Re: a problem: tomcat exits unexpectedly

2014-10-06 Thread bo zhao
Warnier,
Thank you for your reply.

The AbstractScheduleTaskProcess class uses the ExecutorService to create
threads and run some custom tasks. These tasks will be done in a few
seconds. Sample code follows:

   for (final List<T> list : lists) {
       executor.submit(new Callable<Object>() {
           @Override
           public Object call() throws Exception {
               try {
                   executeTasks(list);
                   ..

But I don't think that this class causes the serious problem. The max
size of lists is 4 -- that is a parameter of the application.

In our server, we have 12 Tomcat instances that run different
applications, but the default value of the OS parameters (open files and max
processes) is 1024. At first, I modified these values to 65535, but some of
these instances still exited unexpectedly. I have found the same things
in these logs:  pause, reinit, stop. So I think that the OS resource limit
may be causing all of this, especially the open files parameter.

I don't know Tomcat well, so I may not have found the key cause,
and I expect your reply.

Thank you very much.

On Sun, Sep 28, 2014 at 6:37 PM, André Warnier a...@ice-sa.com wrote:

 bo zhao wrote:

 I had modified the OS ulimit parameters: open files and max processes.
 After that, Tomcat doesn't exit unexpectedly, and the Tomcat log does not have the
 ... pause, ... init. It seems to work normally.

 But I still don't know the reason. I want to know if the two parameters are
 the key to solving the problem, and how the two OS limit parameters cause the
 exit of Tomcat?


 I believe that you are understanding this wrongly.  These parameters are
 not the /cause/ of the problem, they are a /symptom/.  The default value of
 these parameters is set so that they are ok for any normal process/system,
 and rarely need to be adjusted.
 By increasing their value, you are moving the problem further down the
 line, but are not solving the real (possible) problem.

 Ognjen is asking a question below. Why do you not start by answering it ?




 On Fri, Sep 19, 2014 at 5:17 PM, Ognjen Blagojevic 
 ognjen.d.blagoje...@gmail.com wrote:

  Zhao,

 On 19.9.2014 3:42, bo zhao wrote:

  but I can't find any error message in the log? what causes the tomcat to
 pause and stop?

  One of the suspects for restarts and shutdown seems to be the class
 com.jd.clover.center.service.AbstractScheduleTaskProcess, as there is a
 log message regarding it, at the first line of each log excerpt you sent.

 What is AbstractScheduleTaskProcess class for?

 -Ognjen


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org









Re: a problem: tomcat exits unexpectedly

2014-10-06 Thread André Warnier

bo zhao wrote:

Warnier,
Thank you for your reply.

The AbstractScheduleTaskProcess class uses the ExecutorService to create
threads and run some custom tasks. These tasks will be done in a few
seconds. Sample code follows:

   for (final List<T> list : lists) {
       executor.submit(new Callable<Object>() {
           @Override
           public Object call() throws Exception {
               try {
                   executeTasks(list);
                   ..

But I don't think that this class causes the serious problem. The max
size of lists is 4 -- that is a parameter of the application.

In our server, we have 12 Tomcat instances that run different
applications, but the default value of the OS parameters (open files and max
processes) is 1024. At first, I modified these values to 65535, but some of
these instances still exited unexpectedly. I have found the same things
in these logs:  pause, reinit, stop. So I think that the OS resource limit
may be causing all of this, especially the open files parameter.

I don't know Tomcat well, so I may not have found the key cause,
and I expect your reply.


In such circumstances, you can (probably) consider Tomcat as just a process like any 
other.  It looks like something in that process is holding on to a lot of open files/sockets.
The Linux utility lsof provides (among a zillion other things) a good way to list all 
the files/sockets linked to one process.
Try it for one of your Tomcat instances, and probably the names of these files/sockets 
will give you a hint.




Thank you very much.

On Sun, Sep 28, 2014 at 6:37 PM, André Warnier a...@ice-sa.com wrote:


bo zhao wrote:


I had modified the OS ulimit parameters: open files and max processes.
After that, Tomcat doesn't exit unexpectedly, and the Tomcat log does not have the
... pause, ... init. It seems to work normally.

But I still don't know the reason. I want to know if the two parameters are
the key to solving the problem, and how the two OS limit parameters cause the
exit of Tomcat?


I believe that you are understanding this wrongly.  These parameters are
not the /cause/ of the problem, they are a /symptom/.  The default value of
these parameters is set so that they are ok for any normal process/system,
and rarely need to be adjusted.
By increasing their value, you are moving the problem further down the
line, but are not solving the real (possible) problem.

Ognjen is asking a question below. Why do you not start by answering it ?





On Fri, Sep 19, 2014 at 5:17 PM, Ognjen Blagojevic 
ognjen.d.blagoje...@gmail.com wrote:

 Zhao,

On 19.9.2014 3:42, bo zhao wrote:

 but I can't find any error message in the log? what causes the tomcat to

pause and stop?

 One of the suspects for restarts and shutdown seems to be the class

com.jd.clover.center.service.AbstractScheduleTaskProcess, as there is a
log message regarding it, at the first line of each log excerpt you sent.

What is AbstractScheduleTaskProcess class for?

-Ognjen
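
The lsof check suggested in this message can also be done from /proc. The following is an added example, not code from the thread or from Tomcat: it groups a process's open descriptors by kind and compares the total with the soft "Max open files" limit. It assumes Linux, and the class name FdSummary is hypothetical.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example: summarise what a process holds open, similar to `lsof -p PID`.
 * Usage: java FdSummary [pid]   (defaults to this JVM; run as the Tomcat user or root)
 */
public class FdSummary {

    /** Classify a /proc/PID/fd link target into a coarse kind. */
    static String kindOf(String target) {
        if (target.startsWith("socket:")) return "socket";
        if (target.startsWith("pipe:")) return "pipe";
        if (target.startsWith("anon_inode:")) return "anon_inode (epoll, eventfd, ...)";
        if (target.endsWith(" (deleted)")) return "deleted file still held open";
        if (target.endsWith(".jar") || target.endsWith(".war")) return "jar/war";
        if (target.startsWith("/dev/")) return "device";
        return "regular file";
    }

    /** Count the open descriptors of the given pid, grouped by kind. */
    static Map<String, Integer> summarise(String pid) throws IOException {
        Map<String, Integer> counts = new TreeMap<>();
        try (DirectoryStream<Path> fds = Files.newDirectoryStream(Paths.get("/proc", pid, "fd"))) {
            for (Path fd : fds) {
                String target;
                try {
                    target = Files.readSymbolicLink(fd).toString();
                } catch (IOException e) {
                    continue; // descriptor was closed between listing and readlink
                }
                counts.merge(kindOf(target), 1, Integer::sum);
            }
        }
        return counts;
    }

    /** Soft "Max open files" limit from /proc/PID/limits, or -1 if the line is absent. */
    static long softOpenFileLimit(String pid) throws IOException {
        String label = "Max open files";
        for (String line : Files.readAllLines(Paths.get("/proc", pid, "limits"))) {
            if (line.startsWith(label)) {
                // Remaining columns: soft limit, hard limit, units
                String soft = line.substring(label.length()).trim().split("\\s+")[0];
                return soft.equals("unlimited") ? Long.MAX_VALUE : Long.parseLong(soft);
            }
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        String pid = args.length > 0 ? args[0] : "self";
        Map<String, Integer> counts = summarise(pid);
        long limit = softOpenFileLimit(pid);

        int total = 0;
        for (Map.Entry<String, Integer> e : counts.entrySet()) {
            System.out.printf("%6d  %s%n", e.getValue(), e.getKey());
            total += e.getValue();
        }
        System.out.printf("%6d  total, soft limit %d%n", total, limit);
        if (limit > 0 && total > limit * 0.8) {
            // A count that keeps climbing towards the limit points at a leak,
            // which raising the limit only postpones.
            System.out.println("WARNING: more than 80% of the open-files limit is in use");
        }
    }
}
```

Run it a few times against the same Tomcat pid; the kind whose count keeps growing is the one to look up by name with lsof.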





RE: tomcat crash problem (INTERNAL)

2014-10-06 Thread Bala-Subrahmanyam.Bhatta
Hi Ognjen,

Could you please suggest one best open source java profiler for analysing and 
monitoring the tomcat server.

Regards,
Subbu.


-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com] 
Sent: 3. oktober 2014 12:47
To: Tomcat Users List
Subject: Re: tomcat crash problem (INTERNAL)

Subbu,

On 3.10.2014 10:25, bala-subrahmanyam.bha...@telenor.com wrote:
 Hi Ognjen,

 Tomcat is crashing with the below error message.

 java.lang.OutOfMemoryError: GC overhead limit exceeded

Please, reply below the quotes, it is standard on this list.

Tomcat has a small memory footprint, way below the 3 GB you allocate for the JVM. 
So, it is probably your application data filling this 3 GB of memory. 
The above error says that the garbage collector is struggling to release 
memory, but it consumes too many CPU cycles and releases too little memory. This 
usually results in dramatic server slowdowns, so the JVM decides to throw an error 
and inform you about the problem.

You should analyze your application heap usage with the profiler to determine 
what objects are holding references so GC is unable to free more memory. If you 
don't need those objects, clear the references. If you really need all those 
objects, throw more memory at the server.

Please read:

   http://wiki.apache.org/tomcat/OutOfMemory

-Ognjen




Re: SecureRandom instance for session ID generation using [SHA1PRNG] took [510,962] milliseconds !

2014-10-06 Thread Martin Hamant

On 03/10/2014 20:41, Rainer Jung wrote:

On 03.10.2014 at 14:01, Christopher Schultz wrote:


Martin,

On 10/3/14 5:48 AM, Martin Hamant wrote:

On 03/10/2014 11:26, Martin Hamant wrote:



The virtual (qemu) server runs with 4GB RAM


Sorry, The hypervisor is KVM. The VM is running on top of
OpenStack So... This could lead somewhere as I am reading
http://blog.dustinkirkland.com/2012/10/entropy-or-lack-thereof-in-openstack.html 



OpenStack or not, running on a VM usually means that the underlying OS
is providing the source of entropy. If your physical machine is
heavily virtualized, you may have multiple entropy sinks constantly
draining your source(s) of entropy.

If you wait for a while, things will recover. If you find you are
constantly blocking waiting for more randomness to be available from
your random source, you basically have 3 options:

1. Suffer through it. Just keep waiting.

2. Use a poor source of randomness, like /dev/urandom on Linux.
I wouldn't recommend this for any kind of production deployment,
since the entropy source is watered-down. You can't rely on it
for important things like encryption (including SSL) and really
anything that requires random numbers that are as random as
possible (like session ids).

3. Get yourself a hardware entropy source. You can buy USB keys that
do this kind of thing. Make sure whatever you get is compatible
with your OS and accessible by Java (better yet, get one that will
simply dump its randomness into /dev/random).


... and in case you are heading for the urandom solution and are using 
JDK before 8, you should use e.g.

-Djava.security.egd=file:/dev//urandom

and *not*

-Djava.security.egd=file:/dev/urandom


Thanks both of you for your help.


And what about using haveged  (so no need to alter setenv.sh) in the VM 
VS using /dev/urandom ?
I read about it here 
http://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines
The small C program returns values between 20-30 in my VM, but as 
specified it doesn't guarantee anything...


- Waiting 10min for a tomcat to start is a pain
- getting a USB hardware device for that is like walking on head.

So... I consider using haveged or urandom
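
To compare the options discussed in this thread on a given VM, the following added example (not code from the thread or from Tomcat) reports the configured seed source, the kernel entropy estimate, and how long the first SHA1PRNG output takes. The class name SeedCheck and the 16-byte output length are assumptions; entropy_avail is Linux-only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Added example: run once with the JVM defaults and once with the
 * -Djava.security.egd=... option under test, then compare the timings.
 */
public class SeedCheck {

    /** Kernel entropy estimate (Linux only); "n/a" where the file does not exist. */
    static String entropyAvail() {
        try {
            byte[] raw = Files.readAllBytes(Paths.get("/proc/sys/kernel/random/entropy_avail"));
            return new String(raw, StandardCharsets.US_ASCII).trim();
        } catch (IOException e) {
            return "n/a";
        }
    }

    /** Major Java version: 7 for "1.7", 8 for "1.8", 11 for "11". */
    static int javaMajor() {
        String v = System.getProperty("java.specification.version");
        return Integer.parseInt(v.startsWith("1.") ? v.substring(2) : v);
    }

    /** Time creation plus first output of a SecureRandom; the first output forces seeding. */
    static long firstBytesMillis(String algorithm, int length) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom random = SecureRandom.getInstance(algorithm);
        random.nextBytes(new byte[length]);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String egd = System.getProperty("java.security.egd");
        System.out.println("java version           : " + System.getProperty("java.version"));
        System.out.println("java.security.egd      : " + (egd == null ? "(not set)" : egd));
        System.out.println("securerandom.source    : " + Security.getProperty("securerandom.source"));
        System.out.println("entropy_avail (before) : " + entropyAvail());

        // Same algorithm name as in the Tomcat warning quoted in the subject line.
        long millis = firstBytesMillis("SHA1PRNG", 16);
        System.out.println("first SHA1PRNG output  : " + millis + " ms");
        System.out.println("entropy_avail (after)  : " + entropyAvail());

        if (javaMajor() < 8 && "file:/dev/urandom".equals(egd)) {
            // This is the exact spelling the thread says *not* to use before JDK 8.
            System.out.println("NOTE: egd uses the form the thread advises against on JDK before 8");
        }
        if (millis > 1000) {
            System.out.println("NOTE: seeding took over a second; the seed source is likely blocking");
        }
    }
}
```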




Re: Connection count explosion due to thread http-nio-80-ClientPoller-x death

2014-10-06 Thread Lars Engholm Johansen
Hi all,

I have good news as I have identified the reason for the devastating
NioEndpoint.Poller thread death:

In rare circumstances a ConcurrentModification can occur in the Poller's
connection timeout handling called from OUTSIDE the try-catch(Throwable) of
Poller.run()

java.util.ConcurrentModificationException
    at java.util.HashMap$HashIterator.nextEntry(HashMap.java:922)
    at java.util.HashMap$KeyIterator.next(HashMap.java:956)
    at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1067)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.timeout(NioEndpoint.java:1437)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1143)
    at java.lang.Thread.run(Thread.java:745)

Somehow the Poller's Selector object gets modified from another thread.

As a remedy until fixed properly by the Tomcat team, I have added a
try-catch(ConcurrentModificationException) surrounding the for loop in
Poller.timeout().
That way, in case of the rare problem, a full iteration of the Selector
will be retried in the next call to Poller.timeout().

I am really happy now as all our production servers have been rock stable
for two weeks now.

Best regards to all,
Lars Engholm Johansen


On Thu, Sep 18, 2014 at 7:03 PM, Filip Hanik fi...@hanik.com wrote:

 Thanks Lars, if you are indeed experiencing a non caught error, let us know
 what it is.

 On Thu, Sep 18, 2014 at 2:30 AM, Lars Engholm Johansen lar...@gmail.com
 wrote:

  Thanks guys for all the feedback.
 
  I have tried the following suggested tasks:
 
 - Upgrading Tomcat to the newest 7.0.55 on all our servers - Problem
 still persists
 - Force a System.gc() when connection count is on the loose -
 Connection count is not dropping
 - Lowering the log level of NioEndpoint class that contains the Poller
 code - No info about why the poller thread exits in any tomcat logs
 - Reverting the JVM stack size per thread to the default is discussed
 previously - Problem still persists
 
  I have now checked out the NioEndpoint source code and recompiled it
  with a logging try-catch surrounding the whole of the Poller.run()
  implementation as I noticed that the outer try-catch here only catches OOME.
  I will report back with my findings as soon as the problem arises again.
 
  /Lars
 
 
 
  On Fri, Jun 27, 2014 at 9:02 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  
   Filip,
  
   On 6/27/14, 11:36 AM, Filip Hanik wrote:
Are there any log entries that would indicate that the poller
thread has died? This/these thread/s start when Tomcat starts. and
a stack over flow on a processing thread should never affect the
poller thread.
  
   OP reported in the initial post that the thread had disappeared:
  
   On 6/16/14, 5:40 AM, Lars Engholm Johansen wrote:
We have no output in tomcat or our logs at the time when this event
 occurs. The only sign is when comparing full java thread dump with
a dump from a newly launched Tomcat:
   
One of  http-nio-80-ClientPoller-0  or  http-nio-80-ClientPoller-1
is missing/has died.
  
   - -chris
  
 



Re: tomcat crash problem (INTERNAL)

2014-10-06 Thread Ognjen Blagojevic

Subbu,

On 6.10.2014 10:27, bala-subrahmanyam.bha...@telenor.com wrote:

Could you please suggest one best open source java profiler for analysing and 
monitoring the tomcat server.


I don't know which (open source) one is the best, but you may try your 
luck with:


1. MAT (http://www.eclipse.org/mat/), which analyzes heap dumps. Just 
dump the server memory while the server is running and later open dump 
files with MAT.


2. VisualVM can monitor your server memory usage, measure surviving 
generations, and compare memory snapshots -- so you could detect what is 
causing memory leak.


-Ognjen




RE: tomcat crash problem (INTERNAL)

2014-10-06 Thread Bala-Subrahmanyam.Bhatta
Thanks Ognjen.

Regards,
Subbu.


-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com] 
Sent: 6. oktober 2014 11:48
To: Tomcat Users List
Subject: Re: tomcat crash problem (INTERNAL)

Subbu,

On 6.10.2014 10:27, bala-subrahmanyam.bha...@telenor.com wrote:
 Could you please suggest one best open source java profiler for analysing and 
 monitoring the tomcat server.

I don't know which (open source) one is the best, but you may try your luck 
with:

1. MAT (http://www.eclipse.org/mat/), which analyzes heap dumps. Just dump the 
server memory while the server is running and later open dump files with MAT.

2. VisualVM can monitor your server memory usage, measure surviving 
generations, and compare memory snapshots -- so you could detect what is 
causing memory leak.

-Ognjen




Re: Maven Tomcat 6/7/8 plugin

2014-10-06 Thread Daniel Mikusa
 On Sun, Oct 5, 2014 at 2:00 PM, Matthias Hryniszak pad...@gmail.com
wrote:

 It seems I might have expressed myself poorly. Let me rephrase:

 I'm looking for RemoteIpValve support in maven-tomcat7-plugin.


Perhaps you could use RemoteIPFilter instead?  You can configure that
through web.xml.


http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_IP_Filter

Dan


 I know the
 valve itself exists since long before version 7 and I am already using it
 in production. What I'm on to here is running Maven-managed web
 applications in development and as far as I can see it's been added ~2
 weeks after the release of 2.2 version of that plugin

 Alternatively if you know of a way to persuade Apache CXF to present the
 endpoint URL using HTTPS scheme when running mvn tomcat7:run. CXF does it
 automatically if the RemoteIpValve  is installed and proper header exists
 (as in the isSecure() method returns true). Otherwise it does just HTTP and
 that in turn makes my local HAProxy do a 302 to HTTPS which ends up in an
 infinite loop and that's not exactly the result I was hoping for...

 Cheers,
 Matthias

 2014-10-05 19:31 GMT+02:00 Konstantin Kolinko knst.koli...@gmail.com:

  2014-10-05 18:01 GMT+04:00 Matthias Hryniszak pad...@gmail.com:
   Hi all,
  
   I'm new to this list so let me briefly introduce myself. My name is
   Matthias and I live in Poland. I'm a software architect for Lumesse, a
   British software development company. The core of our development is
   talent acquisition and talent management software. The part I'm working
   with is e-learning solutions.
  
   Now that you all know me let me ask you a question: are there any plans
   on releasing a new version of the maven-tomcat7-plugin and/or an upgrade
   to maven-tomcat8-plugin? We're falling short a bit on the lack of remote
   IP valve in the current release
 
  RemoteIpValve does exist in Tomcat 7
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
 
   and I was wondering if that's going to be
   released any time soon. Please note the last release (2.2) was November
   2013 and there's been lots of changes so it'd be great to have them
   stabilized and released - not to mention the upgrade over embedded
   Tomcat version.
 
  It is being developed on a branch,
  http://svn.apache.org/viewvc/tomcat/maven-plugin/branches/tc8.x/
 
  See archives of tomcat dev mailing list for discussions.
 
  Thus far, integration tests are failing,
  http://markmail.org/message/xc5r6yycrvmjh2vx
 
 
  Best regards,
  Konstantin Kolinko
 
 
 



Re: Maven Tomcat 6/7/8 plugin

2014-10-06 Thread Matthias Hryniszak
Perfect! I didn't know about this one. Thanks!

2014-10-06 13:37 GMT+02:00 Daniel Mikusa dmik...@pivotal.io:

  On Sun, Oct 5, 2014 at 2:00 PM, Matthias Hryniszak pad...@gmail.com
 wrote:

 It seems I might have expressed myself poorly. Let me rephrase:

 I'm looking for RemoteIpValve support in maven-tomcat7-plugin.


 Perhaps you could use RemoteIPFilter instead?  You can configure that
 through web.xml.


 http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_IP_Filter

 Dan


 I know the
 valve itself exists since long before version 7 and I am already using it
 in production. What I'm on to here is running Maven-managed web
 applications in development and as far as I can see it's been added ~2
 weeks after the release of 2.2 version of that plugin

 Alternatively if you know of a way to persuade Apache CXF to present the
 endpoint URL using HTTPS scheme when running mvn tomcat7:run. CXF does it
 automatically if the RemoteIpValve  is installed and proper header exists
 (as in the isSecure() method returns true). Otherwise it does just HTTP
 and that in turn makes my local HAProxy do a 302 to HTTPS which ends up in
 an infinite loop and that's not exactly the result I was hoping for...

 Cheers,
 Matthias

 2014-10-05 19:31 GMT+02:00 Konstantin Kolinko knst.koli...@gmail.com:

  2014-10-05 18:01 GMT+04:00 Matthias Hryniszak pad...@gmail.com:
   Hi all,
  
   I'm new to this list so let me briefly introduce myself. My name is
   Matthias and I live in Poland. I'm a software architect for Lumesse, a
   British software development company. The core of our development is
   talent acquisition and talent management software. The part I'm working
   with is e-learning solutions.
  
   Now that you all know me let me ask you a question: are there any plans
   on releasing a new version of the maven-tomcat7-plugin and/or an upgrade
   to maven-tomcat8-plugin? We're falling short a bit on the lack of remote
   IP valve in the current release
 
  RemoteIpValve does exist in Tomcat 7
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
 
   and I was wondering if that's going to be
   released any time soon. Please note the last release (2.2) was November
   2013 and there's been lots of changes so it'd be great to have them
   stabilized and released - not to mention the upgrade over embedded
   Tomcat version.
 
  It is being developed on a branch,
  http://svn.apache.org/viewvc/tomcat/maven-plugin/branches/tc8.x/
 
  See archives of tomcat dev mailing list for discussions.
 
  Thus far, integration tests are failing,
  http://markmail.org/message/xc5r6yycrvmjh2vx
 
 
  Best regards,
  Konstantin Kolinko
 
 
 





Re: Connection count explosion due to thread http-nio-80-ClientPoller-x death

2014-10-06 Thread Mark Thomas
On 06/10/2014 10:11, Lars Engholm Johansen wrote:
 Hi all,
 
 I have good news as I have identified the reason for the devastating
 NioEndpoint.Poller thread death:
 
 In rare circumstances a ConcurrentModification can occur in the Poller's
 connection timeout handling called from OUTSIDE the try-catch(Throwable) of
 Poller.run()
 
 java.util.ConcurrentModificationException
     at java.util.HashMap$HashIterator.nextEntry(HashMap.java:922)
     at java.util.HashMap$KeyIterator.next(HashMap.java:956)
     at java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1067)
     at org.apache.tomcat.util.net.NioEndpoint$Poller.timeout(NioEndpoint.java:1437)
     at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1143)
     at java.lang.Thread.run(Thread.java:745)
 
 Somehow the Poller's Selector object gets modified from another thread.

Any idea how? I've been looking through that code for some time now
(this stack trace appears to be from 7.0.55 for those that want to look
at this themselves) and I can't see anywhere where the selector's keyset
is accessed by more than one thread.

 As a remedy until fixed properly by the Tomcat team, I have added a
 try-catch(ConcurrentModificationException) surrounding the for loop in
 Poller.timeout().
 That way, in case of the rare problem, a full iteration of the Selector
 will be retried in the next call to Poller.timeout().

That seems like a reasonable work-around but before we start making
changes to the Tomcat code I'd really like to understand the root
cause(s) of the issue else we might not be fixing the actual issue and
could make it worse for some folks.

Mark


 
 I am really happy now as all our production servers have been rock stable
 for two weeks now.
 
 Best regards to all,
 Lars Engholm Johansen
 
 
 On Thu, Sep 18, 2014 at 7:03 PM, Filip Hanik fi...@hanik.com wrote:
 
 Thanks Lars, if you are indeed experiencing a non caught error, let us know
 what it is.

 On Thu, Sep 18, 2014 at 2:30 AM, Lars Engholm Johansen lar...@gmail.com
 wrote:

 Thanks guys for all the feedback.

 I have tried the following suggested tasks:

- Upgrading Tomcat to the newest 7.0.55 on all our servers - Problem
still persists
- Force a System.gc() when connection count is on the loose -
Connection count is not dropping
- Lowering the log level of NioEndpoint class that contains the Poller
code - No info about why the poller thread exits in any tomcat logs
- Reverting the JVM stack size per thread to the default is discussed
previously - Problem still persists

 I have now checked out the NioEndpoint source code and recompiled it
 with a logging try-catch surrounding the whole of the Poller.run()
 implementation as I noticed that the outer try-catch here only catches OOME.
 I will report back with my findings as soon as the problem arises again.

 /Lars



 On Fri, Jun 27, 2014 at 9:02 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 Filip,
 
 On 6/27/14, 11:36 AM, Filip Hanik wrote:
 Are there any log entries that would indicate that the poller
 thread has died? This/these thread/s start when Tomcat starts. and
 a stack over flow on a processing thread should never affect the
 poller thread.
 
 OP reported in the initial post that the thread had disappeared:
 
 On 6/16/14, 5:40 AM, Lars Engholm Johansen wrote:
 We have no output in tomcat or our logs at the time when this event
  occurs. The only sign is when comparing full java thread dump with
 a dump from a newly launched Tomcat:

 One of  http-nio-80-ClientPoller-0  or  http-nio-80-ClientPoller-1
 is missing/has died.
 
 -chris
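
The failure mode discussed in this thread (an unchecked exception thrown outside the loop's try-catch silently ends a long-lived worker thread) and the interim workaround can be reproduced in isolation. This is an added illustration, not Tomcat's code: the class and method names are hypothetical, and the modification is simulated on the same thread so that the failure is deterministic.

```java
import java.util.ConcurrentModificationException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

/** Added illustration; class and method names are hypothetical, not Tomcat's. */
public class PollerDeathDemo {

    /** Stand-in for a poller: a loop with a guarded body and a separate timeout pass. */
    static class Poller implements Runnable {
        // Stand-in for the selector's key set: HashMap iterators are fail-fast.
        private final Map<Integer, Long> keys = new HashMap<>();
        private final boolean guardTimeout;
        private boolean interfere;   // constructed trigger for the rare modification
        int completedPasses;         // loop passes that ran to the end
        int skippedTimeouts;         // timeout passes abandoned by the workaround

        Poller(boolean guardTimeout) {
            this.guardTimeout = guardTimeout;
            for (int i = 0; i < 3; i++) keys.put(i, 0L);
        }

        /** Walks every key, as a connection-timeout check would. */
        private void timeout() {
            for (Integer k : keys.keySet()) {
                if (interfere) {
                    // Simulates the unexplained modification of the key set.
                    interfere = false;
                    keys.put(1000 + k, 0L);
                }
            }
        }

        @Override
        public void run() {
            for (int pass = 0; pass < 5; pass++) {
                try {
                    // select() and event processing would go here; failures are caught.
                } catch (Throwable t) {
                    System.err.println("caught in loop body: " + t);
                }
                interfere = (pass == 2);
                if (guardTimeout) {
                    try {
                        timeout();
                    } catch (ConcurrentModificationException e) {
                        // Workaround described in the thread: abandon this pass;
                        // the next call iterates the whole key set again.
                        skippedTimeouts++;
                    }
                } else {
                    timeout();   // outside any try/catch: an exception ends the thread
                }
                completedPasses++;
            }
        }
    }

    /** Runs one poller to completion and returns the exception that killed it, or null. */
    static Throwable runPoller(Poller p, String name) throws InterruptedException {
        AtomicReference<Throwable> cause = new AtomicReference<>();
        Thread t = new Thread(p, name);
        // Detection: a handler makes the death of a worker thread explicit.
        t.setUncaughtExceptionHandler((thread, e) -> cause.set(e));
        t.start();
        t.join();
        return cause.get();
    }

    public static void main(String[] args) throws InterruptedException {
        Poller unguarded = new Poller(false);
        Throwable died = runPoller(unguarded, "demo-ClientPoller-0");
        System.out.println("unguarded: passes=" + unguarded.completedPasses
                + " died with " + died);

        Poller guarded = new Poller(true);
        died = runPoller(guarded, "demo-ClientPoller-1");
        System.out.println("guarded:   passes=" + guarded.completedPasses
                + " skipped=" + guarded.skippedTimeouts + " died with " + died);
    }
}
```

The guarded variant keeps the thread alive but, as the reply above points out, it does not explain where the modification comes from.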





 





JNDIRealm Authentication and Roles

2014-10-06 Thread Igor Cicimov
Hi all,

I've been setting up user authentication based on JNDIRealm and have a couple
of questions regarding its operation. I've been using one of the secured
applications that come with the examples included in the Tomcat source for
testing. My setup with obfuscated names and passwords is as follows.

I have the following Realm in the default host:

  <Host name="localhost"  appBase="webapps" unpackWARs="true"
        autoDeploy="false">
    <Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldap1.mydomain.com:389"
       alternateURL="ldap://ldap2.mydomain.com:389"
       connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
       connectionPassword="password"
       userBase="ou=Users,dc=mydomain,dc=com"
       userSearch="uid={0}"
       roleBase="ou=Groups,dc=mydomain,dc=com"
       roleName="cn"
       roleSearch="memberUid={1}"
       contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
    ...
  </Host>

 and have modified the security constraint roles in the web.xml of the
examples application to match my LDAP groups:

  <auth-constraint>
     <!-- Anyone with one of the listed roles may access this area -->
     <!--<role-name>tomcat</role-name>-->
     <!--<role-name>role1</role-name>-->
     <role-name>MyCompany Users</role-name>
     <!--<role-name>tomcat-users</role-name>-->
  </auth-constraint>
  ...
  <security-role>
     <role-name>tomcat-users</role-name>
  </security-role>
  <security-role>
     <role-name>MyCompany Users</role-name>
  </security-role>

Now when I hit the protected application,
https://myserver/examples/jsp/security/protected/, I can successfully login
but only if the role-name is set to MyCompany Users. When I replace it
with the tomcat-users, comment it out and uncomment the tomcat-users role
name, the authentication fails. The following are the traces from the
Tomcat log and LDAP log:

Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username user1 does NOT have role tomcat-users
Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: No role found:  tomcat-users

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
base=ou=Users,dc=mydomain,dc=com scope=1 deref=3 filter=(uid=user1)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn=uid=user1,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn=uid=user1,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SRCH base= scope=0
deref=3 filter=(objectClass=*)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn=cn=connect,ou=Users,dc=mydomain,dc=com mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 RESULT tag=97 err=0 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH
base=ou=Groups,dc=mydomain,dc=com scope=1 deref=3
filter=(memberUid=user1)
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH attr=cn
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SEARCH RESULT tag=101
err=0 nentries=2 text=

So the LDAP server returns 2 entries for the role query (filtering by
attr=cn) which can be confirmed by the following LDAP command doing the
same:

$ ldapsearch -LLL -Z -H ldap://myldap:389/ -D "cn=connect,ou=Users,dc=mydomain,dc=com" \
    -W -b "ou=Groups,dc=mydomain,dc=com" "(memberUid=user1)" cn
Enter LDAP Password:
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1


Not sure if I understand it correctly, but I thought the Realm would loop
through the cn's returned and find the right one before it fails, but it looks
like it picks up the first cn only? Is there something I can modify in my
Realm without changing anything on the LDAP side to fix this?

Thanks,
Igor