Re: Corruption of files uploaded with Safari when Tomcat has HTTP/2 enabled

2025-07-20 Thread Clint Carrion
I found this bug report from someone else having similar problems: https://bz.apache.org/bugzilla/show_bug.cgi?id=63948 From the comments in that report, it looks like Safari is also tripping the abusive behavior detection. Rather than disabling it, by setting overheadDataThreshold=“2048” every

RE: Classloading has a long delay after idle period

2025-07-18 Thread Daniel Sheridan
>On 7/14/25 15:26, Gregg, John E wrote: >Daniel, > >I cannot access your flame graph on imgur, but what is happening in your code >that leads to the jar scanning? All of my apps have run on Linux since >forever, so I don’t know what might be different with Windows, but I’ve found >that anything

RE: Classloading has a long delay after idle period

2025-07-18 Thread Daniel Sheridan
>On 7/11/25 17:42, Christopher Schultz wrote: >Daniel, > >On 7/11/25 11:57 AM, Daniel Sheridan wrote: > > > > [snip] > > >> Correct, almost the entire delay is during the JAR scanning when the >> files are being accessed. >> >> We are using expanded-WAR deployment. > >Good. That fixes at least on

Re: Server Vulnerabilities for Apache Tomcat 9.0.0.M1 < 9.0.98

2025-07-17 Thread Christopher Schultz
Hassan, On 7/17/25 1:04 PM, Jacobs, Hassan wrote: I am reaching out in regards to multiple vulnerabilities that we have found in our servers with you all. Is there a representative that we could speak with? You're speaking to the whole community. The ASF does not provide support through any

Re: URL callback

2025-07-17 Thread Robert Turner
On Thu, Jul 17, 2025 at 1:53 PM Ragavendhiran Bhiman (rabhiman) wrote: > Hi All, > > The callback as given below RedirectToSlashFilter needs to be called when > both /admin or /admin/ is given in the URL. > > > > > > RedirectToSlashFilter > > > com.cisco.cpm.admin.infra.utils.RedirectToSlas

Re: Server Vulnerabilities for Apache Tomcat 9.0.0.M1 < 9.0.98

2025-07-17 Thread Robert Turner
If you haven't already, you should review: https://tomcat.apache.org/security-9.html Also consider migrating / upgrading to the most recent 9.0.x version. On Thu, Jul 17, 2025 at 1:05 PM Jacobs, Hassan wrote: > Greetings, > > > > I am reaching out in regards to multiple vulnerabilities that we

Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x

2025-07-16 Thread Coty Sutherland
hat. > LOL, same. > > -chris > > > From: Christopher Schultz > > Date: Monday, 14 July 2025 at 19:34 > > To: users@tomcat.apache.org > > Subject: Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and > 11.x > > Bharath, > > > >

Re: POST parameters chopped

2025-07-16 Thread Hrvoje Lončar
Hi Christopher! Just to inform you about Tomcat 11 behaviour regarding my issues with POST parameters - so far it didn't happen, starting from 2025-07-11 until now. That is not a guarantee it won't happen ever but at least I was free of exceptions for 6 days. BR, Hrvoje On Mon, Jul 14, 2025 at 2:

Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x

2025-07-15 Thread Christopher Schultz
appreciated. If Red Hat drops support for Apache httpd, I'll eat my (red) hat. -chris From: Christopher Schultz Date: Monday, 14 July 2025 at 19:34 To: users@tomcat.apache.org Subject: Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x Bharath, On 7/14/25 9:17 AM, Cheruku

Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x

2025-07-15 Thread Cheruku, B.R. (Bharath)
: users@tomcat.apache.org Subject: Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x Bharath, On 7/14/25 9:17 AM, Cheruku, B.R. (Bharath) wrote: > I would like to ask if anyone in the community has experience running > Apache Tomcat versions 8.x, 9.x, 10.x, or 11.x on R

Re: RHEL 10 Compatibility for Apache Tomcat 8.x, 9.x, 10.x, and 11.x

2025-07-14 Thread Christopher Schultz
Bharath, On 7/14/25 9:17 AM, Cheruku, B.R. (Bharath) wrote: I would like to ask if anyone in the community has experience running Apache Tomcat versions 8.x, 9.x, 10.x, or 11.x on Red Hat Enterprise Linux 10 (RHEL 10). Are there any known issues, limitations, or recommendations for these ver

RE: Classloading has a long delay after idle period

2025-07-14 Thread Gregg, John E. via users
therefore no longer loaded from the system classloader. Unfortunately I don’t have anything in my notes about how large the caches are or when they might be flushed. Thanks From: Daniel Sheridan Sent: Friday, July 11, 2025 10:57 AM To: Tomcat Users List Subject: RE: Classloading has a long delay

