[PROPOSAL] Tomcat 10: Remove WebDAV


[PROPOSAL] Tomcat 10: Remove WebDAV

Christopher Schultz-2
All,

I recently gave a presentation on locking-down Apache Tomcat[1] and I
briefly discussed the "sharp edges" present in Tomcat. Some of them
are unnecessarily sharp and may be actually unnecessary. I'm going to
make a few proposals to remove functions from Tomcat.

Proposal: Remove WebDAV

Justification:

WebDAV is a protocol that never really took off[2]. Read-only WebDAV
can practically be replaced by standard HTTP GET and read-write WebDAV
has a host of security problems. There are better solutions to
supporting WebDAV than using the Tomcat module.

A recent search of the users mailing list shows only 10 threads
regarding WebDAV in the past 6 years.

-chris


[1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
[2] And yet I love WebDAV very much and wish it had better support on
Windows


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

markt
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove WebDAV
>
> Justification:
>
> WebDAV is a protocol that never really took off[2]. Read-only WebDAV
> can practically be replaced by standard HTTP GET and read-write WebDAV
> has a host of security problems. There are better solutions to
> supporting WebDAV than using the Tomcat module.
>
> A recent search of the users mailing list shows only 10 threads
> regarding WebDAV in the past 6 years.

I'm not so sure on this one. There are times when being able to set up a
platform independent read/write file share can be useful. Generally,
inside trusted environments.

Mark

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Rémy Maucherat
On Mon, Oct 7, 2019 at 5:05 PM Mark Thomas <[hidden email]> wrote:
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1] and I
>> briefly discussed the "sharp edges" present in Tomcat. Some of them
>> are unnecessarily sharp and may be actually unnecessary. I'm going to
>> make a few proposals to remove functions from Tomcat.
>>
>> Proposal: Remove WebDAV
>>
>> Justification:
>>
>> WebDAV is a protocol that never really took off[2]. Read-only WebDAV
>> can practically be replaced by standard HTTP GET and read-write WebDAV
>> has a host of security problems. There are better solutions to
>> supporting WebDAV than using the Tomcat module.
>>
>> A recent search of the users mailing list shows only 10 threads
>> regarding WebDAV in the past 6 years.
>
> I'm not so sure on this one. There are times when being able to set up a
> platform independent read/write file share can be useful. Generally,
> inside trusted environments.

I'd also think WebDAV support can stay.
If the protocol wasn't a bigger success, it's IMO all Microsoft's fault, since they insist(ed) on having non-compliant impls. So using it in practice has always been harder for users. It should have been better overall, since WebDAV (and extensions) are HTTP and benefit from all the security layers and ease of use there.

Rémy

> Mark

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Michael Osipov
On 2019-10-07 at 16:54, Christopher Schultz wrote:

> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove WebDAV
>
> Justification:
>
> WebDAV is a protocol that never really took off[2].

From where do you take this? We, at work, use it all the time. Either
from Sharepoint, or a new project with mod_dav.

Another great example is mod_dav_svn. You can access your repo with any
DAV client (except crappy Windows Explorer).

> Read-only WebDAV
> can practically be replaced by standard HTTP GET

No, it can't. You can't list collections with multistatus w/o WebDAV.

> and read-write WebDAV
> has a host of security problems. There are better solutions to
> supporting WebDAV than using the Tomcat module.

Which are? Milton.io?

The only drawback I see with the current servlet is that I cannot have
arbitrary paths of my context served by this servlet. It serves either
the entire app or nothing. That's why I have resorted to mod_dav.

> A recent search of the users mailing list shows only 10 threads
> regarding WebDAV in the past 6 years.

Maybe people are just happy with the servlet?

Michael
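The collection listing Michael refers to, as an added example that is not part of the thread or of Tomcat's own code: the Depth: 1 PROPFIND a DAV client sends and a parser for the 207 Multi-Status reply, run over a constructed sample response (the `/share/docs/` paths and sizes are invented).

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

D = "{DAV:}"  # the WebDAV XML namespace as ElementTree spells it

def build_propfind(path, depth=1):
    """Request line, headers and body of a PROPFIND listing `path`'s members."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:propfind xmlns:D="DAV:"><D:prop><D:resourcetype/>'
            '<D:getcontentlength/></D:prop></D:propfind>')
    headers = {"Depth": str(depth),
               "Content-Type": 'application/xml; charset="utf-8"',
               "Content-Length": str(len(body.encode("utf-8")))}
    return f"PROPFIND {path} HTTP/1.1", headers, body

def parse_multistatus(xml_text, base_path):
    """[(href, is_collection, size)] from a 207 body; skips the collection's own entry."""
    entries = []
    for resp in ET.fromstring(xml_text).iter(D + "response"):
        href = unquote(resp.findtext(D + "href", default=""))
        if href.rstrip("/") == base_path.rstrip("/"):
            continue  # Depth: 1 includes the listed collection itself
        for ps in resp.iter(D + "propstat"):
            if " 200 " not in ps.findtext(D + "status", default=""):
                continue  # properties in a 404/403 propstat are unavailable
            prop = ps.find(D + "prop")
            rtype = prop.find(D + "resourcetype")
            is_coll = rtype is not None and rtype.find(D + "collection") is not None
            size = prop.findtext(D + "getcontentlength")
            entries.append((href, is_coll, int(size) if size else None))
    return entries

# Constructed 207 Multi-Status body in the shape a DAV server returns for Depth: 1.
SAMPLE_207 = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/share/docs/</D:href><D:propstat>
  <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/share/docs/report%20Q3.pdf</D:href><D:propstat>
  <D:prop><D:resourcetype/><D:getcontentlength>20480</D:getcontentlength></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/share/docs/archive/</D:href><D:propstat>
  <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    for href, is_coll, size in parse_multistatus(SAMPLE_207, "/share/docs/"):
        print(f"{'DIR ' if is_coll else 'FILE'} {href} {size or ''}")
```

A plain GET on the same collection returns whatever the server chooses to render (an HTML listing, or nothing at all), with no machine-readable structure; the 207 body is what gives a client the member list and their types.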

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Christopher Schultz-2
Michael,

On 10/9/19 11:36, Michael Osipov wrote:

> On 2019-10-07 at 16:54, Christopher Schultz wrote:
>>
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1]
>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>> of them are unnecessarily sharp and may be actually unnecessary.
>> I'm going to make a few proposals to remove functions from
>> Tomcat.
>>
>> Proposal: Remove WebDAV
>>
>> Justification:
>>
>> WebDAV is a protocol that never really took off[2].
>
> From where do you take this? We, at work, use it all the time.
> Either from Sharepoint, or a new project with mod_dav.

Just because you use it doesn't mean it's widely-used. We use it at
$work as well, and it's a giant pain in the neck for anyone using a
Windows operating system. Linux and MacOS are totally fine, but we
have to buy a separate product to get Windows clients working
properly, and it's not super reliable.

> Another great example is mod_dav_svn. You can access you repo with
> any DAV client (except crappy Windows Explorer).

Or, since svn is HTTP, you can just use plain-old HTTP. Besides,
mod_dav_svn doesn't work with Tomcat.

>> Read-only WebDAV can practically be replaced by standard HTTP GET
>>
>
> No, it can't. you can't list collections with multistatus w/o
> WebDAV.

Meh.

>> and read-write WebDAV has a host of security problems. There are
>> better solutions to supporting WebDAV than using the Tomcat
>> module.
>
> Which are? Milton.io?

How about mod_dav and friends?

> The only drawback I see with the current servlet is that I cannot
> have arbitrary paths of my context served by this servlet. It
> serves either the entire app or nothing. That's why I have resorted
> to mod_dav.

Okay, so someone who really wants to make DAV work has decided that
Tomcat's implementation won't cut it. I feel that as further evidence
that Tomcat's implementation can just die.

>> A recent search of the users mailing list shows only 10 threads
>> regarding WebDAV in the past 6 years.
>
> Maybe people are just happy with the servlet?

People are super happy with the TLS implementation and ask about it
all the time.

-chris

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

Michael Osipov
On 2019-10-09 at 21:35, Christopher Schultz wrote:

> Michael,
>
> On 10/9/19 11:36, Michael Osipov wrote:
>> On 2019-10-07 at 16:54, Christopher Schultz wrote:
> Or, since svn is HTTP, you can just use plain-old HTTP. Besides,
> mod_dav_svn doesn't work with Tomcat.

Again, plain HTTP != WebDAV.

>>> Read-only WebDAV can practically be replaced by standard HTTP GET
>>>
>>
>> No, it can't. you can't list collections with multistatus w/o
>> WebDAV.
>
> Meh.
>
>>> and read-write WebDAV has a host of security problems. There are
>>> better solutions to supporting WebDAV than using the Tomcat
>>> module.
>>
>> Which are? Milton.io?
>
> How about mod_dav and friends?

I was thinking about a Java-based solution in Tomcat, at best with Spring
to fully reuse my authnz code. I don't run HTTPd if it is not strictly
necessary. Tomcat just performs perfectly well for dynamic, static and
transport-encrypted content.

>> The only drawback I see with the current servlet is that I cannot
>> have arbitrary paths of my context served by this servlet. It
>> serves either the entire app or nothing. That's why I have resorted
>> to mod_dav.
>
> Okay, so someone who really wants to make DAV work has decided that
> Tomcat's implementation won't cut it. I feel that as further evidence
> that Tomcat's implementation can just die.

As you might know, people will only complain when something is
gone/broken and not when it is working well.

>>> A recent search of the users mailing list shows only 10 threads
>>> regarding WebDAV in the past 6 years.
>>
>> Maybe people are just happy with the servlet?
>
> People are super happy with the TLS implementation and ask about it
> all the time.

Because encryption is complex...

Re: [PROPOSAL] Tomcat 10: Remove WebDAV

markt
On 09/10/2019 21:42, Michael Osipov wrote:
> On 2019-10-09 at 21:35, Christopher Schultz wrote:

<snip/>

>>> The only drawback I see with the current servlet is that I cannot
>>> have arbitrary paths of my context served by this servlet. It
>>> serves either the entire app or nothing. That's why I have resorted
>>> to mod_dav.
>>
>> Okay, so someone who really wants to make DAV work has decided that
>> Tomcat's implementation won't cut it. I feel that as further evidence
>> that Tomcat's implementation can just die.
>
> As you might know, people will only complain when something is
> gone/broken and not when it is working well.

If arbitrary path mapping would be useful then please add that as an
enhancement to Bugzilla. From memory, the path handling for WebDav is
"interesting" so I'm not sure how easy this would be to implement.

Mark
