Re: Installation on Win 10 failure.

2024-04-23 Thread Mark Thomas
On 23/04/2024 03:31, DdC wrote: I have installed tomcat originally with version 4.04 on winxp and later on win7, ubuntu, and another linux box - many times by now. Trouble now with win10 and version 9.0.88. Yes, there is a jdk, CLASSPATH is set, j2ee.jar is in lib. Running in a cmd window

Re: Tomcat closes connections on unexpected status codes

2024-04-18 Thread Mark Thomas
On 18/04/2024 15:18, Stefan Ansing wrote: Hi Rémy, Mark, I just want to make sure that we’re understanding each other. I can see that the connection needs to be closed in certain conditions to prevent request smuggling attacks. I certainly don’t want to change that behaviour. However, I’m

Re: Tomcat closes connections on unexpected status codes

2024-04-18 Thread Mark Thomas
18, 2024 at 1:17 PM Mark Thomas wrote: On 18/04/2024 09:07, Stefan Ansing wrote: Hi, We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet application returns the following status codes: 400, 408, 411

Re: Tomcat closes connections on unexpected status codes

2024-04-18 Thread Mark Thomas
On 18/04/2024 14:41, Rémy Maucherat wrote: On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas wrote: On 18/04/2024 09:07, Stefan Ansing wrote: Hi, We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet

Re: Regarding Tomcat url redirection

2024-04-18 Thread Mark Thomas
On 18/04/2024 12:05, lavanya tech wrote: Hi Team, I am using "Tomcat 10.1" in our environment and I wanted to redirect url from https://example.com to https://www.servercom: and for this I modified the server.xml as below in tomcat config, and the below configuration does not seem to work.

Re: Tomcat closes connections on unexpected status codes

2024-04-18 Thread Mark Thomas
On 18/04/2024 09:07, Stefan Ansing wrote: Hi, We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet application returns the following status codes: 400, 408, 411, 414, 500, 503, 501. This causes client

Re: Tomcat log warnings for connection parameter limits?

2024-04-16 Thread Mark Thomas
should consider. I think a hysteresis behavior would be compatible with this. On Mon, Apr 15, 2024 at 12:00 AM Mark Thomas wrote: On 11/04/2024 21:28, Baron Fujimoto wrote: I was thinking it would be something that would be left on in a live system. We can set these parameters, so it

Re: Package URLs for Apache Tomcat distributions

2024-04-15 Thread Mark Thomas
On 11/04/2024 16:52, von Loewenstein, Jan wrote: Hi folks, I am part of the Paketo community, and we are providing Cloud Native Buildpacks to create container images with – amongst other technologies – Apache Tomcat and Apache TomEE as application runtimes. One of the features of Cloud

Re: Tomcat log warnings for connection parameter limits?

2024-04-15 Thread Mark Thomas
On 11/04/2024 21:28, Baron Fujimoto wrote: I was thinking it would be something that would be left on in a live system. We can set these parameters, so it would be useful to know if we were hitting the set limits. For the connection limit: How timely do you need the information to be? It is

Re: Retrieve server.built, server.number

2024-04-11 Thread Mark Thomas
On 11/04/2024 15:49, Bill Stewart wrote: On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote: ... and it might represent an information leakage vulnerability in your application. Be Careful. Shall we start the flame war now on whether exposing the current version you are running

Re: Retrieve server.built, server.number

2024-04-10 Thread Mark Thomas
On 10/04/2024 21:15, Christopher Schultz wrote: All, On 4/10/24 4:00 AM, Mark Thomas wrote: On 09/04/2024 17:17, prat 007 wrote: Hi All, I would like to know is there a way to find tomcat's server.built and server.number remotely using tool like curl or from browser? In a default

Re: Retrieve server.built, server.number

2024-04-10 Thread Mark Thomas
On 09/04/2024 17:17, prat 007 wrote: Hi All, I would like to know is there a way to find tomcat's server.built and server.number remotely using tool like curl or from browser? In a default installation, no. You'd have to write a servlet that reported that information and then request that

Re: Tomcat & Http 103 Early Hint

2024-04-10 Thread Mark Thomas
? At least, I can help with writing some tests. I think this new http feature can be beneficial a lot for web application page load performance. Therefore, this is crucial for the whole Tomcat community. By Xulin Yang Kind Regards Mark Thomas wrote on Mon, 8 Apr 2024 at 19:24: 8 Apr 2024 10:26:23 xulin y : Hi

Re: Tomcat & Http 103 Early Hint

2024-04-08 Thread Mark Thomas
8 Apr 2024 10:26:23 xulin y : Hi, I would like to ask about whether Tomcat has support for http 103 early hint response status? Not at the moment. I have checked the latest doc that https://tomcat.apache.org/tomcat-11.0-doc/servletapi/jakarta/servlet/http/HttpServletResponse.html does not

Re: Intermittent error 404

2024-04-08 Thread Mark Thomas
8 Apr 2024 11:20:09 andreas.moro...@wobi.bz.it: Hello we use Apache Tomcat/8.5.99. Tomcat 8.5.x is no longer supported by the Tomcat community. You should upgrade to at least 9.0.x or consider purchasing 8.5.x support from one of the commercial vendors that offer it. It sounds like an

Re: [EXT]Re: unable to set compression, compressionMinSize and compressableMinemType attributes in UpgradeProtocol element

2024-04-02 Thread Mark Thomas
Programmer | Westwood One rn...@westwoodone.com -Original Message- From: Mark Thomas Sent: Tuesday, April 2, 2024 10:05 AM To: users@tomcat.apache.org Subject: [EXT]Re: unable to set compression, compressionMinSize and compressableMinemType attributes in UpgradeProtocol element On 02/04

Re: unable to set compression, compressionMinSize and compressableMinemType attributes in UpgradeProtocol element

2024-04-02 Thread Mark Thomas
On 02/04/2024 14:53, Rick Noel wrote: Hello, What am I missing here? You haven't provided information on the Tomcat version you are using. I'm assuming 10.1.x. https://tomcat.apache.org/tomcat-10.1-doc/config/http2.html Search for compressionMinSize. I get warnings that the compression

Re: PKCS#8 encryption algorithm unrecognized

2024-03-31 Thread Mark Thomas
.exe -delete -alias "ASA12 SAMM Vessel" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "

Re: [EXT]Re: how to define database resource in just context.xml or server.xml

2024-03-31 Thread Mark Thomas
On 29/03/2024 21:58, Christopher Schultz wrote: Rick, On 3/29/24 14:33, Rick Noel wrote: Our application is really a suite of 5 applications. And the server.xml I am talking about is on our dev machine, where we want to run all 5 apps on the one web server. The context.xml has global

Re: [EXT]Re: Tomcat session replication issue - java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute :

2024-03-22 Thread Mark Thomas
ood One rn...@westwoodone.com -Original Message----- From: Mark Thomas Sent: Friday, March 22, 2024 11:32 AM To: users@tomcat.apache.org Subject: [EXT]Re: Tomcat session replication issue - java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute : On 22/03/2024 15:15, Rick

Re: Tomcat session replication issue - java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute :

2024-03-22 Thread Mark Thomas
On 22/03/2024 15:15, Rick Noel wrote: Is there a way to configure DeltaManager or the Cluster element so it does not cause my application to throw this error. 22-Mar-2024 10:56:34.382 SEVERE [http-nio-8586-exec-5] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for

Re: Regression in mutual authentication in 9.0.86+?

