Has any decision been made on how the original poster will do this?
As I read through the various responses, while you can always argue
certain structures are better, it's simply not true that if you create
messy/insecure JSPs, you'll somehow create clean/secure servlets. Any
error you would
I'll be curious to see the answers.
JSPs are servlets.
For us, the common way would be for your non-JSP servlets to
authenticate the request (and save the results in the request), and then
your JSPs can check if the request has been authenticated before
progressing further. Of course, if
We're doing good with this:
protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
On 8/9/17 8:35 AM, Mark Thomas wrote:
On 09/08/17 16:09, David Wall wrote:
We're using Tomcat 8.5.16 with Java 1.8.0_91, Vaadin 7.7.10 and
Atmosphere Websockets.
We have had reports of sessions logging out while users are active with
our Vaadin-based application. This has been frustrating
We're using Tomcat 8.5.16 with Java 1.8.0_91, Vaadin 7.7.10 and
Atmosphere Websockets.
We have had reports of sessions logging out while users are active with
our Vaadin-based application. This has been frustrating as we can't
seem to track down why Tomcat's session is not being updated, but
Does anybody know if the AES+GCM bug that causes a JVM Crash (I believe
only under JDK 8) when running TLS in Tomcat using Java's JSSE has been
fixed? I doubt this is a Tomcat issue, but since the bug likely only
appears for uses of TLS's AES+GCM in Tomcat, I hope someone here may
know the
David,
On 8/28/15 2:47 PM, David Wall wrote:
I'm using Tomcat 8.0.23, but wondered if a filter defined in the
Tomcat conf/web.xml as well as defined in my app's WEB-INF/web.xml
file causes the filter to be loaded twice or whether duplicate
filters
I'm using Tomcat 8.0.23, but wondered if a filter defined in the Tomcat
conf/web.xml as well as defined in my app's WEB-INF/web.xml file causes
the filter to be loaded twice or whether duplicate filters are ignored?
If duplicates are ignored, what makes it a duplicate? Just the name,
the
We're on Tomcat 8 with Java 8, so it has more options for ciphers, but
this is what we use:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
connectionTimeout="2" acceptorThreadCount="2"
URIEncoding="UTF-8"
maxThreads="100"
On 12/15/2014 12:19 PM, Anup Aggarwal wrote:
Hi,
I am new to learn the LambdaExpression, and I am trying to run a test with
JDK7 on Tomcat_8_0_15 server
Don't you need JDK8 for Lambdas?
-
To unsubscribe, e-mail:
On 4/17/2014 7:50 AM, Christopher Schultz wrote:
I'll take a look at the code to see if maybe we can conditionally log
something somewhere when we get a 400 error. You can probably get
information about it by enabling DEBUG logging on the component that
throws the 400 error, but you'll likely
Thanks, Christopher.
One last question has to do with the filter-mapping's url-pattern element.
Are <url-pattern>/*</url-pattern> and <url-pattern>*</url-pattern> the
same?
My impression is that /* is more correct since a * pattern implies a
file name suffix but there's nothing after it. Is that
I am running Tomcat 7.0.47 and it occasionally returns HTTP status codes
of 400, such as the following from my access log.
A 400 suggests a malformed request, but many of these are simple GET
requests on an image, so it seems odd they are malformed. We're not
positive, but it seems that as
On 4/16/2014 3:17 PM, Christopher Schultz wrote:
The access log of course does not give the whole story. It's possible
that the client sent for example a badly-formed HTTP header value. In
those cases, the request-line (shown in the access log)
I've never done a request dumper before, but is there a way to trigger
it only if Tomcat is going to issue a 400?
Sorry for replying to my own posting, but for JSP urls, we do seem to
know that request.getScheme() for example returns null when things are
bad, though I'm not sure how a bad
On 10/15/2012 6:37 PM, 孙文 wrote:
You are not suitable the open source community and you are a selfish guy.
Wonderful, helpful and insightful!
I egregiously suggested that reverting a line of code back to 7.0.26,
which was also standards-compliant, would have been easy and would have
In researching a bug our users are now suffering, I found that it was
reported already as *Bug 53814- Could not display PDF file on Tomcat
7.0.27 above.*
Sadly, it also shows that it's considered invalid and won't be fixed
because the change made between 7.0.26 and 7.0.27 is standards
Chris,
Thanks for the 'findbugs' tip. I'm running it now in Eclipse and it has
indeed found real bugs and some good stylistic ideas as well.
