Re: Tagging June releases

2024-06-11 Thread Christopher Schultz


On 6/10/24 04:06, Mark Thomas wrote:
A bunch of minor issues built up in my TODO list while I was at 
Community over Code and the Tomcat security day. I'd like to clear these 
before I tag the June releases.


In related news, the release ballots for Servlet and Pages have 
completed successfully. There is some admin that needs to be completed 
there as well but the key impact for us is that the next Tomcat 11 vote 
will be for a BETA release rather than an ALPHA release.


My current guess is that I'll be in a position to tag 11.0.x towards the 
end of the week. I'll provide an update if that changes after I have 
triaged my inbox.

Sounds good to me.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Tomcat 10: Remove Server-Side Includes (SSI)

2024-06-11 Thread Christopher Schultz


On 6/7/24 10:18, Michael Osipov wrote:

On 2024/06/07 12:54:44 Christopher Schultz wrote:


On 6/7/24 08:01, Michael Osipov wrote:

On 2024/06/07 08:05:34 Mark Thomas wrote:

On 06/06/2024 16:30, Christopher Schultz wrote:


Resurrecting this thread from 2019.

I'd like to remove the SSI configuration from conf/web.xml and put it
into webapps/docs/ssi-howto.html.

Are there any objections?

None here.

Do we want to go further and consider removing it entirely for Tomcat 12
onwards. Maybe a question for the users list?

I need to admit that there are situations where SSI might be prefered over JSP.
Example: I needed limited flexibility for some Asciidoctor generated documents 
dependening whether it is QA or prod. I didn't want to generate multiple sets 
of documents (reduce complexity). Now some lines of SSI display a proper QA 
banner. Good enough for the job. Getting JSP or PHP output with Asciidoctor is 
almost impossible.

It's entirely possible to separate SSI into a different project. I
didn't do it because it uses helper-classes in Tomcat for certain things.

But if SSI is desirable, it can be packaged separately at the cost of
some additional support classes/methods being copied outside of Tomcat.

I don't want to support it anymore, but it should be easy *for someone
else* to extract and bundle separately :)

What is the pain having it off by default, but have the necessary classes still 
provided in the JARs? They do not require any maintenance. They just work, 
don't they?

They do "just work" but it's basically RCE as a feature which is just 
bad. The idea that Tomcat should be a Java-based replacement for httpd 
with all its features is never something I liked. CGI, SSI, 
RewriteValve, etc. are all vestiges of that idea. If you want CGI and 
SSI and rewrite, then use the right tool for that job which is a 
reverse-proxying web server. Let Tomcat deal with all the Java-related 
stuff and shed all that extra cruft.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Tomcat 10: Remove Server-Side Includes (SSI)

2024-06-07 Thread Christopher Schultz


On 6/7/24 08:01, Michael Osipov wrote:

On 2024/06/07 08:05:34 Mark Thomas wrote:

On 06/06/2024 16:30, Christopher Schultz wrote:


Resurrecting this thread from 2019.

I'd like to remove the SSI configuration from conf/web.xml and put it
into webapps/docs/ssi-howto.html.

Are there any objections?

None here.

Do we want to go further and consider removing it entirely for Tomcat 12
onwards. Maybe a question for the users list?

I need to admit that there are situations where SSI might be prefered over JSP.
Example: I needed limited flexibility for some Asciidoctor generated documents 
dependening whether it is QA or prod. I didn't want to generate multiple sets 
of documents (reduce complexity). Now some lines of SSI display a proper QA 
banner. Good enough for the job. Getting JSP or PHP output with Asciidoctor is 
almost impossible.

It's entirely possible to separate SSI into a different project. I 
didn't do it because it uses helper-classes in Tomcat for certain things.

But if SSI is desirable, it can be packaged separately at the cost of 
some additional support classes/methods being copied outside of Tomcat.

I don't want to support it anymore, but it should be easy *for someone 
else* to extract and bundle separately :)


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Remove JSP file from ROOT web application

2024-06-07 Thread Christopher Schultz


On 6/6/24 11:26, Konstantin Kolinko wrote:

чт, 6 июн. 2024 г. в 17:44, Christopher Schultz :


I'd like to change the existing webapps/ROOT/index.jsp to index.html and
remove the dynamic elements. Currently, the only truly dynamic element
in the whole file is this:

Copyright 1999-${year} Apache Software
Foundation.  All Rights Reserved

I don't see any particular reason that the Copyright information must
always show the "current year". We can simply set this to "the current
year" during the release process.

This will mean that the default application will be completely static.
Not much of an upgrade, *but* if a user would prefer to completely
remove Jasper, it means that the default home page will be readable.

Hi, Chris!

+1 !

We missed you this week.

Being involved in moderation of one of our mailing lists, I suspect that
some amount of spam is caused by our default web page,
when it is de-facto used as the front page of a third-party web site.

That is, ASF is wrongly interpreted as an owner of that web site.

My thoughts were:
a) Replace it with a simple static page that just says "It works" or similar.
b) Make content dynamic, so that the current content is shown to
localhost clients only,
and show the "simple" page for anyone else.

An example of "a)" is Apache HTTPD:
Oct 2004 (19 years, 8 months ago)

My preference is for "a)".

Maybe move the old shiny "root" page to the examples web application.

This is a reasonable idea.

I always thought that httpd's "It works!" page was crappy. I like the 
Tomcat one better. But I'd like to disable everything in the ROOT web 
application if possible.

Having different behavior for local versus remote visits is an 
interesting idea. I wouldn't want to implement something like that 
without more support from other committers.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Enable SecureLifecycleListener by default

2024-06-07 Thread Christopher Schultz


On 6/6/24 11:34, Coty Sutherland wrote:

On Thu, Jun 6, 2024 at 10:46 AM Christopher Schultz <> wrote:


I'd like to remove the  around the SecureLifecycleListener
in conf/server.xml that we bundle with Tomcat distributions.

Before I do so, are there any objections to making this change?

No objections from me. I might suggest making the default
buildDateWarningAgeDays something like 6 months though rather than no
default. If we're trying to encourage secure practices warning about older
builds should be part of that config change IMO

I got some pushback from the folks who have to support Tomcat for 
decades which is why it's disabled by default.

I'll keep pushing :)


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Enable SecureLifecycleListener by default

2024-06-07 Thread Christopher Schultz


On 6/6/24 12:01, Konstantin Kolinko wrote:

чт, 6 июн. 2024 г. в 17:46, Christopher Schultz :


I'd like to remove the  around the SecureLifecycleListener
in conf/server.xml that we bundle with Tomcat distributions.

Before I do so, are there any objections to making this change?

Its name is "SecurityListener",

Looking at its checks:

- "checkedOsUsers":
It checks the value of System.getProperty("");

1. On Windows it is useless.


What does return when running under Administrator or 
LocalSystem or whatever?

2. It is possible to run as root to be able to bind to port 80. It is
usually done with jsvc (Apache Commons Daemon) and its capability to
drop privileges.

I wonder what the actual value of "" will be in case of "2.".
The check is performed at "before init" event, thus earlier than jsvc
drops privileges.

We can check :)

- "minimumUmask"
It checks the value of System.getProperty(UMASK_PROPERTY_NAME);
UMASK_PROPERTY_NAME = Constants.PACKAGE + ".SecurityListener.UMASK";

1. On Windows it is useless.

+1 and the documentation says it doesn't do any check on Windows.

2. The property is set by a startup script. If it is started in a
different way (jsvc /, or directly as a Java application -
as done by Eclipse IDE, as an embedded Tomcat), I expect it to break.

- "buildDateWarningAgeDays"

1. It is disabled by default.
2. It is checked at start time, but actual servers may run years
without a reboot.
3. I wonder how it behaves if Tomcat is embedded in some IOT device.

Thus I wonder whether it is worth enabling it.

(But if we want to get real feedback, enabling it now for Tomcat 11 is
a good starting point.)

Yes, this is what I was proposing.


To unsubscribe, e-mail:
For additional commands, e-mail:

[PROPOSAL] Implement additional security checks in SecurityLifecycleListener

2024-06-06 Thread Christopher Schultz


Tomcat's SecurityLifecycleListener currently checks the current working 
user's name, the umask and not much else at the moment.

I'd like to add "administrator" as another username to look for. (The 
documentation says that "root" is the only current username checked.)

I would also like to add several items from the DISA STIG document found 

I haven't decided exactly which items to implement, but I will probably 
do this as a PR with separate commits for each item.

Are there any objections to be starting this work?


To unsubscribe, e-mail:
For additional commands, e-mail:

[PROPOSAL] Enable SecureLifecycleListener by default

2024-06-06 Thread Christopher Schultz


I'd like to remove the  around the SecureLifecycleListener 
in conf/server.xml that we bundle with Tomcat distributions.

Before I do so, are there any objections to making this change?


To unsubscribe, e-mail:
For additional commands, e-mail:

[PROPOSAL] Remove JSP file from ROOT web application

2024-06-06 Thread Christopher Schultz


I'd like to change the existing webapps/ROOT/index.jsp to index.html and 
remove the dynamic elements. Currently, the only truly dynamic element 
in the whole file is this:

Copyright 1999-${year} Apache Software 
Foundation.  All Rights Reserved


I don't see any particular reason that the Copyright information must 
always show the "current year". We can simply set this to "the current 
year" during the release process.

This will mean that the default application will be completely static. 
Not much of an upgrade, *but* if a user would prefer to completely 
remove Jasper, it means that the default home page will be readable.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Tomcat 10: Remove CGI Servlet

2024-06-06 Thread Christopher Schultz


Resurrecting this thread from 2019.

I will be proceeding with this 4.5-year-old plan to extract the CGI 
servlet to a separate JAR file to make it easy to "remove" from Tomcat 
if operators would prefer to do such things.

I think I'll also move the configuration from conf/web.xml to 
webapps/docs/cgi-howto.html while I'm at it so those vestiges are gone.


On 10/28/19 09:55, Christopher Schultz wrote:


Note: this was not a vote.

There was very little feedback, and responses were mixed. We got
exactly one response on the users@ list about real-world usage of CGI,
so we cannot draw any conclusions about real-world uses.

Otherwise, the consensus seems to be that CGIs should stay a part of
the main Tomcat distribution, but that perhaps separating it out into
a distinct JAR file and/or separate distribution might be advantageous.

It appears that the CGIServlet is completely self-contained. It makes
use of the following internal(ish) Tomcat APIs:


All of these could be replaced if necessary to make a standalone,
container-agnostic package.

It looks like it would be fairly easy to separate-out the CGIServlet
into a separate JAR file packaging if there's utility in that. For
example, security-conscious environments may want to remove that JAR
file entirely from the Tomcat deployment to be absolutely sure that
Runtime.exec() isn't available in the deployed Java code (from the
container; yet I realize that SSIServlet/SSIFilter has this, too).

I'd like to go ahead and move the CGIServlet from the general
catalina.jar file into catalina-cgi.jar. That should only require a
small change to the build.xml script.

Any objections?


On 10/7/19 10:59, Christopher Schultz wrote:


I recently gave a presentation on locking-down Apache Tomcat[1] and
I briefly discussed the "sharp edges" present in Tomcat. Some of
them are unnecessarily sharp and may be actually unnecessary. I'm
going to make a few proposals to remove functions from Tomcat.

Proposal: Remove CGI Servlet


The CGIServlet is another component, like server-side-includes,
which is a remote-code execution (RCE) vulnerability as a feature.
It is very easy to misconfigure. It is arguably not possible to
secure it on Windows[2]. There are better solutions if you want to
run Perl, Python, PHP, or whatever on your server in the form of
the many fine web-server products out there.







To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PROPOSAL] Tomcat 10: Remove Server-Side Includes (SSI)

2024-06-06 Thread Christopher Schultz


Resurrecting this thread from 2019.

I'd like to remove the SSI configuration from conf/web.xml and put it 
into webapps/docs/ssi-howto.html.

Are there any objections?


On 10/29/19 05:05, Konstantin Kolinko wrote:

пн, 28 окт. 2019 г. в 16:34, Christopher Schultz :


The stock conf/web.xml contains a sample configuration for the SSI
servlet. We will have to decide what to do with that. I can think of
at least two options:

   a. Remove it from the stock conf/web.xml entirely
   b. Add comments to conf/web.xml indicating that the SSI component is
a separate download

I think I like #2 better.

The correct way to enable this feature is to copy those fragments into
one's own WEB-INF/web.xml.  Uncommenting them in the default web.xml
file will have [un]expected consequences.

Thus I am in favor of moving those configuration fragments to documentation.

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat-native) branch 1.1.x updated: Use ERR_error_string_n instead of ERR_error_string.

2024-06-01 Thread Christopher Schultz


On 6/1/24 10:12, Konstantin Kolinko wrote:

пт, 31 мая 2024 г. в 20:33, Christopher Schultz :


I don't think my commit broke the build. Re-winding to
fe07505146b7573f36a0d01ba0d2b847af7c9914 shows that the 1.1.x build does
not work on my machine.

$ sh buildconf --with-apr=apr-1.7.4

(This path is correct)

$ cat config.nice
#! /bin/sh
# Created by configure

"./configure" \
"--with-apr=/usr/local/Cellar/apr/1.7.4/bin/apr-1-config" \
"--with-ssl=/usr/local/Cellar/openssl@1.1/1.1.1w/" \

$ ./config.nice
[... no errors...]

$ make clean
$ make

/bin/sh /usr/local/Cellar/apr/1.7.4/build-1/libtool --silent
--mode=compile --tag=CC clang -g -O2 -Wall   -DHAVE_CONFIG_H  -DDARWIN
-I/usr/local/opt/apr/include/apr-1   -o src/ssl.lo -c src/ssl.c && touch
src/ssl.c:201:7: error: incomplete definition of type 'struct dh_st'
  dh->p = prime(NULL);
note: forward declaration of 'struct dh_st'
typedef struct dh_st DH;


The full code in that area is:

static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
  DH *dh = DH_new();

  if (!dh) {
  return NULL;
  dh->p = prime(NULL); // Line 201
  BN_dec2bn(>g, gen);
  if (!dh->p || !dh->g) {
  return NULL;
  return dh;

Is this just a bad setup on my end?

Building the main branch in this environment (but with OpenSSL 3.0)
works with some warnings but no errors.

Can anyone confirm they can build 1.1.x HEAD?

The code in src/ssl.c of Tomcat-Native 1.1.1 cited above is not
compatible with "openssl@1.1/1.1.1w".

- "openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:104:16:" declares an alias:

typedef struct dh_st DH;

I.e. it declares the name "DH", but the actual definition of "struct
dh_st" is elsewhere, not in public include files. (but in some
"internal" parts of OpenSSL). Thus the structure can only be used
opaquely. The error is that

  dh->p = prime(NULL); // Line 201

tries to access "p", which is not possible without knowing the
internal structure of DH.

Note that this is fixed in Tomcat Native 1.3.x:
There it calls "DH_set0_pqg()" to set the value of p.

Looking at the commit history of OpenSSL 1.1.x, there is the following commit:
"DH: add simple getters for commonly used DH struct members"

It is not exactly on topic, but gives references where to look for.

Other links:
(declares "typedef struct dh_st DH"
(declares "DH_set0_pqg" and other DH_set / DH_get methods)
(Tomcat Native 1.1 vs 1.3)
(The same issue encountered by somebody else)

Note that the last release of Tomcat Native 1.1.x was 1.1.34 of 2015-12-15

It was built with
- APR 1.5.1
- OpenSSL 1.0.1m
(as mentioned in VERSIONS file in

Oops. I had meant to patch the 1.3.x branch, but I did not see it in 
git. I had to specifically check it out to see it.

I will remove the patch from 1.1.x which should not be there. I will 
re-do the patch for 1.3.x.

Apologies for the confusion.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat-native) branch 1.1.x updated: Use ERR_error_string_n instead of ERR_error_string.

2024-05-31 Thread Christopher Schultz
d declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:867:37: error: incomplete definition of type 'struct bio_st'
BIO_JAVA *j = (BIO_JAVA *)bi->ptr;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:881:7: error: incomplete definition of type 'struct bio_st'
bi->shutdown = 1;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:882:7: error: incomplete definition of type 'struct bio_st'
bi->init = 0;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:883:7: error: incomplete definition of type 'struct bio_st'
bi->num  = -1;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:884:7: error: incomplete definition of type 'struct bio_st'
bi->ptr  = (char *)j;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:893:11: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL) {
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:894:37: error: incomplete definition of type 'struct bio_st'
BIO_JAVA *j = (BIO_JAVA *)bi->ptr;
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
src/ssl.c:895:15: error: incomplete definition of type 'struct bio_st'
if (bi->init) {
note: forward declaration of 'struct bio_st'

typedef struct bio_st BIO;
fatal error: too many errors emitted, stopping now [-ferror-limit=]
1 warning and 20 errors generated.
make[1]: *** [src/ssl.lo] Error 1
make: *** [all-recursive] Error 1

I get roughly the same behavior when compiling against OpenSSL 3.0 as 
well. The first error in ssl.c doesn't look like an error to me:

src/ssl.c:201:7: error: incomplete definition of type 'struct dh_st'
dh->p = prime(NULL);

The full code in that area is:

static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
DH *dh = DH_new();

if (!dh) {
return NULL;
dh->p = prime(NULL); // Line 201
BN_dec2bn(>g, gen);
if (!dh->p || !dh->g) {
return NULL;
return dh;

Is this just a bad setup on my end?

Building the main branch in this environment (but with OpenSSL 3.0) 
works with some warnings but no errors.

Can anyone confirm they can build 1.1.x HEAD?


On 5/31/24 13:11, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 1.1.x
in repository

The following commit(s) were added to refs/heads/1.1.x by this push:
  new 0ab6bdd39 Use ERR_error_string_n instead of ERR_error_string.
0ab6bdd39 is described below

commit 0ab6bdd3973c702a46a9564266d1f4848bd05b01
Author: Christopher Schultz 
AuthorDate: Fri May 31 13:10:27 2024 -0400

 Use ERR_error_string_n instead of ERR_error_string.
 Use header-defined constant for error message buffer sizes.

  native/include/ssl_private.h |  5 +
  native/src/ssl.c |  8 
  native/src/sslcontext.c  | 32 
  native/src/sslnetwork.c  |  4 ++--
  4 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 68fc8a877..ede9ae94f 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -63,6 +63,11 @@
  #define SSL_AIDX_ECC (3)
  #define SSL_AIDX_MAX (4)

+ * The length of error message strings. MUST BE AT LEAST 256.
+ */
   * Define the SSL options
diff --git a/native/src/ssl.c b/native/src/ssl.c
index d6fdaee55..782de1139 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -806,11 +806,11 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS, 
jint mode)
  if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
/* arrange to get a human-readable error message */
unsigned long err = ERR_get_error(

Re: (tomcat-native) branch 1.1.x updated: Use ERR_error_string_n instead of ERR_error_string.

2024-05-31 Thread Christopher Schultz


Uh, oh. This may have broken the build.



