About the comment of org.apache.tomcat.util.threads.TaskQueue

2021-10-23 Thread Poison
Tomcat version: 8.5.72 org.apache.tomcat.util.threads.TaskQueue source code: https://github.com/apache/tomcat/blob/8.5.72/java/org/apache/tomcat/util/threads/TaskQueue.java#L33 In the comments of the TaskQueue class, it mentions "If you use a normal queue, the executor will spawn threads when

Re: Upgrade Apache- Tomcat and HTTPD

2021-10-21 Thread Ivano Luberti
Hi, Tomcat 8.5 still runs on JDK 1.7 Documentation about migration from one version to another can be found here: https://tomcat.apache.org/migration.html On 21/10/2021 18:45, Kumawat, Priyanka wrote: Hi Team, We have received some vulnerabilities for our Tomcat and Apache-httpd, as

Upgrade Apache- Tomcat and HTTPD

2021-10-21 Thread Kumawat, Priyanka
Hi Team, We have received some vulnerabilities for our Tomcat and Apache-httpd, as there are multiple vulnerabilities reported we need to upgrade the software. Is there any documentation/process available for the tomcat and Apache upgrade or any tool which we can use to perform the upgrade

RE: Potential Memory Leak with StandardManager [EXTERNAL]

2021-10-21 Thread Beard, Shawn
There isn’t a memory leak I'm aware of. At least nothing is reported from what I can find. Have you tried setting maxActiveSessions? Its default is -1 which means infinite. Also there could be a bug in the code that is just creating new sessions for things instead of using the current session.

RE: xsd version used for web.xml etc

2021-10-21 Thread S Abirami
Thanks a lot Mark. -Original Message- From: Mark Thomas Sent: Thursday, October 21, 2021 4:23 PM To: users@tomcat.apache.org Subject: Re: xsd version used for web.xml etc On 21/10/2021 10:37, S Abirami wrote: > Hi Thomas, > > How I can identify whether the schema validation enabled or

Re: xsd version used for web.xml etc

2021-10-21 Thread Mark Thomas
On 21/10/2021 10:37, S Abirami wrote: Hi Thomas, How I can identify whether the schema validation enabled or not. I checked startup logs and other configuration. I am unable to find it. The quick test is to add an unknown element to web.xml and see what happens. If you get an error,

RE: xsd version used for web.xml etc

2021-10-21 Thread S Abirami
Hi Thomas, How I can identify whether the schema validation enabled or not. I checked startup logs and other configuration. I am unable to find it. Regards, Abirami.S -Original Message- From: Mark Thomas Sent: Thursday, October 21, 2021 2:40 PM To: users@tomcat.apache.org Subject:

RE: xsd version used for web.xml etc

2021-10-21 Thread S Abirami
Thanks Thomas. -Original Message- From: Mark Thomas Sent: Thursday, October 21, 2021 2:40 PM To: users@tomcat.apache.org Subject: Re: xsd version used for web.xml etc On 21/10/2021 09:45, S Abirami wrote: > Hi All, > > In web.xml, if we didn't define any xsd schema or dtd schema which

Re: xsd version used for web.xml etc

2021-10-21 Thread Mark Thomas
On 21/10/2021 09:45, S Abirami wrote: Hi All, In web.xml, if we didn't define any xsd schema or dtd schema which version of xsd will be loaded for Tomcat 9.0.45. By default none - whether a schema is defined or not. Schemas are only loaded if validation is enabled. With validation

RE: xsd version used for web.xml etc

2021-10-21 Thread S Abirami
Hi All, TOMCAT_BASE/conf/web.xml will be constructed by us during installation. So that web.xml also will not have xsd definition. Regards, Abirami.S -Original Message- From: Jean-Pierre Urkens Sent: Thursday, October 21, 2021 2:25 PM To: Tomcat Users List Subject: RE: xsd version

