It is described here:
http://ha.ckers.org/slowloris/
Basically the attacker invokes thousands of connections, slowly sending
header after header until the server has exhausted resources, most
likely threads. Can tomcat use nio to process the headers then create a
thread and execute the webapp?
Hello everybody,
I started to use Tomcat 6 for a mail web application - which is coded in php
at the moment. I followed the JNDI-Resources HOW-TO to make use of JavaMail
Sessions. As recommended under 3. Configure Tomcat's Resource Factory I
copied the Resource tag to my context.xml in the web
I know this problem sounds familiar, but I can't find anything in the
archives that quite fits what's going on. We're running a 5.5.25 Tomcat
server on HP/UX 11.11. We have several installations like this, and
they are all functioning properly, without this particular problem,
except one. Our in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
David,
On 6/18/2009 12:03 AM, David Nillesen wrote:
> I think I may have sorted the problem. Would that have occurred if I
> was asking for a webpage without a context? i.e. just hitting some
> undefined area?
All requests are handled by /some/ conte
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Pete,
On 6/18/2009 10:52 AM, Pete Helgren wrote:
> Thanks. Looking at the dump I can see there is an issue with a DB
> manager we wrote (Blocking). I'll investigate further.
It's amazing what you can learn just from looking at a few thread dumps
of
> From: Alan Chaney [mailto:a...@compulsivecreative.com]
> Subject: Re: Reading POSTed data
>
> I don't want to appear picky, but that doesn't actually
> seem that problematic. If you don't set the content type
> as application/x-ww-form-urlencoded then you should be
> able to read it via the inp
> Ok, rules that out. Do any of your webapps make use of JNI? Might want
to use Process Explorer to see what's still going on inside Tomcat.
>
> - Chuck
No JNI.
The process dump immediately below shows JVM still loaded, etc. I then
drill into some of the threads via Process Explorer further
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Timo,
On 6/18/2009 4:44 AM, Timo Meinen | mindmatters wrote:
>
>
>
I like mine better:
Why bother setting all those jvmargs that catalina.sh/bat already knows
how to do?
- -c
Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Reading POSTed data
The servlet spec is very clear about when the request is consumed to
fulfill a getParameter call and when the request is specifically /not/
consumed.
What I find probl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Susan,
On 6/18/2009 8:13 AM, Susan G. Conger wrote:
> This is a windows box so I can't just
> put links in the other area.
mklink.exe? Why does nobody think that NTFS supports links?
> I actually have to move or copy the pieces.
> Having multiple co
Filip,
Thanks for the reply.
> You can do the actions on the worker thread or on your own thread.
Can you clarify your terminology here please? Is the "worker thread"
then one where the event() method is running? Can there be more than
one of those threads that are running the event() method for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Susan,
On 6/18/2009 10:57 AM, Susan G. Conger wrote:
> I actually was thinking about doing it that way. But I was wondering about
> the overhead. I wish I knew how they were serving up the .html files in the
> class package.
Just follow the code: y
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Reading POSTed data
>
> The servlet spec is very clear about when the request is consumed to
> fulfill a getParameter call and when the request is specifically /not/
> consumed.
What I find problematic is that the sp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
André,
On 6/17/2009 6:42 PM, André Warnier wrote:
> .. just don't do any getParameter() with your stuff.
> That, I believe, /may/ still get you in trouble.
> But I'm sure by now Chuck is already checking the Tomcat code of
> getParameter(), to see if
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
André,
As fun as beating a dead horse is...
On 6/17/2009 6:28 PM, André Warnier wrote:
> My point (awaiting a more expert opinion still), is that I believe that
> the way the servlet spec is written, you may very well get away with it
> under one ser
On Fri, 2009-06-19 at 02:05 -0700, lmk wrote:
> --prefix=/usr/tomcat/apache-tomcat-6.0.18
I'd look where you told it to go.
--
Brian Millett - [ Sinclair (re: The Line), "The Gathering"]
"The sky was full of stars and every star an exploding ship...one of ours."
You can do the actions on the worker thread or on your own thread.
You can read non blocking when you receive a READ event by calling
available()>0 before you do a read.
Writes are blocking when the TCP send buffer fills up, just like a
regular servlet
Filip
Chris Markle wrote:
Say I am runni
nothing changes even using LD_LIBRARY_PATH
mturk wrote:
>
> lmk wrote:
>> Hi all,
>>
>> I have installed apr native library, open ssl; using :./configure:
>>
>> ./configure --with-apr=/usr/local/apr
>> --with-java-home=/usr/java/jdk1.5.0_11 --with-ssl=/usr/local/ssl
>> --prefix=/usr/tomc
yes but nothing changes.
Thomas Chabaud-3 wrote:
>
> lmk a écrit :
>> Hi all,
>>
>> I have installed apr native library, open ssl; using :./configure:
>>
>> ./configure --with-apr=/usr/local/apr
>> --with-java-home=/usr/java/jdk1.5.0_11 --with-ssl=/usr/local/ssl
>> --prefix=/usr/tomcat/a
lmk wrote:
Hi all,
I have installed apr native library, open ssl; using :./configure:
./configure --with-apr=/usr/local/apr
--with-java-home=/usr/java/jdk1.5.0_11 --with-ssl=/usr/local/ssl
--prefix=/usr/tomcat/apache-tomcat-6.0.18
I added to catalina_opts java.library definition:
export
newToMina wrote:
Mark,
I changed JKMount as you suggested. But firefox is still displaying the
source when accessing through apache. Direct tomcat access displays fine.
