Apache Tomcat Maven Plugin
MTOMCAT-108

The httpsPort flag starts another http thread not an https thread

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-beta-1
    • Fix Version/s: 2.0-beta-1
    • Component/s: tomcat7
    • Labels:
      None
    • Environment:
      Mac OSX 10.6.8

      Description

      When you run the executable war, the httpsPort flag starts an http protocol listener thread on the port listed, not an https protocol listener.

      1. https.patch
        11 kB
        Brad Giaccio
      2. https.patch
        11 kB
        Brad Giaccio

        Activity

        Keith Corbin added a comment -

        My bad, I was looking at the old repo location.
        --Keith

        On Wed, Dec 21, 2011 at 1:51 PM, Olivier Lamy (Commented) (JIRA) <

        Olivier Lamy (*$^¨%`£) added a comment - http://tomcat.apache.org/maven-plugin-2.0-SNAPSHOT/snapshot-test.html says https://repository.apache.org/content/groups/snapshots-group
        Brad Giaccio added a comment -

        @Keith what repository are you looking in? https://repository.apache.org/content/groups/snapshots-group/org/apache/tomcat/maven/tomcat7-war-runner/2.0-SNAPSHOT/
        The files from Tue Dec 20 00:16:29 UTC 2011, the ones after that (i.e. today) appear to have fixes for MTOMCAT-110 and MTOMCAT-111 as well

        Keith Corbin added a comment -

        @Olivier. Sorry, I meant when will it be available in the SNAPSHOT? Currently the SNAPSHOT is showing a last build date of November 11th, 2011.

        Olivier Lamy (*$^¨%`£) added a comment -

        @Keith until a release
        Currently you can use 2.0-SNAPSHOT to test.
        see http://tomcat.apache.org/maven-plugin-2.0-SNAPSHOT/snapshot-test.html

        Keith Corbin added a comment -

        How long will it take for this to make its way to the Maven repo?

        Hudson added a comment -

        Integrated in TomcatMavenPlugin #75 (See https://builds.apache.org/job/TomcatMavenPlugin/75/)
        MTOMCAT-108 The httpsPort flag starts another http thread not an https thread
        Submitted by Brad Giaccio.

        olamy : http://svn.apache.org/viewvc/?view=rev&rev=1221023
        Files :

        • /tomcat/maven-plugin/trunk/tomcat7-war-runner/src/main/java/org/apache/tomcat/maven/runner/PasswordUtil.java
        • /tomcat/maven-plugin/trunk/tomcat7-war-runner/src/main/java/org/apache/tomcat/maven/runner/Tomcat7Runner.java
        • /tomcat/maven-plugin/trunk/tomcat7-war-runner/src/main/java/org/apache/tomcat/maven/runner/Tomcat7RunnerCli.java
        Olivier Lamy (*$^¨%`£) added a comment -

        Applied.
        SNAPSHOT will be deployed by Jenkins build.
        Reopen if any issues.
        Thanks for the patch!

        Brad Giaccio added a comment -

        1. Cleaned up formatting

        2. Added a @see to PasswordUtil pointing back to Jetty Source

        3. Will apply cleanly after your patch to MTOMCAT-109

        Brad Giaccio added a comment -

        Reading plain text from a file wouldn't help; the security scan software would still find it. It needs to be non-human-readable.

        The code http://grepcode.com/file_/repo1.maven.org/maven2/org.mortbay.jetty/jetty/6.1.11/org/mortbay/jetty/security/Password.java/?v=source
        uses the Apache 2.0 License, which says I can reuse the code, and I just put your style of comment in the header so it would match the rest of your code.

        Olivier Lamy (*$^¨%`£) added a comment -

        Why not read the password from a file?
        And -httpsPasswordFile= (the file will contain only the password)
        This comment "Lifted from Jetty org.mortbay.jetty.security.Password" can/will lead to some IP issues.
        With such a source code import, license headers must be preserved and I don't see that in your patch.

        Brad Giaccio added a comment -

        @Olivier
        1. Sorry about the formatting, I tried to follow what you had, as odd as it looked. If you can't take it as is then I'll have to fix it on Monday.
        2. As for the obfuscate stuff, it's most definitely breakable but at least 'protects' it from prying eyes. In the environment I'll be using this, having plain text passwords is a deal breaker and will mean I can't install my software, so please please keep it.

        If there is anything else I can do let me know

        Olivier Lamy (*$^¨%`£) added a comment -

        btw regarding this obfuscate stuff I wonder how it's secured as the deobfuscate method is open source

        Olivier Lamy (*$^¨%`£) added a comment -

        @Brad looks like a good patch. Note the maven plugin uses the maven code formatting: http://maven.apache.org/developers/conventions/code.html

        Brad Giaccio added a comment -

        I've tested this patch on Mac OSX 10.6.8, Fedora Core 16, and Redhat Linux 5.4

        It handles httpPort not being set, so only https starts up
        It adds 3 options to the startup
        -keyAlias
        -clientAuth
        It checks for the 6 -Djavax.net.ssl properties for setting up key and trust stores

        I also added PasswordUtil to allow the passwords to be obfuscated (a security requirement for some systems is no passwords in clear text ... I know obfuscation is like closing your front door and hoping no one uses the peephole).

        I've confirmed function as best I can with and without http turned on and with and without clientAuth. It appears to be working correctly.
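
A check for the symptom reported in this issue, as an added example that is not part of the original thread or of the plugin's code: it tries a TLS handshake against the port and, if that fails, sends a cleartext HTTP request and classifies the first bytes of the reply. The function names, the probe request and the three result labels are assumptions of this example.

```python
import socket
import ssl

PROBE = b"HEAD / HTTP/1.0\r\n\r\n"  # example's own cleartext probe; a TLS endpoint cannot parse it


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after the cleartext probe."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"  # an "https" port answering in cleartext: the reported bug
    # TLS record header: content type 0x15 (alert) or 0x16 (handshake), then version major 0x03
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "inconclusive"  # empty read or an unrecognised protocol


def probe_socket(sock: socket.socket, timeout: float = 3.0) -> str:
    """Send the cleartext probe on an already-connected socket and classify the reply."""
    sock.settimeout(timeout)
    try:
        sock.sendall(PROBE)
        data = sock.recv(16)
    except OSError:  # timeout, reset or broken pipe
        data = b""
    return classify_reply(data)


def tls_handshake_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TLS handshake completes. Validation is off: this checks protocol, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def check_https_port(host: str, port: int) -> str:
    """Return 'tls', 'plaintext-http' or 'inconclusive' for host:port."""
    if tls_handshake_ok(host, port):
        return "tls"
    try:  # handshake failed: cleartext listener, or TLS that rejects us (e.g. clientAuth)
        with socket.create_connection((host, port), timeout=3.0) as raw:
            return probe_socket(raw)
    except OSError:
        return "inconclusive"
```

Run `check_https_port` against the port passed as httpsPort; a result of `plaintext-http` means the listener on that port is not speaking TLS.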


          People

          • Assignee:
            Olivier Lamy (*$^¨%`£)
            Reporter:
            Keith Corbin