Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Thomas Scheffler
Am 11.01.16 um 22:05 schrieb Mark Thomas: Found on http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection the description how to switch the "feature" off. I will file two bugs soon describing the issues I had. Hopefully they will be fixed. 1.) if using HttpServetRequest.logi

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Mark Thomas
On 12/01/2016 11:06, Thomas Scheffler wrote: > Am 11.01.16 um 22:05 schrieb Mark Thomas: >>> >>> >>changeSessionIdOnAuthentication="false" /> >>> >>> Found on >>> http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection >>> the description how to switch the "feature" off. >>> >>>

Problem with clientAuth SSL connection

2016-01-12 Thread David Sills
All: I'm trying to set up clientAuth SSL connection between a batch process and Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set up a server certificate (self-signed) and used this configuration in Tomcat (server.xml): In the client, I used java -cp ws-client.

Re: File size >= 2GB not uploaded in application [Tomcat 7.0.54 Struts: 2.3.24 JAVA: openJDK 1.7.79]

2016-01-12 Thread David kerber
On 1/12/2016 12:01 AM, Rahul Singh wrote: Hello Apache Tomcat team, Sending again with some corrections, File upload in my application(Tomcat 7.0.54 Struts: 2.3.24 JAVA: openJDK 1.7.79) is not successful for greater than 2 gb. After previous discussion here on previous thread, I migrated my

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Thomas Scheffler
Am 12.01.16 um 13:24 schrieb Mark Thomas: On 12/01/2016 11:06, Thomas Scheffler wrote: Am 11.01.16 um 22:05 schrieb Mark Thomas: Found on http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection the description how to switch the "feature" off. I will file two bugs soon descri

Re: Upload big file for data

2016-01-12 Thread Edwin Quijada
Sorry for missing information. My tomcat is 8.0, Debian 7. Tomcat is in front of my app using Grails+Vaadin for interface. This annotation where will be used in Grails.conf? From: Kyohei Nakamura Sent: Tuesday, January 12, 2016 7:44 AM To: Tomcat Users Li

RE: Tomcat 8.0.30 Session lost

2016-01-12 Thread Cris Berneburg - US
Thomas > -Original Message- > From: Olaf Kock [mailto:tom...@olafkock.de] > Sent: Monday, January 11, 2016 4:12 PM > To: Tomcat Users List > Subject: Re: Tomcat 8.0.30 Session lost > > Well, at least you do a bit of protection instead of just disabling the > session fixation security fi

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Mark Thomas
On 12/01/2016 13:03, Thomas Scheffler wrote: > Am 12.01.16 um 13:24 schrieb Mark Thomas: >> On 12/01/2016 11:06, Thomas Scheffler wrote: >>> Am 11.01.16 um 22:05 schrieb Mark Thomas: For the first the description above isn't clear enough to be sure exactly what you are asking for. Howe

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Christopher Schultz
Thomas, On 1/12/16 8:03 AM, Thomas Scheffler wrote: > Am 12.01.16 um 13:24 schrieb Mark Thomas: >> On 12/01/2016 11:06, Thomas Scheffler wrote: >>> Am 11.01.16 um 22:05 schrieb Mark Thomas: > > className="org.apache.catalina.authenticator.BasicAuthenticator" > changeSessionIdO

[ANN] Apache Tomcat Native 1.2.4 released

2016-01-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.4 stable. The key features of this release are: - Improvements to renegotiation Note that, unless a regression is discovered in 1.2.x, users should now be using 1.2.x in preference to 1.1.x. Please refer to t

Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread McDermott, Becky
I am integrating Tomcat with the IBM CLM 6.0.1 collaboration tools. Per IBM's installation instructions, I downloaded and extracted Tomcat 7.0.59 to my server. I am successfully able to start the Tomcat server from the command line using the batch files provided by the IBM application (C:\Prog

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Christopher Schultz
Olaf, On 1/11/16 4:12 PM, Olaf Kock wrote: > Well, at least you do a bit of protection instead of just disabling the > session fixation security filter. However, be aware that potentially > many people might come from the same IP address - either because it's a > NATing home router or a big compan

