John Renne wrote:
>Can I ask you what you consider insecure about AJP by the way?
AJP is, apart from some simple encoding of a few headers which are easily
decoded, a plain text protocol. There is zero encryption. Hence it is not
secure.
I suggest you read the AJP protocol definition in the d
Rod Macpherson wrote:
>I was under the impression Tomcat 7 supported JAX-RS out of the box.
What gave you that impression?
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: us
Christoph Maser wrote:
>On Thursday, 12.04.2012, 14:02 +0100, ma...@apache.org wrote:
>> Christoph Maser wrote:
>>
>> >Do you see any chance a request for feature in that direction would be
>> >accepted?
>>
>> Right now, no. I don't see a requirement that isn't met by the existing imp
Peter wrote:
>Thanks for the response Mark - it is consistent with both observations
>that i noted in the original email (heap post startup was near 0, and
>disabling scanning resolves). I looked in the changelog in 26/27 and
>did not see anything in there that fits this? If your hypothesis is
>
Christoph Maser wrote:
>Do you see any chance a request for feature in that direction would be
>accepted?
Right now, no. I don't see a requirement that isn't met by the existing
implementation. If there was a use case that wasn't completely off the wall
that couldn't be met then it would get l
Violeta Georgieva wrote:
>Hi,
>
>This mechanism is meant to be a standard way for web frameworks to extend
>the Servlet Container. IMHO this is compliant with the specification:
Your not really humble at all opinion is wrong. This is a Servlet 3.0 feature
and therefore not available to 2.5 or
Jim Garrison wrote:
>I am in an environment where I deploy tomcat via a script. Rather than
>keep two entire copies of Tomcat for 32- and 64-bit systems I have the
>complete 32-bit download plus the 64-bit tomcat6*.exe files. I'm
>upgrading from 6.0.20 to 6.0.35 and my usual procedure is to dif
"Robinson, Eric" wrote:
>Agreed. Anyway, in this case the thread is on a tomcat server that is
>only used for scheduled java tasks. Users do not access it directly.
>Very puzzling. What I'd really like is for some well-known tomcat guru
>to say that in our environment, -Xms16M is fine and that
Dan Tran wrote:
>I also notice commons-daemon is upgraded after tomcat 7.0.23
>
>Would this be the main issue?
>
>-D
>
>On Sun, Feb 5, 2012 at 1:40 AM, Dan Tran wrote:
>> Hello,
>>
>> Starting tomcat 7.0.25, update windows tomcat server option using
>> ++jmvOptions seems to replace existing opti
Christopher Schultz wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>David,
>
>On 1/21/12 3:02 AM, David Jorm wrote:
>> Based on reading the advisory and Tomcat patch code, it seems to me
>> that the issue is simply slow processing when a very large number
>> of parameters is received wi
Violeta Georgieva wrote:
>Hi,
>
>If the static content is not protected then by default it is cached and the
>corresponding headers are set - see screenshot1 & screenshot2.
>but when I put it as protected content the following headers are set:
>Cache-control:private and Expires header: Expires T
Justin Larose wrote:
>> > An error occurred at line: 230 in the jsp file: /object_table.jsp
>> > The type Part is ambiguous
>> > 227:{
>> > 228: //do nothing here - we don't want the filter to be displayed for lifecycles
>> > 229: }
>> > 230: else if (objType.eq
Mark Lim wrote:
>It seems that tomcat is trying the default JSSE implementation despite
>the sslImplementationName attribute being set. Are there internal
>precedence controls or does the classloader hierarchy matter or what?
No, but what makes you assume what you are trying will work?
You hav
Janne Jalkanen wrote:
>APR + native. Good catch there, I took apr out and I am no longer
>seeing the FD leak.
OK. Sounds like APR/native has an issue. There was a fair bit of refactoring in
7.0.22.
I'll see if I can reproduce it. A simple test case may help.
Mark
Gadi Katsovich wrote:
>Hello All,
>I am using Tomcat 5.5.30 and am affected by the hashtable collision DoS
>vulnerability.
>I wanted to know if the Request parameter parsing is always invoked?
>
>Or is it only performed once a servlet asks for a parameter? Meaning if
>my servlets don't ask for a
Saravanan L wrote:
>Tomcat does not pass through any proxy. My firefox browser has a proxy
>plugin configured which RELAYED this message.
>
>I enabled this plugin because I wanted to be sure of what's happening.
>(I guess I should have made it clear)
>
>So the end line is tomcat does not respond to
Matthew Tyson wrote:
>That's right, there is an f5 load balancer. The valve is used to keep
>track of whether the request was via HTTPS or not.
What happens if you go direct to Tomcat and bypass the F5?
>tcpdump seems to confirm the same. What are you thinking?
Probably, like me, that the F5
Saravanan L wrote:
>Please find the server.xml attached.
>
>The real problem is I don't know where to look at.
> -There are no errors in logs or the linux sys logs.
> - I cannot diagnose as the connector(443) does not even connect.
Of course you can diagnose this further. netstat and a thr
John Minchuk wrote:
>Quick overview of our setup. Http request flow from our load
>balancers, to squid proxies, to Apaches, to our Tomcat servers. We migrated
>to this setup from an Oracle App Server.
>
>Apache: 2.2.3
>Tomcat: 7.0.11.0
>JVM: 1.6.0_22-b04
>Linux: 2.6.18-194.17.1.el5
>
>Our pro
jwklomp wrote:
>
>Hello,
>
>I'm migrating existing applications to Tomcat and setting Tomcat up as
>described in the 'Security Configuration Benchmark for Apache Tomcat
>5.5/6.0' of the Center of Internet Security.
