[Bug 62343] New: CORS security: reflecting any origin header value when configured to * is dangerous

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Bug ID: 62343
   Summary: CORS security: reflecting any origin header value when
configured to * is dangerous
   Product: Tomcat 8
   Version: 8.5.x-trunk
  Hardware: All
OS: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: whu...@gmail.com
  Target Milestone: 

What's the Problem?
When CORS policy is configured to "Origin:*" and "Credentials:true"(default
setting), current Tomcat CORS filter will actively convert it to reflect any
Origin header value. This kind of behavior is dangerous and has caused many
security problems in the past[1-5].

Why is that?
Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear
definition for the wildcard '*', which means any domain is allowed. But they
also have another important security requirement: "Origin: *" and "Credentials:
true" cannot be used at the same time, to avoid overly loose permissions.
Currently all browsers follow this requirement to disallow this configuration
combination.

If a framework actively converts '*' to reflect any origin header value, it
means "Origin: *" and "Credentials: true" can be used at the same time. This
behavior leads to CORS protocol's security design to be bypassed, causing many
misconfiguration security problems.

How to fix?
Therefore, I suggest frameworks to follow the standard definition of *. When a
user configures "Origin:*", frameworks just directly returns
"Access-control-Allow-Access: *". When a user configures both "Origin:*" and
"Credentials: true" , frameworks should warn users that this is a
misconfiguration, instead of return any origin header value.


Some similar security issues:
[1] https://github.com/cyu/rack-cors/issues/126
[2] https://nodesecurity.io/advisories/148
[3] https://github.com/yiisoft/yii2/issues/16193

Some related blog posts:
[4]
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
[5] https://ejj.io/misconfigured-cors/

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GUMP@vmgump-vm3]: Project tomcat-trunk-validate (in module tomcat-trunk) failed

[Bill Barker]

To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-validate has an issue affecting its community integration.
This issue affects 1 projects,
 and has been outstanding for 19 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-trunk-validate :  Tomcat 9.x, a web server implementing the Java 
Servlet 4.0,
...


Full details are available at:
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on checkstyle exists, no need to add for property 
checkstyle.jar.
 -INFO- Failed with reason build failed



The following work was performed:
http://vmgump-vm3.apache.org/tomcat-trunk/tomcat-trunk-validate/gump_work/build_tomcat-trunk_tomcat-trunk-validate.html
Work Name: build_tomcat-trunk_tomcat-trunk-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 37 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs 
-Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar
 -Dexecute.validate=true validate 
[Working Directory: /srv/gump/public/workspace/tomcat-trunk]
CLASSPATH: 
/usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar:/srv/gump/packages/antlr/antlr-3.1.3.jar:/srv/gump/public/workspace/commons-beanutils/dist/commons-beanutils-20180501.jar:/srv/gump/packages/commons-collections3/commons-collections-3.2.1.jar:/srv/gump/public/workspace/commons-cli/target/commons-cli-1.5-SNAPSHOT.jar:/srv/gump/public/workspace/commons-lang-trunk/target/commons-lang3-3.8-SNAPSHOT.jar:/srv/gump/pu
 
blic/workspace/apache-commons/logging/target/commons-logging-20180501.jar:/srv/gump/public/workspace/apache-commons/logging/target/commons-logging-api-20180501.jar:/srv/gump/public/workspace/google-guava/guava/target/guava-HEAD-jre-SNAPSHOT.jar
-
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:37:1:
 Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1:
 Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1:
 Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1:
 Disallowed import - org.apache.catalina.tribes.util.ExceptionUtils. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1:
 Disallowed import - org.apache.catalina.tribes.util.StringManager. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1:
 Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:30:1:
 Disallowed import - org.apache.catalina.tribes.ChannelReceiver. [ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:31:1:
 Disallowed import - org.apache.catalina.tribes.RemoteProcessException. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-trunk/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:32:1:
 Disallowed import - org.apache.catalina.tribes.UniqueId. [ImportControl]
[checkstyle] [ERROR] 

[GUMP@vmgump-vm3]: Project tomcat-tc8.0.x-validate (in module tomcat-8.0.x) failed

[Bill Barker]

To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc8.0.x-validate has an issue affecting its community 
integration.
This issue affects 1 projects,
 and has been outstanding for 19 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-tc8.0.x-validate :  Tomcat 8.x, a web server implementing the Java 
Servlet 3.1,
...


Full details are available at:
http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on checkstyle exists, no need to add for property 
checkstyle.jar.
 -INFO- Failed with reason build failed



The following work was performed:
http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-validate/gump_work/build_tomcat-8.0.x_tomcat-tc8.0.x-validate.html
Work Name: build_tomcat-8.0.x_tomcat-tc8.0.x-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 43 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Dbase.path=/srv/gump/public/workspace/tomcat-8.0.x/tomcat-build-libs 
-Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar
 -Dexecute.validate=true validate 
[Working Directory: /srv/gump/public/workspace/tomcat-8.0.x]
CLASSPATH: 
/usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar:/srv/gump/packages/antlr/antlr-3.1.3.jar:/srv/gump/public/workspace/commons-beanutils/dist/commons-beanutils-20180501.jar:/srv/gump/packages/commons-collections3/commons-collections-3.2.1.jar:/srv/gump/public/workspace/commons-cli/target/commons-cli-1.5-SNAPSHOT.jar:/srv/gump/public/workspace/commons-lang-trunk/target/commons-lang3-3.8-SNAPSHOT.jar:/srv/gump/pu
 
blic/workspace/apache-commons/logging/target/commons-logging-20180501.jar:/srv/gump/public/workspace/apache-commons/logging/target/commons-logging-api-20180501.jar:/srv/gump/public/workspace/google-guava/guava/target/guava-HEAD-jre-SNAPSHOT.jar
-
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1:
 Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1:
 Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1:
 Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1:
 Disallowed import - org.apache.catalina.tribes.util.ExceptionUtils. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:42:1:
 Disallowed import - org.apache.catalina.tribes.util.StringManager. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1:
 Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:30:1:
 Disallowed import - org.apache.catalina.tribes.ChannelReceiver. [ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:31:1:
 Disallowed import - org.apache.catalina.tribes.RemoteProcessException. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-8.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:32:1:
 Disallowed import - org.apache.catalina.tribes.UniqueId. [ImportControl]
[checkstyle] [ERROR] 

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-validate (in module tomcat-7.0.x) failed

[Bill Barker]

To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc7.0.x-validate has an issue affecting its community 
integration.
This issue affects 1 projects,
 and has been outstanding for 19 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-tc7.0.x-validate :  Tomcat 7.x, a web server implementing Java 
Servlet 3.0,
...


Full details are available at:
http://vmgump-vm3.apache.org/tomcat-7.0.x/tomcat-tc7.0.x-validate/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on checkstyle exists, no need to add for property 
checkstyle.jar.
 -INFO- Failed with reason build failed



The following work was performed:
http://vmgump-vm3.apache.org/tomcat-7.0.x/tomcat-tc7.0.x-validate/gump_work/build_tomcat-7.0.x_tomcat-tc7.0.x-validate.html
Work Name: build_tomcat-7.0.x_tomcat-tc7.0.x-validate (Type: Build)
Work ended in a state of : Failed
Elapsed: 38 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Dbase.path=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-build-libs 
-Dcheckstyle.jar=/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar
 -Dexecute.validate=true validate 
[Working Directory: /srv/gump/public/workspace/tomcat-7.0.x]
CLASSPATH: 
/usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/checkstyle/target/checkstyle-8.11-SNAPSHOT.jar:/srv/gump/packages/antlr/antlr-3.1.3.jar:/srv/gump/public/workspace/commons-beanutils/dist/commons-beanutils-20180501.jar:/srv/gump/packages/commons-collections3/commons-collections-3.2.1.jar:/srv/gump/public/workspace/commons-cli/target/commons-cli-1.5-SNAPSHOT.jar:/srv/gump/public/workspace/commons-lang-trunk/target/commons-lang3-3.8-SNAPSHOT.jar:/srv/gump/pu
 
blic/workspace/apache-commons/logging/target/commons-logging-20180501.jar:/srv/gump/public/workspace/apache-commons/logging/target/commons-logging-api-20180501.jar:/srv/gump/public/workspace/google-guava/guava/target/guava-HEAD-jre-SNAPSHOT.jar
-
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/bio/util/LinkObject.java:23:1:
 Disallowed import - org.apache.catalina.tribes.group.InterceptorPayload. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:35:1:
 Disallowed import - org.apache.catalina.tribes.group.GroupChannel. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:36:1:
 Disallowed import - org.apache.catalina.tribes.io.ObjectReader. [ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:37:1:
 Disallowed import - org.apache.catalina.tribes.transport.AbstractRxTask. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:38:1:
 Disallowed import - org.apache.catalina.tribes.transport.Constants. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:39:1:
 Disallowed import - org.apache.catalina.tribes.transport.ReceiverBase. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:40:1:
 Disallowed import - org.apache.catalina.tribes.transport.RxTaskPool. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReceiver.java:41:1:
 Disallowed import - org.apache.catalina.tribes.util.StringManager. 
[ImportControl]
[checkstyle] [ERROR] 
/srv/gump/public/workspace/tomcat-7.0.x/java/org/apache/catalina/tribes/transport/nio/NioReplicationTask.java:29:1:
 Disallowed import - org.apache.catalina.tribes.ChannelMessage. [ImportControl]
[checkstyle] [ERROR] 

Re: [Git migration] Old git repositories

[Coty Sutherland]

On Mon, Apr 30, 2018, 16:48 Mark Thomas  wrote:

> The current plan is to merge all of the existing branches into a single
> Git repo. This will be mirrored at GitHub under apache/tomcat. This is
> currently used for the svn mirror for trunk only.
>
> This raises the question what to do with:
> apache/tomcat7
> apache/tomcat8
> apache/tomcat85
>
> I think there are two options:
>
> 1. Retain them but make them read-only
>
> 2. Delete them
>
> Suggestions for other options welcome.
>
> I'm actually leaning towards deleting them. My reasoning is that we
> deleted apache/tomcat55 and apache/tomcat6 when those releases reached
> EOL and no-one complained. As far as I recall, no-one even mentioned the
> deletions on list. Therefore, I'd be happy to delete those mirrors just
> as soon as apache/tomcat was up and running.
>

I don't see a reason for keeping them so I'm +1 for deleting them.


> Mark
>
> P.S. Don't forget that apache/tomcat will become writeable as part of
> the migration and will sync with gitbox.apache.org in a dual master
> configuration
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

[Git migration] Old git repositories

[Mark Thomas]

The current plan is to merge all of the existing branches into a single
Git repo. This will be mirrored at GitHub under apache/tomcat. This is
currently used for the svn mirror for trunk only.

This raises the question what to do with:
apache/tomcat7
apache/tomcat8
apache/tomcat85

I think there are two options:

1. Retain them but make them read-only

2. Delete them

Suggestions for other options welcome.

I'm actually leaning towards deleting them. My reasoning is that we
deleted apache/tomcat55 and apache/tomcat6 when those releases reached
EOL and no-one complained. As far as I recall, no-one even mentioned the
deletions on list. Therefore, I'd be happy to delete those mirrors just
as soon as apache/tomcat was up and running.

Mark

P.S. Don't forget that apache/tomcat will become writeable as part of
the migration and will sync with gitbox.apache.org in a dual master
configuration

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

[Mark Thomas]

On 30/04/18 21:11, Christopher Schultz wrote:
> Mark,
> 
> On 4/30/18 1:48 PM, Apache Wiki wrote:
>> You have subscribed to a wiki page or wiki category on "Tomcat
>> Wiki" for change notification.
> 
>> The "Security/Ciphers" page has been changed by markt: 
>> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20
> v2=21
> 
>>  Comment: Update versions, add Java 9 and update JSSE results
> 
> 
>> == BIO/NIO/NIO2 with JSSE Results (Default) ==
> 
>> - |||| Java 6 || Java 7 || Java 8 || + ||||
>> Java 6 || Java 7 || Java 8 || Java 9 || - || Tomcat 7   ||   C
>> ||   A||   A|| + || Tomcat 7   ||   C||   B||   A
>> ||   A|| - || Tomcat 8   ||  N/A   ||   A||   A|| + ||
>> Tomcat 8   ||  N/A   ||   B||   A||   A|| - || Tomcat
>> 8.5 ||  N/A   ||   A||   A|| + || Tomcat 8.5 ||  N/A   ||
>> B||   A||   A|| - || Tomcat 9   ||  N/A   ||  N/A   ||
>> A|| + || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||
> 
>> Note: These results were obtained using the JCE Unlimited Strength
>> Jurisdiction Policy Files
> 
>> - Note: The 6 results are capped at C because Java 6 does not
>> support TLS 1.1 or 1.2. + Note: The Java 6 results are capped at C
>> because Java 6 does not support TLS 1.1 or 1.2.
> 
> The latest releases (after "update 111") of Java 1.6 to support TLSv1.1.

