RE: Weird CSRF prevention behavior

2023-12-12 Thread Berneburg, Cris J. - US
Chris CS> HTTP POST should not be prohibited unless I'm reading CS> both the code and the CSRF specs incorrectly. cjb> Pretend that it does. How would you solve that? CS> You have to manually add the CSRF token in each CS> in a hidden FORM parameter. It's doable, but it sucks to CS> have to

RE: Weird CSRF prevention behavior

2023-12-11 Thread Berneburg, Cris J. - US
Hi Chris > Any ideas? About EITHER issue? > Ping. Any ideas? Yeah, and hopefully you won't gag too much. :-P [SNIP] > My application is using log4j2, but that library is only used by the > application > and the JAR file is in WEB-INF/lib/. I wouldn't expect that it would interfere > with

RE: Java 9+ and custom JCE/JSSE providers

2023-11-02 Thread Berneburg, Cris J. - US
Amit > -Djava.security.properties=file:/path/to/java_security_properties_file That "file:" prefix looks like Spring syntax. Is the prefix needed on the JVM command line? -- Cris Berneburg CACI Senior Software Engineer -Original Message- From: Amit Pande Sent: Tuesday, October 31,

RE: Get Client Certificate Information

2023-06-29 Thread Berneburg, Cris J. - US
Hi Timothy Sorry, I'm a little late to the party for a reply. On an older project, when pulling cert info (using javax), we grabbed it from the session, not the request, even though the attribute name says "request". HttpSession session = httpRequest.getSession(); Object rawSubject =

RE: [OT] SSO Token not found with RewriteRules

2023-01-24 Thread Berneburg, Cris J. - US
Hey Chris > I always include a ROOT context so I don't get nasty errors if > there is some kind of misconfiguration at the proxy, etc. It also > allows rewrites to be done "outside" of "the application", etc. Out of curiosity, what do you put in that ROOT context? A dummy / placeholder or the

RE: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-22 Thread Berneburg, Cris J. - US
. Short note from my side: WinSxS is the cache for Windows updates. You should not copy from that location and also don't mess around with Windows internal folders. From: Berneburg, Cris J. - US <cberneb...@caci.com.INVALID> Sent:

RE: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-22 Thread Berneburg, Cris J. - US
","RegQueryValue","HKLM\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Tomcat10\Parameters\Log\LogJniMessages","NAME NOT FOUND","Length: 16" "1:39:55.6939013 PM","Tomcat10.exe","12464","RegQueryValue&

RE: which missing file prevents tomcat 10 from starting as windows service ?

2022-09-21 Thread Berneburg, Cris J. - US
Hi Larry Some general guessing questions: 1. Does the Windows Event Viewer provide any insight into the service failing? 2. Is this possibly one of those issues due to a missing msvcr100.dll? - Cris B. -Original Message- From: Heidt, Larry Sent: Monday, September 19, 2022 5:15 PM To:

RE: Fwd: users Digest 17 Aug 2022 09:26:06 -0000 Issue 14393 - "BLANK" DIGEST MESSAGE ATTACHMENTS

2022-09-08 Thread Berneburg, Cris J. - US
Terence > I created an issue for the blank digest messages: > https://issues.apache.org/jira/browse/INFRA-23675 > which appears to be due to a missing CRLF sequence following > the header section. It's currently "WAITING FOR INFRA" so > I don't think anyone has had a chance to look at it. Thanks

RE: Fwd: users Digest 17 Aug 2022 09:26:06 -0000 Issue 14393 - "BLANK" DIGEST MESSAGE ATTACHMENTS

2022-09-08 Thread Berneburg, Cris J. - US
> 2. Also, some digest messages are blank for me, but other > folks' replies to them are not. It's often original messages > from specific users. Maybe we can compare what we see. > Not using multiple client apps, I don't know if the blankness > is due to client app misinterpretation or if the

RE: Fwd: users Digest 17 Aug 2022 09:26:06 -0000 Issue 14393 - "BLANK" DIGEST MESSAGE ATTACHMENTS

2022-09-08 Thread Berneburg, Cris J. - US
Hi Terence I have similar issues. > First, I was suddenly unable to send e-mail to the list using an > e-mail address that I have used on the list since at least 2005, > as mentioned above. I got around this by (re)subscribing to both > users and users-digest. This may be why you found my e-mail

RE: [ANN] New committer: Han Li

2022-09-08 Thread Berneburg, Cris J. - US
Congrats Han! :-D -- Cris Berneburg CACI Senior Software Engineer -Original Message- From: Mark Thomas Sent: Tuesday, September 6, 2022 3:38 AM To: Tomcat Developers List ; Tomcat Users List Subject: [ANN] New committer: Han Li Please join me in congratulating Han. Kind regards,

