Support and EOL
Chaitanya,
On 6/5/24 08:47, Chaitanya Gopisetti wrote:
It was mentioned that Tomcat 9.0.x supports java 8 and later. So
wanted to know whether it supports Jdk 21? Also wanted to know the End
of life expected date for Tomcat 9.0.x version.
Tomcat 9 should run just fine on any Java
Java EE APIs.
We will provide at least 12 months notice of any official EOL date for 9.0.x.
We expect to support 9.x for an extended period of time.
When 10.x reaches EOL so will 9.10.x and then we'll have 9.11.x and so on.
Mark
-Original Message-
From: Christopher Schultz
Also can you update on the End of life expected date for Tomcat 9.0.x version
-Original Message-
From: Christopher Schultz
Sent: Wednesday, June 5, 2024 6:37 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.xx JDK Version Support and EOL
Chaitanya,
On 6/5/24 08:47, Chaitanya
Chaitanya,
On 6/5/24 08:47, Chaitanya Gopisetti wrote:
It was mentioned that Tomcat 9.0.x supports java 8 and later. So
wanted to know whether it supports Jdk 21? Also wanted to know the
End of life expected date for Tomcat 9.0.x version.
Tomcat 9 should run just fine on any Java version from 8
Hi,
It was mentioned that Tomcat 9.0.x supports java 8 and later. So wanted to know
whether it supports Jdk 21?
Also wanted to know the End of life expected date for Tomcat 9.0.x version.
Regards,
Chaitanya
Christopher,
Sat, Dec 16, 2023, 3:41 Christopher Schultz :
>
> Jun,
>
> On 12/15/23 08:56, Jun Suzuki wrote:
> > Fri, Dec 15, 2023, 20:37 Rémy Maucherat :
> >>
> >> On Fri, Dec 15, 2023 at 11:54 AM Jun Suzuki
> >> wrote:
> >>>
> >>>
Jun,
On 12/15/23 08:56, Jun Suzuki wrote:
Fri, Dec 15, 2023, 20:37 Rémy Maucherat :
On Fri, Dec 15, 2023 at 11:54 AM Jun Suzuki wrote:
Rémy
Thank you so much for your support.
May I confirm a little bit further regarding your reply.
Fri, Dec 15, 2023, 17:08 Rémy Maucherat :
On Fri, Dec 15, 2023
Fri, Dec 15, 2023, 20:37 Rémy Maucherat :
>
> On Fri, Dec 15, 2023 at 11:54 AM Jun Suzuki wrote:
> >
> > Rémy
> > Thank you so much for your support.
> > May I confirm a little bit further regarding your reply.
> >
> > Fri, Dec 15, 2023, 17:08 Rémy Maucherat :
On Fri, Dec 15, 2023 at 11:54 AM Jun Suzuki wrote:
>
> Rémy
> Thank you so much for your support.
> May I confirm a little bit further regarding your reply.
>
> Fri, Dec 15, 2023, 17:08 Rémy Maucherat :
> >
> > On Fri, Dec 15, 2023 at 4:18 AM Jun Suzuki wrote:
>
Rémy
Thank you so much for your support.
May I confirm a little bit further regarding your reply.
Fri, Dec 15, 2023, 17:08 Rémy Maucherat :
>
> On Fri, Dec 15, 2023 at 4:18 AM Jun Suzuki wrote:
> > (1) Guidance is not so clear about following points:
> > Should I copy the deploye
.util.logging.FileHandler
> (3) When using JDK17, the first step of maven build failed with following
> error:
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile
> (default-compile) on project tomcat-stuffed: Fatal error compiling:
> error: relea
ld failed with following error:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile
(default-compile) on project tomcat-stuffed: Fatal error compiling:
error: release version 21 not supported.
After I switched to JDK21, build completed successfully. Is t
FYI I share this mail from the freemarker-mailsystem for your entertainment,
enjoy.