On 5/31/24 13:11, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 1.1.x
in repository

The following commit(s) were added to refs/heads/1.1.x by this push:
  new 0ab6bdd39 Use ERR_error_string_n instead of ERR_error_string.
0ab6bdd39 is described below

commit 0ab6bdd3973c702a46a9564266d1f4848bd05b01
Author: Christopher Schultz 
AuthorDate: Fri May 31 13:10:27 2024 -0400

 Use ERR_error_string_n instead of ERR_error_string.
 Use header-defined constant for error message buffer sizes.

  native/include/ssl_private.h |  5 +
  native/src/ssl.c |  8 
  native/src/sslcontext.c  | 32 
  native/src/sslnetwork.c  |  4 ++--
  4 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 68fc8a877..ede9ae94f 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -63,6 +63,11 @@
  #define SSL_AIDX_ECC (3)
  #define SSL_AIDX_MAX (4)

+ * The length of error message strings. MUST BE AT LEAST 256.
+ */
   * Define the SSL options
diff --git a/native/src/ssl.c b/native/src/ssl.c
index d6fdaee55..782de1139 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -806,11 +806,11 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS, 
jint mode)
  if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
/* arrange to get a human-readable error message */
unsigned long err = ERR_get_error();
-  char msg[256];
/* ERR_load_crypto_strings() already called in initialize() */
-  ERR_error_string_n(err, msg, 256);

+  ERR_error_string_n(err, msg, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_ThrowException(e, msg);

@@ -1105,9 +1105,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSL, 
loadDSATempKey)(TCN_STDARGS, jint idx,

-char buf[256];
-ERR_error_string(ERR_get_error(), buf);
+ERR_error_string_n(ERR_get_error(), buf, TCN_OPENSSL_ERROR_STRING_LENGTH);
  return tcn_new_string(e, buf);
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c

index c632fc7cf..e2d341c30 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -136,8 +136,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
  if (!ctx) {

-char err[256];
-ERR_error_string(ERR_get_error(), err);
+ERR_error_string_n(ERR_get_error(), err, 
  tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err);
  goto init_failed;
@@ -327,8 +327,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
  if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
-char err[256];
-ERR_error_string(ERR_get_error(), err);
+ERR_error_string_n(ERR_get_error(), err, 
  tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
  rv = JNI_FALSE;
@@ -348,7 +348,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCARevocation)(TCN_STDARGS, jlong ctx
  jboolean rv = JNI_FALSE;
  X509_LOOKUP *lookup;
-char err[256];

  TCN_ASSERT(ctx != 0);
@@ -362,7 +362,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCARevocation)(TCN_STDARGS, jlong ctx
  if (J2S(file)) {
  lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
  if (lookup == NULL) {
-ERR_error_string(ERR_get_error(), err);
+ERR_error_string_n(ERR_get_error(), err, 
  c->crl = NULL;
  tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err);
@@ -373,7 +373,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCARevocation)(TCN_STDARGS, jlong ctx
  if (J2S(path)) {
  lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
  if (lookup == NULL) {
-ERR_error_string(ERR_get_error(), err);
+ERR_error_string_n(ERR_get_error(), err, 
  c->crl = NULL;
  tcn_Throw(e, "Lookup failed for path %s (%s)", J2S

Re: ServiceBindingPropertySource

2024-05-27 Thread Christopher Schultz


On 5/22/24 14:11, Felix Schumacher wrote:

Am 21.05.24 um 19:50 schrieb Christopher Schultz:


I've been playing with this PropertySource and I'm wondering if it 
could be improved a little.

First of all, it uses an environment variable SERVICE_BINDING_ROOT 
which is in line with the service binding standard which is documented Environment variables are a little icky in 
Java, so I'd like to do one or more of the following:

1. Allow ServiceBindingPropertySource to use the SERVICE_BINDING_ROOT 
environment variable *or* a system property with an appropriate name 
such as service.binding.root, with the system property overriding the 
environment variable.

This will allow software to use e.g. to define 
service.binding.root instead of using an environment variable which 
may be awkward in certain environments.

2. Have ServiceBindingPropertySource fall-back to system property 
resolution if no matching file is found. Maybe we should do this with 
all PropertySource classes provided by Tomcat?

3. If the SERVICE_BINDING_ROOT environment variable is being used, 
copy its value into a system property. This will allow application 
software or Tomcat itself to use the file reference as necessary. For 



Without this capability, the application must:


Why would you have to do this? Could not you use 
"${path-to-cert-dir}/cert.key"? Where path-to-cert-dir is some sensible 
name and the value contains (surprise) the path to the directory in 
which cert and key are living happily together.

You can absolutely use this, but Tomcat doesn't let you use environment 
variables in ${...} expressions. The ServiceBindingPropertySource only 
knows about one environment variable: SERVICE_BINDING_ROOT. The 
application can't use that to specify any paths directly. Instead, you'd 
have to let SBPS resolve a file for you, then read the "value" of the 
config attribute from the file, and that value needs to be a path 
itself. So you have to have a file which contains nothing other than 
another file path. And it's gotta be fully-qualified. And it can't use 
replacements such as ${SERVICE_BINDING_ROOT}/myapp/my.key.

I'm just trying to remove the middle-man because I see it as needless 
extra work on the part of the admin /and/ Tomcat plus the downside that 
everything needs to be fully-qualified which reduces flexibility.

Apart from that, as Remy pointed out, kubernetes people have no problem 
with env variables.

So maybe the whole ask here is "copy $SERVICE_BINDING_ROOT to 
-Dservice.binding.root somewhere". That could be or 
maybe during ServiceBindingPropertySource initialization, which I think 
is probably a better place for it.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: ServiceBindingPropertySource

2024-05-27 Thread Christopher Schultz


On 5/22/24 06:14, Rémy Maucherat wrote:

On Wed, May 22, 2024 at 9:06 AM Mark Thomas  wrote:

On 21/05/2024 18:50, Christopher Schultz wrote:

1. Allow ServiceBindingPropertySource to use the SERVICE_BINDING_ROOT
environment variable *or* a system property with an appropriate name
such as service.binding.root, with the system property overriding the
environment variable.

Seems reasonable to me but keep in mind I've never used this code.

I haven't either, it's been contributed.

I don't really understand why the change overall, Kube uses the
environment and never the system properties.

I'd like to use this feature without Kubernetes.

2. Have ServiceBindingPropertySource fall-back to system property
resolution if no matching file is found. Maybe we should do this with
all PropertySource classes provided by Tomcat?

My reading of the docs and the code is that SystemPropertySource is
always added already.

Yes, SystemPropertySource is added. Does it not work properly ?

Sorry, I didn't actually try it. I didn't see anything in the 
PropertySource code for that... maybe it's part of the Digester 
configuration. Happy to hear this should be the way things work already.

3. If the SERVICE_BINDING_ROOT environment variable is being used, copy
its value into a system property. This will allow application software
or Tomcat itself to use the file reference as necessary. For example:

Again seems reasonable to me but same caveat as above.

The resolution should work as it is already given the javadocs from
At this point it would seem easier to simply add
-Dservice.binding.root=${SERVICE_BINDING_ROOT} to the Catalina

This is absolutely doable at the code of a longer JVM launch 
command-line. Also, lots of people are using Spring Boot or other 
embedded launchers where modifying the command-line is either difficult, 
discouraged, or simple non-standard.


To unsubscribe, e-mail:
For additional commands, e-mail:


2024-05-21 Thread Christopher Schultz


I've been playing with this PropertySource and I'm wondering if it could 
be improved a little.

First of all, it uses an environment variable SERVICE_BINDING_ROOT which 
is in line with the service binding standard which is documented Environment variables are a little icky in 
Java, so I'd like to do one or more of the following:

1. Allow ServiceBindingPropertySource to use the SERVICE_BINDING_ROOT 
environment variable *or* a system property with an appropriate name 
such as service.binding.root, with the system property overriding the 
environment variable.

This will allow software to use e.g. to define 
service.binding.root instead of using an environment variable which may 
be awkward in certain environments.

2. Have ServiceBindingPropertySource fall-back to system property 
resolution if no matching file is found. Maybe we should do this with 
all PropertySource classes provided by Tomcat?

3. If the SERVICE_BINDING_ROOT environment variable is being used, copy 
its value into a system property. This will allow application software 
or Tomcat itself to use the file reference as necessary. For example:


Without this capability, the application must:


The values passed-into the certificateKeyFile must point to files on the 
disk which themselves point to ANOTHER file. So you need two files where 
one will do, plus the file-on-the-disk needs to know its own path so it 
can point to the OTHER file which actually contains the key/cert bytes.

Does anyone have any comments on the above?


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat-native) branch main updated: Ensure local reference capacity is available for array allocations.

2024-05-20 Thread Christopher Schultz


On 5/20/24 06:37, Michael Osipov wrote:

On 2024/05/17 14:37:32 Christopher Schultz wrote:


On 5/16/24 10:39, Michael Osipov wrote:

Not for 1.3.x?

Good question. I wasn't sure how much energy we are expecting to put
into tcnative 1.3.x.

I have no problem back-porting this if its what the team wants.

I expect 1.3.x to live as long as Tomcat 9.x will live. So it should be on par 
sans the APR stuff, of course. Everything else will cause us pain.

Fair enough. I'll back-port, or approximate it if a direct back-port is 
not really possible.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat-native) branch main updated: Ensure local reference capacity is available for array allocations.

2024-05-17 Thread Christopher Schultz


On 5/16/24 10:39, Michael Osipov wrote:

Not for 1.3.x?

Good question. I wasn't sure how much energy we are expecting to put 
into tcnative 1.3.x.

I have no problem back-porting this if its what the team wants.


On 2024/05/16 13:52:45 wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new e49f0fe5c Ensure local reference capacity is available for array 
e49f0fe5c is described below

commit e49f0fe5c26612df01c636e7019cd70d78948976
Author: Christopher Schultz 
AuthorDate: Thu May 16 09:51:45 2024 -0400

 Ensure local reference capacity is available for array allocations.
  native/src/jnilib.c | 14 --
  1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/native/src/jnilib.c b/native/src/jnilib.c
index 342df3b9c..836502c52 100644
--- a/native/src/jnilib.c
+++ b/native/src/jnilib.c
@@ -133,6 +133,9 @@ jstring tcn_new_stringn(JNIEnv *env, const char *str, 
size_t l)
  jbyteArray tcn_new_arrayb(JNIEnv *env, const unsigned char *data, size_t len)

+if ((*env)->EnsureLocalCapacity(env, 1) < 0) {
+return NULL; /* out of memory error */
  jbyteArray bytes = (*env)->NewByteArray(env, (jsize)len);
  if (bytes != NULL) {
  (*env)->SetByteArrayRegion(env, bytes, 0, (jint)len, (jbyte *)data);
@@ -142,15 +145,22 @@ jbyteArray tcn_new_arrayb(JNIEnv *env, const unsigned 
char *data, size_t len)
  jobjectArray tcn_new_arrays(JNIEnv *env, size_t len)

+if ((*env)->EnsureLocalCapacity(env, 1) < 0) {
+return NULL; /* out of memory error */
  return (*env)->NewObjectArray(env, (jsize)len, jString_class, NULL);
  jstring tcn_new_string(JNIEnv *env, const char *str)

-if (!str)
+if (!str) {
  return NULL;
+} else {
+if ((*env)->EnsureLocalCapacity(env, 1) < 0) {
+return NULL; /* out of memory error */
  return (*env)->NewStringUTF(env, str);
  char *tcn_get_string(JNIEnv *env, jstring jstr)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [tcnative] jnilib.c: tcn_new_array* do not call EnsureLocalCapacity

2024-05-16 Thread Christopher Schultz


On 5/15/24 15:49, Mark Thomas wrote:

On 15/05/2024 13:53, Christopher Schultz wrote:


We have a few functions in jnilib.c that create new local references 
e.g. tcn_new_stringn and most of them call EnsureLocalCapacity to make 
sure the thread doesn't run out of local references.

I'm fairly sure that calling New*Array will fail if such references 
cannot be created, but the other methods make this protected call 
beforehand and I feel like we should be consistent.

Any objections to me adding calls to EnsureLocalCapacity in 
tcn_new_array* functions?

+1 to be being consistent.


No strong view on whether that means adding them where they are missing 
or just removing the ones we currently have.

The Internets seem to say that running out of local references is 
entirely possible even with today's monstrous JVMs. I think it's worth 
adding the calls. They are probably very cheap, anyway, like checking to 
see if a stack pointer has collided with something else.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [tcnative] Should we make DEBUG builds available for Windows?

2024-05-16 Thread Christopher Schultz


On 5/15/24 15:58, Mark Thomas wrote:

On 15/05/2024 14:12, Christopher Schultz wrote:

IIRC, building a debug version just involves adding something obvious 
like /DEBUG to the compiler and/or linker and/or NOT stripping-out the 
debug symbols after the build is complete.

Would this represent a burden on the release manager to produce both 
kinds of builds for an official release?

The make file already includes a DEBUG target. We'd just need to confirm 
it meet our requirements. Running an additional build isn't too 
burdensome. If you want OpenSSL and APR compiled in debug mode too then 
that could me a little more work.

Yeah, I think we would want that, which means we need two complete 
builds from start to finish. I don't know how the Windows compiler and 
linker work very well. On Linux, it's common to strip debug symbols at 
the very end. Can we build everything with debug info and then produce 
two final libraries: one including those symbols and one with them 

In my dissassembly and investigation into that error message, the 
function doesn't look like it's from tcnative but actually one of the 
statically-linked objects bundled with it. On other hand, the likelihood 
of the bug being in tcnative is very high compared to APR or OpenSSL, so 
having only the debug symbols from tcnative itself would be better than 


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [tcnative] switch from using ERR_error_string to ERR_error_string_n

2024-05-15 Thread Christopher Schultz


On 5/15/24 09:12, Rémy Maucherat wrote:

On Tue, May 14, 2024 at 11:15 PM Christopher Schultz


I'd like to basically globally-search-and-replace ERR_error_string for
ERR_error_string_n and use a #define constant for both the
initialization of all

 char err[256];

and similar strings and use that same constant for all calls to

Any objections?

There should really be no effective change, except:

1. We can raise that error message length constant and have it affect
the whole library if we choose.

2. We will be using a length-aware string-manipulation call which is
better than using one that assumes that the buffer is at least 256 bytes


This gives me something to do since I thought this was 128 (this
probably came from the tomcat-native code somewhere initially), so I
have a problem with the FFM code which I will fix at the same time. It
seems 128 is already enough in practice.

I already have a patch ready to go. I was just waiting on some feedback 
before pushing.


To unsubscribe, e-mail:
For additional commands, e-mail:

[tcnative] Should we make DEBUG builds available for Windows?

2024-05-15 Thread Christopher Schultz


A recent thread was posted with a tcnative crash with not much in the 
way of useful information in the error:

The error details were:

#  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x0001800ccd10, 
pid=1244, tid=0x0ab0

# JRE version: OpenJDK Runtime Environment (Zulu 
(8.0_322-b06) (build 1.8.0_322-b06)
# Java VM: OpenJDK 64-Bit Server VM (25.322-b06 mixed mode windows-amd64 
compressed oops)

# Problematic frame:
# C  [tcnative-1.dll+0xccd10]
# Core dump written. Default location: D:\Program 


So, not super helpful unless you happen to have a debugger handy.

If we had a debug build available for users, we should be able to get 
better information coming back from that failure, possibly a complete 
native back-trace.

IIRC, building a debug version just involves adding something obvious 
like /DEBUG to the compiler and/or linker and/or NOT stripping-out the 
debug symbols after the build is complete.

Would this represent a burden on the release manager to produce both 
kinds of builds for an official release?


To unsubscribe, e-mail:
For additional commands, e-mail:

[tcnative] jnilib.c: tcn_new_array* do not call EnsureLocalCapacity

2024-05-15 Thread Christopher Schultz


We have a few functions in jnilib.c that create new local references 
e.g. tcn_new_stringn and most of them call EnsureLocalCapacity to make 
sure the thread doesn't run out of local references.

I'm fairly sure that calling New*Array will fail if such references 
cannot be created, but the other methods make this protected call 
beforehand and I feel like we should be consistent.

Any objections to me adding calls to EnsureLocalCapacity in 
tcn_new_array* functions?


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [tcnative] switch from using ERR_error_string to ERR_error_string_n

2024-05-15 Thread Christopher Schultz


On 5/15/24 05:14, Michael Osipov wrote:

On 2024/05/14 21:15:03 Christopher Schultz wrote:


I'd like to basically globally-search-and-replace ERR_error_string for
ERR_error_string_n and use a #define constant for both the
initialization of all

 char err[256];

and similar strings and use that same constant for all calls to

Any objections?

There should really be no effective change, except:

1. We can raise that error message length constant and have it affect
the whole library if we choose.

2. We will be using a length-aware string-manipulation call which is
better than using one that assumes that the buffer is at least 256 bytes

Sounds reasonable to have one unified spot. Though I wonder how to better 
address this with BZ 67609

I think this is unrelated at this point. We still probably need to 
improve the error-reporting situation overall; the buffer-size is just a 

and if resizing/realloc would be required?!

In every case I changed in the code, nothing is on the heap. Every case 
is something like this:

void foo(...) {

  char err[256];

  ERR_error_string(SSL_ERR_get(), err);


if(some_error_condition) {
  char err[256];
  ERR_error_string(SSL_ERR_get(), err);

So re-allocations aren't (currently) on the menu.

If we at some point decide to implement more "fully-featured" error 
reporting/handling, perhaps that will become an issue.


To unsubscribe, e-mail:
For additional commands, e-mail:

[tcnative] switch from using ERR_error_string to ERR_error_string_n

2024-05-14 Thread Christopher Schultz


I'd like to basically globally-search-and-replace ERR_error_string for 
ERR_error_string_n and use a #define constant for both the 
initialization of all

   char err[256];

and similar strings and use that same constant for all calls to 

Any objections?

There should really be no effective change, except:

1. We can raise that error message length constant and have it affect 
the whole library if we choose.

2. We will be using a length-aware string-manipulation call which is 
better than using one that assumes that the buffer is at least 256 bytes 


To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE][RESULT] Release Apache Tomcat 10.1.24

2024-05-13 Thread Christopher Schultz


The following votes were cast:

+1: schultz, remm, markt, rjung


+1: rmannibucau

There were no other votes, therefore the vote passes.

Thanks to everyone who contributed toward this release.


The proposed Apache Tomcat 10.1.24 release is now available for

The notable changes compared to 10.1.23 are:

- Correct error handling for asynchronous requests

- Refactor HTTP header parsing to use common parsing code and fix
  non-blocking reads of chunked request bodies including trailer fields

- WebDAV locking handling fixes

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.24 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.24

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.24

2024-05-10 Thread Christopher Schultz


On 5/10/24 06:26, Mark Thomas wrote:

On 10/05/2024 11:22, Romain Manni-Bucau wrote:

Hi Christopher,

Is it possible to close the staging repo please (I get a 404)?

There is a typo in the VOTE email. The correct staging repo is:

Thanks for replying about this. Apologies for the typo :/


Le ven. 10 mai 2024 à 10:00, Mark Thomas  a écrit :

On 09/05/2024 19:12, Christopher Schultz wrote:

The proposed 10.1.24 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.1.24

Tests pass on Linux, Windows, MacOS (Intel) and MacOS (M1).

Build is cross platform reproducible (Linux / Windows).


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.24

2024-05-09 Thread Christopher Schultz


On 5/9/24 14:12, Christopher Schultz wrote:

The proposed Apache Tomcat 10.1.24 release is now available for

The notable changes compared to 10.1.23 are:

- Correct error handling for asynchronous requests

- Refactor HTTP header parsing to use common parsing code and fix
   non-blocking reads of chunked request bodies including trailer fields

- WebDAV locking handling fixes

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.24 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.24

+1 for stable release

The build is 100% reproducible on MacOS x86-64.

Unit tests pass on MacOS aarch64 and x86-84.


* Environment
*  Java (build):openjdk version "22.0.1" 2024-04-16 OpenJDK Runtime 
Environment Temurin-22.0.1+8 (build 22.0.1+8) OpenJDK 64-Bit Server VM 
Temurin-22.0.1+8 (build 22.0.1+8, mixed mode)
*  Java (test): openjdk version "22.0.1" 2024-04-16 OpenJDK Runtime 
Environment Temurin-22.0.1+8 (build 22.0.1+8) OpenJDK 64-Bit Server VM 
Temurin-22.0.1+8 (build 22.0.1+8, mixed mode)
*  Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 

*  OS:  Darwin 23.4.0 arm64
*  cc:  Apple clang version 15.0.0 (clang-1500.3.9.4)
*  make:GNU Make 3.81
*  OpenSSL: OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-10.1.24.tar.gz
* Valid GPG signature for apache-tomcat-10.1.24.tar.gz
* Valid SHA-512 signature for apache-tomcat-10.1.24.exe
* Valid GPG signature for apache-tomcat-10.1.24.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-10.1.24-src.tar.gz
* Valid GPG signature for apache-tomcat-10.1.24-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE] Release Apache Tomcat 10.1.24

2024-05-09 Thread Christopher Schultz

The proposed Apache Tomcat 10.1.24 release is now available for

The notable changes compared to 10.1.23 are:

- Correct error handling for asynchronous requests

- Refactor HTTP header parsing to use common parsing code and fix
  non-blocking reads of chunked request bodies including trailer fields

- WebDAV locking handling fixes

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.24 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.24

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Passing down arbitrary auth attributes down to Realm#authenticate()

2024-05-08 Thread Christopher Schultz


On 5/8/24 03:01, Michael Osipov wrote:

On 2024/05/07 21:10:33 Christopher Schultz wrote:


On 5/7/24 14:06, Michael Osipov wrote:


I am working on a custom Authenticator and Realm where I need to pass
down a custom value to Realm#authenticate(), more specially a value
obtained from
Currently, there is no such facility in the interface. Any idea how to
pass this down w/o touching the interface and w/o thread-local values?
The only thing I can think of is a custom realm interface, but that
means every realm needs to implement it...

