Re: Tomcat 6.0.12 in windows vista 64 bits does not start
Thanks for that but the files you mention are not there. I went to commons/daemon/binaries/1.0.2/windows and downloaded commons-daemon-1.0.2-bin-windows.zip In that zip there is a prunsrv.exe in the base directory and the same in the amd directory. i.e. not procrun.exe and procrunw.exe. Sorry if I need my hand holding but I am very unfamiliar with this. mturk wrote: On 02/26/2010 11:43 AM, iainmac wrote: Thanks - is it safe to use that with 6.0.24? Download from http://commons.apache.org/downloads/download_daemon.cgi Click on the 'browse download area' and go to the binaries - 1.0.2 - windows Download and extract .zip file and then rename procrun.exe to tomcat6.exe for the required CPU arch. Rename procrunw.exe to tomcat6w.exe (same for all platforms) and copy those two files inside Tomcat bin directory. This is procedure we are going to implement with next Tomcat releases instead maintaining our set of binaries. Renaming and downloading will took place at build time of course. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/Tomcat-6.0.12-in-windows-vista-64-bits-does-not-start-tp18967895p27772446.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 6.0.12 in windows vista 64 bits does not start
Hi, That link doesnt work - can anyone tell us where its gone? Thanks, Iain n828cl wrote: From: Mr Popo Sama [mailto:mrpopo...@yahoo.com.ar] Subject: Re: Tomcat 6.0.12 in windows vista 64 bits does not start sorry it is tomcat version 6.0.18 not .12 - Mensaje original De: Mr Popo Sama mrpopo...@yahoo.com.ar Para: users@tomcat.apache.org Enviado: miércoles 13 de agosto de 2008, 14:42:27 Asunto: Tomcat 6.0.12 in windows vista 64 bits does not start Hi, i am having trouble starting up the tomcat server in windows vista 64bits with java 64 You are likely using the 32-bit versions of the service wrapper. Get the 64-bit ones here: https://svn.apache.org/repos/asf/tomcat/connectors/trunk/procrun/bin/amd64/ Change the 5 in the names to 6, and replace the existing ones in Tomcat's bin directory with the renamed downloaded ones. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/Tomcat-6.0.12-in-windows-vista-64-bits-does-not-start-tp18967895p27716519.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.12 in windows vista 64 bits does not start
Thanks - is it safe to use that with 6.0.24? Mark Thomas wrote: On 26/02/2010 10:15, iainmac wrote: Hi, That link doesnt work - can anyone tell us where its gone? http://svn.apache.org/repos/asf/tomcat/trunk/res/procrun/amd64/ The binary is from commons daemon. Mladen just did a commons-daemon release and that is actually the most up to date version. It should be available from the commons download pages. Mark Thanks, Iain n828cl wrote: From: Mr Popo Sama [mailto:mrpopo...@yahoo.com.ar] Subject: Re: Tomcat 6.0.12 in windows vista 64 bits does not start sorry it is tomcat version 6.0.18 not .12 - Mensaje original De: Mr Popo Samamrpopo...@yahoo.com.ar Para: users@tomcat.apache.org Enviado: miércoles 13 de agosto de 2008, 14:42:27 Asunto: Tomcat 6.0.12 in windows vista 64 bits does not start Hi, i am having trouble starting up the tomcat server in windows vista 64bits with java 64 You are likely using the 32-bit versions of the service wrapper. Get the 64-bit ones here: https://svn.apache.org/repos/asf/tomcat/connectors/trunk/procrun/bin/amd64/ Change the 5 in the names to 6, and replace the existing ones in Tomcat's bin directory with the renamed downloaded ones. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/Tomcat-6.0.12-in-windows-vista-64-bits-does-not-start-tp18967895p27716773.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
6.0.24 SSL Session always New
Hi, I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL. I have a web application that checks for a current session, and if there isn't one it sends the user to a login screen. This is working fine from Explorer as it did before in the previous version of Tomcat, but it keeps saying the session is new in Firefox, Safari and Chrome. In the jsp, this keeps taking me back to the login screen... if (session.getAttribute(userName)==null){ response.sendRedirect(login.jsp); return; } Why would Explorer work and the others not? Thanks, Iain -- View this message in context: http://old.nabble.com/6.0.24-SSL-Session-always-New-tp27652568p27652568.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 6.0.24 SSL Session always New
Christopher Schultz-2 wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Iain, On 2/19/2010 7:02 AM, iainmac wrote: I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL. I have a web application that checks for a current session, and if there isn't one it sends the user to a login screen. This is working fine from Explorer as it did before in the previous version of Tomcat, but it keeps saying the session is new in Firefox, Safari and Chrome. In the jsp, this keeps taking me back to the login screen... if (session.getAttribute(userName)==null){ response.sendRedirect(login.jsp); return; } You might want to provide more information, such as: --- 1. When do you set the userName attribute in the session? On validation of the user. 2. When does authentication occur? How? Container-based, or your own? I so also have container based as well as my own. 3. When does the session appear to be reset? It's clear whats happenign - just not sure why: 1. From logon screen a new session is created, against that the username and other attributes are stored. 2. After the logn screen does this it then redirects to the actual page I need. 3. This page is made up of a parent frame and 2 sub-frames. 4. The parent frame (the named page that the redirect is to) does that check above i.e. tries to get the Username from the session object- This works successfully. This page begins to load. 5. The first sub-frame begins to lad, tries the same check - in MSIE (and in Tomcat 5.0.28 other browers too) we are given the same validated session, so all works fine. In other browsers with 6.0.24 a new session is given, and so I am again redirected to the logon page! In a loop! Same this happens with second sub frame. As a work around I have simply rewritten my pages not to use frames, all works fine. I do wish new versions would keep default behaviour or make it clear the default behaviour has changed. I think its related to the session hijacking mentioned in the other reply, but i didn't understand all on the linked page. --- Christopher Schultz-2 wrote: I'm surprised this is working any differently in MSIE than other browsers. Are you using any kind of javascript to drive this behavior? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkt+rlIACgkQ9CaO5/Lv0PA0GwCfYs+5Cgte9Y3dW+Xo8gEwWUcj 4mIAoKNEastlN4BmGe9pBUWrq/uxwSqG =pfbY -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/6.0.24-SSL-Session-always-New-tp27652568p27658575.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 6.0.24 SSL Session always New
Thanks I think it must be something to do with that. Eric Lenio-5 wrote: On Fri, Feb 19, 2010 at 12:02:18PM +, iainmac wrote: Hi, I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL. I have a web application that checks for a current session, and if there isn't one it sends the user to a login screen. This is working fine from Explorer as it did before in the previous version of Tomcat, but it keeps saying the session is new in Firefox, Safari and Chrome. In the jsp, this keeps taking me back to the login screen... if (session.getAttribute(userName)==null){ response.sendRedirect(login.jsp); return; } Why would Explorer work and the others not? Thanks, Iain You might want to review new protection Tomcat has against session fixation, which was done in 6.0.21. http://issues.apache.org/bugzilla/show_bug.cgi?id=45255 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/6.0.24-SSL-Session-always-New-tp27652568p27658593.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 6.0.24 SSL Session always New
Hi yes you are right, but I add it when I get a new validated session, so it should be there, in effect for my code, it's he same thing. This worked fine for all browsers with 5.0.28, stopped working for all but MSIE from 6.0.20. I think its a change as mentioned by the other kind respondent, although if anyone knows why its not consistent across all browsers please let me know. Thanks. awarnier wrote: iainmac wrote: Hi, I have just moved from 5.0.18 to 6.0.24 using JSSE for SSL. I have a web application that checks for a current session, and if there isn't one it sends the user to a login screen. This is working fine from Explorer as it did before in the previous version of Tomcat, but it keeps saying the session is new in Firefox, Safari and Chrome. In the jsp, this keeps taking me back to the login screen... if (session.getAttribute(userName)==null){ response.sendRedirect(login.jsp); return; } Why would Explorer work and the others not? Hi. I am being a bit adventurous here considering my knowledge of Java and JSP, but it seems to me that the test above does not really check whether there is or not a session; it checks whether the attribute userName of the session is defined. That may be a different thing. Other than that, assuming the above is correct, and assuming that the server side is always the same, and only the browser changes,.. - settings different in the different browsers ? (like IE allows cookies, the other ones not ?) - you are within a Windows network, and some Windows authentication mechanism plays a role when you use IE, and not when you use the other browsers ? You should probably provide more information about your setup, to allow people here to make more informed guesses. Like - under what OS is Tomcat running ? - what kind of authentication does your webapp use ? (WEB-INF/web.xml) - are you accessing Tomcat directly, or through another webserver and a connector ? - the settings of your SSL connector ? (passwords etc. removed) - what do the logs say ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/6.0.24-SSL-Session-always-New-tp27652568p27658632.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
SSL APR Tomcat 6.0.20 Not Working