RE: xsd version used for web.xml etc

2021-10-21 Thread Jean-Pierre Urkens
My guess, the one that is specified in TOMCAT_BASE/conf/web.xml -Original Message- From: S Abirami Sent: Thursday, 21 October 2021 10:46 To: Tomcat Users List Subject: xsd version used for web.xml etc Hi All, In web.xml, if we didn't define any xsd schema or dtd schema which version

xsd version used for web.xml etc

2021-10-21 Thread S Abirami
Hi All, In web.xml, if we didn't define any xsd schema or dtd schema which version of xsd will be loaded for Tomcat 9.0.45. Regards, Abirami.S

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-20 Thread Christopher Schultz
Mark, On 10/19/21 04:17, Mark Thomas wrote: On 19/10/2021 06:20, Natraj Thekkan wrote: Hi Mark or Chris, Based on Chris statement, it has to be addressed in tomcat. No, you have misunderstood Chris's statement. +1 I was suggesting a related behavior in Tomcat that would not affect the

AW: How do I disable JNDI logging

2021-10-20 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, it looks more related to spring framework and loglevel. All logs are produced by spring classes. The loglevel is set to DEBUG. The loglevel is set by a configuration file (e.g. log4j.xml, logging.properties or something else). Maybe you can check which logging framework you are using and

How do I disable JNDI logging

2021-10-19 Thread Salomon Mateo
Hello, I hope that someone here can shine some light. Recently upgraded to tomcat 8.5.72, and now in catalina.out I see a whole bunch of these. My apps don't seem to be affected, but would like to address/fix this. Thank you! Sal 11:48:55.621 [localhost-startStop-1] DEBUG

RE: Issue running Tomcat-8.5.72 with JDK15 under windows as a service

2021-10-19 Thread Jean-Pierre Urkens
The issue is due to a bunch of JVM options that are no longer supported in Java 15. After cleaning those up the server started normally. -Original Message- From: Jean-Pierre Urkens Sent: Tuesday, 19 October 2021 14:46 To: 'users@tomcat.apache.org' Subject: Issue running Tomcat-8.5.72

RE: Issue running Tomcat-8.5.72 with JDK15 under windows as a service

2021-10-19 Thread Jean-Pierre Urkens
I did have Java 8/15 already on my local system before Java 16,17 came out and for my migrations the difference between 15, 16 or 17 doesn't really matter. So I started with what I got instead of installing the latest LTS version. Anyway the issue was due to a bunch of JVM options that are no

Re: Issue running Tomcat-8.5.72 with JDK15 under windows as a service

2021-10-19 Thread logo
Hi Jean Pierre, On 2021-10-19 14:57, Jean-Pierre Urkens wrote: I am verifying a migration from JDK8 to JDK15 and wanted to setup a Tomcat 8.5 server environment for this test (similar to the Tomcat8.5 with JDK8 we have running for the moment). certainly not related to your problem, but

Issue running Tomcat-8.5.72 with JDK15 under windows as a service

2021-10-19 Thread Jean-Pierre Urkens
I am verifying a migration from JDK8 to JDK15 and wanted to setup a Tomcat 8.5 server environment for this test (similar to the Tomcat8.5 with JDK8 we have running for the moment). I installed the instance as a service under my local (test) windows environment and configured the JVM through the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Natraj Thekkan
Hi, @ Thomas Hoffmann, Mark and Chris, Thanks for your suggestion. We have done changes as per the xml configuration provided by Thomas Hoffmann and then verified the scenario. Now, client connection with TLS1.1 and TLS1.0 are restricted as expected.

Issue running Tomcat-8.5.72 with JDK15 under windows as a service

2021-10-19 Thread Jean-Pierre Urkens
I am verifying a migration from JDK8 to JDK15 and wanted to setup a Tomcat 8.5 server environment for this test (similar to the Tomcat8.5 with JDK8 we have running for the moment). I installed the instance as a service under my local (test) windows environment and configured the JVM through the

Re: Potential Memory Leak with StandardManager [EXTERNAL]

2021-10-19 Thread Tim K
On Mon, Oct 18, 2021 at 2:51 PM Beard, Shawn wrote: > Update to Tomcat 9.0.54. This could be a known security bug that is fixed > in this version. > > https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54 > I tried updating to that version but it does not appear to be related;

