Re: Duplicate accept detected. This is a known OS bug.

2022-02-09 Thread Mark Thomas
On 09/02/2022 17:54, jonmcalexan...@wellsfargo.com.INVALID wrote: Hi all, I have an application team occasionally getting the following exception with their application. They are currently using Tomcat 9.0.56. I'm not finding much on the intertubes in regards to this. Does anyone have any info

Re: Odd EL resolution issue - java.lang.NoClassDefFoundError: package/Class1 (wrong name: package/class1)

2022-02-08 Thread Mark Thomas
On Tue, Feb 8, 2022 at 7:55 AM Robert Turner wrote: Thanks Mark. Much appreciated. On Tue., Feb. 8, 2022, 04:06 Mark Thomas, wrote: Robert, Thank you for putting the effort in to debugging this. Narrowing down the issue to a simple test case is extremely helpful. The behaviour you descri

Re: Odd EL resolution issue - java.lang.NoClassDefFoundError: package/Class1 (wrong name: package/class1)

2022-02-08 Thread Mark Thomas
Robert, Thank you for putting the effort in to debugging this. Narrowing down the issue to a simple test case is extremely helpful. The behaviour you describe looks odd to me. I'd expect consistent behaviour across platforms irrespective of the case sensitivity of the file system in use. I

Re: How do I post a question with the users?

2022-02-08 Thread Mark Thomas
Please do not hijack threads. Do not reply to an existing message and change the subject. Start a new message for a new topic. Mark On 08/02/2022 00:26, Shakila Rajaiah wrote: Hi Chris, I deployed a java war file to a remote windows server. However the Tomcat server stops running after a fe

Re: AW: AW: Redirect with 301 for directory requested without trailing slash

2022-02-05 Thread Mark Thomas
fairly low risk of problems there. Mark -chris -Original Message- From: Mark Thomas Sent: Thursday, 3 February 2022 17:41 To: users@tomcat.apache.org Subject: Re: AW: Redirect with 301 for directory requested without trailing slash I didn't see a commit in the

Re: AW: Redirect with 301 for directory requested without trailing slash

2022-02-03 Thread Mark Thomas
urce code, but now I think the DefaultServlet somehow also commits the response. So what else could I do? Make the response buffer bigger? Do you see any other possibility? -Original Message- From: Mark Thomas Sent: Wednesday, 2 February 2022 18:08 To: users@tomcat.apache.org

Re: Redirect with 301 for directory requested without trailing slash

2022-02-02 Thread Mark Thomas
On 02/02/2022 15:21, Benny Kannengießer wrote: Hi, I wonder how I could achieve that Tomcat sends a 301 (permanent redirect) instead of 302 (temporary redirect) when a directory is requested without a trailing slash. Currently, when Tomcat receives a request like http:///some-directory

Re: Tomcat 9 Session replication

2022-02-01 Thread Mark Thomas
example to which I'm using on both nodes which are remote to each other. -Original Message- From: Mark Thomas Sent: 28 January 2022 18:15 To: users@tomcat.apache.org Subject: Re: Tomcat 9 Session replication On 28/01/2022 17:05, Alan F wrote: We are currently

Re: Tomcat 9 Session replication

2022-01-28 Thread Mark Thomas
On 28/01/2022 17:05, Alan F wrote: We are currently getting traffic from all cluster members in other environments using .staticmember opposed to multicast can I confirm why this is see below. What do we need to set here for a clustered pair to make them unique and talk to each other only witho

Re: Tomcat 7 - Log4j Vulnerability Guide Request

2022-01-28 Thread Mark Thomas
Further, Apache Tomcat 7 reached end of life as of 31 March 2021 and is no longer supported by this community. This means we no longer assess Tomcat 7 against reported security vulnerabilities so even if your client is running the latest Tomcat 7 version available, 7.0.109, there have been a n

Re: HttpHeaderSecurityFilter does not work for URLs specified in security-constraint

2022-01-28 Thread Mark Thomas
On 28/01/2022 13:28, Jasvant Singh wrote: The HttpHeaderSecurityFilter works for all URLs except the pattern provided in setting. That is expected. Security constraints are applied before the control is passed to the web application. Any help is really appreciated. Is this really an

[SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation

2022-01-26 Thread Mark Thomas
CVE-2022-23181 Apache Tomcat Local Privilege Escalation Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M8 Apache Tomcat 10.0.0-M5 to 10.0.14 Apache Tomcat 9.0.35 to 9.0.56 Apache Tomcat 8.5.55 to 8.5.73 Description: The fix for bug CVE

Re: Jax-RS problem with Tomcat 10

2022-01-26 Thread Mark Thomas
On 23/01/2022 08:13, Julien Bréda wrote: Hello, I've been trying for days to run a Jax-RS application in the following environment : - Tomcat 10.0.16 - Windows 11 - Eclipse 2021-12 and I finally found something weird. I tried with two different implementations (RESTeasy and Jersey) and I get

Re: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Mark Thomas
On 21/01/2022 09:29, Jaebo Nah wrote: Dear all, I want to use a Tomcat apache-tomcat-10.0.14 with https . The Linux Server have multiple ip Address with different Domain Names 10.100.142.30  =   one.domain.loc 10.100.142.31  =   two.domain.loc 10.100.142.32  =   three.domain.loc When I try

[ANN] Apache Tomcat 10.0.16 available

2022-01-20 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.16. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $

[ANN] Apache Tomcat 10.1.0-M10 (alpha) available

2022-01-20 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M10 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Tomcat jdbc connections

2022-01-20 Thread Mark Thomas
On 20/01/2022 14:33, Alan F wrote: I have an issue with connections on Tomcat9 Oracle showing connections made for about 2seconds then dropped again. Is this normal when the server is not being used? Seems unlikely. Can you provide the DataSource configuration? Remember to obfuscate any sen

Re: Tomcat dedicated server

2022-01-20 Thread Mark Thomas
On 20/01/2022 08:54, Olaf Kock wrote: My rule of thumb is: The more memory there is to be claimed in GC, the longer a full GC run takes. Nope. The time a GC run takes is proportional to the size of objects in memory that do not need to be GC'd. GC walks the active object tree so it is the

Re: Configuring TLS JSSE vs OpenSSL

2022-01-19 Thread Mark Thomas
On 18/01/2022 23:16, Christopher Schultz wrote: All, There are a bunch of parameters in SSLHostConfig which are documented[1] to be "OpenSSL Only" and "JSSE only". I thought we made it so either configuration could be used with either underlying crypto engine. Is that not true? Or is it only

Re: How to implement Surge protection mode on Tomcat

2022-01-19 Thread Mark Thomas
On 19/01/2022 09:37, Levent KAYA wrote: Hi All, Is there "Surge protection mode" feature on data source definition on Tomcat ? No. I'm not convinced it is necessary. A well configured database connection pool should handle spikes in demand. Mark Surge protection is designed to prevent o

Re: birthdate of AbstractHttp11Protocol.setRejectIllegalHeader

2022-01-16 Thread Mark Thomas
che issue is of less importance to me. Thanks, rjs On Jan 15, 2022, at 4:21 AM, Mark Thomas wrote: On 15/01/2022 02:42, Rob Sargent wrote: With version number as a surrogate date. I didn’t see any mention in the changelog. Look again. I see it in https://nightlies.apache.org/tomc

Re: birthdate of AbstractHttp11Protocol.setRejectIllegalHeader

2022-01-15 Thread Mark Thomas
On 15/01/2022 02:42, Rob Sargent wrote: With version number as a surrogate date. I didn’t see any mention in the changelog. Look again. I see it in https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html You w

Re: Obtaining jvmRoute from filter

2022-01-14 Thread Mark Thomas
On 14/01/2022 14:50, Christopher Schultz wrote: But I'm not sure how to get the "[Service]" name. I can cast HttpServletRequest to o.a.c.connector.Request and from there I can get the o.a.coyote.Request but neither of those seem to have access to the engine, service, etc. I could make it a c

Re: HTTP2 : WINDOW_UPDATE not sent on stream level

2022-01-13 Thread Mark Thomas
On 13/01/2022 21:45, Doug Whitfield wrote: Hi Mark, In the newly opened bug report about this (https://bz.apache.org/bugzilla/show_bug.cgi?id=65773), you noted that logging at level FINE would show what is happening. What exactly are we looking at when it says it “Swallowed [0] bytes”? I c

