Hi,
It seems this happens also with tomcat 10.1.x under certain circumstances.
I have create
https://github.com/reiern70/file-upload-broken
to illustrate the problem. Hope this helps reproduce the problem. If I can
further assist getting this "fixed" please let me know
On Fri, May 2, 2025 at 2:
efault (as per HTTP
spec) MIME type for an HTTP response, or that Tomcat was somehow
ignoring the content type you explicitly requested, but neither are the
case.
The cached resource is not providing the correct MIME type, but that
content type is being used without re-checking it in any way.
Hi,
Mamy thanks for your email.
On Fri, May 2, 2025 at 1:42 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Ernesto,
>
> On 5/1/25 8:51 PM, Ernesto Reinaldo Barreiro wrote:
> > We have an Apache Wicket application that I just ported to wicket 10. The
> > application works as expe
Hi Chris,
please excuse the long delay in answering (unplanned holidays...)
Tomcat is never going to figure out what MIME type should be used for a
request like "/my/servlet/app?version=!!1.22.32-4-g8a3c060!!"
So I think Mark is probably right (well, he's right like 99.999% of the
time, so..
Ernesto,
On 5/1/25 8:51 PM, Ernesto Reinaldo Barreiro wrote:
We have an Apache Wicket application that I just ported to wicket 10. The
application works as expected with the latest Tomcat 10.1.40. But our
application does not work with Tomcat 11.0.6 because file upload (multipart
processing is b
Zoran,
On 5/1/25 9:14 PM, Zoran Avtarovski wrote:
I appreciate you input. In answer to your questions the primary issue we
are experiencing is that on occasions (once a month or two) we will get
two users on different nodes with the same session id. We suspect this
could be because there is a
Hi,
Thank you very much for your email. My answers inlined.
On Fri, May 2, 2025 at 6:54 AM Rick Noel
wrote:
> We had the same issue when going to Tomcat 11.
>
> You need to make two changes.
> 1) get the request params passed in via.
> jakarta.servlet.http.Part
>
> Like so.
>
We had the same issue when going to Tomcat 11.
You need to make two changes.
1) get the request params passed in via. jakarta.servlet.http.Part
Like so.
import jakarta.servlet.http.Part;
Part fileUpload = request.getPart("param-name");
if(null != fileUpload) {
Thanks Chris,
I appreciate you input. In answer to your questions the primary issue we
are experiencing is that on occasions (once a month or two) we will get
two users on different nodes with the same session id. We suspect this
could be because there is a short window from when tomcat create
Rainer and Doug,
On 4/30/25 12:47 PM, Rainer Jung wrote:
Am 30.04.25 um 15:59 schrieb Doug Whitfield:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will
now default to true if not specified, which will in turn set the
default va
Am 30.04.25 um 15:59 schrieb Doug Whitfield:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will now
default to true if not specified, which will in turn set the default value for
the discardFacades connector attribute, thus causin
On 30/04/2025 16:17, Mark Thomas wrote:
On 30/04/2025 14:59, Doug Whitfield wrote:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will
now default to true if not specified, which will in turn set the
default value for the discardF
On 30/04/2025 14:59, Doug Whitfield wrote:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will now
default to true if not specified, which will in turn set the default value for
the discardFacades connector attribute, thus causing
gards,
William Crowell
From: Christopher Schultz
Date: Tuesday, April 29, 2025 at 10:32 AM
To: Tomcat Users List , William Crowell
Subject: Re: When was the first stable GA release of Apache Tomcat 11.0.x?
William,
On 4/29/25 7:04 AM, William Crowell wrote:
Just for my clarification: When wa
gt; > >
> > >
> > >>> I think your host/site context.xml file ideas are interesting.
> Would I be
> > >>> able to take the context info that I put here out of web.xml and put
> it in
> > >>> the conf/Catalina/localhost/site1app.xml and put anot
talina/localhost/site2app.xml with the different
url/username/password?
That would be an ideal and simple answer.
I can think of two other ways to do this. The first way requires no code
changes and should continue to work. It essentially uses the same
servlet context parameters you are already using
configure your application in a
> > more flexible way -- essentially it makes it possible to achieve your
> > goal of decoupling the configuration from the application bundle itself.
