subject:"Tomcat Config Question"

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David,

On 8/8/13 5:47 PM, David Landis wrote:
 On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz  
 ch...@christopherschultz.net wrote:
 
 
 ... and the SSLDisableCompression setting (when set to false)
 is intended to mitigate the CRIME attack against SSL/TLS
 compression. Feel free to read online all about the CRIME
 attack.
 
 
 That was what I was hoping it did when I asked the original
 question :)
 
 
 I haven't really done any analysis of SSL compression (that is, 
 compression as implemented by the TLS/SSL layer) alone versus 
 compression-less-SSL + gzip, but I suspect that any combination
 of compression and encryption can lead to CRIME-like attacks ...
 
 
 That seems to be true since there is now the BREACH attack:
 
 http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

  which (I think) is compression-less-SSL + gzip.

It is compression + deflate as explained in the article, but gzip
basically works the same way (LZ77 + Huffman).

It's too bad it took a researcher a year to figure out that
compression of any kind makes encryption (where the attacker can force
random probing attacks) weak. It's not like SSL+compression and
SSL-compression+compression is that different.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOWnAAoJEBzwKT+lPKRYuMoP/0cFjaVbiLs+Qw3QQS/z/A0p
mq/5QTNhsUqSsRmhnjAThGSBZPCpXB9We9ecTqV1moxR9iG94x/oya/3yToYmJ1r
Msat1HB97YRotPxyWCweZ2nllTPshlkyTnhojcD18csnA0pAfn/LzqimRXFelX2f
Vnkgoygb6qL5f6fIMpVVWrjzn1BsAGQxjNQwJtteimLC1GE7sYOarQ4MuqMrQzM2
/5tqOpJQnVgZRL+IdqNLHpYWGx8FhonV6KDXlVTAkl6LOgTWpVlWNrHzq8/wFpxO
3XssLKcO2oHm2mGvD8c6ivRwvVjvZlQd1VapamJpIxGl+ezlbyLwPx0USiIUrcNO
m6uyO1I9Zq9Vw63VMwbatYqA3nTqNwKhdaMl3H7jj4KJDxVyr/0RUNIuUu4+yECZ
XLUpSucIluDL90BrXfvYaSf8yCbkRBhk5fW9IgzDOOgXFlQNsYdb5RGtFxksIb24
irmiv4naxNKqBdyvVPDvib7hXwAAX4K8xhYitv7gakpCS7JPZrWA7hFl5YCdt7H7
pnCGLXTiyMpTRhQ7WNDm7sCFLD1YL67axRHBm1nMSbxOBwR3CiZ5UINOlqyj3Wp7
ZDZQNkdF0NBK9XL5J4fyapXDGYX+N6y0ikK1bR24qncrPuVq6RNkpJ04UlWWENq9
wzgcOoLG/iO4WpuAcoJC
=iH73
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Martin,

On 8/8/13 8:20 PM, Martin Gainty wrote:
 as earlier mentioned
 
 chrome is the only browser that supports compression on SSL
 streams

Mozilla Firefox had implemented TLS+compression for SPDY requests, and
thus was vulnerable. Since CRIME, both browsers have disabled
compression for TLS.

Disabling TLS compression whilst enabling gzip compression merely
re-enables a similar attack that had been mitigated by disabling SSL
compression in the first place.

So, it doesn't matter what browser you use, since you can usually bet
that the client supports gzip and/or deflate compression for
Content-Encoding. (Well, you don't have to bet, since the client
advertises that fact via Accept-Encoding). The point is that this is
not something most people are safe from due to their browsers'
inabilities. On the contrary: swapping TLS compression with regular
compression has given this attack much wider applicability.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOeeAAoJEBzwKT+lPKRY4GEQAJb9odexFRiOncyPUJpoW/Cr
yhQGyrDD606jcfhtv029BWw8RB2fRK0Efo03+0LJ8auGA9jPdD/u/aZYWBmzUcm6
w7fNR+zk288OjHpfU0PQ0c7ypK1vcEpVw57+f6aqMsdw/MaSlhQLX9ducsUZRzu2
TrHBlJPngu17HK9y5jg9i0YHJ6wMbvfD+8Dk17NoabthxgO3An9CNznp7IYSCyx2
9Y8dVT6d6W538JMgm+Ov+iAYwoZNslnKDo46bqHXbeuLo5VAn8wmisY+tW9QmbdP
cVsl6I+E2WGKGt2TvWGYwODKDCyxgDkLXjFRp13vpkpFTmYsvLSbiajJsur/kO1H
qcTq0ygdtoMe8waiB/eXbZx0aWVsfG90R7SaiUsznR3lTJfFPrDst3IuOJgafLIw
t1KvU3p1AcbFhAXZG3Oo9Ltwm3rxYvNuGi4eD8Khq8JOiMk4P+hhQwN30jCno7X6
0bV/tbIlp1SfU3SNFjUESIG4GIJGNUIOVuW8Ga1s1/8HQhMVnjHDG6eapeW0OS1h
srC3RKmPvWo0BEs4XmDanmssGqeOBZmhgO1SDGi/aY9Jl/NQVkBApzfdaJ1eDUB2
PfTzSOUz2SFEJy5nwkWR0y0S4hoN4i8sVgrqtUtmRZIzuqFr+SJlaIxfujzNWaxS
3X77ZRaLZXxUdEEV1HKR
=44Ps
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Mark Thomas

On 09/08/2013 14:50, Christopher Schultz wrote:

 It's too bad it took a researcher a year to figure out that
 compression of any kind makes encryption (where the attacker can force
 random probing attacks) weak. It's not like SSL+compression and
 SSL-compression+compression is that different.

It didn't. The original CRIME presentation covered this topic. I fail to
understand why such a fuss is being made of this re-hashing.

The original CRIME presentation also (correctly) pointed out that any
attack based on this is entirely theoretical and not currently at all
practical.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 9:14 AM, Mark Thomas wrote:
 On 09/08/2013 14:50, Christopher Schultz wrote:
 
 It's too bad it took a researcher a year to figure out that 
 compression of any kind makes encryption (where the attacker can
 force random probing attacks) weak. It's not like SSL+compression
 and SSL-compression+compression is that different.
 
 It didn't. The original CRIME presentation covered this topic. I
 fail to understand why such a fuss is being made of this
 re-hashing.

I wouldn't say this constitutes a fuss.

 The original CRIME presentation also (correctly) pointed out that
 any attack based on this is entirely theoretical and not currently
 at all practical.

Coffee shop + XSS? Perhaps a stretch.

