Re: Getting user role membership without context

p through the JNDIRealm with a debugger (I use > Eclipse) to see exactly what is going on. If you aren't set up for that, > enabling debug logging for the JNDIRealm should provide some insight but > it might not answer everything. > > Mark > > > On 04/08/17 21:24, Alex O'Ree

Re: Getting user role membership without context

Thanks for the clarification. To add to my description I'm running a task on the users behalf on a background thread with a task scheduler. I need to get the roles when the task is ran in case of a change in role membership between the time the task is scheduled and when it is executed. It

Getting user role membership without context

Hi Tomcat folks! I have a use case where i have reoccuring background process (quartz job) that needs to perform access control checks against a user prinicple. Normally, user role membership is only accessible via one of the http session, servlet request, objects, etc. Question, is there a way

Re: Getting user role membership without context

there's a way to get a reference to the realm via some static reference? On Jul 15, 2017 4:53 AM, "André Warnier (tomcat)" <a...@ice-sa.com> wrote: > On 15.07.2017 00:46, Alex O'Ree wrote: > >> Hi Tomcat folks! >> >> I have a use case where i have reoc

Re: Getting user role membership without context

P defined group or role into what the application is expecting. Am I on the right path here? On Sun, Jul 16, 2017 at 6:18 PM, Alex O'Ree <alexo...@apache.org> wrote: > bugger, this time replying with the correct reply address. Not sure > if the previous reply went through. > &g

Re: Getting user role membership without context

as it will probably be more sustainable in the long run On Sun, Jul 16, 2017 at 3:55 PM, Mark Thomas <ma...@apache.org> wrote: > On 16/07/17 15:31, Alex O'Ree wrote: >> Thanks for the clarification. To add to my description >> >> I'm running a task on the users be

Re: Getting user role membership without context

in ApplicationContextFacade and ApplicationContext I'll also further investigate the JMX/Mbean method with JNDI as it will probably be more sustainable in the long run On Sun, Jul 16, 2017 at 3:55 PM, Mark Thomas <ma...@apache.org> wrote: > On 16/07/17 15:31, Alex O'Ree wrote: >> Thanks for th

Re: Getting user role membership without context

Nice, any idea which method I need to call? On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote: > On 18/07/17 17:41, Alex O'Ree wrote: > > Alright, quick update on this. > > > > At this point, I have servlet context and a username running off the

Re: Storing JNDI binding password using encryption

her Schultz <ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 7/19/17 1:53 PM, Alex O'Ree wrote: >> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org> >> wrote: >>> On 19/07/1

Re: Storing JNDI binding password using encryption

wrote: > On 19/07/17 16:22, Alex O'Ree wrote: >> Assuming I had access to a reversible encryption mechanism and wanted >> to store the JNDI binding password in an encrypted form by extending >> the JNDIRealm class, which method should i override to encrypt the >> passwor

Re: Getting user role membership without context

..@apache.org> wrote: > On 18/07/17 23:21, Alex O'Ree wrote: >> Nice, any idea which method I need to call? > > You already have the Context so you want > > Context.findChildren() > > for a list of all the Wrappers (and it is the wrapper object you need) or > > Con

Re: Getting user role membership without context

Got it to work! Thanks Mark! On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas <ma...@apache.org> wrote: > On 19/07/17 15:34, Alex O'Ree wrote: >> Context.findChild and findChildren returns an instance of "Container". >> It looks like StandardWrapper extends Container,

Storing JNDI binding password using encryption

Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should i override to encrypt the password stored in server.xml on the fly?

Re: Getting user role membership without context

text, it's returning false. I'm assuming there's something wrong with the JNDI realm configuration but since it works correctly under normal circumstances and not using the reflection solution, I'm a bit puzzled and am unsure how to proceed. On Wed, Jul 19, 2017 at 11:20 AM, Alex O'Ree

Re: Question - JVM Host display page

Try Tomcat/webapps/root/index.jsp On Aug 6, 2017 7:44 AM, "bebe böbe" wrote: > Hi, > > I reserved the domain "palibacsi.de" with "JVM Host". > When someone visits the page, I want it to display my "index.html" file. > Instead it now displays the Tomcat homepage. > How

Re: publishing tomcat server as maven artifact

They weren't, other than that releases were happening at some point. Ahh sorry you're right. What about the other variants, such as the windows x64 builds with the service wrappers? On Sat, Sep 23, 2017 at 4:05 AM, Mark Thomas <ma...@apache.org> wrote: > On 23/09/17 02:27, Alex O'

tomcat7 eol date?

Is there an approximate or estimated date in which ASF will stop supporting patches for Tomcat7? I'm assuming that the tomcat major versions are tied to oracle's support for the JRE, which implies that when oracle stops supporting JRE7 that tomcat7 support will stop around the same time. Is that

publishing tomcat server as maven artifact

In light of the recent security issues, has the tomcat dev's ever consider publishing the tomcat server as a maven artifact? I just tomcat as a base server for Apache jUDDI and for several other projects whereby I create preconfigured tomcat instance. It's also super useful for integration

Re: URL-encoding and "#"

Well that explains a lot. Similar issue for me. With url encoding, tomcat is dropping back slash and the plus symbol. On Oct 13, 2017 3:01 AM, "Mark Thomas" wrote: > On 13/10/2017 07:38, Peter Kreuser wrote: > > Chris, > > > > > > > > > > Peter Kreuser > >> Am 13.10.2017 um

Re: URL-encoding and "#"

...@flyingfischer.ch <i...@flyingfischer.ch> wrote: > Am 13.10.2017 um 12:48 schrieb Alex O'Ree: >> Well that explains a lot. Similar issue for me. With url encoding, tomcat >> is dropping back slash and the plus symbol. > > While I think it is perfectly eligible to strive for

Re: Tomcat unstable after updating apache http client

Ill see if I can make a test war they'd reduces it to the minium. On Oct 5, 2017 8:04 AM, "Mark Thomas" <ma...@apache.org> wrote: On 05/10/17 12:12, Alex O'Ree wrote: > I ran into a strange issue the other day. Running tomcat 7.0.81. I have a > war file with apache h

Tomcat unstable after updating apache http client

I ran into a strange issue the other day. Running tomcat 7.0.81. I have a war file with apache http client vs 4.3.3. I was having some issues with my code in the war and experimented with updating the http client to 4.5.3. The result was bizarre. Tomcat would start as normal but stop serving

Re: Invalid characters in request header

Is there a way too log whatever the offending header was? On Sep 9, 2017 6:30 AM, "Martynas Jusevičius" wrote: > Well then you're out of luck. Everything is as expected though, at least on > your end -- client sends invalid request, gets error response. What else do >

Re: installing certificates

Graphical keystore tool - http://keystore-explorer.org/ It may make things easier On Mon, Oct 9, 2017 at 6:13 PM, Adam Pease wrote: > Hi Chris, > Many thanks for the quick response! There's a lot of new terminology (to > me) to all this and it's quite confusing

Re: Skip resource path in TLD scanner?

I'm having similar issues after updating from tomcat7 to tomcat8.5. The build script for my app adds some sql drivers to tomcat's lib folder, specifically the derby driver. On bootup tomcat logs a ton of error messages saying that it couldn't find (what looks to be) internationalized resource

tomcat with laptop + windows sleep

I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I used to be able to put a computer to "sleep" with tomcat running. On resume, everything would be just fine. On tomcat 8.5, i'm noticing that all database connections are basically dropped and do not appear to to restart/resume

Re: tomcat with laptop + windows sleep

-- > Hash: SHA256 > > Alex, > > On 5/22/18 7:39 PM, Alex O'Ree wrote: > > I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I > > used to be able to put a computer to "sleep" with tomcat running. > > On resume, everything would be just fin

Re: tomcat with laptop + windows sleep

I did not copy any tomcat specific jars. I have validation queries implemented programmatically. On Sun, Jun 3, 2018 at 8:44 AM, Felix Schumacher < felix.schumac...@internetallee.de> wrote: > > > Am 02.06.2018 um 20:51 schrieb Alex O'Ree: > >> I think I've narrowed it d

Re: tomcat with laptop + windows sleep

: > > > Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree : > >Yes it is a tomcat managed data source with postgres. The cpu usage is > >my > >app trying to get a managed data source. Perhaps the jdbc driver is the > >issue. .. > > Care to post your configuration? Ma

Requirements for servlet session attributes?

