Re: Practical use of CsrfPreventionFilter

2023-12-15 Thread Mark Thomas
On 13/12/2023 22:05, Christopher Schultz wrote: All, I've been playing with this Filter recently, and I have some concerns for its practical use. I'm considering adding some features to it in order to make it more practical to use, and I'm interested to see what others think about these

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 11/12/2023 17:20, Mark Thomas wrote: On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below

Re: [EXTERNAL] - Re: Partitioned cookies

2023-12-15 Thread Mark Thomas
On 14/12/2023 21:15, André van der Lugt wrote: From: Chuck Caldarale Sent: Wednesday, November 15, 2023 9:48 AM To: Tomcat Users List Subject: [EXTERNAL] - Re: Partitioned cookies On Nov 15, 2023, at 08:06, Adam Warfield

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 16:13, Benny Prange wrote: On Thu, 14 Dec 2023 at 16:51, Mark Thomas wrote: On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request

[ANN] Apache Tomcat 11.0.0-M15 (alpha) available

2023-12-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M15 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 11.0.0-M15 (alpha) available

2023-12-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M15 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[VOTE][RESULT] Release Apache Tomcat 11.0.0-M15

2023-12-12 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, remm, schultz, isapir, lihan No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark

Re: "Secure" parsing of XML

2023-12-12 Thread Mark Thomas
On 11/12/2023 14:53, Christopher Schultz wrote: Or are there maybe cases where these protections should NEVER be reduced? I'm thinking about the WebDAV servlet as a good example: there is never a good reason to allow remote-client-provided XML to be parsed in a potentially dangerous way. Maybe

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-11 Thread Mark Thomas
On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below ), the Host header value in the HTTP request is

Re: JAVA -tomcat- Request header is too large

2023-12-11 Thread Mark Thomas
On 08/12/2023 22:01, Christopher Schultz wrote: Are request-ids always allocated, or only if they are "enabled"? Always allocated. I think adding the request-id to this exception detail message might be helpful, even if the request-id hasn't been enabled in the access-log. WDYT? Good

Re: [VOTE] Release Apache Tomcat 8.5.97

2023-12-11 Thread Mark Thomas
On 08/12/2023 22:30, Christopher Schultz wrote: Mark, On 12/8/23 14:47, Mark Thomas wrote: On 07/12/2023 18:16, Christopher Schultz wrote: The proposed 8.5.97 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 8.5.97 (stable) Unit tests on Linux, Windows, MacOS M1

Re: [VOTE] Release Apache Tomcat 8.5.97

2023-12-08 Thread Mark Thomas
On 07/12/2023 18:16, Christopher Schultz wrote: The proposed 8.5.97 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 8.5.97 (stable) Unit tests on Linux, Windows, MacOS M1 and MacOS Intel Build is cross-platform repeatable apart from - The fulldocs package -

Re: Annoyances with Eclipse JDT compiler

2023-12-08 Thread Mark Thomas
On 08/12/2023 18:46, Christopher Schultz wrote: All, Tomcat has to be built, tested, and deployed in a variety of environments. Specifically, in a variety of Java Runtime Environments. I'm finding that my 8.5.x testing and execution requires some weird backflips due to JDT versioning.

Re: [VOTE] Release Apache Tomcat 9.0.84

2023-12-08 Thread Mark Thomas
On 07/12/2023 19:44, Rémy Maucherat wrote: The proposed 9.0.84 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.84 Unit tests on Linux, Windows, MacOS M1 and MacOS Intel Build is cross-platform repeatable apart from - The fulldocs package - This is

Re: [VOTE] Release Apache Tomcat 10.1.17

2023-12-08 Thread Mark Thomas
On 08/12/2023 14:41, Christopher Schultz wrote: Mark, On 12/8/23 7:34 AM, Mark Thomas wrote: On 08/12/2023 03:17, Christopher Schultz wrote: The proposed 10.1.17 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 10.1.17 Unit tests on Linux, Windows, MacOS M1

