svn commit: r1679516 - in /tomcat/site/trunk/docs: ./ tomcat-7.0-doc/ tomcat-7.0-doc/api/ tomcat-7.0-doc/api/org/apache/catalina/ tomcat-7.0-doc/api/org/apache/catalina/ant/ tomcat-7.0-doc/api/org/apa
Author: violetagg Date: Fri May 15 09:06:06 2015 New Revision: 1679516 URL: http://svn.apache.org/r1679516 Log: Update docs for Apache Tomcat 7.0.62 release. [This commit notification would consist of 329 parts, which exceeds the limit of 50 ones, so it was shortened to the summary.] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1679508 - in /tomcat/site/trunk: ./ docs/ xdocs/
Author: violetagg Date: Fri May 15 08:22:49 2015 New Revision: 1679508 URL: http://svn.apache.org/r1679508 Log: Updates (excluding docs) for 7.0.62 release Modified: tomcat/site/trunk/build.properties.default tomcat/site/trunk/docs/doap_Tomcat.rdf tomcat/site/trunk/docs/download-70.html tomcat/site/trunk/docs/index.html tomcat/site/trunk/docs/migration-7.html tomcat/site/trunk/docs/oldnews.html tomcat/site/trunk/docs/whichversion.html tomcat/site/trunk/xdocs/doap_Tomcat.rdf tomcat/site/trunk/xdocs/download-70.xml tomcat/site/trunk/xdocs/index.xml tomcat/site/trunk/xdocs/migration-7.xml tomcat/site/trunk/xdocs/oldnews.xml tomcat/site/trunk/xdocs/whichversion.xml Modified: tomcat/site/trunk/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/site/trunk/build.properties.default?rev=1679508r1=1679507r2=1679508view=diff == --- tomcat/site/trunk/build.properties.default (original) +++ tomcat/site/trunk/build.properties.default Fri May 15 08:22:49 2015 @@ -37,7 +37,7 @@ tomcat.loc=http://www.apache.org/dist/to # - Tomcat versions - tomcat60=6.0.43 -tomcat70=7.0.61 +tomcat70=7.0.62 tomcat80=8.0.22 Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1679508r1=1679507r2=1679508view=diff == --- tomcat/site/trunk/docs/doap_Tomcat.rdf (original) +++ tomcat/site/trunk/docs/doap_Tomcat.rdf Fri May 15 08:22:49 2015 @@ -64,8 +64,8 @@ release Version nameLatest Stable 7.0.x Release/name -created2015-04-07/created -revision7.0.61/revision +created2015-05-14/created +revision7.0.62/revision /Version /release release Modified: tomcat/site/trunk/docs/download-70.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-70.html?rev=1679508r1=1679507r2=1679508view=diff == --- tomcat/site/trunk/docs/download-70.html (original) +++ tomcat/site/trunk/docs/download-70.html Fri May 15 08:22:49 2015 
@@ -206,7 +206,7 @@ h3 id=Quick_NavigationQuick Navigation/h3 div class=text -[define v]7.0.61[end] +[define v]7.0.62[end] a href=https://www.apache.org/dist/tomcat/tomcat-7/KEYS;KEYS/a | a href=#[v][v]/a | a href=[preferred]tomcat/tomcat-7/v[v] rel=nofollowBrowse/a | Modified: tomcat/site/trunk/docs/index.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1679508r1=1679507r2=1679508view=diff == --- tomcat/site/trunk/docs/index.html (original) +++ tomcat/site/trunk/docs/index.html Fri May 15 08:22:49 2015 @@ -227,6 +227,30 @@ project logo are trademarks of the Apach /div +h3 id=Tomcat_7.0.62_Released +span style=float: right;2015-05-14/span Tomcat 7.0.62 Released/h3 +div class=text + +p +The Apache Tomcat Project is proud to announce the release of version 7.0.62 of +Apache Tomcat. This release contains a number of bug fixes +and improvements compared to version 7.0.61. +/p + +p +Full details of these changes, and all the other changes, are available in the +a href=tomcat-7.0-doc/changelog.htmlTomcat 7 changelog/a. +/p + + +p style=text-align: center; + +a href=download-70.cgiDownload/a | +a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.62/a + +/p + +/div h3 id=Tomcat_6.0.44_Released span style=float: right;2015-05-12/span Tomcat 6.0.44 Released/h3 div class=text 
@@ -309,48 +333,6 @@ changelog/a. /p -/div -h3 id=Tomcat_7.0.61_Released -span style=float: right;2015-04-07/span Tomcat 7.0.61 Released/h3 -div class=text - -p -The Apache Tomcat Project is proud to announce the release of version 7.0.61 of -Apache Tomcat. This release contains a number of bug fixes -and improvements compared to version 7.0.59. The notable changes -since 7.0.59 include: -/p - -ul - -liAdd support for Java 8 JSSE server-preferred TLS cipher suite ordering. - This feature requires Java 8./li - -liUpdate to Tomcat Native Library version 1.1.33 to pick up the Windows - binaries that are based on OpenSSL 1.0.1m and APR 1.5.1./li - -liImplement a new feature for AJP connectors - Tomcat Authorization. If - enabled Tomcat, will take an authenticated user name from the AJP protocol - and use the appropriate Realm for the request to authorize (i.e. add - roles) to that user./li - -liUpdate the Eclipse JDT compiler to version 4.4.2./li - -/ul - -p -Full details of these changes, and all the other changes, are available in the -a href=tomcat-7.0-doc/changelog.htmlTomcat 7 changelog/a. -/p - - -p style=text-align: center; - -a href=download-70.cgiDownload/a | -a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.61/a - -/p
svn commit: r9013 - /release/tomcat/tomcat-7/v7.0.61/
Author: violetagg Date: Fri May 15 08:53:23 2015 New Revision: 9013 Log: Remove 7.0.61 Removed: release/tomcat/tomcat-7/v7.0.61/
svn commit: r1679506 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Author: violetagg Date: Fri May 15 07:52:59 2015 New Revision: 1679506 URL: http://svn.apache.org/r1679506 Log: Update the release date for 7.0.62 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1679506r1=1679505r2=1679506view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 15 07:52:59 2015 @@ -76,7 +76,7 @@ /changelog /subsection /section -section name=Tomcat 7.0.62 (violetagg) +section name=Tomcat 7.0.62 (violetagg) rtext=released 2015-05-14 subsection name=Catalina changelog add
svn commit: r1679541 - /tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Author: violetagg Date: Fri May 15 10:59:19 2015 New Revision: 1679541 URL: http://svn.apache.org/r1679541 Log: Fix typos in changelog Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1679541r1=1679540r2=1679541view=diff == --- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri May 15 10:59:19 2015 @@ -82,7 +82,7 @@ provided by VIN. (markt) /fix fix -bug57802/bug: Correct the default impementation of +bug57802/bug: Correct the default implementation of codeconvertToType()/code provided by codejavax.el.ELResolver/code. (markt) /fix @@ -151,7 +151,7 @@ pattern code%{remote}p/code. (rjung) /add fix -bug57556/bug: Refine the previous fix fo rthis issue so that the +bug57556/bug: Refine the previous fix for this issue so that the real path returned only has a trialing separator if the requested path ended with code//code. (markt) /fix @@ -216,7 +216,7 @@ /fix scode Remove the experimental support for SPDY. No current user agent supports -the version of SPDY that the experiment targetted. Note: HTTP/2 support +the version of SPDY that the experiment targeted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete. (markt) /scode @@ -234,7 +234,7 @@ /fix fix bug57833/bug: When using JKS based keystores for NIO or NIO2, ensure -that the key alias is always converted to lower caes since that is what +that the key alias is always converted to lower case since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt) /fix
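Review bot: In the hunk at @@ -151,7 +151,7 @@, the context line directly below the corrected one still reads "trialing separator". Since this commit is a typo sweep of the changelog, change it to "trailing separator" in the same pass so the bug57556 entry does not need a second commit.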
svn commit: r1679537 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml webapps/docs/config/valve.xml
Author: markt Date: Fri May 15 10:42:29 2015 New Revision: 1679537 URL: http://svn.apache.org/r1679537 Log: Fix a problem with SPNEGO auth and Java 8 update 40 onwards. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Propchange: tomcat/tc7.0.x/trunk/ -- --- svn:mergeinfo (original) +++ svn:mergeinfo Fri May 15 10:42:29 2015 
svn commit: r1679538 - /tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Author: markt Date: Fri May 15 10:45:03 2015 New Revision: 1679538 URL: http://svn.apache.org/r1679538 Log: whitespace Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1679538r1=1679537r2=1679538view=diff == --- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri May 15 10:45:03 2015 @@ -61,7 +61,7 @@ Java 8 update 40 and later. The workaround should be safe for earlier Java versions but it can be disabled with the codeapplyJava8u40Fix/code attribute of the SPNEGO authenticator if -necessary. (markt) +necessary. (markt) /fix /changelog /subsection
svn commit: r1679542 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Author: violetagg Date: Fri May 15 11:04:00 2015 New Revision: 1679542 URL: http://svn.apache.org/r1679542 Log: Fix typos in changelog Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1679542r1=1679541r2=1679542view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 15 11:04:00 2015 @@ -158,7 +158,7 @@ /fix fix bug57833/bug: When using JKS based keystores for NIO, ensure that -the key alias is always converted to lower caes since that is what JKS +the key alias is always converted to lower case since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt) /fix fix
svn commit: r1679534 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/config/valve.xml
Author: markt Date: Fri May 15 10:24:11 2015 New Revision: 1679534 URL: http://svn.apache.org/r1679534 Log: Fix a problem with SPNEGO auth and Java 8 update 40 onwards. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1679534r1=1679533r2=1679534view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Fri May 15 10:24:11 2015 @@ -22,6 +22,7 @@ import java.security.Principal; import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.util.LinkedHashMap; import java.util.regex.Pattern; import javax.security.auth.Subject; @@ -91,6 +92,14 @@ public class SpnegoAuthenticator extends } } +private boolean applyJava8u40Fix = true; +public boolean getApplyJava8u40Fix() { +return applyJava8u40Fix; +} +public void setApplyJava8u40Fix(boolean applyJava8u40Fix) { +this.applyJava8u40Fix = applyJava8u40Fix; +} + @Override protected String getAuthMethod() { @@ -164,6 +173,10 @@ public class SpnegoAuthenticator extends authorizationBC.getOffset(), authorizationBC.getLength()); +if (getApplyJava8u40Fix()) { +SpnegoTokenFixer.fix(decoded); +} + if (decoded.length == 0) { if (log.isDebugEnabled()) { log.debug(sm.getString( 
@@ -331,4 +344,153 @@ public class SpnegoAuthenticator extends return realm.authenticate(gssContext, storeDelegatedCredential); } } + + +/** + * This class implements a hack around an incompatibility between the + * SPNEGO implementation in Windows and the SPNEGO implementation in Java 8 + * update 40 onwards. It was introduced by the change to fix this bug: + * https://bugs.openjdk.java.net/browse/JDK-8048194 + * (note: the change applied is not the one suggested in the bug report) + * p + * It is not clear to me if Windows, Java or Tomcat is at fault here. I + * think it is Java but I could be wrong. + * p + * This hack works by re-ordering the list of mechTypes in the NegTokenInit + * token. + */ +private static class SpnegoTokenFixer { + +public static void fix(byte[] token) { +SpnegoTokenFixer fixer = new SpnegoTokenFixer(token); +fixer.fix(); +} + + +private final byte[] token; +private int pos = 0; + + +private SpnegoTokenFixer(byte[] token) { +this.token = token; +} + + +// Fixes the token in-place +private void fix() { +/* + * Useful references: + * http://tools.ietf.org/html/rfc4121#page-5 + * http://tools.ietf.org/html/rfc2743#page-81 + * https://msdn.microsoft.com/en-us/library/ms995330.aspx + */ + +// Scan until we find the mech types list. If we find anything +// unexpected, abort the fix process. +if (!tag(0x60)) return; +if (!length()) return; +if (!oid(1.3.6.1.5.5.2)) return; +if (!tag(0xa0)) return; +if (!length()) return; +if (!tag(0x30)) return; +if (!length()) return; +if (!tag(0xa0)) return; +lengthAsInt(); +if (!tag(0x30)) return; +// Now at the start of the mechType list. 
+// Read the mechTypes into an ordered set +int mechTypesLen = lengthAsInt(); +int mechTypesStart = pos; +LinkedHashMapString, int[] mechTypeEntries = new LinkedHashMap(); +while (pos mechTypesStart + mechTypesLen) { +int[] value = new int[2]; +value[0] = pos; +String key = oidAsString(); +value[1] = pos - value[0]; +mechTypeEntries.put(key, value); +} +// Now construct the re-ordered mechType list +byte[] replacement = new byte[mechTypesLen]; +int replacementPos = 0; + +int[] first = mechTypeEntries.remove(1.2.840.113554.1.2.2); +if (first != null) { +System.arraycopy(token, first[0], replacement, replacementPos, first[1]); +replacementPos += first[1]; +} +for (int[] markers : mechTypeEntries.values()) { +System.arraycopy(token, markers[0], replacement, replacementPos,
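Review bot: In the hunk at @@ -164,6 +173,10 @@, SpnegoTokenFixer.fix(decoded) is called before the existing decoded.length == 0 check, so the fixer is handed empty and undecodable tokens produced from authorizationBC before any authentication has taken place. Move the call below the empty check, or confirm that tag(), length() and oid() compare pos against token.length before every read so that a short token makes fix() return instead of throwing ArrayIndexOutOfBoundsException.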
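Review bot: In fix() in the hunk at @@ -331,4 +344,153 @@, mechTypesLen is read from client-supplied bytes and then used unchecked for new byte[mechTypesLen] and for the loop bound mechTypesStart + mechTypesLen, while the lengthAsInt() result after the second tag(0xa0) is discarded without being looked at. Check every decoded length against the bytes remaining in token, and reject negative values, before allocating or looping. Separately, mechTypeEntries is keyed by the OID string, so a mechType list that repeats an OID keeps only one entry and the bytes copied into replacement no longer add up to mechTypesLen; abort the fix in that case rather than writing back a short list.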
svn commit: r1679536 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml webapps/docs/config/valve.xml
Author: markt Date: Fri May 15 10:39:45 2015 New Revision: 1679536 URL: http://svn.apache.org/r1679536 Log: Fix a problem with SPNEGO auth and Java 8 update 40 onwards. Modified: tomcat/tc8.0.x/trunk/ (props changed) tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml tomcat/tc8.0.x/trunk/webapps/docs/config/valve.xml Propchange: tomcat/tc8.0.x/trunk/ -- --- svn:mergeinfo (original) +++ svn:mergeinfo Fri May 15 10:39:45 2015 
[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129

--- Comment #5 from Guillaume Smet guillaume.s...@gmail.com ---
Hi Mark,

(In reply to Mark Thomas from comment #3)
> Applications that depend on JARs being searched for classes in a particular
> order are broken and should be fixed. I am -1 on adding this unnecessary
> bloat to the new resources implementation in Tomcat 8.

Any chance this could be revisited?

I see 2 reasons why having a predictable order is necessary:
- you might consider an application which depends on the order of the jars broken but the issue here is that, if the order is inconsistent depending on the OS/filesystem, you have a good chance to have your application failing when you deploy it on another OS/FS or even from a deploy to another.
- I'm pretty sure a lot of people used this feature to override classes of other jars in an easily maintainable way (eg having 000-hibernate-override-1.0.0.jar for instance).

> Broken web applications that need a JAR to be searched for classes before
> all other JARs can force this via configuration in the context.xml file.
> Something along the lines of the following should work:
>
> <Resources>
>   <!-- Trick to force this JAR to be searched for classes before all
>        others to work around a Jira bug -->
>   <PreResources className="org.apache.catalina.webresources.FileResourceSet"
>                 base="${catalina.base}/webapps/jira/WEB-INF/lib/jira-api-6.2.jar"
>                 webAppMount="/WEB-INF/lib/jira-api-6.2.jar" />
> </Resources>

It's not something maintainable in a continuous deployment/Maven/gradle world. We update the jar versions very often and it's really not something we can do.

I really think guaranteeing a predictable order is following the POLA and adding a sort is really worth it.

Thanks for your feedback!

--
Guillaume

--
You are receiving this mail because:
You are the assignee for the bug.
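The comment above turns on whether a web application really depends on JAR search order. As an added example (not code from Tomcat or from the bug report), the following script lists the classes in a WEB-INF/lib directory that are defined with different bytes in more than one JAR, and shows which JAR supplies each one under a given search order. The sample JARs are constructed; only the name 000-hibernate-override-1.0.0.jar comes from the comment.

```python
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict


def class_owners(lib_dir):
    """Map each class entry to {jar name: SHA-256 of that jar's copy}."""
    owners = defaultdict(dict)
    for jar_name in os.listdir(lib_dir):
        if not jar_name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name)) as jar:
            for entry in jar.namelist():
                # Ignore multi-release copies and module descriptors: they are
                # not resolved through the plain class search order.
                if not entry.endswith(".class") or entry.startswith("META-INF/"):
                    continue
                if entry.endswith("module-info.class"):
                    continue
                digest = hashlib.sha256(jar.read(entry)).hexdigest()
                owners[entry][jar_name] = digest
    return owners


def order_sensitive_classes(lib_dir):
    """Classes whose bytes differ between JARs, with the JARs listed A-Z.

    Byte-identical duplicates are left out: whichever JAR is searched first,
    the same class is loaded, so the order cannot change behaviour.
    """
    conflicts = {}
    for entry, jars in class_owners(lib_dir).items():
        if len(set(jars.values())) > 1:
            conflicts[entry] = sorted(jars)
    return conflicts


def loaded_from(conflicts, search_order):
    """For each conflicting class, the first JAR in search_order that has it."""
    return {
        entry: next(jar for jar in search_order if jar in jars)
        for entry, jars in conflicts.items()
    }


def build_sample_lib(root):
    """Create a constructed WEB-INF/lib with one real conflict and one benign one."""
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    sample = {
        "000-hibernate-override-1.0.0.jar": {
            "org/hibernate/Session.class": b"patched copy",
        },
        "hibernate-core.jar": {  # constructed name
            "org/hibernate/Session.class": b"stock copy",
            "org/hibernate/Query.class": b"stock copy",
        },
        "util-a.jar": {"com/example/Util.class": b"identical"},
        "util-b.jar": {"com/example/Util.class": b"identical"},
    }
    for jar_name, entries in sample.items():
        with zipfile.ZipFile(os.path.join(lib, jar_name), "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)
    return lib


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        lib = build_sample_lib(root)
        conflicts = order_sensitive_classes(lib)
        alphabetical = sorted(os.listdir(lib))
        for entry, jar in loaded_from(conflicts, alphabetical).items():
            print(f"{entry}: {conflicts[entry]} -> loaded from {jar} (A-Z order)")
```

An empty result means the application does not depend on the order in which the JARs are searched.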
[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129

Guillaume Smet guillaume.s...@gmail.com changed:

What | Removed | Added
CC   |         | guillaume.s...@gmail.com
[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129 --- Comment #6 from Mark Thomas ma...@apache.org --- My position - and reasons for that position - remain unchanged.
Re: svn commit: r1679534 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/config/valve.xml
On 15/05/2015 11:24, ma...@apache.org wrote: Author: markt Date: Fri May 15 10:24:11 2015 New Revision: 1679534 URL: http://svn.apache.org/r1679534 Log: Fix a problem with SPNEGO auth and Java 8 update 40 onwards. I've just found the mailing list posts where the OpenJDK security folks have found and are in the process of fixing this issue. Once there is a Java8 release with a fix, I'll change the default to disabled for this hack. Mark Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1679534r1=1679533r2=1679534view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Fri May 15 10:24:11 2015 @@ -22,6 +22,7 @@ import java.security.Principal; import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.util.LinkedHashMap; import java.util.regex.Pattern; import javax.security.auth.Subject; @@ -91,6 +92,14 @@ public class SpnegoAuthenticator extends } } +private boolean applyJava8u40Fix = true; +public boolean getApplyJava8u40Fix() { +return applyJava8u40Fix; +} +public void setApplyJava8u40Fix(boolean applyJava8u40Fix) { +this.applyJava8u40Fix = applyJava8u40Fix; +} + @Override protected String getAuthMethod() { @@ -164,6 +173,10 @@ public class SpnegoAuthenticator extends authorizationBC.getOffset(), authorizationBC.getLength()); +if (getApplyJava8u40Fix()) { +SpnegoTokenFixer.fix(decoded); +} + if (decoded.length == 0) { if (log.isDebugEnabled()) { log.debug(sm.getString( 
@@ -331,4 +344,153 @@ public class SpnegoAuthenticator extends return realm.authenticate(gssContext, storeDelegatedCredential); } } + + +/** + * This class implements a hack around an incompatibility between the + * SPNEGO implementation in Windows and the SPNEGO implementation in Java 8 + * update 40 onwards. It was introduced by the change to fix this bug: + * https://bugs.openjdk.java.net/browse/JDK-8048194 + * (note: the change applied is not the one suggested in the bug report) + * p + * It is not clear to me if Windows, Java or Tomcat is at fault here. I + * think it is Java but I could be wrong. + * p + * This hack works by re-ordering the list of mechTypes in the NegTokenInit + * token. + */ +private static class SpnegoTokenFixer { + +public static void fix(byte[] token) { +SpnegoTokenFixer fixer = new SpnegoTokenFixer(token); +fixer.fix(); +} + + +private final byte[] token; +private int pos = 0; + + +private SpnegoTokenFixer(byte[] token) { +this.token = token; +} + + +// Fixes the token in-place +private void fix() { +/* + * Useful references: + * http://tools.ietf.org/html/rfc4121#page-5 + * http://tools.ietf.org/html/rfc2743#page-81 + * https://msdn.microsoft.com/en-us/library/ms995330.aspx + */ + +// Scan until we find the mech types list. If we find anything +// unexpected, abort the fix process. +if (!tag(0x60)) return; +if (!length()) return; +if (!oid(1.3.6.1.5.5.2)) return; +if (!tag(0xa0)) return; +if (!length()) return; +if (!tag(0x30)) return; +if (!length()) return; +if (!tag(0xa0)) return; +lengthAsInt(); +if (!tag(0x30)) return; +// Now at the start of the mechType list. 
+// Read the mechTypes into an ordered set +int mechTypesLen = lengthAsInt(); +int mechTypesStart = pos; +LinkedHashMapString, int[] mechTypeEntries = new LinkedHashMap(); +while (pos mechTypesStart + mechTypesLen) { +int[] value = new int[2]; +value[0] = pos; +String key = oidAsString(); +value[1] = pos - value[0]; +mechTypeEntries.put(key, value); +} +// Now construct the re-ordered mechType list +byte[] replacement = new byte[mechTypesLen]; +int replacementPos = 0; +
buildbot exception in ASF Buildbot on tomcat-8-trunk
The Buildbot has detected a build exception on builder tomcat-8-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-8-trunk/builds/255 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' triggered this build Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1679541 Blamelist: markt,violetagg BUILD FAILED: exception svn upload_2 Sincerely, -The Buildbot
[Bug 57931] New: NIO connector incorrectly closes connection when client certificate verification fails
https://bz.apache.org/bugzilla/show_bug.cgi?id=57931

Bug ID: 57931
Summary: NIO connector incorrectly closes connection when client certificate verification fails
Product: Tomcat 7
Version: 7.0.61
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: loths...@yahoo.com

Created attachment 32738
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32738&action=edit
Test program to reproduce the issue

If tomcat is set to use TLS and clientAuth=want or clientAuth=true, it appears the NIO connector closes the connection in response to an untrusted client certificate. This behavior differs from the BIO connector, and violates RFC 5246, which states that a fatal alert must be provided if some aspect of the cert chain was unacceptable. By closing the connection, this causes OpenSSL to provide an obscure error "Unexpected EOF", which indicates the TLS protocol was violated.

I have attached a Python test program which demonstrates this behavior. Simply run this program against a tomcat server, configured with the given server.xml Connector shown below. Removal of the protocol attribute will use the BIO connector, and inclusion of the protocol attribute will demonstrate the NIO connector.

Steps to reproduce:
1) Set up a tomcat server with the connector configuration shown below
2) Install Python as well as pyOpenSSL
3) (If necessary) Modify the test.py program to communicate with the appropriate server and port.
4) Run the test.py program. (Alternatively, if Python is not available, you should be able to use

Desired behavior:
Instead of closing the connection, the NIO connector should provide a fatal error response to an invalid certificate, like the BIO connector. I would strongly prefer if the response would match the response provided by Java through the BIO connector: "alert certificate unknown". This would allow our program to use either connector without any changes.

Impact:
Due to this bug, when using the NIO connector, our program cannot differentiate between an unexpected network problem and a certificate issue during the handshake. Because of this, the program is not able to flag and react to the possibility the certificate is invalid--it assumes an unexpected network error occurred.

RFC 5246, 7.4.6. Client Certificate:
If the client does not send any certificates, the server MAY at its discretion either continue the handshake without client authentication, or respond with a fatal handshake_failure alert. Also, if some aspect of the certificate chain was unacceptable (e.g., it was not signed by a known, trusted CA), the server MAY at its discretion either continue the handshake (considering the client unauthenticated) or send a fatal alert.

NIO Connector (Incorrect behavior):

python test.py
Connecting...
Performing SSL handshake...
Traceback (most recent call last):
  File "test.py", line 18, in <module>
    conn.do_handshake()
OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

BIO connector (Correct behavior):

python test.py
Connecting...
Performing SSL handshake...
Traceback (most recent call last):
  File "test.py", line 18, in <module>
    conn.do_handshake()
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1442, in do_handshake
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1187, in _raise_ssl_error
  File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 48, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')]

Connector Configuration:

<Connector port="10443" maxHttpHeaderSize="4096"
           maxThreads="75" minSpareThreads="25"
           maxKeepAliveRequests="-1" keepAliveTimeout="18"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="10" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="want"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1"
           connectionTimeout="1"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           keystoreFile="example.keystore" keystorePass="example"
           algorithm="SunX509"
           truststoreFile="example.keystore" truststorePass="example"
           truststoreType="JKS" keyAlias="tomcat"
           compression="on" compressionMinSize="2048"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
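
Added example, not the reporter's attached test.py: a parser for the TLS alert record (RFC 5246, section 7.2) that shows why a client can flag a certificate rejection in the BIO case but only sees an empty read in the NIO case. The function name and the sample byte strings are constructed for illustration, and the alert is assumed to arrive unencrypted, before the server's ChangeCipherSpec.

```python
import struct

# Alert descriptions from RFC 5246, section 7.2 (subset relevant here).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}
CONTENT_TYPE_ALERT = 21
FATAL = 2


def classify_server_reply(data: bytes) -> str:
    """Classify what the server sent after the client presented its certificate.

    Returns 'certificate-rejected:<name>', 'alert:<name>', 'eof',
    'truncated' or 'other-record'.
    """
    if not data:
        # TCP close with no alert: cannot be told apart from a network fault.
        return "eof"
    if len(data) < 5:
        return "truncated"
    content_type, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_TYPE_ALERT or major != 3:
        return "other-record"
    body = data[5:5 + length]
    if length != 2 or len(body) != 2:
        return "truncated"
    level, description = body
    name = ALERT_DESCRIPTIONS.get(description, f"alert_{description}")
    if level == FATAL and description in CERT_ALERTS:
        return f"certificate-rejected:{name}"
    return f"alert:{name}"


# Constructed samples: a TLS 1.2 fatal certificate_unknown alert record,
# and the empty read a client gets when the peer just closes the socket.
BIO_STYLE_REPLY = bytes([21, 3, 3, 0, 2, 2, 46])
NIO_STYLE_REPLY = b""
```
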
Re: HTTP/2 progress report
2015-05-13 22:57 GMT+02:00 Mark Thomas ma...@apache.org:

> Just a quick overview to save folks digging through the commit messages.
>
> If you want to play with this you'll need:
> - APR + tc-native build from *trunk* (to get ALPN support).
> - an EC based cert or set the FireFox option network.http.spdy.enforce-tls-profile to false
>
> I've been testing with FireFox 38.0 and the examples application. To see what is going on, enable debug logging for the org.apache.coyote.http2 package.
>
> With the current code:
> - the connection prefaces are sent / received and processed
> - additional settings frames are processed
> - priority frames are processed
> - header frames are partially processed (the decoded headers and values are logged)
>
> In terms of what this means for a basic working HTTP/2 implementation (i.e. one that works with simple requests but breaks for anything remotely close to an edge case)
> - You can see the initial connection set-up
> - You can see the initial streams set up (to create a dependency hierarchy with priorities to manage relative priorities of subsequent requests)
> - You can see the initial request
> - And then the connection fails.
>
> The HPACK decoder is working (thanks to Stuart Douglas and remm - that made today a lot more productive).

Very good overall progress. From my testing the decoder/encoder appeared to be working very well, and uses the Tomcat structures so it is supposed to be usable as is. Obviously if there's anything to fix there, I'll have to contribute it back.

> The next steps are to get a basic implementation working which means:
> - figure out how to feed requests into Tomcat's processing chain
> - figure out how to extract the response back into the HTTP/2 implementation.

Is it really a good idea to use the same API for HTTP/2 servlets? I haven't seen anything going on in the expert group.

Rémy