That assumes that you are paying Oracle for extended support. I'm not,
so I don't have access to those versions.

If someone wants to update the wiki for info for the paid support
versions, I've no objections but I'd ask that they be given a separate
column so it is clear to folks what they are looking at.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

Christopher Schultz  changed:

   What|Removed |Added

 Status|NEW |NEEDINFO

--- Comment #3 from Christopher Schultz  ---
Changing to NEEDINFO, since it's not clear this feature is even necessary.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

--- Comment #2 from Marat Abrarov  ---
(In reply to Christopher Schultz from comment #1)
> Does IIS not already provide such a facility?

It looks like you are right, and it looks logical for me to handle this stuff
at web server side. 

I am not sure why my colleagues found just workaround with Microsoft URL
Rewrite Module for IIS (see original description of this issue) - I just
googled for 30 min and found below solution myself:

1. I installed "IP and Domain Restrictions" feature of IIS according to
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/.
2. Then I configured delegation of this feature according to
https://stackoverflow.com/questions/16220819/internal-server-error-with-web-config-ipsecurity
3. Then I changed web.config file located at the root of IIS site - added below
lines at the end (ISAPI redirector status worker is mapped to /jkmanager):












4. Then I restarted IIS with below PowerShell commands (not sure if this is
needed, maybe just restart of site is sufficient and maybe restart is not
needed at all):

Stop-Service -Name "was" -Force
Start-Service -Name "w3svc"


This solution works for me. I'll test it sooner with larger number of scenarios
(want to ensure that this solution wasn't taken in the past just because it
wasn't found at that time and not because of any issues it may have) and will
close this issue if no pitfalls / missing features will be found.

Thank you.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 4/30/18 1:48 PM, Apache Wiki wrote:
> You have subscribed to a wiki page or wiki category on "Tomcat
> Wiki" for change notification.
> 
> The "Security/Ciphers" page has been changed by markt: 
> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20
v2=21
>
>  Comment: Update versions, add Java 9 and update JSSE results
> 
> 
> == BIO/NIO/NIO2 with JSSE Results (Default) ==
> 
> - |||| Java 6 || Java 7 || Java 8 || + ||||
> Java 6 || Java 7 || Java 8 || Java 9 || - || Tomcat 7   ||   C
> ||   A||   A|| + || Tomcat 7   ||   C||   B||   A
> ||   A|| - || Tomcat 8   ||  N/A   ||   A||   A|| + ||
> Tomcat 8   ||  N/A   ||   B||   A||   A|| - || Tomcat
> 8.5 ||  N/A   ||   A||   A|| + || Tomcat 8.5 ||  N/A   ||
> B||   A||   A|| - || Tomcat 9   ||  N/A   ||  N/A   ||
> A|| + || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||
> 
> Note: These results were obtained using the JCE Unlimited Strength
> Jurisdiction Policy Files
> 
> - Note: The 6 results are capped at C because Java 6 does not
> support TLS 1.1 or 1.2. + Note: The Java 6 results are capped at C
> because Java 6 does not support TLS 1.1 or 1.2.

The latest releases (after "update 111") of Java 1.6 to support TLSv1.1.

If you have an environment handy for testing, could you see what
rating you get when TLSv1.2 is available?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrneH4ACgkQHPApP6U8
pFgyzA//Zj71FU/WiA6/YJQt/NQU95jdFn84ebx9PdWvpravTFucr2uqsBLBM1Zq
59Wz/FEfqlhvVCo8F+aC8PKyf2yh8t29jwgaqO79h58CjETjD+WQNRKWoImZUDz9
IjdC7FQZd1Y7xOVtsEQEu+LGXOw5EfjGwYx/GxJLNd0ii3PyMG2L+py8wtkGLySH
strRVyN2PzFT99pNlMEdqtkyY2zbHbX9nBTjB6/YwCuyeTwUpPFU/IMSEfegUN4V
HU7hdMp0P6nqe+X9HGAXTS6TOrYbW1mcRIkW+jo9Ccs8cGd+3woY/JQKncx1DW2N
xZ8OTSHrtl+7dB8V/9QTcOe/Co0PjdVggDnovzSVE0/7SZzj45SHcPnqnkyVowoD
HquioxOoEqBciWejbCRxQws+/x/3m9WJbbfi5MO9CIEmyRBcxLaQzGX6ksNS4Ou0
an6ZnejfZk8tUWgQlxqhDtgHYV8OeKrq7OKGJbqIafFi7sXSXt8DU2ausTZdKDT/
DnqvuugVM1qoPp74D+xI+vcEVCUdNEvAF6FpyC51rPttizjqK+IFJPv7A5E2Wbqd
0LcBzDxpXEoYv0p3l8DFbuSqJUsZwEjS3eqTg3ltVig1P/6Li7f7UmwLwVNDY4Dk
TWpG9unRWtSSqmE8BuQeJHxujOHSHkMrNirLP/URLIKUB1qeyfQ=
=YmDT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Tomcat Wiki] Update of "Security/Ciphers" by markt

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=23=24

Comment:
Update OpenSSL table

  
  == APR with OpenSSL Results (Default) ==
  
- |||| Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 ||
- || Tomcat 7   ||   A||   A||   A||
+ || Tomcat 7   ||   A||   A||   A||   A||A||
- || Tomcat 8   ||  N/A   ||   A||   A||
+ || Tomcat 8   ||  N/A   ||   A||   A||   A||A||
- || Tomcat 8.5 ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   A||   A||   A||A||
- || Tomcat 9   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||A||
  
  The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
  

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Tomcat Wiki] Update of "Security/Ciphers" by markt

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=22=23

Comment:
Update JSSE+OpenSSL table

  
  == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
  
- |||| Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 ||
- || Tomcat 8.5 ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   A||   A||   A||A||
- || Tomcat 9   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||A||
  
  The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
- 
- Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to 
achieve an A since, without it, the full certificate chain is not presented to 
the client.
  
