Re: web.xml processing order of directives - filter vs security-constraint
I should add that the IP restriction is applied via filter, not with a tomcat Valve.

Essentially the question breaks down to this: Is it possible in any way for a filter to be applied before the evaluation of the security-constraint? Or is there any other way of setting up an IP filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco

On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz hid...@falco.me wrote:

> All,
>
> I am trying to set up the jmx proxy servlet and am kinda stuck on security. I would like to:
> - restrict access to localhost
> - restrict access to require basic authentication
>
> Currently it works, though in the wrong order. This is how the request is being processed right now:
> 1) user accesses /infra/jmx
> 2) user has to authenticate
> 3) user is being denied
>
> Is it possible to switch step 2 and 3?
>
> Relevant parts of web.xml, webapp is called infra:
>
>     <servlet>
>         <servlet-name>JMXProxy</servlet-name>
>         <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>JMXProxy</servlet-name>
>         <url-pattern>/jmx/*</url-pattern>
>     </servlet-mapping>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>JMX Proxy interface</web-resource-name>
>             <url-pattern>/jmx/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>jmx</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>JMX Proxy</realm-name>
>     </login-config>
>     <security-role>
>         <description>
>             The role that is required to access the JMX Proxy
>         </description>
>         <role-name>jmx</role-name>
>     </security-role>
Re: web.xml processing order of directives - filter vs security-constraint
On 5 July 2014 08:41:52 BST, Falco Schwarz hid...@falco.me wrote:

> I should add that the IP restriction is applied via filter, not with a tomcat Valve.
>
> Essentially the question breaks down to this: Is it possible in any way for a filter to be applied before the evaluation of the security-constraint?

No.

> Or is there any other way of setting up an IP filter combined with authentication given the order from above?

Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.

Mark

> Any hint for the right direction would be greatly appreciated.
>
> Thanks,
> Falco
>
> On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz hid...@falco.me wrote:
>
> > All,
> >
> > I am trying to set up the jmx proxy servlet and am kinda stuck on security. I would like to:
> > - restrict access to localhost
> > - restrict access to require basic authentication
> >
> > Currently it works, though in the wrong order. This is how the request is being processed right now:
> > 1) user accesses /infra/jmx
> > 2) user has to authenticate
> > 3) user is being denied
> >
> > Is it possible to switch step 2 and 3?
> >
> > Relevant parts of web.xml, webapp is called infra:
> >
> >     <servlet>
> >         <servlet-name>JMXProxy</servlet-name>
> >         <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
> >     </servlet>
> >     <servlet-mapping>
> >         <servlet-name>JMXProxy</servlet-name>
> >         <url-pattern>/jmx/*</url-pattern>
> >     </servlet-mapping>
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>JMX Proxy interface</web-resource-name>
> >             <url-pattern>/jmx/*</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>jmx</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >     <login-config>
> >         <auth-method>BASIC</auth-method>
> >         <realm-name>JMX Proxy</realm-name>
> >     </login-config>
> >     <security-role>
> >         <description>
> >             The role that is required to access the JMX Proxy
> >         </description>
> >         <role-name>jmx</role-name>
> >     </security-role>

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Host appBase vs Context docBase
Normally, we configure docBase when we want the application to be resided on a separate directory and not inside tomcat. So, when you use docBase I don't think you need to configure host/appbase as well.

Appbase folders go under tomcat directory parallel to default appbase webapps. Each appbase is mapped to a particular host so we configure more than one appbases when we want to have applications running under different hosts deployed in the same tomcat.

On Jul 5, 2014 7:35 AM, Igal @ getRailo.org i...@getrailo.org wrote:

> I'm a little confused about the Host appBase attribute.
>
> Let's say that my website resides in D:\www\site1
>
> I don't like using {Tomcat}/webapps so I don't want to have it as a base directory for websites.
>
> What I've been doing so far is create an empty folder alongside webapps, named empty, and use it as appBase, e.g.
>
>     <Host name="Site1" appBase="empty" unpackWARs="false" autoDeploy="false">
>         <!-- this works but what's the deal with appBase? !-->
>         <Context path="/" docBase="D:/www/site1" />
>     </Host>
>
> But it feels like I'm doing something wrong. I expect this to work, but it doesn't:
>
>     <Host name="Site1" appBase="D:/www/site1" unpackWARs="false" autoDeploy="false">
>         <!-- this doesn't work !-->
>     </Host>
>
> Can anyone explain why the snippet above doesn't work, and if that is the way it should be, then what is the purpose of Host/appBase?
>
> TIA
>
> --
> Igal Sapir
> Railo Core Developer
> http://getRailo.org/
Re: web.xml processing order of directives - filter vs security-constraint
2014-07-05 11:41 GMT+04:00 Falco Schwarz hid...@falco.me:

> I should add that the IP restriction is applied via filter, not with a tomcat Valve.
>
> Essentially the question breaks down to this: Is it possible in any way for a filter to be applied before the evaluation of the security-constraint? Or is there any other way of setting up an IP filter combined with authentication given the order from above?

No. A security-constraint is applied before the request reaches a web application.

You can either perform IP filtering in a Valve (that will be in the pipeline before an Authenticator), or you can remove security-constraint and implement authentication and authorization in a filter (such as Security Filter, or using Spring Security framework).

http://wiki.apache.org/tomcat/AddOns#Filters

Best regards,
Konstantin Kolinko
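The Valve option from the reply above, as an added example that is not part of the original thread: a context descriptor for the infra webapp that rejects non-local clients before the BASIC authenticator runs. The file location (META-INF/context.xml inside the webapp) and the allow pattern are assumptions; the security-constraint and login-config in web.xml stay as posted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, assumed location: infra/META-INF/context.xml

  Resulting order for a request to /infra/jmx:
    1) RemoteAddrValve checks the client address; anything not matching
       "allow" is rejected with 403 and never sees a login prompt
    2) the Authenticator enforces the security-constraint from web.xml
       (BASIC auth, role "jmx")
    3) JMXProxyServlet handles the request

  A Valve inside <Context> covers the whole webapp, not only /jmx/*,
  so this fits a webapp that exists only to expose the JMX proxy.
-->
<Context>
    <!-- "allow" is a regular expression matched against the remote address;
         this pattern covers IPv4 loopback and both spellings of IPv6 loopback -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

If Tomcat sits behind a reverse proxy on the same host, every request arrives from the loopback address and this check no longer distinguishes clients.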
Re: Problem with Transfer-Encoding
2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com:

> Hello,
>
> summary of my Problem:
> When a client POSTs Transfer-Encoding data using browser, my server is not processing the request character encoding properly.
>
> I send the following request:
>
>     Content-Type        text/html;charset=UTF-8
>     Date                Sat, 05 Jul 2014 05:10:09 GMT
>     Server              Apache-Coyote/1.1
>     Transfer-Encoding   chunked
>
> *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana*
>
> Full details:
> My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box.
>
> Below response is changed once it's reach to my controller
>
> *ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana*
>
> I have below configuration in server.xml
>
>     <Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" maxPostSize="5242880" maxParameterCount="25000"/>
>     <Connector port="443" protocol="HTTP/1.1" scheme="https" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/javascript,text/css,application/javascript,application/json" URIEncoding="UTF-8" />
>
> and in my catalina.sh
>
>     set JAVA_OPTS=-Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8

(...)

As a sanity check:

1) That "I send the following request" listing looks more like a response, not a request. (E.g. the "Server Apache-Coyote/1.1" header makes no sense in a request). So you are lying somewhere. There is no point for me to try guessing what you are doing.

You may have confused reading with writing somewhere, and without source code one cannot verify your words.

You have to provide a step-by-step instruction and enough source code so that a person who is not familiar with your system were able to reproduce your problem.

2) Content-Type says text/html, but that line of text is not a valid HTML document.

Best regards,
Konstantin Kolinko
Re: Problem with Transfer-Encoding
Konstantin Kolinko wrote:

> 2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com:
>
> > Hello,
> >
> > summary of my Problem:
> > When a client POSTs Transfer-Encoding data using browser, my server is not processing the request character encoding properly.
> >
> > I send the following request:
> >
> >     Content-Type        text/html;charset=UTF-8
> >     Date                Sat, 05 Jul 2014 05:10:09 GMT
> >     Server              Apache-Coyote/1.1
> >     Transfer-Encoding   chunked
> >
> > *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana*
> >
> > Full details:
> > My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box.
> >
> > Below response is changed once it's reach to my controller
> >
> > *ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana*
> >
> > I have below configuration in server.xml
> >
> >     <Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" maxPostSize="5242880" maxParameterCount="25000"/>
> >     <Connector port="443" protocol="HTTP/1.1" scheme="https" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/javascript,text/css,application/javascript,application/json" URIEncoding="UTF-8" />
> >
> > and in my catalina.sh
> >
> >     set JAVA_OPTS=-Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8
>
> (...)
>
> As a sanity check:
>
> 1) That "I send the following request" listing looks more like a response, not a request. (E.g. the "Server Apache-Coyote/1.1" header makes no sense in a request). So you are lying somewhere. There is no point for me to try guessing what you are doing.
>
> You may have confused reading with writing somewhere, and without source code one cannot verify your words.
>
> You have to provide a step-by-step instruction and enough source code so that a person who is not familiar with your system were able to reproduce your problem.
>
> 2) Content-Type says text/html, but that line of text is not a valid HTML document.

+1

Character encoding/decoding issues are hell to debug as it is, because they are like quantum physics : even looking at them can change them.(*)

So you need to provide *accurate* and raw information, otherwise it is just a loss of time for everyone.

Use a browser plugin like HttpFox, LiveHttpHeaders, HttpFox or similar to monitor the requests being sent and responses being received, at the browser level. All these plugins allow you to selectively dump requests/responses to a file. Do that.

Also, check in your browser that when you receive a response page back from the server, your browser is really seeing this response in the proper character set (use View.. Character encoding..).

Transfer Encoding has nothing to do with the *character encoding* of either the request or the response.

The little imprecise data that the OP provided above /suggests/ that there is some double encoding taking place /somewhere/, but so far it could as well be in the email client that he used to post to the list, as anywhere else.

(*) with the wrong editor, or the wrong locale e.g.
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas m...@homeinbox.net wrote:

> Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.
>
> Mark

Thanks Mark and Konstantin for your quick replies.

I tried to accomplish this only using Spring Security and I also got kinda stuck with the processing ordering. It is possible to use expressions like:

    <security:http>
        <security:intercept-url pattern="/**" access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
        <security:http-basic />
    </security:http>

... but yet again, because of the http-basic tag, the user is always presented with an authentication instead of being denied.

In the end I found a solution which suits my needs: combining the RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter always prevents access if the client is not localhost. If the client is localhost then Spring Security kicks in and finally authenticates the User.

Quite complicated for such a simple task and I really did not expect to find so little information regarding such an issue on the internet. From a systems administrator perspective there is no way I would present a login form first and then deny via ip filters, but I guess that is just how the servlet spec is defined.

Anyway, thanks again and keep up the good work.

Falco
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 9:00 AM, Falco Schwarz hid...@falco.me wrote:

> In the end I found a solution which suits my needs: combining the RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter always prevents access if the client is not localhost.

(Sorry, late to the thread but ...) if you just want to restrict access to a resource to localhost, why not os-level e.g. an iptables rule?

FWIW,
--
Hassan Schroeder hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
Re: Problem with Transfer-Encoding
Dear User

Thanks for your input. I just debugged using HttpFox here is below you find header

    (Request-Line)    POST /test/testUserEditAction.do?dojoIframeSend=true HTTP/1.1
    Host              **
    User-Agent        Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0
    Accept            text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language   en-US,en;q=0.5
    Accept-Encoding   gzip, deflate
    Referer           https://s Action.do?action=loginflashVersion=9.0.47.0hasCorrectFlashVersion=falseproduct=xyz
    Cookie            JSESSIONID=**; doNotShowStartupOnLoad=true
    Connection        keep-alive
    Content-Type      multipart/form-data; boundary=---***
    Content-Length    4039

In Post body

    -1550434539176507601876254213
    Content-Disposition: form-data; name="disclaimerText"

    ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana
    -1550434539176507601876254213

I believe post data got changed before reaching to server. Do you have any ideas what's wrong here, where the error might be?

On Sat, Jul 5, 2014 at 9:08 PM, André Warnier a...@ice-sa.com wrote:

> Konstantin Kolinko wrote:
>
> > 2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com:
> >
> > > Hello,
> > >
> > > summary of my Problem:
> > > When a client POSTs Transfer-Encoding data using browser, my server is not processing the request character encoding properly.
> > >
> > > I send the following request:
> > >
> > >     Content-Type        text/html;charset=UTF-8
> > >     Date                Sat, 05 Jul 2014 05:10:09 GMT
> > >     Server              Apache-Coyote/1.1
> > >     Transfer-Encoding   chunked
> > >
> > > *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana*
> > >
> > > Full details:
> > > My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box.
> > >
> > > Below response is changed once it's reach to my controller
> > >
> > > *ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana*
> > >
> > > I have below configuration in server.xml
> > >
> > >     <Connector port="80" protocol="HTTP/1.1" connectionTimeout="2" maxPostSize="5242880" maxParameterCount="25000"/>
> > >     <Connector port="443" protocol="HTTP/1.1" scheme="https" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/javascript,text/css,application/javascript,application/json" URIEncoding="UTF-8" />
> > >
> > > and in my catalina.sh
> > >
> > >     set JAVA_OPTS=-Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8
> >
> > (...)
> >
> > As a sanity check:
> >
> > 1) That "I send the following request" listing looks more like a response, not a request. (E.g. the "Server Apache-Coyote/1.1" header makes no sense in a request). So you are lying somewhere. There is no point for me to try guessing what you are doing.
> >
> > You may have confused reading with writing somewhere, and without source code one cannot verify your words.
> >
> > You have to provide a step-by-step instruction and enough source code so that a person who is not familiar with your system were able to reproduce your problem.
> >
> > 2) Content-Type says text/html, but that line of text is not a valid HTML document.
>
> +1
>
> Character encoding/decoding issues are hell to debug as it is, because they are like quantum physics : even looking at them can change them.(*)
>
> So you need to provide *accurate* and raw information, otherwise it is just a loss of time for everyone.
>
> Use a browser plugin like HttpFox, LiveHttpHeaders, HttpFox or similar to monitor the requests being sent and responses being received, at the browser level. All these plugins allow you to selectively dump requests/responses to a file. Do that.
>
> Also, check in your browser that when you receive a response page back from the server, your browser is really seeing this response in the proper character set (use View.. Character encoding..).
>
> Transfer Encoding has nothing to do with the *character encoding* of either the request or the response.
>
> The little imprecise data that the OP provided above /suggests/ that there is some double encoding taking place /somewhere/, but so far it could as well be in the email client that he used to post to the list, as anywhere else.
>
> (*) with the wrong editor, or the wrong locale e.g.
Re: Host appBase vs Context docBase
On 7/4/2014 9:04 PM, Igal @ getRailo.org wrote:

> I'm a little confused about the Host appBase attribute.
>
> Let's say that my website resides in D:\www\site1
>
> I don't like using {Tomcat}/webapps so I don't want to have it as a base directory for websites.
>
> What I've been doing so far is create an empty folder alongside webapps, named empty, and use it as appBase, e.g.
>
>     <Host name="Site1" appBase="empty" unpackWARs="false" autoDeploy="false">
>         <!-- this works but what's the deal with appBase? !-->
>         <Context path="/" docBase="D:/www/site1" />
>     </Host>
>
> But it feels like I'm doing something wrong. I expect this to work, but it doesn't:
>
>     <Host name="Site1" appBase="D:/www/site1" unpackWARs="false" autoDeploy="false">
>         <!-- this doesn't work !-->
>     </Host>
>
> Can anyone explain why the snippet above doesn't work, and if that is the way it should be, then what is the purpose of Host/appBase?
>
> TIA

Hi, Igal-

What version of Tomcat are you using?

Also, it is recommended that Context elements not be placed directly in server.xml. See:

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context

That said, you shouldn't need the empty directory. I've used an absolute path for the Host appBase attribute with relative paths for Context docBase attributes in Tomcat 6 and 7 without any problems. I haven't tried it with absolute paths for both appBase and docBase.

Lastly, are you sure you want "/" for the Context path attribute in the first example above? The Context path for the default web application of a Host should be an empty string (""). See:

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes

-Terence Bandoian
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder hassan.schroe...@gmail.com wrote:

> (Sorry, late to the thread but ...) if you just want to restrict access to a resource to localhost, why not os-level e.g. an iptables rule?

Well, the reason behind the restriction is that I would like to use tomcats jmxproxy for our production systems, as our current monitoring solution is quite limited. Therefore I am planning to deploy an additional webapp to each tomcat.

I would also restrict the access to our real web applications if I would restrict the whole connector.
Re: Host appBase vs Context docBase
> Normally, we configure docBase when we want the application to be resided on a separate directory and not inside tomcat

that's exactly what I'm trying to do

> when you use docBase I don't think you need to configure host/appbase as well

if I don't use host/appBase then webapps is set as default, and then if a document that exists in webapps is requested, e.g. /index.jsp and it does not exist in my application directory, then it is served from webapps, which is something that I really don't want to happen.

sure, I can clear the contents of the webapps folder instead of creating the empty folder, but not sure I want to do that either.

On 7/5/2014 3:49 AM, Neeraj Sinha wrote:

> Normally, we configure docBase when we want the application to be resided on a separate directory and not inside tomcat. So, when you use docBase I don't think you need to configure host/appbase as well.
>
> Appbase folders go under tomcat directory parallel to default appbase webapps. Each appbase is mapped to a particular host so we configure more than one appbases when we want to have applications running under different hosts deployed in the same tomcat.
>
> On Jul 5, 2014 7:35 AM, Igal @ getRailo.org i...@getrailo.org wrote:
>
> > I'm a little confused about the Host appBase attribute.
> >
> > Let's say that my website resides in D:\www\site1
> >
> > I don't like using {Tomcat}/webapps so I don't want to have it as a base directory for websites.
> >
> > What I've been doing so far is create an empty folder alongside webapps, named empty, and use it as appBase, e.g.
> >
> >     <Host name="Site1" appBase="empty" unpackWARs="false" autoDeploy="false">
> >         <!-- this works but what's the deal with appBase? !-->
> >         <Context path="/" docBase="D:/www/site1" />
> >     </Host>
> >
> > But it feels like I'm doing something wrong. I expect this to work, but it doesn't:
> >
> >     <Host name="Site1" appBase="D:/www/site1" unpackWARs="false" autoDeploy="false">
> >         <!-- this doesn't work !-->
> >     </Host>
> >
> > Can anyone explain why the snippet above doesn't work, and if that is the way it should be, then what is the purpose of Host/appBase?
> >
> > TIA
> >
> > --
> > Igal Sapir
> > Railo Core Developer
> > http://getRailo.org/

--
Igal Sapir
Railo Core Developer
http://getRailo.org/
Re: Host appBase vs Context docBase
> What version of Tomcat are you using?

I've been using Tomcat 6 and 7 for a while, and now running Tomcat 8.

> it is recommended that Context elements not be placed directly in server.xml

I know, but it is much easier for me to edit a single file, server.xml then deploy all the other files. I'm looking to keep the deployment process as simple as possible.

> you shouldn't need the empty directory. I've used an absolute path for the Host appBase attribute with relative paths for Context docBase attributes in Tomcat 6 and 7 without any problems.

when I try that then webapps is used by default. if a request is made for a file that exists in webapps, e.g. index.jsp and does not exist in my application's folder, then it is served from webapps and I don't want that.

> are you sure you want "/" for the Context path attribute in the first example above?

it was my understanding that "" and "/" are the same here. "/" reads more clearly to me as the root directory so I prefer to use that.

*after reading your email and testing it, however, I noticed that if I omit the Host/appBase and use an empty-string for the Context/docBase/path it works as intended, so maybe that's what I was doing wrong? is that the best practice?*

    <Host name="Site1" unpackWARs="false" autoDeploy="false">
        <Context path="" docBase="D:/www/site1" />
        <Context path="/virtualdir" docBase="D:/www/shared/virtualdir" />
    </Host>

thank you both for your responses,

Igal

On 7/5/2014 9:48 AM, Terence M. Bandoian wrote:

> On 7/4/2014 9:04 PM, Igal @ getRailo.org wrote:
>
> > I'm a little confused about the Host appBase attribute.
> >
> > Let's say that my website resides in D:\www\site1
> >
> > I don't like using {Tomcat}/webapps so I don't want to have it as a base directory for websites.
> >
> > What I've been doing so far is create an empty folder alongside webapps, named empty, and use it as appBase, e.g.
> >
> >     <Host name="Site1" appBase="empty" unpackWARs="false" autoDeploy="false">
> >         <!-- this works but what's the deal with appBase? !-->
> >         <Context path="/" docBase="D:/www/site1" />
> >     </Host>
> >
> > But it feels like I'm doing something wrong. I expect this to work, but it doesn't:
> >
> >     <Host name="Site1" appBase="D:/www/site1" unpackWARs="false" autoDeploy="false">
> >         <!-- this doesn't work !-->
> >     </Host>
> >
> > Can anyone explain why the snippet above doesn't work, and if that is the way it should be, then what is the purpose of Host/appBase?
> >
> > TIA
>
> Hi, Igal-
>
> What version of Tomcat are you using?
>
> Also, it is recommended that Context elements not be placed directly in server.xml. See:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context
>
> That said, you shouldn't need the empty directory. I've used an absolute path for the Host appBase attribute with relative paths for Context docBase attributes in Tomcat 6 and 7 without any problems. I haven't tried it with absolute paths for both appBase and docBase.
>
> Lastly, are you sure you want "/" for the Context path attribute in the first example above? The Context path for the default web application of a Host should be an empty string (""). See:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes
>
> -Terence Bandoian

--
Igal Sapir
Railo Core Developer
http://getRailo.org/
Re: Problem with Transfer-Encoding
Sushil Prusty wrote:

> Dear User
>
> Thanks for your input.

You're welcome.

First, a foreword : I will try my best to help you, but doing this is very difficult, and doing it via email is even more difficult. I was not kidding when I wrote earlier that even looking at the data may make it change. Of course, that is not really true, but the fact of cutting and pasting this data, from your saved HTTPFox trace into an email that you send to the Tomcat list, and then the Tomcat list server forwarding this to other people in a new email, may again decode and re-encode this data several times, and confuse the situation totally.

So we need to be very, very systematic, and make sure that what we see is really what we get, ok ?

What you should really do, is to save the original HttpFox data to a file, then save that file, then zip that file, then post it somewhere where we can get this zip-file. So that we can download it, unzip it, and then be sure that we are really seeing the same data as you do.

In the meantime, a question :

> I just debugged using HttpFox here is below you find header
>
>     (Request-Line)    POST /test/testUserEditAction.do?dojoIframeSend=true

The above request line is triggered by something. By what ? Is that a link or button on a HTML page which is currently loaded in your browser ?

If yes, then before you actually click this link, can you in your browser use the View..Character set function, and tells us what the browser thinks about the current page loaded in the browser, before you even send this request to the server ?

The reason why I am asking, is that this is the character set which the browser will most probably use to encode the text data that it sends to the server (when you click the link).

Then see the note below, in the text.

>     HTTP/1.1
>     Host              **
>     User-Agent        Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0
>     Accept            text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>     Accept-Language   en-US,en;q=0.5
>     Accept-Encoding   gzip, deflate
>     Referer           https://s Action.do?action=loginflashVersion=9.0.47.0hasCorrectFlashVersion=falseproduct=xyz
>     Cookie            JSESSIONID=**; doNotShowStartupOnLoad=true
>     Connection        keep-alive
>     Content-Type      multipart/form-data; boundary=---***
>     Content-Length    4039
>
> In Post body
>
>     -1550434539176507601876254213
>     Content-Disposition: form-data; name="disclaimerText"
>
>     ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana

The line above may or may not have been further corrupted (compared to the original that you see), by the simple fact of copying this text into your email. But assuming for a moment that it was not, and that it really is what it looks like above, there is some kind of a problem :

(You'll have to follow carefully here)

If I take the original text line which you posted in your first message :

Zażółć gęślą jaźń! ta funkcjonalność nie jest wspierana*

and I imagine that internally, this is encoded as UTF-8;

Then if I look at that same series of UTF-8 characters, but now examine the *bytes* that compose these characters and view them in ASCII, I should see this :

Zażółć gęślÄ… jaźń! ta funkcjonalność nie jest wspierana*

But if you compare this carefully, with the string as it appears in your HttpFox trace, you will see that it does not match exactly. For example, look at the last 2 letters of the word funkcjonalność, in both versions.

So there appears to be some discrepancy between the character set which your browser is really using (to send data to the server), and the UTF-8 that your server seems to expect.

Furthermore (and put this on account of my suspicious nature if you want) : The second part of that message, in Polish, means : This functionality is not supported. Which triggers the question : what kind of HTML page would be sending this phrase, as part of the data, in a POST to a server ? Can you give us some context as to what you are trying to do here ?

>     -1550434539176507601876254213
>
> I believe post data got changed before reaching to server. Do you have any ideas what's wrong here, where the error might be?
>
> On Sat, Jul 5, 2014 at 9:08 PM, André Warnier a...@ice-sa.com wrote:
>
> > Konstantin Kolinko wrote:
> >
> > > 2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com:
> > >
> > > > Hello,
> > > >
> > > > summary of my Problem:
> > > > When a client POSTs Transfer-Encoding data using browser, my server is not processing the request character encoding properly.
> > > >
> > > > I send the following request:
> > > >
> > > >     Content-Type        text/html;charset=UTF-8
> > > >     Date                Sat, 05 Jul 2014 05:10:09 GMT
> > > >     Server              Apache-Coyote/1.1
> > > >     Transfer-Encoding   chunked
> > > >
> > > > *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana*
> > > >
> > > > Full details:
> > > > My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box.
> > > >
> > > > Below response is changed once it's