[ANN] Apache Tomcat 11.0.8 Available

2025-06-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.8. Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Mark Thomas
25 15:27, Mark Thomas wrote: Why do you need to add/remove a certificate? Mark On 03/06/2025 09:15, Ivano Luberti wrote: Hi Mark, only problem to solve is to avoid restart upon adding/removal of an SSL certificate. On 29-May-25 09:38, Mark Thomas wrote: On 29/05/2025 07:59,

Re: adding new SSL certificate without restarting tomcat

2025-06-03 Thread Mark Thomas
Why do you need to add/remove a certificate? Mark On 03/06/2025 09:15, Ivano Luberti wrote: Hi Mark, only problem to solve is to avoid restart upon adding/removal of an SSL certificate. On 29-May-25 09:38, Mark Thomas wrote: On 29/05/2025 07:59, Ivano Luberti wrote: Thanks Chris

[SECURITY] CVE-2025-46701 Apache Tomcat - CGI security constraint bypass

2025-05-29 Thread Mark Thomas
CVE-2025-46701 Apache Tomcat - CGI security constraint bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.6 Apache Tomcat 10.1.0-M1 to 10.1.40 Apache Tomcat 9.0.0.M1 to 9.0.104 Description: When running on a case insensitive file syst

Re: adding new SSL certificate without restarting tomcat

2025-05-29 Thread Mark Thomas
On 29/05/2025 07:59, Ivano Luberti wrote: Thanks Chris, yes that's what I tried to explain from the beginning, sorry I wasn't clear enough. To summarize: there is no solution out of the box, I have to develop something. I will look into that. Just out of interest, what problem are you tryi

Re: rewrite.config hot update?

2025-05-28 Thread Mark Thomas
On 28/05/2025 15:48, Troels Arvin wrote: Hello, Mark Thomas wrote:   Try with per context rewrite rules rather than global ones. What does that mean? https://tomcat.apache.org/tomcat-11.0-doc/rewrite.html Define the Valve at the web application level in the web application's MET

Re: rewrite.config hot update?

2025-05-28 Thread Mark Thomas
Try with per context rewrite rules rather than global ones. The watched resource path is relative to the docBase. You might be able to trick watched resources with "../../conf/standalone/rewrite.config" but I haven't tested it and I'm fairly sure it was never intended to work that way (even if

Re: adding new SSL certificate without restarting tomcat

2025-05-28 Thread Mark Thomas
On 27/05/2025 21:11, Ivano Luberti wrote: Hi all, is there a way to configure tomcat in order to avoid restart when I change the list of ssl certificates? Which list of certificates? There are several. Exactly what are you changing? Are you adding a cert to a keystore, adding a PEM file to a

Re: Tcnative-2 PQC support

2025-05-28 Thread Mark Thomas
The switch to 3.5 LTS would be wonderful, I hope you can get the build working, Mark. Please keep us updated. Thanks, Fede. On Thu, May 22, 2025, 07:07 Mark Thomas wrote: On 22/05/2025 07:53, Mark Thomas wrote: On 21/05/2025 23:04, federico bustamante wrote: Yes, I don't have high hope

Re: Tcnative-2 PQC support

2025-05-22 Thread Mark Thomas
On 22/05/2025 07:53, Mark Thomas wrote: On 21/05/2025 23:04, federico bustamante wrote: Yes, I don't have high hopes on making it work on Ubuntu, but I thought of giving it a try using mingw-64. I'll report back. I've been building the Tomcat Native binaries for Windows for

Re: Tcnative-2 PQC support

2025-05-21 Thread Mark Thomas
On 21/05/2025 23:04, federico bustamante wrote: Yes, I don't have high hopes on making it work on Ubuntu, but I thought of giving it a try using mingw-64. I'll report back. I've been building the Tomcat Native binaries for Windows for a while. I'll try with 3.5 and report back. I'll also st

Re: WebSocket session is never closed

2025-05-21 Thread Mark Thomas
On 21/05/2025 10:37, Harri Pesonen wrote: Hello, We have a random problem with Apache Tomcat/9.0.100 in Windows, JDK 11.0.13. We have seen this problem only once so far. Problem is that WebSocket connection is apparently closed but there is no callback to @OnClose handler, which is implemented

Re: Tomcat 9, ClassCast exception

2025-05-21 Thread Mark Thomas
On 21/05/2025 13:44, Zdeněk Henek wrote: Hello, I am getting these errors in one of our systems: java.lang.ClassCastException: class com.sun.mail.handlers.text_html cannot be cast to class javax.activation.DataContentHandler (com.sun.mail.handlers.text_html is in unnamed module of loader org.ap

Re: What is a reasonable performance degradation?

