Missing TLS cipher suite definition

2021-10-08 Thread Farber, Ilja
Hi all,

I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the
cipher suites defined by RFC 6367 and RFC 6209. The ciphers are listed at
https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html

and should be valid for TLS 1.2.



For example TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

or TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256



Is there a reason why these cipher suites are not in enum Cipher?



Kind Regards,
Ilja
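The standard-names document lists every registered suite name, but whether a given JSSE provider (or Tomcat's OpenSSL/tcnative backend) actually implements a suite is a separate question, and Tomcat can only negotiate what the underlying engine offers. The following is an added example, not code from the thread or from Tomcat: it asks the running JVM which of the ARIA/Camellia suites named above are supported and enabled for TLS 1.2, so the reader can check their own platform before configuring them in the connector's `ciphers` attribute.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import javax.net.ssl.SSLContext;

/*
 * Added example (not from the thread): report JSSE support for the suites
 * the message above asks about.  "supported" means the provider implements
 * the suite; "enabled" means it is in the provider's default enabled list.
 */
public class SuiteSupportCheck {

    /** Suites named in the message above. */
    static final List<String> WANTED = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256");

    public static void main(String[] args) throws Exception {
        // A TLS 1.2 context with the default key/trust material.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);

        List<String> supported = Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites());

        for (String suite : WANTED) {
            System.out.printf("%-48s supported=%-5s enabled=%s%n",
                    suite, supported.contains(suite), enabled.contains(suite));
        }

        // Everything ARIA/Camellia this provider knows about at all.
        List<String> related = supported.stream()
                .filter(s -> s.contains("ARIA") || s.contains("CAMELLIA"))
                .collect(Collectors.toList());
        System.out.println("Provider's ARIA/CAMELLIA suites: " + related);
    }
}
```

If a suite prints `supported=false` here, adding it to Tomcat's `ciphers` list gains nothing on this JVM regardless of whether the Cipher enum knows the name; the check belongs in the deployment pipeline alongside the connector configuration.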


Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-08 Thread Javateck
Thank you Mark

Andrew

> On Oct 8, 2021, at 1:44 AM, Mark Thomas  wrote:
> 
> On 07/10/2021 22:23, Javateck wrote:
>> Hi Mark,
>> Just wondering whether we have a radar to track this; will it be in the
>> release notes for the next release?
> 
> The fix is in 9.0.54 and is listed in the changelog.
> 
> Mark
> 
>> Thanks,
>> Andrew
>> On Sep 27, 2021, at 8:54 AM, Mark Thomas  wrote:
>>> 
>>> On 27/09/2021 15:55, Mark Thomas wrote:
>>>> On 27/09/2021 09:08, Goldengate liu wrote:
>>>>> Hi Mark,
>>>>> 
>>>>> I’m uploading some test files
>>>> Thanks for the test case. I'm looking at this now.
>>> 
>>> Bug found and fixed.
>>> 
>>> One thing to note is that with chunked encoding it is possible for you to 
>>> see isReady() return true only for the subsequent read to return 0 bytes. 
>>> This happens when just (or only part of) the chunked header is available.
>>> 
>>> The sample code you provided handled this correctly.
>>> 
>>> The fix will be in the October release round. The release process for that 
>>> should hopefully start later today.
>>> 
>>> Mark
>>> 
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>> 
> 
> 
> 




Re: JASPIC Plugin for OIDC/JWT/OAuth

2021-10-08 Thread Michael Kolenda
Thanks Mark! Will take a look

On Fri, Oct 8, 2021, 5:01 AM Mark Thomas  wrote:

> On 07/10/2021 18:37, Michael Kolenda wrote:
> > Hey Tomcat Users,
> >
> > I've run into an interesting behavior with a custom JASPIC provider. When
> > there is an existing session, i.e. a JSESSIONID cookie, it appears the
> > groups/roles are not checked again... even when the new groups are
> > provided in the client Subject (JASPIC's validate()). When attempting
> > stateless authentication via JWT/OAuth, how can I ignore a previously set
> > session for an individual request?
> >
> > It appears to be based around equals() on my Principal object. I can make
> > it so Principals generated via stateless authentication protocols are
> > never equal, but then I get a new session id in the response. I don't
> > want a session id at all for this request.
>
> I'm only basing this on looking at Tomcat's source code so I may be on
> the wrong track.
>
> You probably want to set cache="false" on your authenticator. That will
> stop Tomcat trying to cache the authenticated principal in the session.
>
>  From your description and looking at the source for AuthenticatorBase,
> I think that should address the issue you are seeing.
>
> You might also want to check if alwaysUseSession has been set. If not,
> the default of false is fine but I don't think you want this set to true.
>
> Mark
>
>
>


Re: Test valve with tomcat-embed 9?

2021-10-08 Thread Mark Thomas

On 08/10/2021 11:43, Me Self wrote:

I would like to test a custom tomcat valve with tomcat-embed and junit. Is
that possible?

Found a few tomcat-embed samples on the web but most seem to only deal with
setting up a webapp - something along the lines:

@BeforeAll
public static void setup() throws LifecycleException {
   Tomcat tomcat = new Tomcat();
   tomcat.setPort(...);
   StandardContext ctx = (StandardContext) tomcat.addWebapp("/", new
File("src/main/webapp/").getAbsolutePath());

What would I need to do to add a valve? And btw. it's a maven project so
the valve is compiled to "target/classes".


https://github.com/apache/tomcat/tree/main/test/org/apache/catalina/valves

Mark






Test valve with tomcat-embed 9?

2021-10-08 Thread Me Self
I would like to test a custom tomcat valve with tomcat-embed and junit. Is
that possible?

Found a few tomcat-embed samples on the web but most seem to only deal with
setting up a webapp - something along the lines:

@BeforeAll
public static void setup() throws LifecycleException {
  Tomcat tomcat = new Tomcat();
  tomcat.setPort(...);
  StandardContext ctx = (StandardContext) tomcat.addWebapp("/", new
File("src/main/webapp/").getAbsolutePath());

What would I need to do to add a valve? And btw. it's a maven project so
the valve is compiled to "target/classes".
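One way to do what the question asks, as an added example (not code from the thread, and not Tomcat's own test harness that Mark points to): start embedded Tomcat on an ephemeral port, add a valve to the context pipeline with `getPipeline().addValve(...)`, and assert on the response from a real HTTP request. The valve, servlet and header name are stand-ins for the poster's own; JUnit 5 and the Tomcat 9 embed jars are assumed to be on the test classpath, which for a Maven project also includes `target/classes`, so the valve compiled there is visible to the test.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.io.File;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.ValveBase;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;

/* Added example: a JUnit 5 test for a custom valve on embedded Tomcat 9. */
public class HeaderValveTest {

    /** Stand-in for the poster's valve: stamps a header, then passes on. */
    public static class HeaderValve extends ValveBase {
        @Override
        public void invoke(Request request, Response response)
                throws IOException, ServletException {
            response.setHeader("X-Valve", "seen");
            getNext().invoke(request, response); // never forget to chain
        }
    }

    private static Tomcat tomcat;

    @BeforeAll
    public static void setup() throws LifecycleException {
        tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));
        tomcat.setPort(0); // OS-assigned port; read it back after start()
        // Explicitly create the default connector before starting (Tomcat 9).
        tomcat.getConnector();

        // A bare context is enough; no src/main/webapp needed for a valve test.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
        // This is the step the question asks about: add the valve to the
        // context's pipeline (use tomcat.getHost().getPipeline() for host scope).
        ctx.getPipeline().addValve(new HeaderValve());

        Tomcat.addServlet(ctx, "ok", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.getWriter().print("ok");
            }
        });
        ctx.addServletMappingDecoded("/*", "ok");
        tomcat.start();
    }

    @AfterAll
    public static void teardown() throws LifecycleException {
        tomcat.stop();
        tomcat.destroy();
    }

    @Test
    public void valveAddsHeader() throws IOException {
        int port = tomcat.getConnector().getLocalPort();
        HttpURLConnection conn = (HttpURLConnection)
                new URL("http://localhost:" + port + "/").openConnection();
        assertEquals(200, conn.getResponseCode());
        assertEquals("seen", conn.getHeaderField("X-Valve"));
    }
}
```

Because the test goes through a real connector, it also exercises what a valve does on the request path (headers, authentication state, request attributes) rather than only the valve's Java logic in isolation.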


Re: JASPIC Plugin for OIDC/JWT/OAuth

2021-10-08 Thread Mark Thomas

On 07/10/2021 18:37, Michael Kolenda wrote:

Hey Tomcat Users,

I've run into an interesting behavior with a custom JASPIC provider. When
there is an existing session, i.e. a JSESSIONID cookie, it appears the
groups/roles are not checked again... even when the new groups are provided
in the client Subject (JASPIC's validate()). When attempting stateless
authentication via JWT/OAuth, how can I ignore a previously set session for
an individual request?

It appears to be based around equals() on my Principal object. I can make
it so Principals generated via stateless authentication protocols are
never equal, but then I get a new session id in the response. I don't want
a session id at all for this request.


I'm only basing this on looking at Tomcat's source code so I may be on 
the wrong track.


You probably want to set cache="false" on your authenticator. That will 
stop Tomcat trying to cache the authenticated principal in the session.


From your description and looking at the source for AuthenticatorBase, 
I think that should address the issue you are seeing.


You might also want to check if alwaysUseSession has been set. If not, 
the default of false is fine but I don't think you want this set to true.


Mark

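The settings Mark names (here and in the earlier copy of this reply above) are attributes of Tomcat's authenticator valves, which are normally installed automatically from the web.xml `<login-config>`. Declaring the valve explicitly in the context configuration is how those attributes get set. This is an added example, not configuration from the thread; the authenticator class name is an assumption (pick the one matching your `<auth-method>`), and the weak and corrected variants are shown side by side.

```xml
<!-- Added example: META-INF/context.xml fragment.  The className is an
     assumption: Tomcat chooses the authenticator from the web.xml
     auth-method, so use the one that matches your login-config. -->
<Context>

  <!-- Weak for stateless token authentication: with cache="true" (the
       default) the authenticated Principal is stored in the session and a
       later request carrying a different token, with different roles, is
       served with the cached identity instead of being re-validated.
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         cache="true"
         alwaysUseSession="false"/>
  -->

  <!-- Corrected: run the JASPIC provider on every request and never rely on
       a session-cached Principal.  alwaysUseSession stays at its default of
       false so that authenticating does not itself create a session. -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         cache="false"
         alwaysUseSession="false"/>

</Context>
```

After the change, confirm the behaviour the original poster wanted by sending two requests with different tokens and the same JSESSIONID cookie and checking that the roles applied to the second request come from its own token, and that no Set-Cookie for JSESSIONID appears in the response.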



Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-08 Thread Mark Thomas

On 07/10/2021 22:23, Javateck wrote:

Hi Mark,

Just wondering whether we have a radar to track this; will it be in the
release notes for the next release?


The fix is in 9.0.54 and is listed in the changelog.

Mark



Thanks,
Andrew


On Sep 27, 2021, at 8:54 AM, Mark Thomas  wrote:

On 27/09/2021 15:55, Mark Thomas wrote:

On 27/09/2021 09:08, Goldengate liu wrote:
Hi Mark,

I’m uploading some test files

Thanks for the test case. I'm looking at this now.


Bug found and fixed.

One thing to note is that with chunked encoding it is possible for you to see 
isReady() return true only for the subsequent read to return 0 bytes. This 
happens when just (or only part of) the chunked header is available.

The sample code you provided handled this correctly.

The fix will be in the October release round. The release process for that 
should hopefully start later today.

Mark




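Mark's note about chunked encoding, made in this reply and in the earlier copy of the same thread above, is the kind of edge case a ReadListener has to be written for: `isReady()` can return true and the following `read()` return 0 because only the chunk-size line (or part of it) has arrived. The following is an added example, not code from the thread or from Tomcat: a javax.servlet (Tomcat 9) ReadListener that treats a zero-byte read as "try isReady() again" rather than as an error or end of stream, and caps the buffered body size so a slow or oversized chunked upload cannot exhaust heap. The size limit and the response text are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;

import javax.servlet.AsyncContext;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;

/*
 * Added example: non-blocking body reader for an async request.
 * Wire it up from a servlet with asyncSupported=true:
 *   AsyncContext ac = req.startAsync();
 *   ServletInputStream in = req.getInputStream();
 *   in.setReadListener(new ChunkedBodyReadListener(in, ac));
 */
public class ChunkedBodyReadListener implements ReadListener {

    private static final int MAX_BODY_BYTES = 1024 * 1024; // assumed limit

    private final ServletInputStream in;
    private final AsyncContext async;
    private final ByteArrayOutputStream body = new ByteArrayOutputStream();
    private final byte[] buf = new byte[8192];

    public ChunkedBodyReadListener(ServletInputStream in, AsyncContext async) {
        this.in = in;
        this.async = async;
    }

    @Override
    public void onDataAvailable() throws IOException {
        // Read only while the container promises the read will not block.
        while (in.isReady()) {
            int n = in.read(buf);
            if (n < 0) {
                // End of stream: the container calls onAllDataRead() next.
                return;
            }
            if (n == 0) {
                // Legitimate with chunked encoding: the chunk header (or part
                // of it) was readable but no payload bytes were.  Not an error
                // and not EOF; just ask isReady() again.  When no more data is
                // buffered, isReady() returns false and the loop exits.
                continue;
            }
            if (body.size() + n > MAX_BODY_BYTES) {
                // Fail closed on oversized bodies instead of buffering forever.
                throw new IOException("request body exceeds " + MAX_BODY_BYTES + " bytes");
            }
            body.write(buf, 0, n);
        }
        // isReady() returned false: the container will call onDataAvailable()
        // again when more bytes arrive.
    }

    @Override
    public void onAllDataRead() throws IOException {
        byte[] bytes = body.toByteArray();
        async.getResponse().getWriter().print("received " + bytes.length + " bytes");
        async.complete();
    }

    @Override
    public void onError(Throwable t) {
        // Release the request on I/O errors (client disconnect, bad chunk).
        async.complete();
    }
}
```

The two things to get right are the ones Mark's note implies: a zero-length read must not be mistaken for end of stream, and the loop must be gated on `isReady()` so that a read never blocks the container thread.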



