You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/11/10 05:16:48 UTC
svn commit: r1200135 - in /tomcat/tc7.0.x/trunk/webapps/docs:
security-howto.xml security-manager-howto.xml setup.xml ssi-howto.xml
ssl-howto.xml virtual-hosting-howto.xml windows-auth-howto.xml
windows-service-howto.xml
Author: kkolinko
Date: Thu Nov 10 04:16:47 2011
New Revision: 1200135
URL: http://svn.apache.org/viewvc?rev=1200135&view=rev
Log:
Merging r1187809 - Trailing whitespace removal from /webapps
/webapps/docs, 9
Modified:
tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/security-manager-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/setup.xml
tomcat/tc7.0.x/trunk/webapps/docs/ssi-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/virtual-hosting-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml
tomcat/tc7.0.x/trunk/webapps/docs/windows-service-howto.xml
Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Thu Nov 10 04:16:47 2011
@@ -40,7 +40,7 @@
expected impact of changing those options. The intention is to provide a
list of configuration options that should be considered when assessing the
security of a Tomcat installation.</p>
-
+
<p><strong>Note</strong>: Reading this page is not a substitute for reading
and understanding the detailed configuration documentation. Fuller
descriptions of these attributes may be found in the relevant documentation
@@ -70,14 +70,14 @@
and outgoing connections to only those connections you expect to be
present.</p>
</section>
-
+
<section name="Default web applications">
<p>Tomcat ships with a number of web applications by default.
Vulnerabilities have been discovered in these applications in the past.
Applications that are not required should be removed so the system will not
be at risk if another vulnerability is discovered.</p>
</section>
-
+
<section name="Security manager">
<p>Enabling the security manager causes web applications to be run in a
sandbox, significantly limiting a web application's ability to perform
@@ -97,12 +97,12 @@
application is deployed to a separate Tomcat instance (and ideally separate
hosts) to reduce the ability of a malicious web application impacting the
availability of other applications.</p>
-
+
<p>Tomcat is tested with the security manager enabled; but the majority of
Tomcat users do not run with a security manager, so Tomcat is not as well
user-tested in this configuration. There have been, and continue to be,
bugs reported that are triggered by running under a security manager.</p>
-
+
<p>The restrictions imposed by a security manager are likely to break most
applications if the security manager is enabled. The security manager should
not be used without extensive testing. Ideally, the use of a security
@@ -120,47 +120,47 @@
<p>If a component type is not listed, then there are no settings for that
type that directly impact security.</p>
</subsection>
-
+
<subsection name="Server">
<p>Setting the <strong>port</strong> attribute to <code>-1</code> disables
the shutdown port.</p>
<p>If the shutdown port is not disabled, a strong password should be
configured for <strong>shutdown</strong>.</p>
</subsection>
-
+
<subsection name="Listeners">
<p>The APR Lifecycle Listener is not stable if compiled on Solaris using
gcc. If using the APR/native connector on Solaris, compile it with the
Sun Studio compiler.</p>
-
- <p>The Security Listener should be enabled and configured as appropriate.
+
+ <p>The Security Listener should be enabled and configured as appropriate.
</p>
</subsection>
-
+
<subsection name="Connectors">
<p>By default, an HTTP and an AJP connector are configured. Connectors
that will not be used should be removed from server.xml.</p>
-
+
<p>The <strong>address</strong> attribute may be used to control which IP
address the connector listens on for connections. By default, the
connector listens on all configured IP addresses.</p>
-
+
<p>The <strong>allowTrace</strong> attribute may be used to enable TRACE
requests which can be useful for debugging. Due to the way some browsers
handle the response from a TRACE request (which exposes the browser to an
XSS attack), support for TRACE requests is disabled by default.</p>
-
+
<p>The <strong>maxPostSize</strong> attribute controls the maximum size
of a POST request that will be parsed for parameters. The parameters are
cached for the duration of the request so this is limited to 2MB by
default to reduce exposure to a DOS attack.</p>
-
+
<p>The <strong>maxSavePostSize</strong> attribute controls the saving of
POST requests during FORM and CLIENT-CERT authentication. The parameters
are cached for the duration of the authentication (which may be many
minutes) so this is limited to 4KB by default to reduce exposure to a DOS
attack.</p>
-
+
<p>The <strong>xpoweredBy</strong> attribute controls whether or not the
X-Powered-By HTTP header is sent with each request. If sent, the value of
the header contains the Servlet and JSP specification versions, the full
@@ -168,7 +168,7 @@
the version of the JVM. This header is disabled by default. This header
can provide useful information to both legitimate clients and attackers.