2024-03-21 Thread Mark Thomas
potentially block the upgrade to 9.0.86/87. This fix will be picked up in the April release round. Mark Lastly, I wholeheartedly echo the gratitude many have expressed around the awesome Tomcat leads. Thanks, Amit -Original Message- From: Mark Thomas Sent: Monday, March 18, 2024 4:41

Re: What future plans are for Tomcat authentication

2024-03-20 Thread Mark Thomas
On 20/03/2024 06:22, Mircea Butmalai wrote: Questions are: 1. Is Jakarta Authentication specification going to replace the authentication part of Jakarta Servlet specification? Unlikely. 2. Are current authenticators from Tomcat (FORM, SPNEGO, SSL, HTTP DIGEST, HTTP BASIC,

Re: PKCS#8 encryption algorithm unrecognized

2024-03-19 Thread Mark Thomas
On 19/03/2024 18:18, Timothy Resh wrote: where the . is the fqdn This works fine *until* Tomcat 9.0.83 and now we get the following listed below. I have read some of the https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for help. The certificates are being created

Re: TLSCertificateReloadListener Detects Expiration But Never Reads New Cert & Key Files

2024-03-19 Thread Mark Thomas
misconfiguration, even though certificates were served correctly but the wrong expiration date and after restarting tomcat the certificates were served with correct dates On 18/03/2024 21:20, Mark Thomas wrote: On 18/03/2024 08:21, Mark Thomas wrote: On 17/03/2024 15:26, Justin Y wrote: Hi

Re: TLSCertificateReloadListener Detects Expiration But Never Reads New Cert & Key Files

2024-03-18 Thread Mark Thomas
On 18/03/2024 08:21, Mark Thomas wrote: On 17/03/2024 15:26, Justin Y wrote: Hi Everyone --    I've spent a few hours scratching my head and then diving into the source code of 10.1.19 to figure out what's going on. Could you test with 10.1.18? I'm wondering if the user provided SSLContext

Re: problems with partitioned cookies

2024-03-18 Thread Mark Thomas
On 18/03/2024 15:16, info@klawitter.de wrote: What am I doing wrong here? (Tomcat 9.0.82) https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Search for "partitioned" The problem is you are using Tomcat 9.0.82. Support for a default partitioned attribute wasn't added until 9.0.85.

Re: Regression in mutual authentication in 9.0.86+?

2024-03-18 Thread Mark Thomas
I've just tested 9.0.x and mutual TLS authentication appears to be working as expected. I suggest starting with testing a simple JSP that echoes that attribute and if you still see the issue, provide us with your configuration. Note that the issue may be related to the certs you are using so

Re: TLSCertificateReloadListener Detects Expiration But Never Reads New Cert & Key Files

2024-03-18 Thread Mark Thomas
On 17/03/2024 15:26, Justin Y wrote: Hi Everyone --   I've spent a few hours scratching my head and then diving into the source code of 10.1.19 to figure out what's going on. Could you test with 10.1.18? I'm wondering if the user provided SSLContext changes in 10.1.19 have triggered a

[ANN] Apache Tomcat 11.0.0-M18 (alpha) available

2024-03-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M18 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: reloading context with manager-script

2024-03-14 Thread Mark Thomas
On 12/03/2024 13:47, Christopher Schultz wrote: Greg and Mark, On 3/12/24 05:00, Greg Huber wrote: On 11/03/2024 18:17, Christopher Schultz wrote: Mark, On 3/10/24 08:49, Mark Thomas wrote: On 10/03/2024 10:50, Greg Huber wrote: Hello, Using http://tomcat/manager-app/text/reload?path

Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas
On 14/03/2024 11:51, Vincent Daniel wrote: Thank you so much. I am ashamed that I did not read the documentation carefully. No problem. It is only a single line in the docs and it helps a lot if you know what you are looking for. Mark On Thu, Mar 14, 2024 at 7:46 PM Mark Thomas wrote

Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas
On 14/03/2024 11:36, Vincent Daniel wrote: Hi, community When I configured Tomcat logs, I found the following configuration in logging.properties 1catalina.org.apache.juli.AsyncFileHandler 2localhost.org.apache.juli.AsyncFileHandler 3manager.org.apache.juli.AsyncFileHandler