The point is that folks are starting to chip-away at certain aspects
of TLS. Just like they did with hashing algorithms. MD5 was great when
it came out. So was SSL. There's nothing wrong with looking toward the
future, even if the current crop of problems aren't exactly catastrophic.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBO5wAAoJEBzwKT+lPKRYxakP/2PXSoCBrzgvVjkKrmvOh2Ag
5IVuP5eoIVpTT/ud6d8/uYDnSVSA/OI64lFZqZDwuiu11XnMC/uxDc/O4cfbCxA4
AYu0BgY/NDPUCAyPIcjujP22oBZibvYVr9RFrTFHdtmAaVT7KiLglCUaJzxuZtt7
6/A1+y4Q5X+g40fukNtIbwW7Of3hA2KNPeWt5s6aivYaUdQDfdYfMYh+kED+JMhS
HKpmaEBoj0KwOAv5iKbWaVphe+ZuFuqnLJq82GbJqWsiwQ3uykK0x/gAI9tmWe4D
SwpSszi5jwyv8SAoewyNLQr0ojNlzwkftVOrBEFyijfCAhu86xPHGDn1QghFQEpg
ALXn0oMQkeP7zVfxv4f2ID/u5iOtkT2O8G/jeq3jA08Ide7qi1+kNsWZyrvGS9r7
qkCoE9GayRgGKIEAS+mJLMhJ28ttJ4wvugSpsaSSNOu6CTWIY5mnlovbpPir18GN
uZCKMofeIn/fHAROFiHyFudP00z/uxX8r//gCCo0rcwcXRMUS/lxHZJNjYDL+ACA
QFiSWvgAlm8JWEpgF2DjckIND5ZoFvBS5KztkLlbZCeqzw9iSA/FY4r7EqfbQ0Rj
Nr9yvDGONDzgUp2BwHJIcYKIB5QQnSD1JfshVn//hv7Cm7v1GoA0b71Kkb2V+3s+
wZQf5DcDObBEck5VG2qE
=xEbv
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Mark Thomas

On 09/08/2013 15:28, Christopher Schultz wrote:
 Mark,
 
 On 8/9/13 9:14 AM, Mark Thomas wrote:
 On 09/08/2013 14:50, Christopher Schultz wrote:
 
 It's too bad it took a researcher a year to figure out that 
 compression of any kind makes encryption (where the attacker can
 force random probing attacks) weak. It's not like SSL+compression
 and SSL-compression+compression is that different.
 
 It didn't. The original CRIME presentation covered this topic. I
 fail to understand why such a fuss is being made of this
 re-hashing.
 
 I wouldn't say this constitutes a fuss.

fuss was a reference to how some folks are reacting to this new
attack, BREACH. First it isn't new, second it isn't (in my view)
practical.

 The original CRIME presentation also (correctly) pointed out that
 any attack based on this is entirely theoretical and not currently
 at all practical.
 
 Coffee shop + XSS? Perhaps a stretch.

To succeed, the attacker requires:

a) The victim is using a site that uses HTTP-level compression on responses
b) The site echoes user input in HTTP response bodies
c) The response bodies contain a constant secret (eg. CSRF token)

So far, not too hard. c) is a little unusual. Session IDs are normally
in cookie headers, CSRF tokens should change on every request. That
said, there are plenty of sites that meet a) to c).

d) The attacker has the ability to view the victim's encrypted traffic.
e) The attacker has the ability to cause the victim to send HTTP
requests to the vulnerable web server.

e) is where I think this attack becomes impractical. This may change
over time but at the moment the coffee shop scenario would require
social engineering the victim or subverting the router if the site mixed
HTTP and HTTPS. A malicious ISP / $work sysadmin is another option with
mixed HTTP/HTTPS.

 The point is that folks are starting to chip-away at certain aspects
 of TLS. Just like they did with hashing algorithms. MD5 was great when
 it came out. So was SSL. There's nothing wrong with looking toward the
 future, even if the current crop of problems aren't exactly catastrophic.

Indeed. If only everyone was approaching this with the same sense of
perspective. I agree the attacks will only get better / easier / more
practical but right now there are some big obstacles and I don't see any
obvious roots to getting over them.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 11:10 AM, Mark Thomas wrote:
 On 09/08/2013 15:28, Christopher Schultz wrote:
 Mark,
 
 On 8/9/13 9:14 AM, Mark Thomas wrote:
 On 09/08/2013 14:50, Christopher Schultz wrote:
 
 It's too bad it took a researcher a year to figure out that 
 compression of any kind makes encryption (where the attacker
 can force random probing attacks) weak. It's not like
 SSL+compression and SSL-compression+compression is that
 different.
 
 It didn't. The original CRIME presentation covered this topic.
 I fail to understand why such a fuss is being made of this 
 re-hashing.
 
 I wouldn't say this constitutes a fuss.
 
 fuss was a reference to how some folks are reacting to this
 new attack, BREACH. First it isn't new, second it isn't (in my
 view) practical.

Fair enough.

 The original CRIME presentation also (correctly) pointed out
 that any attack based on this is entirely theoretical and not
 currently at all practical.
 
 Coffee shop + XSS? Perhaps a stretch.
 
 To succeed, the attacker requires:
 
 a) The victim is using a site that uses HTTP-level compression on
 responses b) The site echoes user input in HTTP response bodies c)
 The response bodies contain a constant secret (eg. CSRF token)
 
 So far, not too hard. c) is a little unusual. Session IDs are
 normally in cookie headers, CSRF tokens should change on every
 request. That said, there are plenty of sites that meet a) to c).
 
 d) The attacker has the ability to view the victim's encrypted
 traffic. e) The attacker has the ability to cause the victim to
 send HTTP requests to the vulnerable web server.
 
 e) is where I think this attack becomes impractical. This may
 change over time but at the moment the coffee shop scenario would
 require social engineering the victim or subverting the router if
 the site mixed HTTP and HTTPS. A malicious ISP / $work sysadmin is
 another option with mixed HTTP/HTTPS.

I tend to agree: being able to both remotely monitor the victim's
traffic *and* remotely-control the browser means that you already have
quite a bit of control over the situation. Perhaps decrypting the SSL
stream isn't the worst thing an attacker in such a position can
accomplish.

 The point is that folks are starting to chip-away at certain
 aspects of TLS. Just like they did with hashing algorithms. MD5
 was great when it came out. So was SSL. There's nothing wrong
 with looking toward the future, even if the current crop of
 problems aren't exactly catastrophic.
 
 Indeed. If only everyone was approaching this with the same sense
 of perspective. I agree the attacks will only get better / easier /
 more practical but right now there are some big obstacles and I
 don't see any obvious roots to getting over them.

