RE: Increase Transfer-Encoding limit in Apache Tomcat 9.0.14

2020-03-31 Thread Agrawal, Suraj (CORP)
Hi Mark,

Thanks for your response. Yes, the source application is not able to handle a 
"Chunked" response, so we want to disable it or at least increase the size.

We recently moved from IIS to Apache Tomcat as the default webserver for the 
application.

Also, I tried adding the below in server.xml in the HTTP/1.1 section, but that did 
not help.

   -   maxTrailerSize="-1"
   -   maxExtensionSize="-1"


Thanks & Regards,
Suraj Agrawal

-Original Message-
From: Mark Thomas  
Sent: Tuesday, March 31, 2020 12:51 PM
To: users@tomcat.apache.org
Subject: Re: Increase Transfer-Encoding limit in Apache Tomcat 9.0.14

 
On 31/03/2020 17:35, Agrawal, Suraj (CORP) wrote:
> 
> Hi Team,
> 
> We are getting webserver response failure when the response message is larger 
> than 20 kb. I was reading and it looks like Apache Tomcat sets "Transfer-Encoding 
> = Chunked" when the size of the message increases beyond 8 kb by default.

You haven't demonstrated that those two statements are cause and effect.

Please describe the failure in detail.

Tomcat will quite happily serve responses that are multiple Gb in size so I'd 
be surprised if this turned out to be a Tomcat issue.

Are you saying that the client you are using can't handle a chunked response?

> Can you please help how we can disable  "Transfer-Encoding = Chunked" 
> or increase its size in Apache Tomcat 9.0.14 (we are using Windows 
> Server). I also tried adding below in server.xml but that did not 
> help;

Adding what, exactly? The entire Connector? An attribute? Something to an 
attribute?

Mark


> 
>  relaxedQueryChars=""
>  
> relaxedPathChars=""
>  compressableMimeType="text/html,text/xml,text/css,text/javascript, 
> application/x-javascript,application/javascript"
>  compression="on"
>  compressionMinSize="128"
>  connectionTimeout="200"
>  noCompressionUserAgents="gozilla, traviata"
>  maxpostsize="-1"
>  maxHttpHeaderSize="65536"
>  maxTrailerSize="-1"
>  maxExtensionSize="-1"
>  redirectPort="9011" />
> 
> Many thanks for your help in advance.
> 
> Thanks & Regards,
> Suraj Agrawal
> 
> --
> This message and any attachments are intended only for the use of the 
> addressee and may contain information that is privileged and confidential. If 
> the reader of the message is not the intended recipient or an authorized 
> representative of the intended recipient, you are hereby notified that any 
> dissemination of this communication is strictly prohibited. If you have 
> received this communication in error, notify the sender immediately by return 
> email and delete the message and any attachments from your system.
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Increase Transfer-Encoding limit in Apache Tomcat 9.0.14

2020-03-31 Thread Agrawal, Suraj (CORP)

Hi Team,

We are getting webserver response failure when the response message is larger 
than 20 kb. I was reading and it looks like Apache Tomcat sets "Transfer-Encoding = 
Chunked" when the size of the message increases beyond 8 kb by default.

Can you please help how we can disable  "Transfer-Encoding = Chunked" or 
increase its size in Apache Tomcat 9.0.14 (we are using Windows Server). I also 
tried adding below in server.xml but that did not help;



Many thanks for your help in advance.

Thanks & Regards,
Suraj Agrawal



RE: Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector protocol)

2018-05-24 Thread Agrawal, Suraj (CORP)
Hi Charlie,

We are using Oracle Siebel CRM application, which with the newer version is 
offering Apache Tomcat as the default webserver. The application is configured 
to use HTTP/1.1 connector protocol to connect to the server.

I am new to Apache webservers and don't know much about connectors and protocols.
Thus I am looking for a way to get Windows authentication working with Apache Tomcat 
on the HTTP Connector.

Thanks & Regards,
Suraj Agrawal


-Original Message-
From: charlie arehart [mailto:charlie_li...@carehart.org] 
Sent: Thursday, May 24, 2018 12:01 PM
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector 
protocol)

Can you clarify why you would not want to use the AJP connector in your case? 
I'm just asking this simpler question, since no one offered any answer when you 
asked essentially the same question last week. 

More important, have you confirmed whether things WOULD work as expected if you 
used the AJP connector instead? And if so, then again why not use it? Or are 
you thinking for some reason you CANNOT?

/charlie

PS I have a different question on IIS authentication and Tomcat, which I will 
ask separately.

-Original Message-----
From: Agrawal, Suraj (CORP) <suraj.agra...@adp.com> 
Sent: Wednesday, May 23, 2018 04:41 PM
To: users@tomcat.apache.org
Subject: Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector 
protocol)

Hi Team,

We are trying to implement SSO using Windows integrated authentication (NTLM) 
on Apache Tomcat 8.0.22 through a reverse proxy in IIS.
We were able to pass the authentication token to Apache, but Apache is not 
allowing the IIS authentication to pass through. It is not recognizing what 
authentication is coming by the reverse proxy IIS server request.

[Authentication (NTLM) --> Reverse proxy --> pass the call with NTLM token 
to Apache Tomcat]

For the "AJP/1.3" connection protocol there is an attribute "tomcatAuthentication" 
which allows Apache to use the authentication user information from IIS.
But we didn't find anything similar for the "HTTP/1.1" connection protocol. Can 
you please help?






Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector protocol)

2018-05-23 Thread Agrawal, Suraj (CORP)
Hi Team,

We are trying to implement SSO using Windows integrated authentication (NTLM) 
on Apache Tomcat 8.0.22 through a reverse proxy in IIS.
We were able to pass the authentication token to Apache, but Apache is not 
allowing the IIS authentication to pass through. It is not recognizing what 
authentication is coming by the reverse proxy IIS server request.

[Authentication (NTLM) --> Reverse proxy --> pass the call with NTLM token 
to Apache Tomcat]

For the "AJP/1.3" connection protocol there is an attribute "tomcatAuthentication" 
which allows Apache to use the authentication user information from IIS.
But we didn't find anything similar for the "HTTP/1.1" connection protocol. Can 
you please help?

Our application is hosted on the HTTP 1.1 connector using SSL. Please find the 
Server.xml details below:





Many Thanks for your help

Regards,
Suraj



SSO using Reverse Proxy from IIS to Apache Tomcat 8.0.22 (Use Windows Authentication NTLM)

2018-05-15 Thread Agrawal, Suraj (CORP)
Hi Team,

We are trying to implement SSO using Windows integrated authentication 
(NTLM) on Apache Tomcat 8.0.22 for REST API calls.

We are following "Windows Authentication How To" --> Reverse Proxies --> 
Microsoft IIS. We configured ISAPI_Redirect.dll for reverse proxy.

But facing some issues with it, can you please help us with the below :

1.   Our application (Siebel) listens to HTTP protocol but seems like 
ISAPI_Redirect reverse proxy uses AJP connector Protocol, Is there any document 
which can help us configure reverse proxy with HTTP protocol?

2.   We are using the Windows Authentication NTLM approach (we cannot use 
Kerberos as per the company guidelines). Are there any known issues using WIA 
with Apache?

3.   Please suggest if there is any better approach to achieve SSO for Rest 
calls using Windows Integrated Authentication on windows server.

Any help would be very much appreciated, thanks again for your time.

Thanks & Regards,
Suraj Agrawal



RE: WELCOME to users@tomcat.apache.org

2018-01-08 Thread Agrawal, Suraj (CORP)
Thanks Andre for the help,

We are routing the request from IIS 7.5 to Apache using a reverse proxy. It seems 
like Apache is not allowing the authentication, nor is it accepting the username 
and password passed from IIS.

--  The AJP connector details in Server to XML were uncommented as shown 
below; we added tomcatAuthentication="false" and still it was failing with 
an empty username and password error.

 

-- We are currently on Apache Tomcat 8.0.22. This installation was part of 
our Siebel application suite, thus could not have all the necessary connector 
settings installed in it. Is there a way we can check and install the AJP connector 
on top of the Apache Tomcat we got as a part of the Siebel application?

-- Also with IIS we were using [UserSpecSource = Server] and [UserSpec = 
REMOTE_USER]. Are they the correct values for the Tomcat webserver as well?

Thanks & Regards,
Suraj Agrawal


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, January 4, 2018 9:07 AM
To: users@tomcat.apache.org
Subject: Re: WELCOME to users@tomcat.apache.org

Hi.

On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
> Hi Team,
>
> We are currently working on "Apache Tomcat Version 8.0.22". We are 
> using Apache to host javacontainer for Rest calls for our Siebel 
> application. The javacontainer is listening to Port 9001 as below-
>
>  protocol="HTTP/1.1"/>
>
> We are trying to setup Windows Authentication in Apache by using Reverse 
> Proxy with IIS, and have followed the below steps as per the Apache 
> documentation.
>
> ---Steps followed :
> There are three steps to configuring IIS to provide Windows authentication. 
> They are:
> 1. Configure IIS as a reverse proxy for Tomcat (see the  IIS Web Server 
> How-To).
>  This is done and working as expected

There is a bit of confusing information in the page 
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but 
then later it mentions "The mod_jk module uses the AJP protocol to send 
requests to the Tomcat containers".  In fact, "mod_jk" and "ISAPI redirector" 
are functionally the same thing (and probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver 
front-end (under Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver 
front-end (Windows only)

But /both/ use the same protocol to talk with the back-end Tomcat, and that 
protocol is AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, 
and not the HTTP Connector.

The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses) but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the 
front-end to the back-end, is the authenticated user-id on the front-end, if 
any.
(HTTP does not normally do this in any standard way).

At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" 
(true/false) serves to tell Tomcat to either "believe" (false) the user-id that 
it receives from the front-end through AJP, or to ignore it (true) and do its 
own authentication anyway.

At the Tomcat level, this "tomcatAuthentication" attribute only makes sense 
with the AJP Connector (and protocol).
See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)

while here : 
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).

>
> 2. Configure IIS to use Windows authentication
>  This is done and working as expected
>
> 3. Configure Tomcat to use the authentication user information from IIS by 
> setting the tomcatAuthentication attribute on the  AJP connector to false. 
> Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
> authenticate, while Tomcat performs the authorization.
>

Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)

> Q1   We were able to configure the reverse proxy with Anon user but the 
> Windows authentication is failing at Apache level with below error :-
> Thread[http-nio-9001-exec-15,5,main]  [2017-12-27 13:17:12.637] [null] Error 
> while login : The username cannot be empty. Please select a username.
>

Your problem may be there, with this "anonymous" authentication at the IIS 
level.  Maybe the isapi_redirector interprets this as &qu
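
Added example, not part of the original thread or of Tomcat itself: a small audit of `<Connector>` elements that applies the point made in the reply above (`tomcatAuthentication` / `tomcatAuthorization` only take effect on the AJP connector) and also covers the `maxTrailerSize="-1"` / `maxExtensionSize="-1"` settings tried in the 2020 Transfer-Encoding thread. The sample `server.xml`, its ports, the finding labels and the loopback/shared-secret checks are assumptions made for illustration; the archive stripped the poster's real connector definitions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml for illustration; the archive stripped the poster's
# real <Connector> elements, so ports and values here are assumptions.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="9001" protocol="HTTP/1.1" tomcatAuthentication="false"
               maxTrailerSize="-1" maxExtensionSize="-1" />
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" requiredSecret="PLACEHOLDER" />
  </Service>
</Server>
"""

AJP_ONLY = ("tomcatAuthentication", "tomcatAuthorization")
CHUNKED_REQUEST_LIMITS = ("maxTrailerSize", "maxExtensionSize")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def trusts_front_end(conn):
    """True when the connector accepts the user-id asserted by the proxy."""
    return (conn.get("tomcatAuthentication", "true").lower() == "false"
            or conn.get("tomcatAuthorization", "false").lower() == "true")


def audit_connectors(server_xml):
    """Return (port, finding) tuples for each <Connector> in server.xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        # protocol may be "AJP/1.3" or a class name such as ...ajp.AjpNioProtocol
        is_ajp = "ajp" in conn.get("protocol", "HTTP/1.1").lower()
        if not is_ajp:
            # The HTTP connector has no such attribute; it is silently ignored,
            # so Tomcat keeps doing its own authentication.
            for name in AJP_ONLY:
                if name in conn.attrib:
                    findings.append((port, "ignored-on-http:" + name))
            # These cap chunk extensions / trailers of chunked *requests*;
            # -1 removes the cap and does not change response chunking.
            for name in CHUNKED_REQUEST_LIMITS:
                if conn.get(name, "").strip() == "-1":
                    findings.append((port, "no-limit:" + name))
        elif trusts_front_end(conn):
            # Whoever can reach this port can assert an identity, so it
            # should be reachable only by the front-end proxy.
            # Assumption: a missing address means "not loopback-only".
            if conn.get("address") not in LOOPBACK:
                findings.append((port, "trusted-identity:not-loopback"))
            if not (conn.get("secret") or conn.get("requiredSecret")):
                findings.append((port, "trusted-identity:no-shared-secret"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```
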

authentication via IIS front-end proxy

2018-01-04 Thread Agrawal, Suraj (CORP)
Hi Team,

We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache 
to host javacontainer for Rest calls for our Siebel application. The 
javacontainer is listening to Port 9001 as below-

 

We are trying to setup Windows Authentication in Apache by using Reverse Proxy 
with IIS, and have followed the below steps as per the Apache documentation.

---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. 
They are:
1. Configure IIS as a reverse proxy for Tomcat (see the  IIS Web Server How-To).
 This is done and working as expected

2. Configure IIS to use Windows authentication
 This is done and working as expected

3. Configure Tomcat to use the authentication user information from IIS by 
setting the tomcatAuthentication attribute on the  AJP connector to false. 
Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
authenticate, while Tomcat performs the authorization.

Q1   We were able to configure the reverse proxy with Anon user but the 
Windows authentication is failing at Apache level with below error :-
Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error 
while login : The username cannot be empty. Please select a username.

Q2   Our configuration is using "HTTP" protocol, do we need to change the 
server.xml entry for 9001 to use AJP protocol and then add entry " 
tomcatAuthentication=False"

Q3  Do we need to install the AJP connector on top of Tomcat or is it installed 
by default, or do we not need it for Windows Authentication?


Thanks & Regards,
Suraj Agrawal


-Original Message-
From: users-h...@tomcat.apache.org [mailto:users-h...@tomcat.apache.org] 
Sent: Wednesday, January 3, 2018 12:03 PM
To: Agrawal, Suraj (CORP) <suraj.agra...@adp.com>
Subject: WELCOME to users@tomcat.apache.org

Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing 
list.

I'm working for my owner, who can be reached at users-ow...@tomcat.apache.org.

Acknowledgment: I have added the address

   suraj.agra...@adp.com

to the users mailing list.

Welcome to users@tomcat.apache.org!

Please save this message so that you know the address you are subscribed under, 
in case you later want to unsubscribe or change your subscription address.


--- Administrative commands for the users list ---

I can handle administrative requests automatically. Please do not send them to 
the list address! Instead, send your message to the correct command address:

To subscribe to the list, send a message to:
   <users-subscr...@tomcat.apache.org>

To remove your address from the list, send a message to:
   <users-unsubscr...@tomcat.apache.org>

Send mail to the following for info and FAQ for this list:
   <users-i...@tomcat.apache.org>
   <users-...@tomcat.apache.org>

Similar addresses exist for the digest list:
   <users-digest-subscr...@tomcat.apache.org>
   <users-digest-unsubscr...@tomcat.apache.org>

To get messages 123 through 145 (a maximum of 100 per request), mail:
   <users-get.123_...@tomcat.apache.org>

To get an index with subject and author for messages 123-456 , mail:
   <users-index.123_...@tomcat.apache.org>

They are always returned as sets of 100, max 2000 per request, so you'll 
actually get 100-499.

To receive all messages with the same subject as message 12345, send a short 
message to:
   <users-thread.12...@tomcat.apache.org>

The messages should contain one line or word of text to avoid being treated as 
sp@m, but I will ignore their content.
Only the ADDRESS you send to is important.

You can start a subscription for an alternate address, for example 
"john@host.domain", just add a hyphen and your address (with '=' instead of 
'@') after the command word:

RE: WELCOME to users@tomcat.apache.org

2018-01-03 Thread Agrawal, Suraj (CORP)
Hi Team,

We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache 
to host javacontainer for Rest calls for our Siebel application. The 
javacontainer is listening to Port 9001 as below-

 

We are trying to setup Windows Authentication in Apache by using Reverse Proxy 
with IIS, and have followed the below steps as per the Apache documentation.

---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. 
They are:
1. Configure IIS as a reverse proxy for Tomcat (see the  IIS Web Server How-To).
 This is done and working as expected

2. Configure IIS to use Windows authentication
 This is done and working as expected

3. Configure Tomcat to use the authentication user information from IIS by 
setting the tomcatAuthentication attribute on the  AJP connector to false. 
Alternatively, set the tomcatAuthorization attribute to true to allow IIS to 
authenticate, while Tomcat performs the authorization.

Q1   We were able to configure the reverse proxy with Anon user but the 
Windows authentication is failing at Apache level with below error :-
Thread[http-nio-9001-exec-15,5,main][2017-12-27 13:17:12.637] [null] Error 
while login : The username cannot be empty. Please select a username.

Q2   Our configuration is using "HTTP" protocol, do we need to change the 
server.xml entry for 9001 to use AJP protocol and then add entry " 
tomcatAuthentication=False"

Q3  Do we need to install the AJP connector on top of Tomcat or is it installed 
by default, or do we not need it for Windows Authentication?


Thanks & Regards,
Suraj Agrawal