Re: [VOTE] Release Apache Tomcat 10.1.17

2023-12-08 Thread Mark Thomas
On 08/12/2023 12:34, Mark Thomas wrote: On 08/12/2023 03:17, Christopher Schultz wrote: The proposed 10.1.17 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 10.1.17 Unit tests on Linux, Windows, MacOS M1 and MacOS Intel Build is cross-platform repeatable apart

Re: [VOTE] Release Apache Tomcat 10.1.17

2023-12-08 Thread Mark Thomas
On 08/12/2023 03:17, Christopher Schultz wrote: The proposed 10.1.17 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 10.1.17 Unit tests on Linux, Windows, MacOS M1 and MacOS Intel Build is cross-platform repeatable apart from - The fulldocs package - This is

Re: Failing to decode the url correctly in tomcat 9.

2023-12-08 Thread Mark Thomas
On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote: On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan < kalaivani.sengottai...@veeva.com> wrote: In one of our sample cases, this is the url recorded by nginx "-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +] "GET

Re: JAVA -tomcat- Request header is too large

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:27, Ivano Luberti wrote: On 07/12/2023 17:51, Mark Thomas wrote: On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:51, Mark Thomas wrote: On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 This has been fixed for all

Re: (tomcat) branch 10.1.x updated: Improvements to French translations. (remm)

2023-12-08 Thread Mark Thomas
2b3f0f0964 Improvements to French translations. (remm) 2b3f0f0964 is described below commit 2b3f0f09641e0d8504a114cf296a18d66039266b Author: Mark Thomas AuthorDate: Fri Dec 8 10:26:49 2023 + Improvements to French translations. (remm) Execute the nonsense commit message. Eclipse

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 On Dec 8, 2023, at 03:55, Nicolas BONAMY wrote: Hi, I try to use

Re: JAVA -tomcat- Request header is too large

2023-12-07 Thread Mark Thomas
On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header  Note: further occurrences of HTTP request

Re: [VOTE] Release Apache Tomcat 11.0.0-M15

2023-12-07 Thread Mark Thomas
On 07/12/2023 15:36, Mark Thomas wrote: The proposed 11.0.0-M15 release is: [ ] -1 Broken - do not release [X] +1 Alpha  - go ahead and release as 11.0.0-M15 Unit tests pass on Linux, Windows MacOS Intel and MacOS M1. Mark

[VOTE] Release Apache Tomcat 11.0.0-M15

2023-12-07 Thread Mark Thomas
The proposed Apache Tomcat 11.0.0-M15 release is now available for voting. Apache Tomcat 11.0.0-M15 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback. The notable

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-12-06 Thread Mark Thomas
ode. Additional info - I've set the session timeout to 10minutes. The app uses Java 17 with Spring Boot 3.1.x stack. It does not use any external STOMP broker relay. Regards, Jakub. On 2023/08/20 22:44:46 Mark Thomas wrote: On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wr

Re: Tine to tag

2023-12-06 Thread Mark Thomas
On 05/12/2023 20:07, Rémy Maucherat wrote: On Tue, Dec 5, 2023 at 8:02 PM Mark Thomas wrote: Hi all, There are a few tasks to complete but we are close to being in a position to tag the December release. The remaining tasks are: - check dependencies for updates - sync with POEditor

Tine to tag

2023-12-05 Thread Mark Thomas
Hi all, There are a few tasks to complete but we are close to being in a position to tag the December release. The remaining tasks are: - check dependencies for updates - sync with POEditor - fix the new test that fails on NIO2 + Windows - maybe some further improvements to the unit tests

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 15:15, Burle, Saicharan wrote: Hi Mark/Chris, We are getting this error without even deploying any application. Then start looking at your network to see what is sending this invalid data to Tomcat. Mark

Re: (tomcat) 02/02: Improve performance of HTTP/2 tests

2023-12-05 Thread Mark Thomas
a8bffcbf55624ba14819dfc636f2e63dd1a8289d Author: Mark Thomas AuthorDate: Tue Dec 5 12:16:18 2023 + Improve performance of HTTP/2 tests On the Apache CI, the runs went from 43mins down to 35mins, so that's nice. That is more than I was expecting. Some of the tests still seem to be taking longer than they should. I'm

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 09:45, Burle, Saicharan wrote: Hi All, I am trying to build a tomcat instance in a net new server and getting the below error while starting. Although instance has come up but I am unable to debug the below error. Can someone please assist in this regard?