David
Just a quick update on these several threads of Tomcat 7 oddball
exceptions. It looks to be as Chuck believed that it was a coding error
on our end that was causing this. In particular, it was the no-no
misuse of instance variables in a controlling servlet.
Thanks for everyone's help!
We are running Tomcat 7.0.26 (no httpd front end) with BIO/NIO and SSL
(entire webapp is in security context) and see this exception
periodically on our Linux server:
May 2, 2012 3:03:45 AM org.apache.jasper.runtime.JspFactoryImpl
internalGetPageContext
SEVERE: Exception initializing page
I am running Tomcat 7.0.26 on Linux and we received a lot of the following
exceptions during load testing:
May 2, 2012 3:04:03 AM org.apache.tomcat.util.net.NioEndpoint$Acceptor run
SEVERE: Socket accept failed
java.io.IOException: Too many open files
at
On 5/2/2012 12:34 PM, Pid * wrote:
It's an OS issue: google 'ulimit'.
p
Yes, I am familiar with ulimit -Sn (it's 1024), but I suspect this could
be a Tomcat issue somehow opening too many files and/or not releasing
them. I had never seen this issue before we upgraded from Tomcat 5.5
We are running Tomcat 7.0.26 and have not seen this exception before running
high load testing. It's an odd exception in that our getParam() code is
just calling: String[] pv = request.getParameterValues(name);
That is, we are not making a call that should be attempting to change
any parameter
Here's another odd exception we are receiving on Tomcat 7.0.26 when
doing load testing.
When this exception occurs, our code is basically calling:
response.encodeURL(url);
It's in a FORM tag we created that is defined on a JSP page that should
already have a session object created by:
On 5/2/2012 2:17 PM, Caldarale, Charles R wrote:
Both this symptom and your earlier one about creating a session after a
response has been committed are representative of the kinds of errors seen when
a webapp stores references in an inappropriate scope. For example, keeping a
reference to
On 5/2/2012 2:41 PM, Caldarale, Charles R wrote:
Look carefully at the code in your webapp(s) for issues like the ones
described in an earlier response.
Has anybody seen this?
Lots of times - and it's _always_ been a problem in a webapp.
- Chuck
I hope my comment about our session
Thanks for the ideas, Mark, but it's still the same undesirable result.
On 9/1/2011 6:58 AM, Mark Thomas wrote:
I suspect you need:
<%@ page pageEncoding="UTF-8" %>
at the start of your JSP.
.java files are written using UTF-8 by default so if what you see there
is wrong then the original .jsp
You are right about the encoding of the .java file in Eclipse. I tried
in 'vi' and sure enough the codes are in there correctly. Interesting
that Eclipse opened the .jsp file and showed it nicely, but the .java
file was not. I couldn't do the properties, though, since these files
are not
I'm trying to track down a character encoding issue that I've been
having, but don't really understand. Hopefully one of you will know what
the answer is.
I am using CKEditor to generate some user-specified HTML. CKEditor
offers an insert special character function that often creates named
On 6/24/2011 5:48 AM, Rainer Jung wrote:
On 24.06.2011 14:08, Tim Funk wrote:
Looks like this is the root cause from
DefaultServlet ...
While the ISE is caught ... since the mimetype for js was changed - it
doesn't match the fallback method
try {
ostream =
This was working under TC 6, but I have a tag that extends
BodyTagSupport, and in my doStartTag() method I get my JspWriter 'out'
using pageContext.getOut().
I have a bunch of out.write() statements that all work fine.
Then I have these:
out.write("<style type=\"text/css\">\n/* platform esf.css
out.write("<script type=\"text/javascript\">\n");
pageContext.include("/static/esf/esf.js",true);
out.write("</script>\n");
But the exception IllegalStateException is thrown on the include of
the esf.js file. The reason is null, so there's no more details. I
find it odd in that the two prior includes
out.write("<script type=\"text/javascript\">\n");
pageContext.include("/static/esf/esf.js",true);
out.write("</script>\n");
But the exception IllegalStateException is thrown on the include of
the esf.js file. The reason is null, so there's no more details. I
find it odd in that the two prior
Yes. You'll need to extend BaseDirContext in
org.apache.naming.resources. For some examples, see FileDirContext and
WarDirContext in the same package.
