Re: Getting garbled data when making http request on https port

[Amey Rokde]

Christoph

Fair enough that it is not a security leak . Can you throw some light on
what's happening internally so as to understand why we get this garbled
data to be downloaded.

sorry for pushing
Amey

On Mon, Mar 28, 2016 at 10:00 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 11:25 AM, Amey Rokde wrote:
> > May be i didn't explained my question properly. What we have is a single
> > web application running on https port 7070. This port is configured for
> > https connection only and that the reason there is single connector. What
> > we are seeing is if by mistake
> > or intentionally the user types instead of https://localhost:7070/myapp
> he
> > types http://localhost:7070/myapp
> > the content with some garbled data gets downloaded.  The question is
> > whether i can prevent the garbled data and if so how i can do that.
>
> There is currently no Tomcat-only solution that meets all of your
> criteria (single connector).
>
> Apache httpd can respond with a plaintext response (it's a 400, not a
> 404), but Apache Tomcat is not yet able to do that.
>
> I would like to reiterate that there is no security leak, here.
>
> -chris
>
> > On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Amey,
> >
> > On 3/28/16 3:54 AM, Amey Rokde wrote:
>  Dear Community
> 
>  We are using the apache-tomcat-7.0.55 and have configured only one
>  SSL connector (7070).
> 
>  The SSL connection (https) )works properly and i am able to fetch
>  the request. But if we make http request we get the garbled data to
>  be downloaded in the browser.
> >
> > This is expected behavior.
> >
>  I tried searching over the net but the information available is
>  more about redirect and things around it. What i want is to prevent
>  this garbled data and get more of http 404 not found.
> >
> > Then you need to make an HTTP connection, not an HTTPS one. It's easy
> > to configure an HTTP connector that redirects to HTTPS.
> >
>  Getting this garbled data is considered more or less security
>  leak.
> >
> > Considered a security leak by whom? There is no information leakage.
> > There are no secrets being transmitted. This is an inconvenience to
> > the user that you can easily remedy.
> >
>  I am attaching the sample server xml of the tomcat .
> >
> > Thanks, but it wasn't relevant (other than to confirm that you weren't
> > configuring an HTTPS connector on a standard HTTP port such as 80).
> >
>  Please advise what needs to be done.
> >
> > If you want your users to get a 404, then you should listen on port 80
> > (for HTTP) and return 404 for all requests. If you want to do better
> > than that, you should listen on port 80 (for HTTP) and redirect all
> > requests to the secure port.
> >
>  PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
>  show above behaviour.
> >
> > It should behave exactly the same way.
> >
> > -chris
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Monitoring Tomcat

[Leonardo Santagostini]

My two cents:

You can aldo use Zabbix to Monitor your Tomcar using JMX.

Also Zabbix is used from templates. So once you got one machine monitored
as you expected you can easy deployit on other your machine, and the best
of all, you dont nees to use apps like Jolokia. But bear in mind that there
are some security concerns.

Best regards
El mar 28, 2016 8:56 p.m., "Edwin Quijada" 
escribió:

> Thks!
>
> 
> From: Mark Eggers 
> Sent: Monday, March 28, 2016 10:32 PM
> To: Tomcat Users List
> Subject: Re: Monitoring Tomcat
>
> https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html
> https://wiki.apache.org/tomcat/FAQ/Monitoring
>
> Basically enable JMX, then use a wide variety of tools to query an even
> wider variety of information.
>
> Please note that there are security issues when enabling JMX. Read the
> first link above for details.
>
> . . . just my two cents
> /mde/
>
> On 3/28/2016 3:23 PM, Edwin Quijada wrote:
> > Hi!
> > I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor
> the speed and resources of this. I add to 1024mb to Tomcat because the app
> and DB is in the same server.
> >
> > What application can I use to monitor performance of this Tomcat ?
> >
> >
> > TIA
> >
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Monitoring Tomcat

[Edwin Quijada]

Thks!


From: Mark Eggers 
Sent: Monday, March 28, 2016 10:32 PM
To: Tomcat Users List
Subject: Re: Monitoring Tomcat

https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html
https://wiki.apache.org/tomcat/FAQ/Monitoring

Basically enable JMX, then use a wide variety of tools to query an even
wider variety of information.

