Re: Slow http denial of service

2015-03-14 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Petr, On 3/14/15 3:32 PM, Petr Nemecek wrote: Hello, our webapp, which is deployed in Tomcat 8.0.18, tested positive as vulnerable to the slow HTTP denial of service: By using a single computer, it is possible to establish thousands of

Re: Tomcat7: debugging realms - a howto?

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 3:43 PM, Graham Leggett minf...@sharp.fm wrote: Changing the auth-type to CLIENT-CERT shows that the username has been replaced by the subject-DN of the cert, which is progress. Reverse engineering tomcat showed that the tomcatAuthentication parameter solved half the

Slow http denial of service

2015-03-14 Thread Petr Nemecek
Hello, our webapp, which is deployed in Tomcat 8.0.18, tested positive as vulnerable to the slow HTTP denial of service: By using a single computer, it is possible to establish thousands of simultaneous connections and keep them open for a long time. During the attack, the server was rendered

Re: Slow http denial of service

2015-03-14 Thread Mark Eggers
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 3/14/2015 12:32 PM, Petr Nemecek wrote: Hello, our webapp, which is deployed in Tomcat 8.0.18, tested positive as vulnerable to the slow HTTP denial of service: By using a single computer, it is possible to establish thousands of
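The attack described in the "Slow http denial of service" thread (one machine opening thousands of connections and holding them open by never finishing the request headers) is defeated by two server-side controls: a deadline for completing the request headers and a cap on simultaneously open sockets. The script below is an added illustration written for this page, not Tomcat code and not something posted in the thread: a single-threaded event-loop server enforces a header deadline and a connection cap, and is run against one normal client and one client that trickles header bytes. Tomcat's HTTP Connector exposes comparable controls as the connectionTimeout and maxConnections attributes; the server loop, the client behaviours and all timing values here are constructed for the demo and are assumptions, not Tomcat's implementation.

```python
import selectors
import socket
import threading
import time

HEADER_DEADLINE = 0.3   # seconds a client gets to finish its request headers (assumed value)
MAX_CONNECTIONS = 64    # cap on simultaneously open client sockets (assumed value)
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK"


def _finish(sel, conns, outcomes, conn, outcome):
    """Record the outcome for a connection and release its socket."""
    sel.unregister(conn)
    outcomes[conns.pop(conn)["port"]] = outcome
    conn.close()


def serve(listener, stop_after):
    """Event loop: many sockets on one thread, each with a header deadline.

    A connection that has not sent the blank line ending its headers within
    HEADER_DEADLINE is closed, so trickling bytes cannot pin a slot open.
    Returns {peer_port: 'served' | 'timed_out' | 'rejected' | 'closed' | 'open'}.
    """
    sel = selectors.DefaultSelector()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ)
    conns, outcomes = {}, {}
    end = time.monotonic() + stop_after
    while time.monotonic() < end:
        for key, _ in sel.select(timeout=0.05):
            if key.fileobj is listener:
                conn, addr = listener.accept()
                if len(conns) >= MAX_CONNECTIONS:      # over the cap: drop immediately
                    outcomes[addr[1]] = "rejected"
                    conn.close()
                    continue
                conn.setblocking(False)
                conns[conn] = {"buf": bytearray(), "port": addr[1],
                               "deadline": time.monotonic() + HEADER_DEADLINE}
                sel.register(conn, selectors.EVENT_READ)
                continue
            conn = key.fileobj
            try:
                data = conn.recv(4096)
            except BlockingIOError:
                continue
            except OSError:
                data = b""
            if not data:                                # peer went away
                _finish(sel, conns, outcomes, conn, "closed")
                continue
            conns[conn]["buf"] += data
            if b"\r\n\r\n" in conns[conn]["buf"]:       # headers complete: answer and close
                try:
                    conn.sendall(RESPONSE)
                except OSError:
                    pass
                _finish(sel, conns, outcomes, conn, "served")
        now = time.monotonic()                          # sweep: enforce the header deadline
        for conn, st in list(conns.items()):
            if now >= st["deadline"]:
                _finish(sel, conns, outcomes, conn, "timed_out")
    for conn in list(conns):
        _finish(sel, conns, outcomes, conn, "open")
    sel.close()
    return outcomes


def run_scenario(slow_delay=0.05, stop_after=1.0):
    """Run the server against one normal client and one slow-header client.

    Returns {'fast': outcome, 'slow': outcome}.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    port = listener.getsockname()[1]
    roles, result = {}, {}

    def fast_client():   # well-behaved: whole request at once, then waits for the reply
        with socket.create_connection(("127.0.0.1", port)) as s:
            roles[s.getsockname()[1]] = "fast"
            s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
            s.recv(4096)

    def slow_client():   # attacker pattern: one header byte per slow_delay, never the blank line
        s = socket.create_connection(("127.0.0.1", port))
        roles[s.getsockname()[1]] = "slow"
        try:
            for b in b"GET / HTTP/1.1\r\nHost: localhost\r\nX-Keep-Open: ":
                s.send(bytes([b]))
                time.sleep(slow_delay)
        except OSError:  # the server closed the socket on us
            pass
        finally:
            s.close()

    srv = threading.Thread(target=lambda: result.update(serve(listener, stop_after)))
    clients = [threading.Thread(target=fast_client), threading.Thread(target=slow_client)]
    srv.start()
    for t in clients:
        t.start()
    for t in clients + [srv]:
        t.join(timeout=stop_after + 5)
    listener.close()
    return {roles[p]: o for p, o in result.items()}


if __name__ == "__main__":
    print(run_scenario())
```

With the values above the well-behaved client is served within the first select round, while the trickling client is cut off at the 0.3 s deadline even though it is still sending. The point for the thread is that the deadline and the cap belong on the connector that accepts the sockets, not in the webapp: the application never sees a request whose headers are incomplete, so it cannot defend itself there.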

Re: Tomcat7: debugging realms - a howto?

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 1:04 AM, Konstantin Kolinko knst.koli...@gmail.com wrote: You are using JRE's default java.util.logging.LogManager. You need to configure JRE to use the Tomcat JULI implementation of log manager with -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager The

Getting tomcat to honour REMOTE_USER as provided via mod_proxy_ajp

2015-03-14 Thread Graham Leggett
Hi all, I have reached the point where with an auth-method of CLIENT-CERT is returning the Subject DN of the certificate as the username. What I need to achieve is for tomcat to honour the REMOTE_USER environment variable as set by Apache httpd. I have noticed the tomcatAuthentication flag

Re: Getting tomcat to honour REMOTE_USER as provided via mod_proxy_ajp

2015-03-14 Thread Graham Leggett
On 14 Mar 2015, at 4:15 PM, Graham Leggett minf...@sharp.fm wrote: I have reached the point where with an auth-method of CLIENT-CERT is returning the Subject DN of the certificate as the username. What I need to achieve is for tomcat to honour the REMOTE_USER environment variable as set