Re: Tomcat 9.0.x support Java 17 ?

2025-05-28 Thread Zdeněk Henek
Hi,

here is all you need
https://tomcat.apache.org/whichversion.html

We run Tomcat 9 even with OpenJDK 21.

Regards,
Zdenek Henek

On Wed, May 28, 2025 at 5:04 AM dineshk wrote:

> Hi Team,
> Could anybody clarify on if we could use Java 17 with Java EE specs with
> tomcat 9.0.x ?
>
> Regards,
> Dinesh
>
> Sent from Yahoo Mail for iPhone
>


Re: adding new SSL certificate without restarting tomcat

2025-05-28 Thread Ivano Luberti

Thanks for all the responses. I try to be more clear.

My server.xml configuration contains a few SSLHostConfig configurations
like this

    certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
    certificateKeystorePassword="passwrod"
    certificateKeystoreType="PKCS12"
    />

after certificate renewal, reloading the certificate is no concern.

But if I add (or remove) a new SSLHostConfig, tomcat needs to be
restarted in order to take into account the new configuration.

I would like to know if there is a way to configure tomcat so as to avoid a restart.

Even using a different way to configure tomcat outside of server.xml,
using a different certificate format or whatever.




On 28-May-25 09:49, Michael Osipov wrote:

On 2025/05/27 20:11:25 Ivano Luberti wrote:

Hi all, is there a way to configure tomcat in order to avoid restart
when I change the list of ssl certificates?

I know and I do it, how to reload existing certificates, but I'm
searching a way to avoid reloading when I add or remove a certificate.

I'm using Tomcat 9 , but looking for solution also in tomcat 10 or 11.

RTFM: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html?

Works for me very well.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


--

Archimede Informatica processes personal data in accordance with EU
Regulation 2016/679 (GDPR) and Legislative Decree no. 196 of 30 June 2003,
as amended by Legislative Decree no. 101 of 10 August 2018.
Full privacy notice

This message and any attachment are confidential. If you are not the
intended recipient, please telephone or email the sender and delete this
message and any attachment from your system. If you are not the intended
recipient you must not copy this message or attachment or disclose the
contents to any other person. Any opinions presented are solely those of
the author and do not necessarily represent those of the Company.


dott. Ivano Mario Luberti

Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa

tel.: +39 050/580959

web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/


Re: adding new SSL certificate without restarting tomcat

2025-05-28 Thread Michael Osipov
On 2025/05/27 20:11:25 Ivano Luberti wrote:
> Hi all, is there a way to configure tomcat in order to avoid restart 
> when I change the list of ssl certificates?
> 
> I know and I do it, how to reload existing certificates, but I'm 
> searching a qay to avoid reloading when I add or remove a certificate.
> 
> I'm using Tomcat 9 , but looking for solution also in tomcat 10 or 11.

RTFM: 
https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html?

Works for me very well.




Re: Tcnative-2 PQC support

2025-05-28 Thread Mark Thomas

On 27/05/2025 19:20, federico bustamante wrote:

Hi Mark, hope to find you well.
Just following up, did you get the build working?
I tried a few more times but I couldn't make any progress.


Yes, all working. There is a Tomcat Native release in progress now with 
the Windows binaries built with OpenSSL 3.5.0.


Details here:
https://lists.apache.org/thread/5k3nv5ntmnrwfyz8tlywfldmpzbjdpcn

Additional testing and feedback on that proposed release would be 
appreciated.


Mark



Fede

On Thu, May 22, 2025, 08:22 federico bustamante  wrote:


I couldn't make it work with mingw64.
The switch to 3.5 LTS would be wonderful, I hope you can get the build
working, Mark.
Please keep us updated.

Thanks,
Fede.

On Thu, May 22, 2025, 07:07 Mark Thomas  wrote:


On 22/05/2025 07:53, Mark Thomas wrote:

On 21/05/2025 23:04, federico bustamante wrote:

Yes, I don't have high hopes on making it work on Ubuntu, but I
thought of
giving it a try using mingw-64.
I'll report back.


I've been building the Tomcat Native binaries for Windows for a while.
I'll try with 3.5 and report back.


This won't work with the currently documented Tomcat Native build
process for Windows. I'm working on some updates.


I'll also start a discussion on dev@ about switching the convenience
builds to use OpenSSL 3.5 since that is the new LTS version.


Looks like we are heading towards consensus to do that - assuming I can
get the build working.

Mark



Mark



Fede

On Wed, May 21, 2025, 18:20 Christopher Schultz <
ch...@christopherschultz.net> wrote:


Federico,

On 5/21/25 2:22 PM, federico bustamante wrote:

I've only tried with OpenSSL 3.5, but I suspect it's the same story
with older versions (which, to be honest, wouldn't bother me as much as it
being a specific problem with 3.5).


I'll try reproducing the build process on Windows. We know the build
CAN be produced on Windows, because, well... we produce convenience
binaries for Windows with each tcnative release. But there may be some
environmental nuances that aren't completely documented in our build
process. We should fix that if it's the case.


I'll try building the DLL on Ubuntu.


Strictly speaking, this is not possible. You may be able to build a
Linux binary, but creating a Windows DLL on Linux would require that
you set up a toolchain that is much more complicated than just doing it on
Windows in the first place.

-chris


On Wed, May 21, 2025, 13:35 Christopher Schultz <
ch...@christopherschultz.net> wrote:


Federico,

On 5/21/25 12:27 PM, Christopher Schultz wrote:

Federico,

On 5/21/25 10:58 AM, federico bustamante wrote:

Hi!
Did anyone have any luck building tcnative-2.dll with Openssl 3.5
to add Post Quantum Cryptography support?
I tried following the steps in the wiki, but didn't have any luck
(tried with cmake and nmake).


Have you been able to compile tcnative-2.dll with earlier versions
of OpenSSL? I'm asking to see if you are having trouble with building
tcnative in general, or if OpenSSL 3.5 is what is causing the
problem.


FYI I just tried building libtcnative on MacOS against OpenSSL 3.5
and the build was successful. I believe the build process for Windows
is ... complex compared to *NIX-style builds.

But I wanted to confirm that tcnative didn't have any issues with
building against OpenSSL 3.5 in general, and that seems not to be
the case.


So the problem must be with the Windows build process itself.

-chris







Re: adding new SSL certificate without restarting tomcat

2025-05-28 Thread Mark Thomas

On 27/05/2025 21:11, Ivano Luberti wrote:
Hi all, is there a way to configure tomcat in order to avoid restart 
when I change the list of ssl certificates?


Which list of certificates? There are several.

Exactly what are you changing? Are you adding a cert to a keystore, 
adding a PEM file to a directory or something else?


I know and I do it, how to reload existing certificates, but I'm 
searching a way to avoid reloading when I add or remove a certificate.


If you change anything related to the Connector configuration, the 
minimum you are going to have to do is reload the configuration for that 
Connector. That should be a seamless process with no downtime.



I'm using Tomcat 9 , but looking for solution also in tomcat 10 or 11.


I'd expect the same solution to work for all but we need to understand 
the problem fully first.


Mark





Re: adding new SSL certificate without restarting tomcat

2025-05-28 Thread Christopher Schultz

Ivano,

On 5/28/25 4:17 AM, Ivano Luberti wrote:

Thanks for all the responses. I try to be more clear.

My server.xml configuration contains a few SSLHostConfig configurations
like this

    certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
    certificateKeystorePassword="passwrod"
    certificateKeystoreType="PKCS12"
    />

after certificate renewal, reloading the certificate is no concern.

But if I add (or remove)  a new SSLHostConfig,  tomcat needs to be 
restarted in order to take into account the new configuration.


I would like to know if there is a way to configure tomcat so as to avoid a
restart.


Even using a different way to configure tomcat outside of server.xml 
using a different certificate format or whatever.


Okay, so you don't mean reconfiguring an existing SSLHostConfig. You 
mean adding a new one (or removing an old one).


You should connect to Tomcat using JMX to see all of the 
remote-management capabilities it has. You are able to use JMX to create 
SSLHostConfig settings on the fly, reconfigure connectors, etc. without 
restarting the JVM.


-chris





Re: rewrite.config hot update?

2025-05-28 Thread Troels Arvin

Hello,

Mark Thomas wrote:

  Try with per context rewrite rules rather than global ones.


What does that mean?

I've added my ... clause to ...tomcat/conf/context.xml



  You might be able to trick watched resources with 
"../../conf/standalone/rewrite.config"


Thanks, but unfortunately, that trick did not work.

--
Regards,
Troels Arvin





Re: rewrite.config hot update?

2025-05-28 Thread Mark Thomas
Try with per context rewrite rules rather than global ones. The watched 
resource path is relative to the docBase.


You might be able to trick watched resources with 
"../../conf/standalone/rewrite.config" but I haven't tested it and I'm 
fairly sure it was never intended to work that way (even if it does).


Mark


On 28/05/2025 15:27, Troels Arvin wrote:

Hello,

Holger Klawitter wrote:

  In the context.xml you should be able to specify
  <WatchedResource>WEB-INF/rewrite.config</WatchedResource>


It doesn't work. I've tried

<WatchedResource>${catalina.base}/conf/standalone/rewrite.config</WatchedResource>

and

<WatchedResource>/PATH_TO/tomcat/conf/standalone/rewrite.config</WatchedResource>


However, I can still only get Tomcat to pick up my changes to 
rewrite.config if I restart all of Tomcat :-(








Re: Tcnative-2 PQC support

2025-05-28 Thread federico bustamante
Mark,

Excellent news, thank you for taking the time to make it work.
I tested it in 9.0.105 (using NIO2), 10.1.41 and 11.0.7 on Windows and it
works fine.
On Chrome 136 the negotiated DH group is X25519MLKEM768, as expected.
I'll keep doing tests.

Fede.

On Wed, May 28, 2025, 04:51 Mark Thomas  wrote:

> On 27/05/2025 19:20, federico bustamante wrote:
> > Hi Mark, hope to find you well.
> > Just following up, did you get the build working?
> > I tried a few more times but I couldn't make any progress.
>
> Yes, all working. There is a Tomcat Native release in progress now with
> the Windows binaries built with OpenSSL 3.5.0.
>
> Details here:
> https://lists.apache.org/thread/5k3nv5ntmnrwfyz8tlywfldmpzbjdpcn
>
> Additional testing and feedback on that proposed release would be
> appreciated.
>
> Mark
>

Re: rewrite.config hot update?

2025-05-28 Thread Mark Thomas

On 28/05/2025 15:48, Troels Arvin wrote:

Hello,

Mark Thomas wrote:

  Try with per context rewrite rules rather than global ones.


What does that mean?


https://tomcat.apache.org/tomcat-11.0-doc/rewrite.html

Define the Valve at the web application level in the web application's
META-INF/context.xml (nested under <Context>) rather than at the host
level in server.xml.

Rewrite rules for that web application then go in WEB-INF/rewrite.config

Then add

<WatchedResource>WEB-INF/rewrite.config</WatchedResource>

(also nested under <Context>) to the context.xml

Mark





Re: Tcnative-2 PQC support

2025-05-28 Thread Christopher Schultz

Federico,

On 5/28/25 10:43 AM, federico bustamante wrote:

Excellent news, thank you for taking the time to make it work.
I tested it in 9.0.105 (using NIO2) , 10.1.41 and 11.0.7 on Windows and it
works fine.
On Chrome 136 the negotiated DH group is X25519MLKEM768, as expected.
I'll keep doing tests.



Please reply to the [VOTE] email on the development list with this 
feedback. We always appreciate community feedback on releases. You don't 
have to be a committer or PMC member or anything like that.


-chris


On Wed, May 28, 2025, 04:51 Mark Thomas  wrote:


On 27/05/2025 19:20, federico bustamante wrote:

Hi Mark, hope to find you well.
Just following up, did you get the build working?
I tried a few more times but I couldn't make any progress.


Yes, all working. There is a Tomcat Native release in progress now with
the Windows binaries built with OpenSSL 3.5.0.

Details here:
https://lists.apache.org/thread/5k3nv5ntmnrwfyz8tlywfldmpzbjdpcn

Additional testing and feedback on that proposed release would be
appreciated.

Mark




Re: Consolidating and harmonizing users from multiple realms

2025-05-28 Thread Christopher Schultz

Michael,

On 5/26/25 9:14 AM, Michael Osipov wrote:

Hi folks,

I seek guidance on a larger problem I need to solve where I do have a few ideas,
but am also considering to what degree it would make sense to add code to the
Tomcat codebase for the common good:

I have a realm impl called MyRealm which sources from "store A", it has roles
(groups) in a specific format and user attributes. It returns MyPrincipal.
Consider you have a webapp which has logical roles "user", "editor", "admin",
etc. and also uses those specific attributes. The webapp context maps the
roles from "store A" into the logical roles with the 
PropertiesRoleMappingListener.

Now an additional MyRealm with "store B" comes into play. Of course, the
CombinedRealm works perfectly, but "store B" has different role names and
different attribute names.

The problem: Both "String Context#findRoleMapping(String)" and
"#addRoleMapping(String, String)" do not support 1:n mapping, e.g.,
"user" role maps to "store_a_role_1" and "store_b_role_5".
This would require changing/extending the interface and other classes.
The other problem is, of course, realm-specific. Say "store A" has attribute
"gid" which is semantically identical to "store B" attribute
"employeeID". From an application PoV this is a consolidation nightmare
to touch every single spot to accommodate that.

My idea is going from:


   
   


to


   
 
 
   


While the attributeMapper cannot be part of Tomcat because it is realm-specific,
do you see a benefit of modifying Context to accommodate 1:n mappings and of
course the aftermath?
Let me know your opinion whether this is of good use for the Tomcat code base.

For the sake of completeness, I cannot add "user1", etc. to the application
because it will require some hefty code changes as well.


I must admit I've never used the role-mapping capabilities of the 
servlet context before; I've only written applications that use the 
one-and-only-one set of roles exposed by my user database. So perhaps my 
comments come from a position of ignorance to your particular situation.


It seems to me that this can be entirely fixed by using a custom 
Principal object: one that is already under the control of the Realm.


import java.security.Principal;
import java.util.List;

import org.apache.catalina.Wrapper;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class MyRealm extends RealmBase {
  @Override
  public Principal authenticate(String username, String credentials) {
    // ... verify the credentials against this Realm's store and collect
    // the store's role names for the user ...
    List<String> storeRoles = List.of();
    return new CustomPrincipal(username, storeRoles);
  }

  // Tomcat's Realm interface names this hasRole(Wrapper, Principal, String)
  @Override
  public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
    if (principal instanceof CustomPrincipal
        && ((CustomPrincipal) principal).isMine(this)) {
      // Translate the application's logical role into this store's role
      // before letting RealmBase check it against the principal
      return super.hasRole(wrapper, principal, reverseMapRole(role));
    } else {
      // Principal is not from this Realm
      return false;
    }
  }

  protected String reverseMapRole(String role) {
    if ("user".equals(role)) {
      // Obviously, implement this as a configurable Map
      return "CN=users,OU=groups,DC=example,DC=org";
    } else {
      return role;
    }
  }

  // RealmBase declares these; the store-specific lookups go here
  @Override
  protected String getPassword(String username) {
    return null; // ...
  }

  @Override
  protected Principal getPrincipal(String username) {
    return null; // ...
  }

  // Inner (non-static) class so each principal remembers the Realm that created it
  public class CustomPrincipal extends GenericPrincipal {
    public CustomPrincipal(String name, List<String> roles) {
      super(name, roles); // password-less constructor (recent Tomcat 9.0, 10.1+)
    }

    private boolean isMine(MyRealm realm) {
      return realm == MyRealm.this;
    }
    // ...
  }
}

You can use the same class MyRealm for both of your Realms, each with a 
different configuration. Since Tomcat already supports any attribute you 
want to configure, just do something like:


 roleMappings="user=CN=users,OU=groups,DC=example,DC=org; 
editor=CN=editors,OU=groups,DC=example,DC=org"; and so on" />


Would what I have above work for you? It doesn't work for an application 
that tries to manually perform reverse-role-mapping (because the Context 
doesn't know about these mappings), but without changes to Jakarta EE 
APIs, the application will /never/ be able to do this.


-chris
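The 1:n case Michael raises (one logical role backed by several store roles, plus renaming a store attribute such as employeeID to gid) as an added, stand-alone example; this is not code from the thread and not Tomcat's own. It generalizes the 1:1 reverseMapRole sketch above into a per-realm mapping table parsed from a string in the roleMappings attribute format Chris proposes. The "|" separator for listing several store roles under one logical role, the StoreRoleMapper name and the sample store data are assumptions of mine; the class has no Tomcat dependency, so it compiles and runs on its own and the same instance shape could back a Realm's hasRole.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not from the thread, not Tomcat code): one mapper per realm,
 * built from a string such as
 *   "user=CN=users,OU=groups,DC=example,DC=org; editor=role_a|role_b"
 * where ";" separates logical roles and "|" (assumed extension) lists several
 * store roles for one logical role. Attribute harmonization reuses the idea.
 */
public final class StoreRoleMapper {
    /** Logical role -> store-specific roles (1:n). */
    private final Map<String, Set<String>> forward = new HashMap<>();
    /** Store-specific role -> logical roles (reverse index). */
    private final Map<String, Set<String>> reverse = new HashMap<>();
    /** Store attribute name -> application attribute name, e.g. employeeID -> gid. */
    private final Map<String, String> attributeNames;

    public StoreRoleMapper(String roleMappings, Map<String, String> attributeNames) {
        this.attributeNames = new HashMap<>(attributeNames);
        for (String entry : roleMappings.split(";")) {
            entry = entry.trim();
            if (entry.isEmpty()) {
                continue;
            }
            // Only the first '=' splits: a store role may itself be an LDAP DN with '='.
            int eq = entry.indexOf('=');
            if (eq < 0) {
                throw new IllegalArgumentException("bad mapping entry: " + entry);
            }
            String logical = entry.substring(0, eq).trim();
            for (String storeRole : entry.substring(eq + 1).split("\\|")) {
                storeRole = storeRole.trim();
                forward.computeIfAbsent(logical, k -> new HashSet<>()).add(storeRole);
                reverse.computeIfAbsent(storeRole, k -> new HashSet<>()).add(logical);
            }
        }
    }

    /** True if any of the principal's store roles satisfies the logical role. */
    public boolean hasLogicalRole(Collection<String> storeRoles, String logicalRole) {
        Set<String> accepted = forward.get(logicalRole);
        if (accepted == null) {
            // Unmapped logical role: fall back to a literal match, like reverseMapRole above.
            return storeRoles.contains(logicalRole);
        }
        for (String r : storeRoles) {
            if (accepted.contains(r)) {
                return true;
            }
        }
        return false;
    }

    /** All logical roles granted by the store roles (the direction Context lacks). */
    public Set<String> logicalRoles(Collection<String> storeRoles) {
        Set<String> out = new TreeSet<>();
        for (String r : storeRoles) {
            Set<String> mapped = reverse.get(r);
            if (mapped != null) {
                out.addAll(mapped);
            }
        }
        return out;
    }

    /** Rename store attributes into the application's attribute names. */
    public Map<String, String> harmonize(Map<String, String> storeAttributes) {
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : storeAttributes.entrySet()) {
            out.put(attributeNames.getOrDefault(e.getKey(), e.getKey()), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data for the two stores described in the thread.
        StoreRoleMapper storeA = new StoreRoleMapper(
            "user=store_a_role_1; editor=store_a_role_2|store_a_role_3; admin=store_a_role_9",
            Map.of());
        StoreRoleMapper storeB = new StoreRoleMapper(
            "user=CN=users,OU=groups,DC=example,DC=org; admin=CN=admins,OU=groups,DC=example,DC=org",
            Map.of("employeeID", "gid"));

        List<String> aRoles = List.of("store_a_role_3");
        List<String> bRoles = List.of("CN=users,OU=groups,DC=example,DC=org");

        System.out.println("store A editor? " + storeA.hasLogicalRole(aRoles, "editor"));
        System.out.println("store A logical roles: " + storeA.logicalRoles(aRoles));
        System.out.println("store B admin? " + storeB.hasLogicalRole(bRoles, "admin"));
        System.out.println("store B attributes: " + storeB.harmonize(Map.of("employeeID", "4711")));
    }
}
```

Each realm instance owns its own table, so a principal from store B is never tested against store A's role names; the reverse index is what an application would need to answer "which logical roles does this user hold" without the Context API change Michael describes.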





Re: rewrite.config hot update?

2025-05-28 Thread Troels Arvin

Hello,

Holger Klawitter wrote:

  In the context.xml you should be able to specify
  <WatchedResource>WEB-INF/rewrite.config</WatchedResource>


It doesn't work. I've tried

<WatchedResource>${catalina.base}/conf/standalone/rewrite.config</WatchedResource>

and

<WatchedResource>/PATH_TO/tomcat/conf/standalone/rewrite.config</WatchedResource>

However, I can still only get Tomcat to pick up my changes to 
rewrite.config if I restart all of Tomcat :-(


--
Regards,
Troels Arvin




Re: Tcnative-2 PQC support

2025-05-28 Thread federico bustamante
Done!

Fede.


On Wed, May 28, 2025, 14:05 Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Federico,
>
> On 5/28/25 10:43 AM, federico bustamante wrote:
> > Excellent news, thank you for taking the time to make it work.
> > I tested it in 9.0.105 (using NIO2) , 10.1.41 and 11.0.7 on Windows and
> it
> > works fine.
> > On Chrome 136 the negotiated DH group is X25519MLKEM768, as expected.
> > I'll keep doing tests.
> >
>
> Please reply to the [VOTE] email on the development list with this
> feedback. We always appreciate community feedback on releases. You don't
> have to be a committer or PMC member or anything like that.
>
> -chris
>