Please note that there are security issues when enabling JMX. Read the
first link above for details.

. . . just my two cents
/mde/

On 3/28/2016 3:23 PM, Edwin Quijada wrote:
> Hi!
> I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor the 
> speed and resources of this. I add to 1024mb to Tomcat because the app and DB 
> is in the same server.
>
> What application can I use to monitor performance of this Tomcat ?
>
>
> TIA
>



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Monitoring Tomcat

[Leon Rosenberg]

Of course MoSKito:
http://www.moskito.org

Take a look at the step by step guide (start with step 1 not 0).
blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

regards
Leon

On Tue, Mar 29, 2016 at 12:23 AM, Edwin Quijada 
wrote:

> Hi!
> I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor the
> speed and resources of this. I add to 1024mb to Tomcat because the app and
> DB is in the same server.
>
> What application can I use to monitor performance of this Tomcat ?
>
>
> TIA
>

Re: Monitoring Tomcat

[Mark Eggers]

https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html
https://wiki.apache.org/tomcat/FAQ/Monitoring

Basically enable JMX, then use a wide variety of tools to query an even
wider variety of information.

Please note that there are security issues when enabling JMX. Read the
first link above for details.

. . . just my two cents
/mde/

On 3/28/2016 3:23 PM, Edwin Quijada wrote:
> Hi!
> I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor the 
> speed and resources of this. I add to 1024mb to Tomcat because the app and DB 
> is in the same server.
> 
> What application can I use to monitor performance of this Tomcat ?
> 
> 
> TIA
> 




signature.asc
Description: OpenPGP digital signature

Monitoring Tomcat

[Edwin Quijada]

Hi!
I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor the 
speed and resources of this. I add to 1024mb to Tomcat because the app and DB 
is in the same server.

What application can I use to monitor performance of this Tomcat ?


TIA

Re: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[Leon Rosenberg]

Hi Raja,

I think this question arises on this user list every now and then. I even
think there have been some effort to create a pom.xml for tomcat, but
without great success (after few replies you can imagine why).
Personally I totally understand you. From what I see ant is totally gone
and has been replaced by maven virtually everywhere. Also the tool support
for maven is much better as for ant. However, there are reasons why maven
has been so successful, and it is one of the reasons, why it still not used
here.

1) maven has an absolutely superior dependency management to what ant ever
had to offer, with or without ivy.
2) and more important, maven is not only a build tool, it defines the
project layout, the build cycles and how you have to work with the project
(meaning releases, branching etc). All of that is missing completely in
ant, ant lets you create whatever development system you want, but you have
to do it all the way alone. Maven gives you one, and if you agree to use
it, you will safe a lot of time and can put your effort in things that
matter more.

Now, see, this is exactly the problem. Tomcat as a project was there long
before maven team layed out how they imagine people should work. And since
tomcat is doing stuff it's own way, it will be a huge portion of work to
make it work with a pom. So if you want to work with a pom and maven, you
maybe start your work exactly there ;-)

regards
Leon

P.S. The opinion that "ant is gone" is of course solely mine and based on
personal experience only ;-) No flame please.


On Mon, Mar 28, 2016 at 5:57 PM, Raja Anbazhagan <
raja.anbazhagan1...@gmail.com> wrote:

> I'm new to tomcat project and I wanted to take a look at the code base to
> see if I can contribute in any which ways. But after going through the
> build process and setting up every other tools used to build ant, I'm a bit
> frustrated.
>
> Why didnt we migrated this project to a better build tool like maven or
> gradle so that the contributor can spend less time setting up the code and
> more time on actually working on the contribution part.?
>
> - Raja
>

RE: Tomcat 8.5.0 and 9.0.0 M4

[Lulseged Zerfu]

Hi

When I say in place, I mean it is in the same place as in tomcat 8.0.33
(lib).

Yes I have only one under apache-tomcat-8.5.0/lib.

Have anyone tried and seen same problem or is it only me that have this
problem?

BR
lulseged.zerfu


-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: den 28 mars 2016 20:23
To: Tomcat Users List 
Subject: RE: Tomcat 8.5.0 and 9.0.0 M4

> From: Lulseged Zerfu [mailto:zlulse...@hotmail.com]
> Subject: Tomcat 8.5.0 and 9.0.0 M4

> I was trying to test HTTP/2 and tried versions 8.5.0 and 9.0.0.M4. I 
> was not able to start these releases because I get NoClassDefFoundError.