> Sent: Tuesday, 07 November 2023 at 23:50
> From: "Daniel Dekany"
> To: "FreeMarker developer list"
> Subject: Jakarta Servlet support decision
>
> The package
Thank you Mark for quick response.
Yes, I see that in the change log for 9.0.76 (dev). 😊
Thanks,
Amit
From: Mark Thomas
Sent: Tuesday, May 23, 2023 2:29:21 AM
To: users@tomcat.apache.org
Subject: [External] Re: Rate Limiting support in Tomcat 9.x
On 22/05
On 22/05/2023 21:16, Amit Pande wrote:
Hello,
https://tomcat.apache.org/ I see rate limiting support added in Tomcat 10.1.9 .
(Side note: The Apache Tomcat Project is proud to announce the release of
version 10.1.8 of Apache Tomcat - I think it should be 10.1.9)
Thanks. The typo has been
Hello,
https://tomcat.apache.org/ I see rate limiting support added in Tomcat 10.1.9 .
(Side note: The Apache Tomcat Project is proud to announce the release of
version 10.1.8 of Apache Tomcat - I think it should be 10.1.9)
Are there any plans to add this filter in 9.x? Could an enhancement
Ok -- makes sense.
Thank you,
Vincent
-Original Message-
From: Christopher Schultz
Sent: Tuesday, April 25, 2023 10:28 AM
To: users@tomcat.apache.org
Subject: [External] Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?
@tomcat.apache.org/msg152993.html
However, per Microsoft, Windows 2016 does not support TLSv1.3:
https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the
underlying OS?
No.
:)
To be more specific, OpenSSL
2016 does not support TLSv1.3:
https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying
OS?
No.
Mark
Hello all,
We have an application packaged with Tomcat Native 1.2.30, which, per the
following, the Windows binaries were built using OpenSSL 1.1.1k:
https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html
However, per Microsoft, Windows 2016 does not support TLSv1.3:
https
Perfect. Thanks, Mark!
On Sat, Mar 25, 2023 at 2:37 PM Mark Thomas wrote:
>
>
> On 25/03/2023 14:16, Blake McBride wrote:
> > Greetings,
> >
> > I wanted to confirm my suspicions regarding packages needed in tomcat to
> > support HTTPS.
On 25/03/2023 14:16, Blake McBride wrote:
Greetings,
I wanted to confirm my suspicions regarding packages needed in tomcat to
support HTTPS.
The config I am using is:
No. For that configuration you can use Tomcat Native 1.2.x or 2.0.x.
Tomcat Native depends on OpenSSL and APR. Whether
stopher Schultz <
ch...@christopherschultz.net> wrote:
> Blake,
>
> On 3/25/23 10:16, Blake McBride wrote:
> > I wanted to confirm my suspicions regarding packages needed in tomcat to
> > support HTTPS.
>
> You don't need anything except the core Tomcat and a reasona
idk I went overboard and made my own CA and signed some certs lol
On Sat, Mar 25, 2023, 13:54 Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Blake,
>
> On 3/25/23 10:16, Blake McBride wrote:
> > I wanted to confirm my suspicions regarding packages needed in
Blake,
On 3/25/23 10:16, Blake McBride wrote:
I wanted to confirm my suspicions regarding packages needed in tomcat to
support HTTPS.
You don't need anything except the core Tomcat and a reasonably recent
JVM to support HTTPS. You may have some other requirements you'd like to
pl
Greetings,
I wanted to confirm my suspicions regarding packages needed in tomcat to
support HTTPS.
The config I am using is:
On 21/02/2023 10:08, Vivek Naruka (EXT-NSB) wrote:
Hi,
Currently we use APACHE TOMCAT 9.0.69 which supports OpenSSL1.1.1 version.
It is not that simple.
Tomcat 9.0.x can be used with Tomcat Native 1.2.x which provides:
- TLS support when using the HTTP APR/native connector
- an alternative
Hi,
Currently we use APACHE TOMCAT 9.0.69 which supports OpenSSL1.1.1 version. We
would like to know the APACHE TOMCAT version that supports openSSL3.0 with Java
8 version?
