Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Tim Watts
On Tue, 2016-02-16 at 14:31 -0500, Christopher Schultz wrote:

> On 2/16/16 11:50 AM, Dougherty, Gregory T., M.S. wrote:
> > I completely and totally trust my servlet with my data.  I do not 
> > in the least bit trust any other servlet running on that Tomcat 
> > instance.
> 
> Then those servlets shouldn't be deployed into the same application.
> Possibly not even within the same JVM. But okay, let's ignore that
> lack of safety for the time being. We're ignoring all kinds of other
> things as well, so one more doesn't matter.
> 

If I may interject: I think part of the problem here is the OP is using
"servlet" and "webapp" interchangeably.  He originally used the term
webapp but then switched to servlet around the time he laid out this
authentication solution.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Christopher Schultz

Gregory,

On 2/16/16 11:50 AM, Dougherty, Gregory T., M.S. wrote:
> On 2/16/16, 9:13 AM, "Christopher Schultz" 
>  wrote:
> 
> 
>> Gregory,
>> 
>> On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote:
>>> How to trade information with a specified URL calling java
>>> code in tomcat/lib:
>>> 
>>> 1: Servlet calls Decryptor.start (String whoIAm, int
>>> validator, int xOr)
>> 
>> What prevents the servlet from specifying whoIAm="someoneElse"?
> 
> Absolutely nothing.  That’s why the decrypt code does an HTTP get 
> against whoIAm, to validate that claim.
> 
>>> 2: Code calls Servlet http get with id=randomly generated int
>> 
>> Which code calls Servlet HTTP?
> 
> HttpURLConnection, called from within the decrypt code
> 
> 
>> 
>>> 3: Servlet returns validator in response to the http get call. 
>>> 0 is not a valid validator, it’s what the Servlet returns if
>>> it doesn’t have an outstanding call to Decryptor.start
>> 
>> But the whole point is that you don't trust the servlet, right? 
>> What if the servlet always returns the same value? Any servlet 
>> could impersonate any other one.
> 
> I trust each servlet to act in its own best interest.
> 
> An honest servlet will 1: Pass in real random numbers for
> validator and xOr, 2: React correctly to this http get call. An
> incompetently written or dishonest servlet can only give away its
> own passwords by doing the wrong thing.  That’s their problem, not
> mine.
> 
>>> 4: Having received the random number from the http get call, 
>>> Servlet xors it with xOr, and calls Decryptor.decrypt (String 
>>> whoIAm, String password, int xOred)
>> 
>> So, the servlet makes the HTTP request and manages the checking? 
>> I really don't get it.
> 
> Servlet (calls Decrypt.start): Sends whoIAm, validator, xOr
> Code (calls http get on whoIAm): Sends cValid
> Servlet (response to HTTP get): Sends validator (same as was sent in call
> to Decrypt.start). This validates whoIAm
> Servlet (calls Decrypt.decode): Sends whoIAm, password (encrypted), xOred
> (= xOr ^ cValid)
> Code (return value from Decrypt.decode): password (decrypted)

No, I followed all that. I still just don't "get it".

Your initial question was how to verify that the calling code was a
specific application. Your proposed solution allows the calling code
to *authenticate itself*. Thus, no security is being added.
Complexity, yes. Security, no.

Then we went off on the tangent about how administrators shouldn't
have access to the passwords. If the admins could have the passwords,
there wouldn't be any problems, here (I think).

So you're asking for a key-escrow system where just about every
component involved can have access to the password except for the
people who don't need the passwords, because they are administrators.

I suppose you could have separate admins for app servers versus DBs,
but anything the code running on a machine can do, an administrator of
that machine can do, too.

>>> 5: Code checks xOred against whoIAm.  If gets a match decrypts 
>>> the password and returns it from Decryptor.decrypt.
>> 
>> After all that, it's okay for the servlet to be able to read its 
>> own database password? Why not just give the servlet access to a 
>> DataSource with the password already set inside it?
> 
> Because it’s the Servlet’s password?  How many times do I have to 
> say that before you’ll believe it?
> 
> The data belongs to the servlet.  The servlet is working with the 
> decryption code so that the data can be safely stored with the 
> servlet.

If the data (and password protecting it) really belongs to the
servlet, why are you making it so hard for the servlet to get the data?

> Every servlet trusts itself.  None of them should be required to 
> trust any other servlet running on that instance of Tomcat.  None 
> of them should be required to trust that data saved in the source 
> control system won’t be abused, if it can be abused.
> 
>>> But so long as I can make the following two calls from my 
>>> code:
>>> 
>>> URL theURL = new URL (urlString); HttpURLConnection uc = 
>>> (HttpURLConnection) theURL.openConnection ();
>>> 
>>> I think I’m good.
>>> 
>>> Flaws?
>> 
>> Let's see:
>> 
>> Constructed dubious use case? CHECK
> Wrong.  This use case is my current work situation.

Just because it's the problem you are facing doesn't make it your
use-case. You have decided that this is your use-case based upon the
requirements you are trying to fulfill.

>> Rolled your own security code? CHECK
>> Used highly-secure XOR algorithm? CHECK
>> Complicated enough to seem plausible? CHECK
>> Confused objective leads to trivial attacks? CHECK
>> 
>> I think you've got all the bases covered, here.
>> 
>> I still don't understand what's being protected from whom, here. 
>> It looks like the code is very complicated in order to keep the 
>> password from the code, but then the code is given the password 
>> anyway. If you trust 

Re: ***UNCHECKED*** Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Christopher Schultz

All,

Sorry about this. It seems Enigmail is ruining messages.

- -chris




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Leo Donahue
On Feb 16, 2016 10:50 AM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> On 2/16/16, 9:13 AM, "Christopher Schultz" 
> wrote:
>
>
> >Gregory,
> >
> >On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote:
> >> How to trade information with a specified URL calling java code in
> >> tomcat/lib:
> >>
> >> 1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr)
> >
> >What prevents the servlet from specifying whoIAm="someoneElse"?
>
> Absolutely nothing.  That’s why the decrypt code does an HTTP get against
> whoIAm, to validate that claim.
>
> >> 2: Code calls Servlet http get with id=randomly generated int
> >
> >Which code calls Servlet HTTP?
>
> HttpURLConnection, called from within the decrypt code
>
>
> >
> >> 3: Servlet returns validator in response to the http get call.  0 is
> >>not a
> >> valid validator, it’s what the Servlet returns if it doesn’t have an
> >> outstanding call to Decryptor.start
> >
> >But the whole point is that you don't trust the servlet, right? What if
> >the servlet always returns the same value? Any servlet could impersonate
> >any other one.
>
> I trust each servlet to act in its own best interest.
>
> An honest servlet will 1: Pass in real random numbers for validator and
> xOr, 2: React correctly to this http get call.
> An incompetently written or dishonest servlet can only give away its own
> passwords by doing the wrong thing.

Give them away?  Are you logging the passwords used?

> That’s their problem, not mine.
>
> >> 4: Having received the random number from the http get call, Servlet
> >>xors
> >> it with xOr, and calls Decryptor.decrypt (String whoIAm, String
> >>password,
> >> int xOred)
> >
> >So, the servlet makes the HTTP request and manages the checking? I
> >really don't get it.
>
> Servlet (calls Decrypt.start): Sends whoIAm, validator, xOr
> Code (calls http get on whoIAm): Sends cValid
> Servlet (response to HTTP get): Sends validator (same as was sent in call
> to Decrypt.start). This validates whoIAm
> Servlet (calls Decrypt.decode): Sends whoIAm, password (encrypted), xOred
> (= xOr ^ cValid)
> Code (return value from Decrypt.decode): password (decrypted)
>
> >
> >> 5: Code checks xOred against whoIAm.  If gets a match decrypts the
> >> password and returns it from Decryptor.decrypt.
> >
> >After all that, it's okay for the servlet to be able to read its own
> >database password? Why not just give the servlet access to a DataSource
> >with the password already set inside it?
>
> Because it’s the Servlet’s password?  How many times do I have to save
> that before you’ll believe it?
>
> The data belongs to the servlet.  The servlet is working with the
> decryption code so that the data can be safely stored with the servlet.
>
> Every servlet trusts itself.  None of them should be required to trust any
> other servlet running on that instance of Tomcat.  None of them should be
> required to trust that data saved in the source control system won’t be
> abused, if it can be abused.
>
> >>But so long as I can make the following two calls from my code:
> >>
> >> URL theURL = new URL (urlString);
> >>  HttpURLConnection   uc = (HttpURLConnection) theURL.openConnection ();
> >>
> >> I think I’m good.
> >>
> >> Flaws?
> >
> >Let's see:
> >
> >  Constructed dubious use case? CHECK
> Wrong.  This use case is my current work situation.
>
> >  Rolled your own security code? CHECK
> >  Used highly-secure XOR algorithm? CHECK
> >  Complicated enough to seem plausible? CHECK
> >  Confused objective leads to trivial attacks? CHECK
> >
> >I think you've got all the bases covered, here.
> >
> >I still don't understand what's being protected from whom, here. It
> >looks like the code is very complicated in order to keep the password
> >from the code, but then the code is given the password anyway. If you
> >trust the code but not the admin, then why bother with the complex code?
>
> The problem, Chris, is that you don’t understand the situation, and rather
> than try to understand the situation you’re spending all your time and
> effort sniping at things you don’t understand.  Let’s try one more time:
>
>

If you led with the information below in your original post, it would have
helped.

> My servlet is running on a Tomcat instance that is hosting 5 other Servlets
>
> I completely and totally trust my servlet with my data.  I do not in the
> least bit trust any other servlet running on that Tomcat instance
>
> I am willing to trust a Jar file that I’ve written / reviewed, and the
> administrators have added to tomcat/lib
>
> I have data that my servlet needs to use.  I am not going to try to go to
> a page on my servlet and personally type in that data every time it runs.
> Therefore I’m going to have to save that data.  I’m not going to save that
> data somewhere on the server hosting the Tomcat instance, because I just
> don’t trust the administrators that much.
>
> This means I have to save the data 

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Dougherty, Gregory T., M.S.
On 2/16/16, 9:13 AM, "Christopher Schultz" 
wrote:


>Gregory,
>
>On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote:
>> How to trade information with a specified URL calling java code in
>> tomcat/lib:
>> 
>> 1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr)
>
>What prevents the servlet from specifying whoIAm="someoneElse"?

Absolutely nothing.  That’s why the decrypt code does an HTTP get against
whoIAm, to validate that claim.

>> 2: Code calls Servlet http get with id=randomly generated int
>
>Which code calls Servlet HTTP?

HttpURLConnection, called from within the decrypt code


>
>> 3: Servlet returns validator in response to the http get call.  0 is
>>not a
>> valid validator, it’s what the Servlet returns if it doesn’t have an
>> outstanding call to Decryptor.start
>
>But the whole point is that you don't trust the servlet, right? What if
>the servlet always returns the same value? Any servlet could impersonate
>any other one.

I trust each servlet to act in its own best interest.

An honest servlet will 1: Pass in real random numbers for validator and
xOr, 2: React correctly to this http get call.
An incompetently written or dishonest servlet can only give away its own
passwords by doing the wrong thing.  That’s their problem, not mine.

>> 4: Having received the random number from the http get call, Servlet
>>xors
>> it with xOr, and calls Decryptor.decrypt (String whoIAm, String
>>password,
>> int xOred)
>
>So, the servlet makes the HTTP request and manages the checking? I
>really don't get it.

Servlet (calls Decrypt.start): Sends whoIAm, validator, xOr
Code (calls http get on whoIAm): Sends cValid
Servlet (response to HTTP get): Sends validator (same as was sent in call
to Decrypt.start). This validates whoIAm
Servlet (calls Decrypt.decode): Sends whoIAm, password (encrypted), xOred
(= xOr ^ cValid)
Code (return value from Decrypt.decode): password (decrypted)

>
>> 5: Code checks xOred against whoIAm.  If gets a match decrypts the
>> password and returns it from Decryptor.decrypt.
>
>After all that, it's okay for the servlet to be able to read its own
>database password? Why not just give the servlet access to a DataSource
>with the password already set inside it?

Because it’s the Servlet’s password?  How many times do I have to say
that before you’ll believe it?

The data belongs to the servlet.  The servlet is working with the
decryption code so that the data can be safely stored with the servlet.

Every servlet trusts itself.  None of them should be required to trust any
other servlet running on that instance of Tomcat.  None of them should be
required to trust that data saved in the source control system won’t be
abused, if it can be abused.

>>But so long as I can make the following two calls from my code:
>> 
>> URL theURL = new URL (urlString);
>>  HttpURLConnection   uc = (HttpURLConnection) theURL.openConnection ();
>> 
>> I think I’m good.
>> 
>> Flaws?
>
>Let's see:
>
>  Constructed dubious use case? CHECK
Wrong.  This use case is my current work situation.

>  Rolled your own security code? CHECK
>  Used highly-secure XOR algorithm? CHECK
>  Complicated enough to seem plausible? CHECK
>  Confused objective leads to trivial attacks? CHECK
>
>I think you've got all the bases covered, here.
>
>I still don't understand what's being protected from whom, here. It
>looks like the code is very complicated in order to keep the password
>from the code, but then the code is given the password anyway. If you
>trust the code but not the admin, then why bother with the complex code?

The problem, Chris, is that you don’t understand the situation, and rather
than try to understand the situation you’re spending all your time and
effort sniping at things you don’t understand.  Let’s try one more time:


My servlet is running on a Tomcat instance that is hosting 5 other Servlets

I completely and totally trust my servlet with my data.  I do not in the
least bit trust any other servlet running on that Tomcat instance

I am willing to trust a Jar file that I’ve written / reviewed, and the
administrators have added to tomcat/lib

I have data that my servlet needs to use.  I am not going to try to go to
a page on my servlet and personally type in that data every time it runs.
Therefore I’m going to have to save that data.  I’m not going to save that
data somewhere on the server hosting the Tomcat instance, because I just
don’t trust the administrators that much.

This means I have to save the data with my web app.  Everything saved with
my app is available to a pool of people, large enough that I can not trust
that the data is secure.


This is the current situation.  Neither you nor I get to change any of the
above parameters.  Is anything about the above unclear (other than why
this is so)?

When I say “I do not trust the Servlet calling the jar code” what I mean
is that I absolutely trust my own servlet when it’s calling the jar code,

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Leo Donahue
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> You are correct, I’m trying to authorize the web app, not the user.

I am going to start all the way back here and suggest that you abandon this
approach of authenticating a web "app".

This is unconventional by all standards and you will end up with a security
hole(s).

Users authenticate to web apps, nothing further.

The web app itself can also authenticate to the database separate from any
user BUT... the web app still has a "user name".

Your problem is that someone is giving you impossible to meet security
requirements, which results in you wanting to mess with application URLs
and the other stuff you mentioned.

Secret:  even large organizations have some form of clear text passwords,
but who has access to these is strictly controlled.

>
> Goal: I am trying to come up with a way for a Tomcat app to securely store
> and retrieve the password it needs to access a DB.
>

We have given you some options to deal with this.

It seems as though the sys admins either can't or don't want to help you
establish more of an Enterprise architecture, which would solve a lot of
your issues.

> My definition of “secure” includes “there exist no files with an
> unencrypted copy of the password”.  IIUC, JNDI fails this test.
>
> My requirements include that all web app components are checked in to a
> source control system that malicious users can have read access to.

Are you in control of the source control system?  You know, you can assign
roles to users for certain repositories and restrict access to your code
repo.

If you have developers working at Mayo who are malicious, get rid of them.

> Solution:
> 1: Trusted user creates public:private key pair (1), distributes public key
> 2: Web app developer creates pubic:private key pair (2), distributes
> public key
> 3: Web app developer encrypted password with private key 2, then public
> key 1, stores with web app
> 4: Web app calls decryption jar that’s in tomcat/lib, passing in the
> encrypted password from step 3
> 5: Decryption code determines which app called it, pulls the public key
> (3) saved for that app
> 6: Decryption code decrypts with private key 1, public key 3, and returns
> the unencrypted password.
>
> So long as 1: Trusted user can store private key where it’s secure, but
> accessible to decryption code, and 2: Can correctly determine the calling
> app, I believe this setup is secure.
>
> We log who uploads the web apps, so if user X uploads a bogus “User Y
> App”, we can deal with that.
> --

Developers should never get to deploy anything to production servers.  In
fact, you should have different passwords for different deployment realms.

From my perspective, you (or someone else is telling you to do this) are
trying to bypass as much security for the appearance of security simply
because of the Tomcat environment you have to work with.

I think we all want you to succeed here, but the approach you're leaning
towards isn't going to work.

> Gregory Dougherty
> Sr. Analyst/Programmer | Information Technology
> Information Technology
> (507) 284-8493 | dougherty.greg...@mayo.edu
> On 2/12/16, 2:00 PM, "Leo Donahue"  wrote:
>
> >On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
> >dougherty.greg...@mayo.edu> wrote:
> >>
> >> I would like to have a jar file in tomcat/lib that can be called from
> >>any
> >of the running web apps.  I need for the code in the jar to behave
> >differently depending on which web app called it.
> >
> >I would agree with what the others are saying here.  It seems you are
> >trying to authorize an entire web app instead of authorizing the user of
> >the web app.
> >
> >If the jar simply needs to take action based on a role of some kind, then
> >could you not tie in a ldap user with appropriate role?
> >
> >Leo
>


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-16 Thread Christopher Schultz
Gregory,

On 2/15/16 11:18 AM, Dougherty, Gregory T., M.S. wrote:
> How to trade information with a specified URL calling java code in
> tomcat/lib:
> 
> 1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr)

What prevents the servlet from specifying whoIAm="someoneElse"?

> 2: Code calls Servlet http get with id=randomly generated int

Which code calls Servlet HTTP?

> 3: Servlet returns validator in response to the http get call.  0 is not a
> valid validator, it’s what the Servlet returns if it doesn’t have an
> outstanding call to Decryptor.start

But the whole point is that you don't trust the servlet, right? What if
the servlet always returns the same value? Any servlet could impersonate
any other one.

> 4: Having received the random number from the http get call, Servlet xors
> it with xOr, and calls Decryptor.decrypt (String whoIAm, String password,
> int xOred)

So, the servlet makes the HTTP request and manages the checking? I
really don't get it.

> 5: Code checks xOred against whoIAm.  If gets a match decrypts the
> password and returns it from Decryptor.decrypt.

After all that, it's okay for the servlet to be able to read its own
database password? Why not just give the servlet access to a DataSource
with the password already set inside it?

> What I’d rather have is a Tomcat provided Class with a static method that
> returns the calling URL.

Show me an implementation that Tomcat could provide that the servlet
could not tamper with.

> But so long as I can make the following two calls from my code:
> 
> URL theURL = new URL (urlString);
> HttpURLConnection uc = (HttpURLConnection) theURL.openConnection ();
> 
> I think I’m good.
> 
> Flaws?

Let's see:

  Constructed dubious use case? CHECK
  Rolled your own security code? CHECK
  Used highly-secure XOR algorithm? CHECK
  Complicated enough to seem plausible? CHECK
  Confused objective leads to trivial attacks? CHECK

I think you've got all the bases covered, here.

I still don't understand what's being protected from whom, here. It
looks like the code is very complicated in order to keep the password
from the code, but then the code is given the password anyway. If you
trust the code but not the admin, then why bother with the complex code?

-chris

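As an added illustration of the container-managed DataSource Chris suggests in the post above (this is example code written for this page, not code from the thread, from any of the posters, or from Tomcat itself): the webapp declares only a resource reference, the administrators supply the credentials in a context file that lives outside the WAR and outside revision control, and the servlet obtains pooled connections through JNDI without ever handling the password. The resource name `jdbc/MyDS`, the servlet path, the class name and the connection details are all placeholders chosen for the example.

```java
// Added example, not from the thread or from Tomcat: a servlet that gets its
// database connections from a container-managed DataSource. The DB password
// never appears in the WAR or in anything the developers check in.
//
// Assumed, admin-owned configuration, kept OUTSIDE the webapp, e.g. in
// $CATALINA_BASE/conf/Catalina/localhost/myapp.xml (all values below are
// placeholders for the example):
//
//   <Context>
//     <Resource name="jdbc/MyDS" auth="Container" type="javax.sql.DataSource"
//               driverClassName="org.postgresql.Driver"
//               url="jdbc:postgresql://db.example.internal:5432/mydb"
//               username="myapp_user" password="PLACEHOLDER_SET_BY_ADMIN" />
//   </Context>
//
// The only thing in the webapp's WEB-INF/web.xml is the reference, no secrets:
//
//   <resource-ref>
//     <res-ref-name>jdbc/MyDS</res-ref-name>
//     <res-type>javax.sql.DataSource</res-type>
//     <res-auth>Container</res-auth>
//   </resource-ref>

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/status")
public class ContainerDataSourceServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // java:comp/env is this webapp's private JNDI namespace. The
            // container binds the DataSource there according to the
            // <Resource> above; the credentials stay in the container's
            // configuration, which the admins own.
            dataSource = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/MyDS");
        } catch (NamingException e) {
            throw new ServletException("jdbc/MyDS is not bound for this webapp", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        boolean dbOk;
        // getConnection() authenticates to the database with the container's
        // credentials; this code never sees a username or password.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement("SELECT 1");
             ResultSet rs = ps.executeQuery()) {
            dbOk = rs.next();
        } catch (SQLException e) {
            // Fail closed and say nothing about the connection details.
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "db unavailable");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(dbOk ? "db ok" : "db returned no rows");
    }
}
```

This is the split Chris describes: the devs write the software and check in only the `<resource-ref>`, the admins deploy the context file with the real credentials and can rotate the password there without touching the WAR. The password does exist in a file, but in one the application server reads and the webapp's own code never does, which is a different property from the "no files at all" requirement the OP states.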



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Dougherty, Gregory T., M.S.
How to trade information with a specified URL calling java code in
tomcat/lib:

1: Servlet calls Decryptor.start (String whoIAm, int validator, int xOr)
2: Code calls Servlet http get with id=randomly generated int
3: Servlet returns validator in response to the http get call.  0 is not a
valid validator, it’s what the Servlet returns if it doesn’t have an
outstanding call to Decryptor.start
4: Having received the random number from the http get call, Servlet xors
it with xOr, and calls Decryptor.decrypt (String whoIAm, String password,
int xOred)
5: Code checks xOred against whoIAm.  If gets a match decrypts the
password and returns it from Decryptor.decrypt.

What I’d rather have is a Tomcat provided Class with a static method that
returns the calling URL.  But so long as I can make the following two
calls from my code:

URL theURL = new URL (urlString);
HttpURLConnection uc = (HttpURLConnection) theURL.openConnection ();

I think I’m good.


Flaws?
-- 
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Dougherty, Gregory T., M.S.
Chris,


On 2/15/16, 9:20 AM, "Christopher Schultz" 
wrote:

>Gregory,
>
>On 2/12/16 6:46 PM, Dougherty, Gregory T., M.S. wrote:
>> Chris,
>> 
>> 
>> On 2/12/16, 5:27 PM, "Christopher Schultz"
>>  wrote:
>> 
>>> Gregory,
>>> 
>>> On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
>>>> On 2/12/16, 3:08 PM, "Leo Donahue" 
>>>> wrote:
>>>> 
>>>> 
>>>>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>>>>> dougherty.greg...@mayo.edu> wrote:
>>>>>> My definition of “secure” includes “there exist no files with
>>>>>> an unencrypted copy of the password”.
>>> 
>>> Do you mean "no files at all" or "no files in revision-control"?
>>> Again, you have to decide whether you trust your administrators.
>> 
>> No files at all.
>> 
>> Even if I did trust my administrators, they don’t want the task of
>> having to update the passwords every six months.
>> 
 How does the data source know that this web app, unlike every
 other web app in existence, is allowed to access the data
 source?
>>> 
>>> The container allows you to map data sources to web applications.
>>> Use that facility. And trust your administrators.
>> 
>> This sounds like something I can use to uniquely identify which app
>> is running, no? Can my code ask Tomcat for the DataSource the
>> container assigns to the web app, that instead of returning a
>> password, simply returns the name of the app?
>
>No, it will return a DataSource. What you do with it is up to you.
>Generally-speaking, a DataSource already knows the password that will
>be used to access the database. So the application doesn't need to
>have any passwords at all.

The only way I can envision the DataSource having the password is if it’s
some way hard coded into it, which is the exact thing I’m trying to avoid.


>>>If you free yourself from the idea that everything needs to be in
>>> one big revision-control system, it makes things easier.
>>> Everybody does their job: the devs write the software, the admins
>>> deploy it. The admins have the keys to the kingdom (they always
>>> do; don't fight it) and the devs have keys to nothing.
>> 
>> I don’t get a vote on that one.
>
>So you are tasked with:
>
>(a) Removing all plaintext passwords from configuration files
>(b) All configuration files must be in revision control
>(c) Developers manage the passwords to the production dbs
>(d) Admins must never see devs' passwords
>(e) The system must actually work
>
>Do I have that all correct?

Yes.

>
>>> Of course, the devs are writing the software, so if you are
>>> truly paranoid, you need to make sure that the devs aren't
>>> stealing secrets from the admins when the app runs ;)
>> 
>> I am truly paranoid, that’s why I want an unambiguous way to figure
>> out what app is running.  That way the only data they can “steal”
>> is their own data.
>
>Use separate VMs (or JVMs) for each application. No question
>whatsoever which application is running.

Not an available solution.

However, I finally realized I do have a solution.

1: Call Decryptor.identifyMe (String whoIAm)
2: Code checks whoIAm.  If a known Servlet, send that servlet a message
consisting of a random integer.
3: Servlet calls Decryptor.decrypt (int token, String password) with the
token and the password to decrypt
4: Decryptor.decrypt uses the token to prove what Servlet it’s talking to,
pulls up the correct public key, decodes the password, and returns it.

Flaws?



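The four-step exchange above, as an added example that is not the OP's code and not part of the thread: a Decryptor class for tomcat/lib that binds the decrypt call to the token it sent, not to the caller's claim. Everything beyond the identifyMe/decrypt names is an assumption for illustration: the Challenger interface, the callback-URL and key tables, RSA-OAEP for the stored ciphertext, and a ten-second token lifetime.

```java
package com.example.lib;  // hypothetical package; the jar is meant for tomcat/lib

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;

public final class Decryptor {

    /** Step 2 transport: deliver the token to the app's own URL (assumed interface). */
    public interface Challenger {
        void send(String appUrl, int token) throws IOException;
    }

    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TOKEN_TTL_MS = 10_000L;

    private static final class Pending {
        final String app;
        final long issuedAt;
        Pending(String app, long issuedAt) { this.app = app; this.issuedAt = issuedAt; }
    }

    private final Map<String, String> urlByApp;      // whoIAm -> callback URL, admin-controlled config
    private final Map<String, PrivateKey> keyByApp;  // whoIAm -> key that unlocks that app's secrets
    private final Map<Integer, Pending> pending = new ConcurrentHashMap<>();
    private final Challenger challenger;

    public Decryptor(Map<String, String> urlByApp, Map<String, PrivateKey> keyByApp, Challenger challenger) {
        this.urlByApp = urlByApp;
        this.keyByApp = keyByApp;
        this.challenger = challenger;
    }

    /** Steps 1-2: accept only a registered name, then send a fresh token to that app's URL, not back to the caller. */
    public void identifyMe(String whoIAm) throws IOException {
        String url = urlByApp.get(whoIAm);
        if (url == null) {
            throw new IllegalArgumentException("unknown app: " + whoIAm);
        }
        int token;
        do {
            token = RNG.nextInt();
        } while (pending.putIfAbsent(token, new Pending(whoIAm, System.currentTimeMillis())) != null);
        challenger.send(url, token);
    }

    /** Steps 3-4: the token, not the caller's say-so, selects the key. One use, short lifetime. */
    public String decrypt(int token, String ciphertextB64) throws GeneralSecurityException {
        Pending p = pending.remove(token);
        if (p == null) {
            throw new SecurityException("unknown or already used token");
        }
        if (System.currentTimeMillis() - p.issuedAt > TOKEN_TTL_MS) {
            throw new SecurityException("token expired");
        }
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, keyByApp.get(p.app));
        byte[] plain = c.doFinal(Base64.getDecoder().decode(ciphertextB64));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** The HTTP GET the OP describes, for the real deployment. */
    public static Challenger httpGet() {
        return (appUrl, token) -> {
            HttpURLConnection conn = (HttpURLConnection) new URL(appUrl + "?id=" + token).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(2000);
            conn.setReadTimeout(2000);
            int status = conn.getResponseCode();
            conn.disconnect();
            if (status != 200) {
                throw new IOException("challenge not accepted, HTTP " + status);
            }
        };
    }

    /** Offline walk-through: an in-memory Challenger plays the servlet that receives the token. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Cipher enc = Cipher.getInstance(RSA_OAEP);
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        // constructed sample: the ciphertext the app would keep in its properties file
        String stored = Base64.getEncoder().encodeToString(enc.doFinal("db-secret".getBytes(StandardCharsets.UTF_8)));

        Decryptor[] box = new Decryptor[1];
        String[] recovered = new String[1];
        Challenger servlet = (url, token) -> {      // step 3, as the servlet would do it
            try {
                recovered[0] = box[0].decrypt(token, stored);
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        };
        box[0] = new Decryptor(Collections.singletonMap("/greg", "http://localhost:8080/greg/challenge"),
                               Collections.singletonMap("/greg", kp.getPrivate()), servlet);
        box[0].identifyMe("/greg");
        System.out.println("recovered for /greg: " + recovered[0]);
        try {
            box[0].decrypt(12345, stored);            // no matching challenge: refused
        } catch (SecurityException e) {
            System.out.println("forged token refused: " + e.getMessage());
        }
    }
}
```

What the token buys is narrow: it proves that whoever called decrypt could see a GET delivered to the URL registered for that name, and it is consumed on first use so a captured token cannot be replayed. It does nothing about the objection raised in the thread: every webapp in the same JVM can call identifyMe and decrypt, and without a SecurityManager it can also read the pending and keyByApp tables through reflection, so per-app keys only separate apps if the JVM boundary is enforced.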


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christopher Schultz

Leo,

On 2/12/16 8:35 PM, Leo Donahue wrote:
> On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. < 
> dougherty.greg...@mayo.edu> wrote:
> 
>> Chris,
>> 
>> 
>> On 2/12/16, 5:27 PM, "Christopher Schultz"
>>  wrote:
>> 
>>> Gregory,
>>> 
>>> On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
 On 2/12/16, 3:08 PM, "Leo Donahue" 
 wrote:
 
 
> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < 
> dougherty.greg...@mayo.edu> wrote:
 My definition of "secure" includes "there exist no files with
 an unencrypted copy of the password".
>>> 
>>> Do you mean "no files at all" or "no files in
>>> revision-control"? Again, you have to decide whether you trust
>>> your administrators.
>> 
>> No files at all.
>> 
> 
> Not even encrypted files?
> 
> 
>> 
>> Even if I did trust my administrators, they don’t want the task
>> of having to update the passwords every six months.
>> 
> 
> Greaaat.

Yeah, this is a dumb requirement. Application-level passwords should
never have to change. User passwords? Fine, if you have some silly
requirement that they be changed ("okay, FINE! password-zero-ONE!"),
make users change their own passwords. But don't make administrators
change db-access passwords. Lock-down access to the database and don't
have anything change.

 How does the data source know that this web app, unlike
 every other web app in existence, is allowed to access the
 data source?
>>> 
>>> The container allows you to map data sources to web
>>> applications. Use that facility. And trust your
>>> administrators.
>> 
>> This sounds like something I can use to uniquely identify which
>> app is running, no? Can my code ask Tomcat for the DataSource the
>> container assigns to the web app, that instead of returning a
>> password, simply returns the name of the app?
>> 
> 
> What I was saying about the data source is that where you configure
> it in Tomcat doesn't need a password in plain text, if your custom
> data source is going to simply use the username from the Tomcat
> data source config file to go look up the real encrypted password.
> You have to implement this yourself.  Precisely how is totally up
> to you.

Gregory, here's where you can make your crazy private-public-encryption
thing work. You can have your code unlock the password during startup
and then the application will get an unlocked DataSource and never has
to deal with passwords at all.

> You are going to need a process that writes encrypted user
> passwords to an ENCRYPTED file, on a schedule, preferably every
> day.  If you can't have encrypted files, then you are stuck, don't
> read on.

I think he's comfortable with a non-plaintext password written to a
file. So, if you had a DataSource configuration that looked like this,
for instance:

> You need to write something that generates long passwords, because
> you don't need to remember them, and writes them to the encrypted
> file.  All you need to do is regenerate them whenever you want.  If
> you are saying that you need to choose your own password because it
> is used elsewhere, then you are stuck again.

A synchronization process is possible. You could inject the new
password via JMX, for example. (At least, I think you can.)

The worst part is that, evidently, the admins are going to have to
change the passwords at the database-level, but they aren't allowed to
know the passwords. So I don't know how that's gonna work.

> This same process is going to let you read and un-encrypt (spell
> check not helping me here) said password.  How you write this is up
> to you.
> 
> In your custom data source, where you override the 
> getConnection(username,password), you will obviously need to call
> the function that fetches the real password for said supplied user.
> How you do that is up to you, like I said, this is a bigger project
> than a quick hack.
> 
>  ...  auth="Container" type="javax.sql.DataSource" username="dbusername" 
> password="this can be blank or null, because your custom data
> source will handle it" driverClassName="this is your custom data
> source class which implements javax.sql.Datasource" 
> url="jdbc:Whatever" maxActive="etc" maxIdle="etc"/> ... 
> 
> https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources
>
> https://docs.oracle.com/javase/8/docs/api/javax/sql/DataSource.html#getConnection-java.lang.String-java.lang.String-

I think maybe something confusing to me has been whose users passwords
are we talking about, here? I've been assuming that we are talking
about an application-level user for an entire application. So, if you
are running "myapp", then the username is always "myappdbuser" and the
password is always "myappdbpassword" (or whatever). Usually,
applications always use the same credentials to access a database like
this; it's not always necessary to support multiple usernames 

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Dougherty, Gregory T., M.S.
Chris,

On 2/12/16, 7:35 PM, "Leo Donahue"  wrote:


>On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. <
>dougherty.greg...@mayo.edu> wrote:
>
>> Chris,
>>
>>
>> On 2/12/16, 5:27 PM, "Christopher Schultz"
>>
>> wrote:
>>
>> >Gregory,
>> >
>> >On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
>> >> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
>> >>
>> >>
>> >>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>> >>> dougherty.greg...@mayo.edu> wrote:
>> >> My definition of "secure" includes "there exist no files with an
>> >> unencrypted copy of the password".
>> >
>> >Do you mean "no files at all" or "no files in revision-control"?
>> >Again, you have to decide whether you trust your administrators.
>>
>> No files at all.
>>
>
>Not even encrypted files?

Who is encrypting the file?  Where is the code key for the encryption
stored?  How does my app get access to the encryption key?  Who is
creating the encrypted file?

>You need to write something that generates long passwords, because you
>don't need to remember them, and writes them to the encrypted file.  All
>you need to do is regenerate them whenever you want.  If you are saying
>that you need to choose your own password because it is used elsewhere,
>then you are stuck again.

1: I need to be able to use the password elsewhere
2: The process for changing the password to connect to the DB is not
automated.  So I can’t have some automated task changing it every day.

>>>Why would you check the data source configuration into the
>> >revision-control system? It's not necessary to do that. Do you check
>> >Tomcat's server.xml into revision control?
>>
>> Are you going to have your data source configuration sitting on only one
>> user’s personal computer?  What happens when that person is on vacation?
>> Sick?  Has a hard drive crash?
>>
>
>I don't understand why that would be the case that you store this data
>source configuration on anyone's personal computer.  Are you saying that
>Mayo Clinic IT lets developers run production apps from Tomcats on their
>personal computers?

No, I’m saying that a file on the server is out of my reach, out of my
control, and therefore out of my consideration.

Greg



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christopher Schultz

Gregory,

On 2/12/16 6:46 PM, Dougherty, Gregory T., M.S. wrote:
> Chris,
> 
> 
> On 2/12/16, 5:27 PM, "Christopher Schultz"
>  wrote:
> 
>> Gregory,
>> 
>> On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
>>> On 2/12/16, 3:08 PM, "Leo Donahue" 
>>> wrote:
>>> 
>>> 
 On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < 
 dougherty.greg...@mayo.edu> wrote:
>>> My definition of "secure" includes "there exist no files with
>>> an unencrypted copy of the password".
>> 
>> Do you mean "no files at all" or "no files in revision-control"? 
>> Again, you have to decide whether you trust your administrators.
> 
> No files at all.
> 
> Even if I did trust my administrators, they don’t want the task of
> having to update the passwords every six months.
> 
>>> How does the data source know that this web app, unlike every 
>>> other web app in existence, is allowed to access the data
>>> source?
>> 
>> The container allows you to map data sources to web applications.
>> Use that facility. And trust your administrators.
> 
> This sounds like something I can use to uniquely identify which app
> is running, no? Can my code ask Tomcat for the DataSource the
> container assigns to the web app, that instead of returning a
> password, simply returns the name of the app?

No, it will return a DataSource. What you do with it is up to you.
Generally-speaking, a DataSource already knows the password that will
be used to access the database. So the application doesn't need to
have any passwords at all.

>>> For that matter, how do I set up the data source (whose every 
>>> element is checked into the source code control system that a 
>>> malicious user may have access to) so that it knows the
>>> passwords of interest?
>> 
>> Why would you check the data source configuration into the 
>> revision-control system? It's not necessary to do that. Do you
>> check Tomcat's server.xml into revision control?
> 
> Are you going to have your data source configuration sitting on
> only one user’s personal computer?  What happens when that person
> is on vacation? Sick?  Has a hard drive crash?

That configuration goes onto the server where you are deployed. If you
have any kind of sane configuration-management system, you'll have
that configuration locked-away somewhere safe that can be deployed (by
admins only) to new deployed nodes whenever necessary.

This has nothing to do with individual users. This has to do with
configuration management.

>> If you free yourself from the idea that everything needs to be in
>> one big revision-control system, it makes things easier.
>> Everybody does their job: the devs write the software, the admins
>> deploy it. The admins have the keys to the kingdom (they always
>> do; don't fight it) and the devs have keys to nothing.
> 
> I don’t get a vote on that one.

So you are tasked with:

(a) Removing all plaintext passwords from configuration files
(b) All configuration files must be in revision control
(c) Developers manage the passwords to the production dbs
(d) Admins must never see devs' passwords
(e) The system must actually work

Do I have that all correct?

>> Of course, the devs are writing the software, so if you are
>> truly paranoid, you need to make sure that the devs aren't
>> stealing secrets from the admins when the app runs ;)
> 
> I am truly paranoid, that’s why I want an unambiguous way to figure
> out what app is running.  That way the only data they can “steal”
> is their own data.

Use separate VMs (or JVMs) for each application. No question
whatsoever which application is running.

- -chris



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christopher Schultz

Gregory,

On 2/12/16 7:03 PM, Dougherty, Gregory T., M.S. wrote:
> It appears I’ve done a poor job explaining the situation, so let me
> try again.
> 
> We have multiple apps running on a production Tomcat server.  Each
> one of those apps has one or more passwords that belong to the app
> developers. Generally we’re talking about DB passwords.
> 
> If you’re willing to place your password in plain text in a file 
> accessible via JNDI, your problem is solved.  I’m not.

I do get it. I'm just not sure (a) why you are so concerned about
plaintext passwords and (b) how you think you can actually secure such
a system.

> I encrypt my password with my private key, then with the admin’s
> public key, then save it in a properties file for my app.  When my
> app gets launched on Tomcat, it pulls that password from the
> properties file, and send it off to the decryption code.

Encrypting your own password with your private key is next to useless.
By definition, the decryption key for the thing you just created (your
encrypted password) is publicly-known. Therefore everyone in the world
can decrypt that password.

The only thing you can gain by encrypting your own password with your
private key is authentication: the decryption code can determine that
you are the one who injected that key into the keystore.

> The decryption code decrypts the passed in string with the admin’s
> private key. Now it needs to know which public key to use to
> complete the decryption process.  If the calling app gets to say
> “hey use this key”, then a malicious user can pull my encrypted key
> out of my properties file, and send it to the decryption code while
> saying “Hey, I’m Greg’s app”. Security fail.

Is the admin's private key publicly-available? I would suspect so,
since you said that everything is checked-into source-control. If the
admin's private key is in fact public (source control = public, by
your definition), then everything an attacker needs to know (your
public key, admin's private key) is public. *There's* your "security
fail". Why? because you went through all that trouble to convince
yourself you were safe, and you actually aren't. It's /worse/ than the
plaintext scenario.

> The decryption code doesn’t save any plain text passwords anywhere.
> It’s called with a string, it decrypts the string and returns the
> result.
> 
> When I need to update my password, I encrypt the new password and
> save it in the properties file.  No work for the admin, because my
> public key hasn’t changed.
> 
> Does that make things clearer?

It does. It just doesn't make them secure in any way that I can see.

Congratulations: you have succeeded in removing plaintext passwords
from your files. But you did it in a very convoluted way that adds no
more security than using XOR or ROT13 on the password values.

If you want no cleartext passwords in configuration files, then why
not use password-less logins? It achieves the same level of security
with a lot less effort.

Remember, hiding the passwords from the admins is useless: they have
admin access to the db, so the only thing you are protecting is the
password itself, not the data it protects.

- -chris



RE: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Cris Berneburg - US
Chris

[SNIP: Chris Schultz and Greg Dougherty] 

> >>> The web app needs a DB password so it can connect to the DB.
> >> 
> >> I disagree that the web app needs a password.
> > 
> > The web app has to be able to read and write to the DB.  That takes a 
> > password.
> 
> I agree with Leo: your application only needs a javax.sql.DataSource.
> That can be pre-seeded with a password to make connections. The web 
> application itself doesn't need to have any authentication information in it,
> unless you want to be able to make new connections with different credentials.
> 
> My web applications have nary a username or password to access their 
> databases, and yet connections to SQL DataSources work perfectly fine.
> Multiple dev and test environments, demo, and production. Same code base. 
> Same revision-control system. No passwords.

Sorry, I'm confused.  Are you saying that your database does not require 
password authentication?  Or are you saying that while your DB does require 
password authentication, the applications do not access those passwords because 
you rely on a data source that provides the password to the DB?  Is the data 
source an intermediary that does the authentication?  I'm still struggling 
conceptually with the "security requirement" of having encrypted passwords, as 
opposed to clear-text passwords, stored in config files on the tomcat server.  
"It's turtles (passwords) all the way down!"  Or is that a different issue?

[SNIP AGAIN]

--
Cris Berneburg, Lead Software Engineer, CACI





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread tomcat

On 15.02.2016 11:06, Christoph Nenning wrote:
> > Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL
> > ()" call, and assumed that nothing else could have that. :-)
> >
> > Thank you for the SecurityManager suggestion, I hadn't thought about
> > that.  I'll look in to how much of a pain that is.
>
> You can rebuild the url with several methods of HttpServletRequest like:
> - getScheme()
> - getServerPort()
> - getContextPath()
> - getServletPath()
> - getPathInfo()
>
> To figure out the host name you can use the Host header:
> getHeader("Host")
>
> Regards,
> Christoph



Christoph,
to save the OP (and Mark, and Christopher) some re-explaining, here is a 
summary :

- the above is known
- but the question here is that the above cannot be trusted, because the webapp cannot be 
trusted, and the webapp could have "wrapped" the original HttpServletRequest with another 
object, which could have its own methods overriding the above and returning falsified 
responses.
Granted, this is a bit nitpicking, but this being done as part of some security scheme 
(the validity of which is not the point of this summary), one needs to take this into 
consideration.


André

> > On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:
> >
> > >On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> > >> I would like to have a jar file in tomcat/lib that can be called from
> > >>any of the running web apps.  I need for the code in the jar to behave
> > >>differently depending on which web app called it.  It is not in this
> > >>case possible for the code to "trust" the caller to tell it the URL of
> > >>the caller.
> > >>
> > >> Is it possible for that code to independently determine the URL of the
> > >>caller?
> > >
> > >If you can't trust the caller to tell you the URL, you can't trust that
> > >the caller isn't going to tinker with whatever mechanism you do use to
> > >determine the URL.
> > >
> > >You'd have a better chance of doing this if you ran under a
> > >SecurityManager but unless you write an application from the start with
> > >the intention of running it under a SecurityManager it is usually a lot
> > >of additional effort to update the app so it runs correctly.
> > >
> > >Mark





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christoph Nenning
> > Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL
> > ()" call, and assumed that nothing else could have that. :-)
> > 
> > Thank you for the SecurityManager suggestion, I hadn't thought about 
> > that.  I'll look in to how much of a pain that is.
> 
> 
> You can rebuild the url with several methods of HttpServletRequest like:
> - getScheme()
> - getServerPort()
> - getContextPath()
> - getServletPath()
> - getPathInfo()
> 
> To figure out the host name you can use the Host header:
> getHeader("Host")
> 

Oh, now I see there have been much more messages on this thread. Sorry for 
not reading it first.


 
Regards,
Christoph
> 
> 
> 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:
> > 
> > >On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> > >> I would like to have a jar file in tomcat/lib that can be called from
> > >>any of the running web apps.  I need for the code in the jar to behave
> > >>differently depending on which web app called it.  It is not in this
> > >>case possible for the code to "trust" the caller to tell it the URL of
> > >>the caller.
> > >> 
> > >> Is it possible for that code to independently determine the URL of the
> > >>caller?
> > >
> > >If you can't trust the caller to tell you the URL, you can't trust that
> > >the caller isn't going to tinker with whatever mechanism you do use to
> > >determine the URL.
> > >
> > >You'd have a better chance of doing this if you ran under a
> > >SecurityManager but unless you write an application from the start with
> > >the intention of running it under a SecurityManager it is usually a lot
> > >of additional effort to update the app so it runs correctly.
> > >
> > >Mark
> > >


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-15 Thread Christoph Nenning
> Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL
> ()" call, and assumed that nothing else could have that. :-)
> 
> Thank you for the SecurityManager suggestion, I hadn't thought about 
> that.  I'll look in to how much of a pain that is.


You can rebuild the url with several methods of HttpServletRequest like:
- getScheme()
- getServerPort()
- getContextPath()
- getServletPath()
- getPathInfo()

To figure out the host name you can use the Host header:
getHeader("Host")


Regards,
Christoph



> 
> 
> 
> 
> 
> 
> 
> On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:
> 
> >On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> >> I would like to have a jar file in tomcat/lib that can be called from
> >>any of the running web apps.  I need for the code in the jar to behave
> >>differently depending on which web app called it.  It is not in this
> >>case possible for the code to "trust" the caller to tell it the URL of
> >>the caller.
> >> 
> >> Is it possible for that code to independently determine the URL of the
> >>caller?
> >
> >If you can't trust the caller to tell you the URL, you can't trust that
> >the caller isn't going to tinker with whatever mechanism you do use to
> >determine the URL.
> >
> >You'd have a better chance of doing this if you ran under a
> >SecurityManager but unless you write an application from the start with
> >the intention of running it under a SecurityManager it is usually a lot
> >of additional effort to update the app so it runs correctly.
> >
> >Mark
> >
> >


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread tomcat

Sorry, I lost the original message, so I can't respond in-thread.
I only saw the last message, but to that, isn't this what the Op is asking for :

http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html

No matter which jar these things are in, if these methods get called, they should return 
the current URI which the client called to trigger the current webapp, no ?

(I'm talking of getRequestURL() and siblings).





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL
()" call, and assumed that nothing else could have that. :-)

Thank you for the SecurityManager suggestion, I hadn't thought about that.
 I'll look in to how much of a pain that is.
-- 
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu

On 2/11/16, 5:33 PM, "Mark Thomas"  wrote:

>On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
>> I would like to have a jar file in tomcat/lib that can be called from
>>any of the running web apps.  I need for the code in the jar to behave
>>differently depending on which web app called it.  It is not in this
>>case possible for the code to "trust" the caller to tell it the URL of
>>the caller.
>> 
>> Is it possible for that code to independently determine the URL of the
>>caller?
>
>If you can't trust the caller to tell you the URL, you can't trust that
>the caller isn't going to tinker with whatever mechanism you do use to
>determine the URL.
>
>You'd have a better chance of doing this if you ran under a
>SecurityManager but unless you write an application from the start with
>the intention of running it under a SecurityManager it is usually a lot
>of additional effort to update the app so it runs correctly.
>
>Mark
>
>



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

André,

On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
> Sorry, I lost the original message, so I can't respond in-thread. I
> only saw the last message, but to that, isn't this what the Op is 
> asking for :
> 
> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html
> 
> No matter which jar these things are in, if these methods get
> called, they should return the current URI which the client called
> to trigger the current webapp, no ? (I'm talking of getRequestURL()
> and siblings).

Mark's response accurately points out that anything the library does
to try to determine which application it's running under can
relatively easily be subverted by the application itself.

For your example above, it would be easy to simply wrap the
HttpServletRequest object and override "getRequestURL" and friends.

If you don't trust the code calling you, then you can't trust anything
up the stack.

- -chris



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread tomcat

On 12.02.2016 20:08, Christopher Schultz wrote:
> André,
>
> On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
> > Sorry, I lost the original message, so I can't respond in-thread. I
> > only saw the last message, but to that, isn't this what the Op is
> > asking for :
> >
> > http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html
> >
> > No matter which jar these things are in, if these methods get
> > called, they should return the current URI which the client called
> > to trigger the current webapp, no ? (I'm talking of getRequestURL()
> > and siblings).
>
> Mark's response accurately points out that anything the library does
> to try to determine which application it's running under can
> relatively easily be subverted by the application itself.
>
> For your example above, it would be easy to simply wrap the
> HttpServletRequest object and override "getRequestURL" and friends.
>
> If you don't trust the code calling you, then you can't trust anything
> up the stack.
>

Ok, sorry, I have not really followed the thread since the beginning. I did not realise 
that there was a question of not trusting the *code* of the webapps themselves.

I thought it was only not trusting the client (browser or whatever).

But let me then push the question one level deeper, at the Java level : is there a way by 
which some code about to call a method, could find out if this method is "the genuine 
article", or has been overridden by a wrapper for instance ?


(And I do realise that this is not really applicable here, it is more by 
curiosity)
I mean, the JVM of course must know; but is there a way by which the code can ask the JVM 
about this ?
Or alternatively, can the code "force" the JVM to execute the real method of the original 
parent (in this case HttpServletRequest) instead of a perhaps wrapper object's method ?






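An added example (not code from the thread) covering Christoph's list of HttpServletRequest accessors and André's question about telling a wrapper from the genuine article: it rebuilds the URL from those accessors, then walks the ServletRequestWrapper chain to see whether the object underneath is the RequestFacade that Tomcat itself handed to the webapp, the object Chris describes a webapp wrapping to override getRequestURL and friends. The package name is an assumption; the class is meant to sit in tomcat/lib with catalina.jar on its classpath.

```java
package com.example.ident;  // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.connector.RequestFacade;

public final class RequestIdentity {

    private RequestIdentity() {}

    /** The URL Christoph describes, assembled from the individual accessors. */
    public static String rebuildUrl(HttpServletRequest req) {
        String scheme = req.getScheme();
        int port = req.getServerPort();
        StringBuilder url = new StringBuilder(scheme).append("://")
                .append(req.getServerName());   // Tomcat fills this from the Host header Christoph mentions
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                           || ("https".equals(scheme) && port == 443);
        if (!defaultPort) {
            url.append(':').append(port);
        }
        url.append(req.getContextPath()).append(req.getServletPath());
        if (req.getPathInfo() != null) {
            url.append(req.getPathInfo());
        }
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        return url.toString();
    }

    /** Strip every ServletRequestWrapper layer and return the innermost object. */
    public static ServletRequest unwrap(ServletRequest req) {
        ServletRequest r = req;
        while (r instanceof ServletRequestWrapper) {
            r = ((ServletRequestWrapper) r).getRequest();
        }
        return r;
    }

    /**
     * Tomcat gives a webapp an org.apache.catalina.connector.RequestFacade.
     * Comparing the Class object (not the name) means a same-named class loaded
     * by the webapp's own class loader, a subclass, or a from-scratch
     * HttpServletRequest implementation all fail the check.
     */
    public static boolean isTomcatsOwnRequest(ServletRequest req) {
        return unwrap(req).getClass() == RequestFacade.class;
    }

    /** Context path read through the unwrapped object, or null when the chain is not Tomcat's. */
    public static String trustedContextPath(HttpServletRequest req) {
        if (!isTomcatsOwnRequest(req)) {
            return null;
        }
        return ((HttpServletRequest) unwrap(req)).getContextPath();
    }

    /** Same idea for the full URL: refuse to answer unless the object underneath is Tomcat's. */
    public static String trustedUrl(HttpServletRequest req) {
        if (!isTomcatsOwnRequest(req)) {
            return null;
        }
        return rebuildUrl((HttpServletRequest) unwrap(req));
    }
}
```

This catches the straightforward trick of wrapping the request and overriding getRequestURL. It does not catch the case Mark and Chris describe: with no SecurityManager, code in the same JVM can reach Tomcat's own classes, including the public constructors of Request and RequestFacade, or simply call the library from a thread of its own with an object it built, so a true result raises the bar rather than proving which webapp is calling.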

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
It is what I'm looking for, except I need a way to get an object that I
can trust that implements that interface.
-- 
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu

On 2/12/16, 12:11 PM, "André Warnier (tomcat)"  wrote:

>Sorry, I lost the original message, so I can't respond in-thread.
>I only saw the last message, but to that, isn't this what the Op is
>asking for :
>
>http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html
>
>No matter which jar these things are in, if these methods get called,
>they should return
>the current URI which the client called to trigger the current webapp, no
>?
>(I'm talking of getRequestURL() and siblings).
>
>



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
You can honestly tell who's calling you, since you can throw an exception,
catch it, then look at the stack trace.

If you have an object, you can get its class, you can get what methods it
implements, and you can get its parent class and recurse.

So that should let you figure out which class will be implementing the
method you're calling, unless I'm totally confused.







On 2/12/16, 1:35 PM, "André Warnier (tomcat)"  wrote:

>On 12.02.2016 20:08, Christopher Schultz wrote:
>>
>> André,
>>
>> On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
>>> Sorry, I lost the original message, so I can't respond in-thread. I
>>> only saw the last message, but to that, isn't this what the Op is
>>> asking for :
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/
>> HttpServletRequest.html
>>>
>>>
>>>
>>> No matter which jar these things are in, if these methods get
>>> called, they should return the current URI which the client called
>>> to trigger the current webapp, no ? (I'm talking of getRequestURL()
>>> and siblings).
>>
>> Mark's response accurately points out that anything the library does
>> to try to determine which application it's running under can
>> relatively easily be subverted by the application itself.
>>
>> For your example above, it would be easy to simply wrap the
>> HttpServletRequest object and override "getRequestURL" and friends.
>>
>> If you don't trust the code calling you, then you can't trust anything
>> up the stack.
>>
>
>Ok, sorry, I have not really followed the thread since the beginning. I
>did not realise 
>that there was a question of not trusting the *code* of the webapps
>themselves.
>I though it was only not trusting the client (browser or whatever).
>
>But let me then push the question one level deeper, at the Java level :
>is there a way by 
>which some code about to call a method, could find out if this method is
>"the genuine 
>article", or has been overridden by a wrapper for instance ?
>
>(And I do realise that this is not really applicable here, it is more by
>curiosity)
>I mean, the JVM of course must know; but is there a way by which the code
>can ask the JVM 
>about this ?
>Or alternatively, can the code "force" the JVM to execute the real method
>of the original 
>parent (in this case HttpServletRequest) instead of a perhaps wrapper
>object's method ?
>
>
>
>





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> I would like to have a jar file in tomcat/lib that can be called from any
of the running web apps.  I need for the code in the jar to behave
differently depending on which web app called it.

I would agree with what the others are saying here.  It seems you are
trying to authorize an entire web app instead of authorizing the user of the
web app.

If the jar simply needs to take action based on a role of some kind, then
could you not tie in an LDAP user with appropriate role?

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread tomcat

On 12.02.2016 20:49, Dougherty, Gregory T., M.S. wrote:

You can honestly tell who's calling you, since you can throw an exception,
catch it, then look at the stack trace.

If you have an object, you can get its class, you can get what methods it
implements, and you can get its parent class and recurse.

So that should let you figure out which class will be implementing the
method you're calling, unless I'm totally confused.



I can be confused easily too, in matters Java.
But let's just speculate, and someone undoubtedly would correct me if I'm wrong.
Since
1) you do not necessarily trust the code which is (directly) calling you.  But you would 
trust it if you were sure that it is the original Tomcat code.
2) if I remember correctly, a HttpServletRequest object is immutable, so nobody can have 
modified the original data of the request, as it came in and was parsed by Tomcat.
3) What they could do however, is wrap the original object into another, and override the 
methods so that they would return other data than the original when you call getRequestURL
4) but you can climb up the object hierarchy, until you find the original (Tomcat) 
HttpServletRequest object and its methods


yes ?
Then I would imagine that there must be a way for you to retrieve the data as provided by 
the original HttpServletRequest getRequestURL, no ?






Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread tomcat

On 12.02.2016 21:00, Leo Donahue wrote:

On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:


I would like to have a jar file in tomcat/lib that can be called from any

of the running web apps.  I need for the code in the jar to behave
differently depending on which web app called it.

I would agree with what the others are saying here.  It seems you are
trying to authorize an entire web app instead of authorizing the user of the
web app.

If the jar simply needs to take action based on a role of some kind, then
could you not tie in an LDAP user with appropriate role?



I do not know either what the ultimate use case of the OP is.
But I could imagine for example some webapps allowing to upload a file, and this jar 
containing a "saveFile" method which saves the file to a different server directory, 
depending on which webapp called it (but without relying for this on a parameter passed by 
the webapp or its configuration, and just relying on the URL having been used to call that 
webapp).

(Of course there are other ways to achieve this, but this is just as a non-AAA 
example).

Gregory, it may be time to tell us something about what you /really/ want to 
achieve here.





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:50 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> How does it validate itself to that common location, without a password
>

A.  Stop top posting.  You're killing me on my Android phone backspacing to
where I want to reply.

B.  What is "it"?  The web app?  The web app user?

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> The web app needs a DB password so it can connect to the DB.

I disagree that the web app needs a password.

> None of the
> users have direct access to the DB.

Nor should they.

> The web app uses LDAP to validate
> users.

That is fine.

>
> How does the Web app get access to the DB, without saving within the web
> app anything that someone else could also use to get access to that DB?
>

Implement your own data source.


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> You are correct, I'm trying to authorize the web app, not the user.
>
> Goal: I am trying to come up with a way for a Tomcat app to securely store
> and retrieve the password it needs to access a DB.
>
> My definition of "secure" includes "there exist no files with an
> unencrypted copy of the password".  IIUC, JNDI fails this test.
>
> My requirements include that all web app components are checked in to a
> source control system that malicious users can have read access to.
> --
> Gregory Dougherty

This is a secure password question?

This task falls more in line with your enterprise architecture than with a
simple common jar file.

Think about how you could implement your own data source that reads
encrypted passwords from some common location.

The Tomcat "app" should not have anything to do with this.

Leo


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
On 2/12/16, 2:54 PM, "Leo Donahue"  wrote:


>On Feb 12, 2016 2:50 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> How does it validate itself to that common location, without a password
>>
>
>A.  Stop top posting.  You're killing me on my Android phone backspacing
>to
>where I want to reply.
>
>B.  What is "it"?  The web app?  The web app user?
>
>Leo

The web app needs a DB password so it can connect to the DB.  None of the
users have direct access to the DB.  The web app uses LDAP to validate
users.

How does the Web app get access to the DB, without saving within the web
app anything that someone else could also use to get access to that DB?





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Tim Watts
On Fri, 2016-02-12 at 20:35 +, Dougherty, Gregory T., M.S. wrote:
> You are correct, I'm trying to authorize the web app, not the user.
> 
> Goal: I am trying to come up with a way for a Tomcat app to securely store
> and retrieve the password it needs to access a DB.
> 
> My definition of "secure" includes "there exist no files with an
> unencrypted copy of the password".  IIUC, JNDI fails this test.
> 
> My requirements include that all web app components are checked in to a
> source control system that malicious users can have read access to.
> 
> Solution:
> 1: Trusted user creates public:private key pair (1), distributes public key
> 2: Web app developer creates public:private key pair (2), distributes
> public key
> 3: Web app developer encrypts password with private key 2, then public
> key 1, stores with web app
> 4: Web app calls decryption jar that's in tomcat/lib, passing in the
> encrypted password from step 3
> 5: Decryption code determines which app called it, pulls the public key
> (3) saved for that app
> 6: Decryption code decrypts with private key 1, public key 3, and returns
> the unencrypted password.
> 
> So long as 1: Trusted user can store private key where it's secure, but
> accessible to decryption code

Since the webapps all run in the same tomcat and therefore under the
same OS user account, how do you ensure that *only* the decryption code
can access the private key?  Otherwise, any webapp could decrypt any
other webapp's password.


> , and 2: Can correctly determine the calling
> app, I believe this setup is secure.
> 
> We log who uploads the web apps, so if user X uploads a bogus "User Y
> App", we can deal with that.






Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

Gregory,

On 2/12/16 2:49 PM, Dougherty, Gregory T., M.S. wrote:
> You can honestly tell who's calling you, since you can throw an
> exception, catch it, then look at the stack trace.

Sure. There are easier ways to do that (see Chuck's post), but it
doesn't get you anything. The idea here is that the environment is known
:

1. Tomcat is available (and trustworthy), invokes web application code
2. Web application is untrustworthy, calls library code
3. Library code wants to be sure the web application hasn't
   tampered with any data

In this case, the library will discover that (*gasp*!) an untrusted
application has called methods within itself! Oh noes! Well, actually,
that was entirely expected. And the fact that Tomcat is up in the
stack trace somewhere doesn't prove anything about the validity of the
data.

So the stack trace idea is a red herring.

> If you have an object, you can get its class, you can get what
> methods it implements, and you can get its parent class and
> recurse.
> 
> So that should let you figure out which class will be implementing
> the method you're calling, unless I'm totally confused.

Sure, but what happens if the classes all look legit?

How about this?

HttpServletRequest request = [original, real request];
final String requestURI = "/forged";

library.doSomething(new HttpServletRequestWrapper(new
HttpServletRequestWrapper(request) {
  @Override
  public String getRequestURI() { return requestURI; }
}));

The library code wants to check to see if the HttpServletRequest
object is legit, so it looks at its runtime type. The runtime type is
javax.servlet.http.HttpServletRequestWrapper. That's not evil, is it?
But there are two layers of wrapper: one that is evil (the internal
one) and then a nice, clean, shiny, no-op wrapper around it. And you
can't penetrate the wrapper to find out what kind of object it's wrapping.

Yes, you can use introspection and look at the
ServletRequestWrapper.request field, but you will be prohibited from
checking that value under a SecurityManager. And if you don't trust
your web applications, then you should be running under a SecurityManager.

Ultimately, I think this is going to boil-down to "I have a library
that I want to license only for certain applications and I don't want
it used outside of those". You should fix that kind of thing with
legal contracts instead of trying to enforce it with technology.

-chris

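To make Chris's double-wrapper point concrete, here is an added example (my code, not Chris's, Tomcat's or any library's): a hypothetical library-side `looksGenuine` check that trusts a request by its exact runtime class, a stand-in for the container's request built with a dynamic proxy, and the two wrappers from his snippet. It assumes only the Servlet 3.x API (`javax.servlet`) on the classpath, no running Tomcat.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class WrapperCheckDemo {

    // Hypothetical library-side check: accept the request only if its exact
    // runtime class is the stock Servlet API wrapper or a Tomcat connector
    // class. This is the "look at its runtime type" test Chris describes.
    static boolean looksGenuine(HttpServletRequest req) {
        String cls = req.getClass().getName();
        return cls.equals("javax.servlet.http.HttpServletRequestWrapper")
                || cls.startsWith("org.apache.catalina.connector.");
    }

    // Stand-in for the container's own request object, constructed here with
    // a dynamic proxy so the demo runs without a servlet container.
    static HttpServletRequest containerRequest() {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "getRequestURI": return "/real";
                        case "toString":      return "container request";
                        case "hashCode":      return System.identityHashCode(proxy);
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });
    }

    public static void main(String[] args) {
        HttpServletRequest real = containerRequest();

        // Inner wrapper: overrides getRequestURI, as in Chris's snippet.
        HttpServletRequest forged = new HttpServletRequestWrapper(real) {
            @Override
            public String getRequestURI() { return "/forged"; }
        };

        // Outer wrapper: a stock, no-op HttpServletRequestWrapper around it.
        HttpServletRequest hidden = new HttpServletRequestWrapper(forged);

        // The anonymous subclass fails the exact-class test ...
        report("forged wrapper alone", forged);
        // ... but the outer wrapper's runtime class is exactly
        // javax.servlet.http.HttpServletRequestWrapper, so the same test
        // passes while getRequestURI() still delegates to the forged value.
        report("forged wrapper behind a stock wrapper", hidden);
    }

    static void report(String label, HttpServletRequest req) {
        System.out.printf("%-40s class=%s genuine=%b uri=%s%n", label,
                req.getClass().getName(), looksGenuine(req), req.getRequestURI());
    }
}
```

The run shows the exact-class check rejecting the anonymous subclass but accepting the stock outer wrapper, while both return the forged URI; the lesson for the library is the one Chris draws, that trust cannot be derived from a caller-supplied request object.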



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
Chris,


On 2/12/16, 5:19 PM, "Christopher Schultz" 
wrote:

>
>Gregory,
>
>On 2/12/16 3:35 PM, Dougherty, Gregory T., M.S. wrote:
>> You are correct, I'm trying to authorize the web app, not the
>> user.
>> 
>> Goal: I am trying to come up with a way for a Tomcat app to
>> securely store and retrieve the password it needs to access a DB.
>
>Is it Tomcat that needs access to the password, or the library?
Sorry, for a web app running on Tomcat.

>> My definition of "secure" includes "there exist no files with an
>> unencrypted copy of the password".  IIUC, JNDI fails this test.
>> 
>> My requirements include that all web app components are checked in
>> to a source control system that malicious users can have read
>> access to.
>> 
>> Solution: 1: Trusted user creates public:private key pair (1),
>> distributes public key 2: Web app developer creates public:private
>> key pair (2), distributes public key 3: Web app developer encrypted
>> password with private key 2, then public key 1, stores with web
>> app 4: Web app calls decryption jar that's in tomcat/lib, passing
>> in the encrypted password from step 3 5: Decryption code determines
>> which app called it, pulls the public key (3) saved for that app 6:
>> Decryption code decrypts with private key 1, public key 3, and
>> returns the unencrypted password.
>
>Sounds crazy:
>
>(a) You have web developers managing passwords, keys, etc. Don't trust
>those fools! They are the ones writing those untrustworthy applications!

It’s their password I’m trusting them with.  What I don’t trust them with
is anyone else’s password.  The encrypted passwords are saved in source
code control with the web app.  Many people can read that.  Therefore the
challenge is to make sure that many people can read the encrypted
password, but only the right app can decrypt it.

>(b) You never said that any private key is stored with the web
>application (or library). How does that all work?

Probably have the Sys admin upload it to the decryption code after Tomcat
is started up.

>(c) You have two layers of encryption where only one is necessary:
>have someone (not one of the devs) encrypt the true password with a
>public key, and have only the library (or whatever) have access to the
>private key. Don't distribute the private key with the library. Only
>deploy the private key onto a server where the library will be used
>for production. That second layer does nothing unless I misunderstand
>what's going on.

You misunderstand what’s going on.
The the web app developers are the only ones who know their passwords.  If
they only encrypt it with the secure public key, then anyone else can take
that encrypted password, use it in their app, and get the unencrypted
password back.

>> So long as 1: Trusted user can store private key where it's secure,
>> but accessible to decryption code, and 2: Can correctly determine
>> the calling app, I believe this setup is secure.
>> 
>> We log who uploads the web apps, so if user X uploads a bogus "User
>> Y App", we can deal with that.
>
>You can use JNDI in a way that is secure from the web application
>(within reason). You can't make it secure from the administrator, though.
>
>Do you trust your administrators in this scenario?

I don’t trust anyone enough to give them a plain text copy of my
passwords, no.

>- -chris
>



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
On 2/12/16, 3:40 PM, "Tim Watts"  wrote:


>On Fri, 2016-02-12 at 20:35 +, Dougherty, Gregory T., M.S. wrote:
>> You are correct, I'm trying to authorize the web app, not the user.
>> 
>> Goal: I am trying to come up with a way for a Tomcat app to securely
>>store
>> and retrieve the password it needs to access a DB.
>> 
>> My definition of "secure" includes "there exist no files with an
>> unencrypted copy of the password".  IIUC, JNDI fails this test.
>> 
>> My requirements include that all web app components are checked in to a
>> source control system that malicious users can have read access to.
>> 
>> Solution:
>> 1: Trusted user creates public:private key pair (1), distributes public
>>key
>> 2: Web app developer creates public:private key pair (2), distributes
>> public key
>> 3: Web app developer encrypted password with private key 2, then public
>> key 1, stores with web app
>> 4: Web app calls decryption jar that's in tomcat/lib, passing in the
>> encrypted password from step 3
>> 5: Decryption code determines which app called it, pulls the public key
>> (3) saved for that app
>> 6: Decryption code decrypts with private key 1, public key 3, and
>>returns
>> the unencrypted password.
>> 
>> So long as 1: Trusted user can store private key where it's secure, but
>> accessible to decryption code
>
>Since the webapps all run in the same tomcat and therefore under the
>same OS user account, how do you ensure that *only* the decryption code
>can access the private key?  Otherwise, any webapp could decrypt any
>other webapp's password.

I’m leaning towards having a web app that the sys admin uses to upload his
private key to the decryption code.  So long as we have a “setPrivateKey
()” and no “getPrivateKey ()” a malicious user can break everyone, but
can’t extract anything.





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
Oh, one thing I left out: Tomcat is running multiple web apps, each which
needs its own password(s).

Tomcat is run by the sys admin, who is presumed to be trusted.  The sys
admin will be creating the public:private key pair in step 1.
The encryption code will be checked by multiple people, and is assumed to
be trusted.  
This solution does not concern itself with the possibility of someone
modifying the Tomcat app that everyone is running under (not saying it
can’t happen, saying it’s outside the scope of concern at this time).








On 2/12/16, 2:35 PM, "Dougherty, Gregory T., M.S."
 wrote:

>You are correct, I'm trying to authorize the web app, not the user.
>
>Goal: I am trying to come up with a way for a Tomcat app to securely store
>and retrieve the password it needs to access a DB.
>
>My definition of "secure" includes "there exist no files with an
>unencrypted copy of the password".  IIUC, JNDI fails this test.
>
>My requirements include that all web app components are checked in to a
>source control system that malicious users can have read access to.
>
>Solution:
>1: Trusted user creates public:private key pair (1), distributes public
>key
>2: Web app developer creates public:private key pair (2), distributes
>public key
>3: Web app developer encrypted password with private key 2, then public
>key 1, stores with web app
>4: Web app calls decryption jar that's in tomcat/lib, passing in the
>encrypted password from step 3
>5: Decryption code determines which app called it, pulls the public key
>(3) saved for that app
>6: Decryption code decrypts with private key 1, public key 3, and returns
>the unencrypted password.
>
>So long as 1: Trusted user can store private key where it's secure, but
>accessible to decryption code, and 2: Can correctly determine the calling
>app, I believe this setup is secure.
>
>We log who uploads the web apps, so if user X uploads a bogus "User Y
>App", we can deal with that.
>
>
>
>
>
>
>
>On 2/12/16, 2:00 PM, "Leo Donahue"  wrote:
>
>>On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
>>dougherty.greg...@mayo.edu> wrote:
>>>
>>> I would like to have a jar file in tomcat/lib that can be called from
>>>any
>>of the running web apps.  I need for the code in the jar to behave
>>differently depending on which web app called it.
>>
>>I would agree with what the others are saying here.  It seems you are
>>trying to authorize an entire web app instead of authorizing the user of
>>the
>>web app.
>>
>>If the jar simply needs to take action based on a role of some kind, then
>>could you not tie in an LDAP user with appropriate role?
>>
>>Leo
>
>
>



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:


>On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> The web app needs a DB password so it can connect to the DB.
>
>I disagree that the web app needs a password.
The web app has to be able to read and write to the DB.  That takes a
password.
>
>> How does the Web app get access to the DB, without saving within the web
>> app anything that someone else could also use to get access to that DB?
>>
>
>Implement your own data source.

How does the web app connect to the data source?  How does the data source
know that this web app, unlike every other web app in existence, is
allowed to access the data source?

For that matter, how do I set up the data source (whose every element is
checked into the source code control system that a malicious user may have
access to) so that it knows the passwords of interest?

That leaves aside the issue that the web app is a production web app,
which means it can't rely on a non-production data source, which means I
can't set up my own data source.  But even if I could, all the other
problems still apply.







Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <
dougherty.greg...@mayo.edu> wrote:
>
> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
>
>
> >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> >dougherty.greg...@mayo.edu> wrote:
> >>
> >> The web app needs a DB password so it can connect to the DB.
> >
> >I disagree that the web app needs a password.
> The web app has to be able to read and write to the DB.  That takes a
> password.

No, javax.sql.DataSource needs a password.  Your web app just needs a user
name.

Your custom data source will fetch a password.

> >
> >> How does the Web app get access to the DB, without saving within the
web
> >> app anything that someone else could also use to get access to that DB?
> >>
> >
> >Implement your own data source.
>
> How does the web app connect to the data source?  How does the data source
> know that this web app, unlike every other web app in existence, is
> allowed to access the data source?
>
> For that matter, how do I set up the data source (whose every element is
> checked into the source code control system that a malicious user may have
> access to) so that it knows the passwords of interest?
>
> That leaves aside the issue that the web app is a production web app,
> which means it can't rely on a non-production data source, which means I
> can't set up my own data source.  But even if I could, all the other
> problems still apply.
> --

A.  You don't get to manage your passwords.

B.  The suggestion I'm giving you requires coordination with sys admins and
DBA's.  It is more than just a simple app trying find a way to hide
passwords, none of which will "ever" be in source control.

Leo


RE: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Caldarale, Charles R
> From: Dougherty, Gregory T., M.S. [mailto:dougherty.greg...@mayo.edu] 
> Subject: Re: Is there a way for code running on Tomcat 7+ to determine the 
> URL of the Web App it's running under?

> You can honestly tell who's calling you, since you can throw an exception,
> catch it, then look at the stack trace.

Or just call Thread.getStackTrace()...

 - Chuck







Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
You are correct, I'm trying to authorize the web app, not the user.

Goal: I am trying to come up with a way for a Tomcat app to securely store
and retrieve the password it needs to access a DB.

My definition of "secure" includes "there exist no files with an
unencrypted copy of the password".  IIUC, JNDI fails this test.

My requirements include that all web app components are checked in to a
source control system that malicious users can have read access to.

Solution:
1: Trusted user creates public:private key pair (1), distributes public key
2: Web app developer creates public:private key pair (2), distributes
public key
3: Web app developer encrypts password with private key 2, then public
key 1, stores with web app
4: Web app calls decryption jar that's in tomcat/lib, passing in the
encrypted password from step 3
5: Decryption code determines which app called it, pulls the public key
(3) saved for that app
6: Decryption code decrypts with private key 1, public key 3, and returns
the unencrypted password.

So long as 1: Trusted user can store private key where it's secure, but
accessible to decryption code, and 2: Can correctly determine the calling
app, I believe this setup is secure.

We log who uploads the web apps, so if user X uploads a bogus "User Y
App", we can deal with that.







On 2/12/16, 2:00 PM, "Leo Donahue"  wrote:

>On Feb 11, 2016 4:56 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> I would like to have a jar file in tomcat/lib that can be called from
>>any
>of the running web apps.  I need for the code in the jar to behave
>differently depending on which web app called it.
>
>I would agree with what the others are saying here.  It seems you are
>trying to authorize an entire web app instead of authorizing the user of the
>web app.
>
>If the jar simply needs to take action based on a role of some kind, then
>could you not tie in an LDAP user with appropriate role?
>
>Leo





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

Gregory,

On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
> 
> 
>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < 
>> dougherty.greg...@mayo.edu> wrote:
>>> 
>>> The web app needs a DB password so it can connect to the DB.
>> 
>> I disagree that the web app needs a password.
> 
> The web app has to be able to read and write to the DB.  That takes
> a password.

I agree with Leo: your application only needs a javax.sql.DataSource.
That can be pre-seeded with a password to make connections. The web
application itself doesn't need to have any authentication information
in it, unless you want to be able to make new connections with
different credentials.

My web applications have nary a username or password to access their
databases, and yet connections to SQL DataSources work perfectly fine.
Multiple dev and test environments, demo, and production. Same code
base. Same revision-control system. No passwords.

>>> How does the Web app get access to the DB, without saving
>>> within the web app anything that someone else could also use to
>>> get access to that DB?
>>> 
>> 
>> Implement your own data source.
> 
> How does the web app connect to the data source?

Tomcat provides a DataSource via JNDI. There are other ways you could
implement this as well, but the JNDI DataSource seems like it should
meet your needs. Except maybe this one:

> My definition of "secure" includes "there exist no files with an 
> unencrypted copy of the password".

Do you mean "no files at all" or "no files in revision-control"?
Again, you have to decide whether you trust your administrators.

> How does the data source know that this web app, unlike every
> other web app in existence, is allowed to access the data source?

The container allows you to map data sources to web applications. Use
that facility. And trust your administrators.

> For that matter, how do I set up the data source (whose every
> element is checked into the source code control system that a
> malicious user may have access to) so that it knows the passwords
> of interest?

Why would you check the data source configuration into the
revision-control system? It's not necessary to do that. Do you check
Tomcat's server.xml into revision control?

> That leaves aside the issue that the web app is a production web
> app, which means it can't rely on a non-production data source,
> which means I can't set up my own data source.  But even if I
> could, all the other problems still apply.

If you free yourself from the idea that everything needs to be in one
big revision-control system, it makes things easier. Everybody does
their job: the devs write the software, the admins deploy it. The
admins have the keys to the kingdom (they always do; don't fight it)
and the devs have keys to nothing.

Of course, the devs are writing the software, so if you are truly
paranoid, you need to make sure that the devs aren't stealing secrets
from the admins when the app runs ;)

- -chris
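Chris's advice in this reply, written out as an added example (my code, not from the thread and not Tomcat's own sources). It assumes a resource named jdbc/AppDB declared by the administrator in the web app's META-INF/context.xml (or a <Context> in conf/server.xml), a PostgreSQL driver on the container classpath, and a hypothetical app_user table; the placeholder password in the comment stands for whatever the administrator sets. The application code itself never sees the credentials.

```java
// Added example (not from the thread): a web application that obtains its
// database connection from a container-managed JNDI DataSource, so the
// credentials live only in the container's configuration, not in the WAR.
//
// Hypothetical META-INF/context.xml, kept out of the application's
// revision control and owned by the administrator:
//
//   <Context>
//     <Resource name="jdbc/AppDB" auth="Container"
//               type="javax.sql.DataSource"
//               driverClassName="org.postgresql.Driver"
//               url="jdbc:postgresql://db.example.internal:5432/app"
//               username="app_user" password="ADMIN-SETS-THIS-PLACEHOLDER"/>
//   </Context>
//
// The matching declaration in the application's web.xml, which carries no
// credentials and can safely be checked in:
//
//   <resource-ref>
//     <res-ref-name>jdbc/AppDB</res-ref-name>
//     <res-type>javax.sql.DataSource</res-type>
//     <res-auth>Container</res-auth>
//   </resource-ref>

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public final class JndiRepository {

    private final DataSource dataSource;

    /** Looks up the container-bound DataSource once, at construction. */
    public JndiRepository() throws NamingException {
        InitialContext ctx = new InitialContext();
        // java:comp/env is the per-webapp environment namespace; the container
        // maps jdbc/AppDB to whatever Resource the administrator configured.
        this.dataSource = (DataSource) ctx.lookup("java:comp/env/jdbc/AppDB");
    }

    /** Alternative wiring for tests, or for any DataSource obtained elsewhere. */
    JndiRepository(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Example query against a hypothetical table; no credentials in sight. */
    public String findDisplayName(long userId) throws SQLException {
        String sql = "SELECT display_name FROM app_user WHERE id = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The password does still exist in the container's configuration file, which is exactly what Greg objects to later in the thread; Chris's point is that this file belongs to the administrator, stays out of the developers' repository, and can be restricted to the Tomcat user on the production host.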




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
How does it validate itself to that common location, without a password?


-- 
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu







On 2/12/16, 2:46 PM, "Leo Donahue"  wrote:

>On Feb 12, 2016 2:35 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> You are correct, I'm trying to authorize the web app, not the user.
>>
>> Goal: I am trying to come up with a way for a Tomcat app to securely
>>store
>> and retrieve the password it needs to access a DB.
>>
>> My definition of "secure" includes "there exist no files with an
>> unencrypted copy of the password".  IIUC, JNDI fails this test.
>>
>> My requirements include that all web app components are checked in to a
>> source control system that malicious users can have read access to.
>> --
>> Gregory Dougherty
>
>This is a secure password question?
>
>This task falls more in line with your enterprise architecture than with a
>simple common jar file.
>
>Think about how you could implement your own data source that reads
>encrypted passwords from some common location.
>
>The Tomcat "app" should not have anything to do with this.
>
>Leo



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
On 2/12/16, 3:29 PM, "Leo Donahue"  wrote:


>On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
>>
>>
>> >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>> >dougherty.greg...@mayo.edu> wrote:
>> >>
>> >> The web app needs a DB password so it can connect to the DB.
>> >
>> >I disagree that the web app needs a password.
>> The web app has to be able to read and write to the DB.  That takes a
>> password.
>
>No, javax.sql.DataSource needs a password.  Your web app just needs a user
>name.
>
>Your custom data source will fetch a password.
How?

What, precisely, is the exact mechanism by which this custom DataSource
will fetch the password?  And how is it that someone else, who has full
access to all my source code, including to the source code of my custom
DataSource, won't be able to retrieve the exact same password?

Requirement for "secure": There are no files sitting anywhere on the
server that have a plain text copy of my password.

Requirement for secure: The sys admin does not get to know my password.
He's "trusted" in that we assume he won't abuse his private key in order
to steal my password.  He's not "trusted" to know everyone's passwords.
 
Requirement from system: password must be updated every six months.  So I
have to be able to change the password, and inform my web app of the
changed password.

>A.  You don't get to manage your passwords.
>
>B.  The suggestion I'm giving you requires coordination with sys admins
>and
>DBA's.  It is more than just a simple app trying to find a way to hide
>passwords, none of which will "ever" be in source control.
>
>Leo

A: I'm the only one who knows my password, I have to manage it.  I have to
be able to use that password in contexts totally divorced from the web
server.
B: A solution that requires the sys admin to know, and update every six
months, my passwords is not a viable solution.





Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

André,

On 2/12/16 2:35 PM, André Warnier (tomcat) wrote:
> On 12.02.2016 20:08, Christopher Schultz wrote:
>> 
>> André,
>> 
>> On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
>>> Sorry, I lost the original message, so I can't respond
>>> in-thread. I only saw the last message, but to that, isn't this
>>> what the Op is asking for :
>>> 
>>> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html
>>> 
>>> 
>>> 
>>> No matter which jar these things are in, if these methods get 
>>> called, they should return the current URI which the client
>>> called to trigger the current webapp, no ? (I'm talking of
>>> getRequestURL() and siblings).
>> 
>> Mark's response accurately points out that anything the library
>> does to try to determine which application it's running under
>> can relatively easily be subverted by the application itself.
>> 
>> For your example above, it would be easy to simply wrap the 
>> HttpServletRequest object and override "getRequestURL" and
>> friends.
>> 
>> If you don't trust the code calling you, then you can't trust
>> anything up the stack.
>> 
> 
> Ok, sorry, I have not really followed the thread since the
> beginning. I did not realise that there was a question of not
> trusting the *code* of the webapps themselves. I thought it was only
> not trusting the client (browser or whatever).
> 
> But let me then push the question one level deeper, at the Java
> level : is there a way by which some code about to call a method,
> could find out if this method is "the genuine article", or has been
> overridden by a wrapper for instance ?

Not really. Let's take the HttpServletRequest object for instance. The
object you get just implements an interface, so the runtime type is
unpredictable. The container is allowed to give you anything it wants,
and it's allowed to change its mind at any point.

You can't tell the difference between an HttpServletRequest
(implementing) object created by the container versus one created by
the application. You could maybe white-list classes in
"org.apache.catalina.*" packages, but then your library becomes
brittle and will fail if Tomcat changes its implementation, or the
library needs to be portable to other containers.

> (And I do realise that this is not really applicable here, it is
> more by curiosity) I mean, the JVM of course must know; but is
> there a way by which the code can ask the JVM about this ? Or
> alternatively, can the code "force" the JVM to execute the real 
> method of the original parent (in this case HttpServletRequest)
> instead of a perhaps wrapper object's method ?

No: this would break one of the basic concepts of OO design, which is
that objects implementing an interface (generically, including
adhering to the contract defined by a class's superclass "interface")
should be treated as implementations of that interface. The runtime
type isn't supposed to matter.

Yes, you can use reflection/introspection to pull-apart the runtime
type, but you can never really be able to make good decisions about
the information you find in there.

- -chris




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

André,

On 2/12/16 3:10 PM, André Warnier (tomcat) wrote:
> On 12.02.2016 20:49, Dougherty, Gregory T., M.S. wrote:
>> You can honestly tell who's calling you, since you can throw an 
>> exception, catch it, then look at the stack trace.
>> 
>> If you have an object, you can get its class, you can get what
>> methods it implements, and you can get its parent class and
>> recurse.
>> 
>> So that should let you figure out which class will be
>> implementing the method you're calling, unless I'm totally
>> confused.
>> 
> 
> I can be confused easily too, in matters Java.

Just don't start talking about Perl. It's just as confusing from the
other side of the fence. ;)

> But let's just speculate, and someone undoubtedly would correct me
> if I'm wrong. Since 1) you do not necessarily trust the code which
> is (directly) calling you.  But you would trust it if you were sure
> that it is the original Tomcat code. 2) if I remember correctly, a
> HttpServletRequest object is immutable, so nobody can have modified
> the original data of the request, as it came in and was parsed by
> Tomcat.

It's true, the HttpServletRequest doesn't have any mutators, but that
doesn't mean that the class implementing the interface must be
immutable. Neither the interface itself nor the javadoc make any such
assertions.

> 3) What they could do however, is wrap the original object into
> another, and override the methods so that they would return other
> data than the original when you call getRequestURL

There is no difference as far as this hypothetical library is
concerned between cases #2 and #3 above: the code can only call
methods defined in the interface. The fact that the runtime method
returns something potentially suspicious is undetectable, and the
mechanism by which it does that doesn't matter.

> 4) but you can climb up the object hierarchy, until you find the 
> original (Tomcat) HttpServletRequest object and its methods

No. You can't unwrap the HttpServletRequest object to find out what
its "parent" (or wrapped) request is (unless you happen to have a
known runtime type which supports a method like getWrapper()).

The wrapper is an object which encapsulates the original request, it
doesn't "extend" it in the sense that you can call Class.getSuperclass().

Even if you *were* able to navigate up some magic class hierarchy
(which doesn't exist for class-composition of this type... but IF YOU
COULD!), if you tried to call something like
EvilRequestWrapper.super.super.super.getRequestURL() you'd find that
Java just calls EvilRequestWrapper.getRequestURL anyway -- because
that's how virtual method dispatch works in object-oriented systems.
Without hacking the JVM, there's no way to call
EvilRequestWrapper.super.super.getRequestURL().

> yes ?
> 
> Then I would imagine that there must be a way for you to retrieve
> the data as provided by the original HttpServletRequest
> getRequestURL, no ?

Nope. And any way I can think of for Tomcat to stash it somewhere
"safe" can also be compromised by the webapp's code (previously
determined to be untrustworthy, and potentially hostile... or at least
underhanded).

- -chris
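The wrapper Chris describes in this reply and the previous one, written out as an added example (my code, not from the thread and not from Tomcat). The library method, the URL, the secret and the class names are hypothetical. The point to take away is the defender's one: a shared library sees only the HttpServletRequest interface, so it cannot distinguish a container-created request from one the web application has wrapped, and any decision to release a secret based on what that object reports is unsound.

```java
// Added example (not from the thread): why a shared library cannot identify
// the calling web application from the HttpServletRequest it is handed.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class CallerIdentityDemo {

    // Constructed values for the demonstration.
    static final String TRUSTED_PREFIX = "https://apps.example.internal/greg-app/";
    static final String TRUSTED_SECRET = "greg-app-secret-placeholder";

    /**
     * Hypothetical shared-library check: derive the caller's identity from
     * the request URL and release a secret only to the expected application.
     * This is the design the thread argues against.
     */
    static String secretForCaller(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        if (url.startsWith(TRUSTED_PREFIX)) {
            return TRUSTED_SECRET;
        }
        throw new SecurityException("unknown caller: " + url);
    }

    /**
     * HttpServletRequestWrapper is part of the Servlet API and exists so that
     * filters and applications can decorate requests. A web application that
     * overrides the one method the library relies on is doing nothing
     * unusual, and the callee has no way to notice.
     */
    static final class RewritingRequest extends HttpServletRequestWrapper {
        private final String claimedUrl;

        RewritingRequest(HttpServletRequest delegate, String claimedUrl) {
            super(delegate);
            this.claimedUrl = claimedUrl;
        }

        @Override
        public StringBuffer getRequestURL() {
            return new StringBuffer(claimedUrl);
        }
    }

    /**
     * Demonstrates the failure mode for a request whose genuine URL is not
     * under TRUSTED_PREFIX: the library still hands out the secret, because
     * the wrapped and unwrapped requests are indistinguishable to it.
     */
    static boolean requestBasedIdentityIsUnreliable(HttpServletRequest containerRequest) {
        String genuine = containerRequest.getRequestURL().toString();
        HttpServletRequest wrapped = new RewritingRequest(containerRequest, TRUSTED_PREFIX);
        String released = secretForCaller(wrapped);
        return !genuine.startsWith(TRUSTED_PREFIX) && TRUSTED_SECRET.equals(released);
    }
}
```

The same reasoning applies to stack-trace inspection, class-name white-lists and reflection on the runtime type: every one of those inputs is produced by, or reachable from, the code whose honesty is in question. Identity has to come from something the web application does not control, which in Tomcat means the container's own per-application resource mapping.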




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

Gregory,

On 2/12/16 3:35 PM, Dougherty, Gregory T., M.S. wrote:
> You are correct, I'm trying to authorize the web app, not the
> user.
> 
> Goal: I am trying to come up with a way for a Tomcat app to
> securely store and retrieve the password it needs to access a DB.

Is it Tomcat that needs access to the password, or the library?

> My definition of "secure" includes "there exist no files with an 
> unencrypted copy of the password".  IIUC, JNDI fails this test.
> 
> My requirements include that all web app components are checked in
> to a source control system that malicious users can have read
> access to.
> 
> Solution: 1: Trusted user creates public:private key pair (1),
> distributes public key 2: Web app developer creates public:private
> key pair (2), distributes public key 3: Web app developer encrypted
> password with private key 2, then public key 1, stores with web
> app 4: Web app calls decryption jar that's in tomcat/lib, passing
> in the encrypted password from step 3 5: Decryption code determines
> which app called it, pulls the public key (3) saved for that app 6:
> Decryption code decrypts with private key 1, public key 3, and
> returns the unencrypted password.

Sounds crazy:

(a) You have web developers managing passwords, keys, etc. Don't trust
those fools! They are the ones writing those untrustworthy applications!

(b) You never said that any private key is stored with the web
application (or library). How does that all work?

(c) You have two layers of encryption where only one is necessary:
have someone (not one of the devs) encrypt the true password with a
public key, and have only the library (or whatever) have access to the
private key. Don't distribute the private key with the library. Only
deploy the private key onto a server where the library will be used
for production. That second layer does nothing unless I misunderstand
what's going on.

> So long as 1: Trusted user can store private key where it's secure,
> but accessible to decryption code, and 2: Can correctly determine
> the calling app, I believe this setup is secure.
> 
> We log who uploads the web apps, so if user X uploads a bogus "User
> Y App", we can deal with that.

You can use JNDI in a way that is secure from the web application
(within reason). You can't make it secure from the administrator, though.

Do you trust your administrators in this scenario?

- -chris
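Point (c) above, the single layer of public-key encryption, written out as an added example (my code, not from the thread). It assumes an RSA key pair whose private half is a PKCS#8 DER file at an administrator-chosen path on the production host, readable by the Tomcat user only and never packaged in a WAR; the public half can be handed to anyone. The sample password in main() is constructed for the round trip.

```java
// Added example (not from the thread): the single-layer scheme Chris describes.
// An administrator encrypts the real database password with a public key; the
// ciphertext can ship with the application (properties file, revision control).
// Only the shared library, on the production host, can read the private key.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

public final class SealedPassword {

    // RSA with OAEP padding; this transformation name is supported by the JDK.
    private static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Run by the administrator, off the server: seal the real password. */
    public static String seal(String password, PublicKey publicKey)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    /** Run by the shared library in tomcat/lib: unseal with the host key. */
    public static String unseal(String sealed, PrivateKey privateKey)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] pt = cipher.doFinal(Base64.getDecoder().decode(sealed));
        return new String(pt, StandardCharsets.UTF_8);
    }

    /**
     * Load the host private key from a PKCS#8 DER file. The path is
     * hypothetical; what matters is that the administrator owns it, the
     * Tomcat user can read it, and no web application bundles it.
     */
    public static PrivateKey loadHostKey(Path pkcs8Der)
            throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(pkcs8Der);
        return KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Offline round trip with a freshly generated key pair. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        KeyPair kp = gen.generateKeyPair();

        // Constructed sample; in practice the administrator seals the real value.
        String sealed = seal("constructed-sample-password", kp.getPublic());
        System.out.println("ciphertext for the properties file: " + sealed);

        String recovered = unseal(sealed, kp.getPrivate());
        System.out.println("library recovered: " + recovered);
    }
}
```

Note what this does and does not buy: the ciphertext in the repository is useless to a reader without the host key, which is the property Greg asks for. It does not tell the library which application called it. Any web application on the same host that can read Greg's properties file and call unseal() gets the same plaintext, which is the problem the rest of the thread is about, and why Chris keeps pointing back to the container's per-application resource mapping rather than anything the caller supplies.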




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Fri, Feb 12, 2016 at 5:46 PM, Dougherty, Gregory T., M.S. <
dougherty.greg...@mayo.edu> wrote:

> Chris,
>
>
> On 2/12/16, 5:27 PM, "Christopher Schultz" 
> wrote:
>
> >Gregory,
> >
> >On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
> >> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
> >>
> >>
> >>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> >>> dougherty.greg...@mayo.edu> wrote:
> >> My definition of "secure" includes "there exist no files with an
> >> unencrypted copy of the password".
> >
> >Do you mean "no files at all" or "no files in revision-control"?
> >Again, you have to decide whether you trust your administrators.
>
> No files at all.
>

Not even encrypted files?


>
> Even if I did trust my administrators, they don’t want the task of having
> to update the passwords every six months.
>

Greaaat.


>
> >> How does the data source know that this web app, unlike every
> >> other web app in existence, is allowed to access the data source?
> >
> >The container allows you to map data sources to web applications. Use
> >that facility. And trust your administrators.
>
> This sounds like something I can use to uniquely identify which app is
> running, no?
> Can my code ask Tomcat for the DataSource the container assigns to the web
> app, that instead of returning a password, simply returns the name of the
> app?
>

What I was saying about the data source is that where you configure it in
Tomcat doesn't need a password in plain text, if your custom data source is
going to simply use the username from the Tomcat data source config file to
go look up the real encrypted password.  You have to implement this
yourself.  Precisely how is totally up to you.

You are going to need a process that writes encrypted user passwords to an
ENCRYPTED file, on a schedule, preferably every day.  If you can't have
encrypted files, then you are stuck, don't read on.

You need to write something that generates long passwords, because you
don't need to remember them, and writes them to the encrypted file.  All
you need to do is regenerate them whenever you want.  If you are saying
that you need to choose your own password because it is used elsewhere,
then you are stuck again.

This same process is going to let you read and un-encrypt (spell check not
helping me here) said password.  How you write this is up to you.

In your custom data source, where you override the
getConnection(username,password), you will obviously need to call the
function that fetches the real password for said supplied user.  How you do
that is up to you, like I said, this is a bigger project than a quick hack.


  ...
  
  ...


https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#JDBC_Data_Sources
https://docs.oracle.com/javase/8/docs/api/javax/sql/DataSource.html#getConnection-java.lang.String-java.lang.String-



>
> >> For that matter, how do I set up the data source (whose every
> >> element is checked into the source code control system that a
> >> malicious user may have access to) so that it knows the passwords
> >> of interest?
> >
> >Why would you check the data source configuration into the
> >revision-control system? It's not necessary to do that. Do you check
> >Tomcat's server.xml into revision control?
>
> Are you going to have your data source configuration sitting on only one
> user’s personal computer?  What happens when that person is on vacation?
> Sick?  Has a hard drive crash?
>

I don't understand why that would be the case that you store this data
source configuration on anyone's personal computer.  Are you saying that
Mayo Clinic IT lets developers run production apps from Tomcats on their
personal computers?


>
> >If you free yourself from the idea that everything needs to be in one
> >big revision-control system, it makes things easier. Everybody does
> >their job: the devs write the software, the admins deploy it. The
> >admins have the keys to the kingdom (they always do; don't fight it)
> >and the devs have keys to nothing.
>
> I don’t get a vote on that one.
>
> >Of course, the devs are writing the software, so if you are truly
> >paranoid, you need to make sure that the devs aren't stealing secrets
> >from the admins when the app runs ;)
>
> I am truly paranoid, that’s why I want an unambiguous way to figure out
> what app is running.  That way the only data they can “steal” is their own
> data.
>
> >
> >- -chris
> -Greg
>
>
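The custom DataSource Leo outlines above, written out as an added example (my code, not from the thread and not from Tomcat). Tomcat's Resource entry would carry only the JDBC URL and the user name, and would name this class through the Resource element's factory attribute via a small javax.naming.spi.ObjectFactory (not shown). The PasswordResolver interface is hypothetical; where the real password comes from (Leo's encrypted file, a decryption library, a vault) is whatever the resolver implementation does, and the application never calls it directly.

```java
// Added example (not from the thread): a javax.sql.DataSource that is
// configured with a user name only and resolves the password at connection
// time from a store the web application never reads.
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Arrays;
import java.util.logging.Logger;
import javax.sql.DataSource;

public final class ResolvingDataSource implements DataSource {

    /** Pluggable lookup of the real password for a user name (hypothetical). */
    public interface PasswordResolver {
        char[] passwordFor(String username) throws SQLException;
    }

    private final String jdbcUrl;
    private final String username;
    private final PasswordResolver resolver;
    private PrintWriter logWriter;
    private int loginTimeout;

    public ResolvingDataSource(String jdbcUrl, String username, PasswordResolver resolver) {
        this.jdbcUrl = jdbcUrl;
        this.username = username;
        this.resolver = resolver;
    }

    @Override
    public Connection getConnection() throws SQLException {
        return getConnection(username, null);
    }

    /**
     * The password argument is deliberately ignored: callers supply only a
     * user name, and the resolver decides what the real credential is. This is
     * the override Leo refers to.
     */
    @Override
    public Connection getConnection(String user, String ignoredPassword) throws SQLException {
        char[] secret = resolver.passwordFor(user);
        try {
            // DriverManager needs a String, so a copy of the plaintext exists
            // for the duration of the call; the char[] is wiped afterwards.
            return DriverManager.getConnection(jdbcUrl, user, new String(secret));
        } finally {
            Arrays.fill(secret, '\0');
        }
    }

    // Remaining javax.sql.DataSource / CommonDataSource plumbing.
    @Override public PrintWriter getLogWriter() { return logWriter; }
    @Override public void setLogWriter(PrintWriter out) { this.logWriter = out; }
    @Override public void setLoginTimeout(int seconds) { this.loginTimeout = seconds; }
    @Override public int getLoginTimeout() { return loginTimeout; }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
    @Override public <T> T unwrap(Class<T> iface) throws SQLException {
        if (iface.isInstance(this)) return iface.cast(this);
        throw new SQLException("not a wrapper for " + iface.getName());
    }
    @Override public boolean isWrapperFor(Class<?> iface) { return iface.isInstance(this); }
}
```

This keeps the plaintext out of context.xml, which is Leo's aim, but it does not change Chris's observation: the resolver runs inside the same JVM, so the administrator who deploys it, and any application that can reach the same resolver, can obtain the password. What it does provide is a single, auditable place where credentials are fetched, which is where rotation (Greg's six-month requirement) can be handled without touching the applications.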


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Leo Donahue
On Fri, Feb 12, 2016 at 5:33 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Gregory,
> >
> > The web app needs a DB password so it can connect to the
> > DB.
> 
>  I disagree that the web app needs a password.
> >>> The web app has to be able to read and write to the DB.  That
> >>> takes a password.
> >>
> >> No, javax.sql.DataSource needs a password.  Your web app just
> >> needs a user name.
> >>
> >> Your custom data source will fetch a password.
> > How?
> >
> > What, precisely, is the exact mechanism by which this custom
> > DataSource will fetch the password?
>
> (I think Leo's baiting you, here: he's trying to get you to admit that
> this is a shell game where an encrypted password requires an encrypted
> password requires an encrypted password, etc. all the way down.
>


This thread is on fire!  I am finding it hard to know where to reply.

I am not baiting anyone, I will explain in a different reply.



>
> > And how is it that someone else, who has full access to all my
> > source code, including to the source code of my custom DataSource,
> > won't be able to retrieve the exact same password?
> >
> > Requirement for "secure": There are no files sitting anywhere on
> > the server that have a plain text copy of my password.
>
> Is this because you don't trust your admins?
>
> > Requirement for secure: The sys admin does not get to know my
> > password. He's "trusted" in that we assume he won't abuse his
> > private key in order to steal my password.  He's not "trusted" to
> > know everyone's passwords.
>
> Forget about "other people's passwords" for a moment: you don't trust
> your admins to peek at the super-secret database password (which is
> usually something like "pr0duct!on" LOL)?
>
> If the admins wants the password, he (or she) is going to get it. Your
> library needs the cleartext password at some point and at that point,
> the admin effectively has it, too.
>
> (I had a conversation with Sander Temme at ApacheCon over a few beers
> while he tried to explain how one of Thales's hardware key escrow
> systems were capable of doing this kind of thing. I had a hard time
> understanding how it was possible. It could have been the beer.)
>
> > Requirement from system: password must be updated every six months.
> > So I have to be able to change the password, and inform my web app
> > of the changed password.
>
> Aah, yes. Password-rotation. That definitely keeps things secure. :(
>
> >> A.  You don't get to manage your passwords.
> >>
> >> B.  The suggestion I'm giving you requires coordination with sys
> >> admins and DBA's.  It is more than just a simple app trying to find
> >> a way to hide passwords, none of which will "ever" be in source
> >> control.
> >>
> >> Leo
> >
> > A: I¹m the only one who knows my password, I have to manage it.  I
> > have to be able to use that password in contexts totally divorced
> > from the web server.
>
> This is your LDAP password? Are we still talking about
> application-level passwords for your database? Or user-level passwords
> for ... what, exactly?
>
> > B: A solution that requires the sys admin to know, and update every
> > six months, my passwords is not a viable solution.
>
> If the admin won't update the password, who will?
>
> - -chris
>
>
>


Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Christopher Schultz

Gregory,

On 2/12/16 4:49 PM, Dougherty, Gregory T., M.S. wrote:
> On 2/12/16, 3:29 PM, "Leo Donahue"  wrote:
> 
> 
>> On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." < 
>> dougherty.greg...@mayo.edu> wrote:
>>> 
>>> On 2/12/16, 3:08 PM, "Leo Donahue" 
>>> wrote:
>>> 
>>> 
 On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." < 
 dougherty.greg...@mayo.edu> wrote:
> 
> The web app needs a DB password so it can connect to the
> DB.
 
 I disagree that the web app needs a password.
>>> The web app has to be able to read and write to the DB.  That
>>> takes a password.
>> 
>> No, javax.sql.DataSource needs a password.  Your web app just
>> needs a user name.
>> 
>> Your custom data source will fetch a password.
> How?
> 
> What, precisely, is the exact mechanism by which this custom
> DataSource will fetch the password?

(I think Leo's baiting you, here: he's trying to get you to admit that
this is a shell game where an encrypted password requires an encrypted
password requires an encrypted password, etc. all the way down.

> And how is it that someone else, who has full access to all my
> source code, including to the source code of my custom DataSource,
> won't be able to retrieve the exact same password?
> 
> Requirement for "secure": There are no files sitting anywhere on
> the server that have a plain text copy of my password.

Is this because you don't trust your admins?

> Requirement for secure: The sys admin does not get to know my
> password. He's "trusted" in that we assume he won't abuse his
> private key in order to steal my password.  He's not "trusted" to
> know everyone's passwords.

Forget about "other people's passwords" for a moment: you don't trust
your admins to peek at the super-secret database password (which is
usually something like "pr0duct!on" LOL)?

If the admin wants the password, he (or she) is going to get it. Your
library needs the cleartext password at some point and at that point,
the admin effectively has it, too.

(I had a conversation with Sander Temme at ApacheCon over a few beers
while he tried to explain how one of Thales's hardware key escrow
systems were capable of doing this kind of thing. I had a hard time
understanding how it was possible. It could have been the beer.)

> Requirement from system: password must be updated every six months.
> So I have to be able to change the password, and inform my web app
> of the changed password.

Aah, yes. Password-rotation. That definitely keeps things secure. :(

>> A.  You don't get to manage your passwords.
>> 
>> B.  The suggestion I'm giving you requires coordination with sys
>> admins and DBA's.  It is more than just a simple app trying to find
>> a way to hide passwords, none of which will "ever" be in source
>> control.
>> 
>> Leo
> 
> A: I¹m the only one who knows my password, I have to manage it.  I
> have to be able to use that password in contexts totally divorced
> from the web server.

This is your LDAP password? Are we still talking about
application-level passwords for your database? Or user-level passwords
for ... what, exactly?

> B: A solution that requires the sys admin to know, and update every
> six months, my passwords is not a viable solution.

If the admin won't update the password, who will?

- -chris




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
Chris, 


On 2/12/16, 5:27 PM, "Christopher Schultz" 
wrote:

>Gregory,
>
>On 2/12/16 4:19 PM, Dougherty, Gregory T., M.S. wrote:
>> On 2/12/16, 3:08 PM, "Leo Donahue"  wrote:
>> 
>> 
>>> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>>> dougherty.greg...@mayo.edu> wrote:
>> My definition of "secure" includes "there exist no files with an
>> unencrypted copy of the password".
>
>Do you mean "no files at all" or "no files in revision-control"?
>Again, you have to decide whether you trust your administrators.

No files at all.

Even if I did trust my administrators, they don’t want the task of having
to update the passwords every six months.

>> How does the data source know that this web app, unlike every
>> other web app in existence, is allowed to access the data source?
>
>The container allows you to map data sources to web applications. Use
>that facility. And trust your administrators.

This sounds like something I can use to uniquely identify which app is
running, no?
Can my code ask Tomcat for the DataSource the container assigns to the web
app, that instead of returning a password, simply returns the name of the
app?

>> For that matter, how do I set up the data source (whose every
>> element is checked into the source code control system that a
>> malicious user may have access to) so that it knows the passwords
>> of interest?
>
>Why would you check the data source configuration into the
>revision-control system? It's not necessary to do that. Do you check
>Tomcat's server.xml into revision control?

Are you going to have your data source configuration sitting on only one
user’s personal computer?  What happens when that person is on vacation?
Sick?  Has a hard drive crash?

>If you free yourself from the idea that everything needs to be in one
>big revision-control system, it makes things easier. Everybody does
>their job: the devs write the software, the admins deploy it. The
>admins have the keys to the kingdom (they always do; don't fight it)
>and the devs have keys to nothing.

I don’t get a vote on that one.

>Of course, the devs are writing the software, so if you are truly
>paranoid, you need to make sure that the devs aren't stealing secrets
>from the admins when the app runs ;)

I am truly paranoid, that’s why I want an unambiguous way to figure out
what app is running.  That way the only data they can “steal” is their own
data.

>
>- -chris
-Greg



Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-12 Thread Dougherty, Gregory T., M.S.
Chris,


It appears I’ve done a poor job explaining the situation, so let me try
again.

We have multiple apps running on a production Tomcat server.  Each one of
those apps has one or more passwords that belong to the app developers.
Generally we’re talking about DB passwords.

If you’re willing to place your password in plain text in a file
accessible via JNDI, your problem is solved.  I’m not.

I encrypt my password with my private key, then with the admin’s public
key, then save it in a properties file for my app.  When my app gets
launched on Tomcat, it pulls that password from the properties file, and
sends it off to the decryption code.

The decryption code decrypts the passed in string with the admin’s private
key.  Now it needs to know which public key to use to complete the
decryption process.  If the calling app gets to say “hey use this key”,
then a malicious user can pull my encrypted key out of my properties file,
and send it to the decryption code while saying “Hey, I’m Greg’s app”.
Security fail.

The decryption code doesn’t save any plain text passwords anywhere.  It’s
called with a string, it decrypts the string and returns the result.

When I need to update my password, I encrypt the new password and save it
in the properties file.  No work for the admin, because my public key
hasn’t changed.

Does that make things clearer?

On 2/12/16, 5:33 PM, "Christopher Schultz" 
wrote:

>Gregory,
>
>On 2/12/16 4:49 PM, Dougherty, Gregory T., M.S. wrote:
>> On 2/12/16, 3:29 PM, "Leo Donahue"  wrote:
>> 
>> 
>>> On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <
>>> dougherty.greg...@mayo.edu> wrote:
 
 On 2/12/16, 3:08 PM, "Leo Donahue" 
 wrote:
 
 
> On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> dougherty.greg...@mayo.edu> wrote:
>> 
>> The web app needs a DB password so it can connect to the
>> DB.
> 
> I disagree that the web app needs a password.
 The web app has to be able to read and write to the DB.  That
 takes a password.
>>> 
>>> No, javax.sql.DataSource needs a password.  Your web app just
>>> needs a user name.
>>> 
>>> Your custom data source will fetch a password.
>> How?
>> 
>> What, precisely, is the exact mechanism by which this custom
>> DataSource will fetch the password?
>
>(I think Leo's baiting you, here: he's trying to get you to admit that
>this is a shell game where an encrypted password requires an encrypted
>password requires an encrypted password, etc. all the way down.)
>
>> And how is it that someone else, who has full access to all my
>> source code, including to the source code of my custom DataSource,
>> won't be able to retrieve the exact same password?
>> 
>> Requirement for "secure": There are no files sitting anywhere on
>> the server that have a plain text copy of my password.
>
>Is this because you don't trust your admins?
>
>> Requirement for secure: The sys admin does not get to know my
>> password. He's "trusted" in that we assume he won't abuse his
>> private key in order to steal my password.  He's not "trusted" to
>> know everyone's passwords.
>
>Forget about "other people's passwords" for a moment: you don't trust
>your admins to peek at the super-secret database password (which is
>usually something like "pr0duct!on" LOL)?
>
>If the admin wants the password, he (or she) is going to get it. Your
>library needs the cleartext password at some point and at that point,
>the admin effectively has it, too.
>
>(I had a conversation with Sander Temme at ApacheCon over a few beers
>while he tried to explain how one of Thales's hardware key escrow
>systems was capable of doing this kind of thing. I had a hard time
>understanding how it was possible. It could have been the beer.)
>
>> Requirement from system: password must be updated every six months.
>> So I have to be able to change the password, and inform my web app
>> of the changed password.
>
>Aah, yes. Password-rotation. That definitely keeps things secure. :(
>
>>> A.  You don't get to manage your passwords.
>>> 
>>> B.  The suggestion I'm giving you requires coordination with sys
>>> admins and DBA's.  It is more than just a simple app trying to find
>>> a way to hide passwords, none of which will "ever" be in source
>>> control.
>>> 
>>> Leo
>> 
>> A: I'm the only one who knows my password, I have to manage it.  I
>> have to be able to use that password in contexts totally divorced
>> from the web server.
>
>This is your LDAP password? Are we still talking about
>application-level passwords for your database? Or user-level passwords
>for ... what, exactly?
>
>> B: A solution that requires the sys admin to know, and update every
>> six months, my passwords is not a viable solution.
>
>If the admin won't update the password, who will?
>
>- -chris

Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-11 Thread Mark Thomas
On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> I would like to have a jar file in tomcat/lib that can be called from any of 
> the running web apps.  I need for the code in the jar to behave differently 
> depending on which web app called it.  It is not in this case possible for 
> the code to “trust” the caller to tell it the URL of the caller.
> 
> Is it possible for that code to independently determine the URL of the caller?

If you can't trust the caller to tell you the URL, you can't trust that
the caller isn't going to tinker with whatever mechanism you do use to
determine the URL.

You'd have a better chance of doing this if you ran under a
SecurityManager but unless you write an application from the start with
the intention of running it under a SecurityManager it is usually a lot
of additional effort to update the app so it runs correctly.

Mark
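Mark's SecurityManager suggestion and Greg's problem (the decryptor cannot trust whoIAm) worked into one added example that is not from the thread: the shared jar still takes whoIAm, but lets the Java policy, not the caller, decide whether that identity is genuine. The package, class names, policy paths and the "greg-app" identity are assumptions.

```java
package com.example.shared;   // hypothetical package for the jar in tomcat/lib

import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PublicKey;
import java.util.Map;

/**
 * Shared helper deployed in tomcat/lib. The caller still passes whoIAm, but the
 * claim is verified by the SecurityManager instead of trusted: checkPermission
 * walks every frame on the call stack, so the webapp's own ProtectionDomain must
 * hold AppPermission "<whoIAm>" even though this jar itself has AllPermission.
 *
 * Tomcat must be started with "catalina.sh start -security", and conf/catalina.policy
 * needs one grant per webapp, tied to that webapp's codeBase (path hypothetical):
 *
 *   grant codeBase "file:${catalina.base}/webapps/greg-app/-" {
 *       permission com.example.shared.Decryptor$AppPermission "greg-app";
 *   };
 */
public final class Decryptor {
    /** Names one webapp identity; the policy grants it per codeBase. */
    public static final class AppPermission extends BasicPermission {
        public AppPermission(String appName) { super(appName); }
    }

    // Per-app public keys registered by the admin, keyed by the identity string in the policy.
    private final Map<String, PublicKey> appKeys;

    public Decryptor(Map<String, PublicKey> appKeys) { this.appKeys = appKeys; }

    /**
     * Resolves the public key for the caller's claimed identity. A webapp that claims
     * "greg-app" without the matching grant gets an AccessControlException, so a copied
     * ciphertext cannot be decrypted under another app's name. Never wrap this check in
     * AccessController.doPrivileged: that would drop the caller's frames from the check.
     */
    public PublicKey keyFor(String whoIAm) {
        if (System.getSecurityManager() == null) {
            throw new IllegalStateException("SecurityManager required; start Tomcat with -security");
        }
        AccessController.checkPermission(new AppPermission(whoIAm));  // throws unless granted
        PublicKey key = appKeys.get(whoIAm);
        if (key == null) {
            throw new IllegalArgumentException("no key registered for " + whoIAm);
        }
        return key;
    }
}
```

This only holds while every webapp in the JVM actually runs under the policy, which is Mark's point about designing for the SecurityManager from the start; the SecurityManager is also deprecated for removal from Java 17 onward (JEP 411), so it is a Tomcat 7/8-era answer.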





Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-11 Thread Dougherty, Gregory T., M.S.
I would like to have a jar file in tomcat/lib that can be called from any of 
the running web apps.  I need for the code in the jar to behave differently 
depending on which web app called it.  It is not in this case possible for the 
code to “trust” the caller to tell it the URL of the caller.

Is it possible for that code to independently determine the URL of the caller?

Thank you,
--
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu