Cannot update HTTP status code in error pages

2018-04-27 Thread Shinsuke Sugaya
Hi,

Tomcat 9.0.7 does not seem to be able to update a status code in an
error page (JSP).
But it works on Tomcat 8.5 and 9.0.5.

Steps to reproduce:
1. Set JSP path to  in web.xml
 ex. 
https://github.com/codelibs/fess/blob/fess-12.1.2/src/main/webapp/WEB-INF/web.xml#L148
2. Redirect in JSP page
 ex. 
https://github.com/codelibs/fess/blob/fess-12.1.2/src/main/webapp/WEB-INF/view/error/redirect.jsp#L24
3. Access a non-existent page (404 access)
 $ curl -I localhost:8080/aaa
 HTTP/1.1 404
 Set-Cookie: JSESSIONID=0AE0A09F8CAF0A60AB169B24C660A993; Path=/; HttpOnly
 Location: /error/notfound/?url=%2Faaa
 Content-Type: text/html;charset=UTF-8
 Transfer-Encoding: chunked
 Date: Sat, 28 Apr 2018 05:47:16 GMT

In Step 3, Tomcat 8.5 and 9.0.5 prints "HTTP/1.1 302".

I think that the cause is the following fix:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/Response.java?r1=1823565&r2=1823564&pathrev=1823565

Could you check if this behavior is correct in Tomcat 9.0.7?

Thanks in advance,
 shinsuke

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
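The symptom in step 3 is easy to miss by eye: the response carries a Location header, but the status line still says 404, and clients only follow Location on a 3xx status, so the error page's redirect silently never happens. The checker below is an added example (not code from this thread or from Tomcat): it parses the head of an HTTP response, such as the text `curl -I` prints, and classifies it. The two sample responses are constructed to match what the thread reports for 9.0.7 and for 8.5/9.0.5.

```python
"""Spot an error-page redirect that never reaches the client.

Added example, not code from the thread or from Tomcat. It parses the head
of an HTTP response (the text `curl -I` prints) and reports the mismatch
described in the thread: a Location header is present, but the status line
still carries the original error code instead of 302. Clients only follow
Location on a 3xx status, so such a response is effectively a plain 404.
"""
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample shaped like the Tomcat 9.0.7 output quoted in the
# thread (Location present, status still 404).
SAMPLE_9_0_7 = """HTTP/1.1 404
Set-Cookie: JSESSIONID=0AE0A09F8CAF0A60AB169B24C660A993; Path=/; HttpOnly
Location: /error/notfound/?url=%2Faaa
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 28 Apr 2018 05:47:16 GMT
"""

# Constructed sample of the behaviour the thread reports for 8.5 and 9.0.5.
SAMPLE_9_0_5 = """HTTP/1.1 302
Location: /error/notfound/?url=%2Faaa
Content-Length: 0
Date: Sat, 28 Apr 2018 05:47:16 GMT
"""


@dataclass
class ResponseHead:
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_head(raw: str) -> ResponseHead:
    """Parse a status line plus header lines; header names are lower-cased.

    Tomcat 8.5+ omits the reason phrase ("HTTP/1.1 404"), so the reason
    may legitimately be empty.
    """
    lines = raw.strip().splitlines()
    version, _, rest = lines[0].partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    code, _, reason = rest.strip().partition(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ResponseHead(int(code), reason.strip(), headers)


def redirect_state(raw: str) -> str:
    """Classify a response head.

    'redirect'             - 3xx status with a Location header (the 9.0.5 case)
    'location-without-3xx' - Location header but a non-3xx status (the 9.0.7
                             symptom; the client will not follow it)
    'no-redirect'          - no Location header at all
    """
    head = parse_head(raw)
    if "location" not in head.headers:
        return "no-redirect"
    if 300 <= head.status < 400:
        return "redirect"
    return "location-without-3xx"


if __name__ == "__main__":
    for label, sample in (("9.0.7", SAMPLE_9_0_7), ("9.0.5", SAMPLE_9_0_5)):
        head = parse_head(sample)
        print(label, head.status, head.headers.get("location"), redirect_state(sample))
```

To use it against a live server, pipe the output of `curl -I localhost:8080/aaa` into `redirect_state`; a result of `location-without-3xx` reproduces the 9.0.7 behaviour from the thread, and `redirect` is what 8.5 and 9.0.5 return.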



Re: Training material is now on-line

2018-04-27 Thread John Byrne
On 11 April 2018 at 23:32, Mark Thomas wrote:
> Hi all,
>
> Thanks to the magic of GitHub pages, the Tomcat training material that
> was used for the recent training session is now available on-line here:
>
> https://apache.github.io/tomcat-training/
>
> The source code is here:
>
> https://github.com/apache/tomcat-training
>
>
> We plan to add more modules and courses over time. All contributions
> large and small welcome.
>
> Enjoy.
>
> Mark
>



-- 
Mult-i-tel better by design.

http://www.multitel.co.uk

tel: 44(0)151 548 8122
fax: 44(0)709 210 1464
skype jcbyrne




Re: Tomcat 9 ;jsessionid

2018-04-27 Thread Greg Huber
It was not the ;jsessionidxx, but changes to Spring StrictHttpFirewall; the
default config now does not allow some characters in the URL:

   - Rejects URLs that are not normalized to avoid bypassing security
   constraints...
   - Rejects URLs that contain characters that are not printable ASCII
   characters.
   - Rejects URLs that contain semicolons.
   - Rejects URLs that contain a URL encoded slash.
   - Rejects URLs that contain a backslash.
   - Rejects URLs that contain a URL encoded percent.

26-Apr-2018 15:16:43.356 SEVERE [ajp-nio-8009-exec-2]
org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for
servlet [default] in context with path [] threw exception
 org.springframework.security.web.firewall.RequestRejectedException: The
request was rejected because the URL contained a potentially malicious
String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall
.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
at org.springframework.security.web.firewall.StrictHttpFirewall
.getFirewalledRequest(StrictHttpFirewall.java:245)

Had to go with defaulting to COOKIE as suggested, rather than overriding Spring defaults.

Cheers Greg


On 27 April 2018 at 13:23, Berneburg, Cris J. - US wrote:

> Hi Greg
>
> -Original Message-
> From: Greg Huber [mailto:gregh3...@gmail.com]
> Sent: Thursday, April 26, 2018 4:53 AM
> To: Tomcat Users List 
> Subject: Tomcat 9 ;jsessionid
>
> > Hello,
> >
> > One thing I have noticed with Tomcat 9.0.x is that I get a lot of
> > ;jsessionid=xxx appended to my URLs.  This did not happen with 8.5.x.
> >
> > /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
> >
> >  500 Internal Server Error
> >   /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
> >   /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
> >
> > From previous experience this happens when there is no session.
> > I use struts and have used encode="false" on the tags to prevent this:
> >
> > 
> >
> > Also I have used (in the past) <%@ page session="false" %> but have
> > commented this out as it causes downstream problems for me.
> >
> > Would there be a reason why this has now started happening on 9?
> >
> > Cheers Greg
>
> A while ago we had problems in TC6 with new sessions being created for
> each image.  The issue was that there was an invalid character, underscore
> "_", in the URL.  I can't remember if Internet Explorer was acting
> weird(er) or if that was expected TC behavior for an invalid URL.
>
> Also, Chris Schultz mentioned that jsessionid appended to the URL can mean
> that cookies are not being used.
>
> Might your problem be more than one issue combined?
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>
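Before switching the firewall or the session tracking mode, it helps to know how many logged requests the listed rules would actually reject. The scanner below is an added example, not Spring Security's or Tomcat's code: it reimplements the rejection rules quoted in the reply (the normalisation test is a simplified approximation of Spring's; the percent-encoded variants of slash, backslash, semicolon and percent are the ones Spring's defaults block alongside the literal characters) and runs them over a few constructed access-log lines in Tomcat's common log format. The first request target is the one quoted in the thread.

```python
"""Pre-check request targets against the StrictHttpFirewall rules listed above.

Added example, not Spring Security's or Tomcat's code. It reimplements
the rejection rules quoted in the reply (the normalisation check is a
simplified approximation of Spring's) and runs them over constructed
access-log lines, so the ;jsessionid URLs that raised
RequestRejectedException can be counted before any configuration change.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed access-log lines in Tomcat's common log format. The first
# target is the one quoted in the thread; the others exercise other rules.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Apr/2018:15:16:43 +0100] "GET /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB HTTP/1.1" 500 -
127.0.0.1 - - [26/Apr/2018:15:16:44 +0100] "GET /images/image_32x32.png HTTP/1.1" 200 1234
127.0.0.1 - - [26/Apr/2018:15:16:45 +0100] "GET /docs/guide%2fintro.html HTTP/1.1" 400 -
127.0.0.1 - - [26/Apr/2018:15:16:46 +0100] "GET /docs/./intro.html?x=1 HTTP/1.1" 400 -
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Percent-encoded forms that Spring's defaults block together with the
# literal characters.
ENCODED_SLASH = ("%2f", "%2F")
ENCODED_BACKSLASH = ("%5c", "%5C")
ENCODED_SEMICOLON = ("%3b", "%3B")
ENCODED_PERCENT = ("%25",)


def is_normalized(path: str) -> bool:
    """Simplified normalisation check (approximation of Spring's): no '.'
    or '..' path segments and no empty segment between two slashes."""
    for seg in path.split("/")[1:]:  # the leading '/' yields an empty first segment
        if seg in (".", ".."):
            return False
    return "//" not in path


def firewall_reasons(target: str) -> List[str]:
    """Return the names of the quoted rules the request target would trip;
    an empty list means the target would pass."""
    path = urlsplit(target).path  # urlsplit keeps ';params' inside the path
    reasons = []
    if not is_normalized(path):
        reasons.append("not-normalized")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in target):
        reasons.append("non-printable-ascii")
    if ";" in path or any(e in path for e in ENCODED_SEMICOLON):
        reasons.append("semicolon")
    if any(e in path for e in ENCODED_SLASH):
        reasons.append("encoded-slash")
    if "\\" in path or any(e in path for e in ENCODED_BACKSLASH):
        reasons.append("backslash")
    if any(e in path for e in ENCODED_PERCENT):
        reasons.append("encoded-percent")
    return reasons


def scan_access_log(text: str) -> Dict[str, List[str]]:
    """Map every request target the rules would reject to its reasons."""
    rejected: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a request line we recognise
        reasons = firewall_reasons(m.group("target"))
        if reasons:
            rejected[m.group("target")] = reasons
    return rejected


if __name__ == "__main__":
    for target, reasons in scan_access_log(SAMPLE_LOG).items():
        print(target, "->", ", ".join(reasons))
```

Running it over a real access log before and after the change shows whether the `;jsessionid` targets disappear. The fix Greg settled on, cookie-only tracking, is set in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` (Servlet 3.0 and later); once Tomcat stops appending `;jsessionid` for cookieless clients, the semicolon rule is no longer tripped by ordinary image requests.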


RE: Tomcat 9 ;jsessionid

2018-04-27 Thread Berneburg, Cris J. - US
Hi Greg

-Original Message-
From: Greg Huber [mailto:gregh3...@gmail.com] 
Sent: Thursday, April 26, 2018 4:53 AM
To: Tomcat Users List 
Subject: Tomcat 9 ;jsessionid

> Hello,
>
> One thing I have noticed with Tomcat 9.0.x is that I get a lot of
> ;jsessionid=xxx appended to my URLs.  This did not happen with 8.5.x.
>
> /images/image_32x32.png;jsessionid=BF27C604B287CCF6DF3DBDB180C2CBEB
>
>  500 Internal Server Error
>   /images/image_32x32.png;jsessionid= ... 23784378307846F: 1 Time(s)
>   /images/image_32x32.png;jsessionid= ... 85D9B02C5A030FF: 1 Time(s)
>
> From previous experience this happens when there is no session.
> I use struts and have used encode="false" on the tags to prevent this:
>
> 
>
> Also I have used (in the past) <%@ page session="false" %> but have
> commented this out as it causes downstream problems for me.
>
> Would there be a reason why this has now started happening on 9?
>
> Cheers Greg

A while ago we had problems in TC6 with new sessions being created for each 
image.  The issue was that there was an invalid character, underscore "_", in 
the URL.  I can't remember if Internet Explorer was acting weird(er) or if that 
was expected TC behavior for an invalid URL.

Also, Chris Schultz mentioned that jsessionid appended to the URL can mean that 
cookies are not being used.

Might your problem be more than one issue combined?

--
Cris Berneburg
CACI Lead Software Engineer

