Re: TLSCertificateReloadListener Detects Expiration But Never Reads New Cert & Key Files

2024-03-18 Thread Mark Thomas
On 18/03/2024 08:21, Mark Thomas wrote: On 17/03/2024 15:26, Justin Y wrote: Hi Everyone -- I've spent a few hours scratching my head and then diving into the source code of 10.1.19 to figure out what's going on. Could you test with 10.1.18? I'm wondering if the user provided SSLContext

Re: problems with partitioned cookies

2024-03-18 Thread Mark Thomas
On 18/03/2024 15:16, info@klawitter.de wrote: What am I doing wrong here? (Tomcat 9.0.82) https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Search for "partitioned" The problem is you are using Tomcat 9.0.82. Support for a default partitioned attribute wasn't added until 9.0.85.

Re: Regression in mutual authentication in 9.0.86+?

2024-03-18 Thread Mark Thomas
I've just tested 9.0.x and mutual TLS authentication appears to be working as expected. I suggest starting with testing a simple JSP that echoes that attribute and if you still see the issue, provide us with your configuration. Note that the issue may be related to the certs you are using so

Re: TLSCertificateReloadListener Detects Expiration But Never Reads New Cert & Key Files

2024-03-18 Thread Mark Thomas
On 17/03/2024 15:26, Justin Y wrote: Hi Everyone -- I've spent a few hours scratching my head and then diving into the source code of 10.1.19 to figure out what's going on. Could you test with 10.1.18? I'm wondering if the user provided SSLContext changes in 10.1.19 have triggered a

[ANN] Apache Tomcat 11.0.0-M18 (alpha) available

2024-03-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M18 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: reloading context with manager-script

2024-03-14 Thread Mark Thomas
On 12/03/2024 13:47, Christopher Schultz wrote: Greg and Mark, On 3/12/24 05:00, Greg Huber wrote: On 11/03/2024 18:17, Christopher Schultz wrote: Mark, On 3/10/24 08:49, Mark Thomas wrote: On 10/03/2024 10:50, Greg Huber wrote: Hello, Using http://tomcat/manager-app/text/reload?path

Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas
On 14/03/2024 11:51, Vincent Daniel wrote: Thank you so much. I am ashamed that I did not read the documentation carefully. No problem. It is only a single line in the docs and it helps a lot if you know what you are looking for. Mark On Thu, Mar 14, 2024 at 7:46 PM Mark Thomas wrote

Re: What does the number preceding the catalina.org.apache.juli.AsyncFileHandler in Tomcat's conf/logging.properties mean?

2024-03-14 Thread Mark Thomas
On 14/03/2024 11:36, Vincent Daniel wrote: Hi, community When I configured Tomcat logs, I found the following configuration in logging.properties 1catalina.org.apache.juli.AsyncFileHandler 2localhost.org.apache.juli.AsyncFileHandler 3manager.org.apache.juli.AsyncFileHandler

[SECURITY] CVE-2024-23672 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas
CVE-2024-23672 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: It was possible

[SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas
CVE-2024-24549 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: When processing

Re: Tomcat 9 returning 404 for audio files

2024-03-11 Thread Mark Thomas
it is created? The resources implementation can cache "not found" results for a short period of time. You might want to test the code with a simple text file to determine whether file type is a factor (which seems unlikely but you never know). Mark On Mon, Mar 11, 2024, 5:22 a.m. M

Re: contextVersion NullPointerException due to race condition

2024-03-11 Thread Mark Thomas
On 29/02/2024 13:32, FRANTS Patrick wrote: Not sure this is the right mailing list or that it should go to dev. users@ is fine. Generally, if you aren't sure use users@. One of our unit tests will occasionally have a null pointer exception during shutdown. Unfortunately I have not been

Re: Tomcat not syncing existing sessions on restart

2024-03-11 Thread Mark Thomas
On 10/03/2024 16:59, Manak Bisht wrote: On Fri, Feb 9, 2024 at 4:45 PM Mark Thomas wrote: Using 0.0.0.0 as the address for the receiver is going to cause problems. I see similar issues with 11.0.x as 8.5.x. I haven't dug too deeply into things as a) I am short of time and b) I'm not convinced

Re: Tomcat 9 returning 404 for audio files

2024-03-11 Thread Mark Thomas
On 11/03/2024 02:21, Sam wrote: I just upgraded a legacy application from Tomcat 7 to Tomcat 9. It's deployed as a war file. I'm facing a weird issue with audio files playback. When loading a page that contains an audio file. First time Tomcat returns 404 error but if reloading the page, audio

Re: reloading context with manager-script

2024-03-10 Thread Mark Thomas
On 10/03/2024 10:50, Greg Huber wrote: Hello, Using http://tomcat/manager-app/text/reload?path=/ When I reload an application (in java), I get a reply OK - Reloaded application at context path [/] but when the application is not present I get this reply: FAIL - No context exists named []

Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9

2024-02-26 Thread Mark Thomas
On 26/02/2024 06:11, Saha, Rajib wrote: Hi Experts, In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for creating a service[Say, Service-A]. It's a huge product running in market for last 20 years. We are in progress of moving from Tomcat-8 to tomcat-9. When we are

Re: A curious case of Tomcat 10.1.x NIO(1) acceptor not stopping clearly on some setups

2024-02-26 Thread Mark Thomas
On 25/02/2024 18:18, Michał Szymborski wrote: On quick inspection the acceptor thread (https://github.com/apache/tomcat/blob/10.1.x/java/org/apache/tomcat/util/net/Acceptor.java#L128) was listening on [/[0:0:0:0:0:0:0:0]:39033] , which was correctly picked up at first, but then this local

Re: NoClassDefFoundError for SSL operations

2024-02-22 Thread Mark Thomas
On 23/02/2024 01:14, bigelytechnol...@yahoo.com wrote: This spammer has been unsubscribed and banned from re-subscribing. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail:

Re: The custom 404 page of Tomcat8 suddenly becomes invalid

2024-02-19 Thread Mark Thomas
On 19/02/2024 01:35, LeventLee wrote: Hello, Here is my information: openjdk version "1.8.0_345" | OpenJDK Runtime Environment (build 1.8.0_345-b01) | OpenJDK 64-Bit Server VM (build 25.345-b01, mixed mode) Linux 5.10.134-12.al8.x86_64 Apache Tomcat/8.0.24 That version is over 8 years old.

Re: Tomcat Manager 403's with LDAP Realm

2024-02-19 Thread Mark Thomas
On 17/02/2024 21:42, Dan McLaughlin wrote: We've had the same LDAP realm configured for probably 10 years, and the same roles in our LDAP for probably the same. We have 4 roles configured in LDAP manager-gui, manager-jmx, manager-script, and manager-status. My user only has the manager-gui

Re: Compile with JDK 17, run on JRE 11?

2024-02-17 Thread Mark Thomas
On 17/02/2024 16:01, Troels Arvin wrote: Hello, Since 9.0.83, building Tomcat has required JDK 17, according to the release notes. Is it possible to take the resulting binaries and run them on JRE 11? Yes. The minimum Java version at runtime (8) is unchanged. Mark

Re: Long lasting websocket sessions

2024-02-16 Thread Mark Thomas
On 09/02/2024 13:47, Alex O'Ree wrote: I've been experimenting with tomcat 9.x in seeing how long i can get a web socket session to last. I'm currently struggling to get past 30 minutes or so. Looking for guidance on how to best increase this or if this is a bad idea. Here's the current

Re: [EXT]Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-13 Thread Mark Thomas
ransaction\ROOT##0001 directory. That is where I believe my application to be Here is how I have my context defined in server.xml.. Is my server.xml wrong? When I place my .war in webapps-javaee\transaction dir? -Original Message----- From: Mark Thomas Sent: Thursday, February 8, 20

Re: [ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas
On 13/02/2024 10:21, Michael Osipov wrote: On 2024/02/13 08:46:42 Mark Thomas wrote: The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.3.0 stable. The key features of this release are: - The minimum supported OpenSSL version is 1.1.1 - The minimum supported

[ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.3.0 stable. The key features of this release are: - The minimum supported OpenSSL version is 1.1.1 - The minimum supported APR version is 1.6.3 - The Windows binaries in this release have been built with

[ANN] Apache Tomcat Native 2.0.7 released

2024-02-13 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.7 stable. The key features of this release are: - Align default pass phrase prompt with httpd on Windows - The Windows binaries in this release have been built with OpenSSL 3.0.13 The 2.0.x branch is

Re: Tomcat not syncing existing sessions on restart

2024-02-09 Thread Mark Thomas
On 09/02/2024 07:51, Manak Bisht wrote: On Fri, Feb 9, 2024 at 3:25 AM Mark Thomas wrote: Same JRE? Yes, 8.0.402 Generally, I wouldn't use 0.0.0.0, I'd use a specific IP address. I'm not sure how the clustering would behave with 0.0.0.0 Using 0.0.0.0 as the address for the receiver

Re: Tomcat Instance unable to connect to DB with TCPS

2024-02-09 Thread Mark Thomas
On 09/02/2024 02:54, Kebret, Michael wrote: Tomcat version 9.0.83 running on Linux redhat 7 java 11.0.20. When changing the protocol from TCP to TCPS in Catalina.properties and in server.xml we have attribute truststorePassword= (tested with both cleartext and encrypted) password connection

Re: Getting provider/properties from jaspic-providers.xml to my ServerAuthModule

2024-02-08 Thread Mark Thomas
On 08/02/2024 14:37, Ryan Esch wrote: I'm using Tomcat 9. I have a provider in jaspic-providers.xml: I am not sure how to get these properties to my ServerAuthModule. I have a ServletContextListener and can see that the jaspic-providers.xml file is being processed if I call:

Re: Persistent Manager Implementation Question

2024-02-08 Thread Mark Thomas
Try turning on ALL logging for the org.apache.catalina.session package. Mark On 08/02/2024 20:49, Miguel Vidal wrote: demo4.zip Hello, Specifications Windows 10 Tomcat 8.5 this is a configuration

Re: [EXT]Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
Confirmed this is user error. There is no bug in the migration tool. Steps to demonstrate this: - Create new, blank Eclipse dynamic web project - Add provided servlet code - Add required libraries - Remove references to internal logging code - Add web.xml with basic mapping to "/test" - Export

Re: Tomcat not syncing existing sessions on restart

2024-02-08 Thread Mark Thomas
address. I'm not sure how the clustering would behave with 0.0.0.0 Mark Sincerely, Manak Bisht On Fri, Feb 2, 2024 at 9:41 PM Mark Thomas wrote: On 31/01/2024 13:33, Manak Bisht wrote: I tried tweaking all the settings that I could think of but I am unable to sync sessions on restart

Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
}); return mapping; } } Rick Noel Systems Programmer | Westwood One rn...@westwoodone.com -Original Message- From: Mark Thomas Sent: Thursday, February 8, 2024 9:27 AM To: users@tomcat.apache.org Subject: Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool fa

Re: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
One rn...@westwoodone.com -Original Message- From: Mark Thomas Sent: Thursday, February 8, 2024 8:54 AM To: users@tomcat.apache.org Subject: [EXT]Re: jakartaee-migration-1.0.7 migration tool failure [You don't often get email from ma...@apache.org. Learn why this is important at https

Re: jakartaee-migration-1.0.7 migration tool failure

2024-02-08 Thread Mark Thomas
On 08/02/2024 13:45, Rick Noel wrote: Our application uses classes in this jar xmlrpc-server3.1.3.jar (it is the latest version). We are trying to migrate to Tomcat 10 but that jar uses the javax.server. package classes instead of the needed jakarta.server. package. I have tried

Re: Tomcat taglibs 2.0.0 release?

2024-02-05 Thread Mark Thomas
On 05/02/2024 15:49, Jeroen Hoffman wrote: On Mon, Feb 5, 2024 at 4:05 PM Mark Thomas wrote: Are there plans to release the 2.0.0 version? No plans. Tomcat 10.1.x onwards uses the 1.2.5 taglibs release converted for Jakarta EE using the Tomcat migration tool. Thanks for the quick

Re: Tomcat taglibs 2.0.0 release?