RE: Rename version 10.1 to 11

2022-03-18 Thread Berneburg, Cris J. - US
Chris, and the rest of the TC team cs> Note that Java 10 will auto-migrate older applications for you cs> without modification. It's kind of a friendly bootstrapping feature cs> to help developers make the transition to pre-Jakarta-EE to cs> port-Jakarta-EE. Thaaanks! :-) cs> the transition

RE: Odd EL resolution issue - java.lang.NoClassDefFoundError: package/Class1 (wrong name: package/class1)

2022-03-03 Thread Berneburg, Cris J. - US
Mark, et al > Running Tomcat in a container via Docker Desktop on a Windows host > with the web application served from a location on the host mounted > /bound to the container is insecure. So the app resides on the "host" OS file system and is mounted into the Docker "guest" container, rather

RE: Tomcat 9 can not start on windows 10 as service

2022-02-10 Thread Berneburg, Cris J. - US
w> I install tomcat 9 using downloaded installation package. It was installed successfully. w> I made tomcat manager working. I deployed my application... Suddenly, tomcat stopped. w> Then I try to restart it using windows service. I got error 5: access denied. I uninstalled w> tomcat and

RE: compression?

2021-08-10 Thread Berneburg, Cris J. - US
Hi Mark crisb> P.S.: If a documentation update is recommended, crisb> I would be happy to make the changes, crisb> but I would probably need guidance for that too. ;-) markt> Source file is here: markt> https://github.com/apache/tomcat/blob/main/webapps/docs/config/http.xml markt> A pull

RE: compression?

2021-08-02 Thread Berneburg, Cris J. - US
Thanks Mark :-) crisb> Is it possible to connect IIS to TC using HTTP instead of AJP? crisb> Several "Tomcat IIS How-To" articles all mention using AJP crisb> (not HTTP) using an ISAPI redirector. markt> In theory, yes. You'd need to find an HTTP reverse proxy component for IIS. markt> This

RE: compression?

2021-07-27 Thread Berneburg, Cris J. - US
Carsten and Mark Thanks for the info. :-) crisb> Weird, when going thru IIS to TC, it's not compressed c.klein> IIS fetches the requested resource from TC, acting as an HTTP client (or are you using AJP with IIS?). markt> IIS will be using AJP to talk to Tomcat which doesn't support

RE: compression?

2021-07-23 Thread Berneburg, Cris J. - US
Thanks Mark! cb> 1. compressionMinSize - What are the units, bytes? Markt> Yes. cb> 2. compressibleMimeType - If you specify a type explicitly, [...] Are [the defaults] cb> over-ridden, so they need to be specified explicitly too? Or is it cumulative? Markt> Default is over-ridden. OK, that

RE: Log4j2 logging with Tomcat 9 web app

2021-07-21 Thread Berneburg, Cris J. - US
Hi Ravi :-) > My web app is based on Tomcat 9.0.45 server. I have migrated from Tomcat 7 to > Tomcat 9 > and from log4j 1.x to log4j 2.x. I have updated the log4j2.properties as per > log4j 2.x standard, > still my tomcat.log file is not getting generated and all the application log > are

compression?

2021-07-21 Thread Berneburg, Cris J. - US
Hi Folks :-) Got some questions about turning on compression. Looking at the documentation (I did not read the whole thing, just the portions in question), I still need some clarification. https://tomcat.apache.org/tomcat-8.5-doc/config/http.html 1. compressionMinSize - What are the units,

RE: Strange error with JSP

2021-06-29 Thread Berneburg, Cris J. - US
Hi Chris Was there a final resolution to this? -- Cris Berneburg CACI Senior Software Engineer -Original Message- From: Christopher Schultz Sent: Wednesday, June 2, 2021 1:52 PM To: Tomcat Users List Subject: Strange error with JSP All, I don't do too much work with JSPs, but I do

RE: 500 instances of tomcat on the same server

2021-06-29 Thread Berneburg, Cris J. - US
Eric and Mark Just curious... Eric> We can run 75 to 125 instances of tomcat on a single Linux server Eric, Do you have or need a centralized way of managing all those instances? It sounds like different support groups connect to their own instances, if I understand correctly. Mark> if

RE: Strange error with JSP

2021-06-07 Thread Berneburg, Cris J. - US
Chris [major snippage] CS> app/work/Catalina/localhost/[$context]/org/apache/jsp/admin/ CS> SessionSnooper_jsp.java exist and have file-dates from way back CS> in 2016. (No recent changes) CS> This is Tomcat 8.5.65 from a stock ASF-distributed tarball, CS> launched using "catalina.sh start".

RE: [OT] web app big memory usage?