</p>
-
+
<p>The <strong>server</strong> attribute controls the value of the Server
HTTP header. The default value of this header for Tomcat 4.1.x, 5.0.x,
5.5.x, 6.0.x and 7.0.x is Apache-Coyote/1.1. This header can provide
@@ -186,18 +186,18 @@
connectors to pass secure and non-secure requests to Tomcat. If the
proxy uses AJP then the SSL attributes of the client connection are
passed via the AJP protocol and separate connectors are not needed.</p>
-
+
<p>The <strong>ciphers</strong> attribute controls the ciphers used for
SSL connections. By default, the default ciphers for the JVM will be used.
This usually means that the weak export grade ciphers will be included in
the list of available ciphers. Secure environments will normally want to
configure a more limited set of ciphers.</p>
-
+
<p>The <strong>tomcatAuthentication</strong> attribute is used with the
AJP connectors to determine if Tomcat should authenticate the user or if
authentication can be delegated to the reverse proxy that will then pass
the authenticated username to Tomcat as part of the AJP protocol.</p>
-
+
<p>The <strong>allowUnsafeLegacyRenegotiation</strong> attribute provides
a workaround for
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
@@ -208,7 +208,7 @@
<a href="http://tomcat.apache.org/security-7.html">Tomcat 7 security
page</a>.</p>
</subsection>
-
+
<subsection name="Host">
<p>The host element controls deployment. Automatic deployment allows for
simpler management but also makes it easier for an attacker to deploy a
@@ -217,19 +217,19 @@
attributes. If both are <code>false</code>, only Contexts defined in
server.xml will be deployed and any changes will require a Tomcat restart.
</p>
-
+
<p>In a hosted environment where web applications may not be trusted, set
the <strong>deployXml</strong> attribute to false to ignore any
context.xml packaged with the web application that may try to assigned
- increased privileges to the web application. </p>
+ increased privileges to the web application. </p>
</subsection>
-
+
<subsection name="Context">
<p>The <strong>crossContext</strong> attribute controls if a context is
allowed to access the resources of another context. It is
<code>false</code> by default and should only be changed for trusted web
applications.</p>
-
+
<p>The <strong>privileged</strong> attribute controls if a context is
allowed to use container provided servlets like the Manager servlet. It is
<code>false</code> by default and should only be changed for trusted web
@@ -244,23 +244,23 @@
security measures and allow, among other things, direct access to the
WEB-INF directory.</p>
</subsection>
-
+
<subsection name="Valves">
<p>It is strongly recommended that an AccessLogValve is configured. The
default Tomcat configuration includes an AccessLogValve. These are
normally configured per host but may also be configured per engine or per
context as required.</p>
-
+
<p>Any administrative application should be protected by a
RemoteAddressValve. (Note that this Valve is also available as a Filter.)