Firefox is rendering the page as follows:
Direct from tomcat (http://server:8080/appname/servlet/Controller)
Type : text/html
$ls /usr/local/apr/lib >
apr.exp libapr-1.a libapr-1.la libapr-1.so libapr-1.so.0
libapr-1.so.0.3.5 pkgconfig
only pkgconfig is a directory
hope it's more clear..
Caldarale, Charles R wrote:
>
>> From: lmk [mailto:lotf...@yahoo.fr]
>> Subject: RE: APR Native library on tomcat 6
>>
>>
lmk a écrit :
Hi all,
I have installed apr native library, open ssl; using :./configure:
./configure --with-apr=/usr/local/apr
--with-java-home=/usr/java/jdk1.5.0_11 --with-ssl=/usr/local/ssl
--prefix=/usr/tomcat/apache-tomcat-6.0.18
I added to catalina_opts java.library definition:
expo
> From: lmk [mailto:lotf...@yahoo.fr]
> Subject: RE: APR Native library on tomcat 6
>
> apr.exp
> libapr-1.a
> that's all:
>
> libapr-1.la
> libapr-1.so
> libapr-1.so.0
> libapr-1.so.0.3.5
> pkgconfig
The above is rather cryptic; which of the above are regular files, which are
directories
apr.exp
libapr-1.a
that's all:
libapr-1.la
libapr-1.so
libapr-1.so.0
libapr-1.so.0.3.5
pkgconfig
Caldarale, Charles R wrote:
>
>> From: lmk [mailto:lotf...@yahoo.fr]
>> Subject: RE: APR Native library on tomcat 6
>>
>> INFO: The APR based Apache Tomcat Native library which all
> From: lmk [mailto:lotf...@yahoo.fr]
> Subject: RE: APR Native library on tomcat 6
>
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path:
> /usr/java/jdk1.5.0_11/jre/lib/i386/server:/usr/java/jdk
here tomcat log:
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/java/jdk1.5.0_11/jre/lib/i386/server:/usr/java/jdk1.5.0_11/jre/lib/i386:/usr/java/jdk1.5.0_11/jre/../lib/i386:/usr/local/apr/l
Mark,
I changed JKMount as you suggested. But firefox is still displaying the
source when accessing through apache. Direct tomcat access displays fine.
Firefox is rendering the page as follows:
Direct from tomcat (http://server:8080/appname/servlet/Controller)
Type : text/html
Render Mode: Stand
> From: lmk [mailto:lotf...@yahoo.fr]
> Subject: APR Native library on tomcat 6
>
> export CATALINA_OPTS="$CATALINA_OPTS -
> Djava.library.path=/usr/local/apr/lib"
Show us what's actually in /usr/local/apr/lib.
> And I still get the error:
>
> The APR based Apache Tomcat Native library which al
On Thu, Jun 18, 2009 at 3:28 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:
> > From: Bruce Edge [mailto:bruce.e...@gmail.com]
> > Subject: Custom valve, how to change role?
> >
> > ...or am I completely off in left field and should scrap
> > this before someone gets hurt and just u
Andre-
apache has implemented method handling by hardcoded parameters in
/include/httpd.h
#define M_GET 0 /* RFC 2616: HTTP */
#define M_PUT 1 /* : */
#define M_POST 2
#define M_DELETE 3
#define M_CONNEC
mateo-jl wrote:
> Hello Mark,
>
> I do not have any doubt about the fix but I've read all the bugs at the
> ChangeLog (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) and I did
> not see the one related to this problem.
You need to read further down the page. They are all there.
> May
Hello Mark,
I do not have any doubt about the fix but I've read all the bugs at the
ChangeLog (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) and I did
not see the one related to this problem.
Maybe they are not all recorded.
Thank you for the response
JLM
> Message du 19/06/09
mateo-jl wrote:
> Hi everybody,
>
> Recently I've reported a problem, which wasn't a new one, related to the
> encoding base64 within cookies ("=" separator ... only at reading :
> request.getCookies) .
> I was responded that this problem will probably be corrected with Tomcat
> 6.0.19 or 6.0.
cleegt wrote:
> Dear All,
>
> Because of the security reason imposed by my company, I disabled http
> DELETE, PUT methods from the tomcat based on some suggested method mentioned
> on the internet. Now, I need to test whether the fix is working or not. So,
> I am looking for a sample testing progr
Hi,
Please help !
I'm having exactly the same issue here, with 5.5.27, in a production
application, and close to pulling my hair out now !
I see the ThreadWithAttributes filled with 5m xalan ElementImpl objects
(my UI is generated using XSL) in one heap dump I have. Like Patrick,
the OoM ha
Hi,
This issue probably won't be given a great deal of attention. There's conflict
between what the spec says, and what has actually been going on in the
development world. The de facto reality is that people have been using =
characters in cookies despite them being prohibited for a long time.
Hi all,
I have installed apr native library, open ssl; using :./configure:
./configure --with-apr=/usr/local/apr
--with-java-home=/usr/java/jdk1.5.0_11 --with-ssl=/usr/local/ssl
--prefix=/usr/tomcat/apache-tomcat-6.0.18
I added to catalina_opts java.library definition:
export CATALINA_OPTS