Does TOMCAT depend on OS (like RHEL, Windows, etc) for OpenSSL support or does
it package OpenSSL on its own?
Regards
On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:
Hi Tomcat Support Team,
There is new version of Openssl i.e. Openssl 3.0 available for which tomcat
provide support in its newly released versions.
We are using Openssl version 1.1.1 in our project and need to know that if
tomcat will
Hi Tomcat Support Team,
There is new version of Openssl i.e. Openssl 3.0 available for which tomcat
provide support in its newly released versions.
We are using Openssl version 1.1.1 in our project and need to know that if
tomcat will continue its support towards Openssl 1.1.1 as well till year
On 09/01/2023 06:12, Deepti Sharma S wrote:
Hello Tomcat Team,
Can you please confirm, if any Tomcat version is supported on/with RHEL9?
As far as the Tomcat community is concerned, Tomcat is supported on any
platform an appropriate version of Java is available.
As far the official RedHat p
Hello Tomcat Team,
Can you please confirm, if any Tomcat version is supported on/with RHEL9?
Regards,
Deepti Sharma
PMP(r) & ITIL
Hello,
> -Original Message-
> From: dineshk
> Sent: Thursday, 15 December 2022 06:19
> To: Tomcat Users List
> Subject: JTA transactions support in Tomcat 9 !!
>
> Hi ,
> Could anybody provide the information if JTA transactions are supported or not
Hi ,
Could anybody provide the information if JTA transactions are supported or not
in Tomcat 9.X. If not , is there any way to achieve the JTA transactions ? We
are using hibernate for our persistence layer.
Regards
Dinesh
Rémy,
On 11/17/22 05:07, Rémy Maucherat wrote:
On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz
wrote:
Rémy,
On 11/16/22 07:53, Rémy Maucherat wrote:
On Wed, Nov 16, 2022 at 1:36 PM Christopher Schultz
wrote:
Thorsten,
On 11/16/22 03:20, Thorsten Schöning wrote:
Good day Christophe
sted
> application would be able to brute force a Realm it hasn't defined.
>
> A trusted app can obtain a reference to the Realm via other means.
>
> I know untrusted apps are rare and becoming rarer but as long as we have
> to support the SecurityManager (hopefully not fo
ealm it hasn't defined.
A trusted app can obtain a reference to the Realm via other means.
I know untrusted apps are rare and becoming rarer but as long as we have
to support the SecurityManager (hopefully not for much longer) then we
On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz
wrote:
>
> Rémy,
>
> On 11/16/22 07:53, Rémy Maucherat wrote:
> > On Wed, Nov 16, 2022 at 1:36 PM Christopher Schultz
> > wrote:
> >>
> >> Thorsten,
> >>
> >> On 11/16/22 03:20, Thorsten Schöning wrote:
> >>> Good day Christopher Schultz,
> >>>
Rémy,
On 11/16/22 07:53, Rémy Maucherat wrote:
On Wed, Nov 16, 2022 at 1:36 PM Christopher Schultz
wrote:
Thorsten,
On 11/16/22 03:20, Thorsten Schöning wrote:
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 04:50 you wrote:
That worked right from the start, I had
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 13:35 you wrote:
> I really don't know why you are seeing that warning. You aren't
> explicitly-setting a CredentialHandler on your LockOutRealm and
> that's the only time this warning should be shown.[...]
Yes I did during test
On Wed, Nov 16, 2022 at 1:36 PM Christopher Schultz
wrote:
>
> Thorsten,
>
> On 11/16/22 03:20, Thorsten Schöning wrote:
> > Good day Christopher Schultz,
> > on Wednesday, 16 November 2022 at 04:50 you wrote:
> >
> >> >> resourceName="UserDatabase">
> >> >> className="org.apache.catalina.r
Thorsten,
On 11/16/22 03:20, Thorsten Schöning wrote:
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 04:50 you wrote:
That worked right from the start, I had a DIGEST in tomcat-users.xml
and was able to login with plain-text password provided to the
browser.