2024-02-05 Thread Mark Thomas
On 05/02/2024 14:16, Jeroen Hoffman wrote: Hi everybody, I have a question on Tomcat taglibs, I chose this mailing list because the taglibs-user one seems inactive. We are in the process of updating our application to use Java 17 and Tomcat 10, including the javax/jakarta change. It uses Tomcat

Re: Return a custom page in the event of a client requesting a non-existent resource on tomcat9

2024-02-04 Thread Mark Thomas
On 02/02/2024 18:48, Kaushal Shriyan wrote: Hi, I am running tomcat version 9.0.84 on Red Hat Enterprise Linux release 8.7 (Ootpa). Is there a way to configure the server to return a custom page in the event of a client requesting a non-existent resource. Yes. Please guide me. To do this

Re: Tomcat not syncing existing sessions on restart

2024-02-02 Thread Mark Thomas
On 31/01/2024 13:33, Manak Bisht wrote: I tried tweaking all the settings that I could think of but I am unable to sync sessions on restart even on a stock Tomcat 8.5.98 installation using your provided war. I am unable to identify whether this is actually a bug or something wrong with my

Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas
On 01/02/2024 17:48, Ryanesch@yahoo wrote: On Feb 1, 2024, at 10:34 AM, Mark Thomas wrote: On 31/01/2024 00:15, Ryan Esch wrote: From what I understand, the container knows if a user is authenticated by using the session id passed to it and then looking up the user principal

Re: How does the user principal get set on the servlet container session?

2024-02-01 Thread Mark Thomas
On 31/01/2024 00:15, Ryan Esch wrote: From what I understand, the container knows if a user is authenticated by using the session id passed to it and then looking up the user principal. If this is non-null, the user is authenticated. I am using web.xml with security constraints and

Re: Session Cookie Logging

2024-02-01 Thread Mark Thomas
On 27/01/2024 14:38, Dan McLaughlin wrote: Hey Mark, If you see a bug report, then that will mean I was able to reproduce it. I see different behaviors in our local docker environment. Still, it's nowhere as complex as our production environment--where everything is clustered and behind

Re: Session Cookie Logging

2024-01-26 Thread Mark Thomas
On 26/01/2024 22:22, Dan McLaughlin wrote: Hey Konstantin, Thanks for the reply. I synced the source last night. I haven't had a chance to step through with a debugger yet. But the only way I could get the Cookie Path set was to modify the context.xml and add sessionCookiePath to every

Re: How to access the request URL in a custom valve implementation?

2024-01-26 Thread Mark Thomas
On 26/01/2024 10:46, Manak Bisht wrote: Hi, I am trying to extend the AccessLogValve to modify logging behaviour for certain URLs. However, I don't have access to the request object in the AccessLogValve API. So, I am left with regex matching on the CharArrayWriter message object. Is there a

Re: Tomcat Version 9.0.79 - SAML2 - - Error occurred while attempting to refresh metadata from ':\WEB-INF\idp-meta-downloaded.xml'

2024-01-25 Thread Mark Thomas
On 25/01/2024 13:55, Tobias Blum (Fujitsu) wrote: Hello together, we have updated the Tomcat from Version 9.0.65 to Version 9.0.79. We are running tomcat on Windows Server 2019 Our Tomcat Version is delivered with SAP BusinessObjects. We have configured for our Web Application which runs on

Re: Getting wrong value calling request.getScheme()

2024-01-24 Thread Mark Thomas
On 24/01/2024 15:48, joan.balagu...@ventusproxy.com wrote: Any help would be really appreciated. Configuration error. Someone has done the equivalent of Or possibly a mis-configured RemoteIpFilter (or Valve). Or similar. Mark

Re: Tomcat not syncing existing sessions on restart

2024-01-23 Thread Mark Thomas
I have configured my standard cluster test environment for a 2-node cluster, using DeltaManager and static membership. httpd is configured for non-sticky load-balancing. Each node has the Manager web application and my simple cluster-test deployed.

