Re: I forget: does Tomcat have any problems with *not* having a ROOT context?

2023-09-25 Thread Mark Thomas
On 25/09/2023 17:17, James H. H. Lampert wrote: I probably asked the question before, but does Tomcat have any problems with not having a ROOT context? None I am aware of although there may be some edge cases. Past precedence is that any such edge cases would be treated as bugs and fixed in

Re: Exception thrown whilst processing POSTed parameters when SSL is enabled in TOMCAT

2023-09-25 Thread Mark Thomas
On 25/09/2023 10:50, Aniket Pachpute wrote: Hi, We are getting a timeout exception when POST request size is >8k and SSL is enabled in the tomcat. Below are the exception details: org.apache.catalina.connector.Request.parseParameters Exception thrown whilst processing POSTed parameters

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Mark Thomas
On 13/09/2023 14:00, Shawn Heisey wrote: On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer. No need to convert it

[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

2023-09-13 Thread Mark Thomas
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48 Description: In some circumstances, such as when a configuration included

[ANN] Apache Tomcat Connectors 1.2.49 released

2023-09-12 Thread Mark Thomas
The Apache Tomcat Connectors project is part of the Tomcat project and provides web server plugins for httpd (mod_jk) and IIS (ISAPI) to connect those web servers with Tomcat and other backends. The Apache Tomcat Project is proud to announce the release of version 1.2.49 of the Apache Tomcat

Re: page extends not working???

2023-09-09 Thread Mark Thomas
On 09/09/2023 11:52, Aryeh Friedman wrote: Every other jsp in my webapp (and other webapps on the same tomcat instance [9.0.75]) works and I am using the default container but as curl/catalina.out show BasePage is *NEVER* being called (either the _jspService() or the getX()): How have you

Re: Virtual Threads

2023-09-07 Thread Mark Thomas
On 07/09/2023 15:41, Christopher Schultz wrote: On 9/6/23 16:29, Mark Thomas wrote: There isn't much point using an executor with virtual threads. Okay then perche https://tomcat.apache.org/tomcat-11.0-doc/config/executor.html#Virtual_Thread_Implementation ? That is the internal

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 06/09/2023 21:24, Christopher Schultz wrote: On 9/6/23 03:29, Mark Thomas wrote: On 05/09/2023 22:02, Christopher Schultz wrote: Thanks for the correction. I just did a quick docs[1] search for "virtual" in Tomcat 10.x for example and I didn't see useVirtualThreads, so

Re: CVE referencing Tomcat are not also referencing Tomcat-embed

2023-09-06 Thread Mark Thomas
On 06/09/2023 20:04, Francois Marot wrote: Hello, I'm in the process of switching from Dependency-check [1] to Dependency-track [2] to analyse vulnerabilities on my dependencies. I analyze a classic spring boot webapp depending upon org.apache.tomcat.embed:tomcat-embed-core. Dependency Check

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 05/09/2023 22:02, Christopher Schultz wrote: Mark, On 9/5/23 15:55, Mark Thomas wrote: On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-09-05 Thread Mark Thomas
state of the ticket isn't updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -Original Message----- From: Mark Thomas Sent: Monday, August 28, 2023

Re: Virtual Threads

2023-09-05 Thread Mark Thomas
On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when running on a version 19 or later JVM. Not quite. All current versions support virtual threads

Re: CIS Tomcat 8 Benchmark (v1.1.0) -- Questions

2023-09-05 Thread Mark Thomas
sibly not corrective. Improvements are definitely corrective as well as additive. Early versions of the guide had very odd advice regarding MIME type mapping that has since been removed. On Tue, Sep 5, 2023 at 9:36 AM Peter Kreuser wrote: Robert, While Mark Thomas will have a m

Re: Upgrading Embedded Tomcat 7.x to 10.x

2023-08-31 Thread Mark Thomas
On 30/08/2023 23:58, Matthew Robinson wrote: Please may I have some assistance to upgrade a JAVA Maven project which uses embedded Tomcat 7 to use embedded Tomcat 10? I’m having extreme difficulty determining the appropriate versions of the various components such that they play nice together.

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:51, Bhavesh Mistry wrote: Hi Mark, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' *Why? What problem are you trying to solve?* Host Header injection is a vulnerability that needs to be addressed. I am trying to solve if the host

Re: war file timestamp change

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:28, Loeschmann, Lori wrote: Hello, We have a Tomcat application which authenticates via CAS. The application and CAS reside on different servers. We also have an internal audit process that flags files on these servers when they change. It's a retroactive review of

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 08:00, Bhavesh Mistry wrote: Hi Mark, I am sorry for delayed response. Basically, when request url does not match host header then I would reject it. For example, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' Why? What problem are

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-29 Thread Mark Thomas
updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -Original Message- From: Mark Thomas Sent: Monday, August 28, 2023 11:20 AM To: Tomcat Users

Re: Disabling cipher warning

2023-08-29 Thread Mark Thomas
On 29/08/2023 20:53, David Cleary wrote: 2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the specified [ciphers] are not supported by the SSL engine and have been skipped: [Dozens of OpenSSL ciphers] We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-28 Thread Mark Thomas
:29 AM To: Tomcat Users List Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat Yes, understood. Thank you for clarifying. Even I was referring to initial consensus without any timeline or approach conclusion. Thanks, Amit -Original Message- From: Mark Thomas Sent: Friday

[SECURITY] CVE-2023-41080 Apache Tomcat - open redirect

2023-08-25 Thread Mark Thomas
CVE-2023-41080 Apache Tomcat - Open redirect Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.12 Apache Tomcat 9.0.0-M1 to 9.0.79 Apache Tomcat 8.5.0 to 8.5.92 Description: If the ROOT (default)

[ANN] Apache Tomcat 8.5.93 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.93. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.93 is a bugfix and

[ANN] Apache Tomcat 9.0.80 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.80. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.80 is a bugfix and

[ANN] Apache Tomcat 10.1.13 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.13. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 11.0.0-M11 (alpha) available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M11 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: OT: where does JSTL set this cookie? javax.servlet.jsp.jstl.fmt.request.charset

2023-08-25 Thread Mark Thomas
On 25/08/2023 07:50, Ivano Luberti wrote: Hi, I understand that this question can be OT but I don't know where to search for. Looking into tomcat manager sessions I see this cookie set in each session     javax.servlet.jsp.jstl.fmt.request.charset     ISO-8859-1 The value ISO-8859-1 i

Re: Tomcat Native

2023-08-24 Thread Mark Thomas
On 24/08/2023 13:07, Mcalexander, Jon J. wrote: Getting a 404 error when trying to download the binaries for 2.0.5 https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip Is this a known issue? It is now. The OpenSSL

Re: How to integrate alternative SSLContext?

2023-08-23 Thread Mark Thomas
On 23/08/2023 14:20, John Jiang wrote: Hi Mark, Thanks for your reply! On Thu, Aug 24, 2023 at 12:15 AM Mark Thomas wrote: On 23/08/2023 00:44, John Jiang wrote: Hi, I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19. My project needs a custom javax.net.ssl.SSLContext implementation

Re: Virtual Thread Configuration In Tomcat 11

2023-08-23 Thread Mark Thomas
On 23/08/2023 10:07, William Crowell wrote: Mark, Thanks for your reply. Just to clarify…this is all I need in Tomcat 11’s server.xml (as well as JDK21): … Correct. Mark

Re: How to integrate alternative SSLContext?

2023-08-23 Thread Mark Thomas
On 23/08/2023 00:44, John Jiang wrote: Hi, I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19. My project needs a custom javax.net.ssl.SSLContext implementation. Why? What problem are you trying to solve? How can I integrate this custom SSLContext to the embedded Tomcat server? I don't

Re: Virtual Thread Configuration In Tomcat 11

2023-08-22 Thread Mark Thomas
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html Search for useVirtualThreads The same option exists in the latest 8.5.x, 9.0.x and 10.1.x releases. You need to be using Java 21 to use virtual threads. Mark On 22/08/2023 14:14, William Crowell wrote: Hi, To use virtual threads

Re: overriding application log configuration at the container level

2023-08-22 Thread Mark Thomas
On 22/08/2023 11:53, Jason Guild wrote: Hi All: I have a web application MYAPP which embeds its logging configuration in WEB-INF/classes/logging.properties. I'd like to see more detailed logging when running the application inside my IDE without making any temporary changes to this file.

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-22 Thread Mark Thomas
Tomcat doesn't expose the SNI information. What problem are you trying to solve here? Tomcat rejects requests with mis-matched host headers by default and can be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't need to write any extra code for this. Mark On 21/08/2023

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-08-20 Thread Mark Thomas
On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wrote: I started experiencing exactly the same issue when updating from Spring 6.0.7 to 6.0.9, therefore updating tomcat from 10.1.5 to 10.1.8. The Memory leak is very clearly visible in my monitoring tools

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-08-20 Thread Mark Thomas
On 18/08/2023 11:28, Rubén Pérez wrote: This is a response to an existing thread (about Memory leak in recent versions of Tomcat): https://www.mail-archive.com/users@tomcat.apache.org/msg141882.html I haven't found a way to reply publicly as a continuation of that thread. You need to reply

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Mark Thomas
19 Aug 2023 19:46:56 Bhavesh Mistry : Hi, Tomcat Dev team and Users, I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name.  My goal is to block whenever there is a mismatch in the host header and URL server name.

[ANN] Apache Tomcat 8.5.92 available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.92. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.92 is a bugfix and

[ANN] Apache Tomcat 10.1.12 available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.12. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 11.0.0-M10 (alpha) available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M10 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: Forwarding request to a different servlet

2023-08-11 Thread Mark Thomas
RequestDispatcher operates within a given ServletContext (web application). You are trying to do a cross-context dispatch - i.e. to another web application. To do this you will need to: - enable cross-context dispatch for the /plugins web application

Re: Using dedicated SSL handshake failure logger

2023-08-03 Thread Mark Thomas
On 03/08/2023 16:53, Amit Pande wrote: What am I missing in the logger configuration? Do we have to have the console handler configured? Is CATALINA_HOME set correctly? Do you see any log file at all in the expected location? Mark

Re: JSP to Servlet conversion missing HTML contents in Tomcat 8.5.91

2023-08-03 Thread Mark Thomas
On 01/08/2023 19:13, அருள்ராஜன் அ லை wrote: Hi We have recently upgraded to tomcat 8.5.91. While the below JSP compiled into JAVA it is missing some content JSP JAVA class generated try { response.setContentType("text/html"); pageContext =

Re: 回覆: Persist function in host manager working in 9.0.60 but not 10.1.x

2023-08-03 Thread Mark Thomas
This has been fixed (by Rémy) for the August release round. Mark On 27/07/2023 01:41, Fong Mason wrote: Hi Chris, From: Christopher Schultz Sent: 27 July 2023 0:35 To: users@tomcat.apache.org Subject: Re: Persist function in host manager working in 9.0.60 but not

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-28 Thread Mark Thomas
: Christopher Schultz Sent: Thursday, July 27, 2023 4:13 PM To: users@tomcat.apache.org Subject: Re: [External] Re: Supporting Proxy Protocol in Tomcat All, On 7/27/23 12:39, Mark Thomas wrote: On 27/07/2023 16:27, Jonathan S. Fisher wrote: On the topic of security, may we consider a trustedProxies

Re: Pinned threads for HTTP2 using Virtual Threads on Tomcat 10.1.7

2023-07-28 Thread Mark Thomas
On 28/07/2023 13:50, Rémy Maucherat wrote: On Thu, Jul 27, 2023 at 5:04 PM Mark Thomas wrote: I've refactored things to the point where the unit tests run without generating any warnings for pinning. I suspect further issues will be identified over time and we can address those

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-27 Thread Mark Thomas
Socket. I'm not sure if this is super useful, but the goal would be an added layer of security to prevent Proxy Protocol header injection. On Thu, Jul 27, 2023 at 3:47 AM Mark Thomas wrote: On 26/07/2023 21:53, Christopher Schultz wrote: Mark, On 7/26/23 13:58, Mark Thomas wrote: I'm

Re: Pinned threads for HTTP2 using Virtual Threads on Tomcat 10.1.7

2023-07-27 Thread Mark Thomas
I've refactored things to the point where the unit tests run without generating any warnings for pinning. I suspect further issues will be identified over time and we can address those as they are found. Mark On 25/07/2023 10:21, Mark Thomas wrote: Never mind. Pretty much as soon as I hit

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-07-27 Thread Mark Thomas
I've taken a look at the code and can't see how this might be happening. I think a reproducible test case is going to be required to investigate this further. Mark On 12/07/2023 09:25, Mark Thomas wrote: Hi Mario, That does look like a possible bug. I'll try and do a code review before

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-27 Thread Mark Thomas
On 26/07/2023 21:53, Christopher Schultz wrote: Mark, On 7/26/23 13:58, Mark Thomas wrote: I'm not a huge fan of this feature in general. I prefer supporting features backed by specifications rather than vendor specific hacks. I think the PROXY protocol is fairly standard, even if it's

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-07-26 Thread Mark Thomas
I'm not a huge fan of this feature in general. I prefer supporting features backed by specifications rather than vendor specific hacks. My support for any patch is going to depend on the specifics of the patch. In addition to the comments in the BZ - exposing the data as a request attribute is

Re: Pinned threads for HTTP2 using Virtual Threads on Tomcat 10.1.7

2023-07-25 Thread Mark Thomas
Never mind. Pretty much as soon as I hit send I managed to trigger the issue. Mark On 25/07/2023 10:19, Mark Thomas wrote: Daniel, How did you trigger the pinning? I'm running some basic tests with -Djdk.tracePinnedThreads=short and I'm not seeing any pinned threads reported. Mark

Re: Pinned threads for HTTP2 using Virtual Threads on Tomcat 10.1.7

2023-07-25 Thread Mark Thomas
to test. Regards. On Thu, 6 Jul 2023 at 15:13, Mark Thomas () wrote: 6 Jul 2023 20:09:01 Daniel Andres Pelaez Lopez : I am aware Tomcat community did a great effort to move Tomcat to Virtual Threads friendly, but I am not sure why HTTP2 was not part of that effort? The plan was always

Re: Problem with the redirect after j_security_check

2023-07-22 Thread Mark Thomas
22 Jul 2023 17:03:50 Wiemann, Helge (ESI) : Hi all, we are using Tomcat 9 and still the JDBC Realm for authentication. Our starting URL (which is protected) ends with “/boot1#index” The form authentication is then processed through the common url j_security_check. But after a

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-13 Thread Mark Thomas
ny setting in Tomcat or mod_proxy_http2 that might cause the POST of the larger JSON to fail? -- Thanks, Dan On Wed, Jul 12, 2023 at 2:36 PM Mark Thomas wrote: 12 Jul 2023 13:40:18 Dan McLaughlin : I can confirm that if I switch h2 to http, everything works as expected, change it back to h

Re: CVE-2023-28709 incomplete fix

2023-07-13 Thread Mark Thomas
"Affects: 9.0.71 to 9.0.73" What isn't clear about the affected versions from that information? Mark -----Original Message- From: Mark Thomas Sent: Wednesday, July 12, 2023 10:25 PM To: Tomcat Users List Subject: Re: CVE-2023-28709 incomplete fix 12 Jul 2023 13:23:32 Prodan, Andree

Re: Update javax libs to Jakarta libs in Apache Taglibs.

