[SECURITY] CVE-2022-34305 Apache Tomcat - XSS in examples web application

2022-06-23 Thread Mark Thomas
CVE-2022-34305 Apache Tomcat - XSS in examples web application Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M16 Apache Tomcat 10.0.0-M1 to 10.0.22 Apache Tomcat 9.0.30 to 9.0.64 Apache Tomcat 8.5.50 to 8.5.81 Description: The Form

Re: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread Mark Thomas
On 22/06/2022 17:02, paul@stgconsulting.com wrote: Hello all, I have been tasked with researching options for running Tomcat 8.5.x as a Windows service, but with a different user. I need to know what minimum rights for user would be, and also how to pass user & password. I think I see how to

Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Mark Thomas
On 22/06/2022 10:37, bharath Kumar wrote: Hi team, Any help on this? Further this exe(*abc.exe*) downloads when I hit on the url* http://server_name/abc.exe/ * and is happening only in *Tomcat *not with *IIS*. Tomcat : *http:///abc.exe* -- exe is not

Re: CVE-2022-29885

2022-06-22 Thread Mark Thomas
On 22/06/2022 10:18, Stephane Passignat wrote: Hello, I'm trying to understand this CVE and EncryptInterceptor. So far my understanding is EncryptInterceptor is used in clustered environment. Am I right ? Reading the content of the commit and release content, that's only look like a

Re: Are Apache versions cumulative ?

2022-06-22 Thread Mark Thomas
On 22/06/2022 09:20, Jason Tan wrote: Hi there, Sorry to trouble you folks but I could not find on Google any proof/info that state Apache Tomcat fixes are cumulative. I have a customer asking me if fixes listed in https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109

Re: AW: AW: AW: Filehandle left open when using sendfile

2022-06-20 Thread Mark Thomas
On 20/06/2022 11:39, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello Mark, thanks for your reply! -Original Message- From: Mark Thomas Sent: Monday, 20 June 2022 12:06 To: users@tomcat.apache.org Subject: Re: AW: AW: Filehandle left open when using sendfile On 16/06/2022

Re: AW: AW: Filehandle left open when using sendfile

2022-06-20 Thread Mark Thomas
On 16/06/2022 19:58, Thomas Hoffmann (Speed4Trade GmbH) wrote: In the meantime I stumbled upon this bug-Report: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4715154 So maybe the problem lies even deeper. Similar description here:

[ANN] Apache Tomcat Native 1.2.34 released

2022-06-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.34 stable. The key features of this release are: - Refactor the initialization of the native code so it is compatible with Tomcat 10.1.x where deprecated Java classes will be removed - Map the OpenSSL

Re: New Install - Manager/html issue

2022-06-13 Thread Mark Thomas
Take a look in manager/META-INF/context.xml. You'll need to adjust the RemoteAddrValve Mark On 13/06/2022 18:00, Bruce Gavin wrote: That might be the problem! A different machine. On 13 Jun 2022, at 17:41, Mark Thomas wrote: Where are you trying to access the Manager from? The same

Re: New Install - Manager/html issue

2022-06-13 Thread Mark Thomas
wouldn't be enabled by default. Have a look at the Ubuntu package documentation for how to enable those applications -- and only enable the ones you actually need. -chris -Original Message- From: Mark Thomas Sent: 13 June 2022 16:23 To: users@tomcat.apache.org Subject: Re: New Install

Re: New Install - Manager/html issue

2022-06-13 Thread Mark Thomas
On 13/06/2022 14:17, brucetobyga...@me.com.INVALID wrote: I have just installed Apache Tomcat 10.0.22 on Ubuntu 22.04. However, when I click on the Manager link I get a 404 /manager/html is not available and the description is "The origin server did not find a current representation for the

Re: Debugging Tomcat during shutdown

2022-06-13 Thread Mark Thomas
don't see any reason why that would impact behaviour during JVM shutdown. Mark JP -Original Message- From: Mark Thomas Sent: Wednesday 8 June 2022 14:50 To: users@tomcat.apache.org Subject: Re: Debugging Tomcat during shutdown On 08/06/2022 13:39, Jean Pierre URKENS wrote: Indeed

