Re: POST + 500 + Response returns no content

2017-03-13 Thread Marc Boorshtein
> > > > >> E.g. "Transfer-Encoding: chunked" and "Content-Length" are mutually >> exclusive, cannot be used at the same time, cannot be used more than >> once. They should not be blindly copied. >> > > Good question on that, I can take a look. I remove Content-Length from > the downstream

Re: POST + 500 + Response returns no content

2017-03-13 Thread Marc Boorshtein
> > > > Status 500 means that some error happened during processing. > > Is there anything in the logs? Exceptions? > > The 500 was generated by a downstream Tomcat 8.5.11 server, this one is just trying to proxy the message. > Maybe the browser closes the connection by its own decision,

Re: POST + 500 + Response returns no content

2017-03-13 Thread Marc Boorshtein
> > > I'm working directly with the servlet api. What's odd is it worked fine in > 8.0.39. The response is set first: > > > Also, I just verified the issue doesn't occur using undertow 1.3.25

Re: POST + 500 + Response returns no content

2017-03-12 Thread Marc Boorshtein
Mark & Olaf, I'm working directly with the servlet api. What's odd is it worked fine in 8.0.39. The response is set first: https://github.com/TremoloSecurity/OpenUnison/blob/1.0.9/unison/unison-server-core/src/main/java/com/tremolosecurity/proxy/filter/PostProcess.java - lines 110-121 Then I

POST + 500 + Response returns no content

2017-03-11 Thread Marc Boorshtein
I'm running tomcat 8.0.41 on a CentOS7 Docker container. Something very strange is happening. If I use a GET and return a 200 with JSON content the data gets back to my browser. But if I run a POST and return a 500 with the content being JSON written to response.getOutputStream() (including a

Re: Very Strange 404 to JSP with getRequestDispatcher().forward()

2015-12-24 Thread Marc Boorshtein
> > > > Your request wrappers store their own reference to a > HttpServletRequest in addition to the one stored by the > ServletRequestWrapper class. > > > My guess is that your issue will be solved if you either override > ServletRequestWrapper.setRequest() to update your request field, or > use

Very Strange 404 to JSP with getRequestDispatcher().forward()

2015-12-24 Thread Marc Boorshtein
All, I'm having a very strange issue with request.getServletContext().getRequestDispatcher().forward(). It gives me a 404 on a JSP page that if I go to directly, works fine. This is with tomcat 8.0.30 on OSX on JDK: java version "1.7.0_65" Java(TM) SE Runtime Environment (build 1.7.0_65-b17)

Re: Very Strange 404 to JSP with getRequestDispatcher().forward()

2015-12-24 Thread Marc Boorshtein
> > You have to provide the actual source code. > > There is an example in the examples webapp that performs forwarding to > a JSP and it works, > > \webapps\examples\WEB-INF\classes\ServletToJsp.java > > So the good news is that I got it to work by getting rid of any of the methods that were

How to create custom session and cookie?

2013-09-08 Thread Marc Boorshtein
I'm trying to figure out how I can create custom session cookies. I've found the Manager interface for creating the sessions, but there's nothing about the actual session cookie. I don't see anything in the Valve interface that will let me do this either. Is this possible in Tomcat 7 (or 8?).

Re: How to create custom session and cookie?

2013-09-08 Thread Marc Boorshtein
I need to be more dynamic. I need to be able to set the session name and domain based on the url. On Sep 8, 2013 9:12 AM, Michael-O 1983-01...@gmx.net wrote: On 2013-09-08 14:15, Marc Boorshtein wrote: I'm trying to figure out how I can create custom session cookies. I've found the Manager

Re: OT: Petition to the White house to expand the use of FreeSoftware

2012-02-14 Thread Marc Boorshtein
Governments Not Unix? sounds counter productive... On Tue, Feb 14, 2012 at 12:56 PM, Andrew Todd andrew.todd...@gmail.com wrote: On Tue, Feb 14, 2012 at 11:51 AM, Christopher Schultz ch...@christopherschultz.net wrote: Stallman as a government adviser? :) Shouldn't that be GNU/Government?

