
Using Tomcat’s `tomcat-users.xml` with Jakarta Security in TomEE

By Jakarta EE, Tomcat, TomEE No Comments

While working on Jakarta EE 10 certification (see the announcement "Apache TomEE Jakarta EE certified after 10 years"), Apache TomEE implemented the Jakarta Security specification. Currently, there is only one implementation, used in GlassFish and by all the other vendors for Jakarta Security. In TomEE, we decided to create an alternative to bring some diversity and to have an Apache implementation. What is Jakarta Security? Jakarta Security defines a standard for creating secure Jakarta EE applications in modern application paradigms. It defines an overarching (end-user targeted) Security API for Jakarta EE Applications. Jakarta Security builds on the lower level Security SPIs defined…


Understanding Jakarta Security with TomEE

By Apache TomEE, Jakarta EE, Tomcat No Comments

There are many blogs explaining how to get Jakarta Security on Tomcat using all sorts of libraries and wiring everything manually, which leaves many opportunities to get it wrong. If you are evaluating or currently using Apache TomEE, the good news is that Jakarta Security, like JAX-RS, CDI or Bean Validation, is available out of the box and ready to be used, just like Servlet and CDI. This blog is a high-level view so you have the big picture of the technologies and how they interact with each other in the security landscape. The goal is to be able to…


TomEE vs. Tomcat

By Community, Jakarta EE, Open Source, Tomcat, TomEE One Comment

Our support customers will sometimes ask, “What is the difference between Tomcat and TomEE,” but that’s not really the right question. It’s like asking which is better “Omelets or Eggs” or “JSP or Servlets”. You can’t have the first one without the second. TomEE is Tomcat Plus It’s easier to think of TomEE as the same thing as Tomcat plus some bells and whistles, because TomEE is built on top of Tomcat. Specifically, TomEE 8 is the complete Tomcat 9 distribution plus Jakarta EE 8 (formerly Java EE 8) specific APIs. Tomcat is a powerful and hugely popular Java web…


Tomcat RCE Vulnerability via JSP Upload Bypass

By Apache TomEE, Open Source, Tomcat, TomEE No Comments

Tomitribe’s Jonathan Gallimore (@jongallimore) explains how easy it is to exploit a simple configuration vulnerability in Apache Tomcat and take over your entire server. He also explains how easy it is to prevent this from happening with a simple configuration change. This is an older exploit but one that may not be patched on your own installation. Watch the video to ensure you are protected! Tomitribe’s Enterprise Support service works with Sonatype to monitor all reported vulnerabilities to Tomcat, TomEE, and ActiveMQ to help protect our customers from malicious hackers. Learn more about how we help protect our customers here.


Debug mode in Docker for Tomcat and TomEE

By Apache TomEE, Docker, ES, Open Source, Tomcat, TomEE One Comment

Remote debugging is a common practice for troubleshooting issues in software development. If you are using Tomcat or TomEE with Docker containers as part of your stack, you can find various techniques to enable debug capabilities in these types of containers: 1. Create a custom Docker image by extending an existing official one[1] 2. Extensive customization of CATALINA_OPTS[2] However, both approaches require extra steps in some scenarios. Below I share the simplest method I have used to do remote debugging in Apache Tomcat and Apache TomEE with a Docker image: $ docker run -it -p 8080:8080 -p 8000:8000 -e…


Docker and debugging Apache Tomcat and TomEE

By Apache TomEE, Docker, ES, Open Source, Tomcat, TomEE No Comments

Remote debugging is a common practice for investigating problems in microservices. If you are using Apache Tomcat or Apache TomEE Docker containers, you can find several techniques on the web, such as: 1. Extending an official image and customizing it[1] 2. Using extensive customization of CATALINA_OPTS[2] However, both approaches require extra steps that apply in some scenarios. Below I share the simplest way I have used to do remote debugging in Apache Tomcat and Apache TomEE: $ docker run -it -p 8080:8080 -p 8000:8000 -e CATALINA_OPTS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000" tomcat:9.0.17-jre11 Anatomy of the options used: docker run Command to…