Re: Compile JSP pages dynamically using Tomcat 6.0.45

2022-06-13 Thread Mark Thomas
On 13/06/2022 10:48, Pavan Kumar Tiruvaipati wrote: Hi, Our application is running on Tomcat 6.0.45. *Operation System* - Linux & Windows Due to security reasons, we are replacing JDK 1.8 with JRE 1.8. As others have pointed out, your choice of Tomcat version is likely to be a larger

[ANN] Apache Tomcat 10.0.22 available

2022-06-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.22. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

Re: [External] Re: SSL Handshake Failure - Logging Level

2022-06-10 Thread Mark Thomas
, in this case, we could change the Tomcat logging configuration and get this log. Thanks, Amit -Original Message- From: Mark Thomas Sent: Saturday, June 4, 2022 6:13 AM To: users@tomcat.apache.org Subject: Re: [External] Re: SSL Handshake Failure - Logging Level On 03/06/2022 21:29, Amit

[ANN] Apache Tomcat 10.1.0-M16 (beta) available

2022-06-09 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M16 (beta). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: LDAPS Configuration with Tomcat

2022-06-08 Thread Mark Thomas
On 08/06/2022 11:54, rakesh meka wrote: Hi Mark/Chris, The Tomcat logs say Ldap exception : connection has timed out and sometimes it says error connecting with LDAP server. Time outs could be lots of things. "error" is pretty general. Can you please help me with how do we configure LDAPs

Re: Debugging Tomcat during shutdown

2022-06-08 Thread Mark Thomas
have running. Often you can get away with it, but sometimes I have had issues with breakpoints not activating because I was using the wrong source code. Glad you fixed the NPE anyway. Mark -Original Message- From: Mark Thomas Sent: Wednesday 8 June 2022 14:23 To: users

Re: Debugging Tomcat during shutdown

2022-06-08 Thread Mark Thomas
recreate the issue you are seeing. Mark J.P. -Original Message- From: Mark Thomas Sent: Wednesday 8 June 2022 12:45 To: users@tomcat.apache.org Subject: Re: Debugging Tomcat during shutdown On 08/06/2022 11:29, Jean Pierre URKENS wrote: I am trying to debug the cleanup of resources

Re: Debugging Tomcat during shutdown

2022-06-08 Thread Mark Thomas
On 08/06/2022 11:29, Jean Pierre URKENS wrote: I am trying to debug the cleanup of resources during a shutdown of Tomcat 8.5.43 That is a rather old version. I'd recommend upgrading. and notices that my debug session gets killed prior to performing any servlet cleanup actions. I am starting

Re: Log format access logs standard

2022-06-07 Thread Mark Thomas
Jun, 2022, 12:11 Mark Thomas, wrote: On 07/06/2022 07:06, rinilnath r wrote: Hi, What's the meaning of this? %>s If that appears in the pattern attribute of an AccessLogValve then it is an error and you'll see the following in the access log: ???>?

Re: Log format access logs standard

2022-06-07 Thread Mark Thomas
On 07/06/2022 07:06, rinilnath r wrote: Hi, What's the meaning of this? %>s If that appears in the pattern attribute of an AccessLogValve then it is an error and you'll see the following in the access log: ???>???s Mark

Re: Constant errors in Tomcat logs

2022-06-06 Thread Mark Thomas
On 06/06/2022 16:28, Alan F wrote: Hi, I have a Tomcat clustered pair running, I see this 3 times a minute in the logs. I don't see this IP in server.xml I do have a DEV Tomcat pair is this somehow interfering? Possibly. Does that IP match one of the servers in the dev pair? Are the two

Re: LDAPS Configuration with Tomcat

2022-06-06 Thread Mark Thomas
On 06/06/2022 14:54, rakesh meka wrote: Hi All, Greetings! Hope you are doing well. Currently we are using an internal application which is deployed on windows server. And we use http which means we didn't configure SSL or TLS setup with application. The current application is using LDAP

Re: [External] Re: SSL Handshake Failure - Logging Level

2022-06-04 Thread Mark Thomas
----- From: Mark Thomas Sent: Friday, June 3, 2022 12:24 PM To: users@tomcat.apache.org Subject: [External] Re: SSL Handshake Failure - Logging Level On 03/06/2022 15:33, Amit Pande wrote: Hello, First, thank you to Mark for adding the access logs in case of SSL handshake failures (htt

Re: SSL Handshake Failure - Logging Level

2022-06-03 Thread Mark Thomas
On 03/06/2022 15:33, Amit Pande wrote: Hello, First, thank you to Mark for adding the access logs in case of SSL handshake failures (https://github.com/apache/tomcat/commit/acf6076d7118571ebc881984b96792f861b72bb2#). Really useful enhancement. On a related note, I am trying to understand

Re: Memory Realm documentation issue?

2022-06-03 Thread Mark Thomas
On 03/06/2022 16:31, Mark Wick wrote: The Tomcat 8.5 documentation states for the Memory Realm: MemoryRealm operates according to the following rules: . When Tomcat first starts up, it loads all defined users and their associated information from the users file. Changes to the data in this

Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-03 Thread Mark Thomas
Jon, If you want to secure the httpd <-> Tomcat link with mutually authenticated TLS then I believe it is possible based on reading the docs but a) haven't tested it and b) you are going to need to be careful to ensure Tomcat doesn't get confused about whether it is the actual client or the

Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-06-01 Thread Mark Thomas
On 01/06/2022 17:00, Christopher Schultz wrote: Mark, On 6/1/22 09:49, Mark Thomas wrote: On 20/05/2022 12:43, Mark Thomas wrote: Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code changes in Tomcat Native are going to be required to get this to work. After doing some

Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-06-01 Thread Mark Thomas
On 20/05/2022 12:43, Mark Thomas wrote: Tomcat Native has not been updated for OpenSSL 3.0.x and FIPS. Code changes in Tomcat Native are going to be required to get this to work. After doing some work on this I have an update. First of all, OpenSSL 3 has not yet obtained FIPS certification

Re: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 vulnerability question

2022-05-31 Thread Mark Thomas
On 31/05/2022 16:17, DeHaven, Jacob wrote: In regards, to the Low: Apache Tomcat EncryptInterceptor DoS http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885 which is fixed in Apache Tomcat 9.0.63, it is being reported as a Low vulnerability on the Apache Tomcat website but others

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-27 Thread Mark Thomas
acceptable and configure the default host (that handles all requests to other hosts) to reject all other requests. Mark Thanks, Ralph -Original Message- From: Mark Thomas Sent: Thursday, May 26, 2022 12:21 PM To: users@tomcat.apache.org Subject: Re: allowHostHeaderMismatch optio

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Mark Thomas
ost header that isn't one you recognize then there are multiple options: - write a Filter - write a Valve - configure a Host (or several) for the requests you want to allow and deploy an ROOT to the default host that rejects everything else. Mark Ralph -Original Message- From: Mark Thomas Sent:

Re: [External] Re: Maximum header size in Tomcat 9

2022-05-26 Thread Mark Thomas
applies for one header value. maxHttpHeaderSize The maximum size of the request and response HTTP header, specified in bytes. If not specified, this attribute is set to 8192 (8 KB). Done. Mark Thanks, Amit -Original Message- From: Mark Thomas Sent: Wednesday, May 25, 2022 6:16 AM

Re: allowHostHeaderMismatch option only works if the Host Header has an http or https prefix

2022-05-26 Thread Mark Thomas
On 26/05/2022 02:20, Ralph Atallah wrote: Hi, We use Tomcat 7.0.109 and Tomcat 8.5 in our Tomcat based webapp deployments and we have a new requirement to prevent Host Header injection. The allowHostHeaderMismatch option seems the perfect answer to this issue. However, configuring it in

Re: Maximum header size in Tomcat 9

2022-05-25 Thread Mark Thomas
On 25/05/2022 12:08, Aditya Kumar wrote: Thanks! Sorry I misread that article. So I suppose it's the same for maxHttpRequestHeaderSize and maxHttpResponseHeaderSize? Correct. Mark On Wed, May 25, 2022 at 10:45 AM Mark Thomas wrote: On 25/05/2022 10:33, Aditya Kumar wrote: I'm sorry