2025-04-30 Thread Mark Thomas
On 30/04/2025 16:17, Mark Thomas wrote: On 30/04/2025 14:59, Doug Whitfield wrote: Hi folks, This feature was added in 9.0.90: The system property org.apache.catalina.connector.RECYCLE_FACADES will now default to true if not specified, which will in turn set the default value for the

Re: What is a reasonable performance degradation?

2025-04-30 Thread Mark Thomas
On 30/04/2025 14:59, Doug Whitfield wrote: Hi folks, This feature was added in 9.0.90: The system property org.apache.catalina.connector.RECYCLE_FACADES will now default to true if not specified, which will in turn set the default value for the discardFacades connector attribute, thus causing

Re: When was the first stable GA release of Apache Tomcat 11.0.x?

2025-04-30 Thread Mark Thomas
Minor nit: Tomcat also supports: Jakarta Annotations Jakarta Debugging Support for Other Languages but we don't list them on the spec page. We probably should. Mark On 29/04/2025 15:36, William Crowell wrote: Chris, Beautiful answer and exactly what I was looking for. Thank you. Regards,

Re: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

2025-04-29 Thread Mark Thomas
On 29/04/2025 08:16, Zdeněk Henek wrote: Hi, I have looked at the commits and all have in changes http2. Is this an issue in case we don't use http2? No. It only affects h2/h2c. Mark Thank you. Regards, Zdenek Henek On Mon, Apr 28, 2025 at 7:12 PM Mark Thomas wrote: CVE-2025-

[SECURITY] CVE-2025-31651 Apache Tomcat - Rewrite rule bypass

2025-04-28 Thread Mark Thomas
CVE-2025-31651 Apache Tomcat - Rewrite rule bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.5 Apache Tomcat 10.1.0-M1 to 10.1.39 Apache Tomcat 9.0.0.M1 to 9.0.102 Description: For a subset of unlikely rewrite rule configurations, i

[SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

2025-04-28 Thread Mark Thomas
CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M2 to 11.0.5 Apache Tomcat 10.1.10 to 10.1.39 Apache Tomcat 9.0.76 to 9.0.102 Description: Incorrect error handling for some i

Re: global web.xml question

2025-04-28 Thread Mark Thomas
On 28/04/2025 16:35, Christopher Schultz wrote: ABT, On 4/28/25 9:05 AM, A Name wrote: We are looking at adding a second instance of our app (named differently -- myappA and myappB) to our Tomcat 9.  We currently have the app installed at a number of customer locations, we are looking at drop

Re: global web.xml question

2025-04-28 Thread Mark Thomas
On 28/04/2025 14:05, A Name wrote: We are looking at adding a second instance of our app (named differently -- myappA and myappB) to our Tomcat 9. We currently have the app installed at a number of customer locations, we are looking at dropping 1 app Currently, our database connections are esta

Re: Axis Fault, Xerces sees the webapp as stopped although it is running

2025-04-25 Thread Mark Thomas
There is a lot of information here. Responses in-line. On 24/04/2025 21:51, Simon Arame wrote: Not sure I am interpreting the doc correctly, does this mean that the concerned classes of the xercesImpl jar in /WEB-INF/lib will be ignored when there exists the equivalent in the bootstrap class

Re: Help with Cluster Setup on Tomcat 9

2025-04-24 Thread Mark Thomas
On 24/04/2025 02:02, Zoran Avtarovski wrote: We have a cluster of tomcat servers on AWS EC2 which operate behind an AWS load balancer with sticky sessions. We have our session storage on a DB using a JDBC store which for the most part is working well, but we occasionally see duplicate session

Re: Axis Fault, Xerces sees the webapp as stopped although it is running

2025-04-24 Thread Mark Thomas
pplication shuts down and/or cause each reference chain to be created to the common class loader rather than the web application specific one. If you can provide a minimal web application that reproduces the issue, we can help with the above. Mark Simon On Tue, Apr 22, 2025 at 12:

Re: Axis Fault, Xerces sees the webapp as stopped although it is running

2025-04-22 Thread Mark Thomas
On 22/04/2025 16:44, Simon Arame wrote: What is strange is that although it says "this web application instance has been stopped already", the web application is still running, end users are still receiving 200 OKs from the web application. Any other web applications running on that Tomcat i

Re: State Synchronization without Serialization - Possible?

2025-04-22 Thread Mark Thomas
On 22/04/2025 01:09, Eric Robinson wrote: Hi all, We want to implement tomcat clustering, but we cannot because the application is commercial, and it does not support serializable objects. In short, it does not work with tomcat's standard clustering technology. Is there any known reliable way

Re: Best practices to set heap memory

2025-04-22 Thread Mark Thomas
On 21/04/2025 17:49, Christopher Schultz wrote: Ramesh, On 4/21/25 1:06 AM, Ramesh B R wrote: How to decide on heap memory size? is it 25% of total memory? or 50% total memory? What is the ideal value (in %) for heap memory ? Only you can answer that question about your own application envir

Re: Tomcat 9.0.104 Crashing at Startup on RHEL 8.4

2025-04-17 Thread Mark Thomas
On 17/04/2025 20:32, RAY, DAVID wrote: I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both are 'crashing' at startup after the update. Version 9.0.102 and prior versions ran fine. No issues. Version 9.0.104 is crashing at startup. Any suggestions much appreciated: That

Re: Apache Tomcat 12+

2025-04-17 Thread Mark Thomas
To expand on some of that: On 17/04/2025 16:47, Rémy Maucherat wrote: On Thu, Apr 17, 2025 at 5:16 PM William Crowell wrote: Hi, A few questions on the future direction of the project. It seems like Project Panama is still in preview mode as of JDK 24. Is that correct? No, it's a stable

Re: Content type unknown after upgrading Tomcat 10.1.39 => 10.1.40

2025-04-17 Thread Mark Thomas
On 16/04/2025 19:35, Thorsten Heit wrote: Hi all, long time Tomcat user, but first time I'm posting, so hi to you all :-) I'm suffering a strange phenomenon after I upgraded Tomcat on one of our virtual machines from 10.1.39 to 10.1.40: When I open the link to an application being served by

Re: About whether the described env is safe from CVE 2024-50379 and 56337

2025-04-16 Thread Mark Thomas
On 16/04/2025 18:20, Nguyen Duong wrote: Hi Tomcat team I am really sorry to bother you regarding this fix for Tomcat 9.0.98 revolving around the following CVEs, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337 (★) My que

Re: Classpath confusion between webapps

2025-04-14 Thread Mark Thomas
Thad, A quick read of https://github.com/jai-imageio/jai-imageio-core suggests a possible cause. The library is using the SPI plugin mechanism of ImageIO. I haven't confirmed this with a code inspection but what I assume is happening is that the web application is registering an extension at

Re: 10.1.x [ANN] are missing for x >= 33

2025-04-10 Thread Mark Thomas
On 10/04/2025 17:53, Christopher Schultz wrote: Charles, On 4/9/25 6:57 PM, Charles Slivkoff wrote: I noticed this in February and have attempted multiple times to contact the list owners and have received no response. There are no posts for Tomcat 10.1.x to tomcat-announce after 33 on 2024-1

Re: 9.0.102 sessions

2025-04-10 Thread Mark Thomas
On 10/04/2025 10:44, Greg Huber wrote: Hello, Going through the logs, the session creation was being triggered from our 403 jsp page (they were not following the robots.txt and got themselves banned). 10 minutes of log entries: (752 403's) 752 (32.71%)    0 (00.00%)    1.5 MiB (04.64%)    4

Re: Exception: Server name value of host_name cannot have the trailing dot

2025-04-09 Thread Mark Thomas
On 09/04/2025 12:45, Vishwas Bm wrote: Hi, I am getting below error when having tomcat server name with trailing dot (.) when using tomcat 10. From the stacktrace, it looks like it is coming as part of SNI handling. That is generated by the JRE. Nothing to do with Tomcat. I'll note that RFC

Re: 9.0.102 sessions

2025-04-09 Thread Mark Thomas
On 09/04/2025 12:22, Greg Huber wrote: Hello, I have noticed that it seems I have a lot of sessions open, when looking in the application manager. It was 800+. I don't remember seeing it this high before. Before what? If I refresh the screen I can see the number going up slowly. I ha

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-04-09 Thread Mark Thomas
your time and assistance. I look forward to your response. Regards, Rose Mary From: Mark Thomas Date: Thursday, 3 April 2025 at 2:49 PM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat On 28/03/2025 09:08, Rose Mary P T wrote:

Re: Tomcat Clustering Roadmap And Max Node Limit

2025-04-09 Thread Mark Thomas
There are several presentations by me on the Tomcat website that discuss this. Maybe start with this one from slide 12. Slides: https://tomcat.apache.org/presentations/2013-02-acna-Apache-Tomcat-Clustering.pdf Video: https://www.youtube.com/watch?v=rX1zm11AXcA HTH, Mark On Fri, Apr 4, 2025 at 8:23 P

Re: EOL timeline for tomcat 9 and 10.1

2025-04-09 Thread Mark Thomas
On 08/04/2025 13:29, Aniket Pachpute wrote: No Plans. Please See: https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0 Plans have evolved a little since that message. For Tomcat 9: https://lists.apache.org/thread/o8d1nz8mj8dhwq88jbt7zxopp3omkkkb Work has now started on Tomcat 12 /

Re: HOWTO: the right way to configure security constraints to protect CGI scripts in web.xml

2025-04-08 Thread Mark Thomas
8 Apr 2025 21:45:50 Christopher Schultz : Justin, On 4/8/25 3:16 AM, Justin Chen wrote: Dear users and supporters, Currently I have two CGI scripts: 1. "/cgi-bin/update" //an administrative command, required role="admin" 2. "/cgi-bin/updateOrder" //update order, required role="biz" In order

Re: Using classes from forked packages

2025-04-04 Thread Mark Thomas
On 04/04/2025 18:18, Alexander Norz wrote: Dear Tomcat users and supporters, The Apache Tomcat software uses forks from packages as Apache Commons FileUpload and others. However, do you not recommend using classes from such Tomcat packages within a web app that only will run on Tomcat? (e.g.

Re: Tomcat Clustering Roadmap And Max Node Limit

2025-04-04 Thread Mark Thomas
On 04/04/2025 02:42, Chuck Caldarale wrote: On 2025 Apr 3, at 19:57, Tim N wrote: For a long time up to the latest version 11 documentation, there has been a recommended maximum limit of 4 nodes per cluster. https://tomcat.apache.org/tomcat-11.0-doc/cluster-howto.html "This works great for s

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-04-03 Thread Mark Thomas
ionCount will always be 1 more than the current connections. i.e. a value of 1 means there are no current requests. Mark Thank you for your continued support. Best Regards, Rose Mary From: Mark Thomas Date: Thursday, 27 March 2025 at 9:25 PM To: users@tomcat.apache.org Subject: [EXTERNAL]

Re: Tomcat 10.1 Upgrade & Uber JAR Error

2025-04-03 Thread Mark Thomas
On 03/04/2025 05:34, Tim N wrote: That should have been Looks like this last worked Tomcat v10.1.20 and first failed v10.1.23 ...and now looks like this was first fixed again in v10.1.39 Any ideas why? It suggests that the JasperInitializer was not triggered on start. If not a packaging issu

Re: Additional Property File For Substitution Variables

2025-03-27 Thread Mark Thomas
On 27/03/2025 14:54, William Crowell wrote: Sebastian, Thanks for your reply. I did know about environment variables. I would be concerned about someone doing a “ps -ef” on the box and getting the password from the command line arguments. I will keep looking. Write a small class that impl

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-03-27 Thread Mark Thomas
Date: Wednesday, 26 March 2025 at 12:48 PM To: Rose Mary P T Subject: Begin forwarded message: From: Mark Thomas Subject: [EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat Date: 6 March 2025 at 2:08:43 PM IST To: Reply-To: "Tomcat Users List" On 06/03/2025

Re: NIO Thread Madness

2025-03-25 Thread Mark Thomas
em? Mark Regards, William Crowell From: Mark Thomas Date: Tuesday, March 25, 2025 at 8:27 AM To: users@tomcat.apache.org Subject: Re: NIO Thread Madness On 25/03/2025 11:24, William Crowell wrote: Chris, Looking at JMX is the next step. I make a request and Tomcat never returns, and I do

Re: NIO Thread Madness

2025-03-25 Thread Mark Thomas
On 25/03/2025 11:24, William Crowell wrote: Chris, Looking at JMX is the next step. I make a request and Tomcat never returns, and I do not get a “connection refused”. It just sits and hangs. Looking at the thread dump you sent me privately now. Which port/protocol are you using to conne

Re: NIO Thread Madness

2025-03-25 Thread Mark Thomas
William Crowell ____ From: Mark Thomas Sent: Tuesday, March 25, 2025 5:09:20 AM To: users@tomcat.apache.org Subject: Re: NIO Thread Madness On 24/03/2025 18:56, William Crowell wrote: Are there any logs I can enable to find out why the application server stops accepting connections? I'd sug

Re: NIO Thread Madness

2025-03-25 Thread Mark Thomas
On 24/03/2025 18:56, William Crowell wrote: Are there any logs I can enable to find out why the application server stops accepting connections? I'd suggest taking 3 thread dumps approx 5s apart when this happens. Hopefully you'll see a bunch of threads waiting on the database and where th