Re: Request headers created in valve don't make it to application

2011-06-01 Thread Marc Boorshtein
So I tried moving the configuration of the valve into the app's META-INF/context.xml with no success. One thing I didn't mention that is interesting is that I do set the request's setUserPrincipal(..) and that works. Thanks Marc On Tue, May 31, 2011 at 5:27 PM, Marc Boorshtein mboorsht

Re: Request headers created in valve don't make it to application

2011-06-01 Thread Marc Boorshtein
Can you try this: request.addHeader(attrib.getName(), val); logger.info("After added header: " + attrib.getName() + "=" + request.getHeader(attrib.getName())); I wonder if the header value is being ignored because the request is frozen or something like that.

Re: Request headers created in valve don't make it to application

2011-06-01 Thread Marc Boorshtein
Hi, Marc- Is that a carriage return and/or line feed before the attribute name in the log file or just the formatting of the e-mail? -Terence Bandoian just email formatting

Re: Request headers created in valve don't make it to application

2011-06-01 Thread Marc Boorshtein
To quote one of my favorite tv shows, well there's your problem! Thanks, I'll give this a try. Marc Sent from my iPad On Jun 1, 2011, at 4:47 PM, Mark Thomas ma...@apache.org wrote: On 01/06/2011 16:16, Marc Boorshtein wrote: So for some reason the addHeader is not doing anything I'm

Re: Request headers created in valve don't make it to application

2011-06-01 Thread Marc Boorshtein
On 01/06/2011 16:16, Marc Boorshtein wrote: So for some reason the addHeader is not doing anything I'm guessing you haven't looked at the source for this yet. org.apache.catalina.connector#addHeader(String,String) is a NOOP. It was removed for Tomcat 7. You want

Request headers created in valve don't make it to application

2011-05-31 Thread Marc Boorshtein
I've got a simple Valve that creates some headers running on Tomcat6 6.0.32 that creates headers by calling request.addHeader(...). The valve is configured in tomcat_home/conf/context.xml. The valve runs, the headers are added but they don't make it to the underlying web application. Am I

Re: Request headers created in valve don't make it to application

2011-05-31 Thread Marc Boorshtein
Do you have any filters or other valves that might be wrapping the request and choosing to ignore your extra headers? No, the app is just a servlet that loops over all the headers and cookies and generates a properties response 1) Show us your modified conf/context.xml. !-- The contents

JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein
I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle Linux 5 (CentOS 5 equiv) with SSL setup. With JkExtractSSL and the correct SSLOptions in the httpd configuration files. I can see the SSL environment variables in /cgi-bin/printenv but no headers or environment variables in

Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein
And your SSLOptions are what exactly? Also Tomcat and mod_jk version info might be relevant. LoadModule jk_module modules/mod_jk.so LoadFile /home/sys/ssl-poc/webgate/access/oblix/lib/libgcc_s.so.1 LoadFile /home/sys/ssl-poc/webgate/access/oblix/lib/libstdc++.so.5 SSLOptions +StdEnvVars

Re: JkExtractSSL not sending SSL information to tomcat

2011-05-24 Thread Marc Boorshtein
Marc, On 5/24/2011 11:39 AM, Marc Boorshtein wrote: SSLOptions +StdEnvVars SSLOptions +ExportCertData JkExtractSSL On VirtualHost _default_:9443 I'm not entirely sure about the JkExtractSSL option, but some other mod_jk options are not copied into all virtual hosts. You might want

Re: Malicious host is crashing my server

2010-11-07 Thread Marc Boorshtein
JDBC? Are you sure it's not an attempted SQL Injection attack? On Sun, Nov 7, 2010 at 12:23 PM, Assaf ass...@yahoo.com wrote: Hello, I have a recurring visitor (from a fixed IP address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my site and EACH time causes the server

Re: Malicious host is crashing my server

2010-11-07 Thread Marc Boorshtein
Do a search on SQL injection and you will get plenty of results Sent from my iPad On Nov 7, 2010, at 1:03 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Martin Gainty [mailto:mgai...@hotmail.com] Subject: RE: Malicious host is crashing my server the culprit will change

