On 20/06/2025 11:54, Hrvoje Lončar wrote:
Thank you very much Mark Thomas
That was the case :(
Absolutely weird to make such a major change in a minor release from
NN.MM.39 to NN.MM.42

It was a response to a DoS security vulnerability.

Feel free to add your views on what the defaults should be to the BZ discussion.

Mark

On Fri, Jun 20, 2025 at 10:01 AM Mark Thomas <ma...@apache.org> wrote:

On 20/06/2025 02:07, Hrvoje Lončar wrote:
Hi!

Hope it's the right place to ask for help or/and advice.
Few days ago I switched to latest Tomcat 10.1.42.
After deploying, POST is not working due to a missing CSRF token.
When I inspect the HTTP request, the CSRF token is in the payload as "_csrf"
and the value is correct.
But at the backend side I get

AccessDeniedException = Invalid CSRF Token 'null' was found on the
request parameter '_csrf' or header 'X-XSRF-TOKEN'.

Everything works fine with 10.1.39.
To be sure, I tried it on 2 different Ubuntu servers - test and production
instance.

Anyone else having the same problem?

Maybe related to:

https://bz.apache.org/bugzilla/show_bug.cgi?id=69710

Try setting maxPartCount on the connector but be aware of DoS risks as
the value gets higher.

Mark

Some technical info:
- Ubuntu 24.04.2 LTS
- nginx/1.27.5 to handle SSL certificate
- Apache Tomcat 10.1.39 and 10.1.42
- Java 21
- Spring Boot 3.5.0

Thanks!

BR,
Hrvoje


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
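As an added illustration of the connector change Mark suggests above (this is not part of the thread, and the port and the limit value are assumptions), a conf/server.xml Connector with the multipart part limit raised only as far as the application's largest form needs; maxPartCount is the attribute named in the thread, the other attributes are the stock Tomcat defaults:

```xml
<!-- conf/server.xml (added example; values are assumptions, not from the thread) -->
<!-- With Spring Security the hidden "_csrf" field is itself one multipart part,
     so count it together with every file and text input of the largest
     multipart form, then size the limit to that number, not to "unlimited":
     the limit exists to bound the work an unauthenticated multipart POST can
     force the server to do, so each extra part permitted widens the DoS
     surface the thread warns about. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPartCount="20" />
```

After changing the value, re-send the failing form on the test instance first and confirm the CSRF check passes before touching production.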