Message |
|
Perfect!
Thanks.
Regards,
Tommy
|
 |
|
Hi,
I performed a small PEN test on my installation of JForum and got a warning that the 'Secure' flag is missing (which is true):
Set-Cookie: jforumAutoLogin=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; HttpOnly; SameSite=Strict
Set-Cookie: jforumUserId=1; Max-Age=31536000; Expires=Tue, 10 Mar 2026 19:26:29 GMT; Path=/; HttpOnly; SameSite=Strict
I tried to force the inclusion of that flag through the 'session-config' in web.xml:
<session-config>
    <session-timeout>10</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
But for some strange reason it works for all 'Set-Cookie' headers except for jforum* cookies. Very strange.
Is there any other way to enforce inclusion of the 'Secure' flag through JForum? The headers are immutable in the HttpServletResponse class, so it can't be changed afterwards through a filter or something similar.
Thanks.
Regards,
Tommy
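
One way to add the flag at the servlet layer, as an added example that is not JForum's or the poster's code: the response is wrapped in a filter so that each cookie is rewritten at the moment the application writes it. It assumes the jakarta.servlet namespace (javax.servlet on Tomcat 9) and that the jforum* cookies reach the response through addCookie, addHeader or setHeader; SecureCookieFilter and withSecure are hypothetical names.

```java
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.util.regex.Pattern;

/** Added example: forces the Secure attribute onto every cookie written downstream. */
public class SecureCookieFilter implements Filter {

    // Detects an existing Secure attribute (case-insensitive) so it is not appended twice.
    private static final Pattern HAS_SECURE =
            Pattern.compile("(?i);\\s*secure\\s*(;|$)");

    // Returns the Set-Cookie value with "; Secure" appended when it is missing.
    static String withSecure(String setCookieValue) {
        return HAS_SECURE.matcher(setCookieValue).find()
                ? setCookieValue
                : setCookieValue + "; Secure";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse wrapped =
                new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie cookie) {
                cookie.setSecure(true);            // cookies built with the Cookie API
                super.addCookie(cookie);
            }
            @Override
            public void addHeader(String name, String value) {
                super.addHeader(name, fix(name, value));   // raw Set-Cookie headers
            }
            @Override
            public void setHeader(String name, String value) {
                super.setHeader(name, fix(name, value));
            }
            // Only Set-Cookie values are touched; every other header passes through.
            private String fix(String name, String value) {
                return "Set-Cookie".equalsIgnoreCase(name) && value != null
                        ? withSecure(value) : value;
            }
        };
        chain.doFilter(req, wrapped);   // the application only ever sees the wrapper
    }
}
```

The filter has to be mapped ahead of the JForum servlet (for example to /*) so that JForum writes to the wrapper. Browsers only accept and return Secure cookies over HTTPS, so the site must be served over TLS for logins to keep working.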
|
 |
|
Unfortunately not. I have JForum embedded in my own web app, which I have already updated to Jakarta EE 9 since I want to utilize the latest spec.
But I don't understand why you don't upgrade JForum? How will you manage security vulnerabilities in Java EE 8 when it's not supported anymore? It also depends on other legacy third parties. That's a bit strange since it's a dead end.
Regarding "commons-fileupload", there seems to be an already patched version available. It was mentioned in the link you posted in your previous message:
https://community.jforum.net/posts/list/257.page
Even better, there is a public Apache release available with support for Servlet 6 (which uses Jakarta EE).
https://commons.apache.org/proper/commons-fileupload/commons-fileupload2-jakarta-servlet6/project-info.html
https://central.sonatype.com/artifact/org.apache.commons/commons-fileupload2-jakarta
/Tommy
|
 |
|
Hi,
Unfortunately, it's not possible to deploy JForum on a Tomcat version 10.x or v11.x instance since JForum only supports up to Java/Jakarta EE 8.
This means that we are forced to use Tomcat version 9.0.98 (Java 8 and later) which is next in queue to be deprecated and unsupported. That is not good.
When I start up the Catalina container, I get the following exception:
java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
The technical reason is that during the step from Java/Jakarta EE 8 to Jakarta EE 9 all javax.* packages have been renamed to jakarta.* packages. So there is no backwards compatibility anymore since Jakarta EE 9.
It is however very easy to fix. Just replace the javax.servlet.* imports in the JForum code by jakarta.servlet.*:
import jakarta.servlet.*;
import jakarta.servlet.http.*;
Do you have any plans on upgrading (or forking) JForum to support the newer Tomcat versions (Jakarta EE 9)?
It would be very much appreciated. Trust me.
Thanks!
Regards,
Tommy
|
 |
|
Thank you!
I checked the table and it was user ID 2 (admin).
What can make my own admin get banned? Are there any automatic banning features included and active in JForum? I have not banned my admin, hehe.
Btw, I have been in contact with this support several times before. Just must say that I am super impressed by your immediate, quick, and helpful responses. Very much appreciated!
Tommy
|
 |
|
Hi,
I restarted my web server and database. When I then visited my JForum page, I was met by the following message "You have been banned from this forum. If you have any questions, please contact the Administrator. Thank you.".
I entered the JForum page as an anonymous user.
What can lead to this kind of strange situation? Can you please give a hint on where to start finding the cause of this? Is there a "banned" column in a DB table somewhere? If yes, when and how is that one set?
Thanks.
Regards,
Tommy
|
 |
|
OH YES!!
All groups (including "Administration") apparently had their group permissions set to negative selections ("Allow all" deselected, and "No" set for all choices). Probably due to safeguard settings when changes were made to groups/permissions in a newer version of JForum.
Now it just works!
Thank you VERY MUCH for your help in this matter!
Wish you a great Sunday as well. 
|
 |
|
It did not solve this specific problem, but now the search functionality partially works.
When I search for a common term, I get the following response:
"Search Results: 222 records were found"
But below the "Search Results" it says "No results were found. Click here to make a new search. ".
Also, the Forum Index list on the start page is still empty as well.
What a weird problem.
Any other suggestions to share with me?
|
 |
|
Thanks for the advice.
But unfortunately it didn't solve the problem.
Another strange thing is that when I go to the search page and enter any search term, then I always get "0 records were found" even though I use terms that I know exist.
Any other suggestions I can try out?
Edit:
I connected JForum back to the new database (the one that was initialized when I installed JForum version 2.8.3) and here it just works! I can in the Forum Index list see the "Category Test" -> "Test Forum" -> "This is a test forum"
But when I connect JForum to my migrated database, then the Forum Index list is empty again. Seems like something is missing in the migration steps.
|
 |
|
The migration went well! The only problem was that the older scripts contained "TYPE=InnoDB". But when changed to "ENGINE=InnoDB", they worked fine as well.
Everything looks ok. I can login as admin and see all registered users etc.
But the "Forum Index" list on the main page is empty. They are correctly stored in the database tables though.
I did a "SELECT(*)" on the following tables as well:
jforum_categories = 1
jforum_forums = 4
jforum_posts = 285
jforum_posts_text = 285
Can you suggest anything for this?
I get no error messages in Tomcat or in the web page.
Is there any way to debug this? The problem is very shy and quiet.
Thanks!
Edit:
Added jforum log file as attachment. But it doesn't say much unfortunately.
I am using:
openjdk version 11.0.16.1
JForum version 2.8.3
Tomcat version 9.0.82
MySQL 8 version 8.0.34
mysql-connector-j-8.1.0.jar
|
 |
|
Perfect!
Just what I was looking for, but didn't know where to find.
Thank you so very much for that.
Btw, extra thanks for a quick and competent reply.
- Tommy
|
 |
|
Hi,
I have a very big database migration ahead of me regarding a really old version of JForum.
Old version: jforum-2.1.4
New version: jforum-2.8.3
Are there any upgrade DB SQL scripts available for the JForum database that I can execute one-by-one to get up to the latest release (I am using MySQL)?
There are many releases to go through to upgrade, so it would save me a lot of time if you already have the required scripts available/collected.
Any help/suggestions are appreciated.
Thank you!
Regards,
Tommy
|
 |
|