>
> I have a team of developers - but, at this moment, the customer does not
want a path that includes c
assword?
That would be an ideal and simple answer.
I can think of two other ways to do this. The first way requires no code
changes and should continue to work. It essentially uses the same
servlet context parameters you are already using, but re-locates them to
context.xml -- which I didn&
Chris,
Beautiful answer and exactly what I was looking for. Thank you.
Regards,
William Crowell
From: Christopher Schultz
Date: Tuesday, April 29, 2025 at 10:32 AM
To: Tomcat Users List , William Crowell
Subject: Re: When was the first stable GA release of Apache Tomcat 11.0.x?
William
William,
On 4/29/25 7:04 AM, William Crowell wrote:
Just for my clarification: When was the first stable GA release of
Apache Tomcat 11.0.x?
I believe it was October 9th, 2024, but I did see the Jakarta EE
Platform Web Profile 11 was released on March 30th, 2025:
https://projects.eclipse.org/p
On Mon, Apr 28, 2025 at 1:07 PM Mark Thomas wrote:
> > On 28/04/2025 16:35, Christopher Schultz wrote:
> > > ABT,
> > >
> > > On 4/28/25 9:05 AM, A Name wrote:
> > >> We are looking at adding a second instance of our app (named
> > >> differently --
> > >> myappA and myappB) to our Tomcat 9. We
On 29/04/2025 08:16, Zdeněk Henek wrote:
Hi,
I have looked at the commits and all have in changes http2. Is this an
issue in case we don't use http2?
No. It only affects h2/h2c.
Mark
Thank you.
Regards,
Zdenek Henek
On Mon, Apr 28, 2025 at 7:12 PM Mark Thomas wrote:
CVE-2025-31650 Apa
Hi,
I have looked at the commits and all have in changes http2. Is this an
issue in case we don't use http2?
Thank you.
Regards,
Zdenek Henek
On Mon, Apr 28, 2025 at 7:12 PM Mark Thomas wrote:
> CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
>
> Severity: High
>
> V
On 28/04/2025 16:35, Christopher Schultz wrote:
ABT,
On 4/28/25 9:05 AM, A Name wrote:
We are looking at adding a second instance of our app (named
differently --
myappA and myappB) to our Tomcat 9. We currently have the app
installed at
a number of customer locations, we are looking at drop
ABT,
On 4/28/25 9:05 AM, A Name wrote:
We are looking at adding a second instance of our app (named differently --
myappA and myappB) to our Tomcat 9. We currently have the app installed at
a number of customer locations, we are looking at dropping 1 app
Currently, our database connections are
Ramesh,
On 4/28/25 7:00 AM, Ramesh B R wrote:
The application hosted on tomcat9 exposes soap api which is consumed by SAP.
On a daily basis we are getting 200 thousands transactions and out of that
we could see around 1000 to 2000 failed transactions due to CONNECTION
REFUSED, CONNECTION CLOSED
On Mon, Apr 28, 2025 at 9:32 AM Mark Thomas wrote:
> > On 28/04/2025 14:05, A Name wrote:
> > > We are looking at adding a second instance of our app (named
> differently --
> > > myappA and myappB) to our Tomcat 9. We currently have the app
> installed at
> > > a number of customer locations, w
On 28/04/2025 14:05, A Name wrote:
We are looking at adding a second instance of our app (named differently --
myappA and myappB) to our Tomcat 9. We currently have the app installed at
a number of customer locations, we are looking at dropping 1 app
Currently, our database connections are esta
Zoran,
On 4/24/25 4:21 AM, Zoran Avtarovski wrote:
Thanks Chuck,
I missed that and will implement. Bigger problem is that
PersistentManager is incompatible with Clusters so we have to migrate
back to memory based sessions and use clusters to share sessions.
I would have thought that cluster
Rick,
On 4/24/25 10:47 AM, Rick Noel wrote:
Hello,
When I upgraded to tomcat 11.0.5 and Java 24,
Tomcat log gives this warning..
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::invokeCleaner has been called by
org.apache.tomcat.util
Mark, Piotr,
thanks a lot for your answers.
I tested both fixes proposed by Piotr:
1) adding to catalina.properties works.
2) adding to JreMemoryLeakPreventionListener.classesToInitialize did not
work.
Simon
On Fri, Apr 25, 2025 at 10:12 AM Piotr P. Karwasz
wrote:
> Hi,
>
> On 25.04.2025 15:
Hi,
On 25.04.2025 15:57, Piotr P. Karwasz wrote:
To solve this, add:
javax.xml.datatype.DatatypeFactory =
com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl
A more proper solution could be to initialize
`j.x.b.DatatypeConverterImpl` using the `JreMemoryLeakPreventionListene
Hi Simon,
On 22.04.2025 17:44, Simon Arame wrote:
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading
Illegal access: this web application instance has been stopped
already. Could not load
[org.apache.xerces.jaxp.datatype.XMLGregorianCalendarImpl$DaysInMonth].
The follo
There is a lot of information here. Responses in-line.
On 24/04/2025 21:51, Simon Arame wrote:
Not sure I am interpreting the doc correctly, does this mean that the
concerned classes of the xercesImpl jar in /WEB-INF/lib will be
ignored when there exists the equivalent in the bootstrap class
Hi Mark, thank you for providing those steps. I downloaded a "YourKit"
trial and did execute them.
I am blocked at the "Figure out what is creating those reference chains"
step. The documentation [
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/loader/WebappClassLoaderBase.html
]
Hi Mark,
By duplicate session I mean that we get a duplicate session id created
by one of the nodes which then hijacks an existing session and we have
two users with a single session. We thought using JDBC based sessions
would avoid this but that doesn't seem to be the case. It could be how
o
On 24/04/2025 02:02, Zoran Avtarovski wrote:
We have a cluster of tomcat servers on AWS EC2 which operate behind an
AWS load balancer with sticky sessions.
We have our session storage on a DB using a JDBC store which for the
most part is working well, but we occasionally see duplicate session
On 23/04/2025 16:10, Simon Arame wrote:
What java method call should I be searching for in libraries source code ?
It isn't going to be that simple. You'll need to do something like.
1. Deploy the application
2. Undeploy the application
3. Force GC (with a profiler)
4. Take a memory snap
Thanks Chuck,
I missed that and will implement. Bigger problem is that
PersistentManager is incompatible with Clusters so we have to migrate
back to memory based sessions and use clusters to share sessions.
I would have thought that cluster would be easier to support with DB
based sessions.
> On 2025 Apr 23, at 20:02, Zoran Avtarovski wrote:
>
> We have a cluster of tomcat servers on AWS EC2 which operate behind an AWS
> load balancer with sticky sessions.
>
> We have our session storage on a DB using a JDBC store which for the most
> part is working well, but we occasionally se
I noticed that this happens after we stop and restart the context but does
not happen right after we restart tomcat.
To answer your question, there are other web applications on the server but
those are not stopped or restarted.
Maybe it's because stopping the context did not correctly deregister
The third one. ☹
Oh well, I had to ask.
-Eric
-Original Message-
From: Mark Thomas
Sent: Tuesday, April 22, 2025 2:50 AM
To: users@tomcat.apache.org
Subject: Re: State Synchronization without Serialization - Possible?
On 22/04/2025 01:09, Eric Robinson wrote:
> Hi all,
>
> W
On 22/04/2025 16:44, Simon Arame wrote:
What is strange is that although it says "this web application instance has
been stopped already", the web application is still running, end users are
still receiving 200 OKs from the web application.
Any other web applications running on that Tomcat i
ng to find
out what works best for your application.
Ooh, one more thing... assuming this is a long-lived service on
dedicated (possibly virtual) hardware: set your minimum and maximum heap
sizes on startup to the save value. There is zero advantage to having
the JVM constantly re-sizing the heap
enough.
I can’t tell you whether it needs to be 1GB or 10GB. You’ll have to
experiment. It’s very common to have GC overhead well below 1% now. (That’s
600ms per 6ms.)
