Re: security headers
Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
>
> I recently used on web.xml
>
> httpHeaderSecurity
> org.apache.catalina.filters.HttpHeaderSecurityFilter
> true
>
> httpHeaderSecurity
> /*
>
> to enable some security headers, but it won't enable Content
> Security Policy header. Is there any way to enable Content Security
> Policy at top server level???

What were you expecting that Filter to generate for you? A header which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add headers to every outgoing response. url-rewrite has very similar capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
security headers
Hello,

I recently used on web.xml

httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
true

httpHeaderSecurity
/*

to enable some security headers, but it won't enable Content Security Policy header. Is there any way to enable Content Security Policy at top server level???

Thanks in advance.
Re: Beginner help setting up test vertical cluster
Keiichi,

On 11/1/17 3:28 AM, Keiichi Fujino wrote:
> Hi Dave.
>
> Your Interceptor settings are as follows.
>
>> className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector">
>> className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor" />
>> className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
>> className="org.apache.catalina.tribes.membership.StaticMember"
>> domain="clustertest"
>> uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}">
>>
>> domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001"
>> securePort="-1"
>> uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}">
>>
>> className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor">
>> className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor">
>
> You specified domain="clustertest" in , but
> DomainFilterInterceptor does not have a domain setting. If you want
> to filter by domain, you have to set domain="clustertest" to
> DomainFilterInterceptor. if you do not want to filter by domain,
> you have to remove domain="clustertest" from or remove
> DomainFilterInterceptor.
>
> Also, if you use DomainFilterInterceptor with static membership,
> you must list it above StaticMembershipInterceptor.
>
> e.g.
> TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->StaticMembershipInterceptor
>
> or
> DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->StaticMembershipInterceptor

Would it be appropriate for Tomcat to sanity-check some of the settings above to catch this kind of oversight? Or are there too many possibilities of valid configuration that it's not possible to validate in this way?

Thanks,
-chris
Re: apr
Chris,

On 10/31/17 12:18 PM, Cheltenham, Chris wrote:
> I will need some help here.
>
> How do I generate a stack trace?

If you are getting an exception in the log file, I'd expect a stack trace to accompany it. Something that looks like this:

org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
Caused by: java.foo.BarException
on Foo.java line 25
on Bar.java line 52
...

It's possible that this particular error doesn't generate a stack trace. If that's the case, we might need to fix that and get you a custom version of Tomcat that produces more information. For example, from the error message, I have no idea what function is being attempted by that particular part of the code.

> TCAT 8.5.23

Are you using Apache Tomcat or are you using TCAT server (a product from MuleSoft)?

> Many times I rely on stackoverflow or some web site but too often
> they are usually half assed explanations.

Or quarter assed.

Error code 70023 = APR_OS_START_ERROR (2) + APR_OS_ERRSPACE_SIZE (5) + 23 which is likely the "real error" here[1].

APR error 23 is "APR_EABOVEROOT" which has no documentation[2], but which points to this definition[3]:

"
#define APR_STATUS_IS_EABOVEROOT (s) ((s) == APR_EABOVEROOT)

The given path was above the root path.
"

So... how about that configuration?

> Listener is default assuming you are referring to server.xml.

Hmm. Maybe the problem is with a TLS-enabled with some paths in it? Can you please post any APR-based s you have, with any secrets removed?

> I do not think FIPS is necessary , no.

Okay.

> I believe that is some federal govt standard?

Yes, it's a (mostly useless IMO) US federal standard that mandates the use of certain algorithms and also requires that the code being used be certified and self-certifying on startup.

At first, I thought you might be having a problem entering FIPS mode, but that seems unlikely given what I uncovered above.

-chris

[1] https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#ga191894048b7bd0cca3cf0bdff1eb695b
and
https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#gadb8d97e6836ccdc57b43b6119a5acccf
[2] https://apr.apache.org/docs/apr/1.6/group___a_p_r___error.html#ga4828cc04f97dc7bed691456adf7c073e
[3] https://apr.apache.org/docs/apr/1.6/group___a_p_r___s_t_a_t_u_s___i_s.html#ga641527647de2537c1946a0b2ef07e411
Re: configuring jarscanner in 8.5 to ignore entire directory
Andre: cute!

As for jar scanning, I have been playing with that. I don't think you need full pathnames in the pattern (perhaps in the context file, but not in the properties file), but not sure. I did two things and am very pleased with the result.

a) in conf/context.xml:

b) in catalina.properties
1) sorted the nasty list for TLD scans that comes with the distribution (8) so I could read it and search and found one pattern that was off (cannot remember which one but it had an extra "_" before the "*", I think) - it was a jar in the standard distribution .../lib/... dist.
2) and then added all the jars I use at the end (no full path needed for sure)

The TLD startup time went from half a minute to under a second.

Good luck!