Re: (tomcat) branch main updated: Refactor long running tests to improve parallelism

2023-12-04 Thread Mark Thomas
c766eefed9 Refactor long running tests to improve parallelism c766eefed9 is described below commit c766eefed99cb7004f29468d1e5546eef2a5eae8 Author: Mark Thomas AuthorDate: Mon Dec 4 19:06:26 2023 + Refactor long running tests to improve parallelism This didn't work as I hoped. The tests

Re: setenv.sh tomcat8 changelog

2023-12-04 Thread Mark Thomas
4 Dec 2023 15:10:13 Christoph Kukulies : The tomcat8 changelog shows the following remark among others: General • Tighten up the default file permissions for the .tar.gz distribution so no files or directories are world readable by default. Configure Tomcat to run with a default umask of 

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-12-01 Thread Mark Thomas
On 01/12/2023 14:29, Markus Schlegel wrote: Hi Peter, Thank you for your hint about "-Djdk.tls.ephemeralDHKeySize=2048". I indeed did not know that this option exists. When I enable it, I get Grade "A" from SSLLabs while it still lists 8 weak ciphers out of 12. Because I get to grade "A" with

Re: (No members active in cluster group) Cannot discover members in cluster using Delta Manager with static membership Unicast

2023-12-01 Thread Mark Thomas
On 01/12/2023 08:27, Manak Bisht wrote: Hi, I am trying to implement non-sticky session replication using Delta Manager with static membership. The nodes are across two different machines. I am unable to discover members in the cluster with the following logs on both machines -

Re: Tomcat 9 build from scratch

2023-12-01 Thread Mark Thomas
On 30/11/2023 23:38, Aditya Shastri wrote: Thanks for the response Adwait. My ant skills are lacking. Does the minimum bytecode definition come from this line? Yes. Equally importantly it also ensures that the code is compiled against the Java 8 API. What does this line do? It is

Re: svn commit: r1914238 - in /tomcat/site/trunk: docs/index.html docs/upgrading.html xdocs/stylesheets/project.xml xdocs/upgrading.xml

2023-11-30 Thread Mark Thomas
On 30/11/2023 16:52, schu...@apache.org wrote: Author: schultz Date: Thu Nov 30 16:52:59 2023 New Revision: 1914238 URL: http://svn.apache.org/viewvc?rev=1914238=rev Log: Add an "Upgrading" page. Nice :) Mark

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-29 Thread Mark Thomas
On 29/11/2023 12:19, Rémy Maucherat wrote: On Tue, Nov 28, 2023 at 4:16 PM Rémy Maucherat wrote: On Tue, Nov 28, 2023 at 3:18 PM Christopher Schultz wrote: Mark, On 11/25/23 08:40, Mark Thomas wrote: On 25/11/2023 07:59, Rémy Maucherat wrote: On Fri, Nov 24, 2023 at 6:17 PM wrote

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 29/11/2023 21:46, Christopher Schultz wrote: Mark, On 11/29/23 14:09, Mark Thomas wrote: It was this change: https://github.com/apache/tomcat/commit/147fee447e27ec14e3001d9c727db1dcd4cb930c Reason phrase is an optional element of the HTTP response. This looks like a bug in whichever

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
are for addressing this in the interim. I'll note though that, generally, we don't implement work-arounds for broken clients - especially ones no-one noticed for 3+ years. Mark On 29/11/2023 14:08, Mark Thomas wrote: On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-11-29 Thread Mark Thomas
On 29/11/2023 10:46, Markus Schlegel wrote: Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak out of 12. It seems to me that -CBC might not be a valid option at all? Mark got different results when he

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application and a webdav servlet with tomcat. I am using libreoffice to edit and save files. the command is: /usr/lib/libreoffice/program/soffice.bin ms-excel:ofe|u|https://cloud.example.com/WebDav/NESTOR/GERARD/Documents.xls

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-28 Thread Mark Thomas
On 28/11/2023 14:17, Christopher Schultz wrote: Mark, On 11/25/23 08:40, Mark Thomas wrote: On 25/11/2023 07:59, Rémy Maucherat wrote: On Fri, Nov 24, 2023 at 6:17 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main

Re: 400 Bad Request - where do I find the detailed reason for the bad request so I can fix it?

2023-11-28 Thread Mark Thomas
On 27/11/2023 20:09, Graham Leggett wrote: Hi all, Long running webapps, tomcat recently updated from tomcat7 to tomcat v9.0.65. One webapp sends a request to another. The request fails with a 400 Bad Request, with the detail message "The server cannot or will not process the request due to

Re: (tomcat) 04/04: Fix BZ 68119 - Refactor for improved performance during type conversion

2023-11-28 Thread Mark Thomas
8df7a3a95babb12fc38b8efa7eb938877ef38485 Author: Mark Thomas AuthorDate: Mon Nov 27 14:01:49 2023 + Fix BZ 68119 - Refactor for improved performance during type conversion https://bz.apache.org/bugzilla/show_bug.cgi?id=68119 --- java/javax/el/CompositeELResolver.java | 47

Re: Buildbot failure in on tomcat-11.0.x

2023-11-27 Thread Mark Thomas
/112/builds/766 Blamelist: Mark Thomas Build Text: failed compile (failure) Status Detected: new failure Build Source Stamp: [branch main] 79a0e29a611d582135ebfb3740c060363c13f877 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-27 Thread Mark Thomas
more complicated with asynchronous servlets but it boils down to avoid accessing the request, response and associated objects after complete()/dispatch() have been called. Mark On Sat, Nov 25, 2023 at 5:42 AM Mark Thomas wrote: On 25/11/2023 05:30, Adwait Kumar Singh wrote

Re: Using Async Servlets correctly to avoid smuggling.

2023-11-25 Thread Mark Thomas
On 25/11/2023 01:43, Adwait Kumar Singh wrote: Hey Tomcat users, I am using Async Servlets and have a question on how to safeguard my application from Request Smuggling. In my current setup I do the following, 1. `startAsync` on the ServletRequest. 2. Create a ReadListener and attach it to

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-25 Thread Mark Thomas
On 25/11/2023 05:30, Adwait Kumar Singh wrote: Is there a way around this, to keep the async context open even on an error and not close it till complete is invoked? No. The spec requires the error handler to call complete() in onError() and, if the error handler doesn't, the container must. Mark

Re: (tomcat) 03/08: Code clean - formatting. No functional change.

2023-11-25 Thread Mark Thomas
b91af3e5c32d154e26dbf8f1a19c84d301ce8e1e Author: Mark Thomas AuthorDate: Fri Nov 24 16:54:27 2023 + Code clean - formatting. No functional change. Primarily to reduce IDE warnings from generated code. jextract is really bad for this. OTOH, fixing them is not practical since they will reappear every time

Re: Breaking changes in 9.0.83 ?

