Re: A little trouble with SSL

2012-09-21 Thread Christopher Schultz
Andrea, On 9/20/12 12:53 PM, Andrea Freire wrote: > Christopher Schultz christopherschultz.net> writes: >> >> Andrea, >> >> On 8/29/2010 10:39 PM, Andrea Freire wrote: >>> There are the configuration files. >> >> Your attachments were stripped by

Re: Sticky sessions not working

2012-09-21 Thread Christopher Schultz
Nicolas, On 9/21/12 12:58 AM, Nicolas Sarazin wrote: > Add : worker.node1.route=node1 > > And : worker.node2.route=node2 > > To use sticky session. These directives attach name route at the > end of JSESSIONID. That shouldn't be necessary, as the w

Re: ajp_ilink_receive error - please advise

2012-09-21 Thread Christopher Schultz
Dan, On 9/21/12 5:00 PM, Daniel Mikusa wrote: > > There are a few ways to [get a thread dump]. http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F -chris

Re: How to generate a self signed cert for Tomcat?

2012-09-21 Thread Mark Thomas
On 22/09/2012 00:25, J.V. wrote: > Mark: I am using the default http connector; in the server.xml, there is > a section that is commented out to enable 8443, I have added a section > there very similar to what is in the file that points to a.keystore. Please provide the log output from when Tomcat s

How to generate a self signed cert for Tomcat?

2012-09-21 Thread J.V.
Mark: I am using the default http connector; in the server.xml, there is a section that is commented out to enable 8443, I have added a section there very similar to what is in the file that points to a.keystore. I can get the certs to work with my configuration if I generate the certs using ope

Re: mod_jk/1.2.32 - Error connecting to Tomcat only on one page

2012-09-21 Thread Christopher Schultz
Nicholas, On 9/21/12 4:14 AM, Nicolas Sarazin wrote: > Ok for all versions upgrades, I put it in my todo list ! It is a > customer environment, I can't make it immediately. That's okay, but you need to be ready when your customer says "hey, Tomcat 5

Behavior change to JspWriterImpl in 7.0.24

2012-09-21 Thread Brad Root
Hi There, Since Tomcat 7.0.24, I'm seeing a change in behavior when writing with the JspWriterImpl class. This change has broken some of my existing custom tags. Example 1 (in custom tag’s doTag() method): getJspContext().getOut().write("foo"); RequestDispatcher rd = getRequest().getRequestDispatc

Re: ajp_ilink_receive error - please advise

2012-09-21 Thread Daniel Mikusa
On Sep 20, 2012, at 6:12 PM, Django Radonich-Camp wrote: > thank you for the replies chris and dan. > > chris: > 1. upgrading apache is possible, but not easy (puppet manages the install). > 2. unfortunately i have not figured out how to reproduce the problem. we > did extensive load testing o

CsrfPreventionFilter for REST

2012-09-21 Thread Violeta Georgieva
Hello, *Background information:* We are trying to protect our RESTful APIs from CSRF attack. The current Tomcat’s CSRF protection filter provides proper protection for web resources that are supposed to be accessed via

Re: very basic question about apache and tomcat

2012-09-21 Thread Mark H. Wood
I've never tried with Tomcat, but it's not hard to get other Unix applications to authenticate against the Kerberos component of ADS. I log on to Linux every day with ADS credentials, using Kerberos. o Browsers will need to be set up to use GSSAPI authentication with the affected site. There'

Re: Vulnerability or a valid behavior of tomcat ?

2012-09-21 Thread Ragini
On 09/21/2012 12:46 PM, Mark Thomas wrote: On 21/09/2012 11:23, Ragini wrote: I tried this with both tomcat 6.0.35 and tomcat 7.0.28 and it actually deleted the file1.txt from home directory. So I guess I have succeeded to exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or alter

Re: Vulnerability or a valid behavior of tomcat ?

2012-09-21 Thread Mark Thomas
On 21/09/2012 11:23, Ragini wrote: > I tried this with both tomcat 6.0.35 and tomcat 7.0.28 and it actually > deleted the file1.txt from home directory. So I guess I have succeeded to > exploit the said "CVE-2009-2693 named *Arbitrary file deletion and/or > alteration on deploy* " vulnerability. You

Vulnerability or a valid behavior of tomcat ?

2012-09-21 Thread Ragini
Hi all, I wanted to exploit tomcat vulnerability CVE-2009-2693 named "*Arbitrary file deletion and/or alteration on deploy*". You can have a look at it here. (http://tomcat.apache.org/security-6.html) Here they say the affected versions are "Affects: 6.0.0-6.0.20". I wanted to give it a try.

Re: mod_jk/1.2.32 - Error connecting to Tomcat only on one page

2012-09-21 Thread Nicolas Sarazin
Christopher, Thank you for this fast answer ! Ok for all versions upgrades, I put it in my todo list ! It is a customer environment, I can't make it immediately. >> My VirtualHost : >> >> [...] JkMount /* ajp13 [...] > > Do you have anything else? If not, why bother with Apache httpd? Yes, we h