This is the entire reason that the securityfilter[1] project exists.
It's quite old but gets around this kind of thing with... a custom
interface. We use it at $work because we want to be able to get IP
addresses to log logins and login failures.

Tomcat's Realm-related interfaces have always been too restrictive for
me, but I'm not entirely sure how to get around them.

I had a conversation with markt years ago at an ApacheCon event where I
asked about strategies to help out with this sort of thing, and his
relatively quick answer without thinking about it too much was to
suggest that (a) anything new and major should probably go into the
JASPIC/Jakarta Authentication component and (b) JASPIC/Jakarta
Authentication might already be able to do what I wanted.

I didn't follow-up at the time, so I can't validate whether he was right
about (b) or whether (a) would have been particularly easy/hard.


that SF project seems quite abandoned :-(

It's more like "in the attic". It does what it needs to do and has been 
doing it for years. No need to mess around with it.

I took once a brief look at JASPIC. I must say it may be the solution
to my problem, but currently I am not capable of rewriting the entire
code base for it. I Still prefer CMS over "custom" because it gives me
subjective better integration.

That's fair.

I've never dug far enough into JASPIC / Jakarta Authentication to even 
know how to implement "standard" Tomcat Authenticator / Realm with a 
simple RDBMS-based user db. So it's possible it's an afternoon of work 
to re-build what I need on top of JASPIC (as a Provider) or maybe it's 
weeks which isn't worth it to me.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Passing down arbitrary auth attributes down to Realm#authenticate()

2024-05-07 Thread Christopher Schultz


On 5/7/24 14:06, Michael Osipov wrote:


I am working on a custom Authenticator and Realm where I need to pass 
down a custom value to Realm#authenticate(), more specially a value 
obtained from 
Currently, there is no such facility in the interface. Any idea how to 
pass this down w/o touching the interface and w/o thread-local values? 
The only thing I can think of is a custom realm interface, but that 
means every realm needs to implement it...

This is the entire reason that the securityfilter[1] project exists. 
It's quite old but gets around this kind of thing with... a custom 
interface. We use it at $work because we want to be able to get IP 
addresses to log logins and login failures.

Tomcat's Realm-related interfaces have always been too restrictive for 
me, but I'm not entirely sure how to get around them.

I had a conversation with markt years ago at an ApacheCon event where I 
asked about strategies to help out with this sort of thing, and his 
relatively quick answer without thinking about it too much was to 
suggest that (a) anything new and major should probably go into the 
JASPIC/Jakarta Authentication component and (b) JASPIC/Jakarta 
Authentication might already be able to do what I wanted.

I didn't follow-up at the time, so I can't validate whether he was right 
about (b) or whether (a) would have been particularly easy/hard.



To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Refactor storage of trailer fields to use MimeHeaders

2024-04-29 Thread Christopher Schultz


On 4/24/24 14:47, wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new f087decbc9 Refactor storage of trailer fields to use MimeHeaders
f087decbc9 is described below

commit f087decbc938eff084b7be92298457736fe783c2
Author: Mark Thomas 
AuthorDate: Wed Apr 24 19:47:33 2024 +0100

 Refactor storage of trailer fields to use MimeHeaders
  java/org/apache/catalina/connector/   |  4 ++--
  java/org/apache/coyote/   | 15 +--
  .../coyote/http11/filters/ |  6 +++---
  java/org/apache/coyote/http2/  |  2 +-
  java/org/apache/tomcat/util/buf/  |  5 +
  java/org/apache/tomcat/util/http/ | 19 +++
  webapps/docs/changelog.xml|  8 
  7 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/connector/ 
index 390ca9daa1..6bf0f0a940 100644
--- a/java/org/apache/catalina/connector/
+++ b/java/org/apache/catalina/connector/
@@ -1763,8 +1763,8 @@ public class Request implements HttpServletRequest {
  if (!isTrailerFieldsReady()) {
  throw new 
-Map result = new 
-return result;
+// No need for a defensive copy since a new Map is returned for every 
+return coyoteRequest.getTrailerFields();
diff --git a/java/org/apache/coyote/ b/java/org/apache/coyote/

index 680aec6a7b..bf948b09a6 100644
--- a/java/org/apache/coyote/
+++ b/java/org/apache/coyote/
@@ -110,7 +110,7 @@ public final class Request {
  private final MessageBytes localAddrMB = MessageBytes.newInstance();
  private final MimeHeaders headers = new MimeHeaders();

-private final Map trailerFields = new HashMap<>();
+private final MimeHeaders trailerFields = new MimeHeaders();

   * Path parameters
@@ -293,6 +293,11 @@ public final class Request {
  public Map getTrailerFields() {

+return trailerFields.toMap();

Should getTrailerFields call getMimeTrailerFields instead of using 
this.trailerFields directly? I'm not sure how much we really care about 


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Refactoring heads up

2024-04-26 Thread Christopher Schultz


On 4/26/24 13:17, Mark Thomas wrote:

On 24/04/2024 17:52, Mark Thomas wrote:

My plan is to commit these changes to 11.0.x with the low risk parts 
(e.g. new methods) back-ported. Then, once we can see what is left, we 
can decide how quickly/slowly we want to back-port the complete fix to 
10.1.x and 9.0.x (the issue was reported against 10.1.x).

All is looking good so far.

The complete refactoring has been applied to 11.0.x

10.1.x and 9.0.x have the new header parser and are using it for the 

The question is how long do we want to wait before back-porting the 
standard HTTP header parsing? Essentially this means back-porting this 


I'm thinking wait at least one release cycle before back-porting just in 
case of regressions given that this affects every request.

+1 for waiting until next cycle to back-port.

I don't think we have to wait any longer than that.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Unit tests using tcnative/panama [Was: [Bug 68910] Improve LibreSSL version check in tcnative.m4]

2024-04-26 Thread Christopher Schultz

On 4/18/24 06:05, Rainer Jung wrote:

Am 18.04.24 um 09:08 schrieb

--- Comment #3 from Michael Osipov  ---
(In reply to Christopher Schultz from comment #1)

(In reply to Michael Osipov from comment #0)

since we also do support LibreSSL [...]

Note: Support for LibreSSL is more of an aspiration and less of a
requirement. We don't technically advertise support for LibreSSL, but I
would like to be able to support it.

FYI. Just ran 10.1.x with LibreSSL 3.5.2:


The rest is passing. These are failing for renegotiation or protocol 

That looks very promising.

Probably not relevant for this specific topic but maybe of general 

For other reasons I tried to identify, which unit tests actually load 
and execute with tcnative and/or panama, and those are very few. Most 
tests do not use these. Apart from the ones you mentioned as failing:


the only other tests I found using tcnative and/or openssl connectors are:


So almost all of the tests actually using a connector to run servlets 
etc. only use plain http connectors (or fixed JSSE, but I think such do 
not exist).

A few more might only use the commandline openssl binary. Those are not 
included in the above lists.

I was thinking about this the other day as well, since there are 
tcnative+APR-based tests in Tomcat 9 which are executed separately from 
NIO and NIO2. I wasn't ever sure if/how the native library was being 
loaded. I wonder if on test-start (for those tests which actually use 
the connector), we could advertise which strategy is actually being used 
at runtime? I'm aware that FFM isn't supported pre-10.1.23 and that the 
APR connector has been removed in 10.1 but when running 10.1/11 tests it 
would be nice to know that the tests are failing because some specific 
test isn't working via e.g. FFM rather than the native library just 
didn't load properly and therefore ALL tests are failing.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch 10.1.x updated: Fix disastrous cookie-logging patch.

2024-04-26 Thread Christopher Schultz


Thanks for back-porting this. I thought I had already done so.


On 4/26/24 12:58, wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository

The following commit(s) were added to refs/heads/10.1.x by this push:
  new 783815fd94 Fix disastrous cookie-logging patch.
783815fd94 is described below

commit 783815fd940a4ac2f6d7df7bd056e071f54d7de6
Author: Christopher Schultz 
AuthorDate: Fri Apr 19 10:16:36 2024 -0400

 Fix disastrous cookie-logging patch.
  java/org/apache/catalina/valves/ | 6 --
  1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/valves/ 
index 03acb492fa..5c4e67dde6 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1515,17 +1515,19 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
  if (cookies != null) {
  for (Cookie cookie : cookies) {
  if (cookieNameToLog.equals(cookie.getName())) {
+if (value == null) {
+value = new StringBuilder();
  if (first) {
  first = false;
  } else {
-value = new StringBuilder();
-if (value.length() == 0) {
+if (value == null) {
  } else {
  escapeAndAppend(value.toString(), buf);

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Fix disastrous cookie-logging patch.

2024-04-26 Thread Christopher Schultz


On 4/19/24 10:48, Chuck Caldarale wrote:

On Apr 19, 2024, at 09:18, Christopher Schultz  

Hopefully this patch has the intended effect. ;)

I’m not convinced this change will have any measurable performance
improvement. The JVM C2 compiler is pretty good with escape analysis,
so an unused StringBuilder object may not even get allocated.
It should get allocated, since the constructor needs to be called. But 
it may be allocated in a cheap memory region and immediately become 
speedily-collected garbage.

Also, there’s now an added comparison for each iteration of the
cookies loop, plus the additional code for an object allocation. This
enlarges the body of the loop, putting more pressure on the microcode
cache in the CPU, possibly making each iteration take longer.

That's a fair criticism.

Are there any practical examples that show a performance benefit or GC 


I made this change merely based upon code inspection. Since this code 
executes for every single request, I guessed without evidence that 
reduction of memory-churn would be beneficial.


On 4/19/24 10:17, wrote:

This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch main
in repository
The following commit(s) were added to refs/heads/main by this push:
  new cbefe8624e Fix disastrous cookie-logging patch.
cbefe8624e is described below
commit cbefe8624ee5d6255955134d08498f9926295126
Author: Christopher Schultz 
AuthorDate: Fri Apr 19 10:16:36 2024 -0400
 Fix disastrous cookie-logging patch.
  java/org/apache/catalina/valves/ | 6 --
  1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/valves/ 
index 0576b83442..dd29a5ec37 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1513,17 +1513,19 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
  if (cookies != null) {
  for (Cookie cookie : cookies) {
  if (cookieNameToLog.equals(cookie.getName())) {
+if (value == null) {
+value = new StringBuilder();
  if (first) {
  first = false;
  } else {
-value = new StringBuilder();
-if (value.length() == 0) {
+if (value == null) {
  } else {
  escapeAndAppend(value.toString(), buf);
To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE][RESULT] Release Apache Tomcat 10.1.23

2024-04-23 Thread Christopher Schultz


The following votes were cast:

+1: schultz, remm, markt, rjung, jfclere

+1: Dimitris Soumis

There were no other votes, therefore the vote passed.

I will begin the release process shortly. Thanks to everyone who 
contributed toward this release.


The proposed Apache Tomcat 10.1.23 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build mistake and 
Apache Tomcat 10.1.22 was cancelled due to an option in startup scripts which 
would have caused Java 11 environments to fail to start.

The notable changes compared to 10.1.20 are:

- Improve locking strategies in Catalina core

- Update Basic authentication to implement the requirements of RFC 7617

- Updates to Apache Commons dependencies

- Add OpenSSL support when FFM is available

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.23 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.23

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.23

2024-04-23 Thread Christopher Schultz


On 4/23/24 08:27, jean-frederic clere wrote:

On 4/23/24 09:47, Mark Thomas wrote:

On 23/04/2024 06:35, jean-frederic clere wrote:

On 4/17/24 12:00, Mark Thomas wrote:

Build is reproducible.

My tests here complain about examples, did I miss something.

No idea. You'd need to do a diff to see what didn't match and that 
will (hopefully) point you towards the root cause.

The class files are different... Investigating.

I'm holding the VOTE-RESULT email just in case you find something truly 


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.23

2024-04-23 Thread Christopher Schultz


On 4/23/24 08:27, jean-frederic clere wrote:

On 4/23/24 09:47, Mark Thomas wrote:

On 23/04/2024 06:35, jean-frederic clere wrote:

On 4/17/24 12:00, Mark Thomas wrote:

Build is reproducible.

My tests here complain about examples, did I miss something.

No idea. You'd need to do a diff to see what didn't match and that 
will (hopefully) point you towards the root cause.

The class files are different... Investigating.

Try using "ant verify-release". It will give you suggestions for 
investigating anything that doesn't match.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Fix disastrous cookie-logging patch.

2024-04-19 Thread Christopher Schultz


Hopefully this patch has the intended effect. ;)


On 4/19/24 10:17, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new cbefe8624e Fix disastrous cookie-logging patch.
cbefe8624e is described below

commit cbefe8624ee5d6255955134d08498f9926295126
Author: Christopher Schultz 
AuthorDate: Fri Apr 19 10:16:36 2024 -0400

 Fix disastrous cookie-logging patch.
  java/org/apache/catalina/valves/ | 6 --
  1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/valves/ 
index 0576b83442..dd29a5ec37 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1513,17 +1513,19 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
  if (cookies != null) {
  for (Cookie cookie : cookies) {
  if (cookieNameToLog.equals(cookie.getName())) {
+if (value == null) {
+value = new StringBuilder();
  if (first) {
  first = false;
  } else {
-value = new StringBuilder();
-if (value.length() == 0) {
+if (value == null) {
  } else {
  escapeAndAppend(value.toString(), buf);

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Don't create a StringBuilder object until we know we have at least one Cookie value to log.

2024-04-19 Thread Christopher Schultz


On 4/18/24 11:12, Mark Thomas wrote:

On 18/04/2024 14:31, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new 23facd507d Don't create a StringBuilder object until we know 
we have at least one Cookie value to log.

23facd507d is described below

commit 23facd507db72d583ed89a13f20ab1cb766f0221
Author: Christopher Schultz 
AuthorDate: Thu Apr 18 09:30:50 2024 -0400

 Don't create a StringBuilder object until we know we have at 
least one Cookie value to log.

-1. veto. Please fix/revert ASAP.

Note: This veto applies to this commit and the back-ports.

This creates multiple paths where a NPE is possible.

OMG what the heck happened to this patch? Grr. I saw this while working 
on the timestamp-style stuff and decided to separate it out into a 
separate commit and but did I get it wrong. It NPEs on /every/ path :(

Sorry for such a low-quality commit.

I'm going to try a "correct" commit on top of it and would appreciate a 
review. If it still looks like a no-go, I'll revert the whole thing.

This does not work if there are multiple cookies with the same name that 
need to be logged.



  java/org/apache/catalina/valves/ | 3 ++-
  webapps/docs/changelog.xml  | 4 
  2 files changed, 6 insertions(+), 1 deletion(-)

diff --git 

index 5502d1c183..e13bb9e5ac 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1479,7 +1479,7 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

  public void addElement(CharArrayWriter buf, Date date, 
Request request, Response response, long time) {

-    StringBuilder value = new StringBuilder();
+    StringBuilder value = null;
  boolean first = true;
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
@@ -1490,6 +1490,7 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

  } else {
+    value = new StringBuilder();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8ef77e52aa..f6c6c62962 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -123,6 +123,10 @@
  including the removal of the trimCredentials 
setting which

  is now hard-coded to false. (markt)
+    Small performance optimization when logging cookies with no 

+    (schultz)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Don't create a StringBuilder object until we know we have at least one Cookie value to log.

2024-04-19 Thread Christopher Schultz


On 4/19/24 08:38, Mark Thomas wrote:
Ping. Just making sure this veto hasn't been lost in the recent flurry 
of commits.


I'll revert and re-evaluate.


On 18/04/2024 16:12, Mark Thomas wrote:

On 18/04/2024 14:31, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new 23facd507d Don't create a StringBuilder object until we 
know we have at least one Cookie value to log.

23facd507d is described below

commit 23facd507db72d583ed89a13f20ab1cb766f0221
Author: Christopher Schultz 
AuthorDate: Thu Apr 18 09:30:50 2024 -0400

 Don't create a StringBuilder object until we know we have at 
least one Cookie value to log.

-1. veto. Please fix/revert ASAP.

Note: This veto applies to this commit and the back-ports.

This creates multiple paths where a NPE is possible.

This does not work if there are multiple cookies with the same name 
that need to be logged.


  java/org/apache/catalina/valves/ | 3 ++-
  webapps/docs/changelog.xml  | 4 
  2 files changed, 6 insertions(+), 1 deletion(-)

diff --git 

index 5502d1c183..e13bb9e5ac 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1479,7 +1479,7 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

  public void addElement(CharArrayWriter buf, Date date, 
Request request, Response response, long time) {

-    StringBuilder value = new StringBuilder();
+    StringBuilder value = null;
  boolean first = true;
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
@@ -1490,6 +1490,7 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

  } else {
+    value = new StringBuilder();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8ef77e52aa..f6c6c62962 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -123,6 +123,10 @@
  including the removal of the trimCredentials 
setting which

  is now hard-coded to false. (markt)
+    Small performance optimization when logging cookies with no 

+    (schultz)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 02/02: Re-factor ElapsedTimeElement to use a customizable Style

2024-04-19 Thread Christopher Schultz


On 4/19/24 08:31, Mark Thomas wrote:

On 19/04/2024 13:12, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

commit d3482c35bf144cc891dfa325b2f2f50460708c23
Author: Christopher Schultz 
AuthorDate: Thu Apr 18 10:22:16 2024 -0400

 Re-factor ElapsedTimeElement to use a customizable Style

How is this customizable?

This seems to add complexity to somewhere we probably want to keep 
things simple.

It was preparation for this PR:

The use of two-booleans means that we could support only 4 possible 
formats where one of them didn't make any sense (i.e. microseconds=true 
&& milliseconds == true).


  .../catalina/valves/    | 52 

  webapps/docs/changelog.xml |  4 ++
  2 files changed, 44 insertions(+), 12 deletions(-)

diff --git 

index e13bb9e5ac..0576b83442 100644
--- a/java/org/apache/catalina/valves/
+++ b/java/org/apache/catalina/valves/
@@ -1307,8 +1307,44 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

   * write time taken to process the request - %D, %T
  protected static class ElapsedTimeElement implements 
AccessLogElement {

-    private final boolean micros;
-    private final boolean millis;
+    enum Style {
+    SECONDS {
+    @Override
+    public void append(CharArrayWriter buf, long time) {

+    }
+    },
+    @Override
+    public void append(CharArrayWriter buf, long time) {

+    }
+    },
+    @Override
+    public void append(CharArrayWriter buf, long time) {

+    }
+    };
+    /**
+ * Append the time to the buffer in the appropriate format.
+ *
+ * @param buf The buffer to append to.
+ * @param time The time to log in nanoseconds.
+ */
+    public abstract void append(CharArrayWriter buf, long time);
+    }
+    private final Style style;
+    /**
+ * Create a new ElapsedTimeElement that will log the time in 
the specified style.

