How to custom java program to decrypt keystore password in Tomcat 10.1.15
Hi Tomcat team, Version: Tomcat 10.1.15 I am trying to upgrade Tomcat from version 9.0.56 into 10.1.15, and found that there is no setKeystorePass(String) method in tomcat 10.1.15. As we want to use the custom keystore encryption password in server.xml like this: And the java class test.CustomHttp11Nio2Protocol is the implement of jks password description like this: public class CustomHttp11Nio2Protocol extends org.apache.coyote.http11.Http11Nio2Protocol{ @Override public void setKeystorePass(String encryptionPassword){ super.setKeystorePass(decryptPassword(s)) } private static String decryptPassword(String encryptionPassword){ //Some decription method... } } The above java code "super.setKeystorePass(decryptPassword(s))" work in Tomat 9, but not work in Tomcat 10.1. Is there any solution can support the custom keystore password decryption requirement in Tomcat 10.1?
Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication
Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 not honoring session timeout configured in tomcat/conf/web.xml for FORM Authentication and it is effecting customers. == 30 // 30 minutes = Verified the Tomcat source code -FormAuthenticator overriding above configured session timeout setting (30 minutes) with value (120 seconds) -As per FormAuthenticator.Java, this change/issue started from Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the original session-timeout value -This issue/behavior not observed in 9.0.73 Verified the Tomcat documentation -Verified the tomcat changelog, there is a fix/change went in Tomcat 9.0.74 below related to FORM Based Authentication Session @ https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is causing this issue. -- Harden the FORM authentication process against DoS attacks by using a reduced session timeout if the FORM authentication process creates a session. The duration of this timeout is configured by the authenticationSessionTimeout attribute of the FORM authenticator. (markt) - Is it bug ? Could you please help/suggest. Thanks Channa -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. smime.p7s Description: S/MIME Cryptographic Signature
Re: Tomcat 9.0.75 ignoring session timeout configured in tomcat conf web.xml
26 Oct 2023 05:01:49 Channa Puchakayala : Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 ignoring session timeout configured in tomcat/conf/web.xml, it is overriding previous session timeout setting and effecting existing customers. == 30 = Looks this change/issue started from Tomcat Version : 9.0.74 for FormAuthenticator, why it overwrites the original session-timeout ? is it bug ? Could you please help/suggest. Have you checked the open issues in bugzilla? Have you checked Bugzilla / CI changelog to see if the issue has already been fixed for the next release? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication
1. Do not cross-post the same question to multiple lists. 2. Do not post the same question multiple times if you don't get an answer as quickly as you would like. We all all volunteers here. If you want a guaranteed SLA then pick you preferred vendor and pay for support. Mark 27 Oct 2023 05:07:20 Channa Puchakayala : Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 not honoring session timeout configured in tomcat/conf/web.xml for FORM Authentication and it is effecting customers. == 30 // 30 minutes = Verified the Tomcat source code - FormAuthenticator overriding above configured session timeout setting (30 minutes) with value (120 seconds) - As per FormAuthenticator.Java, this change/issue started from Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the original session-timeout value - This issue/behavior not observed in 9.0.73 Verified the Tomcat documentation - Verified the tomcat changelog, there is a fix/change went in Tomcat 9.0.74 below related to FORM Based Authentication Session @ https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is causing this issue. -- Harden the FORM authentication process against DoS attacks by using a reduced session timeout if the FORM authentication process creates a session. The duration of this timeout is configured by the *authenticationSessionTimeout* attribute of the FORM authenticator. (markt) - Is it bug ? Could you please help/suggest. Thanks Channa This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org