Re: Tomcat http header size too large!

пн, 15 июл. 2024 г. в 11:24, Mark Thomas : > > On 14/07/2024 00:28, Pradeep wrote: > > Hi, > > > > I need some tips to solve below issue. > > I am getting 431 http error in API (code running in tomcat) when header > > size crosses 8KB. Tomcat server doesn't process request if header size is > >

Re: Tomcat http header size too large!

On 14/07/2024 00:28, Pradeep wrote: Hi, I need some tips to solve below issue. I am getting 431 http error in API (code running in tomcat) when header size crosses 8KB. Tomcat server doesn't process request if header size is more than 8KB. I tried adding below properties to increase the header

Re: Tomcat 10.x over 9.x

On Fri, Jul 12, 2024 at 1:04 PM Dimitris Soumis wrote: > > Hello, > > Regarding the end-of-life date for Tomcat 9.0.x, you can find the relevant > information in this link, which contains an email from the mailing list: End > of Lifecycle for Tomcat 9.0.x >

Re: Tomcat 10.x over 9.x

Hello, Regarding the end-of-life date for Tomcat 9.0.x, you can find the relevant information in this link, which contains an email from the mailing list: End of Lifecycle for Tomcat 9.0.x . As for the necessity of upgrading to

Re: Tomcat 10.x over 9.x

Hi https://googlethatforyou.com?q=tomcat%20lifecycle Result: https://endoflife.date/tomcat Regarding "necessity of upgrading tomcat to 10.1.x from 9.x": https://tomcat.apache.org/whichversion.html Specifically: * Apache Tomcat 9.x builds on Tomcat 8.0.x and 8.5.x and implements the

Re: Tomcat silently shuts down after 10 minutes - SOLVED

Bryan, On 7/5/24 17:08, Bryan Buchanan wrote: Thanks all for the replies. Turns out I needed to execute my "C" program with a "nohup" i.e. $ nohup /usr/local/bin/ManageTomcat START Tomcat was only stopping after about 10 mins because that's when I logged out. Doh ! In the business app code

Re: Tomcat silently shuts down after 10 minutes - SOLVED

Thanks all for the replies. Turns out I needed to execute my "C" program with a "nohup" i.e. $ nohup /usr/local/bin/ManageTomcat START Tomcat was only stopping after about 10 mins because that's when I logged out. Doh ! In the business app code I now execute the above and regular users can

Re: Tomcat silently shuts down after 10 minutes

Bryan, I would set Tomcat up as a service and let systemd handle startup and shutdown. Create a unit file for tomcat: /etc/systemd/system/tomcat.service - Begin Unit File Contents [Unit] Description=Tomcat 9.0 After=network.target [Service] Type=forking User=joe Group=joe

Re: Tomcat silently shuts down after 10 minutes

Hi, This looks like an orderly shutdown of tomcat, can you attach strace and see if tomcat process does receive a signal from somewhere? Mfg Thomas Am 4. Juli 2024 14:46:17 MESZ schrieb Bryan Buchanan : >I'm running Tomcat 9.0.14 on Centos 8 with JDK 15. > >Tomcat is loaded in /opt/tomcat,

Re: Tomcat silently shuts down after 10 minutes

> I think you should check the return value of setuid. > > I don't think you can change the uid of a process that easily. > > Otherwise you could also write setuid(0), become root and that would look to > me as a huge security hole. > You need to be root to "chmod u+s [your_program]" so

Re: Tomcat silently shuts down after 10 minutes

On 04.07.24 15:27, Zerro wrote: On 7/4/24 2:46 PM, Bryan Buchanan wrote: I'm running Tomcat 9.0.14 on Centos 8 with JDK 15. Tomcat is loaded in /opt/tomcat, the directory owned by "joe". If I login as "joe" and start Tomcat, everything is fine. We have people login to the Centos system to

Re: Tomcat silently shuts down after 10 minutes

On 7/4/24 2:46 PM, Bryan Buchanan wrote: I'm running Tomcat 9.0.14 on Centos 8 with JDK 15. Tomcat is loaded in /opt/tomcat, the directory owned by "joe". If I login as "joe" and start Tomcat, everything is fine. We have people login to the Centos system to run the business application as

Re: Tomcat 10.1.25 - How to enable access to the "/examples/jsp/security/protected/index.jsp"?

Hi, I think that I found the problem. The web.xml file has and auth-constraint: ``` tomcat role1 ``` If I log in as a user that has one of those roles, then the access is successful ! Jim On Mon, Jul 1, 2024 at 5:59 PM o haya wrote: > Hi, > > I just deployed Tomcat 10.1.25 to my

RE: Tomcat MySQL Connection Pooling JNDI lookup

? Dan -Original Message- From: Christopher Schultz Sent: Wednesday, June 19, 2024 5:10 PM To: users@tomcat.apache.org Subject: Re: Tomcat MySQL Connection Pooling JNDI lookup Daniel, On 6/19/24 16:37, Daniel Schwartz wrote: > I followed you instruction to move the context.xml f

Re: Tomcat MySQL Connection Pooling JNDI lookup

hristopher Schultz Sent: Wednesday, June 19, 2024 12:34 PM To: users@tomcat.apache.org Subject: Re: Tomcat MySQL Connection Pooling JNDI lookup Daniel, On 6/19/24 11:40, Daniel Schwartz wrote: Dear Felix, Thank you for your reply. The connector jar file is at C:\Program Files\apache-tomc

Re: Tomcat 9 symlinks ?

Chuck, On 6/19/24 15:49, Chuck Caldarale wrote: On Jun 19, 2024, at 14:42, Stephen Tenberg wrote: You asked why path="" instead of path="foo" in context at server.xml? That was our attempt to mount this application at "/" instead of at "/foo" which is a requirement here. Just deploy

RE: Tomcat MySQL Connection Pooling JNDI lookup

@tomcat.apache.org Subject: Re: Tomcat MySQL Connection Pooling JNDI lookup Daniel, On 6/19/24 11:40, Daniel Schwartz wrote: > Dear Felix, > > Thank you for your reply. The connector jar file is at > > C:\Program > Files\apache-tomcat-10.1.24\lib\mysql-connector-j-8.4.0.jar >

Re: Tomcat 9 symlinks ?

Also take a look at this: https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Default_web_applications - Chuck > On Jun 19, 2024, at 15:23, Robert Turner wrote: > > This page might be a useful resource to read if you haven't already: >

Re: Tomcat 9 symlinks ?

This page might be a useful resource to read if you haven't already: https://tomcat.apache.org/tomcat-9.0-doc/config/context.html The short version is -- to publish an application in the "root" web url path (of http(s)://your.server-name.com/), you can name your WAR file "ROOT.war" and copy it to

Re: Tomcat 9 symlinks ?

> On Jun 19, 2024, at 15:16, Stephen Tenberg wrote: > > Thank you. Do we just rename the existing ROOT to something else so the > admin stuff is available? The default ROOT application does not have any admin purpose itself, but it does have links to admin functions that are separate from

Re: Tomcat 9 symlinks ?

Thank you. Do we just rename the existing ROOT to something else so the admin stuff is available? The path="" was appealing as we want this existing large application to be available as "/". Is renaming ROOT a better way of achieving this? On Wed, Jun 19, 2024 at 3:50 PM Chuck Caldarale wrote:

Re: Tomcat 9 symlinks ?

> On Jun 19, 2024, at 14:42, Stephen Tenberg wrote: > > You asked why path="" instead of path="foo" in context at server.xml? > > That was our attempt to mount this application at "/" instead of at "/foo" > which is a requirement here. Just deploy the application as ROOT (case matters)

Re: Tomcat 9 symlinks ?

Thanks very much for the comprehensive reply. I tried as you suggested and it worked fine, resolving symbolic links both inside and outside the tomcat webapps directory. You asked why path="" instead of path="foo" in context at server.xml? That was our attempt to mount this application at "/"

Re: Tomcat 9 symlinks ?