2021-06-03 Thread Berneburg, Cris J. - US
Thanks Chris [snip, snip, snippety-snip] CS> What's the database? And the driver? Oracle 19, oracle.jdbc.OracleDriver - jdbc:oracle:thin. CS> MySQL Connector/J used to (still does?) read 100% of the results CS> into the heap before Statement.executeQuery() returns unless you CS> specifically

RE: Strange error with JSP

2021-06-03 Thread Berneburg, Cris J. - US
Hi Chris cs> This is a relatively simple JSP. There are no tag libraries in use and cs> there are 3 imports of JSPs which contain some static utility functions. Sorry, no technical suggestions, but some questions... Can you load those 3 dependent JSP's in a browser via URL (or are they

RE: [OT] web app big memory usage?

2021-06-01 Thread Berneburg, Cris J. - US
Hi Chris [lots of snippage] cb> One of our web apps is using a "lot" of memory, specifically a big cb> user query. We'd like to find out why. cb> 1. Is there a way to analyze uncollected garbage? cb> * AWS EC2 instance. cb> * There are other TC instances on the same server. cb> * Each TC

RE: [OT] web app big memory usage?

2021-06-01 Thread Berneburg, Cris J. - US
Hi Raghunath cb> One of our web apps is using a "lot" of memory, cb> specifically a big user query. We'd like to find out why. cb> 1. Is there a way to analyze uncollected garbage? rm> You could try using the Oracle utility - "jstat" - for analyzing rm> the GC in an active Java process (PID)

RE: [OT] web app big memory usage?

2021-05-28 Thread Berneburg, Cris J. - US
Hi John :-) cb> 1. Is there a way to analyze uncollected garbage? cb> 2. Is that a reasonable way to identify potential memory usage problems? jeg> MAT has an option to "Keep unreachable options." It's under preferences. Thanks for the suggestion! I did not know about that option. jeg> It

RE: [OT] web app big memory usage?

2021-05-28 Thread Berneburg, Cris J. - US
Hi Amit :-) cb> 1. Is there a way to analyze uncollected garbage? cb> 2. Is that a reasonable way to identify potential memory usage problems? ap> Have you enabled the " Enable 'keep unreachable objects'" setting of MAT? ap> https://blog.gceasy.io/2015/12/11/eclipse-mat-titbits/ No, I had not

[OT] web app big memory usage?

2021-05-27 Thread Berneburg, Cris J. - US
Hi Folks :-) One of our web apps is using a "lot" of memory, specifically a big user query. We'd like to find out why. The Tomcat Web Application Manager Find leaks button said that "No web applications appear to have triggered a memory leak on stop, reload or undeploy." Tomcat Manager

RE: temp folder?

2021-05-07 Thread Berneburg, Cris J. - US
Hi Mark Thanks for getting back with me. :-) markt> What is the setting for unpackWARs for Host? These are the host settings in server.xml: name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" deployOnStartup="false" markt> Running directly from a WAR (with

temp folder?

2021-05-05 Thread Berneburg, Cris J. - US
Hi Folks Sometimes we get strange errors after deployments to our test server. We just "solved" some weirdness by manually cleaning out the TC temp folder(s) - again. Googling confirms what I thought about the TC work versus temp folder: * "work stores compiled JSPs and other assets". * "temp

RE: [OT?] caching DB items in startup listener

2021-04-16 Thread Berneburg, Cris J. - US
Hi Chris cb> I was thinking of a servlet request (or something) that is called on cb> startup that could also be called later on-demand(?). cs> How would you trigger that servlet to be called on startup? cs> Some kind of script that does catalina.sh && sleep $time cs> && curl

RE: [OT?] caching DB items in startup listener

2021-04-14 Thread Berneburg, Cris J. - US
Hi Thomas Thanks for the info and your opinion! :-) cb> 1. Is performing DB heavy-lifting operations in ServletContextListener cb> a "reasonable" practice? cb> 2. Is there a "better" way of caching said items at application cb> startup? tm> What happens when the DB has problems when the

RE: [OT?] caching DB items in startup listener

2021-04-14 Thread Berneburg, Cris J. - US
Hey Chris cb> 1. Is performing DB heavy-lifting operations in ServletContextListener a "reasonable" practice? cb> 2. Is there a "better" way of caching said items at application startup? cs> IMHO there is no better way than using a ServletContextListener to load things at startup. OK, good

[OT?] caching DB items in startup listener

2021-04-08 Thread Berneburg, Cris J. - US
Hi Folks I'm working on an old legacy app and noticed something. It caches a bunch of info (lookup table data) from the database using a ServletContextListener. I think opening DB connections in a listener is reasonable. While there is no business logic in the listener, I'm not sure doing a

RE: Low throughput with HTTP2

2020-09-25 Thread Berneburg, Cris J. - US
Thanks again Mark :-) mt> how that Map is pruned (it is currently too aggressive) mt> if Tomcat is processing 10k req/s just keeping track of mt> the last 30s is potentially 300k streams. How to do that mt> efficiently for all usage patterns is a problem that mt> needs some thought. Sounds a