Re: Verifying tomcat downloads: PGP keys unavailable at https://keys.openpgp.org

2025-03-19 Thread Mark Thomas
On 19/03/2025 18:51, Mark Thomas wrote: On 19/03/2025 14:52, Roberto Resoli wrote: Hello, I am trying to verify GPG signatures of recent tomcat downloads, but I noted that both Mark E D Thomas DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 Remy Maucherat

Re: Verifying tomcat downloads: PGP keys unavailable at https://keys.openpgp.org

2025-03-19 Thread Mark Thomas
On 19/03/2025 14:52, Roberto Resoli wrote: Hello, I am trying to verify GPG signatures of recent tomcat downloads, but I noted that both Mark E D Thomas DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 Remy Maucherat 48F8E69F6390C9F25CFEDCD268248959359E722B Are no more available on the https://ke

Re: context path version number with parallel deployment

2025-03-18 Thread Mark Thomas
Kind regards, Mark ____ From: Mark Thomas Sent: 18 March 2025 9:35 To: users@tomcat.apache.org Subject: Re: context path version number with parallel deployment On 17/03/2025 18:43, Усманов Азат Анварович wrote: thanks a lot! I got it working. A quick follow

Re: context path version number with parallel deployment

2025-03-17 Thread Mark Thomas
On 17/03/2025 18:43, Усманов Азат Анварович wrote: thanks a lot! I got it working. A quick follow up What steps do I need to take to include this info in documentation? I think it might be useful to others The list is in the Javadoc: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache

Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Mark Thomas
tor Distributed Application Platform Services Northwestern University 4th Floor 2020 Ridge Avenue Evanston, IL 60208-0801 darryl.ba...@northwestern.edu (847) 467-6674 On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org> wrote:

Re: Has Tomcat 10 dropped support for using log4j2 as its default logger?

2025-03-11 Thread Mark Thomas
On 10/03/2025 21:58, Piotr P. Karwasz wrote: If you are looking for instructions on how to replace Tomcat's default logging backend with Log4j Core, there is a dedicated section[2] in our new Integrating Log4j Core with Jakarta EE Guide[3] [2] https://logging.apache.org/log4j/2.x/jakarta.ht

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-10 Thread Mark Thomas
CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.2 Apache Tomcat 10.1.0-M1 to 10.1.34 Apache Tomcat 9.0.0.M1 to 9.0.98 Descrip

Re: net::ERR_HTTP2_PROTOCOL_ERROR with 10.1.30

2025-03-07 Thread Mark Thomas
have been resolved with that specific fix? It is certainly possible. The only way to be sure is to test it and find out. Mark As always, thanks for the hard work on Tomcat! Regards, Boris On 1/20/25 10:31 AM, Mark Thomas wrote: On 17/01/2025 15:31, Boris Petrov wrote: Hi Mark, I'

Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat

2025-03-06 Thread Mark Thomas
On 06/03/2025 06:29, Joash Jose wrote: Dear Apache Tomcat Support Team, I hope this message finds you well. I am writing to inquire whether Apache Tomcat (Tomcat version is 10.1.33 running on Java 21) exposes virtual thread metrics through JMX / MBeans. Specifically: Virtual Thread Visibil

Re: Async servlet and request recycle synchronization

2025-03-06 Thread Mark Thomas
On 05/03/2025 19:19, François Rajotte wrote: Hi Christopher, Thanks for your comments. Regarding the behavior of the non-container thread when an async request gets cancelled, I don't really care exactly how it's handled. Currently, my strategy is to let it finish if it had already started proc

Re: Handling CloseNowException in Tomcat 9.0

2025-02-28 Thread Mark Thomas
On 27/02/2025 19:56, Banana Kanana wrote: Hi, We are using Apache Tomcat 9.0 and frequently see logs related to CloseNowException in one of our applications. This exception occurs on multiple operating systems, including OpenSUSE, Ubuntu, and Windows, and in different parts of our codebase. Fr

Re: tomcat 10.1.33 random rare 500 response status for http2 upgrade with tls

2025-02-26 Thread Mark Thomas
On 26/02/2025 12:04, Mark Thomas wrote: On 26/02/2025 08:16, Mark Thomas wrote: On 13/02/2025 10:04, Rémy Maucherat wrote: On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman wrote: We run tomcat on java17 with the embedded tomcat setup. We have http and https connectors and we have http2

Re: tomcat 10.1.33 random rare 500 response status for http2 upgrade with tls

2025-02-26 Thread Mark Thomas
On 26/02/2025 08:16, Mark Thomas wrote: On 13/02/2025 10:04, Rémy Maucherat wrote: On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman wrote: We run tomcat on java17 with the embedded tomcat setup. We have http and https connectors and we have http2 upgradeProtocol for both. We recently upgraded

