Return-Path: Delivered-To: apmail-jakarta-watchdog-dev-archive@apache.org Received: (qmail 55118 invoked from network); 25 Sep 2002 02:00:26 -0000 Received: from unknown (HELO nagoya.betaversion.org) (192.18.49.131) by daedalus.apache.org with SMTP; 25 Sep 2002 02:00:26 -0000 Received: (qmail 2022 invoked by uid 97); 25 Sep 2002 02:01:13 -0000 Delivered-To: qmlist-jakarta-archive-watchdog-dev@jakarta.apache.org Received: (qmail 1975 invoked by uid 97); 25 Sep 2002 02:01:12 -0000 Mailing-List: contact watchdog-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Watchdog Developers List" Reply-To: "Watchdog Developers List" Delivered-To: mailing list watchdog-dev@jakarta.apache.org Received: (qmail 1957 invoked by uid 98); 25 Sep 2002 02:01:11 -0000 X-Antivirus: nagoya (v4218 created Aug 14 2002) Message-ID: <3D911882.3D21E063@acm.org> Date: Tue, 24 Sep 2002 18:59:30 -0700 From: Jason Hunter X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Watchdog Developers List Subject: Re: Testing SRV 4.7 (SSL Attributes) References: <3D90F034.7F3F8C8A@acm.org> <3D91026A.9090405@notshabby.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N Thanks for the fast response, Ryan. Here's how I read the spec. Simple servlet containers (outside J2EE) aren't required to support SSL/HTTPS. However *if a container does choose to support SSL/HTTPS* then they're required to expose those attributes. Per SRV.4.7: "If a request has been transmitted over a secure protocol, such as HTTPS, this information must be exposed via the isSecure method of the ServletRequest interface. The web container must expose the following attributes to the servlet programmer: ..." So the rule for implementors is either (a) don't do SSL or (b) do it correctly. I don't think it's appropriate to assume that since something is optional then we shouldn't test that when present the item behaves as it should. In fact, I think it's entirely within Watchdog's (and the TCK's) current goals to ensure that the spec is followed. Otherwise anything optional in a JSR is unlikely to work when present. Here's pseudocode: 1) Try to connect using HTTPS 2) If fails, return OK 3) If succeeds, check attributes 4) If attributes correct, return OK 5) If attributes incorrect, return FAIL In reality the it may need to be the docs that say, "If you support HTTPS then run this test to make sure you support it fully" in order to satisfy lines 1 and 2. Thoughts, Ryan? -jh- Ryan Lubke wrote: > > Jason, > > The official TCK (and Watchdog) do not perform any SSL testing as this > is not a requirement of Servlet containers unless they are a part of a > J2EE environment. Please reference the following sections in the > 2.3/2.4 specifications: > > Servlet 2.3/2.4 > ---------------- > SRV.1.2 > SRV.12.5.4 > > Watchdog could potentially add these sort of tests as it's not an > official TCK, however, I think that would defeat the original idea > behind Watchdog. Of course that doesn't mean a particular projects > goals cannot change. > > -rl > > Jason Hunter wrote: > > >Hi all, > > > >It's come to my attention that most servlet container vendors totally > >ignore the requirements laid out Servlet API 2.3 SRV 4.7. These > >requirements are to expose various attributes of an SSL connection via > >the javax.servlet.request.cipher_suite, javax.servlet.request.key_size, > >and javax.servlet.request.X509Certificate request attributes. > > > >My theory is that server vendors don't support this requirement because > >Watchdog (and presumably the official TCK) don't actually check it, thus > >giving server vendors a false sense of compatibility. Whether my > >theory's true or not, I'm confident that if Watchdog (and thus the > >official TCK) started checking this requirement then soon enough all > >servlet container vendors would support it. I think that's pretty > >important because banks and such need access to these attributes to > >ensure a secure connection. > > > >To that end, I'd like to get a sense of the thoughts here for if > >Watchdog can add these sorts of tests. I don't actually see any > >SSL-based tests happening right now, but perhaps I'm not looking in the > >right place. Was that intentional, because of the difficulty setting up > >an SSL server? Is there another reason not to test for the SSL-related > >requirements? How much work would it be to add SSL-related testing? > >I'm happy to help to the extent I have time, but would appreciate > >hearing the conventional wisdom surrounding these issues. > > > >-jh- > > > >-- > >To unsubscribe, e-mail: > >For additional commands, e-mail: > > > > > > > >. > > > > > > > > -- > To unsubscribe, e-mail: > For additional commands, e-mail: -- To unsubscribe, e-mail: For additional commands, e-mail: