Problem getting logging from TldScanner
Moin,

I wanted to check the TLD scanner and placed*

    org.apache.jasper.servlet.TldScanner.level = FINE

in logging.properties, but under Tomcat 10.1.25 and Tomcat 9.0.91 I get only

    05-Aug-2024 10:43:29.958 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.

Uncommenting the line

    org.apache.catalina.util.LifecycleBase.level = FINE

in logging.properties works as expected (to check if I really looked at the correct files).

On Tomcat 9.0.83 I got

    Aug 05, 2024 11:44:43 AM org.apache.jasper.servlet.TldScanner scanResourcePaths
    FINE: No TLD files were found in resource path [/WEB-INF/].

as expected.

I could not find any open bugs for TldScanner or logging that would explain this behavior. Did I miss something? Could someone verify this?

Java versions:
11.0.21 for Tomcat 9
17.0.11 for Tomcat 10

Thanks,
Andreas

* Yes, I tried FINE, FINEST and ALL...

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache Tomcat Plain Password
Chuck,

On 8/3/24 12:17, Chuck Caldarale wrote:
>> On Aug 3, 2024, at 06:28, MOHAMMED Bahauddin N wrote:
>>
>> I have a request related to the Keystore password in Apache Tomcat's 'server.xml' file. Currently, the password under the Connector port is displayed in plain text,
>
> Displayed to whom?
>
>> which is a security concern.
>
> No, it’s not - as long as you have properly secured the Tomcat configuration files. They should be accessible only by the userid Tomcat runs with and the Tomcat administrator (if using a different userid). No other users should have any access.
>
>> I am looking to encrypt it through configuration (not through any code). I have reviewed the information provided in the link below, which mentions configuration tips, but I don't understand some of these (apart from the XML encoding).
>>
>> https://cwiki.apache.org/confluence/display/TOMCAT/Password
>
> The point of the article is that attempting to encrypt the Tomcat configuration entries is … pointless. There will have to be a decryption key saved somewhere that Tomcat has access to; if any other users have access to that key, you’ve just wasted a lot of time and effort for no gain. Much more efficient to expend that effort in securing the Tomcat files.

I had this conversation with someone a long time ago and their argument at the time was basically against shoulder-surfing. "If the password is 'hummingbird' then someone can just read it and go write it down elsewhere." Okay, sure. So just make your password random junk and that will solve the shoulder-surfing issue. All other use-cases are just making more work for everybody who already really has access to the password.

I make it a habit of generating secrets basically like this:

    $ dd if=/dev/urandom bs=1024 count=10 | sha1sum

10k of random garbage into sha1sum gives me a nice big random blob every time. Copy, paste, done. Unless someone is able to take a photo over your shoulder, you are fine. If that happens, why are you letting them take pictures? Why are you letting them log into your application server to impersonate your application? So many "whys".

Choosing a non-trivial password and file-level permissions should be sufficient. Everything else is hand-waving.

I have become more interested in the ServiceBindingPropertySource class recently, but that has MUCH more to do with deployment flexibility than security. But the passwords aren't in server.xml anymore!

-chris
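The reply above reduces the problem to two controls: a random secret and file permissions on the Tomcat configuration. The script below is an added example, not code from the thread or from Tomcat: it generates a secret the way the reply does and audits a conf directory for files readable by group or others. It assumes CATALINA_BASE points at the Tomcat base directory and that either GNU or BSD stat is available.

```shell
# Added example (not from the thread): generate a random keystore secret from
# /dev/urandom and check that Tomcat's conf files are owner-only readable.
# CATALINA_BASE is an assumed environment variable naming the Tomcat base dir.

# Print a 40-character hex secret derived from 10 KiB of /dev/urandom,
# the same pipeline the reply recommends.
gen_secret() {
  dd if=/dev/urandom bs=1024 count=10 2>/dev/null | sha1sum | cut -d' ' -f1
}

# Print a file's permission bits in octal (GNU stat, with BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when every regular file directly under $1 has no group/other bits
# set; otherwise print each exposed file with a fix and return 1.
check_conf_perms() {
  dir="$1"
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(file_mode "$f")
    go=${mode#${mode%??}}        # last two octal digits: group and other
    if [ "$go" != "00" ]; then
      echo "exposed: $f (mode $mode); fix with: chmod 600 '$f'"
      bad=1
    fi
  done
  return "$bad"
}

# Stand-alone use: audit the live conf directory when CATALINA_BASE is set.
if [ -n "${CATALINA_BASE:-}" ]; then
  check_conf_perms "$CATALINA_BASE/conf" && echo "conf permissions OK"
fi
```

Run it as the Tomcat user or root; a clean result means server.xml and its neighbours are only readable by their owner, which is the property the reply says actually matters.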
[ANN] Apache Tomcat 9.0.93 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.93.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.93 is a bugfix and feature release. The notable changes compared to 9.0.91 include:

- Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol.

- Add OpenSSL support for FFM. Using this feature requires Java 22 or newer.

- Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector.Response and then calling the method void sendEarlyHints().

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team