Agreed.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBRAUAAoJEBzwKT+lPKRYKMsP/3ye2X1m8oZGMxDfjhOxLr+B
xRS1SycborjXnEhAXnGAx+U1jFDzKPWQ0AdDMd2o4NKPqS6jWJTQ37CBeXN+25y2
0+FxZKP9FwrY94qY/dCNHK70nuUda6hpcGcpWRc78swh+hUnBzB0ue52WaaWjTJH
DfTPcRu1zvIeXj1zylIG4GebqKOH1+5P+NgL37+hnzoIwGmsgJ2FeVpAXELrrtZJ
wOcYguKLv0NrqkAx7CvZDmtr6a4ZpZvmyXpVGJlaoi/ejmQzDvtZDOFlsBaYOMwc
4HsweP4mEi7Ms3QYBzn9naVFXr1x+saaoO75F0jnRGE9yLJXbkhGgmpLM/+arnhO
/laV3ZMqHLXZYu+cmZvD/JsdL2liAaMPcwEB3c1ebFuTI8ro7+/7qlVx+H2inGew
2DIvWePjAXyKuudL8GqqHTcsbe6nrbpB41fqRyWCBSxtZwLbUfxgfjfXRQOfkX5e
88f2FmL7/BHq7YgO368rreZWx+RVze2SVv7nGm20M7LzEP6Dd2k7etca+K+KdS9L
ndNs4yHAtK8328dPsCsIYwcI767Y/5qTV3UIV0Bz8YDfjSYZvDQYVlCQRHs1VA/A
xisZptwRA1jZro3WrTlgzjdHfTOcxIYDaL65eZUXcjGgXB2T9YeIAfguf7PFK5wC
I6LlkxLa23oMvDL7Z2+c
=RJjz
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Mark Eggers


On 8/9/2013 8:10 AM, Mark Thomas wrote:

On 09/08/2013 15:28, Christopher Schultz wrote:

Mark,

On 8/9/13 9:14 AM, Mark Thomas wrote:

On 09/08/2013 14:50, Christopher Schultz wrote:



It's too bad it took a researcher a year to figure out that
compression of any kind makes encryption (where the attacker can
force random probing attacks) weak. It's not like SSL+compression
and SSL-compression+compression is that different.



It didn't. The original CRIME presentation covered this topic. I
fail to understand why such a fuss is being made of this
re-hashing.


I wouldn't say this constitutes a fuss.


fuss was a reference to how some folks are reacting to this new
attack, BREACH. First it isn't new, second it isn't (in my view)
practical.


The original CRIME presentation also (correctly) pointed out that
any attack based on this is entirely theoretical and not currently
at all practical.


Coffee shop + XSS? Perhaps a stretch.


To succeed, the attacker requires:

a) The victim is using a site that uses HTTP-level compression on responses
b) The site echoes user input in HTTP response bodies
c) The response bodies contain a constant secret (eg. CSRF token)

So far, not too hard. c) is a little unusual. Session IDs are normally
in cookie headers, CSRF tokens should change on every request. That
said, there are plenty of sites that meet a) to c).

d) The attacker has the ability to view the victim's encrypted traffic.
e) The attacker has the ability to cause the victim to send HTTP
requests to the vulnerable web server.

e) is where I think this attack becomes impractical. This may change
over time but at the moment the coffee shop scenario would require
social engineering the victim or subverting the router if the site mixed
HTTP and HTTPS. A malicious ISP / $work sysadmin is another option with
mixed HTTP/HTTPS.


I was reading about the pineapple wifi mark iv the other day. It looks 
to be a particularly powerful piece of pen testing equipment. This tool 
in a coffee shop would probably be all you need to have a good chance at e).


In short, don't do banking (or other sensitive work) at a coffee shop 
when the pages are a mix of HTTP and HTTPS.



The point is that folks are starting to chip-away at certain aspects
of TLS. Just like they did with hashing algorithms. MD5 was great when
it came out. So was SSL. There's nothing wrong with looking toward the
future, even if the current crop of problems aren't exactly catastrophic.


Indeed. If only everyone was approaching this with the same sense of
perspective. I agree the attacks will only get better / easier / more
practical but right now there are some big obstacles and I don't see any
obvious roots to getting over them.

Mark


I'm not a security person, nor do I play one online.

. . . . just my two cents
/mde/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-09 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 12:17 PM, Mark Eggers wrote:
 On 8/9/2013 8:10 AM, Mark Thomas wrote:
 On 09/08/2013 15:28, Christopher Schultz wrote:
 Mark,
 
 On 8/9/13 9:14 AM, Mark Thomas wrote:
 On 09/08/2013 14:50, Christopher Schultz wrote:
 
 It's too bad it took a researcher a year to figure out
 that compression of any kind makes encryption (where the
 attacker can force random probing attacks) weak. It's not
 like SSL+compression and SSL-compression+compression is
 that different.
 
 It didn't. The original CRIME presentation covered this
 topic. I fail to understand why such a fuss is being made of
 this re-hashing.
 
 I wouldn't say this constitutes a fuss.
 
 fuss was a reference to how some folks are reacting to this
 new attack, BREACH. First it isn't new, second it isn't (in
 my view) practical.
 
 The original CRIME presentation also (correctly) pointed out
 that any attack based on this is entirely theoretical and not
 currently at all practical.
 
 Coffee shop + XSS? Perhaps a stretch.
 
 To succeed, the attacker requires:
 
 a) The victim is using a site that uses HTTP-level compression
 on responses b) The site echoes user input in HTTP response
 bodies c) The response bodies contain a constant secret (eg. CSRF
 token)
 
 So far, not too hard. c) is a little unusual. Session IDs are
 normally in cookie headers, CSRF tokens should change on every
 request. That said, there are plenty of sites that meet a) to
 c).
 
 d) The attacker has the ability to view the victim's encrypted
 traffic. e) The attacker has the ability to cause the victim to
 send HTTP requests to the vulnerable web server.
 
 e) is where I think this attack becomes impractical. This may
 change over time but at the moment the coffee shop scenario would
 require social engineering the victim or subverting the router if
 the site mixed HTTP and HTTPS. A malicious ISP / $work sysadmin
 is another option with mixed HTTP/HTTPS.
 
 I was reading about the pineapple wifi mark iv the other day. It
 looks to be a particularly powerful piece of pen testing equipment.
 This tool in a coffee shop would probably be all you need to have a
 good chance at e).
 
 In short, don't do banking (or other sensitive work) at a coffee
 shop when the pages are a mix of HTTP and HTTPS.

Lots of people will stupidly connect to any unencrypted WiFi when they
are out and about. I'd say this is a fairly plausible attack vector.

