Servlet overridden by Apache Tomcat welcome page?

2016-07-02 Thread Paul Roubekas 
Servlet  overridden by Apache Tomcat welcome page?

 

Not sure I am using the proper name for what I am calling the "Apache
Tomcat welcome page".  What I am calling the "Apache Tomcat welcome
page" is the page that comes up when http://localhost:8080 is entered as
the address on an internet browser.

 

Windows 7 (development workstation)

Fedora 23 (web server)

Apache Tomcat 7.0.68

Apache TomEE 1.7.4

Eclipse Mars 2 (4.5.2)

 

I have a single instance of Tomcat.  CATALINA_BASE is not used, just
CATALINA_HOME.  The WEB-INF/web.xml has been configured as follows.

 



http://www.w3.org/2001/XMLSchema-instance";
xmlns="http://java.sun.com/xml/ns/javaee";
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"; id="WebApp_ID"
version="3.0">

 







Abc



   The web site for Abc software



 









   HomeServlet

   software.Abc.website.HomeServlet

   1

 

 



 

   HomeServlet

   /AbcLandingPage

 

 

 

 

 Protect Donation page

 /DonateServlet

 GET

 POST   

 

 

 CONFIDENTIAL

 

  

 

   







 









AbcLandingPage

index.html

index.htm

index.jsp





 

As per these instructions
(http://wiki.metawerx.net/wiki/HowToUseAServletAsYourMainWebPage) this
configuration should result in the HomeServlet being the first page
rendered when the URL http://myDomain.com is entered as the destination
address in an internet browser.  But these instructions are generic for
the Java Servlet 2.4 specification.  In this
(http://wiki.apache.org/tomcat/HowTo#How_do_I_override_the_default_home_page_loaded_by_Tomcat.3F)FAQ
for Tomcat it is suggest that meta tag refresh be used.  It seems the
Tomcat meta tag refresh instruction were written before the Java Servlet
2.4 specification was written because other research
(https://en.wikipedia.org/wiki/Meta_refresh) points out that the use of
the meta tag refresh method is gone out of use because it can prevent
the end user from being able to use the back button successfully and it
is considered as one of the Un-ethical SEO process by the Search
Engines.  The current version of the Java Servlet Specification is 3.0.
(https://jcp.org/aboutJava/communityprocess/final/jsr315/index.html). 

 

Question 1) Is my assumption correct that the reason my web.xml is not
working is because the Tomcat/Tomee welcome page is specified in such a
way that it takes precedence over the web.xml settings in my websites
.WAR file?

 

Question 2) Is there a way to have my .WAR file WEB-INF/web.xml take
precedence over the Tomcat welcome page without uninstalling the Tomcat
welcome page?

Re: Tomcat 7 and SHA-1

2016-07-02 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Daniel,

On 7/1/16 6:28 PM, Daniel Savard wrote:
> 2016-07-01 16:21 GMT-04:00 Christopher Schultz
> > :
> 
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Greg,
>> 
>> On 7/1/16 3:03 AM, Greg Beresnev wrote:
>>> Thanks Daniel - any idea which cipher in particular needs to
>>> be absent in order for the SHA-1-based
>>> connection/authentication was rejected/failed?
>> 
>> I'm afraid Daniel may have confused the issue, because the 
>> certificate-signing algorithm is completely independent of any
>> cipher suites that you may use for the encrypted TLS connection.
>> 
>> FWIW, at $work, we typically filter-out anything that looks like
>> this:
>> 
>> NULL|_anon_|_DHE_|EXPORT|RC4|MD5|SHA$
>> 
>> But there's no way I know of to reject the local server
>> certificate if it doesn't meet some kind of criteria.
>> 
>> I checked, and Nagios's check_http utility does NOT have a check
>> for anything about a certificate other than it's expiration date.
>> This seems like a good thing to add to that tool (along with
>> complaining about support for certain protocols like SSLv3).
>> 
>> There are other tools you could use, such as Mark's suggestion
>> of using Qualys's ssltest site.
>> 
>> 
> In fact, to enforce SHA-2 (which is the same as SHA-256) you just
> have to switch to TLSv1.2 and nothing less. As per the RFC 5246 
> https://tools.ietf.org/html/rfc5246 SHA-2 is mandatory, paragraph
> 1.2.