RE: Low throughput with HTTP2

2020-09-23 Thread Berneburg, Cris J. - US
Hi Mark Thanks for taking the time to explain that to me. :-) A few more questions, if you don't mind. cjb> TC thinks the stream should be closed when the client cjb> thinks the stream is still open? Basically RST_STREAM cjb> is a keep-alive? mt> No. The stream closed cleanly. The client is

RE: Low throughput with HTTP2

2020-09-22 Thread Berneburg, Cris J. - US
Hi Mark As with most topics here, I struggle to understand what is being discussed. :-) So please bear with me. > improving how Tomcat handles traffic like this. > > Looks like Tomcat could prune the closed streams > less aggressively. > > At the moment it waits until there are >

RE: [OT] RE: How to get the tag name from within a taglib class ?

2020-09-15 Thread Berneburg, Cris J. - US
Thanks Chris! CS> IMO, the JSP effort was a stepping-stone on a path to better CS> technologies like Velocity, FreeMarker, and others. If I were CS> king, JSP would just go away. Just my POV of course [...] cjb> what do you like better about Velocity, FreeMarker, etc. cjb> more than JSP? CS> I

[OT] RE: How to get the tag name from within a taglib class ?

2020-09-14 Thread Berneburg, Cris J. - US
Hey Chris CS> IMO, the JSP effort was a stepping-stone on a path to better CS> technologies like Velocity, FreeMarker, and others. If I were CS> king, JSP would just go away. Just my POV of course, you are CS> welcome to fall in love with JSP. :) Seeing as I am ever on the trailing edge of

RE: How to get the tag name from within a taglib class ?

2020-09-14 Thread Berneburg, Cris J. - US
Rony RF> If possible I would like to write a single tagclass, but use it RF> for two or more different tags, as the implementation would share RF> quite a lot of code. Besides, it might be helpful for debugging. CS> Feel free to build a base class with the shared code and then implement CS> the

RE: Security audit raises questions (Tomcat 7.0.93)

2020-03-18 Thread Berneburg, Cris J. - US
Hi JHHL > security audit on the Tomcat server we maintain My condolences. :-) We've gone through several scans over the past couple years too. Yeah, it's a pain. If you can get the report details, it may provide enough info to pinpoint the exact problems. Checkmarx scanning software does,

RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread Berneburg, Cris J. - US
-Original Message- From: Christopher Schultz > "things to look into when I retire and my house is totally clean and > my kids are finally out of the house" so of course, I'll never get around to > it. +1 :-) -- Cris Berneburg CACI Lead Software Engineer

RE: Security vulnerabilities with tomcat 9

2019-07-24 Thread Berneburg, Cris J. - US
Hi Sumit Please see my response below your question. -Original Message- From: Sumit Bhardwaj Sent: Saturday, July 20, 2019 8:48 AM To: Tomcat Users List Subject: Security vulnerabilities with tomcat 9 > Hi, > > We are using tomcat 9 and getting following two vulnerabilities in

RE: 4 Apache Events in 2019: DC Roadshow soon [etc]

2019-03-19 Thread Berneburg, Cris J. - US
-- Christopher Schultz (cs) wrote 3/12/19: -- Rich Bowen (rb) wrote 3/6/19: rb> * Apache Roadshow DC is in [2] weeks. Register now at rb> https://apachecon.com/usroadshowdc19/ cs> I'll be speaking at this event, and I'd love to meet some cs> local Tomcat-ers. It's $25 to attend; schedule

[OT?] RE: Tomcat 8.5.13 - random issue with HTTPS (blank page) - working good with HTTP

2019-03-11 Thread Berneburg, Cris J. - US
Hi Youness Please see my comments below -Original Message- From: youness.dakk...@bnpparibasfortis.com Sent: Wednesday, March 6, 2019 7:55 AM To: Tomcat Users List Subject: RE: Tomcat 8.5.13 - random issue with HTTPS (blank page) - working good with HTTP > This is the content of the

RE: tomcat Finding!

2018-12-26 Thread Berneburg, Cris J. - US
Hi Danyaal dh> I'm encountering following scan finding errors dh> and couldn't find way to mitigate this. dh> Tomcat 8.5.32 dh> 12085 dh> Apache Tomcat Default Files dh> The following default files were found dh> :/nessus-check/default-404-error-page.html dh> Delete the default index page and

RE: [slightly OT] Re: Tomcat 9 does not work with Java 11

2018-12-12 Thread Berneburg, Cris J. - US
Hi Andi am> Another try on a third Windows Server 2008 R2 that never contained Java or Tomcat. am> I am logged in as local administrator. am> Installed Java 11 and Tomcat 9. am> And again same error :( am> I would really appreciate any help. Sorry you are going through all this trouble. I have

RE: [slightly OT] Re: Tomcat 9 does not work with Java 11

2018-12-03 Thread Berneburg, Cris J. - US
Hi Ralf am> What I did now: am> - removed Tomcat services by service.bat am> - uninstalled all Tomcats (7 and 9) am> - uninstalled all Java (was only Version 11) am> - server reboot am> - Installed Java 11 (File: jdk-11.0.1_windows-x64_bin.exe) am> - reboot am> - Installed Tomcat 9 (File:

RE: reinstall TC service after java upgrade?

