date:20161027

Re: Proxy Apache https to Tomcat http

2016-10-27 Thread Ted Spradley

Chris,

Problem solved.

On Thu, Oct 27, 2016 at 12:32 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Ted,
>
> (I apologize, I didn't see your message from he 5th until just now. I
> would have replied earlier.)
>
> On 10/27/16 12:21 PM, Ted Spradley wrote:
> On Wed, Oct 5, 2016 at 7:52 PM, Christopher Schultz wrote:
> >> Explicit descriptor XML file placed in
> >> CATALINA_HOME/conf/[service]/[ host]/[app].xml?
> >
> > Yes - with a caveat. The path is CATALINA_HOME/conf/[service]/[
> > host]/context.xml
>
> Do you mean a /literal/ context.xml? That will deploy your application
> to /context.
>
> Yes to the literal context.xml. I'm assuming the applications get deployed
to the proper context because of the appBase attribute in the host
definition.


example.com





> > The only contents being one empty  element with the
> > docBase attribute defined
> >
> > 
> >
> > 
>
> That's just fine.
>
> > The CATALINA_HOME/exampledotcomapps directory contains three
> > applications deployed using the manager application. 1.
> > "http:example.com/mycontext" 2. "http:example.com/anotherContext"
> > 3. "http:example.com/stillAnontherContext"
>
> Okay, so you have a  with appBase set to
> CATAINA_HOME/exampledotcomapps.
>
> Note that you aren't using the manager, here. The manager is a web
> application that lets you upload and manage running applications via
> an HTTP interface. Putting files on the disk under CATALINA_HOME/conf
> will generally just go ahead and deploy them under a default
> configuration -- that is, one where autoDeploy is set to true.
>
>
There is an instance of manager in CATALINA_HOME/exampledotcomapps
that I use to deploy those applications.

> All three applications are reached as expected through the proxy on
> > port 80.
> >
> > The path CATALINA_HOME/exampledotcomapps matches the appBase
> > attribute in the  element for example.com in
> > CATALINA_HOME/conf/server.xml
>
> Gotcha.
>
> > I've since defined a separate Connector to listen for the redirect
> >  from Apache on port 8082 because I thought there was a
> > possibility the proxyPort directive would need to be specifically
> > port 443 instead of port 80.
>
> Several things: mod_proxy isn't redirecting anything... it's proxying
> the connection. It sounds pedantic but it's important to use the right
> terminology here since both proxying and redirects are valid ways to
> change where the data is coming from. A redirect would involve the
> client making a follow-up HTTP request. mod_proxy is instead handling
> the client's connection on behalf of the client through to Tomcat.
>
>
Thank you for this.

The "redirect port" is the port that will be used to redirect the user
> if a security-constraint cannot be fulfilled using the current
> connector. Most practically, it means that if the application says "I
> need TLS" and the connection isn't a TLS connection, then Tomcat will
> redirect the user to the same URL but with an https:// protocol and
> that port number you specify. It comes preconfigured as 8443 since
> that will generally get you back to Tomcat instead of some other
> service. For a real service, you probably want that set to "443".
>
>
This is one  of the key changes that solved the https access issue.

This is the port number that the CLIENT will end up using. Using port
> 80 for the redirectPort will basically never work. You should leave it
> as 443 if you want httpd to do the TLS termination (which it's pretty
> obvious you are in fact trying to do).
>
> > So now I have a Connector to receive the port 80 traffic and
> > another for the port 443 traffic. I've tried it with and without
> > the redirectPort attribute. Still no success.
>
> Okay. This is IMO the best configuration especially if you want to
> treat some applications as secure and others as insecure. (In my
> environment, everything is secure, so I use only a single Connector.)
>
> > The Connectors appear in this order in server.xml
> >
> >  > connectionTimeout="2" proxyName="www.example.com"
> > proxyPort="80" redirectPort="8443" xpoweredBy="false"
> > server="Apache TomEE" />  > protocol="HTTP/1.1" connectionTimeout="2"
> > proxyName="www.example.com" proxyPort="443" redirectPort="8443"
> > xpoweredBy="false" server="Apache TomEE" />
>
> I think you want redirectPort="443" for both of those connectors.
> Assuming that you want port 8082 to be used for proxying HTTPS
> connections, you are going to want to set these attributes at well:
>

Done.


>
>   scheme="https"
>   secure="true"
>
>
Done.


