Re: [PROPOSAL] Standalone SSL

2001-08-01 Thread cmanolache
On Tue, 31 Jul 2001, Jim Seach wrote: > What I meant was, in order to implement SSL, Tomcat must be able to > decrypt the keystore to retrieve the private key for the cert. A > Tomcat extension or module could be developed to use the private key > not only to decode the SSL traffic, but also to

Re: Cert Lockdown - 3.3 Integration

2001-08-01 Thread cmanolache
On Wed, 1 Aug 2001, Christopher Cain wrote: > I wasn't aware that the approach was more-or-less the > deprecated way to interface a module, which would explain some of my confusion. > Since the newer way sounds not only ... well, newer ... but also easier, I'll > go with that. I really dig the w

Re: Cert Lockdown - 3.3 Integration

2001-08-01 Thread Christopher Cain
Quoting [EMAIL PROTECTED]: > On Wed, 1 Aug 2001, Christopher Cain wrote: > > > I followed the whole startup routine from Tomcat.startTomcat() all > the > > way through where the ContextManager calls the > > ServerXMLReader.addInterceptor(). That's where the whole > hairy-chested > > XML parsing

Re: Cert Lockdown - 3.3 Integration

2001-08-01 Thread cmanolache
On Wed, 1 Aug 2001, Christopher Cain wrote: > I followed the whole startup routine from Tomcat.startTomcat() all the > way through where the ContextManager calls the > ServerXMLReader.addInterceptor(). That's where the whole hairy-chested > XML parsing begins, and my brain started hurting :-) Up

Re: Sources in Binary Distributions

2001-08-01 Thread Christopher Cain
Quoting Fabien Le Floc'h <[EMAIL PROTECTED]>: > As a tomcat user, I am not so enthusiastic about your idea of removing > the sources from the binaries. > > Almost every user downloads only the binaries. Having the sources inside > means bringing more developers to the Tomcat project, just because

Re: URL Rewriting Session ID Length in Tomcat

2001-08-01 Thread Craig R. McClanahan
On Wed, 1 Aug 2001, Sasha Haghani wrote: > Hi there, > > Does anyone know what the maximum length of the session ID value is when > using URL rewriting/encoding for session tracking (i.e.: ";jessionid=1234" > appended to the end of the URL) with the Tomcat 3.x > and 4.0 servlet containers? >

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector ResponseBase.java

2001-08-01 Thread remm
remm 01/08/01 18:43:58 Modified: catalina/src/share/org/apache/catalina/connector ResponseBase.java Log: - Fix for bug #2946. The trigger for the problem is that SSLSocket doesn't behave like a standard Socket for exception handling. This patch fixe

RE: Guide to developing secure tomcat/jsp web apps - help ??

2001-08-01 Thread Rob S.
Yet another reason I'm anxious to get out of school and work for a company that will expense trips to ApacheCon and the like =) - r > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On > Behalf Of Glenn Nielsen > Sent: Wednesday, August 01, 2001 8:44 PM > To: [EMA

Re: Sources in Binary Distributions

2001-08-01 Thread Fabien Le Floc'h
As a tomcat user, I am not so enthusiastic about your idea of removing the sources from the binaries. Almost every user downloads only the binaries. Having the sources inside means bringing more developers to the Tomcat project, just because it will be easier to take a look at the sources (since

Cert Lockdown - 3.3 Integration

2001-08-01 Thread Christopher Cain
Costin: Okay, I've looked over the whole Interceptor/Callback scheme, as well as the HTTP and SSL-related implementation classes, and I have a question. As I'm sure you know, it's all a little daunting for a newcomer like myself, so please bear with me =) I followed the whole startup routine fro

Re: cvs commit: jakarta-tomcat-service/java/org/apache/service Service.java

2001-08-01 Thread Pier P. Fumagalli
Incze Lajos at [EMAIL PROTECTED] wrote: >>> So, now I'm stuck. Which one do you think is better (lately, I'm more >>> oriented towards the second approach!) >>> >>> Pier >>> >>> > > The HP Core Services Framework defines the > abstract service base class by marker interfaces as > > Destr

URL Rewriting Session ID Length in Tomcat

2001-08-01 Thread Sasha Haghani
Hi there, Does anyone know what the maximum length of the session ID value is when using URL rewriting/encoding for session tracking (i.e.: ";jessionid=1234" appended to the end of the URL) with the Tomcat 3.x and 4.0 servlet containers? Does the length vary or is it fixed? And does Tomcat enco

Re: cvs commit: jakarta-tomcat-service/java/org/apache/service Service.java

2001-08-01 Thread Incze Lajos
> public interface Service { > public void init(ServiceContext context) throws Exception; > public void start() throws Exception; > public void stop() throws Exception; > public void destroy() throws Exception; > } > Always pressing the send button (actually, the 'y' letter in

Re: cvs commit: jakarta-tomcat-service/java/org/apache/service Service.java

2001-08-01 Thread Incze Lajos
> > So, now I'm stuck. Which one do you think is better (lately, I'm more > > oriented towards the second approach!) > > > > Pier > > > > The HP Core Services Framework defines the abstract service base class by marker interfaces as Destroyable, Initializable, Reconfigurable, Startable, S

Embedded 4.0.b6 - standard 'catalina.sh embedded' gives error

2001-08-01 Thread Nick Betteridge
I've just downloaded b6 and ran 'catalina.sh embedded' and 'catalina.sh embedded -security' and both failed. Have I omitted anything, or is there a bug? Solaris 8, jdk 1.3.1, tomcat b6 -- XmlMapper: Debug level: 3 XmlMapper: Validating = true ContextConfig[]: Scanning web.xml tag

Re: [PROPOSAL] Standalone SSL (status?)