2023-11-19 Thread Mark Thomas
19 Nov 2023 04:23:46 Adwait Kumar Singh : I can see that BND was updated to 7.0 in 9.0.83, however BND 7.0 requires at least JDK 17 runtime while Tomcat 9 still supports JDK 8. Is this breaking change intended? Yes, it was intended. It is not a breaking change. The minimum supported

Re: CredentialHandler not working for MD5

2023-11-18 Thread Mark Thomas
On 17/11/2023 19:36, Christopher Schultz wrote: Is there any reason why SHA-256 is the default? MD5 is the historical default / only implementation for HTTP DIGEST. RFC 7616 (2015) Chrome will choose SHA-256 if presented with a choice of SHA-256 and MD5. Mark

Re: CredentialHandler not working for MD5

2023-11-17 Thread Mark Thomas
On 16/11/2023 18:06, Peter Otto wrote: 1. Configure BASIC auth with clear-text passwords in the Realm and get that working. 2. Switch to DIGEST auth with clear-text passwords in the Realm and get that working. 3. Then configure DIGEST auth and digested passwords in the Realm. Hi

Re: Tomcat 8: Random 404 and 505 errors

2023-11-17 Thread Mark Thomas
On 16/11/2023 22:53, Pavan Veginati wrote: Hi, We are seeing random 404 and 505 errors with GET and POST requests. Out of the 10 million daily requests in one cluster, there are 2-3 such 404 errors. In another cluster with around 100 million daily requests, we are seeing 20-30 404s on average

[ANN] Apache Tomcat 11.0.0-M14 (alpha) available

2023-11-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M14 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 11.0.0-M14 (alpha) available

2023-11-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M14 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Tomcat 8.5.x and repeatable builds

2023-11-15 Thread Mark Thomas
On 15/11/2023 09:35, Michael Osipov wrote: On 2023/11/14 16:53:38 Mark Thomas wrote: All, We are currently unable to produce cross-platform repeatable builds for Tomcat 8.5.x with Java 11 due to https://bugs.openjdk.org/browse/JDK-8320082 We have several options: 1. Do nothing. Build remains

Re: Tomcat 8.5.x and repeatable builds

2023-11-15 Thread Mark Thomas
On 14/11/2023 20:31, Christopher Schultz wrote: Mark, On 11/14/23 11:53, Mark Thomas wrote: All, We are currently unable to produce cross-platform repeatable builds for Tomcat 8.5.x with Java 11 due to https://bugs.openjdk.org/browse/JDK-8320082 We have several options: 1. Do nothing

[VOTE][RESULT] Release Apache Tomcat 11.0.0-M14

2023-11-15 Thread Mark Thomas
The following votes were cast: Binding: +1: remm, markt, schultz, jfclere Non-binding: +1: Dimitris Soumis No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark On 09/11/2023 19:58, Mark Thomas wrote: The proposed Apache Tomcat

Re: [VOTE] Release Apache Tomcat 11.0.0-M14

2023-11-15 Thread Mark Thomas
On 11/11/2023 13:49, Rémy Maucherat wrote: On Sat, Nov 11, 2023 at 2:36 AM Konstantin Kolinko wrote: Sat, 11 Nov 2023 at 03:09, Konstantin Kolinko : Thu, 9 Nov 2023 at 22:58, Mark Thomas : The proposed Apache Tomcat 11.0.0-M14 release is now available for voting. It can be obtained

Re: unable to start the tomcat 11 after successful build

2023-11-15 Thread Mark Thomas
This message belongs on the users mailing list, not the dev list. https://tomcat.apache.org/lists.html Mark On 15/11/2023 08:07, koteswara Rao Gundapaneni wrote: Hi I am unable to start the tomcat 11 server after successful build even its not showing proper errors log is not able to view

Re: CredentialHandler not working for MD5

2023-11-14 Thread Mark Thomas
You are confusing DIGEST authentication and digested passwords. The two are separate but related processes. If you use both, you do need to ensure that they are using the same digest. There is no need to modify code. This can all be controlled via configuration.

