
removal of support for AJP (I assume off the back of the discussion),
leaving no practical way to pass certificates across to Tomcat.
   RequestHeader Client-Certificate %{SSL_CLIENT_CERT}

Does that not work? Or does it require this:

For this reason I developed the RFC compliant secure base64url API here:

https://github.com/apache/apr/blob/trunk/include/apr_encode.h 

?

Organised the donation of and then brought the RFC compliant JSON API up to the 
required security level here:

https://github.com/apache/apr/blob/trunk/include/apr_json.h 

Added digest support to the crypto API here:

https://github.com/apache/apr-util/blob/1.7.x/include/apr_crypto.h 

Add an RFC compliant JOSE implementation here:

https://github.com/apache/apr-util/blob/1.7.x/include/apr_jose.h 

Then added the two modules mod_auth_bearer and mod_autht_jwt here (outstanding 
for want of docs):

http://apache-http-server.18135.x6.nabble.com/Patch-mod-auth-bearer-mod-autht-jwt-An-alternative-to-AJP-td5051929.html#a5051936

Then created the option for Tomcat to read info from JWT here:

https://github.com/minfrin/tomcat7-jwt-authenticator 

Your arm must really hurt from patting yourself on the back so hard.

Why not fix mod_proxy_http so it can "practically" send X.509 certificates (or chains) to a Tomcat back-end? Your experience with httpd, mod_proxy, and TLS ought to make it pretty easy to do that.

While it can be tempting to downplay the arbitrary removal of
capabilities from tomcat as “a few characters” change, or by telling
people they have “years” to make a change, the knock-on effects of these
changes are significant and very expensive.

Yes, and the knock-on effects of continuing to support the APR connector are a pain in our collective behinds. Feel free to step-up and fix all the bugs in tcnative.

I would appreciate the help minimising the impact of these changes
before I encounter them unexpectedly in an update from a vendor.

It's not an update. It's a new release. It's practically a different product. Had we dropped APR and AJP in 7.0.107 or something like that, I would understand your argument. But we are talking about a major release.

Did you notice that we killed BIO? That was a much bigger deal than dropping APR.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
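The RequestHeader approach Chris points at, spelled out as a complete httpd virtual host. This is an added example, not configuration from the thread or from the Tomcat project; hostnames, file paths and the 127.0.0.1:8080 back-end address are assumptions. It forwards the client certificate that httpd has already verified to Tomcat over plain mod_proxy_http, so that nothing in the path depends on AJP.

```apache
# Added example (not from the thread): pass the verified client certificate
# from httpd to Tomcat over mod_proxy_http instead of AJP.
# Assumes mod_ssl, mod_headers and mod_proxy_http are loaded, and that the
# Tomcat HTTP connector on 127.0.0.1:8080 is reachable only from this host;
# a Tomcat that any client can reach directly would accept a forged header.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Client authentication is enforced and verified here; Tomcat only ever
    # sees the result of a verification httpd has already done.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # SSL_CLIENT_CERT is only populated when ExportCertData is enabled.
    SSLOptions +ExportCertData +StdEnvVars

    # "set" replaces any header of the same name that arrived with the
    # request, so a client cannot smuggle its own ssl_client_cert value
    # past the proxy. The header names are the SSLValve defaults.
    RequestHeader set ssl_client_cert "%{SSL_CLIENT_CERT}s"
    RequestHeader set ssl_cipher      "%{SSL_CIPHER}s"
    RequestHeader set ssl_session_id  "%{SSL_SESSION_ID}s"

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

On the Tomcat side, `<Valve className="org.apache.catalina.valves.SSLValve" />` inside the `Host` (or `Engine`) reads those headers and populates `javax.servlet.request.X509Certificate`, so an application sees the same request attributes it did behind the AJP connector. The PEM block in `SSL_CLIENT_CERT` spans several lines and cannot be carried verbatim in a header, so it arrives with the line breaks flattened; SSLValve restores them before parsing, which is why the header should carry the raw variable and not a hand-reformatted copy. The header names are configurable on the valve (`sslClientCertHeader`, `sslCipherHeader`, `sslSessionIdHeader`) if the defaults clash with something else in the deployment.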
