Re: Get Client Certificate Information

2023-06-21 Thread Martynas Jusevičius
Sorry, getHttpServletRequest() came from my code :) It’s not a Jakarta method. In JAX-RS frameworks such as Jersey you can use @Context or @Inject annotations to get request and servlet context objects (such as HttpServletRequest):

Re: Get Client Certificate Information

2023-06-11 Thread Martynas Jusevičius
You can get client certificates from ServletRequest: X509Certificate[] certs = (X509Certificate[])getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
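
The two replies above together describe the whole recipe: inject the HttpServletRequest with @Context, then read the certificate array from the request attribute. The following is an added example that puts both steps into one JAX-RS resource; it is not code from either post. It assumes a Tomcat 10 / Jakarta EE classpath (jakarta.* packages) and a connector configured with certificateVerification="required" or "optional"; the resource path /whoami and the class name are placeholders. On Tomcat 9 and earlier the same array is stored under javax.servlet.request.X509Certificate.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

/**
 * Added example (not from the thread): reads the TLS client certificate that
 * Tomcat exposes on the request and returns a short summary of it.
 */
@Path("/whoami")
public class ClientCertResource {

    // Tomcat only sets this attribute when the connector asked for a client
    // certificate and the client actually presented one.
    static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";

    @Context
    private HttpServletRequest request;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI() {
        X509Certificate leaf = clientCertificate(request);
        if (leaf == null) {
            // No certificate presented (or TLS was terminated in front of Tomcat).
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity("no client certificate presented").build();
        }
        try {
            leaf.checkValidity(); // expired / not-yet-valid certificates throw here
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return Response.status(Response.Status.FORBIDDEN)
                    .entity("client certificate not currently valid: " + e.getMessage()).build();
        }
        return Response.ok(describe(leaf)).build();
    }

    /** Returns the client's own (end-entity) certificate, or null if none was sent. */
    static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        // Element 0 is the leaf; any further elements are the chain the client sent.
        return chain.length == 0 ? null : chain[0];
    }

    static String describe(X509Certificate cert) {
        StringBuilder sb = new StringBuilder();
        sb.append("subject=").append(cert.getSubjectX500Principal().getName()).append('\n');
        sb.append("issuer=").append(cert.getIssuerX500Principal().getName()).append('\n');
        sb.append("serial=").append(cert.getSerialNumber().toString(16)).append('\n');
        sb.append("notAfter=").append(cert.getNotAfter()).append('\n');
        return sb.toString();
    }
}
```

Two caveats a practitioner will hit: the attribute is absent when TLS is terminated by a reverse proxy such as nginx, unless the proxy forwards the certificate and Tomcat's org.apache.catalina.valves.SSLValve is configured to rebuild the attribute from those headers; and the presence of the array only proves the TLS handshake accepted the certificate, so any authorisation decision still needs a check of the subject, issuer or fingerprint against what the application expects.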

Re: [10.1.4] Dots in URL

2023-03-06 Thread Martynas Jusevičius
Thanks. On Mon, 6 Mar 2023 at 13.32, Mark Thomas wrote: > On 06/03/2023 12:24, Martynas Jusevičius wrote: > > Hi, > > > > I have a JAX-RS application deployed on Tomcat. > > > > When a URL contains dots, I get a 422 Unprocessable Entity response > > w

[10.1.4] Dots in URL

2023-03-06 Thread Martynas Jusevičius
Hi, I have a JAX-RS application deployed on Tomcat. When a URL contains dots, I get a 422 Unprocessable Entity response which looks like it's coming from Tomcat. When I remove the dots, the request works fine and reaches my application. Is that Tomcat's behavior? Martynas

Re: [10.1.4] If-None-Match does not conform to RFC 7230 and has been ignored

2022-12-15 Thread Martynas Jusevičius
sually in response to request smuggling concerns. > > CR 0x0d carriage return > LF 0x0a line feed > > HTH, > > Mark > > > On 15/12/2022 21:23, Mark Thomas wrote: > > Sounds good. Could you send it directly to me again please. > > > > Thanks. > > >

Re: [10.1.4] If-None-Match does not conform to RFC 7230 and has been ignored

2022-12-15 Thread Martynas Jusevičius
5/12/2022 20:03, Mark Thomas wrote: > > Hi Martynas, > > > > The list strips (nearly all) attachments. Please send it to me directly > > and I'll let you know if it is what we need. > > > > Mark > > > > > > On 15/12/2022 19:51, Martynas Juseviči

Re: [10.1.4] If-None-Match does not conform to RFC 7230 and has been ignored

2022-12-15 Thread Martynas Jusevičius
Mark > > > On 15/12/2022 16:17, Martynas Jusevičius wrote: > > Hi, > > > > After upgrading from 9.0.59 to 10.1.4, I've started getting these kind > > of errors: > > > > java.lang.IllegalArgumentException: The HTTP header line > > [if-no

[10.1.4] If-None-Match does not conform to RFC 7230 and has been ignored

2022-12-15 Thread Martynas Jusevičius
Hi, After upgrading from 9.0.59 to 10.1.4, I've started getting these kind of errors: java.lang.IllegalArgumentException: The HTTP header line [if-none-match:"e76590d5""] does not conform to RFC 7230 and has been ignored. at
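
The error message names the RFC 7230 header-field grammar, so it helps to see what that grammar actually accepts. The following is an added example, not code from the thread, that checks a raw header line against that grammar (token ":" OWS field-value OWS). The inputs in main() are constructed: the doubled quote from the post is a legal field-value on its own (DQUOTE is a VCHAR), whereas a bare CR or LF inside the value, or whitespace between the name and the colon, is what the grammar rejects; Tomcat tightened these checks because bare CR/LF in headers is a request-smuggling and header-injection vector.

```java
/**
 * Added example, not code from the thread: checks a raw HTTP/1.1 header line
 * (without its terminating CRLF) against the RFC 7230 header-field grammar
 * that Tomcat's "does not conform to RFC 7230" message refers to.
 */
public final class HeaderLineCheck {

    private HeaderLineCheck() {}

    /** tchar, RFC 7230 section 3.2.6: the characters allowed in a field-name. */
    static boolean isTchar(char c) {
        if (c >= 'a' && c <= 'z') return true;
        if (c >= 'A' && c <= 'Z') return true;
        if (c >= '0' && c <= '9') return true;
        return "!#$%&'*+-.^_`|~".indexOf(c) >= 0;
    }

    /**
     * Octets allowed inside a field-value: field-vchar = VCHAR / obs-text
     * (0x21-0x7E, 0x80-0xFF), plus SP and HTAB between them. CR, LF, the other
     * control characters and DEL are never allowed.
     */
    static boolean isFieldValueOctet(char c) {
        return c == 0x09 || c == 0x20 || (c >= 0x21 && c <= 0x7E) || (c >= 0x80 && c <= 0xFF);
    }

    static boolean isToken(String s) {
        if (s.isEmpty()) return false;
        for (int i = 0; i < s.length(); i++) {
            if (!isTchar(s.charAt(i))) return false;
        }
        return true;
    }

    static boolean isFieldValue(String s) {
        for (int i = 0; i < s.length(); i++) {
            // A header is a sequence of octets; a char above 0xFF means the caller
            // already decoded the bytes with the wrong charset, so reject it too.
            if (!isFieldValueOctet(s.charAt(i))) return false;
        }
        return true;
    }

    /** Strips OWS (SP / HTAB only). String.trim() would also swallow CR and LF and hide them. */
    static String stripOws(String s) {
        int start = 0, end = s.length();
        while (start < end && (s.charAt(start) == ' ' || s.charAt(start) == '\t')) start++;
        while (end > start && (s.charAt(end - 1) == ' ' || s.charAt(end - 1) == '\t')) end--;
        return s.substring(start, end);
    }

    /** True when the line is a well-formed header-field. */
    public static boolean isValidHeaderLine(String line) {
        int colon = line.indexOf(':');
        if (colon <= 0) return false;                       // no separator, or empty name
        String name = line.substring(0, colon);             // RFC 7230: no whitespace before ':'
        String value = stripOws(line.substring(colon + 1));
        return isToken(name) && isFieldValue(value);
    }

    public static void main(String[] args) {
        // Constructed inputs: the line from the post, the same line with a bare CR
        // spliced into the value, and a name followed by a space before the colon.
        String fromThread  = "if-none-match:\"e76590d5\"\"";
        String bareCr      = "if-none-match:\"e76590d5\"\r\"";
        String spaceInName = "if-none-match :\"e76590d5\"";
        for (String line : new String[] { fromThread, bareCr, spaceInName }) {
            System.out.println(isValidHeaderLine(line) + "  <- " + line.replace("\r", "\\r"));
        }
    }
}
```

Because the doubled quote passes this check, a header line that Tomcat logs as non-conforming usually carries something the log line does not show, such as a bare CR or LF; capturing the raw bytes of the request (as Mark asks for further down the thread) is the way to find it.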

Re: Publishing Tomcat webapp

2022-07-18 Thread Martynas Jusevičius
Hi, Wouldn’t this setup be easier to deploy as a Docker container? We have an image with SSL server cert support: https://github.com/AtomGraph/letsencrypt-tomcat On Mon, 18 Jul 2022 at 16.09, Aryeh Friedman wrote: > Here are the steps to installing a SSL cert (it varies slightly based > on

Re: Tomcat fails to start in Docker on Amazon ECS

2021-05-15 Thread Martynas Jusevičius
My bad :) CATALINA_OPTS was malformed. On Sat, May 15, 2021 at 10:19 AM Martynas Jusevičius wrote: > > Hi, > > I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very > end of the entrypoint script calls 'catalina.sh run'. > > This has worked fine bot

Tomcat fails to start in Docker on Amazon ECS

2021-05-15 Thread Martynas Jusevičius
Hi, I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very end of the entrypoint script calls 'catalina.sh run'. This has worked fine both on my local Windows and on a CentOS server. However when I start a container on Amazon ECS with AMI Linux, I get the error below when

Re: Defining environment variables for a webapp ?

2021-04-14 Thread Martynas Jusevičius
Rony, you might want to look into containerizing your webapps. We use an XSLT stylesheet (invoked by the entrypoint script) that transforms env params into context.xml params: https://github.com/AtomGraph/LinkedDataHub/blob/master/platform/context.xsl Martynas On Wed, Apr 14, 2021 at 2:16 PM

Re: Dynamic Configuration on TC startup

2021-02-23 Thread Martynas Jusevičius
I think this is where you need to wrap your apps into Docker images :) See this base image for example: https://hub.docker.com/r/atomgraph/letsencrypt-tomcat It configures server.xml by using an XSLT stylesheet and environmental parameters:

Re: Not able to connect to Tomcat 9.0.39 instance using jconsole/jvisualvm

2021-02-02 Thread Martynas Jusevičius
Not sure if related, but JPDA address config changed from - JPDA_ADDRESS=8000 on Tomcat 8 to - JPDA_ADDRESS=*:8000 on Tomcat 9 (i.e. host needs to be included, or a wildcard). On Tue, Feb 2, 2021 at 12:22 PM Suvendu Sekhar Mondal wrote: > > Hello Everyone, > > We recently migrated Tomcat from

Rate limiting

2021-02-01 Thread Martynas Jusevičius
Hi, How do I limit request rates using Tomcat 9.0.x? Something similar to limit_req in nginx: https://www.nginx.com/blog/rate-limiting-nginx/ Martynas atomgraph.com - To unsubscribe, e-mail:
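
As an added example, not code from the post or from Tomcat, here is the nginx limit_req idea (a per-client counter over a time window) done as a servlet Filter, which is the portable way to add it to a webapp on Tomcat 9. It assumes the javax.servlet API of Tomcat 9; the init-param names maxRequests and windowSeconds are this example's own invention.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): a fixed-window, per-client-IP request
 * limit as a servlet Filter. Defaults to 60 requests per 10-second window.
 */
public class RateLimitFilter implements Filter {

    private int maxRequests = 60;
    private long windowMillis = 10_000L;

    private static final class Window {
        final long start;
        final AtomicInteger count = new AtomicInteger();
        Window(long start) { this.start = start; }
    }

    private final ConcurrentHashMap<String, Window> windows = new ConcurrentHashMap<>();

    @Override
    public void init(FilterConfig cfg) {
        // Hypothetical init-params; both are optional.
        String max = cfg.getInitParameter("maxRequests");
        String win = cfg.getInitParameter("windowSeconds");
        if (max != null) maxRequests = Integer.parseInt(max);
        if (win != null) windowMillis = Long.parseLong(win) * 1000L;
    }

    /** Returns true if a request for this key is allowed at time {@code now}. */
    boolean allow(String key, long now) {
        Window w = windows.compute(key, (k, old) ->
                (old == null || now - old.start >= windowMillis) ? new Window(now) : old);
        return w.count.incrementAndGet() <= maxRequests;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Behind nginx or another reverse proxy, pair this with RemoteIpValve or
        // RemoteIpFilter so getRemoteAddr() is the client address, not the proxy's.
        long now = System.currentTimeMillis();
        if (!allow(req.getRemoteAddr(), now)) {
            HttpServletResponse resp = (HttpServletResponse) res;
            resp.setHeader("Retry-After", Long.toString(windowMillis / 1000L));
            resp.sendError(429, "Too Many Requests");
            return;
        }
        chain.doFilter(req, res);
        // Drop expired windows now and then so the map cannot grow without bound
        // under a flood of distinct source addresses.
        if (windows.size() > 10_000) {
            windows.entrySet().removeIf(e -> now - e.getValue().start >= windowMillis);
        }
    }

    @Override
    public void destroy() {
        windows.clear();
    }
}
```

Register it in web.xml with a filter and filter-mapping entry for the paths to protect. A fixed window lets a client send up to twice maxRequests across a window boundary; if that matters, replace Window with a token bucket. Newer Tomcat releases also ship their own org.apache.catalina.filters.RateLimitFilter, which is worth checking before keeping a custom one.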

Re: Max heap size when using -XX:MaxRAMPercentage

2020-11-11 Thread Martynas Jusevičius
Christopher, thanks for your reply. Answers inline. > > What I see in the profiler is Max Heap Size 310378496 B, which is only 0.28 > > GiB. > > This is probably the maximum size of the /used/ heap. Can you confirm that? Nope. Netbeans profiler says: Max Heap Size 310378496 B, Max Used Heap

Max heap size when using -XX:MaxRAMPercentage

2020-11-11 Thread Martynas Jusevičius
Hi, I am attempting to make my webapps that run in Tomcat take advantage of the Docker container-specific JVM options such as -XX:MaxRAMPercentage: https://www.eclipse.org/openj9/docs/xxinitialrampercentage/ TL;DR It allows specifying JVM heap as % of the container memory limit rather than

Re: completely automated (for real) Let's Encrypt on embedded Tomcat

2020-10-04 Thread Martynas Jusevičius
https://github.com/AtomGraph/letsencrypt-tomcat On Sun, Oct 4, 2020 at 8:04 PM Garret Wilson wrote: > > Hi, everyone. I'm back already. (I had intended to leave the list to > focus my efforts elsewhere, but … here I am again.) > > I just realized there is a big SSL problem for small

Connector compressibleMimeType

2020-03-26 Thread Martynas Jusevičius
Hi, I enabled GZip compression on Tomcat 8.0.44. Then I noticed that text/html documents are getting compressed, but others were not. I guess this is due to the default compressibleMimeType? Which is "text/html,text/xml,text/plain,text/css,text/javascript,application/javascript".

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
> > >On 3/17/20 3:18 PM, Martynas Jusevičius wrote: > >> why should DELETE or OPTIONS not be enabled? They are standard HTTP > >methods. > > > >True, but (quoting the audit report) > >> . . . [DELETE] may allow a remote attacker to delete arbitrary file

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
Hi, why should DELETE or OPTIONS not be enabled? They are standard HTTP methods. On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert wrote: > > Ladies and Gentlemen: > > One of our customers did a security audit on the Tomcat server we > maintain on their system, and it found a few issues: > >

Re: Client cert auth on demand

2020-03-02 Thread Martynas Jusevičius
%3A5443 test %{QUERY_STRING} to rule with pattern ^(.*)(localhost\%3A5443)(.*)$ and substitution $1localhost$3 On Mon, Mar 2, 2020 at 11:51 AM Martynas Jusevičius wrote: > > No matter where I place the rewrite.config, cannot get the > RewriteValve to find it. > > I tried: > * /usr

Re: Client cert auth on demand

2020-03-02 Thread Martynas Jusevičius
] org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for [org.apache.catalina.valves.rewrite.RewriteValve[]] to [STARTED] On Sun, Mar 1, 2020 at 2:15 PM Martynas Jusevičius wrote: > > I hit a snag with the query string. In some cases it contains the > webapp base URI in a query

Re: Client cert auth on demand

2020-03-01 Thread Martynas Jusevičius
Martynas Jusevičius wrote: > > Thanks! I actually needed proxyPort="443" to make the URL > https://localhost, but your suggestion did the trick. > > On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote: > > > > > > > > On 28/02/2020 22:26, Martyna

Re: Client cert auth on demand

2020-02-29 Thread Martynas Jusevičius
Thanks! I actually needed proxyPort="443" to make the URL https://localhost, but your suggestion did the trick. On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote: > > > > On 28/02/2020 22:26, Martynas Jusevičius wrote: > > Yes the clients connect only directly to

Re: Client cert auth on demand

2020-02-28 Thread Martynas Jusevičius
/443 instead of localhost:90/5443. Absolute URIs matter in this case because they are used for direct lookups in an RDF triplestore and RDF uses absolute URIs. On Fri, Feb 28, 2020 at 10:59 PM Mark Thomas wrote: > > On 28/02/2020 21:00, Martynas Jusevičius wrote: > > Setti

Re: Client cert auth on demand

2020-02-28 Thread Martynas Jusevičius
n context.xml would be ideal. On Thu, Feb 27, 2020 at 11:52 AM Martynas Jusevičius wrote: > > Tomcat is deep within the Docker image configured with a single > connector and a single ROOT webapp, so it's easier to deploy a second > container than to add a second connector or context :)

Re: Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
10:28, Martynas Jusevičius wrote: > > Yes, that could be an option. Or, since we're on Docker, a second > > instance of the webapp on a different port would be easier. > > > > But we would need to add some URL rewriting proxy before that > > connector to strip tha

Re: Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
with nginx which we are using anyway. So essentially 2 webapps on different ports, one configured without the clientAuth for the end-users, and one with clientAuth for the API access, correct? On Thu, Feb 27, 2020 at 11:18 AM Mark Thomas wrote: > > On 27/02/2020 09:58, Martynas Jusevičius wrote:

Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
Hi list, I'm using a Docker image based on tomcat:8.0-jre8. It serves as an end-user facing webapp but also as a REST API which authenticates using client certificates. The same URLs serve both purposes, however only administrators are using the API. The Connector is configured using

Re: Tomcat app within docker container

2020-01-10 Thread Martynas Jusevičius
Why build the webapp outside Docker? It means that docker build is not enough to give you an image, it needs some extra steps beforehand. On Fri, Jan 10, 2020 at 12:47 PM Alex K wrote: > > Just to follow-up on this in case it will be useful to anyone, I managed to > use also the official tomcat

Re: [OT] Tomcat app within docker container

2020-01-09 Thread Martynas Jusevičius
Forget Kubernetes for now :) My recipe is using a multi-stage build. Very crudely:

FROM maven AS maven
# build your webapp into a .war
RUN mvn clean install

FROM tomcat
COPY --from=maven /webapp/target/ROOT webapps/ROOT/

It copies the whole folder from the build directory rather than the .war

Re: HTTP to HTTPS redirect not happening

2019-07-20 Thread Martynas Jusevičius
Richard, I think the rule goes that you should avoid touching server.xml for something that web.xml can do. On Sun, Jul 21, 2019 at 4:40 AM Richard Huntrods wrote: > > I apologise for top posting in advance, but just a quick update and > quicker question... > > After Konstantin found my typo, I

Re: OT: Tomcat on AWS for Dummies

2019-07-19 Thread Martynas Jusevičius
My advice when it comes to making your setup environment-agnostic: Docker'ize it. I haven't used Docker on AWS, but once you have an image running locally you can be 98% sure it's gonna run on the server (e.g. mounting files from host can cause some differences still, so best to avoid that). See

Re: Modify web.xml in production war file

2019-07-16 Thread Martynas Jusevičius
images have an entrypoint, which is the shell script making changes to server.xml in this case: https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh On Wed, 17 Jul 2019 at 02.34, André Warnier (tomcat) wrote: > On 16.07.2019 19:54, Martynas Jusevičius wrote: > &g

Re: Modify web.xml in production war file

2019-07-16 Thread Martynas Jusevičius
Grigor, I think this is a use case that Docker containers at least partially address. I find deploying containers way easier to share/deploy and more platform-independent than WAR files. I’ve created a Tomcat-based image that accepts ENV variables and modifies server.xml using their values:

Re: TLS client cert clarification

2019-07-12 Thread Martynas Jusevičius
In my experience with 8.x -- on all requests. On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon wrote: > > I was hoping to get some clarification on when to expect client x509 certs in > http requests where the Tomcat server (v9.x) has been configured to “want” or > “need” client auth. >

Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-06 Thread Martynas Jusevičius
Ettra, see also this thread: https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E I did this with front nginx eventually. On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot wrote: > > Thank you for the detailed

Re: [tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-20 Thread Martynas Jusevičius
> >>> On 8/17/18 4:09 AM, Mark Thomas wrote: >>>> On 16/08/18 13:40, Martynas Jusevičius wrote: >>>>> Hi, >>>>> >>>>> my initial observations suggest, and SO post [1] seems to >>>>> confirm, that when >>&

[tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-16 Thread Martynas Jusevičius
Hi, my initial observations suggest, and SO post [1] seems to confirm, that when CONFIDENTIAL is specified on a security-constraint in web.xml, Tomcat does two things: 1. automatically redirects to HTTPS 2. appends Cache-Control: private and Expires: Thu, 01 Jan

Re: Using existing LetsEncrypt certs with tomcat

2018-01-06 Thread Martynas Jusevičius
Paul, see if this Docker setup could help: https://github.com/AtomGraph/letsencrypt-tomcat I also have nginx config that works with it. Martynas atomgraph.com On Sat, Jan 6, 2018 at 7:46 PM, Paul Beard wrote: > > > > On Jan 4, 2018, at 1:53 AM, Mark Thomas

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

2017-10-27 Thread Martynas Jusevičius
I think Tomcat 9 supports PEM files directly, but if you want to use PKCS12, this might help: https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh#L33 On Fri, Oct 27, 2017 at 1:22 PM, Don Flinn wrote: > I am writing a Java program to get a certificate

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
s not one that appears on my website, it's > something that was manually written by some client. > > On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius < > marty...@atomgraph.com> > wrote: > > > Tomcat is an HTTP server, and if your client is sending invalid HTTP > >

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
> exception? But I would be happy to hear thoughts on this as I'm still > fairly new to programming. I'm not sure what is considered best practice > here. > > Thanks. > > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius < > marty...@atomgraph.com > > wrote: >

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
How is 404 better than 400? On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz wrote: > Tomcat version:8.0.43 > jdk1.8.0_05 > > Hello, > > I've asked a similar question in the past about illegal characters in the > http request header (May 15, 2017). > > Certain users are

Re: letsencrypt integration?

2017-08-24 Thread Martynas Jusevičius
Hi, we have made a Docker image that configures Tomcat with LE certs: https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/ It hasn't been tested in production though. Martynas atomgraph.com On Thu, 24 Aug 2017 at 20.50, Chris Cheshire wrote: > Currently I am using

Re: [8.0.44] NPE when deploying to /manager/text/list with RemoteHostValve

2017-08-08 Thread Martynas Jusevičius
ave problem > resolving hostname in your env? Try to disable the valve and test "<%= > request.getRemoteHost() %>" in a simple jsp until you can get the right > value before re-enable the valve again. > > --Zemian > > On Mon, Aug 7, 2017 at 11:46 AM, Martynas J

[8.0.44] NPE when deploying to /manager/text/list with RemoteHostValve

2017-08-07 Thread Martynas Jusevičius
Hi, I'm deploying WAR from Jenkins Docker container to Tomcat Docker container. In server.xml I have enableLookups to enable DNS lookups and in conf/Catalina/localhost/manager.xml I have There is also manager-script role and user in tomcat-users.xml but I won't post it because

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius
Actually I am using Tomcat on Docker: https://hub.docker.com/_/tomcat/ I do not really know the answer to your question :/ On Sun, 30 Jul 2017 at 23.12, Mark Thomas <ma...@apache.org> wrote: > On 30/07/17 21:35, Martynas Jusevičius wrote: > > Hey list, > > > > I need

[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius
Hey list, I need my webapp to accept all SSL client certificates and do its own validation. I'm upgrading server.xml from the JSSE SSL Connector which used clientAuth="want" and a custom trustManagerClassName in order to do that. The 8.5.16 docs indicate that this should be replaced with
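
The pattern the post describes, accepting any client certificate at the TLS layer and validating it in the webapp, is shown below as an added example; it is not code from the thread or from the Tomcat project. Part 1 is a class for the connector's trustManagerClassName attribute, which Tomcat's connector reference documents as a zero-argument-constructor class implementing javax.net.ssl.X509TrustManager. Part 2 is the application-side check that must accompany it, here a SHA-256 fingerprint allowlist; the fingerprint value in it is a constructed placeholder. One documented caveat is relevant to the question itself: the Tomcat 8.5 connector reference states that certificateVerification="optionalNoCA" is honoured by the OpenSSL provider but treated as "optional" by JSSE, so with a JSSE connector a custom trust manager is the way to skip the CA check.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not from the thread. Part 1: a trust manager for Tomcat's
 * trustManagerClassName attribute that accepts any client certificate at the
 * TLS layer so the webapp can do its own validation. Tomcat instantiates it
 * through the no-arg constructor.
 */
public class AcceptAllClientCertTrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Deliberately no CA check. Only insist that a certificate was actually
        // sent and is inside its validity period; identity is the webapp's job.
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        chain[0].checkValidity();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // This class is only meant for client authentication on the server side;
        // never let it be used to trust a remote server.
        throw new CertificateException("not intended for server certificate validation");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // No CA names are advertised in the TLS CertificateRequest; clients may
        // therefore send a certificate from any issuer.
        return new X509Certificate[0];
    }
}

/**
 * Part 2: the check the webapp performs on the certificate it later reads from
 * the request attribute, e.g. in a servlet filter or JAX-RS filter.
 */
final class ClientCertPinning {

    // Constructed placeholder allowlist of SHA-256 certificate fingerprints
    // (lowercase hex of the DER-encoded certificate). Replace with real values.
    static final Set<String> ALLOWED_SHA256 = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "3f786850e387550fdab836ed7e6dc881de23001b0d3f1c3e2c6a2b3a0d17d6a0")));

    private ClientCertPinning() {}

    /** SHA-256 over the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints. */
    static String sha256Hex(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True when the presented certificate is one the application explicitly trusts. */
    static boolean isAllowed(X509Certificate cert) throws CertificateEncodingException {
        return ALLOWED_SHA256.contains(sha256Hex(cert));
    }
}
```

With this trust manager in place the TLS handshake no longer proves anything about the client except possession of some certificate's private key, so every request that relies on client-certificate identity has to go through a check like ClientCertPinning.isAllowed (or an equivalent lookup of the subject or public key against the application's own store) before it is treated as authenticated; reading the certificate itself is shown in the "Get Client Certificate Information" posts above.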