Tomcat HTTP response chunk size
Dear All Please advise if there are any possibility to set HTTP response chunk size for Tomcat to make it transparent for application that send HTTP response. BR, Maxim
Re: Fwd: Fwd:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Yuval, On 5/24/15 5:06 PM, Yuval Schwartz wrote: Firstly, I'd like to clear something up: Is container managed security security only intended for use with administrative users of a web application? No. What would give you that impression? Because I was intending on using it for all users of my web application (eg: customers, students, etc. People with no administrative responsibilities). You can use it with everyone. On Sun, May 24, 2015 at 9:00 PM, Christopher Schultz ch...@christopherschultz.net wrote: Yuval, On 5/23/15 7:15 AM, Yuval Schwartz wrote: I can currently initialize a MessageDigestCredentialHandler object with my desired salt, iteration and algorithm parameters and then call the handler's mutate() method before inserting the password into my database. Good. And, from a servlet, the HttpServletRequest Object's login() (for example) method works when inputting the user_name and plain text password. Good. However, I am still struggling to create my database input ({salt}:{iterations}:{hash}) without inputting my desired parameter (iterations, saltLength, etc.) to a MessageDigestCredentialHandler, but rather by getting these parameters (or the CredentialHandler itself) from the servlet. What have you tried? Do you want the remote user to be able to specify the salt size and iterations? I'd advise against that, since users may intentionally reduce their own security (or, worse, intentionally give you an effectively infinite salt or iteration count, which could represent a DOS vulnerability). Without being able to do this, I don't see the purpose of specifying these parameters in the nested CredentialHandler element within the Realm element of the context.xml file (these parameters are retrieved from the storedCredential when authenticating meaning they're not used when a method such as request.login() is performed). The are absolutely used when HttpServletRequest.login() is called. That login() method ultimately calls Realm.authenticate(), which uses the CredentialHandler. The settings in CredentialHandler entirely handle logins for existing users. Realm.authenticate() calls MessageDigestCredentialHandler.matches(inputCredential, storedCredential) calls DigestCredentialHandlerBase.matchesSaltIterationsEncoded(inputCredent ials, storedCredentials) (line 146 of class MessageDigestCredentialHandler) This method isolates the salt from the storedCredential (line 162) Then isolates the iterations from the storedCredential (line 164) Then uses both these parameters in addition to the inputCredential to call MessageDigestCredentialHandler.mutate( inputCredential, salt, iterations). Then does calls the equals method of String class to compare the mutated results. Therefore I concluded that the salt and iterations are taken from the stored password when authenticate() is called. Correct: both the salt and iteration could is stored in the database along with the actual hashed credential. Also, if I change the iterations and saltLength in my context.xml file, authentication is still successful regardless of the values I input. Correct: the stored credentials still include the salt length and iteration count. If you specify the iterations and saltLength in context.xml, they will be applied to the CredentialHandler object, but no code actually uses that. Note that neither the saltLength nor the iterations attributes are documented in the Tomcat users' guide... because they are unnecessary. Did I configure something incorrectly? It looks like you are struggling to create the stores credentials in the first place (e.g. in a change password or register workflow). I wanted to do it by getting the same MessageDigestCredentialHandler that I defined in the context.xml in my servlet. This is not possible without a great deal of work. I would just instantiate my own MessageDigestCredentialHandler, configure it, and then use it to create new credentials. But since I am not able to, I just initialize a new MessageDigestCredentialHandler and use that to create the stored credentials. Sounds good. Is there any way to authenticate a user using just the stored credential (ie: I don't have the plain text password. I only have the storedCredential and I want to call request.login(). Is that possible? Tomcat can't authenticate without the plain-text credential. That's whe whole point of authentication: to prove that the remote client is who they say they are. Without the plain-text credential, there's nothing to verify. What are you actually trying to do, here... it sounds like you don't want to do standard username/password authentication. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVYxMYAAoJEBzwKT+lPKRYrTUQAJEBT6IXUIbnFJlBTxPIBDia
Re: Fwd: Fwd:
Hello Chris, Answers below. Thanks again. On Mon, May 25, 2015 at 3:18 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Yuval, On 5/24/15 5:06 PM, Yuval Schwartz wrote: Firstly, I'd like to clear something up: Is container managed security security only intended for use with administrative users of a web application? No. What would give you that impression? Because I was intending on using it for all users of my web application (eg: customers, students, etc. People with no administrative responsibilities). You can use it with everyone. On Sun, May 24, 2015 at 9:00 PM, Christopher Schultz ch...@christopherschultz.net wrote: Yuval, On 5/23/15 7:15 AM, Yuval Schwartz wrote: I can currently initialize a MessageDigestCredentialHandler object with my desired salt, iteration and algorithm parameters and then call the handler's mutate() method before inserting the password into my database. Good. And, from a servlet, the HttpServletRequest Object's login() (for example) method works when inputting the user_name and plain text password. Good. However, I am still struggling to create my database input ({salt}:{iterations}:{hash}) without inputting my desired parameter (iterations, saltLength, etc.) to a MessageDigestCredentialHandler, but rather by getting these parameters (or the CredentialHandler itself) from the servlet. What have you tried? Do you want the remote user to be able to specify the salt size and iterations? I'd advise against that, since users may intentionally reduce their own security (or, worse, intentionally give you an effectively infinite salt or iteration count, which could represent a DOS vulnerability). Without being able to do this, I don't see the purpose of specifying these parameters in the nested CredentialHandler element within the Realm element of the context.xml file (these parameters are retrieved from the storedCredential when authenticating meaning they're not used when a method such as request.login() is performed). The are absolutely used when HttpServletRequest.login() is called. That login() method ultimately calls Realm.authenticate(), which uses the CredentialHandler. The settings in CredentialHandler entirely handle logins for existing users. Realm.authenticate() calls MessageDigestCredentialHandler.matches(inputCredential, storedCredential) calls DigestCredentialHandlerBase.matchesSaltIterationsEncoded(inputCredent ials, storedCredentials) (line 146 of class MessageDigestCredentialHandler) This method isolates the salt from the storedCredential (line 162) Then isolates the iterations from the storedCredential (line 164) Then uses both these parameters in addition to the inputCredential to call MessageDigestCredentialHandler.mutate( inputCredential, salt, iterations). Then does calls the equals method of String class to compare the mutated results. Therefore I concluded that the salt and iterations are taken from the stored password when authenticate() is called. Correct: both the salt and iteration could is stored in the database along with the actual hashed credential. Also, if I change the iterations and saltLength in my context.xml file, authentication is still successful regardless of the values I input. Correct: the stored credentials still include the salt length and iteration count. If you specify the iterations and saltLength in context.xml, they will be applied to the CredentialHandler object, but no code actually uses that. Note that neither the saltLength nor the iterations attributes are documented in the Tomcat users' guide... because they are unnecessary. Did I configure something incorrectly? It looks like you are struggling to create the stores credentials in the first place (e.g. in a change password or register workflow). I wanted to do it by getting the same MessageDigestCredentialHandler that I defined in the context.xml in my servlet. This is not possible without a great deal of work. I would just instantiate my own MessageDigestCredentialHandler, configure it, and then use it to create new credentials. But since I am not able to, I just initialize a new MessageDigestCredentialHandler and use that to create the stored credentials. Sounds good. Is there any way to authenticate a user using just the stored credential (ie: I don't have the plain text password. I only have the storedCredential and I want to call request.login(). Is that possible? Tomcat can't authenticate without the plain-text credential. That's whe whole point of authentication: to prove that the remote client is who they say they are. Without the plain-text credential, there's nothing to verify. What are you actually trying to do, here... it sounds like you don't want to do standard username/password
Re: RewriteCond
On Mon, May 25, 2015 at 8:30 AM, Frank Lehmann frank-lehm...@freenet.de wrote: I found this condition on the web after several searchings. RewriteCond %{HTTP_USER_AGENT} (android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|mobile|palmos|webos) [NC] RewriteRule ^(.+)$ http://www.dashandwerk.net/mobile/ [L] But it will not work. Not surprising, since that's configuration for Apache httpd and has nothing to do with Tomcat. How can i rewrite a url when a mobile client is getting my homepage ? Assuming you are in fact actually using Tomcat, you can try this: http://tuckey.org/urlrewrite/ Good luck, -- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassan Consulting Availability : Silicon Valley or remote - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RewriteCond
Hi helpers, i want to rewrite my url when a mobile user reaches my homepage. I found this condition on the web after several searchings. But it will not work. All other condition also not working, i have tested many conditions. How can i rewrite a url when a mobile client is getting my homepage ? Thanks for help. RewriteCond %{HTTP_USER_AGENT} (android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|mobile|palmos|webos) [NC] RewriteRule ^(.+)$ http://www.dashandwerk.net/mobile/ [L] My environment. Tomcat 8 Windows 2012 R2 Homepage under folder webapps/root - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat HTTP response chunk size
On 25/05/2015 10:21, Maxim Neshcheret wrote: Dear All Please advise if there are any possibility to set HTTP response chunk size for Tomcat to make it transparent for application that send HTTP response. Tomcat automatically handles chunked encoding for you. It is already transparent. Chunk size depends on buffer size. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat HTTP response chunk size
Hi Mark Thank you for reply! Any chance to manage buffer size in Tomcat? Do you now if it is recommended approach? BR, Maxim From: Mark Thomas Reply-To: Tomcat Users List Date: Tuesday 26 May 2015 01:03 To: Tomcat Users List Subject: Re: Tomcat HTTP response chunk size On 25/05/2015 10:21, Maxim Neshcheret wrote: Dear All Please advise if there are any possibility to set HTTP response chunk size for Tomcat to make it transparent for application that send HTTP response. Tomcat automatically handles chunked encoding for you. It is already transparent. Chunk size depends on buffer size. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org