+ *
+ * @param style The elapsed-time style to use.
+ */
+    public ElapsedTimeElement(Style style) {
+ = style;
+    }
   * @param micros true, write time in 
microseconds - %D
@@ -1316,20 +1352,12 @@ public abstract class AbstractAccessLogValve 
extends ValveBase implements Access

   *   time in seconds - %T
  public ElapsedTimeElement(boolean micros, boolean millis) {
-    this.micros = micros;
-    this.millis = millis;
+    this(micros ? Style.MICROSECONDS : millis ? 

  public void addElement(CharArrayWriter buf, Date date, 
Request request, Response response, long time) {

-    if (micros) {

-    } else if (millis) {

-    } else {
-    // second

-    }
+    style.append(buf, time);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bda2e5d98c..f6eacba634 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -133,6 +133,10 @@
  dispatch is now performed rather than completing the request 
using the

  error page mechanism. (markt)
+    Re-factor ElapsedTimeElement in AbstractAccessLogValve to use 
a customizable

+    style. (schultz)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail: dev-h...@tomcat.ap

Re: Some remarks on panama libssl loading

2024-04-18 Thread Christopher Schultz


On 4/17/24 16:46, Michael Osipov wrote:

On 2024/04/17 14:21:06 Rainer Jung wrote:

Am 17.04.24 um 15:34 schrieb Michael Osipov:

Rainer, I do not fully understand the problem here. We use libtool to solve 
exactly this problem with versioned SONAMEs. It will create symlinks to the 
Do you expect anyone even with dlopen() to load libfoo.o.{SOVERSION} unless it 
is strictly needed?

lrwxr-xr-x  1 root  wheel26 2024-03-22 10:20 /usr/lib/ -> 
lrwxr-xr-x  1 root  wheel   13 2024-03-22 10:20 /usr/lib/ ->
-r--r--r--  1 root  wheel   608008 2024-03-22 10:20 /usr/lib/
and so on...

Yes, I expect that! anyone is the JVM :(

The problem is, that the Java API does not care about these well thought
native traditions. You can not open using
System.loadlibrary(String name), because whatever you give it as "name"
parameter it will always try to open It always prepends
"lib" to name and always suffixes it with plain ".so".

Yes, it might exist as the first in your list of symlinks, but on most
linux distributions this link is not installed by default, because it is
only needed when doing compilations. So it is only installed when you
install development packages for libs.

Ah, now I see your problem, but it looks like a downstream problem of your 
distro of choice, no? I wonder how you compile then custom software if .so 
isn't present and the linker cannot find it with -L? What if you install the 
devel package to have .so link?

That works, but doesn't seem to be a reasonable requirement if you just 
want to install Ubuntu and Tomcat and run a server.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.23

2024-04-16 Thread Christopher Schultz


On 4/16/24 14:34, Rémy Maucherat wrote:

On Tue, Apr 16, 2024 at 3:11 PM Christopher Schultz

The proposed Apache Tomcat 10.1.23 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build
mistake and Apache Tomcat 10.1.22 was cancelled due to an option in
startup scripts which would have caused Java 11 environments to fail to

The notable changes compared to 10.1.20 are:

- Improve locking strategies in Catalina core

- Update Basic authentication to implement the requirements of RFC 7617

- Updates to Apache Commons dependencies

- Add OpenSSL support when FFM is available

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.23 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.1.23

Sorry again for the trouble ...

It's no trouble.

When I was still doing Tomcat 8.5 it would have been worse. I managed to 
get things such that the final digit of both releases was the same and 
it was hard to mess them up. Burning .21 and .22 would have thrown that 
out of wack and I probably would have been doing wrong-tags or 
wrong-emails or whatever.

So don't worry about it :)


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.23

2024-04-16 Thread Christopher Schultz


On 4/16/24 09:11, Christopher Schultz wrote:

The proposed Apache Tomcat 10.1.23 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build 
mistake and Apache Tomcat 10.1.22 was cancelled due to an option in 
startup scripts which would have caused Java 11 environments to fail to 

The notable changes compared to 10.1.20 are:

- Improve locking strategies in Catalina core

- Update Basic authentication to implement the requirements of RFC 7617

- Updates to Apache Commons dependencies

- Add OpenSSL support when FFM is available

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.23 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.23

+1 for stable release

Unit tests pass on MacOS aarch64.


* Environment
*  Java (build):openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)
*  Java (test): openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)
*  Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 

*  OS:  Darwin 23.4.0 arm64
*  cc:  Apple clang version 15.0.0 (clang-1500.3.9.4)
*  make:GNU Make 3.81
*  OpenSSL: OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-10.1.23.tar.gz
* Valid GPG signature for apache-tomcat-10.1.23.tar.gz
* Valid SHA-512 signature for apache-tomcat-10.1.23.exe
* Valid GPG signature for apache-tomcat-10.1.23.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-10.1.23-src.tar.gz
* Valid GPG signature for apache-tomcat-10.1.23-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE] Release Apache Tomcat 10.1.23

2024-04-16 Thread Christopher Schultz

The proposed Apache Tomcat 10.1.23 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build 
mistake and Apache Tomcat 10.1.22 was cancelled due to an option in 
startup scripts which would have caused Java 11 environments to fail to 

The notable changes compared to 10.1.20 are:

- Improve locking strategies in Catalina core

- Update Basic authentication to implement the requirements of RFC 7617

- Updates to Apache Commons dependencies

- Add OpenSSL support when FFM is available

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.23 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.23

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Base64 and BASIC authentication

2024-04-16 Thread Christopher Schultz


On 4/16/24 03:18, Mark Thomas wrote:

TL;DR - we need to tighten up parsing of BASIC authentication headers.

When I switched out Tomcat's Base64 handling for the built-in JRE 
handling, I noticed that BASIC authentication was using a very relaxed 
version of the Base64 decoder. That seemed odd, so I replaced it with 
the standard Base64 decoder. That broke a bunch of tests so I switched 
to the MIME decoder (the most relaxed) which fixed most - but not all - 
of the issues. Then I started look at what the tests were testing and 
the relevant RFCs.

The current RFC for HTTP BASIC authentication is RFC 7617. This in turn 
references numerous other RFCs, most notably RFC 7235 (HTTP 
Authentication) and RFC 4648 (Base64). Taken together these require that 
the format of the Authorization header is:

- The token "Basic"
- Exactly 1 space
- The base64 encoding of username:password

Tomcat's current implementation is based on RFC 2617 and allows the 

- white space around the base64

Meh. This doesn't seem too impactful. If any part of the credential 
needs to contain whitespace, that whitespace will be base64 encoded and 
therefore not-whitespace in the header value.

- allows embedded line breaks in the base64

Ew. -1 please

- missing padding

This seems okay to me. JWT as a very modern example of base64-encoded 
data in HTTP allows missing padding just to save 1-3 bytes even though 
the JWTs themselves are monstrous.

- illegal characters in the base64 (ignored)
- illegal characters in the base64 padding (ignored)

These these should probably no longer be ignored.

- excessive padding

Weird. I wonder if that was intentional.

- whitespace around the decoded password

Full -1 from me. Whitespace should be allowed as part of a username or 
password and trimming it is inappropriate.

I don't see any of the above causing issues apart from the last one 
which prevents the use of passwords with leading or trailing whitespace. 
This is mostly of a cleaning up exercise so the switch to Java's base64 
decoder is simpler.

Before I merge the change to use the JRE's Base64 encoder, I intend to 
tighten up the parsing of Basic authentication headers. I intend to do 
this for all currently supported versions.

Any objections?

None here.

Do the relevant RFCs say anything about the missing padding? If Java 
allows us to accept pad-less values, I would allow that to continue.


To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE][CANCELLED] Release Apache Tomcat 10.1.22

2024-04-15 Thread Christopher Schultz


I'm cancelling the vote due to an issue raised by rjung which could 
cause Java 11 environments to fail to start Tomcat due to the 
introduction of an unsupported JVM startup switch.

I'll re-roll the release with an updated script today.


The proposed Apache Tomcat 10.1.22 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build mistake. 
There are no source-level changes between 10.1.21 and 10.1.22.

The notable changes compared to 10.1.20 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.22 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.22

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 01/06: Remove unused code - thanks to UCDetector

2024-04-15 Thread Christopher Schultz


On 4/15/24 11:13, Mark Thomas wrote:

On 05/04/2024 12:55, Mark Thomas wrote:

5 Apr 2024 04:33:42 Christopher Schultz :


Can't this entire class be replaced with calls to 
java.util.Base64.get*Encoder and java.util.Base64.get*Decoder 
wherever necessary?

Now that 9.0.x is oldest, we should be able to use java.util.Base64 
from Java 1.8+

Possibly. There is a commit from 2.0.x that does that that we could 
back port.

The one thing I wanted to check was that the Tomcat one was stricter 
for URL safe Vs non URL safe. I wasn't sure how that applied here.

My main concern was aligning 9.0.x through 11.0.x which is now done. 
Improvements like this were next on the TODO list for File upload.

I've done more checks and it was the commons implementation that used 
the same decoder for standard and URL-safe. The Java implementation has 
specific decoders for each.

It looks like we can remove the o.a.tomcat.util.codec.binary package 
completely. I'll take a look. If it is possible then the plan would be 
remove in 11.0.x and deprecate in 10.1.x and earlier just in case 
someone is using the Tomcat internals directly.



To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.22

2024-04-11 Thread Christopher Schultz


On 4/11/24 05:18, Rémy Maucherat wrote:

On Wed, Apr 10, 2024 at 8:52 PM Christopher Schultz

The proposed Apache Tomcat 10.1.22 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build
mistake. There are no source-level changes between 10.1.21 and 10.1.22.

The notable changes compared to 10.1.20 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.22 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.1.22

+1 because it's good, but let's skip advertising FFM support for this
one (due to my mistake, as I had only verified FFM support earlier
using the testsuite).

Okay, when I announce the release, I'll use some other item in-place of 
the FFM highlight.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.22

2024-04-10 Thread Christopher Schultz


On 4/10/24 2:51 PM, Christopher Schultz wrote:

The proposed Apache Tomcat 10.1.22 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build 
mistake. There are no source-level changes between 10.1.21 and 10.1.22.

The notable changes compared to 10.1.20 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.22 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.22

+1 for stable release. Unit tests pass on both MacOS x86-64 and MacOS 
aarch64. Builds are 100% reproducible on both MacOS x86-64 and MacOS 


* Environment
*  Java (build):openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)
*  Java (test): openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)

*  OS:  Darwin 21.6.0 x86_64
*  cc:  Apple clang version 12.0.0 (clang-1200.0.31.1)
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 
Jan 2024)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-10.1.22.tar.gz
* Valid GPG signature for apache-tomcat-10.1.22.tar.gz
* Valid SHA-512 signature for apache-tomcat-10.1.22.exe
* Valid GPG signature for apache-tomcat-10.1.22.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-10.1.22-src.tar.gz
* Valid GPG signature for apache-tomcat-10.1.22-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

* Environment
*  Java (build):openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)
*  Java (test): openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment Temurin-22+36 (build 22+36) OpenJDK 64-Bit Server VM 
Temurin-22+36 (build 22+36, mixed mode)
*  Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 

*  OS:  Darwin 23.3.0 arm64
*  cc:  Apple clang version 15.0.0 (clang-1500.
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-10.1.22.tar.gz
* Valid GPG signature for apache-tomcat-10.1.22.tar.gz
* Valid SHA-512 signature for apache-tomcat-10.1.22.exe
* Valid GPG signature for apache-tomcat-10.1.22.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-10.1.22-src.tar.gz
* Valid GPG signature for apache-tomcat-10.1.22-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE] Release Apache Tomcat 10.1.22

2024-04-10 Thread Christopher Schultz

The proposed Apache Tomcat 10.1.22 release is now available for
voting. Apache Tomcat 10.1.21 was canceled due to a release-build 
mistake. There are no source-level changes between 10.1.21 and 10.1.22.

The notable changes compared to 10.1.20 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.22 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.22

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE][CANCELLED] Release Apache Tomcat 10.1.21

2024-04-10 Thread Christopher Schultz
I am cancelling this release because it was built with the wrong JDK 

I will re-build the release shortly as 10.1.22.


On 4/9/24 15:42, Christopher Schultz wrote:

The proposed Apache Tomcat 10.1.21 release is now available for

The notable changes compared to 10.1.21 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.21 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.21

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 9.0.88

2024-04-10 Thread Christopher Schultz


Thanks for RMing.

On 4/9/24 09:54, Rémy Maucherat wrote:

The proposed Apache Tomcat 9.0.88 release is now available for voting.

The notable changes compared to 9.0.87 are:

- Cookies header generation enhancements.

- Fix regression when reloading TLS configuration and files.

For full details, see the changelog:

It can be obtained from:
The Maven staging repo is:
The tag is:

The proposed 9.0.88 release is:
[ ] -1, Broken - do not release
[ ] +1, Stable - go ahead and release as 9.0.88

+1 for stable release.

Unit tests pass on MacOS aarm64 for NIO, NIO2, and APR. Build is 
reproducible on MacOS aarm64 except for the "fulldocs" bundle likely due 
to a JDK bug.

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 

*  OS:  Darwin 23.3.0 arm64
*  cc:  Apple clang version 15.0.0 (clang-1500.
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-9.0.88.tar.gz
* Valid GPG signature for apache-tomcat-9.0.88.tar.gz
* Valid SHA-512 signature for apache-tomcat-9.0.88.exe
* Valid GPG signature for apache-tomcat-9.0.88.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-9.0.88-src.tar.gz
* Valid GPG signature for apache-tomcat-9.0.88-src.tar.gz
* Binary Zip and tarball: !! NOT SAME
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.21

2024-04-10 Thread Christopher Schultz


On 4/10/24 5:18 AM, Rémy Maucherat wrote:

On Tue, Apr 9, 2024 at 9:42 PM Christopher Schultz

The proposed Apache Tomcat 10.1.21 release is now available for

The notable changes compared to 10.1.21 are:

- Add OpenSSL support when FFM is available

This was built with Java 17 so there's no FFM. I'm ok with that though.

If this was a mistake and we want to make sure to avoid it in the
future, I can flip the script to fail when trying to use ant release
on older Java versions. I noted that it would be flipped when Java 22
has better availability, which is supposed to be "ok" now. Temurin has
builds for everything, it looks good.

I honestly wasn't thinking about it.

So if the release is built with 17 even downstream can't use FFM. Not great.

What does everybody think? Should we bump Tomcat 10.x up to Java 22+ 
required for release-build? Java 22 is finally GA, so this seems 
reasonable. I wouldn't have wanted to do it a few weeks ago with a 
pre-release Java 22.

I'm leaning toward re-rolling 10.1.21 with Java 22. I could also burn 
the version number though nothing will have changed.



- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.21 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.1.21


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE] Release Apache Tomcat 10.1.21

2024-04-09 Thread Christopher Schultz

The proposed Apache Tomcat 10.1.21 release is now available for

The notable changes compared to 10.1.21 are:

- Add OpenSSL support when FFM is available

- Improve locking strategies in Catalina core

- Updates to Apache Commons dependencies

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

Please reply with a +1 for release or -0/-1 with an explanation.

The proposed 10.1.21 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.21

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 01/06: Remove unused code - thanks to UCDetector

2024-04-04 Thread Christopher Schultz


Can't this entire class be replaced with calls to 
java.util.Base64.get*Encoder and java.util.Base64.get*Decoder wherever 

Now that 9.0.x is oldest, we should be able to use java.util.Base64 from 
Java 1.8+



On 4/4/24 15:52, wrote:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository

commit 1a2f722e405ec17c5dab5fac43ae2fe63eb8fbce
Author: Mark Thomas 
AuthorDate: Fri Jun 17 12:29:10 2022 +0100

 Remove unused code - thanks to UCDetector
  .../apache/tomcat/util/codec/binary/| 155 -
  .../tomcat/util/codec/binary/   |  88 
  2 files changed, 243 deletions(-)

diff --git a/java/org/apache/tomcat/util/codec/binary/ 
index a733df9937..e38bf3df17 100644
--- a/java/org/apache/tomcat/util/codec/binary/
+++ b/java/org/apache/tomcat/util/codec/binary/
@@ -16,9 +16,6 @@
  package org.apache.tomcat.util.codec.binary;
-import java.math.BigInteger;

-import java.util.Objects;
   * Provides Base64 encoding and decoding as defined by;>RFC 2045.
@@ -141,20 +138,6 @@ public class Base64 extends BaseNCodec {
  // The private member fields below are used with the new streaming 
approach, which requires
  // some state be preserved between calls of encode() and decode().

- * Decodes Base64 data into octets.
- * 
- * Note: this method seamlessly handles data encoded in URL-safe or 
normal mode.
- * 
- *
- * @param base64Data
- *Byte array containing Base64 data
- * @return Array containing decoded data.
- */
-public static byte[] decodeBase64(final byte[] base64Data) {
-return decodeBase64(base64Data, 0, base64Data.length);
  public  static byte[] decodeBase64(
  final byte[] base64Data, final int off, final int len) {
  return new Base64().decode(base64Data, off, len);
@@ -180,29 +163,6 @@ public class Base64 extends BaseNCodec {
  // Implementation of integer encoding used for crypto

- * Decodes a byte64-encoded integer according to crypto standards such as 
W3C's XML-Signature.
- *
- * @param pArray
- *a byte array containing base64 character data
- * @return A BigInteger
- * @since 1.4
- */
-public static BigInteger decodeInteger(final byte[] pArray) {
-return new BigInteger(1, decodeBase64(pArray));
- * Encodes binary data using the base64 algorithm but does not chunk the 
- *
- * @param binaryData
- *binary data to encode
- * @return byte[] containing Base64 characters in their UTF-8 
- */
-public static byte[] encodeBase64(final byte[] binaryData) {
-return encodeBase64(binaryData, false);
   * Encodes binary data using the base64 algorithm, optionally chunking 
the output into 76 character blocks.
@@ -272,17 +232,6 @@ public class Base64 extends BaseNCodec {
  return b64.encode(binaryData);

- * Encodes binary data using the base64 algorithm and chunks the encoded 
output into 76 character blocks
- *
- * @param binaryData
- *binary data to encode
- * @return Base64 characters chunked in 76 character blocks
- */
-public static byte[] encodeBase64Chunked(final byte[] binaryData) {
-return encodeBase64(binaryData, true);
   * Encodes binary data using the base64 algorithm but does not chunk the 
@@ -298,19 +247,6 @@ public class Base64 extends BaseNCodec {
  return StringUtils.newStringUsAscii(encodeBase64(binaryData, false));

- * Encodes binary data using a URL-safe variation of the base64 algorithm 
but does not chunk the output. The
- * url-safe variation emits - and _ instead of + and / characters.
- * Note: no padding is added.
- * @param binaryData
- *binary data to encode
- * @return byte[] containing Base64 characters in their UTF-8 
- * @since 1.4
- */
-public static byte[] encodeBase64URLSafe(final byte[] binaryData) {
-return encodeBase64(binaryData, false, true);
   * Encodes binary data using a URL-safe variation of the base64 algorithm 
but does not chunk the output. The
   * url-safe variation emits - and _ instead of + and / characters.
@@ -324,97 +260,6 @@ public class Base64 extends BaseNCodec {
  return StringUtils.newStringUsAscii(encodeBase64(binaryData, false, 

- * Encodes to a byte64-encoded integer according to crypto standards 

Re: Stop releasing Tomcat 9 or adding back Tomcat 10.0?

2024-03-29 Thread Christopher Schultz


On 3/29/24 08:50, Romain Manni-Bucau wrote:

Le ven. 29 mars 2024 à 13:41, Christopher Schultz <> a écrit :


On 3/29/24 03:18, Romain Manni-Bucau wrote:

Side note: what I meant about ASF is that there was a help habit between
communities. I know it got "broken" (=it is no more a general real thing)
some years ago to isolate all projects (give them a total independency)


I'm clearly not a fan of that, in particular when it deserves the project
but I totally respect your choice, didnt mean anything stronger than a


No problem. Adding the smile made it clear you were hoping about me
specifically. But it wasn't clear what you were saying about the
(Tomcat) project itself.

On the method addition/ TCK: no issue since signature of the api stays


Can break tomcat facade object design - but not a big deal for me - but
clearly not tck compat.

Okay, I'm not super familiar with the TCK process itself. I had assumed
that if we added arbitrary methods to the jakarta.* public interfaces,
we'd fail the TCK.

This is true but the proposal is more to comply to servlet5 U servlet 6
(union) API in tomcat objects.
If ServletRequestImpl (RequestFacade mainly) has the union of methods then
it can run with api 5 or 6 and still repect the compliance of both in the
same codebase.

Indeed I'm only proposing it cause the diff is very low IMHO otherwise I
agree it would be a nightmare.

If that's not the case, then...