>
>The benchmark recommends enabling the Security Manager. However, I'm
>experien
Jeffrey Janner wrote:
>I might be a little off
You are a long way off and also need to read the Servlet 2.5 spec.
Mark
Christopher Schultz wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>Bill,
>
>On 11/28/11 7:08 PM, Bill Wang wrote:
>> Here I have the last question, what's the reload option, is it same
>> as stop/start?
>
>According to markt (who is known to
2
>- when lib/*.jar files of tomcat-7.0.23 are replaced with lib/*.jar files of
>tomcat-7.0.23 - everything works just fine
>
>thank you!
>
>p.s. i think it's an issue of tomcat-7.0.23 not a bug of my app.
>but some developer markt keeps closing my bug report,
>say
"Zampani, Michael" wrote:
>Hi,
>
>I'm trying to upgrade an existing webapp installation from 7.0.22 ->
>7.0.23.
>
>On startup, it appears to deadlock, with the threads stuck in
>ContainerBase.setRealm
>HostConfig.deployDirectories
>ContainerBase.startInternal
>
>server.xml and thread dump attache
Bill Wang wrote:
>Hi Tomcat guru,
>
>I have questions for the tomcat user roles setup.
>
>On-call team (24*7 support) need permission to restart one tomcat
>service, if they get a call. I think it is maybe possible to let them
>restart tomcat through "Tomcat Web Application Manager" (the admin
Matthew Tyson wrote:
>I guess what I'm asking is if I just start using the Servlet 3.0 support
>for suspending requests out of the box, will it be a thread blocking
>implementation I'm using?
That depends what you mean by "thread blocking". Once startAsync has been
called the thread that was p
Leo Donahue - PLANDEVX wrote:
>Tomcat 6.0.32
>
>When you add a new .war file to the webapps directory (by dragging the
>file in there from another directory) and it automatically expands the
>web archive, is that any different than what the manager application
>does when it deploys the .war fil
"Jürgen Link" wrote:
>Hi all,
>I successfully did set up a tomcat cluster (3 nodes) with session
>replication, using the standard DeltaManager.
>
>In order to allow for more nodes, I'd like to switch to BackupManager for
>primary-secondary replication on a dedicated backup node.
>Unfortunately,
"André Warnier" wrote:
>Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> André,
>>
>> On 10/4/2011 1:31 PM, André Warnier wrote:
>>> Or, wasn't there a possibility to place a symlink within the
>>> webapps dir, and have Tomcat /not/ following it when undeploy
Russ Michaels wrote:
>On Thu, Sep 8, 2011 at 7:08 PM, Christopher Schultz <
>ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Russ,
>>
>> On 9/8/2011 11:44 AM, Russ Michaels wrote:
>> > ok I have an Apache Tomcat installed via the Railo installer f
Christopher Schultz wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>Mark,
>
>On 9/7/2011 6:18 PM, Mark Thomas wrote:
>>> Am I missing something?
>>
>> Yes. You haven't read the docs and you are using the wrong name
>> for the attribute. Try reading this:
>>
>http://tomcat.apache.org/t
Aristedes Maniatis wrote:
>I am an enthusiastic user of the new parallel deployment feature of
>tomcat 7. But I'm a little unclear about how it interacts with session
>replication.
Each version of a webapp is treated as a separate webapp.
>If I have a cluster of tomcat instances:
>
>instance1/A
"Caldarale, Charles R" wrote:
>> From: Bijesh Vijayan [mailto:bijesv...@gmail.com]
>> Subject: Re: auth-constraint
>
>> Is there a way in tomcat 7 to mention the roles outside of web.xml.
>
>Read section 8 of the servlet 3.0 spec; you might be able to use a
>web-fragment.xml to list the roles.
ranckie frank wrote:
>Honestly, I was simply curious why the cryptographically secure generation
>of random unique ids (through java.security.SecureRandom API) is disabled
>by default.
Because it is more expensive. I can't think of a reason why you would need
SecureRandom there but left so
Seth Lenzi wrote:
>
>I'm using Tomcat v7.0.14, Apache v2.2.17, and mod_jk v1.2.30.
>
>The Servlet I have does not implement CometProcessor. It's just a
>regular HttpServlet which creates an AsyncContext from the
>HttpServletRequest object. Like the example Servlet at this page,
>http://develop
Olivier Lefevre wrote:
>What is the syntax for the maxPostSize Connector parameter:
>are notations like 1M or 1G recognized? That would be expected,
>even though the docs:
>http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>are mum about it.
>
>Thanks,
>
>-- O.L.
response.setStatus and response.setHeader instead, it works
>>> > absolutely fine. The client gets the response every time.
>>> >
>>> > I put together a very simple test that isolates the issue
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.14.
Apache Tomcat 7.0.14 includes bug fixes and the following new features
compared to version 7.0.12:
- new StuckThreadDetectionValve to identify long running requests
- JAAS authentication support for the JMXRemoteL
Stefan Wuschek wrote:
> Hello,
>
>I am using tomcat 6.0.32 in combination with the eclipse platform (helios).
>I tried to write a very simple bean just for getting familiar with it. It is
>a simple form [form.jsp] that asks for mail address and by clicking the send
>button it calls a jsp [resu
Stefan Thurnherr wrote:
>Hi
>
> From the Tomcat v7.0.12 changelog [1] :
> " Don't unpack WAR files if they are not located in the Host's appBase. (markt) "
>Why? Couldn't find any issue or other trace relating to this fix...
Because (as per the docs) WA
Christopher Schultz wrote:
>If there is no request content-length, is the amount of data uploaded to
>the server ever checked against this same limit?
>
Yes, but Tomcat has to count the bytes as they are uploaded so the connection
is dropped later.
Mark