Re: Skip resource path in TLD scanner?

2025-05-09 Thread Jakub Królikowski
On Thu, May 8, 2025 at 6:04 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Jakub, > > On 5/7/25 3:26 PM, Jakub Królikowski wrote: > > On Sat, Apr 29, 2017 at 12:01 PM Mark Thomas wrote: > > > >> On 28/04/17 17:00, Matt Cosentino wrote: > >>> Yes, it's other folders within WEB-INF

Re: Skip resource path in TLD scanner?

2025-05-08 Thread Christopher Schultz
Jakub, On 5/7/25 3:26 PM, Jakub Królikowski wrote: On Sat, Apr 29, 2017 at 12:01 PM Mark Thomas wrote: On 28/04/17 17:00, Matt Cosentino wrote: Yes, it's other folders within WEB-INF. I turned on the TldScanner logging and it is definitely what is causing the delay. My situation probably isn

Re: Skip resource path in TLD scanner?

2025-05-07 Thread Jakub Królikowski
lders from WEB-INF from scanning. Best regards, Jakub > > > > > - Matt > > > > > > -Original Message- From: Mark Thomas > > [mailto:ma...@apache.org] Sent: Friday, April 28, 2017 7:28 AM To: > > Tomcat Users List Subject: Re: Skip > > resou

Re: Trouble passing through backslash in URL path

2025-04-14 Thread John Dale (DB2DOM)
are ASCII, but are encoded due to special > meaning in a URL > - Cyrillic characters are 2 bytes: Ѐӿ > - Chinese and Japanese characters are 3 bytes: 中さ > - emoji characters are 4 bytes: 😀 > > A client can request a URL path with the following: > > "/customers/custo

Re: context path version number with parallel deployment

2025-03-18 Thread Mark Thomas
Kind regards, Mark From: Mark Thomas Sent: 18 March 2025 9:35 To: users@tomcat.apache.org Subject: Re: context path version number with parallel deployment On 17/03/2025 18:43, Усманов Азат Анварович wrote: thanks a lot! I got it working. A quick follow

RE: context path version number with parallel deployment

2025-03-18 Thread Усманов Азат Анварович
like this: String webappVersion = (String)request.getServletContext().getAttribute("org.apache.catalina.webappVersion"); " From: Mark Thomas Sent: 18 March 2025 9:35 To: users@tomcat.apache.org Subject: Re: context path version number with par

Re: context path version number with parallel deployment

2025-03-17 Thread Mark Thomas
i/org/apache/catalina/Globals.html Where else would you like to see it? The where may change which steps are required to update the docs. Mark From: Christopher Schultz Sent: 17 March 2025 17:40 To: users@tomcat.apache.org Subject: Re: context path version n

Re: context path version number with parallel deployment

2025-03-17 Thread Michael Osipov
StandardWrapperValve.invoke Servlet.service() for > servlet [IndexServlet] with context path [/Education##23459] threw exception > [org.opensaml.common.SAMLException: Assertion is not conformed with > notOnOrAfter condition] with root cause > > I know if such property exists

RE: context path version number with parallel deployment

2025-03-17 Thread Усманов Азат Анварович
а: Re: context path version number with parallel deployment Азат, On 3/17/25 8:53 AM, Усманов Азат Анварович wrote: > Hi everyone! is it possible to display current version number in a jsp page > or servlet when using parallel deployment . using some property. >Currently when building an

Re: context path version number with parallel deployment

2025-03-17 Thread Christopher Schultz
] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [IndexServlet] with context path [/Education##23459] threw exception [org.opensaml.common.SAMLException: Assertion is not conformed with notOnOrAfter condition] with root cause I know if such property exists its probably a

context path version number with parallel deployment

2025-03-17 Thread Усманов Азат Анварович
() for servlet [IndexServlet] with context path [/Education##23459] threw exception [org.opensaml.common.SAMLException: Assertion is not conformed with notOnOrAfter condition] with root cause I know if such property exists its probably a tomcat one, not java, since parallel deployment is not a

Re: Trouble passing through backslash in URL path

2025-01-25 Thread James Matlik
> These are: Вау :)) > > > > LOL > > > > More extraordinary are: ЩЖЦЪ > I guess :) > > > > -chris > > > > [1] https://www.compart.com/en/unicode/U+00C8 > > [2] https://www.compart.com/en/unicode/U+0450 > > [3] https://www.compart

Re: Trouble passing through backslash in URL path

2025-01-24 Thread Maxim Solodovnik
rt.com/en/unicode/U+00C8 > [2] https://www.compart.com/en/unicode/U+0450 > [3] https://www.compart.com/en/unicode/U+04FF > > > > > - Chinese and Japanese characters are 3 bytes: 中さ > >> - emoji characters are 4 bytes: 😀 > >> > >> A client can reque

Re: Trouble passing through backslash in URL path

2025-01-24 Thread Christopher Schultz
request a URL path with the following: "/customers/customer/%C3%80%C3%8B%C3%8C%C3%91%C3%A0%C3%AB%C3%AD%C3%B1%C3%B8%C3%BC%20%2F%20%5C%20%D0%80%D3%BF%20%E4%B8%AD%E3%81%95%20%F0%9F%98%80%20customer" Then Tomcat processes the URL to the following and passes it into the servlet. "

Re: Trouble passing through backslash in URL path

2025-01-24 Thread Mark Thomas
a URL - Cyrillic characters are 2 bytes: Ѐӿ - Chinese and Japanese characters are 3 bytes: 中さ - emoji characters are 4 bytes: 😀 A client can request a URL path with the following: "/customers/customer/%C3%80%C3%8B%C3%8C%C3%91%C3%A0%C3%AB%C3%AD%C3%B1%C3%B8%C3%BC%20%2F%20%5C%20%D0%80%D3%BF%2

Re: Trouble passing through backslash in URL path

2025-01-23 Thread Maxim Solodovnik
slash characters are ASCII, but are encoded due to special > meaning in a URL > - Cyrillic characters are 2 bytes: Ѐӿ > These two are not Cyrillic :)) These are: Вау :)) - Chinese and Japanese characters are 3 bytes: 中さ > - emoji characters are 4 bytes: 😀 > > A clie

Re: Trouble passing through backslash in URL path

2025-01-23 Thread James Matlik
s: Ѐӿ - Chinese and Japanese characters are 3 bytes: 中さ - emoji characters are 4 bytes: 😀 A client can request a URL path with the following: "/customers/customer/%C3%80%C3%8B%C3%8C%C3%91%C3%A0%C3%AB%C3%AD%C3%B1%C3%B8%C3%BC%20%2F%20%5C%20%D0%80%D3%BF%20%E4%B8%AD%E3%81%95%20%F0%9F%98%80%20custo

Re: Trouble passing through backslash in URL path

2025-01-23 Thread Mark Thomas
is gets implemented? Mark Thanks, James On Fri, Jan 17, 2025, 10:00 AM Christopher Schultz < ch...@christopherschultz.net> wrote: James, On 1/17/25 8:04 AM, James Matlik wrote: When I'm talking about path parameters, it is in the context of how Open API/Swagger defined them: https://swa

Re: Trouble passing through backslash in URL path

2025-01-22 Thread Mark Thomas
this. It would have to be a custom Tomcat build. Are you able to test some snapshot builds if this gets implemented? Mark Thanks, James On Fri, Jan 17, 2025, 10:00 AM Christopher Schultz < ch...@christopherschultz.net> wrote: James, On 1/17/25 8:04 AM, James Matlik wrote: When I

Re: Trouble passing through backslash in URL path

2025-01-21 Thread James Matlik
if I'm better off working around the core functionality, would you > >> have > >>> any suggestions on how? I see the UDecoder recently changed to support > >>> encoded % characters. I considered using a double encoded \ hack to > >>> effectively pass

Re: Trouble passing through backslash in URL path

2025-01-21 Thread Mark Thomas
7/25 8:04 AM, James Matlik wrote: When I'm talking about path parameters, it is in the context of how Open API/Swagger defined them: https://swagger.io/docs/specification/v3_0/describing-parameters/ Okay, that helps clear things up. In the URL specification (inherited by HTTP) defines t

Re: Trouble passing through backslash in URL path

2025-01-21 Thread James Matlik
> > side isn't feasible. > > > > Ideally, I wouldn't need to maintain a custom build of Tomcat > indefinitely. > > There isn't an easy (or any) extension point to implement this. It would > have to be a custom Tomcat build. > > Are you able to te

Re: Trouble passing through backslash in URL path

2025-01-21 Thread Mark Thomas
r Schultz < ch...@christopherschultz.net> wrote: James, On 1/17/25 8:04 AM, James Matlik wrote: When I'm talking about path parameters, it is in the context of how Open API/Swagger defined them: https://swagger.io/docs/specification/v3_0/describing-parameters/ Okay, that helps clea

Re: Trouble passing through backslash in URL path

2025-01-18 Thread James Matlik
Ideally, I wouldn't need to maintain a custom build of Tomcat indefinitely. Thanks, James On Fri, Jan 17, 2025, 10:00 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > James, > > On 1/17/25 8:04 AM, James Matlik wrote: > > When I'm talking about path p

Re: Trouble passing through backslash in URL path

2025-01-17 Thread Christopher Schultz
James, On 1/17/25 8:04 AM, James Matlik wrote: When I'm talking about path parameters, it is in the context of how Open API/Swagger defined them: https://swagger.io/docs/specification/v3_0/describing-parameters/ Okay, that helps clear things up. In the URL specification (inherited by

Re: Trouble passing through backslash in URL path

2025-01-17 Thread James Matlik
Mark, When I'm talking about path parameters, it is in the context of how Open API/Swagger defined them: https://swagger.io/docs/specification/v3_0/describing-parameters/ The OS is AWS Linux running in a Docker container. On Fri, Jan 17, 2025, 3:52 AM Mark Thomas wrote: > James, >

Re: Trouble passing through backslash in URL path

2025-01-17 Thread Mark Thomas
James, A comment and a question. You are talking about the servlet path here. Path parameters are something different (.../path-segment;path-param-name=path-param-value/...) Which operating system are you using? Mark 16 Jan 2025 15:38:50 James Matlik : Thank you for responding, Chris

Re: Trouble passing through backslash in URL path

2025-01-16 Thread James Matlik
est.getServletPath()` it returns "/group/(ON/QC) LOCAL". This splits the path parameter in 2, causing my application to return a 404. I would prefer the behavior be similar to the '/' when encodedSolidusHandling PASS_THROUGH config is set, so calling `request.getServletPath()

Re: Trouble passing through backslash in URL path

2025-01-15 Thread Christopher Schultz
James, On 1/15/25 2:39 PM, James Matlik wrote: I have an API that needs Tomcat to accept both the escaped forward slash '/' (%2F) and escaped backslash '\' (%5C) and pass them through to the servlet (Spring application). This need exists to support path parameters with

Trouble passing through backslash in URL path

2025-01-15 Thread James Matlik
I have an API that needs Tomcat to accept both the escaped forward slash '/' (%2F) and escaped backslash '\' (%5C) and pass them through to the servlet (Spring application). This need exists to support path parameters with special URL relevant characters. I've been abl

Re: Disabling OPTIONS HTTP method with * path

2024-05-01 Thread Mark Thomas
On 30/04/2024 19:56, Oleg Frenkel wrote: This issue exists in 9.0.88 and 10.1.23. I am looking to disable the following HTTP request (note 'OPTIONS *' in the request): Why? Please confirm if this is a bug in Tomcat or if I am missing something in Tomcat configuration. Neither. Tomcat is

Re: [EXTERNAL] Disabling OPTIONS HTTP method with * path

2024-04-30 Thread Joey Cochran
From: Oleg Frenkel Sent: Tuesday, April 30, 2024 1:56 PM To: users@tomcat.apache.org Subject: [EXTERNAL] Disabling OPTIONS HTTP method with * path This issue exists in 9.0.88 and 10.1.23. I am looking to disable the following HTTP request (note 'OPTIONS *' in the request):

Disabling OPTIONS HTTP method with * path

2024-04-30 Thread Oleg Frenkel
The following configuration doesn't work either: Available HTTP methods /* GET POST The above section properly disables OPTIONS request to '/' path, but not to '*

Re: java.lang.IllegalStateException: Unable to find match between the canonical context path

2023-04-10 Thread Mark Thomas
error . java.lang.IllegalStateException: Unable to find match between the canonical context path [/servicename] and the URI presented by the user agent [_visitor=...] at org.apache.catalina.connector.Request.getContextPath(Request.java:2152) at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacad

java.lang.IllegalStateException: Unable to find match between the canonical context path