The <strong>allow</strong> attribute should be used to limit access to a
set of known trusted hosts.</p>
-
+
<p>The default ErrorReportValve includes the Tomcat version number in the
response sent to clients. To avoid this, custom error handling can be
configured within each web application. Alternatively, the version number
- can be changed by creating the file
- CATALINA_HOME/lib/org/apache/catalina/util/ServerInfo.properties with
+ can be changed by creating the file
+ CATALINA_HOME/lib/org/apache/catalina/util/ServerInfo.properties with
content as follows:</p>
<source>
server.info=Apache Tomcat/7.0.x
@@ -269,62 +269,62 @@ server.info=Apache Tomcat/7.0.x
number reported in some of the management tools and may make it harder to
determine the real version installed. The CATALINA_HOME/bin/version.bat|sh
script will still report the version number.</p>
-
+
<p>The default ErrorReportValve can display stack traces and/or JSP
source code to clients when an error occurs. To avoid this, custom error
handling can be configured within each web application.</p>
</subsection>
-
+
<subsection name="Realms">
<p>The MemoryRealm is not intended for production use as any changes to
tomcat-users.xml require a restart of Tomcat to take effect.</p>
-
+
<p>The JDBCRealm is not recommended for production use as it is single
threaded for all authentication and authorization options. Use the
DataSourceRealm instead.</p>
-
+
<p>The UserDatabaseRealm is not intended for large-scale installations. It
is intended for small-scale, relatively static environments.</p>
-
+
<p>The JAASRealm is not widely used and therefore the code is not as
mature as the other realms. Additional testing is recommended before using
this realm.</p>
-
+
<p>By default, the realms do not implement any form of account lock-out.
This means that brute force attacks can be successful. To prevent a brute
force attack, the chosen realm should be wrapped in a LockOutRealm.</p>
</subsection>
-
+
<subsection name="Manager">
<p>The manager component is used to generate session IDs.</p>
-
+
<p>The default <strong>entropy</strong> value has been shown to generate predictable values
under certain conditions. For more secure session generation, this should
be set to a long string. This is done automatically if the APR/native
library is installed; a random value will be obtained from the APR/native
library.</p>
-
+
<p>The class used to generate random session IDs may be changed with
the <strong>randomClass</strong> attribute.</p>
-
+
<p>The length of the session ID may be changed with the
<strong>sessionIdLength</strong> attribute.</p>
</subsection>
</section>
-
+
<section name="System Properties">
<p>Setting <strong>org.apache.catalina.connector.RECYCLE_FACADES</strong>
system property to <code>true</code> will cause a new facade object to be
created for each request. This reduces the chances of a bug in an
application exposing data from one request to another.</p>
-
+
<p>The <strong>
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</strong> and
<strong>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</strong>
system properties allow non-standard parsing of the request URI. Using
these options when behind a reverse proxy may enable an attacker to bypass
any security constraints enforced by the proxy.</p>
-
+
<p>The <strong>
org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER
</strong> system property has security implications if disabled. Many user
@@ -334,26 +334,26 @@ server.info=Apache Tomcat/7.0.x
that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted
as UTF-7.</p>
</section>
-
+
<section name="CATALINA_BASE/conf/web.xml">
<p>The DefaultServlet is configured with <strong>readonly</strong> set to
<code>true</code>. Changing this to <code>false</code> allows clients to
delete or modify static resources on the server and to upload new
resources. This should not normally be changed without requiring
authentication.</p>
-
+
<p>The DefaultServlet is configured with <strong>listings</strong> set to
<code>false</code>. This isn't because allowing directory listings is
considered unsafe but because generating listings of directories with
thousands of files can consume significant CPU leading to a DOS attack.