> Caused by: java.lang.NoClassDefFoundError:

> Class javax/servlet/ServletContainerInitializer is found in the 
> servlet-api.jar which is inplace.

In place where (be precise)?

Make sure the .jar is not in more than one location; it should be only in
Tomcat's lib directory, nowhere else.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[David kerber]

On 3/28/2016 2:18 PM, Caldarale, Charles R wrote:

From: George Sexton [mailto:geor...@mhsoftware.com]
Subject: Re: Why the tomcat source code uses obsolete ant build configuration? 
why not maven or gradle?



In my opinion (and it's probably not shared by many, but I don't care),
Maven sucks.


+many to that

Another "solution" in search of a problem.


Yup.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Cluster session replication issue: servlet hang on restart only under load

[Anthony Sturchio]

After playing with static clustering a few more days, I still ran 
headlong into a wall with this.


I decided to go back to multicast, and try BackupManager instead of 
DeltaManager, and it now seems to be restarting correctly, as long as my 
timeout was high enough for the 15+ second AbstractMapReplication init.  
Overall it takes about 65 seconds for server startup compared to 15 sec 
for static deltaManager and 30 sec for multicast deltaManager.  But the 
important part is that it eventually does start the server while under 
load, and session failover seems to work as expected.


Unfortunately using backupManager is not my preferred solution, but it 
may be the only option until I can figure out why DeltaManager is broken 
in our environment. I would still love to hear if anyone has any 
suggestions as to why backup manager is working but delta manager is broken.



Thank you,
-Anthony

On 3/25/2016 10:28 AM, Anthony Sturchio wrote:
Thanks for the response.   I apologize if I'm using the incorrect 
terminology here, as this is one of the smaller "hats" that I wear at 
work.


Basically, coldfusion runs on top of a (possibly customized) tomcat 
backend.  Each instance has its own server.xml and web.xml.  As best I 
can figure, when starting CF, it starts tomcat in the JRE, and if 
applicable, starts deltamanager to handle the clustering business.  
After the sessions are replicated, the servlet (coldfusion server) 
starts up with the connector ports specified in server.xml.  This all 
happens relatively smoothly in testing without any appreciable load.


However when the box is added back into our webserver farm (via 
hardware load balancer), or if I create artificial load against the 
box using apache jmeter, session replication is not successful, and 
the coldfusion server never loads.  I don't get any errors written to 
screen or log, nor does kill -3 give me anything, but as per ps aux, 
the java process is still running. The replication ports and Catalina 
connector ports are open, however the overall server shutdown port is 
not open, if that offers any clues.


Web pages are being served via apache httpd and mod_jk and AJP/1.3.


Thank you,
-Anthony

On 3/25/2016 10:09 AM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Anthony,

On 3/25/16 9:41 AM, Anthony Sturchio wrote:

We recently updated our Coldfusion 10 server to update 18, which
moved us up to Tomcat 7.0.64, and we are now experiencing issues
when restarting a CF instance.  I understand that this is not a
coldfuison forum, but since CF10 is based on top of a tomcat back
end, which is where the issue appears to be, I figured I would ask
here.  As best I can figure, it appears that while under moderate
load, DeltaManager sessions dont replicate, and the servlet hangs
and never fully starts up.  Without any load, the CF instance
(servlet) starts up perfectly fine without issue.

Can you clarify what it means for a servlet that has not yet started
up to be "under load"?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools -http://gpgtools.org
Comment: Using GnuPG with Thunderbird -http://www.enigmail.net/

iEYEARECAAYFAlb1RoIACgkQ9CaO5/Lv0PBpxgCggKFVpE/HM++CSwsGw73r6Yni
UHYAn2dcnX/FomVD19Tz+TjEe1cMi/Zd
=ruIF
-END PGP SIGNATURE-

-
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org

RE: Tomcat 8.5.0 and 9.0.0 M4

[Caldarale, Charles R]

> From: Lulseged Zerfu [mailto:zlulse...@hotmail.com] 
> Subject: Tomcat 8.5.0 and 9.0.0 M4

> I was trying to test HTTP/2 and tried versions 8.5.0 and 9.0.0.M4. I was not
> able to start these releases because I get NoClassDefFoundError.

