Re: Tomcat session replication

2020-06-30 Thread Mark Thomas
On 29/06/2020 21:41, Christopher Schultz wrote:
> Mark,
> On 6/27/20 05:29, Mark Thomas wrote:
>> On 27/06/2020 10:19, Thomas Meyer wrote:
>>> Hi,
>>> A few questions regarding tomcat session replication:
>> load-balancing and session replication are two separate parts of
>> an overall clustering solution.
>>> 1) is the jvmRoute attribute on Engine object necessary for
>>> session replication to work correctly?
>> No, but if you don't use it it places a number of restrictions on
>> the web application behaviour and on the configuration of session
>> replication.
>> The limitations are: - you need to use the DeltaManager (which
>> doesn't scale as well as the BackupManager); - any requests made by
>> the client that depend on the session MUST be issued in series, not
>> in parallel; and
> This is only true of requests that would modify the session-state in a
> way that needed to be deterministic, right? A bunch of GET requests
> that don't change the session ought to be okay in parallel (as long as
> any prior state-changing requests have completed _ those changes
> replicated).

You don't want state changes in parallel on different nodes.
Any request that depends on a previous change in state can't be issued
until the state changing request has completed and the changes replicated.

>> - the session Manager must be configured to update all the other
>> nodes in the cluster BEFORE the current request returns to the
>> client.
> Same (negative) caveat here, right?


Essentially you want channelSendOptions="6".


To unsubscribe, e-mail:
For additional commands, e-mail:

Re: Tomcat Large Payload Truncated

2020-06-30 Thread Mark Thomas
On 30/06/2020 03:12, Bhavesh Mistry wrote:
> Hi Mark,
> Thank you for responding.  I have one more question.  This is spring-boot 2
> application REST API server and it does not accept Cookie or session
> (timeout is set to zero).Auth happens through Authorized header. We
> have set 10mb for maxPostSize.  Does maxSavePostSize takes precedence over
> maxPostSize ?

No. They are different settings.

>  I will set maxSavePostSize to -1 to disable it.

That is a DoS risk.

> Also, I have another question.  When Payload is as large as 10mb (json
> post),  does payload body in JVM MEMORY or offloaded to FileInputStream ?

Where POST data is saved for authentication is, it is always in memory.
For other POSTs, it will depend on the application configuration and/or


To unsubscribe, e-mail:
For additional commands, e-mail:

Problem with JarScanFilter, maybe a bug?

2020-06-30 Thread Vitor Medina Cruz

I am trying to configure Tomcat in a way that it makes SCI scan only in
jars I explicitly specify to. I followed instructions from, in
both Tomcat 8 and 9, but with no success. I posted a question on
stackoverflow that explains more in detail what I did:

And I also found other unanswered questions pointing to the same problem,
here is one example:

The thing is that it is looking like an error to me because logs tells that
scanning is done as configured — if I add a jar for scanning in
JarScanFilter, the log show it is scanned, if I remove it, the log stop
reporting it's scanning — but after that, no matter what configuration I
made with JarScanFilter, the WebappServiceLoader loads servlet annotated
classes, such as @WebListener.

Any leads? Ideas? Anyone can confirm if that is an error or if I am using
the functionality wrongly or if I understand it wrongly.


Re: Fwd: Reverse proxy and SSL redirect

2020-06-30 Thread rugman66 .
On Wed, Apr 22, 2020 at 9:21 AM Mark Thomas  wrote:
> On 22/04/2020 00:11, rugman66 . wrote:
> >Tomcat log  (I'm trying to get more debug level logging)
> > 2020-04-21 13:39:33 INFO  app.CompletionRestController
> > Unsupported Media Type in Header
> >
> >   Postman
> >415 Unsupported Media Type
> >
> >   GET URL
> >
> >
> > Both Tomcat and Apache are running SSL because all internal endpoints
> > are required to be secure.
> Looks like the app is generating the error. That moves us forwards.
> Try enabling the RequestDumperFilter. That should dump the full set of
> request headers received which will hopefully help explain what is going on.
> Mark

Hi Mark,

Was on unplanned leave for the past few months, but back.

I did try to enable RequestDumperFilter, however the file was created
but no log entries created. I did find something interesting. When I
test in Postman with
HTTP it does redirect to HTTPD but throws the error. However when I
change the URL in Postman using HTTPD I get the expected reply and see
proxy is indeed working. It's only throwing the error when the
redirect occurs. Seems to me the issue lies there, but I still can't
find a resolution. Any
suggestions would be appreciated.


To unsubscribe, e-mail:
For additional commands, e-mail: