RE: How to access HttpServletRequest in Jaas login module in Tomcat

2016-05-25 Thread Saurabh.Suman
Hi Mark, Thanks for your reply. I am already extending JAASCallbackHandler and getting Name and password through that. How can we get HttpServletRequest through JAASCallbackHandler? SAURABH SUMAN Software Developer Markets & International Banking RBS Block No 1, Tower A, Unitech Infospace

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Daniel Savard
2016-05-25 13:42 GMT-04:00 Mark Thomas : (...) > For example, this issue only applies if you are using JMX/RMI. If you > are, it is likely to be a significant risk. If you aren't, it won't > affect you. One of the reasons I published that blog post was to provide > folks with

JSON Logging of Tomcat Access Log.

2016-05-25 Thread Abhijit Das
I am wanting to change the access logging format to JSON (for easier parsing with logstash). I currently have the following config in my server.xml … How would I change this to JSON formatted?

Re: Webapp in the same thread context

2016-05-25 Thread Christopher Schultz
Daniel, On 5/25/16 11:03 AM, Daniel Rocha wrote: > I have a java application that was running with "Embedded" class > from Tomcat 6.0. Now I am trying to upgrade it to run with Tomcat > 7.0.69. > > The current java application is initializing

Re: [ANN] Apache Tomcat 8.0.35 available

2016-05-25 Thread David Wall
Does anybody know if the AES+GCM bug that causes a JVM Crash (I believe only under JDK 8) when running TLS in Tomcat using Java's JSSE has been fixed? I doubt this is a Tomcat issue, but since the bug likely only appears for uses of TLS's AES+GCM in Tomcat, I hope someone here may know the

[ANN] Apache Tomcat 8.0.35 available

2016-05-25 Thread Mark Thomas
Apologies for the delay in sending this out. The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.35. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Mark Thomas
On 25/05/2016 16:12, Christopher Schultz wrote: > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: >> TL;DR If you use remote JMX, you need to update your JVM to address >> CVE-2016-3427 > >> For the longer version, see the blog post I just published on >> this:

Re: Xwiki-Entreprise-Web-8.1 WAR File Installation issues... Tomcat error

2016-05-25 Thread tomcat
On 25.05.2016 18:09, sebastien.boulia...@cpu.ca wrote: Hi all, I tried to install the Xwiki-Entreprise-Web-8.1 WAR File on Tomcat and I get these errors... http://pastebin.com/T0Kfa7MS http://imgur.com/ejT0zAe ps aux | grep tomcat tomcat2152 4.4 15.0 3802340 724216 ? Ssl 10:45

Xwiki-Entreprise-Web-8.1 WAR File Installation issues... Tomcat error

2016-05-25 Thread Sebastien.Boulianne
Hi all, I tried to install the Xwiki-Entreprise-Web-8.1 WAR File on Tomcat and I get these errors... http://pastebin.com/T0Kfa7MS http://imgur.com/ejT0zAe ps aux | grep tomcat tomcat2152 4.4 15.0 3802340 724216 ? Ssl 10:45 0:12 /usr/lib/jvm/jre/bin/java -classpath

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz
David, On 5/25/16 11:41 AM, David kerber wrote: > On 5/25/2016 11:12 AM, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> Mark, >> >> On 5/24/16 10:06 AM, Mark Thomas wrote: >>> TL;DR If you use remote JMX, you need

Re: Secured connection between Apache Httpd and Tomcat over AJP protocol

2016-05-25 Thread Christopher Schultz
All, On 5/25/16 11:30 AM, Christopher Schultz wrote: > Mohanavelu, > > On 5/25/16 10:21 AM, Mohanavelu Subramanian wrote: >> I have Httpd process and Tomcat instances both running on 2 >> different machines. The communication between them happens

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread David kerber
On 5/25/2016 11:12 AM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 5/24/16 10:06 AM, Mark Thomas wrote: TL;DR If you use remote JMX, you need to update your JVM to address CVE-2016-3427 For the longer version, see the blog post I just published on this:

Re: Secured connection between Apache Httpd and Tomcat over AJP protocol

2016-05-25 Thread Christopher Schultz
Mohanavelu, On 5/25/16 10:21 AM, Mohanavelu Subramanian wrote: > I have Httpd process and Tomcat instances both running on 2 > different machines. The communication between them happens through > AJP protocol (mod_jk) which doesn't support

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Woonsan Ko
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: >> TL;DR If you use remote JMX, you need to update your JVM to address >> CVE-2016-3427 >> >> For the

Re: Can tomcat be configured for ECDHE and DHE cipher suites

2016-05-25 Thread Christopher Schultz
Mark, On 5/25/16 10:38 AM, Mark Thomas wrote: > On 25/05/2016 15:17, Utkarsh Dave wrote: >> Hello Mark, >> >> I have a question for SSL Support - BIO and NIO. It is mentioned >> that useServerCipherSuitesOrder can be used with Java 8 only So >> is

Re: Secured connection between Apache Httpd and Tomcat over AJP protocol

2016-05-25 Thread tomcat
On 25.05.2016 16:21, Mohanavelu Subramanian wrote: Hi All, Good Morning. I have Httpd process and Tomcat instances both running on 2 different machines. The communication between them happens through AJP protocol (mod_jk) which doesn't support encryption. But we are using some features of

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz
Mark, On 5/24/16 10:06 AM, Mark Thomas wrote: > TL;DR If you use remote JMX, you need to update your JVM to address > CVE-2016-3427 > > For the longer version, see the blog post I just published on > this:

