Re: Are there any known class loader leaks in Tomcat 9?

[Suvendu Sekhar Mondal]

Hello William,

On Mon, Nov 6, 2023 at 11:25 PM William Crowell
 wrote:
>
> Good afternoon,
>
> I am running Tomcat 9.0.78 with JDK 1.8.0_371 (running with G1GC), and I am 
> loading some very large Java classes into Metaspace.  I know this is not good 
> practice, but I inherited this library.  These classes have business rules 
> and are doing some basic primitive and array manipulations, and I am running 
> out of native memory.  I don’t think there are any JNI calls in this code 
> base.
>
How are you loading those large classes? using some custom classloader
OR Tomcat's normal classloader? Also, are you using a single
classloader to load all/multiple classes? Reason I asked is, until ALL
classes loaded by a classloader are de-referenced, the entire set of
classes loaded by the classloader will NOT be garbage collected. Most
possibly that is what is happening in your case.

Also, how fast Metaspace is growing? I will suggest checking the
contents of Metaspace by taking class stats details periodically.
GC.class_stats of Jcmd is helpful.

> Are there anything existing issues with the Tomcat 9 class loader?  I doubt 
> there are but wanted to check.
>

I have been using Tomcat 9 for the last two years and have not
experienced any problem where Tomcat is holding onto classes.

> Regards,
>
> William Crowell
>
>
> This e-mail may contain information that is privileged or confidential. If 
> you are not the intended recipient, please delete the e-mail and any 
> attachments and notify us immediately.
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Admin password for Tomcat

[Jerry Malcolm]

On 11/5/2023 11:54 AM, Jerry Malcolm wrote:


On 11/5/2023 9:26 AM, Christopher Schultz wrote:

Jerry,

On 11/4/23 20:17, Jerry Malcolm wrote:
My support team needs to be able to log in to our site as various 
users (on behalf of...) to be able to see exactly what they are 
seeing since roles, access groups, history is different for 
different users.  I would like to implement an admin password where 
I can log in as any userId with this password.  I totally realize 
the security risks involved in this.  But I am handling the security 
risks with additional authorizations.  I simply need to make every 
user have two passwords... their real personal password, and the 
admin password.  The only alternative I have right now is to save 
off the user's password hash in the USERS table, replace it with my 
password hash, then restore the user's original password when I'm 
done.  I'm not thrilled with that solution first because it's a pain 
and error prone, and also because the user can no longer log in 
while their password is replaced with my password.


  I figure this function is buried in the authenticator code 
somewhere. But I'd first like to see if anybody has done anything 
like this already.  If not, could somebody point me in the right 
direction to the tomcat source file that I'm going to need to modify 
and also what's involved in making authentication use my updated 
class instead of the default.


Suggestions?


This sounds like "impersonation" to me, which, I think, can be done 
differently. If you are indeed describing an X-Y problem above, then 
might I suggest the following?


Instead of figuring out how to "add" a second password to a user, 
what about allowing you to login as e.g. "jerry" and then assume the 
identity of the user "tom"? You should be able to do this by changing 
the UserPrincipal in the session to have a different username.


Which application are you trying to do this with? Your own 
application, or one which ships with Tomcat (e.g. Manager)?


-chris


Hi Chris, it's my own webapp.  Changing user principal is exactly what 
I'm trying to do.  I wasn't aware that the user principal could be 
easily swapped.  Where can I learn more about how to do that?


Chris, I'm not having any luck googling info on how to replace the user 
principal object in the session object.  This is exactly what I need to 
do.  But looks like I'm going to need a little bit of guidance to figure 
out how to implement it.


Thanks.

Jerry


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Vulnerabilities Patches

[James H. H. Lampert]

On 11/6/23 5:21 PM, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:

I am using Tomcat Apache Version 8.5.94 in Windows server 2012. Recently 
received following vulnerabilities alert to fix :


Short answer: you're already there. And the latest Tomcat 8 (which I 
just bumped a customer up to) is 8.5.95.


On an IBM Midrange box, I just manually copy the keystore, our webapps, 
and certain configuration settings over from the old version to the new 
version, then find a good time to switch the customer over (which 
involves shutting down the old Tomcat, renaming the old and new Tomcat 
directories, and restarting it with the new version in place. Piece of cake.


I understand that Linux, WinDoze, and Mac have ways to bump up the 
Tomcat version that are even easier.


--
JHHL


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Vulnerabilities Patches

[Chuck Caldarale]

> On Nov 6, 2023, at 19:27, Nithiyanandam BALASUBRAMANIYAN (Oneberry) 
>  wrote:
> 
> May I know how to apply to windows as my system is no internet allowed. 
> Thanks 


If you’re running 8.5.94, those four CVEs are already fixed in that version.

  - Chuck


> -Original Message-
> From: Evan Rempel  
> Sent: Tuesday, November 7, 2023 9:24 AM
> To: users@tomcat.apache.org
> Subject: Re: Vulnerabilities Patches
> 
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94
> 
> On 2023-11-06 17:21, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
>> 
>> Hi ,
>> 
>> I am using Tomcat Apache Version 8.5.94 in Windows server 2012. 
>> Recently received following vulnerabilities alert to fix :
>> 
>> 1. *Request smuggling*CVE-2023-45648
>>
>> 2. *Denial of Service*CVE-2023-44487
>>
>> 3. *Denial of Service*CVE-2023-42794
>>
>> 4. * Information Disclosure*CVE-2023-42795
>>
>> 
>> Can help to let me know the steps how to fix these vulnerabilities for 
>> my current version in windows.
>> 
>> Thanks
>> 
>> ?Best regards,
>> 
>> Nithi,
>> 
>> Head Ops, Commercial and Industrial,
>> 
>> Product Management and SW apps
>> 
>> Mobile:92487954
>> 
>> *Oneberry Technologies Pte Ltd*
>> 
>> *Web: *www.oneberry.com 
>> 
>> *Tel: *(65) 6692 6760 | *Fax: *(65) 6280 2921
>> 
>> *Address: *One Pemimpin, 1 Pemimpin Drive, #08-03, Singapore 576151
>> 
>> 
>> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Vulnerabilities Patches

[Nithiyanandam BALASUBRAMANIYAN (Oneberry)]

Hi Even,

Thanks for the reply.

May I know how to apply to windows as my system is no internet allowed. Thanks 

-Original Message-
From: Evan Rempel  
Sent: Tuesday, November 7, 2023 9:24 AM
To: users@tomcat.apache.org
Subject: Re: Vulnerabilities Patches

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94

On 2023-11-06 17:21, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:
>
> Hi ,
>
> I am using Tomcat Apache Version 8.5.94 in Windows server 2012. 
> Recently received following vulnerabilities alert to fix :
>
>  1. *Request smuggling*CVE-2023-45648
> 
>  2. *Denial of Service*CVE-2023-44487
> 
>  3. *Denial of Service*CVE-2023-42794
> 
>  4. * Information Disclosure*CVE-2023-42795
> 
>
> Can help to let me know the steps how to fix these vulnerabilities for 
> my current version in windows.
>
> Thanks
>
> ?Best regards,
>
> Nithi,
>
> Head Ops, Commercial and Industrial,
>
> Product Management and SW apps
>
> Mobile:92487954
>
> *Oneberry Technologies Pte Ltd*
>
> *Web: *www.oneberry.com 
>
> *Tel: *(65) 6692 6760 | *Fax: *(65) 6280 2921
>
> *Address: *One Pemimpin, 1 Pemimpin Drive, #08-03, Singapore 576151
>
> 
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Vulnerabilities Patches

[Evan Rempel]

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94

On 2023-11-06 17:21, Nithiyanandam BALASUBRAMANIYAN (Oneberry) wrote:


Hi ,

I am using Tomcat Apache Version 8.5.94 in Windows server 2012. 
Recently received following vulnerabilities alert to fix :


 1. *Request smuggling*CVE-2023-45648

 2. *Denial of Service*CVE-2023-44487

 3. *Denial of Service*CVE-2023-42794

 4. * Information Disclosure*CVE-2023-42795


Can help to let me know the steps how to fix these vulnerabilities for 
my current version in windows.


Thanks

?Best regards,

Nithi,

Head Ops, Commercial and Industrial,

Product Management and SW apps

Mobile:92487954

*Oneberry Technologies Pte Ltd*

*Web: *www.oneberry.com 

*Tel: *(65) 6692 6760 | *Fax: *(65) 6280 2921

*Address: *One Pemimpin, 1 Pemimpin Drive, #08-03, Singapore 576151

Vulnerabilities Patches

[Nithiyanandam BALASUBRAMANIYAN (Oneberry)]

Hi ,

I am using Tomcat Apache Version 8.5.94 in Windows server 2012. Recently 
received following vulnerabilities alert to fix :


  1.  Request smuggling 
CVE-2023-45648
  2.  Denial of Service 
CVE-2023-44487
  3.  Denial of Service 
CVE-2023-42794
  4.   Information Disclosure 
CVE-2023-42795

Can help to let me know the steps how to fix these vulnerabilities for my 
current version in windows.

