[ANN] Apache Tomcat 10.1.0-M6 (alpha) available

2021-10-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M6 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Specifying a Custom Authenticator Class

2021-10-02 Thread Mark Thomas
On 02/10/2021 01:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great idea,

Re: Tomcat 9.0.52 http2 flow control issues

2021-10-01 Thread Mark Thomas
On 20/09/2021 07:28, Mark Thomas wrote: On 10/09/2021 11:42, Mark Thomas wrote: Hi Erik, Thanks for the report. I'm looking at this now. I'm testing with a simple index page that references 3 largish images (~6MB each). I've found an issue with HTTP/2, sendfile and StackOverflowException

Re: tomcat presentations on ApacheCon 2021

2021-09-27 Thread Mark Thomas
On 27/09/2021 20:27, Усманов Азат Анварович wrote: Hi everyone! Does anybody know where/when to find the video/audio/slides (if any) from the last weeks's tomcat track on ApacheCon 2021?Because I completely missed it last week. I'm assuming all of these would be added to tomcat

Re: AW: JASPIC AuthConfigProvider packaged with the web application not found

2021-09-27 Thread Mark Thomas
On 23/09/2021 07:03, Keil, Matthias (ORISA Software GmbH) wrote: Hi Bernd, Yes, I would like to define my Server Auth module in the jaspic-providers.xml and then provide the class with the web application. Sorry, that isn't going to be supported. You either need to provide everything at the

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-09-27 Thread Mark Thomas
On 27/09/2021 15:55, Mark Thomas wrote: On 27/09/2021 09:08, Goldengate liu wrote: Hi Mark, I'm uploading some test files Thanks for the test case. I'm looking at this now. Bug found and fixed. One thing to note is that with chunked encoding it is possible for you to see isReady

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-09-27 Thread Mark Thomas
wrong? this is a basic use case. Thanks, Andrew On Sep 22, 2021, at 1:14 AM, Mark Thomas wrote: On 22/09/2021 08:22, Goldengate liu wrote: Hi Chris, Servlet 3.1 spec defines that ServletInputStream can be used to read as non-blocking way as long as there is dat

Re: Possible UpgradeInfo memory leak

2021-09-24 Thread Mark Thomas
On 23/09/2021 09:36, Harri Pesonen wrote: Hello, while looking at Tomcat 8.5.61 heap dump in VisualVM, in Dominators by Retained Size, two biggest ones are: org.apache.tomcat.util.net.NioEndpoint#1 12 382 781 B (13,7%) org.apache.coyote.http11.upgrade.UpgradeGroupInfo#1 7 066 212 B (7,8%) I

Re: Custom error page

2021-09-24 Thread Mark Thomas
On 24/09/2021 11:56, Jan Pernica wrote: Hi how can I easily create error page for the whole server? Currently if I add to conf/web.xml 500 /error/error.html 404 /error/error.html And put into webapps/ROOT/error/error.html page it works

Re: mirrors are broken?

2021-09-22 Thread Mark Thomas
On 22/09/2021 10:00, jean-frederic clere wrote: Hi, https://tomcat.apache.org/download-90.cgi gives me: +++ Error! /var/www/dyn/closer.lua:322: attempt to index local 'cdn_uri_check' (a nil value) +++ Have we broken something with the mirror logic? Or is my favorite mirror broken?

Re: Tomcat 9.0 async read becomes blocking

2021-09-22 Thread Mark Thomas
On 22/09/2021 08:22, Goldengate liu wrote: Hi Chris, Servlet 3.1 spec defines that ServletInputStream can be used to read as non-blocking way as long as there is data ready locally by calling isReady method and check the ready condition before calling read, and read should throw

Re: Tomcat 9.0 async read becomes blocking

2021-09-22 Thread Mark Thomas
On 21/09/2021 23:01, Javateck wrote: Hi Chris, Servlet 3.1 spec defines that ServletInputStream can be used to read as non-blocking way as long as there is data ready locally by calling isReady method and check the ready condition before calling read, and read should throw

Re: Tomcat 9.0.52 http2 flow control issues

2021-09-20 Thread Mark Thomas
On 10/09/2021 11:42, Mark Thomas wrote: Hi Erik, Thanks for the report. I'm looking at this now. I'm testing with a simple index page that references 3 largish images (~6MB each). I've found an issue with HTTP/2, sendfile and StackOverflowException that I have a local fix

[SECURITY] CVE-2021-41079 Apache Tomcat DoS

2021-09-15 Thread Mark Thomas
CVE-2021-41079 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.2 Apache Tomcat 9.0.0-M1 to 9.0.43 Apache Tomcat 8.5.0 to 8.5.63 Description: When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a

Re: Tomcat8.0.53 & Java related issues

2021-09-14 Thread Mark Thomas
On 14/09/2021 03:59, zhuyix...@orientalmind.com wrote: Dear Sir or Madam: Howdy. I'm a Java developer. I am learning related knowledge of Tomcat. Version for 8.0.53. At present, I have some problems and I hope I can get help. Currently I'm using the

[ANN] Apache Tomcat 10.0.11 available

2021-09-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.11. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M5 (alpha) available

2021-09-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M5 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Question about serving a 404

2021-09-10 Thread Mark Thomas
On 10/09/2021 16:44, James H. H. Lampert wrote: Our Tomcat team has been struggling with this issue for a few days: If a request comes in for https://foo.com/bar.html, which doesn't exist, then a 404 is returned, and we see a standard Tomcat 404 page. But if a request comes in for

Re: Tomcat 9.0.52 http2 flow control issues

2021-09-10 Thread Mark Thomas
Hi Erik, Thanks for the report. I'm looking at this now. I'm testing with a simple index page that references 3 largish images (~6MB each). I've found an issue with HTTP/2, sendfile and StackOverflowException that I have a local fix for. With that fix in place, I can see a flow control

Re: tomcat hangs

2021-09-09 Thread Mark Thomas
On 09/09/2021 11:50, Mehrdad Taagholi wrote: Hi I use apache tomcat 8.0.32 and oracle-jdk-8u66 and redhat 6. After working with the system for a few hours and the load on the system increases, suddenly the tomcat hangs and no logs are printed and it is not possible to connect via jvisualvm and

Re: Http TRACE method headers in response body

2021-09-09 Thread Mark Thomas
On 08/09/2021 20:50, Christopher Schultz wrote: Mark, On 9/8/21 11:28, Mark Thomas wrote: On 08/09/2021 16:15, Gilles Robert wrote: My issue is that even though TRACE is disabled, we see the "malicious" header in the response. You need to talk to the Spring folks then. Defa

Re: Http TRACE method headers in response body

2021-09-08 Thread Mark Thomas
ext. If a user agent does something else with the response, and especially if it does something reckless like treating it as HTML, then that is a security issue with the user agent, not the server. Mark On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote: On 08/09/2021 14:14, Gilles Rober

Re: Http TRACE method headers in response body

2021-09-08 Thread Mark Thomas
On 08/09/2021 14:14, Gilles Robert wrote: Hi, Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method is disabled by default and returns a 405 method not allowed, which is what I expect security-wise. My issue is that if one gives a malicious header: header: malicious:

Re: JNDIRealm does not retry on read timeouts or closed connections

2021-09-06 Thread Mark Thomas
On 06/09/2021 09:52, Osipov, Michael (LDA IT PLM) wrote: My question is: Mark, you have direct access to JBS, would you be willing to file this issue directly or do you want me to file through bugreport.java.com first and when it arrives in JBS you could drop a comment that this also

Re: AW: AW: Orphaned thread by JNDIRealm / clearReferencesThreads reports memory leak

2021-09-06 Thread Mark Thomas
release round. Mark Thank you and have a good start into the new week! Thomas -Original Message- From: Mark Thomas Sent: Monday, 6 September 2021 09:36 To: users@tomcat.apache.org Subject: Re: AW: Orphaned thread by JNDIRealm / clearReferencesThreads reports memory leak

Re: Exception in Log files

2021-09-06 Thread Mark Thomas
On 06/09/2021 08:16, Mohan T wrote: Hi, We could see the below exception in log files . java.io.FileNotFoundException: apache-tomcat-8.5.35/lib/commons-cli.jar (No such file or directory) The file is not there in that location. How to get rid of this exception With the information you

Re: AW: Orphaned thread by JNDIRealm / clearReferencesThreads reports memory leak

2021-09-06 Thread Mark Thomas
n and is reported as leaking during undeployment. Greetings, Thomas From: Mark Thomas Sent: Sunday, 5 September 2021 11:55 To: users@tomcat.apache.org Subject: Re: Orphaned thread by JNDIRealm / clearReferencesThreads reports memory leak Thomas, Try setting: useContextClassLoade

Re: Orphaned thread by JNDIRealm / clearReferencesThreads reports memory leak

2021-09-05 Thread Mark Thomas
Thomas, Try setting: useContextClassLoader="false" for the JNDIRealm. Mark On 02/09/2021 08:33, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, we are using the org.apache.catalina.realm.JNDIRealm for authentication of users against our windows AD. When undeploying the application, we

[ANN] Apache Tomcat Native 1.2.31 released

2021-09-02 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.31 stable. The key features of this release are: - Windows binaries built using OpenSSL 1.1.1l - Fix an issue when building with OpenSSl 3.0.0 Please refer to the change log for the complete list of changes:

Re: UserDatabaseRealm and DIGEST

2021-08-24 Thread Mark Thomas
On 24/08/2021 17:28, jonmcalexan...@wellsfargo.com.INVALID wrote: Ok, so I've been reading thru the documentation on DIGEST but not entirely sure I have it right. What is the best practice for DIGEST and what algorithms are allowed, such as is sha-256 allowed? First, a question of

Re: clearReferencesThreads issues warning about 2 threads, spawned by JDK in printing components

2021-08-23 Thread Mark Thomas
On 23/08/2021 08:10, Thomas Hoffmann (Speed4Trade GmbH) wrote: Is there anything, the application can prevent this? Yes. Call Thread.setContextClassLoader(ClassLoader) before calling the code that creates those threads, passing the common class loader. Afterwards, reset the TCCL back to
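The pattern Mark describes above (set the thread context class loader to the common class loader before calling JDK code that spawns long-lived threads, then restore it) as an added example in Java. This is not code from the list thread or from Tomcat itself. It assumes, as labelled in the comments, that inside a web application the web app class loader's parent is Tomcat's common class loader, and uses javax.print lookup only as a hypothetical trigger for the printing threads the subject line refers to.

```java
import java.util.concurrent.Callable;

/**
 * Added example: run code that creates background threads while the
 * thread context class loader (TCCL) points at a loader that outlives the
 * web application, so those threads do not pin the web app class loader
 * and trip clearReferencesThreads on undeploy.
 */
public final class TcclGuard {

    private TcclGuard() {}

    /**
     * Runs {@code work} with the current thread's TCCL temporarily set to
     * {@code loader}. The original TCCL is always restored in the finally
     * block, so the swap cannot leak into later request processing.
     */
    public static <T> T withContextClassLoader(ClassLoader loader, Callable<T> work)
            throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader original = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return work.call();
        } finally {
            current.setContextClassLoader(original);
        }
    }

    /**
     * Assumption (not stated in the thread): in a standard Tomcat deployment the
     * web application class loader's parent is the common class loader. Falls
     * back to the system class loader if there is no parent, which is still a
     * loader that outlives the web application.
     */
    public static ClassLoader commonClassLoader() {
        ClassLoader webapp = Thread.currentThread().getContextClassLoader();
        ClassLoader parent = webapp == null ? null : webapp.getParent();
        return parent != null ? parent : ClassLoader.getSystemClassLoader();
    }

    /**
     * Hypothetical trigger: the first javax.print lookup is the kind of JDK
     * call that starts background threads which capture the caller's TCCL.
     * Calling it through withContextClassLoader means those threads capture
     * the common class loader instead of the web app's.
     */
    public static int lookupPrintServicesSafely() throws Exception {
        return withContextClassLoader(commonClassLoader(), () ->
                javax.print.PrintServiceLookup.lookupPrintServices(null, null).length);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("print services found: " + lookupPrintServicesSafely());
        // The TCCL is back to its original value here.
        System.out.println("TCCL after call: " + Thread.currentThread().getContextClassLoader());
    }
}
```

Call the wrapper once, early (for example from a ServletContextListener), around the first use of the library that spawns the threads; later calls from the same JDK component reuse the threads that were already created, so they never pick up the web app class loader.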

[ANN] Apache Tomcat 8.5.70 available

2021-08-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.70. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers

Re: Tomcat "JNDI Datasource How-To" documentation & driver managers

2021-08-14 Thread Mark Thomas
On 14/08/2021 01:51, Andrew Tanton wrote: In the Tomcat "JNDI Datasource How-To" documentation page, there is an unusually opinionated section, which discusses the Java service provider (driver

Re: No way to return error from broken streaming connection?

2021-08-10 Thread Mark Thomas
esponse to clients. >> >> I'll move my question to a more appropriate forum. >> >> On Tue, 10 Aug 2021 at 02:45, Mark Thomas wrote: >> > >> > On 10/08/2021 02:25, Marcin Wisnicki wrote: >> > > I have a servlet (it's really a SpringBoot

Re: No way to return error from broken streaming connection?

2021-08-10 Thread Mark Thomas
On 10/08/2021 02:25, Marcin Wisnicki wrote: I have a servlet (it's really a SpringBoot controller but it shouldn't matter?) in Tomcat 9.0.46 that streams responses of unknown size to the browser. I've discovered that if the streaming process fails in the middle of the write, the client will

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-09 Thread Mark Thomas
On August 9, 2021 5:31:41 PM UTC, "James H. H. Lampert" wrote: >On 8/9/21 10:24 AM, Mark Thomas wrote: >> Future versions of Tomcat won't see this issue but if the customer is > >> prepared to update Tomcat to fix this issue then they might as well >just >>

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-09 Thread Mark Thomas
ar' -exec grep -l 'crimson' {} \;", I also get nothing. So unless anybody else has any ideas, I'm once again stuck, at least on this angle. Mark Thomas wrote: Tomcat 7 doesn't have JASPIC support so you'll never see this issue in Tomcat 7. . . . to which I replied (seriously, rather than

[ANN] Apache Tomcat 10.1.0-M4 (alpha) available

2021-08-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M4 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 10.0.10 available

2021-08-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.10. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

Re: Http11NioProtocol with TLS seems to be very slow for certain requests >= 9.0.48

2021-08-06 Thread Mark Thomas
On August 6, 2021 1:35:24 PM UTC, Benjamin Grenacher wrote: >Recently updated from 9.0.43 to 9.0.50 and are having similar symptoms >as already reported ("Possible Http11NioProtocol regression since >9.0.48?"). > >Integration test runs have shown this issue seems to occur for browser >tests

Re: Question for verification

2021-08-06 Thread Mark Thomas
On August 6, 2021 2:24:13 PM UTC, jonmcalexan...@wellsfargo.com.INVALID wrote: >Verifying an assumption. > >All modern versions of Tomcat (8.5 and above) are compatible with Java >11. Yes. We regularly test Tomcat with the early access versions of each Java release. We also have CI systems that

Re: Wrong logic for NONE as certificateKeystoreFile?

2021-08-06 Thread Mark Thomas
Thanks for the report. Fixed for the September release round. Mark On 05/08/2021 14:09, Mikael Sterner wrote: It seems like the logic implemented for NONE as certificateKeystoreFile deviates from the documentation. Currently NONE is always interpreted as a file path, even for PKCS11. Looks

Re: More information, Re: Tomcat 8.5.68 failing on takeoff!

2021-08-06 Thread Mark Thomas
On 06/08/2021 06:15, Christopher Schultz wrote: On 8/5/21 18:33, James H. H. Lampert wrote: java.lang.SecurityException: org.xml.sax.SAXNotRecognizedException: Feature: http://apache.org/xml/features/allow-java-encodings  

Re: Minor doc bug, DSS should be DSA for certificate type?

2021-08-06 Thread Mark Thomas
Hi Mikael, Thanks for spotting and reporting this. I've just fixed this typo in all the supported branches. The fix will be included in the September release round. Kind regards, Mark On 04/08/2021 19:13, Mikael Sterner wrote: In tomcat/webapps/docs/config/http.xml, it seems like the

RE: Xms Xmx in JAVA_OPT vs CATALINA_OPTS

2021-08-04 Thread Mark Thomas
On August 3, 2021 7:34:37 PM UTC, Adam Elliott wrote: Adam, As per the reasoning in Olaf's email you really should be using CATALINA_OPTS rather than JAVA_OPTS. Mark >From my understanding, setenv is not a default file, and any settings >inside are "custom". And all of these options are

Re: compression?

2021-07-27 Thread Mark Thomas
On 27/07/2021 13:08, Berneburg, Cris J. - US wrote: Carsten and Mark Thanks for the info. :-) crisb> Weird, when going thru IIS to TC, it's not compressed c.klein> IIS fetches the requested resource from TC, acting as an HTTP client (or are you using AJP with IIS?). markt> IIS will be

Re: Tomcat Usage Data Interest

2021-07-26 Thread Mark Thomas
On 26/07/2021 12:13, Coty Sutherland wrote: Hi all, I'm curious about whether or not we have/can get some information about the usage of Tomcat out in the wild. Things like download count across various versions (including archived version downloads) for the last few years, svn history and

Re: compression?

2021-07-23 Thread Mark Thomas
On 23/07/2021 18:53, Berneburg, Cris J. - US wrote: Thanks Mark! cb> 1. compressionMinSize - What are the units, bytes? Markt> Yes. cb> 2. compressibleMimeType - If you specify a type explicitly, [...] Are [the defaults] cb> over-ridden, so they need to be specified explicitly too? Or is it

Re: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50

2021-07-23 Thread Mark Thomas
for your cooperation. -Original Message- From: Mark Thomas Sent: Friday, July 23, 2021 2:56 AM To: users@tomcat.apache.org Subject: Re: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50 On 22/07/2021 22:06, jonmcalexan...@wellsfargo.com.INVALID wrote: I have a team

Re: Strange incomplete response/truncation with Tomcat 9.0.48 AND 9.0.50

2021-07-23 Thread Mark Thomas
On 22/07/2021 22:06, jonmcalexan...@wellsfargo.com.INVALID wrote: I have a team that is running into issues since version 9.0.48 where they are receiving incomplete message responses from Tomcat when the request was made from WebLogic. Incomplete responses from 9.0.48 onwards. That sounds

Re: tomcat 8.5.57 stops killing sessions after some time

2021-07-21 Thread Mark Thomas
On 21/07/2021 16:00, Ivano Luberti wrote: On 21/07/2021 16:44, Mark Thomas wrote: Take 3 thread dumps 5 seconds apart and post them here. How to take thread dumps? kill -3 ? That will work. There are lots of ways. This is most of them: https://www.baeldung.com/java-thread-dump

Re: tomcat 8.5.57 stops killing sessions after some time

2021-07-21 Thread Mark Thomas
On 21/07/2021 15:34, Ivano Luberti wrote: Hello, I'm new to the list but before writing this I have searched the users mailing list without finding anything useful. I have an instance of Apache Tomcat/8.5.57 running on a CentOS machine with java 1.7.0_261 Several webapps run on this

Re: Cache-Control for INTEGRAL transport guarantee?

2021-07-21 Thread Mark Thomas
On 21/07/2021 08:06, Mikael Sterner wrote: On Tue, Jul 20, 2021, at 10:04, Mark Thomas wrote: Cache headers have been somewhat of a moving target with different browsers behaving in different ways at different times over the years. I wanted to review the current state of things before forming

Re: compression?

2021-07-21 Thread Mark Thomas
On 21/07/2021 15:06, Berneburg, Cris J. - US wrote: Hi Folks :-) Got some questions about turning on compression. Looking at the documentation (I did not read the whole thing, just the portions in question), I still need some clarification.

Re: Log4j2 logging with Tomcat 9 web app

2021-07-21 Thread Mark Thomas
On 20/07/2021 21:05, Ravi Kumar wrote: Hi, My web app is based on Tomcat 9.0.45 server. I have migrated from Tomcat 7 to Tomcat 9 and from log4j 1.x to log4j 2.x. I have updated the log4j2.properties as per log4j 2.x standard, still my tomcat.log file is not getting generated and all the

Re: request.getPathInfo() Question

2021-07-20 Thread Mark Thomas
On 19/07/2021 20:55, Jerry Malcolm wrote: I have a servlet in the ROOT context mapped to "/".  I'm using request.getPathInfo() to get everything after the ".com/" in the URL. But no matter what is added to the url after .com/, getPathInfo() always returns null.  I printed out getRequestURL(),

Re: Cache-Control for INTEGRAL transport guarantee?

2021-07-20 Thread Mark Thomas
On 19/07/2021 20:46, Mikael Sterner wrote: Hi! I can understand the motivation for adding a Cache-Control header for CONFIDENTIAL transport guarantees, as discussed in

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-19 Thread Mark Thomas
On 19/07/2021 10:20, Mark Thomas wrote: On 13/07/2021 16:35, Paolo Clerici wrote: I don't see any ISAPI redirector set up there. I was expecting to see something like the steps described here: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Yes, if I have not missed something

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-19 Thread Mark Thomas
On 13/07/2021 16:35, Paolo Clerici wrote: I don't see any ISAPI redirector set up there. I was expecting to see something like the steps described here: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Yes, if I have not missed something, I think I have done everything that is

Re: Tomcat HTTP/2 vs HTTP/1.1

2021-07-19 Thread Mark Thomas
On 18/07/2021 17:44, Deshmukh, Kedar wrote: Hi, We are in process of assessing HTTP/2 protocol for our Web applications as there are a lot of benefits it provides over HTTP/1.1 at least theoretically. With given settings in tomcat, we are able to switch to HTTP/2 without trouble. For us next

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-13 Thread Mark Thomas
Tue 13 Jul 2021 at 10:27 Mark Thomas wrote: On 13/07/2021 08:49, Paolo Clerici wrote: Hi Mark, Are you connecting from a machine that isn't part of the Windows AD? I have tried both from PCs connected to AD and from PCs not connected to AD. Normally, I'd expect authentication

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-13 Thread Mark Thomas
On 13/07/2021 08:49, Paolo Clerici wrote: Hi Mark, Are you connecting from a machine that isn't part of the Windows AD? I have tried both from PCs connected to AD and from PCs not connected to AD. Normally, I'd expect authentication to work without any password prompt. If I connect from PC

Re: Internals of setMaxInactiveInterval

2021-07-13 Thread Mark Thomas
On 13/07/2021 04:33, Saurav Sarkar wrote: Hi All, I would like to understand the internals of Session~setMaxInactiveInterval in tomcat. I understand that if HTTP requests are not received within the said interval then the session is cleared. All the objects belonging to the session will be

Re: When does tomcat 7.0.76 determine it needs to redeploy the war file?

2021-07-12 Thread Mark Thomas
On 12/07/2021 19:21, Brian Wolfe wrote: Hi, As the subject asks, when does tomcat decide that it needs to redeploy the war file? I know the usual one where the app folder does not exist. Basically I have an app where some changes were made to the webapp folder, but were not made in the

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-12 Thread Mark Thomas
hanisms enabled? Are your two test machines (working and not working) connecting to the same Tomcat instance (and on the same port)? Mark Thank you, Paolo On Fri 9 Jul 2021 at 18:56 Mark Thomas wrote: On 09/07/2021 16:59, Paolo Clerici wrote: I use IIS 10.0 as a reverse pr

[SECURITY] CVE-2021-33037 Apache Tomcat HTTP request smuggling

2021-07-12 Thread Mark Thomas
CVE-2021-33037 HTTP request smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.6 Apache Tomcat 9.0.0.M1 to 9.0.46 Apache Tomcat 8.5.0 to 8.5.66 Description: Apache Tomcat did not correctly parse the HTTP transfer-encoding

[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

2021-07-12 Thread Mark Thomas
CVE-2021-30640 JNDI Realm Authentication Weakness Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.5 Apache Tomcat 9.0.0.M1 to 9.0.45 Apache Tomcat 8.5.0 to 8.5.65 Apache Tomcat 7.0.0 to 7.0.108 Description: Queries made by the JNDI Realm

[SECURITY] CVE-2021-30639 Apache Tomcat DoS

2021-07-12 Thread Mark Thomas
CVE-2021-30639 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.3 to 10.0.4 Apache Tomcat 9.0.44 Apache Tomcat 8.5.64 Description: An error introduced as part of a change to improve error handling during non-blocking I/O meant

Re: [Possible Spam] Re: HTTP/2 Memory Leak

2021-07-09 Thread Mark Thomas
upon the information contained in the communication or any attachments. -Original Message- From: Mark Thomas Sent: Friday, July 9, 2021 12:59 PM To: users@tomcat.apache.org Subject: Re: [Possible Spam] Re: HTTP/2 Memory Leak Importance: Low On 09/07/2021 16:21, Mark A. Claassen wrote

Re: [Possible Spam] Re: HTTP/2 Memory Leak

2021-07-09 Thread Mark Thomas
On 09/07/2021 16:21, Mark A. Claassen wrote: Thanks. I have done more heap analysis and think I have it tracked closer to the source. -- I started looking at the heap a different way. The random values I looked at before (of the 80,000) may not have be as representative as I thought.

Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

2021-07-09 Thread Mark Thomas
On 09/07/2021 16:59, Paolo Clerici wrote: I use IIS 10.0 as a reverse proxy of Tomcat 7. IIS 10.0 use Windows Authentication. When I run the javax.servlet.http.HttpServletRequest.getAuthType() method I get the null value. When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()

Re: Tomcat Jasper Compiler ant task not working - missing tag lib validator

2021-07-09 Thread Mark Thomas
On 08/07/2021 23:12, Builder Lynx Demo wrote: Hi Chris, Mark, Thank you for pointing that out.  I never would have guessed that. Updating the separator addresses that issue.  However now the jasper task throws an exception: BUILD FAILED /home/alex/cc/build.xml:534: The following error

Re: Mixing Root Context webapp with other webapps

2021-07-09 Thread Mark Thomas
On 09/07/2021 08:23, Olaf Kock wrote: On 09.07.21 07:58, Jerry Malcolm wrote: I have one webapp that processes REST-style url paths and therefore needs to run in the ROOT context.  Is it possible to run other webapps in the same host with other non-root contexts?   In other words, when

Re: HTTP/2 Memory Leak

2021-07-08 Thread Mark Thomas
Memory leak, high memory usage or high GC churn? The StreamProcessor shouldn't be a GC root. Either something should be retaining a reference to it or it should be eligible for GC. There isn't much in the way of HTTP/2 specific leaks that have been fixed. For HTTP/2, I'd expect you to see

Re: Possible Http11NioProtocol regression since 9.0.48?

2021-07-06 Thread Mark Thomas
On 06/07/2021 10:01, Rémy Maucherat wrote: On Tue, Jul 6, 2021 at 10:41 AM Mark Thomas wrote: On 05/07/2021 20:19, André van der Lugt wrote: Mark, thank you for your efforts so far. No problem. Happy to help. At this point it is hard to tell where the root cause is. It is possible

Re: Possible Http11NioProtocol regression since 9.0.48?

2021-07-06 Thread Mark Thomas
On 05/07/2021 20:19, André van der Lugt wrote: Mark, thank you for your efforts so far. No problem. Happy to help. At this point it is hard to tell where the root cause is. It is possible that the Tomcat changes introduced a bug in Tomcat. It is also possible that the Tomcat changes

Re: Possible Http11NioProtocol regression since 9.0.48?

2021-07-05 Thread Mark Thomas
On 02/07/2021 13:09, Mark Thomas wrote: On 02/07/2021 12:43, André van der Lugt wrote: I finally managed to create a decrypted Wireshark capture with injected TLS session keys, will send it in a direct message due to size. I hope it provides the information needed. Thanks. I have the file

[ANN] Apache Tomcat 10.0.8 available

2021-07-05 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.8. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M2 (alpha) available

2021-07-05 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M2. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5

2021-07-02 Thread Mark Thomas
On 02/07/2021 16:44, James H. H. Lampert wrote: On 7/2/21 12:02 AM, Mark Thomas wrote: It is an alternative session manager that persists session data via a configured Store. There are two Store implementations provided by default - File and DataSource. You would know if you were using

Re: Possible Http11NioProtocol regression since 9.0.48?

2021-07-02 Thread Mark Thomas
On 02/07/2021 12:43, André van der Lugt wrote: I finally managed to create a decrypted Wireshark capture with injected TLS session keys, will send it in a direct message due to size. I hope it provides the information needed. Thanks. I have the file. I'll hopefully have time to look at this

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-07-02 Thread Mark Thomas
but given the severity of this issue, my current intention is to try and do an August release. Mark /Erik On Fri 2 July 2021 at 10:28, Mark Thomas wrote: On 01/07/2021 08:57, Mark Thomas wrote: On 01/07/2021 08:41, Erik Nilsson wrote: useAsyncIO="false" compressibleMimeType=

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-07-02 Thread Mark Thomas
On 01/07/2021 08:57, Mark Thomas wrote: On 01/07/2021 08:41, Erik Nilsson wrote: protocol="org.apache.coyote.http11.Http11NioProtocol"     connectionTimeout="2" compression="on" useAsyncIO="false" compressibleMimeType="tex

Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5

2021-07-02 Thread Mark Thomas
On 01/07/2021 22:24, James H. H. Lampert wrote: Also, I've got somebody complaining about CVE-2021-25329. I'm not sure I understand what CVE-2021-25329 is, or what the underlying CVE-2020-9484 is. If the person complaining about CVE-2021-25329 can't explain (or demonstrate) why it is an

Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5

2021-07-02 Thread Mark Thomas
On 02/07/2021 01:10, James H. H. Lampert wrote: On 7/1/21 4:55 PM, in response to: I will note, however, that the Tomcat servers in question are *not* configured to listen on any ports other than HTTPS (either 443, 8443, or something else in that vein) and the shutdown port. Shawn Heisey

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-07-01 Thread Mark Thomas
the thread updated with how I get on. Mark On Thu 1 July 2021 at 09:32, Mark Thomas wrote: On 01/07/2021 07:16, Erik Nilsson wrote: Hmm I can still get the same exceptions even if I set useAsyncIO="false", but with maxConcurrentStreamExecution="1" it's stable. Can you

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-07-01 Thread Mark Thomas
Thanks, Mark /Erik On Wed 30 June 2021 at 18:41, Mark Thomas wrote: On 30/06/2021 16:49, Erik Nilsson wrote: Perfect that you can reproduce this with another webapp. Thankful for your quick response. As I pointed out in the beginning of the conversation we also got this prob

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-30 Thread Mark Thomas
On 30/06/2021 16:49, Erik Nilsson wrote: Perfect that you can reproduce this with another webapp. Thankful for your quick response. As I pointed out in the beginning of the conversation we also got this problem behind our f5 loadbalancer. But not if we connect to Tomcat directly without a

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-30 Thread Mark Thomas
On 29/06/2021 09:43, Mark Thomas wrote: On 29/06/2021 09:26, Erik Nilsson wrote: Sorry but there seems to be no difference in the behaviour.. /Erik OK. Thanks for testing. I'm going to need those debug logs then to figure out what is going on. Debug logs received off-list. Tx. I'm able

Re: Possible Http11NioProtocol regression since 9.0.48?

2021-06-30 Thread Mark Thomas
On 30/06/2021 13:57, André van der Lugt wrote: Hi, Since upgrading our Tomcat 9.0.x installation from 9.0.46 to 9.0.48, I've noticed several times that the download of a response with static content from a web archive (i.e. JavaScript file) takes 'keepAliveTimeout' time to complete. It only

Re: Using log4j for logging

2021-06-29 Thread Mark Thomas
version from tomcat version 7 and use it for 9 or similar. I guess that might work but I'd be surprised. Mark Regards, Niranjan On 6/29/21 12:24 AM, Mark Thomas wrote: On 29/06/2021 01:11, Niranjan Rao wrote: Greetings, I wanted to setup log4j for tomcat logs and google searches seems

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-29 Thread Mark Thomas
On 29/06/2021 09:26, Erik Nilsson wrote: Sorry but there seems to be no difference in the behaviour.. /Erik OK. Thanks for testing. I'm going to need those debug logs then to figure out what is going on. Mark Den mån 28 juni 2021 kl 20:44 skrev Mark Thomas : On 28/06/2021 15:11, Mark

Re: Using log4j for logging

2021-06-29 Thread Mark Thomas
On 29/06/2021 01:11, Niranjan Rao wrote: Greetings, I wanted to setup log4j for tomcat logs and google searches seem to indicate that this is possible. Many articles speak about downloading tomcat-juli-adapters.jar from bin/extras directory. I found out that for tomcat version 9, extras

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-28 Thread Mark Thomas
On 28/06/2021 15:11, Mark Thomas wrote: On 28/06/2021 10:53, Erik Nilsson wrote: Yep, something seems to go wrong with the waitingFor field in WindowAllocationManager. We are developing a quite complex embedded cms application, don't know if I will be able to share this application

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-28 Thread Mark Thomas
On 28/06/2021 10:53, Erik Nilsson wrote: Yep, something seems to go wrong with the waitingFor field in WindowAllocationManager. We are developing a quite complex embedded cms application, don't know if I will be able to share this application. Hopefully you can reproduce this anyway by using

Re: 500 instances of tomcat on the same server

2021-06-28 Thread Mark Thomas
On 28/06/2021 14:53, Christopher Schultz wrote: Eric, On 6/25/21 22:58, Eric Robinson wrote: We can run 75 to 125 instances of tomcat on a single Linux server with 12 cores and 128GB RAM. It works great. CPU is around 25%, our JVMs are not throwing OOMEs, iowait is minimal, and network

Re: Questions about Integrated Windows Authentication

2021-06-28 Thread Mark Thomas
On 28/06/2021 10:36, Carsten Klein wrote: Hi there, I have two questions about Tomcat's Integrated Windows Authentication: Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS. Note that Tomcat 7 is no longer supported. 1. useDelegatedCredential = true I'm using JNDIRealm

Re: Possible bug in http2 window size handling in tomcat 9.0.45

2021-06-28 Thread Mark Thomas
On 27/06/2021 12:05, Erik Nilsson wrote: We might have found an issue with the window size in http2 in Tomcat 9.0.45. Thanks for the heads up. 9.0.45 has fixes for all the known issues with window size management so this looks like a potential new bug. java.lang.IllegalStateException:

Re: 500 instances of tomcat on the same server

2021-06-28 Thread Mark Thomas
On 26/06/2021 03:58, Eric Robinson wrote: We can run 75 to 125 instances of tomcat on a single Linux server with 12 cores and 128GB RAM. It works great. CPU is around 25%, our JVMs are not throwing OOMEs, iowait is minimal, and network traffic is about 30Mbps. We're happy with the results.

Re: Trouble with HTTP/2 during concurrent bulk data transfer (server -> client)

2021-06-28 Thread Mark Thomas
they will be comparatively early - possibly as soon as the end of this week. If you want to track release progress then I'd recommend following the dev@ list. Mark Thanks, Kedar -Original Message- From: Mark Thomas Sent: Friday, June 18, 2021 2:50 AM To: users@tomcat.apache.org Subject: Re: Trouble
