Is tomcat UserDatabaseRealm buggy?
Hello,

I think I found the following bug in Tomcat 7/8 with the following setup: we use Tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and deployed a web service with Jersey 1.18.2. Additionally we set up HTTP authentication, in our case DIGEST authentication, but I tried BASIC authentication and the observed behavior is the same.

We have a web service with login and logout methods, as well as some other methods which can only be invoked if a login request was made previously. Authentication works fine until some point in time. At this point the client receives an HTTP response 401 Unauthorized. I double checked that the client sends correct credentials and nonce values. On the server side I enabled logging (see attached log file). The log shows two web service calls; the first one returns successfully, the last one reports the 401 error. As one can see in lines 12 and 13:

    FEIN: Calling authenticate()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate

Tomcat delegates the authentication request to the RealmBase class, logs some stuff and returns with

    FEIN: Successfully passed all security constraints

But in case of my error just these three lines are logged:

    FEIN: Calling authenticate()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FEIN: Failed authenticate() test

My server.xml is as follows:

    ...
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="md5"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
    ...

I also tried to remove the LockOutRealm, but without success.
As far as I understand, with this setup the class org.apache.catalina.realm.CombinedRealm.java is invoked to handle authentication. If I further understand correctly, then the method

    authenticate(String username, String clientDigest, String nonce, String nc,
                 String cnonce, String qop, String realmName, String md5a2)

is also invoked. This method iterates over all configured Realms. It seems to me that, in case of the 401 error, the list of realms (line 51) is empty and thus authentication fails. The error only occurs after many calls to the web service. I was unable to identify any pattern, but it seems related to the nonce timeout, somehow.

Could one verify this bug?

Best Regards,
Andreas

___
Andreas Kehlenbach
Software Engineer, SWD
PROSTEP AG
Dolivostrasse 11, D-64293 Darmstadt
Tel.: +49 6151 9287 332
Fax: +49 6151 9287 326
Email: andreas.kehlenb...@prostep.com

[attached log file]

    Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FEIN: Security checking request POST /OpenPDMSmarTeamOUCAConnectorServer/rest/is-session-alive
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
    FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
    FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
    FEIN: Checking constraint 'SecurityConstraint[OpenPDM OUCA REST WebServices]' against POST /rest/is-session-alive --> true
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase findSecurityConstraints
    FEIN: Checking constraint 'SecurityConstraint[OpenPDM CAD Controller REST WebServices]' against POST /rest/is-session-alive --> false
    Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FEIN: Calling hasUserDataPermission()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase hasUserDataPermission
    FEIN: User data constraint has no restrictions
    Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
    FEIN: Calling authenticate()
    Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
    FEIN: Digest : d747e0dabf284059948a2ad40c0abc72 Username:openpdmadmin ClientSigest:d747e0dabf284059948a2ad40c0abc72
RE: How can code in a Realm gain access to a Globally Named Resource
Chris, thank you for your reply.

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 26 November 2014 04:17
> To: Tomcat Users List
> Subject: Re: How can code in a Realm gain access to a Globally Named Resource
>
> Vince,
>
> On 11/25/14 9:00 PM, vince.w...@thomsonreuters.com wrote:
>> Web applications gain access to Globally Named JDBC Resources
>> (GlobalNamingResources) by adding a ResourceLink to context.xml,
>> then using code like:
>>
>>     Context initContext = new InitialContext();
>>     dbLookupStr = "java:comp/env/" + dbResourceName;
>>     ds = (DataSource) initContext.lookup(dbLookupStr);
>>
>> HOW CAN code in a custom Realm gain access to one of those same
>> Globally named database connection pools?
>
> What's wrong with the code above?

I don't know if there is anything wrong with the code above. If it can be used in a Realm, then what I'm missing is the Realm equivalent of adding a ResourceLink to an application's context.xml. As a result I fail to get a DataSource. I have the Realm defined in the Engine section of server.xml.

>> Extra info included here for background: I have a custom realm that I
>> created by extending JDBCRealm. It does its own authentication and uses
>> JDBCRealm's getRoles() to do the authorization. Although it works much
>> of the time, the inherited getRoles method causes problems. I've decided
>> to re-write my realm without extending JDBCRealm, thus I need to write
>> my own JDBC authorization code, hence the above question.
>
> JDBCRealm should probably die, and you probably shouldn't be using it.
> Why not extend DataSourceRealm instead? You'll get DataSource access
> for free ;)

I've never looked at DataSourceRealm, perhaps it's time I did. I used JDBCRealm because having used it years ago I understand what it aims to do.
Re: URL Mapping for filter not the same on tomcat as it is on TomEE?
2014-11-24 23:05 GMT+03:00 zack6849 <z...@zack6849.com>:
> Hello, I've found some strange issue with the URL mapping with Tomcat. I've tested this on Tomcat 8 and TomEE; it seems easily reproducible. I have a Filter listening to requests matching /uploads/* (all files inside of my uploads directory). On TomEE, this filter is fired for requests just as one would expect; however on Tomcat 8, it does *not*.
>
> Example: /uploads/test.jpg as a file request, the filter fires on TomEE, but not Tomcat, same code, only difference being the servlet mapping. Does anyone know what could be causing this? Relevant code attached below:
>
>     @WebFilter(urlPatterns = "/uploads/*")
>     public class StatisticsFilter implements Filter {

1. What is in your web.xml?

2. Exact versions of Tomcat, Java = ? (Are annotations processed? It is configurable in web.xml.)
Re: Deploying .ca-bundle file .crt file as SSL certificates
Hello,

After arguing with the admins for all this time, I finally have the few files ready. I have the following files: keystore.p12, server.crt, ssl-cert-snakeoil.key, domainname.com.ca-bundle, domainname.com.crt, domainname.com.csr, domainname.com.key, vsftpd.pem.

I did the following as Christoph said:

    root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
    (pressed enter here)
    unable to load certificates    // This is the error.

If I just plain import the .crt file like this:

    keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

then Firefox gives me this error:

    An error occurred during a connection to domainname.com:8443.
    Cannot communicate securely with peer: no common encryption algorithm(s).
    (Error code: ssl_error_no_cypher_overlap)
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

On Tue, Nov 25, 2014 at 10:24 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> To whom it may concern,
>
> On 11/25/14 3:32 AM, Kernel freak wrote:
>> I don't have the server.key and server.crt. I have root access to the server, I can generate my own if necessary. I only have .crt and .ca-bundle file. Can you tell me what to do. Thank you very much for your help.
>
> If you don't have the server's key but you have the server's certificate, then you must start all over again because the key is half of a paired key. Did you generate the CSR yourself? With what key did you generate that CSR? If someone else generated the CSR, go ask them where the key is that they used. If you have lost the key then you must redo the whole process, starting with generating a new key and CSR, then get the CSR signed. Then, import the signed certificate back into the same keystore. Then, configure Tomcat to use that keystore. The instructions on the Tomcat users' guide are fairly straightforward even if they don't explain the intricacies of public key infrastructure -- that's outside the scope of the users' guide.
>
> Thanks,
> -chris
>
>> On Mon, Nov 24, 2014 at 7:48 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> Niranjan,
>>>
>>> On 11/24/14 10:51 AM, Niranjan Babu Bommu wrote:
>>>> I think you have to create a keystore from the cert, please follow these instructions and let me know.
>>>>
>>>> Create store with temporary key inside:
>>>>
>>>>     keytool -genkey -alias <alias name> -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then delete existing entry:
>>>>
>>>>     keytool -delete -alias temp -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Now you've got an empty store. You can check that it's empty:
>>>>
>>>>     keytool -list -keystore yourkeystore.jks -storepass Hello1
>>>>
>>>> Then import your certificate to the store:
>>>>
>>>>     keytool -import -alias <alias name> -file cert_file.crt -keypass <keypass> -keystore yourkeystore.jks -storepass Hello1
>>>
>>> Nope: the existing key *and* cert need to be imported simultaneously into the keystore. If the OP already has a cert, he's already got a key, too. The problem is that you probably started with OpenSSL to generate your keys and stuff. Here is the proper procedure to import your key, certificate, and CA bundle into a Java keystore. You'll need these files:
>>>
>>>     server.key  (this is your server's secret key)
>>>     server.crt  (this is your server's certificate, signed by the CA)
>>>     ca.crt      (this is your CA's certificate)
>>>
>>> Here is the incantation:
>>>
>>>     $ openssl pkcs12 -export -in server.crt -inkey server.key \
>>>         -certfile ca.crt -out keystore.p12 -chain
>>>     $ $JAVA_HOME/bin/keytool -importkeystore -srckeystore keystore.p12 \
>>>         -srcstoretype pkcs12 \
>>>         -destkeystore keystore.jks
>>>
>>> Now, use keystore.jks in Tomcat's server.xml.
>>>
>>> If you already had created your key and cert request using Java's 'keytool', then you can instead just import the signed certificate into your keystore:
>>>
>>>     $ $JAVA_HOME/bin/keytool -importcert -file server.crt \
>>>         -keystore keystore.jks \
>>>         -alias [alias]
>>>
>>> If you used an alias to create the certificate signing request (CSR), then use the same alias in the above command.
>>>
>>> -chris
Re: Help! parallel deployment problem.
Chris,

On 11/25/14 11:48 PM, Chris Gamache wrote:
> Indeed, the affected nodes don't have the newer war at all. If you don't mind me asking -- if not FarmWebDeployer, what scheme do you use to deploy a war across a cluster?

We have a small cluster with slightly different configuration on each one (IP addresses, etc.) so we use ant to build the artifact on each server at deployment time. That is, there is no cluster-wide auto-deployment of any kind going on over here.

-chris

> On Nov 25, 2014, at 11:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Chris,
>>
>> On 11/24/14 10:55 PM, Chris Gamache wrote:
>>> So first, I'd be glad to. Just to be clear -- I'm not in need of a lecture, but will willingly take one if anyone can help me get down to a solution. My first attempt at asking for some assistance was met with crickets. I haven't figured out why when I post (what I think are) well written, well researched and discussion-provoking questions they get no traction, but if I cry "the sky is falling" folks are more willing to attempt to lend a hand. Here's my go at attempt #3:
>>>
>>> I have a tomcat cluster. It is set up with much care according to http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html. It mostly works fine. On occasion (twice a week or so) there will be one or more servers which didn't get the message that a new war was deployed (continuous deployment using the tomcat parallel deployment scheme, e.g. theapp##007.war) and they happily continue to run the old version of the war.
>>
>> I presume you have checked that the affected nodes are running only the old version and not the new version simultaneously, right?
>>
>>> In a farm deployment scenario, the master node will announce to the cluster a new artifact is available and then the clustered tomcats will retrieve and deploy the new artifact. I can't pin down the problem, but let's just say for argument's sake it is a true link-down situation. There doesn't seem to exist a mechanism to re-announce, or announce at regular intervals. This seems like a real weakness in the scheme. That makes me think I'm missing something obvious. If it works like it says it should in the docs I shouldn't be having this issue. Either there's something wrong with my config or there's a problem with tomcat. Based on the hair I have left after pulling mine out, I'm leaning toward a problem with tomcat. Is anyone leveraging FarmWebDeployer and Parallel Deployment in their architecture successfully? If so, DenverCoder9, what did you see?!?
>>
>> Sorry, we don't use the FarmWebDeployer, so I can only give you theoretical advice.
>>
>> -chris
Re: Is tomcat UserDatabaseRealm buggy?
Andreas,

On 11/26/14 5:42 AM, Kehlenbach, Andreas wrote:
> I think I found the following bug in tomcat 7/8 with the following setup: We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and deployed a web service with jersey 1.18.2. Additionally we set up HTTP authentication. In our case DIGEST authentication, but I tried BASIC authentication the observed behavior is the same.
>
> [...]
>
> As far as I understand with this setup class org.apache.catalina.realm.CombinedRealm.java is invoked to handle authentication. If I further understand correctly, then method authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2) is also invoked. This method iterates over all configured Realms. It seems to me that, in case of the 401 error, the list of realms (Line 51) is empty and thus authentication fails. The error only occurs after many calls to the webservice. I was unable to identify any pattern, but it seems related to the nonce timeout, somehow. Could one verify this bug?

What is the nonce timeout?

Note that HTTP BASIC authentication does not use nonces, so the nonce timeout wouldn't be the cause under those circumstances.

How did you switch testing from HTTP DIGEST to HTTP BASIC authentication? The stored credentials are of course incompatible.

If you created a small test case, can you share it with us?

-chris
Re: How can code in a Realm gain access to a Globally Named Resource
Vince,

On 11/26/14 7:26 AM, vince.w...@thomsonreuters.com wrote:
>> On 11/25/14 9:00 PM, vince.w...@thomsonreuters.com wrote:
>>> Web applications gain access to Globally Named JDBC Resources (GlobalNamingResources) by adding a ResourceLink to context.xml, then using code like:
>>>
>>>     Context initContext = new InitialContext();
>>>     dbLookupStr = "java:comp/env/" + dbResourceName;
>>>     ds = (DataSource) initContext.lookup(dbLookupStr);
>>>
>>> HOW CAN code in a custom Realm gain access to one of those same Globally named database connection pools?
>>
>> What's wrong with the code above?
>
> I don't know if there is anything wrong with the code above. If it can be used in a Realm, then what I'm missing is the Realm equivalent of adding a ResourceLink to an application's context.xml. As a result I fail to get a DataSource. I have the Realm defined in the Engine section of server.xml.

I'm not sure, but I would guess you can't define a Realm in server.xml and use a DataSource defined in context.xml. If the Realm is in server.xml, then you should be able to grab the globally-accessible DataSources by using their existing (global) names.

>>> Extra info included here for background: I have a custom realm that I created by extending JDBCRealm. It does its own authentication and uses JDBCRealm's getRoles() to do the authorization. Although it works much of the time, the inherited getRoles method causes problems. I've decided to re-write my realm without extending JDBCRealm, thus I need to write my own JDBC authorization code, hence the above question.
>>
>> JDBCRealm should probably die, and you probably shouldn't be using it. Why not extend DataSourceRealm instead? You'll get DataSource access for free ;)
>
> I've never looked at DataSourceRealm, perhaps it's time I did. I used JDBCRealm because having used it years ago I understand what it aims to do.

DataSourceRealm will use a DataSource you have configured instead of having the connection information directly specified in the Realm configuration. JDBCRealm maintains only a single JDBC connection, so if you have lots of login operations, it will slow down to a crawl. You are better off in almost all cases using DataSourceRealm.

I'm curious about what you have added in your custom Realm.

-chris
AW: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
Hey Chris,

Yes, I know that BASIC authentication doesn't use nonces, thus I don't think that this is the root cause. Just forget about the nonce timeout. For full information: I played around with the timeout and used values of 1, 5, 20 minutes. But as I discovered that the 401 also appears with BASIC authentication, I would suggest testing with this.

I reconfigured Tomcat, because the configuration differs. That's what I did to test both cases.

I hope I can create a small test case tomorrow.

Thank you for your answer,
Andreas

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 26 November 2014 17:20
> To: Tomcat Users List
> Subject: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
>
> [...]
Re: Deploying .ca-bundle file .crt file as SSL certificates
To whom it may concern,

On 11/26/14 9:03 AM, Kernel freak wrote:
> After arguing with the admins for all this time, I finally have the few files ready. I have the following files:
>
> keystore.p12

That should contain your key. Can you confirm that with a 'keytool -list'?

> server.crt

Is this the certificate that was signed by the CA?

> ssl-cert-snakeoil.key

Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.

> domainname.com.ca-bundle

This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?

> domainname.com.crt

Which certificate is this?

> domainname.com.csr

Is this the CSR that you generated yourself?

> domainname.com.key

Weird. Okay, I would expect domainname.com.key to have the key that was used to generate domainname.com.csr, and that domainname.com.crt is a signed version of that CSR. That should be all you need... I'm not sure what all the other stuff is.

> vsftpd.pem

What is this?

> I did the following as Christoph said:
>
>     root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
>     (pressed enter here)
>     unable to load certificates    // This is the error.

I think you might want to do this:

    $ openssl pkcs12 -export -in domainname.com.crt \
        -inkey domainname.com.key \
        -certfile domainname.com.ca-bundle \
        -out keystore.p12 -chain
    $ keytool -importkeystore -srckeystore keystore.p12 \
        -srcstoretype pkcs12 \
        -destkeystore keystore.jks

You are supposed to be able to use PKCS12 keystores directly with Tomcat, but IIRC it's a pain and a bit more finicky than with just a normal JKS-format keystore.

> If I just plain import the .crt file like this:
>
>     keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore

A couple of things:

1. Don't run as root. Not for anything. Not even to run keytool.

2. Don't store your keystore under /root/.keystore, or you'll (likely) have to run Tomcat as root. You can put your keystore anywhere you want and point Tomcat to it explicitly.

3. If you import a certificate into a keystore and there is nothing else in it (the keystore), then you can't perform a handshake because the key is required for secure communication.

> Then Firefox gives me this error:
>
>     An error occurred during a connection to domainname.com:8443.
>     Cannot communicate securely with peer: no common encryption algorithm(s).
>     (Error code: ssl_error_no_cypher_overlap)
>     The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>     Please contact the website owners to inform them of this problem.

The no_cipher_overlap error is likely to be incorrect... the real problem is that the server can't decrypt the client's handshake because the key is unavailable.

I think you might need to get some help with this from someone else at your organization... someone who is a bit more versed in PKI and configuring TLS for web servers.

-chris
Re: AW: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
Andreas,

On 11/26/14 11:26 AM, Kehlenbach, Andreas wrote:
> Yes I know that BASIC authentication doesn't use nonces, thus I don't think that this is the root cause. Just forget about the nonce timeout.

Umm... you suggested that it was the cause. Okay, I'm happy to drop it.

> For full information: I played around with the timeout and used values of 1, 5, 20 minutes. But as I discovered that the 401 also appears with BASIC authentication, I would suggest testing with this.

There are many reasons to get a 401, so it's possible that these issues are not related at all, but I suspect there is some kind of workflow problem going on. AFAIK, Tomcat does the same thing with each request when it comes to authentication. Are you sure that your clients do the same?

> I reconfigured tomcat, because the configuration differs. That's what I did to test both cases. I hope I can create a small test case tomorrow.

Okay, we'll have a look.

When the service stops working (i.e. returns a 401), does it return 401 for all clients at once, or just for a single client in particular? If just a single one, is there any timing information you can give us (like after 5 minutes in all cases, clients start getting 401s instead of 200s)?

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 26 November 2014 17:20
> To: Tomcat Users List
> Subject: [bulk]: Re: Is tomcat UserDatabaseRealm buggy?
>
> Andreas,
>
> On 11/26/14 5:42 AM, Kehlenbach, Andreas wrote:
>> I think I found the following bug in tomcat 7/8 with the following setup:
>>
>> We use tomcat 7.0.42 (but I tried 7.0.55 and 8.0.15 without success) and deployed a web service with jersey 1.18.2. Additionally we set up HTTP authentication. In our case DIGEST authentication, but I tried BASIC authentication and the observed behavior is the same.
>>
>> We have a web service with login and logout methods, as well as some other methods which can only be invoked if a login request was made previously. Authentication works fine, till some point in time. At this point the client receives a HTTP response 401 Unauthorized. I double checked that the client sends correct credentials and nonce values. On the server side I enabled logging (see attached log file). The log shows two web service calls, the first one returns successfully, the last one reports the 401 error. As one can see in lines 12 and 13
>>
>>   FEIN: Calling authenticate()
>>   Nov 18, 2014 2:58:25 PM org.apache.catalina.realm.RealmBase authenticate
>>
>> Tomcat delegates the authentication request to the RealmBase class, logs some stuff and returns with
>>
>>   FEIN: Successfully passed all security constraints
>>
>> But in case of my error just these three lines are logged:
>>
>>   FEIN: Calling authenticate()
>>   Nov 18, 2014 2:58:25 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
>>   FEIN: Failed authenticate() test
>>
>> My server.xml is as follows:
>>
>>   ...
>>   <Engine name="Catalina" defaultHost="localhost">
>>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>              resourceName="UserDatabase" digest="md5"/>
>>     </Realm>
>>     <Host name="localhost" appBase="webapps"
>>           unpackWARs="true" autoDeploy="true" deployOnStartup="true">
>>       <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>              prefix="localhost_access_log." suffix=".txt"
>>              pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>>     </Host>
>>   </Engine>
>>   ...
>>
>> I also tried to remove the LockOutRealm, but without success.
>>
>> As far as I understand, with this setup the class org.apache.catalina.realm.CombinedRealm.java is invoked to handle authentication. If I further understand correctly, then the method
>>
>>   authenticate(String username, String clientDigest, String nonce, String nc, String cnonce, String qop, String realmName, String md5a2)
>>
>> is also invoked. This method iterates over all configured Realms. It seems to me that, in case of the 401 error, the list of realms (Line 51) is empty and thus authentication fails. The error only occurs after many calls to the webservice. I was unable to identify any pattern, but it seems related to the nonce timeout, somehow.
>>
>> Could one verify this bug?
>
> What is the nonce timeout? Note that HTTP BASIC authentication does not use nonces, so the nonce timeout wouldn't be the cause under those circumstances.
>
> How did you switch testing from HTTP DIGEST to HTTP BASIC authentication? The stored credentials are of course incompatible.
>
> If you created a small test case, can you share it with us?
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can code in a Realm gain access to a Globally Named Resource
On 26/11/2014 16:23, Christopher Schultz wrote:
<snip/>
> I'm not sure, but I would guess you can't define a Realm in server.xml and use a DataSource defined in context.xml. If the Realm is in server.xml, then you should be able to grab the globally-accessible DataSources by using their existing (global) names.

You guess wrong. Look at the localDataSource attribute for the DataSourceRealm. If you (or the OP) then look in the source code for where that attribute is used, you'll see how the Realm switches between global and local DataSources.

Mark
Re: Deploying .ca-bundle file .crt file as SSL certificates
On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> To whom it may concern,
>
> On 11/26/14 9:03 AM, Kernel freak wrote:
>> After arguing with the admins for all this time, I finally have the few files ready. I have the following files :
>>
>> keystore.p12
>
> That should contain your key. Can you confirm that with a 'keytool -list'?
>
>> server.crt
>
> Is this the certificate that was signed by the CA?

Yes, this is a certificate signed by the CA, but it's a server certificate; the domain certificate is below.

>> ssl-cert-snakeoil.key
>
> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.
>
>> domainname.com.ca-bundle
>
> This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?
>
>> domainname.com.crt
>
> Which certificate is this?

This is the SSL certificate which has to be deployed.

>> domainname.com.csr
>
> Is this the CSR that you generated yourself?

No, this is also provided by the hosting guys.

>> domainname.com.key
>
> Weird. Okay, I would expect domainname.com.key to have the key that was used to generate domainname.com.csr, and that domainname.com.crt is a signed version of that CSR. That should be all you need... I'm not sure what all the other stuff is.
>
>> vsftpd.pem.
>
> What is this?
>
>> I did the following as Christoph said:
>>
>> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
>> (pressed enter here)
>> unable to load certificates // This is the error.
>
> I think you might want to do this:
>
>   $ openssl pkcs12 -export -in domainname.com.crt \
>       -inkey domainname.com.key \
>       -certfile domainname.com.ca-bundle \
>       -out keystore.p12 -chain
>
>   $ keytool -importkeystore -srckeystore keystore.p12 \
>       -srcstoretype pkcs12 \
>       -destkeystore keystore.jks
>
> You are supposed to be able to use PKCS12 keystores directly with Tomcat, but IIRC it's a pain and a bit more finicky than with just a normal JKS-format keystore.
>
>> If I just plain import the .crt file like this :
>>
>> keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore
>
> A couple of things:
>
> 1. Don't run as root. Not for anything. Not even to run keytool.
>
> 2. Don't store your keystore under /root/.keystore, or you'll (likely) have to run Tomcat as root. You can put your keystore anywhere you want and point Tomcat to it explicitly.
>
> 3. If you import a certificate into a keystore and there is nothing else in it (the keystore), then you can't perform a handshake because the key is required for secure communication.
>
>> Then firefox gives me this error :
>>
>> An error occurred during a connection to domainname.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
>
> The no_cipher_overlap error is likely to be incorrect... the real problem is that the server can't decrypt the client's handshake because the key is unavailable.
>
> I think you might need to get some help with this from someone else at your organization... someone who is a bit more versed in PKI and configuring TLS for web servers.

I have told you what key is for what, can you give me the updated commands please? Unfortunately there is no one here who knows this.

> -chris
Re: Deploying .ca-bundle file .crt file as SSL certificates
To whom it may concern,

On 11/26/14 12:00 PM, Kernel freak wrote:
> On Wed, Nov 26, 2014 at 5:33 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> To whom it may concern,
>>
>> On 11/26/14 9:03 AM, Kernel freak wrote:
>>> After arguing with the admins for all this time, I finally have the few files ready. I have the following files :
>>>
>>> keystore.p12
>>
>> That should contain your key. Can you confirm that with a 'keytool -list'?
>>
>>> server.crt
>>
>> Is this the certificate that was signed by the CA?
>
> Yes, this is a certificate signed by the CA, but it's a server certificate; the domain certificate is below.

I have no idea what a domain certificate is. A cert is a cert, and it's signed by another cert all the way up to a root cert, known as a CA who has widespread trust.

>>> ssl-cert-snakeoil.key
>>
>> Uh, oh. That looks like one of OpenSSL's built-in CAs that are used for documentation and instructional purposes. I hope this isn't being used for anything at all.
>>
>>> domainname.com.ca-bundle
>>
>> This should be the bundle of certificates for your domain, which may include intermediate certificates. Are you using your own internal CA or something?
>>
>>> domainname.com.crt
>>
>> Which certificate is this?
>
> This is the SSL certificate which has to be deployed.
>
>>> domainname.com.csr
>>
>> Is this the CSR that you generated yourself?
>
> No, this is also provided by the hosting guys.

So, did your hosting guys generate everything for you, then? It's customary to create your own key and CSR and then merely have the CA sign the CSR which results in your certificate. You import your certificate and, if necessary, any intermediate certificates your clients will require to form a trust chain from your server's cert up to the root that the client trusts.

>>> domainname.com.key
>>
>> Weird. Okay, I would expect domainname.com.key to have the key that was used to generate domainname.com.csr, and that domainname.com.crt is a signed version of that CSR. That should be all you need... I'm not sure what all the other stuff is.
>>
>>> vsftpd.pem.
>>
>> What is this?
>>
>>> I did the following as Christoph said:
>>>
>>> root@domainname:/etc/ssl/private# openssl pkcs12 -export -in server.crt -inkey ssl-cert-snakeoil.key -certfile domainname.com.crt -out keystore.p12 -chain
>>> (pressed enter here)
>>> unable to load certificates // This is the error.
>>
>> I think you might want to do this:
>>
>>   $ openssl pkcs12 -export -in domainname.com.crt \
>>       -inkey domainname.com.key \
>>       -certfile domainname.com.ca-bundle \
>>       -out keystore.p12 -chain
>>
>>   $ keytool -importkeystore -srckeystore keystore.p12 \
>>       -srcstoretype pkcs12 \
>>       -destkeystore keystore.jks
>>
>> You are supposed to be able to use PKCS12 keystores directly with Tomcat, but IIRC it's a pain and a bit more finicky than with just a normal JKS-format keystore.
>>
>>> If I just plain import the .crt file like this :
>>>
>>> keytool -import -alias tomcat -file domainname.com.crt -keystore /root/.keystore
>>
>> A couple of things:
>>
>> 1. Don't run as root. Not for anything. Not even to run keytool.
>>
>> 2. Don't store your keystore under /root/.keystore, or you'll (likely) have to run Tomcat as root. You can put your keystore anywhere you want and point Tomcat to it explicitly.
>>
>> 3. If you import a certificate into a keystore and there is nothing else in it (the keystore), then you can't perform a handshake because the key is required for secure communication.
>>
>>> Then firefox gives me this error :
>>>
>>> An error occurred during a connection to domainname.com:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
>>
>> The no_cipher_overlap error is likely to be incorrect... the real problem is that the server can't decrypt the client's handshake because the key is unavailable.
>>
>> I think you might need to get some help with this from someone else at your organization... someone who is a bit more versed in PKI and configuring TLS for web servers.
>
> I have told you what key is for what, can you give me the updated commands please? Unfortunately there is no one here who knows this.

I can't understand something on your behalf: you have to understand it yourself. Once you understand what is going on, these commands will make sense and you should be able to execute them without guessing. If you can't figure it out, hire someone who already knows.

The only weird part about Java keystores is the use of an alias which allows you to pack a keystore full of all kinds of goodies and then refer to specific items by their names (I don't know why CN isn't a good enough identifier, but I guess keystore wonks thought it would be a good idea). It's not a bad idea to give every item in your keystore (key, certificate, etc.) an alias so
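Before pointing Tomcat at a keystore, the three problems raised in this thread (a certificate imported without its key, a key that is not the other half of the certificate it sits next to, and a chain that does not link up) can be checked against the keystore file itself. The program below is an added example written for this page, not code from the thread or from Tomcat. It loads the keystore through java.security.KeyStore, which is what Tomcat's connector does, so what it reports is what Tomcat will find. Everything on its command line (file, store type, password, alias) is the caller's; the 'changeit' password and 'tomcat' alias in the usage comment are only the usual defaults, and the key password is assumed to equal the store password, which is the case for a PKCS12 produced by openssl pkcs12 -export.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the thread): inspect a keystore the way Tomcat will
 * see it and say, per alias, whether it could serve a TLS handshake.
 *
 * usage: java KeystoreCheck <keystore-file> <PKCS12|JKS> <store-password> [alias]
 * e.g.   java KeystoreCheck keystore.jks JKS changeit tomcat   (values assumed)
 */
public class KeystoreCheck {

    /** What was found under one alias. */
    public static final class Result {
        public final String alias;
        public final String subject;         // subject DN of the leaf cert, or "-"
        public final boolean hasPrivateKey;  // false for a cert-only (trustedCertEntry) alias
        public final boolean keyMatchesCert; // key and leaf cert are the two halves of one pair
        public final boolean chainLinks;     // chain[i] is signed by chain[i+1]
        public final int chainLength;

        Result(String alias, String subject, boolean hasPrivateKey,
               boolean keyMatchesCert, boolean chainLinks, int chainLength) {
            this.alias = alias; this.subject = subject; this.hasPrivateKey = hasPrivateKey;
            this.keyMatchesCert = keyMatchesCert; this.chainLinks = chainLinks;
            this.chainLength = chainLength;
        }

        /** Point 3 of the thread: no private key, no handshake. */
        public boolean usableForTls() { return hasPrivateKey && keyMatchesCert && chainLinks; }
    }

    public static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static Result check(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            throw new IllegalArgumentException("no such alias: " + alias);
        }
        // "keytool -import -file x.crt" with no matching key produces exactly this:
        // a trusted-certificate entry that Tomcat cannot use as a server identity.
        if (!ks.isKeyEntry(alias)) {
            Certificate c = ks.getCertificate(alias);
            return new Result(alias, subjectOf(c), false, false, false, c == null ? 0 : 1);
        }
        Key key = ks.getKey(alias, keyPassword);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
            return new Result(alias, "-", false, false, false, 0);
        }
        return new Result(alias, subjectOf(chain[0]), true,
                keyMatchesCert((PrivateKey) key, chain[0]), chainLinks(chain), chain.length);
    }

    /** Sign a random challenge with the private key and verify it with the cert's public key. */
    public static boolean keyMatchesCert(PrivateKey key, Certificate cert)
            throws GeneralSecurityException {
        String alg = key.getAlgorithm();                       // "RSA", "EC", "DSA", ...
        String sigAlg = "EC".equals(alg) ? "SHA256withECDSA" : "SHA256with" + alg;
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge);
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(key);
        s.update(challenge);
        byte[] sig = s.sign();
        try {
            Signature v = Signature.getInstance(sigAlg);
            v.initVerify(cert.getPublicKey());
            v.update(challenge);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;   // wrong key family or size: certainly not the matching half
        }
    }

    /** Each certificate must be signed by the next one; the last may be a root or an intermediate. */
    public static boolean chainLinks(Certificate[] chain) {
        for (int i = 0; i + 1 < chain.length; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey());
            } catch (GeneralSecurityException e) {
                return false;
            }
        }
        return true;
    }

    private static String subjectOf(Certificate c) {
        return (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName() : "-";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java KeystoreCheck <keystore> <PKCS12|JKS> <store-password> [alias]");
            System.exit(2);
        }
        char[] pw = args[2].toCharArray();   // key password assumed equal to store password
        KeyStore ks = load(args[0], args[1], pw);
        List<String> aliases = args.length > 3
                ? Collections.singletonList(args[3]) : Collections.list(ks.aliases());
        int unusable = 0;
        for (String alias : aliases) {
            Result r = check(ks, alias, pw);
            System.out.printf("%-12s key=%-5b keyMatchesCert=%-5b chainLinks=%-5b chain=%d subject=%s%n",
                    r.alias, r.hasPrivateKey, r.keyMatchesCert, r.chainLinks, r.chainLength, r.subject);
            if (!r.usableForTls()) unusable++;
        }
        System.exit(unusable == 0 ? 0 : 1);
    }
}
```

Run against a keystore made with keytool -import of domainname.com.crt alone, as in the message above, it reports key=false and exits 1, which is the condition hiding behind the misleading no_cipher_overlap error. Run against a PKCS12 exported from domainname.com.key and domainname.com.crt it reports keyMatchesCert=true only if the two really are one pair, so the snakeoil key pairing in the first attempt would show up here before any browser is involved. The sign-and-verify round trip is used instead of comparing key internals so the same check works for RSA, EC and DSA keys.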
Re: How can code in a Realm gain access to a Globally Named Resource
Mark,

On 11/26/14 12:01 PM, Mark Thomas wrote:
> On 26/11/2014 16:23, Christopher Schultz wrote:
> <snip/>
>> I'm not sure, but I would guess you can't define a Realm in server.xml and use a DataSource defined in context.xml. If the Realm is in server.xml, then you should be able to grab the globally-accessible DataSources by using their existing (global) names.
>
> You guess wrong.

I am aware of the localDataSource attribute but (evidently wrongly) assumed that it was for use when both the data source and realm were configured for the webapp and not globally (that is, the local Realm needed to be configured for a local data source, instead of a global one).

> Look at the localDataSource attribute for the DataSourceRealm. If you (or the OP) then look in the source code for where that attribute is used, you'll see how the Realm switches between global and local DataSources.

Noted. I'm still interested in the OP's need for a custom Realm and, if required, why the DataSourceRealm can't be used as a base to avoid the need to deal with this stuff at all.

-chris
Re: catalina.out rotation in tomcat 7.0.56
Hi Chris,

Can you please help me out with catalina.out rotation? It is the only thing pending in my migration project. I want to rotate catalina.out every day at midnight.

Thanks
Niranjan

On Fri, Nov 21, 2014 at 2:00 PM, Niranjan Babu Bommu niranjan.bo...@gmail.com wrote:
> Hi Chris,
>
> Thanks for your reply. Actually I'm running multiple instances in tomcat, log-rotation works fine for all the instances but they are not rotating at midnight every day.
>
>   '.'yyyy-MM-dd   Rollover at midnight each day.
>
> Thanks
> Niranjan
>
> On Fri, Nov 21, 2014 at 12:18 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>> Niranjan,
>>
>> On 11/21/14 10:38 AM, Niranjan Babu Bommu wrote:
>>> I'm working on a project migrating apps from jboss to tomcat, I'm running into an issue that is catalina.out rotation, I'm using log4j.properties. Everything works fine, log rotation is happening but not every day at midnight. I'm having a difficult time figuring it out. Could someone help me out on this? I followed this document to set it up: http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j.
>>>
>>> log4j.properties in CATALINA_BASE/lib:
>>>
>>>   log4j.rootLogger=INFO,catalina
>>>   log4j.appender.catalina=org.apache.log4j.DailyRollingFileAppender
>>>   log4j.appender.catalina.File=${catalina.base}/logs/catalina.out
>>>   log4j.appender.catalina.Append=true
>>>   log4j.appender.catalina.Encoding=UTF-8
>>>   # Roll-over the log once per day
>>>   log4j.appender.catalina.DatePattern='.'yyyy-MM-dd'.log'
>>>   log4j.appender.catalina.layout=org.apache.log4j.PatternLayout
>>>   log4j.appender.catalina.layout.ConversionPattern=%d [%t] %-5p %c- %m%n
>>
>> If you use ${catalina.base}/logs/catalina.out with log4j and you are also using Tomcat's standard scripts to launch Tomcat, then you will have a conflict because logs/catalina.out is used for redirection of the stdout and stderr streams when the JVM launches.
>>
>> Instead, use a different file with log4j, and minimize the amount of stuff going to stdout/stderr so that it does not require any rotation at all.
>>
>> -chris

--
Thanks
Niranjan
+1 781.956.6900
RE: How can code in a Realm gain access to a Globally Named Resource
Mark,

Thank you. I looked at DataSourceRealm.open(), took the following lines and put them into my custom Realm:

    ///
    if (localDataSource) {
        context = ContextBindings.getClassLoader();
        context = (Context) context.lookup("comp/env");
    } else {
        context = getServer().getGlobalNamingContext();
    }
    DataSource dataSource = (DataSource) context.lookup(dataSourceName);

I have the database resources configured in server.xml's GlobalNamingResources so I configure localDataSource to be false. This seems to be working OK and the Realm is working OK (so far).

Initially I had difficulty with getServer() giving me null. To fix it I stopped calling this method from within the Realm's constructor; instead I get the DataSource the first time it's needed.

Time will tell if this latest incarnation is more reliable than the other versions I've written of this Realm. The first extended JDBCRealm, another extends DataSourceRealm; they both work but not 100% of the time.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: 26 November 2014 17:01
To: Tomcat Users List
Subject: Re: How can code in a Realm gain access to a Globally Named Resource

> On 26/11/2014 16:23, Christopher Schultz wrote:
> <snip/>
>> I'm not sure, but I would guess you can't define a Realm in server.xml and use a DataSource defined in context.xml. If the Realm is in server.xml, then you should be able to grab the globally-accessible DataSources by using their existing (global) names.
>
> You guess wrong. Look at the localDataSource attribute for the DataSourceRealm. If you (or the OP) then look in the source code for where that attribute is used, you'll see how the Realm switches between global and local DataSources.
>
> Mark
Re: catalina.out rotation in tomcat 7.0.56
Niranjan,

On 11/26/14 1:40 PM, Niranjan Babu Bommu wrote:
> Can you please help me out with catalina.out rotation? It is the only thing pending in my migration project. I want to rotate catalina.out every day at midnight.

It sounds like you are saying that rotation isn't working properly: the rotation occurs but not at midnight.

I think it's unlikely that catalina.out is being rotated properly because, really, it can't be unless you have modified catalina.sh (or catalina.bat) and piped the output through a rotatable logging utility. Since you didn't mention having done that, I assume that you have done something incorrectly to get your catalina.out file to rotate.

As for rotating at some other time than midnight, I suspect that you and the JVM disagree over the time zone you are operating in. If you fix the time zone issue, you'll get rotation occurring at the right time.

-chris

> On Fri, Nov 21, 2014 at 2:00 PM, Niranjan Babu Bommu niranjan.bo...@gmail.com wrote:
>> Hi Chris,
>>
>> Thanks for your reply. Actually I'm running multiple instances in tomcat, log-rotation works fine for all the instances but they are not rotating at midnight every day.
>>
>>   '.'yyyy-MM-dd   Rollover at midnight each day.
>>
>> Thanks
>> Niranjan
>>
>> On Fri, Nov 21, 2014 at 12:18 PM, Christopher Schultz ch...@christopherschultz.net wrote:
>>> Niranjan,
>>>
>>> On 11/21/14 10:38 AM, Niranjan Babu Bommu wrote:
>>>> I'm working on a project migrating apps from jboss to tomcat, I'm running into an issue that is catalina.out rotation, I'm using log4j.properties. Everything works fine, log rotation is happening but not every day at midnight. I'm having a difficult time figuring it out. Could someone help me out on this? I followed this document to set it up: http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j.
>>>>
>>>> log4j.properties in CATALINA_BASE/lib:
>>>>
>>>>   log4j.rootLogger=INFO,catalina
>>>>   log4j.appender.catalina=org.apache.log4j.DailyRollingFileAppender
>>>>   log4j.appender.catalina.File=${catalina.base}/logs/catalina.out
>>>>   log4j.appender.catalina.Append=true
>>>>   log4j.appender.catalina.Encoding=UTF-8
>>>>   # Roll-over the log once per day
>>>>   log4j.appender.catalina.DatePattern='.'yyyy-MM-dd'.log'
>>>>   log4j.appender.catalina.layout=org.apache.log4j.PatternLayout
>>>>   log4j.appender.catalina.layout.ConversionPattern=%d [%t] %-5p %c- %m%n
>>>
>>> If you use ${catalina.base}/logs/catalina.out with log4j and you are also using Tomcat's standard scripts to launch Tomcat, then you will have a conflict because logs/catalina.out is used for redirection of the stdout and stderr streams when the JVM launches.
>>>
>>> Instead, use a different file with log4j, and minimize the amount of stuff going to stdout/stderr so that it does not require any rotation at all.
>>>
>>> -chris
>
> --
> Thanks
> Niranjan
> +1 781.956.6900
Re: How can code in a Realm gain access to a Globally Named Resource
2014-11-27 0:26 GMT+03:00 vince.w...@thomsonreuters.com:
> Initially I had difficulty with getServer() giving me null. To fix it I stopped calling this method from within the Realm's constructor; instead I get the DataSource the first time it's needed.

Learn about the org.apache.catalina.Lifecycle interface, which is implemented by the majority of Tomcat components.
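One way to put that pointer into practice, as an added example written for this page rather than Vince's Realm or Tomcat's own DataSourceRealm: the DataSource lookup (the same localDataSource branch Vince copied from DataSourceRealm.open()) is done in startInternal(), the Lifecycle hook Tomcat calls once the Realm has been attached to its container, so getServer() is no longer null and there is no lazy first-use path to get wrong under load. The package name, the jdbc/AuthDB resource name, and the table and column names (app_user, app_user_role) are assumptions; the code targets Tomcat 7 and 8 on Java 7 or later.

```java
package com.example.realm;   // hypothetical package name

import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.naming.ContextBindings;

/**
 * Added example (not Vince's Realm, not Tomcat's DataSourceRealm): a custom
 * Realm for Tomcat 7/8 that resolves its DataSource once, in startInternal().
 *
 * Declared in server.xml next to a GlobalNamingResources/Resource named
 * jdbc/AuthDB (name assumed):
 *   <Realm className="com.example.realm.GlobalDataSourceRealm"
 *          dataSourceName="jdbc/AuthDB" localDataSource="false"/>
 */
public class GlobalDataSourceRealm extends RealmBase {

    private String dataSourceName;
    private boolean localDataSource = false;   // same switch as DataSourceRealm
    private volatile DataSource dataSource;

    public void setDataSourceName(String name) { this.dataSourceName = name; }
    public void setLocalDataSource(boolean local) { this.localDataSource = local; }

    /** Still abstract in Tomcat 7 and 8.0 (gone in 8.5+), hence no @Override. */
    protected String getName() { return "GlobalDataSourceRealm"; }

    @Override
    protected void startInternal() throws LifecycleException {
        super.startInternal();   // sets up containerLog and the STARTING state
        // Tomcat attaches the Realm to its container before calling start(), so
        // getServer() can now walk Engine -> Service -> Server; called from the
        // constructor it returns null, which is what Vince saw.
        try {
            Context ctx;
            if (localDataSource) {
                ctx = ContextBindings.getClassLoader();
                ctx = (Context) ctx.lookup("comp/env");
            } else {
                ctx = getServer().getGlobalNamingContext();
            }
            dataSource = (DataSource) ctx.lookup(dataSourceName);
        } catch (NamingException e) {
            // Refuse to start rather than run a Realm that can never authenticate anyone.
            throw new LifecycleException("cannot resolve DataSource " + dataSourceName, e);
        }
    }

    @Override
    protected String getPassword(String username) {
        // The username comes straight from the client: bind it, never concatenate it.
        String sql = "SELECT password FROM app_user WHERE username = ?";   // table/columns assumed
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;   // null => RealmBase rejects the login
            }
        } catch (SQLException e) {
            containerLog.error("password lookup failed for user " + username, e);
            return null;
        }
    }

    @Override
    protected Principal getPrincipal(String username) {
        String sql = "SELECT role FROM app_user_role WHERE username = ?";   // table/columns assumed
        List<String> roles = new ArrayList<String>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        } catch (SQLException e) {
            containerLog.error("role lookup failed for user " + username, e);
            return null;
        }
        return new GenericPrincipal(username, getPassword(username), roles);
    }
}
```

A lookup failure surfaces as a LifecycleException at startup, where it is visible in catalina.out and stops the Engine, instead of as an intermittent 401 once traffic arrives; with the stored password already digested, the digest attribute of the Realm can be set exactly as with UserDatabaseRealm, since RealmBase does the comparison.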
http://courses.apexlearning.com/apps/AceWeb/logon.jsp
I need the preview sheets for apex world history sem 2 2014, us history sem 2 2014. Like this one for example
Re: http://courses.apexlearning.com/apps/AceWeb/logon.jsp
or a login to the website in the subject

On Wed, Nov 26, 2014 at 4:47 PM, Travis Power powertrav...@gmail.com wrote:
> I need the preview sheets for apex world history sem 2 2014, us history sem 2 2014. Like this one for example
Re: http://courses.apexlearning.com/apps/AceWeb/logon.jsp
it comes from your server/website

On Wed, Nov 26, 2014 at 4:48 PM, Travis Power powertrav...@gmail.com wrote:
> or a login to the website in the subject
>
> On Wed, Nov 26, 2014 at 4:47 PM, Travis Power powertrav...@gmail.com wrote:
>> I need the preview sheets for apex world history sem 2 2014, us history sem 2 2014. Like this one for example
Re: http://courses.apexlearning.com/apps/AceWeb/logon.jsp
On Wed, Nov 26, 2014 at 1:50 PM, Travis Power powertrav...@gmail.com wrote:
> it comes from your server/website

Uh, no. The URL you reference is apparently using a poorly configured instance of the Tomcat server, but that's as far as the connection with this mailing list goes :-)

Good luck.

--
Hassan Schroeder hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan