RE: Regarding context.xml changes impact other web service not deployed
Hi Mark Thomas,

Thanks a lot for the information.

Answers for your question

In which context.xml file? The global one, the host one or a web application specific one?

I have changed in global context.xml which is located in conf/context.xml.

Regards,
Abirami.S

-----Original Message-----
From: Mark Thomas
Sent: Tuesday, June 9, 2020 1:50 PM
To: users@tomcat.apache.org
Subject: Re: Regarding context.xml changes impact other web service not deployed

On 09/06/2020 06:59, S Abirami wrote:
> Hi Team,
>
> In our product to address security vulnerability in context.xml,
> we have introduced following entry
>
>

In which context.xml file? The global one, the host one or a web application specific one?

> After introducing the above line, I noticed few rest service which is not
> deployed in that Tomcat also getting impact.

I'd guess not a web application specific one the

> Deployment Details
>
> Deployed :RHEL
> Tomcat Installation format : tar.gz
>
> Hence, interested to know about the internal implementation of the context
> in Tomcat to understand the impact.

Global web.xml provides defaults for all web applications.
Host level provides defaults for all web applications in a given host.
Web application provides settings for just that web application.
Don't add elements to server.xml
Settings in more specific files take priority.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Regarding context.xml changes impact other web service not deployed
Hi Luis,

Thanks for the information.

My question is mainly whether the changes in context.xml will impact the web application, which is not deployed in the Tomcat.

From Mark's reply, I understood that the changes in context.xml will impact the web application even though it is not deployed in Tomcat.

Regards,
Abirami.S

-----Original Message-----
From: Luis Rodríguez Fernández
Sent: Tuesday, June 9, 2020 12:33 PM
To: Tomcat Users List
Subject: Re: Regarding context.xml changes impact other web service not deployed

Hello Abirami,

Well, strict does what it promises, so if those third-party rest services were expecting some cookies that now are not being sent by the browser, it is normal that they do not work as expected.

Internal implementation: sure! You can always have a look at the code of the different CookieProcessors [1] & [2]

Hope it helps,

Luis

[1] https://protect2.fireeye.com/v1/url?k=05de6036-5b7ea273-05de20ad-86b568293eb5-4944602a8cd168fc&q=1&e=1f87817f-d293-4635-8855-bd59ff97ee4b&u=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fblob%2Ff3c9fdd40bdbc3dc22b512596954e2bc6d424d5a%2Fjava%2Forg%2Fapache%2Ftomcat%2Futil%2Fhttp%2FRfc6265CookieProcessor.java
[2] https://protect2.fireeye.com/v1/url?k=1f48aa13-41e86856-1f48ea88-86b568293eb5-6b24c935f0126d6d&q=1&e=1f87817f-d293-4635-8855-bd59ff97ee4b&u=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fblob%2F623b2c9d0997481f1c5229135fa2f92e24303e47%2Fjava%2Forg%2Fapache%2Ftomcat%2Futil%2Fhttp%2FLegacyCookieProcessor.java

On Tue, 9 Jun 2020 at 7:59, S Abirami () wrote:

> Hi Team,
>
> In our product to address security vulnerability in context.xml,
> we have introduced following entry
>
>
>
>
> After introducing the above line, I noticed few rest service which is
> not deployed in that Tomcat also getting impact.
>
> Deployment Details
>
> Deployed :RHEL
> Tomcat Installation format : tar.gz
>
> Hence, interested to know about the internal implementation of the
> context in Tomcat to understand the impact.
>
> Thanks in advance for the support.
>
> Regards,
> Abirami.S
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
Re: Regarding context.xml changes impact other web service not deployed
On 09/06/2020 06:59, S Abirami wrote:
> Hi Team,
>
> In our product to address security vulnerability in context.xml, we have
> introduced following entry
>
>

In which context.xml file? The global one, the host one or a web application specific one?

> After introducing the above line, I noticed few rest service which is not
> deployed in that Tomcat also getting impact.

I'd guess not a web application specific one the

> Deployment Details
>
> Deployed :RHEL
> Tomcat Installation format : tar.gz
>
> Hence, interested to know about the internal implementation of the context
> in Tomcat to understand the impact.

Global web.xml provides defaults for all web applications.
Host level provides defaults for all web applications in a given host.
Web application provides settings for just that web application.
Don't add elements to server.xml
Settings in more specific files take priority.

Mark
Re: Regarding context.xml changes impact other web service not deployed
Hello Abirami,

Well, strict does what it promises, so if those third-party rest services were expecting some cookies that now are not being sent by the browser, it is normal that they do not work as expected.

Internal implementation: sure! You can always have a look at the code of the different CookieProcessors [1] & [2]

Hope it helps,

Luis

[1] https://github.com/apache/tomcat/blob/f3c9fdd40bdbc3dc22b512596954e2bc6d424d5a/java/org/apache/tomcat/util/http/Rfc6265CookieProcessor.java
[2] https://github.com/apache/tomcat/blob/623b2c9d0997481f1c5229135fa2f92e24303e47/java/org/apache/tomcat/util/http/LegacyCookieProcessor.java

On Tue, 9 Jun 2020 at 7:59, S Abirami () wrote:

> Hi Team,
>
> In our product to address security vulnerability in context.xml, we
> have introduced following entry
>
>
>
>
> After introducing the above line, I noticed few rest service which is not
> deployed in that Tomcat also getting impact.
>
> Deployment Details
>
> Deployed :RHEL
> Tomcat Installation format : tar.gz
>
> Hence, interested to know about the internal implementation of the
> context in Tomcat to understand the impact.
>
> Thanks in advance for the support.
>
> Regards,
> Abirami.S
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
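
The scoping described in Mark's reply, shown as an added example that is not part of the thread and not Tomcat's shipped configuration. It assumes the entry under discussion is a CookieProcessor with sameSiteCookies="strict" (the entry itself does not appear on the page; Luis's reply mentions "strict" and the cookie processors), and the application name legacy-api is hypothetical.

```xml
<!-- File 1: conf/context.xml (global).
     Loaded as the default for every web application on this Tomcat
     instance, so the SameSite attribute below is applied to the cookies
     of all of them. Assumed entry: the thread's original is not shown. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <CookieProcessor sameSiteCookies="strict" />
</Context>

<!-- File 2: conf/Catalina/localhost/context.xml.default (host level).
     Optional. Defaults for every application in the host "localhost"
     of the engine "Catalina"; takes priority over the global file. -->
<Context>
    <CookieProcessor sameSiteCookies="strict" />
</Context>

<!-- File 3: webapps/legacy-api/META-INF/context.xml (application level).
     "legacy-api" is a hypothetical application that must still receive
     its cookies on top-level cross-site navigation. The most specific
     file takes priority, so only this application uses "lax"; every
     other application keeps the stricter default from the files above. -->
<Context>
    <CookieProcessor sameSiteCookies="lax" />
</Context>
```

Placing the element in the global file changes cookie handling for every application on the instance at once. An application that needs a different value declares its own CookieProcessor in its own context file rather than loosening the global default.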