> Caused by: java.lang.NoClassDefFoundError:

> Class javax/servlet/ServletContainerInitializer is found in the
> servlet-api.jar which is inplace.

In place where (be precise)?

Make sure the .jar is not in more than one location; it should be only in 
Tomcat's lib directory, nowhere else.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[Caldarale, Charles R]

> From: George Sexton [mailto:geor...@mhsoftware.com] 
> Subject: Re: Why the tomcat source code uses obsolete ant build 
> configuration? why not maven or gradle?

> In my opinion (and it's probably not shared by many, but I don't care), 
> Maven sucks.

+many to that

Another "solution" in search of a problem.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[George Sexton]

On 3/28/2016 9:57 AM, Raja Anbazhagan wrote:

I'm new to tomcat project and I wanted to take a look at the code base to
see if I can contribute in any which ways. But after going through the
build process and setting up every other tools used to build ant, I'm a bit
frustrated.

Why didnt we migrated this project to a better build tool like maven or
gradle so that the contributor can spend less time setting up the code and
more time on actually working on the contribution part.?


In my opinion (and it's probably not shared by many, but I don't care), 
Maven sucks. Every time I've ever got involved in something that 
required maven, a repository wasn't present, something had been renamed, 
new dependencies had been introduced somewhere in the chain that were 
broken, version numbers were wrong. The issues I'm talking about are not 
issues directly caused by the tool, but issues caused by fallible 
humans. However, the complexity of unraveling the problems when they do 
happen are a huge, giant pain. I hate Maven, and I avoid it like the 
scurvy plague that it causes...




- Raja



--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.connectdaily.com

Re: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[Christopher Schultz]

Raja,

On 3/28/16 11:57 AM, Raja Anbazhagan wrote:
> I'm new to tomcat project and I wanted to take a look at the code base to
> see if I can contribute in any which ways. But after going through the
> build process and setting up every other tools used to build ant, I'm a bit
> frustrated.
> 
> Why didnt we migrated this project to a better build tool like maven or
> gradle so that the contributor can spend less time setting up the code and
> more time on actually working on the contribution part.?

Steps to build Tomcat:

0. Download JDK
1. Download ant
2. Download Tomcat sources, cd to directory
3. Execute this command:

  $ ant

Done.

Steps to build [project] using Maven:

0. Download JDK
1. Download Maven
2. Download project sources, cd to directory
3. Execute this command:

  $ mvn

What's the difference, here?

ant is not obsolete. Maven is a giant pain in the neck. Tomcat has tons
of build configuration that, under Maven, would have to pretty much be
entirely scripted using ant anyway.

This question has come up many times on both the Tomcat users' lists and
the Tomcat developers' list and the request has been rejected, with
reasons, several times. As of today, there is little motivation for any
of the Tomcat developers to switch from an ant-based to a Maven-based
build process.

If you wish to raise the issue again, please provide some additional
information to support your request.

If you find the ant-based build process frustrating, please explain and
we'll try to make it better.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Getting garbled data when making http request on https port

[Christopher Schultz]

Amey,

On 3/28/16 11:25 AM, Amey Rokde wrote:
> May be i didn't explained my question properly. What we have is a single
> web application running on https port 7070. This port is configured for
> https connection only and that the reason there is single connector. What
> we are seeing is if by mistake
> or intentionally the user types instead of https://localhost:7070/myapp he
> types http://localhost:7070/myapp
> the content with some garbled data gets downloaded.  The question is
> whether i can prevent the garbled data and if so how i can do that.

There is currently no Tomcat-only solution that meets all of your
criteria (single connector).

Apache httpd can respond with a plaintext response (it's a 400, not a
404), but Apache Tomcat is not yet able to do that.

I would like to reiterate that there is no security leak, here.

-chris

> On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Amey,
> 
> On 3/28/16 3:54 AM, Amey Rokde wrote:
 Dear Community

 We are using the apache-tomcat-7.0.55 and have configured only one
 SSL connector (7070).