</p>
</section>
-
+
<section name="General">
<p>BASIC and FORM authentication pass user names and passwords in clear
text. Web applications using these authentication mechanisms with clients
connecting over untrusted networks should use SSL.</p>
-
+
<p>The session cookie for a session with an authenticated user are nearly
as useful as the user's password to an attacker and in nearly all
circumstances should be afforded the same level of protection as the
Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-manager-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-manager-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-manager-howto.xml Thu Nov 10 04:16:47 2011
@@ -58,10 +58,10 @@
<p><strong>WARNING</strong> - A security audit
have been conducted using the Tomcat codebase. Most of the critical
- package have been protected and a new security package protection mechanism
- has been implemented. Still, make sure that you are satisfied with your SecurityManager
- configuration before allowing untrusted users to publish web applications,
- JSPs, servlets, beans, or tag libraries. <strong>However, running with a
+ package have been protected and a new security package protection mechanism
+ has been implemented. Still, make sure that you are satisfied with your SecurityManager
+ configuration before allowing untrusted users to publish web applications,
+ JSPs, servlets, beans, or tag libraries. <strong>However, running with a
SecurityManager is definitely better than running without one.</strong></p>
</section>
@@ -134,7 +134,7 @@ permission java.io.FilePermission
permission java.io.FilePermission
"** application working directory**/-", "read,write,delete";
</source>
- <p>Where **your application context** equals the folder (or WAR file) under which
+ <p>Where **your application context** equals the folder (or WAR file) under which
your application has been deployed and **application working directory** is the
temporary directory provided to your application as required by the
Servlet Specification.</p>
@@ -201,17 +201,17 @@ $CATALINA_HOME/bin/catalina.sh start -se
internal package are protected againts package definition and access. See
<a href="http://java.sun.com/security/seccodeguide.html">
http://java.sun.com/security/seccodeguide.html</a>
- for more information.</p>
+ for more information.</p>
+
-
- <p><strong>WARNING</strong>: Be aware that removing the default package protection
+ <p><strong>WARNING</strong>: Be aware that removing the default package protection
could possibly open a security hole</p>
<h3>The Default Properties File</h3>
<p>The default <code>$CATALINA_BASE/conf/catalina.properties</code> file
looks like this:</p>
-<source>
+<source>
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
Modified: tomcat/tc7.0.x/trunk/webapps/docs/setup.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/setup.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/setup.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/setup.xml Thu Nov 10 04:16:47 2011
@@ -37,7 +37,7 @@
<p>
This document introduces several ways to set up Tomcat for running
on different platforms. Please note that some advanced setup issues
- are not covered here: the full distribution (ZIP file or tarball)
+ are not covered here: the full distribution (ZIP file or tarball)
includes a file called
RUNNING.txt which discusses these issues. We encourage you to refer
to it if the information below does not answer some of your questions.
@@ -47,14 +47,14 @@
<section name="Windows">
<p>
- Installing Tomcat on Windows can be done easily using the Windows
+ Installing Tomcat on Windows can be done easily using the Windows
installer. Its interface and functionality is similar to other wizard
based installers, with only a few items of interest.
</p>
<p>
<ul>
- <li><strong>Installation as a service</strong>: Tomcat will be
+ <li><strong>Installation as a service</strong>: Tomcat will be
installed as a Windows service no matter what setting is selected.
Using the checkbox on the component page sets the service as "auto"
startup, so that Tomcat is automatically started when Windows
@@ -76,19 +76,19 @@
<li>Refer to the
<a href="windows-service-howto.html">Windows Service HOW-TO</a>
for information on how to manage Tomcat as a Windows service.