2023-07-13 Thread Mark Thomas
12 Jul 2023 11:08:23 CHILUKA BHARATH : Hi Team, The latest Apache Taglibs( https://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5) jar classes using javax.servlet.* packages. Do we have any information w.r.t supporting Jakarta when using this specific jar ? If not, is there any plan

Re: Tomcat returning faulty "empty" header

2023-07-12 Thread Mark Thomas
12 Jul 2023 14:28:40 Lasse Lindqvist : Hi. Every once in a while in automatic tests I see an error Caused by: org.apache.http.ProtocolException: Invalid header: :     at app//org.apache.http.impl.io.AbstractMessageParser.parseHeaders(AbstractMessageParser.java:230)     at

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Mark Thomas
at 3:34 AM Mark Thomas wrote: On 11/07/2023 19:10, Dan McLaughlin wrote: One other note, is I can switch to h2c, and it still fails, and a packet capture shows the entire JSON is delivered to Tomcat, and when I put the JSON from the packet inspection together (Packets 10199 --> 10

Re: CVE-2023-28709 incomplete fix

2023-07-12 Thread Mark Thomas
12 Jul 2023 13:23:32 Prodan, Andreea Adriana : Hello, In regard to CVE-2023-28709 we would like to know if the vulnerability caused by the incomplete fix, "If non-default HTTP connector settings were used such that the

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Mark Thomas
On 11/07/2023 19:10, Dan McLaughlin wrote: One other note, is I can switch to h2c, and it still fails, and a packet capture shows the entire JSON is delivered to Tomcat, and when I put the JSON from the packet inspection together (Packets 10199 --> 10208) and compare it to what the browser says

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-07-12 Thread Mark Thomas
Hi Mario, That does look like a possible bug. I'll try and do a code review before the next release but from experience if you are able to figure out how to reproduce it that would help a lot. Thanks, Mark On 06/07/2023 15:19, ma...@datenwort.at.INVALID wrote: Hello! I guess I found a

[ANN] Apache Tomcat 11.0.0-M9 (alpha) available

2023-07-11 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M9 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: View Differences for Tomcat Configuration file versions

2023-07-06 Thread Mark Thomas
On 02/07/2023 11:41, Mark Thomas wrote: On 30/06/2023 20:15, Christopher Schultz wrote: Nadine, On 6/29/23 12:38, Nadine Young wrote: From the following page, the View Differences button no longer lists the differences in versions of the Configuration file selected

Re: Pinned threads for HTTP2 using Virtual Threads on Tomcat 10.1.7

2023-07-06 Thread Mark Thomas
6 Jul 2023 20:09:01 Daniel Andres Pelaez Lopez : I am aware Tomcat community did a great effort to move Tomcat to Virtual Threads friendly, but I am not sure why HTTP2 was not part of that effort? The plan was always to see where the bottlenecks were as folks start to experiment with Loom

Re: Can We Disable Chunked Encoding?

2023-07-06 Thread Mark Thomas
Please don't hijack threads by replying to a previous message and changing the subject. Start a new thread by sending a new message to the list. You also need to provide some version information. Mark On 06/07/2023 00:36, Eric Robinson wrote: We've been seeing problems with failed requests

Re: Apache Tomcat request smuggling in 9.0.68?

2023-07-06 Thread Mark Thomas
III#: 47QTCB21D0030 CIO-SP3 Contract#: HHSN316201800033W(SDVOSB) CIO-SP3 Contract#: HHSN316201800054W(HUBZone) Seaport-NXG Contract#: N00178-19-D-8420 eFAST Contract#: DTFAWA-13-A-00074 -Original Message- From: Mark Thomas Sent: Wednesday, July 5, 2023 12:59 PM To: users@tomcat

Re: Apache Tomcat request smuggling in 9.0.68?

2023-07-05 Thread Mark Thomas
Without knowing which vulnerability is being tested for and how the vulnerability is being tested for I don't think anyone here will be able to help. A (cleartext) tcpdump of the associated request(s) and response(s) would also be helpful. Mark On 05/07/2023 17:51, James Boggs wrote: Hi,

Re: View Differences for Tomcat Configuration file versions

2023-07-02 Thread Mark Thomas
On 30/06/2023 20:15, Christopher Schultz wrote: Nadine, On 6/29/23 12:38, Nadine Young wrote: From the following page, the View Differences button no longer lists the differences in versions of the Configuration file selected. tomcat.apache.org/migration-9.html#Upgrading_9.0.x Is

Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-29 Thread Mark Thomas
On 29/06/2023 14:24, George Angeletos wrote: Hello, I presume this only affects setups using AJP connectors - right? Correct. Mark Thanks George On Wed, 21 Jun 2023 at 13:21, Mark Thomas wrote: CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor

Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Mark Thomas
On 28/06/2023 16:49, Uday Kumar wrote: Hello Mark, In continuation of my previous mail, *Just in a while, I could replicate the issue on my local machine by installing Tomcat 9 explicitly [Now, I could see cache-control headers are being transmitted to Varnish of server2]* *Point to note

Re: Unexpected Cache-Control Header Transmission in Dual-Server API Setup

2023-06-28 Thread Mark Thomas
On 28/06/2023 14:23, Uday Kumar wrote: Hello All, Our application operates on a dual-server setup, where each server is dedicated to running a distinct API. *Technical specifications:* Framework: Spring-boot v2.4 (Java 1.8) Runtime Environment: Tomcat Version: Apache Tomcat/7.0.42 Tomcat 7

Re: Tomcat 10.1.x: Using CoyoteInputStream to read a Chunked Transfer Encoding (CTE) stream, manually, skipping ChunkedInputFilter

2023-06-26 Thread Mark Thomas
On 26/06/2023 20:34, Christopher Schultz wrote: Daniel, On 6/26/23 12:47, Daniel Andres Pelaez Lopez wrote: Hi Tomcat community, I have a requirement where we want to manually decode a Chunked Transfer Encoding (CTE) stream using CoyoteInputStream to have access to the chunk size. This means

Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-22 Thread Mark Thomas
On 22/06/2023 00:17, Stefan Mayr wrote: Hi, On 21.06.2023 at 12:20, Mark Thomas wrote: CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M5 Apache Tomcat 10.1.8 Apache Tomcat 9.0.74

Re: Get Client Certificate Information

2023-06-21 Thread Mark Thomas
ything to compile. On Mon, Jun 12, 2023 at 12:11 PM Mark Thomas wrote: On 12/06/2023 12:00, Timothy Ward wrote: Changing the CGI Servlet may be the easiest route, but if I wanted to use it as intended, I'm guessing I would use the original Java code that you sent below? X509

[SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-21 Thread Mark Thomas
CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M5 Apache Tomcat 10.1.8 Apache Tomcat 9.0.74 Apache Tomcat 8.5.88 Description: The fix for bug 66512 introduced a regression that was fixed

Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application

2023-06-21 Thread Mark Thomas
anks for the tips. -- Thanks, Dan On Tue, Jun 20, 2023 at 10:28 AM Mark Thomas wrote: On 20/06/2023 15:41, Dan McLaughlin wrote: So I tried to create a Valve to check to see if the application is stopped and convert the 404 response to a 503, but I haven't had any luck getting it to work.

Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application

2023-06-20 Thread Mark Thomas
pplication is not available, sending 503"); response.sendError(503); } else { log.fine("Application is available, passing to next valve"); getNext().invoke(request, response); } } } -- Thanks, Dan On Wed, Jun 14, 2023 at 2:32 PM Mark Thomas wrote: On 14/06/2023 19:49, Dan McLaughlin

Re: Tomcat hosting issue/bug:

2023-06-20 Thread Mark Thomas
On 20/06/2023 14:36, Virendra Barad wrote: Dear Team, I have hosted multiple application in tomcat server 9.0.73, But after some time one application continually stop responding or stop working after 1 or 2 hours however other application works fine. Please guide me what can i do for

Re: Tomcat 9, websocket server, threading

2023-06-19 Thread Mark Thomas
On 17/06/2023 16:54, Nikolai Zhubr wrote: Hi, On 6/14/23 19:43, Mark Thomas wrote: [...] There is no multi-threading within a single WebSocket connection. It is explicitly not allowed by the Jakarta WebSocket specification and Tomcat follows that rule. Could you please point out where