Note that unencrypted + encrypted traffic is not necessary. You can
just look over someone's shoulder to see what bank they're using.
These days in the US most people use one of only like 5 banks. (It's
kind of sad.) Once you know the site that is being used, just browse
there yourself and attempt to login: you can probably see what kind of
authentication / session tracking is being used without tricking the
target into revealing that kind of information to you via HTTP (i.e.
without HTTPS).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBRr1AAoJEBzwKT+lPKRYxHwP/2WZmt7P+gtsiZ2Qx/S+idmr
xN+k/XHS4kaxWOBdo8sK3lzZYE9mB5ROtsuVYQQZ1WRJaQS0Vb09/VCJ4GnpOSFf
SR9aThyAXCxnnxF2vviTZUL93Dwh0LM/HwbRGpjYy5Tns0+qXATwm1IBNK3jzarF
Mvx2SOrMAGqiTEet9CqW/7yYQV31kFpLaZGiDsdJT6FM+mBG8OrVcYstBr0b6qXF
LC2IILQshvHvcAUmAEDDPO8NRfgxCY+4uzY9M028DromKeliAQ7PO0KD4E3nErZZ
xL5ysEgSKSahd+0a1QJRXvLccb4XRLL9GCcSP9/TvUzqbOahWUDrIHgLGJWZYAfS
ql4nO2QLtVDfTdtgBUyuNQsn+AlJZHR96g/N7lHuxZU8fap5Auir8xFijWDRWrdn
LfykGonHPZ75UDlOFQmMUPM/8H6AFbymw9R8ZhpbCMwEPAU/SqVARbCLAThIVQWN
zrroWjVqMLdUTbdqvT3Xi9EnmXkPuszHGjqQRtVgt60MRRZ63bkM8+F2hnJGlSId
VpUFi6RrK0wM4TFd2viGlW7SbSbl/vSHAPruAYzwAJvkI+g2QduW8HVV4lESyZ+T
C9vVnz59BJwsokc5H3ykNCcnurkaWCBwEm70LTc9MQKlS8ICyOtKX31TugZvzPKv
EiJZhuKGsOZR/+lf3ser
=98t0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread David Landis

Hi,

I was wondering if someone could clarify the difference between the
configuration parameters mentioned in the subject of this email or point me
to some documentation that explains it?

Do they both refer to the same type of compression?

Based on the Tomcat docs I know the former controls whether or not the
connector uses gzip compression. Regarding the latter, the Tomcat docs say:
Disables compression if set to true and OpenSSL supports disabling
compression..  Is that referring to a different type of compression?

Here is the behavior I'm seeing:
--compression=on and SSLDisableCompression=false, the responses are gzip'd
--compression=on and SSLDisableCompression=true, the responses are gzip'd
--compression=off and SSLDisableCompression=false, the responses are not
gzip'd


Environment:

Tomcat 7.0.40
Java 7
RHEL (Linux)
APR/native connector with SSL
OpenSSL 1.0.0
APR 1.4.8

server.xml example:

?xml version='1.0' encoding='utf-8'?
Server port=8005 shutdown=SHUTDOWN
  Listener className=org.apache.catalina.core.AprLifecycleListener
SSLEngine=on /
  Listener className=org.apache.catalina.core.JasperListener /
  Service name=Catalina
Connector port= redirectPort=8443 URIEncoding=UTF-8/
Connector port=8443
scheme=https
URIEncoding=UTF-8
 secure=true
compression=on
compressableMimeType=text/html,.
 SSLEnabled=true
SSLCertificateFile=cert.pem
SSLCipherSuite=ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW:...
 SSLDisableCompression=true/
  /Service
/Server

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Mark Thomas

On 08/08/2013 18:14, David Landis wrote:
 Hi,
 
 I was wondering if someone could clarify the difference between the
 configuration parameters mentioned in the subject of this email or point me
 to some documentation that explains it?
 
 Do they both refer to the same type of compression?

No.

 Based on the Tomcat docs I know the former controls whether or not the
 connector uses gzip compression. Regarding the latter, the Tomcat docs say:
 Disables compression if set to true and OpenSSL supports disabling
 compression..  Is that referring to a different type of compression?

Yes.

The Tomcat connector implements compression.

The SSL/TLS protocol has a separate compression implementation.

I'd guess (no testing to back this up) that you'd be better off with
using the connector compression as you can tailor that to the correct
mime-types.

I'd also guess that if you have one, enabling the other doesn't buy you
much.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/8/13 12:45 PM, Mark Thomas wrote:
 On 08/08/2013 18:14, David Landis wrote:
 Hi,
 
 I was wondering if someone could clarify the difference between
 the configuration parameters mentioned in the subject of this
 email or point me to some documentation that explains it?
 
 Do they both refer to the same type of compression?
 
 No.
 
 Based on the Tomcat docs I know the former controls whether or
 not the connector uses gzip compression. Regarding the latter,
 the Tomcat docs say: Disables compression if set to true and
 OpenSSL supports disabling compression..  Is that referring to a
 different type of compression?
 
 Yes.
 
 The Tomcat connector implements compression.
 
 The SSL/TLS protocol has a separate compression implementation.

... and the SSLDisableCompression setting (when set to false) is
intended to mitigate the CRIME attack against SSL/TLS compression.
Feel free to read online all about the CRIME attack.

 I'd guess (no testing to back this up) that you'd be better off
 with using the connector compression as you can tailor that to the
 correct mime-types.

I tend to agree. You can also disable compression on files that are
small enough that compression doesn't really buy you anything.

 I'd also guess that if you have one, enabling the other doesn't buy
 you much.

+1

I haven't really done any analysis of SSL compression (that is,
compression as implemented by the TLS/SSL layer) alone versus
compression-less-SSL + gzip, but I suspect that any combination of
compression and encryption can lead to CRIME-like attacks ... which by
the way requires the attacker to basically have remote-control access
to the user's client (to force it to make requests to the server) and
also be able to sniff the encrypted packets at the same time (which is
of course quite a bit easier to do than client-control).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBAtXAAoJEBzwKT+lPKRYk3UP/jEcRvBxDLvdDT+4YGWVStmY
IQ/cjla4La2betDx6pNTXokYD9en8yFJ7hqPk0c/CyCXgzw7mH6FGjAsjKkHhGFg
m9XEkclWJ+T+uaGO9S/0wcsZ8iSs3luRhSF3qqsGnyuk2HlSSTw5nkpm22Wv1Rit
jb9iLqAzU2K9aKuZJson/xiva/0iOQuJknu9zD3MzvMxfSPB8bpUwkq/T77jFkU+
COZ+pfLYU9NbyURKNW2EREfbRYYTKQQ7WEHwVVPPrSxRlBM0lnnRaqxKoFHVR1rK
P0wRPqr4bAFAbTtQ+ylZUsInUcStAyuHkEwFzHRpWkfcEuu+uQKzDimukY7PG4d0
llblQ67KYLad+VahA6JIMZV1evuAgL9PsMaCNvOFZloxwz+1Sxnf2olk6RR6w8Ge
q/Y7K9MtTiSAkA+i0DH9Wr43RpjfR2d8LjP4IZXAaiAAEO3AXfHXX/KOJJ/px9k8
mo0eBsPxr1WRYbECxuozKf9kYjQEaw15nGtWCnTWZ4O5oPepppu2hd8GERqUIAln
9HR6NozOnPvrEGEhvjy1GG/pMfUZGKf9a/foZbjl2/ZrlQGaj+EXkDceX6DWXXrC
meQT4RmyX4SqHvYaiy2Hu8E/i9/JZM3xdccjWafO4oz6Z7olISVHM3l9PCUrjq6q
QHrVkwxu3OJeBBteSyNe
=uc9W
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread David Landis

On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 ... and the SSLDisableCompression setting (when set to false) is
 intended to mitigate the CRIME attack against SSL/TLS compression.
 Feel free to read online all about the CRIME attack.