If you build a patch set for Tomcat 10.1.x to re-add those methods and
it passes your TCK, we can apply them to 10.1 nd see if we also pass the

If it passes both, I have no objection to adding those methods back to
10.1 to help-out anyone who feels strongly about supporting Servlet 5.
You may find that others on the team are -1 on this; I'm not sure.

Back to practical things: if you maintain a patch set (which should be
fairly limited, as I asserted and you seem to agree with) that you can
apply in order to pass the TCK and that's neaarly all its for, then I
think it won't be much maintenance for you to keep that set.

That is, if you either directly-fork Tomcat 10.1 or if your build
process downloads the sources, patches and builds Tomcat locally, then
you will pass the TCK and everyone is happy.

The fork part is the unhappy part, not because of the work but because:

* It breaks security scans
* It breaks change tracking and needs adjustments (for tomcat you try to
limit the diff between branches but as soon the branch is outside the
project it will be more complicated and a change can break the downstream
project more easily)
* It requires yet another release cycle outside of the official project
* It confuses end users
* It makes it impossible for users to upgrade Tomcat without a release of
the fork - what is possible in embedded TomEE or other projects

This is why I was looking for another compromise.

Could another compromise be "TomEE ignores Servlet 5 and just goes 
directly to Servlet 6"? That seems to be what Rémy is recommending 
because he obviously has no affection for Servlet 5 :)


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Stop releasing Tomcat 9 or adding back Tomcat 10.0?

2024-03-29 Thread Christopher Schultz


On 3/29/24 03:18, Romain Manni-Bucau wrote:

Side note: what I meant about ASF is that there was a help habit between
communities. I know it got "broken" (=it is no more a general real thing)
some years ago to isolate all projects (give them a total independency) but
I'm clearly not a fan of that, in particular when it deserves the project
but I totally respect your choice, didnt mean anything stronger than a hope.

No problem. Adding the smile made it clear you were hoping about me 
specifically. But it wasn't clear what you were saying about the 
(Tomcat) project itself.

On the method addition/ TCK: no issue since signature of the api stays the
Can break tomcat facade object design - but not a big deal for me - but
clearly not tck compat.

Okay, I'm not super familiar with the TCK process itself. I had assumed 
that if we added arbitrary methods to the jakarta.* public interfaces, 
we'd fail the TCK.

If that's not the case, then...

If you build a patch set for Tomcat 10.1.x to re-add those methods and 
it passes your TCK, we can apply them to 10.1 nd see if we also pass the 

If it passes both, I have no objection to adding those methods back to 
10.1 to help-out anyone who feels strongly about supporting Servlet 5. 
You may find that others on the team are -1 on this; I'm not sure.

Back to practical things: if you maintain a patch set (which should be 
fairly limited, as I asserted and you seem to agree with) that you can 
apply in order to pass the TCK and that's neaarly all its for, then I 
think it won't be much maintenance for you to keep that set.

That is, if you either directly-fork Tomcat 10.1 or if your build 
process downloads the sources, patches and builds Tomcat locally, then 
you will pass the TCK and everyone is happy.

If your build process is strictly "download Tomcat binaries and use 
them" then of course it will be more complicated.


Le jeu. 28 mars 2024 à 23:13, Christopher Schultz <> a écrit :


On 3/27/24 15:29, Romain Manni-Bucau wrote:

FYI here is the diff between servlet 5 and 6 API jars:

New API: - jakarta.servlet.ServletConnection Deleted API: -
jakarta.servlet.SingleThreadModel -


- jakarta.servlet.http.HttpUtils Changed API:
jakarta.servlet.ServletContext Deleted methods: - public abstract
jakarta.servlet.ServletContext.getServlet(java.lang.String) throws
jakarta.servlet.ServletException - public abstract java.util.Enumeration
jakarta.servlet.ServletContext.getServletNames() - public abstract
java.util.Enumeration jakarta.servlet.ServletContext.getServlets() -


abstract void
jakarta.servlet.ServletRequest Added methods: - public abstract
jakarta.servlet.ServletRequest.getServletConnection() - public abstract
java.lang.String jakarta.servlet.ServletRequest.getProtocolRequestId() -
public abstract java.lang.String
jakarta.servlet.ServletRequest.getRequestId() Deleted methods: - public
abstract java.lang.String
jakarta.servlet.ServletRequestWrapper Added methods: - public
jakarta.servlet.ServletRequestWrapper.getServletConnection() - public
jakarta.servlet.ServletRequestWrapper.getProtocolRequestId() - public
java.lang.String jakarta.servlet.ServletRequestWrapper.getRequestId()
Deleted methods: - public java.lang.String
jakarta.servlet.SessionCookieConfig Added methods: - public abstract
jakarta.servlet.SessionCookieConfig.getAttribute(java.lang.String) -


abstract java.util.Map


- public abstract void


jakarta.servlet.UnavailableException Deleted methods: - public
jakarta.servlet.Servlet jakarta.servlet.UnavailableException.getServlet()
jakarta.servlet.descriptor.JspPropertyGroupDescriptor Added methods: -
public abstract java.lang.String


jakarta.servlet.http.Cookie Added methods: - public boolean
jakarta.servlet.http.Cookie.equals(java.lang.Object) - public int
jakarta.servlet.http.Cookie.hashCode() - public java.lang.String
jakarta.servlet.http.Cookie.getAttribute(java.lang.String) - public
java.lang.String jakarta.servlet.http.Cookie.toString() - public
java.util.Map jakarta.servlet.http.Cookie.getAttributes() - public void


jakarta.servlet.http.HttpServlet Added fields: - public static final
java.lang.String jakarta.servlet.http.HttpServlet.LEGACY_DO_HEAD Added
methods: - public void

Re: Stop releasing Tomcat 9 or adding back Tomcat 10.0?

2024-03-28 Thread Christopher Schultz


On 3/27/24 15:29, Romain Manni-Bucau wrote:

FYI here is the diff between servlet 5 and 6 API jars:

New API: - jakarta.servlet.ServletConnection Deleted API: -
jakarta.servlet.SingleThreadModel - jakarta.servlet.http.HttpSessionContext
- jakarta.servlet.http.HttpUtils Changed API:
jakarta.servlet.ServletContext Deleted methods: - public abstract
jakarta.servlet.ServletContext.getServlet(java.lang.String) throws
jakarta.servlet.ServletException - public abstract java.util.Enumeration
jakarta.servlet.ServletContext.getServletNames() - public abstract
java.util.Enumeration jakarta.servlet.ServletContext.getServlets() - public
abstract void
jakarta.servlet.ServletRequest Added methods: - public abstract
jakarta.servlet.ServletRequest.getServletConnection() - public abstract
java.lang.String jakarta.servlet.ServletRequest.getProtocolRequestId() -
public abstract java.lang.String
jakarta.servlet.ServletRequest.getRequestId() Deleted methods: - public
abstract java.lang.String
jakarta.servlet.ServletRequestWrapper Added methods: - public
jakarta.servlet.ServletRequestWrapper.getServletConnection() - public
jakarta.servlet.ServletRequestWrapper.getProtocolRequestId() - public
java.lang.String jakarta.servlet.ServletRequestWrapper.getRequestId()
Deleted methods: - public java.lang.String
jakarta.servlet.SessionCookieConfig Added methods: - public abstract
jakarta.servlet.SessionCookieConfig.getAttribute(java.lang.String) - public
abstract java.util.Map jakarta.servlet.SessionCookieConfig.getAttributes()
- public abstract void
jakarta.servlet.UnavailableException Deleted methods: - public
jakarta.servlet.Servlet jakarta.servlet.UnavailableException.getServlet()
jakarta.servlet.descriptor.JspPropertyGroupDescriptor Added methods: -
public abstract java.lang.String
jakarta.servlet.http.Cookie Added methods: - public boolean
jakarta.servlet.http.Cookie.equals(java.lang.Object) - public int
jakarta.servlet.http.Cookie.hashCode() - public java.lang.String
jakarta.servlet.http.Cookie.getAttribute(java.lang.String) - public
java.lang.String jakarta.servlet.http.Cookie.toString() - public
java.util.Map jakarta.servlet.http.Cookie.getAttributes() - public void
jakarta.servlet.http.HttpServlet Added fields: - public static final
java.lang.String jakarta.servlet.http.HttpServlet.LEGACY_DO_HEAD Added
methods: - public void
jakarta.servlet.http.HttpServlet.init(jakarta.servlet.ServletConfig) throws
jakarta.servlet.ServletException jakarta.servlet.http.HttpServletRequest
Deleted methods: - public abstract boolean
jakarta.servlet.http.HttpServletRequestWrapper Deleted methods: - public
jakarta.servlet.http.HttpServletResponse Deleted methods: - public abstract
- public abstract java.lang.String
jakarta.servlet.http.HttpServletResponse.encodeUrl(java.lang.String) -
public abstract void
jakarta.servlet.http.HttpServletResponseWrapper Deleted methods: - public
- public java.lang.String
- public void
jakarta.servlet.http.HttpSession Deleted methods: - public abstract
jakarta.servlet.http.HttpSession.getSessionContext() - public abstract
jakarta.servlet.http.HttpSession.getValue(java.lang.String) - public
abstract java.lang.String[]
jakarta.servlet.http.HttpSession.getValueNames() - public abstract void
- public abstract void

It does not look crazy to get back (without @Override) deleted methods in
Tomcat - most of them are just either "return null" or a delegation to
another method so cost for tomcat is almost 0 for that side.
What I'm not yet sure - didn't have time to check yet - is if the new API
are used directly from jakarta package (if so it would fail running with
servlet 5 api else it will run 

Re: Stop releasing Tomcat 9 or adding back Tomcat 10.0?

2024-03-28 Thread Christopher Schultz


On 3/27/24 08:26, Romain Manni-Bucau wrote:

Hi Chris,

Le mer. 27 mars 2024 à 13:13, Christopher Schultz <> a écrit :


On 3/27/24 06:13, Romain Manni-Bucau wrote:

Le mer. 27 mars 2024 à 10:58, Rémy Maucherat  a écrit :

On Wed, Mar 27, 2024 at 9:49 AM Romain Manni-Bucau

Hi all,

Checkout out TomEE's notifications I realized Tomcat is in a weirdish
situation where Tomcat 9 is Servlet 4 and "+1" version is Tomcat 10.1


is Servlet 6.
It means Tomcat is no more a Servlet 5 friendly option.

I wonder if it means Tomcat < 10.1 should be stopped too or if Tomcat


should be maintained and released again - pretty sure we can find help


desired for that not that far.
Another option is to restore the deleted methods between servlet 5-6 in


code base to be able to run Tomcat 10.1 with Servlet 5 API instead of
Servlet 6 - to pass signature TCK.


Nothing. The Tomcat developers (= the committers) determined that the
EE 9 release was useless since the only change is the javax -> jakarta
package renaming. A big task for sure, but that seemed to us this was
more a developer oriented armaggeddon and not something that benefits
our users.

For reasons that elude my understanding, some other projects like
TomEE thought this was still useful and decided to release full
support for EE 9 rather than go to EE 10 like we did. Our plan about
EE was public. So I guess this is still our problem obviously, but I
don't feel like doing anything about it.

  From what I saw on other AsfEE projects, users requested it, nothing


and then you have CVE game.

BTW, about the last item. Recently, I tried to run CXF on the new EE
10 APIs (since OWB moved to that). It doesn't work as it uses
deprecated APIs, while IMO it should have moved away from them long
ago. And it's an ASF project, not some hack project somewhere.

This is fixed AFAIK on master (maybe last release, didnt check) so should
be fine soon.

Basically unless there's a cut somewhere, nothing will ever change :D
As a result, I don't think an API restoration in Tomcat 10.1 is a good
idea ...

Ok, so last option is TomEE community taking the lead on 10.0 branch, is
that an option if all the PR work is done?

Is the problem that you have customers actually using these APIs?

Or is the problem that you can't pass a TCK unless you have support for
these ancient methods?

A bit both, have to admit I lost a bit track of original user request and
if they adopted it or not but TCK point is important and justifies today a
complete tomcat fork which is quite not understandable for me from an ASF

It sounds like you are saying "we over at TomEE need something and 
because we are both ASF projects, Tomcat really ought to do this work 
for us". That doesn't sound very nice to me.

You asked us, and we told you we don't care to scratch that particular 
itch. *shrug*

Most of that stuff was deprecated ages ago and just finally removed.

Why is it super important for you to get certified for Servlet 5
specifically? Why not just get Jakarta EE 10 certified and move on? Any
applications that would actually fail on Tomcat 10.1 + Migration Tool
really really _really_ need to be updated to work properly. People have
had 15 years to stop using that stuff.

This is the plan, but for the same reason you don't want to release 10.0,
certification is not a one week fork, tomee 10m1 is planned but in the
meantime having tomee 9 (servlet 5) certified would be very welcomed.
That said should I read it as you are proposing yourself to help? (trying

Yeah... no.

I was just suggesting that maybe the patch set isn't really that big. 
And that you shouldn't bother yourself with 10.0 because nobody should 
use it. It's probably riddled with unfixed CVEs that actually-supported 
versions of Tomcat have fixed and released.

Honestly, I think it would be much more worth you while to fork Tomcat
10.1 and add-back the methods you need rather than trying to resurrect
the 10.0 branch. There have been no commits on that branch for 2 years,
and we've had something like ~24 releases of each other branch in the
meantime. That includes performance improvements, security fixes,
feature and stability improvements, etc.

Would it be as simple as providing your own replacements for deprecated
classes/methods to pass the TCK? That seems far less onerous than
bringing back zombie Tomcat 10.0.

Asked this morning the same question but it is still being investigated if
possible but still means forking at some point so gain is not really huge
for the project - can be for end users, agree.

You don't really need to fork. You just need a patch-set which is 
hopefully small. I suppose you could maintain a fork, but I don't think 
it would be that onerous.

I would like to see what you

Re: Stop releasing Tomcat 9 or adding back Tomcat 10.0?

2024-03-27 Thread Christopher Schultz


On 3/27/24 06:13, Romain Manni-Bucau wrote:

Le mer. 27 mars 2024 à 10:58, Rémy Maucherat  a écrit :

On Wed, Mar 27, 2024 at 9:49 AM Romain Manni-Bucau

Hi all,

Checkout out TomEE's notifications I realized Tomcat is in a weirdish
situation where Tomcat 9 is Servlet 4 and "+1" version is Tomcat 10.1


is Servlet 6.
It means Tomcat is no more a Servlet 5 friendly option.

I wonder if it means Tomcat < 10.1 should be stopped too or if Tomcat


should be maintained and released again - pretty sure we can find help if
desired for that not that far.
Another option is to restore the deleted methods between servlet 5-6 in


code base to be able to run Tomcat 10.1 with Servlet 5 API instead of
Servlet 6 - to pass signature TCK.


Nothing. The Tomcat developers (= the committers) determined that the
EE 9 release was useless since the only change is the javax -> jakarta
package renaming. A big task for sure, but that seemed to us this was
more a developer oriented armaggeddon and not something that benefits
our users.

For reasons that elude my understanding, some other projects like
TomEE thought this was still useful and decided to release full
support for EE 9 rather than go to EE 10 like we did. Our plan about
EE was public. So I guess this is still our problem obviously, but I
don't feel like doing anything about it.

 From what I saw on other AsfEE projects, users requested it, nothing more
and then you have CVE game.

BTW, about the last item. Recently, I tried to run CXF on the new EE
10 APIs (since OWB moved to that). It doesn't work as it uses
deprecated APIs, while IMO it should have moved away from them long
ago. And it's an ASF project, not some hack project somewhere.

This is fixed AFAIK on master (maybe last release, didnt check) so should
be fine soon.

Basically unless there's a cut somewhere, nothing will ever change :D
As a result, I don't think an API restoration in Tomcat 10.1 is a good
idea ...

Ok, so last option is TomEE community taking the lead on 10.0 branch, is
that an option if all the PR work is done?

Is the problem that you have customers actually using these APIs?

Or is the problem that you can't pass a TCK unless you have support for 
these ancient methods?

Most of that stuff was deprecated ages ago and just finally removed.

Why is it super important for you to get certified for Servlet 5 
specifically? Why not just get Jakarta EE 10 certified and move on? Any 
applications that would actually fail on Tomcat 10.1 + Migration Tool 
really really _really_ need to be updated to work properly. People have 
had 15 years to stop using that stuff.

Honestly, I think it would be much more worth you while to fork Tomcat 
10.1 and add-back the methods you need rather than trying to resurrect 
the 10.0 branch. There have been no commits on that branch for 2 years, 
and we've had something like ~24 releases of each other branch in the 
meantime. That includes performance improvements, security fixes, 
feature and stability improvements, etc.

Would it be as simple as providing your own replacements for deprecated 
classes/methods to pass the TCK? That seems far less onerous than 
bringing back zombie Tomcat 10.0.


To unsubscribe, e-mail:
For additional commands, e-mail:

[ANN] Apache Tomcat 10.1.20 Available

2024-03-25 Thread Christopher Schultz

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.20.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the /webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.

Apache Tomcat 10.1.20 is a bugfix and feature release. The notable 
changes compared to 10.1.19 include:

 - Fix regression when reloading TLS configuration and files.

 - When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string no
   the protocol are corrupted when restoring the request body.

 - Align error handling for Writer and OutputStream. Ensure use of
   either once the response has been recycled triggers a
   NullPointerException provided that discardFacades is configured with
   the default value of true.

Please refer to the change log for the complete list of changes:


Migration guides from Apache Tomcat 8.5.x and 9.0.x:


- The Apache Tomcat team

To unsubscribe, e-mail:
For additional commands, e-mail:

[ANN] Apache Tomcat 8.5.100 Available

2024-03-25 Thread Christopher Schultz

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.100.

*This will likely be the final release of Apache Tomcat 8.5. Please see 
the EOL notice linked at the end of this message.*

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 8.5.100 is a bugfix and feature release. The notable
changes compared to 8.5.99 include:

 - Fix regression when reloading TLS configuration and files.

 - When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string no
   the protocol are corrupted when restoring the request body.

 - Align error handling for Writer and OutputStream. Ensure use of
   either once the response has been recycled triggers a
   NullPointerException provided that discardFacades is configured with
   the default value of true.

Please refer to the change log for the complete list of changes:


Migration guides from Apache Tomcat 7.x and 8.0:

Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 
2024. For more information please visit


- The Apache Tomcat team

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE][RESULT] Release Apache Tomcat 10.1.20

2024-03-25 Thread Christopher Schultz


Apologies for the delay on closing the vote for this release.

The following votes were cast:

+1: schultz, remm, isapir, markt


+1: Romain Mannu-Bucau, Dimitris Soumis

There were no other votes, therefore the vote passes.

I will begin the release process shortly.


The proposed Apache Tomcat 10.1.20 release is now available for

The notable changes compared to 10.1.19 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
  authentication, ensure that neither the URI, the query string no
  the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
  once the response has been recycled triggers a NullPointerException
  provided that discardFacades is configured with the default value of

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be placed 
in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically 
convert them to Jakarta EE and copy them to the webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 10.1.20 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.20

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE][RESULT] Release Apache Tomcat 8.5.100

2024-03-25 Thread Christopher Schultz


Apologies for the delay on closing the vote for this release.

The following votes were cast:

+1: schultz, remm, isapir, markt


+1: Dimitris Soumis

There were no other votes, therefore the vote passes.

I will begin the release process shortly.


The proposed Apache Tomcat 8.5.100 release is now available for voting.

The notable changes compared to 8.5.99 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
  authentication, ensure that neither the URI, the query string no
  the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
  once the response has been recycled triggers a NullPointerException
  provided that discardFacades is configured with the default value of

Along with lots of other bug fixes and improvements.

For full details, see the changelog:

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 8.5.100 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.100 (stable)

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.