The use
Thorsten,
On 11/16/22 02:28, Thorsten Schöning wrote:
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 04:00 you wrote:
Thorsten, what makes you say "it doesn't work" and "LockoutRealm
ignores any credential handler"? When you say "it doesn't work"...
what DOES it do?
IGN
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 04:50 you wrote:
> resourceName="UserDatabase">
> className="org.apache.catalina.realm.SecretKeyCredentialHandler"
> algorithm="PBKDF2WithHmacSHA512"
> iterations="10"
>
Good day Christopher Schultz,
on Wednesday, 16 November 2022 at 04:00 you wrote:
> Thorsten, what makes you say "it doesn't work" and "LockoutRealm
> ignores any credential handler"? When you say "it doesn't work"...
> what DOES it do?
IGNORES because it logs a corresponding warning on expli
Thorsten,
On 11/15/22 05:09, Thorsten Schöning wrote:
I have some webapp hosted by Tomcat and need to restrict user access
to some part of that. One additional requirement is that this app
needs to be CIS benchmark compliant and that requires to use
LockOutRealm and restricts to store plain-text
Rémy and Thorsten,
On 11/15/22 06:59, Rémy Maucherat wrote:
On Tue, Nov 15, 2022 at 11:11 AM Thorsten Schöning
wrote:
Hi everyone,
I have some webapp hosted by Tomcat and need to restrict user access
to some part of that. One additional requirement is that this app
needs to be CIS benchmark
Good day Rémy Maucherat,
on Tuesday, 15 November 2022 at 12:59 you wrote:
> Maybe NestedCredentialHandler could be used to construct a
> CredentialHandler that could be useful to the application, but this
> needs more thought.
That wouldn't change anything, as that handler would be ignored
On Tue, Nov 15, 2022 at 11:11 AM Thorsten Schöning
wrote:
>
> Hi everyone,
>
> I have some webapp hosted by Tomcat and need to restrict user access
> to some part of that. One additional requirement is that this app
> needs to be CIS benchmark compliant and that requires to use
> LockOutRealm and
Hi everyone,
I have some webapp hosted by Tomcat and need to restrict user access
to some part of that. One additional requirement is that this app
needs to be CIS benchmark compliant and that requires to use
LockOutRealm and restricts to store plain-text passwords. Therefore,
the ultimate solutio
On 21/09/2022 09:16, Terry ST SY/OGCIO wrote:
Dear Mark,
Many thanks for your reply.
As there is some limitation/dependence on upgrade Tomcat 7, may I know Tomcat 7
the windows platform support status before Tomcat 7 end of support.
Tomcat 7 was supported on any Windows platform supported by
Dear Mark,
Many thanks for your reply.
As there is some limitation/dependence on upgrade Tomcat 7, may I know Tomcat 7
the windows platform support status before Tomcat 7 end of support.
Regards,
Terry
-Original Message-
From: Mark Thomas
Sent: Wednesday, September 21, 2022 4:10 PM
On 21/09/2022 08:03, Terry ST SY/OGCIO wrote:
Dear Support,
We are using Tomcat 7 with Windows Server 2012 R2 at our servers and planned to
upgrade tomcat and windows platform.
Can you update us the windows support platform for Tomcat 7 and Tomcat 9 for
our ease planning.
Apache Tomcat 7
Dear Support,
We are using Tomcat 7 with Windows Server 2012 R2 at our servers and planned to
upgrade tomcat and windows platform.
Can you update us the windows support platform for Tomcat 7 and Tomcat 9 for
our ease planning.
Regards,
Terry
Thanks for all the responses.
Regards,
Nitish
On Wed, Aug 3, 2022 at 2:58 PM Konstantin Kolinko
wrote:
> Wed, 3 Aug 2022 at 10:19, Nitish Chitta :
> >
> > Hello Team,
> > I wanted to know if Tomcat 7 supports requests with IPv6 addresses in the
> > URL as I am getting an HTTP 404 error when t
Wed, 3 Aug 2022 at 10:19, Nitish Chitta :
>
> Hello Team,
> I wanted to know if Tomcat 7 supports requests with IPv6 addresses in the
> URL as I am getting an HTTP 404 error when trying to hit the server with an
> IPv6 address.
