
7 posts from June 2010


Tomcat 7 Beta Released

Tomcat 7 was released yesterday and, despite what you may have seen posted on DZone, it's a beta, not production code. Tomcat 7 introduces support for the Servlet 3.0, JSP 2.2 and EL 2.2 specifications, along with some other goodies.

Tomcat 7 offers cross-site request forgery protection and added security on the Tomcat Manager and Host Manager applications. It also offers protection against session fixation attacks, as well as memory leak detection and prevention.

Tomcat 7 introduces alias support, which allows external content to be served from within web applications. If I'm understanding it correctly, if you have a company-wide set of custom error pages or images, there is now no need to import them into each of your web app archives. Like an Alias directive in Apache, just set up an /errors alias pointing to that external file location (or /images, /scripts, whatever) and you're good to go. Aliases may make our lives easier as webapp administrators, and they put Tomcat one step closer to replacing Apache at the web tier (it just needs a good mod_rewrite and some mechanism to safely run on a port below 1024).
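A context.xml showing the alias syntax described above, added here as an example rather than taken from the post; the /srv/shared/errors and /srv/shared/images paths are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml inside the web application (Tomcat 7.0 syntax).
     /srv/shared/errors and /srv/shared/images are assumed locations for the
     company-wide error pages and images; replace them with the real paths. -->
<Context
    aliases="/errors=/srv/shared/errors,/images=/srv/shared/images">
  <!-- Each entry is /aliasPath=docBase: the alias path is relative to the
       web application's context root and the docBase is an absolute path
       to a directory or a .war file. A request for /errors/404.html is
       then served from /srv/shared/errors/404.html without that file being
       packaged in the WAR. -->
</Context>
```

Because aliased content is served as part of the web application, keep those directories writable only by an administrative account, readable by the Tomcat user, and pointed nowhere a sensitive file could be exposed through the alias.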

Mark Thomas at SpringSource has a pretty good write-up about Tomcat 7 on the tomcatexpert.com site but, to be honest, the tomcat7.com community site operated by MuleSoft has a much better introduction to everything included in Tomcat 7.

Downloads are available at the Tomcat 7 download page.  


Feedback Wanted on Draft Modern Perl Book

Over on Modern Perl Books, chromatic is looking for feedback on an upcoming book: Modern Perl: The Book. Give it a read and a bookmark, because it looks like it is going to be filled with great information. Feedback in the form of comments on the site is fine, as are bug reports or patches on GitHub.


Scanning for Unsafe URLs - Update 1

So, after writing it, I had an opportunity to tweak the scripts a little. I added a couple more URLs to reject in the iRule, but I've been having some fun dealing with redirection. I modified the Perl script a little to prevent it from automatically following redirects, because I was getting some false positives on sites where the URL issued a 301 or 302 redirect. This doesn't seem optimal yet, so I expect another update will be out soon.

After making the redirection change, however, I then had to tweak the URLs being scanned for to include the full URL. I don't know how trustworthy the IIS URLs are yet; I'm going to try to find a box to test with later this week.

See the original post for the updated scripts.