>
>
>
>
>> E.g. "Transfer-Encoding: chunked" and "Content-Length" are mutually
>> exclusive, cannot be used at the same time, cannot be used more than
>> once. They should not be blindly copied.
>>
>
> Good question on that, I can take a look. I remove Content-Length from
> the downstream response
>
>
>
> Status 500 means that some error happened during processing.
>
> Is there anything in the logs? Exceptions?
>
>
The 500 was generated by a downstream Tomcat 8.5.11 server, this one is
just trying to proxy the message.
> Maybe the browser closes the connection by its own decision, without
>
>
> I'm working directly with the servlet api. What's odd is it worked fine in
> 8.0.39. The response is set first:
>
>
>
Also, I just verified the issue doesn't occur using undertow 1.3.25
Mark & Olaf,
I'm working directly with the servlet api. What's odd is it worked fine in
8.0.39. The response is set first:
https://github.com/TremoloSecurity/OpenUnison/blob/1.0.9/unison/unison-server-core/src/main/java/com/tremolosecurity/proxy/filter/PostProcess.java
- lines 110-121
Then I se
I'm running tomcat 8.0.41 on a CentOS7 Docker container. Something very
strange is happening. If I use a GET and return a 200 with JSON content
the data gets back to my browser. But if I run a POST and return a 500
with the content being JSON written to response.getOutputStream()
(including a fl
>
>
>
> Your request wrappers store their own reference to a
> HttpServletRequest in addition to the one stored by the
> ServletRequestWrapper class.
>
>
> My guess is that your issue will be solved if you either override
> ServletRequestWrapper.setRequest() to update your request field, or
> use
>
> You have to provide the actual source code.
>
> There is an example in the examples webapp that performs forwarding to
> a JSP and it works,
>
> \webapps\examples\WEB-INF\classes\ServletToJsp.java
>
>
So the good news is that I got it to work by getting rid of any of the
methods that were overi
All,
I'm having a very strange issue with
request.getServletContext().getRequestDispatcher().forward(). It gives me
a 404 on a JSP page that if I go to directly, works fine. This is with
tomcat 8.0.30 on OSX on JDK :
java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
I need to be more dynamic. I need to be able to set the session name and
domain based on the url.
On Sep 8, 2013 9:12 AM, "Michael-O" <1983-01...@gmx.net> wrote:
> On 2013-09-08 14:15, Marc Boorshtein wrote:
>
>> I'm trying to figure out how I can create custo
I'm trying to figure out how I can create custom session cookies. I've
found the Manager interface for creating the sessions, but there's nothing
about the actual session cookie. I don't see anything in the Valve
interface that will let me do this either. Is this possible in Tomcat 7
(or 8?).
T
Governments Not Unix? sounds counter productive...
On Tue, Feb 14, 2012 at 12:56 PM, Andrew Todd wrote:
> On Tue, Feb 14, 2012 at 11:51 AM, Christopher Schultz
> wrote:
>> Stallman as a government adviser? :)
>
> Shouldn't that be GNU/Government?
>
>
>
>> On 01/06/2011 16:16, Marc Boorshtein wrote:
>>> So for some reason the addHeader is not doing anything
>>
>> I'm guessing you haven't looked at the source for this yet.
>>
>> org.apache.catalina.connector#addHeader(String,String) is a
To quote one of my favorite tv shows, well there's your problem! Thanks,
I'll give this a try.
Marc
Sent from my iPad
On Jun 1, 2011, at 4:47 PM, Mark Thomas wrote:
> On 01/06/2011 16:16, Marc Boorshtein wrote:
>> So for some reason the addHeader is not doing anythin
> Hi, Marc-
>
> Is that a carriage return and/or line feed before the attribute name in the
> log file or just the formatting of the e-mail?
>
> -Terence Bandoian
>
just email formatting
>
> Can you try this:
>
> request.addHeader(attrib.getName(), val);
>
> logger.info("After added header: "
> + attrib.getName() + "="
> + request.getHeader(attrib.getName()));
>
> I wonder if the header value is being ignored because the request is
> frozen or someth
So I tried moving the configuration of the valve into the app's
META-INF/context.xml with no success. One thing I didn't mention that
is interesting is that I do set the request's setUserPrincipal(..)
and that works.
Thanks
Marc
On Tue, May 31, 2011 at 5:27 PM, Marc Bo
>
> Do you have any filters or other valves that might be wrapping the request
> and choosing to ignore your extra headers?
>
No, the app is just a servlet that loops over all the headers and
cookies and generates a properties response
> 1) Show us your modified conf/context.xml.
WE
I've got a simple Valve that creates some headers running on Tomcat6
6.0.32 that creates headers by calling request.addHeader(...). The
valve is configured in tomcat_home/conf/context.xml. The valve runs,
the headers are added but they don't make it to the underlying web
application. Am I missin
> Marc,
>
> On 5/24/2011 11:39 AM, Marc Boorshtein wrote:
>> SSLOptions +StdEnvVars
>> SSLOptions +ExportCertData
>>
>> JkExtractSSL On
>>
>>
>
> I'm not entirely sure about the JkExtractSSL option, but some other
> mod_jk options are
>
> And your SSLOptions are what exactly?
>
> Also Tomcat and mod_jk version info might be relevant.
>
LoadModule jk_module modules/mod_jk.so
LoadFile "/home/sys/ssl-poc/webgate/access/oblix/lib/libgcc_s.so.1"
LoadFile "/home/sys/ssl-poc/webgate/access/oblix/lib/libstdc++.so.5"
SSLOptions +St
I've setup a pretty generic httpd(2.2.19)+mod_jk to tomcat 6 on Oracle
Linux 5 (CentOS 5 equiv) with SSL setup. With JkExtractSSL and the
correct SSLOptions in the httpd configuration files. I can see the
SSL environment variables in /cgi-bin/printenv but no headers or
environment variables in th
Original Message
> From: Marc Boorshtein
> To: Tomcat Users List
> Sent: Sun, November 7, 2010 7:08:01 PM
> Subject: Re: Malicious host is crashing my server
>
> Do a search on SQL injection and you will get plenty of results
>
> Sent from my iPad
>
>
Do a search on SQL injection and you will get plenty of results
Sent from my iPad
On Nov 7, 2010, at 1:03 PM, "Caldarale, Charles R"
wrote:
>> From: Martin Gainty [mailto:mgai...@hotmail.com]
>> Subject: RE: Malicious host is crashing my server
>
>> the culprit will change IPs
>
> That's wh
JDBC? Are you sure it's not an attempted SQL Injection attack?
On Sun, Nov 7, 2010 at 12:23 PM, Assaf wrote:
> Hello,
>
> I have a recurring visitor (from a fixed IP
> address: bzq-79-177-23-102.red.bezeqint.net) who is constantly visiting my
> site
> and EACH time causes the server to crash. My
On Wed, Jun 23, 2010 at 8:49 AM, Savoy, Melinda
wrote:
> Let me ask, what may be a stupid question now, but when I print out the
> enumeration value of the request header names, see below, using
> request.getHeaderNames() should the user be listed as one of the headers
> which is passed on from
>
> Unless you are going to authenticate via one of Tomcat's authentication
> methods; BASIC, FORM, etc, then getRemoteUser() is going to return null.
>
> You'll need to add a security constraint, login-config and security-role to
> your web.xml to test getRemoteUser(); in just Tomcat.
>
This sh
On Tue, Jun 22, 2010 at 8:16 AM, Savoy, Melinda
wrote:
> Thanks Marc. I actually have that setting in my server.xml file as well.
>
Hmm, I've only gotten the ISAPI filter working once and not in this
context. Unless there are other ways to do this Pid's idea is
probably the best.
Marc
---
I haven't tried this with IIS, but we had quite the discussion on this
last week with Apache & tomcat with JK. In your server.xml file add
tomcatAuthentication="false" to the AJP connector object. If you look
in the archives of this list for JK_REMOTE_USER there is a very
interesting discussion o
>
> You're talking about having to change your app, but you've only
> described having to make modifications to a Tomcat internal support class.
>
> You seem to be saying that Tomcat has a compliancy issue - IMO the
> problem with leaving that unchallenged is that it breeds
> misunderstanding that
>> Hi.
>> I must say that, with my limited knowledge of the Tomcat internals taken
>> into consideration, I tend to agree with Marc in this case, if he is
>> right in claiming that the Tomcat Realm mixes authentication with
>> authorization and does not allow to separate the two.
>
> Well, he said
On Thu, Jun 17, 2010 at 9:11 AM, Mark Thomas wrote:
> On 17/06/2010 13:26, André Warnier wrote:
>> I must say that, with my limited knowledge of the Tomcat internals taken
>> into consideration, I tend to agree with Marc in this case, if he is
>> right in claiming that the Tomcat Realm mixes authe
>>
>> I'm not looking to start a holy war here, but is there anything
>> incorrect in what I said? Tomcat is a servlet container, the servlet
>
> Yes.
>
> You made a sweeping statement about container managed security which
> implied that things should just work. Someone has to make them work.
>
>>
>> The problem with the Realm system is it's designed with the assumption
>> that tomcat is doing the authentication which is not a valid
>> assumption in an environment where the authentication is separated
>> from authorization. The entire point of container security is that as
>> a coder I do
>
> To look at this from a very strict point of view, the whole area is already
> a bit stretched. Tomcat has this notion of "roles" (because the Servlet
> Spec has this same notion). But if you look at common authentication
> schemes, like NTLM or LDAP, they do not have this notion. It is possi
Sent from my iPhone
On Jun 16, 2010, at 11:12 AM, David kerber wrote:
On 6/16/2010 10:58 AM, Marc Boorshtein wrote:
...
That being said, the sequence of events should be:
1. Web server authenticates the user (works)
2. Pass the context to Tomcat (works)
3. Tomcat calls the realm to
OK, some context first:
What I'm trying to do is integrate a Commercial Off The Shelf (COTS)
application that relies on container security into a Web Access
Manager (WAM). In a typical WAM deployment AAA is broken up
into multiple layers:
Web Server - Authentication (via the WAM) and c
>
> You should not need to do that, it should be automatic.
> Just make sure that in the Tomcat for AJP (in server.xml), you
> set the attribute
> tomcatAuthentication="false"
>
> If the request is authenticated by Apache, mod_jk will (always) pass it
> internally to Tomcat, along with the request
All,
I'm trying to setup apache in front of tomcat and have apache do the
authentication for access and pass the user's context back to tomcat.
I've seen documentation that says that I should set the JK_REMOTE_USER
environment variable but it doesn't seem to be working. Here is my
httpd configura