2018-11-09 Thread Berneburg, Cris J. - US
Thanks André cjb> I upgraded Java from 8u181 to 8u191 on our dev (JDK) and test cjb> (JRE) Windows 2012 servers today. After doing so, the Tomcat cjb> 8.5(.32) Windows services would no longer start. Removing and cjb> re-adding the service fixed the service. mt> You need to reconfigure

RE: reinstall TC service after java upgrade?

2018-11-07 Thread Berneburg, Cris J. - US
Thanks Mark cjb> I upgraded Java from 8u181 to 8u191 on our dev (JDK) and test (JRE) cjb> Windows 2012 servers today. After doing so, the Tomcat 8.5(.32) cjb> Windows services would no longer start. Removing and re-adding cjb> the service fixed the service. I don't remember having to

reinstall TC service after java upgrade?

2018-11-02 Thread Berneburg, Cris J. - US
Hi Folks I upgraded Java from 8u181 to 8u191 on our dev (JDK) and test (JRE) Windows 2012 servers today. After doing so, the Tomcat 8.5(.32) Windows services would no longer start. Removing and re-adding the service fixed the service. I don't remember having to re-install the TC Windows

RE: [OT] Oracle Java 11 discussion?

2018-10-19 Thread Berneburg, Cris J. - US
Chris cjb> large bureaucracy [...] I would not be cjb> surprised if there is a policy against dev kits and IDE's on cjb> production servers for security sake. Tomcat (whisper: with built-in cjb> compiler) is approved, but is the JDK allowed? Guess I can ask. cjb> Yeah, it's potentially a

RE: [OT] Oracle Java 11 discussion?

2018-10-19 Thread Berneburg, Cris J. - US
Hey Chris cjb> RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project, cjb> with specific Apache OpenJRE [version X] sub-projects, that maintain cjb> JRE [version X]'s indefinitely. One source (Apache) for all the cjb> different JRE's for the Java community at large, rather than

RE: [OT] Oracle Java 11 discussion?

2018-10-19 Thread Berneburg, Cris J. - US
Thanks Igal is> p.s. So happy to see that you finally moved from Tomcat 6 to 8.5. is> Perhaps you can share that experience in a separate thread and let is> others know if you ran into any major problems during that process. Will do. So far we've only run into 3 minor issues. -- Cris Berneburg

RE: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Berneburg, Cris J. - US
Thanks Igal mt> OpenJDK is very close to the Oracle JDK these days. I regularly run mt> Tomcat's unit tests with the latest OpenJDK and have yet to find an mt> issue that is OpenJDK specific. is> I asked Gil Tene about this a couple of weeks ago. Gil is a co- is> founder of Azul Systems, an

RE: [OT] Oracle Java 11 discussion?

2018-10-17 Thread Berneburg, Cris J. - US
Thanks Mark mt> The argument for a JRE vs a JDK is that the JDK includes mt> a compiler. The only reason Tomcat can run on a JRE and mt> still support JSPs (which require compilation) is that mt> Tomcat includes a Java compiler. I don't think the mt> security argument holds much water. I had not

[OT] Oracle Java 11 discussion?

2018-10-15 Thread Berneburg, Cris J. - US
Hi Folks What has anyone been thinking about the upcoming Oracle Java 11 release / support stuff? Frankly, I'm confused by it all and am still trying to wrap my brain around it. I have concerns about the potential implications for my little project, and also wonder about Tomcat at large.

RE: TC 8.5 cachingAllowed=false ramifications [and potential Resource CacheSelector specification]?

2018-10-09 Thread Berneburg, Cris J. - US
Mark cjb> SPECIFIC: The Excel files are [...] accessed only cjb> once. They don't need to be cached. Is it cjb> possible to declare only the Excel reports output cjb> folder as non-cache-able but leave the (default) cjb> context cache setting as-is so everything else cjb> can be cached in the

RE: TC 8.5 cachingAllowed=false ramifications?

2018-10-09 Thread Berneburg, Cris J. - US
Mark cjb> RAMBLE: The thing is, it worked in TC 6.0 cjb> but not 8.5. Is it possible a major change cjb> [...] Did TC 6.0 not cache files? mt> The resources implementation was completely mt> re-written for 8.x [...] I'm fairly sure mt> not found results weren't cached in 6.0.x. OK, thanks for

RE: TC 8.5 cachingAllowed=false ramifications?