Re: Accessing Credential handler inside the web application always returns null

2023-11-14 Thread Mark Thomas
On 12/11/2023 23:01, Усманов Азат Анварович wrote: Sorry for delayed response, Once I comment out the CredentialHandler in context xml both in my app's context.xml and in global context.xml, and add realm to server.xml. CredentialHandler returns null once again. This is by design. The

Tomcat 8.5.x and repeatable builds

2023-11-14 Thread Mark Thomas
All, We are currently unable to produce cross-platform repeatable builds for Tomcat 8.5.x with Java 11 due to https://bugs.openjdk.org/browse/JDK-8320082 We have several options: 1. Do nothing. Build remains repeatable on the same OS. Wait and see if OpenJDK fix the bug. 2. Switch to

Re: [VOTE] Release Apache Tomcat 8.5.96

2023-11-14 Thread Mark Thomas
On 10/11/2023 20:04, Christopher Schultz wrote: The proposed 8.5.96 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 8.5.96 (stable) Build is not cross-platform reproducible as different byte code is generated by the same JDK and Ant version on different

Re: [VOTE] Release Apache Tomcat 9.0.83

2023-11-14 Thread Mark Thomas
On 09/11/2023 22:12, Rémy Maucherat wrote: The proposed 9.0.83 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.83 Build is cross-platform reproducible apart from the fulldocs package which is expected due to https://bugs.openjdk.org/browse/JDK-8306980

Re: [VOTE] Release Apache Tomcat 10.1.16

2023-11-14 Thread Mark Thomas
On 10/11/2023 20:00, Christopher Schultz wrote: The proposed 10.1.16 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 10.1.16 Build is cross-platform reproducible apart from the fulldocs package which is expected due to https://bugs.openjdk.org/browse/JDK-8306980

Re: [VOTE] Release Apache Tomcat 11.0.0-M14

2023-11-14 Thread Mark Thomas
On 09/11/2023 19:58, Mark Thomas wrote: The proposed 11.0.0-M14 release is: [ ] -1 Broken - do not release [X] +1 Alpha  - go ahead and release as 11.0.0-M14 Tests pass on Linux, Windows, MacOS (Intel & M1). Build is cross-platform (Linux & Windows) reproducibl

Re: Tomcat 10.1.15 JVM crashes randomly on startup

2023-11-13 Thread Mark Thomas
On 13/11/2023 07:52, Øyvind Flatval wrote: Greetings! We are currently experiencing a very vague problem with our Tomcat 10.1 instance, where the JVM will crash almost instantly after Tomcat is done starting up. The problem happens somewhat regularly, and only happens within the first minute

Re: [VOTE] Release Apache Tomcat 8.5.99

2023-11-10 Thread Mark Thomas
Maybe re-issue this vote with the correct subject? Mark On 10/11/2023 16:09, Christopher Schultz wrote: The proposed Apache Tomcat 8.5.96 release is now available for voting. The notable changes compared to 8.5.95 are: - Fix reloading TLS configuration could cause the Connector to   refuse

Re: FileUpload class not working with Tomcat 10.1

2023-11-10 Thread Mark Thomas
On 10/11/2023 16:49, Mark Foley wrote: I recently upgraded from Tomcat 10.0.17 to 10.1.13. When I previously upgraded from 9.0.41 to 10.0.17 (back in 2/22) the FileUpload class broke. I fixed that thanks to postings on stackoverflow, but now that I've upgraded to 10.1.13 it is broken again!

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-10 Thread Mark Thomas
(or whatever it is called) in an appropriate directory - ensure that directory is included in java.library.path (use setenv.bat) - ensure the OpenSSLLifecycleListener is configured in server.xml - start Tomcat HTH, Mark On Fri, Nov 10, 2023, 01:48 Mark Thomas wrote: On 10/11/2023 00:59, Eduardo

Re: Release build JDK

2023-11-10 Thread Mark Thomas
Java 21 for release should be fine. The only hard requirement is that it supports the appropriate release target. Mark On 10/11/2023 14:40, Christopher Schultz wrote: All, I see that the builds of 10.1.x require Java 17 or later. Is it okay to use Java 21 for that purpose, or is there a

Re: (tomcat-connectors) branch main updated: BZ 68117: Fix typo and escaping in libtool flag introduced in 1.2.49.

