Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-21 Thread Stefan Mayr
Hi, On 21.06.2023 at 12:20, Mark Thomas wrote: CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M5 Apache Tomcat 10.1.8 Apache Tomcat 9.0.74 Apache Tomcat 8.5.88 Description: The fix for

Re: Get Client Certificate Information

2023-06-21 Thread Timothy Ward
import javax.servlet.http.HttpServletRequest; import javax.security.cert.Certificate; import javax.security.cert.X509Certificate; public class GrabCert extends Object { public static String getCommonName() { try { X509Certificate[] certs = (X509Certificate[])

Re: Get Client Certificate Information

2023-06-21 Thread Martynas Jusevičius
Sorry, getHttpServletRequest() came from my code :) It’s not a Jakarta method. In JAX-RS frameworks such as Jersey you can use @Context or @Inject annotations to get request and servlet context objects (such as HttpServletRequest):

Re: Get Client Certificate Information

2023-06-21 Thread Christopher Schultz
Timothy, On 6/21/23 13:55, Timothy Ward wrote: Not sure it's lined up right, lost in copy/paste I think, the ^ seems to be initially under the (X509Certificate[]) right before the getHttpServletRequest(), so I thought it didn't like the getHttpServletRequest itself, maybe it doesn't like the

Re: Get Client Certificate Information

2023-06-21 Thread Timothy Ward
I'm attempting to run this from within Oracle 19c, so I believe that is throwing a whole other wrinkle in there. On Wed, Jun 21, 2023 at 1:48 PM Mark Thomas wrote: > > > On 21/06/2023 18:29, Timothy Ward wrote: > > I tried the following: > > > > import javax.servlet.http.HttpServletRequest; > >

Re: Get Client Certificate Information

2023-06-21 Thread Timothy Ward
Not sure it's lined up right, lost in copy/paste I think, the ^ seems to be initially under the (X509Certificate[]) right before the getHttpServletRequest(), so I thought it didn't like the getHttpServletRequest itself, maybe it doesn't like the getAttribute method. On Wed, Jun 21, 2023 at 1:52 

Re: Get Client Certificate Information

2023-06-21 Thread Rob Sargent
> On Jun 21, 2023, at 11:29 AM, Timothy Ward wrote: > > I tried the following: > > import javax.servlet.http.HttpServletRequest; > import javax.security.cert.Certificate; > import javax.security.cert.X509Certificate; > > X509Certificate[] certs = (X509Certificate[]) >

Re: Get Client Certificate Information

2023-06-21 Thread Mark Thomas
On 21/06/2023 18:29, Timothy Ward wrote: I tried the following: import javax.servlet.http.HttpServletRequest; If you are using the Java EE imports ... import javax.security.cert.Certificate; import javax.security.cert.X509Certificate; X509Certificate[] certs = (X509Certificate[])

Re: Get Client Certificate Information

2023-06-21 Thread Timothy Ward
I tried the following: import javax.servlet.http.HttpServletRequest; import javax.security.cert.Certificate; import javax.security.cert.X509Certificate; X509Certificate[] certs = (X509Certificate[]) getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate"); and I'm

Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application

2023-06-21 Thread Christopher Schultz
Mark and Dan, On 6/21/23 04:57, Mark Thomas wrote: On 20/06/2023 17:12, Dan McLaughlin wrote: Mark, What are your thoughts on changing the Tomcat codebase to return a 503 instead of a 404 if a context is marked as distributable or if clustering is enabled and deployed but stopped? When I did

Re: Conclusion - Re: Crypto Randomly Not Getting Initialized

2023-06-21 Thread Christopher Schultz
Simon, On 6/21/23 03:19, Simon Matter wrote: Jerry, On 6/15/23 00:41, Jerry Malcolm wrote: On 6/13/2023 3:46 PM, Jerry Malcolm wrote: On 6/13/2023 12:39 PM, Jerry Malcolm wrote: Rob, On 6/13/2023 11:34 AM, Rob Sargent wrote: In /etc/rc.local I have: -- sleep 120s

Re: Tomcat hosting issue/bug:

2023-06-21 Thread Christopher Schultz
Virendra, On 6/21/23 00:20, Virendra Barad wrote: I have multiple application with jdk-1.8. And I have already checked there is no log printed of any files like stdout, stderror, etc... it's only buffering for particular that application. How are you launching Tomcat? If you are using the

Re: Words of Wisdom re: Context Versioning - Parallel Deployment

2023-06-21 Thread Christopher Schultz
Dan, On 6/20/23 18:03, Christopher Schultz wrote: Dan, On 6/16/23 12:54, Dan McLaughlin wrote: Does anyone have any advice on implementing Context Versioning (parallel deployment) in Tomcat? It seems to have been a feature for quite some time. Is it stable? What are the typical issues

[SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

2023-06-21 Thread Mark Thomas
CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M5 Apache Tomcat 10.1.8 Apache Tomcat 9.0.74 Apache Tomcat 8.5.88 Description: The fix for bug 66512 introduced a regression that was fixed

Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application

2023-06-21 Thread Mark Thomas
On 20/06/2023 17:12, Dan McLaughlin wrote: Mark, What are your thoughts on changing the Tomcat codebase to return a 503 instead of a 404 if a context is marked as distributable or if clustering is enabled and deployed but stopped? When I did searches years ago on this issue, most people at the

Re: Conclusion - Re: Crypto Randomly Not Getting Initialized

2023-06-21 Thread Simon Matter
> Jerry, > > On 6/15/23 00:41, Jerry Malcolm wrote: >> >> On 6/13/2023 3:46 PM, Jerry Malcolm wrote: >>> >>> On 6/13/2023 12:39 PM, Jerry Malcolm wrote: Rob, On 6/13/2023 11:34 AM, Rob Sargent wrote: > In /etc/rc.local I have: >> >> -- >> sleep