AW: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, I can recommend SSLScan for verifying your configuration: https://github.com/rbsec/sslscan/releases/tag/2.0.10 Example configuration which I use: SSLScan reports this result: SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Mark Thomas
On 19/10/2021 06:20, Natraj Thekkan wrote: Hi Mark or Chris, Based on Chris statement, it has to be addressed in tomcat. No, you have misunderstood Chris's statement. All the evidence so far points to user error. Again, you need to provide the simplest, *complete* test case (i.e. the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Natraj Thekkan
Hi Mark or Chris, Based on Chris statement, it has to be addressed in tomcat. Can I raise a Bug in Bugzilla for this observation?. Regards, Natraj -Original Message- From: Christopher Schultz Sent: Monday, October 18, 2021 10:14 PM To: users@tomcat.apache.org Subject: Re: Restriction

RE: Potential Memory Leak with StandardManager [EXTERNAL]

2021-10-18 Thread Beard, Shawn
Update to Tomcat 9.0.54. This could be a known security bug that is fixed in this version. https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54 Shawn Beard • Sr. Systems Engineer Middleware Engineering 3840 109th Street

Potential Memory Leak with StandardManager

2021-10-18 Thread Tim K
Running 4 balanced nodes of tomcat 9.0.52 in Linux. While running with production load, memory usage is slowly growing, it does not appear to really drop unless the OS/tomcat is restarted. I did a load test locally with just login actions, did a heap dump, and MAT says: One instance of

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Christopher Schultz
Natraj, On 10/18/21 01:19, Natraj Thekkan wrote: @Mark Thanks for your response. We have tested by removing that line of code, still client able to establish the connection with server using TLSv1 and TLSv1.1. Below one is configured in java.security file.

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Mark Thomas
On 18/10/2021 06:19, Natraj Thekkan wrote: Hi, @Mark Thanks for your response. We have tested by removing that line of code, still client able to establish the connection with server using TLSv1 and TLSv1.1. Below one is configured in java.security file.

AW: How do I install and use Apache Tomcat?

2021-10-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, centos should contain the tomcat application in its repo. A "sudo yum install tomcat" should install tomcat. Additional / optional packages are: tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc For deploying own programs in Tomcat, you should be able to program java,

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-17 Thread Natraj Thekkan
Hi, @Mark Thanks for your response. We have tested by removing that line of code, still client able to establish the connection with server using TLSv1 and TLSv1.1. Below one is configured in java.security file.

Re: How do I install and use Apache Tomcat?

2021-10-17 Thread Turritopsis Dohrnii Teo En Ming
Dear Mark Thomas, I will be using CentOS 7.9 or Ubuntu Server 20.04 LTS. I don't have a specific version of Java in mind. Regards, Mr. Turritopsis Dohrnii Teo En Ming Targeted Individual in Singapore On Sun, 17 Oct 2021 at 02:44, Mark Thomas wrote: > > On 16/10/2021 10:41, Turritopsis

Re: How do I install and use Apache Tomcat?

2021-10-16 Thread Mark Thomas
On 16/10/2021 10:41, Turritopsis Dohrnii Teo En Ming wrote: Subject: How do I install and use Apache Tomcat? Good day from Singapore, How do I install and use Apache Tomcat? I understand it is a Java web server. Which operating system do you want to use? Do you have a specific version of

How do I install and use Apache Tomcat?

2021-10-16 Thread Turritopsis Dohrnii Teo En Ming
Subject: How do I install and use Apache Tomcat? Good day from Singapore, How do I install and use Apache Tomcat? I understand it is a Java web server. Article: What is Apache Tomcat? Introducing the Widely Used Java Servlet and JSP Container Link:

Re: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-16 Thread Mark Thomas
On 15/10/2021 21:15, Shekhar Naidu wrote: The tomcat is not running in any containers. We don’t have anything Linux cron. The containerbackgroundprocessor which I mentioned is within the tomcat. The tomcat’s Catalina.out file printing that name when doing the app undeploy and deploy on

Re: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-15 Thread Shekhar Naidu
The tomcat is not running in any containers. We don’t have anything Linux cron. The containerbackgroundprocessor which I mentioned is within the tomcat. The tomcat’s Catalina.out file printing that name when doing the app undeploy and deploy on Saturday. On Fri, Oct 15, 2021 at 11:17 AM Darryl