That was what I was hoping it did when I asked the original question :)


 I haven't really done any analysis of SSL compression (that is,
 compression as implemented by the TLS/SSL layer) alone versus
 compression-less-SSL + gzip, but I suspect that any combination of
 compression and encryption can lead to CRIME-like attacks ...


That seems to be true since there is now the BREACH attack:

http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

which (I think) is compression-less-SSL + gzip.

RE: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Martin Gainty

as earlier mentioned

chrome is the only browser that supports compression on SSL streams

Martin
__
Verzicht und Vertraulichkeitanmerkung

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.

Date: Thu, 8 Aug 2013 17:47:36 -0400
Subject: Re: Tomcat config question: 'compression' versus
'SSLDisableCompression'
From: dlan...@gmail.com
To: users@tomcat.apache.org

On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz
ch...@christopherschultz.net wrote:

... and the SSLDisableCompression setting (when set to false) is
intended to mitigate the CRIME attack against SSL/TLS compression.
Feel free to read online all about the CRIME attack.

That was what I was hoping it did when I asked the original question :)

I haven't really done any analysis of SSL compression (that is,
compression as implemented by the TLS/SSL layer) alone versus
compression-less-SSL + gzip, but I suspect that any combination of
compression and encryption can lead to CRIME-like attacks ...

That seems to be true since there is now the BREACH attack:

http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

which (I think) is compression-less-SSL + gzip.

Re: Tomcat Config Question

2009-12-15 Thread Pid


On 15/12/2009 04:17, steflik wrote:


Chuck,

OK, I've read the document several times and still can't figure out what it
is you are trying to tell me. I'm not using WARs so /META-INF/? doesn't come
into play. If theContext  statements don't go in to server.xml where
should I put them, context.xml doesn't seem to be the appropriate place?


A web app in the form of a directory is just an exploded/uncompressed 
WAR.  Putting a META-INF directory inside the app dir still applies. 
Try it and see.


(The manager  host-manager apps preinstalled in Tomcat also use a 
META-INF directory.)



p



Dick Steflik
Binghamton University



Caldarale, Charles R wrote:



From: steflik [mailto:stef...@binghamton.edu]
Subject: Re: Tomcat Config Question

Do I just move thecontext  statements out of server.xml and into
context.xml?


It'sContext  notcontext  - case matters.


or is there something else I have to do.


Reading the doc would be a good first step:
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.









-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-15 Thread steflik


Chuck,
I'm a little bit hesitant as a number of the students are still struggleing
to get their JSP project done. Right now the server is running and the
Context statements that define where the apps are are right at the end of
server.xml. This is an example of a Context ststement as they are
currently in server.xml:

Context  docBase=/home/alti/public_html/alti path=/alti debug=0
reloadable=true crossContext=true/Context

If this is moved out of server.xml and into
/home/alti/public_html/alti/META_INF/  how will Tomcat know where the alti
app is; I always thought that Tomcat followed the paths it found in
server.xml to figure out where all of the apps were.?  If this is where it
goes what name does the file get context.xml or alti.xml?

Dick Steflik
Binghamton University


Pid Ster wrote:
 
 On 15/12/2009 04:17, steflik wrote:

 Chuck,

 OK, I've read the document several times and still can't figure out what
 it
 is you are trying to tell me. I'm not using WARs so /META-INF/? doesn't
 come
 into play. If theContext  statements don't go in to server.xml where
 should I put them, context.xml doesn't seem to be the appropriate place?
 
 A web app in the form of a directory is just an exploded/uncompressed 
 WAR.  Putting a META-INF directory inside the app dir still applies. 
 Try it and see.
 
 (The manager  host-manager apps preinstalled in Tomcat also use a 
 META-INF directory.)
 
 
 p
 
 
 Dick Steflik
 Binghamton University



 Caldarale, Charles R wrote:

 From: steflik [mailto:stef...@binghamton.edu]
 Subject: Re: Tomcat Config Question

 Do I just move thecontext  statements out of server.xml and into
 context.xml?

 It'sContext  notcontext  - case matters.

 or is there something else I have to do.

 Reading the doc would be a good first step:
 http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

   - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail
 and its attachments from all computers.





 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Tomcat-Config-Question-tp26711131p26794592.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-15 Thread David Smith

I'm assuming your docBase for this app is not inside tomcat's webapps
folder and in that case, you're right to wonder how tomcat finds the
context.xml file.  The Context ... .../Context element can also be
in it's own file named after the path attribute - i.e. alti.xml in
conf/Catalina/localhost.  Replace 'Catalina' with your tomcat's Service
name from server.xml and 'localhost' with your Host name, again from
server.xml.  Tomcat looks there as well for the webapp's Context
.../Context element and you can remove the path attribute.

--David

steflik wrote:
 Chuck,
 I'm a little bit hesitant as a number of the students are still struggleing
 to get their JSP project done. Right now the server is running and the
 Context statements that define where the apps are are right at the end of
 server.xml. This is an example of a Context ststement as they are
 currently in server.xml:

 Context  docBase=/home/alti/public_html/alti path=/alti debug=0
 reloadable=true crossContext=true/Context

 If this is moved out of server.xml and into
 /home/alti/public_html/alti/META_INF/  how will Tomcat know where the alti
 app is; I always thought that Tomcat followed the paths it found in
 server.xml to figure out where all of the apps were.?  If this is where it
 goes what name does the file get context.xml or alti.xml?

 Dick Steflik
 Binghamton University


 Pid Ster wrote:
   
 On 15/12/2009 04:17, steflik wrote:
 
 Chuck,

 OK, I've read the document several times and still can't figure out what
 it
 is you are trying to tell me. I'm not using WARs so /META-INF/? doesn't
 come
 into play. If theContext  statements don't go in to server.xml where
 should I put them, context.xml doesn't seem to be the appropriate place?
   
 A web app in the form of a directory is just an exploded/uncompressed 
 WAR.  Putting a META-INF directory inside the app dir still applies. 
 Try it and see.

 (The manager  host-manager apps preinstalled in Tomcat also use a 
 META-INF directory.)


 p


 
 Dick Steflik
 Binghamton University



 Caldarale, Charles R wrote:
   
 From: steflik [mailto:stef...@binghamton.edu]
 Subject: Re: Tomcat Config Question

 Do I just move thecontext  statements out of server.xml and into
 context.xml?
   
 It'sContext  notcontext  - case matters.

 
 or is there something else I have to do.
   
 Reading the doc would be a good first step:
 http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

   - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail
 and its attachments from all computers.




 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-15 Thread Pid


On 15/12/2009 13:15, steflik wrote:


Chuck,
I'm a little bit hesitant as a number of the students are still struggleing
to get their JSP project done. Right now the server is running and the
Context  statements that define where the apps are are right at the end of
server.xml. This is an example of aContext  ststement as they are
currently in server.xml:

Context  docBase=/home/alti/public_html/alti path=/alti debug=0
reloadable=true crossContext=true/Context

If this is moved out of server.xml and into
/home/alti/public_html/alti/META_INF/  how will Tomcat know where the alti
app is; I always thought that Tomcat followed the paths it found in
server.xml to figure out where all of the apps were.?  If this is where it
goes what name does the file get context.xml or alti.xml?


