From HTTP to HTTPS request.getHeader("referer")
Hello and thank you for reading my post.

I'm trying to make a webapp work with HTTPS. It was working properly with HTTP. Below is the problem I have.

Inside a servlet, in its doPost() method, to check whether the incoming JSP is "example1.jsp" or "example2.jsp", I am using the following piece of code:

---
s_referer = request.getHeader("referer");
if(s_referer.contains("example1.jsp") == true)
{
    b_jspReferer1 = true;
}
if(s_referer.contains("example2.jsp") == true)
{
    b_jspReferer2 = true;
}
---

In "example1.jsp" and "example2.jsp" there is a form element whose action attribute is set to "do_example":

---
<form method="post" action="do_example">
[...]
</form>
---

Now that I'm using HTTPS, s_referer is always equal to "do_example" in the servlet.
Before, it used to be either "example1.jsp" in case the incoming JSP was "example1.jsp" or "example2.jsp" in case the incoming JSP was "example2.jsp".

I don't know how to correct my code to be able to discriminate between the two JSPs.
Can you please help me?

I apologize in advance for the barbaric expression "incoming JSP". I hope my point is understandable despite the unfortunate expression.

Best regards.

--
View this message in context: http://tomcat.10.x6.nabble.com/From-HTTP-to-HTTPS-request-getHeader-referer-tp5024782.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Unable to disable SSL in Tomcat 6 !
Nothing helped much. Please let me know how I can disable SSL in Tomcat 6.0.37.
I tried the below configuration in server.xml on Tomcat 6.0.37:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1" />

The same with sslEnabledProtocols instead of sslProtocols worked for Tomcat 7.
I am also following the solution at https://access.redhat.com/solutions/1232233

-Regards
Utkarsh

On Thu, Oct 30, 2014 at 10:30 PM, Mark Thomas <ma...@apache.org> wrote:

> On 30/10/2014 16:38, Utkarsh Dave wrote:
>> Hello all,
>>
>> To avoid the POODLE vulnerability we are trying to disable SSL v3 and all its versions through the below configuration.
>>
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>            clientAuth="false" sslProtocols="TLSv1" />
>>
>> Can you please tell me if we are missing anything and how we can make this thing work?
>
> http://wiki.apache.org/tomcat/Security/POODLE
>
> Mark
Re: From HTTP to HTTPS request.getHeader("referer")
On 10/31/2014 5:06 AM, Léa Massiot wrote:
> Hello and thank you for reading my post.
>
> I'm trying to make a webapp work with HTTPS. It was working properly with HTTP. Below is the problem I have.
>
> Inside a servlet, in its doPost() method, to check whether the incoming JSP is "example1.jsp" or "example2.jsp", I am using the following piece of code:
>
> ---
> s_referer = request.getHeader("referer");
> if(s_referer.contains("example1.jsp") == true)
> {
>     b_jspReferer1 = true;
> }
> if(s_referer.contains("example2.jsp") == true)
> {
>     b_jspReferer2 = true;
> }
> ---
>
> In "example1.jsp" and "example2.jsp" there is a form element whose action attribute is set to "do_example":
>
> ---
> <form method="post" action="do_example">
> [...]
> </form>
> ---
>
> Now that I'm using HTTPS, s_referer is always equal to "do_example" in the servlet.
> Before, it used to be either "example1.jsp" in case the incoming JSP was "example1.jsp" or "example2.jsp" in case the incoming JSP was "example2.jsp".
>
> I don't know how to correct my code to be able to discriminate between the two JSPs.
> Can you please help me?
>
> I apologize in advance for the barbaric expression "incoming JSP". I hope my point is understandable despite the unfortunate expression.
>
> Best regards.

Times the referer will be empty:

1. entered the site URL in the browser address bar itself.
2. visited the site by a browser-maintained bookmark.
3. visited the site as the first page in the window/tab.
4. switched from an https URL to an http URL.
5. switched from an https URL to a different https URL.
6. has security software installed (antivirus/firewall/etc.) which strips the referrer from all requests.
7. is behind a proxy which strips the referrer from all requests.
8. visited the site programmatically (like curl) without setting the referrer header (searchbots!).

Have you looked in various tools on the browser (developer tools on Chrome, Tamper on Firefox, Fiddler on IE) to see if the referer is being set?

. . . just my two cents
/mde/
Re: require information on tomcat 6.0 EOL and support
Vinay,

On 10/30/14 11:50 PM, Hareshbhai Desai,Vinaykumar (Vinaykumar) wrote:
> As per my understanding tomcat 6.0 is EOL but it's not yet announced.

This is not yet true. There is likely to be a release of Tomcat 6.0 somewhat soon, as there were recent modifications required to use the newer protocols in OpenSSL. Tomcat 6 is more of a maintenance mode in that serious problems are fixed, but no new features are being added.

> Generally EOL announcement to EOL timeframe would be 1 year.

If you say so.

> That means tomcat 6.0 support time frame would be minimum 1 yr from now.

That sounds logical, based upon your above assertion.

> Just wanted to confirm that, for any security vulnerability found in this period, Apache Tomcat will provide support for Tomcat 6. Please correct me if my understanding is wrong.

Tomcat 6 will continue to be supported as long as the community wants it to be supported. Nobody can forcibly stop anyone from supporting it. The currently active Tomcat committers are still supporting Tomcat 6 but, for many reasons, are concentrating their efforts on the newer versions. If you are relying on long-term support for Tomcat 6, you should probably hire someone to do that.

Let me put it this way: don't wait for an EOL announcement for Tomcat 6 to do anything about it. Start using Tomcat 8 right now.

-chris
Re: Unable to disable SSL in Tomcat 6 !
Utkarsh,

On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> Nothing helped much. Please let me know how I can disable SSL in Tomcat 6.0.37.
> I tried the below configuration in server.xml on Tomcat 6.0.37:
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocols="TLSv1" />
>
> The same with sslEnabledProtocols instead of sslProtocols worked for Tomcat 7.
> I am also following the solution at https://access.redhat.com/solutions/1232233

The configuration attributes "protocols", "sslProtocols", and "sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later. Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent. So it shouldn't really matter which one you use. But since you are using 6.0.37, you definitely can't use "sslEnabledProtocols".

So.. what's the problem? With the above configuration, what protocols end up being enabled? How are you performing your testing?

You are using the Java BIO connector so it's using JSSE for crypto. Those settings you have should work. The default for "sslProtocol" is "TLS", which should get you pretty much everything, and restricting "sslProtocols" to "TLSv1" should get you only TLSv1, as long as your JVM recognizes that particular protocol string.

-chris
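Chris's last two questions (which protocols actually end up enabled, and whether the JVM recognizes the "TLSv1" string) can be answered on the server's own JVM without touching Tomcat. The following stand-alone program is an added example, not code from the thread or from Tomcat; it does with JSSE directly what the BIO connector's sslProtocols attribute does for its listening socket. The class name JsseProtocolCheck is mine, and it needs no port, keystore or network because the socket is never bound.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example: shows what this JVM's JSSE supports and enables by default,
 * then what remains after restricting to "TLSv1", mirroring sslProtocols="TLSv1".
 */
public class JsseProtocolCheck {

    /** Enabled protocols on a fresh server socket after restricting it to 'wanted'. */
    static List<String> restrict(SSLContext ctx, String... wanted) throws IOException {
        // Unbound socket: nothing listens, so this is safe to run on a live box.
        SSLServerSocket socket =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
        try {
            // JSSE throws IllegalArgumentException for a protocol name this JVM
            // does not recognise (Chris's caveat about the protocol string).
            socket.setEnabledProtocols(wanted);
            return Arrays.asList(socket.getEnabledProtocols());
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // "TLS" is the connector's default sslProtocol value.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key/trust managers; no handshake happens

        SSLServerSocket probe =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
        System.out.println("Supported by this JVM: " + Arrays.toString(probe.getSupportedProtocols()));
        System.out.println("Enabled by default:    " + Arrays.toString(probe.getEnabledProtocols()));
        probe.close();

        List<String> enabled = restrict(ctx, "TLSv1");
        System.out.println("Enabled with sslProtocols=\"TLSv1\": " + enabled);
        System.out.println("SSLv3 still enabled? " + enabled.contains("SSLv3"));
    }
}
```

Run it with the same JVM Tomcat uses; if "TLSv1" is rejected here, the connector setting cannot work either, and if SSLv3 still appears in the default list, that is what an unrestricted connector would offer.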
Re: From HTTP to HTTPS request.getHeader("referer")
Léa,

On 10/31/14 8:06 AM, Léa Massiot wrote:
> Hello and thank you for reading my post.
>
> I'm trying to make a webapp work with HTTPS. It was working properly with HTTP. Below is the problem I have.
>
> Inside a servlet, in its doPost() method, to check whether the incoming JSP is "example1.jsp" or "example2.jsp", I am using the following piece of code:
>
> ---
> s_referer = request.getHeader("referer");
> if(s_referer.contains("example1.jsp") == true)

Note that true == true is always true and true == false is always false.

> {
>     b_jspReferer1 = true;
> }
> if(s_referer.contains("example2.jsp") == true)
> {
>     b_jspReferer2 = true;
> }

What if the referrer contains both "example1.jsp" *and* "example2.jsp"?

> ---
>
> In "example1.jsp" and "example2.jsp" there is a form element whose action attribute is set to "do_example":
>
> ---
> <form method="post" action="do_example">
> [...]
> </form>
> ---
>
> Now that I'm using HTTPS, s_referer is always equal to "do_example" in the servlet.

That's weird. Does do_example do an internal forward to example(1|2).jsp for redisplay? If the browser doesn't want to send the Referer header, it won't send one... it's not going to send something bogus.

> Before, it used to be either "example1.jsp" in case the incoming JSP was "example1.jsp" or "example2.jsp" in case the incoming JSP was "example2.jsp".
>
> I don't know how to correct my code to be able to discriminate between the two JSPs.
> Can you please help me?
>
> I apologize in advance for the barbaric expression "incoming JSP". I hope my point is understandable despite the unfortunate expression.

The Referer is going to be the URL that was showing in the web browser when the user clicked on the Submit button. If do_example forwards to example1.jsp (instead of performing a redirect), then the browser thinks that the current page is do_example and you'll get that in your Referer header.

-chris
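Putting the two replies together (the Referer is frequently absent, and after a forward it names the servlet rather than the JSP), a servlet that must know which form was submitted should not read that from the Referer at all. The following is an added example, not Léa's or Chris's code: it assumes the Servlet 3.0 API (javax.servlet, @WebServlet) on the classpath, as in any Tomcat webapp, and assumes each JSP carries a hidden field whose name "origin" is a hypothetical choice for this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example. Assumes example1.jsp and example2.jsp each contain
 *   <input type="hidden" name="origin" value="example1">   (resp. "example2")
 * so the servlet can tell them apart without the Referer. Like the Referer,
 * the field is client-supplied: it routes the request, it does not authorize it.
 */
@WebServlet("/do_example")
public class DoExampleServlet extends HttpServlet {

    /** Origin of the submission from the hidden field; "unknown" if missing or invalid. */
    static String originOf(String originParam) {
        if ("example1".equals(originParam)) return "example1";
        if ("example2".equals(originParam)) return "example2";
        return "unknown";   // reject rather than guess from the Referer
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Referer is informational only: it is null in the cases listed earlier in
        // the thread, and after a forward it names this servlet (do_example), not the JSP.
        String referer = request.getHeader("Referer");
        log("Referer header (may be null): " + referer);

        String origin = originOf(request.getParameter("origin"));
        if ("unknown".equals(origin)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown origin form");
            return;
        }
        // ... process the submission for 'origin' here ...

        // Redisplay with a redirect, not request.getRequestDispatcher(...).forward(...):
        // after a forward the browser still shows /do_example and sends that as the
        // next Referer; after a redirect it requests the JSP itself.
        response.sendRedirect(request.getContextPath() + "/" + origin + ".jsp");
    }
}
```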
Authentication Memcached + Tomcat
I'm testing Memcached to implement failover on my Tomcat servers. Is there any way of implementing security by user / password?
Re: Authentication Memcached + Tomcat
Nilson Uehara wrote:
> I'm testing Memcached to implement failover on my Tomcat servers. Is there any way of implementing security by user / password?

Probably.
Re: Authentication Memcached + Tomcat
On Fri, Oct 31, 2014 at 3:51 PM, Nilson Uehara <nilueh...@gmail.com> wrote:
> I'm testing Memcached to implement failover on my Tomcat servers. Is there any way of implementing security by user / password?

Can you clarify this request? Are these two separate thoughts, or is memcached somehow related to the security question?

If it's just security you're after, then see this section in the docs.
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

Dan
How do you catch these exceptions
Tomcat 7.0.56
Java 7.0_72

I received the below Tomcat error messages in a web application. Is there a way for me to catch these exceptions so that I can then either execute Java code or trigger a Linux shell script?

Oct 31, 2014 7:38:25 PM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE: java.lang.OutOfMemoryError: Java heap space
Oct 31, 2014 7:38:46 PM org.apache.tomcat.util.net.NioEndpoint$Acceptor run
SEVERE: java.lang.OutOfMemoryError: Java heap space
Oct 31, 2014 7:38:49 PM org.apache.tomcat.util.net.NioEndpoint$Poller run

Thanks,

Lance Campbell
http://illinois.edu/person/lance
Software Architect
Web Services at Public Affairs
217-333-0382