Re: tomcat 10.1.33 random rare 500 response status for http2 upgrade with tls

2025-02-26 Thread Mark Thomas
On 13/02/2025 10:04, Rémy Maucherat wrote: On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman wrote: We run tomcat on java17 with the embedded tomcat setup. We have http and https connectors and we have http2 upgradeProtocol for both. We recently upgraded from 9.0.88 to 10.1.24 to work on javax to

The future of Tomcat 9

2025-02-25 Thread Mark Thomas
All, Tomcat 9 is the last major Tomcat version supporting Java EE. Therefore, the Tomcat community intends to provide support for Tomcat 9 beyond the 10 years for which major Tomcat versions are typically supported. Extended support will be provided via a new 9.1.x branch that will be starte

Re: AllowLiking below contex resources

2025-02-17 Thread Mark Thomas
On 17/02/2025 11:50, Michael Osipov wrote: Folks, consider the following usecase: ... This, of course does not work. I have to move the allowLinking attribute up to Resources which means that all resources are allowed to do that. I'd rather prefer something like: Opt

[ANN] Apache Tomcat 11.0.4 Available

2025-02-17 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.4. Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Re: HTTP/2 support in Tomcat

2025-02-12 Thread Mark Thomas
On 12/02/2025 02:50, Chuck Caldarale wrote: On 2025 Feb 11, at 19:21, Amit Pande wrote: Am planning to update the Tomcat configuration to support HTTP/2. Wanted to understand the difference between nested within the HTTP/1.1 connector Vs Supporting protocol=org.apache.coyote.http2.Http

Re: Reg: Tomcat temp file deletion

2025-02-11 Thread Mark Thomas
On 11/02/2025 12:42, Christopher Schultz wrote: Mark, On 2/7/25 3:42 AM, Mark Thomas wrote: On 06/02/2025 19:25, Jalaj Asher wrote: Hello, Is it ok to delete files from tomcat/temp folder  while the tomcat is running ? Generally, no. There are instances where that will break things. It

Re: catalina.policy file not available Tomcat 11.0.0

2025-02-11 Thread Mark Thomas
On 11/02/2025 10:53, S Abirami wrote: Hi All, Tomcat catalina.policy file is not available from Tomcat 11.0.0. Is there any specific reason for the removal? Support for running under a SecurityManager has been removed. Mark ---

[ANN] Apache Tomcat 11.0.3 Available

2025-02-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.3. Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Re: REG: Version stability of Tomcat 9.0.96

2025-02-07 Thread Mark Thomas
If the applications contain JSPs precompiled against an earlier version of Tomcat 9 there is no solution that will enable them to work with 9.0.96 short of rebuilding and precompiling against 9.0.96 or later. If they have not been precompiled then: - stop Tomcat - empty work directory - start T

Re: Reg: Tomcat temp file deletion

2025-02-07 Thread Mark Thomas
On 06/02/2025 19:25, Jalaj Asher wrote: Hello, Is it ok to delete files from tomcat/temp folder while the tomcat is running ? Generally, no. There are instances where that will break things. It may be possible to delete some files safely - although that begs the question why isn't Tomcat del

Re: JspWriterImpl BufferSize And Flushing In Tomcat 10.1.16

2025-02-03 Thread Mark Thomas
On 03/02/2025 09:24, Rémy Maucherat wrote: On Mon, Feb 3, 2025 at 3:38 AM Tim N wrote: I've replicated something similar on Tomcat 10.1.34 (and also 9.0.98). Steps 1 - Download and unzip Tomcat 10.1.34 2 - Create file "webapps/ROOT/include.jsp" with contents "I've been included!" 3 - Edit "we

Re: Release 10.1.35

2025-02-03 Thread Mark Thomas
On 03/02/2025 13:52, Adrienne Farrell wrote: Hello I am seeing https://bz.apache.org/bugzilla/show_bug.cgi?id=69527 in my Tomcat 10.1.33 and 10.1.34 and have to roll back to 10.1.31. I am just wondering when 10.1.35 might be released as I see the fix is in that update? If all goes to plan, the

Re: Openssl Connector configuration for Dynamic Client Authorization does not work.

