Specifying a Custom Authenticator Class
I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken. I have been scouring google for info. I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great idea, and you can avoid Tomcat's standard authenticator by configuring your authenticator as a in your application's META-INF/context.xml file."

That is precisely what I want to do. But I cannot find any documentation on how to configure a different authenticator class in a context.xml file. I'm sure I'm just missing it, or I'm using totally incorrect words in the google searches to find it. Can someone please point me to the documentation for this?

Thx,
Jerry
Re: manager best practice
Greg,

On 9/28/21 06:52, Greg Huber wrote:
> Hello,
>
> Are there any best practice notes for the manager app? e.g., if I include the app in webapps I get a context on my site, do I create a long name for the folder (the url) to hide it? e.g. a folder called reallylongmanager1234567890 so I get http://xxx.site/reallylongmanager1234567890
>
> Or is there a better way?

Hiding the name is just security-by-obscurity. But in this case, it's a useful one if you want to go through the effort. No script kiddie is going to scan the internet for host/reallylongmanager1234567890, they'll try host/manager and, getting a 404, will move on to others.

At $work, we enable the RemoteAddrValve and make sure it only allows connections from localhost. It turns out this is the default these days, so I may adjust my build process to stop doing that explicitly.

We also require authentication so local miscreants, if they exist, can't mess with our applications. Well, at least non-root miscreants. ;)

We also run everything through a reverse proxy (httpd) and only map our "real" web applications from the outside world into the back-end Tomcat nodes. This is the real protection: you can't get to our manager from the outside world at all.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
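The localhost-only RemoteAddrValve that the reply above describes, written out as an added example of the manager application's META-INF/context.xml (this is not a file from the thread; the valve class name and its allow/denyStatus attributes are standard Tomcat, the commented-out weak variant and the exact patterns are constructed for illustration):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: META-INF/context.xml for the manager web application.
     privileged="true" is required because the manager uses container
     servlets; antiResourceLocking mirrors the usual manager setting. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Weak setting (left commented out on purpose): a catch-all pattern,
       or no valve at all, lets any client that can reach the connector
       present credentials to the manager. -->
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />
  -->

  <!-- Hardened setting: admit only IPv4 and IPv6 loopback addresses.
       The attribute is a Java regular expression that must match the
       whole remote address, so the dots are escaped and each alternative
       covers a complete address. Requests from any other address are
       rejected with denyStatus; 404 makes the context look absent, as
       the reply notes a scanner expects for a non-existent path. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
         denyStatus="404" />

</Context>
```

Because the valve tests the address Tomcat itself sees, a reverse proxy running on the same host would pass this check; the protection described in the reply depends on the proxy never mapping the manager path at all, so that only a local shell on the Tomcat box can reach it.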
Re: tomcat presentations on ApacheCon 2021
Mark,

On 9/27/21 16:21, Mark Thomas wrote:
> On 27/09/2021 20:27, Усманов Азат Анварович wrote:
>> Hi everyone! Does anybody know where/when to find the video/audio/slides (if any) from last week's tomcat track on ApacheCon 2021? Because I completely missed it last week. I'm assuming all of these would be added to the tomcat presentations page http://tomcat.apache.org/presentations.html or https://www.youtube.com/c/ApacheTomcatOfficial/videos at some point in time. I'm in no rush, just wanna make sure I haven't missed anything which could be useful on a daily basis. Especially considering the fact that I've had a few aha ("I wish I'd known this earlier") type moments after watching tomcat presentations before.
>
> The conference team has a few hundred videos to process. They should start to appear over the next few weeks. Mine was pretty much the same as the one from ApacheCon Asia which is already available.

+1

Also the team who processes those videos are all at another conference this week, so nothing has yet been done for ApacheCon. I'm the track chair, and I'll be helping to get the Tomcat-related talks up on YouTube as soon as possible.

-chris
Re: How can I set the version of sessionId cookie which tomcat send to the client to 0?
Kuang Neu,

On 9/25/21 04:48, Yi Kuang Niu wrote:
> As is known, when the client accesses the server, the server will create a session and send the sessionId (in the form of a cookie) to the client. But these days, I met a problem. I found the IE11 browser doesn't support the cookie if the cookie version is 1. On the client side, every time a new request is sent to the server, tomcat will always set a new sessionId as a cookie. But when I simulate manually, as tomcat does, sending the sessionId (cookie version is 0) to the client in IE11, the session works well, and the problem above didn't exist. Therefore, how can I set the configuration of tomcat to ensure it will always send the version 0 cookie of the sessionId to the client? I would be very grateful if you could help me solve this problem. Looking forward to hearing from you!

Could this be your issue? https://stackoverflow.com/a/3470/276232

If not, maybe you can give us some more information?

- Tomcat version
- Contents of cookie which is ignored
- URL you are trying to access (specifically, protocol and whether the hostname matches any domain that might be a part of the cookie)

I'm using Tomcat 8.5 and I don't get a v1 cookie. I get:

Set-Cookie JSESSIONID=[id]; Path=/context; HttpOnly; SameSite=Lax

I have manually set SameSite=Lax due to my own requirements. No version. No domain. Nothing funny.

Does anybody really use MSIE 11?

-chris
Re: Tomcat 9.0.52 http2 flow control issues
On 20/09/2021 07:28, Mark Thomas wrote:
> On 10/09/2021 11:42, Mark Thomas wrote:
>> Hi Erik,
>>
>> Thanks for the report. I'm looking at this now.
>>
>> I'm testing with a simple index page that references 3 largish images (~6MB each).
>>
>> I've found an issue with HTTP/2, sendfile and StackOverflowException that I have a local fix for.
>>
>> With that fix in place, I can see a flow control issue. Somehow, a stream is getting a larger allocation from the connection control window than the stream control window. That leads to some internal values having unexpected (negative) values and things quickly escalate to the connection closing abruptly from there.
>>
>> I'm currently looking into how this happens. I'm not sure if I am seeing a different issue to you or just a different symptom of the same issue.
>>
>> I'll keep the thread updated with progress.
>
> I found the root cause - there were further concurrency issues in the connection flow control window management. I've refactored the code to simplify the approach and (hopefully) make it more robust. I am no longer able to recreate the issue I was seeing.
>
> The fixes will be in the October release round. If anyone would like to test this sooner than that, you can build from source or I can make a test build available on request.

The 9.0.54 release vote is in progress. If you'd like to test this, details of where to get the files are on the 9.0.54 VOTE thread on the dev list. (Note: Only if the VOTE passes is this an official release. Until then it is made available for testing purposes only).

There will be an announcement on this list if the VOTE passes and the release becomes official. If all goes well, that should be early next week.

Mark