  == APR with OpenSSL Results (Default) ==
  

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Tomcat Wiki] Update of "Security/Ciphers" by markt

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=21=22

Comment:
Add Java 10 for JSSE

  
  == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
- |||| Java 6 || Java 7 || Java 8 || Java 9 ||
+ |||| Java 6 || Java 7 || Java 8 || Java 9 || Java 10 ||
- || Tomcat 7   ||   C||   B||   A||   A||
+ || Tomcat 7   ||   C||   B||   A||   A||A||
- || Tomcat 8   ||  N/A   ||   B||   A||   A||
+ || Tomcat 8   ||  N/A   ||   B||   A||   A||A||
- || Tomcat 8.5 ||  N/A   ||   B||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   B||   A||   A||A||
- || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Tomcat Wiki] Update of "Security/Ciphers" by markt

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=20=21

Comment:
Update versions, add Java 9 and update JSSE results

  
  == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
- |||| Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 || Java 9 ||
- || Tomcat 7   ||   C||   A||   A||
+ || Tomcat 7   ||   C||   B||   A||   A||
- || Tomcat 8   ||  N/A   ||   A||   A||
+ || Tomcat 8   ||  N/A   ||   B||   A||   A||
- || Tomcat 8.5 ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   B||   A||   A||
- || Tomcat 9   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||   A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
- Note: The 6 results are capped at C because Java 6 does not support TLS 1.1 
or 1.2.
+ Note: The Java 6 results are capped at C because Java 6 does not support TLS 
1.1 or 1.2.
+ 
+ Note: The Java 7 results are capped at B because Java 7 does not support AEAD 
ciphers.
  
  The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
  
  || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
  || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
  || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
+ || Java 9 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
  
  Note: kRSA ciphers are not excluded in Java 6 since they are likely to be the 
only ones left
  
@@ -51, +54 @@

  The results above were generated with:
   * Java 6, 64-bit, update 45
   * Java 7, 64-bit, update 80
-  * Java 8, 64-bit, update 77
+  * Java 8, 64-bit, update 172
+  * Java 9, 9.0.4
-  * Apache Tomcat 7.0.69-dev, r1737253.
+  * Apache Tomcat 7.0.88-dev, r1737253.
-  * Apache Tomcat 8.0.34-dev, r1737224.
+  * Apache Tomcat 8.0.53-dev, r1737224.
-  * Apache Tomcat 8.5.1-dev, r1737241.
+  * Apache Tomcat 8.5.32-dev, r1737241.
-  * Apache Tomcat 9.0.0.M5-dev, r1737193.
+  * Apache Tomcat 9.0.9-dev, r1737193.
-  * tc-native 1.2.5
+  * tc-native 1.2.16
  

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

buildbot success in on tomcat-trunk

[buildbot]

The Buildbot has detected a restored build on builder tomcat-trunk while 
building . Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/3228

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch tomcat/trunk] 1830595
Blamelist: csutherl,remm

Build succeeded!

Sincerely,
 -The Buildbot




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62334] Filter by remote IP address of request for status worker of ISAPI redirector

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=62334

Christopher Schultz  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Christopher Schultz  ---
Does IIS not already provide such a facility?

For example, in Apache httpd, this kind of thing can be done easily with this
configuration:


  Order allow,deny
  Allow from 127.0.0.1
  Deny from all


-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830595 - in /tomcat/trunk: java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java webapps/docs/changelog.xml

[remm]

Author: remm
Date: Mon Apr 30 16:00:59 2018
New Revision: 1830595

URL: http://svn.apache.org/viewvc?rev=1830595=rev
Log:
Revert r1830592 due to unexpected CI failure.

Modified:

tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java?rev=1830595=1830594=1830595=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
 (original)
+++ 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
 Mon Apr 30 16:00:59 2018
@@ -20,10 +20,7 @@ import java.io.EOFException;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.nio.ByteBuffer;
-import java.nio.channels.CompletionHandler;
-import java.nio.channels.InterruptedByTimeoutException;
 import java.util.concurrent.RejectedExecutionException;
-import java.util.concurrent.TimeUnit;
 
 import javax.websocket.SendHandler;
 import javax.websocket.SendResult;
@@ -31,10 +28,6 @@ import javax.websocket.SendResult;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.SocketWrapperBase;
-import org.apache.tomcat.util.net.SocketWrapperBase.BlockingMode;
-import org.apache.tomcat.util.net.SocketWrapperBase.CompletionCheck;
-import org.apache.tomcat.util.net.SocketWrapperBase.CompletionHandlerCall;
-import org.apache.tomcat.util.net.SocketWrapperBase.CompletionState;
 import org.apache.tomcat.util.res.StringManager;
 import org.apache.tomcat.websocket.Transformation;
 import org.apache.tomcat.websocket.WsRemoteEndpointImplBase;
@@ -72,92 +65,16 @@ public class WsRemoteEndpointImplServer
 @Override
 protected void doWrite(SendHandler handler, long 
blockingWriteTimeoutExpiry,
 ByteBuffer... buffers) {
-if (socketWrapper.hasAsyncIO()) {
-final boolean block = (blockingWriteTimeoutExpiry != -1);
-long timeout = -1;
-if (block) {
-timeout = blockingWriteTimeoutExpiry - 
System.currentTimeMillis();
-if (timeout <= 0) {
-SendResult sr = new SendResult(new 
SocketTimeoutException());
-handler.onResult(sr);
-return;
-}
-} else {
-this.handler = handler;
-if (timeout > 0) {
-// Register with timeout thread
-timeoutExpiry = timeout + System.currentTimeMillis();
-wsWriteTimeout.register(this);
-}
-timeout = getSendTimeout();
-}
-socketWrapper.write(block ? BlockingMode.BLOCK : 
BlockingMode.SEMI_BLOCK, timeout,
-TimeUnit.MILLISECONDS, null,
-new CompletionCheck() {
-@Override
-public CompletionHandlerCall 
callHandler(CompletionState state, ByteBuffer[] buffers,
-int offset, int length) {
-for (int i = 0; i < length; i++) {
-if (buffers[offset + i].remaining() > 0) {
-return CompletionHandlerCall.CONTINUE;
-}
-}
-return CompletionHandlerCall.DONE;
-}
-},
-new CompletionHandler() {
-@Override
-public void completed(Long result, Void attachment) {
-if (block) {
-long timeout = blockingWriteTimeoutExpiry - 
System.currentTimeMillis();
-if (timeout <= 0) {
-failed(new SocketTimeoutException(), null);
-} else {
-handler.onResult(SENDRESULT_OK);
-}
-} else {
-
wsWriteTimeout.unregister(WsRemoteEndpointImplServer.this);
-clearHandler(null, true);
-if (close) {
-close();
-}
-}
-}
-@Override
-public void failed(Throwable exc, Void attachment) {
-if (exc instanceof InterruptedByTimeoutException) {
-exc = new SocketTimeoutException();
-   