[SECURITY] CVE-2024-23672 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas
CVE-2024-23672 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: It was possible

[SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas
CVE-2024-24549 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: When processing

Re: Tomcat 9 returning 404 for audio files

2024-03-11 Thread Mark Thomas
it is created? The resources implementation can cache "not found" results for a short period of time. You might want to test the code with a simple text file to determine whether file type is a factor (which seems unlikely but you never know). Mark On Mon, Mar 11, 2024, 5:22 a.m. M

Re: contextVersion NullPointerException due to race condition

2024-03-11 Thread Mark Thomas
On 29/02/2024 13:32, FRANTS Patrick wrote: Not sure this is the right mailing list or that it should go to dev. users@ is fine. Generally, if you aren't sure use users@. One of our unit tests will occasionally have a null pointer exception during shutdown. Unfortunately I have not been

Re: Tomcat not syncing existing sessions on restart

2024-03-11 Thread Mark Thomas
On 10/03/2024 16:59, Manak Bisht wrote: On Fri, Feb 9, 2024 at 4:45 PM Mark Thomas wrote: Using 0.0.0.0 as the address for the receiver is going to cause problems. I see similar issues with 11.0.x as 8.5.x. I haven't dug too deeply into things as a) I am short of time and b) I'm not convinced

Re: Tomcat 9 returning 404 for audio files

2024-03-11 Thread Mark Thomas
On 11/03/2024 02:21, Sam wrote: I just upgraded a legacy application from Tomcat 7 to Tomcat 9. It's deployed as a war file. I'm facing a weird issue with audio files playback. When loading a page that contains an audio file. First time Tomcat returns 404 error but if reloading the page, audio

Re: reloading context with manager-script

2024-03-10 Thread Mark Thomas
On 10/03/2024 10:50, Greg Huber wrote: Hello, Using http://tomcat/manager-app/text/reload?path=/ When I reload an application (in java), I get a reply OK - Reloaded application at context path [/] but when the application is not present I get this reply: FAIL - No context exists named []

Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9

2024-02-26 Thread Mark Thomas
On 26/02/2024 06:11, Saha, Rajib wrote: Hi Experts, In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service[Say, Service-A]. It's a huge product running in market for last 20 years. We are in progress of moving from Tomcat-8 to tomcat-9. When we are

Re: A curious case of Tomcat 10.1.x NIO(1) acceptor not stopping clearly on some setups

2024-02-26 Thread Mark Thomas
On 25/02/2024 18:18, Michał Szymborski wrote: On quick inspection the acceptor thread (https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/tomcat/util/net/Acceptor.java#L128) was listening on [/[0:0:0:0:0:0:0:0]:39033] , which was correctly picked up at first, but then this local

Re: NoClassDefFoundError for SSL operations

2024-02-22 Thread Mark Thomas
On 23/02/2024 01:14, bigelytechnol...@yahoo.com wrote: This spammer has been unsubscribed and banned from re-subscribing. Mark

Re: The custom 404 page of Tomcat8 suddenly becomes invalid

2024-02-19 Thread Mark Thomas
On 19/02/2024 01:35, LeventLee wrote: Hello, Here is my information: openjdk version "1.8.0_345" | OpenJDK Runtime Environment (build 1.8.0_345-b01) | OpenJDK 64-Bit Server VM (build 25.345-b01, mixed mode) Linux 5.10.134-12.al8.x86_64 Apache Tomcat/8.0.24 That version is over 8 years old.

Re: Tomcat Manager 403's with LDAP Realm

2024-02-19 Thread Mark Thomas
On 17/02/2024 21:42, Dan McLaughlin wrote: We've had the same LDAP realm configured for probably 10 years, and the same roles in our LDAP for probably the same. We have 4 roles configured in LDAP manager-gui, manager-jmx, manager-script, and manager-status. My user only has the manager-gui

Re: Compile with JDK 17, run on JRE 11?