I think you are misreading that RFC: there is no requirement in
TLSv1.2 that certificates must be signed using SHA-2.

What it says is that all new cipher suites defined by TLSv1.2 use
SHA256, not that the old cipher suites cannot be used.

For example, Microsoft.com will happily establish a TLSv1.2 connection
using any of the following ciphers:

SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

For example (ECDHE-RSA-AES128-SHA is what OpenSSL calls
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA):

$ openssl s_client -cipher ECDHE-RSA-AES128-SHA \
  -connect microsoft.com:443
[...]
- ---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-SHA

> Chris, you are right, the cipher suite is something different from
> the HMAC for the certificate itself. However, if the user wants to
> ban the SHA-1 from the negociated symmetric encryption algorithm,
> he will have to set a proper cipher suite to exclude anything
> without SHA-256 and more from the accepted ciphers. You have to
> experiment with the openssl cipher command to find out a proper
> combination.

There are hashing algorithms supported which are neither SHA-1 nor
SHA-256, so everyone should be aware of that, too. Obvious examples
are the other SHA-2 hashes (SHA384, SHA512). I thought there were
others, but it appears I was thinking of PGP (RIPEMD-160 came to
mind). Section 7.4.1.4.1 defines the signature algorithms to be NULL,
MD5, SHA1, SHA224, SHA256, SHA384, and SHA512.

Greg only mentioned that he wants to enforce the use of
better-than-SHA1 certificate-signing algorithms, presumably for both
server certificates as well as client certificates. The easiest way to
do that is to revoke all certificates that used SHA-1 as the signing
algorithm, or, better yet, revoke the certificate that was used to
sign all of those client-certificates and create a new certificate to
sign using the SHA256 algorithm.

Mark's suggestion of using the X509UsernameRetrieverClassName is
probably the best way to implement this, because you can just extend
the default X509UsernameRetriever, check the certificate for whatever
requirements you have, and then delegate the "real work" to the
superclass (which is pretty trivial, since it's just grabbing the CN
from the certificate).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXd/1tAAoJEBzwKT+lPKRYxs0P/021QUjfxCbjsHWmhZeUW2NV
BBKcDx6X4bdZDWLe9m39KW8ryufSFusxIAmq0h4k7KQ8B2i7tfqZqrOkyjzXE4DV
6YB0KYvPujnQzPW75GjQeWq3xPqp/iM4pwIaNHwliTlQDrVT5azcKym6b0jXIcp1
GM+bxdXFgy1L3E4sGiR0Ip5h8c45T0OTLLvFGn6MpKTnpeNsmFtqtAFZ6zmrIwUA
+zGfpZC7YOKMgbeBSQx2b5C+08UHi7kCy3DiXOpwjmdYfYv5OHxLgy0hRGpjPW2v
EZqnLpvuTWNBB7VqYju8jIUxg7IjkgjVQ+0Bat5ucBO6GgAZ7VzvHMD0cTPmyTj+
ASOFITX59YPY1N4hGz+dGhUE/0mTxsUuVmGFlkmtL3HkDBe0hYLij2RSO4KCsW9x
HyW2OlwF+ORLMG8nSdkiwVFHcZ6kB+k+wa+JGWQrU7yU12CvjJ80QiY9c9MJEw0r
HYuWew0SzVXfjPaE97LVqD1eh3p9IPyq9H7LC7yJAd5N8Yt+nTKDrBH3IY3Wudsz
qvM0HRpf6X/nEfNfLRn4bGxi5mjZlYRg4iwQuOxgMpwws5NMRgae6X9T9UEYyagq
khkio0i898nb2YAk4hfn47vSpX3ECZqMSo59ZwaTx2qk0CgyviD429iR/wjOBvGg
5gmz1HTlgll3PKbVTyDU
=s0e0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: user