Maybe this would be useful: look at User Web Applications

 http://tomcat.apache.org/tomcat-6.0-doc/config/host.html


p




Dick Steflik
Binghamton University


Pid Ster wrote:


On 15/12/2009 04:17, steflik wrote:


Chuck,

OK, I've read the document several times and still can't figure out what
it
is you are trying to tell me. I'm not using WARs so /META-INF/? doesn't
come
into play. If theContext   statements don't go in to server.xml where
should I put them, context.xml doesn't seem to be the appropriate place?


A web app in the form of a directory is just an exploded/uncompressed
WAR.  Putting a META-INF directory inside the app dir still applies.
Try it and see.

(The manager  host-manager apps preinstalled in Tomcat also use a
META-INF directory.)


p



Dick Steflik
Binghamton University



Caldarale, Charles R wrote:



From: steflik [mailto:stef...@binghamton.edu]
Subject: Re: Tomcat Config Question

Do I just move thecontext   statements out of server.xml and into
context.xml?


It'sContext   notcontext   - case matters.


or is there something else I have to do.


Reading the doc would be a good first step:
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

   - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.









-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org








-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-15 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dick,

On 12/15/2009 8:15 AM, steflik wrote:
 I'm a little bit hesitant as a number of the students are still struggling
 to get their JSP project done. Right now the server is running and the
 Context statements that define where the apps are are right at the end of
 server.xml.

My recommendations:

1. Have your students submit a WAR file that you install under the
auto-deploy webapps. You can call it 'cschultz.war' for me, for
example. The students (and you) can access it via http://host/cschultz/

2. No META-INF/context.xml is required if there's nothing special to
add. I see you have:

 Context  docBase=/home/alti/public_html/alti path=/alti debug=0
 reloadable=true crossContext=true/Context

If the Context is in META-INF/context.xml, then the docBase and path
attributes are forbidden. debug is meaningless (you must be looking at
old documentation if you've read anything about a debug attribute),
relodable=true is the default, and crossContext=true is probably
unnecessary (feel free to convince me).

This constitutes a Context with nothing special. As such, the webapp
/does not need to have a META-INF/context.xml file/.

So, let's say I'm you and I want to configure my server to support this.
Here's what I do:

1. Remove all Context elements from Tomcat's conf/server.xml file.
2. Make sure that there is a Host with autoDeploy=true and
appBase=somewhere (webapps is not a bad choice).
3. When a student submits a webapp WAR file (see below), drop it into
the webapps directory and it will auto-deploy.

If you are a student, you do this:

$ ls
index.jsp
my-great-example.jsp
easter-egg.jsp

$ jar cvf cschultz.war *.jsp

$ echo Professor,

Please find attached my submission for assignment 1.1.

Thanks,
- -chris | mutt -a cschultz.war stef...@binghamton.edu

Now, to answer your other questions:

 If this is moved out of server.xml and into
 /home/alti/public_html/alti/META_INF/  how will Tomcat know where the alti
 app is; I always thought that Tomcat followed the paths it found in
 server.xml to figure out where all of the apps were.?

Yes, but you can also use auto-deploy. The auto-deployer looks for
changes in the webapps directory (new directories or WAR files) and
deploys them. Any previously-deployed webapp is checked for changes
(.class or .jar file changes) and re-deployed if necessary.

Another option is to put the file into Tomcat's configuration directory
instead of within the WAR file (or exploded webapp deployment
directory). In that case, you put the file into
conf/[service]/[host]/[appname].xml

That file will have a docBase that points either to a WAR file or an
exploded WAR structure on the disk. The name of the .xml file dictates
the deployment path, so the path attribute is forbidden.

If you need to have the students copy their own WAR files (or exploded
WAR structures) somewhere specific, you could set up a webapps directory
that allowed them to do that using standard UNIX file permissions
(though you might have to sacrifice some security, or set up something
overly complicated to make it work).

Another option would be to set up a Host for each student, with it's
own auto-deploy webapps directory to which only that student has access.
Then they are responsible for their own WAR deployment.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksnuyAACgkQ9CaO5/Lv0PDn+ACgju7+0lr9idqtcnJjhxP6hxzV
Py0AoLKFb8gCWXQvUT9uhcfhYr7cVxxh
=Uo7j
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-14 Thread steflik


Markus,
Do I just move the context statements out of server.xml and into
context.xml?
or is there something else I have to do. If thats all I have to do do I
place them before or after the watched element tag that is already in the
context.xml file?

Dick Steflik



Markus Schönhaber-10 wrote:
 
 09.12.2009 15:31, steflik:
 
 I'm teaching a Web Programming course and am using Tomcat 6 for the
 servlet/jsp portion of the course. I have created a context for each
 student
 in the server.xml file and it seems to work pretty good but if a student
 modifies the web.xml file in their application I have to restart the
 sever
 before it takes effect. Is there a way to configure Tomcat so that
 changes
 in a users web.xml file will be automatically sensed by the server and
 take
 effect immediately?
 
 Adding Contexts to server.xml is strongly discouraged nowadays. Among
 the reasons for this discouragement is exactly the problem you're facing
 now.
 See
 http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
 
 -- 
 Regards
   mks
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Tomcat-Config-Question-tp26711131p26779949.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-14 Thread Pid


On 14/12/2009 18:46, steflik wrote:


Markus,
Do I just move thecontext  statements out of server.xml and into
context.xml?
or is there something else I have to do. If thats all I have to do do I
place them before or after the watched element tag that is already in the
context.xml file?


There should be multiple context.xml, one for each webapp, in it's 
META-INF folder.


The global conf/context.xml should contain only general settings you 
wish to apply to all webapps.



p



Dick Steflik



Markus Schönhaber-10 wrote:


09.12.2009 15:31, steflik:


I'm teaching a Web Programming course and am using Tomcat 6 for the
servlet/jsp portion of the course. I have created a context for each
student
in the server.xml file and it seems to work pretty good but if a student
modifies the web.xml file in their application I have to restart the
sever
before it takes effect. Is there a way to configure Tomcat so that
changes
in a users web.xml file will be automatically sensed by the server and
take
effect immediately?


AddingContexts to server.xml is strongly discouraged nowadays. Among
the reasons for this discouragement is exactly the problem you're facing
now.
See
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

--
Regards
   mks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org








-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Config Question

2009-12-14 Thread Caldarale, Charles R

 From: steflik [mailto:stef...@binghamton.edu]
 Subject: Re: Tomcat Config Question

 Do I just move the context statements out of server.xml and into
 context.xml?

It's Context not context - case matters.

 or is there something else I have to do.

Reading the doc would be a good first step:
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

RE: Tomcat Config Question

2009-12-14 Thread steflik


Chuck,

OK, I've read the document several times and still can't figure out what it
is you are trying to tell me. I'm not using WARs so /META-INF/? doesn't come
into play. If the Context statements don't go in to server.xml where
should I put them, context.xml doesn't seem to be the appropriate place?

Dick Steflik
Binghamton University

 

Caldarale, Charles R wrote:
 
 From: steflik [mailto:stef...@binghamton.edu]
 Subject: Re: Tomcat Config Question
 
 Do I just move the context statements out of server.xml and into
 context.xml?
 
 It's Context not context - case matters.
 
 or is there something else I have to do.
 
 Reading the doc would be a good first step:
 http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
 
  - Chuck
 
 
 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail
 and its attachments from all computers.
 
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Tomcat-Config-Question-tp26711131p26789182.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Config Question

2009-12-09 Thread steflik


I'm teaching a Web Programming course and am using Tomcat 6 for the
servlet/jsp portion of the course. I have created a context for each student
in the server.xml file and it seems to work pretty good but if a student
modifies the web.xml file in their application I have to restart the sever
before it takes effect. Is there a way to configure Tomcat so that changes
in a users web.xml file will be automatically sensed by the server and take
effect immediately?

Dick Steflik
Binghamton University
Binghamton, NY
-- 
View this message in context: 
http://old.nabble.com/Tomcat-Config-Question-tp26711131p26711131.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-09 Thread Markus Schönhaber

09.12.2009 15:31, steflik:

 I'm teaching a Web Programming course and am using Tomcat 6 for the
 servlet/jsp portion of the course. I have created a context for each student
 in the server.xml file and it seems to work pretty good but if a student
 modifies the web.xml file in their application I have to restart the sever
 before it takes effect. Is there a way to configure Tomcat so that changes
 in a users web.xml file will be automatically sensed by the server and take
 effect immediately?

Adding Contexts to server.xml is strongly discouraged nowadays. Among
the reasons for this discouragement is exactly the problem you're facing
now.
See
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

-- 
Regards
  mks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Config Question

2009-12-09 Thread Caldarale, Charles R

 From: steflik [mailto:stef...@binghamton.edu]
 Subject: Tomcat Config Question

 I have created a context for each student in the server.xml file 

Don't do that - very strongly discouraged to have any webapp-specific 
information in server.xml.  The Context elements should be in 
conf/Catalina/[host]/[appName].xml, since you likely don't want them in each 
webapp's META-INF/context.xml file.

 but if a student modifies the web.xml file in their application 
 I have to restart the sever before it takes effect.

The global conf/context.xml file should have a WatchedResource element for 
WEB-INF/web.xml; Tomcat should automatically restart the webapp unless you've 
removed that or disabled deployOnStartup in the Host element.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat Config Question

2009-12-09 Thread Neil Aggarwal

 The global conf/context.xml file should have a 
 WatchedResource element for WEB-INF/web.xml; Tomcat should 
 automatically restart the webapp unless you've removed that 
 or disabled deployOnStartup in the Host element.

In my experience, Tomcat has problems reloading webapps
on occasion.  This may work 80% of the time, but you
are still going to have to restart Tomcat fairly often.

Neil

--
Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net
Host your tomcat app on a CentOS VPS for only $25/month!
Unmetered bandwidth, 7 day free trial, Google Checkout


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-09 Thread Pid


On 09/12/2009 14:52, Neil Aggarwal wrote:

The global conf/context.xml file should have a
WatchedResource  element for WEB-INF/web.xml; Tomcat should
automatically restart the webapp unless you've removed that
or disabled deployOnStartup in theHost  element.


In my experience, Tomcat has problems reloading webapps
on occasion.  This may work 80% of the time, but you
are still going to have to restart Tomcat fairly often.


Maybe that's a side effect of your app's architecture.


p



Neil

--
Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net
Host your tomcat app on a CentOS VPS for only $25/month!
Unmetered bandwidth, 7 day free trial, Google Checkout


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Config Question

2009-12-09 Thread Peter Crowther

2009/12/9 steflik stef...@binghamton.edu


 I'm teaching a Web Programming course and am using Tomcat 6 for the
 servlet/jsp portion of the course. I have created a context for each
 student
 in the server.xml file and it seems to work pretty good but if a student
 modifies the web.xml file in their application I have to restart the sever
 before it takes effect. Is there a way to configure Tomcat so that changes
 in a users web.xml file will be automatically sensed by the server and take
 effect immediately?

 Dick, I think others have commented on creating separate context files and
adding watched resources.  I'll just add the point that if I know student
code, it's going to be buggy.  This could be a bigger problem than in many
web development environments.  All the webapps in a servlet container run in
the same JVM, and they're not defended from each other.  If someone runs the
JVM out of heap, it's gone for everyone; if a request runs forever, that
thread's locked until the server restarts; if someone puts if
(errorCondition) { System.out.println(Oops, I can't carry on from here);
System.exit(1); } then the server will suddenly stop.  Yes, you can fix the
last one of these with a security manager, but there really isn't any way of
defending against buggy student code.

If you're comfortable that you can survive under those circumstances, go for
it!

- Peter

multiple Tomcat config question

2006-10-20 Thread Christopher Garwood


Hi,

I'm very new to Tomcat and web server stuff but have been asked to set up 
multiple instances of Tomcat on one server to talk to some database servers.  
I've found the existing documentation a little confusing (sorry) and was 
wondering if anyone would be able either to give me step-by-step advice or 
point me to some documentation that uses very simple language - I'm basically 
looking for the hand puppet version of things.  My scenario is as follows:

I have one web server and several database servers (possibly more to come) all 
on different machines in different parts of my building.  I have a different 
web front end for each database - this is something I can't change as it's a 
requirement.  I need to set up multiple instances of Tomcat, one for each web 
front end so that each front end can talk to its respective database.  I also 
need to have this run as a service so that if the web server needs to be 
rebooted then all my Tomcat instances will automatically restart.  My OS is 
Windows (XP I believe) and I'm using Tomcat 5.0 - I can't alter these because 
of dependencies on our current software.  I was also under the impression that 
I had to use a connector (mod_jk?) but this wasn't hugely clear to me.

My current understanding is that I need to create folders for each Tomcat 
instance and copy certain files from the main Tomcat into them.  I also believe 
that I need to change the port listings within one of the files.  However, I'm 
not much clearer on things other than that.

I'm sure this is probably very simple but any assistance would be greatly 
appreciated.  Thanks very much for your time.

Chris.



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: multiple Tomcat config question

2006-10-20 Thread Franck Borel


Hi Cristopher,

I was also under the impression that I had to use a

connector (mod_jk?) but this wasn't hugely clear to me.
You only need mod_jk if you want to connect Apache to Tomcat. If you are 
using Tomcat as standalone server, only configure Tomcat.


The most important configuration file is server.xml. You will find it 
under c:\Path To Tomcat\conf\server.xml or /Path To 
Tomcat/conf/server.xml if you are using Linux. The second important 
file is the log file under c:\Path To Tomcat\logs. Everytime something 
goes wrong take a look at it.