Re: Tomcat 9 returns INameEnvironment error

2023-06-16 Thread Mark Thomas
On 16/06/2023 09:07, Rémy Maucherat wrote: On Thu, Jun 15, 2023 at 9:54 PM Mark Thomas wrote: On 15/06/2023 19:23, Joel Griffith wrote: It looks like the JDT you mention is the Ubuntu package `libeclipse-jdt-core-java`. When I installed Tomcat 9 (9.0.31) on the functioning Ubuntu 20.04

Re: Tomcat 9 returns INameEnvironment error

2023-06-15 Thread Mark Thomas
On 15/06/2023 19:23, Joel Griffith wrote: It looks like the JDT you mention is the Ubuntu package `libeclipse-jdt-core-java`. When I installed Tomcat 9 (9.0.31) on the functioning Ubuntu 20.04 system, version 3.18.0+eclipse4.12-1 of this JDT package was installed as a dependency. When I

Re: Tomcat webserver is not logging any DEBUG or FINEST logs in catalina.out even after enabling FINEST in logging.proprties file(tomcat-8.5.79/conf/)

2023-06-15 Thread Mark Thomas
On 15/06/2023 11:26, Thomson Waghmare wrote: I am facing an issue in Linux server that webserver service is restarting automatically frequently. I tried to enable debug logs by changing the all logging properties in tomcat-8.5.79/conf/logging.proprties. But I see only INFO logs but no FINE or

Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application

2023-06-14 Thread Mark Thomas
On 14/06/2023 19:49, Dan McLaughlin wrote: Hello, This is probably a question that would be better suited for the dev list, but I thought I'd start here first. That depends. It is generally better to start on the users list. Does anyone understand the reasoning behind why Tomcat, when

Re: Tomcat 9, websocket server, threading

2023-06-14 Thread Mark Thomas
On 14/06/2023 15:21, Nikolai Zhubr wrote: Hi all, I'm trying to migrate my servlet previously running on Tomcat 7 for ages, to Tomcat 9.0.36 as per openSuse 15.4, and facing some problem. The servlet in question is using websocket, basically as a security-enhanced http-friendly replacement

Re: Factory already defined error with Tomcat 9

2023-06-14 Thread Mark Thomas
) at org.apache.catalina.webresources.StandardRoot.initInternal(StandardRoot.java:698) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) Regards, Nitish On Wed, Jun 14, 2023 at 4:52 PM Mark Thomas wrote: On 14/06/2023 12:16, Nitish Chitta wrote: Hello, I am trying to connect to a Weblogic server and have

Re: Factory already defined error with Tomcat 9

2023-06-14 Thread Mark Thomas
On 14/06/2023 12:16, Nitish Chitta wrote: Hello, I am trying to connect to a Weblogic server and have an embedded Tomcat 9 instance running in my application as well. I suppose the factory is being set twice and hence I am getting this error. I wanted to know why this issue was not occurring

Re: Tomcat 9 data source configuration error

2023-06-14 Thread Mark Thomas
read it. Mark image.png Many thanks! Jenny On Mon, Jun 12, 2023 at 11:21 AM Mark Thomas <ma...@apache.org> wrote: On 12/06/2023 16:52, Ying Jin wrote: > BTW, the ojdbc6_g.jar has been put in the Tomcat9.0.75/lib folder as > well as in the project's WEB

Re: Informal CIS Benchmark question

2023-06-13 Thread Mark Thomas
On 13/06/2023 15:07, Christopher Schultz wrote: On 6/12/23 15:52, Mark Thomas wrote: On 12/06/2023 19:13, jonmcalexan...@wellsfargo.com.INVALID wrote: I'm asking because we are doing a review of our base settings. We are using the CIS Benchmarks as a verification. One of these states to set

Re: How to implement a cluster with static membership when the StaticMembershipService does not exist in tomcat 8.5?