2024-02-17 Thread Mark Thomas
On 17/02/2024 16:01, Troels Arvin wrote: Hello, Since 9.0.83, building Tomcat has required JDK 17, according to the release notes. Is it possible to take the resulting binaries and run them on JRE 11? Yes. The minimum Java version at runtime (8) is unchanged. Mark

Re: Long lasting websocket sessions

2024-02-16 Thread Mark Thomas
On 09/02/2024 13:47, Alex O'Ree wrote: I've been experimenting with tomcat 9.x in seeing how long I can get a web socket session to last. I'm currently struggling to get past 30 minutes or so. Looking for guidance on how to best increase this or if this is a bad idea. Here's the current

Re: [EXT]Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-13 Thread Mark Thomas
ransaction\ROOT##0001 directory. That is where I believe my application to be Here is how I have my context defined in server.xml.. Is my server.xml wrong? When I place my .war in webapps-javaee\transaction dir? -Original Message----- From: Mark Thomas Sent: Thursday, February 8, 20

Re: [ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas
On 13/02/2024 10:21, Michael Osipov wrote: On 2024/02/13 08:46:42 Mark Thomas wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.3.0 stable. The key features of this release are: - The minimum supported OpenSSL version is 1.1.1 - The minimum supported

[ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.3.0 stable. The key features of this release are: - The minimum supported OpenSSL version is 1.1.1 - The minimum supported APR version is 1.6.3 - The windows binaries in this release have been built with

[ANN] Apache Tomcat Native 2.0.7 released

2024-02-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.7 stable. The key features of this release are: - Align default pass phrase prompt with httpd on Windows - The windows binaries in this release have been built with OpenSSL 3.0.13 The 2.0.x branch is

Re: Tomcat not syncing existing sessions on restart

2024-02-09 Thread Mark Thomas
On 09/02/2024 07:51, Manak Bisht wrote: On Fri, Feb 9, 2024 at 3:25 AM Mark Thomas wrote: Same JRE? Yes, 8.0.402 Generally, I wouldn't use 0.0.0.0, I'd use a specific IP address. I'm not sure how the clustering would behave with 0.0.0.0 Using 0.0.0.0 as the address for the receiver

Re: Tomcat Instance unable to connect to DB with TCPS

2024-02-09 Thread Mark Thomas
On 09/02/2024 02:54, Kebret, Michael wrote: Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20. When changing the protocol from TCP to TCPS in Catalina.properties and in server.xml we have attribute truststorePassword= (tested with both cleartext and encrypted) password connection

Re: Getting provider/properties from jaspic-providers.xml to my ServerAuthModule

2024-02-08 Thread Mark Thomas
On 08/02/2024 14:37, Ryan Esch wrote: I'm using Tomcat 9. I have a provider in jaspic-providers.xml: I am not sure how to get these properties to my ServerAuthModule. I have a ServletContextListener and can see that the jaspic-providers.xml file is being processed if I call:

Re: Persistent Manager Implementation Question

2024-02-08 Thread Mark Thomas
Try turning on ALL logging for the org.apache.catalina.session package. Mark On 08/02/2024 20:49, Miguel Vidal wrote: demo4.zip Hello, Specifications Windows 10 Tomcat 8.5 this is a configuration

Re: [EXT]Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
Confirmed this is user error. There is no bug in the migration tool. Steps to demonstrate this: - Create new, blank Eclipse dynamic web project - Add provided servlet code - Add required libraries - Remove referenced to internal logging code - Add web.xml with basic mapping to "/test" - Export

Re: Tomcat not syncing existing sessions on restart

2024-02-08 Thread Mark Thomas
address. I'm not sure how the clustering would behave with 0.0.0.0 Mark Sincerely, Manak Bisht On Fri, Feb 2, 2024 at 9:41 PM Mark Thomas wrote: On 31/01/2024 13:33, Manak Bisht wrote: I tried tweaking all the settings that I could think of but I am unable to sync sessions on restart

Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
}); return mapping; } } Rick Noel Systems Programmer | Westwood One rn...@westwoodone.com -Original Message- From: Mark Thomas Sent: Thursday, February 8, 2024 9:27 AM To: users@tomcat.apache.org Subject: Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool fa

Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
One rn...@westwoodone.com -Original Message- From: Mark Thomas Sent: Thursday, February 8, 2024 8:54 AM To: users@tomcat.apache.org Subject: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
On 08/02/2024 13:45, Rick Noel wrote: Our application uses classes in this jar xmlrpc-server3.1.3.jar .(it is the latest version) We are trying to migrate to Tomcat 10 but that jar uses the javax.server. package classes instead of the needed jakarta.server. package. I have tried

Re: Tomcat taglibs 2.0.0 release?

2024-02-05 Thread Mark Thomas
On 05/02/2024 15:49, Jeroen Hoffman wrote: On Mon, Feb 5, 2024 at 4:05 PM Mark Thomas wrote: Are there plans to release the 2.0.0 version? No plans. Tomcat 10.1.x onwards uses the 1.2.5 taglibs release converted for Jakarta EE using the Tomcat migration tool. Thanks for the quick

Re: Tomcat taglibs 2.0.0 release?

2024-02-05 Thread Mark Thomas
On 05/02/2024 14:16, Jeroen Hoffman wrote: Hi everybody, I have a question on Tomcat taglibs, I chose this mailing list because the taglibs-user one seems inactive. We are in the process of updating our application to use Java 17 and Tomcat 10, including javax/jakarta change. It uses Tomcat

Re: Return a custom page in the event of a client requesting a non-existent resource on tomcat9

2024-02-04 Thread Mark Thomas
On 02/02/2024 18:48, Kaushal Shriyan wrote: Hi, I am running tomcat version 9.0.84 on Red Hat Enterprise Linux release 8.7 (Ootpa). Is there a way to configure the server to return a custom page in the event of a client requesting a non-existent resource. Yes. Please guide me. To do this

Re: Tomcat not syncing existing sessions on restart

2024-02-02 Thread Mark Thomas
On 31/01/2024 13:33, Manak Bisht wrote: I tried tweaking all the settings that I could think of but I am unable to sync sessions on restart even on a stock Tomcat 8.5.98 installation using your provided war. I am unable to identify whether this is actually a bug or something wrong with my

Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas
On 01/02/2024 17:48, Ryanesch@yahoo wrote: On Feb 1, 2024, at 10:34 AM, Mark Thomas wrote: On 31/01/2024 00:15, Ryan Esch wrote: From what I understand, the container knows if a user is authenticated by using the session id passed to it and then looking up the user principal

Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas
On 31/01/2024 00:15, Ryan Esch wrote: From what I understand, the container knows if a user is authenticated by using the session id passed to it and then looking up the user principal. If this is non-null, the user is authenticated. I am using web.xml with security constraints and

Re: Session Cookie Logging

2024-02-01 Thread Mark Thomas
On 27/01/2024 14:38, Dan McLaughlin wrote: Hey Mark, If you see a bug report, then that will mean I was able to reproduce it. I see different behaviors in our local docker environment. Still, it's nowhere as complex as our production environment--where everything is clustered and behind

Re: Session Cookie Logging

2024-01-26 Thread Mark Thomas
On 26/01/2024 22:22, Dan McLaughlin wrote: Hey Konstantin, Thanks for the reply. I synced the source last night. I haven't had a chance to step through with a debugger yet. But the only way I could get the Cookie Path set was to modify the context.xml and add sessionCookiePath to every

Re: How to access the request URL in a custom valve implementation?

