VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !
DO NOT OPEN THIS ATTACHMENT!

-----Original Message-----
From: Craig R. McClanahan [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, November 17, 2000 10:26 PM
Subject: Re: using SSL on standalone Tomcat - Urgent !

"Lacerda, Wellington (AFIS)" wrote:

> Craig,
>
> Can you send me a piece of example of the configuration ? I can't see what I'm doing wrong. I've already tested both suggestions and I didn't get that message back in any case.
>
> Thanks,
> Wellington

Attached is the simplest web-app I can create that illustrates this thing working correctly. Put "secure-only.war" in your webapps directory, restart Tomcat, and try:

http://localhost:8080/secure-only

You should get a message stating "SSL required to access this page". I tested this with the most recent code from CVS, but I do not believe anything has changed (that would affect this) since beta 7.

Craig

PS: It also works if you change the transport guarantee from CONFIDENTIAL to INTEGRAL.

Re: VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !
"Mark G. Franz" wrote:

> DO NOT OPEN THIS ATTACHMENT!

The "Antigen for Exchange" virus scanner is broken, as you will discover if you scan this file with any other virus scanner. Apparently it does not know what a Java JAR file looks like.

Craig McClanahan

Re: VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !
In response;

Antigen virus protection for Exchange found secure-only.war infected with CorruptedCompressedFile virus. The file is currently Deleted. The message, "Re: using SSL on standalone Tomcat - Urgent !", was sent from Craig R. McClanahan.

Do you really want to risk it?...

-----Original Message-----
From: Kurt Bernhard Pruenner [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Saturday, November 18, 2000 11:21 AM
Subject: Re: VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !

"Mark G. Franz" wrote:

> DO NOT OPEN THIS ATTACHMENT!

Jeeez... you've got to be kidding me - that file was just over 1kB in size, and contained 2 xml and 1 html file... just because your virus scanner is paranoid doesn't mean you have to be too... and there's no way you're gonna fit a JavaScript-Virus into 163 bytes of HTML, think about it, much less find an XML-virus...

Just to cite some other paranoid firewall...

<quote>
Antigen virus protection for Exchange found secure-only.war infected with CorruptedCompressedFile virus. The file is currently Deleted. The message, "Re: using SSL on standalone Tomcat - Urgent !", was sent from Craig R. McClanahan and was discovered in IMC Queues\Inbound located at Genelco.
</quote>

Now, if you also got the "corrupted compressed file" virus warning - blame your virus scanner for not being able to correctly read WAR-files, a feat even WinRAR here pulls off without problems... :/

Okay people, you _can_ open this attachment alright, move along, move along, nothing to see here...

Sorry, I just had to get this off my chest...

--
Kurt Pruenner - Haendelstrasse 17, 4020 Linz, Austria | Briareos at Olymp BBS:
http://www.mp3.com/Leak http://www.ssw.uni-linz.ac.at | ssh [EMAIL PROTECTED]
...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
np: Leak - Turbs (Leaked)

Re: VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !
"Mark G. Franz" wrote:

> In response;
>
> Antigen virus protection for Exchange found secure-only.war infected with CorruptedCompressedFile virus. The file is currently Deleted. The message, "Re: using SSL on standalone Tomcat - Urgent !", was sent from Craig R. McClanahan.
>
> Do you really want to risk it?...

Antigen is broken. Do you want to continue to trust it? :-)

Craig

Re: VIRUS ALERT! Re: using SSL on standalone Tomcat - Urgent !
"Mark G. Franz" wrote:

> In response;
>
> Antigen virus protection for Exchange found secure-only.war infected with CorruptedCompressedFile virus. The file is currently Deleted. The message, "Re: using SSL on standalone Tomcat - Urgent !", was sent from Craig R. McClanahan.
>
> Do you really want to risk it?...

Believe me - you put too much trust in your virus scanner; a compressed file by itself (like a WAR-archive) can't be virus-infected, and when its contents are a super-short HTML file and 2 XML files, neither being executable, the probability of your virus scanner being right converges asymptotically against zero...

Besides, opening the file with any packer (like WinRAR) that can open ZIP files will let you have a look at the contents, without any risk. Try it, you might be surprised... :)

--
Kurt Bernhard Pruenner --- Haendelstrasse 17 --- 4020 Linz --- Austria
Music: http://www.mp3.com/Leak --- Work: http://www.ssw.uni-linz.ac.at
...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
np: Excelsior - Plug

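The inspection suggested above can also be scripted so that nothing is unpacked to disk or executed. This is an added example, not part of the thread: it checks the ZIP structure and per-entry CRCs of a WAR and lists what it contains. The in-memory archive and its entry names are constructed stand-ins for the one HTML and two XML files mentioned, not the actual secure-only.war.

```python
import io
import zipfile

# Entry types a servlet container would load or compile (assumption for triage).
CODE_SUFFIXES = (".class", ".jar", ".jsp")

def build_sample_war():
    """Constructed stand-in WAR: one HTML page and two XML files (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("index.html", "<html><body>SSL only</body></html>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/other.xml", "<other/>")
    return buf.getvalue()

def inspect_archive(data):
    """Validate the archive and list its entries without extracting anything."""
    report = {"valid_zip": False, "bad_crc": None, "entries": [], "code_entries": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report                       # no usable ZIP central directory
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["valid_zip"] = True
        report["bad_crc"] = zf.testzip()    # first member failing its CRC, or None
        for info in zf.infolist():
            report["entries"].append((info.filename, info.file_size))
            if info.filename.lower().endswith(CODE_SUFFIXES):
                report["code_entries"].append(info.filename)
    return report

if __name__ == "__main__":
    war = build_sample_war()
    print(inspect_archive(war))             # intact archive
    print(inspect_archive(war[:40]))        # truncated copy: not a valid ZIP
```
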
RE: using SSL on standalone Tomcat - Urgent !
Craig,

Can you send me a piece of example of the configuration ? I can't see what I'm doing wrong. I've already tested both suggestions and I didn't get that message back in any case.

Thanks,
Wellington

-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 16 November 2000 19:06
To: [EMAIL PROTECTED]
Subject: Re: using SSL on standalone Tomcat - Urgent !

Kurt Bernhard Pruenner wrote:

> "Lacerda, Wellington (AFIS)" wrote:
>
> > > <web-app>
> > >   <security-constraint>
> > >     <web-resource-collection>
> > >       <web-resource-name>a</web-resource-name>
> > >       <url-pattern>/wlss1/*</url-pattern>
> >
> > Change this to "/*". The url-pattern setting is relative to your context, not to the server root.
>
> AFAIK, the spec says to use "/" instead of "/*" - give that a try, I'd say.

In a security constraint, a "/" pattern would only match the "welcome" page for an application, not any of its contents. If you want to protect the entire application, you need to use "/*".

If configured properly, I know this works because I've tested it (3.2b7) -- you get an error message back that says "SSL is required for this context".

> --
> Kurt Pruenner - Haendelstrasse 17, 4020 Linz, Austria | Briareos at Olymp BBS:
> http://www.mp3.com/Leak http://www.ssw.uni-linz.ac.at | ssh [EMAIL PROTECTED]
> ...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
> np: Kendall Jackman - Weightless (ambient.01@hyperreal comp.)

Craig McClanahan

Re: using SSL on standalone Tomcat - Urgent !
"Lacerda, Wellington (AFIS)" wrote:

> Craig,
>
> Can you send me a piece of example of the configuration ? I can't see what I'm doing wrong. I've already tested both suggestions and I didn't get that message back in any case.
>
> Thanks,
> Wellington

Attached is the simplest web-app I can create that illustrates this thing working correctly. Put "secure-only.war" in your webapps directory, restart Tomcat, and try:

http://localhost:8080/secure-only

You should get a message stating "SSL required to access this page". I tested this with the most recent code from CVS, but I do not believe anything has changed (that would affect this) since beta 7.

Craig

PS: It also works if you change the transport guarantee from CONFIDENTIAL to INTEGRAL.

secure-only.war

RE: using SSL on standalone Tomcat - Urgent !
Hi Craig,

Didn't work. I still can do http://localhost:8080/wlss/another_page.jsp , which is not SSL, and get answered. I was expecting a NOT FOUND error on port 8080. Is this the expected behaviour ? The logs don't show anything either.

Version 3.2b7 on NT4.0sp6 JDK 1.3 JSSE1.0.2.

Do I need a test certificate from a cert auth to get this running (don't think so)?

Thanks,
Wellington

-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 16 November 2000 04:19
To: [EMAIL PROTECTED]
Subject: Re: using SSL on standalone Tomcat - Urgent !

"Lacerda, Wellington (AFIS)" wrote:

> Hi All,
>
> I've set up SSL on a 3.2b7 instance. Also I defined a context, say /wlss, with a directory and a resource, say /wlss1/index.htm inside that context. I want to configure that context in such a way that the access to /wlss1/index.htm is only allowed if the transport is guaranteed at confidential level (SSL).
>
> I read the spec and created this web.xml to do the job:
>
> <web-app>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>a</web-resource-name>
>       <url-pattern>/wlss1/*</url-pattern>

Change this to "/*". The url-pattern setting is relative to your context, not to the server root.

>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>     </web-resource-collection>
>   </security-constraint>
> </web-app>
>
> By my understanding, I'm allowing access to the resource collection "a" - mapped to /wlss1/anything with GET or POST only through a confidential transport - SSL.
>
> It's not working at all. I can still access it through normal http. Am I missing something here ?
>
> Another question - how to impose confidential transport to the entire context ?
>
> Thanks in advance for any help,
> Wellington Silva
> UN/FAO

Craig McClanahan

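To see which requests each url-pattern from this thread would actually place under the CONFIDENTIAL guarantee, the matching can be modelled in a few lines. This is an added example, not Tomcat's code and not from any poster: the descriptor is constructed, with user-data-constraint as a direct child of security-constraint as the deployment descriptor DTD defines it, and a "/" pattern is treated as an exact match, which is an assumption taken from the description given in the thread for 3.2b7.

```python
import xml.etree.ElementTree as ET
# Constructed descriptor; only the url-pattern varies between the cases below.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>a</web-resource-name>
      <url-pattern>{pattern}</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Match a context-relative path against one url-pattern."""
    if pattern.endswith("/*"):                 # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension pattern
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                     # exact match, "/" included (assumption)

def transport_guarantee(web_xml, context_path, request_uri, method="GET"):
    """Return the transport guarantee covering request_uri, or "NONE"."""
    if request_uri != context_path and not request_uri.startswith(context_path + "/"):
        return "NONE"                          # request belongs to another context
    path = request_uri[len(context_path):] or "/"
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if guarantee is None:
            continue
        for coll in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in coll.findall("http-method")]
            if methods and method not in methods:
                continue                       # constraint lists other methods only
            patterns = [p.text.strip() for p in coll.findall("url-pattern")]
            if any(pattern_matches(p, path) for p in patterns):
                return guarantee.strip()
    return "NONE"

def compare_patterns(uri, context="/wlss"):
    return {p: transport_guarantee(WEB_XML.format(pattern=p), context, uri)
            for p in ("/wlss1/*", "/", "/*")}

if __name__ == "__main__":
    print({u: compare_patterns(u) for u in ("/wlss/another_page.jsp", "/wlss/wlss1/index.htm", "/wlss/")})
```

Because the constraint lists only GET and POST, a request with any other method falls outside it in this model even under "/*".
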
Re: using SSL on standalone Tomcat - Urgent !
"Lacerda, Wellington (AFIS)" wrote:

> > <web-app>
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>a</web-resource-name>
> >       <url-pattern>/wlss1/*</url-pattern>
>
> Change this to "/*". The url-pattern setting is relative to your context, not to the server root.

AFAIK, the spec says to use "/" instead of "/*" - give that a try, I'd say.

--
Kurt Pruenner - Haendelstrasse 17, 4020 Linz, Austria | Briareos at Olymp BBS:
http://www.mp3.com/Leak http://www.ssw.uni-linz.ac.at | ssh [EMAIL PROTECTED]
...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
np: Kendall Jackman - Weightless (ambient.01@hyperreal comp.)

RE: using SSL on standalone Tomcat - Urgent !
No, I'm sorry, it failed again. (thanks anyway)

Maybe I found a bug ?

Wellington

-----Original Message-----
From: Kurt Bernhard Pruenner [mailto:[EMAIL PROTECTED]]
Sent: 16 November 2000 17:13
To: [EMAIL PROTECTED]
Subject: Re: using SSL on standalone Tomcat - Urgent !

"Lacerda, Wellington (AFIS)" wrote:

> > <web-app>
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>a</web-resource-name>
> >       <url-pattern>/wlss1/*</url-pattern>
>
> Change this to "/*". The url-pattern setting is relative to your context, not to the server root.

AFAIK, the spec says to use "/" instead of "/*" - give that a try, I'd say.

--
Kurt Pruenner - Haendelstrasse 17, 4020 Linz, Austria | Briareos at Olymp BBS:
http://www.mp3.com/Leak http://www.ssw.uni-linz.ac.at | ssh [EMAIL PROTECTED]
...It might be written "Mindfuck", but it's spelt "L-A-I-N"...
np: Kendall Jackman - Weightless (ambient.01@hyperreal comp.)

Re: using SSL on standalone Tomcat - Urgent !
"Lacerda, Wellington (AFIS)" wrote:

> No, I'm sorry, it failed again. (thanks anyway)
>
> Maybe I found a bug ?

Can you send me (or re-send if you've already done so and I missed it) a simple test webapp that illustrates this? It worked for me in every test scenario I can come up with, so there's obviously something you are doing differently that we need to identify.

> Wellington

Craig McClanahan