On Tue, Apr 28, 2009 at 3:19 AM, Mark Thomas wrote:
> Bill Higgins wrote:
>> We have a servlet that acts as a proxy to other URLs from different
>> origins. E.g. via your web app you could get to the Google home page
>> via a URL like:
>>
>> http:/
pec.
I have more questions on how to respond to this Tomcat behavior, but
I'm hoping someone could provide more input on the rationale behind
the current fix for CVE-2007-0450 to provide additional context for my
other questions.
--
Thanks,
- Bill Higgins (IBM Rational)
--
We currently have a proxy server that has both Apache HTTP Server and Tomcat
installed, with httpd acting as both a proxy for the local Tomcat
installation, and also for a number of downstream servers. Currently we use
httpd Basic Auth on the proxy box and send the Basic Auth header downstream
to
- Original Message -
From: "Bill Higgins" <[EMAIL PROTECTED]>
To:
S
FYI, we ended up finding a solution to the problem above, but it required us
to use Apache HTTP Server rather than Tomcat to secure the URLs and cache
the Basic Auth credentials (since Tomcat apparently cannot do so) and
configure Tomcat to respect the other component as the trusted source of
prin
Hello, I have a web app on Tomcat 5.5 where we're using Basic Auth as our
authentication method. We recently did some load testing and noticed that
every HTTPS request to one of the secure URLs was resulting in an LDAP auth
check. This makes sense because in Basic Auth, the browser sends the
cred