1. Tomcat 7 has reached End of Life and is no longer supported.
2.
check if tomcat is listening on ipv6, using ss or netstat command.
need more details about your environment, how requests are passed to
container, etc...
On Wed, Aug 3, 2022 at 3:26 PM Nitish Chitta wrote:
>
> I have done the required changes i.e added the IPv6 address to the
> connector that the s
> On Aug 3, 2022, at 15:18, Nitish Chitta wrote:
>
> Hello Team,
> I wanted to know if Tomcat 7 supports requests with IPv6 addresses in the
> URL as I am getting an HTTP 404 error when trying to hit the server with an
> IPv6 address.
Don’t you get a 404 error when you use an IPV4 address?
>
> Thanks &
I have done the required changes i.e added the IPv6 address to the
connector that the server should listen on. Do I have to add any other
property or am I missing something?
On Wed, Aug 3, 2022 at 12:51 PM Jason Wee wrote:
> yes, it should, read here
> https://tomcat.apache.org/tomcat-7.0-doc/co
yes, it should, read here
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
On Wed, Aug 3, 2022 at 3:19 PM Nitish Chitta wrote:
>
> Hello Team,
> I wanted to know if Tomcat 7 supports requests with IPv6 addresses in the
> URL as I am getting an HTTP 404 error when trying to hit the server
Hello Team,
I wanted to know if Tomcat 7 supports requests with IPv6 addresses in the
URL as I am getting an HTTP 404 error when trying to hit the server with an
IPv6 address.
Thanks & Regards,
Nitish
On 01/04/2022 15:16, Emen Eddine AISSAOUI wrote:
Hi to all,
I need your support please.
Where can I find the following information regarding the version of Tomcat
8.5:
- date of end of support
Not currently set. When it is set we will provide at least 12 months notice.
The Tomcat project
Hi to all,
I need your support please.
Where can I find the following information regarding the version of Tomcat
8.5:
- date of end of support
-extended support (definition, date and the services which are included in
this support)
Please provide me the link of each informatique.
Thank you
On 06/10/2021 11:02, Deshmukh, Kedar wrote:
Hi,
I would like to understand,
How many concurrent websocket connections are allowed in tomcat ?
As many as your hardware / OS will support.
Is there any limit ?
maxConnections on the Connector. Defaults to 8192. Use -1 for unlimited.
Are
Hi,
I would like to understand,
How many concurrent websocket connections are allowed in tomcat ? Is there any
limit ?
Are connector worker-threads consumed for any websocket connect ? If not, then,
is there any special configuration available for websockets ?
Thanks,
Kedar
RSA or EC?
Try adding:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
... to your list.
Note that you have both RSA and EC-based cipher suites in your cipher
suites string, and with only a single certificate, you cannot possibly
actually support both.
-chri
My guess would be that whatever JRE webstart is using to launch does not
support TLS 1.3. We used webstart for a long time, and this type of error
looks pretty familiar. As I am sure you have experienced, just because the
browser can connect (with its certifications, proxies, protocols
)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unkn
-Original Message-
From: Daniel Savard
Sent: Tuesday, June 29, 2021 11:33 AM
To: Tomcat Users List
Subject: Re: TLSv1.3 Support in Tomcat
ginal Message-
From: Daniel Savard
Sent: Tuesday, June 29, 2021 11:33 AM
To: Tomcat Users List
Subject: Re: TLSv1.3 Support in Tomcat
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
TLSv1.3 supports 5 cipher suites and none is in your list.