Re: POST parameters chopped

2025-07-14 Thread Christopher Schultz
Hrvoje, On 7/11/25 7:51 PM, Hrvoje Lončar wrote: I did a bit radical step and upgraded to 11.0.9. Now waiting to see what happens. I'm interested to see what happens. My expectation is that it will behave exactly the same. The major differences between Tomcat 9, 10.1, and 11 are their suppo

Re: POST parameters chopped

2025-07-11 Thread Hrvoje Lončar
Hi Christopher! I did a bit radical step and upgraded to 11.0.9. Now waiting to see what happens. Thanks a lot for your time! On Thu, Jul 10, 2025 at 1:54 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Hrvoje, > > On 7/10/25 6:52 AM, Hrvoje Lončar wrote: > > Currently it's 10.

Re: Classloading has a long delay after idle period

2025-07-11 Thread Christopher Schultz
Daniel, On 7/11/25 11:57 AM, Daniel Sheridan wrote: > > [snip] > Correct, almost the entire delay is during the JAR scanning when the files are being accessed. We are using expanded-WAR deployment. Good. That fixes at least one known performance issue (scanning WAR files is inefficient regar

Re: [SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

2025-07-11 Thread Christopher Schultz
Mark, Oops, I'm sorry I didn't see this correction and just sent one of my own. :( -chris On 7/10/25 3:18 PM, Mark Thomas wrote: Correcting typo in fixed versions CVE-2025-52520 Apache Tomcat - DoS in multipart upload Severity: Low Vendor: The Apache Software Foundation Versions Affected:

RE: Classloading has a long delay after idle period

2025-07-11 Thread Daniel Sheridan
>On 7/8/25 16:32, Christopher Schultz wrote: >Daniel, > >On 7/8/25 11:15 AM, Daniel Sheridan wrote: >> On 7/2/25 10:22 AM, Daniel Sheridan wrote: >>> Hi folks, >>> >>> We're using Tomcat 10.1.40, but also seeing this issue with multiple Tomcat >>> 9 versions, running on Windows Server 2019 and Ser

Re: [EXTERNAL] [SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

2025-07-11 Thread Christopher Schultz
Joey, On 7/10/25 3:14 PM, Joey Cochran wrote: Is this accurate? Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.42 Mitigation: - Upgrade to Apache Tomcat 10.1.32 or later Nope, this should be "Upgrade to 10.1.43 or later". Thanks for noticing; we'll get this corrected anywhere it needs t

Re: [EXTERNAL] [SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

2025-07-10 Thread Joey Cochran
Mark, Is this accurate? Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.42 Mitigation: - Upgrade to Apache Tomcat 10.1.32 or later Thanks! -Joey Joey Cochran Systems Administrator II Middleware Developer Information Technology Di

Re: POST parameters chopped

2025-07-10 Thread Christopher Schultz
Hrvoje, On 7/10/25 6:52 AM, Hrvoje Lončar wrote: Currently it's 10.1.39 as I wanted to avoid 10.1.42 but I get the same unpredictable behaviour from both. Oh, that's interesting. Of course, upon your first report I had assumed it was the "maxPartCount" but then you posted your configuration w

Re: POST parameters chopped

2025-07-10 Thread Hrvoje Lončar
Hi! Currently it's 10.1.39 as I wanted to avoid 10.1.42 but I get the same unpredictable behaviour from both. I had 10.1.39 for some time before upgrading to 10.1.42 but no one reported that form is not working which is not a proof that it was working correctly. Thanks for your time! BR, Hrvoje.

Re: Content negotiation for Accept-Language (static pages)?

2025-07-09 Thread Christopher Schultz
Fab, On 7/9/25 2:27 PM, Fab Stz wrote: Le mercredi 9 juillet 2025, 16:20:56 CEST Christopher Schultz a écrit : Fab, On 7/9/25 9:12 AM, Fab Stz wrote: I'm packaging upstream software (css-validator) for Debian so your suggestions won't really fit to ship a package working out of the box. Real

Re: I have some Java Version Confusion

2025-07-09 Thread Christopher Schultz
Alan, On 7/9/25 1:04 PM, Alan Masters wrote: I have successfully developed a WAR file with Eclipse Version: 2024-06 (4.32.0) which has JRE System Library Java SE-17 and tested using Tomcat 9.0.91 as a local host on Windows 11. I had started work on this around a year ago and do not recall

Re: POST parameters chopped

2025-07-09 Thread Christopher Schultz
Hrvoje, On 7/9/25 1:04 PM, Hrvoje Lončar wrote: This is the form: https://thevegcat.com/suggest 13 fields are visible plus file field and few are hidden fields including csrf token - nothing special or extreme. Web app is published 6 years ago and all those years there was no trouble at all.

