TomcatExpert

Blogs

Blog : Crawler Session Manager Valve

posted by mthomas on May 18, 2011 07:25 AM

For organizations with large publicly searchable websites, such as e-commerce companies with large product catalogues or companies with active online communities, web crawlers (bots) can trigger the creation of many thousands of sessions as they crawl the site. Because bots normally crawl without sending cookies or session IDs, each page crawled can create a new session, which, depending on the size of the site, may consume significant memory. New in Apache Tomcat 7, the Crawler Session Manager Valve ensures that a crawler is associated with a single session, just like a normal user, regardless of whether it sends a session token with its requests.

A Relevant Example

One of the roles I play in the Apache Tomcat project is managing the issues.apache.org servers which run the two Apache issue trackers we have—two instances of Bugzilla and one instance of JIRA. Not surprisingly, JIRA runs on Tomcat. A few months ago, while looking at the JIRA management interface, I noticed that we were seeing around 100,000 concurrent sessions. Given that there are only 60,000 registered users and fewer than 5,000 active users in any month, this number appeared extremely inflated.

After a bit of investigation, the access logs revealed that when many of the web crawlers (e.g., googlebot, bingbot) were crawling the JIRA site, they were creating a new session for every request. For our JIRA instance, this meant that about 95% of the open sessions were left over from a bot making a single request. For instance, a bot requesting 100 pages would open 100 sessions. Each of these sessions would hang around in memory for about 4 hours, consuming tremendous memory resources on the server.
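As an added example (not from the post), the server.xml fragment below enables the valve for every web application under a Host. The attribute names are the valve's own; the Host attributes are the Tomcat defaults and the user-agent pattern is the valve's default, shown here so it can be tuned.

```xml
<!-- Added example: server.xml fragment enabling the Crawler Session Manager Valve.
     The valve matches the User-Agent header against crawlerUserAgents. A matching
     request that carries no session is attached to the session already created for
     the same client IP instead of getting a fresh one, and that session's inactivity
     timeout is capped at sessionInactiveInterval seconds (60 here) instead of the
     web application's default, so bot sessions expire in about a minute rather than
     lingering for hours. The valve can also be placed inside an Engine or Context. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <Valve className="org.apache.catalina.valves.CrawlerSessionManagerValve"
         crawlerUserAgents=".*[bB]ot.*|.*Yahoo! Slurp.*|.*Feedfetcher-Google.*"
         sessionInactiveInterval="60" />

</Host>
```

A quick way to confirm the valve is taking effect is to compare the active session count in the Manager application before and after a crawl; with the valve in place each bot IP should hold at most one session.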

Developers, Operations | JIRA, Tomcat 7, Tomcat Admin

Blog : Apache Tomcat 7.0.14 Released

posted by Stacey Schneider on May 13, 2011 08:43 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.14.

Apache Tomcat 7.0.14 includes bug fixes and the following new features compared to version 7.0.12:

  • new StuckThreadDetectionValve to identify long running requests
  • JAAS authentication support for the JMXRemoteLifecycleListener
  • updated MIME type mappings to align with those of Apache httpd

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Executives | Tomcat 7

Blog : Cross-Site Request Forgery

posted by mthomas on May 9, 2011 07:08 AM

Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is another type of malicious exploit of websites that the Apache Tomcat community has addressed in the Apache Tomcat 7 release process. Unlike cross-site scripting, where the attacker exploits the trust users have in a particular site, CSRF exploits the trust that a site has in a user's browser. The new CSRF protection guards Apache Tomcat Manager and Apache Tomcat Host Manager directly, and also provides a CSRF Prevention Filter that applications running on Tomcat can use.

A Simple Example

A system administrator connects to a Tomcat instance and logs into the Tomcat Manager application. The admin performs routine tasks such as deploying a web application, checking the status of another application and upgrading a third. The administrator then leaves Tomcat Manager and goes to browse the web. One of the sites visited contains malicious code, in a link or a Flash file, that tricks the browser into making a request to Tomcat Manager. Because the admin's Tomcat Manager session has not yet expired, the browser sends the session cookie along with that request and Tomcat processes it as if the administrator had made it. This is effectively a large back door into the system administrator's Tomcat instances.

Attacks of this kind are not limited to administrators and taking down websites: applications that run on Tomcat, such as banking applications, are vulnerable to the same technique. See the article on CSRF from the Open Web Application Security Project (OWASP) for more detail.

Operations, Security | CSRF, Tomcat 7, Tomcat Host Application

Blog : Session Fixation Protection

posted by mthomas on April 25, 2011 06:30 AM

A common practice in email marketing is to give users custom links that take them straight to their own account, reducing the number of steps needed to sign up for additional services or to correct outdated or invalid account information. This is good for the company's relationship with its customers; however, it is also fairly easy to exploit.

A simple scenario

Mary and Bob both have accounts with the same bank. Mary is not very internet savvy; Bob is. Bob sends Mary a link that is plainly their bank's address with a session ID attached (http://www.foobank.com/?SID=BOB_KNOWS_THE_ID). Mary sees that it is one of the bank's URLs, clicks it, and logs in with her username and password. As soon as she does, Bob can click the same link; the session is now authenticated, so he has full access to all her account information and money!

There are more complex scenarios documented across the web; some additional easy-to-understand examples can be found on Wikipedia. The reality is that there are several things Mary could do to educate and protect herself, but consumers are hard to educate perfectly. In turn, companies—especially ones that rely on authenticated sessions to serve their customers—must protect their customers from these types of attacks.

Security | Tomcat 6, Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.12 Released

posted by Stacey Schneider on April 6, 2011 11:20 AM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.12.

Apache Tomcat 7.0.12 includes bug fixes and the following new features compared to version 7.0.12:

  • initial support for SPNEGO/Kerberos authentication (also referred to as Windows authentication);
  • provide a new configuration option to define a close method to call on a JNDI resource when it is no longer required;
  • optional support for pre-emptive authentication.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Known issues:

  • HTTP pipelining is likely to fail with 505 errors with the HTTP BIO connector (bug 50957). The other connectors (HTTP NIO, HTTP APR/native, AJP BIO & AJP APR/native) are not affected.

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Operations | Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.11 Released

posted by Stacey Schneider on March 11, 2011 09:17 AM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.11.

Apache Tomcat 7.0.11 is primarily a security fix release with a small number of additional bug fixes compared to 7.0.10.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Security | Tomcat 7

Blog : Apache Tomcat 7.0.10 Released

posted by Stacey Schneider on March 8, 2011 02:10 PM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.10.

Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.8.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers | Tomcat 7

Blog : Apache Tomcat 7.0.8 Released

posted by Stacey Schneider on February 7, 2011 08:24 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.8.

Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.6.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Executives | Tomcat 7

Blog : Apache Tomcat 6.0.32 Released

posted by Stacey Schneider on February 3, 2011 09:28 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.32 stable.

Apache Tomcat 6.0.32 is primarily a security and bug fix release. All users of older versions of the Tomcat 6.0 family should upgrade to 6.0.32.

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Executives | Tomcat 6

Blog : Cross-site Scripting (XSS) Prevention in Apache Tomcat 7

posted by mthomas on January 26, 2011 07:28 AM

Cross-site scripting (XSS) is the leading form of security vulnerability in web applications today. The vulnerability exists when attackers are able to inject client-side script into web pages, so that the browser runs the attacker's script with the trust it extends to the site. These scripts typically access user and session information stored in cookies, allowing attackers to forge trusted user behaviour. The result can let an attacker take control of your user account, change your account settings, or redirect web traffic to malicious or false advertising sites. Recently there has been an increase in high-profile cross-site scripting attacks on sites such as Twitter and IBM's DeveloperWorks, which illustrates how common these vulnerabilities are on websites both large and small.

Because cross-site scripting is such a significant and universal threat (a few cross-site scripting issues have been fixed in Tomcat 7 itself), an unofficial extension to the cookie specifications, HttpOnly cookies, has been introduced to combat it. Although unofficial, it is widely supported. The feature reduces the risk from these vulnerabilities by preventing client-side scripts from reading cookies that carry the HttpOnly flag.

Security | Cross-site Scripting, security, Tomcat 7