Webapp in the same thread context

2016-05-25 Thread Daniel Rocha
Hi, I have a question related to Tomcat 7.0.69 running in a voyage (debian) system. I have a java application that was running with "Embedded" class from Tomcat 6.0. Now I am trying to upgrade it to run with Tomcat 7.0.69. The current java application is initializing some static objects and then

Re: Can tomcat be configured for ECDHE and DHE cipher suites

2016-05-25 Thread Mark Thomas
On 25/05/2016 15:17, Utkarsh Dave wrote: > Hello Mark, > > I have a question for SSL Support - BIO and NIO. > It is mentioned that useServerCipherSuitesOrder can be used with Java 8 only > So is there a way (in java 7 and BIO and NIO support ) or another parameter > we can use with "ciphers" to

Secured connection between Apache Httpd and Tomcat over AJP protocol

2016-05-25 Thread Mohanavelu Subramanian
Hi All, Good Morning. I have Httpd process and Tomcat instances both running on 2 different machines. The communication between them happens through AJP protocol (mod_jk) which doesn't support encryption. But we are using some features of mod_jk like automatic passing of security information like

Re: Can tomcat be configured for ECDHE and DHE cipher suites

2016-05-25 Thread Utkarsh Dave
Hello Mark, I have a question for SSL Support - BIO and NIO. It is mentioned that useServerCipherSuitesOrder can be used with Java 8 only So is there a way (in java 7 and BIO and NIO support ) or another parameter we can use with "ciphers" to force client follow the order of ciphers. The JSSE

Re: Problem with monitoring with JMX

2016-05-25 Thread Christopher Schultz
André, On 5/24/16 5:54 PM, André Warnier (tomcat) wrote: > To both : > > Do not guess. Agreed. You should also not guess. > Read the start of the "bin/catalina.sh" script (Linux) or the > "bin/catalina.bat" script (Windows). It explains the

Re: nio connector

2016-05-25 Thread Christopher Schultz
Igor, On 5/24/16 6:52 PM, Igor Cicimov wrote: > On 24 May 2016 12:33 pm, "Christopher Schultz" > wrote: >> > Jakub, > > On 5/23/16 8:03 PM, Ja kub wrote: Christopher, Thx for response, please confirm or deny if I

Re: Problem with monitoring with JMX

2016-05-25 Thread Christopher Schultz
Edwin, On 5/24/16 6:08 PM, Edwin Quijada wrote: > Tomcat 8.0.33 Java 1.8 Debian 8 Stop Tomcat, change setenv.sh back to use CATALINA_OPTS, and re-launch Tomcat. What is the (sanitized?) command-line you get for the running JVM that results?

Re: Prepared statements are not cached with XA in tomcat jdbc connection pool implementation

2016-05-25 Thread Woonsan Ko
I don't know if it is a bug or not, but I learned today that org.apache.tomcat.jdbc.** is a different tomcat implementation from the default dbcp based implementation (org.apache.tomcat.dbcp.**). And, you seem to use the former one. Therefore, I think you should file a bug in tomcat, not in

Re: JNDI DataSource in Tomcat 8: maxTotal and maxWaitMillis

2016-05-25 Thread Woonsan Ko
Hi Mark, On Wed, May 25, 2016 at 4:56 AM, Mark Thomas wrote: > On 24/05/2016 23:23, Woonsan Ko wrote: >> Hi, >> >> Since 8.0, I think we should use maxTotal instead of maxActive and >> maxWaitMillis instead of maxWait. [1,2] >> However, if I use maxTotal for instance, the jmx

RE: tomcat8.0.33 classpath/classloader issues

2016-05-25 Thread Sanka, Ambica
You can put in catalina.properties. There is entry with common.loader in catalina.properties under conf folder. Please see below # Note: Values are enclosed in double quotes ("...") in case either the # ${catalina.base} path or the ${catalina.home} path contains a comma.

RE: tomcat8.0.33 classpath/classloader issues

2016-05-25 Thread Venkata Reddy P
Many thanks Mark. I will give it a retry. Is there a way to set all jars in folder (c:\poc\lib) to classpath on startup? -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, May 25, 2016 2:25 PM To: Tomcat Users List Subject: Re: tomcat8.0.33

Re: Integrated Windows Authentication for TomCat 7

2016-05-25 Thread Mark Thomas
On 25/05/2016 07:02, Clinton Breed wrote: > Good day All > > We are running a web app named n-able Helpdesk Manager via TomCat 7 on a > Windows Server 2008. > > The Tomcat gets installed via the n-able helpdesk installation. I have > been assigned a task to get the Helpdesk Webapp to login

Re: JNDI DataSource in Tomcat 8: maxTotal and maxWaitMillis

2016-05-25 Thread Mark Thomas
On 24/05/2016 23:23, Woonsan Ko wrote: > Hi, > > Since 8.0, I think we should use maxTotal instead of maxActive and > maxWaitMillis instead of maxWait. [1,2] > However, if I use maxTotal for instance, the jmx console doesn't show > it but show the old maxActive value (100, probably the default >

Re: tomcat8.0.33 classpath/classloader issues

2016-05-25 Thread Mark Thomas
On 25/05/2016 06:14, Venkata Reddy P wrote: > Can anyone please help me on this? Don't mess with the classpath. You should (almost) never need to do that. Put shared JARs in Tomcat's lib directory. Mark > > From: Venkata Reddy P > Sent: 24 May 2016 14:44 > To: Tomcat Users List > Subject:

Integrated Windows Authentication for TomCat 7

2016-05-25 Thread Clinton Breed
Good day All We are running a web app named n-able Helpdesk Manager via TomCat 7 on a Windows Server 2008. The Tomcat gets installed via the n-able helpdesk installation. I have been assigned a task to get the Helpdesk Webapp to login automatically gathering the information from the windows