On Tuesday, October 31, 2017 4:44 PM, André Warnier (tomcat) wrote:
> On 31.10.2017 20:16, Chris Cheshire wrote:
>> PS JarScannerFilter above is a copypasta error, I do have the correct
>> tag in my config with the same result
>
> As, I presume, is the new Italian delicacy above ?
Re: Logging framework !
2017-11-01 8:17 GMT+03:00 Utkarsh Dave:
> Hi All,
>
> I am using Tomcat 7.0.81 on centos 7.2 and using openjdk 1.7.0.141.
> The problem I am seeing recently is manager*.log and localhost*.log files
> are not created. Instead, I see the messages that were to be written into,
> manager.log are going into Catalina.out. catalina.out and
> localhost_access.log continue to work like before.
> May I know how and from where to start debugging this?
> I have verified logging.properties, there is no issue with it.

My guess is that "java.util.logging.manager" and "java.util.logging.config.file" system properties are not set, and thus java uses default implementation of java.util.logging instead of the one provided by Tomcat's org.apache.juli.ClassLoaderLogManager.

Those properties are usually set by catalina.sh (and there is a comment at the top of that file).

Best regards,
Konstantin Kolinko
Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.
On 01.11.2017 at 10:53, Olaf Kock wrote:
> On 01.11.2017 06:00, Chaitanya Sabbineni wrote:
>> I had an application where multiple requests are coming at same time
>> because of which 1 request is overridden by other. Is so can Any one let
>> me know if there is a way to achieve this.
>
> Tomcat easily handles simultaneous requests - it rather looks like your
> application can't do so. A common cause for this are servlets that keep
> state in member variables. I'd say, the way to fix it is to debug your
> application, not artificially limit the number of requests that you can
> accept.

Yes, I should have also said that. You can limit concurrency, but concurrency is how you typically achieve performance and is something not to prevent, but to make it work instead. So in this case the semaphore valve is just a dirty workaround, not the solution you should aim for.

Regards,
Rainer
Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.
On 01.11.2017 06:00, Chaitanya Sabbineni wrote:
> I had an application where multiple requests are coming at same time
> because of which 1 request is overridden by other. Is so can Any one let
> me know if there is a way to achieve this.

Tomcat easily handles simultaneous requests - it rather looks like your application can't do so. A common cause for this are servlets that keep state in member variables. I'd say, the way to fix it is to debug your application, not artificially limit the number of requests that you can accept.
Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.
On 01.11.2017 at 06:00, Chaitanya Sabbineni wrote:
> I had an application where multiple requests are coming at same time
> because of which 1 request is overridden by other. Is so can Any one let
> me know if there is a way to achieve this.

Maybe this:

https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Semaphore_Valve

Regards,
Rainer
Re: Cannot start TomCat on Windows10
On 01.11.2017 05:21, wrote:
> Hello,
> I've been using eclipse neon to run a j2ee project on Tomcat Server, but
> I can't start the Tomcat, and I google the errors but no solutions to it.
> And I've set the environment variables. Please help me, thank you. The
> attache is error log.

As attachment are stripped by the list software, please describe your configuration and give steps to reproduce. Reduce the error log to relevant portions and copy/paste them into the mail.

Olaf
Re: Logging framework !
On 01.11.2017 06:17, Utkarsh Dave wrote:
> Hi All,
>
> I am using Tomcat 7.0.81 on centos 7.2 and using openjdk 1.7.0.141.
> The problem I am seeing recently is manager*.log and localhost*.log files
> are not created. Instead, I see the messages that were to be written into,
> manager.log are going into Catalina.out. catalina.out and
> localhost_access.log continue to work like before.
> May I know how and from where to start debugging this?
> I have verified logging.properties, there is no issue with it.
>
> Any help will be appreciable.

The first question here is: where does that tomcat 7.0.81 come from?

If it is the "vanilla" tomcat from the tomcat website, then chances are that we can help you.

If it is from a centos packaged version of tomcat, then there are less chances that we can help you, because we do not know exactly how the packagers of centos have set this up. You probably need to start in that case by looking at the startup script(s) of tomcat, in /etc/init.d or similar, to find out what happens in terms of redirection of logfiles etc.

The people who create the tomcat packaged versions for the different Linux/Unix/Windows etc. distributions, each have their own logic about this kind of thing. Their intent is usually to try to "force" the tomcat logging to happen according to the general conventions on their particular platform, which can be quite different from the standard logging conventions of the various pieces of software that should run on each platform.
Re: Beginner help setting up test vertical cluster
Hi Dave.

Your Interceptor settings are as follows.

> uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}">
> className="org.apache.catalina.tribes.membership.StaticMember"
> domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001" securePort="-1"
> uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}">

You specified domain="clustertest" in , but DomainFilterInterceptor does not have a domain setting. If you want to filter by domain, you have to set domain="clustertest" to DomainFilterInterceptor. if you do not want to filter by domain, you have to remove domain="clustertest" from or remove DomainFilterInterceptor.

Also, if you use DomainFilterInterceptor with static membership, you must list it above StaticMembershipInterceptor.

e.g.
TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->StaticMembershipInterceptor
or
DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->StaticMembershipInterceptor

--
Keiichi.Fujino