Re: Posting questions

2019-02-19 Thread Christopher Schultz
Shivaraj,

You have posted a question to the Apache Tomcat users' mailing list.
Apache Tomcat is a Java web application server.

It appears that you are asking a question about Apache httpd, a web
server. You should post your question to the Apache httpd users' list,
instead.

-chris

On 2/19/19 08:35, Shivaraj wrote:
> This is shivaraj, am trying to increase the URL size in httpd using
> the below parameter, am also using https which is an option that we
> can enable or disable it. On switching over from https to http or
> vice versa. Virtual IP is redirecting every request to different
> server and obviously session will not maintained, due to this i
> couldn't login to use my web application hosted in apache tomcat.
> After removing this parameter it works as legacy. Your help on this
> regard will be much appreciated. Please let me know if you need
> clarifications.
> 
> Details: LimitRequestLine 128 declared under VirtualHost tag in
> httpd.conf
> 
> Application Server: apachetomcat-8.5.32_1 Server version:
> Apache/2.4.6 (Red Hat Enterprise Linux)
> 
> 
> regards, Shivaraj Sivasankaran +91 9790177704
> 
> 
> On Tue, Feb 19, 2019 at 6:47 PM Shivaraj 
> wrote:
> 
>> This is shivaraj, am trying to increase the URL size in httpd
>> using the below parameter, am also using https which is an option
>> that we can enable or disable it. On switching over from https to
>> http or vice versa. Virtual IP is redirecting every request to
>> different server and obviously session will not maintained, due
>> to this i couldn't login to use my web application hosted in
>> apache tomcat. After removing this parameter it works as legacy. 
>> Your help on this regard will be much appreciated. Please let me
>> know if you need clarifications.
>> 
>> Details: LimitRequestLine 128 declared under VirtualHost tag
>> in httpd.conf
>> 
>> Application Server: apachetomcat-8.5.32_1 Server version:
>> Apache/2.4.6 (Red Hat Enterprise Linux) Server built:   Oct  3
>> 2017 09:37:04
>> 
>> 
>> regards, Shivaraj Sivasankaran +91 9790177704
>> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Fwd: websocket connections consume too much memory

2019-02-19 Thread Christopher Schultz
Иналь,

On 2/19/19 12:12, Иналь Кятов wrote:
> I encountered a problem with embedded tomcat 8.5.29 (part of spring
> boot 1.5).

Can you retest with the current version of 8.5.x? Current version is
8.5.38, released 2019-02-11.

-chris



Re: Http insecure headers

2019-02-19 Thread Peter@Kreuser-Online
Hi Nitin,

Per se this can be done by enabling the
org.apache.catalina.filters.HttpHeaderSecurityFilter
in the global or your webapp's web.xml.

For CSP you should write your own Filter.

Beware though that Content Security Policy is nothing that can be enabled
without application know-how, the right settings for your needs and intensive
testing. You may really break inline JavaScript in your pages (CSS too).

Please check out the great websites of Scott Helme on the Headers
https://Securityheaders.io or https://scotthelme.co.uk/csp-cheat-sheet/


Peter

> On 19.02.2019 at 19:13, Nitin Kadam wrote:
> 
> Hello Team
> 
> Need help to enable below security headers in Apache tomcat 7.0.79
> Operating system is windows 2012 R2
> 
> 1. Content  security headers
> 2. HSTS header
> 
> Regards
> Nitin
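
The "write your own Filter" step for CSP, as an added example that is not part of the original post or of Tomcat. The class name, package, and the `policy` and `reportOnly` init-param names are assumptions; it is registered in web.xml with `<filter>` and `<filter-mapping>` like any other filter, and it uses only the Servlet 3.0 API that Tomcat 7 provides. HSTS is handled by the built-in filter's `hstsEnabled` and `hstsMaxAgeSeconds` init-params.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Added example: sends a Content-Security-Policy header on every response. */
public class CspHeaderFilter implements Filter {

    // Constructed starting policy; a real one must be derived from the application.
    private String policy = "default-src 'self'; object-src 'none'";
    private String headerName = "Content-Security-Policy";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy"); // assumed param name
        if (configured != null && !configured.trim().isEmpty()) {
            configured = configured.trim();
            // A header value must be one line; fail at startup rather than emit a broken header.
            if (configured.indexOf('\r') >= 0 || configured.indexOf('\n') >= 0) {
                throw new ServletException("CSP policy must be a single line");
            }
            policy = configured;
        }
        // reportOnly=true (assumed param name) makes browsers report violations
        // without blocking, which is how a policy is tested before enforcement.
        if (Boolean.parseBoolean(config.getInitParameter("reportOnly"))) {
            headerName = "Content-Security-Policy-Report-Only";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before the chain runs: headers added after commit are dropped.
            // An application that already set its own policy is left alone.
            if (!http.containsHeader(headerName)) {
                http.setHeader(headerName, policy);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}
```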


Http insecure headers

2019-02-19 Thread Nitin Kadam
Hello Team

Need help to enable below security headers in Apache tomcat 7.0.79
Operating system is windows 2012 R2

1. Content  security headers
2. HSTS header

Regards
Nitin


Fwd: websocket connections consume too much memory

2019-02-19 Thread Иналь Кятов
Hi everyone!

I encountered a problem with embedded tomcat 8.5.29 (part of spring boot
1.5).
The number of websocket connections that are stored in a variable
"connections" (look below) is increasing indefinitely.

package org.apache.coyote;

public abstract class AbstractProtocol implements ProtocolHandler,
        MBeanRegistration {

    ...

    protected static class ConnectionHandler implements
            AbstractEndpoint.Handler {

        ...

        private final Map connections = new ConcurrentHashMap<>();
        // <-- The number of websocket connections that are stored in a
        // variable is increasing indefinitely

        ...

    }

    ...

}

As a result websocket connections consume too much memory.
I see the reason for the fact that the socket remains in
the SocketState.UPGRADED state even after closing the websocket. Although
expected SocketState.CLOSED.
Log:
2019-02-18 13:22:12.741 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] org.apache.tomcat.websocket.WsSession: *Closing
WebSocket session [{1}]*
2019-02-18 13:22:12.742 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.a.tomcat.util.net.SocketWrapperBase: Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@723dc871
:org.apache.tomcat.util.net.NioChannel@7587eeb9:java.nio.channels.SocketChannel[connected
local=attachment-8559c85989-w9k5r/10.244.4.175:8080
remote=/10.244.2.25:44986]], Read from buffer: [0]
2019-02-18 13:22:12.742 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.a.c.h.u.UpgradeProcessorInternal   : Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@723dc871
:org.apache.tomcat.util.net.NioChannel@7587eeb9:java.nio.channels.SocketChannel[connected
local=attachment-8559c85989-w9k5r/10.244.4.175:8080
remote=/10.244.2.25:44986]], Status in: [OPEN_READ], State out: [UPGRADED]

Full log by request below (I disguised private data as ###):
2019-02-18 13:22:12.731 DEBUG [test-service,,,] 1 --- [nio-8080-exec-9]
o.a.tomcat.util.net.SocketWrapperBase: Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@723dc871
:org.apache.tomcat.util.net.NioChannel@7587eeb9:java.nio.channels.SocketChannel[connected
local=/10.244.4.175:8080 remote=/10.244.2.25:44986]], Read from buffer: [0]
2019-02-18 13:22:12.731 DEBUG [test-service,,,] 1 --- [nio-8080-exec-9]
o.a.coyote.http11.Http11InputBuffer  : Received [GET ### HTTP/1.1
X-Real-IP: 10.244.0.0
X-Forwarded-For: 10.244.0.0,10.244.6.23
Authorization: ###
Origin: http://ptdbo2kbm251lv:32175
Referer: http://ptdbo2lre202v:8081/DigestProcessor/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: ###
X-Forwarded-Proto: http
X-Forwarded-Port: 80
X-Forwarded-Host: ###
upgrade: websocket
connection: upgrade
sec-websocket-key: ###
host: ptdbo2kbm251lv
sec-websocket-origin: ###
sec-websocket-version: 13

]
2019-02-18 13:22:12.731 DEBUG [test-service,,,] 1 --- [nio-8080-exec-9]
o.a.t.util.http.Rfc6265CookieProcessor   : Cookies: Parsing b[]: ###
2019-02-18 13:22:12.733 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] org.apache.tomcat.util.http.Parameters   : Set encoding
to UTF-8
2019-02-18 13:22:12.734 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.apache.coyote.http11.Http11Processor   : Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@723dc871
:org.apache.tomcat.util.net.NioChannel@7587eeb9:java.nio.channels.SocketChannel[connected
local=attachment-8559c85989-w9k5r/10.244.4.175:8080
remote=/10.244.2.25:44986]], Status in: [OPEN_READ], State out: [UPGRADING]
2019-02-18 13:22:12.734 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] org.apache.tomcat.websocket.WsSession: Created
WebSocket session [15f]
2019-02-18 13:22:12.734 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.a.t.websocket.server.WsFrameServer :
wsFrameServer.onDataAvailable
2019-02-18 13:22:12.735 DEBUG
[attachment,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 --- [nio-8080-exec-9]
o.a.tomcat.util.net.SocketWrapperBase: Socket:
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@723dc871
:org.apache.tomcat.util.net.NioChannel@7587eeb9:java.nio.channels.SocketChannel[connected
local=attachment-8559c85989-w9k5r/10.244.4.175:8080
remote=/10.244.2.25:44986]], Read from buffer: [0]
2019-02-18 13:22:12.735 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.a.t.websocket.server.WsFrameServer : Read [71]
bytes into input buffer ready for processing
2019-02-18 13:22:12.735 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[nio-8080-exec-9] o.a.t.websocket.server.WsFrameServer : WebSocket
frame received. fin [true], rsv [0], OpCode [1], payload length [65]
2019-02-18 13:22:12.741 DEBUG
[test-service,e248a18fb0789f6c,e248a18fb0789f6c,true] 1 ---
[ni

Re: Posting questions

2019-02-19 Thread Shivaraj
This is shivaraj, am trying to increase the URL size in httpd using the
below parameter, am also using https which is an option that we can enable
or disable it. On switching over from https to http or vice versa. Virtual
IP is redirecting every request to different server and obviously session
will not maintained, due to this i couldn't login to use my web application
hosted in apache tomcat. After removing this parameter it works as legacy.
Your help on this regard will be much appreciated. Please let me know if
you need clarifications.

Details:
LimitRequestLine 128 declared under VirtualHost tag in httpd.conf

Application Server: apachetomcat-8.5.32_1
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)


regards,
Shivaraj Sivasankaran
+91 9790177704


On Tue, Feb 19, 2019 at 6:47 PM Shivaraj  wrote:

> This is shivaraj, am trying to increase the URL size in httpd using the
> below parameter, am also using https which is an option that we can enable
> or disable it. On switching over from https to http or vice versa. Virtual
> IP is redirecting every request to different server and obviously session
> will not maintained, due to this i couldn't login to use my web application
> hosted in apache tomcat. After removing this parameter it works as legacy.
> Your help on this regard will be much appreciated. Please let me know if
> you need clarifications.
>
> Details:
> LimitRequestLine 128 declared under VirtualHost tag in httpd.conf
>
> Application Server: apachetomcat-8.5.32_1
> Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
> Server built:   Oct  3 2017 09:37:04
>
>
> regards,
> Shivaraj Sivasankaran
> +91 9790177704
>


Re: Tomcat 9_Setting property 'digest' to 'SHA-256'

2019-02-19 Thread dheeraj joshi
Thanks Christopher  and Peter, my query is answered now.

On Sat, Feb 16, 2019 at 1:54 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dheeraj,
>
> On 2/15/19 04:08, dheeraj joshi wrote:
> >> I am getting warning “Setting property 'digest' to 'SHA-256' did
> >> not find a matching property” in tomcat9-stderr.log  when I use
> >> attribute "digest" in realms.
> >>
> >> Snip from server.xml that i am using when i get error -
> >>
> >>  >> autoDeploy="true">
> >>
> >>  >> digest="SHA-256" />
> >>
> >>
> >>
> >> If I remove digest="SHA-256" from line  >> className="org.apache.catalina.realm.MemoryRealm"
> >> digest="SHA-256" /> and restart tomcat service , I don’t see this
> >> warning after it.
> >>
> >>
> >>
> >> I did search for similar error reported by other users on
> >> internet but couldn’t confirm whether I am doing correct
> >> configuration. Some people say that digest attribute is removed
> >> since Tomcat 8.5 while some suggested me to use CredentialHandler
> >> sub element rather than using digest.
> >>
> >> https://stackoverflow.com/questions/41325893/tomcat-form-based-authentication-datasourcerealm-configuration-errors
> >> ,
> >> https://mail-archives.apache.org/mod_mbox/tomcat-dev/201511.mbox/raw/%3c564a60fb.70...@gmail.com%3e
> >>
> >> I couldn’t find public documentation from Apache foundation confirming
> >> that digest should not be used with Tomcat 9. When I check docu
> >> provided with Tomcat 9 I don’t see attribute named digest listed
> >> under Memory Based Realm section
> >>
> >> https://tomcat.apache.org/tomcat-9.0-doc/config/realm.html#Memory_Based_Realm_-_org.apache.catalina.realm.MemoryRealm
> >>
> >> Can you confirm whether digest attribute can be still used in Tomcat 9 in
> >> realms, if yes then what should be the correct syntax to use it.
> >> If the use of digest is deprecated what should I be using
> >> instead?
> >>
> >> I have been using digest attribute in previous versions of Tomcat
> >> in realms and it used to work fine , problem is after Tomcat
> >> upgrade from Tomcat 6 to Tomcat 9.
>
> Peter has the correct answer in another reply, but I'd like you to
> consider whether or not using SHA-256 is something you actually want
> to do.
>
> Using a plain "digest" for password-munging is really insufficient for
> password-storage these days.
>
> Please give this presentation a good read-through to see how you can
> do a LOT better for your users:
>
> http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf
>
> -chris