2023-06-13 Thread Mark Thomas
On 12/06/2023 21:04, Manak Bisht wrote: But then why do both of them exist in later tomcat versions? *StaticMembershipInterceptor* is not deprecated. In tomcat 9 (example - https://people.apache.org/~markt/dev/server-static-cluster-example.xml), only StaticMembershipService seems to be used. Do

Re: Error "Unable to send message through cluster sender" in a cluster with static members using delta manager

2023-06-13 Thread Mark Thomas
On 12/06/2023 21:00, Manak Bisht wrote: On Tue, Jun 13, 2023 at 1:26 AM Mark Thomas wrote: Try https://people.apache.org/~markt/dev/cluster-test.war instead. Mark Sure, I will give that a try. But is there some issue with the *carts.jsp* example? Or is it not meant for this purpose

Re: Is it possible to use the PersistentManager with the DeltaManager?

2023-06-13 Thread Mark Thomas
On 13/06/2023 08:07, Manak Bisht wrote: Is it not possible to extract the sessions from the servlet container in my application code? I could elect a node to schedule a periodic serialization to a data store. On restarts, I could deserialize from this store to inject the sessions back into the

Re: Error "Unable to send message through cluster sender" in a cluster with static members using delta manager

2023-06-12 Thread Mark Thomas
Try https://people.apache.org/~markt/dev/cluster-test.war instead. Mark On 12/06/2023 20:13, Manak Bisht wrote: Thank you for the clarification. Sorry, it took me a while to understand your point. I have successfully changed the cluster settings, For node with http port 8090

Re: Informal CIS Benchmark question

2023-06-12 Thread Mark Thomas
On 12/06/2023 19:13, jonmcalexan...@wellsfargo.com.INVALID wrote: I'm asking because we are doing a review of our base settings. We are using the CIS Benchmarks as a verification. One of these states to set metadata-complete to true. We have never used this setting in the past and I am worried

Re: Error "Unable to send message through cluster sender" in a cluster with static members using delta manager

2023-06-12 Thread Mark Thomas
Again, you are mixing HTTP ports and cluster ports. They must be different. On 12/06/2023 17:22, Manak Bisht wrote: Node 1: Cluster listening on 8090 Node 2: Cluster listening on 8190 12-Jun-2023 14:18:17.719 INFO [main]

Re: Is it possible to use the PersistentManager with the DeltaManager?

2023-06-12 Thread Mark Thomas
On 12/06/2023 16:59, Manak Bisht wrote: I am using the DeltaManager to support non-sticky sessions. Every node has a copy of the session information, therefore, there's no issues with this setup in a live application. However, sometimes, in a new build, there are changes which require downtime

Re: Tomcat 9 data source configuration error

2023-06-12 Thread Mark Thomas
bedded images don't work. Please paste the full stack trace and/or post it online somewhere we can read it. Mark Your help is greatly appreciated! Thanks, Jenny On Mon, Jun 12, 2023 at 3:26 AM Mark Thomas <ma...@apache.org> wrote: On 11/06/2023 19:33, Ying

Re: Error "Unable to send message through cluster sender" in a cluster with static members using delta manager

2023-06-12 Thread Mark Thomas
On 12/06/2023 16:44, Manak Bisht wrote: I am not sure if the receiver port should be the same or different from the localmember port. However, changing that to 4001 for node with localmember at 8090 and to 4002 for node with localmember at 8190, I am encountering the following error - You are

Re: Get Client Certificate Information

2023-06-12 Thread Mark Thomas
("jakarta.servlet.request.X509Certificate"); I would just have to figure out how to do that within Oracle. That should get you the value with ORDS (I've never used ORDS). I don't think you'll be able to pass it to the CGI though. Mark On Mon, Jun 12, 2023 at 6:17 AM Mark Thomas wrote: If

Re: Get Client Certificate Information

2023-06-12 Thread Mark Thomas
OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN'); So, I guess if there is a different way of doing that without using CGI Environment variables I can try that. I'm just having issues finding any useful examples of what I want to do. Thanks for your help, it is really appreciated. On Mon, Jun 12, 2023 at 4:31 AM Mark

Re: How to implement a cluster with static membership when the StaticMembershipService does not exist in tomcat 8.5?

2023-06-12 Thread Mark Thomas
On 12/06/2023 07:33, Manak Bisht wrote: I am trying to implement a cluster with static members in tomcat 8. However, according to the documentation, StaticMembershipService only exists in tomcat 9