Re: EOL - Tomcat versions

2024-01-19 Thread Mark Thomas
On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote: @Mark Thomas, Is it possible to consider that the minimum support time of Apache Tomcat 9.0.X is until 2027 (10 years since Released)? I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x but I'm not going

Re: [SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

2024-01-19 Thread Mark Thomas
Correcting the CVE reference in the text (the subject line is correct) Mark On 19/01/2024 10:17, Mark Thomas wrote: CVE-2023-21733 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache

[SECURITY] CVE-2024-21733 Apache Tomcat - Information Disclosure

2024-01-19 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 Description: Incomplete POST requests triggered an error response that could contain data from a

Re: Consultation on disabling insecure HTTP requests in Tomcat

2024-01-18 Thread Mark Thomas
On 18/01/2024 09:22, 2460873257 wrote: Hi Tomcat Experts: I'm trying to look for a solution to disable the tomcat * Options request, Why? but upon checking the source code, it seems that it is directly defined in the code. Is there a configuration provided to disable it? No.

[ANN] Apache Tomcat 11.0.0-M16 (alpha) available

2024-01-09 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M16 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Regarding Tomcat is creating the zombie processes

2024-01-09 Thread Mark Thomas
onus is on you to provide the steps necessary for someone on this list to recreate the problem you are seeing starting from a Tomcat distribution downloaded from tomcat.apache.org Mark Thanks, Omkar V. -Original Message- From: Mark Thomas Sent: Friday, January 5, 2024 6:00 PM To: users

Re: EOL - Tomcat versions

2024-01-08 Thread Mark Thomas
On 08/01/2024 06:47, i...@flyingfischer.ch wrote: https://endoflife.date/tomcat On 08.01.24 at 07:39, Deshmukh, Kedar wrote: Hello, Could you please throw some light on Tomcat versions and its EOL plan? See https://tomcat.apache.org/whichversion.html 1. 8.5.X EOL 31 March 2024

Re: Regarding Tomcat is creating the zombie processes

2024-01-05 Thread Mark Thomas
You will need to provide more details. A default Tomcat install does not create parent and child processes so zombie processes cannot occur. I'll also note that zombie processes do not consume system resources (apart from a process ID). Please provide the steps you used to recreate this

Re: EOL for Tomcat 9.0.x and Tomcat 10.1.x

2023-12-19 Thread Mark Thomas
On 19/12/2023 12:32, Kaluva S wrote: Hi, We are planning to migrate from tomcat 9.0.x to Tomcat 10.1.x but want to know about EOL for both the releases. On the official tomcat website, we couldn't find any information about this. If anyone knows, please share so that we will plan accordingly.

Re: Clarification on CVE-2023-46589

2023-12-18 Thread Mark Thomas
On 18/12/2023 09:50, purtrator wrote: There are many types of things one can do with HTTP Request Smuggling, is this an attack where header theft, cache poisoning or even response queue poisoning is possible? What are the possible damage scenarios? Assume that any attack enabled by request

Re: JSP EL - How to

2023-12-18 Thread Mark Thomas
17 Dec 2023 21:31:10 Chuck Caldarale : On Dec 16, 2023, at 23:05, Arbol One wrote: Hello. In my NetBeans IDE, I have an ANT web project, to which I have added under Libraries the JSTL 1.2.7 - jstl-impl.jar and the JSTL 1.2.7 - jstl-api.jar libraries. However, when adding this code :

Re: Tomcat with IIS

2023-12-18 Thread Mark Thomas
18 Dec 2023 05:31:24 Mohammed Ramadan Ghallab : Hello I’m using tomcat and I want to create a virtual directory but I can’t do that if it isn’t possible can you please tell me how to integrate tomcat with IIS https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Tested and

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 15/12/2023 14:48, Christopher Schultz wrote: Do we need to argue over encoding and/or rules of case-insensitive-matching? Could we? Probably. Do we need to? Unlikely. My expectation is that most clients aren't even including the host in the request line these days. Non-ASCII hostnames

Re: security-constraint url-pattern question

2023-12-15 Thread Mark Thomas
On 14/12/2023 17:28, ResSoft wrote: Chris, I figured out how to make this work. It works in my dev box but not in my prod box. Both have the same version of tomcat. Here is the web.xml entry. Any ideas would be great. Those constraints look correct to me and a quick test using