Re: Malicious host is crashing my server

2010-11-07 Thread Marc Boorshtein
Message From: Marc Boorshtein mboorsht...@gmail.com To: Tomcat Users List users@tomcat.apache.org Sent: Sun, November 7, 2010 7:08:01 PM Subject: Re: Malicious host is crashing my server Do a search on SQL injection and you will get plenty of results Sent from my iPad On Nov 7

Re: Still having problem retrieving user value from ISAPI Filter for authentication

2010-06-23 Thread Marc Boorshtein
On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda melindasa...@texashealth.org wrote: Let me ask, what maybe a stupid question now, but when I print out the enumeration value of the request header names, see below, using request.getHeaderNames() should the user be listed as one of the headers

Re: Still having problem retrieving user value from ISAPI Filter for authentication

2010-06-22 Thread Marc Boorshtein
I haven't tried this with IIS, but we had quite the discussion on this last week with Apache tomcat with JK. In your server.xml file add tomcatAuthentication=false to the AJP connector object. If you look in the archives of this list for JK_REMOTE_USER there is a very interesting discussion on

Re: Still having problem retrieving user value from ISAPI Filter for authentication

2010-06-22 Thread Marc Boorshtein
On Tue, Jun 22, 2010 at 8:16 AM, Savoy, Melinda melindasa...@texashealth.org wrote: Thanks Marc.  I actually have that setting in my server.xml file as well. Hmm, I've only gotten the ISAPI filter working once and not in this context. Unless there are other ways to do this Pid's idea is

Re: Still having problem retrieving user value from ISAPI Filter for authentication

2010-06-22 Thread Marc Boorshtein
Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. This

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
I'm not looking to start a holy war here, but is there anything incorrect in what I said?  Tomcat is a servlet container, the servlet Yes. You made a sweeping statement about container managed security which implied that things should just work.  Someone has to make them work. As an app

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
On Thu, Jun 17, 2010 at 9:11 AM, Mark Thomas ma...@apache.org wrote: On 17/06/2010 13:26, André Warnier wrote: I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
Hi. I must say that, with my limited knowledge of the Tomcat internals taken into consideration, I tend to agree with Marc in this case, if he is right in claiming that the Tomcat Realm mixes authentication with authorization and does not allow to separate the two. Well, he said he's

Re: Setting JK_REMOTE_USER help

2010-06-17 Thread Marc Boorshtein
You're talking about having to change your app, but you've only described having to make modifications to a Tomcat internal support class. You seem to be saying that Tomcat has a compliancy issue - IMO the problem with leaving that unchallenged is that it breeds misunderstanding that would

Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
All, I'm trying to setup apache in front of tomcat and have apache do the authentication for access and pass the user's context back to tomcat. I've seen documentation that says that I should set the JK_REMOTE_USER environment variable but it doesn't seem to be working. Here is my httpd

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
You should not need to do that, it should be automatic. Just make sure that in the Tomcat Connector for AJP (in server.xml), you set the attribute tomcatAuthentication=false If the request is authenticated by Apache, mod_jk will (always) pass it internally to Tomcat, along with the

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
OK, some context first: What I'm trying to do is integrate a Commercial Off The Shelf (COTS) application that relies on container security into a Web Access Manager (WAM). In a typical WAM deployment AAA is broken up into multiple layers: Web Server - Authentication (via the WAM) and

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
Sent from my iPhone On Jun 16, 2010, at 11:12 AM, David kerber dcker...@verizon.net wrote: On 6/16/2010 10:58 AM, Marc Boorshtein wrote: ... That being said, the sequence of events should be: 1. Web server authenticates the user (works) 2. Pass the context to Tomcat (works) 3. Tomcat

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
To look at this from a very strict point of view, the whole area is already a bit stretched.  Tomcat has this notion of roles (because the Servlet Spec has this same notion).  But if you look at common authentication schemes, like NTLM or LDAP, they do not have this notion.  It is possible

Re: Setting JK_REMOTE_USER help

2010-06-16 Thread Marc Boorshtein
The problem with the Realm system is it's designed with the assumption that tomcat is doing the authentication which is not a valid assumption in an environment where the authentication is separated from authorization.  The entire point of container security is that as a coder I don't have to