From: Mark Thomas
Sent: Tuesday, April 22, 2025 2:38 AM
To: users@tomcat.apache.org
Subject: Re: Best practices to set heap
On 22/04/2025 01:09, Eric Robinson wrote:
Hi all,
We want to implement tomcat clustering, but we cannot because the application
is commercial, and it does not support serializable objects. In short, it does
not work with tomcat's standard clustering technology. Is there any known
reliable way
On 21/04/2025 17:49, Christopher Schultz wrote:
Ramesh,
On 4/21/25 1:06 AM, Ramesh B R wrote:
How to decide on heap memory size?
is it 25% of total memory? or 50% total memory?
What is the ideal value (in %) for heap memory ?
Only you can answer that question about your own application envir
Ramesh,
On 4/21/25 1:06 AM, Ramesh B R wrote:
How to decide on heap memory size?
is it 25% of total memory? or 50% total memory?
What is the ideal value (in %) for heap memory ?
Only you can answer that question about your own application environment.
The percentage of total memory is comple
On 4/17/25 4:56 PM, Mark Thomas wrote:
> On 17/04/2025 20:32, RAY, DAVID wrote:
>>> I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both
>>> are 'crashing' at startup after the update. Version 9.0.102 and
>>> prior versions ran fine. No issues. Version 9.0.104 is crashing at
Mark,
On 4/17/25 4:56 PM, Mark Thomas wrote:
On 17/04/2025 20:32, RAY, DAVID wrote:
I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both
are 'crashing' at startup after the update. Version 9.0.102 and
prior versions ran fine. No issues. Version 9.0.104 is crashing at
start
Rémy,
On 4/17/25 11:47 AM, Rémy Maucherat wrote:
On Thu, Apr 17, 2025 at 5:16 PM William Crowell
wrote:
Hi,
A few questions on the future direction of the project.
It seems like Project Panama is still in preview mode as of JDK 24. Is that
correct?
No, it's a stable regular part of Java
Thorsten,
On 4/17/25 1:54 AM, Thorsten Heit wrote:
Hi Chris,
That definitely sounds odd. Do you have anything on the network
between the client (browser) and the server (Tomcat)? Specifically,
anything like a load-balancer, proxy, or similar?
I just want to remove other possible causes befo
I've managed to find a solution that works. The info I found has me using
the "log4j-jul" bridge (and excluding spring-boot-starter-logging from
spring-boot-starter-web), which redirects from jul to log4j, which
effectively redirects to logback, which allows me to configure loggers in
the same plac
-Original Message-
From: Mark Thomas
Sent: Thursday, April 17, 2025 3:57 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.104 Crashing at Startup on RHEL 8.4
On 17/04/2025 20:32, RAY, DAVID wrote:
> I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both
On 17/04/2025 20:32, RAY, DAVID wrote:
I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both are
'crashing' at startup after the update.Version 9.0.102 and prior versions
ran fine. No issues. Version 9.0.104 is crashing at startup. Any suggestions
much appreciated:
That
Mark and Rémy,
Thank you for your replies. I think it would be better for now if HTTP/3 is
required is to front Tomcat with NGINX as a reverse proxy.
Regards,
William Crowell
From: Mark Thomas
Date: Thursday, April 17, 2025 at 1:30 PM
To: users@tomcat.apache.org
Subject: Re: Apache Tomcat
To expand on some of that:
On 17/04/2025 16:47, Rémy Maucherat wrote:
On Thu, Apr 17, 2025 at 5:16 PM William Crowell
wrote:
Hi,
A few questions on the future direction of the project.
It seems like Project Panama is still in preview mode as of JDK 24. Is that
correct?
No, it's a stable
On Thu, Apr 17, 2025 at 5:16 PM William Crowell
wrote:
>
> Hi,
>
> A few questions on the future direction of the project.
>
> It seems like Project Panama is still in preview mode as of JDK 24. Is that
> correct?
No, it's a stable regular part of Java since Java 22. Availability of
the API wil
Hi Mark,
That looks like the result of fixing this bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=69623
A little more digging suggests that MIME type is only set for a resource
when it is served via the default servlet. I suspect that lookup needs
to be moved so MIME type is also availab
On 16/04/2025 19:35, Thorsten Heit wrote:
Hi all,
long time Tomcat user, but first time I'm posting, so hi to you all :-)
I'm suffering a strange phenomenon after I upgraded Tomcat on one of our
virtual machines from 10.1.39 to 10.1.40:
When I open the link to an application being served by
Hi Chris,
That definitely sounds odd. Do you have anything on the network between
the client (browser) and the server (Tomcat)? Specifically, anything
like a load-balancer, proxy, or similar?