Re: Maximum header size in Tomcat 9

2022-05-25 Thread Mark Thomas
of the description for maxParameterCount, not maxHttpHeaderSize. What makes you think it might apply to maxHttpHeaderSize? Mark On Wed, May 25, 2022 at 10:19 AM Mark Thomas wrote: On 25/05/2022 09:51, Aditya Kumar wrote: Hi I'm using Tomcat 9.0.46 and I want to know what is the ma

Re: Maximum header size in Tomcat 9

2022-05-25 Thread Mark Thomas
On 25/05/2022 09:51, Aditya Kumar wrote: Hi I'm using Tomcat 9.0.46 and I want to know what is the maximum possible value for maxHttpHeaderSize Integer.MAX_VALUE I have Tomcat setup using kerberos authentication and for some users the Authorisation header is too large (too many AD groups).

Re: Unexpected messages in commons-daemon.log

2022-05-24 Thread Mark Thomas
On 24/05/2022 15:55, Bill Stewart wrote: On Tue, May 24, 2022 at 7:48 AM Mark Thomas wrote: Nothing to worry about. Just some new logging that should probably be logging at debug level. I reviewed the associated PR but didn't realize the code was called every minute. Having just looked

Re: Unexpected messages in commons-daemon.log

2022-05-24 Thread Mark Thomas
On 24/05/2022 10:19, Pontus Ågren wrote: Hi Since installing Tomcat 9.0.63 (as a service on Windows Server 2019) commons-daemon.log is filling up with this... [2022-05-24 09:19:27] [info] [ 6772] Service SERVICE_CONTROL_INTERROGATE signalled. [2022-05-24 09:19:27] [info] [ 6772] Service

Re: Asking Apache Tomcat Vulnerabilities(CVE-2022-25762)

2022-05-24 Thread Mark Thomas
On 24/05/2022 02:56, 오현택 wrote: hello. I Ask for CVE-2022-25762 Vulnerabilities. In the described part, it seems that the vulnerability is determined depending on whether or not Websocket is used. Even if you are using an affected version of Tomcat, if you do not use Websockets, we ask if

Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-05-20 Thread Mark Thomas
On 18/05/2022 06:14, Rupesh P wrote: Hi Christopher Schultz, I am sorry for the inconvenience caused. Actually i am not able to enable the FIPS Mode in Tomcat 9 for windows. It gives an error "Failed to enter fips mode". Software Specifications: Tomcat version - 9.0.34 Openssl version - 3.0.2

Default limit on cluster message size

2022-05-20 Thread Mark Thomas
Hi all, The Tomcat developers would like to add a limit on cluster message size to provide some protection against OOME / DoS risks. Note: This would be a hardening measure. Clustering is designed to be operated over a secure, trusted network where it is assumed messages are not malicious.

Re: AW: embeded tomcat apache-jasper dependency

2022-05-19 Thread Mark Thomas
On 18/05/2022 20:24, Rob Sargent wrote: On 5/18/22 12:21, Rob Sargent wrote: On 5/17/22 01:24, Mark Thomas wrote: On 17/05/2022 08:13, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, -Original Message- From: Rob Sargent Sent: Tuesday, 17 May 2022 00:38 To: users

Re: Encryption of Tomcat AJP

2022-05-19 Thread Mark Thomas
On 19/05/2022 01:32, Brian Eller wrote: TRADING PARTNER Hello, I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Does the mod_jk protocol, AJP

Re: Per context heap usage

2022-05-17 Thread Mark Thomas
On 17/05/2022 17:34, Christopher Schultz wrote: Mark, On 5/17/22 08:17, Mark Thomas wrote: On 17/05/2022 10:41, Thomas Meyer wrote: Hi, Is it possible to find out the per deployed context heap usage in tomcat? With a profiler you can look at the retained size of the web application class

Re: Per context heap usage

2022-05-17 Thread Mark Thomas
On 17/05/2022 10:41, Thomas Meyer wrote: Hi, Is it possible to find out the per deployed context heap usage in tomcat? With a profiler you can look at the retained size of the web application class loader instance associated with a web application. Mark

Re: AW: embeded tomcat apache-jasper dependency

2022-05-17 Thread Mark Thomas
On 17/05/2022 08:13, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, -Original Message- From: Rob Sargent Sent: Tuesday, 17 May 2022 00:38 To: users@tomcat.apache.org Subject: embeded tomcat apache-jasper dependency I'm seeing a new-to-me deployment failure and am at a

[ANN] Apache Tomcat 10.0.21 available

2022-05-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.21. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M15 (alpha) available

2022-05-16 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M15 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up

2022-05-12 Thread Mark Thomas
CVE-2022-25762 Apache Tomcat - Request Mix-up Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.20 Apache Tomcat 8.5.0 to 8.5.75 Description: If a web application sends a WebSocket message concurrently with the WebSocket connection

Re: Help Needed for Root cause - ApacheTomcat services stopped

2022-05-11 Thread Mark Thomas
That is an Apache Web Server (httpd) log message, not an Apache Tomcat log message. Are you sure you are using Apache Tomcat? Mark On 11/05/2022 19:01, Verma, Sahil wrote: Hi Team, In our production environment, ApacheTomcat services went down. We have checked the logs and found below

[SECURITY] CVE-2022-29885 Apache Tomcat EncryptInterceptor DoS

2022-05-10 Thread Mark Thomas
CVE-2022-29885 Apache Tomcat EncryptInterceptor Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M14 Apache Tomcat 10.0.0-M1 to 10.0.20 Apache Tomcat 9.0.13 to 9.0.62 Apache Tomcat 8.5.38 to 8.5.78 Description: The documentation for the

Re: [EXTERNAL] Re: Connection pool

2022-05-09 Thread Mark Thomas
/context.xml you get one instance of the resource for every web application deployed. Mark -Original Message- From: Mark Thomas Sent: Thursday, May 5, 2022 10:00 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: Connection pool CAUTION: This email originated from outside

Re: Tomcat with Security Manager for SAP Business Objects issues

2022-05-09 Thread Mark Thomas
On 09/05/2022 16:23, Chavez Ortiz, Oscar (Externo) wrote: Hello Mark, thank you for your answer. - With Security reasons i mean from head quarters the server must be certified by accomplishing a set of security hardening rules. One of those is Security Manager. It would be worth making sure

[ANN] Apache Tomcat Native 1.2.33 released

2022-05-09 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.33 stable. The key features of this release are: - Windows binaries built using OpenSSL 1.1.1o - Fixes a potential crash when attempting to read the TLS session ID after a handshake failure. Please refer

Re: Tomcat with Security Manager for SAP Business Objects issues

2022-05-09 Thread Mark Thomas
On 09/05/2022 13:20, Chavez Ortiz, Oscar (Externo) wrote: Hello group. I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web container. For Security reasons this server needs to implement Security Manager for Tomcat on it, thus, I’ve configured starting configuration in

Re: [EXTERNAL] Re: Connection pool

2022-05-05 Thread Mark Thomas
in server.xml and then use a ResourceLink in CATALINA_BASE/conf/context.xml Alternatively, you can define individual pools in each of the web application's individual context.xml file (META-INF/context.xml). Mark -Original Message- From: Mark Thomas Sent: Thursday, May 5, 2022 8:43 AM

Re: [EXTERNAL] Re: Connection pool

2022-05-05 Thread Mark Thomas
\apache-tomcat-9.0.45\bin\tomcat-juli.jar" Using CATALINA_OPTS: "" -Original Message- From: Mark Thomas Sent: Wednesday, May 4, 2022 11:38 PM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: Connection pool CAUTION: This email originated from outside the organizatio

Re: Connection pool

2022-05-05 Thread Mark Thomas
On 04/05/2022 22:29, Mohamed Eliyas Abdul Kadar wrote: Hi All I am trying to limit the db connections on the oracle side by limiting the size of connection pool in the datasource config as below. I tried setting the max size to 20 by maxTotal/ maxActive either of them didn't work. The db side

Re: Tomcat + Safari WebSocket issue

2022-05-04 Thread Mark Thomas
On 03/05/2022 14:12, Hagenauer, Florian wrote: Does anyone have an idea or is able to clarify if this is an issue with Tomcat or with Safari/WebKit? Or if there is a workaround to this issue? I've just run Safari on a fully updated macOS Monterey against the Autobahn|Testsuite for the