2001-08-01 Thread cmanolache
On Wed, 1 Aug 2001, Christopher Cain wrote: > Yep, I can certainly implement it that way if you like. How does that > jive with the current server.xml setup, though? Isn't there still a > separate tag in 3.3 for SSL? Does that then go away in favor > of the Interceptor, or does the Interceptor b

Re: [PROPOSAL] Standalone SSL

2001-08-01 Thread Christopher Cain
jean-frederic clere wrote: > > Encrypting server certificates is not bad but it prevents starting the server > automatically. > Storing this password is a nonsense. > OpenSSL (for example) allows to modify this password or to have no password. > If the server certificates is encrypted then we shou

Re: TC4 + apache + warp - cookies = error

2001-08-01 Thread Eryq
"Pier P. Fumagalli" wrote: > Ok... Gotcha... So, the session _IS_ correctly handled if going thru > cookies, but if it's URLencoded, it's not... > > Will dig into that tomorrow first thing in the morning (bear with me, can > you please post a bug in BugZilla so that we can keep track of what was

Re: [PROPOSAL] Standalone SSL (status?)

2001-08-01 Thread Christopher Cain
[EMAIL PROTECTED] wrote: > > Hi Christopher, > > I just checked, and for 3.3 you don't need any change in the core or any > other place in tomcat. Cool, I didn't think so. I figure that if I needed a core change for a command-line challenge at startup, I most probably did something wrong. =)

Re: [PROPOSAL] Standalone SSL

2001-08-01 Thread jean-frederic clere
Christopher Cain wrote: > > "Craig R. McClanahan" wrote: > > > > Not a problem ... it's just that I think you're being a little narrowly > > focused on the solution to *your* problem, and ignoring the bigger picture > > :-). > > I suppose that's fair to a certain extent. I do see cert protection

cvs commit: jakarta-tomcat-connectors/webapp/support apjava.m4

2001-08-01 Thread pier
pier 01/08/01 10:14:29 Modified: webapp/support apjava.m4 Log: Fixing errors in build for Solaris 8. Revision Changes Path 1.4 +3 -3 jakarta-tomcat-connectors/webapp/support/apjava.m4 Index: apjava.m4 ===

Re: [PROPOSAL] Standalone SSL

2001-08-01 Thread Christopher Cain
"Craig R. McClanahan" wrote: > > Not a problem ... it's just that I think you're being a little narrowly > focused on the solution to *your* problem, and ignoring the bigger picture > :-). I suppose that's fair to a certain extent. I do see cert protection as a little more critical than many of

Re: [PROPOSAL] Standalone SSL (status?)

2001-08-01 Thread cmanolache
Hi Christopher, I just checked, and for 3.3 you don't need any change in the core or any other place in tomcat. All you need to do is write a simple interceptor and implement addInterceptor() callback. In the implementation all you have to do is ask for a password ( one suggestion: you can add an

Re: [PROPOSAL] Standalone SSL

2001-08-01 Thread Craig R. McClanahan
On Tue, 31 Jul 2001, Christopher Cain wrote: > Quoting Jim Seach <[EMAIL PROTECTED]>: > > > > I think we're in agreement. The "initial authentication" problem > > needs to be resolved before we can talk about leveraging it to solve the > > other problems. I like your proposal of an optional

Re: [PROPOSAL] Standalone SSL (status?)

2001-08-01 Thread Christopher Cain
Larry Isaacs wrote: > > Hi Christopher, > > I would be very interested in having this available for Tomcat 3.3. > Since I'm not a security expert, I'll defer to those better informed > to decide the appropriate solution. Would this "keystore security > solution" plug into Tomcat 3.3 using an i

can not unsubscribe - HELP

2001-08-01 Thread Oren Deri, Nice-Eye
Hi, I tried to unsubscribe from the list from the web site by clicking on the link for the tomcat dev list and still getting mails, HELP Oren Deri

version 3.2.3

2001-08-01 Thread Loïc Lefèvre
Hi, I'm new in this mailing list. I'm working in tomcat 3.2.3 sources and I just want to know: -1- Does Tomcat 3.2.3 support correctly the use of mod_rewrite Apache's module? -2- Is there some problem with Session? -3- What is the goal of the 'Set-Cookie2' header field? Thanks in advance Loïc Le

RE: [PROPOSAL] Standalone SSL (status?)

2001-08-01 Thread Larry Isaacs
Hi Christopher, I would be very interested in having this available for Tomcat 3.3. Since I'm not a security expert, I'll defer to those better informed to decide the appropriate solution. Would this "keystore security solution" plug into Tomcat 3.3 using an interceptor? If there are changes nee

RE: Guide to developing secure tomcat/jsp web apps - help ??

2001-08-01 Thread Rob S.
I think that your question is really about server-side security for web apps in general. All of your questions can apply to any web application regardless of technology being used (e.g. asp, dhp, cfm) A good place to start would be Java Pro Magazine. Two issues ago - cover page about securing s