svn commit: r1679516 - in /tomcat/site/trunk/docs: ./ tomcat-7.0-doc/ tomcat-7.0-doc/api/ tomcat-7.0-doc/api/org/apache/catalina/ tomcat-7.0-doc/api/org/apache/catalina/ant/ tomcat-7.0-doc/api/org/apa

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 09:06:06 2015
New Revision: 1679516

URL: http://svn.apache.org/r1679516
Log:
Update docs for Apache Tomcat 7.0.62 release.


[This commit notification would consist of 329 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1679508 - in /tomcat/site/trunk: ./ docs/ xdocs/

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 08:22:49 2015
New Revision: 1679508

URL: http://svn.apache.org/r1679508
Log:
Updates (excluding docs) for 7.0.62 release

Modified:
tomcat/site/trunk/build.properties.default
tomcat/site/trunk/docs/doap_Tomcat.rdf
tomcat/site/trunk/docs/download-70.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-7.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/doap_Tomcat.rdf
tomcat/site/trunk/xdocs/download-70.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-7.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/build.properties.default?rev=1679508&r1=1679507&r2=1679508&view=diff
==
--- tomcat/site/trunk/build.properties.default (original)
+++ tomcat/site/trunk/build.properties.default Fri May 15 08:22:49 2015
@@ -37,7 +37,7 @@ tomcat.loc=http://www.apache.org/dist/to
 
 # - Tomcat versions -
 tomcat60=6.0.43
-tomcat70=7.0.61
+tomcat70=7.0.62
 tomcat80=8.0.22
 
 

Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1679508&r1=1679507&r2=1679508&view=diff
==
--- tomcat/site/trunk/docs/doap_Tomcat.rdf (original)
+++ tomcat/site/trunk/docs/doap_Tomcat.rdf Fri May 15 08:22:49 2015
@@ -64,8 +64,8 @@
 release
   Version
 nameLatest Stable 7.0.x Release/name
-created2015-04-07/created
-revision7.0.61/revision
+created2015-05-14/created
+revision7.0.62/revision
   /Version
 /release
 release

Modified: tomcat/site/trunk/docs/download-70.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-70.html?rev=1679508&r1=1679507&r2=1679508&view=diff
==
--- tomcat/site/trunk/docs/download-70.html (original)
+++ tomcat/site/trunk/docs/download-70.html Fri May 15 08:22:49 2015
@@ -206,7 +206,7 @@
 h3 id=Quick_NavigationQuick Navigation/h3
 div class=text
 
-[define v]7.0.61[end]
+[define v]7.0.62[end]
 a href=https://www.apache.org/dist/tomcat/tomcat-7/KEYS;KEYS/a |
 a href=#[v][v]/a |
 a href=[preferred]tomcat/tomcat-7/v[v] rel=nofollowBrowse/a |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1679508&r1=1679507&r2=1679508&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Fri May 15 08:22:49 2015
@@ -227,6 +227,30 @@ project logo are trademarks of the Apach
 
 
 /div
+h3 id=Tomcat_7.0.62_Released
+span style=float: right;2015-05-14/span Tomcat 7.0.62 Released/h3
+div class=text
+
+p
+The Apache Tomcat Project is proud to announce the release of version 7.0.62 of
+Apache Tomcat. This release contains a number of bug fixes
+and improvements compared to version 7.0.61.
+/p
+
+p
+Full details of these changes, and all the other changes, are available in the
+a href=tomcat-7.0-doc/changelog.htmlTomcat 7 changelog/a.
+/p
+
+
+p style=text-align: center;
+
+a href=download-70.cgiDownload/a |
+a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.62/a
+
+/p
+
+/div
 h3 id=Tomcat_6.0.44_Released
 span style=float: right;2015-05-12/span Tomcat 6.0.44 Released/h3
 div class=text
@@ -309,48 +333,6 @@ changelog/a.
 
 /p
 
-/div
-h3 id=Tomcat_7.0.61_Released
-span style=float: right;2015-04-07/span Tomcat 7.0.61 Released/h3
-div class=text
-
-p
-The Apache Tomcat Project is proud to announce the release of version 7.0.61 of
-Apache Tomcat. This release contains a number of bug fixes
-and improvements compared to version 7.0.59. The notable changes
-since 7.0.59 include:
-/p
-
-ul
-  
-liAdd support for Java 8 JSSE server-preferred TLS cipher suite ordering.
-  This feature requires Java 8./li
-  
-liUpdate to Tomcat Native Library version 1.1.33 to pick up the Windows
-  binaries that are based on OpenSSL 1.0.1m and APR 1.5.1./li
-  
-liImplement a new feature for AJP connectors - Tomcat Authorization. If
-  enabled Tomcat, will take an authenticated user name from the AJP 
protocol
-  and use the appropriate Realm for the request to authorize (i.e. add
-  roles) to that user./li
-  
-liUpdate the Eclipse JDT compiler to version 4.4.2./li
-
-/ul
-
-p
-Full details of these changes, and all the other changes, are available in the
-a href=tomcat-7.0-doc/changelog.htmlTomcat 7 changelog/a.
-/p
-
-
-p style=text-align: center;
-
-a href=download-70.cgiDownload/a |
-a href=tomcat-7.0-doc/changelog.htmlChangeLog for 7.0.61/a
-
-/p

svn commit: r9013 - /release/tomcat/tomcat-7/v7.0.61/

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 08:53:23 2015
New Revision: 9013

Log:
Remove 7.0.61

Removed:
release/tomcat/tomcat-7/v7.0.61/





svn commit: r1679506 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 07:52:59 2015
New Revision: 1679506

URL: http://svn.apache.org/r1679506
Log:
Update the release date for 7.0.62

Modified:
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1679506&r1=1679505&r2=1679506&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 15 07:52:59 2015
@@ -76,7 +76,7 @@
 /changelog
   /subsection
 /section
-section name=Tomcat 7.0.62 (violetagg)
+section name=Tomcat 7.0.62 (violetagg) rtext=released 2015-05-14
   subsection name=Catalina
 changelog
   add






svn commit: r1679541 - /tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 10:59:19 2015
New Revision: 1679541

URL: http://svn.apache.org/r1679541
Log:
Fix typos in changelog

Modified:
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1679541&r1=1679540&r2=1679541&view=diff
==
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri May 15 10:59:19 2015
@@ -82,7 +82,7 @@
 provided by VIN. (markt)
   /fix
   fix
-bug57802/bug: Correct the default impementation of
+bug57802/bug: Correct the default implementation of
 codeconvertToType()/code provided by
 codejavax.el.ELResolver/code. (markt)
   /fix
@@ -151,7 +151,7 @@
 pattern code%{remote}p/code. (rjung)
   /add
   fix
-bug57556/bug: Refine the previous fix fo rthis issue so that the
+bug57556/bug: Refine the previous fix for this issue so that the
 real path returned only has a trialing separator if the requested path
 ended with code//code. (markt)
   /fix
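Review bot: The context line directly below the corrected one still reads "trialing separator", which should be "trailing separator". Since this commit is a typo sweep of the changelog, fix that word in the same entry for bug 57556 rather than leaving it for another pass.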
@@ -216,7 +216,7 @@
   /fix
   scode
 Remove the experimental support for SPDY. No current user agent 
supports
-the version of SPDY that the experiment targetted. Note: HTTP/2 support
+the version of SPDY that the experiment targeted. Note: HTTP/2 support
 is under development for Tomcat 9 and may be back-ported to Tomcat 8
 once complete. (markt)
   /scode
@@ -234,7 +234,7 @@
   /fix
   fix
 bug57833/bug: When using JKS based keystores for NIO or NIO2, 
ensure
-that the key alias is always converted to lower caes since that is what
+that the key alias is always converted to lower case since that is what
 JKS key stores expect. Based on a patch by  Santosh Giri Govind M.
 (markt)
   /fix






svn commit: r1679537 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml webapps/docs/config/valve.xml

2015-05-15 Thread markt
Author: markt
Date: Fri May 15 10:42:29 2015
New Revision: 1679537

URL: http://svn.apache.org/r1679537
Log:
Fix a problem with SPNEGO auth and Java 8 update 40 onwards.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)

tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml

Propchange: tomcat/tc7.0.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri May 15 10:42:29 2015
@@ -1,2 +1,2 @@

svn commit: r1679538 - /tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

2015-05-15 Thread markt
Author: markt
Date: Fri May 15 10:45:03 2015
New Revision: 1679538

URL: http://svn.apache.org/r1679538
Log:
whitespace

Modified:
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1679538&r1=1679537&r2=1679538&view=diff
==
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri May 15 10:45:03 2015
@@ -61,7 +61,7 @@
 Java 8 update 40 and later. The workaround should be safe for earlier
 Java versions but it can be disabled with the
 codeapplyJava8u40Fix/code attribute of the SPNEGO authenticator if
-necessary. (markt) 
+necessary. (markt)
   /fix
 /changelog
   /subsection






svn commit: r1679542 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

2015-05-15 Thread violetagg
Author: violetagg
Date: Fri May 15 11:04:00 2015
New Revision: 1679542

URL: http://svn.apache.org/r1679542
Log:
Fix typos in changelog

Modified:
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1679542&r1=1679541&r2=1679542&view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 15 11:04:00 2015
@@ -158,7 +158,7 @@
   /fix
   fix
 bug57833/bug: When using JKS based keystores for NIO, ensure that
-the key alias is always converted to lower caes since that is what JKS
+the key alias is always converted to lower case since that is what JKS
 key stores expect. Based on a patch by  Santosh Giri Govind M. (markt)
   /fix
   fix






svn commit: r1679534 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/config/valve.xml

2015-05-15 Thread markt
Author: markt
Date: Fri May 15 10:24:11 2015
New Revision: 1679534

URL: http://svn.apache.org/r1679534
Log:
Fix a problem with SPNEGO auth and Java 8 update 40 onwards.

Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/trunk/webapps/docs/config/valve.xml

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1679534&r1=1679533&r2=1679534&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java 
Fri May 15 10:24:11 2015
@@ -22,6 +22,7 @@ import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.LinkedHashMap;
 import java.util.regex.Pattern;
 
 import javax.security.auth.Subject;
@@ -91,6 +92,14 @@ public class SpnegoAuthenticator extends
 }
 }
 
+private boolean applyJava8u40Fix = true;
+public boolean getApplyJava8u40Fix() {
+return applyJava8u40Fix;
+}
+public void setApplyJava8u40Fix(boolean applyJava8u40Fix) {
+this.applyJava8u40Fix = applyJava8u40Fix;
+}
+
 
 @Override
 protected String getAuthMethod() {
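Review bot: Missing documentation on the new applyJava8u40Fix field and its getter and setter. The field defaults to true, so the token rewrite is switched on for every deployment that picks up this change, yet nothing at the declaration says what the flag controls or when it is safe to turn off. Add a short Javadoc comment on the field or the setter that points at the SpnegoTokenFixer class and states the default.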
@@ -164,6 +173,10 @@ public class SpnegoAuthenticator extends
 authorizationBC.getOffset(),
 authorizationBC.getLength());
 
+if (getApplyJava8u40Fix()) {
+SpnegoTokenFixer.fix(decoded);
+}
+
 if (decoded.length == 0) {
 if (log.isDebugEnabled()) {
 log.debug(sm.getString(
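Review bot: SpnegoTokenFixer.fix(decoded) is called before the decoded.length == 0 check that follows it, so the fixer also runs on an empty array when the Authorization header carries no token. Move the call below the empty-token check, or confirm that the first tag(0x60) read compares pos with token.length before indexing into the array.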
@@ -331,4 +344,153 @@ public class SpnegoAuthenticator extends
 return realm.authenticate(gssContext, storeDelegatedCredential);
 }
 }
+
+
+/**
+ * This class implements a hack around an incompatibility between the
+ * SPNEGO implementation in Windows and the SPNEGO implementation in Java 8
+ * update 40 onwards. It was introduced by the change to fix this bug:
+ * https://bugs.openjdk.java.net/browse/JDK-8048194
+ * (note: the change applied is not the one suggested in the bug report)
+ * p
+ * It is not clear to me if Windows, Java or Tomcat is at fault here. I
+ * think it is Java but I could be wrong.
+ * p
+ * This hack works by re-ordering the list of mechTypes in the NegTokenInit
+ * token.
+ */
+private static class SpnegoTokenFixer {
+
+public static void fix(byte[] token) {
+SpnegoTokenFixer fixer = new SpnegoTokenFixer(token);
+fixer.fix();
+}
+
+
+private final byte[] token;
+private int pos = 0;
+
+
+private SpnegoTokenFixer(byte[] token) {
+this.token = token;
+}
+
+
+// Fixes the token in-place
+private void fix() {
+/*
+ * Useful references:
+ * http://tools.ietf.org/html/rfc4121#page-5
+ * http://tools.ietf.org/html/rfc2743#page-81
+ * https://msdn.microsoft.com/en-us/library/ms995330.aspx
+ */
+
+// Scan until we find the mech types list. If we find anything
+// unexpected, abort the fix process.
+if (!tag(0x60)) return;
+if (!length()) return;
+if (!oid(1.3.6.1.5.5.2)) return;
+if (!tag(0xa0)) return;
+if (!length()) return;
+if (!tag(0x30)) return;
+if (!length()) return;
+if (!tag(0xa0)) return;
+lengthAsInt();
+if (!tag(0x30)) return;
+// Now at the start of the mechType list.
+// Read the mechTypes into an ordered set
+int mechTypesLen = lengthAsInt();
+int mechTypesStart = pos;
+LinkedHashMapString, int[] mechTypeEntries = new 
LinkedHashMap();
+while (pos  mechTypesStart + mechTypesLen) {
+int[] value = new int[2];
+value[0] = pos;
+String key = oidAsString();
+value[1] = pos - value[0];
+mechTypeEntries.put(key, value);
+}
+// Now construct the re-ordered mechType list
+byte[] replacement = new byte[mechTypesLen];
+int replacementPos = 0;
+
+int[] first = mechTypeEntries.remove(1.2.840.113554.1.2.2);
+if (first != null) {
+System.arraycopy(token, first[0], replacement, replacementPos, 
first[1]);
+replacementPos += first[1];
+}
+for (int[] markers : mechTypeEntries.values()) {
+System.arraycopy(token, markers[0], replacement, 
replacementPos, 
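Review bot: mechTypesLen is read from the token, which is decoded from the client's Authorization header, and is then used as the bound of the while loop and as the size in new byte[mechTypesLen] with no visible check that mechTypesStart + mechTypesLen stays within token.length. Validate the length before the loop and abort the fix when it does not fit, the same way the earlier steps return on anything unexpected. Two smaller points in the same method: the bare lengthAsInt() call after the second tag(0xa0) discards its result where the other steps use if (!length()) return, which deserves a comment, and mechTypeEntries.put(key, value) silently drops an entry if the list repeats an OID, leaving replacement only partly filled.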

svn commit: r1679536 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml webapps/docs/config/valve.xml

2015-05-15 Thread markt
Author: markt
Date: Fri May 15 10:39:45 2015
New Revision: 1679536

URL: http://svn.apache.org/r1679536
Log:
Fix a problem with SPNEGO auth and Java 8 update 40 onwards.

Modified:
tomcat/tc8.0.x/trunk/   (props changed)

tomcat/tc8.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/valve.xml

Propchange: tomcat/tc8.0.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri May 15 10:39:45 2015
@@ -1 +1 @@

[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order

2015-05-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129

--- Comment #5 from Guillaume Smet guillaume.s...@gmail.com ---
Hi Mark,

(In reply to Mark Thomas from comment #3)
 Applications that depend on JARs being searched for classes in a particular
 order are broken and should be fixed.
 
 I am -1 on adding this unnecessary bloat to the new resources implementation
 in Tomcat 8.

Any chance this could be revisited? I see 2 reasons why having a predictable
order is necessary:
- you might consider an application which depends on the order of the jars
broken but the issue here is that, if the order is inconsistent depending on
the OS/filesystem, you have a good chance to have your application failing when
you deploy it on another OS/FS or even from a deploy to another.
- I'm pretty sure a lot of people used this feature to override classes of
other jars in an easily maintainable way (eg having
000-hibernate-override-1.0.0.jar for instance).

 Broken web applications that need a JAR to be searched for classes before
 all other JARs can force this via configuration in the context.xml file.
 Something along the lines of the following should work:
 
 <Resources>
   <!-- Trick to force this JAR to be searched for classes before all others
        to work around a Jira bug -->
   <PreResources className="org.apache.catalina.webresources.FileResourceSet"
                 base="${catalina.base}/webapps/jira/WEB-INF/lib/jira-api-6.2.jar"
                 webAppMount="/WEB-INF/lib/jira-api-6.2.jar" />
 </Resources>

It's not something maintainable in a continuous deployment/Maven/gradle world.
We update the jar versions very often and it's really not something we can do.

I really think guaranteeing a predictable order is following the POLA and
adding a sort is really worth it.

Thanks for your feedback!

-- 
Guillaume

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order

2015-05-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129

Guillaume Smet guillaume.s...@gmail.com changed:

   What|Removed |Added

 CC||guillaume.s...@gmail.com




[Bug 57129] Regression. Load WEB-INF/lib jarfiles in alphabetical order

2015-05-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57129

--- Comment #6 from Mark Thomas ma...@apache.org ---
My position - and reasons for that position - remain unchanged.




Re: svn commit: r1679534 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/config/valve.xml

2015-05-15 Thread Mark Thomas
On 15/05/2015 11:24, ma...@apache.org wrote:
 Author: markt
 Date: Fri May 15 10:24:11 2015
 New Revision: 1679534
 
 URL: http://svn.apache.org/r1679534
 Log:
 Fix a problem with SPNEGO auth and Java 8 update 40 onwards.

I've just found the mailing list posts where the OpenJDK security folks
have found and are in the process of fixing this issue. Once there is a
Java8 release with a fix, I'll change the default to disabled for this hack.

Mark


 
 Modified:
 
 tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
 tomcat/trunk/webapps/docs/config/valve.xml
 
 Modified: 
 tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
 URL: 
 http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1679534&r1=1679533&r2=1679534&view=diff
 ==
 --- 
 tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java 
 (original)
 +++ 
 tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java 
 Fri May 15 10:24:11 2015
 @@ -22,6 +22,7 @@ import java.security.Principal;
  import java.security.PrivilegedAction;
  import java.security.PrivilegedActionException;
  import java.security.PrivilegedExceptionAction;
 +import java.util.LinkedHashMap;
  import java.util.regex.Pattern;
  
  import javax.security.auth.Subject;
 @@ -91,6 +92,14 @@ public class SpnegoAuthenticator extends
  }
  }
  
 +private boolean applyJava8u40Fix = true;
 +public boolean getApplyJava8u40Fix() {
 +return applyJava8u40Fix;
 +}
 +public void setApplyJava8u40Fix(boolean applyJava8u40Fix) {
 +this.applyJava8u40Fix = applyJava8u40Fix;
 +}
 +
  
  @Override
  protected String getAuthMethod() {
 @@ -164,6 +173,10 @@ public class SpnegoAuthenticator extends
  authorizationBC.getOffset(),
  authorizationBC.getLength());
  
 +if (getApplyJava8u40Fix()) {
 +SpnegoTokenFixer.fix(decoded);
 +}
 +
  if (decoded.length == 0) {
  if (log.isDebugEnabled()) {
  log.debug(sm.getString(
 @@ -331,4 +344,153 @@ public class SpnegoAuthenticator extends
  return realm.authenticate(gssContext, storeDelegatedCredential);
  }
  }
 +
 +
 +/**
 + * This class implements a hack around an incompatibility between the
 + * SPNEGO implementation in Windows and the SPNEGO implementation in 
 Java 8
 + * update 40 onwards. It was introduced by the change to fix this bug:
 + * https://bugs.openjdk.java.net/browse/JDK-8048194
 + * (note: the change applied is not the one suggested in the bug report)
 + * p
 + * It is not clear to me if Windows, Java or Tomcat is at fault here. I
 + * think it is Java but I could be wrong.
 + * p
 + * This hack works by re-ordering the list of mechTypes in the 
 NegTokenInit
 + * token.
 + */
 +private static class SpnegoTokenFixer {
 +
 +public static void fix(byte[] token) {
 +SpnegoTokenFixer fixer = new SpnegoTokenFixer(token);
 +fixer.fix();
 +}
 +
 +
 +private final byte[] token;
 +private int pos = 0;
 +
 +
 +private SpnegoTokenFixer(byte[] token) {
 +this.token = token;
 +}
 +
 +
 +// Fixes the token in-place
 +private void fix() {
 +/*
 + * Useful references:
 + * http://tools.ietf.org/html/rfc4121#page-5
 + * http://tools.ietf.org/html/rfc2743#page-81
 + * https://msdn.microsoft.com/en-us/library/ms995330.aspx
 + */
 +
 +// Scan until we find the mech types list. If we find anything
 +// unexpected, abort the fix process.
 +if (!tag(0x60)) return;
 +if (!length()) return;
 +if (!oid(1.3.6.1.5.5.2)) return;
 +if (!tag(0xa0)) return;
 +if (!length()) return;
 +if (!tag(0x30)) return;
 +if (!length()) return;
 +if (!tag(0xa0)) return;
 +lengthAsInt();
 +if (!tag(0x30)) return;
 +// Now at the start of the mechType list.
 +// Read the mechTypes into an ordered set
 +int mechTypesLen = lengthAsInt();
 +int mechTypesStart = pos;
 +LinkedHashMapString, int[] mechTypeEntries = new 
 LinkedHashMap();
 +while (pos  mechTypesStart + mechTypesLen) {
 +int[] value = new int[2];
 +value[0] = pos;
 +String key = oidAsString();
 +value[1] = pos - value[0];
 +mechTypeEntries.put(key, value);
 +}
 +// Now construct the re-ordered mechType list
 +byte[] replacement = new byte[mechTypesLen];
 +int replacementPos = 0;
 +

buildbot exception in ASF Buildbot on tomcat-8-trunk

2015-05-15 Thread buildbot
The Buildbot has detected a build exception on builder tomcat-8-trunk while 
building ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/tomcat-8-trunk/builds/255

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-8-commit' 
triggered this build
Build Source Stamp: [branch tomcat/tc8.0.x/trunk] 1679541
Blamelist: markt,violetagg

BUILD FAILED: exception svn upload_2

Sincerely,
 -The Buildbot







[Bug 57931] New: NIO connector incorrectly closes connection when client certificate verification fails

2015-05-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57931

Bug ID: 57931
   Summary: NIO connector incorrectly closes connection when
client certificate verification fails
   Product: Tomcat 7
   Version: 7.0.61
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Connectors
  Assignee: dev@tomcat.apache.org
  Reporter: loths...@yahoo.com

Created attachment 32738
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32738&action=edit
Test program to reproduce the issue

If tomcat is set to use TLS and clientAuth="want" or clientAuth="true", it
appears the NIO connector closes the connection in response to an untrusted
client certificate.  This behavior differs from the BIO connector, and violates
RFC 5246, which states that a fatal alert must be provided if some aspect of
the cert chain was unacceptable.  By closing the connection, this causes
OpenSSL to provide an obscure error "Unexpected EOF", which indicates the TLS
protocol was violated.

I have attached a Python test program which demonstrates this behavior.  Simply
run this program against a tomcat server, configured with the given server.xml
Connector shown below.  Removal of the protocol attribute will use the BIO
connector, and inclusion of the protocol attribute will demonstrate the NIO
connector.


Steps to reproduce:
1) Set up a tomcat server with the connector configuration shown below
2) Install Python as well as pyOpenSSL
3) (If necessary) Modify the test.py program to communicate with the
appropriate server and port.
4) Run the test.py program.
(Alternatively, if Python is not available, you should be able to use 


Desired behavior:
Instead of closing the connection, the NIO connector should provide a fatal
error response to an invalid certificate, like the BIO connector.  

I would strongly prefer if the response would match the response provided by
Java through the BIO connector: "alert certificate unknown".  This would allow
our program to use either connector without any changes.


Impact:
Due to this bug, when using the NIO connector, our program cannot differentiate
between an unexpected network problem and a certificate issue during the
handshake.  Because of this, the program is not able to flag and react to the
possibility the certificate is invalid--it assumes an unexpected network error
occurred.



RFC 5246, 7.4.6.  Client Certificate:
If the client does not send any certificates, the
server MAY at its discretion either continue the handshake without
client authentication, or respond with a fatal handshake_failure
alert.  Also, if some aspect of the certificate chain was
unacceptable (e.g., it was not signed by a known, trusted CA), the
server MAY at its discretion either continue the handshake
(considering the client unauthenticated) or send a fatal alert.


NIO Connector (Incorrect behavior):
python test.py
Connecting...
Performing SSL handshake...
Traceback (most recent call last):
  File "test.py", line 18, in <module>
    conn.do_handshake()
OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')


BIO connector (Correct behavior):
python test.py
Connecting...
Performing SSL handshake...
Traceback (most recent call last):
  File "test.py", line 18, in <module>
    conn.do_handshake()
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1442, in do_handshake
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1187, in _raise_ssl_error
  File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 48, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')]




Connector Configuration:
<Connector port="10443" maxHttpHeaderSize="4096"
   maxThreads="75" minSpareThreads="25"
   maxKeepAliveRequests="-1"
   keepAliveTimeout="18"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
   clientAuth="want" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1"
   connectionTimeout="1"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   keystoreFile="example.keystore"
   keystorePass="example" algorithm="SunX509"
   truststoreFile="example.keystore"
   truststorePass="example"
   truststoreType="JKS"
   keyAlias="tomcat"
   compression="on"
   compressionMinSize="2048"
   ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>

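The distinction this report depends on, shown at the TLS record level as an added example (it is not the reporter's attached test.py, which is not reproduced on this page). The helper name `classify_server_reply` and both sample byte strings are constructed for illustration, and the code assumes TLS 1.2 or earlier, where an alert sent before the server's ChangeCipherSpec travels unencrypted.

```python
import struct

ALERT_RECORD = 21  # TLS ContentType "alert" (RFC 5246, 6.2.1)
LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values from RFC 5246, 7.2.
DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                43: "unsupported_certificate", 44: "certificate_revoked",
                45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}  # alerts that point at the certificate chain


def classify_server_reply(data):
    """Classify the raw bytes a server sent after the client's Certificate flight.

    Hypothetical helper. Returns (verdict, detail).
    """
    if not data:
        # Socket closed with no TLS record at all: a client cannot tell this
        # apart from a network failure (the NIO behaviour in the report).
        return ("closed_without_alert", None)
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:          # record header is 5 bytes
            return ("truncated_record", None)
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            return ("truncated_record", None)
        if ctype == ALERT_RECORD:
            if length != 2:              # plaintext alert is level + description
                return ("malformed_alert", None)
            level, desc = body
            detail = "%s %s" % (LEVELS.get(level, "level_%d" % level),
                                DESCRIPTIONS.get(desc, "alert_%d" % desc))
            if desc in CERT_ALERTS:
                return ("certificate_rejected", detail)
            return ("other_alert", detail)
        pos += 5 + length                # skip non-alert records
    return ("no_alert", None)


# Constructed samples, not captured traffic.
BIO_STYLE_REPLY = bytes([21, 3, 3, 0, 2, 2, 46])  # fatal certificate_unknown
NIO_STYLE_REPLY = b""                              # EOF, no alert record
```

A client that logs the verdict can flag `certificate_rejected` for certificate handling and treat `closed_without_alert` as ambiguous rather than as a confirmed network error.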



Re: HTTP/2 progress report

2015-05-15 Thread Rémy Maucherat
2015-05-13 22:57 GMT+02:00 Mark Thomas ma...@apache.org:

> Just a quick overview to save folks digging through the commit messages.
>
> If you want to play with this you'll need:
> - APR + tc-native build from *trunk* (to get ALPN support).
> - an EC based cert or set the FireFox option
> network.http.spdy.enforce-tls-profile to false
>
> I've been testing with FireFox 38.0 and the examples application.
>
> To see what is going on, enable debug logging for the
> org.apache.coyote.http2 package.
>
> With the current code:
> - the connection prefaces are sent / received and processed
> - additional settings frames are processed
> - priority frames are processed
> - header frames are partially processed (the decoded headers and values
> are logged)
>
> In terms of what this means for a basic working HTTP/2 implementation
> (i.e. one that works with simple requests but breaks for anything
> remotely close to an edge case)
> - You can see the initial connection set-up
> - You can see the initial streams set up (to create a dependency
> hierarchy with priorities to manage relative priorities of subsequent
> requests)
> - You can see the initial request
> - And then the connection fails.
>
> The HPACK decoder is working (thanks to Stuart Douglas and remm - that
> made today a lot more productive).


Very good overall progress. From my testing the decoder/encoder appeared to
be working very well, and uses the Tomcat structures so it is supposed to
be usable as is. Obviously if there's anything to fix there, I'll have to
contribute it back.


> The next steps are to get a basic implementation working which means:
> - figure out how to feed requests into Tomcat's processing chain
> - figure out how to extract the response back into the HTTP/2
> implementation.

Is it really a good idea to use the same API for HTTP/2 servlets? I
haven't seen anything going on in the expert group.

Rémy