 The SSL connection (https) )works properly and i am able to fetch
 the request. But if we make http request we get the garbled data to
 be downloaded in the browser.
> 
> This is expected behavior.
> 
 I tried searching over the net but the information available is
 more about redirect and things around it. What i want is to prevent
 this garbled data and get more of http 404 not found.
> 
> Then you need to make an HTTP connection, not an HTTPS one. It's easy
> to configure an HTTP connector that redirects to HTTPS.
> 
 Getting this garbled data is considered more or less security
 leak.
> 
> Considered a security leak by whom? There is no information leakage.
> There are no secrets being transmitted. This is an inconvenience to
> the user that you can easily remedy.
> 
 I am attaching the sample server xml of the tomcat .
> 
> Thanks, but it wasn't relevant (other than to confirm that you weren't
> configuring an HTTPS connector on a standard HTTP port such as 80).
> 
 Please advise what needs to be done.
> 
> If you want your users to get a 404, then you should listen on port 80
> (for HTTP) and return 404 for all requests. If you want to do better
> than that, you should listen on port 80 (for HTTP) and redirect all
> requests to the secure port.
> 
 PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
 show above behaviour.
> 
> It should behave exactly the same way.
> 
> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat 8.5.0 and 9.0.0 M4

[Lulseged Zerfu]

Hi

 

I was trying to test HTTP/2 and tried versions 8.5.0 and 9.0.0.M4. I was not
able to start these releases because I get NoClassDefFoundError.

 

Caused by: java.lang.NoClassDefFoundError:
javax/servlet/ServletContainerInitializer

at java.lang.ClassLoader.findBootstrapClass(Native Method)

at
java.lang.ClassLoader.findBootstrapClassOrNull(ClassLoader.java:1015)

at java.lang.ClassLoader.loadClass(ClassLoader.java:413)

at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1216)

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1131)

at java.lang.Class.forName0(Native Method)

at java.lang.Class.forName(Class.java:348)

at
org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLo
ader.java:188)

at
org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.jav
a:159)

at
org.apache.catalina.startup.ContextConfig.processServletContainerInitializer
s(ContextConfig.java:1611)

at
org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1131)

at
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:
771)

at
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:
298)

at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java
:94)

at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
5092)

at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:152)

... 10 more

 

Class javax/servlet/ServletContainerInitializer is found in the
servlet-api.jar which is inplace.

 

I am starting it with:

bin\catalina.bat jpda run

 

 

This works fine with earlier tomcat releases. For example 8.0.33.

 

Any change made to these releases?

 

BR

Lulseged

Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[Raja Anbazhagan]

I'm new to tomcat project and I wanted to take a look at the code base to
see if I can contribute in any which ways. But after going through the
build process and setting up every other tools used to build ant, I'm a bit
frustrated.

Why didnt we migrated this project to a better build tool like maven or
gradle so that the contributor can spend less time setting up the code and
more time on actually working on the contribution part.?

- Raja

Re: Getting garbled data when making http request on https port

[Amey Rokde]

Hi Christoph

May be i didn't explained my question properly. What we have is a single
web application running on https port 7070. This port is configured for
https connection only and that the reason there is single connector. What
we are seeing is if by mistake
or intentionally the user types instead of https://localhost:7070/myapp he
types http://localhost:7070/myapp
the content with some garbled data gets downloaded.  The question is
whether i can prevent the garbled data and if so how i can do that.

Thanks for all the help




On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Amey,
>
> On 3/28/16 3:54 AM, Amey Rokde wrote:
> > Dear Community
> >
> > We are using the apache-tomcat-7.0.55 and have configured only one
> > SSL connector (7070).
> >
> > The SSL connection (https) )works properly and i am able to fetch
> > the request. But if we make http request we get the garbled data to
> > be downloaded in the browser.
>
> This is expected behavior.
>
> > I tried searching over the net but the information available is
> > more about redirect and things around it. What i want is to prevent
> > this garbled data and get more of http 404 not found.
>
> Then you need to make an HTTP connection, not an HTTPS one. It's easy
> to configure an HTTP connector that redirects to HTTPS.
>
> > Getting this garbled data is considered more or less security
> > leak.
>
> Considered a security leak by whom? There is no information leakage.
> There are no secrets being transmitted. This is an inconvenience to
> the user that you can easily remedy.
>
> > I am attaching the sample server xml of the tomcat .
>
> Thanks, but it wasn't relevant (other than to confirm that you weren't
> configuring an HTTPS connector on a standard HTTP port such as 80).
>
> > Please advise what needs to be done.
>
> If you want your users to get a 404, then you should listen on port 80
> (for HTTP) and return 404 for all requests. If you want to do better
> than that, you should listen on port 80 (for HTTP) and redirect all
> requests to the secure port.
>
> > PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
> > show above behaviour.
>
> It should behave exactly the same way.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlb5NXEACgkQ9CaO5/Lv0PA1WACfVyLxPNvG8EDwcNgNthvA0GOI
> eE0AoLOsRTnqp99mmIktin69zJz89pVj
> =YDpX
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat port listening as SYSTEM

