RE: Why use a Web Server over Tomcat?
Hi everyone!

David, imagine that you are developing a web application to provide services like internet banking. What network architecture would you propose? How would you implement a DMZ? Probably you would put a firewall between the Web Server and the Database Server!! Or not?

Regards,
Bárbara Vieira

-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 9 January 2008 18:35
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

In my CISSP training, we covered the possibility of putting a web server in between two firewalls. The outer one cleans the coarse junk out of the data stream, like denial of service attacks, web server compromise attacks, malformed packets, as well as closing down server services that should be available to the company, but not the public. The inner one is more fine grained, possibly protecting company data assets from disclosure or blocking unapproved websites from being accessed by employees. Just trying to say there is a business case for two firewalls -- it has more to do with protecting company assets than protecting the web server.

--David

Bárbara Vieira wrote:

> Alan and Johnny,
>
> I agree with Alan. I'm using the same scheme to save passwords in the database, and SSL too. But Johnny's answer helped me understand some things. Johnny, when you say:
>
> > So in those organizations Tomcat is probably behind the second internal firewall for staff to use as well.
>
> What do you mean? If you have a Tomcat inside a DMZ, usually we have one firewall that separates the internet from the intranet, i.e., the firewall filters requests that come from the outside. Isn't that so?
>
> Thanks,
> Regards,
> Bárbara Vieira
>
> -Original Message-
> From: Alan Chaney [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 9 January 2008 14:10
> To: Tomcat Users List
> Subject: Re: Why use a Web Server over Tomcat?
>
> > One reason for doing this, is again not whether IIS or APACHE is better, although APACHE on Linux in the hands of a guru is very good; it's because Tomcat carries clear text passwords, so if a hacker did get at the machine, they would probably see the Active X LDAP master password,
>
> I don't understand this comment at all. 'Passwords' in Tomcat can be managed by a whole host of authentication schemes. I use SSL to protect access to the password on the net and MD5 encoded passwords in a database for user authentication and access control. It depends entirely upon how you configure your system.
>
> Regards
> Alan

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Why use a Web Server over Tomcat?
Hi Mikolaj!

Thanks for your help. But my question isn't just about designing a DMZ. It's much more. And answering your question: yes, Google is not enough. There are certain questions that Google doesn't answer.

Regards,
Bárbara Vieira

-Original Message-
From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]
Sent: Thursday, 10 January 2008 14:59
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

Bárbara Vieira wrote:

> David, imagine that you are developing a web application to provide services like internet banking. What network architecture would you propose? How would you implement a DMZ? Probably you would put a firewall between the Web Server and the Database Server!! Or not?

Am I right that Google is not enough for you?

http://www.google.com/search?q=how+to+design+dmz

--
Mikolaj Rydzewski [EMAIL PROTECTED]
RE: Why use a Web Server over Tomcat?
Alan and Johnny,

I agree with Alan. I'm using the same scheme to save passwords in the database, and SSL too. But Johnny's answer helped me understand some things. Johnny, when you say:

> So in those organizations Tomcat is probably behind the second internal firewall for staff to use as well.

What do you mean? If you have a Tomcat inside a DMZ, usually we have one firewall that separates the internet from the intranet, i.e., the firewall filters requests that come from the outside. Isn't that so?

Thanks,
Regards,
Bárbara Vieira

-Original Message-
From: Alan Chaney [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 9 January 2008 14:10
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

> One reason for doing this, is again not whether IIS or APACHE is better, although APACHE on Linux in the hands of a guru is very good; it's because Tomcat carries clear text passwords, so if a hacker did get at the machine, they would probably see the Active X LDAP master password,

I don't understand this comment at all. 'Passwords' in Tomcat can be managed by a whole host of authentication schemes. I use SSL to protect access to the password on the net and MD5 encoded passwords in a database for user authentication and access control. It depends entirely upon how you configure your system.

Regards
Alan
Why use a Web Server over Tomcat?
Hi there!

I'm doing research about internet banking and e-commerce good practices to design a secure system. I have an application based on servlets running in a Tomcat server. My application provides secure authentication based on both methods: SSL mutual authentication and form authentication (supplied by Tomcat). All the data sent over the network is encrypted (SSL).

In my research I discovered that some banking systems using applications based on servlets (or something based on servlets, like JSP and other things) are using a Web Server like IIS over a Servlet Container (like Sun Web Server, or possibly Tomcat Server). Why does that happen? Why do we have a Web Server over another Web Server, if the low-level Web Server is capable of doing everything alone?

In my application, client authentication and authorization is controlled by the Tomcat server. Should I use an Apache server over Tomcat or an IIS server over Tomcat? What kind of security am I providing by doing this?

My research is in the beginning and the documentation about it is vague, so I apologize if I'm saying something wrong.

Regards,
Bárbara Vieira
RE: Why use a Web Server over Tomcat?
Diego and Kristian,

I understand your perspective. But my question is about security. Why do banking systems use an IIS server instead of an Apache server over a Tomcat server (or some servlet container), if those systems authenticate the client using servlet technology or some technology supplied by a servlet container like Tomcat?

I understand the fact that systems use a Web Server over another to serve static content. But in my application all content is closed, i.e., every client that wants to access that content must be authenticated, and that authentication is controlled by Tomcat. Should I have some Web Server over Tomcat? I think that if I have an Apache server over Tomcat, it causes overhead, because all requests sent to Apache must be sent on to Tomcat.

Regards,
Bárbara Vieira

-Original Message-
From: Diego [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 January 2008 12:06
To: Tomcat Users List
Subject: Re: Why use a Web Server over Tomcat?

> Review the list archives for the disproof of this myth. Tomcat 5.0 and above are quite capable of serving static content, efficiently enough that you'll saturate your network connection long before you saturate disk, memory or CPU.

So unless you have one of the situations like those described by Kristian, like having other technologies like PHP, you don't have to load balance with Apache 2. It's way better to load balance with several Tomcats, since you can load balance your dynamic content too.

On Jan 8, 2008 9:56 AM, Peter Crowther [EMAIL PROTECTED] wrote:

> From: Kristian Rink [mailto:[EMAIL PROTECTED]
> > Aside from this, while Tomcat and friends (servlet containers) are made to serve up, well, J2EE web tier applications, web servers like apache2, lighttpd, ... are usually better at serving static content (images, static css files, html documents that don't contain any logic, ...).
>
> Review the list archives for the disproof of this myth. Tomcat 5.0 and above are quite capable of serving static content, efficiently enough that you'll saturate your network connection long before you saturate disk, memory or CPU.
>
> - Peter

--
Diego
RE: SSL Session expires every request
Hi Chuck!!!

Thanks for your help!! The problem is solved :) I don't know what the problem was, but it is somewhere in my web application. I discovered that when I tried to create a new web application with the same basic configuration. In my new web application the session is maintained and everything works fine!!

Thanks anyway :-)

Regards from Braga, Portugal
Bárbara Vieira

-Original Message-
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Saturday, 1 December 2007 18:46
To: Tomcat Users List
Subject: RE: SSL Session expires every request

> From: Bárbara Vieira [mailto:[EMAIL PROTECTED]
> Subject: RE: SSL Session expires every request
>
> However, when the user is authenticated using a CERT, all the sessions are null: HttpSession in Servlets and Session (internal Session) in my Valve.

The info is interesting, but you didn't answer my question: How are you retrieving the session? A code sample would be good.

Note that the Servlet API spec indicates that HttpServletRequest.getSession() should be called prior to committing the response; are you complying with that?

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: SSL Session expires every request
Hi Chuck!

That's what I'm doing:
- I had implemented a valve that extends FormAuthenticator to provide 2 authentication methods at the same time: FORM and CLIENT_CERT.
- Until this week everything worked fine: I can authenticate the users with the 2 authentication methods, and the session is maintained. Yesterday, when I tried to access the HttpSession in servlets, what happened was: when the user is authenticated using the FORM method, the HttpSession isn't null in servlets, nor is the internal session (Session) in the valve. However, when the user is authenticated using a CERT, all the sessions are null: HttpSession in servlets and Session (internal Session) in my valve.
- Well, I thought that the problem was in my valve, so I disabled my valve, and in my web application I configured only one authentication method - CLIENT_CERT. However, the HttpSession was still null.
- The strange thing is that everything works fine - I can authenticate the user using the CLIENT_CERT method, return the requested URL to him, and I have access to the Principal in the HttpServletRequest object. But there is no session.
- I had checked if the browsers accept cookies too, and they do.

Do you have any idea what's happening?!

Thanks,
Regards from Braga, Portugal
Bárbara Vieira

-Original Message-
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Saturday, 1 December 2007 00:30
To: Tomcat Users List
Subject: RE: SSL Session expires every request

> From: Bárbara Vieira [mailto:[EMAIL PROTECTED]
> Subject: RE: SSL Session expires every request
>
> HttpSession wasn't null in the beginning, when I started my implementation. However, now it is null on every request.

How are you retrieving the session? A code sample would be good.

- Chuck
RE: SSL Session expires every request
Hi Martin!

I'm using 2 connectors: a non-SSL HTTP/1.1 Connector on port 8080 and an SSL HTTP/1.1 Connector on port 8443. Tomcat's connectors are very well configured, because the HttpSession wasn't null in the beginning, when I started my implementation. However, now it is null on every request. I can authenticate the client, and the request has a principal that is not null. But the session is strangely null.

-Original Message-
From: Martin Gainty [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 November 2007 23:07
To: Tomcat Users List
Subject: Re: SSL Session expires every request

Barbara

Filip asks if you are using the non-SSL HTTP/1.1 HTTPConnector ***or*** the SSL HTTP/1.1 Connector (presumably with client certs)?

M--

- Original Message -
From: Filip Hanik - Dev Lists [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, November 30, 2007 2:16 PM
Subject: Re: SSL Session expires every request

what session are you talking about, the HTTP session or the actual SSL session?

Filip

Bárbara Vieira wrote:

> Hi there!!
>
> I have a problem with the SSL session in Tomcat. I'm using CLIENT_CERT authentication to authenticate users in my web application. But the session expires at every request, in all browsers: Opera, IE, Firefox and Netscape. This doesn't make any sense, and I don't know how to solve this problem :( If somebody can help, I'd really appreciate it.
>
> Thanks for everything,
> Regards from Braga, Portugal
> Bárbara Vieira

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.10/1160 - Release Date: 11/29/2007 8:32 PM
RE: SSL Session expires every request
I have this problem with all my web applications. It already worked. But now it isn't working and I need to know how to solve the problem. I've tried almost everything: installing a new Tomcat, removing additional configurations in the web applications, etc. But nothing works.

-Original Message-
From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 November 2007 22:31
To: Tomcat Users List
Subject: Re: SSL Session expires every request

Very strange behaviour, but have you had this strange thing only with a particular application or with all?

- Original Message -
From: Bárbara Vieira [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, 30 November 2007, 23:26:39
Subject: RE: SSL Session expires every request

Hi Carlo!!

Yes, it validates the certs. The certs are valid :) When the application is running all pages are shown (all pages are protected - under SSL), but when I test if the HttpSession in the HttpServletRequest exists, it is null.
RE: SSL Session expires every request
I'm talking about the HttpSession. I think that I cannot access the SSL session from the HttpServletRequest.

-Original Message-
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 November 2007 19:16
To: Tomcat Users List
Subject: Re: SSL Session expires every request

what session are you talking about, the HTTP session or the actual SSL session?

Filip

Bárbara Vieira wrote:

> Hi there!!
>
> I have a problem with the SSL session in Tomcat. I'm using CLIENT_CERT authentication to authenticate users in my web application. But the session expires at every request, in all browsers: Opera, IE, Firefox and Netscape. This doesn't make any sense, and I don't know how to solve this problem :( If somebody can help, I'd really appreciate it.
>
> Thanks for everything,
> Regards from Braga, Portugal
> Bárbara Vieira
RE: SSL Session expires every request
Hi Carlo!!

Yes, it validates the certs. The certs are valid :) When the application is running all pages are shown (all pages are protected - under SSL), but when I test if the HttpSession in the HttpServletRequest exists, it is null.

-Original Message-
From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 November 2007 18:47
To: Tomcat Users List
Subject: Re: SSL Session expires every request

but are the certs valid?

- Original Message -
From: Bárbara Vieira [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, 30 November 2007, 18:22:32
Subject: SSL Session expires every request

Hi there!!

I have a problem with the SSL session in Tomcat. I'm using CLIENT_CERT authentication to authenticate users in my web application. But the session expires at every request, in all browsers: Opera, IE, Firefox and Netscape. This doesn't make any sense, and I don't know how to solve this problem :( If somebody can help, I'd really appreciate it.

Thanks for everything,
Regards from Braga, Portugal
Bárbara Vieira
RE: SSL Session expires every request
Hi Martin!

session-timeout is 2 (2 minutes). I believe that's not the problem, because CLIENT_CERT authentication already worked with session-timeout = 2.

-Original Message-
From: Martin Gainty [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 November 2007 18:37
To: Tomcat Users List
Subject: Re: SSL Session expires every request

which value is session-timeout assigned to in web.xml?

M--

- Original Message -
From: Bárbara Vieira [EMAIL PROTECTED]
To: 'Tomcat Users List' users@tomcat.apache.org
Sent: Friday, November 30, 2007 12:22 PM
Subject: SSL Session expires every request

Hi there!!

I have a problem with the SSL session in Tomcat. I'm using CLIENT_CERT authentication to authenticate users in my web application. But the session expires at every request, in all browsers: Opera, IE, Firefox and Netscape. This doesn't make any sense, and I don't know how to solve this problem :( If somebody can help, I'd really appreciate it.

Thanks for everything,
Regards from Braga, Portugal
Bárbara Vieira
SSL Session expires every request
Hi there!!

I have a problem with the SSL session in Tomcat. I'm using CLIENT_CERT authentication to authenticate users in my web application. But the session expires at every request, in all browsers: Opera, IE, Firefox and Netscape. This doesn't make any sense, and I don't know how to solve this problem :( If somebody can help, I'd really appreciate it.

Thanks for everything,
Regards from Braga, Portugal
Bárbara Vieira
RE: Tomcat's container architecture - Authenticator
Hi Carlo!

Thank you for helping me :)

My question is about the invoke method in AuthenticatorBase.java. If you look at the invoke code you can see that:
- the method's first action is to check if there is any Principal in the Request
- if there isn't a Principal, it tests if there is a Principal in the internal session (Session)
- if there is a Principal (in Session) it puts the Principal and the authentication method in the Request
- and the method (invoke) continues, and it tries to authenticate the Request

    HttpRequest hrequest = (HttpRequest) request;
    HttpResponse hresponse = (HttpResponse) response;

    // Have we got a cached authenticated Principal to record?
    if (cache) {
        Principal principal =
            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
        if (principal == null) {
            Session session = getSession(hrequest);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled())
                        log.debug("We have cached auth type " + session.getAuthType() +
                                  " for principal " + session.getPrincipal());
                    hrequest.setAuthType(session.getAuthType());
                    hrequest.setUserPrincipal(principal);
                }
            }
        }
    }

If we look now at the authenticate method in the FormAuthenticator.java class:
- the first thing it does is check if there is a Principal in the Request
- if there is a Principal, it returns true

    // Have we already authenticated someone?
    Principal principal = hreq.getUserPrincipal();
    String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
    if (principal != null) {
        if (log.isDebugEnabled())
            log.debug("Already authenticated '" + principal.getName() + "'");
        // Associate the session with any existing SSO session
        if (ssoId != null)
            associate(ssoId, getSession(request, true));
        return (true);
    }

My question is: why are we putting the Principal in the Request? Why can't we just authenticate the user if there is a principal in the internal Session?! It doesn't make sense to put the Principal in the Request and then, in the authentication method, just test if there is a Principal in the Request and return true. In other words, what kind of security does this process provide?!

Was I clear enough?

Thanks for everything,
Regards from Braga, Portugal
Bárbara Vieira

From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 November 2007 23:49
To: [EMAIL PROTECTED]
Subject: Re: Tomcat's container architecture - Authenticator

Hi Bárbara,

I can help you because I'm doing a new authenticator as the work for my thesis. I have analyzed BasicAuthenticator and modified it; could you tell me the right point of your problem?

- Original Message -
From: Bárbara Vieira [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Wednesday, 28 November 2007, 0:23:49
Subject: Tomcat's container architecture - Authenticator

Hi there!

This question is about the Authenticator package. I'd appreciate it if anyone can help me.

I'm implementing a Valve and a Realm to provide authentication and authorization using two authentication methods at the same time: FORM and CLIENT-CERT. Obviously, I'm looking at the authenticator package code, more precisely at AuthenticatorBase.class and FormAuthenticator.class, and analyzing that. In this analysis some questions have emerged about what the author is doing in the invoke method in the AuthenticatorBase class. In other words, what I would like to know is: why is the author putting the Principal on the request, and then the next step is to authenticate the request?! I don't understand the reason why we have to pass the request to the authenticate method in the FormAuthenticator class, because that method isn't doing anything if the request has a principal. This doesn't make any sense, because first we put the principal on the request and next, in the authenticate method, we just test if the request has a principal. Why do we have to put the principal on the request?! Why can't we just authenticate the user if the request has a principal, or if the principal is in the internal session?! I'm a little bit confused about that :)

Thanks for everything,
Regards from Braga, Portugal,
Bárbara Vieira
RE: Tomcat's container architecture - Authenticator
Hi Carlo!!

In fact I have to develop a new one and at the same time study and analyze the Authenticator package code. Why are you asking?

-Original Message-
From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 November 2007 16:52
To: Tomcat Users List
Subject: Re: Tomcat's container architecture - Authenticator

Only a question: what do you have to do with this auth? Do you need to develop a new one or simply study it?
RE: Tomcat's container architecture - Authenticator
Hi Chris!!

> A request may be checked multiple times for authentication (think server-side forwards, etc.) so it's a small optimization to cache the principal in the request -- and it satisfies the requirement that request.getUserPrincipal() actually works, so it makes sense.

This is not an answer to my question. If you look at the sequence the Request object goes through in the invoke method in AuthenticatorBase, and the authenticate method in the FormAuthenticator, you'll see that my question isn't that. I know that caching data is an optimization. But if we have the Principal in the cache, why do we have to call the authenticate method (FormAuthenticator)? That call doesn't provide any additional security. Can you understand now?

-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 November 2007 17:09
To: Tomcat Users List
Cc: 'Carlo Politi'
Subject: Re: Tomcat's container architecture - Authenticator

Barbara,

Bárbara Vieira wrote:

> My question is: why are we putting the Principal in the Request?

So that request.getUserPrincipal() will return a value.

> Why can't we just authenticate the user if there is a principal in the internal Session?! It doesn't make sense to put the Principal in the Request and then, in the authentication method, just test if there is a Principal in the Request and return true.

A request may be checked multiple times for authentication (think server-side forwards, etc.) so it's a small optimization to cache the principal in the request -- and it satisfies the requirement that request.getUserPrincipal() actually works, so it makes sense.

> In other words, what kind of security does this process provide?!

There will never be a Principal object that has not been properly authenticated. Is that good enough security for you?

-chris
Tomcat's container architecture - Authenticator
Hi there!

This question is about the Authenticator package. I'd appreciate it if anyone can help me.

I'm implementing a Valve and a Realm to provide authentication and authorization using two authentication methods at the same time: FORM and CLIENT-CERT. Obviously, I'm looking at the authenticator package code, more precisely at AuthenticatorBase.class and FormAuthenticator.class, and analyzing that. In this analysis some questions have emerged about what the author is doing in the invoke method in the AuthenticatorBase class. In other words, what I would like to know is: why is the author putting the Principal on the request, and then the next step is to authenticate the request?! I don't understand the reason why we have to pass the request to the authenticate method in the FormAuthenticator class, because that method isn't doing anything if the request has a principal. This doesn't make any sense, because first we put the principal on the request and next, in the authenticate method, we just test if the request has a principal. Why do we have to put the principal on the request?! Why can't we just authenticate the user if the request has a principal, or if the principal is in the internal session?! I'm a little bit confused about that :)

Thanks for everything,
Regards from Braga, Portugal,
Bárbara Vieira
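The thread above asks how a Valve that accepts CLIENT-CERT and FORM at the same time should sit on top of the cached-principal check that AuthenticatorBase.invoke() performs. The following is an added example written for this page, not Tomcat's own code and not code from the thread. It assumes the Tomcat 9 org.apache.catalina.authenticator API (doAuthenticate, checkForCachedAuthentication and register have different shapes in the 5.5/6.0 releases the thread was written against); the class name is hypothetical. The order of the three steps is the point: a Principal already on the request or in the Catalina Session is trusted because only a successful Realm call ever put it there, the certificate chain is trusted because the connector already verified it against the truststore, and FORM is only reached when neither applies.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Globals;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * Hypothetical authenticator (added example, Tomcat 9 API assumed):
 * CLIENT-CERT when the connector presents a verified chain, FORM otherwise.
 */
public class CertOrFormAuthenticator extends FormAuthenticator {

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {

        // Step 1: the same cached-principal check AuthenticatorBase.invoke() relies on.
        // A request that already carries an authenticated Principal (copied from the
        // Catalina Session by invoke(), or set by an earlier pass through this valve on
        // a server-side forward) is accepted without calling the Realm again. This is
        // the "return true if there is a Principal" branch the thread asks about.
        if (checkForCachedAuthentication(request, response, false)) {
            return true;
        }

        // Step 2: CLIENT-CERT. The connector has already validated the chain against the
        // truststore (clientAuth="want" / certificateVerification="optional" lets requests
        // without a certificate through); here we only map the verified chain to a Principal.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs != null && certs.length > 0) {
            Principal principal = context.getRealm().authenticate(certs);
            if (principal != null) {
                // register() stores Principal and auth type in the Catalina Session
                // (creating it if needed), so the next request is served by step 1.
                register(request, response, principal,
                         HttpServletRequest.CLIENT_CERT_AUTH, null, null);
                return true;
            }
            // A certificate the Realm does not know is not an error: fall through to FORM.
        }

        // Step 3: FORM, unchanged from FormAuthenticator (login page, j_security_check,
        // Realm.authenticate(username, password)).
        return super.doAuthenticate(request, response);
    }
}
```

Declare it in the context as `<Valve className="CertOrFormAuthenticator"/>`; keep `<auth-method>FORM</auth-method>` and the login/error pages in web.xml, since FormAuthenticator reads them from the context's LoginConfig. Note that step 2 never passes the subject DN into the FORM path, so a DN typed into the login form is only ever checked as an ordinary username and password.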
MemoryRealm question
Hi everyone!!

I have a question about org.apache.catalina.realm.MemoryRealm. When I use that Realm, how is the principals variable, which is declared in that class (MemoryRealm) as a HashMap, loaded? I.e. how is the data in the file (e.g. tomcat-users.xml) loaded into that variable?!

I'm trying to implement my own realm, using MemoryRealm as a model. However, when I run my program with my own realm, the principals variable is null. If anyone can help, I'd appreciate it.

Regards from Braga, Portugal
Bárbara Vieira
Different Realms with Different Authentication Mechanisms
Hi everyone!

I have an application based on servlets, and two different authentication mechanisms. The user can be authenticated with a client certificate (CLIENT-CERT), if there is a client certificate installed in the web browser. And they can be authenticated using an HTML form (FORM) if the first method doesn't authenticate the user.

My problem is that I'm able to authenticate a user, using the Subject Distinguished Name as the username on the HTML form, without a password. I found a solution that might be right, but I have a question about it: Can I configure different Realms to use for different authentication mechanisms in the same application?

Regards from Braga, Portugal
Bárbara Vieira
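The post above describes a subject DN being accepted as a form username with no password, and the MemoryRealm post before it asks how a custom Realm gets its user table populated. One Realm can answer both if it keeps the two identity tables apart: RealmBase exposes one authenticate() overload per mechanism, so the certificate path and the form path never consult each other's data. The following is an added example written for this page, not Tomcat's own code and not code from the posts. It assumes the Tomcat 9 org.apache.catalina.realm API (GenericPrincipal's constructor differs in 5.5/6.0), the class name is hypothetical, and the two users are constructed inline for illustration; a real Realm would load its tables in start(), the way MemoryRealm digests tomcat-users.xml. Form passwords are stored as salted PBKDF2 hashes rather than a bare digest, which is a choice made for this example and not something the thread prescribes.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Hypothetical Realm (added example, Tomcat 9 API assumed) with separate tables for
 * FORM credentials and CLIENT-CERT identities, so a subject DN is never a form username.
 */
public class SplitAuthRealm extends RealmBase {

    /** A FORM user: salt, PBKDF2 hash of the password, and roles. */
    static final class FormUser {
        final byte[] salt, hash; final List<String> roles;
        FormUser(byte[] salt, byte[] hash, List<String> roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    private final Map<String, FormUser> formUsers = new HashMap<>();      // username -> credentials
    private final Map<String, List<String>> certUsers = new HashMap<>();  // subject DN -> roles

    public SplitAuthRealm() {
        // Constructed sample users for this example (hypothetical, not from the original page).
        addFormUser("alice", "correct horse battery staple".toCharArray(), Arrays.asList("customer"));
        certUsers.put("CN=Bob Client,O=Example Bank,C=PT", Arrays.asList("customer"));
    }

    /** FORM path: form users only, non-empty password required, constant-time comparison. */
    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null || credentials.isEmpty()) return null;
        FormUser user = formUsers.get(username);
        if (user == null) return null;   // a subject DN typed into the form is simply unknown here
        byte[] computed = pbkdf2(credentials.toCharArray(), user.salt);
        if (!MessageDigest.isEqual(computed, user.hash)) return null;
        return new GenericPrincipal(username, null, user.roles);
    }

    /** CLIENT-CERT path: the connector verified the chain; re-check validity dates, then map the DN. */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;
        try {
            for (X509Certificate cert : certs) cert.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            return null;
        }
        String dn = certs[0].getSubjectX500Principal().getName();   // RFC 2253 form
        List<String> roles = certUsers.get(dn);
        return roles == null ? null : new GenericPrincipal(dn, null, roles);
    }

    // RealmBase requires these; both authenticate() overloads above bypass them, so
    // returning null keeps every other built-in lookup path closed.
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }

    public final void addFormUser(String username, char[] password, List<String> roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        formUsers.put(username, new FormUser(salt, pbkdf2(password, salt), roles));
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register it with `<Realm className="SplitAuthRealm"/>` in the context. One detail worth checking when migrating entries from tomcat-users.xml: RealmBase's stock certificate path keys on certs[0].getSubjectDN().getName(), whose string form differs from the RFC 2253 form used above, so the DN strings in the certificate table must be written in whichever form the Realm actually compares.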
Difference between org.apache.catalina.Session and javax.servlet.http.HttpSession
Hi there!

This question is about Tomcat's architecture and CoyoteConnectors. I would like to know the difference between the Session (org.apache.catalina.Session) and HttpSession (javax.servlet.http.HttpSession) objects. In the Request (org.apache.catalina.connector.Request) object I get HttpSession request.getSession() and Session request.getSessionInternal() objects, but I don't know the difference between these objects in Tomcat's architecture. I suppose that these objects represent different sessions in my Web Application, but this doesn't make sense, because each Web Application has just one session scope. I know that the HttpSession is available from the Session object: session.getSession().

Another question about it: when I invalidate the HttpSession, am I invalidating the Session object too?

Thanks for helping me,
Regards from Braga, Portugal
Bárbara Vieira
SSL session is the same HTTP session and is the same Servlet session
This question is about Tomcat's architecture. When an HTTP over SSL (HTTPS) connection is established, Tomcat encapsulates this connection in a CoyoteConnector object. After that, this object is transformed into other objects, until it is encapsulated in an HttpRequest object. When the connection is encapsulated in an HttpRequest/HttpServletRequest, what happens?!

My question is about the SSL session that is established, about the HTTP session that is in the higher layer, and about the session available to the Servlet. I want to know if the SSL session is the same as the HTTP session and the same as the Servlet session. My concern is about keeping a secure session, even if the SSL session is broken. I.e., suppose the following situation:
- An HTTPS connection is established and an HttpServlet session is created; the user is authenticated by a certificate (mutual authentication)
- I turn off the network; the SSL session is broken (I suppose that is what happens)
- When I turn on the network, the user is authenticated because the session on the server didn't end (there wasn't a timeout yet)

This is a big problem. How can I control this?!

Thanks,
Bárbara Vieira
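The scenario above is exactly the case where the three sessions come apart: the TLS session dies with the connection, but the servlet session (the HttpSession is a facade over the Catalina Session, so invalidating one invalidates the other) lives on in the server and is re-attached by the JSESSIONID cookie on the next connection. The check a practitioner wants is that the new TLS connection presents the same client certificate the session was opened with. The following is an added example written for this page, not Tomcat's own code and not code from the thread: a servlet Filter that binds the session to the subject DN on first use and refuses it afterwards from a connection with a different certificate or none. It uses only the javax.servlet API (Servlet 3.x as shipped with Tomcat 9 is assumed); the class name and the session attribute name are hypothetical. It also calls getSession(true) before the response can be committed, which is the point Chuck raised in the "SSL Session expires every request" thread.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter (added example): pins an HttpSession to the client certificate it was opened with. */
public class CertSessionBindingFilter implements Filter {

    /** Standard attribute under which the container exposes the verified client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** Session attribute name chosen for this example (assumption). */
    static final String BOUND_DN = "example.boundSubjectDN";

    enum Decision { ALLOW, BIND, REJECT }

    /** The whole policy as one pure function, so it can be read and tested on its own. */
    static Decision decide(String boundDn, String presentedDn) {
        if (boundDn == null) {
            // First request of this session: bind it if a certificate is present;
            // a session with no certificate (a FORM user) is left alone.
            return presentedDn == null ? Decision.ALLOW : Decision.BIND;
        }
        // The session was opened under a certificate, so the current TLS connection must
        // present the same one. A reconnect after a network drop passes because the
        // browser re-sends the same client certificate; a JSESSIONID replayed from a
        // connection without it (or with another one) does not.
        return boundDn.equals(presentedDn) ? Decision.ALLOW : Decision.REJECT;
    }

    static String presentedSubjectDn(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0].getSubjectX500Principal().getName();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Create the session here, before any servlet or JSP commits the response:
        // a session first requested after commit cannot get its cookie set and is lost.
        HttpSession session = request.getSession(true);
        String presented = presentedSubjectDn(request);
        String bound = (String) session.getAttribute(BOUND_DN);

        switch (decide(bound, presented)) {
            case BIND:
                session.setAttribute(BOUND_DN, presented);
                break;
            case REJECT:
                session.invalidate();   // drops the Catalina Session behind the facade as well
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            case ALLOW:
                break;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

Map it to `/*` in web.xml ahead of the application's own filters, and mark the session cookie Secure and HttpOnly in `<session-config><cookie-config>` so it is only ever sent over TLS. The binding does not replace the container's authentication; it adds the one check the container does not make on its own, that the cookie and the certificate belong to the same client.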