Reporting a revoked certificate
At long last, I have tomcat configured, I have revoked certificates to test with... my question today...

When I try using a revoked certificate, I get the lovely and meaningful "page cannot be displayed". So it is properly denying access - but it doesn't appear to provide any other feedback to the browser. Is that correct, or is it configurable so it could report "certificate revoked", or "certificate invalid" or something?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Reporting a revoked certificate
On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:

> At long last, I have tomcat configured, I have revoked certificates to test with...

Nice!

> my question today... When I try using a revoked certificate, I get the lovely and meaningful page cannot be displayed.

What browser are you using? This sounds like the generic IE message.

> So it is properly denying access - but it doesn't appear to provide any other feedback to the browser.

Tomcat should be returning some HTTP error code like 400 Bad Request, 401 Unauthorized or 403 Forbidden. If your browser is masking it, you can see exactly what is returned by looking at the access log. You can then override that code and provide a custom error page (like Twitter's Fail Whale). See the error-page tag in web.xml for more details.

One note about this. If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages. I believe it's 512 bytes.

Dan

> Is that correct, or is it configurable so it could report - certificate revoked, or certificate invalid or something?
Re: Reporting a revoked certificate
On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa dmik...@vmware.com wrote:
> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>
>> At long last, I have tomcat configured, I have revoked certificates to test with...
>
> Nice!
>
>> my question today... When I try using a revoked certificate, I get the lovely and meaningful page cannot be displayed.
>
> What browser are you using? This sounds like the generic IE message.
>
>> So it is properly denying access - but it doesn't appear to provide any other feedback to the browser.
>
> Tomcat should be returning some HTTP error code like 400 Bad Request, 401 Unauthorized or 403 Forbidden. If your browser is masking it, you can see exactly what is returned by looking at the access log. You can then override that code and provide a custom error page (like Twitter's Fail Whale). See the error-page tag in web.xml for more details.
>
> One note about this. If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages. I believe it's 512 bytes.
>
> Dan

Thanks Dan - which access log should I look at? All of the tomcat logs don't show anything. I've got it configured with APR TCNATIVE.
Re: Reporting a revoked certificate
> Thanks Dan - which access log should I look at? All of the tomcat logs don't show anything. I've got it configured with APR TCNATIVE.

Hello,

I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked.

You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.

Cédric
Re: Reporting a revoked certificate
> Hello,
>
> I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked.
>
> You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.

And as a quick test, you could try with Firefox. I've found it gives an almost meaningful error dialog when dealing with SSL.
RE: Reporting a revoked certificate
Things to check:

1) Are you implementing mod_ssl or any SSL modules in Apache?
2) If not mod_ssl, are you implementing SSL in the Tomcat BIO connector?
3) If not mod_ssl, are you implementing SSL in the Tomcat NIO connector?

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Martin
__
..place long-winded disclaimer here..

> Date: Fri, 21 Dec 2012 15:36:43 +0100
> Subject: Re: Reporting a revoked certificate
> From: cedric.coura...@gmail.com
> To: users@tomcat.apache.org
>
> Hello,
>
> I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked.
>
> You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.
>
> And as a quick test, you could try with Firefox. I've found it gives an almost meaningful error dialog when dealing with SSL.
Re: Reporting a revoked certificate
On 21/12/2012 13:35, Daniel Mikusa wrote:
> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>
>> At long last, I have tomcat configured, I have revoked certificates to test with...
>
> Nice!
>
>> my question today... When I try using a revoked certificate, I get the lovely and meaningful page cannot be displayed.
>
> What browser are you using? This sounds like the generic IE message.
>
>> So it is properly denying access - but it doesn't appear to provide any other feedback to the browser.
>
> Tomcat should be returning some HTTP error code

Nope. If the SSL session is not established (and if the client cert isn't valid there will not be an SSL session), there is no HTTP request for Tomcat to respond to. You'll get whatever (un)helpful message the browser decides to display.

Mark
Re: Reporting a revoked certificate
On 21/12/2012 14:51, Martin Gainty wrote:
> things to check

Don't bother. This is yet more irrelevant nonsense from Martin.

Mark

> 1) Are you implementing mod_ssl or any SSL modules in Apache?
> 2) If not mod_ssl, are you implementing SSL in the Tomcat BIO connector?
> 3) If not mod_ssl, are you implementing SSL in the Tomcat NIO connector?
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> Martin
> __
> ..place long-winded disclaimer here..
>
>> Date: Fri, 21 Dec 2012 15:36:43 +0100
>> Subject: Re: Reporting a revoked certificate
>> From: cedric.coura...@gmail.com
>> To: users@tomcat.apache.org
>>
>> Hello,
>>
>> I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked.
>>
>> You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.
>>
>> And as a quick test, you could try with Firefox. I've found it gives an almost meaningful error dialog when dealing with SSL.
Re: Reporting a revoked certificate
On Dec 21, 2012, at 9:28 AM, Will Nordmeyer wrote:

> On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa dmik...@vmware.com wrote:
>> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>>
>>> At long last, I have tomcat configured, I have revoked certificates to test with...
>>
>> Nice!
>>
>>> my question today... When I try using a revoked certificate, I get the lovely and meaningful page cannot be displayed.
>>
>> What browser are you using? This sounds like the generic IE message.
>>
>>> So it is properly denying access - but it doesn't appear to provide any other feedback to the browser.
>>
>> Tomcat should be returning some HTTP error code like 400 Bad Request, 401 Unauthorized or 403 Forbidden. If your browser is masking it, you can see exactly what is returned by looking at the access log. You can then override that code and provide a custom error page (like Twitter's Fail Whale). See the error-page tag in web.xml for more details.
>>
>> One note about this. If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages. I believe it's 512 bytes.
>>
>> Dan
>
> Thanks Dan - which access log should I look at? All of the tomcat logs don't show anything. I've got it configured with APR TCNATIVE.

Mark and Cédric are right. Ignore my post, sorry about sending you down the wrong path.

Dan
Re: Reporting a revoked certificate
On Fri, Dec 21, 2012 at 10:30 AM, Daniel Mikusa dmik...@vmware.com wrote:
> On Dec 21, 2012, at 9:28 AM, Will Nordmeyer wrote:
>
>> On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa dmik...@vmware.com wrote:
>>> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>>>
>>>> At long last, I have tomcat configured, I have revoked certificates to test with...
>>>
>>> Nice!
>>>
>>>> my question today... When I try using a revoked certificate, I get the lovely and meaningful page cannot be displayed.
>>>
>>> What browser are you using? This sounds like the generic IE message.
>>>
>>>> So it is properly denying access - but it doesn't appear to provide any other feedback to the browser.
>>>
>>> Tomcat should be returning some HTTP error code like 400 Bad Request, 401 Unauthorized or 403 Forbidden. If your browser is masking it, you can see exactly what is returned by looking at the access log. You can then override that code and provide a custom error page (like Twitter's Fail Whale). See the error-page tag in web.xml for more details.
>>>
>>> One note about this. If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages. I believe it's 512 bytes.
>>>
>>> Dan
>>
>> Thanks Dan - which access log should I look at? All of the tomcat logs don't show anything. I've got it configured with APR TCNATIVE.
>
> Mark and Cédric are right. Ignore my post, sorry about sending you down the wrong path.
>
> Dan

OK - I thought my answer was "no luck" since I didn't see anything in my googling before running to you all. But I thought I'd ask just in case.
Re: Tomcat 7.0.33 just stops without any errors...
Tony,

On 12/20/12 6:16 PM, Tony Anecito wrote:
> Thanks. I did a search through all folders for those types of files and none were found. I am thinking it ran out of a resource. I will keep trying.

Anything in the Windows event log?

-chris
Re: jvmRoute with multiple AJP Connectors for one Engine
Robert,

On 12/20/12 8:39 PM, Robert Anderson wrote:
> Now, the trick:
>
> <VirtualHost *:80>
>   ...
>   Include conf.d/mod_jk.mounts
>   ...
> </VirtualHost>
>
> <VirtualHost *:443>
>   ...
>   Include conf.d/mod_jk_sec.mounts
>   ...
> </VirtualHost>

Oh, of course. It's still not necessary unless you have some other kind of options that need to be different.

-chris
Re: Reporting a revoked certificate
Cédric,

On 12/21/12 9:34 AM, Cédric Couralet wrote:
>> Thanks Dan - which access log should I look at? All of the tomcat logs don't show anything. I've got it configured with APR TCNATIVE.
>
> Hello,
>
> I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked.

+1

I don't think you have any control over the page that gets displayed in this event: Tomcat does not even get involved. Either OpenSSL or JSSE will simply refuse the handshake and the (software) client has to report something to the user. Sounds like MSIE does its usual worthless error reporting.

-chris
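The point made in this sub-thread, that a revoked client certificate is refused during the TLS handshake and so never reaches the HTTP layer, can be shown end to end with a small harness. The following is an added example, not code from the thread or from Tomcat; it uses Python's standard `ssl` module (which sits on the same OpenSSL library that the APR/tcnative connector uses) to play both server and client on a loopback port. It assumes the `openssl` command-line tool (1.1.1 or later, with its default openssl.cnf on hand) is on PATH; every key, certificate and the CRL are constructed in a temporary directory for the demonstration only, and all file names, subjects and serial numbers are assumptions.

```python
"""Added example, not code from the thread or from Tomcat: a revoked client
certificate is rejected inside the TLS handshake, so the server side never
receives an HTTP request and has nothing to attach an error page to.
Assumptions: the `openssl` CLI (1.1.1+, with its default openssl.cnf) is on
PATH and a loopback TCP port can be bound. The CA, certificates and CRL are
constructed in a temporary directory for the demonstration only."""
import shutil, socket, ssl, subprocess, tempfile, threading

# Minimal `openssl ca` configuration: just what -revoke and -gencrl need (assumed).
CA_CONF = """[ ca ]
default_ca = local_ca
[ local_ca ]
database = {d}/index.txt
new_certs_dir = {d}
certificate = {d}/ca.pem
private_key = {d}/ca.key
serial = {d}/serial
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
"""

def openssl(*args):
    """Run one openssl subcommand; a non-zero exit raises CalledProcessError."""
    subprocess.run(("openssl",) + args, check=True, capture_output=True)

def make_pki(d):
    """Build a test CA, a server cert, two client certs, and a CRL revoking one."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found on PATH")
    key = ("-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes")
    # The default openssl.cnf v3_ca section marks this self-signed cert CA:TRUE.
    openssl("req", "-x509", *key, "-subj", "/CN=Test CA", "-days", "2",
            "-keyout", f"{d}/ca.key", "-out", f"{d}/ca.pem")
    for name, serial in (("server", 1), ("revoked", 2), ("valid", 3)):
        openssl("req", "-new", *key, "-subj", f"/CN={name}",
                "-keyout", f"{d}/{name}.key", "-out", f"{d}/{name}.csr")
        openssl("x509", "-req", "-in", f"{d}/{name}.csr", "-CA", f"{d}/ca.pem",
                "-CAkey", f"{d}/ca.key", "-set_serial", str(serial),
                "-days", "2", "-out", f"{d}/{name}.pem")
    for name, text in (("index.txt", ""), ("serial", "10\n"), ("ca.cnf", CA_CONF.format(d=d))):
        with open(f"{d}/{name}", "w") as f:
            f.write(text)
    openssl("ca", "-config", f"{d}/ca.cnf", "-revoke", f"{d}/revoked.pem")
    openssl("ca", "-config", f"{d}/ca.cnf", "-gencrl", "-out", f"{d}/crl.pem")

def tls_exchange(d, client_name):
    """Server demands a client cert and checks the CRL; client tries one HTTP request."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.maximum_version = ssl.TLSVersion.TLSv1_2  # so the alert lands inside the handshake
    srv.verify_mode = ssl.CERT_REQUIRED
    srv.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    srv.load_verify_locations(cafile=f"{d}/ca.pem")
    srv.load_verify_locations(cafile=f"{d}/crl.pem")  # a PEM CRL loads the same way
    srv.load_cert_chain(f"{d}/server.pem", f"{d}/server.key")
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                        # test server cert has no SAN
    cli.load_verify_locations(cafile=f"{d}/ca.pem")
    cli.load_cert_chain(f"{d}/{client_name}.pem", f"{d}/{client_name}.key")

    seen = {"request": b"", "response": b"", "server_error": "", "client_error": ""}
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(10)

    def server():
        conn, _ = lsock.accept()
        conn.settimeout(10)
        try:
            tls = srv.wrap_socket(conn, server_side=True)  # handshake happens here
            seen["request"] = tls.recv(4096)  # only reached after a good handshake
            tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            tls.close()
        except OSError as e:                              # SSLError is an OSError
            seen["server_error"] = str(e)

    t = threading.Thread(target=server, daemon=True)
    t.start()
    with socket.create_connection(lsock.getsockname(), timeout=10) as raw:
        try:
            tls = cli.wrap_socket(raw)
            tls.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
            seen["response"] = tls.recv(4096)
            tls.close()
        except OSError as e:
            seen["client_error"] = str(e)
    t.join(10)
    lsock.close()
    return seen

def demo():
    """Run a revoked and a valid client against the same server configuration."""
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return {name: tls_exchange(d, name) for name in ("revoked", "valid")}

if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, seen)
```

For the revoked client the server's error reads "certificate verify failed: certificate revoked" and `request` stays empty: the GET never arrived, so there is no status code to override and no error-page to serve. The client sees only a TLS alert (alert 44, certificate_revoked), which is exactly what a browser then renders as "page cannot be displayed". The example pins TLS 1.2 on purpose: under TLS 1.3 the client's side of the handshake completes before the server has verified the certificate, so `openssl s_client` prints CONNECTED first and reports the alert on its first read, which is easy to misread as a successful connection.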
Re: jvmRoute with multiple AJP Connectors for one Engine
Chris,

This strategy is working well; we have some statistics and controls that are easier to implement and maintain if we keep separate connectors. Currently, we have only two Tomcats, each one with 40 applications (focused on justice, virtual processes) deployed on it and processing 160 req/sec.

Robert

On Fri, Dec 21, 2012 at 12:55 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Robert,
>
> On 12/20/12 8:39 PM, Robert Anderson wrote:
>> Now, the trick:
>>
>> <VirtualHost *:80>
>>   ...
>>   Include conf.d/mod_jk.mounts
>>   ...
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>   ...
>>   Include conf.d/mod_jk_sec.mounts
>>   ...
>> </VirtualHost>
>
> Oh, of course. It's still not necessary unless you have some other kind of options that need to be different.
>
> -chris
Tomcat j_security_check skips authentication after timeout?
I got the responsibility of maintaining a legacy web application running on Tomcat 5.5.36 and using the j_security_check feature for user authentication.

One problem scenario I am looking into:

When you first start the browser and log on to the application, everything works OK. The application receives the username from request.getRemoteUser() and looks up user roles in config tables, for exactly what each user is allowed to do in the GUI.

The problem is when a user leaves the application inactive for an extended time (not clear yet exactly how long, but more than an hour) and then submits a form. It now appears that Tomcat may have discarded the authentication info, because of a time-out I guess, and request.getRemoteUser() will return null, which results in a broken GUI display.

I would expect (prefer) Tomcat, in this case, to request the login credentials anew, before accessing the application, but for some reason it does not.

For info, the web.xml under {TOMCAT_HOME}/config has

  ...<session-timeout>240</session-timeout>...

while the web.xml in the application WAR file has no session-timeout specified at all.

What do I need to do to get Tomcat to always ask for login credentials again, when needed, and make sure request.getRemoteUser() is never null when calling the application?

Anyone have a clue?
Re: Tomcat j_security_check skips authentication after timeout?
Rop,

On 12/21/12 4:01 PM, rop wrote:
> I got the responsibility of maintaining a legacy web application running on Tomcat 5.5.36 and using the j_security_check feature for user authentication.

Obligatory warning: Tomcat 5.5.x is no longer supported. You will likely get better help, feedback, results, etc. by upgrading. Most web applications can be migrated to later versions (Tomcat 7.0.x is current) with little adjustment.

Moving on...

To be clear, you're talking about using FORM authentication, right?

> One problem scenario I am looking into:
>
> When you first start the browser and log on to the application, everything works OK. The application receives the username from request.getRemoteUser() and looks up user roles in config tables, for exactly what each user is allowed to do in the GUI.

Technically, Tomcat uses role-based authorization for URL patterns. Whatever you do in the GUI is up to you.

> The problem is when a user leaves the application inactive for an extended time (not clear yet exactly how long, but more than an hour) and then submits a form.

In this case, the HttpSession has expired and the user is no longer authenticated.

> It now appears that Tomcat may have discarded the authentication info, because of a time-out I guess, and request.getRemoteUser() will return null, which results in a broken GUI display.

Since Tomcat does not control your UI, this is your application's fault.

> I would expect (prefer) Tomcat, in this case, to request the login credentials anew, before accessing the application, but for some reason it does not.

If you have a security-constraint with an auth-constraint on the URL(s) you are serving, then Tomcat *will* request the user's credentials anew. I suspect you have a simple login screen that is protected and nothing else is.

> For info, the web.xml under {TOMCAT_HOME}/config has
>
>   ...<session-timeout>240</session-timeout>...

That is likely a mistake on your (or someone else at your organization's) part.

> while the web.xml in the application WAR file has no session-timeout specified at all.

This is the proper place for a web application's session timeout to be set.

> What do I need to do to get Tomcat to always ask for login credentials again, when needed, and make sure request.getRemoteUser() is never null when calling the application?

Please post an example URL to your web application that results in a broken GUI after the session times out. Also, post all security-constraint elements (and their children) from your WEB-INF/web.xml file. Feel free to sanitize and/or anonymize them as necessary (but consistently: if you say that you are requesting /foo/bar and your constraint is on /bar/baz then we're going to tell you that's the problem).

-chris