Tomcat 8.5.4, Backup Manager and Serializable objects in httpSession

2017-05-29 Thread Jared Walker
Hello,

I have a question about how BackupManager enforces or performs session
replication.

I have added print outs to the serializing methods of an object I'm
binding to the http session.  When I run a simple test (login to the
server, shut it down, then try to refresh) I do not stay logged in.
In looking through my debug output I have noticed the following on the
server that is acting as the backup for session replication:

ClickSession:865 - Session read in:
ClickSession:866 - Session ID: tj8Zu6ANdJdftMJHPAOa/JyTBiY=
ClickSession:867 - Login ID: 1
1249:ClickSession is bound to HttpSession tj8Zu6ANdJdftMJHPAOa/JyTBiY=
by key com.clickfind.http.ClickSession

ClickSession:865 - Session read in:
ClickSession:866 - Session ID: tj8Zu6ANdJdftMJHPAOa/JyTBiY=
ClickSession:867 - Login ID: 18201

ClickSession:865 - Session read in:
ClickSession:866 - Session ID: tj8Zu6ANdJdftMJHPAOa/JyTBiY=
ClickSession:867 - Login ID: 18201

ClickSession:876 - Session write out:
ClickSession:877 - Session ID: tj8Zu6ANdJdftMJHPAOa/JyTBiY=
ClickSession:878 - Login ID: 1

As you can see, initially the session is replicated across with a
guest login (ID=1).  Then there are subsequent messages that indicate
it is receiving updates to the session with an actual login value
(ID=18201).

However, when it goes to replicate the session to another server
(because the primary node was shut down) you can see that it writes
out the original value for the session (ID=1).

How can I ensure that the replication replaces the existing object in
the session attributes?

Thanks,
-Jared

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



QUIC

2017-05-29 Thread Einav Hollander
Hello,

Are there plans to support the QUIC protocol in Apache Tomcat? When?

Thanks,
Einav


Re: Passing client certificate through Nginx to Tomcat SSL Valve

2017-05-29 Thread Mark Thomas
On 29/05/17 17:02, Christopher Schultz wrote:
> Mark,
> 
> On 5/29/17 11:40 AM, Christopher Schultz wrote:
>> Mark,
> 
>> On 6/23/16 7:58 AM, Mark Thomas wrote:
>>> On a related topic, I wonder how tolerant 
>>> CertificateFactory.generateCertificate() is since that will have 
>>> an impact on exactly how smart the SSLValve needs to be.
> 
>> Tested with Oracle Java 1.8.0_121:
> 
>> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
>> * Replacing all newlines with a single space causes an error
>> ("Incomplete data")
>> * Replacing all newlines after the first newline (after --- BEGIN ...
>> ---) works as desired
>> * Removing all whitespace after the initial newline works as desired
> 
>> So a certificate that looks like this:
> 
>> -----BEGIN CERTIFICATE-----
>> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
>> ATACERTDATA..-----END
>> CERTIFICATE-----
> 
>> Is good enough for CertificateFactory (in its current form).
> 
>> We may be able to get away with just a single whitespace ->
>> newline character conversion, instead of completely restoring the 
>> 64-character-wrapped PEM-encoded certificate.
> 
> Furthermore, CertificateFactory does not complain if there is an
> additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
> rest of the certificate.
> 
> That means that, theoretically, we could simply write the "BEGIN"
> header, then a newline, then everything that follows it regardless of
> the composition, and CertificateFactory should be able to handle it.

Time to open an enhancement request and add this information?

Mark




Re: trimSpaces removing whitespace from html

2017-05-29 Thread Mark Thomas
On 29/05/17 13:00, Konstantin Kolinko wrote:
> 2017-05-29 11:43 GMT+03:00 Mark Thomas :
>> On 26/05/17 21:33, Christopher Schultz wrote:



>>> Would it be reasonable to change trimSpaces so that spaces within
>>> element attributes would be normalized to a single space, and others
>>> would be removed? I'm not sure how aware the parser is of the
>>> surrounding document structure.
>>
>> The parser is completely unaware. As far as it is concerned, it is just
>> template text. Parsing the template text it is likely impossible since
>> correct parsing depends on evaluating the entire page.
> 
> Aren't EL expressions a part of that template text?

No. You want to work from the EBNF Grammar (section JSP.1.3.10.1) rather
than the text descriptions. It is much more precise.



> Jasper option "trimSpaces" is documented as
> "Should white spaces in template text between actions or directives be
> trimmed ?, default false."
> http://tomcat.apache.org/tomcat-8.5-doc/jasper-howto.html

That is poorly worded. It would be better if it stated that if true, it
effectively forces the trimDirectiveWhitespaces page directive to true
for every page and tag.



> JSP.8.5.1 The tag Directive
> 
> 
> trimDirective-
> Whitespaces
> (optional) Carries the same syntax and semantics of the trim-
> DirectiveWhitespaces attribute of the page directive.
> However, there is no corresponding global configuration
> element in web.xml.
> 
> 
> Thus the global configuration should not apply to tag files at all?

When it uses the word 'global' in this case, it means all JSP files
defined by a  element in web.xml. There is no
equivalent web.xml configuration option for tag files.


When we add this new option, I don't think the new value should override
an explicit per page or per tag directive to remove whitespace completely.

Mark




Re: Passing client certificate through Nginx to Tomcat SSL Valve

2017-05-29 Thread Christopher Schultz

Mark,

On 5/29/17 11:40 AM, Christopher Schultz wrote:
> Mark,
> 
> On 6/23/16 7:58 AM, Mark Thomas wrote:
>> On a related topic, I wonder how tolerant 
>> CertificateFactory.generateCertificate() is since that will have 
>> an impact on exactly how smart the SSLValve needs to be.
> 
> Tested with Oracle Java 1.8.0_121:
> 
> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
> * Replacing all newlines with a single space causes an error
> ("Incomplete data")
> * Replacing all newlines after the first newline (after --- BEGIN ...
> ---) works as desired
> * Removing all whitespace after the initial newline works as desired
> 
> So a certificate that looks like this:
> 
> -----BEGIN CERTIFICATE-----
> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
> ATACERTDATA..-----END
> CERTIFICATE-----
> 
> Is good enough for CertificateFactory (in its current form).
> 
> We may be able to get away with just a single whitespace ->
> newline character conversion, instead of completely restoring the 
> 64-character-wrapped PEM-encoded certificate.

Furthermore, CertificateFactory does not complain if there is an
additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
rest of the certificate.

That means that, theoretically, we could simply write the "BEGIN"
header, then a newline, then everything that follows it regardless of
the composition, and CertificateFactory should be able to handle it.

-chris




Re: Considering @serverEndPoint url for routing the request , if the request is of ws:// type

2017-05-29 Thread Bhuvan Gupta
Mark,

>>Explicitly declare Tomcat's WebSocket filter and ensure it is the first
filter in the processing chain.
Can you please give a sample of how to create such a filter.

I looked into the documentation, but can't find it.

On Sun, May 28, 2017 at 3:44 PM, Mark Thomas  wrote:

> On 28 May 2017 10:09:03 BST, Bhuvan Gupta  wrote:
> >Hello,
> >
> >
> >
> >I create a sample webapp using servlets and http, which work fine and
> >the
> >web.xml looks like
> >
> >
> ><filter>
> >  <filter-name>guiceFilter</filter-name>
> >  <filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
> ></filter>
> ><filter-mapping>
> >  <filter-name>guiceFilter</filter-name>
> >  <url-pattern>/*</url-pattern>
> ></filter-mapping>
> >
> >Now i want to add few @ServerEndPoint class to use websocket. So i
> >added a
> >class and added @ServerEndpoint(value = "/websocket/chat") on that
> >class.
> >
> >Now i expected that when i use websocket client and use
> >ws://localhost:8080/app/websocket/chat to connect it should work but it
> >does
> >not as i already have a /* filter which redirect request to
> >guiceFilter.
> >
> >*If i comment the filter it works fine.*
> >--
> >
> >*Question:*
> >
> >How can i tell tomcat to first consider serverEndPoint url for routing
> >the
> >request before matching the filter url patterns ?
>
> Explicitly declare Tomcat's WebSocket filter and ensure it is the first
> filter in the processing chain.
>
> Mark
>
>
>
>
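One concrete web.xml ordering in the direction Mark describes, added here as an example (it is not from the thread or from the Tomcat documentation). The filter names are arbitrary; `org.apache.tomcat.websocket.server.WsFilter` is the class Tomcat registers for its JSR-356 support, and the order of the filter chain follows the order of the `filter-mapping` elements, not of the `filter` declarations.

```xml
<!-- Added example web.xml excerpt: the WebSocket filter is mapped first, so a
     ws:// upgrade request to a @ServerEndpoint is handled before guiceFilter
     sees it; ordinary HTTP requests fall through to guiceFilter as before. -->
<filter>
    <filter-name>wsFilter</filter-name>
    <filter-class>org.apache.tomcat.websocket.server.WsFilter</filter-class>
</filter>
<filter>
    <filter-name>guiceFilter</filter-name>
    <filter-class>com.google.inject.servlet.GuiceFilter</filter-class>
</filter>

<!-- Chain order is the order of the filter-mapping elements below. -->
<filter-mapping>
    <filter-name>wsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>guiceFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Keeping the WebSocket mapping first means the upgrade is decided by Tomcat's own filter rather than by whatever the application's catch-all filter does with an unfamiliar request, which is also the easier behaviour to reason about when reviewing which filters a given URL passes through.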


Re: Passing client certificate through Nginx to Tomcat SSL Valve

2017-05-29 Thread Christopher Schultz

Mark,

On 6/23/16 7:58 AM, Mark Thomas wrote:
> On a related topic, I wonder how tolerant 
> CertificateFactory.generateCertificate() is since that will have
> an impact on exactly how smart the SSLValve needs to be.

Tested with Oracle Java 1.8.0_121:

* Normal PEM-encoded cert is parsed just fine by CertificateFactory
* Replacing all newlines with a single space causes an error
("Incomplete data")
* Replacing all newlines after the first newline (after --- BEGIN ...
---) works as desired
* Removing all whitespace after the initial newline works as desired

So a certificate that looks like this:

-----BEGIN CERTIFICATE-----
MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
ATACERTDATA..-----END
CERTIFICATE-----

Is good enough for CertificateFactory (in its current form).

We may be able to get away with just a single whitespace -> newline
character conversion, instead of completely restoring the
64-character-wrapped PEM-encoded certificate.

-chris
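The tolerance tests above, together with the follow-up observation that a "BEGIN header, then a newline, then everything else" rebuild is enough for CertificateFactory, suggest the minimal repair a valve can apply once a reverse proxy has collapsed a client certificate onto one header line. The class below is an added example written for this digest; it is neither Tomcat's SSLValve nor Christopher's test code. The class name `PemHeaderNormalizer` and the methods `rebuild` and `parse` are assumptions of the example, and because no real certificate is embedded here it reads the certificate to exercise from a file path given on the command line.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example (not Tomcat code): rebuilds a PEM certificate that a reverse
 * proxy flattened into a single header value, then hands it to CertificateFactory.
 */
public final class PemHeaderNormalizer {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /**
     * The minimal rebuild discussed in the thread: keep the BEGIN header, force
     * exactly one newline after it, and pass the rest through untouched. Spaces
     * instead of newlines inside the Base64 body are tolerated by CertificateFactory
     * according to the tests quoted above; only the missing newline after the
     * header is fatal.
     */
    public static String rebuild(String headerValue) {
        String value = headerValue.trim();
        int begin = value.indexOf(BEGIN);
        int end = value.indexOf(END);
        if (begin < 0 || end < 0 || end < begin + BEGIN.length()) {
            throw new IllegalArgumentException("header does not carry a PEM certificate block");
        }
        String body = value.substring(begin + BEGIN.length(), end).trim();
        return BEGIN + "\n" + body + "\n" + END + "\n";
    }

    /** Parses a PEM string with the JDK's X.509 CertificateFactory. */
    public static X509Certificate parse(String pem) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Usage: java PemHeaderNormalizer client-cert.pem */
    public static void main(String[] args) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);

        // Simulate a proxy that put the whole PEM into one header line: every
        // newline becomes a single space, the variant reported above as failing.
        String flattened = pem.replace("\r", "").replace("\n", " ").trim();
        try {
            parse(flattened);
            System.out.println("flattened value parsed as-is");
        } catch (CertificateException e) {
            System.out.println("flattened value rejected: " + e.getMessage());
        }

        // The rebuilt value only restores the newline after the BEGIN header.
        X509Certificate cert = parse(rebuild(flattened));
        System.out.println("rebuilt value parsed, subject: " + cert.getSubjectX500Principal());
    }
}
```

Whatever rebuild the valve settles on, the certificate header should only be honoured on requests that actually arrived from the reverse proxy (for example by binding the Tomcat connector so that it is not reachable directly); the header is plain request data, and the parsing tolerance discussed here does nothing to establish where it came from.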




Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Christopher Schultz

Mohammad,

On 5/29/17 7:34 AM, Shaik, Mohammad N. wrote:
> Based on your inputs, we are thinking to put Apache httpd in front 
> of Tomcat 6 server, since our header configuration is going to be
> static.

This might not be a bad idea for a number of reasons, but it is by no
means required.

You can download the Tomcat 7 source package and use the security
filters from Tomcat 7[1] in Tomcat 6: there is nothing in there that
actually requires Tomcat 7 to run.

> Can you please help us in identifying which version of Apache HTTP 
> Server we can use for Tomcat 6 version? Also, it will be great if
> you can share some guidelines on how to implement Apache in front
> of Tomcat.
All supported versions of Apache web server work with all supported
versions of Tomcat (as well as Tomcat 6). You have several choices for
how to connect them together, but the most straightforward is to use
mod_proxy_http from httpd to Tomcat. Tomcat behaves exactly as it did
before and requires no additional configuration unless you are moving
TLS termination from Tomcat to httpd. If that's the case, there are
many guides on the web as well as on Tomcat's Presentations Page[2]
that document how to do that.

Hope that helps,
-chris

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
[2] http://tomcat.apache.org/presentations.html




Re: Passing client certificate through Nginx to Tomcat SSL Valve

2017-05-29 Thread Christopher Schultz

Lucas,

On 5/27/17 9:41 AM, Lucas Ventura Carro wrote:
>> On 23/06/2016 12:58, Mark Thomas wrote: Smarter sounds good to
>> me. Why not try and write a patch for this?
> 
> I work faster with github pull-requests :) 
> https://github.com/apache/tomcat80/pull/8

Pull-request == patch0

-chris




Re: trimSpaces removing whitespace from html

2017-05-29 Thread Konstantin Kolinko
2017-05-29 11:43 GMT+03:00 Mark Thomas :
> On 26/05/17 21:33, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/26/17 6:59 AM, Mark Thomas wrote:
>>> On 26/05/17 10:15, David Kavanagh wrote:
>>>> Hey guys,
>>>>
>>>> Thanks for getting back to me. I didn't realise that the
>>>> attachments would be stripped.> Here are the two files in full.
>>
>>> That isn't enough for us to reproduce it. Those files refer to a
>>> handful of other tag files and classes we don't have.
>>
>>> However, I have been able to derive a simple test case from it:
>>
>>> =start== This is a test
>>> ==end===
>>
>>> The output with trimSpaces enabled is:
>>
>>> =start== This is a test
>>> ==end===
>>
>>> trimSpaces is behaving exactly as designed. It removes any blocks
>>> of template text that consist solely of white space.
>>
>>> What you have is: TemplateText [This is a test]
>>
>>> Because the second template text is empty, it gets removed.
>>
>>> The fix is:
>>
>>> =start== This is a
>>> test ==end===
>>
>>> This is a potential use case for a recently closed (as WONTFIX)
>>> enhancement request:
>>
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=45931
>>
>>> Whether this use case is sufficient to justify re-opening that
>>> enhancement request, reviewing the patch and updating it for 9.0.x
>>> is TBD. How realistic is it for you to apply the fix (using ${'
>>> '}) described above?
>>
>> Would it be reasonable to change trimSpaces so that spaces within
>> element attributes would be normalized to a single space, and others
>> would be removed? I'm not sure how aware the parser is of the
>> surrounding document structure.
>
> The parser is completely unaware. As far as it is concerned, it is just
> template text. Parsing the template text it is likely impossible since
> correct parsing depends on evaluating the entire page.

Aren't EL expressions a part of that template text?

=

Reading JSP 2.3 spec, there is

ch. JSP.1.9 Template Text Semantics
says that template text is uninterpreted

but
ch. JSP.2.2 Expressions and Template Text
says that EL can be used in template text.

ch. JSP.10.1.12 Template Text and XML Elements
talks about EL expressions that are a part of template text

From JSP.10.1.12 when mapping JSP pages into XML view,
the template text is mapped into  elements,
preserving EL expressions within the text.

=

The option that controls removal of whitespaces is called
"trimDirectiveWhitespaces".

Option of %@page directive is defined as


Indicates how whitespaces in template text should be
handled. If true, template text that contains only whitespaces
is removed from the output. The default is not to trim
whitespaces. This attribute is useful to remove the
extraneous whitespaces from the end of a directive that is not
followed by template text. The corresponding JSP
configuration element is trim-directive-whitespaces (see
Section JSP.3.3.8, “Removing whitespaces from template
text”). The attribute is ignored by JSP documents (XML
syntax).


Configuration option is defined in
JSP.3.3.8 Removing whitespaces from template text

The example in JSP.3.3.8 shows how whitespace is removed between
directives (<%..., JSP.1.10 Directives),
but there is no example of removing whitespace between EL.

There is also no example whether this option applies to custom tags
(aka JSP.1.13 Actions).

Jasper option "trimSpaces" is documented as
"Should white spaces in template text between actions or directives be
trimmed ?, default false."
http://tomcat.apache.org/tomcat-8.5-doc/jasper-howto.html

=

JSP.8.5.1 The tag Directive


trimDirective-
Whitespaces
(optional) Carries the same syntax and semantics of the trim-
DirectiveWhitespaces attribute of the page directive.
However, there is no corresponding global configuration
element in web.xml.


Thus the global configuration should not apply to tag files at all?

Best regards,
Konstantin Kolinko




Re: trimSpaces removing whitespace from html

2017-05-29 Thread David Kavanagh
Here is the link to the enhancement request.

https://bz.apache.org/bugzilla/show_bug.cgi?id=45931

Thanks

On 29 May 2017 at 13:32, David Kavanagh  wrote:

>
>
> On 29 May 2017 at 10:43, Mark Thomas  wrote:
>
>> On 26/05/17 21:33, Christopher Schultz wrote:
>> > Mark,
>> >
>> > On 5/26/17 6:59 AM, Mark Thomas wrote:
>> >> On 26/05/17 10:15, David Kavanagh wrote:
>> >>> Hey guys,
>> >>>
>> >>> Thanks for getting back to me. I didn't realise that the
>> >>> attachments would be stripped.> Here are the two files in full.
>> >
>> >> That isn't enough for us to reproduce it. Those files refer to a
>> >> handful of other tag files and classes we don't have.
>> >
>> >> However, I have been able to derive a simple test case from it:
>> >
>> >> =start== This is a test
>> >> ==end===
>> >
>> >> The output with trimSpaces enabled is:
>> >
>> >> =start== This is a test
>> >> ==end===
>> >
>> >> trimSpaces is behaving exactly as designed. It removes any blocks
>> >> of template text that consist solely of white space.
>> >
>> >> What you have is: TemplateText [This is a test]
>> >
>> >> Because the second template text is empty, it gets removed.
>> >
>> >> The fix is:
>> >
>> >> =start== This is a
>> >> test ==end===
>> >
>> >> This is a potential use case for a recently closed (as WONTFIX)
>> >> enhancement request:
>> >
>> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=45931
>> >
>> >> Whether this use case is sufficient to justify re-opening that
>> >> enhancement request, reviewing the patch and updating it for 9.0.x
>> >> is TBD. How realistic is it for you to apply the fix (using ${'
>> >> '}) described above?
>> >
>> > Would it be reasonable to change trimSpaces so that spaces within
>> > element attributes would be normalized to a single space, and others
>> > would be removed? I'm not sure how aware the parser is of the
>> > surrounding document structure.
>>
>> The parser is completely unaware. As far as it is concerned, it is just
>> template text. Parsing the template text it is likely impossible since
>> correct parsing depends on evaluating the entire page.
>>
>> Mark
>>
>>
>>
> Hey,
>
> I reopened the enhancement request BZ 45931, and linked to this thread as
> you asked.
> I will look into porting the patch now also. The help is much appreciated.
>
> Thanks
>


RE: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Shaik, Mohammad N.
Hello Olaf,

Thanks for your response!

Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 
server, since our header configuration is going to be static.

Can you please help us in identifying which version of Apache HTTP Server we 
can use for Tomcat 6 version? Also, it will be great if you can share some 
guidelines on how to implement Apache in front of Tomcat.


Regards,
Mohammad Nayeem

-Original Message-
From: Olaf Kock [mailto:tom...@olafkock.de]
Sent: 29 May 2017 13:53
To: users@tomcat.apache.org
Subject: Re: Security Headers Implementation in Tomcat 6.x version


On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any of these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see 
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and a hard 
place: Invest in a platform that's a potential security threat (it won't get 
any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front of 
tomcat and use its magic to tag most of your headers. For many it will be 
static configuration. If there's anything dynamic that you need, implement a 
servlet filter that just does the job. Hardcode it - you don't need a lot of 
configuration if you come up with a solution that's just used within your 
premises.

If you have multiple web applications that all need the same filter, deploy the 
filter on all of them.

Olaf





This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
__

www.accenture.com




Re: trimSpaces removing whitespace from html

2017-05-29 Thread David Kavanagh
On 29 May 2017 at 10:43, Mark Thomas  wrote:

> On 26/05/17 21:33, Christopher Schultz wrote:
> > Mark,
> >
> > On 5/26/17 6:59 AM, Mark Thomas wrote:
> >> On 26/05/17 10:15, David Kavanagh wrote:
> >>> Hey guys,
> >>>
> >>> Thanks for getting back to me. I didn't realise that the
> >>> attachments would be stripped.> Here are the two files in full.
> >
> >> That isn't enough for us to reproduce it. Those files refer to a
> >> handful of other tag files and classes we don't have.
> >
> >> However, I have been able to derive a simple test case from it:
> >
> >> =start== This is a test
> >> ==end===
> >
> >> The output with trimSpaces enabled is:
> >
> >> =start== This is a test
> >> ==end===
> >
> >> trimSpaces is behaving exactly as designed. It removes any blocks
> >> of template text that consist solely of white space.
> >
> >> What you have is: TemplateText [This is a test]
> >
> >> Because the second template text is empty, it gets removed.
> >
> >> The fix is:
> >
> >> =start== This is a
> >> test ==end===
> >
> >> This is a potential use case for a recently closed (as WONTFIX)
> >> enhancement request:
> >
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=45931
> >
> >> Whether this use case is sufficient to justify re-opening that
> >> enhancement request, reviewing the patch and updating it for 9.0.x
> >> is TBD. How realistic is it for you to apply the fix (using ${'
> >> '}) described above?
> >
> > Would it be reasonable to change trimSpaces so that spaces within
> > element attributes would be normalized to a single space, and others
> > would be removed? I'm not sure how aware the parser is of the
> > surrounding document structure.
>
> The parser is completely unaware. As far as it is concerned, it is just
> template text. Parsing the template text it is likely impossible since
> correct parsing depends on evaluating the entire page.
>
> Mark
>
>
>
Hey,

I reopened the enhancement request BZ 45931, and linked to this thread as
you asked.
I will look into porting the patch now also. The help is much appreciated.

Thanks


Re: trimSpaces removing whitespace from html

2017-05-29 Thread Mark Thomas
On 26/05/17 21:33, Christopher Schultz wrote:
> Mark,
> 
> On 5/26/17 6:59 AM, Mark Thomas wrote:
>> On 26/05/17 10:15, David Kavanagh wrote:
>>> Hey guys,
>>>
>>> Thanks for getting back to me. I didn't realise that the
>>> attachments would be stripped.> Here are the two files in full.
> 
>> That isn't enough for us to reproduce it. Those files refer to a
>> handful of other tag files and classes we don't have.
> 
>> However, I have been able to derive a simple test case from it:
> 
>> =start== This is a test 
>> ==end===
> 
>> The output with trimSpaces enabled is:
> 
>> =start== This is a test 
>> ==end===
> 
>> trimSpaces is behaving exactly as designed. It removes any blocks
>> of template text that consist solely of white space.
> 
>> What you have is: TemplateText [This is a test]
> 
>> Because the second template text is empty, it gets removed.
> 
>> The fix is:
> 
>> =start== This is a
>> test ==end===
> 
>> This is a potential use case for a recently closed (as WONTFIX) 
>> enhancement request:
> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=45931
> 
>> Whether this use case is sufficient to justify re-opening that 
>> enhancement request, reviewing the patch and updating it for 9.0.x
>> is TBD. How realistic is it for you to apply the fix (using ${'
>> '}) described above?
> 
> Would it be reasonable to change trimSpaces so that spaces within
> element attributes would be normalized to a single space, and others
> would be removed? I'm not sure how aware the parser is of the
> surrounding document structure.

The parser is completely unaware. As far as it is concerned, it is just
template text. Parsing the template text it is likely impossible since
correct parsing depends on evaluating the entire page.

Mark




Re: trimSpaces removing whitespace from html

2017-05-29 Thread Mark Thomas
On 29/05/17 09:09, David Kavanagh wrote:
> On 26 May 2017 at 22:33, Christopher Schultz 
> wrote:
> 
> Mark,
> 
> On 5/26/17 6:59 AM, Mark Thomas wrote:



 This is a potential use case for a recently closed (as WONTFIX)
 enhancement request:

 https://bz.apache.org/bugzilla/show_bug.cgi?id=45931

 Whether this use case is sufficient to justify re-opening that
 enhancement request, reviewing the patch and updating it for 9.0.x
 is TBD. How realistic is it for you to apply the fix (using ${'
 '}) described above?
> 
> Would it be reasonable to change trimSpaces so that spaces within
> element attributes would be normalized to a single space, and others
> would be removed? I'm not sure how aware the parser is of the
> surrounding document structure.
> 
> -chris



> Hey guys,
> 
> Thanks again for the help. For the Tomcat setup we currently have, the
> first link sent my Mark is a good fix for us.
> The other option Mark posted that would require modifying the .jsp files is
> unfortunately not realistic because we currently use thousands of .jsps.
> The possible fix that Christopher suggested in the last message would be
> the perfect solution.

BZ 45931 it is then. Please re-open that enhancement request and link to
this thread as the use case that justifies it. If you wanted to take a
look at porting the patch as well, that would be great.

Mark




Re: Security Headers Implementation in Tomcat 6.x version

2017-05-29 Thread Olaf Kock

On 29.05.2017 at 07:59, Shaik, Mohammad N. wrote:
> We are using Tomcat 6.x version and we need to implement the following 
> headers in our environment.
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 
> 7) X-Robots-Tag
>
> When I checked the Tomcat 6 version webpage 
> (https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html), I don't see 
> any filters that implement any these headers. Some of them are available in 
> Tomcat 7 version webpage 
> (https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html), but we cannot 
> upgrade to Tomcat 7.x version due to some constraints.
>
> Can you kindly guide me how to implement these headers in Tomcat 6.x version. 
> All your comments on this topic are welcome.
As tomcat 6 is solid out of service for almost half a year already (see
http://tomcat.apache.org/tomcat-60-eol.html), you're between a rock and
a hard place: Invest in a platform that's a potential security threat
(it won't get any more updates) or invest in an upgrade.

That out of the way, for most cases, just have an Apache httpd in front
of tomcat and use its magic to tag most of your headers. For many it
will be static configuration. If there's anything dynamic that you need,
implement a servlet filter that just does the job. Hardcode it - you
don't need a lot of configuration if you come up with a solution that's
just used within your premises.

If you have multiple web applications that all need the same filter,
deploy the filter on all of them.

Olaf




Re: How to implement Security Headers in Tomcat 6

2017-05-29 Thread manjesh
If the technology is java/j2ee then you can implement some sort of servlet
filter where you can manipulate the HTTP response to add these headers for
each outgoing response. I believe other platforms like .Net should also
support a similar feature to customize the request and response objects.

On Mon, May 29, 2017 at 12:28 PM, Shaik, Mohammad N. <
mohammad.n.sh...@accenture.com> wrote:

> Hello,
>
> Can someone please let me know if the following headers are compatible
> with Tomcat 6.x version? If yes, then how do we enable them?
>
> Headers:
> 1) Strict-Transport-Security
> 2) Content-Security-Policy
> 3) Public-Key-Pins
> 4) X-Frame-Options
> 5) X-XSS-Protection
> 6) X-Content-Type-Options
> 7) X-Robots-Tag
>
>
> Kind Regards,
> Mohammad Nayeem
>


Re: trimSpaces removing whitespace from html

2017-05-29 Thread David Kavanagh
On 26 May 2017 at 22:33, Christopher Schultz 
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Mark,
>
> On 5/26/17 6:59 AM, Mark Thomas wrote:
> > On 26/05/17 10:15, David Kavanagh wrote:
> >> Hey guys,
> >>
> >> Thanks for getting back to me. I didn't realise that the
> >> attachments would be stripped.> Here are the two files in full.
> >
> > That isn't enough for us to reproduce it. Those files refer to a
> > handful of other tag files and classes we don't have.
> >
> > However, I have been able to derive a simple test case from it:
> >
> > =start== This is a test
> > ==end===
> >
> > The output with trimSpaces enabled is:
> >
> > =start== This is a test
> > ==end===
> >
> > trimSpaces is behaving exactly as designed. It removes any blocks
> > of template text that consist solely of white space.
> >
> > What you have is: TemplateText [This is a test]
> >
> > Because the second template text is empty, it gets removed.
> >
> > The fix is:
> >
> > =start== This is a
> > test ==end===
> >
> > This is a potential use case for a recently closed (as WONTFIX)
> > enhancement request:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=45931
> >
> > Whether this use case is sufficient to justify re-opening that
> > enhancement request, reviewing the patch and updating it for 9.0.x
> > is TBD. How realistic is it for you to apply the fix (using ${'
> > '}) described above?
>
> Would it be reasonable to change trimSpaces so that spaces within
> element attributes would be normalized to a single space, and others
> would be removed? I'm not sure how aware the parser is of the
> surrounding document structure.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlkokS8ACgkQHPApP6U8
> pFiW1A/+LnfMx+8SfU0TkGuhfxiKxh4kfdX+Hn4XNjJbcyAqTuPnwBD3D1kfXB6r
> QajDBPlEj9vKQgRZhdEuYpj/fMRxqxrdcwMR0ImjWhb4dm7q6ZxsDnWdWqzI3GF+
> ltYQ4Oql+NmCLkXMxZOF6JMUVJGWcj+wQnCuwWp5UvRzFhZTzevcz9H+35TPPa3z
> t+oX2ZjnAPXXVI+C8fnJ5qrdm6Ovj853BzQteR40vB6zwk8CDkyWhN98XEBz1DrD
> QMQTXe0VHa6B0cgrrNLna6K3S5FwolnQJS6xA2AKHMR8ugoAukBGJjBHntAo9NAH
> XvR+5Wxx/Iecc/9Cw/YuKgFzExEKQvU7Nj9EhuUrTIDKVGYMEG8rg2iEkRtqjd8T
> sQptiIt/kHoRSsatfSP1RzqhTVsbOJrATEQdoas5Tzn0rSKwXZkGPe7iHH/hHAlI
> EREd25F6zHHKJL6Vugw7UidRtqIg8htg2EwhgDstx/gw334L9xB//KnrMWM+ErDf
> gZkEPrE2tXzeu7hkDvpWVxERN9mMx6UT7uEUgG7csTBdKPh2snBBhJzSsKX2GyS6
> /OPXwzfFdD526rI5ZgzSzGbuC4Z1TAHjtBBnLWsstIjZtIRq+SKFGl15gfNxj0PQ
> KYc9uvoduFfUspT7eRaEk1DbkUBidA/sfhmPMgove3XVq+u5/SM=
> =gYLg
> -END PGP SIGNATURE-
>
>
>

Hey guys,

Thanks again for the help. For the Tomcat setup we currently have, the
first link sent my Mark is a good fix for us.
The other option Mark posted that would require modifying the .jsp files is
unfortunately not realistic because we currently use thousands of .jsps.
The possible fix that Christopher suggested in the last message would be
the perfect solution.

Kind Regards

David


Change of status code for ClientAbortExceptions - bug?

2017-05-29 Thread Thomas Eliassen
Hi,

Since https://bz.apache.org/bugzilla/show_bug.cgi?id=60718 (r1783148 in 
tc8.5.x), ClientAbortExceptions are logged in the access log as status 500, 
changed from the previous status 200.

Is this actually the desired behaviour? It doesn't seem appropriate to log a 
500 as this isn't necessarily a server error.

Also, the error isn't being logged to catalina.log using the default 
logging.properties, which for a 500 error seems wrong.


Regards,
Thomas


Immobilien Scout GmbH
Management: Dr. Michael Bütter, Dr. Thomas Schroeter
Chairman of the Supervisory Board: Gregory Ellis
Commercial Register: Local Court of Charlottenburg, HRB 69108
Place of Association: Berlin





How to implement Security Headers in Tomcat 6

2017-05-29 Thread Shaik, Mohammad N.
Hello,

Can someone please let me know if the following headers are compatible with 
Tomcat 6.x version? If yes, then how do we enable them?

Headers:
1) Strict-Transport-Security
2) Content-Security-Policy
3) Public-Key-Pins
4) X-Frame-Options
5) X-XSS-Protection
6) X-Content-Type-Options
7) X-Robots-Tag


Kind Regards,
Mohammad Nayeem



This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
__

www.accenture.com


Re: Autodeploy servlets below webapps folder

2017-05-29 Thread Gubler, Ruediger
Hi,

we have several servlets in webapps which are used by every project.
We will move some third-party servlets containing project-specific data into the 
project folder without any further config (autodeploy).

With your suggestion we must generate a host for every project on the dev 
server (hundreds of ports open) and huge configuration.

Rüdiger


From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Saturday, 27 May 2017 14:55
To: Gubler, Ruediger
Subject: Re: Autodeploy servlets below webapps folder

Rüdiger

in server.xml at

From: Gubler, Ruediger <mailto:rgub...@initse.com>
Sent: Friday, May 26, 2017 4:01 AM
To: users@tomcat.apache.org
Subject: Autodeploy servlets below webapps folder

Hi,

We have currently the following structure on our tomcat servers:

webapps/projects/project1..n
webapps/servletProject1.1
webapps/servletProject1.m
...
webapps/servletProject_n.1
webapps/servletProject_n.m

We would like to put the servlet below the project folders.
webapps/projects/project1..n/servlet1..m

Is this possible without configuration changes for every new project?


Kind regards, Rüdiger