Posted to dev@tomcat.apache.org by Mathias Bachner <ei...@websmart.de> on 2001/01/26 16:22:51 UTC

SSL Session problem with URL Rewriting

Hello Developers,

I have here a little problem with jakarta-tomcat-4.0-b1. I use a Session
to keep track of the user login. For security purposes, I also use
SSL. When I don't use any cookies, everything is ok, as long as I don't
switch over to SSL. When using SSL, encodeURL doesn't append the
SessionID. After some search I found in
org.apache.catalina.connector.HttpResponseBase the reason: the method
isEncodeable sets the Port-Number for the URL to 80, if nothing is
specified, but that is wrong for https. I simply added a small if
statement where I check for https and set the port to 443. But the
question is: Is that correct? For me that seems all ok. Any other ideas?

BTW: Writing the Port-Number in the URL is not acceptable for me. I use
the same pages for SSL and non-SSL.

bye,
Mathias Bachner
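
The port-defaulting problem described in the message above, as an added example that is not part of the original post and is not Tomcat's code. The class, method names, host names and session id are constructed for illustration; the check is a simplified same-server test for absolute URLs only, showing why a default of 80 drops the session id on https links and why the comparison also keeps the id away from other hosts.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class EncodeableCheck {
    // Port a URL refers to when none is written (URI.getPort() returns -1).
    static int effectivePort(URI u, boolean schemeAware) {
        if (u.getPort() != -1) return u.getPort();
        if (!schemeAware) return 80;            // behaviour described in the post
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // True only when target points back at the server that handled the
    // request, so the session id is never appended to a foreign URL.
    static boolean isEncodeable(String scheme, String host, int port,
                                String target, boolean schemeAware) {
        URI u;
        try {
            u = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // This sketch handles absolute URLs only.
        if (u.getScheme() == null || u.getHost() == null) return false;
        return scheme.equalsIgnoreCase(u.getScheme())
                && host.equalsIgnoreCase(u.getHost())
                && port == effectivePort(u, schemeAware);
    }

    static String encodeURL(String scheme, String host, int port, String target,
                            String sessionId, boolean schemeAware) {
        return isEncodeable(scheme, host, port, target, schemeAware)
                ? target + ";jsessionid=" + sessionId
                : target;
    }

    public static void main(String[] args) {
        String sid = "CONSTRUCTED-SESSION-ID";               // constructed value
        String own = "https://shop.example/account";          // same server, no port written
        String other = "https://partner.example/landing";     // different host
        // Request arrived over https on port 443 in all three calls.
        System.out.println(encodeURL("https", "shop.example", 443, own, sid, false));
        System.out.println(encodeURL("https", "shop.example", 443, own, sid, true));
        System.out.println(encodeURL("https", "shop.example", 443, other, sid, true));
    }
}
```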


[PATCH] Ajpv13 read() bug

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
Ajpv13's read() is returning signed data to the servlet.  
This is a problem (especially with, how did you guess,
binary file uploads) because byte 0xFF will be mistaken as EOF.

The solution is to return legal data bytes unsigned by
casting to char.

The 3.3 patch is here-
http://www.apache.org/~keith/jk/signed_error/unsigned33.txt

For details on reproducing the bug and a patch for 3.2:
http://www.apache.org/~keith/jk/signed_error/

Keith
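
The signed-read failure described in the message above, as an added example that is not the linked patch or Tomcat's code. The class names and the sample upload bytes are constructed; the fixed stream uses the `& 0xFF` mask to keep each value in 0..255, in place of the cast the post mentions.

```java
import java.io.IOException;
import java.io.InputStream;

public class SignedReadDemo {
    // Returns the raw signed byte: 0xFF comes back as -1, the EOF marker.
    static class SignedStream extends InputStream {
        private final byte[] buf;
        private int pos;
        SignedStream(byte[] buf) { this.buf = buf; }
        @Override public int read() {
            if (pos >= buf.length) return -1;   // real end of data
            return buf[pos++];                  // sign-extended to int
        }
    }

    // Returns each data byte as 0..255, so -1 can only mean end of data.
    static class UnsignedStream extends InputStream {
        private final byte[] buf;
        private int pos;
        UnsignedStream(byte[] buf) { this.buf = buf; }
        @Override public int read() {
            if (pos >= buf.length) return -1;
            return buf[pos++] & 0xFF;
        }
    }

    // Reads the way a servlet would: until read() reports EOF.
    static int drain(InputStream in) throws IOException {
        int count = 0;
        while (in.read() != -1) count++;
        return count;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a binary upload containing 0xFF mid-stream.
        byte[] upload = {0x42, 0x4D, (byte) 0xFF, 0x10, 0x20};
        System.out.println("signed read consumed   " + drain(new SignedStream(upload))
                + " of " + upload.length + " bytes");
        System.out.println("unsigned read consumed " + drain(new UnsignedStream(upload))
                + " of " + upload.length + " bytes");
    }
}
```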

RE: [PATCH] Ajpv13 webdav support

Posted by James Courtney <ja...@yahoo.com>.
Aha, I see.  I'll look forward to 3.3 then.
Thanks,
	Jamey

-----Original Message-----
From: Keith Wannamaker [mailto:Keith@Wannamaker.org]
Sent: Monday, January 29, 2001 12:54 PM
To: tomcat-dev@jakarta.apache.org
Cc: jamescourtney_1999@yahoo.com
Subject: RE: [PATCH] Ajpv13 webdav support


In 3.2 I don't think this is possible without changing code.
Try searching for ApacheConfig.
In 3.3, the auto-gen classes are now modules to be specified
in server.xml as ContextInterceptors.  Currently only Apache is enabled,
and can be disabled by modifying server.xml.

Keith

-----Original Message-----
From: James Courtney [mailto:jamescourtney_1999@yahoo.com]
Sent: Monday, January 29, 2001 3:44 PM
To: tomcat-dev@jakarta.apache.org
Subject: RE: [PATCH] Ajpv13 webdav support


I know this is rather tangential but I was unaware that it was possible to
turn on and off the auto generation of configuration files by Tomcat.  How
do I control this?
Many thanks,
	Jamey


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org



RE: [PATCH] Ajpv13 webdav support

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
In 3.2 I don't think this is possible without changing code.
Try searching for ApacheConfig.
In 3.3, the auto-gen classes are now modules to be specified
in server.xml as ContextInterceptors.  Currently only Apache is enabled,
and can be disabled by modifying server.xml.

Keith

-----Original Message-----
From: James Courtney [mailto:jamescourtney_1999@yahoo.com]
Sent: Monday, January 29, 2001 3:44 PM
To: tomcat-dev@jakarta.apache.org
Subject: RE: [PATCH] Ajpv13 webdav support


I know this is rather tangential but I was unaware that it was possible to
turn on and off the auto generation of configuration files by Tomcat.  How
do I control this?
Many thanks,
	Jamey


RE: [PATCH] Ajpv13 webdav support

Posted by James Courtney <ja...@yahoo.com>.
I know this is rather tangential but I was unaware that it was possible to
turn on and off the auto generation of configuration files by Tomcat.  How
do I control this?
Many thanks,
	Jamey

-----Original Message-----
From: danmil [mailto:danmil]On Behalf Of Dan Milstein
Sent: Sunday, January 28, 2001 1:40 PM
To: tomcat-dev@jakarta.apache.org
Subject: Re: [PATCH] Ajpv13 webdav support


Keith,

Thanks for all the good work.

A few followups:

1) Which branch. I agree with Marc -- I think we should probably keep this
work on the tomcat HEAD branch (aka TC 3.3).  Admittedly, support for the
WebDAV headers is right on the line between a bug and a feature, but I'm
inclined to be conservative about what we put in TC 3.2.  If anyone feels
differently, please chime in.

2) As the commit message said, I modified your server.xml to turn the
autogeneration of mod_jk.conf *on* by default, because that is how the
mod_jk-howto specifies things.  Just so you know.  If you had some specific
reason for setting things up that way, let me know.

-Dan

Keith Wannamaker wrote:
>
> This is a patch against cvs head to add support to ajpv13
> for webdav methods:
>
> http://www.apache.org/~keith/jk/webdav1.txt
>
> Also, this is a patch against cvs head to update the win32
> project files to reflect the new directory structure:
>
> http://www.apache.org/~keith/jk/win32.txt
>
> I'd be happy to backport both patches back to the 3.2 branch
> if they could get rolled with the pending release of 3.2.2.
>
> Keith
>

--

Dan Milstein // danmil@shore.net



[PATCH] enable Ajpv13 http status text

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
This patch enables ajpv13 http status text
http://www.apache.org/~keith/jk/status.txt

Keith


RE: [PATCH] Ajpv13 webdav support

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
Hi Dan,
Thanks for committing the patches.

|1) Which branch. I agree with Marc -- I think we should probably keep this
|work on the tomcat HEAD branch (aka TC 3.3).  Admittedly, support for the
|WebDAV headers is right on the line between a bug and a feature, but I'm
|inclined to be conservative about what we put in TC 3.2.  If anyone feels
|differently, please chime in.

In case the consensus is to apply to the 3.2 branch, the equivalent patch is
here:
http://www.apache.org/~keith/jk/webdav32.txt

|2) As the commit message said, I modified your server.xml to turn the
|autogeneration of mod_jk.conf *on* by default, because that is how the
|mod_jk-howto specifies things.

No, that sounds good to me.

Keith


Re: [PATCH] Ajpv13 webdav support

Posted by Dan Milstein <da...@shore.net>.
Keith,

Thanks for all the good work.

A few followups:

1) Which branch. I agree with Marc -- I think we should probably keep this
work on the tomcat HEAD branch (aka TC 3.3).  Admittedly, support for the
WebDAV headers is right on the line between a bug and a feature, but I'm
inclined to be conservative about what we put in TC 3.2.  If anyone feels
differently, please chime in.

2) As the commit message said, I modified your server.xml to turn the
autogeneration of mod_jk.conf *on* by default, because that is how the
mod_jk-howto specifies things.  Just so you know.  If you had some specific
reason for setting things up that way, let me know.

-Dan

Keith Wannamaker wrote:
> 
> This is a patch against cvs head to add support to ajpv13
> for webdav methods:
> 
> http://www.apache.org/~keith/jk/webdav1.txt
> 
> Also, this is a patch against cvs head to update the win32
> project files to reflect the new directory structure:
> 
> http://www.apache.org/~keith/jk/win32.txt
> 
> I'd be happy to backport both patches back to the 3.2 branch
> if they could get rolled with the pending release of 3.2.2.
> 
> Keith
> 

-- 

Dan Milstein // danmil@shore.net

[PATCH] ajp13 Apache autoconfig fix

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
This is a patch against cvs head to autogenerate ajpv13
support for Apache, if the ajpv13 module has been loaded.
Also, update server.xml to show ajpv13 support.

http://www.apache.org/~keith/jk/config.txt

Keith


[PATCH] Ajpv13 webdav support

Posted by Keith Wannamaker <Ke...@Wannamaker.org>.
This is a patch against cvs head to add support to ajpv13
for webdav methods:

http://www.apache.org/~keith/jk/webdav1.txt

Also, this is a patch against cvs head to update the win32
project files to reflect the new directory structure:

http://www.apache.org/~keith/jk/win32.txt

I'd be happy to backport both patches back to the 3.2 branch
if they could get rolled with the pending release of 3.2.2.

Keith

Re: SSL Session problem with URL Rewriting

Posted by Mathias Bachner <ei...@websmart.de>.
On Fri, 26 Jan 2001, Craig R. McClanahan wrote:

> Mathias, I just checked in a change to do exactly this, which will show up in
> tonight's nightly build of Tomcat 4.0.  Could you please try it and ensure that
> it fixes your problem?
Tried it. All works fine now. The SessionID gets properly added for SSL
and non-SSL sessions.

Thanks for fast fixing.

Mathias Bachner



Re: SSL Session problem with URL Rewriting

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Mathias Bachner wrote:

> Hello Developers,
>
> I have here a little problem with jakarta-tomcat-4.0-b1. I use a Session
> to keep track of the user login. For security purposes, I also use
> SSL. When I don't use any cookies, everything is ok, as long as I don't
> switch over to SSL. When using SSL, encodeURL doesn't append the
> SessionID. After some search I found in
> org.apache.catalina.connector.HttpResponseBase the reason: the method
> isEncodeable sets the Port-Number for the URL to 80, if nothing is
> specified, but that is wrong for https. I simply added a small if
> statement where I check for https and set the port to 443. But the
> question is: Is that correct? For me that seems all ok. Any other ideas?
>

Mathias, I just checked in a change to do exactly this, which will show up in
tonight's nightly build of Tomcat 4.0.  Could you please try it and ensure that
it fixes your problem?

>
> BTW: Writing the Port-Number in the URL is not acceptable for me. I use
> the same pages for SSL and non-SSL.
>
> bye,
> Mathias Bachner
>

Craig McClanahan


