Regression in mutual authentication in 9.0.86+?

2024-03-14 Thread Amit Pande
Hello all,

I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 
too).

Some of our tests which involve mutual authentication 
("certificateVerification = optional") have started to fail.

In tests where the client does pass the certificate, I didn't see any SSL 
handshake errors (with SSL handshake debugging enabled) but 
"javax.servlet.request.X509Certificate" attribute wasn't set. This is the 
attribute the application needs for further validations.

Could anyone please give pointers on how to debug this further?

Any code pointers where Tomcat sets this 
"javax.servlet.request.X509Certificate" attribute?

Also, one more question - with optional certificate verification, the 
connection doesn't fail if a certificate is not passed. But the connection will 
fail if the SSL handshake fails when a certificate is passed by the client; is 
that the correct understanding?

Thanks,
Amit
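As an added example (not from this thread and not Tomcat's own code), a servlet filter that reads the client certificate chain Tomcat exposes under the standard attribute name and enforces its presence on the paths that need it. Two pointers it relies on: the attribute name is the Servlet specification's, and Tomcat populates it in org.apache.catalina.connector.Request (the constant is org.apache.catalina.Globals.CERTIFICATES_ATTR), so the attribute is absent whenever the handshake completed without a client certificate, which is exactly what certificateVerification="optional" permits. The filter class name and the "app.clientCertSubject" attribute are assumptions; it targets the javax.* Servlet 4.0 API of Tomcat 9 and is expected to be mapped in web.xml to the certificate-protected URL patterns.

```java
// Added example, not the thread's or Tomcat's code. Reads the client
// certificate chain Tomcat sets on the request after a mutual-TLS handshake
// and rejects requests on the filtered paths that carry none.
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertFilter implements Filter { // hypothetical class name

    // Attribute name defined by the Servlet specification; Tomcat sets it when
    // the client presented a certificate during the TLS handshake.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Attribute under which the subject DN is handed to the application (assumption).
    static final String SUBJECT_ATTR = "app.clientCertSubject";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] clientChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        if (clientChain == null || clientChain.length == 0) {
            // With certificateVerification="optional" the handshake succeeds
            // without a client certificate, so the attribute is simply absent.
            // Logging isSecure() separates "no certificate sent" from "TLS was
            // terminated in front of Tomcat and the request arrived as plain HTTP".
            req.getServletContext().log("no client certificate on " + request.getRequestURI()
                    + " (secure=" + request.isSecure() + ")");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // Element 0 is the end-entity certificate; the rest is the chain it came with.
        X509Certificate leaf = clientChain[0];
        try {
            leaf.checkValidity(); // throws when expired or not yet valid
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        // Hand the subject to the application for its own authorisation checks.
        request.setAttribute(SUBJECT_ATTR, leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```

The filter only checks what the handshake already established plus the validity period; trust in the issuing CA is decided by the connector's truststore during the handshake, not here.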







[ANN] Apache Tomcat 9.0.87 available

2024-03-14 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.87.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.87 is a bugfix and feature release. The notable
changes compared to 9.0.86 include:

- When restoring a saved POST request after a successful FORM
   authentication, ensure that neither the URI, the query string nor
   the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
   once the response has been recycled triggers a NullPointerException
   provided that discardFacades is configured with the default value of
   true.

- The standard thread pool implementations that are
   configured using the Executor element now implement
   ExecutorService for better support of NIO2 or others.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



[ANN] Apache Tomcat 11.0.0-M18 (alpha) available

2024-03-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M18 (alpha).

Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M18 is a milestone release of the 11.0.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 11.0.x so that they may provide feedback. The notable 
changes compared to 11.0.0-M17 include:


- Reduce minimum Java version to Java 17

- When restoring a saved POST request after a successful FORM
  authentication, ensure that neither the URI, the query string nor
  the protocol are corrupted when restoring the request body.

- Align error handling for Writer and OutputStream. Ensure use of either
  once the response has been recycled triggers a NullPointerException
  provided that discardFacades is configured with the default value of
  true.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




404 for j_security_check

2024-03-14 Thread Rick Noel
After moving from Tomcat 9 to Tomcat 10, after a user successfully logs in 
and then hits a restricted page, the login page is hit again, but on this 
second login hit I get a 404 page not found.

How do I set the correct path in my login JSP so that j_security_check is 
found?

BTW, I am actually wondering why a successfully logged-on user would even be 
sent to the login page again?


My login page is -> /membership/login.jsp

Here is how I set the path to j_security_check in the above login.jsp


My restricted web.xml snippet

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>External</web-resource-name>
      <url-pattern>/external/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>radiovoodoo</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Auth</web-resource-name>
      <url-pattern>/auth/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>radiovoodoo</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/membership/login.jsp</form-login-page>
      <form-error-page>/membership/error.jsp</form-error-page>
    </form-login-config>
  </login-config>


Rick Noel
Systems Programmer | Westwood One
rn...@westwoodone.com



Re: reloading context with manager-script

2024-03-14 Thread Christopher Schultz

Mark,

On 3/14/24 07:57, Mark Thomas wrote:

On 12/03/2024 13:47, Christopher Schultz wrote:

Greg and Mark,

On 3/12/24 05:00, Greg Huber wrote:

On 11/03/2024 18:17, Christopher Schultz wrote:

Mark,

On 3/10/24 08:49, Mark Thomas wrote:

On 10/03/2024 10:50, Greg Huber wrote:

Hello,

Using http://tomcat/manager-app/text/reload?path=/

When I reload an application (in java), I get a reply

OK - Reloaded application at context path [/]

but when the application is not present I get this reply:

FAIL - No context exists named []

Is it intentional that the fail shows the ascii code rather than 
the slash like on the OK?


Yes.

If the provided context exists then we know that the name is HTML 
safe since all valid context names are HTML safe. In this case 
there is no escaping.


If the context does not exist then the provided content name may 
not be HTML safe (it could be a deliberate XSS attempt) hence it is 
escaped.


What is the Content-Type of the response? The URL implies that it's 
a text interface, not HTML.

 >
 > Running it on the browser I get
 >
 > Content-Type : text/plain;charset=utf-8

Yeah, that's what I was expecting.

I think HTML escaping is not appropriate, here.


Agreed. The challenge is that you don't have the context to determine if 
the request originates from the HTMLManagerServlet.


It may be possible to refactor the escaping so it happens in 
HTMLManagerServlet instead.


Okay, that's fair.

We also might be able to sniff the content-type from the code generating 
the response to decide whether or not to HTML-escape.


-chris




Re: Tomcat 9 returning 404 for audio files

2024-03-14 Thread Christopher Schultz

Sam,

On 3/13/24 22:34, Sam wrote:

Thank you so much!

Finally issue is resolved.

Regards!

On Tue, Mar 12, 2024, 11:43 p.m. Anson Cheung 
wrote:


OK, it's a problem caused by the Tomcat cache. You need to disable it. Please
refer to

https://serverfault.com/questions/40205/how-do-i-disable-tomcat-caching-im-having-weird-static-file-problems

On Wed, Mar 13, 2024 at 3:46 AM Chuck Caldarale  wrote:




On Mar 12, 2024, at 13:15, Sam  wrote:

As I said earlier, 404 error is only returned 1st time.

Subsequent requests work fine.



What triggers the creation of the audio file? Is it possible that the
trigger creates a file-not-found state in the Tomcat resource cache, and
that’s what is returned the first time?


If disabling your cache "[finally resolved your issue]" then everyone 
who was asking if you were triggering a file-read through Tomcat was 
correct, even though you kept telling them they were wrong.


-chris




Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Vincent Daniel
:)

On Thu, Mar 14, 2024 at 7:53 PM Mark Thomas  wrote:
>
> On 14/03/2024 11:51, Vincent Daniel wrote:
> > Thank you so much.
> > I am ashamed that I did not read the documentation carefully.
>
> No problem. It is only a single line in the docs and it helps a lot if
> you know what you are looking for.
>
> Mark
>
> >
> > On Thu, Mar 14, 2024 at 7:46 PM Mark Thomas  wrote:
> >>
> >> On 14/03/2024 11:36, Vincent Daniel wrote:
> >>> Hi, community
> >>>
> >>> When I configured Tomcat logs, I found the following configuration in
> >>> logging.properties
> >>>
> >>> 1catalina.org.apache.juli.AsyncFileHandler
> >>> 2localhost.org.apache.juli.AsyncFileHandler
> >>> 3manager.org.apache.juli.AsyncFileHandler
> >>> 4host-manager.org.apache.juli.AsyncFileHandler
> >>>
> >>> I am not sure what the numbers in front of them mean?
> >>>
> >>> I checked the Tomcat documentation > Logging chapter and found no
> >>> relevant instructions. I also searched the Tomcat source code
> >>> repository on Github, and only found document-related content.
> >>>
> >>> Can someone explain this please?
> >>
> >> https://tomcat.apache.org/tomcat-11.0-doc/logging.html
> >>
> >> Search for the word "prefix".
> >>
> >> Mark
> >>




Re: reloading context with manager-script

2024-03-14 Thread Mark Thomas

On 12/03/2024 13:47, Christopher Schultz wrote:

Greg and Mark,

On 3/12/24 05:00, Greg Huber wrote:

On 11/03/2024 18:17, Christopher Schultz wrote:

Mark,

On 3/10/24 08:49, Mark Thomas wrote:

On 10/03/2024 10:50, Greg Huber wrote:

Hello,

Using http://tomcat/manager-app/text/reload?path=/

When I reload an application (in java), I get a reply

OK - Reloaded application at context path [/]

but when the application is not present I get this reply:

FAIL - No context exists named []

Is it intentional that the fail shows the ascii code rather than 
the slash like on the OK?


Yes.

If the provided context exists then we know that the name is HTML 
safe since all valid context names are HTML safe. In this case there 
is no escaping.


If the context does not exist then the provided content name may not 
be HTML safe (it could be a deliberate XSS attempt) hence it is 
escaped.


What is the Content-Type of the response? The URL implies that it's a 
text interface, not HTML.

 >
 > Running it on the browser I get
 >
 > Content-Type : text/plain;charset=utf-8

Yeah, that's what I was expecting.

I think HTML escaping is not appropriate, here.


Agreed. The challenge is that you don't have the context to determine if 
the request originates from the HTMLManagerServlet.


It may be possible to refactor the escaping so it happens in 
HTMLManagerServlet instead.


Mark
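As an added example (not Tomcat's code and not from the thread), the content-type-driven choice the replies above converge on: a context name that matched an existing context needs no escaping, and a name that matched nothing is untrusted input that must be HTML-escaped when it is written into an HTML page but passed through unchanged in a text/plain reply. The class and method names are assumptions; the escaping table is a minimal stand-in for Tomcat's own and includes '/', which is why the text interface in the thread showed the slash as a character reference.

```java
// Added example, not Tomcat's code. Decides how to render a user-supplied
// context name in a manager "FAIL" line from the response's content type.
public final class ManagerReply { // hypothetical class name

    // Minimal HTML element-content escaping. '/' is included deliberately:
    // this is the "ascii code" the text interface showed instead of the slash.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // contentType is the value the servlet set on the response, for example
    // "text/plain;charset=utf-8" for the text interface or
    // "text/html;charset=utf-8" for the HTML manager.
    static String noContextMessage(String requestedName, String contentType) {
        boolean html = contentType != null
                && contentType.toLowerCase().startsWith("text/html");
        // The name matched no context, so it is attacker-influenced: escape it
        // only where an HTML consumer would interpret it as markup.
        String shown = html ? htmlEscape(requestedName) : requestedName;
        return "FAIL - No context exists named [" + shown + "]";
    }

    public static void main(String[] args) {
        // text/plain: the slash is shown as-is, matching the "OK" line's format
        System.out.println(noContextMessage("/", "text/plain;charset=utf-8"));
        // text/html: the same name is escaped before it reaches the page
        System.out.println(noContextMessage("/", "text/html;charset=utf-8"));
        // a markup-looking name is neutralised only in the HTML rendering
        System.out.println(noContextMessage("<b>x</b>", "text/html;charset=utf-8"));
    }
}
```

Escaping for the wrong output context is the underlying mistake in both directions: HTML-escaping a plain-text response corrupts it for the scripts that parse it, while not escaping an HTML response leaves the reflected name interpretable as markup.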




Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas

On 14/03/2024 11:51, Vincent Daniel wrote:

Thank you so much.
I am ashamed that I did not read the documentation carefully.


No problem. It is only a single line in the docs and it helps a lot if 
you know what you are looking for.


Mark



On Thu, Mar 14, 2024 at 7:46 PM Mark Thomas  wrote:


On 14/03/2024 11:36, Vincent Daniel wrote:

Hi, community

When I configured Tomcat logs, I found the following configuration in
logging.properties

1catalina.org.apache.juli.AsyncFileHandler
2localhost.org.apache.juli.AsyncFileHandler
3manager.org.apache.juli.AsyncFileHandler
4host-manager.org.apache.juli.AsyncFileHandler

I am not sure what the numbers in front of them mean?

I checked the Tomcat documentation > Logging chapter and found no
relevant instructions. I also searched the Tomcat source code
repository on Github, and only found document-related content.

Can someone explain this please?


https://tomcat.apache.org/tomcat-11.0-doc/logging.html

Search for the word "prefix".

Mark




Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Vincent Daniel
Thank you so much.
I am ashamed that I did not read the documentation carefully.

On Thu, Mar 14, 2024 at 7:46 PM Mark Thomas  wrote:
>
> On 14/03/2024 11:36, Vincent Daniel wrote:
> > Hi, community
> >
> > When I configured Tomcat logs, I found the following configuration in
> > logging.properties
> >
> > 1catalina.org.apache.juli.AsyncFileHandler
> > 2localhost.org.apache.juli.AsyncFileHandler
> > 3manager.org.apache.juli.AsyncFileHandler
> > 4host-manager.org.apache.juli.AsyncFileHandler
> >
> > I am not sure what the numbers in front of them mean?
> >
> > I checked the Tomcat documentation > Logging chapter and found no
> > relevant instructions. I also searched the Tomcat source code
> > repository on Github, and only found document-related content.
> >
> > Can someone explain this please?
>
> https://tomcat.apache.org/tomcat-11.0-doc/logging.html
>
> Search for the word "prefix".
>
> Mark
>




Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas

On 14/03/2024 11:36, Vincent Daniel wrote:

Hi, community

When I configured Tomcat logs, I found the following configuration in
logging.properties

1catalina.org.apache.juli.AsyncFileHandler
2localhost.org.apache.juli.AsyncFileHandler
3manager.org.apache.juli.AsyncFileHandler
4host-manager.org.apache.juli.AsyncFileHandler

I am not sure what the numbers in front of them mean?

I checked the Tomcat documentation > Logging chapter and found no
relevant instructions. I also searched the Tomcat source code
repository on Github, and only found document-related content.

Can someone explain this please?


https://tomcat.apache.org/tomcat-11.0-doc/logging.html

Search for the word "prefix".

Mark




What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Vincent Daniel
Hi, community

When I configured Tomcat logs, I found the following configuration in
logging.properties

1catalina.org.apache.juli.AsyncFileHandler
2localhost.org.apache.juli.AsyncFileHandler
3manager.org.apache.juli.AsyncFileHandler
4host-manager.org.apache.juli.AsyncFileHandler

I am not sure what the numbers in front of them mean?

I checked the Tomcat documentation > Logging chapter and found no
relevant instructions. I also searched the Tomcat source code
repository on Github, and only found document-related content.

Can someone explain this please?
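As an added example (not the thread's file and not Tomcat's shipped default, though it follows its layout), a trimmed logging.properties showing what the leading digits do. In Tomcat's JULI a handler name is a prefix followed by the handler class name; the prefix starts with a digit and ends with a dot, and exists only so that several handlers of the same class can be configured side by side under distinct keys. Note that this handler-name prefix ("1catalina.") is a different thing from the handler's own prefix property ("catalina."), which names the log file.

```properties
# Added example, not the thread's logging.properties. Handler names are
# <prefix><class>, where <prefix> starts with a digit and ends with '.'.
handlers = 1catalina.org.apache.juli.AsyncFileHandler, \
           2localhost.org.apache.juli.AsyncFileHandler, \
           java.util.logging.ConsoleHandler

# Root logger: everything goes to the catalina file and the console.
.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler

# Two instances of the same class, AsyncFileHandler, told apart only by the
# "1catalina." and "2localhost." prefixes; without them the keys below
# would collide and only one file handler could be configured.
1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90
1catalina.org.apache.juli.AsyncFileHandler.encoding = UTF-8

2localhost.org.apache.juli.AsyncFileHandler.level = FINE
2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
2localhost.org.apache.juli.AsyncFileHandler.encoding = UTF-8

# The per-host logger is routed to the second handler only, so localhost
# messages land in localhost.<date>.log rather than catalina.<date>.log.
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
```

Adding a third file handler is a matter of picking another unused prefix (for example "3manager.") and repeating the property block under that name.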
