2011/11/5 Brendan P Keenan :
>
> It has been identified to me by our security group that my Apache Tomcat
> 6.0.33 has the following vulnerability CVE-2011-3190. There is a link on
> the Apache Tomcat 6.0 Security page to
> http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.
>
>
Brendan,
The link is a list of the files that were modified to fix the
vulnerability. These files can be used to patch the source code for
Tomcat. After patching the source code, you would then need to
recompile it and update your Tomcat installation with the recompiled
binaries.
In my opinion,
Hehe. No comment.
Have a good week-end and cheers,
--
Léa
--
It has been identified to me by our security group that my Apache Tomcat
6.0.33 has the following vulnerability CVE-2011-3190. There is a link on
the Apache Tomcat 6.0 Security page to
http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.
The link lists three files:
/tomcat/tc6.
On 4 Nov 2011, at 19:24, Tim Watts wrote:
> Léa,
>
> Life needn't be this difficult. :-) You're reinventing wheels here
> instead of understanding how the wheels you already have work. Again,
> read the spec. Pretty please. So many questions will be answered.
+1
JSP != PHP
The Servlet Cont
On 4 Nov 2011, at 11:24, Paul Wilson wrote:
> Hi there,
>
> I'd like to specify a custom implementation of 'StandardClassLoader' for
> Tomcat 6.
Why?
> I've written such an implementation of
> 'org.apache.catalina.loader.StandardClassLoader' and dropped it onto the
> classpath
What does the a
On Fri, Nov 4, 2011 at 20:23, Mark Thomas wrote:
[...]
>
> I think the thing to do here is to work out what the 'best' solution is
> and fix the docs/code accordingly. I think LRU is the way to go in which
> case the current code needs fixing.
>
I see more arguments for the LRU case: when a CSRF
Léa,
Life needn't be this difficult. :-) You're reinventing wheels here
instead of understanding how the wheels you already have work. Again,
read the spec. Pretty please. So many questions will be answered.
On Fri, 2011-11-04 at 11:55 -0700, Léa Massiot wrote:
> @Christopher :
> Thank you f
On 04/11/2011 13:14, Pete Gould wrote:
> Hi,
>
> I have recently been using
> the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the
> documentation for setNonceCacheSize states:
>
> "Sets the number of previously issued nonces that will be cached on a
> LRU basis to support
On Fri, 2011-11-04 at 13:07 -0400, Christopher Schultz wrote:
> On 11/4/11 12:04 PM, Léa Massiot wrote:
I would basically echo what Chris said.
> >> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already
> >> got some declaration in there for form authentication?
> > What are you thinki
@Christopher :
Thank you for your answer.
Christopher wrote:
>
> The new session created is completely empty. It has nothing to do with the
> user going back in the history, etc.
> No, you are right.
What I meant is that I was/am managing session expiration inside the Webapp
(for instance if the
Pete,
On 11/4/11 1:06 PM, Pete Gould wrote:
> Okay, great. I guess that I should raise a bug for this then.
>
> The reason that I think that add() needs to change is that it used
> to be:
>
> cache.put(key, null);
>
> and therefore cache.contains()
Léa,
On 11/4/11 12:04 PM, Léa Massiot wrote:
> @Tim : Thank you for your answer.
>
>> [Tim wrote:] "Uncertain" is a bit vague.
> Yes. Ok. This is my understanding which is "uncertain" then. What
> happens is what you wrote: "a new session for the use
Hi,
Okay, great. I guess that I should raise a bug for this then.
The reason that I think that add() needs to change is that it used to be:
cache.put(key, null);
and therefore cache.contains() would return null as it would have to change
to use get(). This is because we can no longer use cont
Paul,
On 11/4/11 7:23 AM, Paul Wilson wrote:
> I'd like to specify a custom implementation of
> 'StandardClassLoader' for Tomcat 6. I've written such an
> implementation of 'org.apache.catalina.loader.StandardClassLoader'
> and dropped it onto the cla
Pete,
On 11/4/11 9:14 AM, Pete Gould wrote:
> I have recently been using the
> org.apache.catalina.filters.CsrfPreventionFilter, and I notice that
> the documentation for setNonceCacheSize states:
>
> "Sets the number of previously issued nonces that
@Tim : Thank you for your answer.
> [Tim wrote:] "Uncertain" is a bit vague.
Yes. Ok. This is my understanding which is "uncertain" then.
What happens is what you wrote: "a new session for the user with _none_ of
the objects from
the old session in it".
> [Tim wrote:] If every page in the web ap
On Fri, 2011-11-04 at 07:16 -0700, Léa Massiot wrote:
> Hello,
>
> Thank you for reading my post.
>
> Maybe my question is not purely related to "Tomcat" but here is my problem:
> - a user logs into my Webapp;
> - his session expires;
> - if he:
> - presses the F5 key (browser refresh funct
Hello,
Thank you for reading my post.
Maybe my question is not purely related to "Tomcat" but here is my problem:
- a user logs into my Webapp;
- his session expires;
- if he:
- presses the F5 key (browser refresh functionality),
- goes back to the previous screen using the browser "
I'm hoping to replace it with an aspect weaver.
On 4 November 2011 13:13, Mikolaj Rydzewski wrote:
> On Fri, 4 Nov 2011 11:23:59 +, Paul Wilson wrote:
>
>> It seems that only the lib/* jars are available at this point in time, and
>> not bootstrap.jar.
>>
>> What's the correct way to overrid
Hi,
I have recently been using
the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the
documentation for setNonceCacheSize states:
"Sets the number of previously issued nonces that will be cached on a
LRU basis to support parallel requests..."
However, looking at the implemen
On Fri, 4 Nov 2011 11:23:59 +, Paul Wilson wrote:
It seems that only the lib/* jars are available at this point in
time, and
not bootstrap.jar.
What's the correct way to override the StandardClassLoader?
Just out of curiosity: what do you need it for?
--
Mikolaj Rydzewski
Hello @ll,
I have two Tomcat instances (6.0.32 x64 on Windows) on the same server. Both
servers do their own clustering with the other physical node, independently
of each other, on the same machine.
During startup of the 2nd Tomcat on the same node I get the following error:
INFO: Receiver Server
Hi there,
I'd like to specify a custom implementation of 'StandardClassLoader' for
Tomcat 6. I've written such an implementation of
'org.apache.catalina.loader.StandardClassLoader' and dropped it onto the
classpath (using the Eclipse launch configuration). However, I get an error:
java.lang.Class