2024-01-26 Thread Mark Thomas
On 26/01/2024 10:46, Manak Bisht wrote: Hi, I am trying to extend the AccessLogValve to modify logging behaviour for certain URLs. However, I don't have access to the request object in the AccessLogValve API. So, I am left with regex matching on the CharArrayWriter message object. Is there a

Re: Tomcat Version 9.0.79 - SAML2 - - Error occurred while attempting to refresh metadata from ':\WEB-INF\idp-meta-downloaded.xml'

2024-01-25 Thread Mark Thomas
On 25/01/2024 13:55, Tobias Blum (Fujitsu) wrote: Hello together, we have updated the Tomcat from Version 9.0.65 to Version 9.0.79. We are running tomcat on Windows Server 2019 Our Tomcat Version is delivered with SAP BusinessObjects. We have configured for our Web Application which runs on

Re: Getting wrong value calling request.getScheme()

2024-01-24 Thread Mark Thomas
On 24/01/2024 15:48, joan.balagu...@ventusproxy.com wrote: Any help would be really appreciated. Configuration error. Someone has done the equivalent of Or possibly a mis-configured RemoteIpFilter (or Valve). Or similar. Mark

Re: Tomcat not syncing existing sessions on restart

2024-01-23 Thread Mark Thomas
I have configured my standard cluster test environment for a 2-node cluster, using DeltaManager and static membership. httpd is configured for non-sticky load-balancing. Each node has the Manager web application and my simple cluster-test deployed.

Re: EOL - Tomcat versions

2024-01-19 Thread Mark Thomas
On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote: @Mark Thomas, Is it possible to consider that the minimum support time of Apache Tomcat 9.0.X is until 2027 (10 years since Released)? I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x but I'm not going

Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

2024-01-19 Thread Mark Thomas
Correcting the CVE reference in the text (the subject line is correct) Mark On 19/01/2024 10:17, Mark Thomas wrote: CVE-2023-21733 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache

[SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

2024-01-19 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 Description: Incomplete POST requests triggered an error response that could contain data from a

Re: Consultation on disabling insecure HTTP requests in Tomcat

2024-01-18 Thread Mark Thomas
On 18/01/2024 09:22, 2460873257 wrote: Hi Tomcat Experts:       I'm trying to Looking for a solution to disable the tomcat * Options request, Why? but upon checking the source code, it seems that it is directly defined in the code. Is there a configuration provided to disable it? No.

[ANN] Apache Tomcat 11.0.0-M16 (alpha) available

2024-01-09 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M16 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Regarding Tomcat is creating the zombie processes

2024-01-09 Thread Mark Thomas
onus is on you to provide the steps necessary for someone on this list to recreate the problem you are seeing starting from a Tomcat distribution downloaded from tomcat.apache.org Mark Thanks, Omkar V. -Original Message- From: Mark Thomas Sent: Friday, January 5, 2024 6:00 PM To: users

Re: EOL - Tomcat versions

2024-01-08 Thread Mark Thomas
On 08/01/2024 06:47, i...@flyingfischer.ch wrote: https://endoflife.date/tomcat On 08.01.24 at 07:39, Deshmukh, Kedar wrote: Hello, Could you please throw some light on Tomcat versions and its EOL plan? See https://tomcat.apache.org/whichversion.html    1.  8.5.X EOL 31 March 2024

Re: Regarding Tomcat is creating the zombie processes

2024-01-05 Thread Mark Thomas
You will need to provide more details. A default Tomcat install does not create parent and child processes so zombie processes cannot occur. I'll also note that zombie processes do not consume system resources (apart from a process ID). Please provide the steps you used to recreate this

Re: EOL for Tomcat 9.0.x and Tomcat 10.1.x

2023-12-19 Thread Mark Thomas
On 19/12/2023 12:32, Kaluva S wrote: Hi, We are planning to migrate from tomcat 9.0.x to Tomcat 10.1.x but want to know about EOL for both the releases. On the official tomcat website, we couldn't find any information about this. If anyone knows, please share so that we will plan accordingly.