2023-04-09 Thread Chandru Mariraj
en the canonical context path [/servicename] and the URI presented by the user agent [_visitor=...] at org.apache.catalina.connector.Request.getContextPath(Request.java:2152) at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacade.java:7

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-26 Thread Nils Breunese
Christopher Schultz wrote: >> Well yeah, it’s not like Envoy is a super niche proxy. We also found >> the exact same issue in two other proxies in our network by the way. >> Any proxy that does not consider path parameters when doing >> path-based access control w

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Christopher Schultz
t;>>> - Envoy allows the request based on the /v1/* rule, because it >>>>> does not support path parameters, because they are not part of >>>>> any recent standard (RFC 2396 dropped them in 1998 [1]) >>>> >>>> Envoy does support path par

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Christopher Schultz
Mark, On 9/24/20 12:41, Mark Thomas wrote: > On 24/09/2020 17:28, Christopher Schultz wrote: > > > >> Tomcat will only use path parameters in the final segment of a URL e.g. >> https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search > > Not qui

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Nils Breunese
Christopher Schultz wrote: > On 9/24/20 07:46, Nils Breunese wrote: >> Mark Thomas wrote: >> >>> On 24/09/2020 11:02, Nils Breunese wrote: >>> >>> >>> >>>> - Envoy allows the request based on the /v1/* rule, because it >

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Mark Thomas
On 24/09/2020 17:28, Christopher Schultz wrote: > Tomcat will only use path parameters in the final segment of a URL e.g. > https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search Not quite. Tomcat will only *add* the jsessionid at the end but it will accept it on any s

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Christopher Schultz
Nils, On 9/24/20 07:46, Nils Breunese wrote: > Mark Thomas wrote: > >> On 24/09/2020 11:02, Nils Breunese wrote: >> >> >> >>> - Envoy allows the request based on the /v1/* rule, because it >>> does not support path parameters, because they a

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Nils Breunese
Mark Thomas wrote: > On 24/09/2020 11:02, Nils Breunese wrote: > > > >> - Envoy allows the request based on the /v1/* rule, because it does not >> support path parameters, because they are not part of any recent standard >> (RFC 2396 dropped them in 1998 [1]

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Nils Breunese
whatever is necessary in your application. We have hundreds of applications running on Tomcat and path-based access control is currently handled outside Tomcat by Istio’s RBAC in the cloud. It appears that this is not a great match then. > Please use secur...@tomcat.apache.org for reporting (pos

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Nils Breunese
Julian Reschke wrote: > On 24.09.2020 at 12:02, Nils Breunese wrote: >> Hello, >> >> I recently learned that when a server that supports path parameters [0] — >> like Tomcat (I found Jetty also does) — is run behind a reverse proxy that >> does path-based a

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Julian Reschke
On 24.09.2020 at 12:02, Nils Breunese wrote: Hello, I recently learned that when a server that supports path parameters [0] — like Tomcat (I found Jetty also does) — is run behind a reverse proxy that does path-based access control checks and does not support path parameters, your combined

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Mark Thomas
On 24/09/2020 11:02, Nils Breunese wrote: > - Envoy allows the request based on the /v1/* rule, because it does not > support path parameters, because they are not part of any recent standard > (RFC 2396 dropped them in 1998 [1]) Envoy does support path parameters and is correctly

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Martin Grigorov
On Thu, Sep 24, 2020 at 2:11 PM Martin Grigorov wrote: > Hi, > > On Thu, Sep 24, 2020 at 1:02 PM Nils Breunese wrote: > >> Hello, >> >> I recently learned that when a server that supports path parameters [0] — >> like Tomcat (I found Jetty also does) — is run

Re: Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Martin Grigorov
Hi, On Thu, Sep 24, 2020 at 1:02 PM Nils Breunese wrote: > Hello, > > I recently learned that when a server that supports path parameters [0] — > like Tomcat (I found Jetty also does) — is run behind a reverse proxy that > does path-based access control checks and does n

Tomcat's support for path parameters can expose resources despite reverse proxy access restrictions

