Re: JEP 411 Deprecate the Security Manager for removal

2021-04-15 Thread Mark Thomas

On 15/04/2021 21:03, Me Self wrote:

> Hi All
>
> It appears the security manager is going to be removed from a future
> release of java according to https://openjdk.java.net/jeps/411.

That will be quite a chunk of code we could remove / would have to
remove from Tomcat.

> When running Tomcat on Linux there are many excellent alternatives to
> locking down the JVM process with sandboxing/mandatory access control for
> instance Systemd and AppArmor and various LSM modules or even SELinux for
> the masochists.
>
> But what about Windows - I'm kind of blank here?
>
> The primary use case is to prevent Remote Code Execution attacks from
> spilling out into the OS. These attacks have been plentiful in some web
> frameworks (for instance struts2) and libraries that are often used with
> Tomcat. Most of the severe ones we have had in the past fail in the
> presence of a sandbox because the remote code relies on privileged
> operations that are typically not permitted by the sandbox.
>
> The requirements for a sandbox I believe would be
>
> 1. Mandatory Access Control: Central configuration of security properties.
> Cannot be modified by the JVM process or user.
> 2. Principle of Least Privilege: Everything is forbidden except for
> explicit permissions that are granted for operations that are actually
> needed.
> 3. Preferably also with some level of app firewall built in.
>
> So does this exist for Windows?

Run a VM?

You can run a service as a custom user but I haven't looked at just how
minimal the privileges for that user can be.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [EXTERNAL] Re: tomcat timeout

2021-04-15 Thread Mohamed Eliyas Abdul Kadar
I am generating a report for a year; normally this takes 5 mins on the weblogic
server. We are migrating to tomcat and it does not show any error. In developer
tools I see a timeout for that request.

From: Rob Sargent 
Sent: Thursday, April 15, 2021 11:48 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: tomcat timeout

CAUTION: This email originated from outside the organization. DO NOT click 
links or open attachments unless you recognize the sender and know the content 
is safe.



On 4/15/21 12:23 PM, Mohamed Eliyas Abdul Kadar wrote:
> I am using tomcat 9.0.41. In my web application, when executing a query to
> fetch data for reporting it is taking more than 2 minutes. The request
> is timing out after 50s. Please let me know how to increase the
> database timeout to 5 mins.
> This communication and its attachments contain confidential information and 
> is intended only for the named addressee. If you are not the named addressee 
> you should not disseminate, distribute or copy this communication. Please 
> notify the sender immediately if you have received this communication by 
> mistake and delete or destroy this communication. Communications cannot be 
> guaranteed to be secured or error-free as information could be intercepted, 
> corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. 
> The sender therefore does not accept liability for any errors or omissions in 
> the contents of this communication which arise as a result of transmission. 
> If verification is required please request a hard-copy version. NeoGenomics 
> Laboratories, 12701 Commonwealth Dr, Fort Myers, FL 33913, 
> http://www.neogenomics.com (2021)
>
Are you sure you're not better off focusing on why your query is taking
so long? How much data are you reading through and how much are you
returning to the web client?




JEP 411 Deprecate the Security Manager for removal

2021-04-15 Thread Me Self
Hi All

It appears the security manager is going to be removed from a future
release of java according to https://openjdk.java.net/jeps/411.

When running Tomcat on Linux there are many excellent alternatives to
locking down the JVM process with sandboxing/mandatory access control for
instance Systemd and AppArmor and various LSM modules or even SELinux for
the masochists.

But what about Windows - I'm kind of blank here?

The primary use case is to prevent Remote Code Execution attacks from
spilling out into the OS. These attacks have been plentiful in some web
frameworks (for instance struts2) and libraries that are often used with
Tomcat. Most of the severe ones we have had in the past fail in the
presence of a sandbox because the remote code relies on privileged
operations that are typically not permitted by the sandbox.

The requirements for a sandbox I believe would be

1. Mandatory Access Control: Central configuration of security properties.
Cannot be modified by the JVM process or user.
2. Principle of Least Privilege: Everything is forbidden except for
explicit permissions that are granted for operations that are actually
needed.
3. Preferably also with some level of app firewall built in.

So does this exist for Windows?
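
For the Linux side the post mentions, a systemd unit that maps onto the three requirements listed above (an added example, not from the thread or from the Tomcat project; the install path /opt/tomcat, the tomcat user and the 192.0.2.0/24 range are assumptions):

```ini
# /etc/systemd/system/tomcat.service
# Added example; paths, user and addresses are assumptions.
[Unit]
Description=Apache Tomcat (sandboxed)
After=network.target

[Service]
# Unprivileged account; /opt/tomcat is an assumed install location.
User=tomcat
Group=tomcat
Environment=CATALINA_HOME=/opt/tomcat
ExecStart=/opt/tomcat/bin/catalina.sh run

# Requirement 1: policy lives in this root-owned unit file. The service
# cannot edit it, and cannot gain privileges through setuid binaries.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictSUIDSGID=yes

# Requirement 2: deny by default, then grant only what Tomcat needs.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Writable paths; add webapps/ only if WARs are unpacked at runtime.
ReadWritePaths=/opt/tomcat/logs /opt/tomcat/temp /opt/tomcat/work
# MemoryDenyWriteExecute= is left unset: the JVM JIT needs W+X memory.

# Requirement 3: per-service network filter (needs cgroup v2 with BPF).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressDeny=any
# Constructed range standing in for the reverse proxy and the database.
IPAddressAllow=localhost 192.0.2.0/24

[Install]
WantedBy=multi-user.target
```

Running `systemd-analyze security tomcat.service` afterwards lists which sandboxing directives are still unset for the unit.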


RE: [EXTERNAL] Re: tomcat timeout

2021-04-15 Thread Mohamed Eliyas Abdul Kadar
Using chrome browser, I am accessing a web application which is making a
database call. The database call is taking more than 2 mins, but the request
times out at 50 seconds. Is there a way to increase this timeout?

-----Original Message-----
From: Mark Thomas 
Sent: Thursday, April 15, 2021 11:54 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: tomcat timeout


On 15/04/2021 19:23, Mohamed Eliyas Abdul Kadar wrote:
>
> I am using tomcat 9.0.41. In my web application, when executing a query to
> fetch data for reporting it is taking more than 2 minutes. The request
> is timing out after 50s. Please let me know how to increase the
> database timeout to 5 mins.

Nothing to do with Tomcat. That is a client issue. Tomcat will wait for as long
as it takes to write the response.

Mark




Re: tomcat timeout

2021-04-15 Thread Mark Thomas

On 15/04/2021 19:23, Mohamed Eliyas Abdul Kadar wrote:


> I am using tomcat 9.0.41. In my web application, when executing a query to
> fetch data for reporting it is taking more than 2 minutes. The request is
> timing out after 50s. Please let me know how to increase the database
> timeout to 5 mins.

Nothing to do with Tomcat. That is a client issue. Tomcat will wait for
as long as it takes to write the response.


Mark




Re: tomcat timeout

2021-04-15 Thread Rob Sargent




On 4/15/21 12:23 PM, Mohamed Eliyas Abdul Kadar wrote:

> I am using tomcat 9.0.41. In my web application, when executing a query to
> fetch data for reporting it is taking more than 2 minutes. The request is
> timing out after 50s. Please let me know how to increase the database
> timeout to 5 mins.

Are you sure you're not better off focusing on why your query is taking
so long? How much data are you reading through and how much are you
returning to the web client?






RE: tomcat timeout

2021-04-15 Thread Mohamed Eliyas Abdul Kadar

I am using tomcat 9.0.41. In my web application, when executing a query to
fetch data for reporting it is taking more than 2 minutes. The request is
timing out after 50s. Please let me know how to increase the database
timeout to 5 mins.


tomcat timeout

2021-04-15 Thread Mohamed Eliyas Abdul Kadar
I am using tomcat 9.0.41. In my web application, when executing a query to
fetch data for reporting it is taking more than 2 minutes. The request is
timing out after 50s. Please let me know how to increase the database
timeout to 5 mins.


Forcing Single Session Cookie for SingleSignOn Across Webapps

2021-04-15 Thread Jerry Malcolm
I have a web site that is made up of several individual webapps all tied
together with SingleSignOn. We are using Amazon's Load Balancer with
session affinity. However, each webapp is generating its own session
cookie, so the load balancer is routing to different server instances
for each webapp, which defeats the SingleSignOn. Is there a way to get
one single sessionId cookie for all of the webapps in a SingleSignOn
situation?


Thanks.

Jerry





Status Code 500 on /manager/status after upgrade to 9.0.45

2021-04-15 Thread Dan Schreck
I just upgraded from 9.0.39 to 9.0.45 and am experiencing something odd. When I
go to http:///manager/status the page fully renders but is delivered with HTTP
Status 500. This isn't a problem when viewing in a browser, but my automated
monitoring tool isn't working because it thinks there is no data.

Any suggestions? Thanks.

Dan Schreck | Director of IT Operations | Foundation Source
Phone & Fax: +1 203-319-3727 | dschr...@foundationsource.com
55 Walls Drive, 3rd Floor, Fairfield CT 06824
www.foundationsource.com