DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685

--- Comment #19 from Michael Osipov <1983-01...@gmx.net> 2011-03-23 05:21:42 EDT ---

Created an attachment (id=26792)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26792)
Complete SPNEGO Authenticator and Active Directory Realm

This is our minimal implementation of SpnegoAuthenticator (less than 200 lines) and Active Directory Realm. It requires only Java 6 to run, due to its SPNEGO support. All authentication is done through Kerberos, for the Active Directory too. Adapt the classes to your Tomcat namespace.

I hereby grant a full ASLv2 license to the Apache Foundation to integrate the source into Tomcat. If you need any changes, please tell.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685

--- Comment #20 from Mark Thomas 2011-03-23 05:34:51 EDT ---

I haven't looked at this yet, but I just wanted to say thank you and let you know this is on the radar. Personally, I'm snowed under with other stuff at the minute, but I will get to this as soon as I can, unless one of the other committers beats me to it.

Thanks again.
DO NOT REPLY [Bug 50958] New: ISAPI HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=50958

Summary: ISAPI HTTP Response Splitting Vulnerability
Product: Tomcat Connectors
Version: 1.2.31
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: isapi
AssignedTo: dev@tomcat.apache.org
ReportedBy: vkhle...@gmail.com

Created an attachment (id=26793)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26793)
Contains test WAR and ISAPI config files

The ISAPI plugin seems to be vulnerable to HTTP response splitting attacks. The plugin code doesn't filter CRLFs from response header values before the response is sent to the client. Tomcat replaces CRLFs with spaces when accessed directly through an HTTP connector. I suggest the ISAPI plugin does the same.

The test application in the attachment demonstrates the attack. It contains a simple JSP that sets a special header value that breaks the HTTP response structure. To run the test app, extract the attached zip file, deploy the WAR to Tomcat, and use the included config files for the ISAPI plugin. Once done, browse to http://localhost/response-splitting

If the message "Please enter password" with a text box is displayed, the exploit has worked. Compare that to the response you get by browsing to Tomcat directly (i.e. a blank page).

The test app uses a hard-coded header value, but it's easy to imagine that the value could come from an untrusted source, like a request parameter.
[POOL] Ready for 1.5.6
Phil,

I believe all the pool issues for 1.5.x have been resolved. Over to you... :)

Mark
Re: [POOL] Ready for 1.5.6
On 23/03/2011 19:33, Mark Thomas wrote:
> Phil,
>
> I believe all the pool issues for 1.5.x have been resolved. Over to
> you... :)

Grr. Wrong list. Sorry for the noise.

Mark
DO NOT REPLY [Bug 47242] request for AJP command line client
https://issues.apache.org/bugzilla/show_bug.cgi?id=47242

--- Comment #16 from Rebeccah 2011-03-23 20:42:30 EDT ---

Rainer, Chamith, any update on when this patch will be incorporated into JMeter? As of JMeter 2.4, the header parsing exception mentioned in comment 6 is occurring in the AjpSampler, preventing me from doing the testing I want to do. I logged Bug 50963 before I realized it was the same exception.

Thanks,

Rebeccah
DO NOT REPLY [Bug 47242] request for AJP command line client
https://issues.apache.org/bugzilla/show_bug.cgi?id=47242

--- Comment #17 from Bill Barker 2011-03-23 21:22:05 EDT ---

(In reply to comment #16)
> Rainer, Chamith, any update on when this patch will be incorporated into
> JMeter? As of JMeter 2.4, the header parsing exception mentioned in comment 6
> is occurring in the AjpSampler, preventing me from doing the testing I want to
> do. I logged Bug 50963 before I realized it was the same exception.
>
> Thanks,
>
> Rebeccah

Of the people that have replied here, I believe that only Sebb has karma to fix JMeter. So you are better off posting to Bug 50963 to get JMeter fixed.
DO NOT REPLY [Bug 47242] request for AJP command line client
https://issues.apache.org/bugzilla/show_bug.cgi?id=47242

--- Comment #18 from Sebb 2011-03-23 21:54:49 EDT ---

Bug 50963 has just been fixed.

What I would like to see is an AJP client jar which includes methods for generating requests and parsing responses. Then JMeter and other applications can make use of the same code.

Does that sound reasonable? Any takers to define an API?