Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

2022-04-28 Thread Christopher Schultz

Kaushal,

On 4/28/22 15:37, Kaushal Shriyan wrote:

On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu  wrote:


This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html


Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable HTTP
Strict Transport Security (HSTS)? I will be unable to run the tomcat service on
port 443 as it is a privileged port for the root user only. Currently I am
running the tomcat service as the tomcat user on port 8080.


You must use HTTPS to connect to a server in order for the HSTS header 
to be respected.


https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

"Note: The Strict-Transport-Security header is ignored by the browser 
when your site is accessed using HTTP; this is because an attacker may 
intercept HTTP connections and inject the header or remove it. When your 
site is accessed over HTTPS with no certificate errors, the browser 
knows your site is HTTPS capable and will honor the 
Strict-Transport-Security header."

Is your server available via https:// ? If you are running on port 80, 
that doesn't tell us if it's encrypted.


If you are enabling HSTS, how do you expect users to connect to your 
service if you are running non-secure HTTP on port 8080?


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
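To make the two conditions in Chris's reply concrete (a browser only honours the header on an HTTPS response with a trusted certificate, and the value has to parse), here is an added example that is not code from the thread or from Tomcat: a small Java class that parses a Strict-Transport-Security value as RFC 6797 defines it and reports what a browser would do with it. The class and method names are this example's own; the sample header values in main() are constructed, built from the max-age and includeSubDomains settings in the poster's web.xml.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Parses a Strict-Transport-Security header (RFC 6797) and reports what a browser would do with it. */
public final class HstsCheck {

    public static final long ONE_YEAR = 31_536_000L;   // the hstsMaxAgeSeconds value used in the thread

    /** Parsed directives; parse() returns null for a value browsers must ignore as malformed. */
    public static final class Policy {
        public final long maxAgeSeconds;
        public final boolean includeSubDomains;
        public final boolean preload;

        Policy(long maxAgeSeconds, boolean includeSubDomains, boolean preload) {
            this.maxAgeSeconds = maxAgeSeconds;
            this.includeSubDomains = includeSubDomains;
            this.preload = preload;
        }
    }

    public static Policy parse(String headerValue) {
        if (headerValue == null) return null;
        Long maxAge = null;
        boolean includeSubDomains = false, preload = false;
        Set<String> seen = new HashSet<>();
        for (String raw : headerValue.split(";")) {
            String directive = raw.trim();
            if (directive.isEmpty()) continue;
            int eq = directive.indexOf('=');
            String name = (eq < 0 ? directive : directive.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            String value = eq < 0 ? null : directive.substring(eq + 1).trim();
            if (!seen.add(name)) return null;                    // RFC 6797: each directive at most once
            if (name.equals("max-age")) {
                if (value != null && value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1); // quoted delta-seconds are legal
                }
                if (value == null || !value.matches("\\d{1,15}")) return null;
                maxAge = Long.parseLong(value);
            } else if (name.equals("includesubdomains")) {
                includeSubDomains = true;
            } else if (name.equals("preload")) {
                preload = true;
            }                                                    // unknown directives are ignored, not fatal
        }
        return maxAge == null ? null : new Policy(maxAge, includeSubDomains, preload); // max-age is required
    }

    /** Findings for a response fetched over the given scheme, with or without a trusted certificate. */
    public static List<String> evaluate(String scheme, boolean certificateTrusted, String headerValue) {
        List<String> findings = new ArrayList<>();
        if (!"https".equalsIgnoreCase(scheme)) {
            findings.add("IGNORED: browsers discard HSTS received over plain HTTP (e.g. port 8080)");
        } else if (!certificateTrusted) {
            findings.add("IGNORED: a certificate error makes the browser discard the header");
        } else if (headerValue == null) {
            findings.add("MISSING: no Strict-Transport-Security header on the HTTPS response");
        } else {
            Policy p = parse(headerValue);
            if (p == null) {
                findings.add("IGNORED: malformed header value: " + headerValue);
            } else if (p.maxAgeSeconds == 0) {
                findings.add("CLEARED: max-age=0 tells the browser to forget this host's policy");
            } else {
                if (p.maxAgeSeconds < ONE_YEAR) findings.add("WEAK: max-age " + p.maxAgeSeconds + " is below one year");
                if (!p.includeSubDomains) findings.add("NOTE: no includeSubDomains, subdomains stay reachable over HTTP");
                if (findings.isEmpty()) findings.add("OK: honoured for " + p.maxAgeSeconds + "s" + (p.preload ? ", preload requested" : ""));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed inputs: the value the thread's filter settings produce, plus common failure modes.
        String fromFilter = "max-age=31536000;includeSubDomains";
        System.out.println(evaluate("http", true, fromFilter));                        // ignored: plain HTTP on 8080
        System.out.println(evaluate("https", true, fromFilter));                       // OK
        System.out.println(evaluate("https", true, null));                             // missing
        System.out.println(evaluate("https", true, "max-age=600; max-age=31536000"));  // malformed: duplicate
        System.out.println(evaluate("https", false, fromFilter));                      // ignored: cert error
    }
}
```

Two checks worth doing before re-running the SSL Labs scan. First, Tomcat's HttpHeaderSecurityFilter only sets the header when request.isSecure() is true, so with the web.xml from the thread it will never appear on a plain-HTTP connector on 8080, and behind a TLS-terminating proxy the connector needs secure="true" or a RemoteIpValve/RemoteIpFilter that maps X-Forwarded-Proto before the filter sees a secure request; `curl -sI https://host:8443/ | grep -i strict-transport-security` shows quickly whether the header is being emitted. Second, HSTS needs HTTPS, not port 443 specifically, so listening on 8443 as the tomcat user is fine for users who already use :8443 URLs; but a browser that remembers the policy rewrites a plain http://host/ link to https://host/ on port 443, so something (an iptables redirect, a reverse proxy, or CAP_NET_BIND_SERVICE on the JVM) still has to answer there for those links to keep working.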



Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

2022-04-28 Thread Kaushal Shriyan
On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu  wrote:

> This is what I am using. Hope this helps.
>
> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html


Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable HTTP
Strict Transport Security (HSTS)? I will be unable to run the tomcat service on
port 443 as it is a privileged port for the root user only. Currently I am
running the tomcat service as the tomcat user on port 8080.

Please suggest further. Thanks in advance

Best Regards,

Kaushal


Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

2022-04-28 Thread Peter Chiu
This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

On Thu, Apr 28, 2022 at 3:11 PM Kaushal Shriyan 
wrote:

> Hi,
>
> I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009
> (Core) and trying to configure HTTP Strict Transport Security (HSTS)
> using /opt/tomcat9/conf/web.xml
>
> # ./version.sh
> Using CATALINA_BASE:   /opt/tomcat9
> Using CATALINA_HOME:   /opt/tomcat9
> Using CATALINA_TMPDIR: /opt/tomcat9/temp
> Using JRE_HOME:
>  /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64
> Using CLASSPATH:
> /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
> Using CATALINA_OPTS:
> Server version: Apache Tomcat/9.0.56
> Server built:   Dec 2 2021 14:30:07 UTC
> Server number:  9.0.56.0
> OS Name:Linux
> OS Version: 3.10.0-1160.62.1.el7.x86_64
> Architecture:   amd64
> JVM Version:1.8.0_322-b06
> JVM Vendor: Red Hat, Inc.
> # cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)
> #
>
>
> */opt/tomcat9/conf/web.xml*
> > <filter>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >   <async-supported>true</async-supported>
> >   <init-param>
> >     <param-name>hstsEnabled</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsMaxAgeSeconds</param-name>
> >     <param-value>31536000</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsIncludeSubDomains</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <url-pattern>/*</url-pattern>
> >   <dispatcher>REQUEST</dispatcher>
> > </filter-mapping>
>
>
> When I scan the https://tomcatURL FQDN using
> https://www.ssllabs.com/ssltest/ I do not see the Strict Transport
> Security
> response header. Please guide me. Thanks in advance
>
> Best Regards,
>
> Kaushal
>


Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

2022-04-28 Thread Kaushal Shriyan
Hi,

I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009
(Core) and trying to configure HTTP Strict Transport Security (HSTS)
using /opt/tomcat9/conf/web.xml

# ./version.sh
Using CATALINA_BASE:   /opt/tomcat9
Using CATALINA_HOME:   /opt/tomcat9
Using CATALINA_TMPDIR: /opt/tomcat9/temp
Using JRE_HOME:
 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64
Using CLASSPATH:
/opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Server version: Apache Tomcat/9.0.56
Server built:   Dec 2 2021 14:30:07 UTC
Server number:  9.0.56.0
OS Name:Linux
OS Version: 3.10.0-1160.62.1.el7.x86_64
Architecture:   amd64
JVM Version:1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
#


> */opt/tomcat9/conf/web.xml*
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <async-supported>true</async-supported>
>   <init-param>
>     <param-name>hstsEnabled</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsMaxAgeSeconds</param-name>
>     <param-value>31536000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>hstsIncludeSubDomains</param-name>
>     <param-value>true</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
> </filter-mapping>


When I scan the https://tomcatURL FQDN using
https://www.ssllabs.com/ssltest/ I do not see the Strict Transport Security
response header. Please guide me. Thanks in advance

Best Regards,

Kaushal


Re: Application specific el-api

2022-04-28 Thread Christopher Schultz

Mark, Vladimir,

On 4/28/22 12:10, Mark Thomas wrote:

On 28/04/2022 16:54, vladimir dvorak wrote:

   Hi,

my intention is to use a custom el-api with a modified BeanELResolver that
uses the much faster https://github.com/EsotericSoftware/reflectasm instead of
the slow reflection API.


You have a couple of options.

1. Replace the el-api.jar in $CATALINA_BASE/lib.

Not ideal, as deployment just got a lot more complicated than copying a 
WAR file, but it does give you exactly what you want.


2. If you are using the EL in JSPs, then you can add your custom 
ELResolver to the JspApplicationContext and it will get used in 
preference to the BeanELResolver.


This keeps everything in the application but does require a little 
plumbing to register the custom resolver when the web app starts.


I wonder how much of a performance benefit reflectasm gives, since 
Tomcat's implementation should be providing not just reflective-access 
to object properties, but /cached/ reflective access to properties.


It's not just calling Class.forName(beanType).getMethod("get" + 
capitalize(propertyName)) every time it sees a property-access.


-chris




Re: Testing Tomcat pre-releases

2022-04-28 Thread Christopher Schultz

David,

(Replying to the Tomcat users@ list)

On 4/28/22 08:45, David Cleary wrote:
Hi Chris. We have spoken over the years at various Apachecons. In one of 
your presentations, you talked about smoke testing Tomcat pre-releases. 
We just got bitten by a regression in 9.0.62, and the team that is 
responsible for updating it is interested in the details on doing this. 
Can you give me details on where we would pick up pre-release builds and 
what mailing list we should monitor and report any issues.


Sure.

Briefly, the release process goes like this[1]:

1. Announce intent to do a release on dev@ mailing list; call for any 
last-minute commits or conversations. This often doesn't happen because 
we have a release-cadence that follows a rough schedule of 
prep-and-release around the beginning of each month.


2. Tag the release + prepare a release candidate build. This is a formal 
process which results in a vote.


3. Declare a vote on Tomcat x.y.z for a [VOTE] thread posted to the dev@ 
mailing list. Here is your opportunity to give feedback on the release. 
(See below). Information about where to get the release candidates is 
available in that [VOTE] message.


4. Assuming the [VOTE] passes, the release is promoted from "candidate" 
to "official release", distributed to mirrors, and announced.


So, how can you participate in #3 above?

Well, the release candidate includes all the binary artifacts from a 
regular release, so you can use it just as you would usually use a 
"real" release. You can also build it from source as you always could, etc.


The "Getting Started Hacking Tomcat" presentation[2] contains some 
information about how to build from source, run the unit-tests, etc. if 
you'd like some guidance.


If you find a bug and are able to contribute a test-case for us to 
include in our test process, that would be great: it will prevent the 
bug from coming-back as a regression in the future.


Simply reply to the [VOTE] thread with any concerns you may have, or, if 
everything is great, we'd love to have your "+1 to release" vote as 
well. Technically speaking, non-PMC-members don't have a binding vote, 
but I have never seen a vote move-forward in spite of legitimate 
negative community feedback. If something is wrong with the release, 
we'll cancel it, fix the issue, and repeat the process with a new 
release candidate (and version number).


Let us know if you have any questions.

-chris

[1] Subject to the whims of the release managers, who are -- remember -- 
unpaid volunteers

[2] https://tomcat.apache.org/presentations.html




Re: Application specific el-api

2022-04-28 Thread Mark Thomas

On 28/04/2022 16:54, vladimir dvorak wrote:

   Hi,

my intention is to use a custom el-api with a modified BeanELResolver that
uses the much faster https://github.com/EsotericSoftware/reflectasm instead of
the slow reflection API.


You have a couple of options.

1. Replace the el-api.jar in $CATALINA_BASE/lib.

Not ideal, as deployment just got a lot more complicated than copying a 
WAR file, but it does give you exactly what you want.


2. If you are using the EL in JSPs, then you can add your custom 
ELResolver to the JspApplicationContext and it will get used in 
preference to the BeanELResolver.


This keeps everything in the application but does require a little 
plumbing to register the custom resolver when the web app starts.


Mark




kind regards Vladimir

čt 28. 4. 2022 v 17:46 odesílatel Mark Thomas  napsal:


On 28/04/2022 16:30, vladimir dvorak wrote:

Hi,

I'm trying to use jakarta-el, which is an alternative to el-api.jar from
Tomcat. Jakarta-el is deployed with application, implementation part of lib
works correctly since it uses separate package,
but I can't force the Tomcat classloader mechanism to not use the classes
from api part TOMCAT_DIR/lib/el-api.jar but rather jakarta-el-api.jar. I've
excluded all transitive deps on apache-el,
but nothing helps. Is there any configuration on how to force Tomcat to use
classes from the application jar in advance of the system tomcat jar?


No.

The Jakarta EE platform specification requires that the container
(Tomcat) prevents applications loading alternative API JARs.

Why do you want to use an alternative API JAR?

Mark







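As an added example of the option-2 plumbing Mark describes above (this is not code from the thread, from Tomcat, or from the poster's project): a ServletContextListener that registers an application-supplied resolver with the JspApplicationContext before any JSP runs. The resolver extends the stock javax.el.BeanELResolver rather than using reflectasm, so it is a stand-in for the poster's faster implementation; the class names and the rule it enforces (refusing the `class` property and `getClass()`) are this example's own, chosen to show that a resolver in this slot can also narrow what EL exposes. It assumes Tomcat 9 (javax namespace, EL 3.0).

```java
import java.util.Collection;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;

import javax.el.BeanELResolver;
import javax.el.ELClass;
import javax.el.ELContext;
import javax.el.ELException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.jsp.JspFactory;

/**
 * Registers an application-supplied ELResolver ahead of Tomcat's stock BeanELResolver
 * at web application start. RestrictedBeanELResolver stands in for a faster (e.g.
 * reflectasm-based) bean resolver; the "class"/getClass() rule is an illustrative policy
 * of this example only, not something Tomcat does by default.
 */
@WebListener
public class CustomElResolverRegistrar implements ServletContextListener {

    public static final class RestrictedBeanELResolver extends BeanELResolver {

        // Application resolvers are consulted before Tomcat's Stream, StaticField, Map,
        // ResourceBundle, List and Array resolvers, so a bean resolver registered this way must
        // decline those bases; otherwise ${map.key} and ${list[0]} fail with PropertyNotFoundException.
        private static boolean leaveToDefaults(Object base) {
            return base == null || base instanceof Map || base instanceof Collection
                    || base instanceof ResourceBundle || base instanceof ELClass
                    || base.getClass().isArray();
        }

        private static boolean blocked(Object name, String blockedName) {
            return name != null && blockedName.equals(name.toString().toLowerCase(Locale.ROOT));
        }

        private static ELException deny(ELContext context, Object name) {
            context.setPropertyResolved(true); // stop the chain; do not fall through to the stock resolver
            return new ELException("'" + name + "' is not resolvable from EL");
        }

        @Override
        public Object getValue(ELContext context, Object base, Object property) {
            if (leaveToDefaults(base)) return null;
            if (blocked(property, "class")) throw deny(context, property);
            return super.getValue(context, base, property);
        }

        @Override
        public Class<?> getType(ELContext context, Object base, Object property) {
            if (leaveToDefaults(base)) return null;
            if (blocked(property, "class")) throw deny(context, property);
            return super.getType(context, base, property);
        }

        @Override
        public void setValue(ELContext context, Object base, Object property, Object value) {
            if (leaveToDefaults(base)) return;
            if (blocked(property, "class")) throw deny(context, property);
            super.setValue(context, base, property, value);
        }

        @Override
        public boolean isReadOnly(ELContext context, Object base, Object property) {
            if (leaveToDefaults(base)) return false;
            if (blocked(property, "class")) { context.setPropertyResolved(true); return true; }
            return super.isReadOnly(context, base, property);
        }

        @Override
        public Object invoke(ELContext context, Object base, Object method, Class<?>[] paramTypes, Object[] params) {
            if (leaveToDefaults(base)) return null;
            if (blocked(method, "getclass")) throw deny(context, method);
            return super.invoke(context, base, method, paramTypes, params);
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must happen before the first JSP runs; after that addELResolver throws IllegalStateException.
        JspFactory.getDefaultFactory()
                .getJspApplicationContext(sce.getServletContext())
                .addELResolver(new RestrictedBeanELResolver());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release; the resolver's lifetime is the web application's
    }
}
```

Two things to watch when doing this for real. A resolver added through addELResolver() is consulted before Tomcat's own Map, List, Array, ResourceBundle, StaticField and Stream resolvers, so a bean resolver in that slot has to decline those bases (the leaveToDefaults() check above) or plain `${map.key}` expressions break. And addELResolver() has to run before the first JSP executes, which a ServletContextListener (or a ServletContainerInitializer) guarantees; calling it any later throws IllegalStateException.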



Re: Application specific el-api

2022-04-28 Thread vladimir dvorak
  Hi,

my intention is to use a custom el-api with a modified BeanELResolver that
uses the much faster https://github.com/EsotericSoftware/reflectasm instead of
the slow reflection API.

kind regards Vladimir

čt 28. 4. 2022 v 17:46 odesílatel Mark Thomas  napsal:

> On 28/04/2022 16:30, vladimir dvorak wrote:
> >Hi,
> >
> > I'm trying to use jakarta-el, which is an alternative to el-api.jar from
> > Tomcat. Jakarta-el is deployed with application, implementation part of lib
> > works correctly since it uses separate package,
> > but I can't force the Tomcat classloader mechanism to not use the classes
> > from api part TOMCAT_DIR/lib/el-api.jar but rather jakarta-el-api.jar. I've
> > excluded all transitive deps on apache-el,
> > but nothing helps. Is there any configuration on how to force Tomcat to
> > use classes from the application jar in advance of the system tomcat jar?
>
> No.
>
> The Jakarta EE platform specification requires that the container
> (Tomcat) prevents applications loading alternative API JARs.
>
> Why do you want to use an alternative API JAR?
>
> Mark
>
>
>


Re: Application specific el-api

2022-04-28 Thread Mark Thomas

On 28/04/2022 16:30, vladimir dvorak wrote:

   Hi,

I'm trying to use jakarta-el, which is an alternative to el-api.jar from
Tomcat. Jakarta-el is deployed with application, implementation part of lib
works correctly since it uses separate package,
but I can't force the Tomcat classloader mechanism to not use the classes
from api part TOMCAT_DIR/lib/el-api.jar but rather jakarta-el-api.jar. I've
excluded all transitive deps on apache-el,
but nothing helps. Is there any configuration on how to force Tomcat to use
classes from the application jar in advance of the system tomcat jar?


No.

The Jakarta EE platform specification requires that the container 
(Tomcat) prevents applications loading alternative API JARs.


Why do you want to use an alternative API JAR?

Mark




Application specific el-api

2022-04-28 Thread vladimir dvorak
  Hi,

I'm trying to use jakarta-el, which is an alternative to el-api.jar from
Tomcat. Jakarta-el is deployed with application, implementation part of lib
works correctly since it uses separate package,
but I can't force the Tomcat classloader mechanism to not use the classes
from api part TOMCAT_DIR/lib/el-api.jar but rather jakarta-el-api.jar. I've
excluded all transitive deps on apache-el,
but nothing helps. Is there any configuration on how to force Tomcat to use
classes from the application jar in advance of the system tomcat jar?

Regards Vladimir


Automated migration for Tomcat 9 to 10

2022-04-28 Thread Chetna Agrawal
Hi,

I want to migrate my webapp from Java EE8 to Jakarta EE 9 in order to run it on 
tomcat 10.0.18. I am trying to run jakartaee migration tool at runtime by 
adding - , in  my context defined in 
server.xml. The tomcat version that I am using is 10.0.18. I am providing the 
value of path as /chetna and docbase as absolute path to my webapp's folder. On 
starting Tomcat, it is running fine and is not giving any error in logs but 
seems like it is not able to access my webapp folder. When trying to hit url - 
https://localhost/chetna, it is giving error 404. While when I run migration 
tool on my webapp explicitly and then use that migrated webapp's path in 
docbase, my app is running fine.

In changelog of Tomcat 10.0.3, it is given that -
Allow the loader to directly use the Tomcat Migration Tool for JakartaEE as a 
ClassFileTransformer using the jakartaConverter attribute. This only supports 
javax to jakarta conversion for classes, not for classloader resources or 
static files.

Is there a way I can migrate my webapp at runtime while running it on tomcat 
10. Please let me know if I am doing something wrong in this method.

Regards,
Chetna Agrawal
Disclaimer: The information in this email is strictly confidential and may be 
legally privileged. If you are not the intended recipient, any use of this 
email or the information contained therein or disclosure or any action taken or 
omissions made including but not limited to copying, distribution or placing 
reliance on it, is expressly prohibited and may be unlawful. This email is 
intended solely for the addressee, access to this email by anyone else is 
unauthorized, the recipient is requested to notify Seclore and delete this 
email from their system immediately.


Re: Acceptor to report an incoming connection more than once.

2022-04-28 Thread Mark Thomas

On 28/04/2022 05:15, Dharani Gajendiran wrote:

Hi,

In Tomcat 9.0.56, for the change log - "Provide protection against a 
known OS bug that causes the acceptor to report an incoming connection 
more than once". Even though this is marked for Ubuntu, can you confirm 
if this is applicable for RHEL also?


Yes, it is a Linux Kernel bug.

Mark