- </li>
+ </li>
</ul>
</p>
- <p>The installer will create shortcuts allowing starting and configuring
- Tomcat. It is important to note that the Tomcat administration web
+ <p>The installer will create shortcuts allowing starting and configuring
+ Tomcat. It is important to note that the Tomcat administration web
application can only be used when Tomcat is running.</p>
</section>
<section name="Unix daemon">
- <p>Tomcat can be run as a daemon using the jsvc tool from the
+ <p>Tomcat can be run as a daemon using the jsvc tool from the
commons-daemon project. Source tarballs for jsvc are included with the
Tomcat binaries, and need to be compiled. Building jsvc requires
a C ANSI compiler (such as GCC), GNU Autoconf, and a JDK.</p>
@@ -101,10 +101,10 @@
<p>Using the following commands should result in a compiled jsvc binary,
located in the <code>$CATALINA_HOME/bin</code> folder. This assumes
- that GNU TAR is used, and that <code>CATALINA_HOME</code> is an
- environment variable pointing to the base path of the Tomcat
+ that GNU TAR is used, and that <code>CATALINA_HOME</code> is an
+ environment variable pointing to the base path of the Tomcat
installation.</p>
-
+
<p>Please note that you should use the GNU make (gmake) instead of
the native BSD make on FreeBSD systems.</p>
@@ -131,15 +131,15 @@
to using a server VM rather than a client VM. This has been observed on
OSX.</p>
- <p>jsvc has other useful parameters, such as <code>-user</code> which
+ <p>jsvc has other useful parameters, such as <code>-user</code> which
causes it to switch to another user after the daemon initialization is
complete. This allows, for example, running Tomcat as a non privileged
user while still being able to use privileged ports. Note that if you
use this option and start Tomcat as root, you'll need to disable the
<code>org.apache.catalina.security.SecurityListener</code> check that
- prevents Tomcat starting when running as root.</p>
-
- <p><code>jsvc --help</code> will return the full jsvc usage
+ prevents Tomcat starting when running as root.</p>
+
+ <p><code>jsvc --help</code> will return the full jsvc usage
information. In particular, the <code>-debug</code> option is useful
to debug issues running jsvc.</p>
@@ -149,12 +149,12 @@
boot time from <code>/etc/init.d</code>. The file is currently setup for
running Tomcat 5.5.x, so it will be necessary to edit it a little.</p>
- <p>Note that the Commons-Daemon JAR file must be on your runtime classpath
+ <p>Note that the Commons-Daemon JAR file must be on your runtime classpath
to run Tomcat in this manner. The Commons-Daemon JAR file is in the
Class-Path entry of the bootstrap.jar manifest, but if you get a
ClassNotFoundException or a NoClassDefFoundError for a Commons-Daemon
class, add the Commons-Daemon JAR to the -cp argument when launching
- jsvc.</p>
+ jsvc.</p>
</section>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/ssi-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/ssi-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/ssi-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/ssi-howto.xml Thu Nov 10 04:16:47 2011
@@ -211,7 +211,7 @@ Apache Introduction to SSI</a> for more
<tr>
<td>CONTENT_LENGTH</td>
<td>
- The length of the data (in bytes or the number of
+ The length of the data (in bytes or the number of
characters) passed from a form.</td>
</tr>
@@ -246,7 +246,7 @@ Virtual path to the file</td>
<tr>
<td>GATEWAY_INTERFACE</td>
<td>
- The revision of the Common Gateway Interface that the
+ The revision of the Common Gateway Interface that the
server uses if enabled: "CGI/1.1".</td>
</tr>
@@ -313,7 +313,7 @@ The query string that follows the "
<tr>
<td>QUERY_STRING_UNESCAPED</td>
<td>
-Undecoded query string with all shell metacharacters escaped
+Undecoded query string with all shell metacharacters escaped
with "\"</td>
</tr>
<tr>
@@ -380,7 +380,7 @@ with "\"</td>
<tr>
<td>SERVER_SOFTWARE</td>
<td>
- The name and version of the server software that is
+ The name and version of the server software that is
answering the client request.</td>
</tr>
<tr>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/ssl-howto.xml Thu Nov 10 04:16:47 2011
@@ -60,7 +60,7 @@ $JAVA_HOME/bin/keytool -genkey -alias to
<p></p>
and specify a password value of "changeit".</li><br/><br/>
<li>Uncomment the "SSL HTTP/1.1 Connector" entry in
- <code>$CATALINA_BASE/conf/server.xml</code> and modify as described in
+ <code>$CATALINA_BASE/conf/server.xml</code> and modify as described in
the <a href="#Configuration">Configuration section</a> below.</li>
<br/><br/>
</ol>
@@ -212,7 +212,7 @@ Note that OpenSSL often adds readable co
<code>keytool</code>does not support that, so remove the OpenSSL comments if
they exist before importing the key using <code>keytool</code>.
