How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-10-26 Thread yanyizhong


Hi Tomcat team,
Version: Tomcat 10.1.15


I am trying to upgrade Tomcat from version 9.0.56 into 10.1.15, and found that 
there is no setKeystorePass(String) method in tomcat 10.1.15.


As we want to use the custom keystore encryption password in server.xml like 
this:





And the java class test.CustomHttp11Nio2Protocol is the implement of jks 
password description like this:
public class CustomHttp11Nio2Protocol extends 
org.apache.coyote.http11.Http11Nio2Protocol{
   @Override
   public void setKeystorePass(String encryptionPassword){
   super.setKeystorePass(decryptPassword(s))
  }
  
  private static String decryptPassword(String encryptionPassword){
   //Some decription method...
  }
}


The above java code "super.setKeystorePass(decryptPassword(s))" work in Tomat 
9, but not work in Tomcat 10.1.
Is there any solution can support the custom keystore password decryption 
requirement in Tomcat 10.1?



Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-26 Thread Channa Puchakayala
Hi All,



Tomcat Version : 9.0.75

Operating System: Windows and Linux

Bits: 64



Tomcat 9.0.75 not honoring  session timeout configured in
tomcat/conf/web.xml for FORM Authentication and it is effecting customers.

==

   

30 // 30 minutes



=



Verified the Tomcat source code

-FormAuthenticator overriding above configured session timeout
setting (30 minutes)  with value (120 seconds)

-As per FormAuthenticator.Java, this change/issue started from
Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the
original session-timeout value

-This issue/behavior not observed in 9.0.73



Verified the Tomcat documentation

-Verified the tomcat changelog, there is a fix/change went in
Tomcat 9.0.74 below related to FORM Based Authentication Session @
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is
causing this issue.

--

Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
authenticationSessionTimeout attribute of the FORM authenticator. (markt)

-



Is it bug ? Could you please help/suggest.



Thanks

Channa

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.


smime.p7s
Description: S/MIME Cryptographic Signature


Re: Tomcat 9.0.75 ignoring session timeout configured in tomcat conf web.xml

2023-10-26 Thread Mark Thomas
26 Oct 2023 05:01:49 Channa Puchakayala 
:



Hi All,
 

Tomcat Version : 9.0.75
Operating System: Windows and Linux
Bits: 64   
 

Tomcat 9.0.75 ignoring session timeout configured in 
tomcat/conf/web.xml, it is overriding previous session timeout setting 
and effecting existing customers.

==
   
    30
    
=
 

Looks this change/issue started from Tomcat Version : 9.0.74 for 
FormAuthenticator, why it overwrites the original session-timeout ? is 
it bug ? Could you please help/suggest.


Have you checked the open issues in bugzilla?

Have you checked Bugzilla / CI changelog to see if the issue has already 
been fixed for the next release?


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-26 Thread Mark Thomas

1. Do not cross-post the same question to multiple lists.

2. Do not post the same question multiple times if you don't get an 
answer as quickly as you would like. We all all volunteers here. If you 
want a guaranteed SLA then pick you preferred vendor and pay for support.


Mark


27 Oct 2023 05:07:20 Channa Puchakayala 
:



Hi All,
 

Tomcat Version : 9.0.75
Operating System: Windows and Linux
Bits: 64   
 

Tomcat 9.0.75 not honoring  session timeout configured in 
tomcat/conf/web.xml for FORM Authentication and it is effecting 
customers.

==
   
    30 // 30 minutes
    
=
 

Verified the Tomcat source code
-    FormAuthenticator overriding above configured session timeout 
setting (30 minutes)  with value (120 seconds)
-    As per FormAuthenticator.Java, this change/issue started from 
Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the 
original session-timeout value

-    This issue/behavior not observed in 9.0.73
 

Verified the Tomcat documentation
-    Verified the tomcat changelog, there is a fix/change went in 
Tomcat 9.0.74 below related to FORM Based Authentication Session @ 
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is 
causing this issue.


--
Harden the FORM authentication process against DoS attacks by using a 
reduced session timeout if the FORM authentication process creates a 
session. The duration of this timeout is configured by 
the *authenticationSessionTimeout* attribute of the FORM authenticator. 
(markt)


-
 

Is it bug ? Could you please help/suggest.
 

Thanks
Channa
 


This electronic communication and the information and any files 
transmitted with it, or attached to it, are confidential and are 
intended solely for the use of the individual or entity to whom it is 
addressed and may contain information that is confidential, legally 
privileged, protected by privacy laws, or otherwise restricted from 
disclosure to anyone else. If you are not the intended recipient or the 
person responsible for delivering the e-mail to the intended recipient, 
you are hereby notified that any use, copying, distributing, 
dissemination, forwarding, printing, or copying of this e-mail is 
strictly prohibited. If you received this e-mail in error, please 
return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org