Re: Content negotiation for Accept-Language (static pages)?

2025-07-09 Thread Fab Stz
Le mercredi 9 juillet 2025, 16:20:56 CEST Christopher Schultz a écrit : > Fab, > > On 7/9/25 9:12 AM, Fab Stz wrote: > > I'm packaging upstream software (css-validator) for Debian so your > > suggestions won't really fit to ship a package working out of the > > box. > Really? How is your css valid

Re: POST parameters chopped

2025-07-09 Thread Hrvoje Lončar
Hi! The problem is that sometimes it works and sometimes don't but with strictly the same data entered. BR, Hrvoje *TheVegCat.com * *VegCook.net * *horvoje.net * On Sun, 6 Jul 2025, 15:22 Martin Konicsek, wrote: > Hi, > maybe

Re: POST parameters chopped

2025-07-09 Thread Hrvoje Lončar
Hi! This is the form: https://thevegcat.com/suggest 13 fields are visible plus file field and few are hidden fields including csrf token - nothing special or extreme. Web app is published 6 years ago and all those years there was no trouble at all. BR, Hrvoje *TheVegCat.com

Re: Content negotiation for Accept-Language (static pages)?

2025-07-09 Thread Christopher Schultz
Fab, On 7/9/25 9:12 AM, Fab Stz wrote: I'm packaging upstream software (css-validator) for Debian so your suggestions won't really fit to ship a package working out of the box. Really? How is your css validator packaged? Is it a web application, or just a component of a web application? So I

Re: POST parameters chopped

2025-07-09 Thread Christopher Schultz
Hrvoje, On 7/6/25 7:33 AM, Hrvoje Lončar wrote: > After recent Tomcat security changes, my POST request are failing > but not all the time. The problem is that the same request sometimes > ends up with an error and sometimes not. > > Tomcat is 10.0.42 protected by nginx which handles SSL certific

Re: Content negotiation for Accept-Language (static pages)?

2025-07-09 Thread Fab Stz
Hello, Thank you for your reply. I'm packaging upstream software (css-validator) for Debian so your suggestions won't really fit to ship a package working out of the box. So I created a request on bugzilla. https://bz.apache.org/bugzilla/show_bug.cgi?id=69735 Regards Fab Le mardi 8 juillet 2

Re: Content negotiation for Accept-Language (static pages)?

2025-07-08 Thread Christopher Schultz
Fab, On 7/6/25 6:58 AM, Fab Stz wrote: Does tomcat support content negotiation like apache httpd does [1] for the Accept-Language header? No. How to configure this for a webapp context? You'll have to build this capability into your own web application. > Use case is *serving static pages

Re: Classloading has a long delay after idle period

2025-07-08 Thread Christopher Schultz
Daniel, On 7/8/25 11:15 AM, Daniel Sheridan wrote: On 7/2/25 10:22 AM, Daniel Sheridan wrote: Hi folks, We're using Tomcat 10.1.40, but also seeing this issue with multiple Tomcat 9 versions, running on Windows Server 2019 and Server 2022 machines. We're hosting a web app with a REST API, an

RE: Classloading has a long delay after idle period

2025-07-08 Thread Daniel Sheridan
On 7/2/25 10:22 AM, Daniel Sheridan wrote: > Hi folks, > > We're using Tomcat 10.1.40, but also seeing this issue with multiple Tomcat 9 > versions, running on Windows Server 2019 and Server 2022 machines. We're > hosting a web app with a REST API, and encounter delays on requests when they > h

Re: POST parameters chopped

2025-07-06 Thread Martin Konicsek
Hi, maybe nginx strips the header try proxy settings of nginx proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token; 06.07.2025 13:33:35 Hrvoje Lončar : > Hi! > > After recent Tomcat security changes, my POST request are failing but not > all the time. > The problem is that the same request somet

Re: Restricting POST request size in Tomcat

2025-07-04 Thread Martin Konicsek
Hi Perplexity  wrote The maxPostSize attribute only applies to requests where Tomcat parses form data (e.g., application/x-www-form-urlencoded). For raw POST bodies (like application/json), maxPostSize may not be enforced by default in all Tomcat versions. If you need to restrict POST size fo

Re: Apache Tomcat 10.1.42 Cache-Control header changed when added security-constraint with transport-guarantee CONFIDENTIAL

2025-07-04 Thread Mark Thomas
On 04/07/2025 06:37, Rolandas Karosas | Edrana Baltic wrote: Different value for securePagesWithPragma on the authenticator for the two system being tested? No. authenticator is not used at all. Yes, it is. There are security constraints so there will be an authenticator even if it is the

Re: Apache Tomcat 10.1.42 Cache-Control header changed when added security-constraint with transport-guarantee CONFIDENTIAL

2025-07-03 Thread Rolandas Karosas | Edrana Baltic
> Different value for securePagesWithPragma on the authenticator for the > two system being tested? No. authenticator is not used at all.