[tomcat]

On 28.03.2016 16:37, SUSIL SAHU wrote:

netstat -ab | grep -B 1 "java" | grep "8080" | grep "LISTEN"


How about

netstat -ab | grep -A 1 "8080" | grep -A 1 "LISTEN" | grep -B 1 "java\.exe"



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat port listening as SYSTEM

[Konstantin Preißer]

Hi,

I think you need to look at the line below the port information, not the one 
above. It should show "java.exe" (or "tomcat7.exe" if running as a service).

  TCP0.0.0.0:8009   DESKTOP-F1DTQBM:0  LISTENING
 [java.exe]
  TCP0.0.0.0:8080   DESKTOP-F1DTQBM:0  LISTENING
 [java.exe]


Regards,
Konstantin Preißer


> -Original Message-
> From: SUSIL SAHU [mailto:susilsahu...@gmail.com]
> Sent: Monday, March 28, 2016 4:37 PM
> To: Tomcat Users List 
> Subject: Re: Tomcat port listening as SYSTEM
> 
> It's working, server is starting properly as I mentioned. But I've code
> that check whether tomcat is running or not using below command:
> 
> netstat -ab | grep -B 1 "java" | grep "8080" | grep "LISTEN"
> 
> This doesn't return any value bcz it is listening as SYSTEM instead of
> java.exe.
> 
> [System]
>TCP0.0.0.0:8080  Lap80:0   LISTENING
> 
> I am not sure how to fix this issue.
> 
> Thanks,
> susil
> 
> 
> On Mon, Mar 28, 2016 at 7:39 PM, David kerber 
> wrote:
> 
> > On 3/28/2016 9:58 AM, SUSIL SAHU wrote:
> >
> >> Hello,
> >>
> >> I am new to tomcat using version 7.0.28. I am able to start tomcat
> >> successfully using startup.bat in windows 2008.
> >>
> >> But when tried to check the port number using netstat -ab, it is listening
> >> as SYSTEM instead of java.exe.
> >>
> >> [System]
> >>TCP0.0.0.0:8080  Lap80:0   LISTENING
> >>
> >> I need help to fix this issue.
> >>
> >
> > Is it not working properly?  That is normal for a windows service.
> >
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat port listening as SYSTEM

[David kerber]

On 3/28/2016 10:37 AM, SUSIL SAHU wrote:

It's working, server is starting properly as I mentioned. But I've code
that check whether tomcat is running or not using below command:

netstat -ab | grep -B 1 "java" | grep "8080" | grep "LISTEN"

This doesn't return any value bcz it is listening as SYSTEM instead of
java.exe.

[System]
TCP0.0.0.0:8080  Lap80:0   LISTENING

I am not sure how to fix this issue.


There is nothing to fix; that is normal for windows services.  You will 
probably find a tomcat*.exe in your task list, though.





Thanks,
susil


On Mon, Mar 28, 2016 at 7:39 PM, David kerber  wrote:


On 3/28/2016 9:58 AM, SUSIL SAHU wrote:


Hello,

I am new to tomcat using version 7.0.28. I am able to start tomcat
successfully using startup.bat in windows 2008.

But when tried to check the port number using netstat -ab, it is listening
as SYSTEM instead of java.exe.

[System]
TCP0.0.0.0:8080  Lap80:0   LISTENING

I need help to fix this issue.



Is it not working properly?  That is normal for a windows service.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat port listening as SYSTEM

[SUSIL SAHU]

It's working, server is starting properly as I mentioned. But I've code
that check whether tomcat is running or not using below command:

netstat -ab | grep -B 1 "java" | grep "8080" | grep "LISTEN"

This doesn't return any value bcz it is listening as SYSTEM instead of
java.exe.