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Thomas Scheffler
Am 12.01.16 um 14:41 schrieb Mark Thomas: 1.) are not required as every request belonging to the same session are already authenticated. After login() other request of the same session will not return 'null' on getRemoteUser() or getUserPrincipal() 2.) are not required, as authenticate() use the

Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread Christopher Schultz
Becky, On 1/12/16 10:42 AM, McDermott, Becky wrote: > I am integrating Tomcat with the IBM CLM 6.0.1 collaboration tools. Per > IBM's installation instructions, I downloaded and extracted Tomcat 7.0.59 to > my server. > > I am successfully able to start the Tomcat server from the command line

Re: Problem with clientAuth SSL connection

2016-01-12 Thread Christopher Schultz
David, On 1/12/16 7:43 AM, David Sills wrote: > All: > > I'm trying to set up clientAuth SSL connection between a batch process and > Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set > up a server certificate (self-signed) and used this configuration in Tomcat > (ser

RE: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread McDermott, Becky
I used the Java options provided by IBM. Since Tomcat will successfully start using the startup batch files, I assume that these settings are fine. I've tried playing with the settings and cannot get it to work either. It seems like it's some sort of weird Windows thing. I have successfully c

RE: Problem with clientAuth SSL connection

2016-01-12 Thread David Sills
Christopher: Thank you for your prompt reply. The client does seem to need a trust store when dealing with a self-signed certificate from the server, as otherwise it tries to create a chain back to an implicitly trusted CA. I agree, with a commercial certificate this would not be necessary, as

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread tomcat
On 12.01.2016 12:06, Thomas Scheffler wrote: Am 11.01.16 um 22:05 schrieb Mark Thomas: Found on http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection the description how to switch the "feature" off. I will file two bugs soon describing the issues I had. Hopefully they will

RE: Problem with clientAuth SSL connection

2016-01-12 Thread David Sills
Oh, and by the way, it turns out I'm using Java 6, not 8. Not that that should make a huge difference, but our client is a bit behind the times. -Original Message- From: David Sills [mailto:dsi...@datasourceinc.com] Sent: Tuesday, January 12, 2016 11:35 AM To: Tomcat Users List Subject:

Error deploying WAR

2016-01-12 Thread George Sexton
I'm hitting an error, and I'm not sure how to fix it. The environment is: OS: Ubuntu Linux Tomcat: 6.0.44 JVM: Sun 1.6.0.22 CATALINA_HOME/CATALINA_BASE configuration The client reports that this system has worked in the past. Their original production system was running 6.0.18 using a distribu

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread David kerber
On 1/12/2016 10:57 AM, Thomas Scheffler wrote: Am 12.01.16 um 14:41 schrieb Mark Thomas: 1.) are not required as every request belonging to the same session are already authenticated. After login() other request of the same session will not return 'null' on getRemoteUser() or getUserPrincipal()

Re: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread Mark Thomas
On 12/01/2016 16:04, McDermott, Becky wrote: > I used the Java options provided by IBM. Since Tomcat will successfully > start using the startup batch files, I assume that these settings are fine. > I've tried playing with the settings and cannot get it to work either. It > seems like it's som

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Olaf Kock
Hi Christopher, Thanks for reminding me of my extra doubt that I missed writing of in the first post: Picking up on AOL: If I'm on proxy1 now, with many other users - will I stay on that proxy for a long time? Or will I be loadbalanced to many other proxies during my visit on the site? There's no

Re: Problem with clientAuth SSL connection

2016-01-12 Thread Mark Thomas
On 12/01/2016 16:39, David Sills wrote: > Oh, and by the way, it turns out I'm using Java 6, not 8. Not that that > should make a huge difference, but our client is a bit behind the times. Are you sure the right certs are in the right stores? If all the certs are self-signed then: The trust sto

Re: Error deploying WAR

2016-01-12 Thread Mark Thomas
On 12/01/2016 16:40, George Sexton wrote: > I'm hitting an error, and I'm not sure how to fix it. The environment is: > Check the JARs in WEB-INF/lib for any javax.servlet classes. There should not be any. You might as well check WEB-INF/classes while you are at it. If any JARs have been added t

RE: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread McDermott, Becky
I am definitely not a Java/Tomcat expert so I appreciate the info. I have 10GB of RAM and only 1.2 GB is in use when I try to start the tomcat service. I downloaded from: http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.59/bin/?cm_mc_uid=36937329763514476995925&cm_mc_sid_5020=1450452120

Re: Problem with clientAuth SSL connection

2016-01-12 Thread Christopher Schultz
Mark, On 1/12/16 12:01 PM, Mark Thomas wrote: > On 12/01/2016 16:39, David Sills wrote: >> Oh, and by the way, it turns out I'm using Java 6, not 8. Not that that >> should make a huge difference, but our client is a bit behind the times. > > Are you sure the right certs are in the right stores?