Hi, I am trying to upgrade from 5.0.16 to 6.0.20 and also try to use the APR, with SSL. I had SSL working fine in 6.0.20 with JSSE (i.e. not APR SSL). I have used http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips to get my private key file and added this to my server.xml... Connector port=443 protocol=HTTP/1.1 maxHttpHeaderSize=8192 maxThreads=150 enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLEnabled=true SSLProtocol=TLSv1 SSLPassword= SSLCertificateFile=* SSLCertificateKeyFile=** / and on startup I get this output 18-Feb-2010 17:04:45 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 18-Feb-2010 17:04:45 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. 18-Feb-2010 17:04:46 org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 18-Feb-2010 17:04:46 org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 18-Feb-2010 17:04:46 org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1918 ms 18-Feb-2010 17:04:46 org.apache.catalina.core.StandardService start INFO: Starting service Catalina 18-Feb-2010 17:04:46 org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/6.0.20 18-Feb-2010 17:04:48 org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-80 18-Feb-2010 17:04:48 org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-443 18-Feb-2010 17:04:48 org.apache.catalina.startup.Catalina start INFO: Server startup in 1316 ms which all looks fine and dandy, but when I try to access a page with https it just doesnt respond i.e. explorer says its not there and asks to diagnose connection problems. Am I missing something simple? Thanks, Iain -- View this message in context: http://old.nabble.com/SSL-APR-Tomcat-6.0.20-Not-Working-tp27642349p27642349.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL APR Tomcat 6.0.20 Not Working
I changed TLSv1 to just TLS and it worked iainmac wrote: Hi, I am trying to upgrade from 5.0.16 to 6.0.20 and also try to use the APR, with SSL. I had SSL working fine in 6.0.20 with JSSE (i.e. not APR SSL). I have used http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips to get my private key file and added this to my server.xml... Connector port=443 protocol=HTTP/1.1 maxHttpHeaderSize=8192 maxThreads=150 enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true SSLEnabled=true SSLProtocol=TLSv1 SSLPassword= SSLCertificateFile=* SSLCertificateKeyFile=** / and on startup I get this output 18-Feb-2010 17:04:45 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 18-Feb-2010 17:04:45 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. 18-Feb-2010 17:04:46 org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-80 18-Feb-2010 17:04:46 org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-443 18-Feb-2010 17:04:46 org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1918 ms 18-Feb-2010 17:04:46 org.apache.catalina.core.StandardService start INFO: Starting service Catalina 18-Feb-2010 17:04:46 org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/6.0.20 18-Feb-2010 17:04:48 org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-80 18-Feb-2010 17:04:48 org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-443 18-Feb-2010 17:04:48 org.apache.catalina.startup.Catalina start INFO: Server startup in 1316 ms which all looks fine and dandy, but when I try to access a page with https it just doesnt respond i.e. explorer says its not there and asks to diagnose connection problems. Am I missing something simple? Thanks, Iain -- View this message in context: http://old.nabble.com/SSL-APR-Tomcat-6.0.20-Not-Working-tp27642349p27647034.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Stack Trace debug to screen
Hi, I am upgrading from Tomcat 5 to 6. When developing I run Tomcat from the command line so I can see the debug as it happens, but with Tomcat 6 I can see the debug that I have coded but when there is a Tomcat exception, it doesn't appear in the command line window any more although it is in the logs. e.g. org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:92) org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:330) org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:439) org.apache.jasper.compiler.Compiler.compile(Compiler.java:334) org.apache.jasper.compiler.Compiler.compile(Compiler.java:312) org.apache.jasper.compiler.Compiler.compile(Compiler.java:299) org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:586) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:317) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267) javax.servlet.http.HttpServlet.service(HttpServlet.java:717) org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738) appears in the log, and in the browser but not in the debug in the command line window I have open. I am searching for the reason, but if any one knows what I need to do please let me know. Thanks. -- View this message in context: http://old.nabble.com/Stack-Trace-debug-to-screen-tp27210579p27210579.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Stack Trace debug to screen