-
Daniel Savard
Le mar. 29
CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
> sslEnabledProtocols=" TLSv1.3"/>
>
>
>
> Regards,
> Abirami.S
>
> -Original Message-
> From: Christopher Schultz
> Sen
,
Abirami.S
-Original Message-
From: Christopher Schultz
Sent: Monday, June 28, 2021 7:27 PM
To: users@tomcat.apache.org
Subject: Re: TLSv1.3 Support in Tomcat
Abirami,
On 6/28/21 07:16, S Abirami wrote:
> TLSv1.3 support is available in Tomcat.
>
> I tried just updating s
Original Message-
From: Christopher Schultz
Sent: Monday, June 28, 2021 9:57 AM
To: users@tomcat.apache.org
Subject: [Possible Spam] Re: TLSv1.3 Support in Tomcat
Importance: Low
Abirami,
On 6/28/21 07:16, S Abirami wrote:
> TLSv1.3 support is available in Tomcat.
>
> I t
Abirami,
On 6/28/21 07:16, S Abirami wrote:
TLSv1.3 support is available in Tomcat.
I tried just updating server.xml[sslEnabledProtocols=TLSv1.3] and
restarted tomcat. It doesn't work.
[We are using Tomcat 9.0.46 and JDK 8u291]
Please let me know any other configuration also needs
Hi All,
We are using Tomcat 9.0.46 and JDK 8u291
Regards,
Abirami.S
-Original Message-
From: S Abirami
Sent: Monday, June 28, 2021 4:47 PM
To: Tomcat Users List
Subject: TLSv1.3 Support in Tomcat
Hi All,
TLSv1.3 support is available in Tomcat.
I tried just updating server.xml
On Mon, Jun 28, 2021, 06:17 S Abirami
wrote:
> Hi All,
>
> TLSv1.3 support is available in Tomcat.
>
> I tried just updating server.xml[sslEnabledProtocols=TLSv1.3] and
> restarted tomcat. It doesn't work.
>
> Please let me know any other configuration also needs
Hi All,
TLSv1.3 support is available in Tomcat.
I tried just updating server.xml[sslEnabledProtocols=TLSv1.3] and restarted
tomcat. It doesn't work.
Please let me know any other configuration also needs to be changed.
Regards,
Abirami.S
's JSSE. You may
be able to use BouncyCastle, which appears to support it at least for
clients.
Tomcat has no configuration for this kind of thing because (a) it's not
terribly secure and (b) nobody really wants it and (c) we don't have an
example of a JSSE provider which suppo
Hi All,
I am using Tomcat server with version 9.0.37 and JSSE is configured for TLS.
*Use Case:* TLS Client, that uses OpenSSL1.1.1d internally, is trying to
connect this Tomcat server using PSK and SRP based ciphers(Ex :
_RSA-PSK-AES256-GCM-SHA384). Here we are observing a Fatal error on the
clien
hers requires method invocations and maybe
instanceof tests. Both are adding extra overhead, so I decided to use a
more C-like approach.)
That simple algorithm takes about 42 ns and so, is still 2 times slower
than the HashSet test. I already made more than half the way down to
support * an
Carsten,
On 9/27/20 05:53, Carsten Klein wrote:
> Any comments on that? Is it worth preparing a PR?
Regular expressions are fairly expensive.
If there is a way to build the code such that some subset of wildcards
can be serviced without regex (and of course exact matches without using
regex), th
Any comments on that? Is it worth preparing a PR?
ill have this issue when combined with a
>> server that does support them.
> This statement can be generalized to the following:
>
> "When HTTP proxies and origin-servers disagree about how to process
> requests (specifically their URLs), Bad Things can happen."
>
>
t;>>> - Envoy allows the request based on the /v1/* rule, because it
>>>>> does not support path parameters, because they are not part of
>>>>> any recent standard (RFC 2396 dropped them in 1998 [1])
>>>>
>>>> Envoy does support path par
Mark,
On 9/24/20 12:41, Mark Thomas wrote:
> On 24/09/2020 17:28, Christopher Schultz wrote:
>
>
>
>> Tomcat will only use path parameters in the final segment of a URL e.g.
