Bug 59317 change to encode getRequestURI dispatches

2016-08-19 Thread Sean Dawson
So we ran into this too - with a customer who downloaded the latest rev of
Tomcat 8.  Took us half the day yesterday and most of today to get to the
bottom of it.  In troubleshooting, I tried using 7 instead but it was still
failing there (and now I see that the change is in recent revs of all
versions).

Is there a setting we can use to revert to the previous behavior?  Or
what's the best way to workaround/fix this?

I'm not sure if it's in this particular set of changes, but if so, it looks
like we might be able to turn it off...

https://github.com/apache/tomcat/commit/eb195bebac8239b994fa921aeedb136a93e4ccaf


Protect Management

2016-08-19 Thread Diego Gomes
Hi all!!!

I would like to know if it is possible to protect/prevent access to
https://server.com:PORT/manager from the Internet. I need to keep my webapp
working for ANY but the management, server status, etc... just for
192.168.0.0/24 for instance. Is this possible?

Another question is, to prevent brute force, there is a LockOutRealm, right? 
Where should I implement it and how?

I am running Tomcat 7.0.70

Thanks!

Diego


Tomcat CORS filter not allowing origin with file:// when resource access done from WebView

2016-08-19 Thread Chandrashekar H . S
Hi,


We are facing a problem in tomcat cors filter. Below is the filter 
configurations added in web.xml for cors request processing.


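<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,KN-X-UserAgent</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>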



The Tomcat server processes all the cors request successfully when the Origin
in the request contains a domain for all schemes like http://www.kodiakptt.com
, file://local etc.


POST http://kodiakptt.com/poc/ HTTP/1.1
Host: medistreet.in
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.kodiakptt.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/34.0.1847.116 Safari/537.36


The http request fails if the Origin header contains only scheme and not a 
domain name. The Server sends 403 when the request is as below.


POST http://kodiakptt.com/poc/ HTTP/1.1
Accept: application/json, text/plain, */*
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; XT1033 Build/KXB20.25-1.31) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile 
Safari/537.36
Content-Type: application/json;charset=UT

The Difference in request headers from the successful operation and failed
operations are

1. Origin is file:// in failed and http://www.kodiakptt.com in successfully
processed request

2. The User-Agent header.


Regards,

Chandra
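
A check on the configuration posted above, added here as an example and not part of the original message or of Tomcat: it parses a web.xml and reports any CorsFilter that sets cors.allowed.origins to *, flagging separately the case where cors.support.credentials is also true, because CORS does not permit a wildcard Access-Control-Allow-Origin on credentialed responses. The sample web.xml is a constructed, reduced form of the posted filter, and the function names and finding labels are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: reduced form of the posted filter (two init-params only).
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    """Strip an XML namespace prefix so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Return the stripped text of the first direct child called `name`."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def cors_filter_params(web_xml_text):
    """Return {filter-name: {param-name: param-value}} for each CorsFilter."""
    found = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "filter" or _child_text(elem, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for p in elem:
            if _local(p.tag) == "init-param":
                params[_child_text(p, "param-name")] = _child_text(p, "param-value")
        found[_child_text(elem, "filter-name")] = params
    return found

def audit(web_xml_text):
    """Report wildcard origins; only explicit values are checked, not version defaults."""
    findings = []
    for name, params in cors_filter_params(web_xml_text).items():
        origins = [o.strip() for o in (params.get("cors.allowed.origins") or "").split(",")]
        creds = (params.get("cors.support.credentials") or "").lower() == "true"
        if "*" in origins and creds:
            findings.append((name, "wildcard-origin-with-credentials"))
        elif "*" in origins:
            findings.append((name, "wildcard-origin"))
    return findings
```
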



Re: A way for user to specify DH parameter to tomcat !

2016-08-19 Thread Kreuser, Peter
Hi Utkarsh

>From: Utkarsh Dave [mailto:utkarshkd...@gmail.com]
>Sent: Thursday, 18 August 2016 08:18
>To: Tomcat Users List
>Subject: Re: A way for user to specify DH parameter to tomcat !
>
>Thanks a lot Chris and Violeta.
>
>On Wed, Aug 17, 2016 at 1:59 PM, Utkarsh Dave 
>wrote:
>
>> Hi All,
>>
>> My project is using tomcat 7.0.70, JDK 1.7.0_101 and is based on linux OS
>> We have been using BIO connectors.
>> 1. I need help to find out how to provide user specified DH parameter to
>> tomcat.
>> 2. What all ciphers are categorized under modern ciphers ?
>>
>> Thanks for your time in advance.
>>
>> -Utkarsh
>>

You probably won't be able to set a higher DH Key Size than 1024bit on Java 7. 
With your java version at least the default is 1024bit. With Java 8 you can add 
the -D option (-Djdk.tls.ephemeralDHKeySize=2048) to the CATALINA_OPTS (in 
bin/setenv.sh).

Best regards.

Peter

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 8.5 Regarding PostResources for Web-Inf\lib and Web-Inf\classes

2016-08-19 Thread Mark Thomas
On 12/08/2016 23:44, Vimil Saju wrote:
> This is regarding the Resources feature of tomcat 8.5 that allows us to add 
> external jars and class folder to the webapp classpath.
> There seems to be an issue with the order in which class folder and jar files 
> are added to the classpath.
> <Resources className="org.apache.catalina.webresources.StandardRoot">
>   <PostResources base="D:\Projects\external\classes"
>                  className="org.apache.catalina.webresources.DirResourceSet"
>                  webAppMount="/WEB-INF/classes"/>
>   <PostResources base="D:\Projects\lib\library1.jar"
>                  className="org.apache.catalina.webresources.FileResourceSet"
>                  webAppMount="/WEB-INF/lib/library1.jar"/>
> </Resources>
> 
> With the above configuration
> the webapp classpath becomes - 
> WEB-INF\classes;WEB-INF\lib\*.jar;D:\Projects\lib\library1.jar;D:\Projects\external\classes
> I expect the order to be 
> WEB-INF\classes;WEB-INF\lib\*.jar;D:\Projects\external\classes;D:\Projects\lib\library1.jar;
> Is there a way to configure Context xml so that the classfolders added 
> through PostResources appear before jar files added through PostResources in 
> the classpath?

How are you obtaining the class path?

Note that the class loader will always look in WEB-INF/classes before
WEB-INF/lib.

Mark





Re: Tomcat won't start

2016-08-19 Thread Mark Thomas
On 19/08/2016 08:51, Leon Vergottini wrote:



> May I kindly ask for direction.

What, exactly, are you typing on the command line when you see the above?

What is the current working directory when you do this?

Where is Tomcat installed?

Mark





Tomcat won't start

2016-08-19 Thread Leon Vergottini
Hi

I think I am being stupid this morning, but for some reason a Tomcat instance
does not want to start.

When starting Tomcat, I only get the following:

Using CATALINA_BASE:   /opt/current/tomcat
Using CATALINA_HOME:   /opt/current/tomcat
Using CATALINA_TMPDIR: /opt/current/tomcat/temp
Using JRE_HOME:        /opt/current/java
Using CLASSPATH:       /opt/current/tomcat/bin/bootstrap.jar:/opt/current/tomcat/bin/tomcat-juli.jar
Usage: catalina.sh ( commands ... )
commands:
  debug             Start Catalina in a debugger
  debug -security   Debug Catalina with a security manager
  jpda start        Start Catalina under JPDA debugger
  run               Start Catalina in the current window
  run -security     Start in the current window with security manager
  start             Start Catalina in a separate window
  start -security   Start in a separate window with security manager
  stop              Stop Catalina, waiting up to 5 seconds for the process to end
  stop n            Stop Catalina, waiting up to n seconds for the process to end
  stop -force       Stop Catalina, wait up to 5 seconds and then use kill -KILL if still running
  stop n -force     Stop Catalina, wait up to n seconds and then use kill -KILL if still running
  configtest        Run a basic syntax check on server.xml - check exit code for result
  version           What version of tomcat are you running?
Note: Waiting for the process to end and use of the -force option require that $CATALINA_PID is defined

The Tomcat instance is ver 8.0.32 and Java 1.8.0_77 installed.

No log files are created to troubleshoot.

May I kindly ask for direction.

Kind Regards

Leon