Stephen, On 6/19/24 13:55, Stephen Tenberg wrote: Hello I have scoured the web trying to get symlinks working for jsp pages or folders in Tomcat 9 using Ubuntu 20.04. Here is how to repeat the issue, and what I have tried. 1. Create a new folder in webapps, say "foo" 2. Put HelloWorld.jsp

Re: Tomcat MySQL Connection Pooling JNDI lookup

On 6/19/2024 1:02 PM, Chuck Caldarale wrote: On Jun 19, 2024, at 10:09, Daniel Schwartz wrote: Dear Thomas, Your email came with no content. Please try again. Thomas’ message looked fine here as well. Check your e-mail client. - Chuck I saw the quoted message Mark was responding to

Re: Tomcat MySQL Connection Pooling JNDI lookup

> On Jun 19, 2024, at 10:09, Daniel Schwartz wrote: > > Dear Thomas, > > Your email came with no content. Please try again. Thomas’ message looked fine here as well. Check your e-mail client. - Chuck - To unsubscribe,

Re: Tomcat MySQL Connection Pooling JNDI lookup

Daniel, On 6/19/24 11:40, Daniel Schwartz wrote: Dear Felix, Thank you for your reply. The connector jar file is at C:\Program Files\apache-tomcat-10.1.24\lib\mysql-connector-j-8.4.0.jar The latest entry in catalina.2024-06-17.log is copied below. The latest entry in

Re: Tomcat MySQL Connection Pooling JNDI lookup

Daniel, On 6/19/24 11:09, Daniel Schwartz wrote: Dear Thomas, Your email came with no content. Please try again. His reply email looks fine to me. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org

RE: Tomcat MySQL Connection Pooling JNDI lookup

olExecutor.java:1190) at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) at java.base/java.lang.Thread.run(Thread.java:1583) -----Original Message- From: Felix Schumac

RE: Tomcat MySQL Connection Pooling JNDI lookup

Dear Thomas, Your email came with no content. Please try again. Dan Schwartz From: Thomas Hoffmann (Speed4Trade GmbH) Sent: Wednesday, June 19, 2024 2:05 AM To: Tomcat Users List Subject: AW: Tomcat MySQL Connection Pooling JNDI lookup

Re: Tomcat MySQL Connection Pooling JNDI lookup

Am 17. Juni 2024 22:18:53 MESZ schrieb Daniel Schwartz : >Hello, > > > >I'm trying to set up MySQL 8.0.11 database connection pooling in Tomcat >10.1.24 on Windows 10. The MySQL database is "holidays" with user name >"root" and password "rootpwd". I've tried to follow the examples at

Re: Tomcat 9: Java 11 to Java 17

Ryan, Word-wrapping didn't help on this one... On 6/10/24 15:44, Ryan Esch wrote: Hi folks,I have a webapp running Apache Tomcat 9.0.67 with Java 11, using JASPIC for authentication. For reference, using these:             org.apache.tomcat            tomcat-catalina            9.0.85      

Re: Tomcat 9: Java 11 to Java 17

> On Jun 10, 2024, at 14:48, Paul Leo wrote: > > I could be wrong, but I don't think you need jakarta for Tomcat 9. You need > it for TomEE 9 and Tomcat 10. But please someone verify. Not sure about TomEE, but Tomcat 9 certainly expects javax.* classes, not jakarta.* ones; the use of

Re: Tomcat 9: Java 11 to Java 17

I could be wrong, but I don't think you need jakarta for Tomcat 9.  You need it for TomEE 9 and Tomcat 10.  But please someone verify. On 6/10/2024 1:44 PM, Ryan Esch wrote: Hi folks,I have a webapp running Apache Tomcat 9.0.67 with Java 11, using JASPIC for authentication. For reference,

Re: Tomcat 9.0.xx JDK Version Support and EOL

Chaitanya, On 6/5/24 09:11, Chaitanya Gopisetti wrote: Also can you update on the End of life expected date for Tomcat 9.0.x version -Original Message- From: Christopher Schultz Sent: Wednesday, June 5, 2024 6:37 PM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.xx JDK Version

Re: Tomcat 9.0.xx JDK Version Support and EOL

: Wednesday, June 5, 2024 6:37 PM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.xx JDK Version Support and EOL Chaitanya, On 6/5/24 08:47, Chaitanya Gopisetti wrote: It was mentioned that Tomcat 9.0.x supports java 8 and later. So wanted to know whether it supports Jdk 21? Also wanted to know

