Size Based Rolling
Hi, How can we make catalina.out and access logs (AccessLogValve) roll log based on size instead of daily rolling? Thanks, Akash
Session fixation Tomcat 7
Hi, I am trying to resolve a session fixation issue with Tomcat 7.0.52. We have a Spring MVC application running on it, and the auth method is provided by another application which writes a cookie, and we use the cookie value to check whether the user is valid or not. My application URL patterns are:

    /                  - Home page
    /login             - Redirect to another application to ask user to authenticate
    /myaccess/user***  -- All authenticated URLs

    <Context path="" docBase="myapplication" sessionCookieName="mycookiename" sessionCookieDomain="application.mydomain.com" sessionCookiePath="/">

As I cannot use org.apache.catalina.authenticator.FormAuthenticator here, how can I prevent the session fixation? Thanks.
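Added example (not part of the original post, and not Tomcat or Spring code): for the setup described above, where login happens in another application and only a cookie is checked, a servlet filter can give the user a new session ID the first time a valid auth cookie is seen. The filter name, the cookie name `authcookie`, the attribute name and the abstract `isValidAuthCookie` hook (standing in for the application's existing cookie check) are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: renews the session ID once per session, on first authenticated request. */
public abstract class SessionRenewalFilter implements Filter {
    private static final String AUTH_COOKIE = "authcookie";            // assumed cookie name
    private static final String RENEWED = "sessionRenewedAfterAuth";   // assumed attribute name

    /** The application's existing validation of the cookie written by the auth application. */
    protected abstract boolean isValidAuthCookie(String value);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession old = req.getSession(false);
        boolean renewed = old != null && old.getAttribute(RENEWED) != null;
        if (!renewed && hasValidAuthCookie(req)) {
            Map<String, Object> saved = new HashMap<String, Object>();
            if (old != null) {
                for (String name : Collections.list(old.getAttributeNames())) {
                    saved.put(name, old.getAttribute(name));   // carry state across the renewal
                }
                old.invalidate();   // the ID that existed before authentication stops working
            }
            HttpSession fresh = req.getSession(true);   // container issues a new session ID
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
            fresh.setAttribute(RENEWED, Boolean.TRUE);  // do not renew again on later requests
        }
        chain.doFilter(rq, rs);
    }

    private boolean hasValidAuthCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (AUTH_COOKIE.equals(c.getName()) && isValidAuthCookie(c.getValue())) return true;
        }
        return false;
    }
}
```

On Servlet 3.1 containers (Tomcat 8 and later) `HttpServletRequest.changeSessionId()` does the same renewal without copying attributes. The session should be invalidated on logout so that the next login is renewed as well.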
Tomcat 8 Slow ?
Hi, I recently tried to migrate from Tomcat 7.0.53 to 8.0.5. I did some StopWatch (Spring class) tests to compare the performance impact, and for the same configurations, Tomcat 8.0.5 showed it's slightly slow compared to 7.0.53. Did anyone else also experience the same? Thanks. Akash
CSRF protection in Tomcat 7
How can I prevent CSRF protection using Tomcat 7? I have heard that Tomcat 7 provides a CSRF filter: http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html But is it thread safe? Or shall we do a custom protection in our Spring 3 application?
Re: CSRF protection in Tomcat 7
Thanks. Do you know if Tomcat 7 inbuilt CSRF has a nonce thread safe issue?

On Mon, Mar 24, 2014 at 12:52 PM, Rossen Stoyanchev rstoyanc...@gopivotal.com wrote:
> Spring Security provides CSRF protection as well: http://docs.spring.io/spring-security/site/docs/3.2.2.RELEASE/reference/htmlsingle/#csrf
>
> On Mon, Mar 24, 2014 at 3:49 PM, Akash Jain akash.delh...@gmail.com wrote:
>> How can I prevent CSRF protection using Tomcat 7 ? I have heard that tomcat 7 provides CSRF filter http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html But is it thread safe ? Or shall we do a custom protection in our spring 3 application ?
Re: CSRF protection in Tomcat 7
Yes, it uses LinkedHashMap internally which is not thread safe. http://tomcat.10.x6.nabble.com/CsrfPreventionFilter-LRU-cache-td2113069.html

On Mon, Mar 24, 2014 at 1:09 PM, Daniel Mikusa dmik...@gopivotal.com wrote:
> On Mar 24, 2014, at 3:49 PM, Akash Jain akash.delh...@gmail.com wrote:
>> How can I prevent CSRF protection using Tomcat 7 ? I have heard that tomcat 7 provides CSRF filter http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html
> Yes. The manager application uses it. You could look at the source code, if you need an example.
>> But is it thread safe ?
> I do not know off the top of my head. Is there a reason that you are asking? Have you seen something that would indicate that it is not?
> Dan
>> Or shall we do a custom protection in our spring 3 application ?
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: CSRF protection in Tomcat 7
On Mon, Mar 24, 2014 at 1:33 PM, Daniel Mikusa dmik...@gopivotal.com wrote:
> On Mar 24, 2014, at 4:24 PM, Akash Jain akash.delh...@gmail.com wrote:
>> Yes, it uses LinkedHashMap internally which is not thread safe. http://tomcat.10.x6.nabble.com/CsrfPreventionFilter-LRU-cache-td2113069.html
> First, please don't top post. The convention adopted by this list is to reply inline or at the bottom. I don't see what you mean here. Using LinkedHashMap does not automatically mean there will be threading issues and the link you've referenced is not discussing a threading issue. Can you explain your concern more?

Version used is 7.0.52. It's an old thread, but I want to know if Tomcat's inbuilt CSRF filter is thread safe or not? As there are other CSRF protection mechanisms like Spring Security's, so if Tomcat is good then we need not consider other options.

> Dan
>> On Mon, Mar 24, 2014 at 1:09 PM, Daniel Mikusa dmik...@gopivotal.com wrote:
>>> On Mar 24, 2014, at 3:49 PM, Akash Jain akash.delh...@gmail.com wrote:
>>>> How can I prevent CSRF protection using Tomcat 7 ? I have heard that tomcat 7 provides CSRF filter http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html
>>> Yes. The manager application uses it. You could look at the source code, if you need an example.
>>>> But is it thread safe ?
>>> I do not know off the top of my head. Is there a reason that you are asking? Have you seen something that would indicate that it is not?
>>> Dan
>>>> Or shall we do a custom protection in our spring 3 application ?
Re: CSRF protection in Tomcat 7
On Mon, Mar 24, 2014 at 1:37 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:
> 2014-03-25 0:24 GMT+04:00 Akash Jain akash.delh...@gmail.com:
>> Yes, it uses LinkedHashMap internally which is not thread safe. http://tomcat.10.x6.nabble.com/CsrfPreventionFilter-LRU-cache-td2113069.html
> A 3 years old thread? The rules here: http://tomcat.apache.org/lists.html#tomcat-users
> - 1. your version = ?
> - 6. don't top-post.

Version used is 7.0.52. It's an old thread, but I want to know if Tomcat's inbuilt CSRF filter is thread safe or not? As there are other CSRF protection mechanisms like Spring Security's, so if Tomcat is good then we need not consider other options.

> The source code is available (both downloadable and online from svn). All necessary syncs are there. http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?annotate=1148471diff_format=l#l313

So you are saying it's thread safe as per the diff?

> Best regards, Konstantin Kolinko
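The point made in the replies in this thread, that a LinkedHashMap-backed LRU cache is safe when every access holds the same lock, shown as an added example (not Tomcat's source and not code from the thread; class and method names are hypothetical, and the load in `main` is constructed):

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class NonceCacheDemo {
    /** Bounded LRU set of nonces (hypothetical class, not Tomcat's). */
    static final class LruNonceCache {
        private final Map<String, Boolean> cache;

        LruNonceCache(final int capacity) {
            // LinkedHashMap is not thread safe by itself: put() relinks the
            // entry list and may evict, so all callers must serialize access.
            cache = new LinkedHashMap<String, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                    return size() > capacity;   // drop the oldest nonce when full
                }
            };
        }

        // Every read and write takes the map's monitor, which is what makes
        // the non-thread-safe map safe to share between request threads.
        void add(String nonce) { synchronized (cache) { cache.put(nonce, Boolean.TRUE); } }
        boolean contains(String nonce) { synchronized (cache) { return cache.containsKey(nonce); } }
        int size() { synchronized (cache) { return cache.size(); } }
    }

    public static void main(String[] args) throws InterruptedException {
        final LruNonceCache nonces = new LruNonceCache(5);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int worker = t;
            pool.execute(() -> {
                // Constructed load: each worker stores and looks up its own nonces.
                for (int i = 0; i < 100000; i++) {
                    String n = worker + "-" + i;
                    nonces.add(n);
                    nonces.contains(n);
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        // The bound holds after concurrent use because no access bypassed the lock.
        System.out.println("entries after concurrent use: " + nonces.size());
    }
}
```

Removing the `synchronized` blocks turns this into the unsafe case the thread was worried about: concurrent `put()` calls on a shared LinkedHashMap can corrupt its internal links or break the size bound.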
Exception while running downloaded tomcat
I am getting the following error when trying to run Tomcat on Mac OS X 10.7.5 (using JDK 1.7). Can anybody please guide as to what is wrong?

    r 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/docs
    Mar 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    SEVERE: Error deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/docs
    java.lang.ExceptionInInitializerError
        at org.apache.catalina.startup.ContextConfig.createWebXmlDigester(ContextConfig.java:515)
        at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:836)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:382)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1229)
        at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1875)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
    Caused by: java.lang.NullPointerException
        at org.apache.tomcat.util.descriptor.DigesterFactory.idFor(DigesterFactory.java:107)
        at org.apache.tomcat.util.descriptor.DigesterFactory.<clinit>(DigesterFactory.java:59)
        ... 18 more
    Mar 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/examples
    Mar 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    SEVERE: Error deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/examples
    java.lang.NoClassDefFoundError: Could not initialize class org.apache.tomcat.util.descriptor.DigesterFactory
        at org.apache.catalina.startup.ContextConfig.createWebXmlDigester(ContextConfig.java:515)
        at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:836)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:382)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:139)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1229)
        at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1875)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)
    Mar 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/host-manager
    Mar 14, 2014 12:04:59 AM org.apache.catalina.startup.HostConfig deployDirectory
    SEVERE: Error deploying web application directory /Users/myuser/Downloads/apache-tomcat-7.0.52 2/webapps/host-manager
    java.lang.NoClassDefFoundError: Could not initialize class org.apache.tomcat.util.descriptor.DigesterFactory
        at org.apache.catalina.startup.ContextConfig.createWebXmlDigester(ContextConfig.java:515)
        at org.apache.catalina.startup.ContextConfig.init(ContextConfig.java:836)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:382)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at
Tomcat 7 : Configure redirect url for session timeout
I have the following configuration in `web.xml` in Tomcat 7. I am wondering if I can add any configurable parameter here, so that if the user tries to do any operation post 30 minutes, I redirect the user to our home page.

    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <domain>mydomain.mycompany.com</domain>
            <http-only>true</http-only>
            <secure>false</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
Re: Tomcat 7 : Configure redirect url for session timeout
Leo, if any request comes after the session timeout interval ... why would it go into error? I want to keep the session timeout and error scenarios different.

On Fri, Mar 14, 2014 at 3:34 PM, Leo Donahue donahu...@gmail.com wrote:
> On Fri, Mar 14, 2014 at 3:04 PM, Akash Jain akash.delh...@gmail.com wrote:
>> I have following configuration in `web.xml` in tomcat 7. I am wondering if I can add any configurable parameter here, so that if user tries to do any operation post 30 minutes, I redirect the user to our home page.
>>
>>     <session-config>
>>         <session-timeout>30</session-timeout>
>>         <cookie-config>
>>             <domain>mydomain.mycompany.com</domain>
>>             <http-only>true</http-only>
>>             <secure>false</secure>
>>         </cookie-config>
>>         <tracking-mode>COOKIE</tracking-mode>
>>     </session-config>
> My first thought is you could catch the error in web.xml using an error-page and error-code 408, and then use a location to redirect?
> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html
Re: Tomcat 7 : Configure redirect url for session timeout
I want to redirect the user to / with a query parameter to indicate that the session has timed out.

On Fri, Mar 14, 2014 at 4:01 PM, Leo Donahue donahu...@gmail.com wrote:
> On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote:
>> Leo, If any request comes after session timeout interval ... why would it go into error ?
> Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page?
Re: Tomcat 7 Session Persistence disable not working as expected
Christopher, I have changed it in server.xml. Below is the server.xml part:

    <Context path="" docBase="ROOT" sessionCookieName="mycookie" sessionCookieDomain="myapp.mydomain.com" sessionCookiePath="/" useHttpOnly="true" reloadable="false">
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <Manager pathname="" /> <!-- Disables session persistence -->
    </Context>

As indicated above, I write JSESSIONID in the mycookie cookie. Even after restart, the JSESSIONID is not getting invalidated. Before and after restart of apache, I can keep browsing the site with the same JSESSIONID in the cookie.
Re: Difference between process kill and shutdown
kill -15

On Sun, Mar 2, 2014 at 4:42 AM, Mark Thomas ma...@apache.org wrote:
> On 01/03/2014 12:11, Akash Jain wrote:
>> On our linux boxes, we have multiple users who run tomcat. Currently we are using process kill commands to kill the respective user's tomcat , instead of using shutdown.sh
> Which signal are you sending to shutdown the process?
> Mark
Tomcat 7 Session Persistence disable not working as expected
As documented in https://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Disable_Session_Persistence, I added the following code piece to disable session persistence in Tomcat 7.

    <Manager pathname="" />

After this change I can see that SESSIONS.ser is not getting created as expected, but even after restarting Tomcat, the previous JSESSIONID is still valid. Why is Tomcat not invalidating the previous JSESSIONID?
Re: Tomcat 7 Session Persistence disable not working as expected
Hi Violeta, it's the latest version (7.0.52).

On Sun, Mar 9, 2014 at 10:28 PM, Violeta Georgieva violet...@apache.org wrote:
> Hi,
> On Monday, 10 March 2014, Akash Jain akash.delh...@gmail.com wrote:
>> As documented in https://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Disable_Session_Persistence , I added the following code piece to disable session persistence in Tomcat 7.
> What is the exact version of Tomcat? The correct documentation for Tomcat 7 is [1].
> Regards, Violeta
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html#Disable_Session_Persistence
>>
>>     <Manager pathname="" />
>>
>> After this change I can see that SESSIONS.ser is not getting created as expected, but even after restarting tomcat, the previous JSESSIONID is still valid. Why is tomcat not invalidating the previous JSESSIONID ?
Difference between process kill and shutdown
On our Linux boxes, we have multiple users who run Tomcat. Currently we are using process kill commands to kill the respective user's Tomcat, instead of using shutdown.sh. Are there any downsides of using this approach? Thanks, Akash
GZIP support in Tomcat 7
I have the following configuration in my server.xml:

    <Connector port="19380" protocol="HTTP/1.1"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,application/javascript,application/json,text/javascript,text/json"
               connectionTimeout="2"
               redirectPort="8443" />

But still, when I am checking for JS/CSS files in the browser, the size returned is not less. Can anybody guide as to what I am missing here?