sadfffffffffffffffffffffffffff

2016-04-19 Thread l...@bsoft.com.cn
qqqegdasfcxzadfasdf



-
力瓦依丁・库尔班
Mobile:18130819208
qq:895791034
WeChat:lee_vayi
Email:l...@bsoft.com.cn
Company:Bsoft software Company


Re: RE: Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve

2015-05-19 Thread l...@bsoft.com.cn
good question.lol



l...@bsoft.com.cn
 
From: Kim Ming Yap
Date: 2015-05-19 06:23
To: Tomcat Users List
Subject: RE: Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve
I think Tomcat should provide interfaces for different scenarios .. that's my 
opinion.
So coming back to my web form-based authentication problem, is there a solution 
to it?
 
I still want to solve my problem.
Please advise. Thanks.
 
 Date: Mon, 18 May 2015 18:01:31 -0400
 From: ch...@christopherschultz.net
 To: users@tomcat.apache.org
 Subject: Re: Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve
 
 
 Ming Yap,
 
 On 5/18/15 4:56 PM, Kim Ming Yap wrote:
  Now here comes the crucial point and question when it comes to JAAS.
  
  I know the benefit of JAAS - a pluggable authentication and 
  authorization module.
  
  Why and in JavaEE's name have a JAAS realm (eg in Tomcat) where
  the loginmodule has no access to those most important objects -
  sessions, request etc?
 
 ... because JAAS does not require you to be running within a web
 context. You can use JAAS in a thin client. Or from a command-line
 client. Or whatever. In those cases, what would you use for the
 request or session?
 
  I did a bit of research .. hence other web container like JBoss, 
  Oracle WebLogic has to build an extended version of their 
  authentication module to capture those important objects ..
  
  I just don't comprehend this. This is mind boggling.
 
 Pluggable authentication and authorization is kind of an unattainable
 goal when you want it to work across any use case. You just happen to
 be thinking of the web-based authentication use case, here, and it's
 not matching up with your expectations.
 
 What if you wanted to use some information about a TLS certificate for
 authentication? Does the JAAS module now need to have access to the
 X.509 certificate as well? What about a Smart Card? Where does that
 fit into your web-based view of JAAS?
 
 It's just more complicated than you think, unfortunately.
 
  I have spent almost 4 weeks on trying to solve this basic problem 
  when it comes to form based authentication using JAAS.
  
  1. Valid credential - no issue
  2. Credential disabled due to > 3 retries - This message propagates to the error page
  3. Invalid user id - This message propagates to the error page
  4. Invalid password - This message propagates to the error page
 
 You should do some reading about user-enumeration vulnerabilities and
 similar things. You probably don't want to give this kind of
 information to a user. Hint: the user might be an adversary, and any
 information you give them is something they can use to gain
 access to your system.
 
 For example: if I enter ob...@whitehouse.gov as my username and you
 tell me user does not exist, I can keep trying usernames until I get
 one that does exist. Great, now I know the user exists and I can keep
 trying passwords until I get in. If you tell me credentials
 disabled, then I will know when I've tripped some kind of maximum
 login-attempt trigger that will (likely) disable the user for a while.
 So, I'll adjust my attack strategy so that I only try each user 3
 times because I know that after that, they will be disabled.
 
 If you have a hard business requirement to tell the user why they
 aren't being permitted to login, you might want to go back to whoever
 wrote those requirements and ask them to review them from a security
 perspective.
 
 - -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
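As an added example (not code from the thread, from Tomcat or from JAAS), a login responder built the way Chris describes: the four outcomes listed in the message are recorded with their exact reason in a server-side audit log, where detection and lockout policy belong, while the browser receives one identical message whether the user is unknown, the password is wrong or the account is locked. The user name, password and SHA-256 stand-in for a password hash are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Added example: keep the four outcomes apart in the audit log, collapse them to one message for the browser.
public class UniformLoginResponder {
    enum Reason { OK, UNKNOWN_USER, BAD_PASSWORD, LOCKED }           // never sent to the client
    static final int MAX_FAILURES = 3;                               // lock after 3 failures, as in the thread
    static final String UNIFORM_ERROR = "Invalid username or password.";
    // Constructed sample user; sha256 is a toy stand-in for a real password hash (bcrypt, PBKDF2).
    private final Map<String, byte[]> passwordHashes = Map.of("alice", sha256("correct horse battery staple"));
    private final Map<String, Integer> failures = new HashMap<>();   // per-username failure counter
    private final byte[] decoyHash = sha256("decoy-for-unknown-users"); // unknown-user path does the same work
    final List<String> auditLog = new ArrayList<>();

    /** Returns the text the form error page may show, or null when the login succeeds. */
    String login(String user, String password) {
        Reason reason = check(user, password);
        auditLog.add("login user=" + user + " result=" + reason);    // the precise reason stays server-side
        return reason == Reason.OK ? null : UNIFORM_ERROR;
    }

    private Reason check(String user, String password) {
        int count = failures.getOrDefault(user, 0);
        byte[] stored = passwordHashes.get(user);
        // Hash and compare on every path (decoy hash for unknown users) so timing does not reveal the case.
        boolean match = MessageDigest.isEqual(stored != null ? stored : decoyHash, sha256(password));
        Reason reason = count >= MAX_FAILURES ? Reason.LOCKED
                      : stored == null        ? Reason.UNKNOWN_USER
                      : !match                ? Reason.BAD_PASSWORD : Reason.OK;
        if (reason == Reason.OK) failures.remove(user); else failures.put(user, count + 1);
        return reason;
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        UniformLoginResponder r = new UniformLoginResponder();
        System.out.println(r.login("mallory", "x"));                          // unknown user
        System.out.println(r.login("alice", "wrong"));                        // bad password: identical text
        for (int i = 0; i < MAX_FAILURES; i++) r.login("alice", "wrong");     // trips the lockout
        System.out.println(r.login("alice", "correct horse battery staple"));  // locked: still identical text
        r.auditLog.forEach(System.out::println);                              // only here do the reasons differ
    }
}
```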
 
 


Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread l...@bsoft.com.cn
Hi, nice to meet you.



l...@bsoft.com.cn
 
From: Paul Klinkenberg
Date: 2015-04-29 21:54
To: users@tomcat.apache.org
Subject: Finding the Apache httpd IP address when AJP is used
Hi Tomcat users!
 
I have been working on an update for a Tomcat valve called mod_cfml. The 
project aims to provide automatic web context creation in Tomcat, when coming 
from a frontend webserver.
The live code base can be found at https://github.com/utdream/mod_cfml
 
One of the features I wanted to add, is adding an IP restriction in the valve 
(see github 
https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6).
 
While testing, I noticed that AJP works very well: it hides the IP address of 
the caller, which is the front-end Apache webserver, and instead returns the IP 
of the remote client / the client who called the frontend webserver.
I have been digging around quite a lot, but have not been able to find the 
Apache httpd IP address :-(
 
My question is hopefully simple to answer: can I retrieve the IP address which 
called the AJP connector, from within the valve?
 
My server.xml is:
 
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="mod_cfml.core"
               loggingEnabled="true"
               waitForContext="10"
               maxContexts=""
               timeBetweenContexts="0"
               scanClassPaths="false"
               allowedIPs="127.0.0.1,192.168.1.52" />
      </Host>
    </Engine>
  </Service>
</Server>
 
Thanks in advance for your time!
 
Kind regards,
 
Paul Klinkenberg
The Netherlands
 
p.s. I asked this question, in other wording, on StackOverflow.com as well. I hope I have better luck here ;-)
http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp
 


Re: Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread l...@bsoft.com.cn
 Hi.
 With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
 - set an additional HTTP request header at the Apache httpd level, before the 
 request is proxied to the back-end Tomcat
 - set a JkEnvVar value at the Apache httpd level, before the request 
 is proxied to Tomcat
 You can then retrieve these set values at the Tomcat level, either by parsing 
 the request headers, or by retrieving a request attribute corresponding to 
 the JkEnvVar.
 The JkEnvVar/attribute method is probably more efficient in a mod_jk context; 
 the HTTP header solution is more portable, since it does not depend on 
 specifically mod_jk being used as a connector.
 
 Presumably, when at the Apache httpd level you decide to proxy a request to a 
 back-end Tomcat, you know through which interface you'll do it, and what its 
 IP address is, and you can put it into one of the things above.
 
 Is that enough info to get you started ?
 
 Caveat : one part I am not quite sure of, is what things you do have easy 
 access to, at the level of a Valve.  The above is what you'd do at a webapp 
 level, I hope it is also accessible at your Valve level.
 

Hi André,

Thanks for the response, much appreciated.
The reason I want to add the IP restriction in the valve, is to make 100% sure 
that the request (for creating a new Tomcat context) is indeed coming from the 
frontend webserver. This valve is a setup not just for me, where I could tweak 
server settings and such, but for anyone who uses the mod_cfml connector. It is 
installed by default by the Railo/Lucee installers (http://getrailo.org/ / http://lucee.org/).

Therefore, I cannot rely on an incoming header, as it could originate from 
anywhere.
Also, a remote system could call the AJP endpoint on the Tomcat server, with 
this JkEnvVar set to a spoofed value. (if the port is not