2018-10-09 Thread Berneburg, Cris J. - US
Thanks Chris cjb> of TC 8.5.32 on Java 8u181, report output Excel cjb> files won't load (immediately). An error is cjb> displayed to the user. [...] cjb> 1. What are the ramifications of disabling the cache? cjb> IOW, what are the potential side-effects? [...] cjb> 2. Is there a "better" way to

RE: TC 8.5 cachingAllowed=false ramifications?

2018-10-04 Thread Berneburg, Cris J. - US
Thanks Mark cjb> Anyone have advice on, experience with, or cjb> info about setting cachingAllowed=false? cjb> [...] cjb> In our testing of TC 8.5.32 on Java 8u181, cjb> report output Excel files won't load cjb> (immediately). An error is displayed to cjb> the user. These Stack Overflow topics

RE: JasperException in production

2018-10-04 Thread Berneburg, Cris J. - US
Mark cjb> getting the dreaded JasperException in production. cjb> Don't know what changed to start causing this. Same cjb> thing happened in the test environment 9/4/18. We cjb> got around the problem in test by upgrading to Java cjb> 8u181 and Tomcat 8.5.30. cjb> cjb> JRE 8u171, 32 bit cjb>

RE: Apache failed to initialize connector

2018-10-04 Thread Berneburg, Cris J. - US
Hi Gael >> >> >> On 03/10/18 12:28, Gael REYNOARD wrote: >> >> >>> Hello everybody, >> >> >>> >> >> >>> OS : Windows 7 Pro x64 >> >> >>> Tomcat : 8.5.31 >> >> >>> >> >> >>> On a test bench, I reboot Windows to test one of our C# >> applications. >> >> >>> Sometimes after starting the OS, my

TC 8.5 cachingAllowed=false ramifications?

2018-10-04 Thread Berneburg, Cris J. - US
Hi Folks Anyone have advice on, experience with, or info about setting cachingAllowed=false? BACKGROUND: Our customer is suddenly getting a JasperException in production. To solve, we're planning to upgrade Tomcat to 8.5.x. In our testing of TC 8.5.32 on Java 8u181, report output Excel

JasperException in production

2018-10-04 Thread Berneburg, Cris J. - US
OK, now we're getting the dreaded JasperException in production. Don't know what changed to start causing this. Same thing happened in the test environment 9/4/18. We got around the problem in test by upgrading to Java 8u181 and Tomcat 8.5.30. JRE 8u171, 32 bit Tomcat 6.0.32, 32 bit

Re: help with org.apache.jasper.compiler.JDTCompiler issue?

2018-09-20 Thread Berneburg, Cris J. - US
I just remembered something. cjb> After reverting Java and our app, the app still cjb> won't run and still throws compilation errors. cjb> * Staging Server - after rollback cjb> JRE 8u171, 32 bit cjb> Tomcat 6.0.32, 32 bit (unchanged) cjb> App v3.3.2 cjb> * Partial stack trace: cjb>

Re: help with org.apache.jasper.compiler.JDTCompiler issue?

2018-09-20 Thread Berneburg, Cris J. - US
Konstantin, et al Well, it's all a moot point now. :-) cjb> After reverting Java and our app, the app still cjb> won't run and still throws compilation errors. cjb> * Staging Server - after rollback cjb> JRE 8u171, 32 bit cjb> Tomcat 6.0.32, 32 bit (unchanged) cjb> App v3.3.2 kk> My guess is

Re: help with org.apache.jasper.compiler.JDTCompiler issue?

2018-09-20 Thread Berneburg, Cris J. - US
Konstantin Thanks for jumping in to help out. :-) cjb> After reverting Java and our app, the app still cjb> won't run and still throws compilation errors. cjb> * Staging Server - after rollback cjb> JRE 8u171, 32 bit cjb> Tomcat 6.0.32, 32 bit (unchanged) cjb> App v3.3.2 kk> My guess is that

help with org.apache.jasper.compiler.JDTCompiler issue?

2018-09-19 Thread Berneburg, Cris J. - US
Hi Folks We can't figure out what's wrong with our staging server. After upgrading Java and our application, Tomcat started logging "Compilation error" exceptions. The login JSP page did not display. After reverting Java and our app, the app still won't run and still throws compilation

RE: how to prevent user access to JSP pages?

2018-08-22 Thread Berneburg, Cris J. - US
Hi Woonsan cjb> I'd like to prevent users from requesting JSP pages directly cjb> a. [...] adding a for each folder. cjb> b. [...] JSP files under the WEB-INF folder. wk> c. Implement a servlet filter which is mapped to /* with wk> dispatcher options: REQUEST, INCLUDE, FORWARD. The filter

RE: how to prevent user access to JSP pages?