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-15 Thread Mark Thomas
On 11/12/2023 17:20, Mark Thomas wrote: On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below

Re: [EXTERNAL] - Re: Partitioned cookies

2023-12-15 Thread Mark Thomas
On 14/12/2023 21:15, André van der Lugt wrote: From: Chuck Caldarale Sent: Wednesday, November 15, 2023 9:48 AM To: Tomcat Users List Subject: [EXTERNAL] - Re: Partitioned cookies On Nov 15, 2023, at 08:06, Adam Warfield

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 16:13, Benny Prange wrote: On Thu, 14 Dec 2023 at 16:51, Mark Thomas wrote: On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy

Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas
On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request

Re: Should allowHostHeaderMismatch be case sensitive

2023-12-11 Thread Mark Thomas
On 11/12/2023 17:08, David Cleary wrote: Just want to check if this is by design. The above property default was changed to better secure the default configuration. We started having some tests fail due to this. In our scenario ( as shown below ), the Host header value in the HTTP request is

Re: JAVA -tomcat- Request header is too large

2023-12-11 Thread Mark Thomas
On 08/12/2023 22:01, Christopher Schultz wrote: Are request-ids always allocated, or only if they are "enabled"? Always allocated. I think adding the request-id to this exception detail message might be helpful, even if the request-id hasn't been enabled in the access-log. WDYT? Good

Re: Failing to decode the url correctly in tomcat 9.

2023-12-08 Thread Mark Thomas
On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote: On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan < kalaivani.sengottai...@veeva.com> wrote: In one of our sample cases, this is the url recorded by nginx "-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +] "GET

Re: JAVA -tomcat- Request header is too large

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:27, Ivano Luberti wrote: On 07/12/2023 17:51, Mark Thomas wrote: On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 09:51, Mark Thomas wrote: On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 This has been fixed for all

Re: Virtual Thread with Http11Nio2Protocol

2023-12-08 Thread Mark Thomas
On 08/12/2023 02:49, Han Li wrote: Hi Nicolas, I took a quick look that Tomcat's VirtualThreadExecutor does not implement the ExecutorService interface, which leads to this result. So I think this is a Tomcat bug. +1 On Dec 8, 2023, at 03:55, Nicolas BONAMY wrote: Hi, I try to use

Re: JAVA -tomcat- Request header is too large

2023-12-07 Thread Mark Thomas
On 07/12/2023 15:37, Ivano Luberti wrote: Hi, since a few days these errors started showing in my log files: 06-Dec-2023 07:39:56.082 INFO [http-nio-8080-exec-5826] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header Note: further occurrences of HTTP request

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-12-06 Thread Mark Thomas
ode. Additional info - I've set the session timeout to 10minutes. The app uses Java 17 with Spring Boot 3.1.x stack. It does not use any external STOMP broker relay. Regards, Jakub. On 2023/08/20 22:44:46 Mark Thomas wrote: On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wr

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 15:15, Burle, Saicharan wrote: Hi Mark/Chris, We are getting this error without even deploying any application. Then start looking at your network to see what is sending this invalid data to Tomcat. Mark -

Re: Tomcat Build Issue

2023-12-05 Thread Mark Thomas
On 05/12/2023 09:45, Burle, Saicharan wrote: Hi All, I am trying to build a tomcat instance in a net new server and getting the below error while starting. Although instance has come up but I am unable to debug the below error. Can someone please assist in this regard?

Re: setenv.sh tomcat8 changelog

2023-12-04 Thread Mark Thomas
4 Dec 2023 15:10:13 Christoph Kukulies : The tomcat8 changelog shows the following remark among others: General • Tighten up the default file permissions for the .tar.gz distribution so no files or directories are world readable by default. Configure Tomcat to run with a default umask of 

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-12-01 Thread Mark Thomas
On 01/12/2023 14:29, Markus Schlegel wrote: Hi Peter, Thank you for your hint about "-Djdk.tls.ephemeralDHKeySize=2048". I indeed did not know that this option exists. When I enable it, I get Grade "A" from SSLLabs while it still lists 8 weak ciphers out of 12. Because I get to grade "A" with

Re: (No members active in cluster group) Cannot discover members in cluster using Delta Manager with static membership Unicast