I just want to remove other possible causes before diving into Tomcat
(but from your description, To
Thorsten,
On 4/16/25 2:35 PM, Thorsten Heit wrote:
long time Tomcat user, but first time I'm posting, so hi to you all :-)
I'm suffering a strange phenomenon after I upgraded Tomcat on one of our
virtual machines from 10.1.39 to 10.1.40:
When I open the link to an application being served by
On 16/04/2025 18:20, Nguyen Duong wrote:
Hi Tomcat team
I am really sorry to bother you regarding this fix for Tomcat 9.0.98 revolving
around the following CVEs,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337
(★) My que
On Wed, Apr 16, 2025 at 9:14 AM S Abirami
wrote:
>
> Hi All,
>
> After upgrading to Tomcat 11, I noticed Catalina.policy file removed from the
> tomcat.
> I haven't see any specific documentation regarding it in tomcat release note,
> migration guide etc.
The security manager support has been r
> On 2025 Apr 15, at 09:32, Christopher Schultz
> wrote:
>
> Chenjp,
>
> On 4/14/25 5:46 AM, Justin Chen wrote:
>> Main branch: Receive unexpected 400 for curl put with content-range header
>> value "bytes 0-0/1" and
>> -d c.
>> PR submitted.
>
> I think HTTP 400 is the correct response for
Chenjp,
On 4/14/25 5:46 AM, Justin Chen wrote:
Main branch: Receive unexpected 400 for curl put with content-range header value
"bytes 0-0/1" and
-d c.
PR submitted.
I think HTTP 400 is the correct response for this. You are saying "I'd
like to update bytes 0-0 (a zero-width update) with th
*“Don't cross the streams.”*
—
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, Doctor Faustus (v. 111-13)
On Mon, Apr 14, 2025 at 17:23 Chuck Caldarale wrote:
>
> > On 2025 Apr 14, at 15:57
> On 2025 Apr 14, at 15:57, Thad Humphries wrote:
>
> Thank you, Mark. Copying both jai-imageio jars into $CATALINA_BASE/lib
> works.
Hopefully, you moved the jars (as Mark suggested) rather than just copying
them. Putting the same jar in multiple places in a branch of the class loader
tree
Thank you, Mark. Copying both jai-imageio jars into $CATALINA_BASE/lib
works.
On Mon, Apr 14, 2025 at 6:13 AM Mark Thomas wrote:
> Thad,
>
> A quick read of https://github.com/jai-imageio/jai-imageio-core suggests
> a possible cause.
>
> The library is using the SPI plugin mechanism of ImageIO.
Thad,
A quick read of https://github.com/jai-imageio/jai-imageio-core suggests
a possible cause.
The library is using the SPI plugin mechanism of ImageIO.
I haven't confirmed this with a code inspection but what I assume is
happening is that the web application is registering an extension at
UNSUBSCRIBE
On Thu, Jan 23, 2025 at 9:00 AM James Matlik wrote:
> It works!
>
> I've been able to test with a customer name of: ÀËÌÑàëíñøü / \ Ѐӿ 中さ 😀
> customer
> This covers
> - Latin-1 Supplement characters are 1 byte: ÀËÌÑàëíñøü
> - The / and \ slash characters are ASCII, but are encoded d
There are no native binaries in either the jai-image core or jpeg2000 jars.
These same web apps run on Linux, Windows, Intel macOS, and at least one
old Solaris machine. I just prefer macOS as my development platform. (Sun's
original JAI did have native libraries, but that was decades ago.)
On Sat
Wild guess. Does this library use tmp to extract binaries to run native
code?
If so, it might be a version collision of those tmp binaries?
On Sat, Apr 12, 2025 at 4:23 PM Thad Humphries
wrote:
> I have a problem that appears to be one webapp in Tomcat 9 having a portion
> of its classpath ma
:46 PM
> To: Tomcat Users List
> Subject: Re: Your connection is not private Issue
>
>
> Usay,
>
> Could you try tls test tool like testssl.sh on the problematic URLs?
