Re: Tomcat Conflicting with Group Policy Client

2015-11-19 Thread tomcat

On 19.11.2015 05:19, Nick Childs wrote:

Tomcat Version: 6.0.39

Operating System: Server 2012 R2 Standard

Configuration: We are utilizing Tomcat as part of a Pentaho deployment - Tomcat 
is utilized for Pentaho's Data Integration and Business Analytics services.
Description: We have a custom Deployment of Pentaho using PostgreSQL and Tomcat 
Apache running within the current version of our proprietary Medical Imaging 
software. The integration works well, but we have spent months struggling to 
identify the cause of a major conflict between the PostgreSQL/Tomcat 
integration and group policy client in windows domain environments. Whenever 
the PostgreSQL and Tomcat Apache (Pentaho Data Integration) services are 
running, we begin to see 1 hour + reboot times and gpupdate failures due to the 
group policy client just hanging for long periods of time with no explanation. 
If only Pentaho is running, no problem is experienced. If only Tomcat is 
running, no problem is experienced - it is only when we have both 
running/communicating the Group Policy updates begin to fail.

We have enabled all known debugging in Group Policy, PostgreSQL, Pentaho, and 
Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and 
Packet Captures, but have been unable to determine the cause of the conflict. 
We are also working with Microsoft, Pentaho, and PostgreSQL independently to 
try and flush out the culprit. After spending weeks analyzing and reviewing our 
development team's internal notes, I have become fairly confident that the root 
cause of this problem is related to the way that we deployed Tomcat, and the 
way that Tomcat/PostgreSQL communicate with each other, but I have not found 
solid proof that actually indicates this yet.

I have learned a lot about how PostgreSQL/Tomcat are functioning in this 
environment over the last week, but I am not part of the team that deployed 
this, and am certainly not an expert on Pentaho, PostgreSQL, or Tomcat. I have 
been collecting a list of debug error/warnings from the Tomcat logs over the 
last few days (attached), and I am hoping someone who is an expert on this 
stuff can possibly review this list of errors, provide an explanation/priority 
for each, and answer the following questions:

1. Are there any known conflicts with Tomcat and GroupPolicy in Windows domain 
environments? Required Configurations? Workarounds?
3. Are there any special debugging options or monitoring tools that we could 
use to get more information about what Tomcat is doing during the time periods 
that Group Policy Client is hung? The built-in logging is not helping us.
4. Do you have any suggestions or options that we can try to see if our 
behavior changes?

Please let me know if there is any additional information I can provide to help.



Hi.
I don't know anything about the various non-Tomcat softwares you are mentioning, and just 
a little bit about Tomcat.
But the one thing I see in your Tomcat logfile, is that there seem to be a lot of TCP 
connection errors of the kind "(Connection refused. Check that the hostname and port are 
correct and that the postmaster is accepting TCP/IP connections.)"

These seem to be related mostly to PostgreSQL.
Maybe there is a limit (in the PostgreSQL configuration) to how many connections it 
accepts at the same time ? or maybe the PostgreSQL server is just overloaded ?
Anyway, I would check this first, because there is a chance that many of the other errors 
which you are seeing are cascading down from there.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat's JNDI lookups fail if java.naming.factory.object property is specified

2015-11-19 Thread Violeta Georgieva
Hi,

2015-11-16 8:39 GMT+02:00 Dimitar Valov :
>
> Hello,
>
> It is really easy to reproduce this problem even if the default factory
> org.apache.naming.factory.ResourceFactory is used (set
> JAVA_OPTS=%JAVA_OPTS% -Djava.naming.factory.object=
> org.apache.naming.factory.ResourceFactory)
>
> Do you think that this should happen?

I found this in the archives [1]

Regards,
Violeta

[1] http://markmail.org/message/ux4tbigxqrm3tmzy

> Best Regards,
> Dimitar
>
> On Thu, Nov 5, 2015 at 1:51 PM, Dimitar Valov 
> wrote:
>
> > Hello,
> >
> > Exceptions such as this are found in the logs when
> > java.naming.factory.object is present
> > 04-Nov-2015 15:40:51.560 SEVERE [main] org.apache.catalina.realm.UserDatabaseRealm.startInternal Exception looking up UserDatabase under key UserDatabase
> >  java.lang.ClassCastException: Cannot cast class org.apache.naming.ResourceRef to interface org.apache.catalina.UserDatabase
> > at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:232)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:249)
> > at org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:905)
> > at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > at org.apache.catalina.core.StandardService.startInternal(StandardService.java:439)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:769)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > at org.apache.catalina.startup.Catalina.start(Catalina.java:625)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:497)
> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
> > It is also not possible to add additional ObjectFactories with
> > java.naming.factory.object property.
> >
> > Steps to reproduce:
> >
> > setenv.bat:
> > set JAVA_OPTS=%JAVA_OPTS% -Djava.naming.factory.object=org.apache.naming.factory.ResourceFactory:custom.CustomObjectFactory
> >
> > setenv.sh:
> > export JAVA_OPTS="$JAVA_OPTS -Djava.naming.factory.object=org.apache.naming.factory.ResourceFactory:custom.CustomObjectFactory"
> >
> > Details:
> >
> > 1. org.apache.naming.ResourceRef.getFactoryClassName() returns null:
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/naming/ResourceRef.java#L134
> >
> > 2. Consequently
> > http://docs.oracle.com/javase/8/docs/api/javax/naming/spi/NamingManager.html#getObjectInstance-java.lang.Object-javax.naming.Name-javax.naming.Context-java.util.Hashtable-
> > falls to option 3, however the environment does not contain any values and
> > returns the refInfo (An object created using refInfo; or refInfo if an
> > object cannot be created using the algorithm described above.).
> >
> > Possible Reasons:
> >
> > 1. org.apache.catalina.core.NamingContextListener.lifecycleEvent() uses an
> > empty Hashtable for specifying the environment of the NamingContext:
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/NamingContextListener.java#L235
> > This is the place where the environment is initially created before
> > lookups are made.
> >
> > Possible Solutions:
> >
> > 1. Add the object factories as specified in the environment to the initial
> > context environment:
> >
> > contextEnv.put(javax.naming.Context.OBJECT_FACTORIES,
> > System.getProperty(javax.naming.Context.OBJECT_FACTORIES));
> >
> > in
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/NamingContextListener.java#L235
> >
> > Attachments:
> >
> > The projects.zip contains two maven projects: a web application that uses
> > custom resource type and extension to Tomcat that adds a custom
> > ObjectFactory.
> >
> > Also regarding
> > https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#Adding_Custom_Resource_Factories ,
> > there is step "2. Declare Your Resource Requirements" which states to add a
> > resource-env-ref inside web.xml. I've noticed when the resource is
> > 

Re: Tomcat Conflicting with Group Policy Client

2015-11-19 Thread Mark H. Wood
On Thu, Nov 19, 2015 at 10:34:55AM +0100, André Warnier (tomcat) wrote:
> I don't know anything about the various non-Tomcat softwares you are
> mentioning, and just a little bit about Tomcat.  But the one thing I
> see in your Tomcat logfile, is that there seem to be a lot of TCP
> connection errors of the kind "(Connection refused. Check that the
> hostname and port are correct and that the postmaster is accepting
> TCP/IP connections.)"  These seem to be related mostly to
> PostgreSQL.  Maybe there is a limit (in the PostgreSQL
> configuration) to how many connections it accepts at the same time ?
> or maybe the PostgreSQL server is just overloaded ?

There is.  It is in postgresql.conf:  max_connections.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




SSO session expiration

2015-11-19 Thread Kraev, Dmitry
I'm working on migration from tomcat 6 to tomcat 8. On tomcat 8 the following 
warning occurs when the session is expired or the user signed out:

WARN [org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO unable 
to expire session [Host: [localhost], Context: [/appName], SessionID: 
[cookieId]] because the Session could not be found

I found that in Tomcat 6 session registers like the following:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Registering sso 
id 'E16F95304C7A0571A392C49BBB5B2B28' for user 'root' with auth type 'FORM'
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Associate sso 
id E16F95304C7A0571A392C49BBB5B2B28 with session 
StandardSession[68B9BFEC646992D572DEDFBB0BA29BDC]

And then session destroys as the following:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session 
destroyed on StandardSession[68B9BFEC646992D572DEDFBB0BA29BDC]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Deregistering 
sso id 'E16F95304C7A0571A392C49BBB5B2B28'
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session 
destroyed on StandardSession[CC36C13B089873D8BCEF2CBAFA1552F5]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session 
destroyed on StandardSession[DAC33294278B915C464EDFF0387A5E8D]

Everything looks fine.

In Tomcat 8 session registers listed below:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO registering 
SSO session [F869098E903E96139B95170742C613E8] for user [root] with 
authentication type [FORM]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO associating 
application session [StandardSession[9B741874689B4C8A1296D5BB86B841D0]] with 
SSO session [F869098E903E96139B95170742C613E8]

And when the session has to be destroyed the following messages occur:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing 
a log out for SSO session [F869098E903E96139B95170742C613E8] and application 
session [StandardSession[A88E8761E6F82CF38ED79590D1FED84D]]

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring 
application session [Host: [localhost], Context: [/AppName1], SessionID: 
[AE27B6B1C4E9C26E7C298A4E1DB7DC27]] associated with SSO session 
[F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing 
a log out for SSO session [F869098E903E96139B95170742C613E8] and application 
session [StandardSession[AE27B6B1C4E9C26E7C298A4E1DB7DC27]]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO failed to 
deregister the SSO session [F869098E903E96139B95170742C613E8] because it was 
not in the cache

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring 
application session [Host: [localhost], Context: [/AppName2], SessionID: 
[9B741874689B4C8A1296D5BB86B841D0]] associated with SSO session 
[F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing 
a log out for SSO session [F869098E903E96139B95170742C613E8] and application 
session [StandardSession[9B741874689B4C8A1296D5BB86B841D0]]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO failed to 
deregister the SSO session [F869098E903E96139B95170742C613E8] because it was 
not in the cache

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring 
application session [Host: [localhost], Context: [/AppName3], SessionID: 
[A88E8761E6F82CF38ED79590D1FED84D]] associated with SSO session 
[F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO unable to 
expire session [Host: [localhost], Context: [/AppName3], SessionID: 
[A88E8761E6F82CF38ED79590D1FED84D]] because the Session could not be found

I also found the tomcat's function that destroys sessions. The messaging should 
look something like this:


1.   SSO processing a log out for SSO session [{0}] and application session [{1}]

2.   SSO expiring application session [{0}] associated with SSO session [{1}]

But as you can see above, only "AppName1" starts with "SSO 
processing...", the others start with "SSO expiring...", and "AppName1" ends 
up with a warning message.
Could it be related to the session association? How can I switch them and set 
them like in Tomcat 6?
Or may it be related to something else, and if so, where should I look?



Re: Source IP filtering on some URLs before Container-managed authentication

2015-11-19 Thread Christopher Schultz
Ognjen,

On 11/19/15 10:14 AM, Ognjen Blagojevic wrote:
> My webapp has a set of resources, let's call that set R. Some of those
> resources need to be accessed only from certain source IP addresses,
> let's call that subset R'. And some subset of R' (let's call it R'')
> needs authentication.
> 
> I have a requirement to check source IP address before authentication.
> 
> Right now, R' is specified in web.xml RemoteAddrFilter s,
> and R'' is specified in web.xml  s.
> 
> The problem is, filters are executed after container-managed
> authentication, so the login form is presented to the user before
> RemoteAddrFilter kicks in and checks the source IP address. That is not what
> I need. Users outside trusted IP ranges should not be able to even know
> about the protected resources, let alone to guess passwords.
> 
> RemoteAddrValve, on the other hand, is called before container-managed
> authentication, but it does not allow specifying s.
> 
> What would be a good solution for the above requirement? Extend
> RemoteAddrValve with the ability to specify s?

I think that may be the only way to do it. IIRC, someone did some work
to allow Filters to be used in the valve chain, but I don't think there
is any facility for specifying s for those.

-chris

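One way to implement the approach discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's own code: a standalone valve that applies a source-IP allow-list only to selected paths and rejects the request in the valve pipeline, before container-managed authentication. The class, package and attribute names (`PathScopedRemoteAddrValve`, `example`, `protectedPaths`) are hypothetical; the code assumes Tomcat 8.x (`javax.servlet`) and that the compiled class is placed in Tomcat's lib directory.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example (not Tomcat code): source-IP allow-list limited to some paths.
 *
 * Hypothetical usage in the web application's META-INF/context.xml:
 *
 *   <Valve className="example.PathScopedRemoteAddrValve"
 *          protectedPaths="/admin(/.*)?"
 *          allow="127\.0\.0\.1|10\.\d+\.\d+\.\d+" />
 */
public class PathScopedRemoteAddrValve extends ValveBase {

    // Paths (relative to the context root) that are restricted by source IP.
    // Left unset, every path is treated as restricted (fail closed).
    private volatile Pattern protectedPaths;

    // Client addresses allowed to reach restricted paths.
    // Left unset, nobody is allowed (fail closed).
    private volatile Pattern allow;

    // 404 by default, so callers outside the trusted ranges cannot tell
    // that the resource exists.
    private volatile int denyStatus = HttpServletResponse.SC_NOT_FOUND;

    public PathScopedRemoteAddrValve() {
        super(true); // asyncSupported: the valve does no blocking work
    }

    public void setProtectedPaths(String regex) {
        this.protectedPaths = Pattern.compile(regex);
    }

    public void setAllow(String regex) {
        this.allow = Pattern.compile(regex);
    }

    public void setDenyStatus(int denyStatus) {
        this.denyStatus = denyStatus;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Match on the decoded, normalized path inside the context rather
        // than the raw request URI, so an encoded variant of a protected
        // path is treated the same way as the plain one.
        String path = request.getRequestPathMB().toString();

        // Behind a reverse proxy this is the proxy's address unless a
        // RemoteIpValve earlier in the pipeline has replaced it.
        String remoteAddr = request.getRequest().getRemoteAddr();

        if (isProtected(path) && !isAllowed(remoteAddr)) {
            // Rejected before the authenticator valve runs: no login form
            // is shown to addresses outside the trusted ranges.
            response.sendError(denyStatus);
            return;
        }
        getNext().invoke(request, response);
    }

    boolean isProtected(String path) {
        Pattern p = protectedPaths;
        return p == null || p.matcher(path).matches();
    }

    boolean isAllowed(String remoteAddr) {
        Pattern p = allow;
        return p != null && remoteAddr != null
                && p.matcher(remoteAddr).matches();
    }
}
```

The security constraints in web.xml for the R'' subset stay in place, so requests that pass the address check are still authenticated as before.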



Re: Need an application specific common.loader folder, like with EAR

2015-11-19 Thread Christopher Schultz
Sebastien,

On 11/19/15 8:37 AM, Tardif, Sebastien wrote:
> Have two wars in the same Tomcat instance, I want to share some 
> jars. I want these jars take priority over Tomcat shipped jars.
> 
> However, because I usually reuse the same Tomcat installation 
> between application (different set of wars), I do not want to modify 
> common.loader folder (the lib folder). Because if I modify the lib 
> folder for application 1, like overriding some Tomcat jar, then it’s
> lot of work to reset it right.
> 
> That problem doesn’t exist with EAR, which Tomcat doesn’t support. 
> I’m fine that Tomcat doesn’t support EAR but it could at least
> provide clean workaround.
> 
> So I would like to see a new folder called: extraLibs, and the
> classloader order will become:
> 
> 
> Bootstrap classes of your JVM
> System class loader classes (described above)
> extraLibs
> Common class loader classes (described above)
> /WEB-INF/classes of your web application
> /WEB-INF/lib/*.jar of your web application
> 
> See http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html

What about simply modifying CATALINA_BASE/bin/setenv.sh|SETENV.BAT to
set a custom CLASSPATH that includes those libraries? You have to modify
nothing else, and it easily survives an upgrade.

-chris




Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender

2015-11-19 Thread Joleen Barker
I want to say up front that I am not a developer and know enough to break
some stuff. lol

I have a software package from a vendor that ships the tomcat web server
with it. Below are my environment details:

1) The tomcat version that is running is v8.0.26.0
2) The OS is a Centos v7 UNIX VM
3) Java JDK I have installed that Tomcat is using is 1.8.0_60
4) The vendor has the $CATALINA_HOME and CATALINA_BASE as the same location
which is /server
5) The /server directory is the place where the /lib,
/bin, /conf, and etc. directories are found.
6) Due to the catalina.out file growing too large with the default
juli.AsyncFileHandler using the logging.properties file that was found in
the $CATALINA_HOME/conf directory. I changed it to use the log4j logging.
Here are the steps I did to make this happen which I found on Tomcat 8 web
site:

  a. Downloaded log4j-1.2.17.jar and placed it in $CATALINA_HOME/lib
  b. Downloaded from the Tomcat extras web page for Tomcat 8 the
tomcat-juli-adapters.jar and the tomcat-juli.jar.
  c. Deleted the old tomcat-juli.jar out of the $CATALINA_HOME/bin
directory.
  d. Placed the new tomcat-juli.jar file and the
tomcat-juli-adapters.jar file in to the $CATALINA_HOME/bin directory.
  e. Deleted the old logging.properties file from the
$CATALINA_HOME/conf directory.
   f. Created the log4j.properties file in the $CATALINA_HOME/lib
directory and copied the settings that are shown on the Tomcat 8 logging
web page that has been there for Tomcat 7 logging web page too that
everyone is familiar with. Here is the url just in case:
https://tomcat.apache.org/tomcat-8.0-doc/logging.html

I know the log4j.properties file is being used as I made 2 changes to the
config file that were taken. One change was to actually verify the
log4j.properties file was being used, which was changing the word INFO to
OFF for localhost file messages being written by editing the following line
at the bottom of the log4j.properties file:

log4j.logger.org.apache.catalina,core.ConainerBase.[Catalina].[localhost] =
OFF, LOCALHOST

The other change I made was I changed the file name in the following line
to read catalina.out instead of catalina:
log4j.appender,CATALINA.File = ${catalina.base}/logs/catalina.out

The reason I did this was I thought the daily roll that was supposed to
take place at midnight would occur on the file that was named catalina and
not on the file that was named catalina.out. All the INFO messages being
written to the file named catalina were also being written to the
catalina.out file which was the one I wanted to roll daily anyway so I
thought this change would be fine.

I stopped tomcat and cleared all the logs out and left the server to run
over night. (It is still running now) and it appears the roll did not take
place. What I woke up to was everything you see below found in the
$CATALINA_HOME/logs directory except for the one file written today which
was due to me logging in to the web application that the vendor supports so
I could verify I could still login and use the software:

-rw-r--r--.  root  root  33003 Nov 18 21:03 catalina.out
-rw-r--r--.  root  root 0 Nov 18 21:03 host-manager
-rw-r--r--.  root  root 0 Nov 18 21:03 localhost
-rw-r--r--.  root  root 0 Nov 18 21:03
localhost_access_log.2015-11-18.txt
-rw-r--r--.  root  root2498 Nov 19 13:23
localhost_access_log.2015-11-19.txt
-rw-r--r--.  root  root 0 Nov 18 21:03 manager

I don't know what I am missing from the configs to make the catalina.out
file roll each day at midnight. Some help would be greatly appreciated.

Also, no I cannot contact the vendor as they just tell me to hire a
professional. So I am the professional.

And, no I don't want to use the RollingFileAppender as I need the roll over
to be based on day and not the size of catalina.out.

I do see when the application starts and in the catalina.out it records the
following which I don't know if it should read something else for the log4j
logging to be used:

-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

I'm digging and don't know where else to look and am probably not looking
in the right places.

Any Help is greatly appreciated. I think I am close.


Source IP filtering on some URLs before Container-managed authentication

2015-11-19 Thread Ognjen Blagojevic

Hi,

My webapp has a set of resources, let's call that set R. Some of those 
resources need to be accessed only from certain source IP addresses, 
let's call that subset R'. And some subset of R' (let's call it R'') 
needs authentication.


I have a requirement to check source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter s, 
and R'' is specified in web.xml  s.


The problem is, filters are executed after container-managed 
authentication, so the login form is presented to the user before 
RemoteAddrFilter kicks in and checks the source IP address. That is not what 
I need. Users outside trusted IP ranges should not be able to even know 
about the protected resources, let alone to guess passwords.


RemoteAddrValve, on the other hand, is called before container-managed 
authentication, but it does not allow specifying s.


What would be a good solution for the above requirement? Extend 
RemoteAddrValve with the ability to specify s?


-Ognjen




[ANN] Apache Tomcat 9.0.0.M1 available

2015-11-19 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M1.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.

Apache Tomcat 9.0.0.M1 is the first milestone release of the 9.0.x
branch and has been made to provide users with early access to the new
features in Apache Tomcat 9.0.x so that they may provide feedback. The
notable changes compared to 8.0.x include:

-   Adding support for HTTP/2, and TLS virtual hosting

-   An implementation of the current draft of the Servlet 4.0
specification

-   The BIO connectors, support for Windows Itanium and support
for Comet have been removed

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

The first in the new series of short Tomcat webinars will cover a quick
start guide to HTTP/2. Details have been posted to the users mailing list:
- http://markmail.org/message/suiwwo57fpasyw2g  - 10.00 UTC
- http://markmail.org/message/xwxq6etj2scjmllp  - 20.00 UTC


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 5.5.x, 6.0.x, 7.0.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: REMOTE_USER mod_jk

2015-11-19 Thread Konstantin Kolinko
2015-11-19 16:02 GMT+03:00 Teresa Fasano :
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO
> authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve
> REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs
> of the identity provider and the log of the service provider:
> <...>
>
> In the access log of the Apache I see the value of the attribute uid (the
> remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
> 
>AuthType shibboleth
>ShibRequireSession On
>ShibExportAssertion On
>require valid-user
> 
>
>
> It seems that the Apache is unable to pass this attribute.

How do you test whether it is able or unable to pass it?

How is your AJP connector in Tomcat configured?  You need to set
tomcatAuthentication="false" on  [1]

[1] http://tomcat.apache.org/connectors-doc/common_howto/proxy.html




Re: REMOTE_USER mod_jk

2015-11-19 Thread Teresa Fasano
With Apache/2.2.15 the REMOTE_USER is passed to the application (Jboss), 
while with Apache/2.4.6 it is lost.


In the log of the application we see this error: "REMOTE_USER variable 
not assigned."


On 19/11/2015 14:02, Teresa Fasano wrote:

Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth 
as SSO authentication.


Routing Apache request to tomcat (JBoss) we are not able to retrieve 
REMOTE_USER.


It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the 
logs of the identity provider and the log of the service provider:


1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,||| 



2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session 
(ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: 
iuav-dev2) for principal from (IdP: 
https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 
130.186.19.126) with (NameIdentifier: 
_5ae86372161ba20460d91773f12241a5) using (Protocol: 
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: 
_b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the 
following attributes with session (ID: 
_771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {

2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 
values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 
values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: 
eduPersonTargetedID (1 values)

2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber 
(1 values)

2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid 
(the remote_user):

130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user



It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to 
the application?


Regards.
Teresa




--
--
Education is the bread of the soul
--

Teresa Fasano

CINECA
System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY

web: http://www.cineca.it
e-mail:  t.fas...@cineca.it
phone:   +39 051 61 71 364





Need an application specific common.loader folder, like with EAR

2015-11-19 Thread Tardif, Sebastien
Have two wars in the same Tomcat instance, I want to share some jars. I want 
these jars take priority over Tomcat shipped jars.

However, because I usually reuse the same Tomcat installation between 
application (different set of wars), I do not want to modify common.loader 
folder (the lib folder). Because if I modify the lib folder for application 1, 
like overriding some Tomcat jar, then it’s lot of work to reset it right.

That problem doesn’t exist with EAR, which Tomcat doesn’t support. I’m fine 
that Tomcat doesn’t support EAR but it could at least provide clean workaround.

So I would like to see a new folder called: extraLibs, and the classloader 
order will become:


Bootstrap classes of your JVM
System class loader classes (described above)
extraLibs
Common class loader classes (described above)
/WEB-INF/classes of your web application
/WEB-INF/lib/*.jar of your web application

See http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html



Tomcat Webinar series admin

2015-11-19 Thread Mark Thomas
This is intended to provide more information for people planning to
attend the new Tomcat Webinar series.

1. This is new for all of us
Please keep in mind that this is new and that there might be some
teething problems. Your understanding will be appreciated.

2. Dial-in from outside the US
The conferencing software includes a call back option. It should work
with any international number.

3. Mute your line
When you join the call *please* mute your line.

4. Recording
The webinars will be recorded and uploaded to the (to be created) Apache
Tomcat YouTube channel.

5. Q&A
The actual presentation part is intended to be short (10, maybe 15
minutes). There will be plenty of time for Q&A at the end. Questions
should be sent to the presenter / host via the conferencing software.

6. Topics
The topics for subsequent sessions are still TBD. Suggestions are always
welcome.

After the first webinar all of this, plus any additional lessons
learned, will be added to the Tomcat web site along with links to the
recordings.

Thanks,

Mark




REMOTE_USER mod_jk

2015-11-19 Thread Teresa Fasano

Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as 
SSO authentication.


Routing Apache request to tomcat (JBoss) we are not able to retrieve 
REMOTE_USER.


It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the 
logs of the identity provider and the log of the service provider:


1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||

2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid 
(the remote_user):

130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user



It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to the 
application?


Regards.
Teresa

--
Education is the bread of the soul
--

Teresa Fasano

CINECA
System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3
Casalecchio di Reno (Bologna) ITALY

web: http://www.cineca.it
e-mail:  t.fas...@cineca.it
phone:   +39 051 61 71 364





WebEx meeting changed: Apache Tomcat 9: HTTP/2 quick start

2015-11-19 Thread Mark Thomas

Hello,

Mark Thomas changed the WebEx meeting information.


Apache Tomcat 9: HTTP/2 quick start
Tuesday, 24 November 2015
10:00  |  GMT Time (London, GMT)  |  1 hr


JOIN WEBEX MEETING
https://pivotal.webex.com/pivotal/j.php?MTID=mfa085250004a720ae2cbf026fc2249fa
Meeting number: 646 025 783


JOIN BY PHONE
Call-in toll-free number: 1-877-8818371  (US)
Call-in number: 1-617-3374371  (US)
Show global numbers:
https://sites.google.com/a/pivotal.io/pivotal-it/pivotal-conferencing
Attendee access code: 289 459 03



Add this meeting to your calendar:
https://pivotal.webex.com/pivotal/j.php?MTID=m97cccbc4b3d2a27722a0dcea8377113c


Can't join the meeting? Contact support here:
https://pivotal.webex.com/pivotal/mc


IMPORTANT NOTICE: Please note that this WebEx service allows audio and other 
information sent during the session to be recorded, which may be discoverable 
in a legal matter. By joining this session, you automatically consent to such 
recordings. If you do not consent to being recorded, discuss your concerns with 
the host or do not join the session.


WebEx meeting changed: Apache Tomcat 9: HTTP/2 quick start

2015-11-19 Thread Mark Thomas

Hello,

Mark Thomas changed the WebEx meeting information.


Apache Tomcat 9: HTTP/2 quick start
Tuesday, 24 November 2015
20:00  |  GMT Time (London, GMT)  |  1 hr


JOIN WEBEX MEETING
https://pivotal.webex.com/pivotal/j.php?MTID=mc659a2f2bf4a68cd94ea0a3e702de9a7
Meeting number: 649 296 162


JOIN BY PHONE
Call-in toll-free number: 1-877-8818371  (US)
Call-in number: 1-617-3374371  (US)
Show global numbers:
https://sites.google.com/a/pivotal.io/pivotal-it/pivotal-conferencing
Attendee access code: 289 459 03



Add this meeting to your calendar:
https://pivotal.webex.com/pivotal/j.php?MTID=m4dbdc76580d9af7383b6468ac36c1a68


Can't join the meeting? Contact support here:
https://pivotal.webex.com/pivotal/mc