2023-12-01 Thread Mark Thomas
On 01/12/2023 08:27, Manak Bisht wrote: Hi, I am trying to implement non-sticky session replication using Delta Manager with static membership. The nodes are across two different machines. I am unable to discover members in the cluster with the following logs on both machines -

Re: Tomcat 9 build from scratch

2023-12-01 Thread Mark Thomas
On 30/11/2023 23:38, Aditya Shastri wrote: Thanks for the response Adwait. My ant skills are lacking. Does the minimum bytecode definition come from this line? Yes. Equally importantly it also ensures that the code is compiled against the Java 8 API. What does this line do? It is

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 29/11/2023 21:46, Christopher Schultz wrote: Mark, On 11/29/23 14:09, Mark Thomas wrote: It was this change: https://github.com/apache/tomcat/commit/147fee447e27ec14e3001d9c727db1dcd4cb930c Reason phrase is an optional element of the HTTP response. This looks like a bug in whichever

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
are for addressing this in the interim. I'll note though that, generally, we don't implement work-arounds for broken clients - especially ones no-one noticed for 3+ years. Mark On 29/11/2023 14:08, Mark Thomas wrote: On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application

Re: Ciphers Warning in logfile for Tomcat 8.5.96 (with Adoptium jdk-8.0.392.8-hotspot)

2023-11-29 Thread Mark Thomas
On 29/11/2023 10:46, Markus Schlegel wrote: Changing the config to add ":-CBC" to the default config as suggested by Mark in bugzilla does not have any effect. Still Grade B, 10 weak out of 12. It seems to me that -CBC might not be a valid option at all? Mark got different results when he

Re: webdav and libreoffice

2023-11-29 Thread Mark Thomas
On 28/11/2023 22:27, Jean-Max Reymond wrote: Hi, I have an application and a webdav servlet with tomcat. I am using libreoffice to edit and save files. the command is: /usr/lib/libreoffice/program/soffice.bin ms-excel:ofe|u|https://cloud.example.com/WebDav/NESTOR/GERARD/Documents.xls

[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling

2023-11-28 Thread Mark Thomas
CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not

Re: 400 Bad Request - where do I find the detailed reason for the bad request so I can fix it?

2023-11-28 Thread Mark Thomas
On 27/11/2023 20:09, Graham Leggett wrote: Hi all, Long running webapps, tomcat recently updated from tomcat7 to tomcat v9.0.65. One webapp sends a request to another. The request fails with a 400 Bad Request, with the detail message "The server cannot or will not process the request due to

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-27 Thread Mark Thomas
more complicated with asynchronous servlets but it boils down to avoid accessing the request, response and associated objects after complete()/dispatch() have been called. Mark On Sat, Nov 25, 2023 at 5:42 AM Mark Thomas wrote: On 25/11/2023 05:30, Adwait Kumar Singh wrote

Re: Using Async Servlets correctly to avoid smuggling.

2023-11-25 Thread Mark Thomas
On 25/11/2023 01:43, Adwait Kumar Singh wrote: Hey Tomcat users, I am using Async Servlets and have a question on how to safeguard my application from Request Smuggling. In my current setup I do the following, 1. `startAsync` on the ServletRequest. 2. Create a ReadListener and attach it to

Re: Possible way to avoid Tomcat from recycling the request/response on error?

2023-11-25 Thread Mark Thomas
On 25/11/2023 05:30, Adwait Kumar Singh wrote: Is there a way around this, to keep the async context open even on an error and not close it till complete is invoked? No. The spec requires the error handler to call complete() in onError() and if the error handler doesn't, the container must. Mark

Re: Breaking changes in 9.0.83 ?