2018-08-22 Thread Berneburg, Cris J. - US
Chris [combining messages] cjb> Am I mistaken, but does vulnerability scanning software cjb> seem to feed on that sort of thing? cs> Most vulnerability scanners just try to detect your server's cs> version and look-up any publicly-reported vulnerabilities in cs> e.g. NVD. They are really stupid

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
Chris (and Mark) Bingo! cjb> Due to security concerns and general fussiness on my part, I'd like cjb> to prevent users from requesting JSP pages directly [...]. That cjb> way I can legitimately claim that all requests are being validated, cjb> input scrubbed, JSP's cannot be taken advantage

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
Hi Mark Thanks for taking the time to reply. :-) cjb> Due to security concerns and general fussiness on my part, I'd like cjb> to prevent users from requesting JSP pages directly [...]. That cjb> way I can legitimately claim that all requests are being validated, cjb> input scrubbed, JSP's

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
Hi Woonsan Thanks for providing an "option C". :-) There is still much for me to learn. cjb> Due to security concerns and general fussiness on my part, I'd like cjb> to prevent users from requesting JSP pages directly [...]. That cjb> way I can legitimately claim that all requests are being

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
Hi Chris Thanks for your insight and reply. cjb> I'd like to prevent users from requesting JSP pages directly, cjb> except for the login page. cs> Why except for the login page? I would include the login page cs> as something that should be fronted with a (non-JSP) servlet, cs> even if that

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
Hi Louis Thanks for replying to my request for help. :-) cjb> Due to security concerns and general fussiness on my part, I'd like cjb> to prevent users from requesting JSP pages directly [...]. That cjb> way I can legitimately claim that all requests are being validated, cjb> input

RE: how to prevent user access to JSP pages?

2018-08-20 Thread Berneburg, Cris J. - US
David Thanks for taking the time to reply. :-) cjb> Due to security concerns and general fussiness on my part, I'd like to cjb> prevent users from requesting JSP pages directly [...]. That way I can cjb> legitimately claim that all requests are being validated, input scrubbed, cjb> JSP's

how to prevent user access to JSP pages?

2018-08-16 Thread Berneburg, Cris J. - US
Due to security concerns and general fussiness on my part, I'd like to prevent users from requesting JSP pages directly, except for the login page. I want all requests to be handled by servlets. That way I can legitimately claim that all requests are being validated, input scrubbed, JSP's

RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US
Mark Thanks for taking the time to help. Again, I appreciate it. cjb> We are getting dinged by a vulnerability scan for the default cjb> not-found error page being returned by Tomcat for a Status 404. cjb> [...] cjb> And we're using Tomcat 6.0.37 (ahem). MT> And you are worried about returning

RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US
Leon, Mark, and Alejandro Thanks for your time and suggestions. I appreciate it. cjb> We are getting dinged by a vulnerability scan for the default cjb> not-found error page being returned by Tomcat for a Status 404. cjb> [...] cjb> However, I can't find where the error-page for 404 is defined.

RE: tomcat 6 vulnerability scan default error page help

2018-05-07 Thread Berneburg, Cris J. - US
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, May 2, 2018 4:01 PM To: users@tomcat.apache.org Subject: Re: tomcat 6 vulnerability scan default error page help > On 02/05/18 20:51, Leon Rosenberg wrote: > > Hi Mark, > > > > I agree with you that the

tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Berneburg, Cris J. - US
We are getting dinged by a vulnerability scan for the default not-found error page being returned by Tomcat for a Status 404. On my dev server when requesting an invalid URL, Tomcat returns a Status 404 page that displays the Tomcat version. Right, I need to do something about that. However,

RE: Tomcat 9 ;jsessionid

2018-04-27 Thread Berneburg, Cris J. - US
Hi Greg -Original Message- From: Greg Huber [mailto:gregh3...@gmail.com] Sent: Thursday, April 26, 2018 4:53 AM To: Tomcat Users List Subject: Tomcat 9 ;jsessionid > Hello, > > One thing I have noticed with Tomcat 9.0.x I get a lot > ;jsessionid=xxx appended to

RE: Training material is now on-line

2018-04-23 Thread Berneburg, Cris J. - US
Thanks Mark [lots of snippage] MT> https://apache.github.io/tomcat-training/ cjb> Should "Client" actually be "Server" in Step 12: ChangeCipherSpec? cjb> Or did you already know about that? MT> It should and I didn't. I've just committed the fix. It should be MT> live in a few minutes. Thanks

RE: Training material is now on-line

2018-04-19 Thread Berneburg, Cris J. - US
Thanks Mark for making that available! My questions below. -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, April 11, 2018 6:32 PM To: Tomcat Users List Subject: Training material is now on-line > Hi all, > > Thanks to the magic

RE: [OT] Want help understanding missing piece in architecture

2018-03-05 Thread Berneburg, Cris J. - US
Thanks Chris for taking the time to provide such a detailed and educational answer. cjb> Now let's say that we want the Tomcat application to only do cjb> rendering. It connects to a different server, X, and no longer to the cjb> DB. The X server connects to the DB. Requests and data flow

