From: André Warnier <aw@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Date: Thu, 09 Dec 2010 19:50:11 +0100
Subject: Re: enforcing SSL only for external clients
Message-ID: <4D0124E3.70301@ice-sa.com>
In-Reply-To: <4D010AFE.9090105@christopherschultz.net>
References: <4CFE8A8C.9000102@ice-sa.com> <4CFEB6F3.1000509@ice-sa.com> <99C8B2929B39C24493377AC7A121E21F9A09B2F087@USEA-EXCH8.na.uis.unisys.com> <4CFFD13E.5060605@christopherschultz.net> <4D00003C.8020806@ice-sa.com> <4D000337.9080905@christopherschultz.net> <4D000D8F.4030406@ice-sa.com> <4D010AFE.9090105@christopherschultz.net>

Christopher,

Christopher Schultz wrote:
> André,
>
> On 12/8/2010 5:58 PM, André Warnier wrote:
>> If we are talking about a standard web application using a standard HTML
>> interface and standard browsers, then such an upload would be triggered
>> by a POST from an HTML form with a in it, right?
>> If the upload URL (target of the form) is not within the HTTPS protected
>> part, then anyone could access it and post a huge file to your site, no?
>> That may cause more stress on your server than doing this via HTTPS
>> ever would.
>
> Here's the bad news: this can happen anyway. If I initiate an upload to
> your webapp via HTTPS -- even if I don't have a session -- I can still
> waste a lot of resources.
>
> I haven't confirmed this myself -- someone hopefully will -- but Tomcat
> will consume the entire request body before closing the connection from
> the client.

Assume that the upload URL in question is handled by an application requiring HTTPS. And assume that the web application requires some form of user authentication.

Are you telling me that if a user connects for the first time to the site using this "upload URL", Tomcat is going to read the entire POST request prior to checking if this user is authenticated?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
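As an added illustration (not code from this thread or from Tomcat itself): a servlet filter that decides on an anonymous POST to the upload URL from its Content-Length header alone, so the application never reads the body. The class name, the /upload mapping and the 1 MiB limit are placeholders, and getUserPrincipal() assumes container-managed authentication; whether Tomcat still drains the body after this early response is exactly the question the message above asks, and the filter does not change that.

```java
// Added example: reject an oversized POST from an unauthenticated client before the
// application touches the request body. Map it to the upload URL (e.g. /upload) in web.xml.
// Assumes the javax.servlet API of Tomcat 6/7; the limit below is a placeholder.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UnauthenticatedUploadFilter implements Filter {
    // Largest body an unauthenticated client may send to the upload URL (placeholder value).
    private static final long MAX_ANON_BODY = 1024L * 1024L;

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        if (shouldReject(http.getMethod(), http.getUserPrincipal() != null,
                         http.getHeader("Content-Length"), http.getHeader("Transfer-Encoding"))) {
            // Decided from headers only: nothing of the body has been read by the application.
            // The container's own handling of the unread body is outside this filter's control.
            out.setHeader("Connection", "close");
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Pure decision, kept separate so it can be unit-tested without a container. */
    static boolean shouldReject(String method, boolean authenticated,
                                String contentLength, String transferEncoding) {
        if (authenticated || !"POST".equalsIgnoreCase(method)) return false;
        // A chunked body declares no length: treat it as unbounded for anonymous callers.
        if (transferEncoding != null) return true;
        if (contentLength == null) return false;          // no body at all
        try {
            return Long.parseLong(contentLength.trim()) > MAX_ANON_BODY;
        } catch (NumberFormatException e) {
            return true;                                   // malformed length: refuse, don't guess
        }
    }
}
```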