I was working on attempting to increase performance on a web app which calls a jaxws service on behalf of the user. The process for creating the jaxws client is somewhat slow so I was to try and cache the the jaxws client object as an HTTP session attribute. It doesn't work for some reason. What

Programmatically unlocking an account?

Is it possible to programmatically unlock an account that's been locked via the lockoutrealm and the simple xml user store? If so, how?

Re: Programmatically unlocking an account?

D MESSAGE- > Hash: SHA256 > > Alex, > > On 6/25/18 3:24 PM, Alex O'Ree wrote: > > Is it possible to programmatically unlock an account that's been > > locked via the lockoutrealm and the simple xml user store? > > Regardless of the user-storage mechanism, the

Re: Requirements for servlet session attributes?

" wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 7/1/18 7:48 AM, Alex O'Ree wrote: > I was working on attempting to increase performance on a web app > which calls a jaxws service on behalf of the user. The process for > creating the jaxws client is somewhat slow so

Re: Valve to dump response messages?

wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 1/13/18 9:03 PM, Alex O'Ree wrote: > > After googling, I've found the request dumper valve, but I was > > wondering if there was an equivalent for response content? I have > > been abl

Re: No movement at Debug mode

Do you mean you cannot get a debugger to attach to Tomcat and thus step through your app? Make sure you start tomcat with "catalina jpda run". I think it listens on port 8000 by default. You can then use just about any IDE to attach the debugger via JPDA to localhost port 8000. On Sun, Jan 21,

Re: ALv2 Tomcat Training material

Understanding web.xml Understanding webapps without web.xml Security, authn and authz, ldap setups fIle system permissions On Jan 25, 2018 6:04 AM, "Mark Thomas" wrote: > On 08/01/18 09:39, Mark Thomas wrote: > > On 05/01/18 22:09, Don Flinn wrote: > >> Hi Mark, > >> > >> I

jsp precompile options

Using tomcat 8.5... I have a web app that still uses jsp's and i'm looking into a few options to (a) aid development and (b) reduce or eliminate the need for the JDK in a production setup and just run a JRE. (a) Making development easier. My project is maven based and I'd like to run some kind

Re: jsp precompile options

Mark, thanks for the clarification. I don't know why I assumed it was needed. Awesome! Juan, I'll give that one a shot, thanks! On Sun, Jan 28, 2018 at 5:45 AM, Mark Thomas <ma...@apache.org> wrote: > On 27/01/18 13:35, Alex O'Ree wrote: > > Using tomcat 8.5... > >

How does tomcat handle session ids?

I was recently perusing security implementation guides and ran across one that required that sessions id's be "destroyed" after use and not reused. >From my understanding, it looks like the java/tomcat/servlet equivalent is the jessionid. I'm assuming this is probably a randomly generated id but I

web socket user roles

Is there any kind of trickery to get user roles from a web socket server running in tomcat? I'm looking at javax.websocket.Session and I'm not seeing anything other than obtaining the user principle. Further more, aside from SSL/TLS, are there any other security related guides that I should be

Re: web socket user roles

I think I answered my own question. Looks like `ServerEndpointConfig.Configurator` is the class i want and it can be attached to annotations of the web socket endpoint On Fri, Feb 9, 2018 at 4:42 PM, Alex O'Ree <alexo...@apache.org> wrote: > Is there any kind of trickery to get user r

Re: TomcatCon Training: Tomcat for Administrators

@Mark I just found the videos from the last tomcatcon. I actually watched/listened to them all. Great to here the inside scoop on stuff, hope you all make more! I think i must have ran into most of the issues that were discussed and rewrote most of my application (primarily due to me using

Re: Error parsing HTTP request header, HTTP method names must be tokens

Thanks. I'll try the logging change to see if i can at least narrow it down a bit more. On Wed, Feb 21, 2018 at 7:49 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote: > 2018-02-21 22:19 GMT+03:00 Alex O'Ree <alexo...@apache.org>: > > That's the error message. The prob

Http with client certificate authentication

Howdy folks, If I setup a tomcat connector in server.xml with clientAuth="true" and have the key store for tomcat and a trust store is the following true? - all public key certificates issued by CA's the trust store are allowed in? - all user public key certificates in the trust store are