2023-11-10 Thread Mark Thomas
On 10/11/2023 10:38, rj...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. rjung pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-connectors.git The following commit(s) were added to refs/heads/main by this push:

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-09 Thread Mark Thomas
On 10/11/2023 00:59, Eduardo Guadalupe wrote: Hi, I wanted to test the OpenSSL integration using the FFM API rather than Tomcat Native in Apache Tomcat 11.0.0-M14. Starting Tomcat is printing an error: Failed to initialize the SSLEngine. java.lang.UnsatisfiedLinkError: no ssl in

[VOTE] Release Apache Tomcat 11.0.0-M14

2023-11-09 Thread Mark Thomas
The proposed Apache Tomcat 11.0.0-M14 release is now available for voting. Apache Tomcat 11.0.0-M14 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback. The notable

Re: Unexpected error running unit tests in 8.5.x

2023-11-09 Thread Mark Thomas
On 09/11/2023 19:07, Christopher Schultz wrote: Any suggestions for what to look at? Is this a "you need a newer JDT compiler to use Java 17" problem? I think so. This looks like similar reports we have had before for the 8.5.x tests. Mark

Re: (tomcat) branch main updated: Reproducible build fixes

2023-11-09 Thread Mark Thomas
/heads/main by this push: new 1a969a46b0 Reproducible build fixes 1a969a46b0 is described below commit 1a969a46b01d00a6fc880606c17145af23a8a010 Author: Mark Thomas AuthorDate: Thu Nov 9 17:54:26 2023 + Reproducible build fixes I did not anticipate that problem. So it is only

Re: (tomcat) 01/01: Tag 11.0.0-M14

2023-11-09 Thread Mark Thomas
On 09/11/2023 17:09, Mark Thomas wrote: All, I am seeing issues with cross-platform reproducibility for all archives. I was expecting the issue for the Javadoc but not the others. I'm not going to push any artifacts to dist or Maven in case I need to delete the tag and start again. I'll

Re: (tomcat) 01/01: Tag 11.0.0-M14

2023-11-09 Thread Mark Thomas
On 09/11/2023 16:52, ma...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to tag 11.0.0-M14 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 58b42c32ce1a75d0c68bd1ad6d6e6cc8f76ab76c Author: Mark Thomas AuthorDate

Re: Tagging and code signing

2023-11-09 Thread Mark Thomas
On 08/11/2023 21:07, Christopher Schultz wrote: Mark, On 11/8/23 12:58, Mark Thomas wrote: Hi all, I have a few things I still want to look at with the recent error handling changes. I'm seeing differences in behaviour between versions I at least want to understand. Depending on what I find

Tagging and code signing

2023-11-08 Thread Mark Thomas
Hi all, I have a few things I still want to look at with the recent error handling changes. I'm seeing differences in behaviour between versions I at least want to understand. Depending on what I find, I might try and align behaviours a little more. Once that is done, I plan to run my usual

Re: Chunk size error after upgrading JRE

2023-11-07 Thread Mark Thomas
On 07/11/2023 14:05, Tuukka Ilomäki wrote: We have a very old application running on Tomcat 8.5.90. After upgrading from JRE 8.0.252.09 from AdoptOpenJDK to 8u302b08 from Temurin (both pretty old, I know, also newer JREs exhibit the same issue) we started having NS_ERROR_NET_PARTIAL_TRANSFER

Re:

2023-11-07 Thread Mark Thomas
g On 06/11/2023 12:19, Mark Thomas wrote: On 06/11/2023 10:57, Greg Huber wrote: >> The maximum useful size will be the total size of static resources (i.e. everything NOT under WEB-INF/lib or WEB-INF/classes). Since I have nothing in either of these, it's all mapped in the PostReso

Re: TLD jar scanning at Tomcat Startup

2023-11-07 Thread Mark Thomas
On 06/11/2023 20:53, charles didonato wrote: Good Evening, Tomcat 9.082 on Windows 11. Tomcat runs as a Windows service. When I start Tomcat and deploy my war file, it hangs at the following in the Catalina Log: 06-Nov-2023 15:21:59.819 INFO [main]