Re: Apache Tomcat 10.1.42 Cache-Control header changed when added security-constraint with transport-guarantee CONFIDENTIAL

2025-07-03 Thread Mark Thomas
On 03/07/2025 11:18, Rolandas Karosas | Edrana Baltic wrote: Hi, On Apache Tomcat 10.1.42 with configured SSL Connector web application with Spring, Spring Security returns the configured Default Spring Security Cache Control HTTP Response Headers Cache-Control: no-cache, no-store, max-age=

Re: Classloading has a long delay after idle period

2025-07-02 Thread Christopher Schultz
Dan, On 7/2/25 10:22 AM, Daniel Sheridan wrote: Hi folks, We're using Tomcat 10.1.40, but also seeing this issue with multiple Tomcat 9 versions, running on Windows Server 2019 and Server 2022 machines. We're hosting a web app with a REST API, and encounter delays on requests when they hit o

RE: elasticsearch-7.17.13 jar file Download

2025-06-30 Thread Pramod Kumar Adhi
Hi Team, Anyone can guide me on the below. Thanks & Regards, Pramod Kumar Adhi |SAP Basis (o) +91 40 66294849 (m) +91- 9701117733 www.servicenow.com From: Pramod Kumar Adhi Sent: Monday, June 30, 2025 9:40 AM To: Tomcat Users List

Re: elasticsearch-7.17.13 jar file Download

2025-06-29 Thread Chuck Caldarale
> On 2025 Jun 29, at 23:10, Pramod Kumar Adhi > wrote: > > Hi Team, > > Could you share me the jar file for the elasticsearch-7.17.13 or higher. In a word, no. You’ll need to get that from the elastic.co web site - it is not part of the Tomcat distribution. - Chuck > C:\Program Files

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-06-26 Thread Rémy Maucherat
lThreads="true"/> > I still think using is redundant here, useVirtualThreads="true" is more than enough. Rémy > > > > Regards, > > Rose Mary > > > > From: Rémy Maucherat > Date: Thursday, 19 June 2025 at 8:22 PM > To: Tomcat Users List

RE: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-06-25 Thread Rose Mary P T
: [EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat Hi, On Tue, May 20, 2025 at 12:57 PM Rose Mary P T wrote: > > HI Mark, > > > Just a gentle reminder regarding my previous message. I’m following up to see > if there’s any update on this as its pending fo

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Christopher Schultz
Mark, On 6/25/25 9:58 AM, Mark Thomas wrote: On 25/06/2025 14:07, Mark Thomas wrote: I think I need to look at the rules for merging welcome resources. That might prompt some changes to the PR. At the moment, a is almost certain to match since it will likely be using extension mapping ma

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Mark Thomas
On 25/06/2025 14:07, Mark Thomas wrote: I think I need to look at the rules for merging welcome resources. That might prompt some changes to the PR. At the moment, a is almost certain to match since it will likely be using extension mapping making any welcome resources that follow unneces

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Mark Thomas
On 25/06/2025 09:17, Rémy Maucherat wrote: On Wed, Jun 25, 2025 at 9:19 AM Mark Thomas wrote: All, Servlet 6.2 intends to address a long standing (more than 10 years) issue with welcome files. Consider the following: - *.do is mapped to a servlet - welcome files are index.jsp, index.do The

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Mark Thomas
Tim, Thanks for looking at this. On 25/06/2025 13:55, Tim Funk wrote: This is a good cleanup. I have one question for confirmation, let's say we have this config: index.html index.do index.htm With -- request = /foo/ -- AND file exists of = /foo/index.htm Since index.htm exists, we'd process as /f

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Tim Funk
This is a good cleanup. I have one question for confirmation, let's say we have this config: index.html index.do index.htm With -- request = /foo/ -- AND file exists of = /foo/index.htm Since index.htm exists, we'd process as /foo/index.htm despite it being "3rd" in the welcome file list since welcome

Re: Servlet 6.2 / Tomcat 12 - Welcome files

2025-06-25 Thread Rémy Maucherat
On Wed, Jun 25, 2025 at 9:19 AM Mark Thomas wrote: > > All, > > Servlet 6.2 intends to address a long standing (more than 10 years) > issue with welcome files. Consider the following: > > - *.do is mapped to a servlet > - welcome files are index.jsp, index.do > > The intention is that the index.js