Thanks for the pointers, Mark. From what you are saying, this would be
a Tomcat-specific solution. I was hoping for something that would work
On 12/26/2010 2:04 AM, Mark Thomas wrote:
Yes. You'll need to extend BaseDirContext in
org.apache.naming.resources. For some examples, see FileDirContext and
WarDirContext in the same package.
Thanks for the pointers, Mark. From what you are saying, this would be
a Tomcat-specific
Is there a way to have Jasper (or other...) retrieve the JSP source code
it'll compile from a database instead of a regular file? It's fine that
Jasper write the .java/.class files as normal, but the .jsp would come
from my database instead. A servlet that could return the JSP source
code
Another issue to consider is that Tomcat runs a single instance of Java
VM, but often runs multiple webapps. If each webapp takes the approach
that it can set the default timezone to its liking, you'll find that
you get a mixed bag based on which webapp was the last to reload. At
least
Caldarale, Charles R wrote:
From: David Wall [mailto:d.w...@computer.org]
Subject: Re: TC 6.0.20 - how to know session restored on restart?
This must be a multi-thread timing issue because I had
not had this happen on several other restarts.
AFAIK, Tomcat initialization is single
work well enough for me. We already stored some info in the session
so that we could also determine the user who is associated with the
session among others, so we just created an object to hold this info
and it implements HttpSessionActivationListener and sure enough, on
tomcat restart, it
I am using Tomcat 6.0.20 and have implemented the SessionListener
interface. We can then use this to show a list of active sessions to
our users, and when they are logged in, we even know which user is
tied to the session. This is very handy.
However, on tomcat restart, all existing
It seems if I can see all sessions that are started and stopped using
SessionListener, there should be no reason why we can't get the sessions
auto-built from session persistence when Tomcat restarts a web app,
too. Any tricks to figure this out?
Try reading the reply I wrote about 9
My first attempt was to implement those two methods in my class that
already implements HttpSessionListener, but these methods were never
called. On closer reading, it appears that this is an interface to be
implemented by an object that I then store in the session attributes.
Do I create an
I am using Tomcat 6.0.20 and have implemented the SessionListener
interface. We can then use this to show a list of active sessions to
our users, and when they are logged in, we even know which user is tied
to the session. This is very handy.
However, on tomcat restart, all existing
In a production environment in which JSPs do not change frequently, I'd
like to reduce the overhead of checking for JSP recompiles, assuming
that such checks are in fact costly, and instruct Tomcat to recompile a
given JSP should it change. In our environment, the JSP is written out
by our
Manually, the Tomcat Manager web app allows me to easily restart a web
app. So, assuming I have the tomcat manager username and password, I
can make a program invoke the same URL that probably would cause the web
app to reload, using something like:
We are running Tomcat 5.5.27 on Linux 2.6.18-53.1.4.el5xen (Red Hat
4.1.2-14) with Java 1.6.0_05 (32 bit) in a Xen virtualization
environment (not my server, so unsure what version that is). It has 3
webapps running, two of ours and Tomcat's manager.
Normally, when we run 'top', Java and
F.ex. from my toy machine;
$ ps -fLp 7044
UID PID PPID LWP C NLWP STIME TTY TIME CMD
tomcat 7044 1 7044 0 40 2008 ? 00:00:12 /usr/lib/jvm/java/bin
tomcat 7044 1 7118 0 40 2008 ? 00:02:58 /usr/lib/jvm/java/bin
tomcat 7044 1 7119
John Shilling wrote:
I am looking at having to support tens or even hundreds of instances of our
web application in an ASP Model.
We basically do this now using a single Tomcat instance with multiple
webapps (https://host.com/App1/, https://host.com/App2/ etc) and
don't use virtual
I have a java application under Tomcat that is supposed to track people's
downloads.
The user clicks on a link (to download a file) and a new record has to be
inserted into a postgreSQL table informing which file was downloaded.
However, I need to insert into postgreSQL only after the
It may not be worth the resources, but you can develop/use a download
manager that could do this for you. Especially if these are large files, the
users may be happy to use something like that.
The manager would basically tell the service to start the download and
if you do something like resume
We set a secure cookie over HTTPS using:
javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(name,
value);
cookie.setVersion(1);
cookie.setMaxAge(60*60*24*90); // 90 days in seconds
cookie.setSecure(request.isSecure());
response.addCookie(cookie);
This works in Firefox and
cookie.setVersion(1);
I think I found my own answer in that it appears that Firefox can accept
a version 1 (RFC 2109) cookie, which we were using because the email
address contains an '@' that's not allowed as a value in version 0
cookies. When we converted to version 0 and encoded the @,
While it makes sense, I was just checking to see if upgrading from
Tomcat 5.5.26 to 5.5.27, not thinking such an upgrade would require JSP
source code changes, will hold true going forward with subsequent Tomcat
releases.
We have a few places where JSP tag attribute values have Java code that
No, I don't want SSL enabled. I want Tomcat to NOT do SSL, but I want it
to report to my application that SSL is being used.
So you want quality software to lie to you? It would be a bug if Tomcat
said it was secure when it's not, and it sounds pretty goofy to want it.
The deal is that
I'm trying to configure an HTTP Connector that reports to the
application that the connection is secure. According to the TC
documentation
(http://tomcat.apache.org/tomcat-5.5-doc/config/http.html), you should
be able to simply set:
secure=true
in the Connector and all should be well.
Yes,
We've used the following in Tomcat 5.5 with JDK 1.6:
<Connector port="8443" maxHttpHeaderSize="8192" maxPostSize="0"
maxThreads="2000" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
Thanks for the code idea. I like what you wrote.
If there's no '?' in the URL, then you can return false right away,
right?
Indeed!
public boolean isParamInUrl(String url, String paramName)
{
    return url.contains('?' + paramName + '=')
        || url.contains('&' + paramName + '=');
}
Is there an API call to parse an URL I have as a String so that I can
determine if a given param exists?
I know that when processing from Tomcat, I can do
request.getParameterValues() for the URL of my servlet, but I'd like to
know if the URL used to arrive at my page includes a given
http://java.sun.com/docs/books/tutorial/networking/urls/urlInfo.html
It breaks down every component of the url (protocol, domain name, etc). Is
that what you're looking for?
Not really since I just need to process the query string portion to see
if a given param exists or not. I'm
if ( pos 0 )
url = url.substring(pos);
Found a bug in that this should be pos+1 to remove the ?.
if ( paramAndValue[0].equals(paramName) )
return true;
We're also doing a URLDecoder.decode on the paramAndValue[0] in case the
param
I'd like to allow a web app to define custom code, such as for custom
data validators or data formatters to be added by a user through
configuration in my web app.
That is, I'd like to have a user of my web app specify some Java code
snippets (either a few lines of code, or perhaps a complete
Is there any problem run Tomcat under 64 bits platform? And about JDK? Is it
possible install JDK 32 bits for 64 bits platform?
We run Tomcat 5.5 using CentOS 5 X86_64 and Java 6 (x64 -- previously
amd64 also worked) without any issues.
David
My Tomcat directory is c:\Tomcat6\apache-tomcat-6.0.14. I tried starting
startup.bat but got the error:
The CATALINA_HOME environment variable is not defined correctly This
environment variable is needed to run this program
My CATALINA_HOME environment variable is set to
After some times, my Tomcat will stop responding and the stdout log
says OutOfMemoryError!
You could try increasing the perm space with the Java option:
-XX:MaxPermSize=256m
Obviously, you can choose any value you want. We've seen the same
problem on systems that have lots of webapps
Moritz wrote:
But still I think it's never a good idea to write a password in plain
text in any file. If the password is stored in plain text and
something goes wrong an attacker could be able to steal my private key
and use it. And this would be really bad.
Obviously, this depends on your web
Assuming you'll want to do other redirects in the future to different
webapps (not all sharing ROOT's / for example and just using subdirs,
but actual distinct webapps), you might take a look at URL rewrite at
http://tuckey.org/urlrewrite/
David
Frank W. Zammetti wrote:
I can say with 100% certainty that a servlet invoked with XMLHttpRequest
**DOES** have the same access to server-side objects as a non-AJAX
request. I say this based on two applications in production that do this
all day long, one Struts-based, one not. I also say it
Martin,
All encryption systems need a way to boot themselves. This either means
you store the password somewhere so the program can self-boot itself, or
you need user intervention, such as typing in the password (or inserting
a dongle or other security hardware device).