svn commit: r1830594 - /tomcat/trunk/webapps/docs/changelog.xml

[csutherl]

Author: csutherl
Date: Mon Apr 30 15:59:11 2018
New Revision: 1830594

URL: http://svn.apache.org/viewvc?rev=1830594=rev
Log:
Fix typo

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830594=1830593=1830594=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 15:59:11 2018
@@ -116,7 +116,7 @@
 attribute allowMultipleLeadingForwardSlashInPath. (markt)
   
   
-Improve handing of overflow in the UTF-8 decoder with supplementary
+Improve handling of overflow in the UTF-8 decoder with supplementary
 characters. (markt)
   
 



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

buildbot failure in on tomcat-trunk

[buildbot]

The Buildbot has detected a new failure on builder tomcat-trunk while building 
. Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/3227

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: silvanus_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' 
triggered this build
Build Source Stamp: [branch tomcat/trunk] 1830592
Blamelist: remm

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830592 - in /tomcat/trunk: java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java webapps/docs/changelog.xml

[remm]

Author: remm
Date: Mon Apr 30 15:28:26 2018
New Revision: 1830592

URL: http://svn.apache.org/viewvc?rev=1830592=rev
Log:
Add async IO API use in websockets writes. Although I doubt there's an actual 
benefit at the moment, the change is small and it still improves testing of the 
API as the usage is different from HTTP/2. Tested with the testsuite, the 
examples and Autobahn.

Modified:

tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java?rev=1830592=1830591=1830592=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
 (original)
+++ 
tomcat/trunk/java/org/apache/tomcat/websocket/server/WsRemoteEndpointImplServer.java
 Mon Apr 30 15:28:26 2018
@@ -20,7 +20,10 @@ import java.io.EOFException;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.nio.ByteBuffer;
+import java.nio.channels.CompletionHandler;
+import java.nio.channels.InterruptedByTimeoutException;
 import java.util.concurrent.RejectedExecutionException;
+import java.util.concurrent.TimeUnit;
 
 import javax.websocket.SendHandler;
 import javax.websocket.SendResult;
@@ -28,6 +31,10 @@ import javax.websocket.SendResult;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.SocketWrapperBase;
+import org.apache.tomcat.util.net.SocketWrapperBase.BlockingMode;
+import org.apache.tomcat.util.net.SocketWrapperBase.CompletionCheck;
+import org.apache.tomcat.util.net.SocketWrapperBase.CompletionHandlerCall;
+import org.apache.tomcat.util.net.SocketWrapperBase.CompletionState;
 import org.apache.tomcat.util.res.StringManager;
 import org.apache.tomcat.websocket.Transformation;
 import org.apache.tomcat.websocket.WsRemoteEndpointImplBase;
@@ -62,20 +69,95 @@ public class WsRemoteEndpointImplServer
 return false;
 }
 
-
 @Override
 protected void doWrite(SendHandler handler, long 
blockingWriteTimeoutExpiry,
 ByteBuffer... buffers) {
-if (blockingWriteTimeoutExpiry == -1) {
-this.handler = handler;
-this.buffers = buffers;
-// This is definitely the same thread that triggered the write so a
-// dispatch will be required.
-onWritePossible(true);
+if (socketWrapper.hasAsyncIO()) {
+final boolean block = (blockingWriteTimeoutExpiry != -1);
+long timeout = -1;
+if (block) {
+timeout = blockingWriteTimeoutExpiry - 
System.currentTimeMillis();
+if (timeout <= 0) {
+SendResult sr = new SendResult(new 
SocketTimeoutException());
+handler.onResult(sr);
+return;
+}
+} else {
+this.handler = handler;
+if (timeout > 0) {
+// Register with timeout thread
+timeoutExpiry = timeout + System.currentTimeMillis();
+wsWriteTimeout.register(this);
+}
+timeout = getSendTimeout();
+}
+socketWrapper.write(block ? BlockingMode.BLOCK : 
BlockingMode.SEMI_BLOCK, timeout,
+TimeUnit.MILLISECONDS, null,
+new CompletionCheck() {
+@Override
+public CompletionHandlerCall 
callHandler(CompletionState state, ByteBuffer[] buffers,
+int offset, int length) {
+for (int i = 0; i < length; i++) {
+if (buffers[offset + i].remaining() > 0) {
+return CompletionHandlerCall.CONTINUE;
+}
+}
+return CompletionHandlerCall.DONE;
+}
+},
+new CompletionHandler() {
+@Override
+public void completed(Long result, Void attachment) {
+if (block) {
+long timeout = blockingWriteTimeoutExpiry - 
System.currentTimeMillis();
+if (timeout <= 0) {
+failed(new SocketTimeoutException(), null);
+} else {
+handler.onResult(SENDRESULT_OK);
+}
+} else {
+
wsWriteTimeout.unregister(WsRemoteEndpointImplServer.this);
+ 

[Tomcat Wiki] Update of "Security/Ciphers" by markt

[Apache Wiki]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff=19=20

Comment:
Remove references to Java 5 and Tomcat 6

  
  == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
- |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 ||
- || Tomcat 6   ||   C||   C||   A||   A||
- || Tomcat 7   ||  N/A   ||   C||   A||   A||
+ || Tomcat 7   ||   C||   A||   A||
- || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8   ||  N/A   ||   A||   A||
- || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   A||   A||
- || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||
  
  Note: These results were obtained using the JCE Unlimited Strength 
Jurisdiction Policy Files
  
- Note: The Java 5 and 6 results are capped at C because neither Java 5 nor 6 
support TLS 1.1 or 1.2.
+ Note: The 6 results are capped at C because Java 6 does not support TLS 1.1 
or 1.2.
  
