[SciFed] Tomcat 6 requirement for Shib IDP

Dhivakaran Muruganantham dmuruganantham at lbl.gov
Wed Jan 25 18:36:01 GMT 2012


Nate,
Thank you very much.  This helps.
This leads to another question: is there a CVE number for 'parsing
specification-compliant cookies' with Tomcat5?
The reason for my question is that Redhat/CentOS platform-specific builds have
regular updates on Tomcat5, so maybe this problem the developer mentioned
is not applicable. I can look at the tomcat5 package changelog from Redhat
or ask the developer about this issue. But I need a CVE reference.

I don't think I am the only one interested in running the CentOS/Redhat
platform.
Doing a 'yum' install using the standard repo is always the preferred method,
instead of downloading a generic package, I think.

thanks
dhiva



On Wed, Jan 25, 2012 at 10:19 AM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Dhiva,
>
> I asked the lead developer of the IdP for details as to why Tomcat 5 is
> not supported.  Apparently Tomcat 5 has a problem parsing
> specification-compliant cookies that they have chosen to not fix, with the
> suggested remedy of "upgrade to 6."  As a result, we can only support
> Tomcat 6.
>
> Tomcat 6 packages are available directly from the Tomcat project's website:
>
> http://tomcat.apache.org/download-60.cgi
>
> Future distributions of the IdP with an embedded servlet container would
> hopefully reduce the amount of package management you'll need to do.
>
> Hope this answers your question,
> Nate.
>
>
> On 1/25/2012 17:37, Dhiva wrote:
>
> >> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall
> >> The Shibboleth Identity Provider, version 2, is a standard Java web
> application based on the Servlet 2.4 specification.
>
>  >>
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
>  >> Apache Tomcat 6.0.17 or greater (NOT 7)
>  >> Java 5 or greater (Java 6 recommended)
>
>  My issue here is that Redhat/CentOS machines do have Tomcat 5
> packages, but NOT tomcat 6.
> But the servlet specification is indeed 2.4, which matches with Shib
> requirement.
> I have used jpackage.repo in the past, but it is not consistently
> providing tomcat 6 packages for Redhat/CentOS.
>
>  I would like to stay with the Redhat/CentOS Package Repository, so I wanted
> to know if Tomcat 5 along with the OpenJDK.
>
>
>  thanks
> dhiva
>
>
>
>