Re: Unable to transfer file above 60mb in Tomcat

2022-05-03 Thread Mark Thomas
There isn't a question in the post below. I am assuming that the implied question is "why doesn't this work?". The code uses memory inefficiently and the JVM is not configured with enough memory to handle the load. One of the following should solve this: 1. Re-write the server code to read

Re: Application specific el-api

2022-04-28 Thread Mark Thomas
. This keeps everything in the application but does require a little plumbing to register the customer resolver when the web app starts. Mark kind regards Vladimir Thu, 28 Apr 2022 at 17:46, Mark Thomas wrote: On 28/04/2022 16:30, vladimir dvorak wrote: Hi, I'm trying to use

Re: Application specific el-api

2022-04-28 Thread Mark Thomas
On 28/04/2022 16:30, vladimir dvorak wrote: Hi, I'm trying to use jakarta-el, which is an alternative to el-api.jar from Tomcat. Jakarta-el is deployed with application, implementation part of lib works correctly since it uses separate package, but I can't force the Tomcat classloader

Re: Acceptor to report an incoimg connection more than once.

2022-04-28 Thread Mark Thomas
On 28/04/2022 05:15, Dharani Gajendiran wrote: Hi, In Tomcat 9.0.56, for the change log - "Provide protection against a known OS bug that causes the acceptor to report an incoming connection more than once". Even though this is

Re: Tomcat 10 and Java 17

2022-04-25 Thread Mark Thomas
Rs. If you aren't embedding Tomcat, you shouldn't be referencing the Tomcat JARs in your compilation. Mark Thanks Navin On Mon, Apr 4, 2022 at 8:31 PM Mark Thomas wrote: 4 Apr 2022 16:09:21 Navin Chandra Mohan : 1. Is there a recommended version of Tomcat for Java 17. Tomcat 10 or the

Re: PostConstruct annotation in a filter since version 9.0.60

2022-04-06 Thread Mark Thomas
to the updated tomcat library versions. An application needs to be able to bring its own libraries. Unless I misunderstood the meaning of what you said you sir are completely wrong on this On Tue, Apr 5, 2022 at 5:37 PM Mark Thomas wrote: 5 Apr 2022 20:58:26 Cherio : I found what the issue

Re: PostConstruct annotation in a filter since version 9.0.60

2022-04-05 Thread Mark Thomas
5 Apr 2022 20:58:26 Cherio : I found what the issue is. This has to do with the sequence of loading of libraries/jars AND project supplied "annotation-api.jar" which declares PostConstruct annotation. The same set of annotations are also being supplied by Tomcat in an identically named JAR.

Re: Tomcat 10 and Java 17

2022-04-04 Thread Mark Thomas
4 Apr 2022 16:09:21 Navin Chandra Mohan : 1. Is there a recommended version of Tomcat for Java 17. Tomcat 10 or the 10.1 (once it is released) or I can continue with the 9.0.60 release itself? Latest stable release of any currently supported Tomcat branch. 2. Once 10.1 is formally

Re: Two context paths to same application

2022-04-01 Thread Mark Thomas
On 01/04/2022 15:59, Harri Pesonen wrote: Hello, while reading the documentation in https://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming it is not clear to me how to achieve the following: Have one WAR file with corresponding directory, for example: app#1.war => app#1

Re: Information for Tomcat 8.5 End of support/Extended support

2022-04-01 Thread Mark Thomas
On 01/04/2022 15:16, Emen Eddine AISSAOUI wrote: Hi to all, I need your support please. Where can I find the following information regarding the version of Tomcat 8.5: - date of end of support Not currently set. When it is set we will provide at least 12 months notice. The Tomcat project

[ANN] Apache Tomcat 8.5.78 available

2022-04-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.78. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers

[ANN] Apache Tomcat 10.0.20 available

2022-04-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.20. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M14 (alpha) available

2022-04-01 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M14 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: AW: Many IllegalStateException when using http2 protocol

2022-03-30 Thread Mark Thomas
On 27/03/2022 19:43, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello Konstantin and Mark, I could further track down the issue. The stack trace is not written any more to the log with Tomcat 9.0.18 but the client problem still persists. I am also able to reproduce the problem with few tries