RE: Tomcat 9.0.xx JDK Version Support and EOL

Also can you update on the End of life expected date for Tomcat 9.0.x version -Original Message- From: Christopher Schultz Sent: Wednesday, June 5, 2024 6:37 PM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.xx JDK Version Support and EOL Chaitanya, On 6/5/24 08:47, Chaitanya

Re: Tomcat 9.0.xx JDK Version Support and EOL

Chaitanya, On 6/5/24 08:47, Chaitanya Gopisetti wrote: It was mentioned that Tomcat 9.0.x supports java 8 and later. So wanted to know whether it supports Jdk 21? Also wanted to know the End of life expected date for Tomcat 9.0.x version. Tomcat 9 should run jut fine on any Java version from

Re: Tomcat 9 memory leak message

Jenny, On 6/3/24 12:35, Ying Jin wrote: Chris, Thanks for your suggestion! Another question I would like to confirm with you is if we have to remove the ojdbc jar file from our web application’s web-inf/lib folder or not. The reason of our concern is that we need to use the same code base to

Re: Tomcat 9 memory leak message

Terence, thanks for your reply! best, Jenny On Sun, Jun 2, 2024 at 3:11 AM Terence M. Bandoian wrote: > A long time ago (Tomcat 7), I would see a Tomcat memory leak detection > error on shutdown if the JDBC driver was located in WEB-INF/lib but not > if it was in the Tomcat lib directory.

Re: Tomcat 9 memory leak message

Chris, Thanks for your suggestion! Another question I would like to confirm with you is if we have to remove the ojdbc jar file from our web application’s web-inf/lib folder or not. The reason of our concern is that we need to use the same code base to create a jar file and deploy it to stone

Re: Tomcat 9 memory leak message

A long time ago (Tomcat 7), I would see a Tomcat memory leak detection error on shutdown if the JDBC driver was located in WEB-INF/lib but not if it was in the Tomcat lib directory. Explicitly de-registering the driver with a ServletContextListener on shutdown eliminated the error. I'm not

Re: Tomcat 9 memory leak message

Jenny, (Apologies for top-posting) “Safely ignored” can mean many things. You are only in danger of running out of heap space. So if you aren’t worried about that, feel free to ignore the error message. If it were my system, I would want to ensure a clean unload of the driver when the

Re: Tomcat 9 memory leak message

: > Hello Jenny, > > > -Ursprüngliche Nachricht- > > Von: Ying Jin > > Gesendet: Samstag, 1. Juni 2024 00:18 > > An: Tomcat Users List > > Betreff: Re: Tomcat 9 memory leak message > > > > Chris, > > > > Thanks for your reply! > >

Re: Tomcat 9 memory leak message

Chris, Thanks for your reply! We already removed the ojdbc8.jar file from the application's Web-inf/lib folder as suggested in the following post, however, we still got the warning messages below after the application is deployed to the Tomcat 9 server.

Re: Tomcat 9 memory leak message

Jenny, On 5/31/24 14:52, Ying Jin wrote: We removed the ojdbc8 driver jar from web-inf/lib from the web application and kept the ojdbc8 jar file in the Tomcat/lib folder, but we still can see the following memory link warning message whenever we redeploy the web application. We use the Tomcat

RE: Re: Tomcat Console - 401 Unauthorized

And the winner is: Chuck  I tried Chrome (instead of the Corporate mandated browser Edge) and I was right away challenged for credentials. Thanks for all those who responded. From: Chuck Caldarale Sent: Wednesday, May 22, 2024 4:36 PM To: Tomcat Users List Subject: {EXTERNAL} Re: Tomcat

Re: Tomcat Console - 401 Unauthorized

> On May 22, 2024, at 13:31, Garber, Frank > wrote: > > Not knowing how it’s supposed to behave, here’s another clue. When I click on > the “Server Status” button, I never get prompted for credentials. This sounds like a browser configuration problem. On the first attempt to access a