RE: Tomcat 9.0.x JDBC connection pool does not always remove abandoned connections

2021-10-15 Thread Martin, Gerhardt A
Chris, really appreciate you taking some time to respond. See my replies inline below. > -Original Message- > From: Christopher Schultz > Sent: Thursday, October 14, 2021 12:19 PM > To: users@tomcat.apache.org > Subject: Re: Tomcat 9.0.x JDBC connection pool does not always remove >

Re: Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Christopher Schultz
Werner, On 10/15/21 09:10, Werner Dähn wrote: Thanks Mark. Why do you believe the refactoring is difficult? All we actually need is access to the response object. ... which requires a lot of refactoring. Have a look at all the code that handles authentication in Tomcat. This would allow to

Re: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-15 Thread Darryl Philip Baker
On 10/15/21, 10:05 AM, "jonmcalexan...@wellsfargo.com.INVALID" wrote: > -Original Message- > From: Shekhar Naidu > Sent: Friday, October 15, 2021 7:45 AM > To: users@tomcat.apache.org > Subject: Tomcat 8.5.37 is automatically redeploying apps on every Saturday >

RE: Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-15 Thread jonmcalexander
> -Original Message- > From: Shekhar Naidu > Sent: Friday, October 15, 2021 7:45 AM > To: users@tomcat.apache.org > Subject: Tomcat 8.5.37 is automatically redeploying apps on every Saturday > > Hi all, > > > We are seeing a weird behavior in our new Linux environments. Since we > >>

Re: Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Werner Dähn
Thanks Mark. Why do you believe the refactoring is difficult? All we actually need is access to the response object. This would allow to add session data, URL parameters, whatever. And this response object is available everywhere except in the actual RealmBase. By my analysis the change would be

Tomcat 8.5.37 is automatically redeploying apps on every Saturday

2021-10-15 Thread Shekhar Naidu
Hi all, > We are seeing a weird behavior in our new Linux environments. Since we >> migrated from RHEL6 to 8, we started seeing issue with tomcat. Tomcat is >> auto redeploying our apps on every Saturday around 12:20AM. >> We don’t have any schedulers running on our machines. We verified >>

Re: Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Mark Thomas
On 15/10/2021 07:05, Werner Dähn wrote: So why has this not been done? What am I missing? Accepted security good practice is not to provide any information to a user as to the reason for a failed authentication. The idea is that it could help an attacker by, for example, letting them know

Form based auth does not provide the option to show error reason in the error page

2021-10-15 Thread Werner Dähn
I know it has been asked dozens of times but the response is always "Cannot be done in a standard way". But why can't we change Tomcat to provide further details to the error page of why the login failed? I would have thought tomcat can support that easily without any backward compatibility

Re: Tomcat 9.0.x JDBC connection pool does not always remove abandoned connections

2021-10-14 Thread Christopher Schultz
Gerhardt, On 10/12/21 13:27, Martin, Gerhardt A wrote: Running Tomcat 9.0.50 on Centos 7.9.x Linux and using Tomcat JDBC connection pool to connect to my application's databases. My app connects to about a dozen read only databases and one read/write database. Here is a typical resource

[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas
CVE-2021-42340 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M5 Apache Tomcat 10.0.0-M10 to 10.0.11 Apache Tomcat 9.0.40 to 9.0.53 Apache Tomcat 8.5.60 to 8.5.71 Description: The fix for bug 63362 introduced a

[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas
CVE-2021-41079 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M5 Apache Tomcat 10.0.0-M10 to 10.0.11 Apache Tomcat 9.0.40 to 9.0.53 Apache Tomcat 8.5.60 to 8.5.71 Description: The fix for bug 63362 introduced a