[OT] Want help understanding missing piece in architecture

2018-03-02 Thread Berneburg, Cris J. - US
Hi Folks There's a concept I'm trying to wrap my brain around. It's similar to MVC, separating responsibilities between the display and model/controller layers. In terms of coding, I know how to make that happen. However, in terms of server architecture, I do not. For the purposes of

RE: Security of AJP

2018-02-28 Thread Berneburg, Cris J. - US
Chris and Chris -Original Message- > From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] > Sent: Wednesday, February 28, 2018 8:40 AM > To: Tomcat Users List > Subject: RE: Security of AJP > > Since AJP is not really needed by Tomcat; If I comment out

RE: tomcat 7.0 resurrecting directory while service is installed - running in command line mode?

2018-01-15 Thread Berneburg, Cris J. - US
Christoph While my response is late, and you seemed to have solved your problem, if you don't mind, I would like to attempt to clarify about quotes and spaces in Windows. -Original Message- From: Christoph P.U. Kukulies [mailto:k...@kukulies.org] Sent: Wednesday, January 10, 2018 6:39

RE: diff tomcat versions share the same CATALINA_BASE?

2017-12-18 Thread Berneburg, Cris J. - US
Chris Thanks again for taking the time to help. Please see below. >>> So I would recommend a separate CATALINA_BASE for each application's >>> support for a major Tomcat version. Note that you are welcome to >>> share WAR files for an application. >>> >>> Example: >>> >>> Tomcat 6

RE: diff tomcat versions share the same CATALINA_BASE?

2017-12-15 Thread Berneburg, Cris J. - US
Chris Thanks for taking the time to explain this to me. I'm still trying to absorb it all. More below. > > My question is this. Is it even possible or simply not recommended > > for both tomcat instances to share the same CATALINA_BASE? The work > > folder with compiled cache is buried in

diff tomcat versions share the same CATALINA_BASE?

2017-12-15 Thread Berneburg, Cris J. - US
I'm thinking about upgrading our tomcat from version 6.x to 8.5.x. Yeah, it's overdue. :-) In our test environment, I would like to install 8.5 in parallel with 6 for side-by-side comparison testing. Having never done it before, I'm also thinking about splitting the tomcat and document

RE: TomCat service is running but not responding

2017-10-23 Thread Berneburg, Cris J. - US
Darin > From: dbol...@dsginc.biz [mailto:dbol...@dsginc.biz] > Sent: Friday, October 20, 2017 9:47 AM > To: users@tomcat.apache.org > Subject: TomCat service is running but not responding > > I have a TomCat 8.5.23 service running on a Windows 2008 server. > The service would be running fine but

RE: 8.5 - multiple host configuration question

2017-09-11 Thread Berneburg, Cris J. - US
Chris and Chris (but not Chris) -Original Message- From: Chris Cheshire [mailto:yahoono...@gmail.com] Sent: Friday, September 08, 2017 9:16 PM To: Tomcat Users List Subject: Re: 8.5 - multiple host configuration question On Thu, Sep 7, 2017 at 5:29 PM,

RE: [OT] Unable to install Tomcat 9 on Windows 10

2017-07-26 Thread Berneburg, Cris J. - US
Hey Chris > From: Christopher Schultz [mailto:chris@...] > Sent: Friday, July 21, 2017 1:02 PM > To: users@tomcat.apache.org > Subject: Re: [OT] Unable to install Tomcat 9 on Windows 10 [SNIP] > I'm not such a miserable bastard as this thread would indicate Sounds like a great sig for you.

RE: Using Log4J2 2.8 (via the 1.2 API Bridge) for Tomcat8 Internal Logging - RollingFileAppender does not (cannot?) create new Log File

2017-04-13 Thread Berneburg, Cris J. - US
Ankit -Original Message- From: Berneburg, Cris J. - US Sent: Thursday, April 13, 2017 10:35 AM To: Tomcat Users List Subject: RE: Using Log4J2 2.8 (via the 1.2 API Bridge) for Tomcat8 Internal Logging - RollingFileAppender does not (cannot?) create new Log File >> The only p

RE: Using Log4J2 2.8 (via the 1.2 API Bridge) for Tomcat8 Internal Logging - RollingFileAppender does not (cannot?) create new Log File

2017-04-13 Thread Berneburg, Cris J. - US
Hi Ankit -Original Message- From: Ankit Agarwal [mailto:ankit_agarwal@...] Sent: Tuesday, April 11, 2017 12:28 PM To: Tomcat Users List Subject: Re: Using Log4J2 2.8 (via the 1.2 API Bridge) for Tomcat8 Internal Logging - RollingFileAppender does not (cannot?) create new Log File > Hi
