[GitHub] [tomcat] michael-o opened a new pull request #225: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) an…
michael-o opened a new pull request #225: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) an… URL: https://github.com/apache/tomcat/pull/225 …d friends @markt-asf Please have a look, I have added new public methods to the API. Hopefully, I have integrated them properly into the system. Tests are all green for master, 8.5.x, 7.0.x. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 63875] Tomcat 8.5.46, APR/libtcnative crashes
https://bz.apache.org/bugzilla/show_bug.cgi?id=63875

Remy Maucherat changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution | ---      | INVALID

--- Comment #19 from Remy Maucherat ---
Since this was using embedded with a crash only on shutdown, and given comment 17, I would say the issue was some sort of misuse of the AprLifecycleListener or the handling of the native library. The debug given didn't show an issue with the SSL context close (all it does is prevent a crash caused by a double free).
[Bug 63949] ERR_INCOMPLETE_CHUNKED_ENCODING errors when using NIO Connector with HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=63949

Remy Maucherat changed:

What   | Removed | Added
Status | NEW     | NEEDINFO
OS     |         | All

--- Comment #1 from Remy Maucherat ---
-1 for the patch, you're doing a blocking write, so it "works". We'll examine the issue eventually, but it most likely works fine as is. If it is non blocking, the "selector" was not doing any magic, it simply does a non blocking write, hence the patch.
[Bug 63949] New: ERR_INCOMPLETE_CHUNKED_ENCODING errors when using NIO Connector with HTTPS
https://bz.apache.org/bugzilla/show_bug.cgi?id=63949

Bug ID: 63949
Summary: ERR_INCOMPLETE_CHUNKED_ENCODING errors when using NIO Connector with HTTPS
Product: Tomcat 9
Version: 9.0.20
Hardware: Macintosh
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: justin.w...@edge-technologies.com
Target Milestone: -

Created attachment 36892
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36892=edit
patch for NioEndpoint to use pool writes when blocking & non-blocking

Product: Tomcat 9.0.20+
Component: tomcat/java/org/apache/tomcat/util/net/NioEndpoint.java
Platform: macOS Mojave 10.14.6
Java version: 1.8.0_202 (Oracle Corporation)

Using the NIO Connector with SSL, I am seeing issues with the chunked responses. It's been sporadic, but repeatable with my application within 20 attempts (though usually just the first after a fresh start is enough). Tried on 8.5.40 and 8.5.47, and did not experience the issue.

It shows up in Chrome as:

> net::ERR_INCOMPLETE_CHUNKED_ENCODING

Going back to older Tomcat versions, we were able to narrow it down to 9.0.20 being the first version with the issue, specifically this commit:
https://github.com/apache/tomcat/commit/4377d2db40

With the move to a straight write during non-blocking writes, the case for a non-blocking write with a shared selector is different. By reverting back to a pool write, I was able to fix the issue.

Attached patch applies to master branch, commit 0872b1a498610b008acbdaa719895ae15370359a.
Re: [tomcat] branch 8.5.x updated: Add RFC references.
Thu, 21 Nov 2019 at 20:14, :
> > This is an automated email from the ASF dual-hosted git repository. > > schultz pushed a commit to branch 8.5.x > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/8.5.x by this push: > new fdf0ba0 Add RFC references. > fdf0ba0 is described below > > commit fdf0ba0aaebaffd588077defea0f56d6ba81396e > Author: Christopher Schultz > AuthorDate: Thu Nov 21 11:17:54 2019 -0500 > > Add RFC references. > --- > java/org/apache/catalina/servlets/WebdavServlet.java | 7 ++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java > b/java/org/apache/catalina/servlets/WebdavServlet.java > index ef5573d..f870443 100644 > --- a/java/org/apache/catalina/servlets/WebdavServlet.java > +++ b/java/org/apache/catalina/servlets/WebdavServlet.java > @@ -61,7 +61,10 @@ import org.xml.sax.InputSource; > import org.xml.sax.SAXException; > > /** > - * Servlet which adds support for WebDAV level 2. All the basic HTTP requests > + * Servlet which adds support for > + * https://tools.ietf.org/html/rfc4918;>WebDAV > + * https://tools.ietf.org/html/rfc4918#section-18;>level 2. > + * All the basic HTTP requests > * are handled by the DefaultServlet. The WebDAVServlet must not be used as > the > * default servlet (ie mapped to '/') as it will not work in this > configuration. > * 
> @@ -120,6 +123,8 @@ import org.xml.sax.SAXException; > * http://host:port/context/webdavedit/content > * > * @author Remy Maucherat > + * > + * @see https://tools.ietf.org/html/rfc4918 > */

This change triggered a compilation failure at Buildbot, see
https://ci.apache.org/builders/tomcat-85-trunk/builds/2053

IIRC, if a plain URL is used in a '@see' tag it should be in double quotes,

@see "https://tools.ietf.org/html/rfc4918"

Best regards,
Konstantin Kolinko
Re: Using CSRF prevention filter with session-timeout workflow resumption
Wed, 20 Nov 2019 at 23:36, Christopher Schultz:
>
> All,
>
> The servlet spec defines the workflow for form-based authentication: if the client requests a protected resource, an authorization check is performed. If the user is unauthenticated, the login form is shown. Successful login allows the user to be sent to the originally-requested resource.
>
> This works great to allow users to pick-up workflows where they left-off in the case of session timeout: once authenticated, the user is sent back to the page they were trying to get to originally, including a potential re-POST of form data, for example.
>
> With the CSRF prevention filter in-place, this then causes an error (well, CSRF policy violation == forbidden response) because the nonce originally added to the request's query string no longer matches a valid nonce on the server.
>
> This can be considered both good and bad behavior. Good: if handed a forged nonce from an attacker, the nonce will not be valid if the user is asked to login. Session-fixation attacks could get an attacker around this. Bad: it completely and totally breaks workflow-resumption.
>
> I'm looking for a way around this because I *really* like the fact that you can resume a workflow after re-authenticating.
>
> (I happen to be using a 3rd-party authentication and authorization library implemented as a Filter and I'm having some issues with getting that working as well, but the problem exists with the stock Tomcat authenticators.)
>
> Is there a safe way to implement workflow-resumption in the presence of the CSRF prevention filter? Or even under *any* CSRF scheme?

1. I think you need to look at specific examples.

E.g. with Tomcat Manager web application, do you want to resume such an operation?

Possible scenarios:

1) The operation was triggered from a stale page
E.g. the top page was open for more than 30 minutes and one tries to stop a web application, or to upload a new one.

2) The operation was triggered by following a bookmark in a browser

3) The operation was triggered by following a link prepared by an attacker

4) An attacker triggers a link silently, e.g. using it as a src address for an image.

2. I think that resuming an operation

a) needs some clear confirmation from a user.

b) should be distinct from any other confirmation. E.g. not to be confused with an authentication prompt.

c) it should be clear to a user what specific operation is being resumed. So that an attacker (in scenario 3)) cannot trick you into performing a different operation than what you were expecting.

3. I think that a lot can be done with a custom 403 page if there is an indication that the 403 response was triggered by a CSRF filter.

At least we can make the 403 page in Tomcat Manager more friendly in case the rejection was caused by CSRF protection.

We already have some request attributes that indicate that there was a problem with processing of a request,

org.apache.catalina.parameter_parse_failed
org.apache.catalina.parameter_parse_failed_reason

I use them in configurations for AccessLogValve.

Maybe we could introduce similar features for the rejections generated by CsrfPreventionFilter, CorsFilter, RemoteAddrFilter / RemoteAddrValve, so that the cause of rejection could be visible in an access log and so that one could prepare a custom error page.

Best regards,
Konstantin Kolinko
buildbot failure in on tomcat-85-trunk
The Buildbot has detected a new failure on builder tomcat-85-trunk while building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-85-trunk/builds/2053

Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf946_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-85-commit' triggered this build
Build Source Stamp: [branch 8.5.x] fdf0ba0aaebaffd588077defea0f56d6ba81396e
Blamelist: Christopher Schultz

BUILD FAILED: failed compile

Sincerely,
-The Buildbot
[tomcat] branch 8.5.x updated: Add RFC references.
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new fdf0ba0 Add RFC references. fdf0ba0 is described below commit fdf0ba0aaebaffd588077defea0f56d6ba81396e Author: Christopher Schultz AuthorDate: Thu Nov 21 11:17:54 2019 -0500 Add RFC references. --- java/org/apache/catalina/servlets/WebdavServlet.java | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java index ef5573d..f870443 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java +++ b/java/org/apache/catalina/servlets/WebdavServlet.java @@ -61,7 +61,10 @@ import org.xml.sax.InputSource; import org.xml.sax.SAXException; /** - * Servlet which adds support for WebDAV level 2. All the basic HTTP requests + * Servlet which adds support for + * https://tools.ietf.org/html/rfc4918;>WebDAV + * https://tools.ietf.org/html/rfc4918#section-18;>level 2. + * All the basic HTTP requests * are handled by the DefaultServlet. The WebDAVServlet must not be used as the * default servlet (ie mapped to '/') as it will not work in this configuration. * @@ -120,6 +123,8 @@ import org.xml.sax.SAXException; * http://host:port/context/webdavedit/content * * @author Remy Maucherat + * + * @see https://tools.ietf.org/html/rfc4918 */ public class WebdavServlet extends DefaultServlet { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
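Review bot: The `@see https://tools.ietf.org/html/rfc4918` line added in the second hunk (`@@ -120,6 +123,8 @@`) is a bare URL, which is not one of the forms the Javadoc `@see` tag accepts (a double-quoted string, an HTML link, or a reference to a program element). Quote the URL or write it as an HTML link. The tomcat-85-trunk build for this commit (fdf0ba0) is reported on this list as failing at the compile step, and the same line is in the 7.0.x and master versions of the commit, so the fix is needed on all three branches.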
[tomcat] branch 7.0.x updated: Add RFC references.
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new 55a73c1 Add RFC references. 55a73c1 is described below commit 55a73c1ddbdf7a4864ab9bc0a612e11aeb5d8776 Author: Christopher Schultz AuthorDate: Thu Nov 21 11:17:54 2019 -0500 Add RFC references. --- java/org/apache/catalina/servlets/WebdavServlet.java | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java index ebe86f2..e4c19cb 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java +++ b/java/org/apache/catalina/servlets/WebdavServlet.java @@ -68,7 +68,10 @@ import org.xml.sax.InputSource; import org.xml.sax.SAXException; /** - * Servlet which adds support for WebDAV level 2. All the basic HTTP requests + * Servlet which adds support for + * https://tools.ietf.org/html/rfc4918;>WebDAV + * https://tools.ietf.org/html/rfc4918#section-18;>level 2. + * All the basic HTTP requests * are handled by the DefaultServlet. The WebDAVServlet must not be used as the * default servlet (ie mapped to '/') as it will not work in this configuration. * @@ -127,6 +130,8 @@ import org.xml.sax.SAXException; * http://host:port/context/webdavedit/content * * @author Remy Maucherat + * + * @see https://tools.ietf.org/html/rfc4918 */ public class WebdavServlet extends DefaultServlet { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch BZ-63681/9.0.x created (now 9062436)
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63681/9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git.

at 9062436 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends

This branch includes the following new commits:

new 9062436 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
[tomcat] 01/01: BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch BZ-63681/9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 90624364edd1115cceb47e7bc4ece5828a0e62d2 Author: Michael Osipov AuthorDate: Wed Aug 21 23:23:19 2019 +0200 BZ 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends --- java/org/apache/catalina/Realm.java | 13 + java/org/apache/catalina/realm/CombinedRealm.java | 33 + java/org/apache/catalina/realm/LockOutRealm.java | 13 + java/org/apache/catalina/realm/RealmBase.java | 58 +++ webapps/docs/changelog.xml| 8 5 files changed, 115 insertions(+), 10 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 7785ec2..6f5d2c7 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -25,6 +25,8 @@ import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.tomcat.util.descriptor.web.SecurityConstraint; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSName; /** * A Realm is a read-only facade for an underlying security realm @@ -117,6 +119,17 @@ public interface Realm extends Contained { /** + * Try to authenticate using a {@link GSSName} + * + * @param gssName The {@link GSSName} of the principal to look up + * @param gssCredential The {@link GSSCredential} of the principal, may be + * {@code null} + * @return the associated principal, or {@code null} if there is none + */ +public Principal authenticate(GSSName gssName, GSSCredential gssCredential); + + +/** * Try to authenticate using {@link X509Certificate}s * * @param certs Array of client certificates, with the first one in diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 6a73b0f..6bbc238 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java 
+++ b/java/org/apache/catalina/realm/CombinedRealm.java @@ -32,6 +32,7 @@ import org.apache.catalina.Realm; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; @@ -386,6 +387,38 @@ public class CombinedRealm extends RealmBase { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +Principal authenticatedUser = null; +String username = gssName.toString(); + +for (Realm realm : realms) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authStart", +username, realm.getClass().getName())); +} + +authenticatedUser = realm.authenticate(gssName, gssCredential); + +if (authenticatedUser == null) { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authFail", +username, realm.getClass().getName())); +} +} else { +if (log.isDebugEnabled()) { +log.debug(sm.getString("combinedRealm.authSuccess", +username, realm.getClass().getName())); +} +break; +} +} +return authenticatedUser; +} + @Override protected String getPassword(String username) { // This method should never be called diff --git a/java/org/apache/catalina/realm/LockOutRealm.java b/java/org/apache/catalina/realm/LockOutRealm.java index aa4820a..28ce315 100644 --- a/java/org/apache/catalina/realm/LockOutRealm.java +++ b/java/org/apache/catalina/realm/LockOutRealm.java @@ -27,6 +27,7 @@ import org.apache.catalina.LifecycleException; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSName; 
@@ -200,6 +201,18 @@ public class LockOutRealm extends CombinedRealm { return null; } +/** + * {@inheritDoc} + */ +@Override +public Principal authenticate(GSSName gssName, GSSCredential gssCredential) { +String username = gssName.toString(); + +Principal authenticatedUser = super.authenticate(gssName, gssCredential); + +return filterLockedAccounts(username, authenticatedUser); +} + /* * Filters authenticated principals to ensure that null is diff --git a/java/org/apache/catalina/realm/RealmBase.java
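Review bot: In the `Realm.java` hunk, `authenticate(GSSName, GSSCredential)` is added to the public `Realm` interface as an abstract method, so any Realm that implements the interface directly instead of extending `RealmBase` stops compiling against this version. Give it a default implementation on branches whose minimum Java version allows default methods, or call out the API break in the changelog entry. The Javadoc also says `gssCredential` may be `null` but is silent on `gssName`; state whether `null` is permitted there.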
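Review bot: In the `CombinedRealm.java` hunk, `String username = gssName.toString();` dereferences `gssName` unconditionally before the loop, although `username` is used only inside the `log.isDebugEnabled()` branches. A `null` name therefore ends in a NullPointerException instead of the `null` return the new interface Javadoc describes for "no principal". Add a null check up front, or document the parameter as non-null in `Realm`.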
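Review bot: In the `LockOutRealm.java` hunk, the key passed to `filterLockedAccounts` is `gssName.toString()`, the GSS name exactly as printed. Check that this is the same string the other `authenticate` overloads in this class use for the same account; if the forms differ, attempts arriving through this overload are tracked under a different key from the rest, which weakens the lock-out. A short comment stating which name form is expected here would settle it.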
[tomcat] branch 8.5.x updated: Port current version of the async API
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new f627f8e Port current version of the async API f627f8e is described below commit f627f8e9ea2761960af8248b86d77515b4478f42 Author: remm AuthorDate: Thu Nov 21 17:29:27 2019 +0100 Port current version of the async API Add async IO to APR and NIO. Add vectoring to the NioChannel. NIO2 code is pulled up in the superclass. This reduces the differences between the connectors from 9.0 and 8.5. I will continue backporting other now tested refactorings to reduce the differences. --- .../catalina/security/SecurityClassLoad.java | 6 +- java/org/apache/tomcat/util/net/AprEndpoint.java | 126 +++- java/org/apache/tomcat/util/net/Nio2Endpoint.java | 311 +-- java/org/apache/tomcat/util/net/NioChannel.java| 27 +- java/org/apache/tomcat/util/net/NioEndpoint.java | 109 +++ .../apache/tomcat/util/net/SecureNioChannel.java | 145 + .../apache/tomcat/util/net/SocketWrapperBase.java | 335 - webapps/docs/changelog.xml | 6 + 8 files changed, 820 insertions(+), 245 deletions(-) diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java b/java/org/apache/catalina/security/SecurityClassLoad.java index b6e2be7..5afa0a0 100644 --- a/java/org/apache/catalina/security/SecurityClassLoad.java +++ b/java/org/apache/catalina/security/SecurityClassLoad.java 
@@ -183,12 +183,14 @@ public final class SecurityClassLoad { loader.loadClass(basePackage + "util.net.NioBlockingSelector$BlockPoller$RunnableAdd"); loader.loadClass(basePackage + "util.net.NioBlockingSelector$BlockPoller$RunnableCancel"); loader.loadClass(basePackage + "util.net.NioBlockingSelector$BlockPoller$RunnableRemove"); -loader.loadClass(basePackage + "util.net.Nio2Endpoint$Nio2SocketWrapper$OperationState"); -loader.loadClass(basePackage + "util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler"); +loader.loadClass(basePackage + "util.net.AprEndpoint$AprSocketWrapper$AprOperationState"); +loader.loadClass(basePackage + "util.net.NioEndpoint$NioSocketWrapper$NioOperationState"); +loader.loadClass(basePackage + "util.net.Nio2Endpoint$Nio2SocketWrapper$Nio2OperationState"); loader.loadClass(basePackage + "util.net.SocketWrapperBase$BlockingMode"); loader.loadClass(basePackage + "util.net.SocketWrapperBase$CompletionCheck"); loader.loadClass(basePackage + "util.net.SocketWrapperBase$CompletionHandlerCall"); loader.loadClass(basePackage + "util.net.SocketWrapperBase$CompletionState"); +loader.loadClass(basePackage + "util.net.SocketWrapperBase$VectoredIOCompletionHandler"); // security loader.loadClass(basePackage + "util.security.PrivilegedGetTccl"); loader.loadClass(basePackage + "util.security.PrivilegedSetTccl"); diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java index 460b075..d325b3c 100644 --- a/java/org/apache/tomcat/util/net/AprEndpoint.java +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java @@ -21,6 +21,7 @@ import java.io.IOException; import java.net.InetSocketAddress; import java.net.SocketTimeoutException; import java.nio.ByteBuffer; +import java.nio.channels.CompletionHandler; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.HashMap; 
@@ -28,6 +29,8 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.RejectedExecutionException; +import java.util.concurrent.Semaphore; +import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock; @@ -112,6 +115,11 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallBack { // Constructor public AprEndpoint() { +// Asynchronous IO has significantly lower performance with APR: +// - no IO vectoring +// - mandatory use of direct buffers forces output buffering +// - needs extra output flushes due to buffering +setUseAsyncIO(false); // Need to override the default for maxConnections to align it with what // was pollerSize (before the two were merged) setMaxConnections(8 * 1024); @@ -1178,7 +1186,7 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallBack { while (info != null) { // Make sure we aren't trying add the socket as well as close it
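Review bot: In the `SecurityClassLoad.java` hunk the preloaded classes are named by string concatenation, so the renames in this commit (`Nio2SocketWrapper$OperationState` to `Nio2OperationState`, `VectoredIOCompletionHandler` moved under `SocketWrapperBase`, plus the new `AprOperationState` and `NioOperationState`) are not checked by the compiler. A mismatch would surface only when this preload code actually runs, so confirm each name against the nested classes the commit defines and exercise the preload path in the test run before the backport is considered done.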
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/4761

Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf946_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build
Build Source Stamp: [branch master] 0872b1a498610b008acbdaa719895ae15370359a
Blamelist: Christopher Schultz

BUILD FAILED: failed compile

Sincerely,
-The Buildbot
Re: Using CSRF prevention filter with session-timeout workflow resumption
> Mark,
>
> On 11/21/19 04:00, Mark Thomas wrote:
>>> All,
>>>
>>> The servlet spec defines the workflow for form-based authentication: if the client requests a protected resource, an authorization check is performed. If the user is unauthenticated, the login form is shown. Successful login allows the user to be sent to the originally-requested resource.
>>>
>>> This works great to allow users to pick-up workflows where they left-off in the case of session timeout: once authenticated, the user is sent back to the page they were trying to get to originally, including a potential re-POST of form data, for example.
>>>
>>> With the CSRF prevention filter in-place, this then causes an error (well, CSRF policy violation == forbidden response) because the nonce originally added to the request's query string no longer matches a valid nonce on the server.
>>>
>>> This can be considered both good and bad behavior. Good: if handed a forged nonce from an attacker, the nonce will not be valid if the user is asked to login. Session-fixation attacks could get an attacker around this. Bad: it completely and totally breaks workflow-resumption.
>>>
>>> I'm looking for a way around this because I *really* like the fact that you can resume a workflow after re-authenticating.
>>>
>>> (I happen to be using a 3rd-party authentication and authorization library implemented as a Filter and I'm having some issues with getting that working as well, but the problem exists with the stock Tomcat authenticators.)
>>>
>>> Is there a safe way to implement workflow-resumption in the presence of the CSRF prevention filter? Or even under *any* CSRF scheme?
>
>> Use an Origin based protection?
>
> So something like CORS? I haven't dived into CORS, yet. Is it fair to say that CSRF might be a simpler and less powerful standard while CORS is a replacement for it? Or do they serve different use-cases?

Different use cases.

Origin based CSRF protection is considered less effective than token based (I'm only going on what I read - I haven't dug into the whys) but it should be sufficient for the scenario you describe.

Mark
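
The Origin based protection suggested in this thread, together with the earlier proposal to expose the cause of a rejection as a request attribute, could take the shape of the servlet filter below. It is an added example, not Tomcat code and not code from any poster in the thread; the class name, the `allowedOrigins` init parameter and the `example.csrf.reject_reason` attribute are assumptions, and it needs the `javax.servlet` API on the classpath.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat code): stateless Origin/Referer check for
 * state-changing requests. It keeps no per-session nonce, so nothing it
 * relies on is lost when the session times out.
 */
public class OriginCheckFilter implements Filter {

    /** Hypothetical attribute name; readable from an error page or an access log pattern. */
    public static final String REJECT_REASON_ATTR = "example.csrf.reject_reason";

    /** Methods treated as read-only. Only valid if the application never changes state on them. */
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    private final Set<String> allowedOrigins = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param: comma-separated list such as "https://app.example.org".
        String param = config.getInitParameter("allowedOrigins");
        if (param != null) {
            for (String entry : param.split(",")) {
                String origin = normalize(entry.trim());
                if (origin != null) {
                    allowedOrigins.add(origin);
                }
            }
        }
        if (allowedOrigins.isEmpty()) {
            // Fail closed: refuse to start rather than run with no allow-list.
            throw new ServletException("allowedOrigins must name at least one origin");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!SAFE_METHODS.contains(request.getMethod())) {
            String reason = rejectReason(request.getHeader("Origin"), request.getHeader("Referer"));
            if (reason != null) {
                // Record why, then answer 403; the attribute survives the error dispatch.
                request.setAttribute(REJECT_REASON_ATTR, reason);
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the request may proceed, otherwise a short reason. */
    String rejectReason(String origin, String referer) {
        String source = (origin != null) ? origin : referer;
        if (source == null) {
            return "no Origin or Referer header";
        }
        String normalized = normalize(source);
        if (normalized == null) {
            return "opaque or unparseable source origin"; // includes the literal "null"
        }
        return allowedOrigins.contains(normalized) ? null : "origin not allowed: " + normalized;
    }

    /** Reduces a URL or origin to scheme://host:port with default ports made explicit. */
    static String normalize(String value) {
        try {
            URI uri = new URI(value);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null;
            }
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            if (port == -1) {
                if (scheme.equals("https")) {
                    port = 443;
                } else if (scheme.equals("http")) {
                    port = 80;
                } else {
                    return null;
                }
            }
            return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

With the filter mapped in `web.xml`, an AccessLogValve pattern containing `%{example.csrf.reject_reason}r` writes the recorded reason to the access log, and a custom 403 page can read the same attribute.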
[tomcat] branch master updated: Add RFC references.
This is an automated email from the ASF dual-hosted git repository. schultz pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 0872b1a Add RFC references. 0872b1a is described below commit 0872b1a498610b008acbdaa719895ae15370359a Author: Christopher Schultz AuthorDate: Thu Nov 21 11:17:54 2019 -0500 Add RFC references. --- java/org/apache/catalina/servlets/WebdavServlet.java | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java index ef5573d..f870443 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java +++ b/java/org/apache/catalina/servlets/WebdavServlet.java @@ -61,7 +61,10 @@ import org.xml.sax.InputSource; import org.xml.sax.SAXException; /** - * Servlet which adds support for WebDAV level 2. All the basic HTTP requests + * Servlet which adds support for + * https://tools.ietf.org/html/rfc4918;>WebDAV + * https://tools.ietf.org/html/rfc4918#section-18;>level 2. + * All the basic HTTP requests * are handled by the DefaultServlet. The WebDAVServlet must not be used as the * default servlet (ie mapped to '/') as it will not work in this configuration. * @@ -120,6 +123,8 @@ import org.xml.sax.SAXException; * http://host:port/context/webdavedit/content * * @author Remy Maucherat + * + * @see https://tools.ietf.org/html/rfc4918 */ public class WebdavServlet extends DefaultServlet { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Using CSRF prevention filter with session-timeout workflow resumption
Mark,

On 11/21/19 04:00, Mark Thomas wrote:
>> All,
>>
>> The servlet spec defines the workflow for form-based authentication: if the client requests a protected resource, an authorization check is performed. If the user is unauthenticated, the login form is shown. Successful login allows the user to be sent to the originally-requested resource.
>>
>> This works great to allow users to pick-up workflows where they left-off in the case of session timeout: once authenticated, the user is sent back to the page they were trying to get to originally, including a potential re-POST of form data, for example.
>>
>> With the CSRF prevention filter in-place, this then causes an error (well, CSRF policy violation == forbidden response) because the nonce originally added to the request's query string no longer matches a valid nonce on the server.
>>
>> This can be considered both good and bad behavior. Good: if handed a forged nonce from an attacker, the nonce will not be valid if the user is asked to login. Session-fixation attacks could get an attacker around this. Bad: it completely and totally breaks workflow-resumption.
>>
>> I'm looking for a way around this because I *really* like the fact that you can resume a workflow after re-authenticating.
>>
>> (I happen to be using a 3rd-party authentication and authorization library implemented as a Filter and I'm having some issues with getting that working as well, but the problem exists with the stock Tomcat authenticators.)
>>
>> Is there a safe way to implement workflow-resumption in the presence of the CSRF prevention filter? Or even under *any* CSRF scheme?
>
> Use an Origin based protection?

So something like CORS? I haven't dived into CORS, yet. Is it fair to say that CSRF might be a simpler and less powerful standard while CORS is a replacement for it? Or do they serve different use-cases?
-chris
[Bug 63948] MultipartFile upload big files over HTTP/2 broken
https://bz.apache.org/bugzilla/show_bug.cgi?id=63948

Andy Wilkinson changed:

What | Removed | Added
CC   |         | awilkin...@pivotal.io
[Bug 63859] AJP cping/cpong mode failing on Tomcat 9.x
https://bz.apache.org/bugzilla/show_bug.cgi?id=63859

Aurelien Pernoud changed:

What   | Removed | Added
Status | NEW     | NEEDINFO

--- Comment #20 from Aurelien Pernoud ---
Hi Mark,

I deployed your version with FINE debug as before, so far the server didn't catch fire which is pretty cool, as soon as I have the error (kept only CI mode) I will provide you the logs.

Definitely appreciate your help on this one.
[Bug 63948] New: MultipartFile upload big files over HTTP/2 broken
https://bz.apache.org/bugzilla/show_bug.cgi?id=63948 Bug ID: 63948 Summary: MultipartFile upload big files over HTTP/2 broken Product: Tomcat 9 Version: 9.0.29 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: rodrigoda...@gmail.com Target Milestone: - Hi. When I upload a big file per http2 using the http upload methods, a stream error occurs and the connection is severed from sending the file. However, if I turn off http2 the file is sent normally. The error occurs when I upload files larger than 1mb (but it's not accurate) using angular 8 by JSON REST post (observable); if I use Postman and send the same file, the error does not happen. As a workaround, I changed the application.properties setting to: server.http2.enabled=false But I would like to use http2. This is my environment: Spring Boot 2.2.1.RELEASE, Tomcat native version of Spring Boot (Apache Tomcat/9.0.27) And Java 11 Oracle: java 11.0.5 2019-10-15 LTS Java(TM) SE Runtime Environment 18.9 (build 11.0.5+10-LTS) Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode) Here is a sample code of use: https://github.com/darckyn/test-http2 And here is the discussion about this in Spring Boot GitHub: https://github.com/spring-projects/spring-boot/issues/18806 Thx StackTrace: org.apache.catalina.connector.ClientAbortException: org.apache.coyote.CloseNowException: Connection [3], Stream [1], This stream is not writable at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:309) ~[tomcat-embed-core-9.0.27.jar:9.0.27] at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:272) ~[tomcat-embed-core-9.0.27.jar:9.0.27] at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:118) ~[tomcat-embed-core-9.0.27.jar:9.0.27] at com.fasterxml.jackson.core.json.UTF8JsonGenerator.flush(UTF8JsonGenerator.java:1153) ~[jackson-core-2.10.0.jar:2.10.0] at 
com.fasterxml.jackson.databind.ObjectWriter.writeValue(ObjectWriter.java:923) ~[jackson-databind-2.10.0.jar:2.10.0] at org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter.writeInternal(AbstractJackson2HttpMessageConverter.java:287) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.http.converter.AbstractGenericHttpMessageConverter.write(AbstractGenericHttpMessageConverter.java:104) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor.writeWithMessageConverters(AbstractMessageConverterMethodProcessor.java:295) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor.handleReturnValue(HttpEntityMethodProcessor.java:226) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.method.support.HandlerMethodReturnValueHandlerComposite.handleReturnValue(HandlerMethodReturnValueHandlerComposite.java:82) ~[spring-web-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:124) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:888) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) ~[tomcat-embed-core-9.0.27.jar:9.0.27] at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE] at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[Bug 63865] Cookie Attribute SameSite=None is default to unset in Chrome browser
https://bz.apache.org/bugzilla/show_bug.cgi?id=63865 Mark Thomas changed: What|Removed |Added CC||matthew.buck...@ctl.ox.ac.uk --- Comment #6 from Mark Thomas --- *** Bug 63947 has been marked as a duplicate of this bug. ***
[Bug 63947] Rfc6265CookieProcessor won't output SameSite=None
https://bz.apache.org/bugzilla/show_bug.cgi?id=63947 Mark Thomas changed: What|Removed |Added Resolution|--- |DUPLICATE Status|NEW |RESOLVED --- Comment #1 from Mark Thomas --- *** This bug has been marked as a duplicate of bug 63865 ***
[tomcat] branch 7.0.x updated: Fix typos
This is an automated email from the ASF dual-hosted git repository. violetagg pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/7.0.x by this push: new c0e753e2 Fix typos c0e753e2 is described below commit c0e753e2ed1ad0d8e5ec5cd2f40698bb1a374179 Author: Violeta Georgieva AuthorDate: Thu Nov 21 13:12:17 2019 +0200 Fix typos --- webapps/docs/changelog.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 695e3ae..7edef03 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -175,7 +175,7 @@ 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz from the binary zip distributions for Windows since compiled versions of those components are already -included within the zip distriubutions. (markt) +included within the zip distributions. (markt) 63833: Fix an error in the generification of the copied @@ -213,7 +213,7 @@ 57665: Add support for the X-Forwarded-Host -header to the RemoteIpFilter and RemotepValve. +header to the RemoteIpFilter and RemoteIpValve. (markt) @@ -454,7 +454,7 @@ When performing a silent install with the Windows Installer, ensure that -the registry entires are added to the 64-bit registry when using a +the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix typos
This is an automated email from the ASF dual-hosted git repository. violetagg pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 31ea629 Fix typos 31ea629 is described below commit 31ea629f7e2199af5fad7a773f8989c499791845 Author: Violeta Georgieva AuthorDate: Thu Nov 21 12:59:04 2019 +0200 Fix typos (cherry picked from commit 18d1dbf2f84b7e68e40b7a37256c0ff34f71553f) --- webapps/docs/changelog.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8d9a8e1..2381942 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -245,7 +245,7 @@ 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz from the binary zip distributions for Windows since compiled versions of those components are already -included within the zip distriubutions. (markt) +included within the zip distributions. (markt) 63838: Suppress reflexive access warnings when running the @@ -492,7 +492,7 @@ When performing a silent install with the Windows Installer, ensure that -the registry entires are added to the 64-bit registry when using a +the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch master updated: Fix typos
This is an automated email from the ASF dual-hosted git repository. violetagg pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 18d1dbf Fix typos 18d1dbf is described below commit 18d1dbf2f84b7e68e40b7a37256c0ff34f71553f Author: Violeta Georgieva AuthorDate: Thu Nov 21 12:59:04 2019 +0200 Fix typos --- webapps/docs/changelog.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7b66046..8ed612f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -272,7 +272,7 @@ 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz from the binary zip distributions for Windows since compiled versions of those components are already -included within the zip distriubutions. (markt) +included within the zip distributions. (markt) 63838: Suppress reflexive access warnings when running the @@ -572,7 +572,7 @@ When performing a silent install with the Windows Installer, ensure that -the registry entires are added to the 64-bit registry when using a +the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r36860 - /dev/tomcat/tomcat-7/v7.0.97/
Author: violetagg Date: Thu Nov 21 10:36:20 2019 New Revision: 36860 Log: Tomcat 7.0.97 vote did not pass Removed: dev/tomcat/tomcat-7/v7.0.97/
[tomcat] branch master updated: Pull down APR specific lock structure
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new a472f6a Pull down APR specific lock structure a472f6a is described below commit a472f6af67a7cc03fe42a55cfaa7902933117afd Author: remm AuthorDate: Thu Nov 21 11:28:07 2019 +0100 Pull down APR specific lock structure They would otherwise be allocated for NIOx but are not used at all. --- java/org/apache/tomcat/util/net/AprEndpoint.java | 21 ++ .../apache/tomcat/util/net/SocketWrapperBase.java | 32 +++--- 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java index f34ccf3..10322da 100644 --- a/java/org/apache/tomcat/util/net/AprEndpoint.java +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java @@ -32,6 +32,7 @@ import java.util.concurrent.Semaphore; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantReadWriteLock; import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock; import javax.net.ssl.KeyManager; 
@@ -2020,9 +2021,21 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallB // This field should only be used by Poller#run() private int pollerFlags = 0; +/* + * Used if block/non-blocking is set at the socket level. The client is + * responsible for the thread-safe use of this field via the locks provided. + */ +private volatile boolean blockingStatus = true; +private final Lock blockingStatusReadLock; +private final WriteLock blockingStatusWriteLock; + public AprSocketWrapper(Long socket, AprEndpoint endpoint) { super(socket, endpoint); +ReentrantReadWriteLock lock = new ReentrantReadWriteLock(); +this.blockingStatusReadLock = lock.readLock(); +this.blockingStatusWriteLock = lock.writeLock(); + // TODO Make the socketWriteBuffer size configurable and align the // SSL and app buffer size settings with NIO & NIO2. if (endpoint.isSSLEnabled()) { @@ -2035,6 +2048,14 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallB socketBufferHandler = new SocketBufferHandler(6 * 1500, 6 * 1500, true); } +public boolean getBlockingStatus() { return blockingStatus; } +public void setBlockingStatus(boolean blockingStatus) { +this.blockingStatus = blockingStatus; +} +public Lock getBlockingStatusReadLock() { return blockingStatusReadLock; } +public WriteLock getBlockingStatusWriteLock() { +return blockingStatusWriteLock; +} @Override public int read(boolean block, byte[] b, int off, int len) throws IOException { diff --git a/java/org/apache/tomcat/util/net/SocketWrapperBase.java b/java/org/apache/tomcat/util/net/SocketWrapperBase.java index 1b700cb..e81eb26 100644 --- a/java/org/apache/tomcat/util/net/SocketWrapperBase.java +++ b/java/org/apache/tomcat/util/net/SocketWrapperBase.java 
@@ -29,9 +29,6 @@ import java.util.concurrent.RejectedExecutionException; import java.util.concurrent.Semaphore; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicBoolean; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantReadWriteLock; -import java.util.concurrent.locks.ReentrantReadWriteLock.WriteLock; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -58,6 +55,7 @@ public abstract class SocketWrapperBase { private volatile boolean upgraded = false; private boolean secure = false; private String negotiatedProtocol = null; + /* * Following cached for speed / reduced GC */ @@ -67,14 +65,8 @@ public abstract class SocketWrapperBase { protected String remoteAddr = null; protected String remoteHost = null; protected int remotePort = -1; -/* - * Used if block/non-blocking is set at the socket level. The client is - * responsible for the thread-safe use of this field via the locks provided. - */ -private volatile boolean blockingStatus = true; -private final Lock blockingStatusReadLock; -private final WriteLock blockingStatusWriteLock; -/* + +/** * Used to record the first IOException that occurs during non-blocking * read/writes that can't be usefully propagated up the stack since there is * no user code or appropriate container code in the stack to handle it. @@ -103,19 +95,23 @@ public abstract class SocketWrapperBase { */ protected final WriteBuffer
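Review bot: The four accessors added to AprSocketWrapper just before read() (getBlockingStatus, setBlockingStatus, getBlockingStatusReadLock, getBlockingStatusWriteLock) are public and carry no Javadoc, while the field comment moved in with them says the client is responsible for thread-safe use via the locks. Suggest stating on each accessor which lock the caller must hold around getBlockingStatus() and setBlockingStatus(), and narrowing their visibility if only AprEndpoint code calls them now that they no longer live on SocketWrapperBase.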
[Bug 63947] New: Rfc6265CookieProcessor won't output SameSite=None
https://bz.apache.org/bugzilla/show_bug.cgi?id=63947 Bug ID: 63947 Summary: Rfc6265CookieProcessor won't output SameSite=None Product: Tomcat 9 Version: 9.0.27 Hardware: PC OS: Mac OS X 10.1 Status: NEW Severity: normal Priority: P2 Component: Util Assignee: dev@tomcat.apache.org Reporter: matthew.buck...@ctl.ox.ac.uk Target Milestone: - The upcoming change to Google Chrome will mean that any cookie without a SameSite=None attribute will be treated as though it has SameSite=Lax (https://www.chromestatus.com/feature/5088147346030592). Currently the Rfc6265CookieProcessor doesn't allow you to output a SameSite=None attribute: when you try, the cookie processor ignores it, as previously not outputting the value was equivalent. Could we allow the Rfc6265CookieProcessor to output SameSite=None so that I can use this to revert the behaviour of Chrome to sending cookies on cross-domain requests?
Re: 7.0.97 still in Nexus
On Thu, 21.11.2019 at 11:27, Mark Thomas wrote: > > Can we drop this RC from Nexus? Dropped. Thanks for noting this, Violeta
Nexus: Staging Repository Dropped
Message from: https://repository.apache.org Deployer properties: "userAgent" = "maven-artifact/2.2.1 (Java 1.7.0_80; Windows 7 6.1)" "userId" = "violetagg" "ip" = "84.242.148.23" Details: The orgapachetomcat-1232 staging repository has been dropped. Action performed by Violeta Georgieva Georgieva (violetagg)
svn commit: r36859 - /dev/tomcat/tomcat-8/v8.5.49/ /release/tomcat/tomcat-8/v8.5.49/
Author: markt Date: Thu Nov 21 09:28:25 2019 New Revision: 36859 Log: Release Apache Tomcat 8.5.49 Added: release/tomcat/tomcat-8/v8.5.49/ - copied from r36858, dev/tomcat/tomcat-8/v8.5.49/ Removed: dev/tomcat/tomcat-8/v8.5.49/
7.0.97 still in Nexus
Can we drop this RC from Nexus? Mark
Nexus: Promotion Completed
Message from: https://repository.apache.org Deployer properties: "userAgent" = "maven-artifact/2.2.1 (Java 1.7.0_80; Windows 7 6.1)" "userId" = "markt" "ip" = "213.121.9.136" Details: The following artifacts have been promoted to the "Releases" [id=releases] repository
Re: Tag Tomcat 7
On 21/11/2019 09:22, Violeta Georgieva wrote: > Hi, > > I'm thinking of preparing Tomcat 7 for a release/vote tomorrow. > Please reply here if you need more time for that release. Cool. I have nothing sat locally that needs to be committed. Mark
Re: [VOTE][RESULT] Release Apache Tomcat 8.5.49
The following votes were cast: Binding: +1: remm, isapir(?), csutherl, markt No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release.
Tag Tomcat 7
Hi, I'm thinking of preparing Tomcat 7 for a release/vote tomorrow. Please reply here if you need more time for that release. Thanks, Violeta
Re: [VOTE] Release Apache Tomcat 8.5.49
On 17/11/2019 19:01, Mark Thomas wrote: > The proposed 8.5.49 release is: > [ ] Broken - do not release > [X] Stable - go ahead and release as 8.5.49 Unit tests pass for NIO, NIO2 and APR/Native (1.2.23) on Linux, Windows and MacOS. Mark
svn commit: r36858 - /dev/tomcat/tomcat-9/v9.0.29/ /release/tomcat/tomcat-9/v9.0.29/
Author: markt Date: Thu Nov 21 09:11:24 2019 New Revision: 36858 Log: Release Apache Tomcat 9.0.29 Added: release/tomcat/tomcat-9/v9.0.29/ - copied from r36857, dev/tomcat/tomcat-9/v9.0.29/ Removed: dev/tomcat/tomcat-9/v9.0.29/
Re: [VOTE][RESULT] Release Apache Tomcat 9.0.29
The following votes were cast: Binding: +1: remm, isapir, csutherl, jfclere, markt Non-binding: +1: michaelo, Jonathan Gallimore No other votes were cast. This vote therefore passes. Thanks to everyone who contributed to this release. Mark
Nexus: Promotion Completed
Message from: https://repository.apache.org Deployer properties: "userAgent" = "maven-artifact/2.2.1 (Java 1.8.0_222; Windows 7 6.1)" "userId" = "markt" "ip" = "213.121.9.136" Details: The following artifacts have been promoted to the "Releases" [id=releases] repository
Re: [VOTE] Release Apache Tomcat 9.0.29
On 16/11/2019 18:56, Mark Thomas wrote: > The proposed 9.0.29 release is: > [ ] Broken - do not release > [X] Stable - go ahead and release as 9.0.29 Tests passed for NIO, NIO2 and APR/native (1.2.23) on Windows, Linux and MacOS. Mark
Re: Using CSRF prevention filter with session-timeout workflow resumption
> All, > > The servlet spec defines the workflow for form-based authentication: > if the client requests a protected resource, an authorization check is > performed. If the user is unauthenticated, the login form is shown. > Successful login allows the user to be sent to the > originally-requested resource. > > This works great to allow users to pick-up workflows where they > left-off in the case of session timeout: once authenticated, the user > is sent back to the page they were trying to get to originally, > including a potential re-POST of form data, for example. > > With the CSRF prevention filter in-place, this then causes an error > (well, CSRF policy violation == forbidden response) because the nonce > originally added to the request's query string no longer matches a > valid nonce on the server. > > This can be considered both good and bad behavior. Good: if handed a > forged nonce from an attacker, the nonce will not be valid if the user > is asked to login. Session-fixation attacks could get an attacker > around this. Bad: it completely and totally breaks workflow-resumption. > > I'm looking for a way around this because I *really* like the fact > that you can resume a workflow after re-authenticating. > > (I happen to be using a 3rd-party authentication and authorization > library implemented as a Filter and I'm having some issues with > getting that working as well, but the problem exists with the stock > Tomcat authenticators.) > > Is there a safe way to implement workflow-resumption in the presence > of the CSRF prevention filter? Or even under *any* CSRF scheme? Use an Origin based protection? Mark
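An Origin-based check, as suggested in the reply above, keeps no per-session state, so its verdict does not depend on a nonce that expired with the session. The following is an added example, not Tomcat code and not from the thread; the class name OriginCheck, its methods and the host app.example.test are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example: stateless Origin/Referer validation for state-changing
 * requests. All names here are hypothetical; this is not part of Tomcat.
 */
public class OriginCheck {

    // Methods that must not change state are let through without a check.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));

    private final Set<String> trustedOrigins = new HashSet<>();

    public OriginCheck(String... trusted) {
        for (String t : trusted) {
            String n = normalize(t);
            if (n == null) {
                throw new IllegalArgumentException("Bad trusted origin: " + t);
            }
            trustedOrigins.add(n);
        }
    }

    /** Reduces a URL or serialized origin to scheme://host:port, or null if unusable. */
    static String normalize(String value) {
        // Browsers send the literal string "null" for opaque origins.
        if (value == null || value.isEmpty() || "null".equals(value)) {
            return null;
        }
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return null;
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            if (port == -1) {
                // Fill in the default port so ":443" and no port compare equal.
                if ("https".equals(scheme)) {
                    port = 443;
                } else if ("http".equals(scheme)) {
                    port = 80;
                } else {
                    return null;
                }
            }
            return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Returns true if the request may proceed. */
    public boolean isAllowed(String method, String originHeader, String refererHeader) {
        if (SAFE_METHODS.contains(method)) {
            return true;
        }
        // If Origin is present it decides; Referer is only a fallback for
        // clients that send no Origin header at all.
        String source = (originHeader != null)
                ? normalize(originHeader)
                : normalize(refererHeader);
        // Exact match on the parsed origin, never a prefix or substring test.
        return source != null && trustedOrigins.contains(source);
    }

    public static void main(String[] args) {
        OriginCheck check = new OriginCheck("https://app.example.test");
        // Constructed sample requests: method, Origin, Referer, expected verdict.
        Object[][] cases = {
            {"GET", null, null, true},
            {"POST", "https://app.example.test", null, true},
            {"POST", "https://APP.example.test:443", null, true},
            {"POST", "https://evil.example.test", "https://app.example.test/form", false},
            {"POST", null, "https://app.example.test/form?step=2", true},
            {"POST", null, "https://app.example.test.evil.test/form", false},
            {"POST", "null", null, false},
            {"POST", null, null, false},
        };
        for (Object[] c : cases) {
            boolean got = check.isAllowed((String) c[0], (String) c[1], (String) c[2]);
            if (got != (Boolean) c[3]) {
                throw new AssertionError("Unexpected verdict for " + Arrays.toString(c));
            }
            System.out.printf("%-5s origin=%-32s referer=%-42s -> %s%n",
                    c[0], c[1], c[2], got ? "allow" : "reject (403)");
        }
    }
}
```

In a servlet Filter the three arguments would come from request.getMethod(), request.getHeader("Origin") and request.getHeader("Referer"), with a 403 response when the method returns false.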
Re: Bundling of localized messages
> Mark, > > On 11/19/19 07:08, Mark Thomas wrote: >> > >>> Is there a particular reason (a) the translations are in a >>> separate JAR file - i.e. not in catalina.jar and (b) they are >>> separated by language? Perhaps the thought was that, knowing that >>> you don't need e.g. Korean means you can remove the JAR file from >>> some kind of bare-bones distribution. > >> Essentially, yes. The intention was to make it easy to use the >> default English text if users didn't need / didn't want the >> translations. > >>> For SSI, at least, I think it makes sense to bundle all the i18n >>> files together in the same JAR file. I'm using the macro >>> to build my JAR file which explicitly >>> LocalStrings_*.properties from whatever JAR file is being built. >>> I'd need to change the way that the SSI JAR file is built in >>> order to achieve this. But before doing so, I wanted to get >>> consensus on what to do with these files. > >> Have you removed all the other dependencies? FastHttpDateFormat, >> StringManager, JULI, IOTools etc? > > No, I haven't. I figured this would turn into a bit of a rat hole so I > wanted to discuss before doing anything. > > This is just a first step towards being able to separate SSI. If SSI > isn't required, the JAR file can be removed from the distribution and > the only sloppiness will be that the localized strings will remain in > other JAR files. I think that is a reasonable first step. > But for the future, if SSI were indeed able to be separated-out into a > standalone product (with obvious dependencies), this would need to be > resolved. It's fine to kick the can down the road a bit on this > decision and/or action, but I wanted to bring it up before I committed > anything. I'd lean towards kicking the can down the road. Mark
[tomcat] branch master updated: Default maxConnections to 8192 for all connectors
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 34a4b06 Default maxConnections to 8192 for all connectors 34a4b06 is described below commit 34a4b06dc0274bb9f72f02ae025239fa63570c27 Author: remm AuthorDate: Thu Nov 21 09:25:54 2019 +0100 Default maxConnections to 8192 for all connectors NIOx were using 10k as the maxConnections default, and APR was using 8192. Harmonize all connectors down to 8192 since it's almost the same and is easier to explain in the docs. --- java/org/apache/tomcat/util/net/AbstractEndpoint.java | 5 ++--- java/org/apache/tomcat/util/net/AprEndpoint.java | 3 --- webapps/docs/changelog.xml| 4 webapps/docs/config/ajp.xml | 5 ++--- webapps/docs/config/http.xml | 5 ++--- 5 files changed, 10 insertions(+), 12 deletions(-) diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java index 12b8a25..db9fa70 100644 --- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java +++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java @@ -455,7 +455,7 @@ public abstract class AbstractEndpoint { public int getAcceptorThreadPriority() { return acceptorThreadPriority; } -private int maxConnections = 1; +private int maxConnections = 8*1024; public void setMaxConnections(int maxCon) { this.maxConnections = maxCon; LimitLatch latch = this.connectionLimitLatch; @@ -470,8 +470,7 @@ public abstract class AbstractEndpoint { initializeConnectionLatch(); } } - -public int getMaxConnections() { return this.maxConnections; } +public int getMaxConnections() { return this.maxConnections; } /** * Return the current count of connections handled by this endpoint, if the diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java index 31b811b..f34ccf3 100644 
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java @@ -111,9 +111,6 @@ public class AprEndpoint extends AbstractEndpoint implements SNICallB // Constructor public AprEndpoint() { -// Need to override the default for maxConnections to align it with what -// was pollerSize (before the two were merged) -setMaxConnections(8 * 1024); // Asynchronous IO has significantly lower performance with APR: // - no IO vectoring // - mandatory use of direct buffers forces output buffering diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 08ec5a0..7b66046 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -51,6 +51,10 @@ Fix endpoint closeSocket and destroySocket discrepancies, in particular in the APR connector. (remm) + +Harmonize maxConnections default value to 8192 across all connectors. +(remm) + diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index 137c6e7..c70af91 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -376,9 +376,8 @@ falls below maxConnections at which point the server will start accepting and processing new connections again. Note that once the limit has been reached, the operating system may still accept connections - based on the acceptCount setting. The default value varies by - connector type. For NIO and NIO2 the default is 1. - For APR/native, the default is 8192. + based on the acceptCount setting. The default value + is 8192. For NIO/NIO2 only, setting the value to -1, will disable the maxConnections feature and connections will not be counted. diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 0747de7..0f95e65 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml 
@@ -448,9 +448,8 @@ falls below maxConnections at which point the server will start accepting and processing new connections again. Note that once the limit has been reached, the operating system may still accept connections - based on the acceptCount setting. The default value varies by - connector type. For NIO and NIO2 the default is 1. - For APR/native, the default is 8192. + based on the acceptCount setting. The default value + is 8192. For NIO/NIO2 only, setting the value to -1, will disable the maxConnections feature and connections will not be counted.
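Review bot: In the first AbstractEndpoint.java hunk (@@ -455,7 +455,7 @@), the new default "private int maxConnections = 8*1024;" is an unexplained literal. The only explanation of where 8192 comes from was the AprEndpoint constructor comment that this patch deletes, so a short comment on the field or a named constant would keep the rationale next to the value. Writing it as "8 * 1024" would also match the spacing of the removed "setMaxConnections(8 * 1024);" line.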
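Review bot: The second AbstractEndpoint.java hunk (@@ -470,8 +470,7 @@) only removes the blank line before getMaxConnections() and re-emits the getter, which is whitespace churn unrelated to the default change. It also leaves the getter directly against the closing brace of setMaxConnections(). Keep the separating blank line or drop this hunk from the commit.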
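Review bot: The changelog.xml entry "Harmonize maxConnections default value to 8192 across all connectors." does not say that this lowers the default for NIO and NIO2, which the commit message gives as the actual change. maxConnections caps how many connections a connector will accept and process, so deployments that relied on the previous NIO/NIO2 default get a lower limit after upgrading unless they set the attribute explicitly. Name the affected connectors and the previous value in the entry so operators can spot the change.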
[Bug 63943] Add possibility to overwrite remote port with information from header value
https://bz.apache.org/bugzilla/show_bug.cgi?id=63943

--- Comment #5 from Mark Thomas ---
(In reply to George Stanchev from comment #4)
> According to [1] it is "x-forwarded-port"

No, that is the port on the proxy that the client connected to (already supported). The enhancement request is for the port that the client connected from.