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Mark Thomas
On 14/10/2021 10:28, Natraj Thekkan wrote: Hi, We are using tomcat version 9.0.46. Could you please provide suggestion to restrict the TLS version in HTTP2 over HTTPS with OpenSSL implementation?. The code below is sufficient, assuming that is then the connector that is being used by the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Natraj Thekkan
Hi, We are using tomcat version 9.0.46. Could you please provide suggestion to restrict the TLS version in HTTP2 over HTTPS with OpenSSL implementation?. Regards, Natraj From: Natraj Thekkan Sent: Wednesday, October 13, 2021 10:15 AM To: 'users@tomcat.apache.org' Subject: Restriction of TLS

RE: Security Vulnerability Question

2021-10-13 Thread George Stanchev
Upgrade to latest? -Original Message- From: Kenaw, Seretseab Sent: Wednesday, October 13, 2021 12:16 PM To: users@tomcat.apache.org Subject: Security Vulnerability Question Hello, Our IT team just notified us with a severe security vulnerability on our web application with the

Re: Security Vulnerability Question

2021-10-13 Thread Mark Eggers
On 10/13/2021 11:16 AM, Kenaw, Seretseab wrote: Hello, Our IT team just notified us with a severe security vulnerability on our web application with the Tomcat version that we are using (9.0.12). What remediations can we use to quickly fix the issue? Thank you Seretseab Kenaw

Re: Security Vulnerability Question

2021-10-13 Thread Mark Thomas
On 13/10/2021 19:16, Kenaw, Seretseab wrote: Hello, Our IT team just notified us with a severe security vulnerability on our web application with the Tomcat version that we are using (9.0.12). What remediations can we use to quickly fix the issue? Upgrade Tomcat. Mark

Security Vulnerability Question

2021-10-13 Thread Kenaw, Seretseab
Hello, Our IT team just notified us with a severe security vulnerability on our web application with the Tomcat version that we are using (9.0.12). What remediations can we use to quickly fix the issue? Thank you Seretseab Kenaw CONFIDENTIALITY NOTICE: This e-mail communication and any

Re: Help needed reg Context

2021-10-13 Thread Mark Thomas
On 13/10/2021 14:19, Mohan T wrote: Dear All, We are using Tomcat 8.5 on Suse Linux. We are deploying one of our artifacts as below hub#app#classic#admin.war The components are also deployed and the context is also created Successfully. Is there any other alternative way to set the

Help needed reg Context

2021-10-13 Thread Mohan T
Dear All, We are using Tomcat 8.5 on Suse Linux. We are deploying one of our artifacts as below hub#app#classic#admin.war The components are also deployed and the context is also created Successfully. Is there any other alternative way to set the context other than using # .

Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-12 Thread Natraj Thekkan
Hi, We have tried to restrict the TLS version in https connection establishment in embedded tomcat for OpenSSL based implementation. With this part of the code, TLSv1.0/TLSv1.1 client also able to connect with our https server. Please let us know how we can restrict the TLS version in HTTP2

Tomcat 9.0.x JDBC connection pool does not always remove abandoned connections

2021-10-12 Thread Martin, Gerhardt A
Running Tomcat 9.0.50 on Centos 7.9.x Linux and using Tomcat JDBC connection pool to connect to my application's databases. My app connects to about a dozen read only databases and one read/write database. Here is a typical resource definition with tuning configurations for the pool and the

Re: Missing TLS cipher suite definition

2021-10-11 Thread Christopher Schultz
Mark, On 10/10/21 13:47, Mark Thomas wrote: On 10/10/2021 13:00, Christopher Schultz wrote: On 10/9/21 04:52, Mark Thomas wrote: If the user is using e.g. BouncyCastle, IBM's JRE, Corretto, etc. those ciphers might be available in those environments. (It looks like BC supports this

Re: Missing TLS cipher suite definition

2021-10-10 Thread Mark Thomas
On 10/10/2021 13:00, Christopher Schultz wrote: On 10/9/21 04:52, Mark Thomas wrote: If the user is using e.g. BouncyCastle, IBM's JRE, Corretto, etc. those ciphers might be available in those environments. (It looks like BC supports this cipher suite, but I couldn't find any information

Re: Missing TLS cipher suite definition

2021-10-10 Thread Christopher Schultz
Mark, On 10/9/21 04:52, Mark Thomas wrote: On 08/10/2021 19:34, Farber, Ilja wrote: Hi all, I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the cipher suites defined by rfc 6367 and 6209. The ciphers are listed

