Re: Question on SSL and Pragma in 7.x

2014-01-11 Thread Mark Thomas
On 10/01/2014 22:46, Jeffrey Janner wrote:
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Thursday, January 09, 2014 4:08 PM
>> To: Tomcat Users List
>> Subject: Re: Question on SSL and Pragma in 7.x
>>
>> On 09/01/2014 18:22, Jeffrey Janner wrote:
>>> I'd like to verify something I think I'm seeing in Tomcat 7.x.
>>
>> 
>>
>>> Am I interpreting all that correctly?
>>
>> See http://markmail.org/message/2kkq4yxgacgbrwht
>>
>>> If I wanted to add a section that did use Tomcat Auth, would I
>>> need/want to add the appropriate Authenticator valve back to the
>> context.xml?
>>
>> Only if you need to change the configuration of the Authenticator.
>> Tomcat adds the correct Authenticator automatically based on the
>> <auth-method> defined in web.xml
>>
>> Mark
>>
> 
> Thanks Mark.  I will keep that in mind, but it looks like the defaults will 
> do it from now on.
> However, any idea about the last section of my post?
> Specifically, why the SSLAuthenticator was kicking in when the auth method 
> was defined as Basic?  (note, no SSL auth method was configured in the 
> web.xml, but the SSLAuthenticator was configured in the context.xml.)  Just 
> curious about that.

If you explicitly add an Authenticator via context.xml then it will be
treated like any other valve and be invoked for every request.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
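
The behaviour described in the reply above can be checked before deployment. The following is an added example, not part of the original thread and not Tomcat code: it compares the <auth-method> in web.xml with any Authenticator valve set explicitly in context.xml and reports a mismatch such as SSLAuthenticator on a BASIC application. The sample XML strings, the helper names, and the package-prefix test for spotting Authenticator valves are assumptions of this example.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.catalina.authenticator."
# <auth-method> -> Authenticator that Tomcat installs on its own.
DEFAULTS = {"BASIC": PKG + "BasicAuthenticator", "DIGEST": PKG + "DigestAuthenticator",
            "FORM": PKG + "FormAuthenticator", "CLIENT-CERT": PKG + "SSLAuthenticator",
            "NONE": PKG + "NonLoginAuthenticator"}

# Constructed samples: the web.xml fragment from the question, and a context.xml
# like the pre-7 setup the thread describes.
WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method><realm-name>Monitoring</realm-name></login-config>
  <security-constraint>
    <web-resource-collection><web-resource-name>Monitoring</web-resource-name>
      <url-pattern>/monitoring</url-pattern></web-resource-collection>
    <auth-constraint><role-name>monitoring</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
CONTEXT_OLD = f'<Context><Valve className="{PKG}SSLAuthenticator" securePagesWithPragma="false"/></Context>'
CONTEXT_OK = f'<Context><Valve className="{PKG}BasicAuthenticator" securePagesWithPragma="false"/></Context>'

def auth_method(web_xml):
    """Return the declared <auth-method>, ignoring any XML namespace."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "auth-method" and el.text:
            return el.text.strip().upper()
    return "NONE"  # assumption of this example: no <login-config> is treated as NONE

def explicit_authenticators(context_xml):
    """Valves whose class lives in Tomcat's authenticator package (heuristic)."""
    return [v.get("className") for v in ET.fromstring(context_xml).iter("Valve")
            if (v.get("className") or "").startswith(PKG)]

def check(web_xml, context_xml):
    """Flag explicit Authenticator valves that differ from the web.xml default."""
    method = auth_method(web_xml)
    expected = DEFAULTS.get(method)
    return [f"{cls[len(PKG):]} is set in context.xml but web.xml declares {method}"
            for cls in explicit_authenticators(context_xml) if cls != expected]

if __name__ == "__main__":
    for name, ctx in [("old", CONTEXT_OLD), ("ok", CONTEXT_OK), ("none", "<Context/>")]:
        print(name, check(WEB_XML, ctx) or "no mismatch")
```
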



RE: Question on SSL and Pragma in 7.x

2014-01-10 Thread Jeffrey Janner
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Thursday, January 09, 2014 4:08 PM
> To: Tomcat Users List
> Subject: Re: Question on SSL and Pragma in 7.x
> 
> On 09/01/2014 18:22, Jeffrey Janner wrote:
> > I'd like to verify something I think I'm seeing in Tomcat 7.x.
> 
> 
> 
> > Am I interpreting all that correctly?
> 
> See http://markmail.org/message/2kkq4yxgacgbrwht
> 
> > If I wanted to add a section that did use Tomcat Auth, would I
> > need/want to add the appropriate Authenticator valve back to the
> context.xml?
> 
> Only if you need to change the configuration of the Authenticator.
> Tomcat adds the correct Authenticator automatically based on the
> <auth-method> defined in web.xml
> 
> Mark
> 

Thanks Mark.  I will keep that in mind, but it looks like the defaults will do 
it from now on.
However, any idea about the last section of my post?
Specifically, why the SSLAuthenticator was kicking in when the auth method was 
defined as Basic?  (note, no SSL auth method was configured in the web.xml, but 
the SSLAuthenticator was configured in the context.xml.)  Just curious about 
that.





Re: Question on SSL and Pragma in 7.x

2014-01-09 Thread Mark Thomas
On 09/01/2014 18:22, Jeffrey Janner wrote:
> I'd like to verify something I think I'm seeing in Tomcat 7.x.



> Am I interpreting all that correctly?

See http://markmail.org/message/2kkq4yxgacgbrwht

> If I wanted to add a section that did use Tomcat Auth, would I need/want
> to add the appropriate Authenticator valve back to the context.xml?

Only if you need to change the configuration of the Authenticator.
Tomcat adds the correct Authenticator automatically based on the
<auth-method> defined in web.xml

Mark




Question on SSL and Pragma in 7.x

2014-01-09 Thread Jeffrey Janner
I'd like to verify something I think I'm seeing in Tomcat 7.x.
Back in Tomcat 6.x and previous, to get around an IE bug with the Pragma 
header, we would set up an Authenticator valve with securePagesWithPragma set 
to false.  It didn't really matter which Authenticator valve, just having it 
there would do the job.
This was necessary because the SSL connector would set the headers as

  Pragma: No-cache
  Cache-Control: no-cache

but adding the valve would drop the Pragma header and change the Cache-Control 
to "private".
(Not sure it matters, but all this is using native libs on Windows.)
Empirical testing seems to show that at 7.x (7.0.42 at least), the default mode 
for SSL is to only set the Cache-Control to "private". It does not add the 
Pragma header, and therefore there should be no need for the Authenticator 
valve.  (note that all authentication is internal to the application and 
everything is run over SSL)
Am I interpreting all that correctly?
If I wanted to add a section that did use Tomcat Auth, would I need/want to add 
the appropriate Authenticator valve back to the context.xml?
For example:  Adding javamelody but limited to users from the users.xml file.  
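I would add the following to the web.xml:

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Monitoring</realm-name>
  </login-config>
  <security-role>
    <role-name>monitoring</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Monitoring</web-resource-name>
      <url-pattern>/monitoring</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>monitoring</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
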
Is the BasicAuthenticator valve necessary, and what would it do for me?

Further notes on why I'm testing this:
Our old pre-7 setup used SSLAuthenticator, even though we didn't use client 
certs, just to get the Pragma header dropped. But adding the above config for 
javamelody had Tomcat refusing the connection to /monitoring because we didn't 
have client certs.  We would get an SSL error page.

Jeffrey Janner
Sr. Network Administrator
jeffrey.jan...@polydyne.com
PolyDyne Software Inc.
Main:   512.343.9100
Direct:  512.583.8930

Speed, Intelligence & Savings in Sourcing