Thanks

?Best regards,

Nithi,
Head Ops, Commercial and Industrial,
Product Management and SW apps
Mobile:92487954

Oneberry Technologies Pte Ltd
Web: www.oneberry.com
Tel: (65) 6692 6760 | Fax: (65) 6280 2921
Address: One Pemimpin, 1 Pemimpin Drive, #08-03, Singapore 576151
[cid:image001.png@01DA115B.DA13D580]

TLD jar scanning at Tomcat Startup

[charles didonato]

Good Evening,
Tomcat 9.082 on Windows 11.
Tomcat runs as a Windows service.

When I start Tomcat and deploy my war file, it hangs at the following in
the Catalina Log:

06-Nov-2023 15:21:59.819 INFO [main]
org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned
for TLDs yet contained no TLDs. Enable debug logging for this logger for a
complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP
compilation time.

I see nothing in stderr or stdout

I have enabled the logging in logging.properties
# To see debug messages in TldLocationsCache, uncomment the following line:
org.apache.jasper.compiler.TldLocationsCache.level = FINE

I have also edited the default list of jars to scan as below:

# Default list of JAR files that should be scanned that overrides the
default
# jarsToSkip list above. This is typically used to include a specific JAR
that
# has been excluded by a broad file name pattern in the jarsToSkip list.
# The list of JARs to scan may be over-ridden at a Context level for
individual
# scan types by configuring a JarScanner with a nested JarScanFilter.
tomcat.util.scan.StandardJarScanFilter.jarsToScan=\
log4j-taglib*.jar,\
log4j-web*.jar,\
log4javascript*.jar,\
slf4j-taglib*.jar,\
jstl-1.2.jar,\
CKFinder-2.3.1.jar, \
sitemesh-2.4.2.jar, \
ckeditor-java-core-3.5.3.jar, \
spring-security-taglibs-4.0.3.RELEASE.jar

It is my understanding that the jarsToScan overrides the
jarsToSkip.
I believe I have no override in my app context war file.

I am not seeing the intended behavior of the jar scanning and the tomcat
server never deploys the single war file.
Eventually the server encounters an OOM state and crashes.
Am I configuring something incorrectly?
Thanks
Charlie D

Are there any known class loader leaks in Tomcat 9?

[William Crowell]

Good afternoon,

I am running Tomcat 9.0.78 with JDK 1.8.0_371 (running with G1GC), and I am 
loading some very large Java classes into Metaspace.  I know this is not good 
practice, but I inherited this library.  These classes have business rules and 
are doing some basic primitive and array manipulations, and I am running out of 
native memory.  I don’t think there are any JNI calls in this code base.

Are there anything existing issues with the Tomcat 9 class loader?  I doubt 
there are but wanted to check.

Regards,

William Crowell


This e-mail may contain information that is privileged or confidential. If you 
are not the intended recipient, please delete the e-mail and any attachments 
and notify us immediately.

Re: WebApp Mutual TLS for connecting to thrid party REST service

[Mark Thomas]

On 06/11/2023 17:03, Brian Wolfe wrote:

Is there a way to use JSSE in tomcat to manage TLS mutual auth for when a
process in tomcat is acting as a client during a REST call to use a client
certificate from a keystore to authenticate to the third party? Or is this
something that has to be handled at the application level?

I know in Java you can specify these system settings on the commandline.
-Djavax.net.ssl.keyStore=/path/to/clientkeystore.p12 \
-Djavax.net.ssl.keyStorePassword=password

I was wondering if anyone else has experience with this use case.

I want to be clear I am not referring to configuring tomcat to enforce
mutual Authn TLS on the connectors.


No. Tomcat has no involvement in outgoing TLS connections. They are 
entirely an application concern.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

WebApp Mutual TLS for connecting to thrid party REST service

[Brian Wolfe]

Is there a way to use JSSE in tomcat to manage TLS mutual auth for when a
process in tomcat is acting as a client during a REST call to use a client
certificate from a keystore to authenticate to the third party? Or is this
something that has to be handled at the application level?

I know in Java you can specify these system settings on the commandline.
-Djavax.net.ssl.keyStore=/path/to/clientkeystore.p12 \
-Djavax.net.ssl.keyStorePassword=password

I was wondering if anyone else has experience with this use case.

I want to be clear I am not referring to configuring tomcat to enforce
mutual Authn TLS on the connectors.

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/

Re:

[Mark Thomas]

On 06/11/2023 10:57, Greg Huber wrote:
 >> The maximum useful size will be the total size of static resources 
(i.e. everything NOT under WEB-INF/lib or WEB-INF/classes).