Once the system has
I hope all this 'bot' talk doesn't prevent a resolution to the
long-standing bug regarding sessions that never terminate, long after
they should have expired. All of our web apps have a background thread
that periodically terminates sessions that haven't been accessed in 24
hours, even
It seems that Tomcat 5.5.17 (and earlier) has had some sort of problem
in timing out sessions. I'm not sure if it would clean itself up if the
person really came back and did another HTTP transaction or not, but
I've noted that Tomcat Manager will show sessions that have been
idle much
Mark Thomas wrote:
David Wall wrote:
Does anybody know how to find the list of SSL ciphers that TC will use
(I'm running on Linux)? There's a Connector param to set the ciphers,
but I don't know where to find the list of available ciphers that I have.
http://marc.theaimsgroup.com/?l
?
Thanks,
David
David Wall wrote:
Does anybody know how to find the list of SSL ciphers that TC will use
(I'm running on Linux)? There's a Connector param to set the ciphers,
but I don't know where to find the list of available ciphers that I have.
Thanks,
David
That's exactly what I was looking for. Thanks. David
Mark Thomas wrote:
$JAVA_HOME/docs/guide/security/jsse/JSSERefGuide.html
You want appendix A.
Mark
Does anybody know how to find the list of SSL ciphers that TC will use
(I'm running on Linux)? There's a Connector param to set the ciphers,
but I don't know where to find the list of available ciphers that I have.
Thanks,
David
What are most people doing to detect so-called weak SSL ciphers in
Tomcat?
I've noted that I can configure the Tomcat Connector's 'ciphers' list to
specify only those that are not weak, but I'm not sure how best to
generate that list. For example, how would I list all ciphers except
Is there a correct way to retrieve a typed List from a request/session
attribute? The attribute is returned as an Object, but using a cast like:
List<MyType> var = (List<MyType>)request.getAttribute(name);
results in a warning:
Type safety: The cast from Object to List<MyType> is actually checking
Is there a way to call a JSP within my web app so that I can capture the
HTML that the JSP produces? I'd like to capture that HTML and store it
in a file rather than returning it as part of the response.
I have tried java.net.URL, but it has issues when testing over HTTPS
(self-signed certs)
Leon Rosenberg wrote:
On 6/2/06, Bill Barker [EMAIL PROTECTED] wrote:
TC 3.3.x had an optional module to do this. It never got ported.
I generally agree with most of the people that say that this is the
least of
your problems. If you are using a self-signed cert, then you are just
java.lang.RuntimePermission
accessClassInPackage.org.apache.tomcat.util.net;
David
David Wall wrote:
Since upgrading from Tomcat from 5.5.9 to 5.5.17, I found that my two
webapps that both need to use encryption via JCE providers are not
working. Only the first to load webapp works as it installs
into the same file. So it seems to
have some static initializations too that introduce this oddity.
David
David Wall wrote:
Martin,
Thanks for your suggestion, but it's unlikely that web.xml was
misconfigured just because of this TC upgrade (it wouldn't have needed
to change). Also, when
Shankar Unni wrote:
Robert Harper wrote:
One thing to think of is that if you have to do that to protect it, then
everything else on that system is suspect.
Yeah, yeah. I used to use this argument a lot, too. But that's like
saying: if your harness isn't secure, then why bother with an
We have multiple webapps running in a single Tomcat instance, and when
we need to upgrade a given webapp, we install a system down web.xml
that defines a null operation listener (we normally have one that
bootstraps the application, connects to databases, etc.) and maps
everything to a servlet
I may have found this was fixed in 5.5.17 since I see this line in the
changelog:
Correctly reset listeners when reloading a webapp (remm)
I'll give that a try
David
David Wall wrote:
We have multiple webapps running in a single Tomcat instance, and when
we need to upgrade a given
We've used UrlRewriteFilter with good success so far:
http://tuckey.org/urlrewrite/
David
Lothar Krenzien wrote:
Hi there,
I'm using tomcat 5.5 and want to redirect some requests to another URL. For example the URL
localhost:80/siteA should be forwarded to localhost:8080/siteB. Of course
Well, you should check out the url rewrite documentation for details. In
your webapp's web.xml, you put something like this in to tell it you
want it to examine all URLs that come into the web app:
<filter>
<filter-name>UrlRewriteFilter</filter-name>
Does anybody know of any good Java/servlet code that handles email
bounce processing? When our automated systems send an email that
bounces (lots of hotmail bounce if the user has an account but just
hasn't logged in the past 30 days), we'd like a somewhat reliable
mechanism to associate the
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>
-->
90 matches