2025-01-29 Thread Mark Thomas
On 28/01/2025 17:16, Timothy Resh wrote: Chris and Mark, The following properties are set via Introspection and are used by a SOAP call in a hosted Java web app. System.setProperty("javax.net.ssl.keyStore", keyStorePath); System.setProperty("javax.net.ssl.keyStorePassword", clearText); System.s

Re: Tomcat 10 usage and necessity of --add-opens

2025-01-24 Thread Mark Thomas
On Thu, 23 Jan, 2025, 8:25 pm Mark Thomas, wrote: On 23/01/2025 14:42, anand raj wrote: Hi all, In Tomcat 10 there is --add-opens added default and does this mean Tomcat required to access these. Yes. Also document information on what all are accessed which requires these will be helpful

Re: Trouble passing through backslash in URL path

2025-01-24 Thread Mark Thomas
9.0.x, 10.1.x and 11.0.x. Mark -James On Thu, Jan 23, 2025 at 8:20 AM Mark Thomas wrote: James, I've added attributes (encodedReverseSolidusHandling and encodedSolidusHandling) to the Context to provide control of how the RequestDispatcher paths are processed. Snapshots built after

Re: Sporadic NPEs from CoyoteOutputStream and their surprising effect

2025-01-23 Thread Mark Thomas
On 23/01/2025 14:34, Mark Thomas wrote: All of that suggests that something detects an issue with this request (or it just times out) which triggers the async error handling which eventually leads to the async request being completed/dispatched. In the case of the unit test, it was a

Re: Tomcat 10 usage and necessity of --add-opens

2025-01-23 Thread Mark Thomas
On 23/01/2025 14:42, anand raj wrote: Hi all, In Tomcat 10 there is --add-opens added default and does this mean Tomcat required to access these. Yes. Also document information on what all are accessed which requires these will be helpful. Generally to implement the memory leak detection

Re: Sporadic NPEs from CoyoteOutputStream and their surprising effect

2025-01-23 Thread Mark Thomas
On 17/01/2025 10:05, Michael wrote: I have two applications, A and B, running in Tomcat 10.1.28 on RHEL 8.10 with Java 21 (OpenJDK Runtime Environment Red_Hat-21.0.5.0.10-1). Application uses an AsyncContext and SSE to send messages back to an application running in a Chrome browser. Sometimes I

Re: Sporadic NPEs from CoyoteOutputStream and their surprising effect

2025-01-23 Thread Mark Thomas
On 20/01/2025 20:44, Michael wrote: On Fri, Jan 17, 2025 at 7:45 PM Michael wrote: On Fri, Jan 17, 2025 at 3:51 PM Chuck Caldarale wrote: In various logs from nightly(?) Tomcat test runs, I've been able to find a similar problem. See this, for instance: https://nightlies.apache.org/tomcat/

Re: Trouble passing through backslash in URL path

2025-01-23 Thread Mark Thomas
at 11 is building and Tomcat 10 and Tomcat 9 are in the queue. All should be complete in a couple of hours. Mark On 22/01/2025 09:30, Mark Thomas wrote: This is going to be fun. The RequestDispatcher processing currently does not take account of encodedSolidusHandli

Re: Openssl Connector configuration for Dynamic Client Authorization does not work.

2025-01-22 Thread Mark Thomas
On 21/01/2025 19:08, Timothy Resh wrote: Good afternoon, If I use this configuration, then the prompts for the client auth work, where the intermediate.p12 file has all the intermediates from DOD ID CAx imported. I do not see where the caCertificatePath can be used in this configuration. OK.

Re: Trouble passing through backslash in URL path

2025-01-22 Thread Mark Thomas
tion is created and a 500 response is returned. It seems that this area of the code would need to be aware of the encodedReverseSolidusHandling configuration as well. Thank you, James On Tue, Jan 21, 2025 at 1:20 PM Mark Thomas wrote: On 21/01/2025 14:15, James Matlik wrote: Hello Mark, Yes

Re: Trouble passing through backslash in URL path

2025-01-21 Thread Mark Thomas
look for the snapshot for the current dev version for each release branch. The Connector attribute is called encodedReverseSolidusHandling Let the list know how you get on. Mark -James On Tue, Jan 21, 2025 at 8:17 AM Mark Thomas wrote: On 18/01/2025 16:18, James Matlik wrote: I agree

Re: Trouble passing through backslash in URL path

2025-01-21 Thread Mark Thomas
On 18/01/2025 16:18, James Matlik wrote: I agree with everything you have said. As the config options stand today, the allowBackslash seems to implement part of encodeSolidusHandling. While encodeSolidusHandling supports: * REJECT - Return 400 on encoded / * DECODE - Decodes the / * PASS_THROUGH

Re: Tomcat Virtual Threads Performance

2025-01-21 Thread Mark Thomas
On 21/01/2025 11:17, joan.balagu...@ventusproxy.com wrote: Hi, Virtual threads only shine on I/O bound tasks, in terms of throughput (not latency). They were created for that, don't expect any improvement on CPU bound tasks. +1. If I had to guess, I'd guess something to do with concurrency

[ANN] Apache Tomcat Migration tool for Jakarta EE 1.0.9

2025-01-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Migration Tool for Jakarta EE 1.0.9 Apache Tomcat Migration Tool for Jakarta EE is an open source software tool for migrating binary web applications (WAR files) and other binary artifacts from Java EE 8 to Jakarta EE 9.

