Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 11/12/2023 17:20, Mark Thomas wrote: On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario (as shown below

Re: [EXTERNAL] - Re: Partitioned cookies

2023-12-15 Thread Mark Thomas
On 14/12/2023 21:15, André van der Lugt wrote: From: Chuck Caldarale Sent: Wednesday, November 15, 2023 9:48 AM To: Tomcat Users List Subject: [EXTERNAL] - Re: Partitioned cookies On Nov 15, 2023, at 08:06, Adam Warfield

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 16:13, Benny Prange wrote: On Thu., 14 Dec 2023 at 16:51, Mark Thomas wrote: On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-11 Thread Mark Thomas
On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario (as shown below), the Host header value in the HTTP request is

Re: JAVA -tomcat- Request header is too large

2023-12-11 Thread Mark Thomas
On 08/12/2023 22:01, Christopher Schultz wrote: Are request-ids always allocated, or only if they are "enabled"? Always allocated. I think adding the request-id to this exception detail message might be helpful, even if the request-id hasn't been enabled in the access-log. WDYT? Good

Re: Failing to decode the url correctly in tomcat 9.

2023-12-08 Thread Mark Thomas
On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote: On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan < kalaivani.sengottai...@veeva.com> wrote: In one of our sample cases, this is the url recorded by nginx "-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +] "GET

Re: JAVA -tomcat- Request header is too large

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:27, Ivano Luberti wrote: On 07/12/2023 17:51, Mark Thomas wrote: On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:51, Mark Thomas wrote: On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 This has been fixed for all

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 On Dec 8, 2023, at 03:55, Nicolas BONAMY wrote: Hi, I try to use

Re: JAVA -tomcat- Request header is too large

2023-12-07 Thread Mark Thomas
On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header Note: further occurrences of HTTP request

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-12-06 Thread Mark Thomas
ode. Additional info - I've set the session timeout to 10minutes. The app uses Java 17 with Spring Boot 3.1.x stack. It does not use any external STOMP broker relay. Regards, Jakub. On 2023/08/20 22:44:46 Mark Thomas wrote: On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wr

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 15:15, Burle, Saicharan wrote: Hi Mark/Chris, We are getting this error without even deploying any application. Then start looking at your network to see what is sending this invalid data to Tomcat. Mark -

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 09:45, Burle, Saicharan wrote: Hi All, I am trying to build a tomcat instance in a net new server and getting the below error while starting. Although instance has come up but I am unable to debug the below error. Can someone please assist in this regard?

Re: setenv.sh tomcat8 changelog

2023-12-04 Thread Mark Thomas
4 Dec 2023 15:10:13 Christoph Kukulies : The tomcat8 changelog shows the following remark among others: General • Tighten up the default file permissions for the .tar.gz distribution so no files or directories are world readable by default. Configure Tomcat to run with a default umask of 

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-12-01 Thread Mark Thomas
On 01/12/2023 14:29, Markus Schlegel wrote: Hi Peter, Thank you for your hint about "-Djdk.tls.ephemeralDHKeySize=2048". I indeed did not know that this option exists. When I enable it, I get Grade "A" from SSLLabs while it still lists 8 weak ciphers out of 12. Because I get to grade "A" with

Re: (No members active in cluster group) Cannot discover members in cluster using Delta Manager with static membership Unicast

2023-12-01 Thread Mark Thomas
On 01/12/2023 08:27, Manak Bisht wrote: Hi, I am trying to implement non-sticky session replication using Delta Manager with static membership. The nodes are across two different machines. I am unable to discover members in the cluster with the following logs on both machines -

Re: Tomcat 9 build from scratch

2023-12-01 Thread Mark Thomas
On 30/11/2023 23:38, Aditya Shastri wrote: Thanks for the response Adwait. My ant skills are lacking. Does the minimum bytecode definition come from this line? Yes. Equally importantly it also ensures that the code is compiled against the Java 8 API. What does this line do? It is

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 29/11/2023 21:46, Christopher Schultz wrote: Mark, On 11/29/23 14:09, Mark Thomas wrote: It was this change: https://github.com/apache/tomcat/commit/147fee447e27ec14e3001d9c727db1dcd4cb930c Reason phrase is an optional element of the HTTP response. This looks like a bug in whichever

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
are for addressing this in the interim. I'll note though that, generally, we don't implement work-arounds for broken clients - especially ones no-one noticed for 3+ years. Mark On 29/11/2023 14:08, Mark Thomas wrote: On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-11-29 Thread Mark Thomas
On 29/11/2023 10:46, Markus Schlegel wrote: Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak out of 12. It seems to me that -CBC might not be a valid option at all? Mark got different results when he

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application and a webdav servlet with tomcat. I am using libreoffice to edit and save files. the command is: /usr/lib/libreoffice/program/soffice.bin ms-excel:ofe|u|https://cloud.example.com/WebDav/NESTOR/GERARD/Documents.xls

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

Re: 400 Bad Request - where do I find the detailed reason for the bad request so I can fix it?

2023-11-28 Thread Mark Thomas
On 27/11/2023 20:09, Graham Leggett wrote: Hi all, Long running webapps, tomcat recently updated from tomcat7 to tomcat v9.0.65. One webapp sends a request to another. The request fails with a 400 Bad Request, with the detail message "The server cannot or will not process the request due to

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-27 Thread Mark Thomas
more complicated with asynchronous servlets but it boils down to avoid accessing the request, response and associated objects after complete()/dispatch() have been called. Mark On Sat, Nov 25, 2023 at 5:42 AM Mark Thomas wrote: On 25/11/2023 05:30, Adwait Kumar Singh wrote

Re: Using Async Servlets correctly to avoid smuggling.

2023-11-25 Thread Mark Thomas
On 25/11/2023 01:43, Adwait Kumar Singh wrote: Hey Tomcat users, I am using Async Servlets and have a question on how to safeguard my application from Request Smuggling. In my current setup I do the following, 1. `startAsync` on the ServletRequest. 2. Create a ReadListener and attach it to

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-25 Thread Mark Thomas
On 25/11/2023 05:30, Adwait Kumar Singh wrote: Is there a way around this, to keep the async context open even on an error and not close it till complete is invoked? No. The spec requires the error handler to call complete() in onError() and if the error handler doesn't, the container must. Mark

Re: Breaking changes in 9.0.83 ?

2023-11-19 Thread Mark Thomas
19 Nov 2023 04:23:46 Adwait Kumar Singh : I can see that BND was updated to 7.0 in 9.0.83, however BND 7.0 requires at least JDK 17 runtime while Tomcat 9 still supports JDK 8. Is this breaking change intended? Yes, it was intended. It is not a breaking change. The minimum supported

Re: CredentialHandler not working for MD5

2023-11-18 Thread Mark Thomas
On 17/11/2023 19:36, Christopher Schultz wrote: Is there any reason why SHA-256 is the default? MD5 is the historical default / only implementation for HTTP DIGEST. RFC 7616 (2015) Chrome will choose SHA-256 if presented with a choice of SHA-256 and MD5. Mark

Re: CredentialHandler not working for MD5

2023-11-17 Thread Mark Thomas
On 16/11/2023 18:06, Peter Otto wrote: 1. Configure BASIC auth with clear-text passwords in the Realm and get that working. 2. Switch to DIGEST auth with clear-text passwords in the Realm and get that working. 3. Then configure DIGEST auth and digested passwords in the Realm. Hi

Re: Tomcat 8: Random 404 and 505 errors

2023-11-17 Thread Mark Thomas
On 16/11/2023 22:53, Pavan Veginati wrote: Hi, We are seeing random 404 and 505 errors with GET and POST requests. Out of the 10 million daily requests in one cluster, there are 2-3 such 404 errors. In another cluster with around 100 million daily requests, we are seeing 20-30 404s on average

Re: CredentialHandler not working for MD5

2023-11-14 Thread Mark Thomas
You are confusing DIGEST authentication and digested passwords. The two are separate but related processes. If you use both, you do need to ensure that they are using the same digest. There is no need to modify code. This can all be controlled via configuration.

Re: Accessing Credential handler inside the web application always returns null

2023-11-14 Thread Mark Thomas
On 12/11/2023 23:01, Усманов Азат Анварович wrote: Sorry for delayed response, Once I comment out the CredentialHandler in context xml both in my app's context.xml and in global context.xml, and add realm to server.xml. CredentialHandler returns null once again. This is by design. The

Re: Tomcat 10.1.15 JVM crashes randomly on startup

2023-11-13 Thread Mark Thomas
On 13/11/2023 07:52, Øyvind Flatval wrote: Greetings! We are currently experiencing a very vague problem with our Tomcat 10.1 instance, where the JVM will crash almost instantly after Tomcat is done starting up. The problem happens somewhat regularly, and only happens within the first minute

Re: FileUpload class not working with Tomcat 10.1

2023-11-10 Thread Mark Thomas
On 10/11/2023 16:49, Mark Foley wrote: I recently upgraded from Tomcat 10.0.17 to 10.1.13. When I previously upgraded from 9.0.41 to 10.0.17 (back in 2/22) the FileUpload class broke. I fixed that thanks to postings on stackoverflow, but now that I've upgraded to 10.1.13 it is broken again!

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-10 Thread Mark Thomas
(or whatever it is called) in an appropriate directory - ensure that directory is included in java.library.path (use setenv.bat) - ensure the OpenSSLLifecycleListener is configured in server.xml - start Tomcat HTH, Mark On Fri, Nov 10, 2023, 01:48 Mark Thomas wrote: On 10/11/2023 00:59, Eduardo

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-09 Thread Mark Thomas
On 10/11/2023 00:59, Eduardo Guadalupe wrote: Hi, I wanted to test the OpenSSL integration using the FFM API rather than Tomcat Native in Apache Tomcat 11.0.0-M14. Starting Tomcat is printing an error: Failed to initialize the SSLEngine. java.lang.UnsatisfiedLinkError: no ssl in

Re: Chunk size error after upgrading JRE

2023-11-07 Thread Mark Thomas
On 07/11/2023 14:05, Tuukka Ilomäki wrote: We have a very old application running on Tomcat 8.5.90. After upgrading from JRE 8.0.252.09 from AdoptOpenJDK to 8u302b08 from Temurin (both pretty old, I know, also newer JREs exhibit the same issue) we started having NS_ERROR_NET_PARTIAL_TRANSFER

Re:

2023-11-07 Thread Mark Thomas
g On 06/11/2023 12:19, Mark Thomas wrote: On 06/11/2023 10:57, Greg Huber wrote: >> The maximum useful size will be the total size of static resources (i.e. everything NOT under WEB-INF/lib or WEB-INF/classes). Since I have nothing in either of these, it's all mapped in the PostReso

Re: TLD jar scanning at Tomcat Startup

2023-11-07 Thread Mark Thomas
On 06/11/2023 20:53, charles didonato wrote: Good Evening, Tomcat 9.082 on Windows 11. Tomcat runs as a Windows service. When I start Tomcat and deploy my war file, it hangs at the following in the Catalina Log: 06-Nov-2023 15:21:59.819 INFO [main]

Re: WebApp Mutual TLS for connecting to third party REST service

2023-11-06 Thread Mark Thomas
On 06/11/2023 17:03, Brian Wolfe wrote: Is there a way to use JSSE in tomcat to manage TLS mutual auth for when a process in tomcat is acting as a client during a REST call to use a client certificate from a keystore to authenticate to the third party? Or is this something that has to be handled

Re:

2023-11-06 Thread Mark Thomas
e jars, and add a bit for luck.  (ie 85mb +5mb). The "i.e. everything NOT under WEB-INF/lib or WEB-INF/classes" is irrespective of which resource collection it is in. So JARs from PostResources won't be cached. Mark Thanks On 06/11/2023 09:43, Mark Thomas wrote: On 05/11/2023 1

Re: tomcat 10

2023-11-06 Thread Mark Thomas
On 06/11/2023 06:46, 一直以来 wrote: Why do I print System.out.println(request) as different objects in the servlet for the request in tomcat10? Is the request object not reused in tomcat10? There is a pool of cached request objects. Each request is also accessed via a facade (which is

Re:

2023-11-06 Thread Mark Thomas
the cache brings. Those benefits are going to be application (and hardware) dependent. Mark Thanks Greg On Sun, 5 Nov 2023 at 15:31, Christopher Schultz < ch...@christopherschultz.net> wrote: Greg and Mark, On 11/5/23 09:31, Mark Thomas wrote: On 05/11/2023 10:18, Greg Huber wrot

Re:

2023-11-05 Thread Mark Thomas
asses. eg: As its purely for development guess it makes no difference? I doubt you'll notice if you disable it. Mark Cheers Greg On 05/11/2023 10:02, Mark Thomas wrote: On 04/11/2023 11:03, Greg Huber wrote: Hello, I am using the and to run tomcat for debugging my app (and it is pret

Re:

2023-11-05 Thread Mark Thomas
On 04/11/2023 11:03, Greg Huber wrote: Hello, I am using the and to run tomcat for debugging my app (and it is pretty awesome). I am getting the cache warning limit, as it is 10mb, what effect would it have if I turned off the cache ie cachingAllowed="false" rather than having to increase

Re: Verifying Tomcat downloads

2023-11-03 Thread Mark Thomas
On 03/11/2023 15:45, James H. H. Lampert wrote: Forgive me if this might be a bit off-topic. But I haven't found a lot of resources on the subject (and that includes a search of List archives). For years now, I've been ignoring the note on the Tomcat download pages to verify the downloads,

Re: Need Help : Unable to write back a response error code from ReadListener#onError

2023-10-31 Thread Mark Thomas
On 30/10/2023 22:25, Adwait Kumar Singh wrote: Hi, I am using the async Servlet API and NIO, by setting a ReadListener. In the onError of the ReadListener, I am catching a SocketTimeoutException and trying to send back an error code 408. Here is the simplified example of what I am trying to

Re: Java 9+ and custom JCE/JSSE providers

2023-10-31 Thread Mark Thomas
On 31/10/2023 14:22, Amit Pande wrote: Hello, I am in the process of updating https://github.com/amitlpande/tomcat-9-fips page for version later than Java 8. Ran into an issue: 1. Was looking to configure the additional bouncy castle providers in the Java install itself by: *

Re: How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-10-27 Thread Mark Thomas
On 26/10/2023 11:05, yanyizhong wrote: Hi Tomcat team, Version: Tomcat 10.1.15 I am trying to upgrade Tomcat from version 9.0.56 into 10.1.15, and found that there is no setKeystorePass(String) method in tomcat 10.1.15. As we want to use the custom keystore encryption password in

Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-26 Thread Mark Thomas
1. Do not cross-post the same question to multiple lists. 2. Do not post the same question multiple times if you don't get an answer as quickly as you would like. We are all volunteers here. If you want a guaranteed SLA then pick your preferred vendor and pay for support. Mark 27 Oct 2023

Re: Tomcat 9.0.75 ignoring session timeout configured in tomcat conf web.xml

2023-10-26 Thread Mark Thomas
26 Oct 2023 05:01:49 Channa Puchakayala : Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 ignoring session timeout configured in tomcat/conf/web.xml, it is overriding previous session timeout setting and affecting existing customers.

Re: Question about releases available for download

2023-10-18 Thread Mark Thomas
On 18/10/2023 18:29, Mcalexander, Jon J. wrote: Hi Mark, et-al, With the recursion error with these releases in mind, should 8.5.94, 9.0.81, and 10.1.15 be available for download via the archives? Should they not be removed and a note placed in the location that they have been removed due to

Re: Tomcat minor update

2023-10-18 Thread Mark Thomas
On 17/10/2023 22:47, Aditya Shastri wrote: Hello, We have several tomcat instances that use a single CATALINA_HOME which is a symlink for a specific version. The Tomcat instance we use is very barebones and doesn't have any of the apps that come with it. For example, The CATALINA_HOME points

Re: [IE] Re: CVE-2023-42794 on 10.1.x

2023-10-17 Thread Mark Thomas
Anglin* On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas wrote: 17 Oct 2023 16:51:38 Donal Anglin : Hey all, Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice: The Sonatype Security Research team discovered

Re: CVE-2023-42794 on 10.1.x

2023-10-17 Thread Mark Thomas
17 Oct 2023 16:51:38 Donal Anglin : Hey all, Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice: The Sonatype Security Research team discovered that this vulnerability is also present and remains unfixed in the

Re: error valve

2023-10-16 Thread Mark Thomas
On 16/10/2023 23:04, Mcalexander, Jon J. wrote: Good afternoon all! I have a question around the error valve. It mentions that if you want you can supply custom error pages that need to be relative to $CATALINA_BASE. My question is, just where should this go? Do you typically create an errors

[ANN] Apache Tomcat 11.0.0-M13 (alpha) available

2023-10-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M13 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Deploy an application (upgrade/downgrade) - Remove Cache/Directories

2023-10-10 Thread Mark Thomas
On 10/10/2023 13:38, a.grub...@bluewin.ch wrote: Dear all I have a question. When I deploy a new application (either downgrade or upgrade), what is mandatory to be done apart from ReleaseNotes for the application? I ask specifically about removing certain directories from the Tomcat structure, also topic

Re: Problems with tomcat-users.xml

2023-10-10 Thread Mark Thomas
On 10/10/2023 13:03, Mark Linton wrote: Hello Tomcat users. Is there a forum (like a webpage that we can search for previous questions?)... lists.apache.org I am experiencing an issue with logging on to the manager and hosts webpage(s). What issue? Please see the tomcat-users.xml

[SECURITY] CVE-2023-45648 Apache Tomcat - Request Smuggling

2023-10-10 Thread Mark Thomas
CVE-2023-45648 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: Tomcat did not

[SECURITY] CVE-2023-44487 Apache Tomcat - HTTP/2 DoS

2023-10-10 Thread Mark Thomas
CVE-2023-44487 Apache Tomcat - HTTP/2 DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: Tomcat's HTTP/2

[SECURITY] CVE-2023-42795 Apache Tomcat - information disclosure

2023-10-10 Thread Mark Thomas
CVE-2023-42795 Apache Tomcat - information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: When

[SECURITY] CVE-2023-42794 Apache Tomcat - denial of service

2023-10-10 Thread Mark Thomas
CVE-2023-42794 Apache Tomcat - denial of service Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.70 to 9.0.80 Apache Tomcat 8.5.85 to 8.5.93 Description: Tomcat's internal fork of a Commons FileUpload included an unreleased, in progress refactoring

Re: Sharing catalina home among tomcat machines in a load balanced environment gives problems with log files

2023-10-10 Thread Mark Thomas
Running multiple instances of Tomcat from the same CATALINA_BASE is totally unsupported. This isn't one of those "We don't technically support that but you should be OK situations". This is one of the rare "You do that and it *will* break and you will be on your own when it does." situations.

Re: Need help tomcat

2023-10-03 Thread Mark Thomas
Deepak Lalchandani wrote: Hi Mark, In Apache Tomcat website I can install 10.1 only, when I configure the server by clicking on Add server and select location of tomcat server, it adds 10.1.3 and the error with red symbol appears Regards, Deepak On Mon, 2 Oct 2023, 10:58 pm Mark

Re: need help in solving CVE-2020-1938 error regards

2023-10-03 Thread Mark Thomas
On 03/10/2023 06:16, Nithin P wrote: Hi, I'm using Apache Ofbiz v18.12.06 While I'm trying to upload an image for vulnerability scanning it shows CVE-2020-1938. I have tried to update to the latest version having the same issue, Does Anyone know where the tomcat conf files are stored in the

[ANN] Apache Tomcat Native 1.2.39 released

2023-10-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.39 stable. The key features of this release are: - Disable OCSP if the insecure optionalNoCA certificate verification option is used - The binaries for Windows in this release have been built with OpenSSL

Re: Need help tomcat

2023-10-02 Thread Mark Thomas
On 02/10/2023 18:23, Deepak Lalchandani wrote: The Apache Tomcat installation at this directory is version 10.1.13. A Tomcat 10.0 installation is expected The above is error message I'm getting. Please resolve and screenshots are detached from e-mail The error looks pretty clear to me.

Re: Websocket: Disable compression/permessage-deflate

2023-10-02 Thread Mark Thomas
On 02/10/2023 09:35, Leonard wrote: Hi, I am debugging a performance issue related to sending binary WebSocket messages using Tomcat (embed/Spring Boot) 10.1.4 on Java 20 and MacOS 13.5.2. For this I try to disable compression ("PerMessageDeflate") when sending messages. The solution

[ANN] Apache Tomcat Native 2.0.6 released

2023-10-02 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.6 stable. The key features of this release are: - Disable OCSP if the insecure optionalNoCA certificate verification option is used - The binaries for Windows in this release have been built with OpenSSL

Re: Best way to *programmatically* detect that all webapps are fully deployed and running?

2023-09-30 Thread Mark Thomas
On 29/09/2023 20:20, Bruno Melloni wrote: On a tomcat server I have a number of REST services deployed as WARs. There are interdependencies and even applications on other servers that call them, so I really don't want to start calling services after starting Tomcat until every single webapp is

Re: Jakarta migration issue in Tomcat 10.1.12 with Java 11

2023-09-28 Thread Mark Thomas
28 Sept 2023 03:22:26 Muralisankar Srinivasan : Dear Users, I am facing the following Exceptions from the Java Maven application which is migrated from Javax to Jakarta, using "jakartaee-migration-1.0.7". The application was successful in "Apache Tomcat Version 9.0.64". Please suggest the

Re: [External]Re: Tomcat 10 on RHEL 8 with Java 17

2023-09-28 Thread Mark Thomas
n 28/09/2023 00:22, Christopher Bland wrote: Hi Everyone, I’m making progress. I started from scratch again adding pieces back one by one. It seems like I am seeing the following errors with my configuration Could not load Logmanager "org.apache.logging.log4j.jul.LogManager"

Re: SSLHostConfig question

2023-09-26 Thread Mark Thomas
On 26/09/2023 16:50, Christopher Schultz wrote: Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the   section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX"

Re: I forget: does Tomcat have any problems with *not* having a ROOT context?

2023-09-25 Thread Mark Thomas
On 25/09/2023 17:17, James H. H. Lampert wrote: I probably asked the question before, but does Tomcat have any problems with not having a ROOT context? None I am aware of although there may be some edge cases. Past precedence is that any such edge cases would be treated as bugs and fixed in

Re: Exception thrown whilst processing POSTed parameters when SSL is enabled in TOMCAT

2023-09-25 Thread Mark Thomas
On 25/09/2023 10:50, Aniket Pachpute wrote: Hi, We are getting a timeout exception when POST request size is >8k and SSL is enabled in the tomcat. Below are the exception details: org.apache.catalina.connector.Request.parseParameters Exception thrown whilst processing POSTed parameters

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Mark Thomas
On 13/09/2023 14:00, Shawn Heisey wrote: On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer. No need to convert it

[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

2023-09-13 Thread Mark Thomas
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48 Description: In some circumstances, such as when a configuration included

[ANN] Apache Tomcat Connectors 1.2.49 released

2023-09-12 Thread Mark Thomas
The Apache Tomcat Connectors project is part of the Tomcat project and provides web server plugins for httpd (mod_jk) and IIS (ISAPI) to connect those web servers with Tomcat and other backends. The Apache Tomcat Project is proud to announce the release of version 1.2.49 of the Apache Tomcat

Re: page extends not working???

2023-09-09 Thread Mark Thomas
On 09/09/2023 11:52, Aryeh Friedman wrote: Every other jsp in my webapp (and other webapps on the same tomcat instance [9.0.75]) works and I am using the default container but as curl/catalina.out show BasePage is *NEVER* being called (either the _jspService() or the getX()): How have you

Re: Virtual Threads

2023-09-07 Thread Mark Thomas
On 07/09/2023 15:41, Christopher Schultz wrote: On 9/6/23 16:29, Mark Thomas wrote: There isn't much point using an executor with virtual threads. Okay then why https://tomcat.apache.org/tomcat-11.0-doc/config/executor.html#Virtual_Thread_Implementation ? That is the internal

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 06/09/2023 21:24, Christopher Schultz wrote: On 9/6/23 03:29, Mark Thomas wrote: On 05/09/2023 22:02, Christopher Schultz wrote: Thanks for the correction. I just did a quick docs[1] search for "virtual" in Tomcat 10.x for example and I didn't see useVirtualThreads, so

Re: CVE referencing Tomcat are not also referencing Tomcat-embed

2023-09-06 Thread Mark Thomas
On 06/09/2023 20:04, Francois Marot wrote: Hello, I'm in the process of switching from Dependency-check [1] to Dependency-track [2] to analyse vulnerabilities on my dependencies. I analyze a classic spring boot webapp depending upon org.apache.tomcat.embed:tomcat-embed-core. Dependency Check

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 05/09/2023 22:02, Christopher Schultz wrote: Mark, On 9/5/23 15:55, Mark Thomas wrote: On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-09-05 Thread Mark Thomas
state of the ticket isn't updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -----Original Message----- From: Mark Thomas Sent: Monday, August 28, 2023

Re: Virtual Threads

2023-09-05 Thread Mark Thomas
On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when running on a version 19 or later JVM. Not quite. All current versions support virtual threads

Re: CIS Tomcat 8 Benchmark (v1.1.0) -- Questions

2023-09-05 Thread Mark Thomas
sibly not corrective. Improvements are definitely corrective as well as additive. Early versions of the guide had very odd advice regarding MIME type mapping that has since been removed. On Tue, Sep 5, 2023 at 9:36 AM Peter Kreuser wrote: Robert, While Mark Thomas will have a m

Re: Upgrading Embedded Tomcat 7.x to 10.x

2023-08-31 Thread Mark Thomas
On 30/08/2023 23:58, Matthew Robinson wrote: Please may I have some assistance to upgrade a JAVA Maven project which uses embedded Tomcat 7 to use embedded Tomcat 10? I’m having extreme difficulty determining the appropriate versions of the various components such that they play nice together.

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:51, Bhavesh Mistry wrote: Hi Mark, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' *Why? What problem are you trying to solve?* Host Header injection is a vulnerability that needs to be addressed., I am trying to solve if the host

Re: war file timestamp change

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:28, Loeschmann, Lori wrote: Hello, We have a Tomcat application which authenticates via CAS. The application and CAS reside on different servers. We also have an internal audit process that flags files on these servers when they change. It's a retroactive review of

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 08:00, Bhavesh Mistry wrote: Hi Mark, I am sorry for delayed response. Basically, when request url does not match host header then I would reject it. For example, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' Why? What problem are
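
Added example, not code from the thread and not Tomcat's own implementation: a small Python model of what the allowHostHeaderMismatch check actually compares, run against a request shaped like the curl command quoted above. The connector attribute governs one case, a request-line that carries an absolute-form target (GET http://www.mydomain.com/login HTTP/1.1) whose host differs from the Host header; an origin-form request (GET /login HTTP/1.1, which is what curl sends) has no host in the request line, so the setting never rejects it, and a spoofed Host on such a request can only be refused by an explicit allow-list. The names Verdict, check_host_header_mismatch, host_allowed and the sample requests are mine; the allow-list contents are an assumed configuration value.

```python
"""Request-line vs Host header consistency check (added example, not Tomcat code).

Tomcat's allowHostHeaderMismatch attribute (default false on current releases)
controls one check: a request whose request-line uses an absolute-form target
must name the same host in its Host header, otherwise it is rejected with 400
(RFC 7230 section 5.4). Origin-form requests carry no host in the request
line, so there is nothing to compare. Host names compare case-insensitively
(RFC 3986 section 3.2.2).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class Verdict:
    status: int               # 200: let the request through, 400: reject it
    reason: str
    target_host: Optional[str]
    header_host: Optional[str]


def parse_head(raw: bytes):
    """Split a request head into (target, headers). Header names are lower-cased
    and every occurrence is kept so that duplicate Host headers can be detected."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)  # ValueError if malformed
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("header line without ':'")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return target, headers


def check_host_header_mismatch(raw: bytes, allow_mismatch: bool = False) -> Verdict:
    """allow_mismatch=True corresponds to allowHostHeaderMismatch="true"."""
    try:
        target, headers = parse_head(raw)
    except ValueError as exc:
        return Verdict(400, f"malformed request head: {exc}", None, None)
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        # Missing or duplicated Host is a 400 regardless of this setting.
        return Verdict(400, f"expected exactly one Host header, got {len(hosts)}", None, None)
    header_host = hosts[0]
    if target.startswith("/") or target == "*":
        # Origin-form or asterisk-form: the request line names no host at all.
        return Verdict(200, "origin-form target: nothing in the request line to compare",
                       None, header_host)
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        return Verdict(400, "target is neither origin-form nor absolute-form", None, header_host)
    target_host = parts.netloc.rsplit("@", 1)[-1]   # drop any userinfo, keep host[:port]
    if target_host.lower() != header_host.lower() and not allow_mismatch:
        return Verdict(400, "request line host differs from Host header", target_host, header_host)
    return Verdict(200, "request line host matches Host header", target_host, header_host)


def host_allowed(header_host: str, allowed: Set[str]) -> bool:
    """Application-side allow-list: the check that rejects a spoofed Host on an
    origin-form request. The port is ignored and names compare case-insensitively.
    `allowed` is an assumed configuration value, not something Tomcat provides here."""
    name = header_host.rsplit("@", 1)[-1]
    if name.startswith("["):                       # IPv6 literal such as [::1]:8080
        name = name.split("]", 1)[0] + "]"
    else:
        name = name.split(":", 1)[0]
    return name.lower() in {a.lower() for a in allowed}


# Constructed sample requests (not captured traffic).
CURL_STYLE = (b"GET /login HTTP/1.1\r\n"
              b"Host: attackerHostHeaderInjection.com\r\n\r\n")
ABSOLUTE_MISMATCH = (b"GET http://www.mydomain.com/login HTTP/1.1\r\n"
                     b"Host: attackerHostHeaderInjection.com\r\n\r\n")
ABSOLUTE_CASE_ONLY = (b"GET http://WWW.MyDomain.COM/login HTTP/1.1\r\n"
                      b"Host: www.mydomain.com\r\n\r\n")
DUPLICATE_HOST = (b"GET /login HTTP/1.1\r\n"
                  b"Host: www.mydomain.com\r\n"
                  b"Host: attackerHostHeaderInjection.com\r\n\r\n")

if __name__ == "__main__":
    samples = [("curl origin-form", CURL_STYLE), ("absolute mismatch", ABSOLUTE_MISMATCH),
               ("case differs only", ABSOLUTE_CASE_ONLY), ("duplicate Host", DUPLICATE_HOST)]
    for label, raw in samples:
        v = check_host_header_mismatch(raw)
        print(f"{label:18} -> {v.status} {v.reason}")
    print("allow-list accepts spoofed Host:",
          host_allowed("attackerHostHeaderInjection.com", {"www.mydomain.com"}))
```

Running it shows the curl-shaped request passing the mismatch check with a 200 verdict while the absolute-form request with a different Host is refused, and that only host_allowed turns the spoofed Host away.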

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-29 Thread Mark Thomas
updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -Original Message- From: Mark Thomas Sent: Monday, August 28, 2023 11:20 AM To: Tomcat Users

Re: Disabling cipher warning

2023-08-29 Thread Mark Thomas
On 29/08/2023 20:53, David Cleary wrote: 2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the specified [ciphers] are not supported by the SSL engine and have been skipped: [Dozens of OpenSSL ciphers] We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-28 Thread Mark Thomas
:29 AM To: Tomcat Users List Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat Yes, understood. Thank you for clarifying. Even I was referring to initial consensus without any timeline or approach conclusion. Thanks, Amit -Original Message- From: Mark Thomas Sent: Friday

[SECURITY] CVE-2023-41080 Apache Tomcat - open redirect

2023-08-25 Thread Mark Thomas
CVE-2023-41080 Apache Tomcat - Open redirect Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.12 Apache Tomcat 9.0.0-M1 to 9.0.79 Apache Tomcat 8.5.0 to 8.5.92 Description: If the ROOT (default)
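
Added example, not Apache's or Dependency-Track's code, covering both the affected ranges in the advisory above and the tomcat-embed question raised earlier on this page: a Python checker that decides whether a Tomcat or tomcat-embed-core version falls inside the ranges listed for CVE-2023-41080. Tomcat milestone versions (11.0.0-M10) sort before the corresponding final release, so "9.0.0-M1 to 9.0.79" covers every 9.0.0 milestone as well as 9.0.1 to 9.0.79, and the fixed releases announced the same day (8.5.93, 9.0.80, 10.1.13, 11.0.0-M11) sit just past each range. tomcat-embed-core carries the same version number as the Tomcat release it is built from, which is what makes the embed purl checkable against the same ranges; the purl parsing, the SAMPLE_PURLS list and the function names are mine.

```python
"""Affected-version check for CVE-2023-41080 (added example, not Apache code).

Version ranges are copied from the advisory text. Tomcat milestone builds
(11.0.0-M10) precede the final release of the same number, which the sort key
below encodes explicitly. The purl handling is an assumption limited to Maven
purls for the org.apache.tomcat and org.apache.tomcat.embed group ids.
"""
import re
from typing import List, Optional, Tuple

# (first affected, last affected) pairs from the advisory.
CVE_2023_41080_AFFECTED = [
    ("11.0.0-M1", "11.0.0-M10"),
    ("10.1.0-M1", "10.1.12"),
    ("9.0.0-M1", "9.0.79"),
    ("8.5.0", "8.5.92"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Sort key (major, minor, patch, kind, milestone): kind 0 = milestone,
    kind 1 = final, so 11.0.0-M10 < 11.0.0 while 11.0.0-M2 < 11.0.0-M10."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str, ranges=CVE_2023_41080_AFFECTED) -> bool:
    """True when `version` lies inside any (lo, hi) range, bounds inclusive."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges)


# Assumption: only these two group ids are treated as Tomcat artifacts.
_PURL_RE = re.compile(r"^pkg:maven/org\.apache\.tomcat(?:\.embed)?/([^@/]+)@([^?#]+)")


def version_from_purl(purl: str) -> Optional[str]:
    """Version of a Tomcat Maven artifact named by a purl; None for anything else."""
    m = _PURL_RE.match(purl)
    return m.group(2) if m else None


def scan_sbom_purls(purls: List[str]) -> List[Tuple[str, str]]:
    """Return (purl, version) for every Tomcat artifact inside an affected range."""
    hits = []
    for purl in purls:
        version = version_from_purl(purl)
        if version is not None and is_affected(version):
            hits.append((purl, version))
    return hits


# Constructed component list in the shape an SBOM upload would carry (not real data).
SAMPLE_PURLS = [
    "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.79",
    "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.13",
    "pkg:maven/org.apache.tomcat/tomcat-catalina@8.5.92",
    "pkg:maven/org.apache.tomcat/tomcat-catalina@11.0.0-M11",
    "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.3",
]

if __name__ == "__main__":
    for purl, version in scan_sbom_purls(SAMPLE_PURLS):
        print(f"affected by CVE-2023-41080: {purl} (version {version})")
```

The same key ordering is what lets a scanner treat "9.0.0-M1 to 9.0.79" as a single closed interval instead of special-casing milestones; any tool that compares Tomcat versions as plain dotted numbers will misplace the milestone builds.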

[ANN] Apache Tomcat 8.5.93 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.93. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.93 is a bugfix and

[ANN] Apache Tomcat 9.0.80 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.80. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.80 is a bugfix and

[ANN] Apache Tomcat 10.1.13 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.13. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 11.0.0-M11 (alpha) available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M11 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