Possibility of simplifying a UI vs services war setup

Hi everyone, yet another email. I'm not too sure who to ask but I figured the tomcat crew would be a good place to start. Maybe SO is more appropriate I have a two web app (war files) system, one containing just the UI and the other containing a collection of CXF soap services and some rest

Re: using default cacerts AND custom keystore

anything related to SSL, key stores, trust stores, X509 certificates, etc will do that to you! On Mon, Feb 19, 2018 at 9:16 AM, Chris Cheshire wrote: > On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz > wrote: > > -BEGIN PGP SIGNED

Re: Error parsing HTTP request header, HTTP method names must be tokens

e, Feb 20, 2018 at 4:01 PM, Alex O'Ree <alexo...@apache.org> wrote: > > I keep running into the an IllegalArgumentException at or near startup of > > tomcat 8.5 with a bunch of cxf web services deployed and I have no idea > > what's causing it. The error message mentions tu

Error parsing HTTP request header, HTTP method names must be tokens

I keep running into the an IllegalArgumentException at or near startup of tomcat 8.5 with a bunch of cxf web services deployed and I have no idea what's causing it. The error message mentions turning on logging at the debug level. Question: Assuming i need to edit the logging.properties file,

Re: Programmatically unlocking an account?

No problem. Thanks! On Mon, Aug 13, 2018, 3:52 AM Mark Thomas wrote: > On 13/08/18 00:32, Alex O'Ree wrote: > > Thanks everyone. Would it be possible to get this backported to 8.5? > > Done. Although I'm afraid it just missed the cut for the 8.5.33 release. > It will be

Re: Programmatically unlocking an account?

Thanks everyone. Would it be possible to get this backported to 8.5? On Tue, Jun 26, 2018 at 12:17 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 6/25/18 8:49 PM, Alex O'Ree wrote: >

Re: user lockout realm, logging ip addresses

, 2018 at 9:58 AM, Alex O'Ree wrote: > after looking at the code, it's not a simple 1 liner and would require a > number of api changes. I was able to get it working, but it is a large > change set. Anyone that extends or builds a custom one of these: > -Realm > -AuthenticatorBase

org.apache.tomcat.jdbc.pool casting to original connection class

I have a use case where i need to downcast a pooled database connection down to the native class that is in use for the driver. Unfortunately I don't see any APIs that I can use to do this. Is there any backdoors or mechanisms I can use? Background, I'm using postgres with tomcat 8.5 and need to

Re: org.apache.tomcat.jdbc.pool casting to original connection class

Perfect, thanks On Fri, Aug 24, 2018, 5:05 PM Torsten Krah wrote: > The isWrapperFor(..) and unwrap(..) methods on the connection API should > work for this. >

Re: org.apache.tomcat.jdbc.pool casting to original connection class

>From what i understand, the postgres jdbc driver does support reading/writing from a result set or command via a input or output stream, however from my testing, it looks like it just buffers the whole thing in memory. I actually had one case where i was able to insert 1.2GB of content into a

user lockout realm, logging ip addresses

Is it possible to configure the user lockout realm to log what ip address the failed login attempt came from? I know the information needed will also be in the access log but added it to the "attempt to login from a locked account" message would be super helpful. Would it be more advisable to

programmatically adding new users to tomcat-users.xml

I'd like to provide users a mechanism to create their own user accounts via browser instead of requiring access to the server + editing xml files. I found this solution here https://stackoverflow.com/a/39770319/1203182 and i found the APIs here

Re: user lockout realm, logging ip addresses

impact. I'm not sure how this community feels about API changes and backwards compatibility. For the PR, do you all have a branch naming strategy? On Sat, Aug 18, 2018 at 8:20 AM, Alex O'Ree wrote: > Cool beans. I can do a PR if there's interest. > > On Sat, Aug 18, 2018 at 7:59 AM, Ch

Re: org.apache.tomcat.jdbc.pool casting to original connection class

I figured it out. Classpath issue. I had the postgres driver in my web app and in tomcat's lib folder. Removing from the web app fixed it. On Mon, Aug 27, 2018 at 9:47 AM Alex O'Ree wrote: > Unfortunately, it's not working. I've tried unwrap for both > org.postgresql.jdbc.PgConnection (co

Re: org.apache.tomcat.jdbc.pool casting to original connection class

I'm storing large files. Postgres has a limit for blobs and uses a different api for larger stuff. Cut off is 1gb On Mon, Aug 27, 2018, 7:19 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > >

Re: user lockout realm, logging ip addresses

Cool beans. I can do a PR if there's interest. On Sat, Aug 18, 2018 at 7:59 AM, Christopher Schultz < ch...@christopherschultz.net> wrote: > Mark and Alex, > > > On Aug 18, 2018, at 05:46, Mark Thomas wrote: > > > >> On 18/08/18 10:36, Olaf Kock wrote: > >

Re: org.apache.tomcat.jdbc.pool casting to original connection class

Unfortunately, it's not working. I've tried unwrap for both org.postgresql.jdbc.PgConnection (concrete class) and org.psotgresql.PGConnection (interface) and both of them fail to unwrap. Any other suggestions? On Sun, Aug 26, 2018 at 10:04 AM Alex O'Ree wrote: > Perfect, thanks > > On

websocket endpoints not released

I ran into a strange issue today. Running tomcat 8.5 with a websocket endpoint + some javascript to wire up a browser to the socket. All works as normal, however sometimes if the user refreshes the browser, it seems as if second web socket is opened by the browser. This leads to the user seeing

Valve to dump response messages?

After googling, I've found the request dumper valve, but I was wondering if there was an equivalent for response content? I have been able to rig up a http servlet filter that can capture and log response messages but i was looking for a more universal way to accomplish this for all http

Re: intermittent connectivity failure under ssl

, you'll need a windows box to replicate (x64) On Fri, Mar 9, 2018 at 3:01 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 3/9/18 2:50 PM, Mark Thomas wrote: > > On 09/03/18 19:39, Alex

Re: intermittent connectivity failure under ssl

that comes with the windows build of tomcat has something wrong with it. On Mon, Mar 5, 2018 at 9:29 AM, Alex O'Ree <spyhunte...@gmail.com> wrote: > thanks. what else could be cause this? Chrome says error empty response > frequently > > On Mon, Mar 5, 2018 at 9:27 AM,

SSL: Unexpected end of file from server

I have a CXF web service client accessing a CXF SOAP service running in tomcat. I'm seeing intermitent issues only when using SSL and I'm not entirely sure why. The client logs the following SocketException: Unexpected end of file from server at sun.net.www.http.Client.parseHTTPHeader I'm using

Re: Tomcat Silent Remote Uninstall - How to do it?

Pretty sure there is a script in the bin folder that can be ran from an elevated the command line. Something like 'service install', then call 'net start tomcat8' On Fri, Apr 20, 2018 at 4:53 PM, < ross.a.reichenber...@wellsfargo.com.invalid> wrote: > Hello, > I need to know how to silently

User session validation

Does tomcat do any validation on session id's based on up addresses? I'm thinking that if some one intercepts the session token and tries to use it from another ip address, then it's feasible to detect this and invalidate the session.

Re: User session validation

Thanks for the info On Thu, Mar 29, 2018, 12:30 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 3/28/18 7:20 PM, Alex O'Ree wrote: > > Does tomcat do any validation on session id's

Tomcat shutdown, webapp vs database pools

I have a war file that defines a context.xml file, some cxf based web services and a few other background tasks using quartz that are initialized in a servlet context listener. When tomcat shuts down, it appears that tomcat stops the database connection pool before the cxf services or the quartz

Re: Tomcat shutdown, webapp vs database pools

Thanks for the info. I'll investigate further into the listeners. On Sat, Mar 17, 2018 at 4:27 AM, Mark Thomas <ma...@apache.org> wrote: > On 16/03/18 22:42, Alex O'Ree wrote: > > I have a war file that defines a context.xml file, some cxf based web > > services and a few o

Re: intermittent connectivity failure under ssl

be related to the problem as it looks like the protocol attribute must be one of HTTP/1.1, etc. Assuming this is the issue, which attribute can i used to specify my overridden class? On Fri, Mar 2, 2018 at 1:58 PM, Alex O'Ree <alexo...@apache.org> wrote: > Remy, what more information

Re: intermittent connectivity failure under ssl

thanks. what else could be cause this? Chrome says error empty response frequently On Mon, Mar 5, 2018 at 9:27 AM, Rémy Maucherat <r...@apache.org> wrote: > On Mon, Mar 5, 2018 at 2:59 PM, Alex O'Ree <alexo...@apache.org> wrote: > > > I may be on to something. I found

Re: intermittent connectivity failure under ssl

Remy, what more information would you like? Any more info on the issue that you are referencing? On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat <r...@apache.org> wrote: > On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree <alexo...@apache.org> wrote: > > > Ran into a strange pr

Re: No reliable way to know if the request emerged from localhost

I think this means, no remote http access, but allow admins remote desktop access. Once in a local desktop sessions, allow the http access since the request comes from local host This issue is get remote address usually returns a non loop back ip address, even if the url was to localhost On

intermittent connectivity failure under ssl

Ran into a strange problem, not too sure what the problem is. Basically, I'm getting intermittent connectivity from a http client to tomcat but only through SSL using the Http11NioProtocol. Some http requests go through, others fail with the stack trace below. Usually, restarting tomcat fixes it,

Re: tomcat with laptop + windows sleep

I also see a lot of jdbc/my name is not bound in this context. Unable to find jdbc On Thu, May 24, 2018, 5:30 PM Alex O'Ree wrote: > Yes it is a tomcat managed data source with postgres. The cpu usage is my > app trying to get a managed data source. Perhaps the jdbc driver is the &

Re: tomcat with laptop + windows sleep

un 3, 2018 at 11:13 AM, Alex O'Ree wrote: > I did not copy any tomcat specific jars. I have validation queries > implemented programmatically. > > On Sun, Jun 3, 2018 at 8:44 AM, Felix Schumacher internetallee.de> wrote: > >> >> >> Am 02.06.2018 um 20:51 schrieb Al

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

Is there perhaps a patch that can be applied or better yet, a list of jars that are were affected by this? (I'm just trying to find a simple way to patch a large volume of servers) On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

AM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 10/14/18 18:06, Alex O'Ree wrote: > > Is there perhaps a patch that can be applied or better yet, a list > > of jars that are wer

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

Roger that, thanks On Thu, Oct 18, 2018, 9:38 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 10/18/18 11:08, Alex O'Ree wrote: > > Basically. I start with the tomcat distro, apply m

Re: Tomcat with half open tcp sockets

Sorry, mobile typo. Soap stack, as in cxf, axis, sun jaxws ri On Thu, Oct 4, 2018, 12:57 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 10/3/18 20:25, Alex O'Ree wrote: > > T

Tomcat with half open tcp sockets

Does tomcat detect or mitigate against half open tcp connections? I recently ran into an issue where something in between a java jaxws client and a jaxws service running in tomcat is interfering with the tcp stream. Resolving this client side has been a challenge due the transmitting thread

Re: Tomcat with half open tcp sockets

< ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 9/29/18 08:31, Alex O'Ree wrote: > > Does tomcat detect or mitigate against half open tcp connections? > > Not directly. Basically, that's the OS's job

Re: JMS Testing

JMS is a programming api that is an abstraction for a messaging service. There's a bunch of implementations of the JMS API, such like car's have the same human to car interface (steering wheel, pedals, etc), however there's tons of types and manufacturers. Tomcat serves up web content. Some JMS

Re: on 8.5.40, random tmpFile.renameTo with jsp files

: > On 06/06/2019 20:38, Alex O'Ree wrote: > > I've upgraded from .34 to .40 somewhat recently (on windows) and have > been > > getting random errors rendering jsp pages recently. The trace is always > > related to jasper failing to rename a file. I'm not really sure what the

on 8.5.40, random tmpFile.renameTo with jsp files

I've upgraded from .34 to .40 somewhat recently (on windows) and have been getting random errors rendering jsp pages recently. The trace is always related to jasper failing to rename a file. I'm not really sure what the issue is. Has anyone seen this or something similar? Usually retrying the

Re: on 8.5.40, random tmpFile.renameTo with jsp files

Yes I can give it a try. > One more idea. Virus scanner locking files? I've seen it on systems with and without a/v. On the system with it, I was able to temporarily disable it but still got on the tmp.rename error. On Mon, Jun 10, 2019 at 2:48 PM Mark Thomas wrote: > On 10/06/2019 12:08, Alex

Re: on 8.5.40, random tmpFile.renameTo with jsp files

I am on windows 7. Same partition as the os. On Mon, Jun 10, 2019, 3:20 AM Mark Thomas wrote: > On 07/06/2019 15:35, Alex O'Ree wrote: > > HTTP Status 500 – Internal Server Error > > Type Exception Report > > > > Message Unable to compile class for JSP > > >

Re: on 8.5.40, random tmpFile.renameTo with jsp files

BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alex, > > On 6/10/19 03:20, Mark Thomas wrote: > > On 07/06/2019 15:35, Alex O'Ree wrote: > >> HTTP Status 500 – Internal Server Error Type Exception Report > >> > >> Message Unable to compile c

Re: on 8.5.40, random tmpFile.renameTo with jsp files

jsps, now it's closer to 1 of 400. Definitely better, but is it because of the update to the newer code base or is it due to the code change i made. I'll do some more experiments tomorrow to try and narrow it down On Mon, Jun 10, 2019 at 3:32 PM Alex O'Ree wrote: > > Anything unusual

Re: Jmx example for adding or removing users?

i missing something? On Fri, Apr 26, 2019 at 7:14 PM Alex O'Ree wrote: > Ahh perfect, thanks. > > On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas wrote: > >> On 26/04/2019 12:11, Alex O'Ree wrote: >> > I am looking for a way to programmatically add or remove user accou

Re: Jmx example for adding or removing users?

Ahh i missed the exception, had the logs redirected. thanks On Fri, May 10, 2019 at 3:46 AM Mark Thomas wrote: > On 10/05/2019 03:45, Alex O'Ree wrote: > > Well less than perfect. Tomcat out of the box is setup with the users xml > > file. What's ex

Re: Jmx example for adding or removing users?

the answer is no but I may have missed something. Can anyone confirm this? On Fri, May 10, 2019 at 7:07 AM Alex O'Ree wrote: > Ahh i missed the exception, had the logs redirected. thanks > > On Fri, May 10, 2019 at 3:46 AM Mark Thomas wrote: > >> On 10/05/2019 03:45

Re: Jmx example for adding or removing users?

Ahh perfect, thanks. On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas wrote: > On 26/04/2019 12:11, Alex O'Ree wrote: > > I am looking for a way to programmatically add or remove user accounts > > using tomcats user xml file as a store without restarting tomcat. Can > this >

Jmx example for adding or removing users?

I am looking for a way to programmatically add or remove user accounts using tomcats user xml file as a store without restarting tomcat. Can this be done using jmx?

Re: Is it possible to disable JMX?

you may have to edit catalina.bat and add --no-jmx to the command line On Mon, Aug 26, 2019 at 2:05 PM Pascal Schumacher wrote: > |Hi, > > according to https://tomcat.apache.org/tomcat-9.0-doc/changelog.html it > should be possible to disable JMX when using Tomcat 9.0.20+. > > I tried different

Re: how to enable OCSP for Tomcat w OpenSSL

This thread was super useful. thanks for sharing On Wed, Apr 17, 2019 at 3:29 PM John Palmer wrote: > I'm still struggling with getting APR/OpenSSL to do the OCSP check. > > I'd appreciate some tips: > versions: Java 8 (1.8.0_202), 64-bit, tomcat 8.5.38, APR 1.2.21 > using APR/OpenSSL (the

Re: Intermittent JSP Caching/Compiling Issue while under load

Sounds a lot like the issue I reported a few months ago On Mon, Nov 4, 2019, 3:12 PM Tim K wrote: > On Mon, Nov 4, 2019, 10:30 AM Mark Thomas wrote: > > > > > Thanks. That helps as it means the issue should be reproducible on a > > single, stand-alone instance. > > > > Mark > > > > I was

Re: user self registration/account creation

thanks i'll look into it On Mon, Oct 7, 2019 at 3:36 AM Mark Thomas wrote: > On 06/10/2019 20:31, Alex O'Ree wrote: > > i have a password protected web app and would like to provide users with > > the ability to self register for a new account. looks like the easiest

  1   2   >