RE: Re: Tomcat Console - 401 Unauthorized

: Wednesday, May 22, 2024 2:26 PM To: Tomcat Users List Subject: RE: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized I’m not sure how the URLs got munged up. What I have on my side is valid XML, so I’m not worried about that. I’m really just concerned that the following isn’t working

RE: Re: Tomcat Console - 401 Unauthorized

Subject: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized > On May 22, 2024, at 10: 51, Garber, Frank com. INVALID> wrote: > > I've just installed Tomcat 9. 0. 89. > > Tomcat runs, and I can get to the console at https: //urldefense.  > com/v3/__http: //localhost:

Re: Tomcat Console - 401 Unauthorized

> On May 22, 2024, at 10:51, Garber, Frank > wrote: > > I've just installed Tomcat 9.0.89. > Tomcat runs, and I can get to the console at http://localhost:8080/ but, when > I click on "Server Status" I get the 401 Unauthorized page. > I've been editing the conf\tomcat-users.xml file

Re: Tomcat closes connections on unexpected status codes

Chris, On Fri, Apr 19, 2024 at 4:40 AM Christopher Schultz wrote: > > Pawel, > > On 4/18/24 20:21, Pawel Veselov wrote: > >> On 18/04/2024 15:18, Stefan Ansing wrote: > >>> Hi Rémy, Mark, > >>> I just want to make sure that we’re understanding each other. I can see > >>> that the connection

Re: Tomcat closes connections on unexpected status codes

> Assuming it's easy for Tomcat to differentiate between errors generated My PR was based on the assumption that it is easy, since Tomcat always invokes this method[1] if it's a badRequest. [1]

Re: Tomcat closes connections on unexpected status codes

Stefan, On 4/24/24 13:58, Stefan Ansing wrote: Op do 18 apr 2024 om 17:42 schreef Mark Thomas : On 18/04/2024 15:18, Stefan Ansing wrote: Hi Rémy, Mark, I just want to make sure that we’re understanding each other. I can see that the connection needs to be closed in certain conditions to

Re: Tomcat closes connections on unexpected status codes

Op do 18 apr 2024 om 17:42 schreef Mark Thomas : > On 18/04/2024 15:18, Stefan Ansing wrote: > > Hi Rémy, Mark, > > > > > > > > I just want to make sure that we’re understanding each other. I can see > > that the connection needs to be closed in certain conditions to prevent > > request smuggling

Re: Tomcat closes connections on unexpected status codes

es. 404 means "this >> resource does not exist" and 204 means "this resource DOES EXIST but it >> doesn't contain anything". Your application may not differentiate >> between those two cases, but as a client I would be confused if "Not >> Found&qu

RE: [EXT]Re: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

List Cc: Voodoo nmulcahy gmail ; Rob Kowald Subject: RE: [EXT]Re: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group Your suggestion worked Chuck, Thank you! I now see this in cat log.. 23-Apr-2024 08:30:10.969 INFO [Catalina-utility-1

RE: [EXT]Re: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group > On Apr 22, 2024, at 18:48, Rick Noel wrote: > > So you mean we use the VM's IP as the address value below > Instead or using the value of auto ? > >

Re: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

> On Apr 22, 2024, at 18:48, Rick Noel wrote: > > So you mean we use the VM's IP as the address value below > Instead or using the value of auto ? > > address="auto" >port="4001" > autoBind="100" >

Re: Tomcat log warnings for connection parameter limits?

Thanks, Mark. Submitted < https://bz.apache.org/bugzilla/show_bug.cgi?id=68934> On Tue, Apr 16, 2024 at 4:44 AM Mark Thomas wrote: > It would be worth creating an enhancement request for this in Bugzilla > to ensure the request doesn't get forgotten about. > > Mark > > > On 16/04/2024 01:06,

RE: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

Subject: [EXT]Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group > On Apr 22, 2024, at 16:33, Rick Noel wrote: > > Tomcats are two different VMs Which explains why they can’t talk to each other over 127.0.0.1. > What do you mean each containers

Re: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

> On Apr 22, 2024, at 16:33, Rick Noel wrote: > > Tomcats are two different VMs Which explains why they can’t talk to each other over 127.0.0.1. > What do you mean each containers published IP Each VM or container will have an assigned, individual IP address so it can communicate with