Re: WebApp Mutual TLS for connecting to third party REST service

2023-11-06 Thread Mark Thomas
On 06/11/2023 17:03, Brian Wolfe wrote: Is there a way to use JSSE in tomcat to manage TLS mutual auth for when a process in tomcat is acting as a client during a REST call to use a client certificate from a keystore to authenticate to the third party? Or is this something that has to be handled

Re:

2023-11-06 Thread Mark Thomas
e jars, and add a bit for luck.  (ie 85mb +5mb). The "i.e. everything NOT under WEB-INF/lib or WEB-INF/classes" is irrespective of which resource collection it is in. So JARs from PostResources won't be cached. Mark Thanks On 06/11/2023 09:43, Mark Thomas wrote: On 05/11/2023 1

Re: tomcat 10

2023-11-06 Thread Mark Thomas
On 06/11/2023 06:46, 一直以来 wrote: Why do I print System.out.println(request) as different objects in the servlet for the request in tomcat10? Is the request object not reused in tomcat10? There is a pool of cached request objects. Each request is also accessed via a facade (which is

Re:

2023-11-06 Thread Mark Thomas
the cache brings. Those benefits are going to be application (and hardware) dependent. Mark Thanks Greg On Sun, 5 Nov 2023 at 15:31, Christopher Schultz < ch...@christopherschultz.net> wrote: Greg and Mark, On 11/5/23 09:31, Mark Thomas wrote: On 05/11/2023 10:18, Greg Huber wrot

Re: (tomcat) branch main updated: Update BND to 7.0.0

2023-11-05 Thread Mark Thomas
On 05/11/2023 10:10, Mark Thomas wrote: On 03/11/2023 15:07, Michael Osipov wrote: On 2023/11/03 11:57:56 Mark Thomas wrote: On 03/11/2023 09:26, Michael Osipov wrote: This change now completely missed to enforce Java 17 on < 11 and opt-in to skip the required during tests I have introdu

Re:

2023-11-05 Thread Mark Thomas
asses. eg: As its purely for development guess it makes no difference? I doubt you'll notice if you disable it. Mark Cheers Greg On 05/11/2023 10:02, Mark Thomas wrote: On 04/11/2023 11:03, Greg Huber wrote: Hello, I am using the and to run tomcat for debugging my app (and it is pret

Re: (tomcat) branch main updated: Update BND to 7.0.0

2023-11-05 Thread Mark Thomas
On 03/11/2023 15:07, Michael Osipov wrote: On 2023/11/03 11:57:56 Mark Thomas wrote: On 03/11/2023 09:26, Michael Osipov wrote: This change now completely missed to enforce Java 17 on < 11 and opt-in to skip the required during tests I have introduced last month. Tomcat 11.0.x has requi

Re:

2023-11-05 Thread Mark Thomas
On 04/11/2023 11:03, Greg Huber wrote: Hello, I am using the and to run tomcat for debugging my app (and it is pretty awesome).  I am getting the cache warning limit, as it is 10mb, what effect would it have if I turned off the cache ie cachingAllowed="false" rather than having to increase

Re: Verifying Tomcat downloads

2023-11-03 Thread Mark Thomas
On 03/11/2023 15:45, James H. H. Lampert wrote: Forgive me if this might be a bit off-topic. But I haven't found a lot of resources on the subject (and that includes a search of List archives). For years now, I've been ignoring the note on the Tomcat download pages to verify the downloads,

Re: FYI - Gump will be moving to Java 22 EA shortly

2023-11-03 Thread Mark Thomas
Hi all, It took a little longer than I expected to do this. I've just switched vmgump to Java 22. The first run should start in ~4.5 hours. Mark On 24/10/2023 12:32, Mark Thomas wrote: Hi all, Tomcat now needs Java 22 to build the development branch so I'll be moving Gump to use Java 22