Re: Obtaining jvmRoute from filter

2022-01-13 Thread Mark Thomas
On 13/01/2022 21:31, Christopher Schultz wrote: All, Does anyone know if it's possible and/or convenient to fetch the jvmRoute from a servlet filter? I'd like to write a Filter that puts some information like this into the response headers:   X-App-Server-IP: 10.0.0.1   X-App-Server-Rout

Re: Application name in log record

2022-01-10 Thread Mark Thomas
On 10/01/2022 13:20, Makarov Alexey wrote: Thank you, but this properties is not work or something wrong. I get "${classloader.webappName}", "${classloader.hostName}", or "${classloader.serviceName}" in catalina.out when I try to use this properties. But if I try to use "${catalina.base}" all f

Re: Application name in log record

2022-01-10 Thread Mark Thomas
y... Maybe there any other way, to get servlet context from InitialContext or application name from LogManager property: java.util.logging.LogManager.getLogManager().getProperty(...) Do you know desired property or how to list LogManager properties? 10.01.2022 12:53, Mark Thomas wrote: U

Re: Plugging a memory leak - where?

2022-01-10 Thread Mark Thomas
On 10/01/2022 09:22, Scott,Tim wrote: Hi all, We've started to use software from dependency tracker dot com to analyse dependencies in our web applications and it highlighted the following: "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40

Re: Application name in log record

2022-01-09 Thread Mark Thomas
Use ServletContext.getContextPath()? If you have a more complex deployment you might want to preface it with ServletContext.getVirtualServerName() Mark On 10/01/2022 05:00, Makarov Alexey wrote: Hello! I want to print application name in my log files. As I know, I must implement custom log fo

Re: HTTP2 : WINDOW_UPDATE not sent on stream level

2022-01-09 Thread Mark Thomas
, 9.0.48 and 9.0.50. If you want to be really sure, build Tomcat from source for the commits just before and just after each fix and test with those builds. Mark Thanks and Regards Arshiya Shariff -Original Message- From: Mark Thomas Sent: Wednesday, January 5, 2022 2:36 PM To

Re: HTTP2 : WINDOW_UPDATE not sent on stream level

2022-01-05 Thread Mark Thomas
On 05/01/2022 06:14, Arshiya Shariff wrote: Hi Team, On sending 3 requests of around 3KB size , we see that only the first request has processed fine. The other 2 requests are waiting for more Data as tomcat has not responded with WINDOW_UPDATE on stream level . Please help us understand t

Re: tomcat 7 slow to deploy web applications on m1 mac

2022-01-04 Thread Mark Thomas
On 04/01/2022 19:23, Robert J. Carr wrote: I've been using tomcat for many years but unfortunately I'm stuck on version 7 (long story). I recently picked up a new workstation, an Apple M1 MacBook (M1 Max - macOS 12.1), and I installed the ARM version of Azul Zulu (1.8.0_312), and by all accou

Re: Do I Need Network NameSpaces to Solve This Tomcat+Connector/J Problem?

2021-12-30 Thread Mark Thomas
On 29/12/2021 21:04, Eric Robinson wrote: My question is, is there a better way? I can only think of variations on a theme. The ~64k limit assumes client IP, server IP and server port remain constant. i.e. just client port is varying. That suggests there is a single IP for the database s

Re: issue with Form based authentication

2021-12-30 Thread Mark Thomas
This is an application design issue, not a Tomcat issue. FORM auth is not intended / designed to work in the following scenario: - user is not authenticated - multiple, concurrent requests are made for resources requiring authentication You need to design the application in such a way that onc

Re: javax.servlet vs jakarta.servlet?

2021-12-29 Thread Mark Thomas
On 29/12/2021 15:55, Michael B Allen wrote: On Tue, Dec 28, 2021 at 10:52 AM Mark Thomas wrote: Actually it seems the migration tool behind this feature: https://github.com/apache/tomcat-jakartaee-migration is a better and more general solution. If it's just re-writing package

Re: javax.servlet vs jakarta.servlet?

