Re: AW: AW: FileUpload class not working with Tomcat 10.1

2023-11-15 Thread Mark Foley
On Tue Nov 14 14:50:10 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
<thomas.hoffm...@speed4trade.com.INVALID> wrote:
>
> Hi Mark!
>
> > -----Original Message-----
> > From: Mark Foley 
> > Sent: Tuesday, 14 November 2023 18:20
> > To: users@tomcat.apache.org
> > Subject: Re: AW: FileUpload class not working with Tomcat 10.1
> > 
> > On Tue Nov 14 01:46:09 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
> >  wrote:
> > >
> > > Hello Mark,
> > >
> > > > -----Original Message-----
> > > > From: Mark Foley 
> > > > Sent: Monday, 13 November 2023 23:12
> > > > To: users@tomcat.apache.org
> > > > Subject: Re: AW: FileUpload class not working with Tomcat 10.1
> > > >
> > > > On Mon Nov 13 02:18:49 2023 "Thomas Hoffmann (Speed4Trade GmbH)"
> > > >  wrote:
> > > > > Hello,
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Mark Foley 
> > > > > > Sent: Sunday, 12 November 2023 19:04
> > > > > > To: users@tomcat.apache.org
> > > > > > Subject: Re: FileUpload class not working with Tomcat 10.1
> > > > > >
> > > > > > On Fri Nov 10 15:57:50 2023 Christopher Schultz
> > > > > >  wrote:
> > > > > > >
> > > > > > > Mark,
> > > > > > >
> > > > > > > On 11/10/23 12:53, Mark Foley wrote:
> > > > > > > > > On Fri, 10 Nov 2023 17:11:59 Mark Thomas wrote:
> > > > > > > >>
> > > > > > > >> On 10/11/2023 16:49, Mark Foley wrote:
> > > > > > > >>> I recently upgraded from Tomcat 10.0.17 to 10.1.13.  ...
> > > > > > > >>>
> > > > > > > >>> [deleted]
> > > > > > >
> > > > > > I've put your suggested code in place.
> > > > > >
> > > > > > <%@ page import="jakarta.servlet.http.Part" %>
> > > > > >
> > > > > > I replaced your:
> > > > > >
> > > > > >   throw new IllegalStateException("Expected multi-part");
> > > > > >
> > > > > > with:
> > > > > >
> > > > > > out.println("Expected multi-part");
> > > > > >
> > > > > > Just to get things compiling OK.  I'll deal with errors later.
> > > > > > With that change, it compiled w/o problem.  I then attempted an
> > > > > > upload.  The line:
> > > > > >
> > > > > >    if(null == contentType ||
> > > > > >       !contentType.startsWith("multipart/form-data;"))
> > > > > >    {
> > > > > >
> > > > > > returned TRUE so it did detect a multipart upload. Yay! That was
> > > > > > a relief. However
> > > > > >
> > > > > >    Part fileUpload = request.getPart("param-name");
> > > > > >
> > > > > > Gave me the error:
> > > > > >
> > > > > > java.lang.IllegalStateException: Unable to process parts as no
> > > > > > multi-part configuration has been provided
> > > > > >
> > > > > > So, what does it mean that "no multi-part configuration has been
> > > > > > provided"?
> > > > > > Is "param-name" something I'm supposed to fill in? I tried
> > > > > > substituting the  field name, "taxResults",
> > > > > > but that gave the same error.
> > > > >
> > > > > The form element must have the attribute
> > > > > enctype="multipart/form-data".
> > > > > Furthermore, the servlet must be annotated by "@MultipartConfig"
> > > > >
> > > > > I think for jsp files, there is a similar setting in the web.xml.
> > > > > This link might help out:
> > > > > https://stackoverflow.com/questions/37965890/add-annotation-to-jsp
> > > >
> > > > Thanks for your reply Thomas.
> > > >
> > > > I've checked your suggested link and I have no idea where to put all
> > > > that  stuff.  Furthermore, the poster of that issue didn't say
> > > > he got it working.
> > > >
> > > > A responder to the post said, "Actually every jsp file will be
> > > > converted to servlet because tomcat can only address servlet and so
> > > > every jsp file is indirectly a servlet and has all the features of
> > > > it". I think he is suggesting that the  code is superfluous, but
> > > > not explicitly stated as such.
> > > >
> > > > I am getting a TRUE return for
> > > >
> > > >   if(null == contentType ||
> > > > !contentType.startsWith("multipart/form-data;"))
> > > >
> > > > so I think it is recognizing it as "multipart/form-data;".
> > > >
> > > > Does anyone have an example of a JSP program with
> > > > jakarta.servlet.http.Part class?
> > > >
> > > > I'll search for examples as well, but I really have no idea how to 
> > > > proceed.
> > > >
> > > > --Mark F.
> > > >
> > >
> > > The servlet specification defines the special folder WEB-INF.
> > > Within this folder, there is the configuration file named web.xml.
> > > Within this xml-File, the application is configured including the
> > > servlets.
> > > JSP-Files are compiled to servlets, either on-the-fly or during
> > > compilation time.
> > >
> > > I would recommend to take a look at some sample applications to get
> > > familiar with some java web-applications and the web.xml file.
> > >
> > > It is not only about the jsp-file but also the combination with the
> > > application configuration within the web.xml. Thus you will need both,
> > > jsp-file and a corresponding web.xml configuration.
> > >
> > > Greetings!
> > > Thomas
> > 
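
Added example (not part of the original thread, and not code from the Tomcat project): one way to give a JSP the multi-part configuration that request.getPart() asks for is to declare the JSP as a servlet in WEB-INF/web.xml and attach a <multipart-config> element to it. The servlet name, the /upload.jsp path and the size limits below are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml for a Servlet 6.0 container such as Tomcat 10.1 -->
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
                             https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">

  <!-- Declaring the JSP as a named servlet is what allows per-servlet
       settings such as multipart-config to be attached to it.
       "uploadJsp" and "/upload.jsp" are hypothetical names. -->
  <servlet>
    <servlet-name>uploadJsp</servlet-name>
    <jsp-file>/upload.jsp</jsp-file>
    <multipart-config>
      <!-- Constructed limits: 10 MiB per file, 11 MiB per request.
           Explicit caps bound what a single upload can make the server
           accept; the defaults are unlimited. -->
      <max-file-size>10485760</max-file-size>
      <max-request-size>11534336</max-request-size>
      <!-- Parts larger than 1 MiB are written to disk instead of being
           held in memory. -->
      <file-size-threshold>1048576</file-size-threshold>
    </multipart-config>
  </servlet>

  <!-- Requests for the JSP's URL must be routed to the servlet declared
       above, otherwise the default JSP servlet handles them without the
       multi-part configuration. -->
  <servlet-mapping>
    <servlet-name>uploadJsp</servlet-name>
    <url-pattern>/upload.jsp</url-pattern>
  </servlet-mapping>
</web-app>
```

With this in place the argument to request.getPart() is the name attribute of the form's file input ("taxResults" in the thread), and the form itself still needs enctype="multipart/form-data".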

Re: [EXTERNAL] - Re: Partitioned cookies

2023-11-15 Thread Adam Warfield
That's strange. I was not aware the proposal had expired. I've been working off 
of a few pages as it seemed Chrome/Edge were moving forward with Firefox at 
least showing positive support without committing.

https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
  (October 2023)

https://github.com/mozilla/standards-positions/issues/678  (Firefox showing 
positive support, last updated 2022)

https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies

https://github.com/privacycg/CHIPS


Adam


From: Chuck Caldarale 
Sent: Wednesday, November 15, 2023 9:48 AM
To: Tomcat Users List 
Subject: [EXTERNAL] - Re: Partitioned cookies


On Nov 15, 2023, at 08:06, Adam Warfield  wrote:

The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but 
starting in 2024, browsers will begin enforcing the newer "Partitioned" 
attribute for third-party cookies. Is there a way to set this attribute within 
Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any 
webapps that are embedded within iframes across domains where those cookies 
will be rejected if not partitioned.


Looks like the CHIPS proposal:

Cookies Having Independent Partitioned State specification (datatracker.ietf.org)

expired this past May and no updated version has been submitted to IETF. Is 
there some other active standards document describing cookie partitioning?

  - Chuck



Wondering about tomcat-users.xml could not be found

2023-11-15 Thread Christoph Kukulies
I'm running tomcat9 under Ubuntu 22.04 with an haproxy 2.8 in front of it.

I'm wondering about the following in the logs:

Nov 15 16:19:23 mail tomcat9[832]: Reloading memory user database [UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:23 mail tomcat9[832]: The specified user database [conf/tomcat-users.xml] could not be found
Nov 15 16:19:33 mail tomcat9[832]: Reloading memory user database [UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:33 mail tomcat9[832]: The specified user database [conf/tomcat-users.xml] could not be found
Nov 15 16:19:43 mail tomcat9[832]: Reloading memory user database [UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:43 mail tomcat9[832]: The specified user database [conf/tomcat-users.xml] could not be found
Nov 15 16:19:53 mail tomcat9[832]: Reloading memory user database [UserDatabase] from updated source [file:/var/lib/tomcat9/conf/tomcat-users.xml]
Nov 15 16:19:53 mail tomcat9[832]: The specified user database [conf/tomcat-users.xml] could not be found

  


File /var/lib/tomcat9/conf/tomcat-users.xml is definitely there. 

It occurs every 10 seconds.

Don't know who is causing this and why. Permissions? Ownership wrong?

-rw-r----- 1 root root   2756 Jan 15  2022 tomcat-users.xml

Believe the ownership was wrong. Maybe it came from migrating an old 
installation.

What are the correct perms/ownership in /var/lib/tomcat9 and below?

--
Christoph







Re: Partitioned cookies

2023-11-15 Thread Chuck Caldarale

> On Nov 15, 2023, at 08:06, Adam Warfield wrote:
> 
> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but 
> starting in 2024, browsers will begin enforcing the newer "Partitioned" 
> attribute for third-party cookies. Is there a way to set this attribute 
> within Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This 
> affects any webapps that are embedded within iframes across domains where 
> those cookies will be rejected if not partitioned.



Looks like the CHIPS proposal:

https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/

expired this past May and no updated version has been submitted to IETF. Is 
there some other active standards document describing cookie partitioning?

  - Chuck



Partitioned cookies

2023-11-15 Thread Adam Warfield
The Rfc6265CookieProcessor supports setting the SameSite cookie attribute but 
starting in 2024, browsers will begin enforcing the newer "Partitioned" 
attribute for third-party cookies. Is there a way to set this attribute within 
Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects any 
webapps that are embedded within iframes across domains where those cookies 
will be rejected if not partitioned.

Adam


[ANN] Apache Tomcat 9.0.83 available

2023-11-15 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.83.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.83 is a bugfix and feature release. The notable
changes compared to 9.0.82 include:

- Fix reloading TLS configuration could cause the Connector to
   refuse new connections or the JVM to crash.

- Ensure that an IOException during the reading of the request
   always triggers error handling, regardless of whether the
   application swallows the exception.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