2024-03-25 Thread Christopher Schultz


On 3/25/24 10:21, Rémy Maucherat wrote:

On Mon, Mar 25, 2024 at 2:32 PM Christopher Schultz


On 3/22/24 11:39, Rémy Maucherat wrote:

On Fri, Mar 22, 2024 at 2:40 PM  wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
   new 988992ba2e Use server's ClassLoader instead of application's when 
loading XMLInputFactory.
988992ba2e is described below

commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
Author: Christopher Schultz 
AuthorDate: Fri Mar 22 09:37:08 2024 -0400

  Use server's ClassLoader instead of application's when loading 

It doesn't work because there's nothing corresponding to the
XMLInputFactory.class.getName() id. The default newFactory doesn't do
the same thing at all.

Ugh, sorry about that. Thanks for fixing it.

Setting the ContextClassLoader seems like the wrong approach. Isn't
there a ClassLoader parameter to getFactory for a reason?

Feel free to revert it if you don't like it.

Well, using the "obvious" solution didn't work, so ...

I didn't realize that the JRE classes would use 
Thread.currentClassLoader for anything. Does this actually achieve the 
goal of preventing an XMLInputFactory leak? I should probably ask the 


   java/org/apache/jasper/compiler/ | 3 ++-
   webapps/docs/changelog.xml| 5 +
   2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/jasper/compiler/ 
index bac9ade2ee..cf3b623104 100644
--- a/java/org/apache/jasper/compiler/
+++ b/java/org/apache/jasper/compiler/
@@ -35,7 +35,8 @@ class EncodingDetector {

   private static final XMLInputFactory XML_INPUT_FACTORY;
   static {
-XML_INPUT_FACTORY = XMLInputFactory.newInstance();

   private final String encoding;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 341c3a6596..0eca891322 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -179,6 +179,11 @@
   and the web application is deployed as a WAR file rather than an
   unpacked directory. (markt)
+Prevent the web application's ClassLoader from being pinned by the JSP
+compiler if an application uses a custom XMLInputFactory. Based upon a
+suggestion from Simon Niederberger. (schultz)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.

2024-03-25 Thread Christopher Schultz


On 3/22/24 11:39, Rémy Maucherat wrote:

On Fri, Mar 22, 2024 at 2:40 PM  wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new 988992ba2e Use server's ClassLoader instead of application's when 
loading XMLInputFactory.
988992ba2e is described below

commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
Author: Christopher Schultz 
AuthorDate: Fri Mar 22 09:37:08 2024 -0400

 Use server's ClassLoader instead of application's when loading 

It doesn't work because there's nothing corresponding to the
XMLInputFactory.class.getName() id. The default newFactory doesn't do
the same thing at all.

Ugh, sorry about that. Thanks for fixing it.

Setting the ContextClassLoader seems like the wrong approach. Isn't 
there a ClassLoader parameter to getFactory for a reason?



  java/org/apache/jasper/compiler/ | 3 ++-
  webapps/docs/changelog.xml| 5 +
  2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/jasper/compiler/ 
index bac9ade2ee..cf3b623104 100644
--- a/java/org/apache/jasper/compiler/
+++ b/java/org/apache/jasper/compiler/
@@ -35,7 +35,8 @@ class EncodingDetector {

  private static final XMLInputFactory XML_INPUT_FACTORY;
  static {
-XML_INPUT_FACTORY = XMLInputFactory.newInstance();

  private final String encoding;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 341c3a6596..0eca891322 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -179,6 +179,11 @@
  and the web application is deployed as a WAR file rather than an
  unpacked directory. (markt)

+Prevent the web application's ClassLoader from being pinned by the JSP
+compiler if an application uses a custom XMLInputFactory. Based upon a
+suggestion from Simon Niederberger. (schultz)

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: HTTP / 3 protocol updates

2024-03-25 Thread Christopher Schultz


On 3/24/24 11:30, Koteswararao Gundapaneni wrote:

When can I expect the update on the HTTP/3 protocol implementation?


RFC 9114  (June 2022) -

Not yet implemented by Apache Tomcat. (As of July 2022)

Why pick "July 2022" as an arbitrary date to be not-implemented-as-of 
instead of, say, TODAY?

(This reference doesn't seem relevant.)

h3 is not currently a priority for the Apache Tomcat team, for several 

1. Tomcat is very often used behind a reverse proxy, where persistent 
HTTP or h2 connections can be used to "solve" the 
connection-establishment "problem".

2. Java does not currently provide an implementation of h3. This means 
we either have to wait for Java to provide such an implementation or 
look to outside libraries such as Quiche. One of the goals of Tomcat is 
to have as few dependencies as possible, so using Quiche, etc. would be 
contrary to those goals.

3. OpenSSL currently does provide an implementation of h3 but it is very 
different than both the current implementation of TLS and also anything 
offered by Java (which does not yet exist).

This is a project run by a small group of volunteers, not a large 
company with many resources. We all have "day jobs" where we spend most 
of our time.

You've been making inquiries about becoming a committer on the project. 
One way to score a lot of points towards that might be to propose a 
working implementation of h3 that can be added to a currently-supported 
version of Tomcat. I would encourage you to work exclusively on the 11.x 
branch, as that is where most new functionality is added before being 
back-ported to the other stable branches.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Set context CL before calling XMLInputFactory.newFactory

2024-03-25 Thread Christopher Schultz


On 3/25/24 05:45, wrote:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new 510c71b009 Set context CL before calling XMLInputFactory.newFactory
510c71b009 is described below

commit 510c71b009085f94122bc18501d1981322846540
Author: remm 
AuthorDate: Mon Mar 25 10:45:28 2024 +0100

 Set context CL before calling XMLInputFactory.newFactory
 Passing the CL to XMLInputFactory.newFactory does not work because it

 needs an id (basically the concrete class to load).
 Try the context CL instead.
 The class is preloaded for previous Tomcat versions so it shouldn't be a
 security manager issue.

Ugh, sorry about that. Thanks for fixing it.

Setting the ContextClassLoader seems like the wrong approach. Isn't 
there a ClassLoader parameter to newFactory for a reason?


  java/org/apache/jasper/compiler/ | 11 +--
  1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/jasper/compiler/ 
index cf3b623104..fb7795ca16 100644
--- a/java/org/apache/jasper/compiler/
+++ b/java/org/apache/jasper/compiler/
@@ -35,8 +35,15 @@ class EncodingDetector {
  private static final XMLInputFactory XML_INPUT_FACTORY;

  static {
+ClassLoader oldCl = Thread.currentThread().getContextClassLoader();
+try {
+XML_INPUT_FACTORY = XMLInputFactory.newFactory();
+} finally {
+if (oldCl != null) {
  private final String encoding;

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Observability of virtual threads

2024-03-21 Thread Christopher Schultz


On 3/20/24 16:25, Romain Manni-Bucau wrote:

Chris, added some comments inline.

Le mer. 20 mars 2024 à 19:41, Christopher Schultz <> a écrit :


On 3/20/24 13:34, Romain Manni-Bucau wrote:

Thread dumps being dump of threads - literally os threads - and virtual
threads not being threads at all - they are runnables in a dedicated


pool - it is quite fair to not make them the same and have their


- pool - only in the thread dump but not themselves no?


If you take a thread dump today (with a "real" thread), you only get a
Java stack trace, you get no "native stack trace" or anything like that.
So from that perspective, the "thread" is really the instance of
java.lang.Thread which could just as easily be a Virtual Thread.

You also get no scheduling information, other than what the thread's
"priority" is... but you can't get any real-time data about where it
sits in the scheduling queue, etc.

Well, this does not work like that, as mentionned it is a ForkJoinPool so
not a plain queue - except the design which is not a 1 task = 1 position,
it has multiple queues - so the position in "the queue" does not give you
the information you are mentionned there.

I was using "scheduling queue" as an abstract idea, there. I know it's a 
work-stealing queue which is not straightforward to describe.

If you really care about monitoring this pool you can just
instrument java.lang.VirtualThread#DEFAULT_SCHEDULER (plain reflection
works good enough if you open this part but agents too).

This is Rainer's complaint (which I agree with): there are no standard 
-- available -- APIs for this kind of thing. Use of reflection for 
instrumentation is an anti-pattern IMHO.

The JRE team over the years has learned that instrumentation is a vital 
part of application monitoring and has done a really great job of 
exposing JRE internals through standard APIs. This one is a sore spot 
that really needs to be fixed.

I'm much less interested in what the "native thread" is doing _below_
the Java part. Presumably, it's always running
Thread.cpp::runTheJavaCode and that's not useful information to anybody.

Depends how you instrument/query it, while at code level it does not change
much things and you still get the thread stack context.

... unless you can't get a reference to the threads in the first place, 
which is what Rainer is saying.

For raw thread dumps you indeed need the new jcmd command
(Thread.dump_to_file) and I agree there is no real point to not let it go
in the plain jstack with a new toggle you can enable at need (but hopefully
not by default since we'll end up with undownloadable/too big dumps).

I don't know why this is any different or worse than taking a heap dump. 
Heap dumps have been available for decades and nobody says "OMG what 
will we do with a 16GiB heap dump?!" You only take a heap-dump when you 
NEED it, and the same is true for a thread dump. If you want a thread 
dump and your system can't log it all because you have 100M threads, 
well, then you have made some bad choices.

If there existed an API to query (virtual) threads, your application or 
some tool could examine the threads and only log those you care about. 
That would solve BOTH problems.

Ultimately using reflection and opening jdk.internal.vm package you can
also just use ThreadContainers.root() and iterate over children()/threads()
but not sure how portable it will be.

There is a negative effect there, before we were often decorating executors
(the Runnable to execute) to add before/after context and potentially track
threads there but it does not work anymore since threads are totally

If the Virtual Thread is not mounted on an OS thread, then it's
"suspended" or "blocked" or whatever-it-is. If it's on an OS thread, it
had better be running: that's the whole point of the scheme. (I suppose
it could be BLOCKED-yet-on-an-OS-thread -- one of the current problems
which hopefully will be less of a problem in the future, but I'd like to
ignore that for now).

I don't know what's wrong with having millions of threads, and still
being able to walk through them using existing APIs. Nobody walks
through threads for no good reason... if you want to see the threads,
you should be able to see the threads.

If I wanted to walk-through every instance of java.lang.String in a JVM
(¡millions of them!), then I should be able to do it even if (a) it's a
weird thing to do and (b) it will take a while. Well, I want to do it,
so let me do it(!).

If you have only one "real" Thread (e.g. the main thread) and everything
else is Virtual... when you ask for a thread dump or walk all the
threads, do you only see "main" and not the mounted-on-OS-threads
Virtual Threads? If the JVM were willing to consider Virtual Threads

Re: Observability of virtual threads

2024-03-20 Thread Christopher Schultz


On 3/20/24 13:34, Romain Manni-Bucau wrote:

Thread dumps being dump of threads - literally os threads - and virtual
threads not being threads at all - they are runnables in a dedicated thread
pool - it is quite fair to not make them the same and have their scheduler
- pool - only in the thread dump but not themselves no?


If you take a thread dump today (with a "real" thread), you only get a 
Java stack trace, you get no "native stack trace" or anything like that. 
So from that perspective, the "thread" is really the instance of 
java.lang.Thread which could just as easily be a Virtual Thread.

You also get no scheduling information, other than what the thread's 
"priority" is... but you can't get any real-time data about where it 
sits in the scheduling queue, etc.

I'm much less interested in what the "native thread" is doing _below_ 
the Java part. Presumably, it's always running 
Thread.cpp::runTheJavaCode and that's not useful information to anybody.

If the Virtual Thread is not mounted on an OS thread, then it's 
"suspended" or "blocked" or whatever-it-is. If it's on an OS thread, it 
had better be running: that's the whole point of the scheme. (I suppose 
it could be BLOCKED-yet-on-an-OS-thread -- one of the current problems 
which hopefully will be less of a problem in the future, but I'd like to 
ignore that for now).

I don't know what's wrong with having millions of threads, and still 
being able to walk through them using existing APIs. Nobody walks 
through threads for no good reason... if you want to see the threads, 
you should be able to see the threads.

If I wanted to walk-through every instance of java.lang.String in a JVM 
(¡millions of them!), then I should be able to do it even if (a) it's a 
weird thing to do and (b) it will take a while. Well, I want to do it, 
so let me do it(!).

If you have only one "real" Thread (e.g. the main thread) and everything 
else is Virtual... when you ask for a thread dump or walk all the 
threads, do you only see "main" and not the mounted-on-OS-threads 
Virtual Threads? If the JVM were willing to consider Virtual Threads 
"visible" and therefore dumpable, etc. through existing interfaces 
_while they were mounted on an OS thread_ I could almost agree that 
makes some sense. But if I have a unit of work not making any progress, 
I'm gonna want to be able to see that (Virtual) Thread in a thread dump 
or any other kind of analysis tool, including its stack trace.

Similarly to why threadlocal are not recommended for virtual thread this
would probably make an useless pressure on the JVM IMHO - why there is an
option to see it but it is mainly for debug purposes.
See virtual threads as continuations (suspendable/resumable "Runnable") in
a dedicated and not programmatically configurable nor selectable/proviable
thread pool, they are not in thread dumps and this doesnt bother you ;) -
ultimately if you want it you want all java objects to be monitored and in
the thread dump which would be weird - but I agree the semantic is

I'm not sure why ThreadLocals are not recommended for Virtual Threads. 
Honestly, the presence ThreadLocal is a gigantic hack for badly-written 
APIs but if you accept that fact, there doesn't seem to be anything 
really bad about it. It "doesn't make sense" for Virtual Threads because 
it's wasteful: you probably use something once or twice and don't get 
the benefit of it when the thread dies -- because you aren't supposed to 
use thread pools anymore. But it's no less wasteful and dumb than it was 
in the first place.

IIRC, Tomcat uses ThreadLocal to store date-formatting objects for 
access logs. That's a great use for ThreadLocal. If the threads are no 
longer pooled, it's "wasteful" in that we create and discard a 
SimpleDateFormat for every log, but what's the alternative? Use a shared 
SimpleDateFormat and synchronize across threads? Yuck. So it's up to 
Tomcat to decide if ThreadLocal makes sense in a Virtual Thread world.

(Honestly, we need to start using java.time. Now that Tomcat 8.5 no 
longer needs to be supported, we should look at our options for moving-on.)

 From my tests virtual threads do their job but they stay slower than a
proper reactive/async impl mainly due to the overhead they add *everywhere*
compare to reactive programming plus this single thread pool issue which
adds a lot of contention when all the app/lot of tasks is/are done using it
- vs bulkhead pattern for ex.
But if you come from a plain sync application it can be very interesting if
it stays compatible and you don't need to add throttling to control the
memory - often in the old style you throttle with the number of threads,
now you need a semaphore or alike.
Will not be a free lunch ;).

Agreed, free lunches never exist.


If an application exists that never bothered to convert to using 
non-blocking I/O but uses many threads, it could be very easily changed 
(slightly) to use Virtual Threads 

Re: Observability of virtual threads

2024-03-20 Thread Christopher Schultz


On 3/20/24 13:33, Rainer Jung wrote:

Am 20.03.24 um 18:17 schrieb Christopher Schultz:


Thanks for writing this up.

On 3/20/24 07:22, Rainer Jung wrote:
I wanted to share an observation and I hope the things are correct 
how I am describing them. Maybe things have already improved and I am 
not aware of it, hints welcome.

Part of JEP 425 (Project Loom, Java virtual threads) discusses how to 
handle observability of virtual threads from inside the JVM and tooling.

The final outcome is, that virtual threads are not included in the 
typical JVM APIs which one can use to observe threads, like 
enumerating them or accessing the stacks of individual threads. As a 
consequence, also jstack and "kill -QUIT" do not show virtual threads 
at all, not even when they are attached to a native thread and 
executing code.


There is one single method to help with observability of virtual threads,

which dumps a full thread dump to a file. Of course that is by no 
means appropriate, if you want to do a fine grained observation. At 
least you can choose to write a json structure instead of a hard to 
parse text format, but that's it.

Boy, that's a real miss from the JVM team. I'm surprised that they 
have overlooked this. I don't see a real reason that a Virtual Thread 
would be treated any differently than a regular thread.

The JEP hints at "since thre could be millions of virtual threads it 
makes no sense to support them in the existing JMX APIs". I don't by 
this extremely simplistic reasoning.


Furthermore, the "dump to file" method they provided does not contain 
any locking information you usually expect in a thread dump.


For instance I am often using a tool, that inspects our 
RequestProcessors to find long running requests and then retrieves 
the list of Java threads as ThreadInfo objects to find the one 
executing the request and finally retrieves the stack of that request 
from the JVM. Such an approach is no longer possible. Almost all of 
JMX does not show any info about virtual threads.

It also seems Tomcat no longer uses a pool when a connector is 
configured to use virtual threads. So there are no metrics like 
currentThreadCount or currentThreadsBusy.

When using virtual threads, the number of requests is the same as the 
number of threads, since each request -> new Virtual Thread though 
I think the request-count is only incremented when the request has 
completed, so maybe there are threads running that can't be counted 

But I understand that you were hoping to get some information about 
these threads and though maybe Tomcat's metrics could help. I guess 
not really.

But thread-busy count is the same as in-flight-request count. And 
current thread count is the same as in-flight-request count as well.

I guess this also limits the use of some manager features and 
probably also the StuckThreadsDetectionValve when combined with 
virtual threads.

Most likely. I'm fairly sure that uses the "usual Thread-walker 
things" which you are reporting do not work any more with VTs.

What JVM are you using for your investigations?

Zulu 21, but I expect the other OpenJDK variants to behave the same way. 
It mostly comes out of the JEP.

Of course Tomcat has solved most of the problems, that virtual 
threads want to solve, by doing the hard work of using the NIO and 
NIO2 APIs. So virtual threads are probably not that important for us. 
But we should be aware of the observability deficiencies whenever we 
would discuss whether we could switch from NIO or NIO2 to virtual 
threads to simplify connector code in some distant future.


I've been enthusiastically talking with markt about dropping all that 
nasty NIO stuff and "going back to BIO with virtual threads" which, at 
this point, is mostly a threat and not a promise. But if VTs really 
deliver everything they are claiming to deliver, then it may be 
possible to go back to BIO as long as servlet-async is retired. And 
I'm not holding my breath on that one.

There was an interesting talk at FOSDEM about the current limitations of 
the virtual thread implementation. They have several situations where 
they switch over to blocking. I think for instance file I/O and also 
some types of locks they can not yet handle well.

Yes, these are known issues. Specifically, synchronized blocks and 
virtual threads don't play well together, which is why Tomcat recently 
converted many synchronized { ... } to use ReentrantLocks, which DO work 
with (today's) VTs.

They have some improvements in the pipeline, but I think one would at 
least wait for those. And hopefully they improve the observability in 
the meantime.


I wish I had known this type 

Re: [VOTE] Release Apache Tomcat 10.1.20

2024-03-20 Thread Christopher Schultz


On 3/20/24 09:09, Dimitris Soumis wrote:

+1 All tests pass on Fedora 38 with Java 21, tcnative-2.0.7, openssl-3.0.13.

(Just to mention that testing failed when running for the first time.
Crashed when running
Running again had no issues.)

If you can get it to fail again, please post the failure here so we can 

We have found and fixed some timing issues when this exact thing happens 
to a tester.


On Tue, Mar 19, 2024 at 4:04 PM Christopher Schultz <> wrote:

The proposed Apache Tomcat 10.1.20 release is now available for

The notable changes compared to 10.1.19 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string no
the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
once the response has been recycled triggers a NullPointerException
provided that discardFacades is configured with the default value of

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 10.1.20 release is:
[ ] Broken - do not release
[X ] Stable - go ahead and release as 10.1.20

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Observability of virtual threads

2024-03-20 Thread Christopher Schultz


Thanks for writing this up.

On 3/20/24 07:22, Rainer Jung wrote:
I wanted to share an observation and I hope the things are correct how I 
am describing them. Maybe things have already improved and I am not 
aware of it, hints welcome.

Part of JEP 425 (Project Loom, Java virtual threads) discusses how to 
handle observability of virtual threads from inside the JVM and tooling.

The final outcome is, that virtual threads are not included in the 
typical JVM APIs which one can use to observe threads, like enumerating 
them or accessing the stacks of individual threads. As a consequence, 
also jstack and "kill -QUIT" do not show virtual threads at all, not 
even when they are attached to a native thread and executing code.


