Re: Updating configTest to include shutdown port validation

2025-06-20 Thread Amit Pande
Thank you Mark for the feedback. Reason to ask for shutdown port availability was that configtest already checks that for connector ports. E.g. SEVERE: Failed to initialize component [Connector["nbhttps-jsse-nio-127.0.0.1-12345"]] org.apache.catalina.LifecycleException: Protocol handler initial

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Maxim Solodovnik
from mobile (sorry for typos ;) On Fri, Jun 20, 2025, 18:16 Hrvoje Lončar wrote: > Well, I should say it was a weird way to fix it. > > For example, if you don't have a DoS attack AFAIK defaults should be set to the values preventing DoS Waiting for the DoS is not a good idea :) and you upg

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Hrvoje Lončar
Well, I should say it was a weird way to fix it. For example, if you don't have a DoS attack and you upgrade your Tomcat, that would be a big surprise as it was to me. Lucky me I have nice users that contacted me and told me some features of my web app stopped working. Moving to next minor release

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Mark Thomas
On 20/06/2025 11:54, Hrvoje Lončar wrote: Thank you very much Mark Thomas. That was the case :( Absolutely weird to make such a major change in a minor release from NN.MM.39 to NN.MM.42. It was a response to a DoS security vulnerability. Feel free to add your views on what the defaults should be

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Hrvoje Lončar
Thank you very much Mark Thomas. That was the case :( Absolutely weird to make such a major change in a minor release from NN.MM.39 to NN.MM.42 On Fri, Jun 20, 2025 at 10:01 AM Mark Thomas wrote: > On 20/06/2025 02:07, Hrvoje Lončar wrote: > > Hi! > > > > Hope it's the right place to ask for hel

Re: rewrite.config hot update?

2025-06-20 Thread Mark Thomas
On 11/06/2025 14:36, Troels Arvin wrote: Hello, On May 28th, Mark Thomas wrote: Define the Valve at the web application level in the web application's META-INF/context.xml (nested under ) rather than at the host level in server.xml Rewrite rules for that web application then go in WEB-INF/re

Re: Updating configTest to include shutdown port validation

2025-06-20 Thread Mark Thomas
On 20/06/2025 01:18, Amit Pande wrote: Hello, I was testing out the "configtest" option of the catalina.sh/.bat and observed that it does not do validation for the shutdown port. There are lots of things it doesn't explicitly test. Why is the shutdown port of particular interest? https://gi

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Mark Thomas
On 20/06/2025 02:07, Hrvoje Lončar wrote: Hi! Hope it's the right place to ask for help or/and advice. Few days ago I switched to latest Tomcat 10.1.42. After deploy POST is not working due to missing CSRF token. When I inspect HTTP request, CSRF token is in a payload as "_csrf" and the value i

Re: Unexpected behavior of dead-simple servlet

2025-06-20 Thread Mark Thomas
On 19/06/2025 16:56, Christopher Schultz wrote: 2. Try remote debugging? I'd love to, but what am I looking for? If I had seen the "committed" flag set to "true" at some point, I would look for a value-change as a trigger to see what's causing it. I just commented out everything in the F