[ANN] Apache Tomcat 11.0.0-M10 (alpha) available

2023-08-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M10 (alpha).

Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M10 is a milestone release of the 11.0.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 11.0.x so that they may provide feedback. The notable 
changes compared to 11.0.0-M9 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual
  threads.

- Pass through ciphers referring to an OpenSSL profile, such as
  PROFILE=SYSTEM instead of producing an error trying to parse it.

- Update Tomcat Native to 2.0.5.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



[ANN] Apache Tomcat 10.1.12 available

2023-08-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.12.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.

The notable changes compared to 10.1.11 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual
  threads.

- Pass through ciphers referring to an OpenSSL profile, such as
  PROFILE=SYSTEM instead of producing an error trying to parse it.

- Update Tomcat Native to 2.0.5.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: Tomcat 8.5.64 maxHttpHeaderSize="6553600"

2023-08-14 Thread Christopher Schultz

Joel,

On 8/11/23 11:16, Joel Werginz wrote:

Version:  8.5.64

maxHttpHeaderSize="6553600"


Are you able to try with 8.5.91? Your version is more than 2 years old 
and many fixes have been made to h2 stream handling in that time.


-chris


10-Aug-2023 16:36:21.530 FINE [https-openssl-apr-443-exec-7]
org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Entry,
Connection [1], SocketStatus [OPEN_READ]
10-Aug-2023 16:36:21.530 FINE [https-openssl-apr-443-exec-7]
org.apache.coyote.http2.Http2UpgradeHandler.init Connection [1], State
[CONNECTED]
10-Aug-2023 16:36:21.530 FINE [https-openssl-apr-443-exec-7]
org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Exit,
Connection [1], SocketState [UPGRADED]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Entry,
Connection [1], SocketStatus [OPEN_READ]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Http2UpgradeHandler.init Connection [1], State
[CONNECTED]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Http2Parser.validateFrame Connection [1], Stream
[23], Frame type [HEADERS], Flags [33], Payload size [16374]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.StreamStateMachine.stateChange Connection [1],
Stream [23], State changed from [null] to [IDLE]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.StreamStateMachine.stateChange Connection [1],
Stream [23], State changed from [IDLE] to [OPEN]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.AbstractNonZeroStream.rePrioritise Connection [1],
Stream [23], Exclusive [true], Parent [0], Weight [220]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Http2Parser.readHeaderPayload Connection [1],
Stream [23], Processing headers payload of size [16,369]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [:method], Value [GET]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [:authority], Value [mdmsdev6.intranet.dow.com]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [:scheme], Value [https]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [:path], Value [/ebx-ui/rest/user/v1/current]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [sec-ch-ua], Value ["Not/A)Brand";v="99", "Google
Chrome";v="115", "Chromium";v="115"]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.emitHeader Connection [1], Stream [23],
HTTP header [accept], Value [application/json]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Connection
error
org.apache.coyote.http2.ConnectionException: Connection [1], Stream [23],
Total header size too big
at org.apache.coyote.http2.Http2Parser.readHeaderPayload(Http2Parser.java:454)
at org.apache.coyote.http2.Http2Parser.readHeadersFrame(Http2Parser.java:253)
at org.apache.coyote.http2.Http2Parser.readFrame(Http2Parser.java:97)
at org.apache.coyote.http2.Http2Parser.readFrame(Http2Parser.java:69)
at org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch(Http2UpgradeHandler.java:334)
at org.apache.coyote.http11.upgrade.UpgradeProcessorInternal.dispatch(UpgradeProcessorInternal.java:60)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:59)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2075)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote.http2.Stream.receiveReset Connection [1], Stream [23],
Reset received due to [8]
10-Aug-2023 16:36:21.623 FINE [https-openssl-apr-443-exec-19]
org.apache.coyote

[ANN] Apache Tomcat 8.5.92 available

2023-08-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.92.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 8.5.92 is a bugfix and feature release. The notable
changes compared to 8.5.91 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual
  threads.

- Fix a NullPointerException when flushing batched WebSocket messages
  with compression enabled using permessage-deflate.

- Update Tomcat Native to 1.2.38 to pick up Windows binaries built
  with OpenSSL 1.1.1v.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 
2024. For more information please visit 
https://tomcat.apache.org/tomcat-85-eol.html

Enjoy!

- The Apache Tomcat team




Re: [External] Re: listening all local addresses by default is not security best practice

2023-08-14 Thread Christopher Schultz

On 8/6/23 13:25, Amit Pande wrote:

My apologies if I missed any conclusion here.

 From the description of address attribute on HTTP connector:

"For servers with more than one IP address, this attribute specifies which address 
will be used for listening on the specified port. By default, the connector will listen 
all local addresses. Unless the JVM is configured otherwise using system properties, the 
Java based connectors (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when 
configured with either 0.0.0.0 or ::. The APR/native connector will only listen on IPv4 
addresses if configured with 0.0.0.0 and will listen on IPv6 addresses (and optionally 
IPv4 addresses depending on the setting of ipv6v6only) if configured with ::."


Is it possible to update the behavior to listen to loopback address only like 
was done for AJP connectors?

On my Tomcat 9.0.78 netstat output - I see Tomcat using 0.0.0.0 by default unless we 
define address as "127.0.0.1" :

tcp        0      0 0.0.0.0:39054           0.0.0.0:*               LISTEN      28539/java


Given the documentation quoted above, I would expect that Tomcat would 
bind to ::1 unless otherwise specified ("all LOCAL addresses", emphasis 
mine). The behavior you demonstrate above and the code agree that 
Tomcat will listen on all PUBLIC interfaces, not local ones, by default.


I believe the documentation should be changed to reflect reality, 
because changing this default could break a lot of installations. 
Changing the default AJP binding to localhost made sense because a 
publicly-exposed AJP connector is very insecure, while having HTTP(S) 
exposed publicly should not present much risk at all.



Also, is it right that we will need to have two connectors for IPv4 and IPv6 with address 
"127.0.0.1" and "::1" respectively to enable binding only on loopback addresses?

If we configure two connectors (IPv4 and IPv6 loopback), if one isn't 
available, we see:


 org.apache.catalina.LifecycleException: Protocol handler initialization failed
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1040)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
 Caused by: java.net.SocketException: Protocol family unavailable
 at sun.nio.ch.Net.bind0(Native Method)

which has caused confusion/concerns.

What would be a better way to bind on "all available loopback addresses"?


That *would* be handy if ::1 would bind to "all local [IPv4 and IPv6, as 
appropriate] addresses" just like APR does. Can you please file a BZ 
ticket for that? I'm surprised it doesn't already work like that, 
honestly, because it seems completely obvious to me that's how it 
/should/ work.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, November 28, 2022 5:21 PM
To: users@tomcat.apache.org
Subject: [External] Re: listening all local addresses by default is not 
security best practice

To whom it may concern,

On 11/23/22 14:31, tommydu1...@outlook.com wrote:

Hi there,

Product:

[snip]

The default behaviour of http connector is listening all interfaces.


False.


It is found in the description of "address" in attributes section.
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)
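As an added example (not from this thread or from the Tomcat project), a small Python audit that reads `netstat -tlnp` output like the line Amit quoted and flags Tomcat listeners that are bound to a wildcard or otherwise non-loopback address; the sample netstat output below is constructed.

```python
import ipaddress

# Constructed sample `netstat -tlnp` output, modelled on the line quoted in
# the thread (Tomcat's java process with an ephemeral port bound to 0.0.0.0).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:39054           0.0.0.0:*               LISTEN      28539/java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      28539/java
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN      28539/java
tcp6       0      0 :::8080                 :::*                    LISTEN      28539/java
tcp6       0      0 ::1:8443                :::*                    LISTEN      28539/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
"""

def split_host_port(local):
    """Split netstat's 'addr:port' column; IPv6 addresses contain ':' themselves."""
    host, _, port = local.rpartition(":")
    return host, int(port)

def classify(host):
    """Return 'wildcard', 'loopback' or 'specific' for a netstat local address."""
    if host in ("*", ""):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or :: (all interfaces, as in the thread)
        return "wildcard"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def exposed_listeners(netstat_text, program="java"):
    """Listeners of `program` not bound to loopback: [(pid, host, port, kind)]."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":   # skip header / non-listening rows
            continue
        pid, _, name = fields[6].partition("/")
        if name != program:
            continue
        host, port = split_host_port(fields[3])
        kind = classify(host)
        if kind != "loopback":
            findings.append((pid, host, port, kind))
    return findings

if __name__ == "__main__":
    for pid, host, port, kind in exposed_listeners(SAMPLE_NETSTAT):
        print(f"pid {pid}: {host}:{port} is bound to a {kind} address")
```

On a real host, feed it the output of `netstat -tlnp` (or `ss -ltnp` reformatted to the same columns) to confirm that the 127.0.0.1 and ::1 connectors discussed above are the only Tomcat listeners.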

Re: Forwarding request to a different servlet

2023-08-14 Thread Christopher Schultz

Andy,

On 8/13/23 04:24, Andy Pont wrote:

I wrote...


Progress of sorts!  The request is now returning 302 instead of 404!

Looking in the log files for the backend, it has a message that says 
“Robot requests must be rejected” and the 302 response is due to a 
redirect to a permission denied page.


My understanding was the .forward() method didn’t change anything on 
route in either direction.

Using JD-GUI I have looked at the class that generates the above 
error message and it appears as the result of a check on the 
“user-agent” setting.  I am now puzzled as what is being received by the 
backend servlet is the same as if it is called directly without me 
intercepting it.


The .forward() should keep all request headers (and many other things) 
intact. You might want to log some things in plugins/whatever to see 
what is being done.


You should be using the *same objects* your servlet got for the request 
and response when calling RequestDispatcher.forward(). You can "wrap" 
them if necessary to make certain modifications.


The class I looked at contains a definition of a valid non-robot 
user-agent string.  Is it possible to modify the request to use this 
before forwarding it?


Yes, but I think you should not have to. What are the possible reasons 
for that specific 302 response? Are you *sure* it's complaining about 
the User-Agent string?


If not, am I better creating a new request for 
the backend and copy HTTP header and body content around as needed?


That will be a giant pain in the neck. Could this possibly be done with 
a redirect back through the client?


-chris




[ANN] Apache Tomcat 9.0.79 available

2023-08-14 Thread Rémy Maucherat

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.79.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.79 is a bugfix and feature release. The notable
changes compared to 9.0.78 include:

- Refactor HTTP/2 implementation to reduce pinning when using virtual
  threads.

- Pass through ciphers referring to an OpenSSL profile, such as
  PROFILE=SYSTEM instead of producing an error trying to parse it.

- Update Tomcat Native to 2.0.5.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