RE: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group

Rick Noel Systems Programmer | Westwood One rn...@westwoodone.com -Original Message- From: Chuck Caldarale Sent: Monday, April 22, 2024 4:41 PM To: Tomcat Users List Subject: [EXT]Re: Tomcat 10 skipping state transfer. No members active in cluster group > On Apr 22, 2024, at 09

Re: Tomcat 10 skipping state transfer. No members active in cluster group

> On Apr 22, 2024, at 09:54, Rick Noel wrote: > > Could someone please explain why I am getting the error > > skipping state transfer. No members active in cluster group Need a bit more information. > On one sever the reciever is bound to >

Re: Tomcat 10 skipping state transfer. No members active in cluster group

Would you please take me off of this list On Mon, Apr 22, 2024 at 9:01 AM Rick Noel wrote: > Hello, > > Could someone please explain why I am getting the error > > skipping state transfer. No members active in cluster group > > On one sever the reciever is bound to >

Re: Tomcat closes connections on unexpected status codes

04 No Content is normally used with PUT and DELETE requests. > > Yes, you can use those. 200 would also make sense and, of course 201 for > new resources. > > -chris > > > -Original Message- > > From: Christopher Schultz > > Sent: perjantai 19. huhtikuuta 202

Re: Tomcat closes connections on unexpected status codes

if "Not Found" was replaced by "Found to be empty" in all cases. 204 No Content is normally used with PUT and DELETE requests. Yes, you can use those. 200 would also make sense and, of course 201 for new resources. -chris -Original Message- From: Christopher Sc

RE: Tomcat closes connections on unexpected status codes

rri -Original Message- From: Christopher Schultz Sent: perjantai 19. huhtikuuta 2024 14.27 To: users@tomcat.apache.org Subject: Re: Tomcat closes connections on unexpected status codes Mark, On 4/18/24 11:38, Mark Thomas wrote: > On 18/04/2024 15:16, Adwait Kumar Singh wrote: >> I thi

Re: Tomcat closes connections on unexpected status codes

Pawel, On 4/18/24 20:21, Pawel Veselov wrote: On 18/04/2024 15:18, Stefan Ansing wrote: Hi Rémy, Mark, I just want to make sure that we’re understanding each other. I can see that the connection needs to be closed in certain conditions to prevent request smuggling attacks. I certainly don’t

Re: Tomcat closes connections on unexpected status codes

Pawel, On 4/18/24 20:32, Pawel Veselov wrote: On Thu, Apr 18, 2024 at 9:40 AM Adwait Kumar Singh wrote: I'm not (yet) convinced distinguishing between those scenarios is always going to be possible. I have a Tomcat patch which we use at work to do this, i.e always close the connection if

Re: Tomcat closes connections on unexpected status codes

Mark, On 4/18/24 11:38, Mark Thomas wrote: On 18/04/2024 15:16, Adwait Kumar Singh wrote: I think we should *always* close connections in cases where it can lead to request smuggling vulnerabilities like when there is an error during header or request line parsing, but allowing the user to

Re: Tomcat closes connections on unexpected status codes

All, On 4/18/24 10:16, Adwait Kumar Singh wrote: I think we should *always* close connections in cases where it can lead to request smuggling vulnerabilities like when there is an error during header or request line parsing, but allowing the user to control connection close when the status is

Re: Tomcat closes connections on unexpected status codes

On Thu, Apr 18, 2024 at 9:40 AM Adwait Kumar Singh wrote: > > I'm not (yet) convinced distinguishing between those scenarios is always > > going to be possible. > I have a Tomcat patch which we use at work to do this, i.e always close the > connection if HTTP parsing fails but not if it's a user

Re: Tomcat closes connections on unexpected status codes

> On 18/04/2024 15:18, Stefan Ansing wrote: > > Hi Rémy, Mark, > > I just want to make sure that we’re understanding each other. I can see > > that the connection needs to be closed in certain conditions to prevent > > request smuggling attacks. I certainly don’t want to change that behaviour. > >