  The equivalent OpenSSL cipher configurations used to obtain the above results 
are:
  
- || Java 5 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
  || Java 6 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!DHE ||
  || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
  || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
  
- Note: kRSA ciphers are not excluded in Java 6 and earlier since they are 
likely to be the only ones left
+ Note: kRSA ciphers are not excluded in Java 6 since they are likely to be the 
only ones left
  
  Note: In Java 7 and earlier DHE ciphers use insecure DH keys with no means to 
configure longer keys which is why DHE ciphers are excluded in those Java 
versions.
  
  == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
  
- |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 ||
- || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   A||   A||
- || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||
  
  The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
  
@@ -40, +38 @@

  
  == APR with OpenSSL Results (Default) ==
  
- |||| Java 5 || Java 6 || Java 7 || Java 8 ||
+ |||| Java 6 || Java 7 || Java 8 ||
- || Tomcat 6   ||   A||   A||   A||   A||
- || Tomcat 7   ||  N/A   ||   A||   A||   A||
+ || Tomcat 7   ||   A||   A||   A||
- || Tomcat 8   ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8   ||  N/A   ||   A||   A||
- || Tomcat 8.5 ||  N/A   ||  N/A   ||   A||   A||
+ || Tomcat 8.5 ||  N/A   ||   A||   A||
- || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A||
+ || Tomcat 9   ||  N/A   ||  N/A   ||   A||
  
  The OpenSSL cipher configuration used was 
'''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of 
secure cipher suites in OpenSSL format is available at 
[[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]].
  
  == Environment ==
  
  The results above were generated with:
-  * Java 5, 64-bit, update 22
   * Java 6, 64-bit, update 45
   * Java 7, 64-bit, update 80
   * Java 8, 64-bit, update 77
-  * Apache Tomcat 6.0.46-dev, r1737284.
   * Apache Tomcat 7.0.69-dev, r1737253.
   * Apache Tomcat 8.0.34-dev, r1737224.
   * Apache Tomcat 8.5.1-dev, r1737241.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.8

[Rémy Maucherat]

On Fri, Apr 27, 2018 at 10:03 PM Mark Thomas  wrote:

> The proposed Apache Tomcat 9.0.8 release is now available for voting.
>
> The major changes compared to the 9.0.7 release are:
>
> - Implement configuration options to work-around specification
>   non-compliant user agents (including all the major browsers) that do
>   not correctly %nn encode URI paths and query strings as required by
>   RFC 7230 and RFC 3986
>
> - Enable the CrawlerSessionManagerValve to correctly handle bots that
>   crawl multiple hosts and/or web applications when the Valve is
>   configured on a Host or an Engine.
>
> - Add support for annotation scanning of classes built with Java 11 EA
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.8/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1180/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_8/
>
> The proposed 9.0.8 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.8
>

Rémy

Re: svn commit: r1830548 - /tomcat/trunk/webapps/docs/changelog.xml

[Mark Thomas]

On 30/04/18 12:17, r...@apache.org wrote:
> Author: remm
> Date: Mon Apr 30 11:17:26 2018
> New Revision: 1830548
> 
> URL: http://svn.apache.org/viewvc?rev=1830548=rev
> Log:
> Changelog format.

Tx.

Mark


> 
> Modified:
> tomcat/trunk/webapps/docs/changelog.xml
> 
> Modified: tomcat/trunk/webapps/docs/changelog.xml
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830548=1830547=1830548=diff
> ==
> --- tomcat/trunk/webapps/docs/changelog.xml (original)
> +++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:17:26 2018
> @@ -45,13 +45,15 @@
>issues do not "pop up" wrt. others).
>  -->
>  
> -  
> +  
>  
> +  
>Correct a regression in the error page handling that prevented error 
> pages
>from issuing redirects or taking other action that required the 
> response
>status code to be changed. (markt)
> +  
>  
> -  
> +  
>  
>  
>
> 
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830556 - /tomcat/trunk/webapps/docs/changelog.xml

[markt]

Author: markt
Date: Mon Apr 30 12:13:32 2018
New Revision: 1830556

URL: http://svn.apache.org/viewvc?rev=1830556=rev
Log:
Fix indent

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830556=1830555=1830556=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 12:13:32 2018
@@ -48,9 +48,9 @@
   
 
   
-  Correct a regression in the error page handling that prevented error 
pages
-  from issuing redirects or taking other action that required the response
-  status code to be changed. (markt)
+Correct a regression in the error page handling that prevented error
+pages from issuing redirects or taking other action that required the
+response status code to be changed. (markt)
   
   
 Consistent exception propagation for NIO2 SSL close. (remm)



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830555 - /tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java

[markt]

Author: markt
Date: Mon Apr 30 12:12:31 2018
New Revision: 1830555

URL: http://svn.apache.org/viewvc?rev=1830555=rev
Log:
Remove unnecessary code

Modified:
tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1830555=1830554=1830555=diff
==
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon Apr 30 
12:12:31 2018
@@ -571,7 +571,6 @@ public class Http11Processor extends Abs
 }
 MessageBytes protocolMB = request.protocol();
 if (protocolMB.equals(Constants.HTTP_11)) {
-http11 = true;
 protocolMB.setString(Constants.HTTP_11);
 } else if (protocolMB.equals(Constants.HTTP_10)) {
 http11 = false;



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830549 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SecureNio2Channel.java webapps/docs/changelog.xml

[remm]