Since I have nothing in either of these, its all mapped in the 
PostResources,  I can just calculate the size of the jars, and add a bit 
for luck.  (ie 85mb +5mb).


The "i.e. everything NOT under WEB-INF/lib or WEB-INF/classes" is 
irrespective of which resource collection it is in. So JARs from 
PostResources won't be cached.


Mark




Thanks

On 06/11/2023 09:43, Mark Thomas wrote:

On 05/11/2023 17:23, Greg Huber wrote:

Thanks Mark and Chris.





I have not noticed any slowness yet.

There are alot of jars (approx 160), but the target/classes folder 
are my
app's classes that I am working on.  These can change (ie not 
static), so

may be better to switch it off.

Is there anyway to calculate the size needed for the cache setting?


The maximum useful size will be the total size of static resources 
(i.e. everything NOT under WEB-INF/lib or WEB-INF/classes).


The right size is going to be a trade-off between the cost of the 
memory for the cache and the benefits the cache brings. Those benefits 
are going to be application (and hardware) dependent.


Mark




Thanks Greg


On Sun, 5 Nov 2023 at 15:31, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Greg and Mark,

On 11/5/23 09:31, Mark Thomas wrote:

On 05/11/2023 10:18, Greg Huber wrote:

OK thanks, the docs mention "static resource cache" but I could not
find info on what it actually is.


It caches the content of static resources in memory and uses that 
rather

than accessing disk.


I am loading maven jars and /target/classes.

eg:






base="/home/devuser/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar"

className="org.apache.catalina.webresources.FileResourceSet"
webAppMount="/WEB-INF/lib/commons-logging-1.2.jar" />


As its purely for development guess it makes no difference?


I doubt you'll notice if you disable it.


+1

Since you are using JAR files, the caching won't matter once the 
classes

themselves are loaded-into memory. So you may observe some slowness
early in the lifetime of the web application after deployment, but at
long as your code, etc. isn't trying to re-scan JAR files all the time,
etc. then you should be fine.

-chris


On 05/11/2023 10:02, Mark Thomas wrote:

On 04/11/2023 11:03, Greg Huber wrote:

Hello,

I am using the  and  to run tomcat for
debugging my app (and it is pretty awesome).  I am getting the 
cache

warning limit, as it is 10mb, what effect would it have if I turned
off the cache ie cachingAllowed="false" rather than having to
increase the limit all the time?


This is one of those "it depends" questions. There are lots of
factors that will influence how effective the cache is. You could 
try

and reason what the impact would be but you will likely get a more
accurate answer, faster by just trying it and measuring the impact.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re:

[Greg Huber]

>> The maximum useful size will be the total size of static resources 
(i.e. everything NOT under WEB-INF/lib or WEB-INF/classes).


Since I have nothing in either of these, its all mapped in the 
PostResources,  I can just calculate the size of the jars, and add a bit 
for luck.  (ie 85mb +5mb).


Thanks

On 06/11/2023 09:43, Mark Thomas wrote:

On 05/11/2023 17:23, Greg Huber wrote:

Thanks Mark and Chris.





I have not noticed any slowness yet.

There are alot of jars (approx 160), but the target/classes folder 
are my
app's classes that I am working on.  These can change (ie not 
static), so

may be better to switch it off.

Is there anyway to calculate the size needed for the cache setting?


The maximum useful size will be the total size of static resources 
(i.e. everything NOT under WEB-INF/lib or WEB-INF/classes).


The right size is going to be a trade-off between the cost of the 
memory for the cache and the benefits the cache brings. Those benefits 
are going to be application (and hardware) dependent.


Mark




Thanks Greg


On Sun, 5 Nov 2023 at 15:31, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Greg and Mark,

On 11/5/23 09:31, Mark Thomas wrote:

On 05/11/2023 10:18, Greg Huber wrote:

OK thanks, the docs mention "static resource cache" but I could not
find info on what it actually is.


It caches the content of static resources in memory and uses that 
rather

than accessing disk.


I am loading maven jars and /target/classes.

eg:





base="/home/devuser/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar" 


className="org.apache.catalina.webresources.FileResourceSet"
webAppMount="/WEB-INF/lib/commons-logging-1.2.jar" />


As its purely for development guess it makes no difference?


I doubt you'll notice if you disable it.


+1

Since you are using JAR files, the caching won't matter once the 
classes

themselves are loaded-into memory. So you may observe some slowness
early in the lifetime of the web application after deployment, but at
long as your code, etc. isn't trying to re-scan JAR files all the time,
etc. then you should be fine.