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-24 Thread Mark Thomas
On 24/06/2025 14:28, Hrvoje Lončar wrote: Thanks! 50 as default would be much better and I guess it will cover the most of cases. Just out of curiosity, does CSRF protection implemented helps with attack or it does not matter? On its own, CSRF protection won't help you here. However, CSRF prot

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-24 Thread Hrvoje Lončar
Thanks! 50 as default would be much better and I guess it will cover the most of cases. Just out of curiosity, does CSRF protection implemented helps with attack or it does not matter? On Mon, 23 Jun 2025, 09:02 Mark Thomas, wrote: > On 23/06/2025 01:17, Hrvoje Lončar wrote: > > If someone else

Re: SUSPICIOUS Re: Updating configTest to include shutdown port validation

2025-06-23 Thread Amit Pande
, June 22, 2025 3:30 PM To: users@tomcat.apache.org Subject: SUSPICIOUS Re: Updating configTest to include shutdown port validation Cohesity Security Advisory: Automated detections have identified this email as SUSPICIOUS for the following reasons: Message matched suspicious signature

Re: Need confirmation about CVE-2025-48988 impacting Tomcat 9.0.10x related to CVE-2025-48976.

2025-06-23 Thread Rémy Maucherat
Hi, On Mon, Jun 23, 2025 at 12:12 PM Charpe, Anil wrote: > > Hi, > It is about the CVE-2025-48988 mentioned in the email subject. > I have a question that- if we update the "Apache Commons FileUpload" jar to > the version which fixes the CVE-2025-48976; in that case, do we still need to > updat

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-23 Thread Mark Thomas
On 23/06/2025 01:17, Hrvoje Lončar wrote: If someone else has a problem with latest "security fix", here is a working solution to run your Spring Boot app directly from Eclipse STS without installing a Tomcat and deploying to it. Now you can submit forms the same way as you did before. You can fi

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-22 Thread Hrvoje Lončar
If someone else has a problem with latest "security fix", here is a working solution to run your Spring Boot app directly from Eclipse STS without installing a Tomcat and deploying to it. Now you can submit forms the same way as you did before. You can filter out my fix from production environment

Re: Updating configTest to include shutdown port validation

2025-06-22 Thread Christopher Schultz
on't cause the server to fail to start. So it doesn't cause the configtest to fail, either. -chris From: Mark Thomas Sent: Friday, June 20, 2025 2:58 AM To: users@tomcat.apache.org Subject: Re: Updating configTest to include shutdown port validatio

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-21 Thread Hrvoje Lončar
The actual problem now is my embedded Tomcat when I start my Spring Boot app from Eclipse STS: I get the same error, but I don't know where to configure Tomcat and where to add this new parameter. Anyone? On Fri, Jun 20, 2025 at 1:28 PM Maxim Solodovnik wrote: > from mobile (sorry for typos ;) >

Re: Updating configTest to include shutdown port validation

2025-06-20 Thread Amit Pande
To: users@tomcat.apache.org Subject: Re: Updating configTest to include shutdown port validation Cohesity Security Advisory: Automated detections have identified this email as SUSPICIOUS for the following reasons: Message matched bulk signature 'BULK.LUC.High' Message matched

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Maxim Solodovnik
from mobile (sorry for typos ;) On Fri, Jun 20, 2025, 18:16 Hrvoje Lončar wrote: > Well, I should say it was a weird way to fix it. > > For example, if you don't have a DoS attack AFAIK defaults should be set to the values preventing DoS Waiting for the DoS is not a good idea :) and you upg

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Hrvoje Lončar
Well, I should say it was a weird way to fix it. For example, if you don't have a DoS attack and you upgrade your Tomcat, that would be a big surprise as it was to me. Lucky me I have nice users that contacted me and told me some features of my web app stopped working. Moving to next minor release

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Mark Thomas
On 20/06/2025 11:54, Hrvoje Lončar wrote: Thank you very much Mark Thomas That was the case :( Absolutely weird to make such a major change in a minor release from NN.MM.39 to NN.MM.42 It was a response to a DoS security vulnerability. Feel free to add your views on what the defaults should be

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Hrvoje Lončar
Thank you very much Mark Thomas That was the case :( Absolutely weird to make such a major change in a minor release from NN.MM.39 to NN.MM.42 On Fri, Jun 20, 2025 at 10:01 AM Mark Thomas wrote: > On 20/06/2025 02:07, Hrvoje Lončar wrote: > > Hi! > > > > Hope it's the right place to ask for hel

Re: rewrite.config hot update?

