Sorry, getHttpServletRequest() came from my code :) It’s not a Jakarta
method.
In JAX-RS frameworks such as Jersey you can use @Context or @Inject
annotations to get request and servlet context objects (such as
HttpServletRequest):
https://jakarta.ee/specifications/dependency-injection/2.0/apidocs
You can get client certificates from ServletRequest:
X509Certificate[] certs =
(X509Certificate[])getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/servletrequest#getAttribute(java.lang.St
Thanks.
On Mon, 6 Mar 2023 at 13.32, Mark Thomas wrote:
> On 06/03/2023 12:24, Martynas Jusevičius wrote:
> > Hi,
> >
> > I have a JAX-RS application deployed on Tomcat.
> >
> > When a URL contains dots, I get a 422 Unprocessable Entity response
> > w
Hi,
I have a JAX-RS application deployed on Tomcat.
When a URL contains dots, I get a 422 Unprocessable Entity response
which looks like it's coming from Tomcat.
When I remove the dots, the request works fine and reaches my application.
Is that Tomcat's behavior?
Martynas
sually in response to request smuggling concerns.
>
> CR 0x0d carriage return
> LF 0x0a line feed
>
> HTH,
>
> Mark
>
>
> On 15/12/2022 21:23, Mark Thomas wrote:
> > Sounds good. Could you send it directly to me again please.
> >
> > Thanks.
> >
>
On 15/12/2022 20:03, Mark Thomas wrote:
> > Hi Martynas,
> >
> > The list strips (nearly all) attachments. Please send it to me directly
> > and I'll let you know if it is what we need.
> >
> > Mark
> >
> >
> > On 15/12/2022 19:51, Martyna
ind?
>
> Mark
>
>
> On 15/12/2022 16:17, Martynas Jusevičius wrote:
> > Hi,
> >
> > After upgrading from 9.0.59 to 10.1.4, I've started getting these kind
> > of errors:
> >
> > java.lang.IllegalArgumentException: The HTTP header l
Hi,
After upgrading from 9.0.59 to 10.1.4, I've started getting these kind
of errors:
java.lang.IllegalArgumentException: The HTTP header line
[if-none-match:"e76590d5""] does not conform to RFC 7230 and has been
ignored.
at
org.apache.coyote.http11.Http11InputBuffer.skipLine(Http11Input
Hi,
Wouldn’t this setup be easier to deploy as a Docker container?
We have an image with SSL server cert support:
https://github.com/AtomGraph/letsencrypt-tomcat
On Mon, 18 Jul 2022 at 16.09, Aryeh Friedman
wrote:
> Here are the steps to installing a SSL cert (it varies slightly based
> on who
My bad :) CATALINA_OPTS was malformed.
On Sat, May 15, 2021 at 10:19 AM Martynas Jusevičius
wrote:
>
> Hi,
>
> I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very
> end of the entrypoint script calls 'catalina.sh run'.
>
> This has worked fine bo
Hi,
I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very
end of the entrypoint script calls 'catalina.sh run'.
This has worked fine both on my local Windows and on a CentOS server.
However when I start a container on Amazon ECS with AMI Linux, I get
the error below when catalina
Rony,
you might want to look into containerizing your webapps. We use an
XSLT stylesheet (invoked by the entrypoint script) that transforms env
params into context.xml params:
https://github.com/AtomGraph/LinkedDataHub/blob/master/platform/context.xsl
Martynas
On Wed, Apr 14, 2021 at 2:16 PM Ro
I think this is where you need to wrap your apps into Docker images :)
See this base image for example:
https://hub.docker.com/r/atomgraph/letsencrypt-tomcat
It configures server.xml by using an XSLT stylesheet and environmental
parameters:
https://github.com/AtomGraph/letsencrypt-tomcat/blob/mas
Not sure if related, but JPDA address config changed from -
JPDA_ADDRESS=8000 on Tomcat 8 to - JPDA_ADDRESS=*:8000 on Tomcat 9
(i.e. host needs to be included, or a wildcard).
On Tue, Feb 2, 2021 at 12:22 PM Suvendu Sekhar Mondal wrote:
>
> Hello Everyone,
>
> We recently migrated Tomcat from 7.0
Hi,
How do I limit request rates using Tomcat 9.0.x?
Something similar to limit_req in nginx:
https://www.nginx.com/blog/rate-limiting-nginx/
Martynas
atomgraph.com
Christopher,
thanks for your reply. Answers inline.
> > What I see in the profiler is Max Heap Size 310378496 B, which is only 0.28
> > GiB.
>
> This is probably the maximum size of the /used/ heap. Can you confirm that?
Nope. Netbeans profiler says: Max Heap Size 310378496 B, Max Used Heap
261
Hi,
I am attempting to make my webapps that run in Tomcat to take
advantage of the Docker container-specific JVM options such as
-XX:MaxRAMPercentage:
https://www.eclipse.org/openj9/docs/xxinitialrampercentage/
TL;DR It allows specifying JVM heap as % of the container memory limit
rather than usin
https://github.com/AtomGraph/letsencrypt-tomcat
On Sun, Oct 4, 2020 at 8:04 PM Garret Wilson wrote:
>
> Hi, everyone. I'm back already. (I had intended to leave the list to
> focus my efforts elsewhere, but … here I am again.)
>
> I just realized there is a big SSL problem for small applications,
Hi,
I enabled GZip compression on using 8.0.44.
Then I noticed that text/html documents are getting compressed, but
others were not.
I guess this is due to the default compressibleMimeType? Which is
"text/html,text/xml,text/plain,text/css,text/javascript,application/javascript".
https://tomcat.
> >
> >On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
> >> why should DELETE or OPTIONS not be enabled? They are standard HTTP
> >methods.
> >
> >True, but (quoting the audit report)
> >> . . . [DELETE] may allow a remote attacker to delete arbitrary file
Hi,
why should DELETE or OPTIONS not be enabled? They are standard HTTP methods.
On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert
wrote:
>
> Ladies and Gentlemen:
>
> One of our customers did a security audit on the Tomcat server we
> maintain on their system, and it found a few issues:
>
>
%3A5443 test %{QUERY_STRING} to rule with pattern
^(.*)(localhost\%3A5443)(.*)$ and substitution $1localhost$3
On Mon, Mar 2, 2020 at 11:51 AM Martynas Jusevičius
wrote:
>
> No matter where I place the rewrite.config, cannot get the
> RewriteValve to find it.
>
> I tried:
> * /usr
]
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state
for [org.apache.catalina.valves.rewrite.RewriteValve[]] to [STARTED]
On Sun, Mar 1, 2020 at 2:15 PM Martynas Jusevičius
wrote:
>
> I hit a snag with the query string. In some cases it contains the
> webapp base URI in a query parameter
2020 at 4:21 PM Martynas Jusevičius
wrote:
>
> Thanks! I actually needed proxyPort="443" to make the URL
> https://localhost, but your suggestion did the trick.
>
> On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote:
> >
> >
> >
> > On 28/02/2020
Thanks! I actually needed proxyPort="443" to make the URL
https://localhost, but your suggestion did the trick.
On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote:
>
>
>
> On 28/02/2020 22:26, Martynas Jusevičius wrote:
> > Yes the clients connect only directly to
calhost:80/443 instead of
localhost:90/5443.
Absolute URIs matter in this case because they are used for direct
lookups in an RDF triplestore and RDF uses absolute URIs.
On Fri, Feb 28, 2020 at 10:59 PM Mark Thomas wrote:
>
> On 28/02/2020 21:00, Martynas Jusevičius wrote:
> > Se
ething placed in context.xml would be ideal.
On Thu, Feb 27, 2020 at 11:52 AM Martynas Jusevičius
wrote:
>
> Tomcat is deep within the Docker image configured with a single
> connector and a single ROOT webapp, so it's easier to deploy a second
> container than to add a second con
/2020 10:28, Martynas Jusevičius wrote:
> > Yes, that could be an option. Or, since we're on Docker, a second
> > instance of the webapp on a different port would be easier.
> >
> > But we would need to add some URL rewriting proxy before that
> > connector to str
with nginx which we are using
anyway.
So essentially 2 webapps on different ports, one configured without
the clientAuth for the end-users, and one with clientAuth for the API
access, correct?
On Thu, Feb 27, 2020 at 11:18 AM Mark Thomas wrote:
>
> On 27/02/2020 09:58, Martynas Jusevičius wr
Hi list,
I'm using a Docker image based on tomcat:8.0-jre8. It serves as an
end-user facing webapp but also as a REST API which authenticates
using client certificates. The same URLs serve both purposes, however
only administrators are using the API.
The Connector is configured using clientAuth="
Why build the webapp outside Docker? It means that docker build is not
enough to give you an image, it needs some extra steps beforehand.
On Fri, Jan 10, 2020 at 12:47 PM Alex K wrote:
>
> Just to follow-up on this in case it will be useful to anyone, I managed to
> use also the official tomcat i
Forget Kubernetes for now :)
My recipe is using a multi-stage build. Very crudely:
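FROM maven as maven
# copy the project sources into the build stage
WORKDIR /webapp
COPY . .
# build your webapp into a .war
RUN mvn clean install
FROM tomcat
# copy the exploded webapp folder from the build stage
COPY --from=maven /webapp/target/ROOT webapps/ROOT/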
It copies the whole folder from the build directory rather than the .war file.
Richard,
I think the rule goes that you should avoid touching server.xml for
something that web.xml can do.
On Sun, Jul 21, 2019 at 4:40 AM Richard Huntrods wrote:
>
> I apologise for top posting in advance, but just a quick update and
> quicker question...
>
> After Konstantin found my typo, I
My advice when it comes to making your setup environment-agnostic:
Docker'ize it.
I haven't used Docker on AWS, but once you have an image running
locally you can be 98% sure it's gonna run on the server (e.g.
mounting files from host can cause some differences still, so best to
avoid that).
See
images have an entrypoint, which is the shell script making changes to
server.xml in this case:
https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh
On Wed, 17 Jul 2019 at 02.34, André Warnier (tomcat) wrote:
> On 16.07.2019 19:54, Martynas Jusevičius wrote:
> >
Grigor,
I think this is a use case that Docker containers at least partially
address.
I find deploying containers way easier to share/deploy and more
platform-independent than WAR files.
I’ve created a Tomcat-based image that accepts ENV variables and modifies
server.xml using their values:
http
In my experience with 8.x -- on all requests.
On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon
wrote:
>
> I was hoping to get some clarification on when to expect client x509 certs in
> http requests where the Tomcat server (v9.x) has been configured to “want” or
> “need” client auth.
> https://j
Ettra,
see also this thread:
https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E
I did this with front nginx eventually.
On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot wrote:
>
> Thank you for the detailed ans
>>>
>>> On 8/17/18 4:09 AM, Mark Thomas wrote:
>>>> On 16/08/18 13:40, Martynas Jusevičius wrote:
>>>>> Hi,
>>>>>
>>>>> my initial observations suggest, and SO post [1] seems to
>>>>> confirm, that when
>
Hi,
my initial observations suggest, and SO post [1] seems to confirm, that when
CONFIDENTIAL
is specified on a security-constraint in web.xml, Tomcat does two things:
1. automatically redirects to HTTPS
2. appends Cache-Control: private and Expires: Thu, 01 Jan 197
Paul,
see if this Docker setup could help:
https://github.com/AtomGraph/letsencrypt-tomcat
I also have nginx config that works with it.
Martynas
atomgraph.com
On Sat, Jan 6, 2018 at 7:46 PM, Paul Beard wrote:
>
>
> > On Jan 4, 2018, at 1:53 AM, Mark Thomas wrote:
> >
> > This might help.
I think Tomcat 9 supports PEM files directly, but if you want to use PKCS12,
this might help:
https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh#L33
On Fri, Oct 27, 2017 at 1:22 PM, Don Flinn wrote:
> I am writing a Java program to get a certificate from letsencrypt put it
te, it's
> something that was manually written by some client.
>
> On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius <
> marty...@atomgraph.com>
> wrote:
>
> > Tomcat is an HTTP server, and if your client is sending invalid HTTP
> > requests, Tomcat is righ
ion? But I would be happy to hear thoughts on this as I'm still
> fairly new to programming. I'm not sure what is considered best practice
> here.
>
> Thanks.
>
> On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <
> marty...@atomgraph.com
> > wrot
How is 404 better than 400?
On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz
wrote:
> Tomcat version:8.0.43
> jdk1.8.0_05
>
> Hello,
>
> I've asked a similar question in the past about illegal characters in the
> http request header (May 15, 2017).
>
> Certain users are able to send http requests t
Hi,
we have made a Docker image that configures Tomcat with LE certs:
https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/
It hasn't been tested in production though.
Martynas
atomgraph.com
On Thu, 24 Aug 2017 at 20.50, Chris Cheshire wrote:
> Currently I am using httpd to handle SSL (becaus
hostname in your env? Try to disable the valve and test "<%=
> request.getRemoteHost() %>" in a simple jsp until you can get the right
> value before re-enable the valve again.
>
> --Zemian
>
> On Mon, Aug 7, 2017 at 11:46 AM, Martynas Jusevičius <
> marty
Hi,
I'm deploying WAR from Jenkins Docker container to Tomcat Docker container.
In server.xml I have enableLookups to enable DNS lookups
and in conf/Catalina/localhost/manager.xml I have
There is also manager-script role and user in tomcat-users.xml but I won't
post it because authe
Actually I am using Tomcat on Docker:
https://hub.docker.com/_/tomcat/
I do not really know the answer to your question :/
On Sun, 30 Jul 2017 at 23.12, Mark Thomas wrote:
> On 30/07/17 21:35, Martynas Jusevičius wrote:
> > Hey list,
> >
> > I need my webapp to
Hey list,
I need my webapp to accept all SSL client certificates and do its own
validation.
I'm upgrading server.xml from the JSSE SSL Connector which used
clientAuth="want" and a custom trustManagerClassName in order to do that.
The 8.5.16 docs indicate that this should be replaced with SSLHost