Author: remm
Date: Mon Apr 30 11:19:57 2018
New Revision: 1830549

URL: http://svn.apache.org/viewvc?rev=1830549=rev
Log:
Sometimes Future write will cause an ISE with NIO2 (timeout or cancel on a 
channel). Not a very good idea IMO. Make things more consistent with SSL close.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java?rev=1830549=1830548=1830549=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java Mon Apr 
30 11:19:57 2018
@@ -146,30 +146,41 @@ public class SecureNio2Channel extends N
 
 private class FutureFlush implements Future {
 private Future integer;
+private Exception e = null;
 protected FutureFlush() {
-integer = sc.write(netOutBuffer);
+try {
+integer = sc.write(netOutBuffer);
+} catch (IllegalStateException e) {
+this.e = e;
+}
 }
 @Override
 public boolean cancel(boolean mayInterruptIfRunning) {
-return integer.cancel(mayInterruptIfRunning);
+return (e != null) ? true : integer.cancel(mayInterruptIfRunning);
 }
 @Override
 public boolean isCancelled() {
-return integer.isCancelled();
+return (e != null) ? true : integer.isCancelled();
 }
 @Override
 public boolean isDone() {
-return integer.isDone();
+return (e != null) ? true : integer.isDone();
 }
 @Override
 public Boolean get() throws InterruptedException,
 ExecutionException {
+if (e != null) {
+throw new ExecutionException(e);
+}
 return Boolean.valueOf(integer.get().intValue() >= 0);
 }
 @Override
 public Boolean get(long timeout, TimeUnit unit)
 throws InterruptedException, ExecutionException,
 TimeoutException {
+if (e != null) {
+throw new ExecutionException(e);
+}
 return Boolean.valueOf(integer.get(timeout, unit).intValue() >= 0);
 }
 }

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830549=1830548=1830549=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:19:57 2018
@@ -52,6 +52,9 @@
   from issuing redirects or taking other action that required the response
   status code to be changed. (markt)
   
+  
+Consistent exception propagation for NIO2 SSL close. (remm)
+  
 
   
 



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830548 - /tomcat/trunk/webapps/docs/changelog.xml

[remm]

Author: remm
Date: Mon Apr 30 11:17:26 2018
New Revision: 1830548

URL: http://svn.apache.org/viewvc?rev=1830548=rev
Log:
Changelog format.

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830548=1830547=1830548=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 11:17:26 2018
@@ -45,13 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 
-  
+  
 
+  
   Correct a regression in the error page handling that prevented error 
pages
   from issuing redirects or taking other action that required the response
   status code to be changed. (markt)
+  
 
-  
+  
 
 
   



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830547 - in /tomcat/trunk: java/org/apache/coyote/Response.java java/org/apache/coyote/http11/Http11InputBuffer.java webapps/docs/changelog.xml

[markt]

Author: markt
Date: Mon Apr 30 10:57:27 2018
New Revision: 1830547

URL: http://svn.apache.org/viewvc?rev=1830547=rev
Log:
Correct a regression in the error page handling that prevented error pages from 
issuing redirects or taking other action that required the response status code 
to be changed.

Modified:
tomcat/trunk/java/org/apache/coyote/Response.java
tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/coyote/Response.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/Response.java?rev=1830547=1830546=1830547=diff
==
--- tomcat/trunk/java/org/apache/coyote/Response.java (original)
+++ tomcat/trunk/java/org/apache/coyote/Response.java Mon Apr 30 10:57:27 2018
@@ -227,10 +227,6 @@ public final class Response {
  * @param status The status value to set
  */
 public void setStatus(int status) {
-if (this.status > 399) {
-// Don't overwrite first recorded error status
-return;
-}
 this.status = status;
 }
 

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java?rev=1830547=1830546=1830547=diff
==
--- tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java Mon Apr 
30 10:57:27 2018
@@ -409,6 +409,8 @@ public class Http11InputBuffer implement
 pos - parsingRequestLineStart);
 } else if (!HttpParser.isToken(chr)) {
 byteBuffer.position(byteBuffer.position() - 1);
+// Avoid unknown protocol triggering an additional error
+request.protocol().setString(Constants.HTTP_11);
 throw new 
IllegalArgumentException(sm.getString("iib.invalidmethod"));
 }
 }
@@ -459,9 +461,13 @@ public class Http11InputBuffer implement
 } else if (chr == Constants.QUESTION && parsingRequestLineQPos 
== -1) {
 parsingRequestLineQPos = pos;
 } else if (parsingRequestLineQPos != -1 && 
!httpParser.isQueryRelaxed(chr)) {
+// Avoid unknown protocol triggering an additional error
+request.protocol().setString(Constants.HTTP_11);
 // %nn decoding will be checked at the point of decoding
 throw new 
IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
 } else if (httpParser.isNotRequestTargetRelaxed(chr)) {
+// Avoid unknown protocol triggering an additional error
+request.protocol().setString(Constants.HTTP_11);
 // This is a general check that aims to catch problems 
early
 // Detailed checking of each part of the request target 
will
 // happen in Http11Processor#prepareRequest()

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830547=1830546=1830547=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Apr 30 10:57:27 2018
@@ -45,6 +45,13 @@
   issues do not "pop up" wrt. others).
 -->
 
+  
+
+  Correct a regression in the error page handling that prevented error 
pages
+  from issuing redirects or taking other action that required the response
+  status code to be changed. (markt)
+
+  
 
 
   



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.31

[Mark Thomas]

On 27/04/18 21:47, Mark Thomas wrote:

> The proposed 8.5.31 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.31

Unit tests pass for NIO, NIO2 and APR/native on Windows, Linux and OSX.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.8

[Mark Thomas]

On 27/04/18 21:03, Mark Thomas wrote:
> The proposed 9.0.8 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.8

Unit tests pass for NIO, NIO2 and APR/native on Windows, Linux and OSX.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: svn commit: r1830251 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/tomcat/util/http/parser/HttpParser.java res/maven/mvn-pub.xml test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java we

[Mark Thomas]

On 29/04/18 23:14, Violeta Georgieva wrote:
> On Sun, 29 Apr 2018 at 17:10, Violeta Georgieva 
> wrote:
>> On Sun, 29 Apr 2018 at 6:54, Mark Thomas  wrote:
>>> On 28/04/18 17:50, Violeta Georgieva wrote:



 Is this file really part of that change?
>>>
>>> No. I think it got  caught up with that commit by mistake. I don't think
>>> it does any harm though.
>>>
>>
>> Only for the release ;)

Sorry.