2020-09-24 Thread Nils Breunese
Hello, I recently learned that when a server that supports path parameters [0] — like Tomcat (I found Jetty also does) — is run behind a reverse proxy that does path-based access control checks and does not support path parameters, your combined setup could be vulnerable. Consider this setup

Re: Manager save text command bug giving path parameter

2020-04-21 Thread Mark Thomas
On 20/04/2020 20:25, Mark Thomas wrote: > On 19/04/2020 18:34, Arnaud Yahoo wrote: >> Hello, >> >> following >> https://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html#Save_Configuration >> documentation, >> >> calling save with path paramete

Re: Manager save text command bug giving path parameter

2020-04-20 Thread Mark Thomas
On 19/04/2020 18:34, Arnaud Yahoo wrote: > Hello, > > following > https://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html#Save_Configuration > documentation, > > calling save with path parameter is failing giving following error: > *FAIL

Manager save text command bug giving path parameter

2020-04-19 Thread Arnaud Yahoo
Hello, following https://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html#Save_Configuration documentation, calling save with path parameter is failing giving following error: *FAIL - Encountered exception [javax.management.MBeanException: Cannot find operation store] * looking at

Re: Role/Path Based Access Valve?

2020-03-03 Thread Richard Monson-Haefel
was looking for a valve that could do the same thing, and > >>>> here is the reason: > >>>> > >>>> If I, as the Tomcat admin, want to manage access permissions > >>>> (authorization) I can use the /tomcat/conf/web.xml file. > >>>

Re: Role/Path Based Access Valve?

2020-03-03 Thread Christopher Schultz
>>>> (authorization) I can use the /tomcat/conf/web.xml file. >>>> However, this file is overridden by matching elements in an >>>> individual WAR. > > This will never work. If conf/web.xml is even allowed to set > (and I'm not sure either way

Re: Role/Path Based Access Valve?

2020-03-03 Thread Richard Monson-Haefel
Ok. That makes sense. Thanks again, Mark. On Tue, Mar 3, 2020 at 8:18 AM Mark Thomas wrote: > On 03/03/2020 13:50, Christopher Schultz wrote: > > Richard, > > > > On 3/3/20 08:26, Richard Monson-Haefel wrote: > >> Thank you, Mark. I was actually aware of how to do it using the > >> web.xml. > >

Re: Role/Path Based Access Valve?

2020-03-03 Thread Mark Thomas
On 03/03/2020 13:50, Christopher Schultz wrote: > Richard, > > On 3/3/20 08:26, Richard Monson-Haefel wrote: >> Thank you, Mark. I was actually aware of how to do it using the >> web.xml. > >> I was looking for a valve that could do the same thing, and here is >> the reason: > >> If I, as the T

Re: Role/Path Based Access Valve?

2020-03-03 Thread Richard Monson-Haefel
> relative to every web application and not relative to the server's > root. IT would be very difficult to manage this in the way you describe. > > > So If I say on the tomcat web.xml that only Bill and Ted have > > access to path A, but an individual WAR's web.xml say

Re: Role/Path Based Access Valve?

2020-03-03 Thread Christopher Schultz
they would be relative to every web application and not relative to the server's root. IT would be very difficult to manage this in the way you describe. > So If I say on the tomcat web.xml that only Bill and Ted have > access to path A, but an individual WAR's web.xml says th

Re: Role/Path Based Access Valve?

2020-03-03 Thread Richard Monson-Haefel
overridden by matching elements in an individual WAR. So If I say on the tomcat web.xml that only Bill and Ted have access to path A, but an individual WAR's web.xml says that Everyone has access to Path A, then the WAR web.xml wins, right? If I use a valve I can short-circuit the process befo

Re: Role/Path Based Access Valve?

2020-03-03 Thread Mark Thomas
On 03/03/2020 12:27, Richard Monson-Haefel wrote: > I've tried to find this but keep running into the three remote address > valves (address, IP, and CIDR) what I'm looking for is an access valve that > uses roles from a realm that checks roles to either path or web application

Role/Path Based Access Valve?

