Rate Limiting support in Tomcat 9.x

2023-05-22 Thread Amit Pande
Hello,

https://tomcat.apache.org/ - I see rate limiting support added in Tomcat 10.1.9.

(Side note: "The Apache Tomcat Project is proud to announce the release of 
version 10.1.8 of Apache Tomcat" - I think it should be 10.1.9)

Are there any plans to add this filter in 9.x? Could an enhancement request be 
raised to get this in next Tomcat 9.x release?

Thanks,
Amit




Re: Tomcat connection pool 9.0.52 uses more than configured maxActive connections

2023-05-22 Thread Mark Thomas

On 22/05/2023 09:45, Stefan López Romero wrote:

> Hello,
>
> I have the problem that the Tomcat connection pool uses more than the 
> maxActive connections. In my Dropwizard application I have configured a 
> maxSize of 30, but I found the following message in the logs.
>
> Timeout: Pool empty. Unable to fetch a connection in 15 seconds, none 
> available[size:31; busy:31; idle:0; lastwait:15000]
>
> This seems to be related to a high pressure on the DB. In the DB logs I 
> also found some connection issues
>
> The code in the PooledConnection class does not seem to be completely 
> bulletproof, because there can't be only two threads that have gone 
> through the first if-two, or am I wrong?

Given that size is an AtomicInteger, I don't see a sequence of calls 
from multiple threads that could result in more than maxActive 
connections being created.

Also, it would have saved me some time if you had referenced the correct 
class. The quoted code is part of ConnectionPool, not PooledConnection.

> //if we get here, see if we need to create one
> //this is not 100% accurate since it doesn't use a shared
> //atomic variable - a connection can become idle while we are creating
> //a new connection
> if (size.get() < getPoolProperties().getMaxActive()) {
>     //atomic duplicate check
>     if (size.addAndGet(1) > getPoolProperties().getMaxActive()) {
>         //if we got here, two threads passed through the first if
>         size.decrementAndGet();
>     } else {
>         //create a connection, we're below the limit
>         return createConnection(now, con, username, password);
>     }
> } //end if
>
> In the end, this problem causes all my available DB connections to be 
> used up and my application to fail.
>
> Is this a known problem? Is there a workaround?

At worst, this appears to be an off-by-one error either in the error 
message or the connection counting logic. Even with that addressed, it 
looks as if either the application has a connection leak or you need a 
bigger connection pool to support the required load.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
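Whether the two-step check quoted above can ever hand out more than maxActive connections is easy to test empirically. The Go program below is an added example, not code from Tomcat or from either poster: it ports the check-then-increment to sync/atomic (standing in for Java's AtomicInteger) and hammers it from many goroutines. The type Pool, its methods and the two driver functions BurstCreate and Churn are names constructed for this example. The burst scenario grants exactly maxActive connections and the counter ends at maxActive, never maxActive+1, and the churn scenario never has more than maxActive connections handed out at once. That matches Mark's reading: the double check itself does not overshoot, so a log line reporting size:31 against a limit of 30 points at how the figure is reported or counted, or at connections not being returned, rather than at this code path.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
	"sync/atomic"
)

// Pool keeps only the counting state the thread argues about: size is the shared
// counter (an AtomicInteger in Tomcat's ConnectionPool) and maxActive the ceiling.
// The type and its method names are this example's own, not Tomcat's.
type Pool struct {
	maxActive int32
	size      int32 // connections currently counted; touched only via sync/atomic
}

// NewPool builds a pool that allows at most maxActive connections.
func NewPool(maxActive int32) *Pool { return &Pool{maxActive: maxActive} }

// TryCreate is a port of the check-then-increment quoted from ConnectionPool.
// It returns true when the caller may open a connection and false when full.
func (p *Pool) TryCreate() bool {
	// First check: cheap, but not atomic with the increment that follows, so
	// several callers can pass it together when size sits just under the limit.
	if atomic.LoadInt32(&p.size) < p.maxActive {
		// Second check: the increment is atomic, so every caller sees a distinct
		// value; only those still within maxActive keep their slot, the rest
		// observe the overshoot and undo their reservation.
		if atomic.AddInt32(&p.size, 1) > p.maxActive {
			atomic.AddInt32(&p.size, -1)
			return false
		}
		return true
	}
	return false
}

// Release returns one connection to the pool.
func (p *Pool) Release() { atomic.AddInt32(&p.size, -1) }

// Size reports the current counter value.
func (p *Pool) Size() int32 { return atomic.LoadInt32(&p.size) }

// recordMax raises *addr to n when n is larger; the CAS loop keeps the
// diagnostic itself free of lost updates under contention.
func recordMax(addr *int32, n int32) {
	for {
		cur := atomic.LoadInt32(addr)
		if n <= cur || atomic.CompareAndSwapInt32(addr, cur, n) {
			return
		}
	}
}

// BurstCreate starts n goroutines that each call TryCreate once and never
// release, the worst case for the first check. It returns how many callers
// were granted a connection and the final counter value.
func BurstCreate(maxActive int32, n int) (granted int32, final int32) {
	p := NewPool(maxActive)
	start := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // release every goroutine at once to maximise contention
			if p.TryCreate() {
				atomic.AddInt32(&granted, 1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return granted, p.Size()
}

// Churn has workers repeatedly acquire, hold and release a connection for the
// given number of rounds. It returns the highest number of connections that
// were handed out at the same moment and the final counter value.
func Churn(maxActive int32, workers, rounds int) (peakBusy int32, final int32) {
	p := NewPool(maxActive)
	var busy int32 // connections handed out and not yet released
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for r := 0; r < rounds; r++ {
				if !p.TryCreate() {
					runtime.Gosched() // pool full: yield like a waiting borrower
					continue
				}
				recordMax(&peakBusy, atomic.AddInt32(&busy, 1))
				runtime.Gosched() // "use" the connection while others contend
				atomic.AddInt32(&busy, -1)
				p.Release()
			}
		}()
	}
	wg.Wait()
	return peakBusy, p.Size()
}

func main() {
	granted, final := BurstCreate(30, 500)
	fmt.Printf("burst: maxActive=30 attempts=500 -> granted=%d size=%d\n", granted, final)
	peak, final := Churn(30, 64, 200)
	fmt.Printf("churn: maxActive=30 workers=64 -> peak busy=%d final size=%d\n", peak, final)
}
```

Running it under the race detector (go run -race) adds a second check that no unsynchronised access to the counters slipped in; the only shared state is touched through sync/atomic, so it stays silent.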



[SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

2023-05-22 Thread Mark Thomas

CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector 
settings were used such that the maxParameterCount could be reached 
using query string parameters and a request was submitted that supplied 
exactly maxParameterCount parameters in the query string, the limit for 
uploaded request parts could be bypassed with the potential for a denial 
of service to occur.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M5 or later
- Upgrade to Apache Tomcat 10.1.8 or later
- Upgrade to Apache Tomcat 9.0.74 or later
- Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang 
from the Huawei Nebula Security Lab


History:
2023-05-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html




Tomcat connection pool 9.0.52 uses more than configured maxActive connections

2023-05-22 Thread Stefan López Romero
Hello,

I have the problem that the Tomcat connection pool uses more than the maxActive 
connections. In my Dropwizard application I have configured a maxSize of 30, 
but I found the following message in the logs.

Timeout: Pool empty. Unable to fetch a connection in 15 seconds, none 
available[size:31; busy:31; idle:0; lastwait:15000]

This seems to be related to a high pressure on the DB. In the DB logs I also 
found some connection issues

The code in the PooledConnection class does not seem to be completely 
bulletproof, because there can't be only two threads that have gone through the 
first if-two, or am I wrong?

//if we get here, see if we need to create one
//this is not 100% accurate since it doesn't use a shared
//atomic variable - a connection can become idle while we are creating
//a new connection
if (size.get() < getPoolProperties().getMaxActive()) {
    //atomic duplicate check
    if (size.addAndGet(1) > getPoolProperties().getMaxActive()) {
        //if we got here, two threads passed through the first if
        size.decrementAndGet();
    } else {
        //create a connection, we're below the limit
        return createConnection(now, con, username, password);
    }
} //end if

In the end, this problem causes all my available DB connections to be used up 
and my application to fail.

Is this a known problem? Is there a workaround?

Thanks for your answers,
Regards,
Stefan


Stefan López Romero
Senior Lead IT Architect

Theresienhöhe 13, 80339 München
stefan.lo...@maibornwolff.de
+49 151 544 22 050



MaibornWolff GmbH
Theresienhöhe 13, 80339 München
www.maibornwolff.de
Telefon +49 89 544 253 000
USt-ID DE 129 299 525
Amtsgericht München HRB 98058
Geschäftsführer: Volker Maiborn,
Holger Wolff, Alexander Hofmann, Florian Theimer,
Marcus Adlwart, Dr. Martina Beck, Christian Loos