>
> It will tell you the reason...
>
> Peter
>
> > Am 10.04.2025 um 18:50 schrieb Christopher
From: Mark Thomas
Date: Wednesday, 9 April 2025 at 4:12 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat
On 03/04/2025 13:05, Rose Mary P T wrote:
> HI Mark,
>
> Thanks for your response.
>
> I would like to seek your guid
= tps_app-dev
DNS.15 = tps_app-dev2..com
DNS.16 = tps_app-dev2
EOF
[cid:image002.png@01DBAA6E.B5FAAB30]
Thanks
-Original Message-
From: Peter Kreuser
Sent: Thursday, April 10, 2025 1:46 PM
To: Tomcat Users List
Subject: Re: Your connection is not private Issue
Usay
Thanks, Peter, for the help.
Could you please provide more insight on the steps to run testssl.sh? We are
using Windows Standard Server 2022.
This will help me.
Thank you.
-Original Message-
From: Peter Kreuser
Sent: Thursday, April 10, 2025 1:46 PM
To: Tomcat Users List
Subject: Re
Usay,
Could you try tls test tool like testssl.sh on the problematic URLs?
It will tell you the reason...
Peter
> Am 10.04.2025 um 18:50 schrieb Christopher Schultz
> :
>
> Uday,
>
>> On 4/10/25 2:44 AM, Uday Upadhyay wrote:
>> I'm experiencing an issue when accessing the production web s
On 10/04/2025 17:53, Christopher Schultz wrote:
Charles,
On 4/9/25 6:57 PM, Charles Slivkoff wrote:
I noticed this in February and have attempted multiple times to
contact the list owners and have received no response.
There are no posts for Tomcat 10.1.x to tomcat-announce after 33 on
2024-1
Charles,
On 4/9/25 6:57 PM, Charles Slivkoff wrote:
I noticed this in February and have attempted multiple times to
contact the list owners and have received no response.
There are no posts for Tomcat 10.1.x to tomcat-announce after 33 on 2024-11-11.
https://lists.apache.org/thread/pbovsrrm11j
Uday,
On 4/10/25 2:44 AM, Uday Upadhyay wrote:
I'm experiencing an issue when accessing the production web servers without using the
.xxx.com domain. The browser displays a message stating, "Your connection is not
private."
This problem occurs in Edge, Chrome, and Firefox, while the developmen
On 10/04/2025 10:44, Greg Huber wrote:
Hello,
Going through the logs, the session creation was being triggered from
our 403 jsp page (they were not following the robots.txt and got
themselves banned).
10 minutes of log entries: (752 403's)
752 (32.71%) 0 (00.00%) 1.5 MiB (04.64%) 4
Hello,
Going through the logs, the session creation was being triggered from
our 403 jsp page (they were not following the robots.txt and got
themselves banned).
10 minutes of log entries: (752 403's)
752 (32.71%) 0 (00.00%) 1.5 MiB (04.64%) 403 - Forbidden:
Server is refusing to r
From: Christopher Schultz
Sent: Thursday, April 10, 2025 2:22
To: users@tomcat.apache.org
Subject: Re: HOWTO: the right way to configure security constraints to protect
CGI scripts in web.xml
Mark,
On 4/8/25 5:40 PM, Mark Thomas wrote:
> 8 Apr 2025 21:45:50 Ch
Thanks for the curl check.
This is what I get from the default page (from the server)
curl -vv http://www.myapp.co.uk/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to www.myapp.co.uk (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: www.myapp.co.uk
> User-Agent: curl/7.61.1
> Accept: *
Thanks for the reply.
I have rechecked the manager app and the sessions are around 40, and steady.
I did not notice the link on the number of sessions, and checking now I
can see they are all under 30 minutes, which is good.