2020-03-03 Thread Richard Monson-Haefel
I've tried to find this but keep running into the three remote address valves (address, IP, and CIDR) what I'm looking for is an access valve that uses roles from a realm that checks roles to either path or web application identifiers - not remote address. This is classic authorizat

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2020-01-05 Thread Pattavee Sanchol
Dear Chris, Thank you so much for your suggestion. Now I can solve this problem, cause is the request url path with special characters were handled by web application framework. But my application framework's configuration not apply for special characters in url. So it return default page wi

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2020-01-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Pattavee, On 1/1/20 22:55, Pattavee Sanchol wrote: > Dear Chris, > > I follow your suggestion, change my app to ROOT but request with > special characters on url path still response with no HSTS header. > detail on e.g. below

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2020-01-01 Thread Pattavee Sanchol
Dear Chris, I follow your suggestion, change my app to ROOT but request with special characters on url path still response with no HSTS header. detail on e.g. below [sys01@webgateway ~]$ curl -I -k "https://192.168.136.3:8443"; HTTP/1.1 200 Strict-Transport-Security: max-ag

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2019-12-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Pattavee, On 12/26/19 05:22, Pattavee Sanchol wrote: > Dear support team > > I config tomcat server to enabled HSTS some request URI path not > response with Secure heading > > The configuration illustrated below > >

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2019-12-26 Thread Pattavee Sanchol
S header on some request such as http://192.168.1.1/%20 or http://192.168.1.1/%3e I think url pattern /* is not apply to request with special characters on path. httpHeaderSecurity /* REQUEST Regards. *ปฐวี สรรค์ชลPattavee SANCHOL* * <http://www.thaidigitalid.com&

Re: HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2019-12-26 Thread Olaf Kock
On 26.12.19 11:22, Pattavee Sanchol wrote: > Dear support team > > I config tomcat server to enabled HSTS some request URI path not > response with Secure heading > > ... > > > I some request URI such as http://192.168.1.1/%20 is not response with > security

HSTS not apply to some request URI path on tomcat 8.5.9 Centos 7

2019-12-26 Thread Pattavee Sanchol
Dear support team I config tomcat server to enabled HSTS some request URI path not response with Secure heading The configuration illustrated below httpHeaderSecurity org.apache.catalina.filters.HttpHeaderSecurityFilter true hstsEnabled true

Re: override context path for manager application

2019-12-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 12/4/19 17:32, Konstantin Kolinko wrote: > Thu, 5 Dec 2019 at 01:20, Guild, Jason A (DOT) > : >> >> Hi all: >> >> The context path of the Tomcat manager application is "/manager" >&

Re: override context path for manager application

2019-12-04 Thread Guild, Jason A (DOT)
Konstantin: Thank you for your point #1 below! When I remove "path" attribute entirely from my override configuration and save it as "dev9#manager.xml" then I get exactly the result I want. However, I did not need to move the manager application from the "${catalina.ho

Re: override context path for manager application

2019-12-04 Thread Konstantin Kolinko
Thu, 5 Dec 2019 at 01:20, Guild, Jason A (DOT) : > > Hi all: > > The context path of the Tomcat manager application is "/manager" by default > [0]. > I am trying to change this context path from the default using an override > configuration. > > I am doin

override context path for manager application

2019-12-04 Thread Guild, Jason A (DOT)
Hi all: The context path of the Tomcat manager application is "/manager" by default [0]. I am trying to change this context path from the default using an override configuration. I am doing the typical creation of a container using makebase.sh and setting CATALINA_BASE before starti

Re: Tomcat Loader putting my modules to module-path as unnamed module

2019-11-12 Thread Nedim Kulovac
t is custom class loading done modular > or > > old style, he recommended putting > > System.out.println(SomeClass.class.getModule()); somewhere in code in the > > module. I did it and as a result, I got printed out 'unnamed module > > @595b34e5'. So the big ques

Re: Tomcat Loader putting my modules to module-path as unnamed module

2019-11-12 Thread Mark Thomas
e. I did it and as a result, I got printed out 'unnamed module > @595b34e5'. So the big question is: why is this happening and how can I > resolve this? I want Tomcat to put my modules to module path normally, not > as an unnamed module. You can't. The Servlet API (nor an

Tomcat Loader putting my modules to module-path as unnamed module

2019-11-12 Thread Nedim Kulovac
tion is: why is this happening and how can I resolve this? I want Tomcat to put my modules to module path normally, not as an unnamed module.

Re: Use relative path in Java code hosted in tomcat server.

