Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2019/10/07 14:54:30 UTC

[PROPOSAL] Tomcat 10: Remove WebDAV

All,

I recently gave a presentation on locking-down Apache Tomcat[1] and I
briefly discussed the "sharp edges" present in Tomcat. Some of them
are unnecessarily sharp and may be actually unnecessary. I'm going to
make a few proposals to remove functions from Tomcat.

Proposal: Remove WebDAV

Justification:

WebDAV is a protocol that never really took off[2]. Read-only WebDAV
can practically be replaced by standard HTTP GET and read-write WebDAV
has a host of security problems. There are better solutions to
supporting WebDAV than using the Tomcat module.

A recent search of the users mailing list shows only 10 threads
regarding WebDAV in the past 6 years.

- -chris


[1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
[2] And yet I love WebDAV very much and wish it had better support on
Windows


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Konstantin Kolinko <kn...@gmail.com>.
Mon, 7 Oct 2019 at 17:54, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove WebDAV
>
> Justification:
>
> WebDAV is a protocol that never really took off[2]. Read-only WebDAV
> can practically be replaced by standard HTTP GET and read-write WebDAV
> has a host of security problems.

My preference is to keep the WebDAV Servlet:

1) It is a good example of HTTP protocol beyond standard HTTP.
2) There exist third-party test suites for this protocol.
3) It is tightly coupled with DefaultServlet and Tomcat internals
(resources management layer).

4) There are no security issues with read-write WebDAV as far as I know.
Enabling write (HTTP PUT) on the DefaultServlet will have the same
consequences. You have to authenticate your clients.

I am using WebDAV on some Apache HTTPD servers with mod_dav.
I planned to use WebDAV on some Tomcat servers but I ended up with a
configuration where DefaultServlet displays the files and upload and
management of the files is performed via SSH/SCP.

Best regards,
Konstantin Kolinko
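As an added example (not code from the thread or from the Tomcat distribution), here is a Servlet 4.0 (Tomcat 9) context web.xml that keeps the WebDAV servlet read-write but, as Konstantin says you have to, authenticates the writing clients; the read-only setting is shown beside it. The /dav/* mapping, the dav-editor role name and BASIC login over TLS are assumptions, and the Realm that defines the role is configured elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Assumed: /dav/* mapping,
     role "dav-editor", BASIC auth; a Realm defining the role is
     configured in server.xml or context.xml (not shown). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">

  <!-- readonly=true rejects PUT/DELETE and the other writing methods
       with 403; readonly=false needs the constraint further down. -->
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value> <!-- true = read-only WebDAV -->
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/dav/*</url-pattern>
  </servlet-mapping>

  <!-- With readonly=false every writing method must sit behind a role.
       Listing only PUT, DELETE, MKCOL... would leave unlisted methods
       uncovered, so omit the read methods instead: all else is covered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebDAV write access</web-resource-name>
      <url-pattern>/dav/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
      <http-method-omission>OPTIONS</http-method-omission>
      <http-method-omission>PROPFIND</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dav-editor</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends credentials in the clear otherwise -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebDAV</realm-name>
  </login-config>
  <security-role>
    <role-name>dav-editor</role-name>
  </security-role>
</web-app>
```

The same readonly and security-constraint pattern applies to DefaultServlet, which is Konstantin's point: enabling PUT there has the same consequences and needs the same authentication.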



Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Mark Thomas <ma...@apache.org>.
On 09/10/2019 21:42, Michael Osipov wrote:
> On 2019-10-09 at 21:35, Christopher Schultz wrote:

<snip/>

>>> The only drawback I see with the current servlet is that I cannot
>>> have arbitrary paths of my context served by this servlet. It
>>> serves either the entire app or nothing. That's why I have resorted
>>> to mod_dav.
>>
>> Okay, so someone who really wants to make DAV work has decided that
>> Tomcat's implementation won't cut it. I feel that as further evidence
>> that Tomcat's implementation can just die.
> 
> As you might know, people will only complain when something is
> gone/broken and not when it is working well.

If arbitrary path mapping would be useful then please add that as an
enhancement to Bugzilla. From memory, the path handling for WebDav is
"interesting" so I'm not sure how easy this would be to implement.

Mark



Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Michael Osipov <mi...@apache.org>.
On 2019-10-09 at 21:35, Christopher Schultz wrote:
> Michael,
> 
> On 10/9/19 11:36, Michael Osipov wrote:
>> On 2019-10-07 at 16:54, Christopher Schultz wrote:
> Or, since svn is HTTP, you can just use plain-old HTTP. Besides,
> mod_dav_svn doesn't work with Tomcat.

Again, plain HTTP != WebDAV.

>>> Read-only WebDAV can practically be replaced by standard HTTP GET
>>>
>>
>> No, it can't. You can't list collections with multistatus w/o
>> WebDAV.
> 
> Meh.
> 
>>> and read-write WebDAV has a host of security problems. There are
>>> better solutions to supporting WebDAV than using the Tomcat
>>> module.
>>
>> Which are? Milton.io?
> 
> How about mod_dav and friends?

I was thinking about a Java-based solution in Tomcat, at best with Spring
to fully reuse my authnz code. I don't run HTTPd if it is not strictly
necessary. Tomcat just performs perfectly well for dynamic, static and
transport-encrypted content.

>> The only drawback I see with the current servlet is that I cannot
>> have arbitrary paths of my context served by this servlet. It
>> serves either the entire app or nothing. That's why I have resorted
>> to mod_dav.
> 
> Okay, so someone who really wants to make DAV work has decided that
> Tomcat's implementation won't cut it. I feel that as further evidence
> that Tomcat's implementation can just die.

As you might know, people will only complain when something is 
gone/broken and not when it is working well.

>>> A recent search of the users mailing list shows only 10 threads
>>> regarding WebDAV in the past 6 years.
>>
>> Maybe people are just happy with the servlet?
> 
> People are super happy with the TLS implementation and ask about it
> all the time.

Because encryption is complex...



Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Michael,

On 10/9/19 11:36, Michael Osipov wrote:
> On 2019-10-07 at 16:54, Christopher Schultz wrote:
>>
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1]
>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>> of them are unnecessarily sharp and may be actually unnecessary.
>> I'm going to make a few proposals to remove functions from
>> Tomcat.
>>
>> Proposal: Remove WebDAV
>>
>> Justification:
>>
>> WebDAV is a protocol that never really took off[2].
>
> From where do you take this? We, at work, use it all the time.
> Either from Sharepoint, or a new project with mod_dav.

Just because you use it doesn't mean it's widely-used. We use it at
$work as well, and it's a giant pain in the neck for anyone using a
Windows operating system. Linux and MacOS are totally fine, but we
have to buy a separate product to get Windows clients working
properly, and it's not super reliable.

> Another great example is mod_dav_svn. You can access your repo with
> any DAV client (except crappy Windows Explorer).

Or, since svn is HTTP, you can just use plain-old HTTP. Besides,
mod_dav_svn doesn't work with Tomcat.

>> Read-only WebDAV can practically be replaced by standard HTTP GET
>>
>
> No, it can't. You can't list collections with multistatus w/o
> WebDAV.

Meh.

>> and read-write WebDAV has a host of security problems. There are
>> better solutions to supporting WebDAV than using the Tomcat
>> module.
>
> Which are? Milton.io?

How about mod_dav and friends?

> The only drawback I see with the current servlet is that I cannot
> have arbitrary paths of my context served by this servlet. It
> serves either the entire app or nothing. That's why I have resorted
> to mod_dav.

Okay, so someone who really wants to make DAV work has decided that
Tomcat's implementation won't cut it. I feel that as further evidence
that Tomcat's implementation can just die.

>> A recent search of the users mailing list shows only 10 threads
>> regarding WebDAV in the past 6 years.
>
> Maybe people are just happy with the servlet?

People are super happy with the TLS implementation and ask about it
all the time.

- -chris



Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Michael Osipov <mi...@apache.org>.
On 2019-10-07 at 16:54, Christopher Schultz wrote:
> All,
> 
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
> 
> Proposal: Remove WebDAV
> 
> Justification:
> 
> WebDAV is a protocol that never really took off[2].

From where do you take this? We, at work, use it all the time. Either
from Sharepoint, or a new project with mod_dav.

Another great example is mod_dav_svn. You can access your repo with any
DAV client (except crappy Windows Explorer).

> Read-only WebDAV
> can practically be replaced by standard HTTP GET 

No, it can't. You can't list collections with multistatus w/o WebDAV.

> and read-write WebDAV
> has a host of security problems. There are better solutions to
> supporting WebDAV than using the Tomcat module.

Which are? Milton.io?

The only drawback I see with the current servlet is that I cannot have 
arbitrary paths of my context served by this servlet. It serves either 
the entire app or nothing. That's why I have resorted to mod_dav.

> A recent search of the users mailing list shows only 10 threads
> regarding WebDAV in the past 6 years.

Maybe people are just happy with the servlet?

Michael



Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Oct 7, 2019 at 5:05 PM Mark Thomas <ma...@apache.org> wrote:

> > All,
> >
> > I recently gave a presentation on locking-down Apache Tomcat[1] and I
> > briefly discussed the "sharp edges" present in Tomcat. Some of them
> > are unnecessarily sharp and may be actually unnecessary. I'm going to
> > make a few proposals to remove functions from Tomcat.
> >
> > Proposal: Remove WebDAV
> >
> > Justification:
> >
> > WebDAV is a protocol that never really took off[2]. Read-only WebDAV
> > can practically be replaced by standard HTTP GET and read-write WebDAV
> > has a host of security problems. There are better solutions to
> > supporting WebDAV than using the Tomcat module.
> >
> > A recent search of the users mailing list shows only 10 threads
> > regarding WebDAV in the past 6 years.
>
> I'm not so sure on this one. There are times when being able to set up a
> platform independent read/write file share can be useful. Generally,
> inside trusted environments.
>

I'd also think WebDAV support can stay.
If the protocol wasn't a bigger success it's IMO all Microsoft's fault,
since they insist(ed) on having non-compliant impls. So using it in
practice has always been harder for users. It should have been better
overall since WebDAV (and extensions) are HTTP and benefit from all the
security layers and ease of use there.

Rémy


>
> Mark
>

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Posted by Mark Thomas <ma...@apache.org>.
> All,
> 
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
> 
> Proposal: Remove WebDAV
> 
> Justification:
> 
> WebDAV is a protocol that never really took off[2]. Read-only WebDAV
> can practically be replaced by standard HTTP GET and read-write WebDAV
> has a host of security problems. There are better solutions to
> supporting WebDAV than using the Tomcat module.
> 
> A recent search of the users mailing list shows only 10 threads
> regarding WebDAV in the past 6 years.

I'm not so sure on this one. There are times when being able to set up a
platform independent read/write file share can be useful. Generally,
inside trusted environments.

Mark