Thanks, I read that but its not clear at all. I added java.util.logging.ConsoleHandler.useParentHandler = true but has not made a difference. Apache Tomcat 6.0.20 on XP. I have it working by now by deleting the loggers other than: handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler as my apps have their own logging . This now enables me to see the exceptions in the console and they are in catalina.log - ideally I would also like to have them in my apps logs too, I use log4j so I am sure it is possible but I just don't have time to get that deeply into it. Thanks for getting me this far. Konstantin Kolinko wrote: 2010/1/18 iainmac iain_macau...@hotmail.com: Hi, I am upgrading from Tomcat 5 to 6. When developing I run Tomcat from the command line so I can see the debug as it happens, but with Tomcat 6 I can see the debug that I have coded but when there is a Tomcat exception, it doesn't appear in the command line window any more although it is in the logs. e.g. org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:92) org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:330) org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:439) org.apache.jasper.compiler.Compiler.compile(Compiler.java:334) org.apache.jasper.compiler.Compiler.compile(Compiler.java:312) org.apache.jasper.compiler.Compiler.compile(Compiler.java:299) org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:586) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:317) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267) javax.servlet.http.HttpServlet.service(HttpServlet.java:717) org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738) appears in the log, and in the browser but not in the debug in the command line window I have open. I am searching for the reason, but if any one knows what I need to do please let me know. Thanks. That message is logged by 2localhost.org.apache.juli.FileHandler (or what the name of that log file is?) and does not reach the ConsoleHandler that prints messages to the console. See http://tomcat.apache.org/tomcat-6.0-doc/logging.html There is the following phrase: By default, loggers will not delegate to their parent if they have associated handlers. This may be changed per logger using the loggerName.useParentHandlers property, which accepts a boolean value. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/Stack-Trace-debug-to-screen-tp27210579p27211979.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: The code of method _jspService(...) is exceeding the 65535 byteslimit
Hi, I am moving from Tomcat 5 to 6, and jsp's that worked fine in 5 now give me this length error. I also have moved from java j2sdk1.4.1_02 to jdk1.6.0_18. I know I can rewrite the code, and over time I probably will, but is there a way of configuring Tomcat 6 to enable me to compile these jsp's? Thanks, Iain Peter Hubbard wrote: On Fri, 2006-05-12 at 14:02 +0200, lk wrote: Hi, I got this bad error. Is there a way to solve this problem (maybe in the configurations file)? Thanks This simply means you have way too much jsp code in one file. Maybe you could split them up, or remove some of the functionality from the jsp itself into helper classes. As far as I know, it is a limit placed on method size by the JVM - I'm not sure if it can be changed. -- Peter Hubbard pet...@staff.telkomsa.net - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/The-code-of-method-_jspService%28...%29-is-exceeding-the-65535-byteslimit-tp4356835p27212087.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: allowTrace=false allowing Trace Method
Sorry, not sure what you want an example of, and not sure what you mean when you ask what connectors I am using (not really an expert) Using Tomcat 5.0.16. My workaround did pass the security scan. Strangely I had the same version of Tomcat on a different box where the allowTrace=false did what it was supposed to. I was flummoxed when it didn't work n the new box. Iain Christopher Schultz-2 wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ian, On 1/13/2010 12:37 PM, iainmac wrote: I need to disable TRACE to pass a security scan, so I added allowTrace=false to all my connectors, but its still allowing TRACE! Can you give us an example? Recently, someone complained that the JSPServlet will allow /any/ HTTP method, even methods that are not defined like: FOO /path/to/my.jsp HTTP/1.1 Teh FOO method ist allowed!!111!!!ELEVEN!! For whatever reason, the JSPServlet specifically allows any method, including TRACE. I've never used allowTrace=false, though it /is/ the default. I had to work around with urlrewrite and a jsp with 1 line which was response.sendError(response.SC_NOT_IMPLEMENTED , NOT IMPLEMENTED); And does this pass your security audit? However I would prefer the allowTrace=false to work properly! Agreed, though the documentation doesn't state what happens when allowTrace=true versus allowTrace=false: it just says enabled or disables the TRACE method without describing the expected behavior. Any ideas as to why its not working? Not without looking at the code. You are welcome to check it out. Which connector(s) are you using? What version of Tomcat are you running? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktOK8AACgkQ9CaO5/Lv0PAYowCeIjb1OC3GuXl2FkrYUknvOPBP aV0AmwdVlFQSfuSONNlgu0ga04/Qq82Z =8Ku1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/allowTrace%3D%22false%22-allowing-Trace-Method-tp27148410p27159680.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
allowTrace=false allowing Trace Method
Hi, I need to disable TRACE to pass a security scan, so I added allowTrace=false to all my connectors, but its still allowing TRACE! I had to work around with urlrewrite and a jsp with 1 line which was response.sendError(response.SC_NOT_IMPLEMENTED , NOT IMPLEMENTED); However I would prefer the allowTrace=false to work properly! Any ideas as to why its not working? Thanks, I. -- View this message in context: http://old.nabble.com/allowTrace%3D%22false%22-allowing-Trace-Method-tp27148410p27148410.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org