Re: Question to possible memory leak by Threadlocal variable

2022-03-24 Thread Mark Thomas
On 24/03/2022 07:57, Thomas Hoffmann (Speed4Trade GmbH) wrote: Is it correct, that every spawned thread must call tl.remove() to cleanup all the references to prevent the logged warning (and not only the main thread)? Yes. Or the threads need to exit. Second question is: How might it

Re: Maybe a stupid (Windows related) question

2022-03-23 Thread Mark Thomas
On 23/03/2022 10:34, Rony G. Flatscher (Apache) wrote: The use case is testing Tomcat 10 in various ways, including running it in debug mode and attaching via IntelliJ for inspection. You can still do this when Tomcat is running as a service. Just set the appropriate properties. Mark

[ANN] Apache Tomcat Native 1.2.32 released

2022-03-22 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.32 stable. The key features of this release are: - Windows binaries built using OpenSSL 1.1.1n Please refer to the change log for the complete list of changes:

Re: [External] Re: RemoteAddrFilter (org.apache.catalina.filters)

2022-03-21 Thread Mark Thomas
On 21/03/2022 20:47, Scott,Tim wrote: Hi Chris and Mark, As Mark spotted, I'm editing the conf/web.xml file. If I move this to the application's web.xml, is there any way it can be overridden by the Tomcat configuration? Ideally, I'd like it to be somehow configurable by the person deploying

Re: RemoteAddrFilter (org.apache.catalina.filters)

2022-03-21 Thread Mark Thomas
On 21/03/2022 17:51, Scott,Tim wrote: Hi all, I’ve been trying to get this to work for a bit without any luck. What I’ve arrived at, in my main Tomcat web.xml, is: Everything in conf/web.xml effectively gets copied to each individual web application's web.xml. If it should work – can

Re: Question about Tomcat 8.5.77 and CVE-2022-0778

2022-03-21 Thread Mark Thomas
On 21/03/2022 16:26, Matthew Mellon wrote: Tomcat 8.5.77 was published on March 17. The Windows distribution contains tcnative-1.dll, version 1.2.31. Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 2021, prior to the fix for CVE-2022-0778 being published by

Re: NullPointerException in Tomcat startup while parsing XML configuration file

2022-03-15 Thread Mark Thomas
On 15/03/2022 14:42, Christopher Schultz wrote: Harri, On 3/15/22 06:45, Harri Pesonen wrote: Hello, that xml file is embedded in catalina.jar, so obviously I have not modified it: jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml It's

[ANN] Apache Tomcat 10.0.18 available

2022-03-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.18. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M12 (alpha) available

2022-03-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M12 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Rename version 10.1 to 11

2022-03-13 Thread Mark Thomas
On 13/03/2022 13:29, Jose Illescas wrote: I think that Tomcat major version must be changed when updating some of their specs (servlet/jsp7/websockets/...) This strategy allow us to refer to tomcat with: Tomcat-9 or Tomcat-10 avoiding annoying names as tomcat-10.0.X or tomcat-10.1.X IMHO

Re: Tomcat 9 and request.newPushBuilder()

2022-03-10 Thread Mark Thomas
On 10/03/2022 17:09, Schönwald, Oliver wrote: Dear Community, I have begun to change my web application to support http/2. When preparing the push mechanism my application catches a NullPointerException, oh my. So I took a look into the Tomcat Sources and, surprise, the current

Re: Many IllegalStateException when using http2 protocol

2022-03-09 Thread Mark Thomas
On 08/03/2022 23:52, Konstantin Kolinko wrote: Mon, 7 Mar 2022 at 16:26, Thomas Hoffmann (Speed4Trade GmbH) : Hello, Since upgrading from Tomcat 9.0.56 to Tomcat 10.0.16, the localhost-logfile is filling up with stacks of the form: 07-Mar-2022 07:24:01.780 SCHWERWIEGEND

Re: AW: Many IllegalStateException when using http2 protocol

2022-03-08 Thread Mark Thomas
On 08/03/2022 10:05, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, today I got feedback from users, that pages are sometimes not shown. After pressing F5 the website shows up again. So this error also has effects on client side. I am not sure if it is related to Tomcat 10 Upgrade. At least