2025-06-20 Thread Mark Thomas
B-INF/rewrite.config Then add WEB-INF/rewrite.config Thanks for trying to help. Unfortunately, I could not get that to work, either :-( You might want to check what you did. I've just re-tested this locally with a clean Tomcat install and it works. I added $CATALINA_BASE/webapps/ROO

Re: Updating configTest to include shutdown port validation

2025-06-20 Thread Mark Thomas
On 20/06/2025 01:18, Amit Pande wrote: Hello, I was testing out the "configtest" option of the catalina.sh/.bat and observed that does not do validation for the shutdown port. There are lots of things it doesn't explicitly test. Why is the shutdown port of particular interest? https://gi

Re: CSRF not working with 10.1.42 but it works with 10.1.39

2025-06-20 Thread Mark Thomas
On 20/06/2025 02:07, Hrvoje Lončar wrote: Hi! Hope it's the right place to ask for help or/and advice. Few days ago I switched to latest Tomcat 10.1.42. After deploy POST is not working due to missing CSRF token. When I inspect HTTP request, CSRF token is in a payload as "_csrf" and the value i

Re: Unexpected behavior of dead-simple servlet

2025-06-20 Thread Mark Thomas
On 19/06/2025 16:56, Christopher Schultz wrote: 2. Try remote debugging? I'd love to, but what am I looking for? If I had seen the "committed" flag set to "true" at some point, I would look for a value-change as a trigger to see what's causing it. I just commented-out everything in the F

Re: TLS 1.3 and post handshake authentication (PHA)

2025-06-19 Thread Amit Pande
Thank you Mark for the clarification. Thanks, Amit From: Mark Thomas Sent: Friday, June 13, 2025 12:57 PM To: users@tomcat.apache.org Subject: Re: TLS 1.3 and post handshake authentication (PHA) On 13/06/2025 18:26, Amit Pande wrote: > Hello, > > W

Re: Unexpected behavior of dead-simple servlet

2025-06-19 Thread Christopher Schultz
ore writing the Hello World, I checked to see if the response has been committed using HttpServletResponse.isCommitted() and the return value is /false/ O_O. I checked *after* the write and the response still says it is not committed. I was even able to call response.reset() after the write and th

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-06-19 Thread Rémy Maucherat
eturned the wrong value for NIO. This is fixed. Let us know if you find other problems. Rémy > Looking forward to your response > > Regards, > Rose Mary > > From: Rose Mary P T > Date: Tuesday, 20 May 2025 at 4:07 PM > To: Tomcat Users List > Subject: [EXTERNAL] RE: Mo

Re: Unexpected behavior of dead-simple servlet

2025-06-18 Thread Konstantin Kolinko
fore then. > > Before writing the Hello World, I checked to see if the response has > been committed using HttpServletResponse.isCommitted() and the return > value is /false/ O_O. > > I checked *after* the write and the response still says it is not committed. > > I was even

Re: Unexpected behavior of dead-simple servlet

2025-06-18 Thread Christopher Schultz
d. I was even able to call response.reset() after the write and then re-write the response to "Goodbye, World". No exceptions, etc. Is there something else I should be checking? -chris - To unsubscribe, e-mail: us

Re: Tomcat GC overhead limit issue version-9.0.102.

2025-06-18 Thread Mark Thomas
On 18/06/2025 15:11, Raviteja Karanam wrote: TCS Confidential Not any more it isn't. You posted this question to a public mailing list. Hi Tomcat Team, We have recently upgraded the tomcat version from apache-tomcat-9.0.80 to apache-tomcat-9.0.102. After upgrade we are facing the issue * 

Re: Unexpected behavior of dead-simple servlet

2025-06-18 Thread Christopher Schultz
Mark, On 6/18/25 3:08 AM, Mark Thomas wrote: On 17/06/2025 21:13, Christopher Schultz wrote: All, I recently wrote a relatively simple Servlet (which is less and less common these days with frameworks, etc.) and I was surprised that I got a chunked response. It's not interfering with the

Re: ThreadDump_p1lg512486.txt

2025-06-18 Thread Mark Thomas
On 17/06/2025 18:33, Ramesh B R wrote: Hello team, We are using tomcat 9 version in RHEL 8 and application gets into hung status very often. Have captured the thread dump to find the root cause. Could you please help here to see what is issue and how to fix it. For us to help, we need to s

Re: Unexpected behavior of dead-simple servlet

2025-06-18 Thread Mark Thomas
On 17/06/2025 21:13, Christopher Schultz wrote: All, I recently wrote a relatively simple Servlet (which is less and less common these days with frameworks, etc.) and I was surprised that I got a chunked response. It's not interfering with the operation of the servlet or the client, but w