There is one single method to help with observability of virtual threads,

which dumps a full thread dump to a file. Of course that is by no means 
appropriate, if you want to do a fine grained observation. At least you 
can choose to write a json structure instead of a hard to parse text 
format, but that's it.

Boy, that's a real miss from the JVM team. I'm surprised that they have 
overlooked this. I don't see a real reason that a Virtual Thread would 
be treated any differently than a regular thread.

For instance I am often using a tool, that inspects our 
RequestProcessors to find long running requests and then retrieves the 
list of Java threads as ThreadInfo objects to find the one executing the 
request and finally retrieves the stack of that request from the JVM. 
Such an approach is no longer possible. Almost all of JMX does not show 
any info about virtual threads.

It also seems Tomcat no longer uses a pool when a connector is 
configured to use virtual threads. So there are no metrics like 
currentThreadCount or currentThreadsBusy.

When using virtual threads, the number of requests is the same as the 
number of threads, since each request -> new Virtual Thread though I 
think the request-count is only incremented when the request has 
completed, so maybe there are threads running that can't be counted (yet).

But I understand that you were hoping to get some information about 
these threads and though maybe Tomcat's metrics could help. I guess not 

But thread-busy count is the same as in-flight-request count. And 
current thread count is the same as in-flight-request count as well.

I guess this also limits the use of some manager features and probably 
also the StuckThreadsDetectionValve when combined with virtual threads.

Most likely. I'm fairly sure that uses the "usual Thread-walker things" 
which you are reporting do not work any more with VTs.

What JVM are you using for your investigations?

Of course Tomcat has solved most of the problems, that virtual threads 
want to solve, by doing the hard work of using the NIO and NIO2 APIs. So 
virtual threads are probably not that important for us. But we should be 
aware of the observability deficiencies whenever we would discuss 
whether we could switch from NIO or NIO2 to virtual threads to simplify 
connector code in some distant future.


I've been enthusiastically talking with markt about dropping all that 
nasty NIO stuff and "going back to BIO with virtual threads" which, at 
this point, is mostly a threat and not a promise. But if VTs really 
deliver everything they are claiming to deliver, then it may be possible 
to go back to BIO as long as servlet-async is retired. And I'm not 
holding my breath on that one.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 8.5.100

2024-03-19 Thread Christopher Schultz


On 3/19/24 13:50, Mcalexander, Jon J. wrote:

I know I'm not a tester, however is 8.5.100 relevant knowing that
8.5x is EOL at the end of the month?
That is correct. I expect this will be the final 8.5.x release unless 
something awful happens in the near future.

I'd be happy to have any member of this community (and you are such if 
you are reading this post) do any kind of testing they deem useful for a 
Tomcat release.

Feel free to run the unit tests (ant test) in your environment and 
report the results. Run your own application using this 
release-candidate and let us know if anything isn't working as expected. 
Or use the "verify-release" to keep us honest. Any of those things are 
helpful to any release manager.


-Original Message-----
From: Christopher Schultz 
Sent: Tuesday, March 19, 2024 11:09 AM
To: Tomcat Developers List 
Subject: Re: [VOTE] Release Apache Tomcat 8.5.100


On 3/19/24 10:23, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.100 release is now available for voting.

The notable changes compared to 8.5.99 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
    authentication, ensure that neither the URI, the query string no
    the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of
    once the response has been recycled triggers a NullPointerException
    provided that discardFacades is configured with the default value

Along with lots of other bug fixes and improvements.

For full details, see the changelog:





It can be obtained from:




The Maven staging repo is:





The tag is:



The proposed 8.5.100 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.100 (stable)

+1 for stable release.

The build is 100% reproducible and the unit tests pass[1] including APR on
MacOS x86-64. Works on a vanilla servlet-based application in a development

[1] The unit tests that fail do so due to a class format error arising from the
combination of the Eclipse compiler, the version of Java, etc.
and can be ignored.

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  OS:  Darwin 21.6.0 x86_64
*  cc:  Apple clang version 12.0.0 (clang-1200.0.31.1)
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23
Nov 2023)
*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-8.5.100.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.100.exe
* Valid GPG signature for apache-tomcat-8.5.100.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-8.5.100-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
* Tests that failed:
* org.apache.catalina.mapper.TestMapperWebapps.APR.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO2.txt

Unit tests also pass on Linux x86-64. Details:

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime
Environment (build 17.0.10+7-Debian-1deb12u1) OpenJDK 64-Bit Server VM
(build 17.0.10+7-Debian-1deb

Re: [VOTE] Release Apache Tomcat 8.5.100

2024-03-19 Thread Christopher Schultz


On 3/19/24 10:23, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.100 release is now available for voting.

The notable changes compared to 8.5.99 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string no
   the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
   once the response has been recycled triggers a NullPointerException
   provided that discardFacades is configured with the default value of

Along with lots of other bug fixes and improvements.

For full details, see the changelog:

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 8.5.100 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.100 (stable)

+1 for stable release.

The build is 100% reproducible and the unit tests pass[1] including APR 
on MacOS x86-64. Works on a vanilla servlet-based application in a 
development environment.

[1] The unit tests that fail do so due to a class format error arising 
from the combination of the Eclipse compiler, the version of Java, etc. 
and can be ignored.

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)

*  OS:  Darwin 21.6.0 x86_64
*  cc:  Apple clang version 12.0.0 (clang-1200.0.31.1)
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-8.5.100.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.100.exe
* Valid GPG signature for apache-tomcat-8.5.100.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-8.5.100-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
* Tests that failed:
* org.apache.catalina.mapper.TestMapperWebapps.APR.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO2.txt

Unit tests also pass on Linux x86-64. Details:

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment (build 17.0.10+7-Debian-1deb12u1) OpenJDK 64-Bit Server VM 
(build 17.0.10+7-Debian-1deb12u1, mixed mode, sharing)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment (build 17.0.10+7-Debian-1deb12u1) OpenJDK 64-Bit Server VM 
(build 17.0.10+7-Debian-1deb12u1, mixed mode, sharing)

*  OS:  Linux 6.1.0-12-amd64 x86_64
*  cc:  cc (Debian 12.2.0-14) 12.2.0
*  make:GNU Make 4.3
*  OpenSSL:   OpenSSL 1.1.1 11 Sep 2018
*  APR: 1.7.2
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-8.5.100.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.100.exe
* Valid GPG signature for apache-tomcat-8.5.100.exe
* Valid Windows Digital Signature for apache-tomcat-8.5.100.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-8.5.100-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.100-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
* Tests that failed:
* org.apache.catalina.mapper.TestMapperWebapps.APR.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO.txt
* org.apache.catalina.mapper.TestMapperWebapps.NIO2.txt

To unsubscribe, e-mail: dev-unsubscr...@tomc

[VOTE] Release Apache Tomcat 8.5.100

2024-03-19 Thread Christopher Schultz

The proposed Apache Tomcat 8.5.100 release is now available for voting.

The notable changes compared to 8.5.99 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
  authentication, ensure that neither the URI, the query string no
  the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
  once the response has been recycled triggers a NullPointerException
  provided that discardFacades is configured with the default value of

Along with lots of other bug fixes and improvements.

For full details, see the changelog:

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 8.5.100 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.100 (stable)

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 10.1.20

2024-03-19 Thread Christopher Schultz


On 3/19/24 09:52, Christopher Schultz wrote:

The proposed Apache Tomcat 10.1.20 release is now available for

The notable changes compared to 10.1.19 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string no
   the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
   once the response has been recycled triggers a NullPointerException
   provided that discardFacades is configured with the default value of

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 10.1.20 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.20

+1 for stable release

The build is 100% reproducible and the unit tests pass on MacOS x86-64.

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)

*  OS:  Darwin 21.6.0 x86_64
*  cc:  Apple clang version 12.0.0 (clang-1200.0.31.1)
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-10.1.20.tar.gz
* Valid GPG signature for apache-tomcat-10.1.20.tar.gz
* Valid SHA-512 signature for apache-tomcat-10.1.20.exe
* Valid GPG signature for apache-tomcat-10.1.20.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-10.1.20-src.tar.gz
* Valid GPG signature for apache-tomcat-10.1.20-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

[VOTE] Release Apache Tomcat 10.1.20

2024-03-19 Thread Christopher Schultz

The proposed Apache Tomcat 10.1.20 release is now available for

The notable changes compared to 10.1.19 are:

- Fix regression when reloading TLS configuration and files.

- When restoring a saved POST request after a successful FORM
  authentication, ensure that neither the URI, the query string no
  the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
  once the response has been recycled triggers a NullPointerException
  provided that discardFacades is configured with the default value of

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 10.1.20 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.1.20

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [PR] Unify comma-separated-value code and optimize the implementation [tomcat]

2024-03-15 Thread Christopher Schultz


On 3/15/24 13:27, markt-asf (via GitHub) wrote:

markt-asf commented on code in PR #707:

@@ -966,7 +967,7 @@ private String[] getCipherSuitesArray() {
  this.cipherSuitesArray = null;
  } else {
-this.cipherSuitesArray = cipherSuites.trim().split("\\s*,\\s*");
+this.cipherSuitesArray = 
  if (containerLog.isTraceEnabled()) {

Review Comment:
Is this trim necessary here? I know it was there before but it looks 

Looking back, it does make sense to remove this. I was thinking that as 
I wrote it, but the trim was technically necessary before the change 
from regex to split-then-trim.

I'll shave off this sharp edge.

@@ -94,4 +94,28 @@ public static  void join(Iterable iterable, char 
separator, Function

Checkstyle was happy enough. :)

I'll get that corrected.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 02/02: Add checking for the age of the Tomcat version running and warn if it's getting old.

2024-03-15 Thread Christopher Schultz

Mark and Rémy,

On 3/13/24 10:53, Mark Thomas wrote:

On 13/03/2024 14:38, Rémy Maucherat wrote:


1. A longer default nag-duration

That's a good start. If it is meant to be enabled by default, I would
like a value that is long enough so that it is almost certain there's
an issue. 2 years ?


2. Add an explicit "disable" (e.g. -1)

I was thinking yes to this and setting it to -1 by default.

3. Disable the feature by default

4. Remove this feature entirely

The target for this was really 8.5 which will immediately go
out-of-support once 8.5.100 is released. So really the default for
8.5.100 should be "nag immediately", but we can't expect that anybody
really uses the out-of-the-box server.xml without any customizations, so
specifically setting the duration to some small number of days in
server.xml isn't going to have any effect.

The more I think about this the more I wonder if some further tweaks are 

This check only runs at startup. There are some (very) long running 
Tomcat instances out there. Is on startup enough? Should this check be 
periodic? If yes, how periodic? Once a day? Probably whatever frequency 
we went for with the TLS reload warnings would be about right.

I'm going to make these changes immediately:

1. Implement -1 = disabled

2. Set default to -1 instead of 180 for main/10.1/9

3. Set default to 180 for 8.5.x

It would be "easy" to configure this for periodic checking, but I'm not 
going to do that quite yet.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Plans for 10.1.x and 8.5.x release?

2024-03-15 Thread Christopher Schultz


On 3/15/24 07:52, Mark Thomas wrote:
Just wondering what your thinking was for the March releases of 10.1.x 
and 8.5.x

I definitely want to make the changes discussed on dev@ for the Tomcat 
age-nagging, plus one more thing to round-off before cutting

I was planning to do both releases at the same time, which is why I 
haven't done either, yet.

I could have a release build by the end of the day, I'd imagine.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Requesting as I had been agreed to commit from a contributor role

2024-03-14 Thread Christopher Schultz


On 3/14/24 14:21, Mark Thomas wrote:

On 14/03/2024 13:43, koteswara Rao Gundapaneni wrote:

On Thu, 14 Mar 2024, 00:28 koteswara Rao Gundapaneni,>> wrote:

    HI Tomcat PMC,

    Please ensure I had showing my interest as a committer as I have
    been passed my contribution status from a range of having said
    that few contributions

Simply saying I have been showing my interest to work as committer

Please approve my icla

There is nothing to approve. You submitted your ICLA. It has been filed 
by the ASF secretary.

I'll note that:
- no-one asked you to file an ICLA
- there was no need for you to file an ICLA
- the only thing filing an ICLA achieved was wasting the precious
   resource of volunteer time

I *strongly* urge you to read the advice (including the references to 
how the ASF works) you have been given on and off list, stop wasting 
precious volunteer time and think very carefully before you post 
anything else to a Tomcat mailing list.

Definitely read ASF How It Works, specifically the section on 
Meritocracy[1]. You cannot simply ask to become a committer on a 
project. Instead, you have to demonstrate to the existing project 
participants that you *deserve* to be /invited/ as a committer.

So far, the weird series of PRs and emails you have sent are not making 
you look good.

I'm not trying to be mean. I'm trying to be honest and use simple language.



To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 02/02: Add checking for the age of the Tomcat version running and warn if it's getting old.

2024-03-13 Thread Christopher Schultz


On 3/12/24 12:05, Rémy Maucherat wrote:

On Tue, Mar 12, 2024 at 3:02 PM Christopher Schultz


On 3/12/24 05:00, Mark Thomas wrote:

On 11/03/2024 21:38, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

commit 3ab883aa746a5c577efa39d9080858e53ca77da6
Author: Christopher Schultz 
AuthorDate: Mon Mar 11 17:38:01 2024 -0400

  Add checking for the age of the Tomcat version running and warn
if it's getting old.

How do I disable this check if I don't want to use it? I'd expect
something like set it to "-1".

I could add a special case for "disable" or you could set it to a very
high value.

If your Tomcat installation is still running in 32768 days, you
certainly won't give a damn if it starts issuing warnings.

I don't like this either. It might get me into real trouble with my
downstream, actually.

Unless there's a security issue, I think people don't really really
have to upgrade working production systems that often. For example,
between 9.0.62 and 9.0.71, no CVEs above low. And even if there was
most often a user will not be affected. Upgrading costs testing and
resources, so ...

I'm not advocating that users should never upgrade, but building in a
nag by default is not great. Esp 6 months. By the time things are
upgraded they will start nagging again the next day pretty much. Then
a warn log about security often cannot be simply ignored.

Okay. Are you suggestion any of the following?

1. A longer default nag-duration

2. Add an explicit "disable" (e.g. -1)

3. Disable the feature by default

4. Remove this feature entirely

The target for this was really 8.5 which will immediately go 
out-of-support once 8.5.100 is released. So really the default for 
8.5.100 should be "nag immediately", but we can't expect that anybody 
really uses the out-of-the-box server.xml without any customizations, so 
specifically setting the duration to some small number of days in 
server.xml isn't going to have any effect.

That's why I made it "on by default".

Another option would be:

5. Change the behavior between 8.5 and the other branches. 8.5 could 
have this on-by-default while the others do not. We might make it a 
policy to "change to on-by-default around EOL time" so that most people 
will not change the configuration from the default, but then the default 
changes for the final release(s) in a branch.

In terms of "you only need to upgrade if there are CVEs"... that would 
be a very difficult policy for us to manage, because any release we know 
has any CVEs would be released before we knew it had them. Any new 
release with fixes cannot announce to the old releases that they need to 
be upgraded.

My goal was to improve security for those who are unlikely to be paying 
attention to announce@tomcat or using any of the publicly (and 
non-publicly) available bug trackers and services to ensure they aren't 
running vulnerable versions of Tomcat.

We often release fixes without announcing them until long after the 
fact, which means that any new release could conceivably be a "security 
release". You (downstream) won't know until later whether or not you 
should have upgraded. So the best advice is to upgrade as often as it is 
convenient for you to do so. This is simply a reminder to do it.

Since we have releases roughly every month, I figured that 
every-6-months would be a good cadence. And it can always be configured 
to shut up "forever" if necessary.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 9.0.87

2024-03-12 Thread Christopher Schultz


Thank for RMing.

On 3/11/24 07:09, Rémy Maucherat wrote:

The proposed Apache Tomcat 9.0.87 release is now available for voting.

The notable changes compared to 9.0.86 are:

- When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor
the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
once the response has been recycled triggers a NullPointerException
provided that discardFacades is configured with the default value of

- The standard thread pool implementations that are
configured using the Executor element now implement
ExecutorService for better support of NIO2 or others.

For full details, see the changelog:

It can be obtained from:
The Maven staging repo is:
The tag is:

The proposed 9.0.87 release is:
[ ] -1, Broken - do not release
[ ] +1, Stable - go ahead and release as 9.0.87

+1 for stable release.

Works with a vanilla servlet-based application in a development environment.

Unit tests pass on arm64 MacOS. The build is reproducible except for the 
fulldocs package which is missing specific file content due to a JDK bug.

* Environment
*  Java (build):openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Java (test): openjdk version "17.0.10" 2024-01-16 OpenJDK Runtime 
Environment Temurin-17.0.10+7 (build 17.0.10+7) OpenJDK 64-Bit Server VM 
Temurin-17.0.10+7 (build 17.0.10+7, mixed mode)
*  Ant: Apache Ant(TM) version 1.10.14 compiled on August 16 

*  OS:  Darwin 23.3.0 arm64
*  cc:  Apple clang version 15.0.0 (clang-1500.
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-9.0.87.tar.gz
* Valid GPG signature for apache-tomcat-9.0.87.tar.gz
* Valid SHA-512 signature for apache-tomcat-9.0.87.exe
* Valid GPG signature for apache-tomcat-9.0.87.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-9.0.87-src.tar.gz
* Valid GPG signature for apache-tomcat-9.0.87-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: [VOTE] Release Apache Tomcat 11.0.0-M18

2024-03-12 Thread Christopher Schultz


Thanks for RMing

On 3/9/24 1:52 PM, Mark Thomas wrote:

The proposed Apache Tomcat 11.0.0-M18 release is now available for

Apache Tomcat 11.0.0-M18 is a milestone release of the 11.0.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 11.0.x so that they may provide feedback. The notable 
changes compared to the previous milestone include:

- Reduce minimum Java version to Java 17

- When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string no
   the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
   once the response has been recycled triggers a NullPointerException
   provided that discardFacades is configured with the default value of

For full details, see the change log:

Applications that run on Tomcat 9 and earlier will not run on Tomcat 11 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. Applications using deprecated APIs may require 
further changes.

It can be obtained from:

The Maven staging repo is:

The tag is:

The proposed 11.0.0-M18 release is:
[ ] -1 Broken - do not release
[ ] +1 Alpha  - go ahead and release as 11.0.0-M18

+1 for alpha release.

Unit tests pass on x86-64 MacOS. The build is reproducible except for 
the fulldocs package which is missing specific file content due to a JDK 


* Environment
*  Java (build):openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment (build 22+35-2369) OpenJDK 64-Bit Server VM (build 
22+35-2369, mixed mode, sharing)
*  Java (test): openjdk version "22" 2024-03-19 OpenJDK Runtime 
Environment (build 22+35-2369) OpenJDK 64-Bit Server VM (build 
22+35-2369, mixed mode, sharing)

*  OS:  Darwin 21.6.0 x86_64
*  cc:  Apple clang version 12.0.0 (clang-1200.0.31.1)
*  make:GNU Make 3.81
*  OpenSSL:   OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 
Nov 2023)

*  APR: 1.7.4
* Valid SHA-512 signature for
* Valid GPG signature for
* Valid SHA-512 signature for apache-tomcat-11.0.0-M18.tar.gz
* Valid GPG signature for apache-tomcat-11.0.0-M18.tar.gz
* Valid SHA-512 signature for apache-tomcat-11.0.0-M18.exe
* Valid GPG signature for apache-tomcat-11.0.0-M18.exe
* Valid SHA512 signature for
* Valid GPG signature for
* Valid SHA512 signature for apache-tomcat-11.0.0-M18-src.tar.gz
* Valid GPG signature for apache-tomcat-11.0.0-M18-src.tar.gz
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 02/02: Add checking for the age of the Tomcat version running and warn if it's getting old.

2024-03-12 Thread Christopher Schultz


On 3/12/24 05:00, Mark Thomas wrote:

On 11/03/2024 21:38, wrote:

This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch main
in repository

commit 3ab883aa746a5c577efa39d9080858e53ca77da6
Author: Christopher Schultz 
AuthorDate: Mon Mar 11 17:38:01 2024 -0400

 Add checking for the age of the Tomcat version running and warn 
if it's getting old.