2023-11-19 Thread Mark Thomas
19 Nov 2023 04:23:46 Adwait Kumar Singh : I can see that BND was updated to 7.0 in 9.0.83, however BND 7.0 requires at least JDK 17 runtime while Tomcat 9 still supports JDK 8. Is this breaking change intended? Yes, it was intended. It is not a breaking change. The minimum supported

Re: CredentialHandler not working for MD5

2023-11-18 Thread Mark Thomas
On 17/11/2023 19:36, Christopher Schultz wrote: Is there any reason why SHA-256 is the default? MD5 is the historical default / only implementation for HTTP DIGEST. RFC 7616 (2015) Chrome will choose SHA-256 if presented with a choice of SHA-256 and MD5. Mark

Re: CredentialHandler not working for MD5

2023-11-17 Thread Mark Thomas
On 16/11/2023 18:06, Peter Otto wrote: 1. Configure BASIC auth with clear-text passwords in the Realm and get that working. 2. Switch to DIGEST auth with clear-text passwords in the Realm and get that working. 3. Then configure DIGEST auth and digested passwords in the Realm. Hi

Re: Tomcat 8: Random 404 and 505 errors

2023-11-17 Thread Mark Thomas
On 16/11/2023 22:53, Pavan Veginati wrote: Hi, We are seeing random 404 and 505 errors with GET and POST requests. Out of the 10 million daily requests in one cluster, there are 2-3 such 404 errors. In another cluster with around 100 million daily requests, we are seeing 20-30 404s on average

Re: CredentialHandler not working for MD5

2023-11-14 Thread Mark Thomas
You are confusing DIGEST authentication and digested passwords. The two are separate but related processes. If you use both, you do need to ensure that they are using the same digest. There is no need to modify code. This can all be controlled via configuration.

Re: Accessing Credential handler inside the web application always returns null

2023-11-14 Thread Mark Thomas
On 12/11/2023 23:01, Усманов Азат Анварович wrote: Sorry for delayed response, Once I comment out the CredentialHandler in context xml both in my app's context.xml and in global context.xml, and add realm to server.xml. CredentialHandler returns null once again. This is by design. The

Re: Tomcat 10.1.15 JVM crashes randomly on startup

2023-11-13 Thread Mark Thomas
On 13/11/2023 07:52, Øyvind Flatval wrote: Greetings! We are currently experiencing a very vague problem with our Tomcat 10.1 instance, where the JVM will crash almost instantly after Tomcat is done starting up. The problem happens somewhat regularly, and only happens within the first minute

Re: FileUpload class not working with Tomcat 10.1

2023-11-10 Thread Mark Thomas
On 10/11/2023 16:49, Mark Foley wrote: I recently upgraded from Tomcat 10.0.17 to 10.1.13. When I previously upgraded from 9.0.41 to 10.0.17 (back in 2/22) the FileUpload class broke. I fixed that thanks to postings on stackoverflow, but now that I've upgraded to 10.1.13 it is broken again!

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-10 Thread Mark Thomas
(or whatever it is called) in an appropriate directory - ensure that directory is included in java.library.path (use setenv.bat) - ensure the OpenSSLLifecycleListener is configured in server.xml - start Tomcat HTH, Mark On Fri, Nov 10, 2023, 01:48 Mark Thomas wrote: On 10/11/2023 00:59, Eduardo

Re: Testing OpenSSL integration using the FFM API with Tomcat 11 on Windows 10

2023-11-09 Thread Mark Thomas
On 10/11/2023 00:59, Eduardo Guadalupe wrote: Hi, I wanted to test the OpenSSL integration using the FFM API rather than Tomcat Native in Apache Tomcat 11.0.0-M14. Starting Tomcat is printing an error: Failed to initialize the SSLEngine. java.lang.UnsatisfiedLinkError: no ssl in

Re: Chunk size error after upgrading JRE

2023-11-07 Thread Mark Thomas
On 07/11/2023 14:05, Tuukka Ilomäki wrote: We have a very old application running on Tomcat 8.5.90. After upgrading from JRE 8.0.252.09 from AdoptOpenJDK to 8u302b08 from Temurin (both pretty old, I know, also newer JREs exhibit the same issue) we started having NS_ERROR_NET_PARTIAL_TRANSFER

Re:

2023-11-07 Thread Mark Thomas
g On 06/11/2023 12:19, Mark Thomas wrote: On 06/11/2023 10:57, Greg Huber wrote: >> The maximum useful size will be the total size of static resources (i.e. everything NOT under WEB-INF/lib or WEB-INF/classes). Since I have nothing in either of these, it's all mapped in the PostReso
