Consultation on disabling insecure HTTP requests in Tomcat

2024-01-18 Thread 2460873257
Hi Tomcat Experts:
      I'm looking for a solution to disable the Tomcat 
* Options request, but upon checking the source code, it seems that it is 
directly defined in the code. Is there a configuration provided to disable it?


Attached are the questions and the source code found







2460873257
2460873...@qq.com



 

Re: Consultation on disabling insecure HTTP requests in Tomcat

2024-01-18 Thread Mark Thomas

On 18/01/2024 09:22, 2460873257 wrote:

> Hi Tomcat Experts:
> I'm looking for a solution to disable the Tomcat * Options request,

Why?

> but upon checking the source code, it seems that it is directly defined
> in the code. Is there a configuration provided to disable it?

No.

> Attached are the questions and the source code found

Attachments are removed automatically. Please use plain text.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Consultation on disabling insecure HTTP requests in Tomcat

2024-01-18 Thread Christopher Schultz

Mark, etc.,

On 1/18/24 05:10, Mark Thomas wrote:
> On 18/01/2024 09:22, 2460873257 wrote:
>> Hi Tomcat Experts:
>> I'm looking for a solution to disable the Tomcat * Options request,
>
> Why?

+1

What's wrong with OPTIONS requests? They allow some basic security 
checks to succeed and should not be disabled. If you disable them, CORS 
will fail all over the place.


-chris
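
The CORS point in the reply above, as an added example that is not part of the thread or of Tomcat's code: a simplified model of the browser's preflight check for non-credentialed requests, applied to a server that rejects OPTIONS and to one that answers it. The origin, header values, responses and function names are constructed assumptions.

```javascript
// Simplified model of the browser-side CORS preflight check (non-credentialed
// requests only). All names and sample values are constructed for illustration.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into trimmed tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// request:  { origin, method, headers: [header names needing approval] }
// response: { status, headers: { lower-case name: value } } returned for OPTIONS
function preflightAllows(request, response) {
  // 1. The OPTIONS response itself must carry an ok (2xx) status.
  if (response.status < 200 || response.status > 299) {
    return { allowed: false, reason: `preflight status ${response.status}` };
  }
  const h = response.headers;
  // 2. The calling origin must be approved.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { allowed: false, reason: "origin not allowed" };
  }
  // 3. Methods outside the safelist must be listed explicitly or by wildcard.
  const methods = tokens(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(request.method) &&
      !methods.includes("*") && !methods.includes(request.method)) {
    return { allowed: false, reason: `method ${request.method} not allowed` };
  }
  // 4. Each header must be listed; "*" never covers Authorization.
  const allowed = tokens(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of request.headers) {
    const lower = name.toLowerCase();
    const wildcard = allowed.includes("*") && lower !== "authorization";
    if (!wildcard && !allowed.includes(lower)) {
      return { allowed: false, reason: `header ${name} not allowed` };
    }
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed cross-origin request: a JSON PUT from a separately hosted front end.
const putRequest = { origin: "https://app.example", method: "PUT", headers: ["Content-Type"] };
// Constructed response from a server where OPTIONS is rejected outright.
const optionsBlocked = { status: 405, headers: { allow: "GET, POST, PUT" } };
// Constructed response from a server that answers the preflight.
const optionsAnswered = { status: 204, headers: {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-methods": "GET, PUT", "access-control-allow-headers": "content-type" } };
```

With OPTIONS rejected, the browser stops at step 1 and never sends the PUT, even though the server would have accepted the PUT itself.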




Getting Two times login page issue.

2024-01-18 Thread Chaudhary, Mohit
Hello Team,

We are facing an issue with the Tomcat application login URL, where it is 
asking the user to log in twice: with the first login it redirects again to 
the login page, while on re-entering the credentials it is successful (with 
the second attempt it is working) and the user is redirected to the next 
page. We have encountered this issue after a datacenter migration for the 
Tomcat server in the Test region. The servers were cloned from the original 
server to the new datacenter servers, and we manually updated the new IP 
address in the configuration files related to the new servers, but during 
testing we are encountering this issue.

We had 2 servers in the Test region which are load balanced, where 1 server is 
working fine (with the other server shut down), with no issue with the login 
page on this server, while the issue is happening on the other server.

The application login page resides on the Lotus Domino server and 
authentication happens on the Domino side, and then it redirects the request to 
the Apache and Tomcat servers.

Please suggest on this issue.

Thanks,
Mohit



Re: Getting Two times login page issue.

2024-01-18 Thread Brian Wolfe
On Thu, Jan 18, 2024 at 8:08 PM Chaudhary, Mohit wrote:

> Hello Team,
>
> We are facing an issue with the Tomcat application login URL, where it is
> asking the user to log in twice: with the first login it redirects again
> to the login page, while on re-entering the credentials it is successful
> (with the second attempt it is working) and the user is redirected to the
> next page. We have encountered this issue after a datacenter migration for
> the Tomcat server in the Test region. The servers were cloned from the
> original server to the new datacenter servers, and we manually updated the
> new IP address in the configuration files related to the new servers, but
> during testing we are encountering this issue.

You haven't really indicated how this is a Tomcat issue. This sounds like
it's either an application issue or a Lotus Domino SSO issue. However, I
will ask some questions that may point you in the right direction. Is the
application dependent on Tomcat's JSession? If so, when does it determine
the userPrincipal? If not, then it's an application issue. How is this SSO
set up? Header based? Cookie based? Agent based session? Is Tomcat
responsible for connecting to the userstore to determine who the user is?
This would be done via a realm.


> We had 2 servers in the Test region which are load balanced, where 1 server
> is working fine (with the other server shut down), with no issue with the
> login page on this server, while the issue is happening on the other server.

So are you saying it works fine with 1 server and doesn't when 2 are
running? Are you sure it's not a load balancing issue? How does your
application handle sessions? Does it replicate them? Does the application
use affinity to keep the user going to the same server through the LB?

> The application login page resides on the Lotus Domino server and
> authentication happens on the Domino side, and then it redirects the request
> to the Apache and Tomcat servers.
>
> Please suggest on this issue.

There are a lot of different things that can go wrong here and most of them
are not Tomcat related.

> Thanks,
> Mohit

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/