2021-12-28 Thread Mark Thomas
On 28/12/2021 14:58, Michael B Allen wrote: On Tue, Dec 28, 2021 at 3:29 AM Johan Compagner wrote: Will that really work? No. Clearly I'm not paying attention because after reading surprisingly little information about this fundamental incompatibility and downloading and trying Tomcat 10, t

Re: Critical Random "Can't read cryptographic policy directory: unlimited"

2021-12-20 Thread Mark Thomas
On 20/12/2021 06:59, Jerry Malcolm wrote: I'm adding a slight variation to the error I get at times (see bottom of stack trace below) This is the code that throws the root exception: if (!Files.isDirectory(cryptoPolicyPath) || !Files.isReadable(cryptoPolicyPath)) { throw new Securi

Re: Async WriteListener#onWritePossible not getting called

2021-12-18 Thread Mark Thomas
On 15/12/2021 22:23, Samuel Cox wrote: Hello, We are using tomcat-embedded 9.0.55. OS is mac 10.15.7. We have quite a bit of config, but I'm guessing the most relevant is that we use the NIO2 protocol. We have been working on a reproducer, but we have many, many layers involved. However, I b

Re: Tomcat Times out with CAN'T REACH THIS PAGE msg after new SSL Certs imported

2021-12-18 Thread Mark Thomas
On 17/12/2021 15:27, Nobles, Craig (Charles) wrote: Greetings - we're looking for any help available on this error we're getting after importing new SSL certificates. Everything appears to go well with all of the SSL certificate steps but our Tomcat 9.0.26 Web Front-End server (used to operate

[SECURITY] Apache Tomcat and CVE-2021-44228 (Log4j vulnerability)

2021-12-14 Thread Mark Thomas
The following represents the current understanding of the Apache Tomcat security team at the time this announcement was issued. There is a lot of security research being focussed on log4j2 at the moment and it is probable that additional information will emerge. Currently supported Tomcat vers

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread Mark Thomas
On 13/12/2021 18:31, James H. H. Lampert wrote: The thing I'm still utterly unclear about is how simply logging traffic could, by itself, create a vulnerability. In our case, the log entries are not even viewable unless you are signed on to a command line session on the server (ssh for headles

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread Mark Thomas
rds, Saurav On Sun, Dec 12, 2021 at 7:32 PM Christopher Schultz < ch...@christopherschultz.net> wrote: Mark, On 12/11/21 18:39, Mark Thomas wrote: On 11/12/2021 22:04, Sebastian Hennebrüder wrote: Hi all, I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. A

Re: CVE-2021-44228 Log4j 2 Vulnerability - Runtime vs compile time Java version

2021-12-13 Thread Mark Thomas
On 13/12/2021 09:21, David Weisgerber wrote: Hi, as far as I read through the details, it is a runtime option of the JRE. So, it does not need any recompilation. However, some websites pointed out that if you are using Tomcat you could bypass the JRE protection. Correct, it is the runtime ver

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-11 Thread Mark Thomas
On 11/12/2021 22:04, Sebastian Hennebrüder wrote: Hi all, I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11. Actually the Java path version is not relevant. Utter nonsense. Tomcat is not vulnerable to this attack. It is possible with a deployed Tomcat 9 and Spring

Re: Disable a library in Tomcat configuration

2021-12-11 Thread Mark Thomas
On 11/12/2021 02:02, jonmcalexan...@wellsfargo.com.INVALID wrote: Is there a way to forcibly prevent a library from loading in Tomcat during startup that will also prevent an app from loading the library? Trying to find a way to block vulnerabilities. Dependencies are rarely optional. Blocki

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-11 Thread Mark Thomas
On 10/12/2021 22:17, James H. H. Lampert wrote: A customer brought this to my attention: https://www.randori.com/blog/cve-2021-44228/ I have no idea how (or if) Tomcat is affected. I have only the vaguest idea what this vulnerability even *is.* Can anybody here shed any light? Currently su

Re: Odd messages in catalina.out

2021-12-10 Thread Mark Thomas
On 10/12/2021 16:25, James H. H. Lampert wrote: Could anybody here shed some light on this message? A whole bunch of them appeared in catalina.out. WARNING [https-jsse-nio-443-exec-29] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked u

[ANN] Apache Tomcat 10.0.14 available

2021-12-08 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.14. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $

[ANN] Apache Tomcat 10.1.0-M8 (alpha) available

2021-12-08 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M8 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations s

Re: Tomcat testing

2021-12-08 Thread Mark Thomas
On 08/12/2021 08:44, Hiran CHAUDHURI wrote: Hello there. My organization requires that Tomcat releases - especially patches - get tested before we propagate them into production environments. For sure similar tests are run by the ASF before releasing the software at all. Is there a way to run

Re: AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Mark Thomas
thanks for reporting back. It is always good to have the solution in the archives. Mark Best regards Matthias Keil -Original Message- From: Mark Thomas Sent: Monday, 22 November 2021 18:28 To: users@tomcat.apache.org Subject: Re: JASPIC Provider for FORM based

Re: servletcontext.log filename

2021-12-01 Thread Mark Thomas
On 01/12/2021 19:24, Rob Sargent wrote: I'm using an embedded tomcat (ver9.0.54) and I don't see how to name/redirect the output of ServletContext.log(String). I see in the manual    This logging is performed according to the Tomcat logging    configuration. You cannot overwrite it in a web

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-24 Thread Mark Thomas
On 24/11/2021 08:06, Mark Thomas wrote: On 23/11/2021 20:42, Michael B Allen wrote: On Tue, Nov 23, 2021 at 2:59 PM Thomas Hoffmann (Speed4Trade GmbH) wrote: Short Addendum: The "destroyed" flag gets set, when the dispose-method of the GSSCredentialImpl was invoked. Currently,

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-24 Thread Mark Thomas
On 23/11/2021 20:42, Michael B Allen wrote: On Tue, Nov 23, 2021 at 2:59 PM Thomas Hoffmann (Speed4Trade GmbH) wrote: Short Addendum: The "destroyed" flag gets set, when the dispose-method of the GSSCredentialImpl was invoked. Currently, I have no clue when and how it happens, but I have see

Re: help with Valve

2021-11-23 Thread Mark Thomas
On 23/11/2021 17:42, Rob Sargent wrote: Thank you.  Does this look like a believable deployment (presuming the property is in fact set)?    cat ./localhost/sgs/META-INF/context-valve.xml             No. A context.xml file placed in META-INF must be called context.xml The contents needs

Re: help with Valve

2021-11-23 Thread Mark Thomas
On 23/11/2021 16:48, Rob Sargent wrote: Is the Access Log Valve available for use in an embedded environment? Yes. Mark

Re: Handling database connection pooling outside Java, without DBCP et al?

2021-11-23 Thread Mark Thomas
On 23/11/2021 13:34, Olaf Kock wrote: I don't have experience with this particular setup, but one sentence (in fact, one word) caught my attention: On 23.11.21 14:23, jkla...@iki.fi wrote: We're in the process of adopting ProxySQL in front of MySQL, to act as the connection pooler and for sepa

Re: [OT] Handling database connection pooling outside Java, without DBCP et al?

2021-11-23 Thread Mark Thomas
On 23/11/2021 13:51, Richardson, Diane wrote: I get the emails but how can I send an email for assistance? Please don't hijack threads. See http://tomcat.apache.org/lists.html#taglibs-user Specifically, "Posting questions to the list" Mark

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-22 Thread Mark Thomas
On 22/11/2021 07:38, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, we are using apache-tomcat-9.0.54 with LDAP authentication under Windows 2012R2. One of the user complained that access with Firefox stopped working. Would it be better to also catch IllegalStateException and instead of ch

Re: JASPIC Provider for FORM based Authentication

2021-11-22 Thread Mark Thomas
On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: Hello everyone, I take up a topic of my own again. The point there was that I would like to accommodate both the configuration and the actual Server Auth module within the application. That worked well with your advice. Unfortun

[ANN] Apache Tomcat 10.0.13 available

2021-11-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.13. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $

[ANN] Apache Tomcat 10.1.0-M7 (alpha) available

2021-11-15 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M7 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations s

Re: Mimicking two distinct virtual hosts just like in HTTPd

2021-11-08 Thread Mark Thomas
On 08/11/2021 15:36, Michael Osipov wrote: Folks, consider the following in httpd.conf: Listen {IP}:8443 Listen {IP}:8444 later:   DocumentRoot /www/webapps1   ServerName {hostname}   mod_ssl config...   DocumentRoot /www/webapps2   ServerName {hostname}   mod_ssl config2... The sec

Re: ROOT.xml and META-INF/context.xml

2021-11-07 Thread Mark Thomas
On 07/11/2021 10:44, Greg Huber wrote: Hello, I am testing CookieProcessor for SameSite stuff. In my dev environment,  I use ROOT.xml with workDir="/home/me/project/work" /> I have a context.xml file in META-INF but it seems to ignore it. When I deploy via a war it is picked up OK. A web

Re: End of life dates

2021-11-04 Thread Mark Thomas
On 04/11/2021 13:50, David J Pearson wrote: Hi - What are the end of life / end of support dates for v8.5 and v9 please ? They haven't been set yet. The Tomcat project will provide at least 12 months notice of EOL for any major Tomcat version. That said, major versions have been reaching EO

Re: Strange Oracle JDBC Driver error on Application Deployment

2021-11-03 Thread Mark Thomas
On 02/11/2021 22:26, jonmcalexan...@wellsfargo.com.INVALID wrote: I have an application team that is getting the following stack trace while starting Tomcat 8.5.70. I've done some searching but can't find anything. In looking at their context.xml it appears that they have jmxEnabled="false" in

Re: Host-wide Singleton Instance

2021-11-03 Thread Mark Thomas
On 02/11/2021 20:47, Jerry Malcolm wrote: I am adding a redis implementation  (jedis) to my application.  I have a jedis implementation class that holds the connection pool and interfaces with jedis.  That class needs to be instantiated once per host and then referenced from that point on by al

Re: About the comment of org.apache.tomcat.util.threads.TaskQueue

2021-10-27 Thread Mark Thomas
On 27/10/2021 02:58, Poison wrote: Ok, I'm just curious, because org.apache.catalina.tribes.util.ExecutorFactory.TribesThreadPoolExecutor inherits java.util.concurrent.ThreadPoolExecutor but org.apache.tomcat.util.threads.ThreadPoolExecutor does not. They are implementing different behaviour

Re: About the comment of org.apache.tomcat.util.threads.TaskQueue

2021-10-26 Thread Mark Thomas
On 26/10/2021 09:47, Poison wrote: Thank you for your detailed explanation. Now I understand the background of this part of the comment. When corePoolSize is equal to maxThreads, the native implementation will create threads first. There is another question. Why does org.apache.tomcat.util.t

Re: About the comment of org.apache.tomcat.util.threads.TaskQueue

2021-10-26 Thread Mark Thomas
On 26/10/2021 02:45, Poison wrote: Thank you, I know the role of TaskQueue, but the comment about "normal queue" on the TaskQueue class is still incomprehensible. In the java.util.concurrent.ThreadPoolExecutor#execute method, the comment mentions: "3. If we cannot queue task, then we try to a

Re: xsd version used for web.xml etc

2021-10-21 Thread Mark Thomas
- From: Mark Thomas Sent: Thursday, October 21, 2021 2:40 PM To: users@tomcat.apache.org Subject: Re: xsd version used for web.xml etc On 21/10/2021 09:45, S Abirami wrote: Hi All, In web.xml, if we didn't define any xsd schema or dtd schema which version of xsd will be loaded for T

Re: xsd version used for web.xml etc

2021-10-21 Thread Mark Thomas
On 21/10/2021 09:45, S Abirami wrote: Hi All, In web.xml, if we didn't define any xsd schema or dtd schema which version of xsd will be loaded for Tomcat 9.0.45. By default none - whether a schema is defined or not. Schemas are only loaded if validation is enabled. With validation disabled

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Mark Thomas
On 19/10/2021 06:20, Natraj Thekkan wrote: Hi Mark or Chris, Based on Chris statement, it has to be addressed in tomcat. No, you have misunderstood Chris's statement. All the evidence so far points to user error. Again, you need to provide the simplest, *complete* test case (i.e. the source

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Mark Thomas
Mark Regards, Natraj -Original Message- From: Mark Thomas Sent: Thursday, October 14, 2021 4:11 PM To: users@tomcat.apache.org Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL On 14/10/2021 10:28, Natraj Thekkan wrote: Hi, We are using tomcat version 9.0.46. Cou

Re: How do I install and use Apache Tomcat?

2021-10-16 Thread Mark Thomas
On 16/10/2021 10:41, Turritopsis Dohrnii Teo En Ming wrote: Subject: How do I install and use Apache Tomcat? Good day from Singapore, How do I install and use Apache Tomcat? I understand it is a Java web server. Which operating system do you want to use? Do you have a specific version of Jav

Re: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-16 Thread Mark Thomas
On 15/10/2021 21:15, Shekhar Naidu wrote: The tomcat is not running in any containers. We don’t have anything Linux cron. The containerbackgroundprocessor which I mentioned is within the tomcat. The tomcat’s Catalina.out file printing that name when doing the app undeploy and deploy on Saturday.

Re: Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Mark Thomas
On 15/10/2021 07:05, Werner Dähn wrote: So why has this not been done? What am I missing? Accepted security good practice is not to provide any information to a user as to the reason for a failed authentication. The idea is that it could help an attacker by, for example, letting them know

[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas
CVE-2021-42340 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M5 Apache Tomcat 10.0.0-M10 to 10.0.11 Apache Tomcat 9.0.40 to 9.0.53 Apache Tomcat 8.5.60 to 8.5.71 Description: The fix for bug 63362 introduced a

[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas
CVE-2021-41079 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M5 Apache Tomcat 10.0.0-M10 to 10.0.11 Apache Tomcat 9.0.40 to 9.0.53 Apache Tomcat 8.5.60 to 8.5.71 Description: The fix for bug 63362 introduced a

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Mark Thomas
On 14/10/2021 10:28, Natraj Thekkan wrote: Hi, We are using tomcat version 9.0.46. Could you please provide suggestion to restrict the TLS version in HTTP2 over HTTPS with OpenSSL implementation?. The code below is sufficient, assuming that is then the connector that is being used by the cli

Re: Security Vulnerability Question

2021-10-13 Thread Mark Thomas
On 13/10/2021 19:16, Kenaw, Seretseab wrote: Hello, Our IT team just notified us with a severe security vulnerability on our web application with the Tomcat version that we are using (9.0.12). What remediations can we use to quickly fix the issue? Upgrade Tomcat. Mark

Re: Help needed reg Context

2021-10-13 Thread Mark Thomas
On 13/10/2021 14:19, Mohan T wrote: Dear All, We are using Tomcat 8.5 on Suse Linux. We are deploying one of our artifacts as below hub#app#classic#admin.war The components are also deployed and the context is also created Successfully. Is there any other alternative way to set the context

Re: Missing TLS cipher suite definition

2021-10-10 Thread Mark Thomas
On 10/10/2021 13:00, Christopher Schultz wrote: On 10/9/21 04:52, Mark Thomas wrote: If the user is using e.g. BouncyCastle, IBM's JRE, Corretto, etc. those ciphers might be available in those environments. (It looks like BC supports this cipher suite, but I couldn't find any i

Re: Missing TLS cipher suite definition

2021-10-09 Thread Mark Thomas
On 08/10/2021 19:34, Farber, Ilja wrote: Hi all, I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the cipher suites defined by rfc 6367 and 6209. The ciphers are listed https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html and should be valid for T

Re: Test valve with tomcat-embed 9?

2021-10-08 Thread Mark Thomas
On 08/10/2021 11:43, Me Self wrote: I would like to test a custom tomcat valve with tomcat-embed and junit. Is that possible? Found a few tomcat-embed samples on the web but most seem to only deal with setting up a webapp - something along the lines: @BeforeAll public static void setup() throws

Re: JASPIC Plugin for OIDC/JWT/OAuth

2021-10-08 Thread Mark Thomas
On 07/10/2021 18:37, Michael Kolenda wrote: Hey Tomcat Users, I've run into an interesting behavior with a custom JASPIC provider. When there is an existing session i.e. JSESSIONID cookie, It appears the groups/roles are not checked again... even when the new groups are provided in the client Su

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-08 Thread Mark Thomas
On 07/10/2021 22:23, Javateck wrote: Hi Mark, Just wondering whether we have a radar to track this, will it be in release notes for next release? The fix is in 9.0.54 and is listed in the changelog. Mark Thanks, Andrew On Sep 27, 2021, at 8:54 AM, Mark Thomas wrote: On 27/09/2021 15

Re: Understanding websocket support in Tomcat

2021-10-06 Thread Mark Thomas
On 06/10/2021 11:02, Deshmukh, Kedar wrote: Hi, I would like to understand, How many concurrent websocket connections are allowed in tomcat ? As many as your hardware / OS will support. Is there any limit ? maxConnections on the Connector. Defaults to 8192. Use -1 for unlimited. Are con

Re: The import javax.servlet cannot be resolved

2021-10-05 Thread Mark Thomas
On 05/10/2021 04:08, Dick Hildreth wrote: Tomcat 9.0.53 Windows Server 2019 Standard version 1809 OpenJDK jdk-11.0.8.10-hotspot I have a JSP/JavaBean webapp. I deployed all of the class files into the webapp's classes subdirectory (no WAR file) and the external JAR files are in the webapp's li

Re: Specifying a Custom Authenticator Class

2021-10-05 Thread Mark Thomas
On 05/10/2021 03:40, Jerry Malcolm wrote: An earlier post suggested I just implement a CredentialHandler, which would be great.  But it looked like the credential handler is given "id/pw" extracted from the base64.  Or will it actually return whatever it finds in the base64 token?  "A:B:C:D:E:F

[ANN] Apache Tomcat 10.0.12 available

2021-10-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.12. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $

[ANN] Apache Tomcat 10.1.0-M6 (alpha) available

2021-10-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M6 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations s

Re: Specifying a Custom Authenticator Class

2021-10-02 Thread Mark Thomas
On 02/10/2021 01:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great idea, an

Re: Tomcat 9.0.52 http2 flow control issues

2021-10-01 Thread Mark Thomas
On 20/09/2021 07:28, Mark Thomas wrote: On 10/09/2021 11:42, Mark Thomas wrote: Hi Erik, Thanks for the report. I'm looking at this now. I'm testing with a simple index page that references 3 largish images (~6MB each). I've found an issue with HTTP/2, sendfile and StackOv

Re: tomcat presentations on ApacheCon 2021

2021-09-27 Thread Mark Thomas
On 27/09/2021 20:27, Усманов Азат Анварович wrote: Hi everyone! Does anybody know where/when to find the video/audio/slides (if any) from the last week's tomcat track on ApacheCon 2021? Because I completely missed it last week. I'm assuming all of these would be added to tomcat presentation

Re: AW: JASPIC AuthConfigProvider packaged with the web application not found

2021-09-27 Thread Mark Thomas
On 23/09/2021 07:03, Keil, Matthias (ORISA Software GmbH) wrote: Hi Bernd, Yes, I would like to define my Server Auth module in the jaspic-providers.xml and then provide the class with the web application. Sorry, that isn't going to be supported. You either need to provide everything at the

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-09-27 Thread Mark Thomas
On 27/09/2021 15:55, Mark Thomas wrote: On 27/09/2021 09:08, Goldengate liu wrote: Hi Mark,    I’m uploading some test files Thanks for the test case. I'm looking at this now. Bug found and fixed. One thing to note is that with chunked encoding it is possible for you to see is

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-09-27 Thread Mark Thomas
? this is a basic use case. Thanks, Andrew On Sep 22, 2021, at 1:14 AM, Mark Thomas <ma...@apache.org> wrote: On 22/09/2021 08:22, Goldengate liu wrote: Hi Chris, Servlet 3.1 spec defines that ServletInputStream can be used to read as non-blocking way as long as there is d

Re: Possible UpgradeInfo memory leak

2021-09-24 Thread Mark Thomas
On 23/09/2021 09:36, Harri Pesonen wrote: Hello, while looking at Tomcat 8.5.61 heap dump in VisualVM, in Dominators by Retained Size, two biggest ones are: org.apache.tomcat.util.net.NioEndpoint#1 12 382 781 B (13,7%) org.apache.coyote.http11.upgrade.UpgradeGroupInfo#1 7 066 212 B (7,8%) I

Re: Custom error page

2021-09-24 Thread Mark Thomas
On 24/09/2021 11:56, Jan Pernica wrote: Hi how can I easily create error page for the whole server? Currently if I add to conf/web.xml 500 /error/error.html 404 /error/error.html And put into webapps/ROOT/error/error.html page it works