Re: Tomcat closes connections on unexpected status codes

> > I'm not (yet) convinced distinguishing between those scenarios is always > going to be possible. I have a Tomcat patch which we use at work to do this, i.e always close the connection if HTTP parsing fails but not if it's a user set status. I can create a PR for feedback. On Thu, Apr 18,

Re: Tomcat closes connections on unexpected status codes

On 18/04/2024 15:18, Stefan Ansing wrote: Hi Rémy, Mark, I just want to make sure that we’re understanding each other. I can see that the connection needs to be closed in certain conditions to prevent request smuggling attacks. I certainly don’t want to change that behaviour. However, I’m

Re: Tomcat closes connections on unexpected status codes

On 18/04/2024 15:16, Adwait Kumar Singh wrote: I think we should *always* close connections in cases where it can lead to request smuggling vulnerabilities like when there is an error during header or request line parsing, but allowing the user to control connection close when the status is

Re: Tomcat closes connections on unexpected status codes

On 18/04/2024 14:41, Rémy Maucherat wrote: On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas wrote: On 18/04/2024 09:07, Stefan Ansing wrote: Hi, We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet

Re: Tomcat closes connections on unexpected status codes

Op do 18 apr 2024 om 15:41 schreef Rémy Maucherat : > On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas wrote: > > > > On 18/04/2024 09:07, Stefan Ansing wrote: > > > Hi, > > > > > > We've observed some unexpected behaviour in Apache Tomcat (version > 10.1.19) > > > where we see that HTTP/1.1

Re: Tomcat closes connections on unexpected status codes

I think we should *always* close connections in cases where it can lead to request smuggling vulnerabilities like when there is an error during header or request line parsing, but allowing the user to control connection close when the status is being set by the user, should be safe? It allows

Re: Tomcat closes connections on unexpected status codes

On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas wrote: > > On 18/04/2024 09:07, Stefan Ansing wrote: > > Hi, > > > > We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) > > where we see that HTTP/1.1 connections are closed whenever a servlet > > application returns the

Re: Tomcat closes connections on unexpected status codes

On 18/04/2024 09:07, Stefan Ansing wrote: Hi, We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet application returns the following status codes: 400, 408, 411, 414, 500, 503, 501. This causes client

Re: Tomcat log warnings for connection parameter limits?

It would be worth creating an enhancement request for this in Bugzilla to ensure the request doesn't get forgotten about. Mark On 16/04/2024 01:06, Baron Fujimoto wrote: From our perspective, it needn't be super timely. It would be more for forensic confirmation that there's something we

Re: Tomcat log warnings for connection parameter limits?

>From our perspective, it needn't be super timely. It would be more for forensic confirmation that there's something we should consider. I think a hysteresis behavior would be compatible with this. On Mon, Apr 15, 2024 at 12:00 AM Mark Thomas wrote: > On 11/04/2024 21:28, Baron Fujimoto wrote>

Re: [EXT]Re: [EXT]Re: Tomcat 10 session replication fails

huck Caldarale Sent: Saturday, April 13, 2024 4:00 PM To: Tomcat Users List Subject: [EXT]Re: [EXT]Re: Tomcat 10 session replication fails On Apr 11, 2024, at 09:07, Rick Noel wrote: We are getting closer Changing ports from the 5000 range to the 4000 range stopped two errors But now I get

RE: [EXT]Re: [EXT]Re: Tomcat 10 session replication fails

er | Westwood One rn...@westwoodone.com -Original Message- From: Chuck Caldarale Sent: Saturday, April 13, 2024 4:00 PM To: Tomcat Users List Subject: [EXT]Re: [EXT]Re: Tomcat 10 session replication fails > On Apr 11, 2024, at 09:07, Rick Noel wrote: > > We are getting closer > Ch

Re: Tomcat log warnings for connection parameter limits?

