[GitHub] [tomcat] aooohan commented on pull request #592: Improved regexp performance: "a-zA-Z0-9_" -> "\w"
aooohan commented on PR #592: URL: https://github.com/apache/tomcat/pull/592#issuecomment-1463387623

Merge manually, thanks.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] aooohan closed pull request #592: Improved regexp performance: "a-zA-Z0-9_" -> "\w"
aooohan closed pull request #592: Improved regexp performance: "a-zA-Z0-9_" -> "\w"
URL: https://github.com/apache/tomcat/pull/592
[tomcat] branch 8.5.x updated: Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592)
This is an automated email from the ASF dual-hosted git repository. lihan pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 3f01b8bdec Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) 3f01b8bdec is described below commit 3f01b8bdec0663c6f8f815225a1100900c1d9708 Author: lihan AuthorDate: Fri Mar 10 15:22:50 2023 +0800 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) Submitted by Andrei Briukhov --- conf/web.xml | 4 ++-- java/org/apache/catalina/servlets/CGIServlet.java | 4 ++-- test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 2 +- webapps/docs/cgi-howto.xml| 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 86777073bb..01eacede64 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -356,7 +356,7 @@ - + @@ -367,7 +367,7 @@ - + diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index a80c5d1911..a406a4a756 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -254,7 +254,7 @@ public final class CGIServlet extends HttpServlet { DEFAULT_SUPER_METHODS.add("TRACE"); if (JrePlatform.IS_WINDOWS) { -DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); } else { // No restrictions DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = null; @@ -323,7 +323,7 @@ public final class CGIServlet extends HttpServlet { * Uses \Q...\E to avoid individual quoting. */ private Pattern cmdLineArgumentsEncodedPattern = -Pattern.compile("[a-zA-Z0-9\\Q%;/?:@&,$-_.!~*'()\\E]+"); +Pattern.compile("[\\w\\Q%;/?:@&,$-.!~*'()\\E]+"); /** * Limits the decoded form of individual command line arguments. Default 
diff --git a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java index c2bbae3bee..37e241f5a4 100755 --- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java +++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java @@ -41,7 +41,7 @@ public class TestCGIServletCmdLineArguments { * here. This was chosen as it is simple and the tests are run on * Windows as part of every release cycle. */ -defaultDecodedPatternWindows = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +defaultDecodedPatternWindows = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); if (JrePlatform.IS_WINDOWS) { Pattern p = null; diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml index e00faf0a19..b3b76937f9 100644 --- a/webapps/docs/cgi-howto.xml +++ b/webapps/docs/cgi-howto.xml @@ -116,7 +116,7 @@ by Daniel Colascione. are enabled (via enableCmdLineArguments) individual encoded command line argument must match this pattern else the request will be rejected. The default matches the allowed values defined by RFC3875 and is -[a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+ +[\w\Q%;/?:@&,$-.!~*'()\E]+ enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
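Review bot: the swap of `a-zA-Z0-9` plus `_` for `\w` in the two `Pattern.compile` calls, the test and the cgi-howto.xml text is only allow-list-neutral because java.util.regex reads `\w` as `[a-zA-Z_0-9]` unless UNICODE_CHARACTER_CLASS (or an embedded `(?U)`) is in effect; none of the compile calls in these hunks pass a flag, so behaviour is unchanged, but the documented default now relies on that engine-specific reading while the same paragraph says it "matches the allowed values defined by RFC3875" (ASCII only). Suggest the cgi-howto.xml sentence state that `\w` here is ASCII-only, so an administrator overriding the pattern through the servlet's init-params does not assume Unicode letters are accepted. Two smaller points: the `-` that remains at the start of the `\Q...\E` block is still a quoted literal, not a range, so dropping `_` from `$-_` in the encoded pattern changes nothing else; and the test keeps its own copy of the Windows default (`defaultDecodedPatternWindows = Pattern.compile("[\\w\\Q-.\\/:\\E]+")`) rather than referencing the constant in CGIServlet, so the two literals have to be edited in lockstep, as they were here. The commit message claims a performance gain but carries no measurement, and the conf/web.xml hunks have no visible content in this message, so the commented-out defaults there cannot be checked against the code from this thread.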
[tomcat] branch 9.0.x updated: Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592)
This is an automated email from the ASF dual-hosted git repository. lihan pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 6918c28c77 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) 6918c28c77 is described below commit 6918c28c776c7b7d2104b26b9768b46eeb4352a0 Author: lihan AuthorDate: Fri Mar 10 15:22:50 2023 +0800 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) Submitted by Andrei Briukhov --- conf/web.xml | 4 ++-- java/org/apache/catalina/servlets/CGIServlet.java | 4 ++-- test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 2 +- webapps/docs/cgi-howto.xml| 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index ddabd5efa9..0b8b1edfe7 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -363,7 +363,7 @@ - + @@ -374,7 +374,7 @@ - + diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index 1c01714ff7..2c03cf7601 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -254,7 +254,7 @@ public final class CGIServlet extends HttpServlet { DEFAULT_SUPER_METHODS.add("TRACE"); if (JrePlatform.IS_WINDOWS) { -DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); } else { // No restrictions DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = null; @@ -323,7 +323,7 @@ public final class CGIServlet extends HttpServlet { * Uses \Q...\E to avoid individual quoting. */ private Pattern cmdLineArgumentsEncodedPattern = -Pattern.compile("[a-zA-Z0-9\\Q%;/?:@&,$-_.!~*'()\\E]+"); +Pattern.compile("[\\w\\Q%;/?:@&,$-.!~*'()\\E]+"); /** * Limits the decoded form of individual command line arguments. Default 
diff --git a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java index c2bbae3bee..37e241f5a4 100755 --- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java +++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java @@ -41,7 +41,7 @@ public class TestCGIServletCmdLineArguments { * here. This was chosen as it is simple and the tests are run on * Windows as part of every release cycle. */ -defaultDecodedPatternWindows = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +defaultDecodedPatternWindows = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); if (JrePlatform.IS_WINDOWS) { Pattern p = null; diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml index e00faf0a19..b3b76937f9 100644 --- a/webapps/docs/cgi-howto.xml +++ b/webapps/docs/cgi-howto.xml @@ -116,7 +116,7 @@ by Daniel Colascione. are enabled (via enableCmdLineArguments) individual encoded command line argument must match this pattern else the request will be rejected. The default matches the allowed values defined by RFC3875 and is -[a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+ +[\w\Q%;/?:@&,$-.!~*'()\E]+ enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592)
This is an automated email from the ASF dual-hosted git repository. lihan pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 7ed9261493 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) 7ed9261493 is described below commit 7ed92614933fcaecacf647e6bfbe8064e34adca1 Author: lihan AuthorDate: Fri Mar 10 15:22:50 2023 +0800 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) Submitted by Andrei Briukhov --- conf/web.xml | 4 ++-- java/org/apache/catalina/servlets/CGIServlet.java | 4 ++-- test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 2 +- webapps/docs/cgi-howto.xml| 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 123a9257ee..8f706c8290 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -363,7 +363,7 @@ - + @@ -374,7 +374,7 @@ - + diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index d0755c6fdd..e1cda7bb97 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -255,7 +255,7 @@ public final class CGIServlet extends HttpServlet { DEFAULT_SUPER_METHODS.add("TRACE"); if (JrePlatform.IS_WINDOWS) { -DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); } else { // No restrictions DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = null; @@ -324,7 +324,7 @@ public final class CGIServlet extends HttpServlet { * Uses \Q...\E to avoid individual quoting. */ private Pattern cmdLineArgumentsEncodedPattern = -Pattern.compile("[a-zA-Z0-9\\Q%;/?:@&,$-_.!~*'()\\E]+"); +Pattern.compile("[\\w\\Q%;/?:@&,$-.!~*'()\\E]+"); /** * Limits the decoded form of individual command line arguments. Default 
diff --git a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java index c2bbae3bee..37e241f5a4 100755 --- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java +++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java @@ -41,7 +41,7 @@ public class TestCGIServletCmdLineArguments { * here. This was chosen as it is simple and the tests are run on * Windows as part of every release cycle. */ -defaultDecodedPatternWindows = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +defaultDecodedPatternWindows = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); if (JrePlatform.IS_WINDOWS) { Pattern p = null; diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml index e00faf0a19..b3b76937f9 100644 --- a/webapps/docs/cgi-howto.xml +++ b/webapps/docs/cgi-howto.xml @@ -116,7 +116,7 @@ by Daniel Colascione. are enabled (via enableCmdLineArguments) individual encoded command line argument must match this pattern else the request will be rejected. The default matches the allowed values defined by RFC3875 and is -[a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+ +[\w\Q%;/?:@&,$-.!~*'()\E]+ enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592)
This is an automated email from the ASF dual-hosted git repository. lihan pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new c8fba3264d Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) c8fba3264d is described below commit c8fba3264d0c75637a44eb403d10b163384981e7 Author: lihan AuthorDate: Fri Mar 10 15:22:50 2023 +0800 Improved regexp performance: "a-zA-Z0-9_" -> "\w" (#592) Submitted by Andrei Briukhov --- conf/web.xml | 4 ++-- java/org/apache/catalina/servlets/CGIServlet.java | 4 ++-- test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java | 2 +- webapps/docs/cgi-howto.xml| 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index 00acceb763..1a5cbfecd0 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -359,7 +359,7 @@ - + @@ -370,7 +370,7 @@ - + diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java index d0755c6fdd..e1cda7bb97 100644 --- a/java/org/apache/catalina/servlets/CGIServlet.java +++ b/java/org/apache/catalina/servlets/CGIServlet.java @@ -255,7 +255,7 @@ public final class CGIServlet extends HttpServlet { DEFAULT_SUPER_METHODS.add("TRACE"); if (JrePlatform.IS_WINDOWS) { -DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); } else { // No restrictions DEFAULT_CMD_LINE_ARGUMENTS_DECODED_PATTERN = null; @@ -324,7 +324,7 @@ public final class CGIServlet extends HttpServlet { * Uses \Q...\E to avoid individual quoting. */ private Pattern cmdLineArgumentsEncodedPattern = -Pattern.compile("[a-zA-Z0-9\\Q%;/?:@&,$-_.!~*'()\\E]+"); +Pattern.compile("[\\w\\Q%;/?:@&,$-.!~*'()\\E]+"); /** * Limits the decoded form of individual command line arguments. Default 
diff --git a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java index c2bbae3bee..37e241f5a4 100755 --- a/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java +++ b/test/org/apache/catalina/servlets/TestCGIServletCmdLineArguments.java @@ -41,7 +41,7 @@ public class TestCGIServletCmdLineArguments { * here. This was chosen as it is simple and the tests are run on * Windows as part of every release cycle. */ -defaultDecodedPatternWindows = Pattern.compile("[a-zA-Z0-9\\Q-_.\\/:\\E]+"); +defaultDecodedPatternWindows = Pattern.compile("[\\w\\Q-.\\/:\\E]+"); if (JrePlatform.IS_WINDOWS) { Pattern p = null; diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml index d1f3e0d0c9..cc5befa5d5 100644 --- a/webapps/docs/cgi-howto.xml +++ b/webapps/docs/cgi-howto.xml @@ -115,7 +115,7 @@ by Daniel Colascione. are enabled (via enableCmdLineArguments) individual encoded command line argument must match this pattern else the request will be rejected. The default matches the allowed values defined by RFC3875 and is -[a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+ +[\w\Q%;/?:@&,$-.!~*'()\E]+ enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat] aooohan commented on pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
aooohan commented on PR #596: URL: https://github.com/apache/tomcat/pull/596#issuecomment-1463201626

I have a question: why don't we add a real **primary key** (auto-increment) to solve the primary key constraint violation when inserting data into the database simultaneously? Then we can select session data from the table by **session-id**, ordered (DESC) by **ID** (the real primary key) when loading a session, and the newest result is what we need. Thus, we can avoid adding a lock (FOR UPDATE or others) at the database level. I think this will work and is so simple, but I don't know if there will be any security issues. Thoughts?
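As an added example (not Tomcat code, not from anyone in this thread), the two approaches under discussion side by side on an in-memory SQLite database: the lock-then-UPDATE-or-INSERT save of PR #596, with BEGIN IMMEDIATE standing in for SELECT ... FOR UPDATE, which SQLite lacks, and the append-only table with an auto-increment key proposed in the comment above, where load picks the newest row and removal has to delete every generation. The table and column names are assumptions modelled on DataSourceStore's columns.

```python
"""Session rows without DELETE+INSERT, two ways (constructed example, not Tomcat code).
Schema names (tomcat_sessions, app, id, data, valid, maxinactive, lastaccess) are
assumptions modelled on DataSourceStore's columns."""
import sqlite3
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionRow:
    app: str
    session_id: str
    data: bytes  # the serialized session Tomcat streams into the BLOB column
    valid: bool
    max_inactive: int
    last_accessed: int

def _values(s: SessionRow) -> tuple:
    # Tomcat stores validity as the strings "1"/"0"; mirror that.
    return (s.app, s.session_id, s.data, "1" if s.valid else "0", s.max_inactive, s.last_accessed)

# Approach A (PR #596): lock first, then UPDATE or INSERT inside one transaction.
def open_locked_store() -> sqlite3.Connection:
    # isolation_level=None: no implicit BEGIN from the driver; we own the transaction.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("""CREATE TABLE tomcat_sessions (
        app TEXT NOT NULL, id TEXT NOT NULL, data BLOB NOT NULL, valid TEXT NOT NULL,
        maxinactive INTEGER NOT NULL, lastaccess INTEGER NOT NULL, PRIMARY KEY (app, id))""")
    return conn

def save_locked(conn: sqlite3.Connection, s: SessionRow) -> str:
    """Returns "insert" or "update". BEGIN IMMEDIATE takes SQLite's write lock up front,
    the job SELECT ... FOR UPDATE does elsewhere: a second saver of the same session waits
    for us instead of racing us to the INSERT and tripping the primary key."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        exists = conn.execute("SELECT 1 FROM tomcat_sessions WHERE app = ? AND id = ?",
                              (s.app, s.session_id)).fetchone()
        if exists:
            conn.execute("UPDATE tomcat_sessions SET data = ?, valid = ?, maxinactive = ?, "
                         "lastaccess = ? WHERE app = ? AND id = ?",
                         (s.data, "1" if s.valid else "0", s.max_inactive, s.last_accessed,
                          s.app, s.session_id))
            action = "update"
        else:
            conn.execute("INSERT INTO tomcat_sessions (app, id, data, valid, maxinactive, "
                         "lastaccess) VALUES (?, ?, ?, ?, ?, ?)", _values(s))
            action = "insert"
        conn.execute("COMMIT")
        return action
    except Exception:
        conn.execute("ROLLBACK")  # never leave the write lock held after a failure
        raise

# Approach B (proposal above): append-only rows, auto-increment key, newest row wins.
def open_append_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    with conn:
        conn.execute("""CREATE TABLE tomcat_sessions (
            seq INTEGER PRIMARY KEY AUTOINCREMENT, app TEXT NOT NULL, id TEXT NOT NULL,
            data BLOB NOT NULL, valid TEXT NOT NULL, maxinactive INTEGER NOT NULL,
            lastaccess INTEGER NOT NULL)""")
        # (app, id) is deliberately NOT unique, so concurrent saves cannot collide;
        # the index keeps "newest row for this session" cheap.
        conn.execute("CREATE INDEX ix_sessions_app_id_seq ON tomcat_sessions (app, id, seq)")
    return conn

def save_append(conn: sqlite3.Connection, s: SessionRow) -> int:
    """Plain INSERT, no lock; returns the generated seq."""
    with conn:
        cur = conn.execute("INSERT INTO tomcat_sessions (app, id, data, valid, maxinactive, "
                           "lastaccess) VALUES (?, ?, ?, ?, ?, ?)", _values(s))
        return cur.lastrowid

def load_append(conn: sqlite3.Connection, app: str, session_id: str) -> Optional[SessionRow]:
    """ORDER BY seq DESC LIMIT 1: the highest auto-increment value is the latest save."""
    row = conn.execute("SELECT data, valid, maxinactive, lastaccess FROM tomcat_sessions "
                       "WHERE app = ? AND id = ? ORDER BY seq DESC LIMIT 1",
                       (app, session_id)).fetchone()
    if row is None:
        return None
    data, valid, max_inactive, last_accessed = row
    return SessionRow(app, session_id, bytes(data), valid == "1", max_inactive, last_accessed)

def remove_append(conn: sqlite3.Connection, app: str, session_id: str) -> int:
    """Expiry/invalidation must delete every generation, not just the newest one."""
    with conn:
        return conn.execute("DELETE FROM tomcat_sessions WHERE app = ? AND id = ?",
                            (app, session_id)).rowcount

def row_count(conn: sqlite3.Connection, app: str, session_id: str) -> int:
    """Works on both schemas: rows currently stored for one session id."""
    return conn.execute("SELECT COUNT(*) FROM tomcat_sessions WHERE app = ? AND id = ?",
                        (app, session_id)).fetchone()[0]

if __name__ == "__main__":
    first = SessionRow("/shop", "A1B2C3", b"cart=[]", True, 1800, 1000)
    second = SessionRow("/shop", "A1B2C3", b"cart=[sku42]", True, 1800, 2000)
    locked, appended = open_locked_store(), open_append_store()
    print(save_locked(locked, first), save_locked(locked, second))  # insert update
    print(save_append(appended, first), save_append(appended, second))  # 1 2
    print(load_append(appended, "/shop", "A1B2C3").data, remove_append(appended, "/shop", "A1B2C3"))
```

The append-only store can never hit an (app, id) key violation because it has none; what it trades for that is housekeeping, since every load must find the newest row and expiry or invalidation must delete all rows for the id, not just the latest.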
Re: Double-wrapping of byte-array in streams in DataSourceStore.java
> On Mar 9, 2023, at 22:52, Christopher Schultz wrote:
>
> All,
>
> Please have a look at DataSourceStore.java:629
>
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/session/DataSourceStore.java#L629
>
> It looks to me like the byte array which contains the session data is being first wrapped in a ByteArrayInputStream (which is necessary to robustly supply the data to the JDBC driver), and then again in a BufferedInputStream.
>
> I don't see a need for this second wrapper. IMO it just adds overhead because the underlying data is just byte[]. Copying that data to another buffer doesn't improve anything.
>
> I'd like to remove this additional wrapper unless someone can provide a justification for the double-wrapping.

+1 Indeed, it doesn't seem to improve anything.

> Thanks,
> -chris
Buildbot failure in on tomcat-9.0.x
Build status: BUILD FAILED: failed compile (failure) Logs copied. (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/37/builds/490
Blamelist: Mark Thomas
Build Text: failed compile (failure) Logs copied. (failure)
Status Detected: new failure
Build Source Stamp: [branch 9.0.x] 149aa95a016d84e260a4739aa29ee92eda72e7b2
Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 2 shell_11: 2
-- ASF Buildbot
[GitHub] [tomcat] isapir commented on pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
isapir commented on PR #596: URL: https://github.com/apache/tomcat/pull/596#issuecomment-1462467192

Yeah, I guess that site is not up to date. I also used SELECT FOR UPDATE in MySQL 5.7. There is also INSERT ON CONFLICT UPDATE support in MySQL and Postgres, but it would be difficult to find an optimized solution that fits all.
[GitHub] [tomcat] isapir commented on a diff in pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
isapir commented on code in PR #596: URL: https://github.com/apache/tomcat/pull/596#discussion_r1131364805 ## java/org/apache/catalina/session/DataSourceStore.java: ## 
@@ -626,15 +626,77 @@ public void save(Session session) throws IOException { byte[] obs = bos.toByteArray(); int size = obs.length; try (ByteArrayInputStream bis = new ByteArrayInputStream(obs, 0, size); -InputStream in = new BufferedInputStream(bis, size); -PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql)) { -preparedSaveSql.setString(1, session.getIdInternal()); -preparedSaveSql.setString(2, getName()); -preparedSaveSql.setBinaryStream(3, in, size); -preparedSaveSql.setString(4, session.isValid() ? "1" : "0"); -preparedSaveSql.setInt(5, session.getMaxInactiveInterval()); -preparedSaveSql.setLong(6, session.getLastAccessedTime()); -preparedSaveSql.execute(); + InputStream in = new BufferedInputStream(bis, size); + PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql, ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE)) { + +// Store auto-commit state +boolean autoCommit = _conn.getAutoCommit(); + +try { +if(autoCommit) { +_conn.setAutoCommit(false); // BEGIN TRANSACTION +} + +preparedSaveSql.setString(1, getName()); +preparedSaveSql.setString(2, session.getIdInternal()); + +ResultSet rs = preparedSaveSql.executeQuery(); + +if(rs.next()) { +// Session already exists in the db; update the various fields +rs.updateBinaryStream(sessionDataCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? "1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); +} else { +// Session does not exist. Insert. +rs.moveToInsertRow(); + +rs.updateString(sessionAppCol, getName()); +rs.updateString(sessionIdCol, session.getIdInternal()); +rs.updateBinaryStream(sessionIdCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? 
"1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); +} + +_conn.commit(); +} catch (SQLException sqle) { Review Comment: The Stack Trace would be the same, true, but the exception class and message would still provide the details -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot failure in on tomcat-8.5.x
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/36/builds/425
Blamelist: Mark Thomas
Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch 8.5.x] d543e8e57b77a4e6ce1fa881a28a4cea12366a16
Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 2
-- ASF Buildbot
[tomcat] branch 9.0.x updated: Rename digests to remove reference to specific algorithm
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 149aa95a01 Rename digests to remove reference to specific algorithm 149aa95a01 is described below commit 149aa95a016d84e260a4739aa29ee92eda72e7b2 Author: Mark Thomas AuthorDate: Thu Mar 9 15:29:10 2023 + Rename digests to remove reference to specific algorithm This is in preparation for implementing RFC 7616 --- java/org/apache/catalina/Realm.java | 5 ++--- .../catalina/authenticator/DigestAuthenticator.java | 4 ++-- java/org/apache/catalina/realm/CombinedRealm.java | 4 ++-- .../apache/catalina/realm/JAASCallbackHandler.java| 14 +++--- .../apache/catalina/realm/JAASMemoryLoginModule.java | 8 java/org/apache/catalina/realm/JAASRealm.java | 4 ++-- java/org/apache/catalina/realm/JNDIRealm.java | 4 ++-- java/org/apache/catalina/realm/LockOutRealm.java | 4 ++-- java/org/apache/catalina/realm/RealmBase.java | 14 +++--- .../authenticator/TestDigestAuthenticator.java| 10 +- .../TestSSOnonLoginAndDigestAuthenticator.java| 10 +- .../TesterDigestAuthenticatorPerformance.java | 8 test/org/apache/catalina/realm/TestJNDIRealm.java | 19 ++- 13 files changed, 54 insertions(+), 54 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 8003ba1d2f..1d6b35839b 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java 
@@ -98,15 +98,14 @@ public interface Realm extends Contained { * @param qop the "quality of protection" ({@code nc} and {@code cnonce} *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name - * @param md5a2 Second MD5 digest used to calculate the digest : - * MD5(Method + ":" + uri) + * @param digestA2 Second digest calculated as digest(Method + ":" + uri) * * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, - String md5a2); + String digestA2); /** diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java index bb2504a9df..74ffdbee67 100644 --- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java +++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java @@ -597,9 +597,9 @@ public class DigestAuthenticator extends AuthenticatorBase { String a2 = method + ":" + uri; byte[] buffer = ConcurrentMessageDigest.digestMD5(a2.getBytes(StandardCharsets.ISO_8859_1)); -String md5a2 = HexUtils.toHexString(buffer); +String digestA2 = HexUtils.toHexString(buffer); -return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, md5a2); +return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, digestA2); } } diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 0b942a78e7..08804a29ac 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java 
@@ -89,7 +89,7 @@ public class CombinedRealm extends RealmBase { @Override public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, -String qop, String realmName, String md5a2) { +String qop, String realmName, String digestA2) { Principal authenticatedUser = null; for (Realm realm : realms) { @@ -97,7 +97,7 @@ public class CombinedRealm extends RealmBase { log.debug(sm.getString("combinedRealm.authStart", username, realm.getClass().getName())); } -authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, md5a2); +authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, digestA2); if (authenticatedUser == null) { if (log.isDebugEnabled()) { diff --git a/java/org/apache/catalina/realm/JAASCallbackHandler.java b/java/org/apache/catalina/realm/JAASCallbackHandler.java index bf0205e9b1..a708befc0a 100644 --- a/java/org/apache/catalina/realm/JAASCallbackHandler.java +++ b/java/org/apache/catalina/realm/JAASCallbackHandler.java @@ -76,11 +76,11 @@ public class JAASCa
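Review bot: the rename leaves `DigestAuthenticator` producing `digestA2` with `ConcurrentMessageDigest.digestMD5(...)` while the `Realm.authenticate` Javadoc now says only "Second digest calculated as digest(Method + ":" + uri)"; since the commit message says this prepares for RFC 7616, which adds SHA-256 digests, the contract no longer tells a Realm implementer which algorithm produced `digestA2`, and a realm that derives A1 itself has to use the same one as the authenticator. Suggest the `@param digestA2` text say the algorithm is the one the authenticator selected (currently always MD5), or that a follow-up pass the algorithm along with the value, so the two sides cannot drift once a second algorithm exists. The patch as reproduced in this message is cut off inside the JAASCallbackHandler hunk.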
[tomcat] branch 9.0.x updated: Fix back-port
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 5914457f10 Fix back-port 5914457f10 is described below commit 5914457f109fa28e60ce5390f3e48492d49e1452 Author: Mark Thomas AuthorDate: Thu Mar 9 15:30:52 2023 + Fix back-port --- test/org/apache/catalina/realm/TestJNDIRealm.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/realm/TestJNDIRealm.java b/test/org/apache/catalina/realm/TestJNDIRealm.java index 0760c0ed30..0d5cae1eff 100644 --- a/test/org/apache/catalina/realm/TestJNDIRealm.java +++ b/test/org/apache/catalina/realm/TestJNDIRealm.java @@ -112,7 +112,7 @@ public class TestJNDIRealm { // THEN assertThat(principal, instanceOf(GenericPrincipal.class)); -Assert.assertEquals(ha1(), ((GenericPrincipal)principal).getPassword()); +Assert.assertEquals(digestA1(), ((GenericPrincipal)principal).getPassword()); } @Test - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
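Review bot: the one-line change (`ha1()` -> `digestA1()` in TestJNDIRealm) is a call-site rename that the preceding back-port of 149aa95a01 missed, and the 9.0.x Buildbot report on this page (source stamp 149aa95a016d84e260a4739aa29ee92eda72e7b2, blamelist Mark Thomas, `compile_1: 2`) records the compile failure it fixes; the TestJNDIRealm diffstat differs between the branches (19 lines on 9.0.x against 21 on 8.5.x), consistent with a hand-merged back-port. Suggest compiling the test tree before pushing back-ports that touch test helpers; the 8.5.x builder on this page also reports a compile failure at d543e8e57b, so the same check is worth making there.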
[tomcat] branch 10.1.x updated: Rename digests to remove reference to specific algorithm
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new e46f1f79d4 Rename digests to remove reference to specific algorithm e46f1f79d4 is described below commit e46f1f79d4cda70b6678be66520afa2e7dae5dff Author: Mark Thomas AuthorDate: Thu Mar 9 15:29:10 2023 + Rename digests to remove reference to specific algorithm This is in preparation for implementing RFC 7616 --- java/org/apache/catalina/Realm.java | 5 ++--- .../catalina/authenticator/DigestAuthenticator.java | 4 ++-- java/org/apache/catalina/realm/CombinedRealm.java | 4 ++-- .../apache/catalina/realm/JAASCallbackHandler.java| 14 +++--- .../apache/catalina/realm/JAASMemoryLoginModule.java | 8 java/org/apache/catalina/realm/JAASRealm.java | 4 ++-- java/org/apache/catalina/realm/JNDIRealm.java | 4 ++-- java/org/apache/catalina/realm/LockOutRealm.java | 4 ++-- java/org/apache/catalina/realm/RealmBase.java | 14 +++--- .../authenticator/TestDigestAuthenticator.java| 10 +- .../TestSSOnonLoginAndDigestAuthenticator.java| 10 +- .../TesterDigestAuthenticatorPerformance.java | 8 test/org/apache/catalina/realm/TestJNDIRealm.java | 19 ++- 13 files changed, 54 insertions(+), 54 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 09a7f8925d..cb27fdd487 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java 
@@ -98,15 +98,14 @@ public interface Realm extends Contained { * @param qop the "quality of protection" ({@code nc} and {@code cnonce} *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name - * @param md5a2 Second MD5 digest used to calculate the digest : - * MD5(Method + ":" + uri) + * @param digestA2 Second digest calculated as digest(Method + ":" + uri) * * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, - String md5a2); + String digestA2); /** diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java index 247ea05d8c..0d5e681a3f 100644 --- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java +++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java @@ -597,9 +597,9 @@ public class DigestAuthenticator extends AuthenticatorBase { String a2 = method + ":" + uri; byte[] buffer = ConcurrentMessageDigest.digestMD5(a2.getBytes(StandardCharsets.ISO_8859_1)); -String md5a2 = HexUtils.toHexString(buffer); +String digestA2 = HexUtils.toHexString(buffer); -return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, md5a2); +return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, digestA2); } } diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 0b942a78e7..08804a29ac 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java 
@@ -89,7 +89,7 @@ public class CombinedRealm extends RealmBase { @Override public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, -String qop, String realmName, String md5a2) { +String qop, String realmName, String digestA2) { Principal authenticatedUser = null; for (Realm realm : realms) { @@ -97,7 +97,7 @@ public class CombinedRealm extends RealmBase { log.debug(sm.getString("combinedRealm.authStart", username, realm.getClass().getName())); } -authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, md5a2); +authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, digestA2); if (authenticatedUser == null) { if (log.isDebugEnabled()) { diff --git a/java/org/apache/catalina/realm/JAASCallbackHandler.java b/java/org/apache/catalina/realm/JAASCallbackHandler.java index bf0205e9b1..a708befc0a 100644 --- a/java/org/apache/catalina/realm/JAASCallbackHandler.java +++ b/java/org/apache/catalina/realm/JAASCallbackHandler.java @@ -76,11 +76,11 @@ public class JAAS
[tomcat] branch 8.5.x updated: Rename digests to remove reference to specific algorithm
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new d543e8e57b Rename digests to remove reference to specific algorithm d543e8e57b is described below commit d543e8e57b77a4e6ce1fa881a28a4cea12366a16 Author: Mark Thomas AuthorDate: Thu Mar 9 15:29:10 2023 + Rename digests to remove reference to specific algorithm This is in preparation for implementing RFC 7616 --- java/org/apache/catalina/Realm.java | 5 ++--- .../catalina/authenticator/DigestAuthenticator.java | 4 ++-- java/org/apache/catalina/realm/CombinedRealm.java | 4 ++-- .../apache/catalina/realm/JAASCallbackHandler.java | 14 +++--- .../catalina/realm/JAASMemoryLoginModule.java | 8 java/org/apache/catalina/realm/JAASRealm.java | 4 ++-- java/org/apache/catalina/realm/JNDIRealm.java | 4 ++-- java/org/apache/catalina/realm/LockOutRealm.java| 4 ++-- java/org/apache/catalina/realm/RealmBase.java | 14 +++--- .../authenticator/TestDigestAuthenticator.java | 10 +- .../TestSSOnonLoginAndDigestAuthenticator.java | 10 +- .../TesterDigestAuthenticatorPerformance.java | 8 test/org/apache/catalina/realm/TestJNDIRealm.java | 21 +++-- 13 files changed, 55 insertions(+), 55 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 6c0096b9ac..48985283b7 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java 
@@ -96,15 +96,14 @@ public interface Realm extends Contained { * @param qop the "quality of protection" ({@code nc} and {@code cnonce} *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name - * @param md5a2 Second MD5 digest used to calculate the digest : - * MD5(Method + ":" + uri) + * @param digestA2 Second digest calculated as digest(Method + ":" + uri) * * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, - String md5a2); + String digestA2); /** diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java index bb2504a9df..74ffdbee67 100644 --- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java +++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java @@ -597,9 +597,9 @@ public class DigestAuthenticator extends AuthenticatorBase { String a2 = method + ":" + uri; byte[] buffer = ConcurrentMessageDigest.digestMD5(a2.getBytes(StandardCharsets.ISO_8859_1)); -String md5a2 = HexUtils.toHexString(buffer); +String digestA2 = HexUtils.toHexString(buffer); -return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, md5a2); +return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, digestA2); } } diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 2ed646241e..352a06dac1 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java 
@@ -97,7 +97,7 @@ public class CombinedRealm extends RealmBase { @Override public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, -String qop, String realmName, String md5a2) { +String qop, String realmName, String digestA2) { Principal authenticatedUser = null; for (Realm realm : realms) { @@ -105,7 +105,7 @@ public class CombinedRealm extends RealmBase { log.debug(sm.getString("combinedRealm.authStart", username, realm.getClass().getName())); } -authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, md5a2); +authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, digestA2); if (authenticatedUser == null) { if (log.isDebugEnabled()) { diff --git a/java/org/apache/catalina/realm/JAASCallbackHandler.java b/java/org/apache/catalina/realm/JAASCallbackHandler.java index 17dda364ce..fcacb64537 100644 --- a/java/org/apache/catalina/realm/JAASCallbackHandler.java +++ b/java/org/apache/catalina/realm/JAASCallbackHandler.java @@ -76,11 +76,11 @@ public class JAASCallbackHandler implemen
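Review bot: the DigestAuthenticator hunk only renames `md5a2` to `digestA2`; the unchanged line directly above it still calls ConcurrentMessageDigest.digestMD5, so on this branch the value carried under the algorithm-neutral name is still an MD5 hex string. Since the commit message says this is preparation for RFC 7616, a one-line comment beside the digestMD5 call noting that the algorithm is fixed to MD5 until that work lands would stop the new name from suggesting more flexibility than the code currently has.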
[tomcat] branch main updated: Rename digests to remove reference to specific algorithm
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 16ed41df3b Rename digests to remove reference to specific algorithm 16ed41df3b is described below commit 16ed41df3b9eb64dd3508a2df8ea09f9206d2060 Author: Mark Thomas AuthorDate: Thu Mar 9 15:29:10 2023 + Rename digests to remove reference to specific algorithm This is in preparation for implementing RFC 7616 --- java/org/apache/catalina/Realm.java | 5 ++--- .../catalina/authenticator/DigestAuthenticator.java | 4 ++-- java/org/apache/catalina/realm/CombinedRealm.java | 4 ++-- .../apache/catalina/realm/JAASCallbackHandler.java| 14 +++--- .../apache/catalina/realm/JAASMemoryLoginModule.java | 8 java/org/apache/catalina/realm/JAASRealm.java | 4 ++-- java/org/apache/catalina/realm/JNDIRealm.java | 4 ++-- java/org/apache/catalina/realm/LockOutRealm.java | 4 ++-- java/org/apache/catalina/realm/RealmBase.java | 14 +++--- .../authenticator/TestDigestAuthenticator.java| 10 +- .../TestSSOnonLoginAndDigestAuthenticator.java| 10 +- .../TesterDigestAuthenticatorPerformance.java | 8 test/org/apache/catalina/realm/TestJNDIRealm.java | 19 ++- 13 files changed, 54 insertions(+), 54 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 09a7f8925d..cb27fdd487 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java 
@@ -98,15 +98,14 @@ public interface Realm extends Contained { * @param qop the "quality of protection" ({@code nc} and {@code cnonce} *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name - * @param md5a2 Second MD5 digest used to calculate the digest : - * MD5(Method + ":" + uri) + * @param digestA2 Second digest calculated as digest(Method + ":" + uri) * * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop, String realm, - String md5a2); + String digestA2); /** diff --git a/java/org/apache/catalina/authenticator/DigestAuthenticator.java b/java/org/apache/catalina/authenticator/DigestAuthenticator.java index 247ea05d8c..0d5e681a3f 100644 --- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java +++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java @@ -597,9 +597,9 @@ public class DigestAuthenticator extends AuthenticatorBase { String a2 = method + ":" + uri; byte[] buffer = ConcurrentMessageDigest.digestMD5(a2.getBytes(StandardCharsets.ISO_8859_1)); -String md5a2 = HexUtils.toHexString(buffer); +String digestA2 = HexUtils.toHexString(buffer); -return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, md5a2); +return realm.authenticate(userName, response, nonce, nc, cnonce, qop, realmName, digestA2); } } diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index 0b942a78e7..08804a29ac 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java 
@@ -89,7 +89,7 @@ public class CombinedRealm extends RealmBase { @Override public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, -String qop, String realmName, String md5a2) { +String qop, String realmName, String digestA2) { Principal authenticatedUser = null; for (Realm realm : realms) { @@ -97,7 +97,7 @@ public class CombinedRealm extends RealmBase { log.debug(sm.getString("combinedRealm.authStart", username, realm.getClass().getName())); } -authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, md5a2); +authenticatedUser = realm.authenticate(username, clientDigest, nonce, nc, cnonce, qop, realmName, digestA2); if (authenticatedUser == null) { if (log.isDebugEnabled()) { diff --git a/java/org/apache/catalina/realm/JAASCallbackHandler.java b/java/org/apache/catalina/realm/JAASCallbackHandler.java index bf0205e9b1..a708befc0a 100644 --- a/java/org/apache/catalina/realm/JAASCallbackHandler.java +++ b/java/org/apache/catalina/realm/JAASCallbackHandler.java @@ -76,11 +76,11 @@ public class JAASCall
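Review bot: in the Realm.java hunk, "Second digest" in `@param digestA2` is a weak description: the only sense in which it is "second" is that it corresponds to A2 of the Digest scheme (the local `String a2 = method + ":" + uri` in the DigestAuthenticator hunk). Suggest documenting it as H(A2) of RFC 7616, which the commit message names, i.e. the hex-encoded digest of `method + ":" + uri`, so the term is traceable to the specification rather than to an ordering of parameters.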
Buildbot success in on tomcat-10.1.x
Build status: Build succeeded! Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/44/builds/709 Blamelist: Mark Thomas Build Text: build successful Status Detected: restored build Build Source Stamp: [branch 10.1.x] 166581b1d76c5ae95881ccc2183f4d9ffa096d35 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 1 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot
Double-wrapping of byte-array in streams in DataSourceStore.java
All,

Please have a look at DataSourceStore.java:629 https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/session/DataSourceStore.java#L629

It looks to me like the byte array which contains the session data is being first wrapped in a ByteArrayInputStream (which is necessary to robustly supply the data to the JDBC driver), and then again in a BufferedInputStream. I don't see a need for this second wrapper. IMO it just adds overhead because the underlying data is just byte[]. Copying that data to another buffer doesn't improve anything.

I'd like to remove this additional wrapper unless someone can provide a justification for the double-wrapping.

Thanks,
-chris
[tomcat] branch 8.5.x updated: Remove unnecessary Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new b6a326 Remove unnecessary Javadoc b6a326 is described below commit b6a326c4d96783d35be1ca0511f67c90c347 Author: Mark Thomas AuthorDate: Thu Mar 9 14:37:46 2023 + Remove unnecessary Javadoc --- java/org/apache/catalina/Realm.java| 47 + java/org/apache/catalina/realm/CombinedRealm.java | 62 ++-- .../org/apache/catalina/realm/DataSourceRealm.java | 19 +--- .../catalina/realm/JAASMemoryLoginModule.java | 42 +--- java/org/apache/catalina/realm/JAASRealm.java | 36 --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- java/org/apache/catalina/realm/LockOutRealm.java | 39 +-- java/org/apache/catalina/realm/MemoryRealm.java| 25 - java/org/apache/catalina/realm/RealmBase.java | 112 ++--- .../apache/catalina/realm/UserDatabaseRealm.java | 15 +-- 10 files changed, 55 insertions(+), 352 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 4ea8ae577b..6c0096b9ac 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -63,8 +63,8 @@ public interface Realm extends Contained { * Try to authenticate with the specified username. * * @param username Username of the Principal to look up - * @return the associated principal, or null if none is - * associated. + * + * @return the associated principal, or {@code null} if none is associated. */ Principal authenticate(String username); 
@@ -76,7 +76,8 @@ public interface Realm extends Contained { * @param username Username of the Principal to look up * @param credentials Password or other credentials to use in * authenticating this username - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(String username, String credentials); @@ -92,12 +93,13 @@ public interface Realm extends Contained { * for this request * @param nc the nonce counter * @param cnonce the client chosen nonce - * @param qop the "quality of protection" (nc and cnonce - *will only be used, if qop is not null). + * @param qop the "quality of protection" ({@code nc} and {@code cnonce} + *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name * @param md5a2 Second MD5 digest used to calculate the digest : * MD5(Method + ":" + uri) - * @return the associated principal, or null if there is none. + * + * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, 
@@ -106,22 +108,23 @@ public interface Realm extends Contained { /** - * Try to authenticate using a {@link GSSContext} + * Try to authenticate using a {@link GSSContext}. * * @param gssContext The gssContext processed by the {@link Authenticator}. * @param storeCreds Should the realm attempt to store the delegated * credentials in the returned Principal? - * @return the associated principal, or null if there is none + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(GSSContext gssContext, boolean storeCreds); /** - * Try to authenticate using {@link X509Certificate}s + * Try to authenticate using a chain of {@link X509Certificate}s. * * @param certs Array of client certificates, with the first one in * the array being the certificate of the client itself. - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(X509Certificate certs[]); @@ -139,9 +142,10 @@ public interface Realm extends Contained { * this request. * * @param request Request we are processing - * @param context {@link Context} for this request - * @return the configured {@link SecurityConstraint}, of null - * if there is none + * @param context Context the Request is mapped to + * + * @return the configured {@link SecurityConstraint}, or {@code null} if + * there is none */ SecurityConstraint [] findSecurityConstraints(Request request, Context context); @@ -154,8 +158,9 @@ public interface Realm extends Contained { * @param response Response we a
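Review bot: in the Realm.java hunk for authenticate(GSSContext, boolean), the `@return` line is rewritten to use {@code null} but, unlike the authenticate(String), authenticate(String, String), the digest authenticate(...) and authenticate(X509Certificate[]) hunks in the same file, no blank line is inserted between the last `@param` and `@return`. For consistency within the file, suggest adding the same `+ *` separator line there.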
[tomcat] branch 9.0.x updated: Remove unnecessary Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 9b4e9ea182 Remove unnecessary Javadoc 9b4e9ea182 is described below commit 9b4e9ea1825131e9a27d8ba5567694ffc6e6a930 Author: Mark Thomas AuthorDate: Thu Mar 9 14:37:46 2023 + Remove unnecessary Javadoc --- java/org/apache/catalina/Realm.java| 49 + java/org/apache/catalina/realm/CombinedRealm.java | 63 ++-- .../org/apache/catalina/realm/DataSourceRealm.java | 19 +--- .../catalina/realm/JAASMemoryLoginModule.java | 42 +--- java/org/apache/catalina/realm/JAASRealm.java | 36 --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- java/org/apache/catalina/realm/LockOutRealm.java | 39 +-- java/org/apache/catalina/realm/MemoryRealm.java| 25 - java/org/apache/catalina/realm/RealmBase.java | 112 ++--- .../apache/catalina/realm/UserDatabaseRealm.java | 15 +-- 10 files changed, 57 insertions(+), 353 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index f624fa6504..8003ba1d2f 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -65,8 +65,8 @@ public interface Realm extends Contained { * Try to authenticate with the specified username. * * @param username Username of the Principal to look up - * @return the associated principal, or null if none is - * associated. + * + * @return the associated principal, or {@code null} if none is associated. */ Principal authenticate(String username); 
@@ -78,7 +78,8 @@ public interface Realm extends Contained { * @param username Username of the Principal to look up * @param credentials Password or other credentials to use in * authenticating this username - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(String username, String credentials); @@ -94,12 +95,13 @@ public interface Realm extends Contained { * for this request * @param nc the nonce counter * @param cnonce the client chosen nonce - * @param qop the "quality of protection" (nc and cnonce - *will only be used, if qop is not null). + * @param qop the "quality of protection" ({@code nc} and {@code cnonce} + *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name * @param md5a2 Second MD5 digest used to calculate the digest : * MD5(Method + ":" + uri) - * @return the associated principal, or null if there is none. + * + * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, @@ -108,18 +110,18 @@ public interface Realm extends Contained { /** - * Try to authenticate using a {@link GSSContext} + * Try to authenticate using a {@link GSSContext}. * * @param gssContext The gssContext processed by the {@link Authenticator}. * @param storeCreds Should the realm attempt to store the delegated * credentials in the returned Principal? - * @return the associated principal, or null if there is none + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(GSSContext gssContext, boolean storeCreds); /** - * Try to authenticate using a {@link GSSName} + * Try to authenticate using a {@link GSSName}. * * Note that this default method will be turned into an abstract one in * Tomcat 10. 
@@ -135,11 +137,12 @@ public interface Realm extends Contained { /** - * Try to authenticate using {@link X509Certificate}s + * Try to authenticate using a chain of {@link X509Certificate}s. * * @param certs Array of client certificates, with the first one in * the array being the certificate of the client itself. - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(X509Certificate certs[]); @@ -157,9 +160,10 @@ public interface Realm extends Contained { * this request. * * @param request Request we are processing - * @param context {@link Context} for this request - * @return the configured {@link SecurityConstraint}, of null - * if there is none + * @param context Context the Request is mapped to + * + * @return the configured {@link SecurityConstraint}, or {@code n
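Review bot: in the Realm.java hunk for authenticate(GSSName, GSSCredential), the retained sentence "Note that this default method will be turned into an abstract one in Tomcat 10" is written as a future promise, yet the 10.1.x branch is already being built and committed to in this same digest; since the hunk is already touching this Javadoc, suggest rewording it to the present tense, or dropping it if the change has already happened on the 10.x branches.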
[tomcat] branch main updated: Remove unnecessary Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 43f4b5779a Remove unnecessary Javadoc 43f4b5779a is described below commit 43f4b5779a57ce8e3523c257b125e127093da039 Author: Mark Thomas AuthorDate: Thu Mar 9 14:37:46 2023 + Remove unnecessary Javadoc --- java/org/apache/catalina/Realm.java| 49 + java/org/apache/catalina/realm/CombinedRealm.java | 63 ++-- .../org/apache/catalina/realm/DataSourceRealm.java | 19 +--- .../catalina/realm/JAASMemoryLoginModule.java | 42 +--- java/org/apache/catalina/realm/JAASRealm.java | 36 --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- java/org/apache/catalina/realm/LockOutRealm.java | 39 +-- java/org/apache/catalina/realm/MemoryRealm.java| 25 - java/org/apache/catalina/realm/RealmBase.java | 112 ++--- .../apache/catalina/realm/UserDatabaseRealm.java | 15 +-- 10 files changed, 57 insertions(+), 353 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 769db66e85..09a7f8925d 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -65,8 +65,8 @@ public interface Realm extends Contained { * Try to authenticate with the specified username. * * @param username Username of the Principal to look up - * @return the associated principal, or null if none is - * associated. + * + * @return the associated principal, or {@code null} if none is associated. */ Principal authenticate(String username); 
@@ -78,7 +78,8 @@ public interface Realm extends Contained { * @param username Username of the Principal to look up * @param credentials Password or other credentials to use in * authenticating this username - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(String username, String credentials); @@ -94,12 +95,13 @@ public interface Realm extends Contained { * for this request * @param nc the nonce counter * @param cnonce the client chosen nonce - * @param qop the "quality of protection" (nc and cnonce - *will only be used, if qop is not null). + * @param qop the "quality of protection" ({@code nc} and {@code cnonce} + *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name * @param md5a2 Second MD5 digest used to calculate the digest : * MD5(Method + ":" + uri) - * @return the associated principal, or null if there is none. + * + * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, @@ -108,18 +110,18 @@ public interface Realm extends Contained { /** - * Try to authenticate using a {@link GSSContext} + * Try to authenticate using a {@link GSSContext}. * * @param gssContext The gssContext processed by the {@link Authenticator}. * @param storeCreds Should the realm attempt to store the delegated * credentials in the returned Principal? - * @return the associated principal, or null if there is none + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(GSSContext gssContext, boolean storeCreds); /** - * Try to authenticate using a {@link GSSName} + * Try to authenticate using a {@link GSSName}. * * @param gssName The {@link GSSName} of the principal to look up * @param gssCredential The {@link GSSCredential} of the principal, may be 
@@ -130,11 +132,12 @@ public interface Realm extends Contained { /** - * Try to authenticate using {@link X509Certificate}s + * Try to authenticate using a chain of {@link X509Certificate}s. * * @param certs Array of client certificates, with the first one in * the array being the certificate of the client itself. - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(X509Certificate certs[]); @@ -152,9 +155,10 @@ public interface Realm extends Contained { * this request. * * @param request Request we are processing - * @param context {@link Context} for this request - * @return the configured {@link SecurityConstraint}, of null - * if there is none + * @param context Context the Request is mapped to + * + * @return t
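Review bot: in the Realm.java hunk for authenticate(X509Certificate certs[]), the Javadoc is tidied but the signature context line keeps the C-style array declaration `X509Certificate certs[]`; it is not part of this change, but `X509Certificate[] certs` is the idiomatic Java form and would be worth a follow-up while the surrounding text is fresh in mind.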
[tomcat] branch 10.1.x updated: Remove unnecessary Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 8110b3d5fc Remove unnecessary Javadoc 8110b3d5fc is described below commit 8110b3d5fc791fb5bb2cd2c6991132998039b326 Author: Mark Thomas AuthorDate: Thu Mar 9 14:37:46 2023 + Remove unnecessary Javadoc --- java/org/apache/catalina/Realm.java| 49 + java/org/apache/catalina/realm/CombinedRealm.java | 63 ++-- .../org/apache/catalina/realm/DataSourceRealm.java | 19 +--- .../catalina/realm/JAASMemoryLoginModule.java | 42 +--- java/org/apache/catalina/realm/JAASRealm.java | 36 --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- java/org/apache/catalina/realm/LockOutRealm.java | 39 +-- java/org/apache/catalina/realm/MemoryRealm.java| 25 - java/org/apache/catalina/realm/RealmBase.java | 112 ++--- .../apache/catalina/realm/UserDatabaseRealm.java | 15 +-- 10 files changed, 57 insertions(+), 353 deletions(-) diff --git a/java/org/apache/catalina/Realm.java b/java/org/apache/catalina/Realm.java index 769db66e85..09a7f8925d 100644 --- a/java/org/apache/catalina/Realm.java +++ b/java/org/apache/catalina/Realm.java @@ -65,8 +65,8 @@ public interface Realm extends Contained { * Try to authenticate with the specified username. * * @param username Username of the Principal to look up - * @return the associated principal, or null if none is - * associated. + * + * @return the associated principal, or {@code null} if none is associated. */ Principal authenticate(String username); 
@@ -78,7 +78,8 @@ public interface Realm extends Contained { * @param username Username of the Principal to look up * @param credentials Password or other credentials to use in * authenticating this username - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(String username, String credentials); @@ -94,12 +95,13 @@ public interface Realm extends Contained { * for this request * @param nc the nonce counter * @param cnonce the client chosen nonce - * @param qop the "quality of protection" (nc and cnonce - *will only be used, if qop is not null). + * @param qop the "quality of protection" ({@code nc} and {@code cnonce} + *will only be used, if {@code qop} is not {@code null}). * @param realm Realm name * @param md5a2 Second MD5 digest used to calculate the digest : * MD5(Method + ":" + uri) - * @return the associated principal, or null if there is none. + * + * @return the associated principal, or {@code null} if there is none. */ Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, @@ -108,18 +110,18 @@ public interface Realm extends Contained { /** - * Try to authenticate using a {@link GSSContext} + * Try to authenticate using a {@link GSSContext}. * * @param gssContext The gssContext processed by the {@link Authenticator}. * @param storeCreds Should the realm attempt to store the delegated * credentials in the returned Principal? - * @return the associated principal, or null if there is none + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(GSSContext gssContext, boolean storeCreds); /** - * Try to authenticate using a {@link GSSName} + * Try to authenticate using a {@link GSSName}. * * @param gssName The {@link GSSName} of the principal to look up * @param gssCredential The {@link GSSCredential} of the principal, may be 
@@ -130,11 +132,12 @@ public interface Realm extends Contained { /** - * Try to authenticate using {@link X509Certificate}s + * Try to authenticate using a chain of {@link X509Certificate}s. * * @param certs Array of client certificates, with the first one in * the array being the certificate of the client itself. - * @return the associated principal, or null if there is none + * + * @return the associated principal, or {@code null} if there is none */ Principal authenticate(X509Certificate certs[]); @@ -152,9 +155,10 @@ public interface Realm extends Contained { * this request. * * @param request Request we are processing - * @param context {@link Context} for this request - * @return the configured {@link SecurityConstraint}, of null - * if there is none + * @param context Context the Request is mapped to + * + * @retu
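Review bot: in the Realm.java hunk for the digest authenticate(...) method, the untouched lines `@param md5a2 Second MD5 digest used to calculate the digest : MD5(Method + ":" + uri)` keep a stray space before the colon and hard-code MD5 in both the parameter name and its description; the neighbouring `@param qop` and `@return` lines are being reworded in this very hunk, so it would be a natural place to fix the spacing at the same time.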
Re: Reduce default for maxParameterCount
Mark,

On 3/9/23 05:56, Mark Thomas wrote:
> Hi all,
>
> In the context of CVE-2023-24998 (performance issues for large numbers of uploaded parts), I have been wondering about reducing the default value for maxParameterCount.
>
> The current default for maxParameterCount is 10,000. It was set based on it being low enough to mitigate CVE-2012-0022 (hash collisions in parameter names triggering performance issues) while being so high it was considered extremely unlikely to impact any web application.
>
> Also relevant: maxPostSize and maxHttpRequestHeaderSize which help to limit the total size of a request, regardless of the number of parameters.
>
> The current default is sufficiently low to mitigate CVE-2023-24998. There isn't any reason I am aware of that means we need to reduce the default for maxParameterCount.
>
> My thinking is more along the lines that when we last thought about this default in 2012, it was considered from the perspective of "How high can we set this and still be sure applications aren't exposed to CVE-2012-0022 or something like it?". If we consider it from the perspective of "How low can we make this without breaking many / most / (nearly) all applications?" I think we'll choose a much lower number.

+1

> Another benefit of a lower number is to harden Tomcat in advance against future vulnerabilities like CVE-2023-24998.
>
> I was wondering about a new default of 1000 or maybe even 500. This would certainly be for 11.0.x. I think it should be back-ported but maybe in stages (5000, 3000, 2000, 1000) and/or delayed so it is reduced in 10.1.x for a few releases before we reduce it in 9.0.x and then a few more releases before we reduce it in 8.5.x.
>
> Thoughts?

+1 for 1000. 500 seems insane to me but I'm sure there is some application out there which uses 1000 parameters instead of JSON, etc. for some reason.

A potential use-case for "large numbers of parameters" might be an application that uses something like a multi-select list and the number of choices is stupendously high. As in, when the application was designed, the designers said "we can use a multi-select list for this postal-code selector" and then 5-10 years later, someone said "hey let's dump all postal codes in the entire US into this multi-select" and there you have thousands of possibilities which the browser will happily package-off to the server.

-chris
[tomcat] branch 9.0.x updated: Remove unnecessary duplication of Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new a1e60f36b4 Remove unnecessary duplication of Javadoc a1e60f36b4 is described below commit a1e60f36b4da8c248ba5386c6b668e5bcbed3d8e Author: Mark Thomas AuthorDate: Thu Mar 9 14:00:30 2023 + Remove unnecessary duplication of Javadoc --- java/org/apache/catalina/Valve.java| 6 +++- .../catalina/authenticator/AuthenticatorBase.java | 32 -- .../authenticator/NonLoginAuthenticator.java | 3 -- java/org/apache/catalina/valves/ValveBase.java | 24 ++-- 4 files changed, 13 insertions(+), 52 deletions(-) diff --git a/java/org/apache/catalina/Valve.java b/java/org/apache/catalina/Valve.java index d97545e3b4..b5a79954c7 100644 --- a/java/org/apache/catalina/Valve.java +++ b/java/org/apache/catalina/Valve.java @@ -43,7 +43,11 @@ public interface Valve { //-- Properties /** - * @return the next Valve in the pipeline containing this Valve, if any. + * Returns the next Valve in this pipeline, or null if this is + * the last Valve in the pipeline. + * + * @return the next Valve in the pipeline containing this Valve, or + * null if this is the last Valve in the pipeline. */ Valve getNext(); diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index fc9bf8bea4..2dbaa7c312 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
@@ -262,29 +262,18 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat this.cache = cache; } -/** - * Return the Container to which this Valve is attached. - */ @Override public Container getContainer() { return this.context; } -/** - * Set the Container to which this Valve is attached. - * - * @param container The container to which we are attached - */ @Override public void setContainer(Container container) { - if (container != null && !(container instanceof Context)) { throw new IllegalArgumentException(sm.getString("authenticator.notContext")); } - super.setContainer(container); this.context = (Context) container; - } /** @@ -1146,6 +1135,11 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat register(request, request.getResponse(), principal, getAuthMethod(), username, password); } +/** + * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + * + * @return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + */ protected abstract String getAuthMethod(); /** @@ -1201,13 +1195,6 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Start this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#startInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void startInternal() throws LifecycleException { ServletContext servletContext = context.getServletContext(); 
@@ -1245,18 +1232,9 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Stop this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void stopInternal() throws LifecycleException { - super.stopInternal(); - sso = null; } diff --git a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java index db9133f475..ba836c20e9 100644 --- a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java +++ b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java @@ -97,9 +97,6 @@ public final class NonLoginAuthenticator extends AuthenticatorBase { } -/** - * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. - */ @Override protected String getAuthMethod() { return "NON
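Review bot: the Javadoc added to `getAuthMethod()` in the `@@ -1146,6 +1135,11 @@` hunk states the same sentence twice, once as the description and once as the `@return` text, which is exactly the kind of duplication this commit sets out to remove; keeping only `@return the authentication method, which is vendor-specific and not defined by HttpServletRequest` says everything the two lines say. The `NonLoginAuthenticator` hunk that drops the old comment from the override is consistent with that, since the abstract method's Javadoc is now inherited.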
[tomcat] branch main updated (a53eece969 -> 5d5e60b1fe)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from a53eece969 Improve Javadoc add 5d5e60b1fe Remove unnecessary duplication of Javadoc No new revisions were added by this update. Summary of changes: java/org/apache/catalina/Valve.java| 6 +++- .../catalina/authenticator/AuthenticatorBase.java | 32 -- .../authenticator/NonLoginAuthenticator.java | 3 -- java/org/apache/catalina/valves/ValveBase.java | 24 ++-- 4 files changed, 13 insertions(+), 52 deletions(-)
[tomcat] branch 8.5.x updated: Remove unnecessary duplication of Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new e6744b4a40 Remove unnecessary duplication of Javadoc e6744b4a40 is described below commit e6744b4a40c677fd716ff80ee1dd1be3dc97c1a4 Author: Mark Thomas AuthorDate: Thu Mar 9 14:00:30 2023 + Remove unnecessary duplication of Javadoc --- java/org/apache/catalina/Valve.java| 6 +++- .../catalina/authenticator/AuthenticatorBase.java | 32 -- .../authenticator/NonLoginAuthenticator.java | 3 -- java/org/apache/catalina/valves/ValveBase.java | 24 ++-- 4 files changed, 13 insertions(+), 52 deletions(-) diff --git a/java/org/apache/catalina/Valve.java b/java/org/apache/catalina/Valve.java index d97545e3b4..b5a79954c7 100644 --- a/java/org/apache/catalina/Valve.java +++ b/java/org/apache/catalina/Valve.java @@ -43,7 +43,11 @@ public interface Valve { //-- Properties /** - * @return the next Valve in the pipeline containing this Valve, if any. + * Returns the next Valve in this pipeline, or null if this is + * the last Valve in the pipeline. + * + * @return the next Valve in the pipeline containing this Valve, or + * null if this is the last Valve in the pipeline. */ Valve getNext(); diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 24d82fd2a3..e25174750f 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
@@ -264,29 +264,18 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat this.cache = cache; } -/** - * Return the Container to which this Valve is attached. - */ @Override public Container getContainer() { return this.context; } -/** - * Set the Container to which this Valve is attached. - * - * @param container The container to which we are attached - */ @Override public void setContainer(Container container) { - if (container != null && !(container instanceof Context)) { throw new IllegalArgumentException(sm.getString("authenticator.notContext")); } - super.setContainer(container); this.context = (Context) container; - } /** @@ -1148,6 +1137,11 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat register(request, request.getResponse(), principal, getAuthMethod(), username, password); } +/** + * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + * + * @return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + */ protected abstract String getAuthMethod(); /** @@ -1203,13 +1197,6 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Start this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#startInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void startInternal() throws LifecycleException { ServletContext servletContext = context.getServletContext(); 
@@ -1247,18 +1234,9 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Stop this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void stopInternal() throws LifecycleException { - super.stopInternal(); - sso = null; } diff --git a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java index db9133f475..ba836c20e9 100644 --- a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java +++ b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java @@ -97,9 +97,6 @@ public final class NonLoginAuthenticator extends AuthenticatorBase { } -/** - * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. - */ @Override protected String getAuthMethod() { return "NON
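Review bot: in the `@@ -1148,6 +1137,11 @@` hunk of this 8.5.x backport, the new `getAuthMethod()` Javadoc repeats its description verbatim as the `@return` text; one of the two lines can go, leaving just `@return the authentication method, which is vendor-specific and not defined by HttpServletRequest`.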
[tomcat] branch 10.1.x updated: Remove unnecessary duplication of Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 166581b1d7 Remove unnecessary duplication of Javadoc 166581b1d7 is described below commit 166581b1d76c5ae95881ccc2183f4d9ffa096d35 Author: Mark Thomas AuthorDate: Thu Mar 9 14:00:30 2023 + Remove unnecessary duplication of Javadoc --- java/org/apache/catalina/Valve.java| 6 +++- .../catalina/authenticator/AuthenticatorBase.java | 32 -- .../authenticator/NonLoginAuthenticator.java | 3 -- java/org/apache/catalina/valves/ValveBase.java | 24 ++-- 4 files changed, 13 insertions(+), 52 deletions(-) diff --git a/java/org/apache/catalina/Valve.java b/java/org/apache/catalina/Valve.java index b986d27e80..a3704fc03b 100644 --- a/java/org/apache/catalina/Valve.java +++ b/java/org/apache/catalina/Valve.java @@ -43,7 +43,11 @@ public interface Valve { //-- Properties /** - * @return the next Valve in the pipeline containing this Valve, if any. + * Returns the next Valve in this pipeline, or null if this is + * the last Valve in the pipeline. + * + * @return the next Valve in the pipeline containing this Valve, or + * null if this is the last Valve in the pipeline. */ Valve getNext(); diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index 6bf98bd9e2..e53ffc7297 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
@@ -263,29 +263,18 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat this.cache = cache; } -/** - * Return the Container to which this Valve is attached. - */ @Override public Container getContainer() { return this.context; } -/** - * Set the Container to which this Valve is attached. - * - * @param container The container to which we are attached - */ @Override public void setContainer(Container container) { - if (container != null && !(container instanceof Context)) { throw new IllegalArgumentException(sm.getString("authenticator.notContext")); } - super.setContainer(container); this.context = (Context) container; - } /** @@ -1147,6 +1136,11 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat register(request, request.getResponse(), principal, getAuthMethod(), username, password); } +/** + * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + * + * @return the authentication method, which is vendor-specific and not defined by HttpServletRequest. + */ protected abstract String getAuthMethod(); /** @@ -1202,13 +1196,6 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Start this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#startInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void startInternal() throws LifecycleException { ServletContext servletContext = context.getServletContext(); 
@@ -1246,18 +1233,9 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat } -/** - * Stop this component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}. - * - * @exception LifecycleException if this component detects a fatal error that prevents this component from being - * used - */ @Override protected synchronized void stopInternal() throws LifecycleException { - super.stopInternal(); - sso = null; } diff --git a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java index 40e112be01..ac786a347c 100644 --- a/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java +++ b/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java @@ -97,9 +97,6 @@ public final class NonLoginAuthenticator extends AuthenticatorBase { } -/** - * Return the authentication method, which is vendor-specific and not defined by HttpServletRequest. - */ @Override protected String getAuthMethod() { return "N
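Review bot: in the `@@ -1147,6 +1136,11 @@` hunk of this 10.1.x backport, the description and the `@return` text of the new `getAuthMethod()` Javadoc are the same sentence; a single `@return` line carries the same information without the duplication the commit is removing elsewhere.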
[tomcat] branch 9.0.x updated: Improve Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 023aa4e0d7 Improve Javadoc 023aa4e0d7 is described below commit 023aa4e0d7283c856d59e73b5f79b794e8acffc7 Author: Mark Thomas AuthorDate: Thu Mar 9 13:43:19 2023 + Improve Javadoc Remove unnecessary Javadoc on overridden methods and better document differences when they occur. --- java/javax/el/BeanELResolver.java| 3 --- java/javax/el/CompositeELResolver.java | 3 --- java/javax/el/StaticFieldELResolver.java | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java index e3823b7c8b..10d428aa51 100644 --- a/java/javax/el/BeanELResolver.java +++ b/java/javax/el/BeanELResolver.java @@ -130,9 +130,6 @@ public class BeanELResolver extends ELResolver { } } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { Objects.requireNonNull(context); diff --git a/java/javax/el/CompositeELResolver.java b/java/javax/el/CompositeELResolver.java index 61a88e6e32..bed5375929 100644 --- a/java/javax/el/CompositeELResolver.java +++ b/java/javax/el/CompositeELResolver.java @@ -67,9 +67,6 @@ public class CompositeELResolver extends ELResolver { return null; } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { context.setPropertyResolved(false); diff --git a/java/javax/el/StaticFieldELResolver.java b/java/javax/el/StaticFieldELResolver.java index 90f7eacd6e..41365a2414 100644 --- a/java/javax/el/StaticFieldELResolver.java +++ b/java/javax/el/StaticFieldELResolver.java 
@@ -186,7 +186,7 @@ public class StaticFieldELResolver extends ELResolver { } /** - * Always returns String.class. + * @return This resolver always returns String.class */ @Override public Class getCommonPropertyType(ELContext context, Object base) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
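Review bot: in the `StaticFieldELResolver` hunk the whole sentence is moved into the `@return` tag (`@return This resolver always returns String.class`), which Javadoc renders as "Returns: This resolver always returns String.class"; `@return always {@code String.class}` reads cleanly and gives the class literal code formatting.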
[tomcat] branch 8.5.x updated: Improve Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 21c16a86c2 Improve Javadoc 21c16a86c2 is described below commit 21c16a86c2f18da81f82d7808fa04e7e1d7ed426 Author: Mark Thomas AuthorDate: Thu Mar 9 13:43:19 2023 + Improve Javadoc Remove unnecessary Javadoc on overridden methods and better document differences when they occur. --- java/javax/el/BeanELResolver.java| 3 --- java/javax/el/CompositeELResolver.java | 3 --- java/javax/el/StaticFieldELResolver.java | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/java/javax/el/BeanELResolver.java b/java/javax/el/BeanELResolver.java index b9798dbc20..7226cd0bc4 100644 --- a/java/javax/el/BeanELResolver.java +++ b/java/javax/el/BeanELResolver.java @@ -134,9 +134,6 @@ public class BeanELResolver extends ELResolver { } } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { Objects.requireNonNull(context); diff --git a/java/javax/el/CompositeELResolver.java b/java/javax/el/CompositeELResolver.java index 61a88e6e32..bed5375929 100644 --- a/java/javax/el/CompositeELResolver.java +++ b/java/javax/el/CompositeELResolver.java @@ -67,9 +67,6 @@ public class CompositeELResolver extends ELResolver { return null; } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { context.setPropertyResolved(false); diff --git a/java/javax/el/StaticFieldELResolver.java b/java/javax/el/StaticFieldELResolver.java index 90f7eacd6e..41365a2414 100644 --- a/java/javax/el/StaticFieldELResolver.java +++ b/java/javax/el/StaticFieldELResolver.java 
@@ -186,7 +186,7 @@ public class StaticFieldELResolver extends ELResolver { } /** - * Always returns String.class. + * @return This resolver always returns String.class */ @Override public Class getCommonPropertyType(ELContext context, Object base) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
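Review bot: same `StaticFieldELResolver` hunk as on the other branches: the `@return` text is a full sentence ("This resolver always returns String.class") that reads oddly after the rendered "Returns:" label; `@return always {@code String.class}` is the usual form.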
[tomcat] branch 10.1.x updated: Improve Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 8c441e35b5 Improve Javadoc 8c441e35b5 is described below commit 8c441e35b525e6c29ad64173805d654087c24910 Author: Mark Thomas AuthorDate: Thu Mar 9 13:43:19 2023 + Improve Javadoc Remove unnecessary Javadoc on overridden methods and better document differences when they occur. --- java/jakarta/el/BeanELResolver.java| 3 --- java/jakarta/el/CompositeELResolver.java | 3 --- java/jakarta/el/StaticFieldELResolver.java | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/java/jakarta/el/BeanELResolver.java b/java/jakarta/el/BeanELResolver.java index 25ac2c2fe2..a909b231ea 100644 --- a/java/jakarta/el/BeanELResolver.java +++ b/java/jakarta/el/BeanELResolver.java @@ -136,9 +136,6 @@ public class BeanELResolver extends ELResolver { } } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { Objects.requireNonNull(context); diff --git a/java/jakarta/el/CompositeELResolver.java b/java/jakarta/el/CompositeELResolver.java index 5b1fa9f433..335a71b473 100644 --- a/java/jakarta/el/CompositeELResolver.java +++ b/java/jakarta/el/CompositeELResolver.java @@ -67,9 +67,6 @@ public class CompositeELResolver extends ELResolver { return null; } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { context.setPropertyResolved(false); diff --git a/java/jakarta/el/StaticFieldELResolver.java b/java/jakarta/el/StaticFieldELResolver.java index f6fcc77e1e..c72a90ce51 100644 --- a/java/jakarta/el/StaticFieldELResolver.java +++ b/java/jakarta/el/StaticFieldELResolver.java 
@@ -185,7 +185,7 @@ public class StaticFieldELResolver extends ELResolver { } /** - * Always returns String.class. + * @return This resolver always returns String.class */ @Override public Class getCommonPropertyType(ELContext context, Object base) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
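Review bot: the `@@ -185,7 +185,7 @@` hunk in `StaticFieldELResolver` puts a sentence rather than a value description after `@return`; rendered, it reads "Returns: This resolver always returns String.class". `@return always {@code String.class}` avoids the repetition and formats the literal.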
[tomcat] branch main updated: Improve Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new a53eece969 Improve Javadoc a53eece969 is described below commit a53eece969f1d861248c8244d13116df6d1db49c Author: Mark Thomas AuthorDate: Thu Mar 9 13:43:19 2023 + Improve Javadoc Remove unnecessary Javadoc on overridden methods and better document differences when they occur. --- java/jakarta/el/BeanELResolver.java| 3 --- java/jakarta/el/CompositeELResolver.java | 3 --- java/jakarta/el/StaticFieldELResolver.java | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/java/jakarta/el/BeanELResolver.java b/java/jakarta/el/BeanELResolver.java index c661730ec3..9551b43489 100644 --- a/java/jakarta/el/BeanELResolver.java +++ b/java/jakarta/el/BeanELResolver.java @@ -121,9 +121,6 @@ public class BeanELResolver extends ELResolver { } } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { Objects.requireNonNull(context); diff --git a/java/jakarta/el/CompositeELResolver.java b/java/jakarta/el/CompositeELResolver.java index 4c844371d6..2f52713ebb 100644 --- a/java/jakarta/el/CompositeELResolver.java +++ b/java/jakarta/el/CompositeELResolver.java @@ -64,9 +64,6 @@ public class CompositeELResolver extends ELResolver { return null; } -/** - * @since EL 2.2 - */ @Override public Object invoke(ELContext context, Object base, Object method, Class[] paramTypes, Object[] params) { context.setPropertyResolved(false); diff --git a/java/jakarta/el/StaticFieldELResolver.java b/java/jakarta/el/StaticFieldELResolver.java index 0e7d8a48b5..e4b32461a9 100644 --- a/java/jakarta/el/StaticFieldELResolver.java +++ b/java/jakarta/el/StaticFieldELResolver.java 
@@ -172,7 +172,7 @@ public class StaticFieldELResolver extends ELResolver { /** - * Always returns String.class. + * @return This resolver always returns String.class */ @Override public Class getCommonPropertyType(ELContext context, Object base) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
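Review bot: in the `@@ -172,7 +172,7 @@` hunk the new `@return` tag text ("This resolver always returns String.class") duplicates the "Returns:" label Javadoc already prints; `@return always {@code String.class}` is shorter and uses code formatting for the class literal.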
[GitHub] [tomcat] ChristopherSchultz commented on a diff in pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
ChristopherSchultz commented on code in PR #596: URL: https://github.com/apache/tomcat/pull/596#discussion_r1131033698 ## java/org/apache/catalina/session/DataSourceStore.java: ## 
@@ -626,15 +626,77 @@ public void save(Session session) throws IOException { byte[] obs = bos.toByteArray(); int size = obs.length; try (ByteArrayInputStream bis = new ByteArrayInputStream(obs, 0, size); -InputStream in = new BufferedInputStream(bis, size); -PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql)) { -preparedSaveSql.setString(1, session.getIdInternal()); -preparedSaveSql.setString(2, getName()); -preparedSaveSql.setBinaryStream(3, in, size); -preparedSaveSql.setString(4, session.isValid() ? "1" : "0"); -preparedSaveSql.setInt(5, session.getMaxInactiveInterval()); -preparedSaveSql.setLong(6, session.getLastAccessedTime()); -preparedSaveSql.execute(); + InputStream in = new BufferedInputStream(bis, size); + PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql, ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE)) { + +// Store auto-commit state +boolean autoCommit = _conn.getAutoCommit(); + +try { +if(autoCommit) { +_conn.setAutoCommit(false); // BEGIN TRANSACTION +} + +preparedSaveSql.setString(1, getName()); +preparedSaveSql.setString(2, session.getIdInternal()); + +ResultSet rs = preparedSaveSql.executeQuery(); + +if(rs.next()) { +// Session already exists in the db; update the various fields +rs.updateBinaryStream(sessionDataCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? "1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); +} else { +// Session does not exist. Insert. +rs.moveToInsertRow(); + +rs.updateString(sessionAppCol, getName()); +rs.updateString(sessionIdCol, session.getIdInternal()); +rs.updateBinaryStream(sessionIdCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? 
"1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); +} + +_conn.commit(); +} catch (SQLException sqle) { Review Comment: I would be okay merging them together, but we might want to use different error messages. This is one of the things I wanted to get feedback on: how important is it to say "we got an Error" vs "we got an SQLException", etc. when the actual exception and stack trace will likely be logged? I think it's probably okay to merge these exception handlers together but wanted some feedback about the logging. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
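Review bot: in the insert branch of the `save(Session)` hunk, `rs.moveToInsertRow()` is followed by `rs.updateRow()`; while the cursor is on the insert row JDBC requires `rs.insertRow()`, and `ResultSet.updateRow()` is specified to throw `SQLException` when called on the insert row, so the new-session path would fail on a compliant driver and nothing would be stored. Separately, `ResultSet rs = preparedSaveSql.executeQuery();` is declared outside the try-with-resources header and is never closed; moving it into a nested try-with-resources (or closing it in a `finally`) keeps the cursor, and with it the `FOR UPDATE` row lock, from outliving the save.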
[GitHub] [tomcat] ChristopherSchultz commented on a diff in pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
ChristopherSchultz commented on code in PR #596: URL: https://github.com/apache/tomcat/pull/596#discussion_r1131019399 ## java/org/apache/catalina/session/DataSourceStore.java: ## 
@@ -626,15 +626,77 @@ public void save(Session session) throws IOException { byte[] obs = bos.toByteArray(); int size = obs.length; try (ByteArrayInputStream bis = new ByteArrayInputStream(obs, 0, size); -InputStream in = new BufferedInputStream(bis, size); -PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql)) { -preparedSaveSql.setString(1, session.getIdInternal()); -preparedSaveSql.setString(2, getName()); -preparedSaveSql.setBinaryStream(3, in, size); -preparedSaveSql.setString(4, session.isValid() ? "1" : "0"); -preparedSaveSql.setInt(5, session.getMaxInactiveInterval()); -preparedSaveSql.setLong(6, session.getLastAccessedTime()); -preparedSaveSql.execute(); + InputStream in = new BufferedInputStream(bis, size); + PreparedStatement preparedSaveSql = _conn.prepareStatement(saveSql, ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE)) { + +// Store auto-commit state +boolean autoCommit = _conn.getAutoCommit(); + +try { +if(autoCommit) { +_conn.setAutoCommit(false); // BEGIN TRANSACTION +} + +preparedSaveSql.setString(1, getName()); +preparedSaveSql.setString(2, session.getIdInternal()); + +ResultSet rs = preparedSaveSql.executeQuery(); + +if(rs.next()) { +// Session already exists in the db; update the various fields +rs.updateBinaryStream(sessionDataCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? "1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); +} else { +// Session does not exist. Insert. +rs.moveToInsertRow(); + +rs.updateString(sessionAppCol, getName()); +rs.updateString(sessionIdCol, session.getIdInternal()); +rs.updateBinaryStream(sessionIdCol, in, size); +rs.updateString(sessionValidCol, session.isValid() ? 
"1" : "0"); +rs.updateInt(sessionMaxInactiveCol, session.getMaxInactiveInterval()); +rs.updateLong(sessionLastAccessedCol, session.getLastAccessedTime()); + +rs.updateRow(); Review Comment: Duh, thanks! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
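Review bot: in the insert branch of this hunk, `rs.updateString(sessionIdCol, session.getIdInternal());` is immediately overwritten by `rs.updateBinaryStream(sessionIdCol, in, size);`, so the serialized session replaces the id and the data column is never populated; the stream belongs in `sessionDataCol`, matching the update branch above it.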
[GitHub] [tomcat] ChristopherSchultz commented on pull request #596: Use SELECT...FOR UPDATE to update session data in the database instead of DELETE, INSERT.
ChristopherSchultz commented on PR #596: URL: https://github.com/apache/tomcat/pull/596#issuecomment-1462052065

> @ChristopherSchultz Is there a list of supported database systems with which the DataSourceStore is compatible? Are you sure that they all support "SELECT FOR UPDATE"? I tried to look that up and the "best" thing I found was https://www.sql-workbench.eu/dbms_comparison.html

Good question. I was originally going to use `MERGE` but the database I have at-hand (MariaDB) doesn't support it, so I went with `SELECT...FOR UPDATE`. It's not clear to me if the `SELECT...FOR UPDATE NOWAIT` listed in that table is specifically talking about the `NOWAIT` part of the query. For example, I know that both MariaDB and MySQL have supported `SELECT...FOR UPDATE` for a long time, but the entry for MySQL states "_Since 8.0_" and MariaDB says "_No_". A quick check of the [HSQLDB Documentation](http://hsqldb.org/doc/2.0/guide/dataaccess-chapt.html#dac_jdbc_cursor_updatability) shows that `SELECT...FOR UPDATE` is available while that list claims it is not supported. Same thing with [IBM DB2](https://www.ibm.com/docs/en/informix-servers/12.10?topic=statement-update-clause) and [SQL Server](https://learn.microsoft.com/en-us/sql/odbc/reference/appendixes/processing-select-for-update-statements?view=sql-server-ver16). But it's clear that not all RDBMSs support that syntax. Maybe it's not possible to write a single code-path to satisfy all major RDBMS systems. I'd be happy to change the PR to offer a selection between the two via configuration.
Buildbot failure in on tomcat-10.1.x
Build status: BUILD FAILED: failed Snapshot deployed to ASF Maven snapshot repository (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/44/builds/708 Blamelist: Mark Thomas Build Text: failed Snapshot deployed to ASF Maven snapshot repository (failure) Status Detected: new failure Build Source Stamp: [branch 10.1.x] fe6ffca0a31fc59a57fcbfec5c948c61786d7ce8 Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 2 -- ASF Buildbot
Reduce default for maxParameterCount
Hi all,

In the context of CVE-2023-24998 (performance issues for large numbers of uploaded parts), I have been wondering about reducing the default value for maxParameterCount.

The current default for maxParameterCount is 10,000. It was set based on it being low enough to mitigate CVE-2012-0022 (hash collisions in parameter names triggering performance issues) while being so high it was considered extremely unlikely to impact any web application.

The current default is sufficiently low to mitigate CVE-2023-24998. There isn't any reason I am aware of that means we need to reduce the default for maxParameterCount.

My thinking is more along the lines that when we last thought about this default in 2012, it was considered from the perspective of "How high can we set this and still be sure applications aren't exposed to CVE-2012-0022 or something like it?". If we consider it from the perspective of "How low can we make this without breaking many / most / (nearly) all applications?" I think we'll choose a much lower number.

Another benefit of a lower number is to harden Tomcat in advance against future vulnerabilities like CVE-2023-24998.

I was wondering about a new default of 1000 or maybe even 500.

This would certainly be for 11.0.x. I think it should be back-ported but maybe in stages (5000, 3000, 2000, 1000) and/or delayed so it is reduced in 10.1.x for a few releases before we reduce it in 9.0.x and then a few more releases before we reduce it in 8.5.x.

Thoughts?

Mark
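A worked illustration of what a maxParameterCount-style cap buys, added here and not Tomcat's own parameter parser: the count is checked before each pair is decoded and inserted, so hash-map work (the CVE-2012-0022 concern) and retained data (the CVE-2023-24998 concern) are bounded by the cap rather than by the request. The class and method names are my own, the sample inputs are constructed, and rejecting with an exception is a simplification of how Tomcat actually reacts when the limit is hit.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical bounded parser for application/x-www-form-urlencoded data.
 * It is an illustration of the maxParameterCount idea, not Tomcat code.
 * Requires Java 10+ for URLDecoder.decode(String, Charset).
 */
public final class BoundedParameterParser {

    /** Raised when the request carries more parameters than the cap allows. */
    public static final class TooManyParametersException extends RuntimeException {
        TooManyParametersException(int limit) {
            super("parameter count exceeds maxParameterCount=" + limit);
        }
    }

    private BoundedParameterParser() {
    }

    /**
     * Parses name=value pairs separated by '&', keeping at most
     * maxParameterCount of them. The counter is incremented and checked
     * BEFORE a pair is decoded or inserted, so an attacker-controlled
     * parameter list never causes more than maxParameterCount decodes and
     * hash-map insertions, whatever the request size.
     *
     * For simplicity the first value seen for a name wins; Tomcat keeps all
     * values.
     */
    public static Map<String, String> parse(String body, int maxParameterCount) {
        Map<String, String> params = new LinkedHashMap<>();
        if (body == null || body.isEmpty()) {
            return params;
        }
        int count = 0;
        int start = 0;
        while (start <= body.length()) {
            int end = body.indexOf('&', start);
            if (end < 0) {
                end = body.length();
            }
            String pair = body.substring(start, end);
            if (!pair.isEmpty()) {
                // Reject as soon as the cap would be exceeded; nothing about
                // this pair has been decoded or hashed yet.
                if (++count > maxParameterCount) {
                    throw new TooManyParametersException(maxParameterCount);
                }
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                params.putIfAbsent(decode(name), decode(value));
            }
            start = end + 1;
        }
        return params;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary form body stays well under the cap.
        String normal = "user=alice&zip=02134&zip=02135";
        System.out.println(parse(normal, 1000)); // {user=alice, zip=02134}

        // Constructed sample: 5000 distinct names, as a flood of parameters
        // would look; with a cap of 1000 the parser stops at pair 1001.
        StringBuilder flood = new StringBuilder();
        for (int i = 0; i < 5000; i++) {
            flood.append('p').append(i).append("=x&");
        }
        try {
            parse(flood.toString(), 1000);
        } catch (TooManyParametersException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```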
[tomcat] branch 8.5.x updated: Harden FORM authentication by limiting session duration
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 7b321d7de9 Harden FORM authentication by limiting session duration 7b321d7de9 is described below commit 7b321d7de9f2ea5ba2a75ab64c815c615b8732d6 Author: Mark Thomas AuthorDate: Thu Mar 9 10:25:00 2023 + Harden FORM authentication by limiting session duration If the session is created by the FORM authentication process, limit the duration of the session (120s by default) to limit the time the saved request body must be retained. --- .../catalina/authenticator/FormAuthenticator.java | 45 +- .../catalina/authenticator/SavedRequest.java | 15 webapps/docs/changelog.xml | 7 webapps/docs/config/valve.xml | 7 webapps/docs/security-howto.xml| 12 -- 5 files changed, 82 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index cdc357c118..a57db51776 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -27,6 +27,7 @@ import javax.servlet.RequestDispatcher; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.catalina.Realm; import org.apache.catalina.Session; 
@@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase { */ protected String landingPage = null; +/** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ +protected int authenticationSessionTimeout = 120; + // - Properties @@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase { } -// -- Protected Methods +/** + * Returns the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @return the maximum session timeout to be used during authentication if the authentication process creates a + * session + */ +public int getAuthenticationSessionTimeout() { +return authenticationSessionTimeout; +} +/** + * Configures the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @param authenticationSessionTimeout The maximum session timeout to use duriing authentication if the + * authentication process creates a session + */ +public void setAuthenticationSessionTimeout(int authenticationSessionTimeout) { +this.authenticationSessionTimeout = authenticationSessionTimeout; +} + + +// -- Protected Methods + /** * Authenticate the user making this request, based on the specified login configuration. Return true * if any specified constraint has been satisfied, or false if we have created a response challenge @@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase { request.getQueryString(); request.getProtocol(); +if (saved.getOriginalMaxInactiveInterval() > 0) { + session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval()); +} + return true; } 
@@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase { saved.setRequestURI(request.getRequestURI()); saved.setDecodedRequestURI(request.getDecodedRequestURI()); +if (session instanceof HttpSession && ((HttpSession) session).isNew()) { +int originalMaxInactiveInterval = session.getMaxInactiveInterval(); +if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) { + saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval); + session.setMaxInactiveInterval(getAuthenticationSessionTimeout()); +} +} + // Stash the SavedRequest in our session for later use session.setNote(Constants.FORM_REQUEST_NOTE, saved); } diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java b/java/org/apache/cata
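Review bot: typo in the Javadoc of setAuthenticationSessionTimeout in the @@ -111,9 +119,32 hunk: "duriing" should be "during" in "The maximum session timeout to use duriing authentication". The getter's Javadoc spells the same phrase correctly, so only the setter's @param line needs the fix.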
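Review bot: the restore in the @@ -616,6 +647,10 hunk only runs when `saved.getOriginalMaxInactiveInterval() > 0`, so a stored value of 0 or a negative value is never put back; since the Servlet API uses a negative max inactive interval to mean "never time out", a session configured that way could not have its original setting restored after authentication if the shortening path ever stores it. Storing an explicit "was shortened" indicator in SavedRequest and testing that instead of `> 0` keeps the restore correct for every legal interval, and a comment on the new SavedRequest field stating which value means "not limited" would make the contract explicit.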
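Review bot: the guard `if (originalMaxInactiveInterval > getAuthenticationSessionTimeout())` in the @@ -681,6 +716,14 hunk never shortens a newly created session whose max inactive interval is negative (never time out, in Servlet API terms), which is exactly the case in which the saved request body would otherwise be retained longest; suggest `if (originalMaxInactiveInterval < 0 || originalMaxInactiveInterval > getAuthenticationSessionTimeout())`, with the restore path adjusted to cope with a negative stored value. Separately, `session instanceof HttpSession && ((HttpSession) session).isNew()` relies on the Catalina Session implementation also implementing HttpSession; an implementation that does not will skip the hardening silently, so either an `isNew()` on the Catalina Session interface (as the main branch commit does) or at least a debug log on the skipped path would avoid a quiet no-op.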
[tomcat] branch 9.0.x updated: Harden FORM authentication by limiting session duration
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new fea89e2128 Harden FORM authentication by limiting session duration fea89e2128 is described below commit fea89e2128a8e16cfb06e91ccdb712993ab61e64 Author: Mark Thomas AuthorDate: Thu Mar 9 10:25:00 2023 + Harden FORM authentication by limiting session duration If the session is created by the FORM authentication process, limit the duration of the session (120s by default) to limit the time the saved request body must be retained. --- .../catalina/authenticator/FormAuthenticator.java | 45 +- .../catalina/authenticator/SavedRequest.java | 15 webapps/docs/changelog.xml | 7 webapps/docs/config/valve.xml | 7 webapps/docs/security-howto.xml| 12 -- 5 files changed, 82 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index cdc357c118..a57db51776 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -27,6 +27,7 @@ import javax.servlet.RequestDispatcher; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.catalina.Realm; import org.apache.catalina.Session; 
@@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase { */ protected String landingPage = null; +/** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ +protected int authenticationSessionTimeout = 120; + // - Properties @@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase { } -// -- Protected Methods +/** + * Returns the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @return the maximum session timeout to be used during authentication if the authentication process creates a + * session + */ +public int getAuthenticationSessionTimeout() { +return authenticationSessionTimeout; +} +/** + * Configures the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @param authenticationSessionTimeout The maximum session timeout to use duriing authentication if the + * authentication process creates a session + */ +public void setAuthenticationSessionTimeout(int authenticationSessionTimeout) { +this.authenticationSessionTimeout = authenticationSessionTimeout; +} + + +// -- Protected Methods + /** * Authenticate the user making this request, based on the specified login configuration. Return true * if any specified constraint has been satisfied, or false if we have created a response challenge @@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase { request.getQueryString(); request.getProtocol(); +if (saved.getOriginalMaxInactiveInterval() > 0) { + session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval()); +} + return true; } 
@@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase { saved.setRequestURI(request.getRequestURI()); saved.setDecodedRequestURI(request.getDecodedRequestURI()); +if (session instanceof HttpSession && ((HttpSession) session).isNew()) { +int originalMaxInactiveInterval = session.getMaxInactiveInterval(); +if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) { + saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval); + session.setMaxInactiveInterval(getAuthenticationSessionTimeout()); +} +} + // Stash the SavedRequest in our session for later use session.setNote(Constants.FORM_REQUEST_NOTE, saved); } diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java b/java/org/apache/cata
[tomcat] branch 10.1.x updated: Harden FORM authentication by limiting session duration
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new fe6ffca0a3 Harden FORM authentication by limiting session duration fe6ffca0a3 is described below commit fe6ffca0a31fc59a57fcbfec5c948c61786d7ce8 Author: Mark Thomas AuthorDate: Thu Mar 9 10:25:00 2023 + Harden FORM authentication by limiting session duration If the session is created by the FORM authentication process, limit the duration of the session (120s by default) to limit the time the saved request body must be retained. --- .../catalina/authenticator/FormAuthenticator.java | 45 +- .../catalina/authenticator/SavedRequest.java | 15 webapps/docs/changelog.xml | 7 webapps/docs/config/valve.xml | 7 webapps/docs/security-howto.xml| 12 -- 5 files changed, 82 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 5abdb07998..2876a2d04c 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -27,6 +27,7 @@ import jakarta.servlet.RequestDispatcher; import jakarta.servlet.http.Cookie; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpSession; import org.apache.catalina.Realm; import org.apache.catalina.Session; 
@@ -68,6 +69,13 @@ public class FormAuthenticator extends AuthenticatorBase { */ protected String landingPage = null; +/** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ +protected int authenticationSessionTimeout = 120; + // - Properties @@ -111,9 +119,32 @@ public class FormAuthenticator extends AuthenticatorBase { } -// -- Protected Methods +/** + * Returns the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @return the maximum session timeout to be used during authentication if the authentication process creates a + * session + */ +public int getAuthenticationSessionTimeout() { +return authenticationSessionTimeout; +} +/** + * Configures the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @param authenticationSessionTimeout The maximum session timeout to use duriing authentication if the + * authentication process creates a session + */ +public void setAuthenticationSessionTimeout(int authenticationSessionTimeout) { +this.authenticationSessionTimeout = authenticationSessionTimeout; +} + + +// -- Protected Methods + /** * Authenticate the user making this request, based on the specified login configuration. Return true * if any specified constraint has been satisfied, or false if we have created a response challenge @@ -616,6 +647,10 @@ public class FormAuthenticator extends AuthenticatorBase { request.getQueryString(); request.getProtocol(); +if (saved.getOriginalMaxInactiveInterval() > 0) { + session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval()); +} + return true; } 
@@ -681,6 +716,14 @@ public class FormAuthenticator extends AuthenticatorBase { saved.setRequestURI(request.getRequestURI()); saved.setDecodedRequestURI(request.getDecodedRequestURI()); +if (session instanceof HttpSession && ((HttpSession) session).isNew()) { +int originalMaxInactiveInterval = session.getMaxInactiveInterval(); +if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) { + saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval); + session.setMaxInactiveInterval(getAuthenticationSessionTimeout()); +} +} + // Stash the SavedRequest in our session for later use session.setNote(Constants.FORM_REQUEST_NOTE, saved); } diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java b/java/org
[tomcat] branch main updated: Harden FORM authentication by limiting session duration
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new d5ead98581 Harden FORM authentication by limiting session duration d5ead98581 is described below commit d5ead9858102f215abcb829689179d969fd1dbb7 Author: Mark Thomas AuthorDate: Thu Mar 9 10:25:00 2023 + Harden FORM authentication by limiting session duration If the session is created by the FORM authentication process, limit the duration of the session (120s by default) to limit the time the saved request body must be retained. --- java/org/apache/catalina/Session.java | 9 + .../catalina/authenticator/FormAuthenticator.java | 44 +- .../catalina/authenticator/SavedRequest.java | 15 .../apache/catalina/manager/DummyProxySession.java | 5 +++ webapps/docs/changelog.xml | 7 webapps/docs/config/valve.xml | 7 webapps/docs/security-howto.xml| 12 -- 7 files changed, 95 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/Session.java b/java/org/apache/catalina/Session.java index 4ec7aca0ed..da3a4f2b55 100644 --- a/java/org/apache/catalina/Session.java +++ b/java/org/apache/catalina/Session.java @@ -206,6 +206,15 @@ public interface Session { void setMaxInactiveInterval(int interval); +/** + * Returns whether the session was created during the current request. + * + * @return {@code true} if the session was created during the current + * request. + */ +boolean isNew(); + + /** * Set the isNew flag for this session. * diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 5abdb07998..9ac928caae 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java 
@@ -68,6 +68,13 @@ public class FormAuthenticator extends AuthenticatorBase { */ protected String landingPage = null; +/** + * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the + * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that + * exist before the authentication process starts will retain their original session timeout throughout. + */ +protected int authenticationSessionTimeout = 120; + // - Properties @@ -111,9 +118,32 @@ public class FormAuthenticator extends AuthenticatorBase { } -// -- Protected Methods +/** + * Returns the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @return the maximum session timeout to be used during authentication if the authentication process creates a + * session + */ +public int getAuthenticationSessionTimeout() { +return authenticationSessionTimeout; +} +/** + * Configures the maximum session timeout to be used during authentication if the authentication process creates a + * session. + * + * @param authenticationSessionTimeout The maximum session timeout to use duriing authentication if the + * authentication process creates a session + */ +public void setAuthenticationSessionTimeout(int authenticationSessionTimeout) { +this.authenticationSessionTimeout = authenticationSessionTimeout; +} + + +// -- Protected Methods + /** * Authenticate the user making this request, based on the specified login configuration. Return true * if any specified constraint has been satisfied, or false if we have created a response challenge @@ -616,6 +646,10 @@ public class FormAuthenticator extends AuthenticatorBase { request.getQueryString(); request.getProtocol(); +if (saved.getOriginalMaxInactiveInterval() > 0) { + session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval()); +} + return true; } 
@@ -681,6 +715,14 @@ public class FormAuthenticator extends AuthenticatorBase { saved.setRequestURI(request.getRequestURI()); saved.setDecodedRequestURI(request.getDecodedRequestURI()); +if (session.isNew()) { +int originalMaxInactiveInterval = session.getMaxInactiveInterval(); +if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) { + saved.setOriginalMaxInactiveInt
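Review bot: adding `boolean isNew()` to the `org.apache.catalina.Session` interface in the Session.java hunk is a source-incompatible change for any third-party class implementing Session (the in-tree DummyProxySession needed the matching update listed in the file summary), so the changelog entry should call out the new interface method explicitly. The Javadoc "created during the current request" would also be clearer if it mirrored the HttpSession.isNew() contract (the client does not yet know about, or has not joined, the session), since FormAuthenticator uses it as the signal that the authentication process created the session and that is the property the @@ -681,6 +715,14 hunk depends on.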
[tomcat] branch 8.5.x updated: Fix grammar
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 61a48cfb59 Fix grammar 61a48cfb59 is described below commit 61a48cfb595ba60f0e1c97a9273d28fbff07412a Author: Mark Thomas AuthorDate: Thu Mar 9 09:52:32 2023 + Fix grammar --- webapps/docs/security-howto.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 0a8f4fa6b6..d2cd44127c 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -561,11 +561,11 @@ text. Web applications using these authentication mechanisms with clients connecting over untrusted networks should use SSL. -The session cookie for a session with an authenticated user are nearly -as useful as the user's password to an attacker and in nearly all -circumstances should be afforded the same level of protection as the -password itself. This usually means authenticating over SSL and continuing -to use SSL until the session ends. +The session cookie for a session with an authenticated user is nearly as +useful as the user's password to an attacker and should be afforded the same +level of protection as the password itself. This usually means +authenticating over SSL and continuing to use SSL until the session +ends. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Fix grammar
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new d0642b50d8 Fix grammar d0642b50d8 is described below commit d0642b50d8972428619a8a17327973a0031587bf Author: Mark Thomas AuthorDate: Thu Mar 9 09:52:32 2023 + Fix grammar --- webapps/docs/security-howto.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 0dc8a24f59..1529af5659 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -561,11 +561,11 @@ text. Web applications using these authentication mechanisms with clients connecting over untrusted networks should use SSL. -The session cookie for a session with an authenticated user are nearly -as useful as the user's password to an attacker and in nearly all -circumstances should be afforded the same level of protection as the -password itself. This usually means authenticating over SSL and continuing -to use SSL until the session ends. +The session cookie for a session with an authenticated user is nearly as +useful as the user's password to an attacker and should be afforded the same +level of protection as the password itself. This usually means +authenticating over SSL and continuing to use SSL until the session +ends. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Fix grammar
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 4cd826addb Fix grammar 4cd826addb is described below commit 4cd826addb000e33086de05afdff3aca7f316ae1 Author: Mark Thomas AuthorDate: Thu Mar 9 09:52:32 2023 + Fix grammar --- webapps/docs/security-howto.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index d2edb4a3d2..73c228000e 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -551,11 +551,11 @@ text. Web applications using these authentication mechanisms with clients connecting over untrusted networks should use SSL. -The session cookie for a session with an authenticated user are nearly -as useful as the user's password to an attacker and in nearly all -circumstances should be afforded the same level of protection as the -password itself. This usually means authenticating over SSL and continuing -to use SSL until the session ends. +The session cookie for a session with an authenticated user is nearly as +useful as the user's password to an attacker and should be afforded the same +level of protection as the password itself. This usually means +authenticating over SSL and continuing to use SSL until the session +ends. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Fix grammar
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 0a13efb7c4 Fix grammar 0a13efb7c4 is described below commit 0a13efb7c423dd1caffb984a491d6e10507516a1 Author: Mark Thomas AuthorDate: Thu Mar 9 09:52:32 2023 + Fix grammar --- webapps/docs/security-howto.xml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index a271988a25..98e2b3cb0b 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -531,11 +531,11 @@ text. Web applications using these authentication mechanisms with clients connecting over untrusted networks should use SSL. -The session cookie for a session with an authenticated user are nearly -as useful as the user's password to an attacker and in nearly all -circumstances should be afforded the same level of protection as the -password itself. This usually means authenticating over SSL and continuing -to use SSL until the session ends. +The session cookie for a session with an authenticated user is nearly as +useful as the user's password to an attacker and should be afforded the same +level of protection as the password itself. This usually means +authenticating over SSL and continuing to use SSL until the session +ends. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Update meaning of maxParameterCount to include uploaded files
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 71ed8cd98d Update meaning of maxParameterCount to include uploaded files 71ed8cd98d is described below commit 71ed8cd98d4152aa15fe210d51c40f8a83c9c700 Author: Mark Thomas AuthorDate: Thu Mar 9 09:48:04 2023 + Update meaning of maxParameterCount to include uploaded files --- webapps/docs/security-howto.xml | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index b0278e40cf..0a8f4fa6b6 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -287,10 +287,12 @@ duration of the authentication (which may be many minutes) so this is limited to 4KB by default to reduce exposure to a DOS attack. - The maxParameterCount attribute controls the - maximum number of parameter and value pairs (GET plus POST) that can - be parsed and stored in the request. Excessive parameters are ignored. - If you want to reject such requests, configure a + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a FailedRequestFilter. The xpoweredBy attribute controls whether or not the - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Update meaning of maxParameterCount to include uploaded files
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 1679ced19a Update meaning of maxParameterCount to include uploaded files 1679ced19a is described below commit 1679ced19a932395c216320ab8c1bcaa1780f8bc Author: Mark Thomas AuthorDate: Thu Mar 9 09:48:04 2023 + Update meaning of maxParameterCount to include uploaded files --- webapps/docs/security-howto.xml | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 3ef294dbce..0dc8a24f59 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -287,10 +287,12 @@ duration of the authentication (which may be many minutes) so this is limited to 4KB by default to reduce exposure to a DOS attack. - The maxParameterCount attribute controls the - maximum number of parameter and value pairs (GET plus POST) that can - be parsed and stored in the request. Excessive parameters are ignored. - If you want to reject such requests, configure a + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a FailedRequestFilter. The xpoweredBy attribute controls whether or not the - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 10.1.x updated: Update meaning of maxParameterCount to include uploaded files
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 8a7ea2bc4e Update meaning of maxParameterCount to include uploaded files 8a7ea2bc4e is described below commit 8a7ea2bc4ec958e91fe224c9f2eaf4f03b16a5a7 Author: Mark Thomas AuthorDate: Thu Mar 9 09:48:04 2023 + Update meaning of maxParameterCount to include uploaded files --- webapps/docs/security-howto.xml | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index c437558f11..d2edb4a3d2 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -299,10 +299,12 @@ duration of the authentication (which may be many minutes) so this is limited to 4KB by default to reduce exposure to a DOS attack. - The maxParameterCount attribute controls the - maximum number of parameter and value pairs (GET plus POST) that can - be parsed and stored in the request. Excessive parameters are ignored. - If you want to reject such requests, configure a + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a FailedRequestFilter. The xpoweredBy attribute controls whether or not the - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Update meaning of maxParameterCount to include uploaded files
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new b6837648fc Update meaning of maxParameterCount to include uploaded files b6837648fc is described below commit b6837648fc4d7d07be58adfb13cab6dd9177c27b Author: Mark Thomas AuthorDate: Thu Mar 9 09:48:04 2023 + Update meaning of maxParameterCount to include uploaded files --- webapps/docs/security-howto.xml | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index d0cdf3e946..a271988a25 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -266,10 +266,12 @@ duration of the authentication (which may be many minutes) so this is limited to 4KB by default to reduce exposure to a DOS attack. - The maxParameterCount attribute controls the - maximum number of parameter and value pairs (GET plus POST) that can - be parsed and stored in the request. Excessive parameters are ignored. - If you want to reject such requests, configure a + The maxParameterCount attribute controls the maximum + total number of request parameters (including uploaded files) obtained + from the query string and, for POST requests, the request body if the + content type is application/x-www-form-urlencoded or + multipart/form-data. Excessive parameters are ignored. If you + want to reject such requests, configure a FailedRequestFilter. The xpoweredBy attribute controls whether or not the - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Try and keep attributes in alphabetical order
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 73e638440f Try and keep attributes in alphabetical order 73e638440f is described below commit 73e638440f1ce894dcaad769b8f4cbd8d2e07c61 Author: Mark Thomas AuthorDate: Thu Mar 9 09:38:29 2023 + Try and keep attributes in alphabetical order --- webapps/docs/config/valve.xml | 80 +-- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index 0d6ac1afe2..7599493947 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -1465,6 +1465,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1520,14 +1528,6 @@ true. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1610,6 +1610,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is 
@@ -1702,14 +1710,6 @@ authentication always fails. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1781,6 +1781,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the behavior of the FORM authentication process if the process is misused, for example by directly requesting the login page @@ -1843,14 +1851,6 @@ If not specified, the default value is false. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1922,6 +1922,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1958,14 +1966,6 @@ specified, the platform default provider will be used. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - 
@@ -2061,6 +2061,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The name of the JAAS login configuration to be used to login as the service. If not specified, the default of @@ -2144,14 +2152,6 @@ will be used. - -Name of the Java class of the -javax.securi
[tomcat] branch 9.0.x updated: Try and keep attributes in alphabetical order
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 87b268a95d Try and keep attributes in alphabetical order 87b268a95d is described below commit 87b268a95db63fc5dc8f64b8383fea8502a2d207 Author: Mark Thomas AuthorDate: Thu Mar 9 09:38:29 2023 + Try and keep attributes in alphabetical order --- webapps/docs/config/valve.xml | 80 +-- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index 13b8e78372..906aaa460d 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -1465,6 +1465,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1520,14 +1528,6 @@ true. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1610,6 +1610,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is 
@@ -1702,14 +1710,6 @@ authentication always fails. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1781,6 +1781,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the behavior of the FORM authentication process if the process is misused, for example by directly requesting the login page @@ -1843,14 +1851,6 @@ If not specified, the default value is false. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1922,6 +1922,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1958,14 +1966,6 @@ specified, the platform default provider will be used. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - 
@@ -2061,6 +2061,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The name of the JAAS login configuration to be used to login as the service. If not specified, the default of @@ -2144,14 +2152,6 @@ will be used. - -Name of the Java class of the -javax.securi
[tomcat] branch 10.1.x updated: Try and keep attributes in alphabetical order
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new f467bfe15c Try and keep attributes in alphabetical order f467bfe15c is described below commit f467bfe15c37c0975fb09be8960397c2d0b7b787 Author: Mark Thomas AuthorDate: Thu Mar 9 09:38:29 2023 + Try and keep attributes in alphabetical order --- webapps/docs/config/valve.xml | 80 +-- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index da187ebacd..35c1f3f3ac 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -1464,6 +1464,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1519,14 +1527,6 @@ true. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1609,6 +1609,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is 
@@ -1701,14 +1709,6 @@ authentication always fails. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1780,6 +1780,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the behavior of the FORM authentication process if the process is misused, for example by directly requesting the login page @@ -1842,14 +1850,6 @@ If not specified, the default value is false. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1921,6 +1921,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1957,14 +1965,6 @@ specified, the platform default provider will be used. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - 
@@ -2060,6 +2060,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The name of the JAAS login configuration to be used to login as the service. If not specified, the default of @@ -2143,14 +2151,6 @@ will be used. - -Name of the Java class of the -javax.secu
[tomcat] branch main updated: Try and keep attributes in alphabetical order
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 02d21de32c Try and keep attributes in alphabetical order 02d21de32c is described below commit 02d21de32c34b8762233a63cdd3c663e946e8742 Author: Mark Thomas AuthorDate: Thu Mar 9 09:38:29 2023 + Try and keep attributes in alphabetical order --- webapps/docs/config/valve.xml | 80 +-- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index fc27e20c40..0d13e839ff 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -1464,6 +1464,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1519,14 +1527,6 @@ true. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1609,6 +1609,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The secret key used by digest authentication. If not set, a secure random value is generated. This should normally only be set when it is 
@@ -1701,14 +1709,6 @@ authentication always fails. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1780,6 +1780,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the behavior of the FORM authentication process if the process is misused, for example by directly requesting the login page @@ -1842,14 +1850,6 @@ If not specified, the default value is false. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - @@ -1921,6 +1921,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + Controls the caching of pages that are protected by security constraints. Setting this to false may help work around @@ -1957,14 +1965,6 @@ specified, the platform default provider will be used. - -Name of the Java class of the -javax.security.auth.callback.CallbackHandler implementation -which should be used by JASPIC. If none is specified the default - org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl -will be used. - - 
@@ -2060,6 +2060,14 @@ true will be used. + +Name of the Java class of the +javax.security.auth.callback.CallbackHandler implementation +which should be used by JASPIC. If none is specified the default + org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl +will be used. + + The name of the JAAS login configuration to be used to login as the service. If not specified, the default of @@ -2143,14 +2151,6 @@ will be used. - -Name of the Java class of the -javax.security
[Bug 66508] Tomcat after a GC pause causes the HTTP threads to be blocked to acquire a semaphore to process WebSockets connection closure.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66508

--- Comment #7 from Mark Thomas ---

If it helps, a dev build with the fix is available from:
https://people.apache.org/~markt/dev/v9.0.74-dev/

Note:
- this is not an official release
- use it at your own risk
Re: Rate Limiter Filter or Valve
On Wed, Mar 8, 2023 at 8:37 PM Igal Sapir wrote:
>
> All,
>
> I would like to add a Rate Limiter Filter or Valve which will help mitigate
> DoS and Brute Force attacks, and want to get feedback from the community
> and the PMC. The checks will run before the request reaches the servlet,
> and the request will be dropped if too many requests arrive from the same
> IP address within a certain time window.
>
> It has been suggested that a Valve might be the better choice because it
> can be set up on a Host or Engine level, but in my opinion a Filter is a
> good choice for the following reasons:
>
> 1) While in the past it was common to reuse the same server for different
> applications due to costs and challenges in setting up servers, nowadays it
> is more common to set up a single application per server, many times in a
> containerized environment, so setting up a Rate Limiter on a Host or Engine
> does not offer much benefit over setting it up on the Context level.
>
> 2) Different applications have different requirements. In fact, different
> URIs of the same application could have different requirements: a Login /
> Authentication script expects far fewer requests from a single IP address
> compared to a Dashboard page, for example. Filter mapping allows us to map
> different URIs to different configurations.
>
> 3) Filters are part of the Servlet spec, and therefore more users are
> familiar with them and know how to configure them.
>
> Either way it is implemented, I propose the following requirements for the
> Rate Limiter itself (with the possibility of adding some of the features
> later):
>
> A) Low overhead - The checks will take place with every request so the
> implementation must be efficient and make good utilization of resources.
>
> B) Close approximation is good enough - If a URI is configured to allow 300
> requests per minute and instead it allows 300 requests per 1:05 minute
> before dropping the requests then that should be good enough, if that
> allows the implementation to be more efficient with computation time and
> memory consumption. The approximation can offer leniency but not
> strictness, meaning that it's ok if it allows more requests than the
> configured value, but not less.
>
> C) Drop excessive requests - Requests from an IP that exceeds the allowed
> limit will be dropped and "429 Too Many Requests" will be returned to the
> client.
>
> D) Tag only mode - If configured as such, then rather than dropping the
> request with a 429 error code, a Request Attribute will be set and that
> would allow the Servlet to determine what to do next, e.g. it might allow
> authenticated clients more requests than it would to unauthenticated
> clients.
>
> E) Allow list of URI patterns - Static resources have very little overhead,
> so requests for "*.jpg" or "*.png" should not be counted by the Rate
> Limiter.
>
> F) Allow list of IP addresses - Known IP addresses that are used by your
> organization, or 3rd party partners, should not be blocked.
>
> G) Block list of IP addresses - Repeat offenders can be added automatically
> to the block list for 4 hours, for example, preventing them from hitting
> the server each minute and contributing to a DDoS attack.
>
> H) Logging
>
> Please offer your thoughts and ideas.

That's a good feature idea overall. Of course, no matter what you do, it's
going to be better if done on a front end server, and any serious setup will
do it like that. As for filter or valve, well, it's your choice ;)

Rémy
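The per-IP limiter sketched by requirements A to G above (all but the URI allow list, E), as an added example that is not part of this thread or of Tomcat's code base; the class name IpRateLimiter, its Decision enum and the constructed addresses are assumptions made here, and wiring it into a Filter (sending the 429 or setting the request attribute) is left to the caller.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Hypothetical per-IP limiter illustrating requirements A-D, F and G of the
 * proposal; it is not Tomcat's code. Time is cut into fixed windows of
 * windowMillis, so one client can obtain up to 2 * maxRequests across a single
 * window boundary: lenient, never strict, which is what requirement B allows.
 */
public final class IpRateLimiter {
    /** REJECTED maps to "429 Too Many Requests"; TAGGED is tag-only mode (D). */
    public enum Decision { ALLOWED, TAGGED, REJECTED }
    private final int maxRequests;              // e.g. 300 per window
    private final long windowMillis;            // e.g. 60_000 for "per minute"
    private final boolean tagOnly;
    private final long blockMillis;             // auto-block duration for repeat offenders (G)
    private final Set<String> allowListedIps;   // never limited (F)
    // key = ip + '#' + window index -> requests seen in that window; one map op per request (A)
    private final Map<String, AtomicInteger> counters = new ConcurrentHashMap<>();
    private final Map<String, Long> blockedUntil = new ConcurrentHashMap<>();
    private volatile long currentWindow = -1;

    public IpRateLimiter(int maxRequests, long windowMillis, boolean tagOnly,
                         long blockMillis, Set<String> allowListedIps) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
        this.tagOnly = tagOnly;
        this.blockMillis = blockMillis;
        this.allowListedIps = allowListedIps;
    }

    /** Called once per request before it reaches the servlet; the clock is injected for testing. */
    public Decision check(String ip, long nowMillis) {
        if (allowListedIps.contains(ip)) return Decision.ALLOWED;
        Long until = blockedUntil.get(ip);
        if (until != null && until > nowMillis) return tagOnly ? Decision.TAGGED : Decision.REJECTED;
        long window = nowMillis / windowMillis;
        evictOldWindows(window);
        int seen = counters.computeIfAbsent(ip + '#' + window, k -> new AtomicInteger())
                           .incrementAndGet();
        if (seen <= maxRequests) return Decision.ALLOWED;
        if (seen > 2 * maxRequests) {   // still hammering well past the limit: block it (G)
            blockedUntil.put(ip, nowMillis + blockMillis);
        }
        return tagOnly ? Decision.TAGGED : Decision.REJECTED;
    }

    /** Once per window change, drop stale counters and expired blocks so memory stays bounded. */
    private void evictOldWindows(long window) {
        if (window == currentWindow) return;
        currentWindow = window;    // racing threads may both evict; harmless for an approximation
        String keep = "#" + window;
        counters.keySet().removeIf(k -> !k.endsWith(keep));
        blockedUntil.values().removeIf(t -> t <= window * windowMillis);
    }

    public static void main(String[] args) {
        // Constructed scenario: 300 requests per minute, 4 hour auto-block, 10.0.0.1 trusted.
        IpRateLimiter limiter = new IpRateLimiter(300, 60_000L, false, 4L * 3_600_000L, Set.of("10.0.0.1"));
        long t = 1_000_000L;
        Decision last = Decision.ALLOWED;
        for (int i = 0; i < 301; i++) last = limiter.check("198.51.100.7", t);
        System.out.println("301st request in the window: " + last);
        System.out.println("trusted address: " + limiter.check("10.0.0.1", t));
        System.out.println("same client, next window: " + limiter.check("198.51.100.7", t + 60_000L));
    }
}
```

A Filter would call check() with the client address and, on REJECTED, send status 429 without invoking the chain; on TAGGED it would set a request attribute and continue, which is the tag-only behaviour of requirement D.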