  My current understanding is that I need to create folders for each
Tomcat instance and copy certain files from the main Tomcat into them.  
You need only *one* Tomcat instance, but for each web application one 
context.


I also believe that I need to change the port listings within one of the 
files.  However, I'm not much clearer on things other than that.
You need an connector who is listen to Port 80 or Port 8080. Open the 
main configuration file server.xml and add following entry:



 Connector port = 80
   maxHttpHeaderSize= 8192
   maxThreads   = 150
   minSpareThreads  = 25
   maxSpareThreads  = 75
   enableLookups= false
   redirectPort = 8443
   acceptCount  = 100
   connectionTimeout= 2
   disableUploadTimeout = true /

This must be placed in the block Service/. Be shure that you run only 
one Tomcat and no web server, who listen to Port 80. This will cause 
problems. You can add other ports like 443 or 8443 to secure your 
connection, but try this only after you get some meanfull results :-).


-- Franck


--

Dipl.-Hyd. Franck Borel   Universitaetsbibliothek Freiburg
EMail: [EMAIL PROTECTED]   EDV-Dezernat
Tel. : +49-761 / 203-3908 Werthmannplatz 2 | Postfach 1629
Fax  : +49-761 / 203-3987 79098 Freiburg   | 79016 Freiburg

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: multiple Tomcat config question

2006-10-20 Thread Christopher Schultz

Chris (Garwood),

 I need to set up multiple instances
 of Tomcat, one for each web front end so that each front end can talk to
 its respective database.

As someone else on the the list mentioned, you can probably run a single
instance of Tomcat with multiple contexts (webapps) defined. It's not
entirely clear based upon your original message if multiple Tomcats is a
requirement, but here's how to do it. I'll quote myself from a message I
wrote yesterday to this same list:

 1. Create a directory structure for each webapp (outside of Tomcat's
 installation directory) like this:
 
 struts-dev-1/
 struts-dev-1/conf
 struts-dev-1/conf/server.xml
 struts-dev-1/conf/web.xml
 struts-dev-1/webapps
 struts-dev-1/logs
 struts-dev-1/temp
 
 ** Make sure to set your port numbers for your shutdown and connector
 ports to something unique among your webapps. I usually use 8x85 for the
 ajp13 connector port and 8x86 for the shutdown port.
 
 2. Install your webapp to the directory struts-dev-1/webapps/struts-dev-1
 
 3. Configure Tomcat to use struts-dev-1 as your root webapp (usually
 by specifying that the path is  instead of /struts-dev-1).
 
 4. Start each Tomcat instance like this:
 
 $ export JAVA_HOME=...
 $ export CATALINA_HOME=/path/to/full/tomcat/install
 $ export CATALINA_BASE=/path/to/struts-dev-1
 $ export CATALINA_TMPDIR=/path/th/struts-dev-1/temp
 $ /path/to/full/tomcat/install/bin/startup.sh
 
 This setup allows you to have separate root webapps (or any other kind
 of setup). You also have the benefit (I choose to see it as a benefit)
 of separate JVMs and Tomcat instances. You can take one down without
 bothering the others.

Hope that helps.

 I also need to have this run as a service so
 that if the web server needs to be rebooted then all my Tomcat instances
 will automatically restart.

I'm not an expert on running Tomcat as a service on Windows. My
understanding is that there is a utility out there that can turn any
program or script into a service. Someone else on the list will have to
help with that; sorry.

-chris (Schultz)



signature.asc
Description: OpenPGP digital signature

RE: How use the archives and a TomCat config question

2005-12-13 Thread Caldarale, Charles R

 From: Carl T. Dreher [mailto:[EMAIL PROTECTED] 
 Subject: How use the archives and a TomCat config question

 I found the archives for this list, but it consists of about 
 14K messages and no search mechanism.

Try this one:
http://marc.theaimsgroup.com/?l=tomcat-userr=1w=2

The search mechanism seems quite effective.

 But how do I selectively ENABLE directory listing for 
 certain applications?

Turn off listings in the global web.xml, and add servlet and
servlet-mapping tags to the web.xml files of each app for which you
want listings.  For example:

  servlet
servlet-nameMyAppDefault/servlet-name

servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-clas
s
init-param
  param-namedebug/param-name
  param-value0/param-value
/init-param
init-param
  param-namelistings/param-name
  param-valuetrue/param-value
/init-param
load-on-startup1/load-on-startup
  /servlet
  servlet-mapping
servlet-nameMyAppDefault/servlet-name
url-pattern//url-pattern
  /servlet-mapping

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: How use the archives and a TomCat config question

2005-12-13 Thread Mark Thomas

Carl T. Dreher wrote:
snip
 I'm sure this has been answered before, but as I said, the archives
 aren't much use.  (By the way, it took me TWO DAYS to successfully
 subscribe to this list.  The TomCat site has links to pages that list a
 variety of mailings lists.  Every one I tried before this one came back
 as a mail failure, including, ironically, the help with this mailing
 list address.  Also, there are zero, and I do mean ZERO, instructions
 on just how to subscribe.
snip

http://tomcat.apache.org/lists.html seems clear to me. With the
mailto: links as well all you have to do is click on a link. What
changes would you suggest are required to improve the clarity?

This page also lists MARC as an archive which has a pretty good search
interface (search was disabled for a short while recently after a
system crash but this was the first time I remeber it being down).

Mark


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: How use the archives and a TomCat config question

2005-12-13 Thread Tim Funk

I did notice that http://tomcat.apache.org/faq/tomcatuser.html could use some 
cleaning. I'll try fix that soon. (Unless someone beats me too it)


-Tim

Mark Thomas wrote:

Carl T. Dreher wrote:
snip


I'm sure this has been answered before, but as I said, the archives
aren't much use.  (By the way, it took me TWO DAYS to successfully
subscribe to this list.  The TomCat site has links to pages that list a
variety of mailings lists.  Every one I tried before this one came back
as a mail failure, including, ironically, the help with this mailing
list address.  Also, there are zero, and I do mean ZERO, instructions
on just how to subscribe.


snip

http://tomcat.apache.org/lists.html seems clear to me. With the
mailto: links as well all you have to do is click on a link. What
changes would you suggest are required to improve the clarity?

This page also lists MARC as an archive which has a pretty good search
interface (search was disabled for a short while recently after a
system crash but this was the first time I remeber it being down).



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

RE: Tomcat config question: 'compression' versus 'SSLDisableCompression'

Re: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

RE: Tomcat Config Question

RE: Tomcat Config Question

Tomcat Config Question

Re: Tomcat Config Question

RE: Tomcat Config Question

RE: Tomcat Config Question

Re: Tomcat Config Question

Re: Tomcat Config Question

multiple Tomcat config question

Re: multiple Tomcat config question

Re: multiple Tomcat config question

RE: How use the archives and a TomCat config question

Re: How use the archives and a TomCat config question

Re: How use the archives and a TomCat config question

34 matches

Site Navigation

Mail list logo

Footer information