Re: Problem after tomcat upgrade

2025-06-17 Thread Stephen Booth
On 17/06/2025 17:29, Mark Thomas wrote: In short, you'll probably need to increase maxPartCount Thanks, that's fixed it. Stephen == |epcc| Dr Stephen P Booth Principal Architect

Re: Problem after tomcat upgrade

2025-06-17 Thread Mark Thomas
See https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 In short, you'll probably need to increase maxPartCount Mark On 17/06/2025 16:45, Stephen Booth wrote: I just updated my production servers from 9.0.104 to 9.0.106 and this broke my registration form with the following exception. Stack

RE: [SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

2025-06-17 Thread Marco Krammer
[like] Marco Krammer reacted to your message: From: Mark Thomas Sent: Monday, June 16, 2025 1:59:33 PM To: Tomcat Users List Cc: annou...@apache.org ; annou...@tomcat.apache.org ; Tomcat Developers List Subject: [SECURITY] CVE-2025-49125 Apache Tomcat - Securit

Re: FileCountLimitExceededException with 10.1.42 / 11.0.8

2025-06-16 Thread Fabian Hahn
Hi Mark, Thank you for your reply. For use-cases where we might not have (easy) access to the Tomcat-server config in the run environment: Is there a way to access the Connector object, or a different solution inside the Servlet to raise this limit to circumvent possible problems when up

Re: FileCountLimitExceededException with 10.1.42 / 11.0.8

2025-06-15 Thread Mark Thomas
On 14/06/2025 07:37, Fabian Hahn wrote: An easy way to increase the number of form input-fields past 10 for a multipart request in Tomcat 11.0.8 would be: /usr/local/tomcat/conf/server.xml ... ... Mark, is there a solution in HttpServlet#doPost, #init(), or @MultipartConfig?

Re: FileCountLimitExceededException with 10.1.42 / 11.0.8

2025-06-13 Thread Fabian Hahn
An easy way to increase the number of form input-fields past 10 for a multipart request in Tomcat 11.0.8 would be: /usr/local/tomcat/conf/server.xml ... ... Mark, is there a solution in HttpServlet#doPost, #init(), or @MultipartConfig? Greetings, Fabian Mark Thomas wrote - F

Re: TLS 1.3 and post handshake authentication (PHA)

2025-06-13 Thread Mark Thomas
On 13/06/2025 18:26, Amit Pande wrote: Hello, When using "protocols" TLSv1.3 in SSLHostConfig with HTTP 1.1 protocol (Http11NioProtocol or Http11Nio2Protocol ) and certificateVerification=optional, we see below warning in logs: 13-Jun-2025 11:42:58.453 WARNING [catalina-exec-1] org.apache.

Re: FileCountLimitExceededException with 10.1.42 / 11.0.8

2025-06-13 Thread Matthias Reischenbacher
Thanks for your quick answer. I think the chosen default value of "10" is very low and will possibly break many existing applications. Hopefully it can be increased. Thanks & Best regards, Matthias On 13/06/2025 13:46, Mark Thomas wrote: https://tomcat.apache.org/tomcat-11.0-doc/config/http.

Re: FileCountLimitExceededException with 10.1.42 / 11.0.8

2025-06-13 Thread Mark Thomas
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html You'll need to increase maxPartCount Mark On 13/06/2025 15:13, Matthias Reischenbacher wrote: Hi, after upgrading from 11.0.6 to 11.0.8 a form multi part POST stopped working with the exception: org.apache.tomcat.util.http.Invalid

Re: rewrite.config hot update?

2025-06-11 Thread Troels Arvin
Hello, On May 28th, Mark Thomas wrote: Define the Valve at the web application level in the web application's META-INF/context.xml (nested under ) rather than at the host level in server.xml Rewrite rules for that web application then go in WEB-INF/rewrite.config Then add WEB-INF/rewrite.co

Re: [tomcat] Odd behavior enumerating http headers

2025-06-11 Thread Christopher Schultz
orting? Hoping this isn't some kind of supply chain attack No. The file has simply changed since the 105 release. Specifically, commit 385b0dcc0ff64fd23828513972bea23f55c736f9 re-formatted a whole bunch of javadoc and changed all the line numbering. Some theories I've cooked up on ques

Re: Certificates and keystores. I think I may have asked this before.

2025-06-10 Thread Brian Wolfe
industry standard is to use pkcs12 keystores. You can create them with kse and are functionally the same. You just specify the type when you create the keystore config on the connector On Tue, Jun 10, 2025 at 11:51 AM James H. H. Lampert wrote: > On 6/10/25 6:33 AM, Christopher Schultz wrote: >

Re: Certificates and keystores. I think I may have asked this before.