2019-09-20 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Kaushal, On 9/19/19 13:06, Kaushal Shriyan wrote: > I am adding the below absolute path in java code and compiled in a > war file and uploaded in tomcat 9.0.24 servlet/jsp container. > > file=createPDF("/opt/tomcat9/weba

Re: Path parameters with RewriteValve

2019-09-19 Thread Mark Thomas
> For curiosity, what is the non-spec API to obtain path parameters? It only gets a value for a name. It doesn't provide access to which segment, it doesn't handle multiple instances of the same parameter, etc. http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/Request.html

Use relative path in Java code hosted in tomcat server.

2019-09-19 Thread Kaushal Shriyan
Hi, I am adding the below absolute path in java code and compiled in a war file and uploaded in tomcat 9.0.24 servlet/jsp container. file=createPDF("/opt/tomcat9/webapps/statementspdf/"+accountId+statementId+".pdf", > statementsEntityATOS); Is there a way to use r

Re: Path parameters with RewriteValve

2019-09-17 Thread Alain Sellerin
On Mon, Sep 16, 2019 at 1:49 PM Mark Thomas wrote: > > > Alain, > > On 9/13/19 13:37, Alain Sellerin wrote: > >>>> Tomcat version: 8.5 OS: Win10, Linux > > > > >>>> I'm facing an issue with an application that is using path > >>

Re: Path parameters with RewriteValve

2019-09-16 Thread Mark Thomas
> Alain, > On 9/13/19 13:37, Alain Sellerin wrote: >>>> Tomcat version: 8.5 OS: Win10, Linux >>>> I'm facing an issue with an application that is using path >>>> parameters in conjunction with a RewriteValve. >>>> If the request

Re: Path parameters with RewriteValve

2019-09-14 Thread Alain Sellerin
On Sat, Sep 14, 2019 at 5:42 PM Christopher Schultz wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Alain, > > On 9/13/19 13:37, Alain Sellerin wrote: > > Tomcat version: 8.5 OS: Win10, Linux > > > > Hi, > > > > I'

Re: Path parameters with RewriteValve

2019-09-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alain, On 9/13/19 13:37, Alain Sellerin wrote: > Tomcat version: 8.5 OS: Win10, Linux > > Hi, > > I'm facing an issue with an application that is using path > parameters in conjunction with a RewriteValve. > > I

Path parameters with RewriteValve

2019-09-13 Thread Alain Sellerin
Tomcat version: 8.5 OS: Win10, Linux Hi, I'm facing an issue with an application that is using path parameters in conjunction with a RewriteValve. I narrowed down the problem by using the sample application available here: https://tomcat.apache.org/tomcat-8.5-doc/appdev/sample/ Co

Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Garret Wilson
On 2/5/2019 1:15 PM, Mark Thomas wrote: … Migratation to git has been in planning for a while. We are pretty much ready to pull the trigger. It is largely waiting for someone to have the time to do it when there aren't other more urgent things to be dealt with. I'd expect it to happen in the next

Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Mark Thomas
On 05/02/2019 14:51, Garret Wilson wrote: > On 2/3/2019 9:34 PM, Mark Thomas wrote: >> >>>   * If this setting is still needed in some cases, is there any way to >>>     control it without resorting to a system property? (System >>>     properties are not very flexible, and Tomcat has many layers o

Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Christopher Schultz
lot of us like them.) So you're > saying that to request information for the resource > https://example.info/foobar, I would send a GET request to: > > https://example.com/https%3A//example.info/foobar/description > > That raises all sorts of questions, such as > > *

Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Garret Wilson
On 2/3/2019 9:34 PM, Mark Thomas wrote:  * If this setting is still needed in some cases, is there any way to    control it without resorting to a system property? (System    properties are not very flexible, and Tomcat has many layers of more    manipulable settings, as you all would know

Re: latest situation with escaped path delimiters in URI

2019-02-04 Thread Garret Wilson
double slash is OK? Really!?? * Is there any RESTful API framework on the planet that would realize the URI path "/https%3A//example.info/foobar/description" matched "{thingURI}/description"? So if I'm using JAX-RS with a @Path("{thingURI}/description")