> If you don’t mind I’ll revert this file to its previous version. Wdyt?

No objection.

Looking at the diff, there are rather more changes between 8.0.x and
8.5.x than I was expecting. Another option would be to update 8.0.x with
all the changes from 8.5.x and 9.0.x (and the same for 7.0.x). I'd be
happy to do that if folks are agreeable.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[ANN] TomcatCon Schedules Announced

[Mark Thomas]

All,

I am delighted to announce the schedules are now available for:

TomcatCon Berlin 13-14 June, 2018:
http://apachecon.com/euroadshow18/tomcat-schedule.html

TomcatCon Montréal 24-25 September, 2018:
http://apachecon.dukecon.org/acna/2018/#/schedule/2018-09-24

Full details, including registration links are available on the Tomcat
website:
http://tomcat.apache.org/conference.html

See you there!

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1830536 - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

[markt]

Author: markt
Date: Mon Apr 30 08:01:55 2018
New Revision: 1830536

URL: http://svn.apache.org/viewvc?rev=1830536=rev
Log:
Add EU Roadshow and NA to website

Modified:
tomcat/site/trunk/docs/bugreport.html
tomcat/site/trunk/docs/ci.html
tomcat/site/trunk/docs/conference.html
tomcat/site/trunk/docs/contact.html
tomcat/site/trunk/docs/download-70.html
tomcat/site/trunk/docs/download-80.html
tomcat/site/trunk/docs/download-90.html
tomcat/site/trunk/docs/download-connectors.html
tomcat/site/trunk/docs/download-native.html
tomcat/site/trunk/docs/download-taglibs.html
tomcat/site/trunk/docs/findhelp.html
tomcat/site/trunk/docs/getinvolved.html
tomcat/site/trunk/docs/heritage.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/irc.html
tomcat/site/trunk/docs/legal.html
tomcat/site/trunk/docs/lists.html
tomcat/site/trunk/docs/maven-plugin.html
tomcat/site/trunk/docs/migration-6.html
tomcat/site/trunk/docs/migration-7.html
tomcat/site/trunk/docs/migration-8.html
tomcat/site/trunk/docs/migration-85.html
tomcat/site/trunk/docs/migration-9.html
tomcat/site/trunk/docs/migration.html
tomcat/site/trunk/docs/oldnews-2010.html
tomcat/site/trunk/docs/oldnews-2011.html
tomcat/site/trunk/docs/oldnews-2012.html
tomcat/site/trunk/docs/oldnews-2013.html
tomcat/site/trunk/docs/oldnews-2014.html
tomcat/site/trunk/docs/oldnews-2015.html
tomcat/site/trunk/docs/oldnews-2016.html
tomcat/site/trunk/docs/oldnews-2017.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/presentations.html
tomcat/site/trunk/docs/resources.html
tomcat/site/trunk/docs/security-3.html
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/docs/security-impact.html
tomcat/site/trunk/docs/security-jk.html
tomcat/site/trunk/docs/security-native.html
tomcat/site/trunk/docs/security-taglibs.html
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/docs/svn.html
tomcat/site/trunk/docs/taglibs.html
tomcat/site/trunk/docs/tomcat-55-eol.html
tomcat/site/trunk/docs/tomcat-60-eol.html
tomcat/site/trunk/docs/tomcat-80-eol.html
tomcat/site/trunk/docs/tools.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/docs/whoweare.html
tomcat/site/trunk/xdocs/conference.xml
tomcat/site/trunk/xdocs/stylesheets/project.xml

Modified: tomcat/site/trunk/docs/bugreport.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/bugreport.html?rev=1830536=1830535=1830536=diff
==
--- tomcat/site/trunk/docs/bugreport.html (original)
+++ tomcat/site/trunk/docs/bugreport.html Mon Apr 30 08:01:55 2018
@@ -51,6 +51,14 @@
 
 
 
+TomcatCon
+
+
+EU  North America
+
+
+
+
 Download
 
 

Modified: tomcat/site/trunk/docs/ci.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/ci.html?rev=1830536=1830535=1830536=diff
==
--- tomcat/site/trunk/docs/ci.html (original)
+++ tomcat/site/trunk/docs/ci.html Mon Apr 30 08:01:55 2018
@@ -50,6 +50,14 @@
 
 
 
+TomcatCon
+
+
+EU  North America
+
+
+
+
 Download
 
 

Modified: tomcat/site/trunk/docs/conference.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/conference.html?rev=1830536=1830535=1830536=diff
==
--- tomcat/site/trunk/docs/conference.html (original)
+++ tomcat/site/trunk/docs/conference.html Mon Apr 30 08:01:55 2018
@@ -50,6 +50,14 @@
 
 
 
+TomcatCon
+
+
+EU  North America
+
+
+
+
 Download
 
 
@@ -205,16 +213,35 @@
 
 
 Content
-TomcatCon Training: 
Tomcat for Administrators
+TomcatCon
+
+
+
+TomcatCon is the place for all users of Tomcat to expand their Tomcat
+   knowledge in areas such as networking, security, performance and deployment.
+   It also offers an opportunity to discuss the current Tomcat roadmap and
+   help inform future development.
+
+
+
+Quick Navigation
+
+  
+
+TomcatCon Berlin TomcatCon Montreal
+
+
+
+TomcatCon Berlin
 
 
 
 
-When
+When
 
 
 
-Tuesday, 10 April 2018
+June 13 to 14, 2018. 
 
 
 
@@ -222,11 +249,16 @@
 
 
 
-Where
+Where
 
 
 
-Hotel Novotel Manchester Centre | 21 Dickinson Street | M1 4LX Manchester | 
United Kingdom
+
+http://apachecon.com/euroadshow18/venue.html;>KulturBrauerei,
+   Berlin, Germany, as part of the
+   http://apachecon.com/euroadshow18/index.html;>ApacheCon EU
+   Roadshow and alongside https://foss-backstage.de/;>FOSS
+   Backstage. 
 
 
 
@@ -234,23 +266,18 @@
 
 
 
-What
+What
 
 
 
-This training course is aimed at system administrators who are not very
-   familiar with Apache