>> https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search
>
> Not quite. Tomcat will only *add* the jsessionid
Christopher Schultz wrote:
> On 9/24/20 07:46, Nils Breunese wrote:
>> Mark Thomas wrote:
>>
>>> On 24/09/2020 11:02, Nils Breunese wrote:
>>>
>>>
>>>
>>>> - Envoy allows the request based on the /v1/* rule, because it
>
On 24/09/2020 17:28, Christopher Schultz wrote:
> Tomcat will only use path parameters in the final segment of a URL e.g.
> https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search
Not quite. Tomcat will only *add* the jsessionid at the end but it will
accept it on any segment.
Interna
Nils,
On 9/24/20 07:46, Nils Breunese wrote:
> Mark Thomas wrote:
>
>> On 24/09/2020 11:02, Nils Breunese wrote:
>>
>>
>>
>>> - Envoy allows the request based on the /v1/* rule, because it
>>> does not support path parameters, because they a
Mark Thomas wrote:
> On 24/09/2020 11:02, Nils Breunese wrote:
>
>
>
>> - Envoy allows the request based on the /v1/* rule, because it does not
>> support path parameters, because they are not part of any recent standard
>> (RFC 2396 dropped them in 1998 [1]
Martin Grigorov wrote:
> Someone else had the same/similar problem and the conclusion was that
> according to the Servlet specification this is the proper way to process
> the request - the request url should be normalized. If you need to protect
> some paths then you should do whatever is necess
ccess control checks and does not support path parameters,
>> your combined setup could be vulnerable.
>>
>> Consider this setup:
>>
>> 1. A Tomcat application without access restrictions
>> 2. A reverse proxy that only allows requests to /v1/* on the Tomcat
On 24.09.2020 at 12:02, Nils Breunese wrote:
Hello,
I recently learned that when a server that supports path parameters [0] — like
Tomcat (I found Jetty also does) — is run behind a reverse proxy that does
path-based access control checks and does not support path parameters, your
combined
On 24/09/2020 11:02, Nils Breunese wrote:
> - Envoy allows the request based on the /v1/* rule, because it does not
> support path parameters, because they are not part of any recent standard
> (RFC 2396 dropped them in 1998 [1])
Envoy does support path parameters and is correctly
behind a reverse proxy that
>> does path-based access control checks and does not support path parameters,
>> your combined setup could be vulnerable.
>>
>> Consider this setup:
>>
>> 1. A Tomcat application without access restrictions
>> 2. A reverse pr
Hi,
On Thu, Sep 24, 2020 at 1:02 PM Nils Breunese wrote:
> Hello,
>
> I recently learned that when a server that supports path parameters [0] —
> like Tomcat (I found Jetty also does) — is run behind a reverse proxy that
> does path-based access control checks and does n
Hello,
I recently learned that when a server that supports path parameters [0] — like
Tomcat (I found Jetty also does) — is run behind a reverse proxy that does
path-based access control checks and does not support path parameters, your
combined setup could be vulnerable.
Consider this setup
Hi there,
I'd like to contribute a CORS filter enhancement, making it accept both
wildcard-based and 'regular expression'-based expressions for its
allowed origins list.
I know this from a project based on Jetty, which has support for, at
least, simple wildcard matching
Hi Andre (and Christopher and Olaf),
I think that that is a good summary of where this is at this point.
Thanks!
Jim
On Saturday, May 16, 2020, 08:23:54 AM EDT, André Warnier (tomcat/perl)
wrote:
In summary, yes, I think you're right in your final conclusion below.
If the tomcat a
In summary, yes, I think you're right in your final conclusion below.
If the tomcat access log shows the authenticated user, it means that tomcat got it, and I
see no other way than from Apache and through that "tomcatAuthentication=false" option of
the tomcat AJP connector.
And that in turn
Hi,
When I configure the OAM protection, they have the ability to configure values
that go into HTTP headers (among other things) upon successful authentication
(to OAM).
I usually test this by protecting /cgi-bin/printenv on the Apache. printenv has
this :
##
## printenv -- demo CGI progra