Re: Error deploying WAR

2016-01-12 Thread Christopher Schultz
Mark, On 1/12/16 12:03 PM, Mark Thomas wrote: > On 12/01/2016 16:40, George Sexton wrote: >> I'm hitting an error, and I'm not sure how to fix it. The environment is: > > Check the JARs in WEB-INF/lib for any javax.servlet classes. There > should not be any. You might as well check WEB-INF/classe

Re: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread Mark Thomas
On 12/01/2016 17:10, McDermott, Becky wrote: > I am definitely not a Java/Tomcat expert so I appreciate the info. I have > 10GB of RAM and only 1.2 GB is in use when I try to start the tomcat service. OK. You should be OK then but you never know. One thing to try is lower settings to see if you

Re: Problem with clientAuth SSL connection

2016-01-12 Thread Christopher Schultz
David, On 1/12/16 11:34 AM, David Sills wrote: > The client does seem to need a trust store when dealing with a > self-signed certificate from the server, as otherwise it tries to > create a chain back to an implicitly trusted CA. I agree, with a > commercial certificate this would not be necessar

Re: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread tomcat
On 12.01.2016 18:29, Mark Thomas wrote: On 12/01/2016 17:10, McDermott, Becky wrote: I am definitely not a Java/Tomcat expert so I appreciate the info. I have 10GB of RAM and only 1.2 GB is in use when I try to start the tomcat service. OK. You should be OK then but you never know. One thing

RE: Problem with clientAuth SSL connection

2016-01-12 Thread David Sills
I will try both sides in Java 8. Our client, however, still has to use Java 6 (government sigh...). But at least if the same problem occurs, I'll know what's going on. And I'll check the certificates, though I was exceedingly careful during the setup and checked everything once already. ---

RE: Problem with clientAuth SSL connection

2016-01-12 Thread David Sills
One question as I try this - how to get logging at the debug level for the handshake process? I have tried setting everything in logging.properties to FINEST, but it makes no difference. -Original Message- From: David Sills [mailto:dsi...@datasourceinc.com] Sent: Tuesday, January 12, 20

RE: Problem with clientAuth SSL connection

2016-01-12 Thread Tauzell, Dave
You can enable jvm level TLS debug: -Djavax.net.debug=all See this site for more information: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html Dave Tauzell | Senior Software Engineer | Surescripts O: 651.855.3042 | www.surescripts.com | dave.tauz...@suresc

Re: Tomcat 8.0.30 Session lost

2016-01-12 Thread Mark Thomas
On 12/01/2016 15:57, Thomas Scheffler wrote: > What I read in the specification is that a *fix* could be implemented > that would allow the bug to disappear. The third point above, changing > the sessionId only if the user is "new" to the session, would fix the > problem, could be integrated easi

RE: [EXTERNAL] Re: Problem starting Tomcat 7.0.59 as a Windows Service

2016-01-12 Thread Terence M. Bandoian
On 1/12/2016 10:04 AM, McDermott, Becky wrote: I used the Java options provided by IBM. Since Tomcat will successfully start using the startup batch files, I assume that these settings are fine. I've tried playing with the settings and cannot get it to work either. It seems like it's some so

Re: File size >= 2GB not uploaded in application [Tomcat 7.0.54 Struts: 2.3.24 JAVA: openJDK 1.7.79]

2016-01-12 Thread Rahul Singh
Hi, >Define "Not successful"? Exceptions thrown? File truncated? Upload >never starts? Never finishes? Not successful: Request never finishes, we have traced the HttpServlet request object and request.getContentLength returns 0 in case when file size is >=2GB, No exception thrown, as well a