Re: net::ERR_HTTP2_PROTOCOL_ERROR with 10.1.30

2025-01-20 Thread Mark Thomas
coyote package but that is likely to generate a LOT of data. Mark Regards, Boris On 1/14/25 3:02 PM, Mark Thomas wrote: On 16/12/2024 10:44, Mark Thomas wrote: On 16/12/2024 10:28, Boris Petrov wrote: Hi Mark, Thanks for the response and sorry for the delayed answer. I don't th

Re: Trouble passing through backslash in URL path

2025-01-17 Thread Mark Thomas
James, A comment and a question. You are talking about the servlet path here. Path parameters are something different (.../path-segment;path-param-name=path-param-value/...) Which operating system are you using? Mark 16 Jan 2025 15:38:50 James Matlik : Thank you for responding, Chris.

Re: I cannot unsubscribe

2025-01-14 Thread Mark Thomas
On 14/01/2025 14:35, Jim Anderson wrote: Hello, I subscribe to users@tomcat.apache.org occasionally and have always been able to unsubscribe, but not anymore. Over the past two months I have tried to unsubscribe several times, but I continue to receive emails from users@tomcat.apache.org. Tw

Re: net::ERR_HTTP2_PROTOCOL_ERROR with 10.1.30

2025-01-14 Thread Mark Thomas
On 16/12/2024 10:44, Mark Thomas wrote: On 16/12/2024 10:28, Boris Petrov wrote: Hi Mark, Thanks for the response and sorry for the delayed answer. I don't think my use case is special in any way. It's just a normal web-app exposing a JSON REST API that is being queried from tim

Re: DMARC Compliance

2025-01-13 Thread Mark Thomas
On 13/01/2025 18:32, Baez, Melvin L wrote: Hello everyone, Recently the security team reached out in regards to an email I sent to the Tomcat user community. I sent the email straight to “users@tomcat.apache.org”. However, it came back with a spoof email addre

Re: Javadoc search is broken

2025-01-10 Thread Mark Thomas
On 10/01/2025 15:17, Christopher Schultz wrote: All, On 1/10/25 10:05 AM, Christopher Schultz wrote: All, On 1/10/25 9:52 AM, Christopher Schultz wrote: Maxim, On 1/10/25 1:44 AM, Maxim Solodovnik wrote: On Fri, 10 Jan 2025 at 13:40, Chuck Caldarale wrote: On Jan 9, 2025, at 23:09, Maxi

Re: Excessive memory usage for HTTP/2 requests

2025-01-10 Thread Mark Thomas
On 09/01/2025 14:19, Mark Thomas wrote: On 03/01/2025 07:44, Mark Thomas wrote: Arjan, This is the right place to ask that question. Taking a look at this is on my TODO list. Between addressing CVE-2024-50379 and CVE-2024-56337 and the holiday season I haven't got to it yet. I expect to

Re: Excessive memory usage for HTTP/2 requests

2025-01-09 Thread Mark Thomas
On 03/01/2025 07:44, Mark Thomas wrote: Arjan, This is the right place to ask that question. Taking a look at this is on my TODO list. Between addressing CVE-2024-50379 and CVE-2024-56337 and the holiday season I haven't got to it yet. I expect to look at it before the next release (it

Re: Excessive memory usage for HTTP/2 requests

2025-01-02 Thread Mark Thomas
Arjan, This is the right place to ask that question. Taking a look at this is on my TODO list. Between addressing CVE-2024-50379 and CVE-2024-56337 and the holiday season I haven't got to it yet. I expect to look at it before the next release (it isn't the only issue on my TODO list). Mark

Re: Setting sun.io.useCanonCaches to false

2024-12-20 Thread Mark Thomas
On 20/12/2024 16:42, Carl Wick wrote: Hello, Mitigation: - Upgrade to Apache Tomcat 9.0.98 or later - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) In a Tomcat 9.0.98/Java 11 running on Windows 2019 environment, how

[SECURITY] CVE-2024-56337 Apache Tomcat - RCE via write-enabled default servlet - CVE-2024-50379 mitigation was incomplete

2024-12-20 Thread Mark Thomas
CVE-2024-56337 Apache Tomcat - RCE via write-enabled default servlet - CVE-2024-50379 mitigation was incomplete Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 D