2025-06-10 Thread James H. H. Lampert
On 6/10/25 6:33 AM, Christopher Schultz wrote: A Java Keystore file is just a container for one or more keys and/or certificates. You should have no problem *using* the certificate and key. You may have to do some tricks to convert from one format into another, and/or to import those things i

Re: Certificates and keystores. I think I may have asked this before.

2025-06-10 Thread Christopher Schultz
James, On 6/9/25 11:53 AM, James H. H. Lampert wrote: Our customer Tomcat installations are, without exception, set up to use a Java Keystore file (mainly because that appeared to be the only option back when we started setting them up) I think this has come up before, but we have a customer

RE: [EXT]Certificates and keystores. I think I may have asked this before.

2025-06-09 Thread Rick Noel
Get a cert that is called a SANS cert that certifies multiple domains. Install as a normal one domain cert. Rick Noel Systems Programmer | Westwood One rn...@westwoodone.com -Original Message- From: James H. H. Lampert Sent: Monday, June 9, 2025 11:53 AM To: Tomcat Users List Subject: [EXT

Re: Tomcat Performance from JMX data

2025-06-04 Thread Zdeněk Henek
Hi Mark, you could add javamelody to your war file and have monitoring as part of your application. Link to javamelody https://github.com/javamelody/javamelody I use this in all applications we distribute to customers as war files for many years. Super useful. Regards, Zdenek Henek On Wed, Jun

Re: Tomcat Performance from JMX data

2025-06-04 Thread Christopher Schultz
Mark, On 6/4/25 1:43 PM, Timothy Resh wrote: I have a production server with JMX enabled. However, we cannot install any additional software to do performance monitoring. We can, however, extract data from the MBeans and transfer it elsewhere for analysis. I saw the ant tasks in the Tomcat do

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Ivano Luberti
Yes, that was the conclusion reached also by the other ml members. Thanks to everyone! On 03-Jun-25 17:54, Mark Thomas wrote: On 03/06/2025 16:29, Ivano Luberti wrote: Because the contexts (webapps) in this instance can serve requests from different domains. https://domain1/context1

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Mark Thomas
On 03/06/2025 16:29, Ivano Luberti wrote: Because the contexts (webapps) in this instance can serve requests from different domains. https://domain1/context1 https://domain2/context2 So this is a host environment where you need to add and remove customers each with their own domain? If th

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Ivano Luberti
Because the contexts (webapps) in this instance can serve requests from different domains. https://domain1/context1 https://domain2/context2 On 03-Jun-25 15:27, Mark Thomas wrote: Why do you need to add/remove a certificate? Mark On 03/06/2025 09:15, Ivano Luberti wrote: Hi Mark, onl

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Mark Thomas
Why do you need to add/remove a certificate? Mark On 03/06/2025 09:15, Ivano Luberti wrote: Hi Mark, only problem to solve is to avoid restart upon adding/removal of an SSL certificate. On 29-May-25 09:38, Mark Thomas wrote: On 29/05/2025 07:59, Ivano Luberti wrote: Thanks Chris, yes

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Ivano Luberti
Hi Mark, only problem to solve is to avoid restart upon adding/removal of an SSL certificate. On 29-May-25 09:38, Mark Thomas wrote: On 29/05/2025 07:59, Ivano Luberti wrote: Thanks Chris, yes that's what I tried to explain from the beginning, sorry I wasn't clear enough. To summarize

RE: Problem Accessing https

2025-06-01 Thread Jerome A. Wendell
Chris, -Original Message- From: Christopher Schultz Sent: Sunday, June 1, 2025 8:41 AM To: users@tomcat.apache.org Subject: Re: Problem Accessing https Jerome, On 5/31/25 5:53 PM, Jerome A. Wendell wrote: > The problem has been resolved. My server hosting company provides

Re: Problem Accessing https

2025-06-01 Thread Christopher Schultz
Jerome, On 5/31/25 5:53 PM, Jerome A. Wendell wrote: The problem has been resolved. My server hosting company provides an interface to make changes on the firewall, so being a Windows server, we don't use the Windows Defender firewall (it is disabled). It appears that someone at the server hos

RE: Problem Accessing https

2025-05-31 Thread Jerome A. Wendell
Chris, -Original Message- From: Jerome A. Wendell Sent: Saturday, May 31, 2025 4:15 PM To: 'Tomcat Users List' Subject: RE: Problem Accessing https Chris, -Original Message- From: Jerome A. Wendell Sent: Saturday, May 31, 2025 1:05 PM To: 'Tomcat Users Lis