-chris


On 05/11/2023 10:02, Mark Thomas wrote:

On 04/11/2023 11:03, Greg Huber wrote:

Hello,

I am using the  and  to run tomcat for
debugging my app (and it is pretty awesome).  I am getting the 
cache

warning limit, as it is 10mb, what effect would it have if I turned
off the cache ie cachingAllowed="false" rather than having to
increase the limit all the time?


This is one of those "it depends" questions. There are lots of
factors that will influence how effective the cache is. You could 
try

and reason what the impact would be but you will likely get a more
accurate answer, faster by just trying it and measuring the impact.

Mark

- 


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re:

[Suvendu Sekhar Mondal]

On Mon, Nov 6, 2023 at 3:15 PM Mark Thomas  wrote:
>
> On 05/11/2023 17:23, Greg Huber wrote:
> > Thanks Mark and Chris.
> >
> >>>  >>>   base="/home/devuser/git/myproject/target/classes"
> >>> className="org.apache.catalina.webresources.DirResourceSet"
> >>>   webAppMount="/WEB-INF/classes" />
> >
> > I have not noticed any slowness yet.
> >
> > There are alot of jars (approx 160), but the target/classes folder are my
> > app's classes that I am working on.  These can change (ie not static), so
> > may be better to switch it off.
> >
> > Is there anyway to calculate the size needed for the cache setting?
>
> The maximum useful size will be the total size of static resources (i.e.
> everything NOT under WEB-INF/lib or WEB-INF/classes).
>
> The right size is going to be a trade-off between the cost of the memory
> for the cache and the benefits the cache brings. Those benefits are
> going to be application (and hardware) dependent.
>
> Mark

+1

You can also explore the combination of cacheTtl and cache size. By
default, TTL is 5 sec. If the cache is not full, a longer TTL means
better performance BUT if cache is getting filled up because of longer
TTL then tomcat will evict elements even before TTL elapsed. Again,
it's a bit tricky.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat 10

[Mark Thomas]

On 06/11/2023 06:46, 一直以来 wrote:

Why do I print System. out. println (request) as different objects in the 
servlet for the request in tomcat10? Is the request object not reused in 
tomcat10?


There is a pool of cached request objects. Each request is also accessed 
via a facade (which is probably what you are seeing). Depending on 
settings, those facades may be reused or discarded between requests.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re:

[Mark Thomas]

On 05/11/2023 17:23, Greg Huber wrote:

Thanks Mark and Chris.





I have not noticed any slowness yet.

There are alot of jars (approx 160), but the target/classes folder are my
app's classes that I am working on.  These can change (ie not static), so
may be better to switch it off.

Is there anyway to calculate the size needed for the cache setting?


The maximum useful size will be the total size of static resources (i.e. 
everything NOT under WEB-INF/lib or WEB-INF/classes).


The right size is going to be a trade-off between the cost of the memory 
for the cache and the benefits the cache brings. Those benefits are 
going to be application (and hardware) dependent.


Mark




Thanks Greg


On Sun, 5 Nov 2023 at 15:31, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Greg and Mark,

On 11/5/23 09:31, Mark Thomas wrote:

On 05/11/2023 10:18, Greg Huber wrote:

OK thanks, the docs mention "static resource cache" but I could not
find info on what it actually is.


It caches the content of static resources in memory and uses that rather
than accessing disk.


I am loading maven jars and /target/classes.

eg:






base="/home/devuser/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar"

className="org.apache.catalina.webresources.FileResourceSet"
  webAppMount="/WEB-INF/lib/commons-logging-1.2.jar" />


As its purely for development guess it makes no difference?


I doubt you'll notice if you disable it.


+1

Since you are using JAR files, the caching won't matter once the classes
themselves are loaded-into memory. So you may observe some slowness
early in the lifetime of the web application after deployment, but at
long as your code, etc. isn't trying to re-scan JAR files all the time,
etc. then you should be fine.

-chris


On 05/11/2023 10:02, Mark Thomas wrote:

On 04/11/2023 11:03, Greg Huber wrote:

Hello,

I am using the  and  to run tomcat for
debugging my app (and it is pretty awesome).  I am getting the cache
warning limit, as it is 10mb, what effect would it have if I turned
off the cache ie cachingAllowed="false" rather than having to
increase the limit all the time?


This is one of those "it depends" questions. There are lots of
factors that will influence how effective the cache is. You could try
and reason what the impact would be but you will likely get a more
accurate answer, faster by just trying it and measuring the impact.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org