How do I disable this check if I don't want to use it? I'd expect 
something like set it to "-1".

I could add a special case for "disable" or you could set it to a very 
high value.

If your Tomcat installation is still running in 32768 days, you 
certainly won't give a damn if it starts issuing warnings.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) branch main updated: Add new valveSkip flag, also fix no rewrite rule match

2024-03-08 Thread Christopher Schultz


On 3/8/24 09:46, wrote:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository

The following commit(s) were added to refs/heads/main by this push:
  new 7a3bbc6e30 Add new valveSkip flag, also fix no rewrite rule match
7a3bbc6e30 is described below

commit 7a3bbc6e300ced35268fe1c46c90f6b5c752dc5c
Author: remm 
AuthorDate: Fri Mar 8 15:46:04 2024 +0100

 Add new valveSkip flag, also fix no rewrite rule match
 This allows skipping the next valve in the Catalina pipeline, for

 conditional execution. This was inspired by BZ 60997, which the rewrite
 valve can do (set the rewrite valve, then set the semaphore valve next;
 if match then the semaphore is skipped).
 Also notice major issue where rewrite is considered to have occurred
 when the output is identical but equals return false due to type
  .../apache/catalina/valves/rewrite/  | 14 ++
  .../apache/catalina/valves/rewrite/ | 20 ++--
  .../catalina/valves/rewrite/| 18 ++
  webapps/docs/changelog.xml   |  9 +
  webapps/docs/rewrite.xml | 11 +++
  5 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/valves/rewrite/ 
index e4466d525b..269eedab7f 100644
--- a/java/org/apache/catalina/valves/rewrite/
+++ b/java/org/apache/catalina/valves/rewrite/
@@ -335,6 +335,11 @@ public class RewriteRule {
  protected boolean type = false;
  protected String typeValue = null;

+ * Allows skipping the next valve in the Catalina pipeline.
+ */
+protected boolean valveSkip = false;

Maybe "skipNextValve"? "valveSkip" isn't super descriptive.

Same with accessor/mutator.

Same for ValveSkip/VS flag name? Maybe SNV? SkipNextValve?


  public boolean isEscapeBackReferences() {
  return escapeBackReferences;
@@ -560,4 +565,13 @@ public class RewriteRule {
  public void setCookieHttpOnly(boolean cookieHttpOnly) {
  this.cookieHttpOnly = cookieHttpOnly;
+public boolean isValveSkip() {
+return this.valveSkip;
+public void setValveSkip(boolean valveSkip) {
+this.valveSkip = valveSkip;
diff --git a/java/org/apache/catalina/valves/rewrite/ 
index 492d45e26d..d15210621d 100644
--- a/java/org/apache/catalina/valves/rewrite/
+++ b/java/org/apache/catalina/valves/rewrite/
@@ -38,6 +38,7 @@ import org.apache.catalina.Context;
  import org.apache.catalina.Lifecycle;
  import org.apache.catalina.LifecycleException;
  import org.apache.catalina.Pipeline;
+import org.apache.catalina.Valve;
  import org.apache.catalina.connector.Connector;
  import org.apache.catalina.connector.Request;
  import org.apache.catalina.connector.Response;
@@ -319,11 +320,12 @@ public class RewriteValve extends ValveBase {
  boolean done = false;
  boolean qsa = false;
  boolean qsd = false;
+boolean valveSkip = false;
  for (int i = 0; i < rules.length; i++) {
  RewriteRule rule = rules[i];
  CharSequence test = (rule.isHost()) ? host : urlDecoded;
  CharSequence newtest = rule.evaluate(test, resolver);
-if (newtest != null && !test.equals(newtest.toString())) {
+if (newtest != null && 
!test.toString().equals(newtest.toString())) {
  if (containerLog.isTraceEnabled()) {
  containerLog.trace("Rewrote " + test + " as " + 
  + " with rule pattern " + 
@@ -345,6 +347,10 @@ public class RewriteValve extends ValveBase {
  qsd = true;
+if (!valveSkip && newtest != null && rule.isValveSkip()) {

+valveSkip = true;
  // Final reply
  // - forbidden

@@ -543,7 +549,15 @@ public class RewriteValve extends ValveBase {
  pipeline.getFirst().invoke(request, response);
  } else {
-getNext().invoke(request, response);
+Valve next = getNext();
+if (valveSkip) {
+next = next.getNext();
+if (next == null) {
+// Ignore and invoke the next valve normally
+next = getNext();

Re: Planning for

2024-03-07 Thread Christopher Schultz


On 3/6/24 08:54, Christopher Schultz wrote:


I was wondering if anyone had any thoughts on adding anything to (likely .100) to indicate that the build was the last in the 
series. Of course, we will advertise EOL on the web site, etc. but I was 
thinking something more runtime-oriented.

Would it be okay to add an INFO log on startup that says "8.5.x has 
reached EOL and you should consider upgrading to 9.0 or later. Bug fixes 
including security fixes are unlikely to be released for 8.5.x after 

Perhaps that's too annoying?

I'm even thinking that we might want to bake this kind of thing into all 
releases. Every release knows its release-date, and we could have a 
start message that warns the user whenever the release-date gets to be 
reasonably far in the past. Say, 6 months. Or a year. Something 
"reasonable". Just in case nobody bothers to upgrade to to see 
this kind of message.

Any thoughts?

Mark Thomas and I discussed this last night over dinner while he was in 
town. I can't tell you how mice it is to get together with people from 
this community in-person. I hope I can meet some of you in Bratislava if 

In general, this seems like a Good Idea but it needs a little bit of tuning.

My plan is to work on a PR that looks something like this:

1. It will be a feature of the SecurityListener
2. It will simply log a WARN message once the release gets to be 
"somewhat old"

3. It will be tunable, at least slightly
4. It should not act oddly in development environments


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: (tomcat) 03/03: Add new suspendWrappedResponseAfterForward

2024-03-06 Thread Christopher Schultz


On 3/6/24 09:02, wrote:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository

commit 6f85b32c545539f36266ef83218d85c9656ae6a9
Author: remm 
AuthorDate: Wed Mar 6 11:44:14 2024 +0100

 Add new suspendWrappedResponseAfterForward
 This allow configuring the suspend after forward unwrapping.

  java/org/apache/catalina/   | 17 +
  .../org/apache/catalina/core/ |  3 ++-
  java/org/apache/catalina/core/  | 14 ++
  java/org/apache/catalina/startup/ |  9 +
  test/org/apache/tomcat/unittest/  |  5 +
  webapps/docs/changelog.xml  |  5 -
  webapps/docs/config/context.xml |  7 +++
  7 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/ 
index fb50454dcc..2f66fb46c5 100644
--- a/java/org/apache/catalina/
+++ b/java/org/apache/catalina/
@@ -1994,6 +1994,23 @@ public interface Context extends Container, ContextBind {
  void setDispatcherWrapsSameObject(boolean dispatcherWrapsSameObject);

+ * If this is true, then following a forward the response will
+ * be unwrapped to suspend the Catalina response instead of simply closing
+ * the top level response. The default value is true.
+ * @return the flag value
+ */
+boolean getSuspendWrappedResponseAfterForward();
+ * Allows unwrapping the response object to suspend the response following
+ * a forward.
+ * @param suspendWrappedResponseAfterForward the new flag value
+ */
+void setSuspendWrappedResponseAfterForward(boolean 
   * Find configuration file with the specified path, first looking into the
   * webapp resources, then delegating to
diff --git a/java/org/apache/catalina/core/ 
index eff85041f6..abb7b2fe4d 100644
--- a/java/org/apache/catalina/core/
+++ b/java/org/apache/catalina/core/
@@ -355,7 +355,8 @@ final class ApplicationDispatcher implements 
AsyncDispatcher, RequestDispatcher
  if (response instanceof ResponseFacade) {
  finished = true;
  ((ResponseFacade) response).finish();
-} else if (response instanceof ServletResponseWrapper) {
+} else if (context.getSuspendWrappedResponseAfterForward()
+&& response instanceof ServletResponseWrapper) {
  ServletResponse baseResponse = response;
  do {
  baseResponse = ((ServletResponseWrapper) 
diff --git a/java/org/apache/catalina/core/ 
index 698dadf132..4f13b69a3f 100644
--- a/java/org/apache/catalina/core/
+++ b/java/org/apache/catalina/core/
@@ -798,6 +798,8 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat
  private boolean dispatcherWrapsSameObject = Globals.STRICT_SERVLET_COMPLIANCE;
+private boolean suspendWrappedResponseAfterForward = false;

  private boolean parallelAnnotationScanning = false;
  private boolean useBloomFilterForArchives = false;

@@ -881,6 +883,18 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat

+public boolean getSuspendWrappedResponseAfterForward() {
+return suspendWrappedResponseAfterForward;
+public void setSuspendWrappedResponseAfterForward(boolean 
suspendWrappedResponseAfterForward) {
+this.suspendWrappedResponseAfterForward = 
  public String getRequestCharacterEncoding() {
  return requestEncoding;
diff --git a/java/org/apache/catalina/startup/ 
index eb249a1d16..6ca2063a46 100644
--- a/java/org/apache/catalina/startup/
+++ b/java/org/apache/catalina/startup/
@@ -1425,4 +1425,13 @@ public class FailedContext extends LifecycleMBeanBase 
implements Context {
  public void setUseBloomFilterForArchives(boolean 
useBloomFilterForArchives) {

+public boolean getSuspendWrappedResponseAfterForward() {
+return false;
+public void setSuspendWrappedResponseAfterForward(boolean 
suspendWrappedResponseAfterForward) {
\ No newline at end of file
diff --git 

Re: March releases

2024-03-06 Thread Christopher Schultz


On 3/5/24 07:18, Mark Thomas wrote:

On 27/02/2024 09:29, Christopher Schultz wrote:


On 2/27/24 06:20, Mark Thomas wrote:

On 27/02/2024 10:57, Rémy Maucherat wrote:

On Tue, Feb 27, 2024 at 10:12 AM Mark Thomas  wrote:


When I look at the current change logs there isn't much there to 

a March release. There are a couple of open bugs of which one looks
likely that there is an actual issue to be fixed.

That said, I'm unlikely to be in a position to tag 11.0.x until w/c 11
March. The change log may look different at that point.

It is probably too early to make a decision but I wanted to float the
possibility of skipping the March release. That would mean we'd 

need to make the final 8.5.x release in April.

We don't need to always release all branches every time.

Good point.

For example, 11 already has two useful fixes right now: support for
Java 17 (one could want to verify it), then the FFM fix I made (using
the wrong loader in one location means it simply breaks depending on
how OpenSSL is loaded, so that's bad). But these two are not in the
other branches.

Ack. Those are good reasons for an 11.0.x release.

I just checked the dependencies - there are no updates at the moment.

As for a final 8.5, I would say it is not mandatory if there's nothing
useful in the changelog by the end of March. There's always going to
be a final final fix needed anyway. I started skipping some backports
to 8.5 since "regressions, who knows".

I was just thinking .100 was a nice point release to end on ;)

Yeah, me too ;)

I think we should release 8.5.100 in March, if only to meet our own 
goal of "ending support at the end of March". There isn't likely to be 
anything so important that it needs to be added after that.

We made a few exceptions for Tomcats 6, 7, and 8.0 for security 
issues, but I think there's no reason not to release 8.5.100 during 
March. I don't mind waiting until later in the month just in case 
anything comes up. Plus we can always change our minds and release 
again if there is something vital.

Following up on this, I think the bug fix for BZ 68495 does make it 
worth doing a set of releases this month.

The dependencies are up to date, I've just updated the translations and 
we don't have any open bugs at the moment.

There is the sproadic test failure issue that Rainer highlighted.

My plan, as I am not in a huge rush since the Feb releases were so late 
and I am travelling this week, is to look at that issue, check the unit 
tests all pass on the usual set of platforms and then tag 11.0.x.

I've just realised I don't have access to MacOS on Intel until the end 
of the week so I'm thinking tag 11.0.x on Friday if everything else goes 
to plan.

I have two Intel Macs where I can run unit tests for you if you are 
excited about getting started sooner.

But I agree: there is no rush. Releasing 8.5.x toward the end of the 
month is preferable just in case we discover something else we'd really 
like to fix.


To unsubscribe, e-mail:
For additional commands, e-mail:

Planning for

2024-03-06 Thread Christopher Schultz


I was wondering if anyone had any thoughts on adding anything to (likely .100) to indicate that the build was the last in the 
series. Of course, we will advertise EOL on the web site, etc. but I was 
thinking something more runtime-oriented.

Would it be okay to add an INFO log on startup that says "8.5.x has 
reached EOL and you should consider upgrading to 9.0 or later. Bug fixes 
including security fixes are unlikely to be released for 8.5.x after 

Perhaps that's too annoying?

I'm even thinking that we might want to bake this kind of thing into all 
releases. Every release knows its release-date, and we could have a 
start message that warns the user whenever the release-date gets to be 
reasonably far in the past. Say, 6 months. Or a year. Something 
"reasonable". Just in case nobody bothers to upgrade to to see 
this kind of message.

Any thoughts?


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Add support for HTTP connectors to accept REMOTE_USER information from a proxy?

2024-03-06 Thread Christopher Schultz



Any thoughts?


On 2/28/24 14:53, Christopher Schultz wrote:


When using AJP, setting tomcatAuthentication="false" allows mod_jk or 
mod_proxy_ajp to transmit authenticated user information across the 
connection to Tomcat so that request.getRemoteUser() will return 
whatever httpd has for REMOTE_USER.

The same is not true for the HTTP connectors.

   RemoteIPValve takes care of X-Forwarded-* headers

   SSLValve takes care of SSL_* variables for cipher, client cert, etc.

This appears to be one of the only commonly-used pieces of information 
that is difficult to transmit across HTTP while it's easy with AJP.

As a part of my crusade to get people to move from AJP to HTTP, I'd like 
to propose that we make arrangements for this information to be 
transmitted in some reasonable way.

One way to do it would be to add something to RemoteIPValve that would 
be willing to accept e.g. X-Remote-User header and assign that to the 
request. (This would be disabled by default!) Straightforward, 
relatively easy to understand and configure, and uses existing 
components. But perhaps X-Remote-User is "out of scope" for RemoteIPValve?

Another way would be to add tomcatAuthentication="false" as an option 
for the HTTP connector. It would behave like its AJP twin, except it 
would look in HTTP headers for ... X-Remote-User? REMOTE_USER? Somethign 
user-configurable? While this option mirrors the way it's done for AJP, 
I don't like it as much as using RemoteIPValve, if for no other reason 
than it has nothing to do with the connector itself and the 
RemoteIPValve already has similar configuration options for setting the 
names of special HTTP headers.

We could introduce a new Valve that just does this, and maybe adds other 
things later that we find are also missing. This introduces a completely 
new component, makes the valve chain even longer, etc. and so I still 
favor adding this to RemoteIPValve.



To unsubscribe, e-mail:
For additional commands, e-mail:

Add support for HTTP connectors to accept REMOTE_USER information from a proxy?

2024-02-28 Thread Christopher Schultz


When using AJP, setting tomcatAuthentication="false" allows mod_jk or 
mod_proxy_ajp to transmit authenticated user information across the 
connection to Tomcat so that request.getRemoteUser() will return 
whatever httpd has for REMOTE_USER.

The same is not true for the HTTP connectors.

  RemoteIPValve takes care of X-Forwarded-* headers

  SSLValve takes care of SSL_* variables for cipher, client cert, etc.

This appears to be one of the only commonly-used pieces of information 
that is difficult to transmit across HTTP while it's easy with AJP.

As a part of my crusade to get people to move from AJP to HTTP, I'd like 
to propose that we make arrangements for this information to be 
transmitted in some reasonable way.

One way to do it would be to add something to RemoteIPValve that would 
be willing to accept e.g. X-Remote-User header and assign that to the 
request. (This would be disabled by default!) Straightforward, 
relatively easy to understand and configure, and uses existing 
components. But perhaps X-Remote-User is "out of scope" for RemoteIPValve?

Another way would be to add tomcatAuthentication="false" as an option 
for the HTTP connector. It would behave like its AJP twin, except it 
would look in HTTP headers for ... X-Remote-User? REMOTE_USER? Somethign 
user-configurable? While this option mirrors the way it's done for AJP, 
I don't like it as much as using RemoteIPValve, if for no other reason 
than it has nothing to do with the connector itself and the 
RemoteIPValve already has similar configuration options for setting the 
names of special HTTP headers.

We could introduce a new Valve that just does this, and maybe adds other 
things later that we find are also missing. This introduces a completely 
new component, makes the valve chain even longer, etc. and so I still 
favor adding this to RemoteIPValve.



To unsubscribe, e-mail:
For additional commands, e-mail:

Re: March releases

2024-02-27 Thread Christopher Schultz


On 2/27/24 06:20, Mark Thomas wrote:

On 27/02/2024 10:57, Rémy Maucherat wrote:

On Tue, Feb 27, 2024 at 10:12 AM Mark Thomas  wrote:


When I look at the current change logs there isn't much there to justify
a March release. There are a couple of open bugs of which one looks
likely that there is an actual issue to be fixed.

That said, I'm unlikely to be in a position to tag 11.0.x until w/c 11
March. The change log may look different at that point.

It is probably too early to make a decision but I wanted to float the
possibility of skipping the March release. That would mean we'd probably
need to make the final 8.5.x release in April.

We don't need to always release all branches every time.

Good point.

For example, 11 already has two useful fixes right now: support for
Java 17 (one could want to verify it), then the FFM fix I made (using
the wrong loader in one location means it simply breaks depending on
how OpenSSL is loaded, so that's bad). But these two are not in the
other branches.

Ack. Those are good reasons for an 11.0.x release.

I just checked the dependencies - there are no updates at the moment.

As for a final 8.5, I would say it is not mandatory if there's nothing
useful in the changelog by the end of March. There's always going to
be a final final fix needed anyway. I started skipping some backports
to 8.5 since "regressions, who knows".

I was just thinking .100 was a nice point release to end on ;)

Yeah, me too ;)

I think we should release 8.5.100 in March, if only to meet our own goal 
of "ending support at the end of March". There isn't likely to be 
anything so important that it needs to be added after that.

We made a few exceptions for Tomcats 6, 7, and 8.0 for security issues, 
but I think there's no reason not to release 8.5.100 during March. I 
don't mind waiting until later in the month just in case anything comes 
up. Plus we can always change our minds and release again if there is 
something vital.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: FFM in Tomcat 10.1

2024-02-26 Thread Christopher Schultz


On 2/23/24 08:35, Rémy Maucherat wrote:


I would like to propose backporting the OpenSSL FFM support to Tomcat 10.1.

Java 22.0.0 should be released on March 19, and the next Java LTS
should still have no problem targeting Java 11. As a result, there
should be no negative impact to the platform support, and users
running on Java 22+ could benefit from easier OpenSSL support.

Obviously I anticipate most users will use FFM support once the next
Java LTS is out in a few years, but getting the feature out now would
still be good.

After the change:
- Compiling, running the testsuite, etc is still doable with Java 17.
- Running Tomcat 10.1 still works with Java 11.
- Building a Tomcat 10.1 release would now require Java 22+.

Backporting further to Tomcat 9.0 could be riskier however. Following
the removal of the Java 7 release target, Java 8 might be next. The
main question is if the next Java LTS will still support the Java 8
release target.

Comments ?

I'm not sure why, but I find it annoying that you can't build some 
Tomcat releases with the versions on which they are intended to run.

It's too bad the FFM stuff didn't land until Java 19.


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Tomcat 8.5.99 artifacts not in Maven central

2024-02-26 Thread Christopher Schultz


On 2/22/24 15:11, Mark Thomas wrote:

On 22/02/2024 20:03, S. Ali Tokmen wrote:

Dear Tomcat development team

The Tomcat 8.5.99 artifacts not in Maven central.

Is this normal?


I've just checked and they weren't promoted from the staging repository. 
I've just done that. They should be in Maven Central shortly.

Whoops. Thanks for taking care of this, Mark.


To unsubscribe, e-mail:
For additional commands, e-mail:

  1   2   3   4   5   6   7   8   9   10   >