[ANN] Apache Tomcat 8.5.72 available

2021-10-10 Thread Christopher Schultz
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.72. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers

Re: Missing TLS cipher suite definition

2021-10-09 Thread Mark Thomas
On 08/10/2021 19:34, Farber, Ilja wrote: Hi all, I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the cipher suites defined by rfc 6367 and 6209. The ciphers are listed https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html and should be valid for

Missing TLS cipher suite definition

2021-10-08 Thread Farber, Ilja
Hi all, I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the cipher suites defined by rfc 6367 and 6209. The ciphers are listed https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html and should be valid for TLS 1.2. For example

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-08 Thread Javateck
Thank you Mark Andrew > On Oct 8, 2021, at 1:44 AM, Mark Thomas wrote: > > On 07/10/2021 22:23, Javateck wrote: >> Hi Mark, >> Just wondering whether we have a radar to track this, will it be in release >> notes for next release? > > The fix is in 9.0.54 and is listed in the changelog. > >

Re: JASPIC Plugin for OIDC/JWT/OAuth

2021-10-08 Thread Michael Kolenda
Thanks Mark! Will take a look On Fri, Oct 8, 2021, 5:01 AM Mark Thomas wrote: > On 07/10/2021 18:37, Michael Kolenda wrote: > > Hey Tomcat Users, > > > > I've run into an interesting behavior with a custom JASPIC provider. When > > there is an existing session i.e. JSESSIONID cookie, It appears

Re: Test valve with tomcat-embed 9?

2021-10-08 Thread Mark Thomas
On 08/10/2021 11:43, Me Self wrote: I would like to test a custom tomcat valve with tomcat-embed and junit. Is that possible? Found a few tomcat-embed samples on the web but most seem to only deal with setting up a webapp - something along the lines: @BeforeAll public static void setup()

Test valve with tomcat-embed 9?

2021-10-08 Thread Me Self
I would like to test a custom tomcat valve with tomcat-embed and junit. Is that possible? Found a few tomcat-embed samples on the web but most seem to only deal with setting up a webapp - something along the lines: @BeforeAll public static void setup() throws LifecycleException { Tomcat tomcat

Re: JASPIC Plugin for OIDC/JWT/OAuth

2021-10-08 Thread Mark Thomas
On 07/10/2021 18:37, Michael Kolenda wrote: Hey Tomcat Users, I've run into an interesting behavior with a custom JASPIC provider. When there is an existing session i.e. JSESSIONID cookie, It appears the groups/roles are not checked again... even when the new groups are provided in the client

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-08 Thread Mark Thomas
On 07/10/2021 22:23, Javateck wrote: Hi Mark, Just wondering whether we have a radar to track this, will it be in release notes for next release? The fix is in 9.0.54 and is listed in the changelog. Mark Thanks, Andrew On Sep 27, 2021, at 8:54 AM, Mark Thomas wrote: On 27/09/2021

Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-07 Thread Javateck
Hi Mark, Just wondering whether we have a radar to track this, will it be in release notes for next release? Thanks, Andrew > On Sep 27, 2021, at 8:54 AM, Mark Thomas wrote: > > On 27/09/2021 15:55, Mark Thomas wrote: >>> On 27/09/2021 09:08, Goldengate liu wrote: >>> Hi Mark, >>> >>>

RE: Interesting log capability request

2021-10-07 Thread jonmcalexander
> -Original Message- > From: Robert Hicks > Sent: Thursday, October 7, 2021 2:23 PM > To: Tomcat Users List > Subject: Re: Interesting log capability request > > The catalina.out log should capture that information already, right? > > This is what I see when I shutdown my barebones

Re: Interesting log capability request

2021-10-07 Thread Robert Hicks
The catalina.out log should capture that information already, right? This is what I see when I shutdown my barebones Tomcat: 07-Oct-2021 15:19:03.276 INFO [main] org.apache.catalina.core.StandardServer.await A valid shutdown command was received via the shutdown port. Stopping the Server