</p>
-<p>To import an existing certificate signed by your own CA into a PKCS12
+<p>To import an existing certificate signed by your own CA into a PKCS12
keystore using OpenSSL you would execute a command like:
<source>openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
-out mycert.p12 -name tomcat -CAfile myCA.crt \
@@ -287,13 +287,13 @@ Tomcat can use two different implementat
</ul>
The exact configuration details depend on which implementation is being used.
The implementation used by Tomcat is chosen automatically unless it is overriden as described below.
-If the installation uses <a href="apr.html">APR</a>
+If the installation uses <a href="apr.html">APR</a>
- i.e. you have installed the Tomcat native library -
-then it will use the APR SSL implementation, otherwise it will use the Java JSSE implementation.
+then it will use the APR SSL implementation, otherwise it will use the Java JSSE implementation.
</p>
<p>
- To avoid auto configuration you can define which implementation to use by specifying a classname
+ To avoid auto configuration you can define which implementation to use by specifying a classname
in the <b>protocol</b> attribute of the Connector.<br/>
To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not do:
<source>
@@ -347,7 +347,7 @@ file installed with Tomcat. For JSSE, i
<source>
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
-<Connector
+<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
@@ -356,15 +356,15 @@ file installed with Tomcat. For JSSE, i
</source>
<p>
The example above will throw an error if you have the APR and the Tomcat Native libraries in your path,
- as Tomcat will try to use the APR connector. The APR connector uses different attributes for
+ as Tomcat will try to use the APR connector. The APR connector uses different attributes for
SSL keys and certificates. An example of an APR configuration is:
<source>
<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
-<Connector
+<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
- SSLCertificateFile="/usr/local/ssl/server.crt"
+ SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1"/>
-->
@@ -412,20 +412,20 @@ contains some troubleshooting tips.</p>
</section>
<section name="Installing a Certificate from a Certificate Authority">
-<p>To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com
+<p>To obtain and install a Certificate from a Certificate Authority (like verisign.com, thawte.com
or trustcenter.de), read the previous section and then follow these instructions:</p>
<subsection name="Create a local Certificate Signing Request (CSR)">
-<p>In order to obtain a Certificate from the Certificate Authority of your choice
-you have to create a so called Certificate Signing Request (CSR). That CSR will be used
-by the Certificate Authority to create a Certificate that will identify your website
+<p>In order to obtain a Certificate from the Certificate Authority of your choice
+you have to create a so called Certificate Signing Request (CSR). That CSR will be used
+by the Certificate Authority to create a Certificate that will identify your website
as "secure". To create a CSR follow these steps:</p>
<ul>
<li>Create a local Certificate (as described in the previous section):
<source>keytool -genkey -alias tomcat -keyalg RSA \
-keystore <your_keystore_filename></source>
Note: In some cases you will have to enter the domain of your website (i.e. <code>www.myside.org</code>)
- in the field "first- and lastname" in order to create a working Certificate.
+ in the field "first- and lastname" in order to create a working Certificate.
</li>
<li>The CSR is then created with:
<source>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
@@ -437,8 +437,8 @@ documentation of the Certificate Authori
</subsection>
<subsection name="Importing the Certificate">
-<p>Now that you have your Certificate you can import it into you local keystore.
-First of all you have to import a so called Chain Certificate or Root Certificate into your keystore.
+<p>Now that you have your Certificate you can import it into you local keystore.
+First of all you have to import a so called Chain Certificate or Root Certificate into your keystore.
After that you can proceed with importing your Certificate.</p>
<ul>
@@ -565,7 +565,7 @@ public class SessionTrackingModeListener
ServletContext context = event.getServletContext();
EnumSet<SessionTrackingMode> modes =
EnumSet.of(SessionTrackingMode.SSL);
-
+
context.setSessionTrackingModes(modes);
}
@@ -574,7 +574,7 @@ public class SessionTrackingModeListener
</p>
<p>Note: SSL session tracking is implemented for the BIO and NIO connectors.