I will go through the logs and analyse the urls to see what was
tri
Greg,
On 4/9/25 7:22 AM, Greg Huber wrote:
I have noticed that seems I have alot of sessions open, when looking in
the application manager. It was was 800+. I don't remember seeing it
this high before. If I refresh the screen I can see the number going up
slowly. I have not made any chang
Mark,
On 4/8/25 5:40 PM, Mark Thomas wrote:
8 Apr 2025 21:45:50 Christopher Schultz :
Justin,
On 4/8/25 3:16 AM, Justin Chen wrote:
Dear users and supporters,
Currently I have two CGI scripts:
1. "/cgi-bin/update" //an administrative command, required role="admin"
2. "/cgi-bin/updateOrder" /
On 09/04/2025 12:45, Vishwas Bm wrote:
Hi,
I am getting below error when having tomcat server name with trailing dot
(.) when using tomcat 10.
From the stacktrace, it looks like it is coming as part of SNI handling.
That is generated by the JRE. Nothing to do with Tomcat.
I'll note that RFC
On 09/04/2025 12:22, Greg Huber wrote:
Hello,
I have noticed that seems I have alot of sessions open, when looking in
the application manager. It was was 800+. I don't remember seeing it
this high before.
Before what?
If I refresh the screen I can see the number going up
slowly. I ha
your time and assistance. I look forward to your response.
Regards,
Rose Mary
*From: *Mark Thomas
*Date: *Thursday, 3 April 2025 at 2:49 PM
*To: *users@tomcat.apache.org
*Subject: *[EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in
Tomcat
On 28/03/2025 09:08, Rose Mary P T wrote:
at your earliest convenience.
Thanks,
Rose Mary
From: Rose Mary P T
Date: Thursday, 3 April 2025 at 5:37 PM
To: Tomcat Users List , ma...@apache.org
Subject: [EXTERNAL] RE: Monitoring Virtual Threads via JMX / MBeans in Tomcat
HI Mark, Thanks for your response. I would like to seek your
On 08/04/2025 00:27, Tim N wrote:
Thanks for clarifying that. Does BackupManager support auto-scaling
Yes, if you use a cluster membership mechanism that allows that.
and
cycled restarts of all nodes (for web-app upgrades) without losing the
user's session?
Yes, but you need to trigger the
On 08/04/2025 13:29, Aniket Pachpute wrote:
No Plans.
Please See: https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0
Plans have evolved a little since that message.
For Tomcat 9:
https://lists.apache.org/thread/o8d1nz8mj8dhwq88jbt7zxopp3omkkkb
Work has now started on Tomcat 12 /
r security mapping would be open to second guesses. It is the same
with any servlet that is using its path info liberally.
Rémy
> Chenjp
>
> From: Mark Thomas
> Sent: Wednesday, April 9, 2025 5:40
> To: Tomcat Users List
> Subject: Re: HOWTO: the right way to configure
Sent: Wednesday, April 9, 2025 5:40
To: Tomcat Users List
Subject: Re: HOWTO: the right way to configure security constraints to protect
CGI scripts in web.xml
8 Apr 2025 21:45:50 Christopher Schultz :
> Justin,
>
> On 4/8/25 3:16 AM, Justin Chen wrote:
>> Dear users and supporters,
8 Apr 2025 21:45:50 Christopher Schultz :
Justin,
On 4/8/25 3:16 AM, Justin Chen wrote:
Dear users and supporters,
Currently I have two CGI scripts:
1. "/cgi-bin/update" //an administrative command, required
role="admin"
2. "/cgi-bin/updateOrder" //update order, required role="biz"
In order
Justin,
On 4/8/25 3:16 AM, Justin Chen wrote:
Dear users and supporters,
Currently I have two CGI scripts:
1. "/cgi-bin/update" //an administrative command, required role="admin"
2. "/cgi-bin/updateOrder" //update order, required role="biz"
In order to protect above endpoints via web.xml secur
Juan,
On 4/6/25 9:36 AM, juan wrote:
I read it
But couldn't make it work
After hours i got it :
This configuration looks acceptable at first glance. When you use this
configuration, you said you "couldn't make it work". Can you be more
spec
William,
On 4/7/25 2:28 PM, William Crowell wrote:
I am running Apache Tomcat 9.0.97 on Windows Server 2022 using Oracle’s JDK
1.8.0_441-b07. Anytime I generate a thread dump I see an AWT-Windows thread.
Should this thread not be there when I am specifying the JVM to run in headless
mode?
-
1 - 100 of 1449 matches
Mail list logo