Re: Clarification on CVE-2023-46589

2023-12-18 Thread Mark Thomas
On 18/12/2023 09:50, purtrator wrote: There are many types of things one can do with HTTP Request Smuggling, is this an attack where header theft, cache poisoning or even response queue poisoning is possible? What are the possible damage scenarios? Assume that any attack enabled by request

Re: JSP EL - How to

2023-12-18 Thread Mark Thomas
17 Dec 2023 21:31:10 Chuck Caldarale : On Dec 16, 2023, at 23:05, Arbol One wrote: Hello. In my NetBeans IDE, I have a ANT web project, to which I have added under Libraries the JSTL 1.2.7 - jstl-impl.jar and the JSTL 1.2.7 - jstl-api.jar libraries. However, when adding this code :

Re: Tomcat with IIS

2023-12-18 Thread Mark Thomas
18 Dec 2023 05:31:24 Mohammed Ramadan Ghallab : Hello I’m using tomcat and I want to create a virtual directory but I can’t do that if it isn’t possible can you please tell me how to integrate tomcat with IIS https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Tested and

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 15/12/2023 14:48, Christopher Schultz wrote: Do we need to argue over encoding and/or rules of case-insensitive-matching? Could we? Probably. Do we need to? Unlikely. My expectation is that most clients aren't even including the host in the request line these days. Non-ASCII hostnames

Re: security-constraint url-pattern question

2023-12-15 Thread Mark Thomas
On 14/12/2023 17:28, ResSoft wrote: Chris, I figured out how to make this work. It works in my dev box but not in my prod box. Both have the same version of tomcat. Here is the web.xml entry. I any ideas would be great. Those constraints look correct to me and a quick test using

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 11/12/2023 17:20, Mark Thomas wrote: On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below

Re: [EXTERNAL] - Re: Partitioned cookies

2023-12-15 Thread Mark Thomas
On 14/12/2023 21:15, André van der Lugt wrote: From: Chuck Caldarale Sent: Wednesday, November 15, 2023 9:48 AM To: Tomcat Users List Subject: [EXTERNAL] - Re: Partitioned cookies On Nov 15, 2023, at 08:06, Adam Warfield

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 16:13, Benny Prange wrote: On Thu, 14 Dec 2023 at 16:51, Mark Thomas wrote: On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-11 Thread Mark Thomas
On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below ), the Host header value in the HTTP request is

Re: JAVA -tomcat- Request header is too large

2023-12-11 Thread Mark Thomas
On 08/12/2023 22:01, Christopher Schultz wrote: Are request-ids always allocated, or only if they are "enabled"? Always allocated. I think adding the request-id to this exception detail message might be helpful, even if the request-id hasn't been enabled in the access-log. WDYT? Good

Re: Failing to decode the url correctly in tomcat 9.

2023-12-08 Thread Mark Thomas
On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote: On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan < kalaivani.sengottai...@veeva.com> wrote: In one of our sample cases, this is the URL recorded by nginx "-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +] "GET

Re: JAVA -tomcat- Request header is too large

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:27, Ivano Luberti wrote: On 07/12/2023 17:51, Mark Thomas wrote: On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:51, Mark Thomas wrote: On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 This has been fixed for all

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 On Dec 8, 2023, at 03:55, Nicolas BONAMY wrote: Hi, I try to use

Re: JAVA -tomcat- Request header is too large

2023-12-07 Thread Mark Thomas
On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header  Note: further occurrences of HTTP request

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-12-06 Thread Mark Thomas
ode. Additional info - I've set the session timeout to 10minutes. The app uses Java 17 with Spring Boot 3.1.x stack. It does not use any external STOMP broker relay. Regards, Jakub. On 2023/08/20 22:44:46 Mark Thomas wrote: On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wr

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 15:15, Burle, Saicharan wrote: Hi Mark/Chris, We are getting this error without even deploying any application. Then start looking at your network to see what is sending this invalid data to Tomcat. Mark -

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 09:45, Burle, Saicharan wrote: Hi All, I am trying to build a tomcat instance in a net new server and getting the below error while starting. Although instance has come up but I am unable to debug the below error. Can someone please assist in this regard?
