From: "Caldarale, Charles R"
To: Tomcat Users List
Subject: RE: Tomcat 8.5.4 and LegacyCookieProcessor
Date: Thu, 18 May 2017 18:12:40 +0000

> From: jared.paul.walker@gmail.com [mailto:jared.paul.walker@gmail.com] On Behalf Of Jared Walker
> Subject: Tomcat 8.5.4 and LegacyCookieProcessor

> We are migrating to the version of tomcat identified in the subject

Before exposing an almost year-old version to the nasty real world, you might want to look at this:
http://tomcat.apache.org/security-8.html
and then pick a newer level (hint: 8.5.15 would be good).

> 1. What are the security and compatibility concerns when using the
> legacy processor

Sorry, can't answer that one.

> 2. The header for LegacyCookieProcessor.java explicitly states: "This
> class is not thread-safe."
> Can someone here with background knowledge explain exactly what's not
> thread-safe about the processor? Does this mean you cannot use it for
> multiple simultaneous requests (pretty hindering for a server) or does
> this mean that you cannot have multiple threads parse the cookie
> contents of a request in parallel (which isn't a very normal thing to
> do)?

It's neither, really; there is one instance of CookieProcessor per , and the fields within LegacyCookieProcessor that make it not thread-safe are only set (in Tomcat) when the is initialized. Were you to dynamically reset the fields while requests were in progress, you could get in trouble. The fields are described here:
http://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

 - Chuck