Re: latest situation with escaped path delimiters in URI

2019-02-04 Thread Christopher Schultz
Garret, On 2/3/19 16:20, Garret Wilson wrote: > If we want to look up the thing identified by > https://example.info/foobar, we would need to issue a request to > https://example.com/https%3A%2F%2Fexample.info%2Ffoobar/description Why > are you

Re: latest situation with escaped path delimiters in URI

2019-02-04 Thread Rainer Jung
Am 03.02.2019 um 22:20 schrieb Garret Wilson: Hi, all. I've stumbled on a situation I need some clarity on. As is typical, there's all sorts of information floating around, most of it more than a decade old, with no indication of what the current status is. Our team is creating a RESTful API (

Re: latest situation with escaped path delimiters in URI

2019-02-04 Thread Mark Thomas
er decoded or "raw" APIs should be returned from > the various API methods. But I guess the issue here is /not/ whether > JAX-RS should interpret a path segment as decoded or encoded. The issue > is whether Tomcat has already fiddled with the URI itself to /change > what consti

Re: latest situation with escaped path delimiters in URI

2019-02-03 Thread Garret Wilson
methods. But I guess the issue here is /not/ whether JAX-RS should interpret a path segment as decoded or encoded. The issue is whether Tomcat has already fiddled with the URI itself to /change what constitutes the path segment/. Unless an EE specification says to muck around with the URI lik

Re: latest situation with escaped path delimiters in URI

2019-02-03 Thread Mark Thomas
On 03/02/2019 21:20, Garret Wilson wrote: > Hi, all. I've stumbled on a situation I need some clarity on. As is > typical, there's all sorts of information floating around, most of it > more than a decade old, with no indication of what the current status is. > > Our team is creating a RESTful API

latest situation with escaped path delimiters in URI

2019-02-03 Thread Garret Wilson
Hi, all. I've stumbled on a situation I need some clarity on. As is typical, there's all sorts of information floating around, most of it more than a decade old, with no indication of what the current status is. Our team is creating a RESTful API (using JAX-RS implemented by RESTEasy) to a gen

[SECURITY] CVE-2018-11759 Apache Tomcat JK (mod_jk) Connector path traversal

2018-10-31 Thread Mark Thomas
CVE-2018-11759 Apache Tomcat JK (mod_jk) Connector path traversal Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat JK mod_jk Connector 1.2.0 to 1.2.44 Description: The Apache Web Server (httpd) specific code that normalised the requested path

Re: tomcat-embed-core-8.5.29 Http11NioProtocol stopped accepting protocol as part of keystore file path

2018-04-24 Thread Mark Thomas
On 23/04/18 14:10, Maksym Mazur wrote: > Hi everyone > > TL;DR > After upgrade from tomcat 8.5.23 to 8.5.29 Http11NioProtocol fails to > recognize "classpath" as protocol to load keystore file. > Using java 1.8.0_171, OS: Windows 10 Support for the classpath protocol is provided by Spring Boot.

tomcat-embed-core-8.5.29 Http11NioProtocol stopped accepting protocol as part of keystore file path

2018-04-23 Thread Maksym Mazur
Hi everyone TL;DR After upgrade from tomcat 8.5.23 to 8.5.29 Http11NioProtocol fails to recognize "classpath" as protocol to load keystore file. Using java 1.8.0_171, OS: Windows 10 In my project I used Spring Boot 2.0.0.M7 which has tomcat-embed-core-8.5.23 dependency. I have code to read keyst

[SECURITY] CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal

2018-03-12 Thread Mark Thomas
CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 Description The IIS/ISAPI specific code that normalised the requested path before matching it to the

Re: jsessionid path parameter: Is this compliant with the Servlet 3.0 spec?

2018-02-05 Thread Mark Thomas
fterward that it took some > time to figure out the connection. As I said, the Tomcat behaviour here is arguable. I can see a case for the path parameter being either JSESSIONID or jsessionid in this case. My only reason for leaning towards JSESSIONID is maintaining the status quo. Experience sugges

Re: jsessionid path parameter: Is this compliant with the Servlet 3.0 spec?

2018-02-04 Thread Dave Glasser
Thanks, that is pretty clear and unambiguous, as is "The name of the parameter must be jsessionid." When the spec is in conflict with itself, I'm happy to consider Tomcat the reference implementation. The reason a session cookie name had to be specified in the first place was because we initiall
