[Bug 66348] New: new jars in lib
https://bz.apache.org/bugzilla/show_bug.cgi?id=66348

Bug ID: 66348
Summary: new jars in lib
Product: Tomcat 10
Version: 10.1.1
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: dev@tomcat.apache.org
Reporter: elatl...@gmail.com
Target Milestone: --

10.1.2 changed the jakartaee-migration-*-shaded.jar from optional to required.
Regardless of whether that is a bug, the documentation is missing that jar in the lib list;
https://tomcat.apache.org/tomcat-10.1-doc/class-loader-howto.html
On inspection, 3 other required jars are also missing.

Please add the 4 JARs missing from the class-loader documentation;

> jakartaee-migration-*-shaded.jar -- required as of 10.1.2
> jaspic-api.jar
> tomcat-jni.jar
> tomcat-util-scan.jar

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66348] new jars in lib
https://bz.apache.org/bugzilla/show_bug.cgi?id=66348

--- Comment #1 from elatl...@gmail.com ---
In addition to tomcat-i18n-*.jar, the following should also be marked optional:

< catalina-ant.jar
< catalina-ha.jar
< catalina-ssi.jar
< catalina-storeconfig.jar
< catalina-tribes.jar
< ecj-*.jar
< el-api.jar
< jasper-el.jar
< jasper.jar
< tomcat-dbcp.jar
< tomcat-jdbc.jar
[Bug 66348] new jars in lib
https://bz.apache.org/bugzilla/show_bug.cgi?id=66348

--- Comment #2 from Mark Thomas ---
(In reply to elatllat from comment #0)
> 10.1.2 changed the jakartaee-migration-*-shaded.jar from optional to
> required.

That is a bug that has already been fixed for 10.1.3 onwards.
Re: [tomcat] branch main updated: Avoid runtime dependency on the migration tool unless it is being used
On 14/11/2022 22:52, Rémy Maucherat wrote: On Mon, Nov 14, 2022 at 11:38 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new dc5cab83ae Avoid runtime dependency on the migration tool unless it is being used dc5cab83ae is described below commit dc5cab83ae13804152b3d1bab90fafb9582764da Author: Mark Thomas AuthorDate: Mon Nov 14 22:37:54 2022 + Avoid runtime dependency on the migration tool unless it is being used Good idea and nice trick. Tx. Rémy --- java/org/apache/catalina/loader/WebappLoader.java | 29 --- webapps/docs/changelog.xml| 5 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/java/org/apache/catalina/loader/WebappLoader.java b/java/org/apache/catalina/loader/WebappLoader.java index a8fe3cf806..ae4f58523d 100644 --- a/java/org/apache/catalina/loader/WebappLoader.java +++ b/java/org/apache/catalina/loader/WebappLoader.java @@ -367,14 +367,7 @@ public class WebappLoader extends LifecycleMBeanBase implements Loader{ // Set Jakarta class converter if (getJakartaConverter() != null) { -EESpecProfile profile = null; -try { -profile = EESpecProfiles.valueOf(getJakartaConverter()); -} catch (IllegalArgumentException ignored) { -// Use default value -log.warn(sm.getString("webappLoader.unknownProfile", getJakartaConverter())); -} -classLoader.addTransformer((profile != null) ? new ClassConverter(profile) : new ClassConverter()); +MigrationUtil.addJakartaEETransformer(classLoader, getJakartaConverter()); } // Configure our repositories 
@@ -631,4 +624,24 @@ public class WebappLoader extends LifecycleMBeanBase implements Loader{ return name.toString(); } + + +/* + * Implemented in a sub-class so EESpecProfile and EESpecProfiles are not + * loaded unless a profile is configured. Otherwise, tomcat-embed-core.jar + * has a runtime dependency on the migration tool whether it is used or not. + */ +private static class MigrationUtil { + +public static void addJakartaEETransformer(WebappClassLoaderBase webappClassLoader, String profileName) { +EESpecProfile profile = null; +try { +profile = EESpecProfiles.valueOf(profileName); +} catch (IllegalArgumentException ignored) { +// Use default value +log.warn(sm.getString("webappLoader.unknownProfile", profileName)); +} +webappClassLoader.addTransformer((profile != null) ? new ClassConverter(profile) : new ClassConverter()); +} +} } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index cbf01a7ebb..ddf984a862 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -152,6 +152,11 @@ HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt) + +Refactor WebappLoader so it only has a runtime dependency +on the migration tool for Jakarta EE if configured to use the converter +as classes are loaded. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
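Review bot: in the WebappLoader.java hunk at @@ -631, addJakartaEETransformer() still catches only IllegalArgumentException, so when a profile is configured but the migration tool is not on the class path, the first reference to EESpecProfiles in this method will fail with a linkage error instead of a readable message. Now that the dependency is meant to be optional, consider catching NoClassDefFoundError here and logging a dedicated message that names the missing migration tool JAR. The block comment also says "Implemented in a sub-class", while MigrationUtil is declared as a private static nested class; "nested class" would describe it accurately.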
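Review bot: in the changelog.xml hunk at @@ -152, the new entry ends with "if configured to use the converter as classes are loaded", which can be read as the dependency itself arising while classes are loaded. Wording such as "only has a runtime dependency on the migration tool for Jakarta EE if it is configured to convert classes as they are loaded" would say what the WebappLoader change does without that ambiguity.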
[Bug 66348] new jars in lib
https://bz.apache.org/bugzilla/show_bug.cgi?id=66348

--- Comment #3 from elatl...@gmail.com ---
Thanks for the information, is there a due date for 10.1.3?

Link to commit with fix:
https://github.com/apache/tomcat/commit/55f41d78c778a82e315b9980b56ff50e89e3af57

> Regardless there are 4 JARs missing from the doc, and at least 11 that should be marked optional (I'm not sure about the web socket JARs).
[Bug 66349] New: Why does LockOutRealm not support CredentialHandler?
https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Bug ID: 66349
Summary: Why does LockOutRealm not support CredentialHandler?
Product: Tomcat 10
Version: 10.0.0
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Authentication
Assignee: dev@tomcat.apache.org
Reporter: tschoen...@am-soft.de
Target Milestone: --

I have some webapp hosted by Tomcat and need to restrict user access to some part of that. One additional requirement is that this app needs to be CIS benchmark compliant, and that requires the use of LockOutRealm and restricts storing plain-text passwords. Therefore, the ultimate solution in my case would be the following:

> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase">
>     <CredentialHandler
>       className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>       algorithm="PBKDF2WithHmacSHA512"
>       iterations="10"
>       keyLength="256"
>       saltLength="16"
>     />
>   </Realm>
> </Realm>

But that doesn't work, because LockOutRealm ignores any credential handler. Additionally, with the Tomcat 10 I use, I'm unable to set any "digest" attribute on the realm itself anymore as well. The only way to fulfill both requirements is to implement a custom realm.

> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm
> setCredentialHandler
> WARNUNG: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for LockOutRealm? Doesn't make too much sense to me, especially as most docs I came across use LockOutRealm in combination with some other realm and there are no docs saying that a fundamental concept like credential helpers will only work in a very limited way in this setup. Additionally, when researching that task, some people even claim that the above XML config works, but it simply can't. I don't see any code in LockOutRealm to ask other realms about their credential handlers.

I've had a look at the bugtracker already and couldn't find this topic discussed or a reason for the implementation. OTOH, someone did add some code to explicitly log a warning message instead of fixing the underlying problem, so most likely had some reason to do so. Is the problem really to decide which of the child realms to choose for its credential handler to use? In the easiest case simply use the first credential handler found with a depth-first search; that should work for the majority of use-cases. Other aspects of the config like the default assumed nesting level of realms and stuff seem to be hard-coded as well.

Would be glad to read about the reasons and at best if this could be enhanced. Thanks!
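Added example, not part of the bug report or of Tomcat's code: Tomcat's digest-based credential handlers store a salted credential as hex(salt)$iterations$hex(key), so the effect of the handler settings posted above can be checked offline against the password attributes in a tomcat-users.xml. The function names, the fixed salt and the sample users below are constructed for illustration.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# hex(salt) $ decimal iterations $ hex(derived key)
STORED = re.compile(r"((?:[0-9a-f]{2})*)\$([0-9]+)\$((?:[0-9a-f]{2})+)")


def mutate(password, salt, iterations=10, key_bits=256):
    """Derive a stored credential with PBKDF2-HMAC-SHA512.

    Defaults mirror the iterations/keyLength values in the posted config."""
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              iterations, dklen=key_bits // 8)
    return f"{salt.hex()}${iterations}${key.hex()}"


def matches(password, stored):
    """Re-derive with the salt and iteration count embedded in `stored`."""
    m = STORED.fullmatch(stored)
    if not m or int(m.group(2)) < 1:
        return False  # plain text or another format: nothing to re-derive
    salt, expected = bytes.fromhex(m.group(1)), bytes.fromhex(m.group(3))
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              int(m.group(2)), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def audit(users_xml):
    """Map each username to (salt_bytes, iterations, key_bits) or 'not-derived'."""
    report = {}
    for el in ET.fromstring(users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate an XML namespace
            continue
        m = STORED.fullmatch(el.get("password", ""))
        report[el.get("username")] = (
            (len(m.group(1)) // 2, int(m.group(2)), len(m.group(3)) * 4)
            if m else "not-derived")
    return report


# Constructed sample: fixed salt (saltLength="16") and made-up users.
SALT = bytes(range(16))
SAMPLE = f"""<tomcat-users>
  <user username="alice" password="{mutate('s3cret', SALT)}" roles="admin"/>
  <user username="bob" password="changeit" roles="user"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An entry reported as 'not-derived' is either plain text or in a format this check does not parse, which is the case a plain-text-password requirement is concerned with.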
Tomcat 8.5.84
All,

Sorry, I've been MIA the past few days and haven't yet rolled an 8.5.84 release. I will begin the process tomorrow.

-chris
[Bug 66349] Why does LockOutRealm not support CredentialHandler?
https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Christopher Schultz changed:

What   |Removed |Added
Status |NEW     |NEEDINFO
OS     |        |All

--- Comment #1 from Christopher Schultz ---
(In reply to Thorsten Schöning from comment #0)
> So, what's the reason of not supporting credential handlers for LockOutRealm?

The code says they are supported. Are you having a problem, or are you reporting that a WARNING in the logs is making you uncomfortable?

The WARNING you posted should only occur if you are setting a CredentialHandler directly on the LockoutRealm, but your configuration shows you have it nested inside the UserDatabaseRealm. Something seems off.

> So, what's the reason of not supporting credential handlers for LockOutRealm?

I assert that Tomcat *does* support credentials handlers on LockOutRealm. What is your evidence that they are not supported?

> Additionally, when researching about that task, some people even claim that
> the above XML config works, but it simply can't.

Why not?

> I don't see any code in LockOutRealm to ask other realms about their
> credential handlers.

Is that kind of thing required? If so, why?

> OTOH, someone did add some code to explicitly log a warning message instead
> of fixing the underlying problem, so most likely had some reason to do so.

What underlying problem needs fixing that hasn't been fixed?

Since you have asked this same question on the users' list, let's continue to discuss it there, as Bugzilla is not a support forum. We can come back to this bug if there really is something to be done.
[Bug 66350] New: tomcat-websocket 9.0.69, pom.xml can not download from maven central
https://bz.apache.org/bugzilla/show_bug.cgi?id=66350

Bug ID: 66350
Summary: tomcat-websocket 9.0.69, pom.xml can not download from maven central
Product: Tomcat 9
Version: 9.0.x
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: WebSocket
Assignee: dev@tomcat.apache.org
Reporter: songyeon0...@gmail.com
Target Milestone: -

The pom.xml for tomcat-websocket 9.0.69 cannot be downloaded from Maven Central. This page returns 404:
https://repo1.maven.org/maven2/org/apache/tomcat/tomcat-websocket/9.0.69/tomcat-websocket-9.0.69.pom