On 11/04/2024 21:28, Baron Fujimoto wrote> I was thinking it would be something that would be left on in a live> system. We can set these parameters, so it would be useful to know if we were hitting the set limits. For the connection limit: How timely do you need the information to be? It is

Re: [EXT]Re: Tomcat 10 session replication fails

Sort of off topic, but sort of related. If you're having tremendous trouble using the built in replication methods, we built a redis based session manager: https://github.com/exabrial/redex-sm Currently redex-sm only works with Tomcat 8.5, but it wouldn't be a big leap to make it work with Tomcat

Re: [EXT]Re: Tomcat 10 session replication fails

> On Apr 11, 2024, at 09:07, Rick Noel wrote: > > We are getting closer > Changing ports from the 5000 range to the 4000 range stopped two errors > But now I get this.. > > INFO: Manager [##0001]: skipping state transfer. No members active in cluster > group > > How to I make the

Re: Tomcat log warnings for connection parameter limits?

I was thinking it would be something that would be left on in a live system. We can set these parameters, so it would be useful to know if we were hitting the set limits. I'm not sure I fully grasp how this additional logging presents a significant incremental DOS risk. I mean, if an attacker is

RE: [EXT]Re: Tomcat 10 session replication fails

Systems Programmer | Westwood One rn...@westwoodone.com -Original Message- From: Chuck Caldarale Sent: Thursday, April 11, 2024 9:14 AM To: Tomcat Users List Subject: [EXT]Re: Tomcat 10 session replication fails [You don't often get email from n82...@gmail.com. Learn why this is important

Re: Tomcat 9.0.83 - SSL handshake stops working for Google API calls after a while

Hi, > Hi, > > I am looking for help with a strange issue we are experiencing when trying > to use Google APIs from a web application that is deployed on Tomcat > 9.0.83. > > After a few hours of the server being up and running, all calls to the > Google APIs fail because of SSL handshake errors.

Re: Tomcat 10 session replication fails

> On Apr 11, 2024, at 07:56, Rick Noel wrote: > > We have our app running on Tomcat10 and doing clustering,but are getting the > following errors seen int the Catalina log... > > Apr 11, 2024 8:14:43 AM org.apache.catalina.ha.session.DeltaManager > waitForSendAllSessions > SEVERE:

Re: Tomcat log warnings for connection parameter limits?

Baron, On 4/9/24 16:33, Baron Fujimoto wrote: I'm investigating occasional 503 errors for our CAS service running in a Tomcat 10.1.x container. The 503s appear to correlate with some traffic spikes at the same time. The connector is configured as follows: Can Tomcat log info such as

Re: Tomcat & Http 103 Early Hint

Contributions always welconme. The initial work will be on the changes to the Servlet API. The issue to track that is: https://github.com/jakartaee/servlet/issues/542 Mark On 09/04/2024 08:15, xulin y wrote: Hi Mark, Is there any chance I could help with delivering this new feature? At

Re: Tomcat & Http 103 Early Hint

Hi Mark, Is there any chance I could help with delivering this new feature? At least, I can help with writing some tests. I think this new http feature can be beneficial a lot for web application page load performance. Therefore, this is crucial for the whole Tomcat community. By Xulin Yang

Re: Tomcat on Windows : new keystore possibilities

this... David Wooffindin From: Bill Stewart Sent: Monday, April 8, 2024 5:36:47 PM To: Tomcat Users List Subject: Re: Tomcat on Windows : new keystore possibilities On Mon, Apr 8, 2024 at 8:27 AM david w wrote: If you can share a way for this to not be necessary

Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 8:27 AM david w wrote: If you can share a way for this to not be necessary, I'm all ears... > I can read computer certificates from non-privileged accounts on Windows. (How would a user application such as a browser work otherwise?) I'm not sure what's different on your

Re: Tomcat on Windows : new keystore possibilities

If you can share a way for this to not be necessary, I'm all ears... David Wooffindin From: Bill Stewart Sent: Monday, April 8, 2024 4:22:37 PM To: Tomcat Users List Subject: Re: Tomcat on Windows : new keystore possibilities On Mon, Apr 8, 2024 at 3:49 AM

Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 3:49 AM david w wrote: The account running the Tomcat Windows Service needs local Administrator > rights to be able to refernce these certificate stores. > Fortunately, this statement is not correct. I would definitely not recommend running the Tomcat service using a

  1   2   3   4   5   6   7   8   9   10   >