tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: I don't understand a recent change released in Tomcat 7.0.70
Date Fri, 24 Jun 2016 15:45:19 GMT

Lyallex,

On 6/24/16 1:30 AM, Lyallex wrote:
> On 23 June 2016 at 19:43, Mark Thomas <markt@apache.org> wrote:
>> On 23/06/2016 17:56, Lyallex wrote:
>>> I'm trying to understand why a recent change in 7.0.70 has been
>>> done the way it has. The change makes absolutely no sense to me
>>> and I need to ask the implementer why in the name of sanity he
>>> did what he did. I'm talking to you markt whoever you are :-)
>>> 
>>> Where should I ask the question? dev list?
>>> 
>>> I couldn't care less how much shouting ensues, I just need to
>>> get some sleep.
>> 
>> How about you cut the attitude and just ask your question?
> 
> OK, I will.
> 
> To give this some context, and with the greatest respect to a
> dedicated committer, none of what follows is intended as criticism;
> it's just that I think the current solution to 59399 needs
> rethinking.
> 
> My commercial site has been up for years, and there are links dating
> back years that refer to the old http scheme. I have no control over
> this, so now, whenever I get a hit from an 'old' link, I need to force
> the switch to https. Lots of sites have this problem and need a
> solution; it has nothing whatsoever to do with databases in any way,
> shape or form.
> 
> So,
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59399
> 
> What has the status code returned when switching from http ->
> https got to do with a Realm?
> 
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
> 
> <cite> "A Realm is a "database" of usernames and passwords that
> identify valid users of a web application .. " </cite>
> 
> Or: What has the status code returned when switching from http -> 
> https got to do with a database of usernames and passwords?
> 
> https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
> 
> JDBCDatabaseRealm
> 
> attribute: transportGuaranteeRedirectStatus
> 
> <cite> The HTTP status code to use when the container needs to
> issue an HTTP redirect to meet the requirements of a configured
> transport guarantee. The provided status code is not validated. If
> not specified, the default value of 302 is used. </cite>
> 
> I just don't get why this is here
> 
> furthermore https://bz.apache.org/bugzilla/show_bug.cgi?id=59399
> 
> <cite> Mark Thomas 2016-06-15 11:12:11 UTC
> 
> This has been implemented as a new option in the Realm and will be
> in:
> - 9.0.x for 9.0.0.M9 onwards
> - 8.5.x for 8.5.4 onwards
> - 8.0.x for 8.0.37 onwards
> - 7.0.x for 7.0.70 onwards
> </cite>
> 
> Which Realm(s)? Only JDBCDatabaseRealm has the attribute
> (transportGuaranteeRedirectStatus), but your comment seems to imply
> that all Realms have it.
> 
> In which case surely it should be a common attribute and (I'm
> guessing here) the functionality should be included in the base
> class for Realm.
> 
> What happens if I don't use JDBCDatabaseRealm? Does that mean I
> can't configure the switchover status code? What happens if I write
> my own Realm?
> 
> In the 'good old days' it was common practice to only switch to
> https during or after signing in to an application; networks were
> slow and encryption takes time. Now networks are faster and the
> overhead isn't such an issue. Entire sites now use the https
> scheme; I know mine does. I can see a situation where, because the
> mighty Google says it must be so, even an entirely static site with
> no database and no manager will be served up under https. How is
> such a site supposed to implement https?
> 
> FYI I have it in black and white, from a Google webmaster forum
> responder, that in the event of a tie between two pages in a
> ranking calculation, the https scheme would produce a ranking
> signal that would elevate the https page above the non https page
> in the resulting rankings.
> 
> Once again, this is not intended as criticism of a dedicated and
> prolific committer.

Wow, what a diatribe. What is necessary?

1. This is a new option which defaults to the previous behavior. This
should literally affect nobody except people who care about it.

2. There is a bug in the documentation which suggests that it's only
available for a single Realm when it is in fact available for all
Realms.

3. You can redirect anything yourself if you want to. The only reason
for the Realm option was because Tomcat itself is issuing this
particular redirect based upon an authentication situation (as defined
by the servlet specification).

4. If you want "easy" redirection from http -> https and you don't
want to write the 5-line Filter to do it for you, use url-rewrite and
set up a rule that redirects all http:// requests to https:// URLs.

And seriously, calm down. You completely lost your mind over a new
configuration option that you misunderstood. You made it sound like we
introduced a breaking change to a product that brought down your whole
enterprise. But the reality is that a relatively benign commit has
completely enraged you for ... what reason exactly?

- -chris
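The "5-line Filter" Chris mentions in point 4, written out as an added example (it is not code from this thread or from Tomcat). It forces every plain-http request onto https and makes the redirect status configurable in the same spirit as the Realm attribute under discussion, defaulting to 302 as Tomcat does. The package name, the init-param names `redirectStatus` and `httpsPort`, and the class name are assumptions of this example; the `javax.servlet` API it uses is the Servlet 3.0 API that Tomcat 7 ships.

```java
package example.web;  // hypothetical package name for this example

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects every plain-http request to the same URL under https.
 *
 * Registered in web.xml (Servlet 3.0 / Tomcat 7) like this:
 *
 *   <filter>
 *     <filter-name>ForceHttps</filter-name>
 *     <filter-class>example.web.ForceHttpsFilter</filter-class>
 *     <init-param>
 *       <param-name>redirectStatus</param-name><param-value>301</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>httpsPort</param-name><param-value>443</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ForceHttps</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ForceHttpsFilter implements Filter {

    /** Same default as Tomcat's transportGuaranteeRedirectStatus: 302 Found. */
    private int redirectStatus = HttpServletResponse.SC_FOUND;

    /** Port of the https connector; only written into the Location URL when it is not 443. */
    private int httpsPort = 443;

    @Override
    public void init(FilterConfig config) throws ServletException {
        redirectStatus = intParam(config, "redirectStatus", redirectStatus);
        httpsPort = intParam(config, "httpsPort", httpsPort);
        // Unlike the Realm attribute, which the docs say is not validated, refuse anything
        // that is not a redirect code so a typo in web.xml fails at startup rather than
        // answering every http request with a non-redirect status.
        if (redirectStatus < 300 || redirectStatus > 399) {
            throw new ServletException("redirectStatus must be a 3xx code, got " + redirectStatus);
        }
    }

    /** Reads an integer init-param, falling back to the default when it is absent. */
    private static int intParam(FilterConfig config, String name, int defaultValue)
            throws ServletException {
        String value = config.getInitParameter(name);
        if (value == null || value.trim().isEmpty()) {
            return defaultValue;
        }
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("init-param " + name + " is not a number: " + value, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true when the request arrived on an https connector, or when a
        // RemoteIpValve/RemoteIpFilter in front of this app marked it secure from the
        // proxy's protocol header. Without that, a TLS-terminating proxy makes every
        // request look like plain http and this filter would loop forever.
        if (request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }

        // Set status and Location by hand instead of sendRedirect(), which always sends 302.
        response.setStatus(redirectStatus);
        response.setHeader("Location", httpsUrl(request, httpsPort));
    }

    /** Builds the https equivalent of the requested URL, keeping host, path and query string. */
    static String httpsUrl(HttpServletRequest request, int httpsPort) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The status code is the part worth deciding deliberately rather than leaving at the default: 302 is what Tomcat sends and what browsers turn into a GET even for a POST; 301 is cached by browsers, so a site that later needs to serve something over plain http cannot easily undo it; 307 and 308 keep the original method and body, which matters if an old http link is a form target. Whichever code is chosen, the Location URL must point at the https scheme only, never back at http, or the filter and the client will redirect each other in a loop.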