Interesting log capability request

2021-10-07 Thread jonmcalexander
I have an app team that wants to know if it's possible to capture how long the Tomcat Shutdown takes? I don't think there is without modifying something in the Catalina.sh under the Stop section, but wondering if there is something already built in. Thanks, Dream * Excel * Explore * Inspire

JASPIC Plugin for OIDC/JWT/OAuth

2021-10-07 Thread Michael Kolenda
Hey Tomcat Users, I've run into an interesting behavior with a custom JASPIC provider. When there is an existing session i.e. JSESSIONID cookie, It appears the groups/roles are not checked again... even when the new groups are provided in the client Subject (JASPIC's validate() ). When attempting

Re: [OT] Specifying a Custom Authenticator Class

2021-10-07 Thread Christopher Schultz
Jerry, On 10/6/21 15:09, Jerry Malcolm wrote: Chris, thanks so much.  But please bear with me.  I'm in the slow group I think I have a pretty good handle on creating the authenticator.  But take me from the top, using manager as an example. In the web.xml file it has login auth-method set

Re: [OT] Specifying a Custom Authenticator Class

2021-10-06 Thread Jerry Malcolm
Chris, thanks so much.  But please bear with me.  I'm in the slow group I think I have a pretty good handle on creating the authenticator.  But take me from the top, using manager as an example.  In the web.xml file it has login auth-method set to BASIC.  I'm assuming that invokes

Re: Understanding websocket support in Tomcat

2021-10-06 Thread Mark Thomas
On 06/10/2021 11:02, Deshmukh, Kedar wrote: Hi, I would like to understand, How many concurrent websocket connections are allowed in tomcat ? As many as your hardware / OS will support. Is there any limit ? maxConnections on the Connector. Defaults to 8192. Use -1 for unlimited. Are

Understanding websocket support in Tomcat

2021-10-06 Thread Deshmukh, Kedar
Hi, I would like to understand, How many concurrent websocket connections are allowed in tomcat ? Is there any limit ? Are connector worker-threads consumed for any websocket connect ? If not, then, is there any special configuration available for websockets ? Thanks, Kedar

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
Jerry, On 10/5/21 12:23, Jerry Malcolm wrote: hi Chris, thanks for the feedback. I'm not using JWTs.  I'm just sending a base64 token made up of "a:b:c:d:e".   I don't mind cloning the BasicAuthenticator if that's what's required.  I'm still not understanding how TC will handle my modified

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Jerry Malcolm
hi Chris, thanks for the feedback. I'm not using JWTs.  I'm just sending a base64 token made up of "a:b:c:d:e".   I don't mind cloning the BasicAuthenticator if that's what's required.  I'm still not understanding how TC will handle my modified header.  I assume that if TC finds an

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
Jerry, On 10/4/21 22:40, Jerry Malcolm wrote: I really don't care whether it's called Basic, Malcolm, RollYourOwn, or whatever.  I was just emulating techniques I've had to implement as a client for credit card gateways and other services in the past that all use BASIC prefix with their own

Re: Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
Mark, On 10/5/21 04:46, Mark Thomas wrote: On 05/10/2021 03:40, Jerry Malcolm wrote: An earlier post suggested I just implement a CredentialHandler, which would be great.  But it looked like the credential handler is given "id/pw" extracted from the base64.  Or will it actually return

Re: The import javax.servlet cannot be resolved

2021-10-05 Thread Mark Thomas
On 05/10/2021 04:08, Dick Hildreth wrote: Tomcat 9.0.53 Windows Server 2019 Standard version 1809 OpenJDK jdk-11.0.8.10-hotspot I have a JSP/JavaBean webapp. I deployed all of the class files into the webapp's classes subdirectory (no WAR file) and the external JAR files are in the webapp's

Re: Specifying a Custom Authenticator Class

2021-10-05 Thread Mark Thomas
On 05/10/2021 03:40, Jerry Malcolm wrote: An earlier post suggested I just implement a CredentialHandler, which would be great.  But it looked like the credential handler is given "id/pw" extracted from the base64.  Or will it actually return whatever it finds in the base64 token? 