It is not yet implemented for the APR connector.</p>
-
+
</section>
<section name="Miscellaneous Tips and Bits">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/virtual-hosting-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/virtual-hosting-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/virtual-hosting-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/virtual-hosting-howto.xml Thu Nov 10 04:16:47 2011
@@ -41,7 +41,7 @@
</p>
<p>
Also, this how-to uses Unix-style path separators and commands; if you're
- on Windows modify accordingly.
+ on Windows modify accordingly.
</p>
</section>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml Thu Nov 10 04:16:47 2011
@@ -238,7 +238,7 @@ com.sun.security.jgss.krb5.accept {
<li>Pure Java solution</li>
</ul>
</subsection>
-
+
<subsection name="SPNEGO project at SourceForge">
<p>Full details of this solution can be found through the
<a href="http://spnego.sourceforge.net/index.html/">project site</a>. The key
@@ -275,7 +275,7 @@ com.sun.security.jgss.krb5.accept {
<li><a href="http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind">
mod_auth_ntlm_winbind</a> for non-Windows platforms. Known to work with httpd
2.0.x on 32-bit platforms. Some users have reported stability issues with both
- httpd 2.2.x builds and 64-bit Linux builds.</li>
+ httpd 2.2.x builds and 64-bit Linux builds.</li>
</ol>
<p>There are three steps to configuring httpd to provide Windows
authentication. They are:</p>
@@ -293,4 +293,4 @@ com.sun.security.jgss.krb5.accept {
</section>
</body>
-</document>
+</document>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/windows-service-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/windows-service-howto.xml?rev=1200135&r1=1200134&r2=1200135&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/windows-service-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/windows-service-howto.xml Thu Nov 10 04:16:47 2011
@@ -42,9 +42,9 @@
<p>
<b>Tomcat7w</b> is a GUI application for monitoring and configuring Tomcat
services.
-</p>
+</p>
<p>The available command line options are:</p>
-<p>
+<p>
<table>
<tr><th>//ES//</th>
<td>Edit service configuration</td>
@@ -63,7 +63,7 @@
Each command line directive is in the form of <b>//XX//ServiceName</b>
</p>
<p>The available command line options are:</p>
-<p>
+<p>
<table>
<tr><th>//TS//</th>
<td>Run the service as console application</td>
@@ -90,9 +90,9 @@
<tr><th>//DS//</th>
<td>Delete service</td>
<td>Stops the service if running</td>
- </tr>
+ </tr>
</table>
-</p>
+</p>
</section>
<section name="Command line parameters">
<p>
@@ -103,7 +103,7 @@
prefixed with <code>PR_</code> exists it will take precedence.
For example:
<source>set PR_CLASSPATH=xx.jar</source>
-</p>
+</p>
<p>is equivalent to providing
<source>--Classpath=xx.jar</source>
</p>
@@ -112,13 +112,13 @@
PR_JVMMS, PR_JVMMX, PR_JVMSS, PR_STARTPARAMS, PR_STOPPARAMS and
PR_STOPTIMEOUT will not work until this bug is fixed:
<a href="http://issues.apache.org/jira/browse/DAEMON-49">DAEMON-49</a></p>
-<p>
+<p>
<table>
<tr>
<th>ParameterName</th>
<th>Default</th>
<th>Description</th>
- </tr>
+ </tr>
<tr>
<td>--Description</td>
<td></td>
@@ -298,9 +298,9 @@
<td>--StdError</td>
<td></td>
<td>Redirected stderr filename</td>
- </tr>
+ </tr>
</table>
-</p>
+</p>
</section>
<section name="Installing services">
<p>
@@ -314,7 +314,7 @@ a user to use for the installation of th
Account Control (UAC) you must either disable UAC or right-click on cmd.exe and
select "Run as administrator" in order to run this script. If UAC is enabled
neither being logged on with an Administrator account, nor using the
-<code>/user</code> switch is sufficient.
+<code>/user</code> switch is sufficient.
</p>
<p>
<source>
@@ -378,4 +378,4 @@ C:\> tomcat7
</p>
</section>
</body>
-</document>
+</document>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org