Hi,
On 21.06.2023 at 12:20, Mark Thomas wrote:
CVE-2023-34981 Apache Tomcat - Information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88
Description:
The fix for
import javax.servlet.http.HttpServletRequest;
import javax.security.cert.Certificate;
import javax.security.cert.X509Certificate;
public class GrabCert extends Object
{
public static String getCommonName()
{
try
{
X509Certificate[] certs = (X509Certificate[])
HttpServletRequest().ge
Sorry, getHttpServletRequest() came from my code :) It’s not a Jakarta
method.
In JAX-RS frameworks such as Jersey you can use @Context or @Inject
annotations to get request and servlet context objects (such as
HttpServletRequest):
https://jakarta.ee/specifications/dependency-injection/2.0/apidocs
Timothy,
On 6/21/23 13:55, Timothy Ward wrote:
Not sure it's lined up right, lost in copy/paste I think, the ^ seems to be
initially under the (X509Certificate[]) right before the
getHttpServletRequest(), so I thought it didn't like the
getHttpServletRequest itself, maybe it doesn't like the get
I'm attempting to run this from within Oracle 19c, so I believe that is
throwing a whole other wrinkle in there.
On Wed, Jun 21, 2023 at 1:48 PM Mark Thomas wrote:
>
>
> On 21/06/2023 18:29, Timothy Ward wrote:
> > I tried the following:
> >
> > import javax.servlet.http.HttpServletRequest;
>
>
Not sure it's lined up right, lost in copy/paste I think, the ^ seems to be
initially under the (X509Certificate[]) right before the
getHttpServletRequest(), so I thought it didn't like the
getHttpServletRequest itself, maybe it doesn't like the getAttribute method.
On Wed, Jun 21, 2023 at 1:52 PM
> On Jun 21, 2023, at 11:29 AM, Timothy Ward wrote:
>
> I tried the following:
>
> import javax.servlet.http.HttpServletRequest;
> import javax.security.cert.Certificate;
> import javax.security.cert.X509Certificate;
>
> X509Certificate[] certs = (X509Certificate[])
> getHttpServletRequest()
On 21/06/2023 18:29, Timothy Ward wrote:
I tried the following:
import javax.servlet.http.HttpServletRequest;
If you are using the Java EE imports ...
import javax.security.cert.Certificate;
import javax.security.cert.X509Certificate;
X509Certificate[] certs = (X509Certificate[])
getHttp
I tried the following:
import javax.servlet.http.HttpServletRequest;
import javax.security.cert.Certificate;
import javax.security.cert.X509Certificate;
X509Certificate[] certs = (X509Certificate[])
getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
and I'm getting:
Mark and Dan,
On 6/21/23 04:57, Mark Thomas wrote:
On 20/06/2023 17:12, Dan McLaughlin wrote:
Mark,
What are your thoughts on changing the Tomcat codebase to return a 503
instead of a 404 if a context is marked as distributable or if
clustering is enabled and deployed but stopped? When I did
Simon,
On 6/21/23 03:19, Simon Matter wrote:
Jerry,
On 6/15/23 00:41, Jerry Malcolm wrote:
On 6/13/2023 3:46 PM, Jerry Malcolm wrote:
On 6/13/2023 12:39 PM, Jerry Malcolm wrote:
Rob,
On 6/13/2023 11:34 AM, Rob Sargent wrote:
In /etc/rc.local I have:
--
sleep 120s
sy
Virendra,
On 6/21/23 00:20, Virendra Barad wrote:
I have multiple applications with jdk-1.8.
And I have already checked there is no log printed of any files like
stdout, stderror, etc... it's only buffering for that particular
application.
How are you launching Tomcat? If you are using the standard
Dan,
On 6/20/23 18:03, Christopher Schultz wrote:
Dan,
On 6/16/23 12:54, Dan McLaughlin wrote:
Does anyone have any advice on implementing Context Versioning (parallel
deployment) in Tomcat? It seems to have been a feature for quite some
time.
Is it stable? What are the typical issues peop
CVE-2023-34981 Apache Tomcat - Information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88
Description:
The fix for bug 66512 introduced a regression that was fixed a
On 20/06/2023 17:12, Dan McLaughlin wrote:
Mark,
What are your thoughts on changing the Tomcat codebase to return a 503
instead of a 404 if a context is marked as distributable or if
clustering is enabled and deployed but stopped? When I did searches
years ago on this issue, most people at the
> Jerry,
>
> On 6/15/23 00:41, Jerry Malcolm wrote:
>>
>> On 6/13/2023 3:46 PM, Jerry Malcolm wrote:
>>>
>>> On 6/13/2023 12:39 PM, Jerry Malcolm wrote:
Rob,
On 6/13/2023 11:34 AM, Rob Sargent wrote:
> In /etc/rc.local I have:
>>
>> --
>> sleep 120