The import javax.servlet cannot be resolved

2021-10-04 Thread Dick Hildreth
Tomcat 9.0.53 Windows Server 2019 Standard version 1809 OpenJDK jdk-11.0.8.10-hotspot I have a JSP/JavaBean webapp. I deployed all of the class files into the webapp's classes subdirectory (no WAR file) and the external JAR files are in the webapp's lib directory. Of course, the JSPs are in

Re: Specifying a Custom Authenticator Class

2021-10-04 Thread Jerry Malcolm
I really don't care whether it's called Basic, Malcolm, RollYourOwn, or whatever.  I was just emulating techniques I've had to implement as a client for credit card gateways and other services in the past that all use BASIC prefix with their own token definition.  I can easily rename the

[ANN] Apache Tomcat 9.0.54 available

2021-10-04 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.54. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.54 is a bugfix and

[ANN] Apache Tomcat 10.0.12 available

2021-10-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.12. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M6 (alpha) available

2021-10-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M6 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Specifying a Custom Authenticator Class

2021-10-04 Thread Christopher Schultz
Michael, On 10/3/21 11:58, Michael Osipov wrote: On 2021-10-02 at 02:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement:

Re: Specifying a Custom Authenticator Class

2021-10-03 Thread Michael Osipov
On 2021-10-02 at 02:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: This would clearly violate Basic auth scheme and

Re: Specifying a Custom Authenticator Class

2021-10-03 Thread Christopher Schultz
Jerry, On 10/1/21 20:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great

Re: Specifying a Custom Authenticator Class

2021-10-02 Thread Mark Thomas
On 02/10/2021 01:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great idea,

Specifying a Custom Authenticator Class

2021-10-01 Thread Jerry Malcolm
I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: "Extending from AuthenticatorBase is a great idea, and you can avoid Tomcat's standard

Re: manager best practice

2021-10-01 Thread Christopher Schultz
Greg, On 9/28/21 06:52, Greg Huber wrote: Hello, Are there any best practice notes for the manager app? E.g., if I include the app in webapps I get a context on my site; do I create a long name for the folder (the URL) to hide it? E.g. a folder called reallylongmanager1234567890 so I get

Re: tomcat presentations on ApacheCon 2021

2021-10-01 Thread Christopher Schultz
Mark, On 9/27/21 16:21, Mark Thomas wrote: On 27/09/2021 20:27, Усманов Азат Анварович wrote: Hi everyone! Does anybody know where/when to find the video/audio/slides (if any) from last week's Tomcat track on ApacheCon 2021? Because I completely missed it last week. I'm assuming all

Re: How can I set the version of sessionId cookie which tomcat send to the client to 0?

2021-10-01 Thread Christopher Schultz
Kuang Neu, On 9/25/21 04:48, Yi Kuang Niu wrote: As is known, when the client accesses the server, the server will create a session and send the sessionId (in the form of a cookie) to the client. But these days, I met a problem. I found the IE11 browser doesn’t support cookie if the cookie version

Re: Tomcat 9.0.52 http2 flow control issues

2021-10-01 Thread Mark Thomas
On 20/09/2021 07:28, Mark Thomas wrote: On 10/09/2021 11:42, Mark Thomas wrote: Hi Erik, Thanks for the report. I'm looking at this now. I'm testing with a simple index page that references 3 largish images (~6MB each). I've found an issue with HTTP/2, sendfile and StackOverflowException

AW: AW: JASPIC AuthConfigProvider packaged with the web application not found

2021-09-30 Thread Keil, Matthias (ORISA Software GmbH)
Dear Mark and Bernd, Thank you for your help and your advice. That helped me a lot. I now have an implementation that resides exclusively in the application. Thanks very much :-) Best regards Matthias Keil -Original Message- From: Mark Thomas Sent: Monday, 27 September

RE: Tomcat SSL - Issue

2021-09-28 Thread Kumawat, Priyanka
Hello Christopher/Niranjan, Thank you very much for the below information!!! The issue was with the Java version; we need to upgrade the Java version in order to install the cert. Thank you again for your support!!! Thanks & Regards, Priyanka Kumawat | Middleware Admin T +91.7879364483