[System]
   TCP0.0.0.0:8080  Lap80:0   LISTENING

I am not sure how to fix this issue.

Thanks,
susil


On Mon, Mar 28, 2016 at 7:39 PM, David kerber  wrote:

> On 3/28/2016 9:58 AM, SUSIL SAHU wrote:
>
>> Hello,
>>
>> I am new to tomcat using version 7.0.28. I am able to start tomcat
>> successfully using startup.bat in windows 2008.
>>
>> But when tried to check the port number using netstat -ab, it is listening
>> as SYSTEM instead of java.exe.
>>
>> [System]
>>TCP0.0.0.0:8080  Lap80:0   LISTENING
>>
>> I need help to fix this issue.
>>
>
> Is it not working properly?  That is normal for a windows service.
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat port listening as SYSTEM

[David kerber]

On 3/28/2016 9:58 AM, SUSIL SAHU wrote:

Hello,

I am new to tomcat using version 7.0.28. I am able to start tomcat
successfully using startup.bat in windows 2008.

But when tried to check the port number using netstat -ab, it is listening
as SYSTEM instead of java.exe.

[System]
   TCP0.0.0.0:8080  Lap80:0   LISTENING

I need help to fix this issue.


Is it not working properly?  That is normal for a windows service.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat port listening as SYSTEM

[SUSIL SAHU]

Hello,

I am new to tomcat using version 7.0.28. I am able to start tomcat
successfully using startup.bat in windows 2008.

But when tried to check the port number using netstat -ab, it is listening
as SYSTEM instead of java.exe.

[System]
  TCP0.0.0.0:8080  Lap80:0   LISTENING

I need help to fix this issue.

Thanks
Susil

Re: Getting garbled data when making http request on https port

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Amey,

On 3/28/16 3:54 AM, Amey Rokde wrote:
> Dear Community
> 
> We are using the apache-tomcat-7.0.55 and have configured only one
> SSL connector (7070).
> 
> The SSL connection (https) )works properly and i am able to fetch
> the request. But if we make http request we get the garbled data to
> be downloaded in the browser.

This is expected behavior.

> I tried searching over the net but the information available is
> more about redirect and things around it. What i want is to prevent
> this garbled data and get more of http 404 not found.

Then you need to make an HTTP connection, not an HTTPS one. It's easy
to configure an HTTP connector that redirects to HTTPS.

> Getting this garbled data is considered more or less security
> leak.

Considered a security leak by whom? There is no information leakage.
There are no secrets being transmitted. This is an inconvenience to
the user that you can easily remedy.

> I am attaching the sample server xml of the tomcat .

Thanks, but it wasn't relevant (other than to confirm that you weren't
configuring an HTTPS connector on a standard HTTP port such as 80).

> Please advise what needs to be done.

If you want your users to get a 404, then you should listen on port 80
(for HTTP) and return 404 for all requests. If you want to do better
than that, you should listen on port 80 (for HTTP) and redirect all
requests to the secure port.

> PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not
> show above behaviour.

It should behave exactly the same way.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlb5NXEACgkQ9CaO5/Lv0PA1WACfVyLxPNvG8EDwcNgNthvA0GOI
eE0AoLOsRTnqp99mmIktin69zJz89pVj
=YDpX
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Getting garbled data when making http request on https port

[Amey Rokde]

Dear Community

We are using the apache-tomcat-7.0.55 and have configured only one SSL
connector (7070).

The SSL connection (https) )works properly and i am able to fetch the
request. But if we make http request we get the garbled data to be
downloaded in the browser.

I tried searching over the net but the information available is more about
redirect and things around it. What i want is to prevent this garbled data
and get more of http 404 not found.

Getting this garbled data is considered more or less security leak. I am
attaching the sample server xml of the tomcat .

Please advise what needs to be done.

Thanks

Amey

PS: the higher tomcat versions namely apache-tomcat-8.0.32 does not show
above behaviour.



  
  
  
  
  
  
  
  
  

  
  


  

  
  


	
	



  
  


  

  


 
 





  

  

  


  

  
  




  







 
 
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org