[Bug 64051] mod_jk set_session_cookie not sending new cookie after node failover for sticky session

2020-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64051

--- Comment #13 from Mohsen  ---
This is the correct connector:



-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[tomcat] branch 7.0.x updated: Skip GCM test when running on a JVM where GCM isn't available

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new f459395  Skip GCM test when running on a JVM where GCM isn't available
f459395 is described below

commit f459395b59f8212265e142a42d19405e1abdb957
Author: Mark Thomas 
AuthorDate: Tue Jan 21 07:30:53 2020 +

Skip GCM test when running on a JVM where GCM isn't available
---
 .../group/interceptors/TestEncryptInterceptor.java | 18 ++
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git 
a/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
 
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
index a69a68b..c5fe3c8 100644
--- 
a/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
+++ 
b/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
@@ -19,6 +19,7 @@ package org.apache.catalina.tribes.group.interceptors;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Collection;
 
@@ -27,6 +28,7 @@ import org.hamcrest.core.IsNot;
 
 import org.junit.AfterClass;
 import org.junit.Assert;
+import org.junit.Assume;
 import org.junit.Before;
 import org.junit.FixMethodOrder;
 import org.junit.Ignore;
@@ -268,10 +270,18 @@ public class TestEncryptInterceptor {
 
 @Test
 public void testGCM() throws Exception {
-src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
-src.start(Channel.SND_TX_SEQ);
-dest.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
-dest.start(Channel.SND_TX_SEQ);
+try {
+src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
+src.start(Channel.SND_TX_SEQ);
+dest.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
+dest.start(Channel.SND_TX_SEQ);
+} catch (ChannelException ce) {
+Assume.assumeFalse("Skipping testGCM due to lack of JVM support",
+ce.getCause() instanceof NoSuchAlgorithmException
+&& ce.getCause().getMessage().contains("GCM"));
+
+throw ce;
+}
 
 String testInput = "The quick brown fox jumps over the lazy dog.";
 
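
Review bot: In the new `catch (ChannelException ce)` block, `ce.getCause().getMessage().contains("GCM")` throws a NullPointerException when the `NoSuchAlgorithmException` carries no message, so an unrelated failure would replace both the intended skip and the rethrown `ce`. Check the message for null before calling `contains`. Matching on the text "GCM" also ties the skip to one provider's wording; a short comment naming the JVMs that produce that message would help the next reader.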





buildbot failure in on tomcat-7-trunk

2020-01-20 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-7-trunk while 
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1574

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf946_ubuntu

Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-7-commit' 
triggered this build
Build Source Stamp: [branch 7.0.x] 5668ae6548722c6d78d5fa7d98e19f356454a1eb
Blamelist: Christopher Schultz 

BUILD FAILED: failed compile_1

Sincerely,
 -The Buildbot







[tomcat] branch 7.0.x updated: Back-port EncryptInterceptor from Tomcat 8.5.x onwards.

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
 new 5668ae6  Back-port EncryptInterceptor from Tomcat 8.5.x onwards.
5668ae6 is described below

commit 5668ae6548722c6d78d5fa7d98e19f356454a1eb
Author: Christopher Schultz 
AuthorDate: Sat Jan 5 20:52:28 2019 +

Back-port EncryptInterceptor from Tomcat 8.5.x onwards.
---
 .../group/interceptors/EncryptInterceptor.java | 644 +
 .../interceptors/EncryptInterceptorMBean.java  |  31 +
 .../group/interceptors/LocalStrings.properties |  24 +
 res/checkstyle/org-import-control.xml  |   1 +
 .../group/interceptors/TestEncryptInterceptor.java | 542 +
 webapps/docs/changelog.xml |  10 +
 webapps/docs/config/cluster-interceptor.xml|  41 +-
 webapps/docs/config/cluster.xml|   1 +
 8 files changed, 1293 insertions(+), 1 deletion(-)

diff --git 
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java 
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
new file mode 100644
index 000..827bf78
--- /dev/null
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -0,0 +1,644 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.tribes.group.interceptors;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.concurrent.ConcurrentLinkedQueue;
+
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.catalina.tribes.Channel;
+import org.apache.catalina.tribes.ChannelException;
+import org.apache.catalina.tribes.ChannelInterceptor;
+import org.apache.catalina.tribes.ChannelMessage;
+import org.apache.catalina.tribes.Member;
+import org.apache.catalina.tribes.group.ChannelInterceptorBase;
+import org.apache.catalina.tribes.group.InterceptorPayload;
+import org.apache.catalina.tribes.io.XByteBuffer;
+import org.apache.catalina.tribes.util.StringManager;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
+/**
+ * Adds encryption using a pre-shared key.
+ *
+ * The length of the key (in bytes) must be acceptable for the encryption
+ * algorithm being used. For example, for AES, you must use a key of either
+ * 16 bytes (128 bits, 24 bytes 192 bits), or 32 bytes (256 bits).
+ *
+ * You can supply the raw key bytes by calling {@link 
#setEncryptionKey(byte[])}
+ * or the hex-encoded binary bytes by calling
+ * {@link #setEncryptionKey(String)}.
+ */
+public class EncryptInterceptor extends ChannelInterceptorBase implements 
EncryptInterceptorMBean {
+
+private static final Log log = LogFactory.getLog(EncryptInterceptor.class);
+protected static final StringManager sm = 
StringManager.getManager(EncryptInterceptor.class);
+
+private static final String DEFAULT_ENCRYPTION_ALGORITHM = 
"AES/CBC/PKCS5Padding";
+
+private String providerName;
+private String encryptionAlgorithm = DEFAULT_ENCRYPTION_ALGORITHM;
+private byte[] encryptionKeyBytes;
+private String encryptionKeyString;
+
+
+private BaseEncryptionManager encryptionManager;
+
+public EncryptInterceptor() {
+}
+
+@Override
+public void start(int svc) throws ChannelException {
+validateChannelChain();
+
+if(Channel.SND_TX_SEQ == (svc & Channel.SND_TX_SEQ)) {
+try {
+encryptionManager = 
createEncryptionManager(getEncryptionAlgorithm(),
+getEncryptionKeyInternal(),
+getProviderName());
+} catch (GeneralSecurityException gse) {
+throw new 
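
Review bot: `DEFAULT_ENCRYPTION_ALGORITHM` is `"AES/CBC/PKCS5Padding"`, while the class Javadoc says only that it "adds encryption using a pre-shared key". CBC by itself does not authenticate the ciphertext, so unless the rest of the class (cut off in this mail) adds an integrity check, the Javadoc should say that the default protects confidentiality only and point to an authenticated mode where the JVM offers one. In the same Javadoc the key-length sentence has a misplaced parenthesis: `16 bytes (128 bits, 24 bytes 192 bits)` should read `16 bytes (128 bits), 24 bytes (192 bits)`.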

[tomcat] branch 8.5.x updated: Remove unused code

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 51fa03b  Remove unused code
51fa03b is described below

commit 51fa03bb27ee6b3122f3442f1f6ec9e7a26786b5
Author: Mark Thomas 
AuthorDate: Mon Jan 20 21:17:03 2020 +

Remove unused code
---
 .../group/interceptors/EncryptInterceptor.java | 29 --
 1 file changed, 29 deletions(-)

diff --git 
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java 
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index 65d9933..d98b5d8 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -349,9 +349,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 return new BaseEncryptionManager(algorithm,
 new SecretKeySpec(encryptionKey, algorithmName),
 providerName);
-//else if("ECB".equalsIgnoreCase(algorithmMode)) {
-// Note: ECB is not an appropriate mode for secure communications.
-//return new ECBEncryptionManager(algorithm, new 
SecretKeySpec(encryptionKey, algorithmName), providerName);
 else
 throw new 
IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported-mode",
 algorithmMode));
 }
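
Review bot: Deleting the commented-out ECB branch also deletes the only remark explaining why ECB is refused ("ECB is not an appropriate mode for secure communications"), leaving a bare `else` that throws `encryptInterceptor.algorithm.unsupported-mode`. Keep a one-line comment above that `else` saying ECB is rejected on purpose, so it is not later re-added as a missing feature.
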
@@ -601,32 +598,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 }
 }
 
-@SuppressWarnings("unused")
-private static class ECBEncryptionManager extends BaseEncryptionManager
-{
-public ECBEncryptionManager(String algorithm, SecretKeySpec secretKey, 
String providerName)
-throws NoSuchAlgorithmException, NoSuchPaddingException, 
NoSuchProviderException {
-super(algorithm, secretKey, providerName);
-}
-
-private static final byte[] EMPTY_IV = new byte[0];
-
-@Override
-protected int getIVSize() {
-return 0;
-}
-
-@Override
-protected byte[] generateIVBytes() {
-return EMPTY_IV;
-}
-
-@Override
-protected AlgorithmParameterSpec generateIV(byte[] bytes, int offset, 
int length) {
-return null;
-}
-}
-
 static class ChannelConfigException
 extends ChannelException
 {
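
Review bot: The removed `ECBEncryptionManager` referenced `NoSuchPaddingException`, `NoSuchProviderException` and `AlgorithmParameterSpec`, and the diffstat shows 29 deletions with no import line touched. Check that each of those imports is still used elsewhere in `EncryptInterceptor.java`; any that is not should be dropped in the same commit so the file carries no unused imports.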





[tomcat] branch 9.0.x updated: Remove unused code

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 679626e  Remove unused code
679626e is described below

commit 679626ee5c6d0aba29cad1248175ff9db5cc1011
Author: Mark Thomas 
AuthorDate: Mon Jan 20 21:17:03 2020 +

Remove unused code
---
 .../group/interceptors/EncryptInterceptor.java | 29 --
 1 file changed, 29 deletions(-)

diff --git 
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java 
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index 65d9933..d98b5d8 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -349,9 +349,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 return new BaseEncryptionManager(algorithm,
 new SecretKeySpec(encryptionKey, algorithmName),
 providerName);
-//else if("ECB".equalsIgnoreCase(algorithmMode)) {
-// Note: ECB is not an appropriate mode for secure communications.
-//return new ECBEncryptionManager(algorithm, new 
SecretKeySpec(encryptionKey, algorithmName), providerName);
 else
 throw new 
IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported-mode",
 algorithmMode));
 }
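
Review bot: With the ECB code gone, the `else` branch that throws `IllegalArgumentException` for an unsupported `algorithmMode` is the only thing that stops an ECB algorithm string from being accepted, and this commit touches no test file. If `TestEncryptInterceptor` does not already cover it, add a case that sets an ECB algorithm and expects start-up to fail, so the rejection is pinned by a test rather than by the absence of code.
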
@@ -601,32 +598,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 }
 }
 
-@SuppressWarnings("unused")
-private static class ECBEncryptionManager extends BaseEncryptionManager
-{
-public ECBEncryptionManager(String algorithm, SecretKeySpec secretKey, 
String providerName)
-throws NoSuchAlgorithmException, NoSuchPaddingException, 
NoSuchProviderException {
-super(algorithm, secretKey, providerName);
-}
-
-private static final byte[] EMPTY_IV = new byte[0];
-
-@Override
-protected int getIVSize() {
-return 0;
-}
-
-@Override
-protected byte[] generateIVBytes() {
-return EMPTY_IV;
-}
-
-@Override
-protected AlgorithmParameterSpec generateIV(byte[] bytes, int offset, 
int length) {
-return null;
-}
-}
-
 static class ChannelConfigException
 extends ChannelException
 {





[tomcat] branch master updated: Remove unused code

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new c9021f6  Remove unused code
c9021f6 is described below

commit c9021f68af79b6b278d839c367b961be52109307
Author: Mark Thomas 
AuthorDate: Mon Jan 20 21:17:03 2020 +

Remove unused code
---
 .../group/interceptors/EncryptInterceptor.java | 29 --
 1 file changed, 29 deletions(-)

diff --git 
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java 
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index 65d9933..d98b5d8 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -349,9 +349,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 return new BaseEncryptionManager(algorithm,
 new SecretKeySpec(encryptionKey, algorithmName),
 providerName);
-//else if("ECB".equalsIgnoreCase(algorithmMode)) {
-// Note: ECB is not an appropriate mode for secure communications.
-//return new ECBEncryptionManager(algorithm, new 
SecretKeySpec(encryptionKey, algorithmName), providerName);
 else
 throw new 
IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported-mode",
 algorithmMode));
 }
@@ -601,32 +598,6 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
 }
 }
 
-@SuppressWarnings("unused")
-private static class ECBEncryptionManager extends BaseEncryptionManager
-{
-public ECBEncryptionManager(String algorithm, SecretKeySpec secretKey, 
String providerName)
-throws NoSuchAlgorithmException, NoSuchPaddingException, 
NoSuchProviderException {
-super(algorithm, secretKey, providerName);
-}
-
-private static final byte[] EMPTY_IV = new byte[0];
-
-@Override
-protected int getIVSize() {
-return 0;
-}
-
-@Override
-protected byte[] generateIVBytes() {
-return EMPTY_IV;
-}
-
-@Override
-protected AlgorithmParameterSpec generateIV(byte[] bytes, int offset, 
int length) {
-return null;
-}
-}
-
 static class ChannelConfigException
 extends ChannelException
 {





[tomcat] branch 8.5.x updated: Fix typo

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 2e1718d  Fix typo
2e1718d is described below

commit 2e1718d7275d99d00cf06409b96bfccdef2dcfdb
Author: Mark Thomas 
AuthorDate: Mon Jan 20 20:30:51 2020 +

Fix typo
---
 webapps/docs/config/cluster-interceptor.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/config/cluster-interceptor.xml 
b/webapps/docs/config/cluster-interceptor.xml
index 648a884..836c4cd 100644
--- a/webapps/docs/config/cluster-interceptor.xml
+++ b/webapps/docs/config/cluster-interceptor.xml
@@ -205,7 +205,7 @@

  If using the TcpFailureDetector, the 
EncryptInterceptor
  must be inserted into the interceptor chain before the
- TcpFailureDetector. This is becuase when validating cluster
+ TcpFailureDetector. This is because when validating cluster
  members, TcpFailureDetector writes channel data directly
  to the other members without using the remainder of the interceptor chain,
  but on the receiving side, the message still goes through the chain (in 
reverse).





[tomcat] branch 9.0.x updated: Fix typo

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 0e27b9e  Fix typo
0e27b9e is described below

commit 0e27b9e01af21390737bae87f1b6abe3b785ef4d
Author: Mark Thomas 
AuthorDate: Mon Jan 20 20:30:51 2020 +

Fix typo
---
 webapps/docs/config/cluster-interceptor.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/config/cluster-interceptor.xml 
b/webapps/docs/config/cluster-interceptor.xml
index 648a884..836c4cd 100644
--- a/webapps/docs/config/cluster-interceptor.xml
+++ b/webapps/docs/config/cluster-interceptor.xml
@@ -205,7 +205,7 @@

  If using the TcpFailureDetector, the 
EncryptInterceptor
  must be inserted into the interceptor chain before the
- TcpFailureDetector. This is becuase when validating cluster
+ TcpFailureDetector. This is because when validating cluster
  members, TcpFailureDetector writes channel data directly
  to the other members without using the remainder of the interceptor chain,
  but on the receiving side, the message still goes through the chain (in 
reverse).





[tomcat] branch master updated (e8cadf9 -> 65a53c6)

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from e8cadf9  Add encryption as the first option to secure a cluster
 add 65a53c6  Fix typo

No new revisions were added by this update.

Summary of changes:
 webapps/docs/config/cluster-interceptor.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)





Re: [tomcat] branch master updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread Mark Thomas
On 20/01/2020 17:21, Mark Thomas wrote:
> On 20/01/2020 17:08, Christopher Schultz wrote:
>> On 1/20/20 12:01 PM, ma...@apache.org wrote:
> 
> 
> 
>>> Add encryption as the first option to secure a cluster --- 
> 
> 
> 
>> I could have sworn I added this, already. Thanks for doing it.
> 
> I'm looking at back-porting the Interceptor to 7.0.x. I've got
> everything done apart from GCMParameterSpec which is new in Java 7.
> 
> I don't suppose you've looked into this previously and know if there is
> a Java 6 equivalent? It would save me the time to research it.
> 
> If not, I'll make it a Java 7+ feature with JreCompat.

Java 6 doesn't support GCM. JreCompat it is.

Mark





[Bug 64080] Graceful shutdown does not occur for connected clients that have not yet submitted their request payload

2020-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64080

--- Comment #12 from carbatt...@hotmail.com ---
> If the expectation is that a request (from the client's perspective) will
> not be dropped, then I think you can solve this at the load-balancer with
> retry-based fail-over: the lb takes care of the fail-over and the client
> detects no problems at all.

The problem here is that the loadbalancer is in-house developed using Java, and
the HttpURLConnection class does not distinguish between SocketTimeoutException
for request payload sent and not sent, due to its built-in retry functionality.
Therefore neither the exception nor the message is any indication of whether
the loadbalancer can retry or not.
I can provide links explaining this in detail, if this is of interest.

To solve this we will have to either handle sockets ourselves, or switch to
another HTTP client instead of HttpURLConnection.

> If you refuse to allow a request to an individual node to be dropped, that
> is a much taller order.
> 
> In my environment, we tell the lb that the nodes are coming down so we avoid
> any of this. The lb allows all in-flight requests to complete and we only
> shut-down the node after that point. No new requests are sent to the target
> node after the lb is told to take it (softly) out of service. The only time
> requests should ever be dropped in this situation is if a node unexpectedly
> goes down. We do this using mod_jk with DISABLED and STOP states.
> mod_proxy_* has these same states and can be used with either AJP or HTTP as
> the communication protocol.

That is plan B, depending on the conclusion for this bug: Do a custom
integration between our build server and the load balancer. 

Even a 503 could be usable, provided that we can retry, knowing the request
was rejected by Tomcat.

Who can provide a conclusion on this defect, in terms of next step?




Re: [tomcat] branch master updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread Mark Thomas
On 20/01/2020 17:08, Christopher Schultz wrote:
> On 1/20/20 12:01 PM, ma...@apache.org wrote:



>> Add encryption as the first option to secure a cluster --- 



> I could have sworn I added this, already. Thanks for doing it.

I'm looking at back-porting the Interceptor to 7.0.x. I've got
everything done apart from GCMParameterSpec which is new in Java 7.

I don't suppose you've looked into this previously and know if there is
a Java 6 equivalent? It would save me the time to research it.

If not, I'll make it a Java 7+ feature with JreCompat.

Mark




Re: [tomcat] branch master updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread Christopher Schultz

Mark,

On 1/20/20 12:01 PM, ma...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git
> repository.
> 
> markt pushed a commit to branch master in repository
> https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/master by this
> push: new e8cadf9  Add encryption as the first option to secure a
> cluster e8cadf9 is described below
> 
> commit e8cadf94b63c4dce947ad5d0cb72b0fdea540cb1 Author: Mark Thomas
>  AuthorDate: Mon Jan 20 16:58:02 2020 +
> 
> Add encryption as the first option to secure a cluster --- 
> webapps/docs/config/cluster.xml | 1 + 1 file changed, 1
> insertion(+)
> 
> diff --git a/webapps/docs/config/cluster.xml
> b/webapps/docs/config/cluster.xml index 36bbf0d..91e8328 100644 ---
> a/webapps/docs/config/cluster.xml +++
> b/webapps/docs/config/cluster.xml @@ -52,6 +52,7 @@ to run a
> cluster on a insecure, untrusted network. There are many
> options for providing a secure, trusted network for use by a Tomcat
> cluster. These include:  +   href="cluster-interceptor.html#org.apache.catalina.tribes.group.interc
eptors.EncryptInterceptor_Attributes">EncryptInterceptor
>
> 
private LAN
> a Virtual Private Network (VPN) IPSEC

I could have sworn I added this, already. Thanks for doing it.

-chris



[Bug 64080] Graceful shutdown does not occur for connected clients that have not yet submitted their request payload

2020-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64080

--- Comment #11 from Christopher Schultz  ---
(In reply to carbattles from comment #8)
> If it is any help, our setup is 12 tomcat servers, with load balancer in
> front. Our build process will restart the tomcat servers in sequence. We
> expect that not a single request is dropped, however may process slower.

If the expectation is that a request (from the client's perspective) will not
be dropped, then I think you can solve this at the load-balancer with
retry-based fail-over: the lb takes care of the fail-over and the client
detects no problems at all.

If you refuse to allow a request to an individual node to be dropped, that is a
much taller order.

In my environment, we tell the lb that the nodes are coming down so we avoid
any of this. The lb allows all in-flight requests to complete and we only
shut-down the node after that point. No new requests are sent to the target
node after the lb is told to take it (softly) out of service. The only time
requests should ever be dropped in this situation is if a node unexpectedly
goes down. We do this using mod_jk with DISABLED and STOP states. mod_proxy_*
has these same states and can be used with either AJP or HTTP as the
communication protocol.

I'm not sure if this gives you any viable alternatives, here, but I believe it
allows you to accomplish your goal without adding a lot of complexity to the
application server (i.e. Tomcat).




[tomcat] branch 8.5.x updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 9af9be0  Add encryption as the first option to secure a cluster
9af9be0 is described below

commit 9af9be0e412bbf104e6da7e0fb8272f4c41c438a
Author: Mark Thomas 
AuthorDate: Mon Jan 20 16:58:02 2020 +

Add encryption as the first option to secure a cluster
---
 webapps/docs/config/cluster.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml
index 6c57e74..f6cd407 100644
--- a/webapps/docs/config/cluster.xml
+++ b/webapps/docs/config/cluster.xml
@@ -52,6 +52,7 @@ to run a cluster on a insecure, untrusted network.
 There are many options for providing a secure, trusted network for use by a
 Tomcat cluster. These include:
 
+  EncryptInterceptor
   private LAN
   a Virtual Private Network (VPN)
   IPSEC
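
Review bot: The added first item, `EncryptInterceptor`, sits under the unchanged lead-in "options for providing a secure, trusted network", but unlike a private LAN, a VPN or IPSEC it encrypts the cluster messages rather than securing the network they travel over. Reword the lead-in, or add a clause to the new item, so readers do not assume it gives the same protection as the network-level options.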





[tomcat] branch 9.0.x updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 15a6366  Add encryption as the first option to secure a cluster
15a6366 is described below

commit 15a63661d3cf110fa8169c3464bba1e113c2d9fc
Author: Mark Thomas 
AuthorDate: Mon Jan 20 16:58:02 2020 +

Add encryption as the first option to secure a cluster
---
 webapps/docs/config/cluster.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml
index 36bbf0d..91e8328 100644
--- a/webapps/docs/config/cluster.xml
+++ b/webapps/docs/config/cluster.xml
@@ -52,6 +52,7 @@ to run a cluster on a insecure, untrusted network.
 There are many options for providing a secure, trusted network for use by a
 Tomcat cluster. These include:
 
+  EncryptInterceptor
   private LAN
   a Virtual Private Network (VPN)
   IPSEC





[tomcat] branch master updated: Add encryption as the first option to secure a cluster

2020-01-20 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new e8cadf9  Add encryption as the first option to secure a cluster
e8cadf9 is described below

commit e8cadf94b63c4dce947ad5d0cb72b0fdea540cb1
Author: Mark Thomas 
AuthorDate: Mon Jan 20 16:58:02 2020 +

Add encryption as the first option to secure a cluster
---
 webapps/docs/config/cluster.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml
index 36bbf0d..91e8328 100644
--- a/webapps/docs/config/cluster.xml
+++ b/webapps/docs/config/cluster.xml
@@ -52,6 +52,7 @@ to run a cluster on a insecure, untrusted network.
 There are many options for providing a secure, trusted network for use by a
 Tomcat cluster. These include:
 
+  EncryptInterceptor
   private LAN
   a Virtual Private Network (VPN)
   IPSEC





[Bug 64051] mod_jk set_session_cookie not sending new cookie after node failover for sticky session

2020-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64051

--- Comment #12 from Christopher Schultz  ---
You still need to post your correct  configuration.




[GitHub] [tomcat] ChristopherSchultz commented on issue #232: Fix handling of query parameters with no value, like `?foo`

2020-01-20 Thread GitBox
ChristopherSchultz commented on issue #232: Fix handling of query parameters 
with no value, like `?foo`
URL: https://github.com/apache/tomcat/pull/232#issuecomment-576357046
 
 
   I still don't understand the ask, here. It looks like you are taking a 
situation where you CAN tell whether a parameter exists and turning it into a 
situation where you CANNOT tell that it exists. That's a net loss in 
functionality IMO.
   
   It also violates a part of the servlet specification IMO: `getParameter` 
states that it returns `null` if a parameter does not exist, and I believe 
that, implicitly, it is stating that the method will return non-`null` if the 
parameter *does* exist. This PR violates that implicit requirement and is 
therefore rejected.
   
   You may publish your own code if you choose to, but this PR will not be 
merged.
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services




[GitHub] [tomcat] ChristopherSchultz edited a comment on issue #232: Fix handling of query parameters with no value, like `?foo`

2020-01-20 Thread GitBox
ChristopherSchultz edited a comment on issue #232: Fix handling of query 
parameters with no value, like `?foo`
URL: https://github.com/apache/tomcat/pull/232#issuecomment-576357046
 
 
   I still don't understand the ask, here. It looks like you are taking a 
situation where you CAN tell whether a parameter exists and turning it into a 
situation where you CANNOT tell that it exists. That's a net loss in 
functionality IMO.
   
   It also violates a part of the servlet specification IMO: `getParameter` 
states that it returns `null` if a parameter does not exist, and I believe 
that, implicitly, it is stating that the method will return non-`null` if the 
parameter *does* exist. This PR violates that implicit requirement and is 
therefore rejected.
   
   You may publish your own code if you choose to, but this PR will not be 
merged.
   





[GitHub] [tomcat] ChristopherSchultz closed pull request #232: Fix handling of query parameters with no value, like `?foo`

2020-01-20 Thread GitBox
ChristopherSchultz closed pull request #232: Fix handling of query parameters 
with no value, like `?foo`
URL: https://github.com/apache/tomcat/pull/232
 
 
   





[Bug 55477] Add a solution to map a realm name to a security role

2020-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477

--- Comment #18 from Christopher Schultz  ---
How applicable is  in web.xml, here?

(In reply to Stefan Mayr from comment #16)
> After a quick look into Michael's documentation I'm only concerned about the
> placement of the default config in WEB-INF/role-mapping.properties. As an
> admin I would expect to look for it in the conf folder.

I would expect a file without any explicit path information to be in the
application's WEB-INF/ directory if the component were to be configured in the
application's WEB-INF/web.xml file. If it is configured in conf/server.xml for
the server, I might expect the config file to be found in the server's conf/
directory. I'm not sure it's possible to detect the difference between the two
situations from within the code. Therefore, I'd prefer to default to
relative-to-WEB-INF but also allow (as Michael suggests) arbitrary file:// URI
support as well as allowing ${catalina.base} replacement in the path to make it
easy to build an installation-relative path.