Re: 403 whilst reading from ROOT

2022-03-04 Thread Mark Thomas
On 04/03/2022 09:50, Alan F wrote: I'm trying to read robots.txt from '/' on a few tomcat servers to block web search engines. Obviously placed the txt file in ./webapps/ROOT/ Works fine on a few tomcat hosts that have identical server.xml / web.xml so I'm puzzled as to why these two Tomcat

Re: Odd EL resolution issue - java.lang.NoClassDefFoundError: package/Class1 (wrong name: package/class1)

2022-03-03 Thread Mark Thomas
he volume to the host OS, and how Docker is mapping those and handling filename casing, etc. My MacOS file system is APFS, Encrypted (and I thought I had case sensitivity enabled, but I can no longer see that option -- maybe not an option for APFS). I will try to confirm suspicions and provide details in a

Re: [ANN] Apache Tomcat 8.5.76 available

2022-03-01 Thread Mark Thomas
On 01/03/2022 16:47, Evan Rempel wrote: The JMX remote for Tomcat 8.5.76 is not in the download folder. I just get 404 errors when trying to download it. Correct. The JmxRemoteLifecycleListener was deprecated for 8.5.x in December 2019 with the following notice: "This listener will be

Re: java.lang.OutOfMemoryError: Metaspace while deploying application

2022-03-01 Thread Mark Thomas
https://home.apache.org/~markt/presentations/2010-08-05-Memory-Leaks-JavaOne-60mins.pdf Written for Java 7 but applies equally to later versions of Tomcat. Mark On 01/03/2022 13:49, Rengaswamy, Nagarajan wrote: Hi Team, Currently we are running 6 applications in Tomcat version 8.5.70 Our

[ANN] Apache Tomcat 10.0.17 available

2022-02-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.17. This release is targeted at Jakarta EE 9. Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the

[ANN] Apache Tomcat 10.1.0-M11 (alpha) available

2022-02-28 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.0-M11 (alpha). Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: In what directory was tomcat installed

2022-02-24 Thread Mark Thomas
How did you install Tomcat in Debian? Mark On 24/02/2022 13:15, Amn Ojee Uw wrote: Thank you so much for the help. I tried that solution, but when I type 'echo $CATALINA_HOME' at the command prompt I get a blank return. I'd like to mention that Tomcat documentation, so far, has not provide

Re: Configure Tomcat development using NetBeans IDE

2022-02-23 Thread Mark Thomas
On 22/02/2022 17:59, John Barrow wrote: John, Thanks for separating this out into a new thread. As a life-long supporter of Subversion, this was my first foray into the world of git, but I believe, after a quick crash course, I have managed to have forked and cloned Tomcat onto my laptop!

Re: AW: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58

2022-02-22 Thread Mark Thomas
the point where it is closed due to excessive overhead. Mark -Original Message----- From: Mark Thomas Sent: Monday, February 21, 2022 7:37 PM To: users@tomcat.apache.org Subject: Re: AW: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58 External email from: users-return-274607-

Re: AW: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58

2022-02-21 Thread Mark Thomas
Try overheadCountFactor="0" rather than "-1" Mark On 21/02/2022 13:52, Deshmukh, Kedar wrote: I am getting same error even I turned off overhead protection. ~Kedar -Original Message----- From: Mark Thomas Sent: Monday, February 21, 2022 6:59 PM To: users@tomcat.ap

Re: AW: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58

2022-02-21 Thread Mark Thomas
al Message----- From: Mark Thomas Sent: Monday, February 21, 2022 2:26 PM To: users@tomcat.apache.org Subject: Re: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58 External email from: users-return-274602-dkedar=ptc@tomcat.apache.org On 21/02/2022 08:17, Deshmukh, Kedar wrote: Hello, We are co

Re: ERR_HTTP2_PROTOCOL_ERROR with Tomcat 9.0.58

2022-02-21 Thread Mark Thomas
On 21/02/2022 08:17, Deshmukh, Kedar wrote: Hello, We are consistently seeing error "ERR_HTTP2_PROTOCOL_ERROR" in browser console when we try to open any web page deployed on Tomcat 9.0.58 server in test environment. This issue is observed only when HTTP/2 is enabled. Otherwise, we do not see