> This will let your application know that the connection is secure (but
> it's up to you to make sure that it actually IS by not e.g. proxying a
> non-TLS connection to port 8082).
>
> There are ways to get this to work with a single connector and have
> the reverse proxy (that's httpd_+mod_proxy, here) tell Tomcat what
> kind of connection it is. But you have to configure a

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Caldarale, Charles R

> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

> On 10/27/16 1:45 PM, Dustin Delage wrote:
> > Looks like the app is now slated for redevelopment. Thanks
> > everyone.

> I still think this has nothing to do with your application...

Maybe, maybe not.  On a fresh install of Tomcat 9.0.0.M11 using JDK 1.8.0_102 
running as a service on Windows 7 Pro, I see the following ports in use:

Protocol  Local Address Remote AddressState
TCP   :8009   :0  LISTENING
TCP   :8080   :0  LISTENING
TCP   :8005   :0  LISTENING
TCP   :55089  :55090  ESTABLISHED
TCP   :55090  :55089  ESTABLISHED
TCP   :55091  :55092  ESTABLISHED
TCP   :55092  :55091  ESTABLISHED
TCP   :55093  :55094  ESTABLISHED
TCP   :55094  :55093  ESTABLISHED
TCP   :55095  :55096  ESTABLISHED
TCP   :55096  :55095  ESTABLISHED
TCP   :55097  :55098  ESTABLISHED
TCP   :55098  :55097  ESTABLISHED
TCP   :55099  :55100  ESTABLISHED
TCP   :55100  :55099  ESTABLISHED
TCPV6 :8009   :0  LISTENING
TCPV6 :8080   :0  LISTENING

I haven't figured out what all the paired ports with established connections 
are used for yet; maybe stdin, stdout, stderr, and ??  If some of the ports are 
redirects of stdout and/or stderr, the webapp could be dumping a lot of junk 
there, causing the high CPU usage.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dustin,

On 10/27/16 1:45 PM, Dustin Delage wrote:
> Looks like the app is now slated for redevelopment. Thanks
> everyone.

I still think this has nothing to do with your application...

- -chris

> -Original Message- From: Mark Thomas
> [mailto:ma...@apache.org] Sent: Thursday, October 27, 2016 4:48 AM 
> To: Tomcat Users List  Subject: Re: Tomcat
> 9 exe, High CPU usage due to TCP I/O with itself
> 
> On 26/10/2016 18:07, Dustin Delage wrote:
>> Tomcat 9, running on Windows Server 2008, runs the CPU at 79% -
>> 90% continuously. The only activity is tomcat spamming itself
>> with TCP traffic. Same proc ID, out one port, to another port
>> back to itself.
> 
> Tomcat doesn't do that. That looks more likely to be an app issue.
> 
> A series of thread dumps (3 thread dumps, 10 seconds apart) should
> provide some pointers as to what is going on. A profiler (e.g.
> YourKit) would be better.
> 
> Mark
> 
>> 
>> A small sample from Process Monitor:
>> 
>> #
#
>>
>> 

>> #
#
>>
>> 

>> ## 10:16:04.7458125 AM   Tomcat9.exe 1932TCP
>> Receive 7f00:1::d880:fe03:80fa::49199 -> 
>> 7f00:1:::::::49198   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458374 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49198 -> Sage-Web03.sage.local:49199
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7458805 AM Tomcat9.exe 1932TCP Receive 
>> 7f00:1::d880:fe03:80fa::49197 -> 
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458972 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7459244 AM Tomcat9.exe 1932TCP Receive 
>> 7f00:1::d880:fe03:80fa::49197 -> 
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7459507 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 
>> #
#
>>
>> 

>> #
#
>>
>> 

>> ###
>> 
>> Attaching an image of my findings as well
>> 
>> Thank You,
>> 
>> D Delage
>> 
>> 
>> 
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYElPDAAoJEBzwKT+lPKRY7qoP/jL/CvgwumQ8n5f4vw4yFYFC
IedXndeyp6iQ5XGKi+XjjjCPUHPf0rQgjBtfn1yBmVh8Pn2QKA4SGVPrQoRwD/Q1
5HSY8n4cALaeTBLUbf/rVqeu3zzRs+TDPTf9O6MHa6PXj9LTxlRB8PqEzV8ltnLT
1UHC5w8XvDTFtVRRnmYdr0615zByEEf1l6EUbFZsi+fRTA/f39eMohXDgNYQzJ1j
WL1BcmpBPJfxHZjnfkOxI8QnieAnBprNGk9T8cpbuTFURTG9B0HZ/LtWOGaCN63e
Ji2Riu84TZx0Y2uz5XwunyPykRqBxMRyZhtzvCuomna8R+hYf+6i3utXnzcaKwID
dAvJm7vr/BbJen5tzvzGkAX26Zl4I6UCfcVzp0OW1wmbX+gTLdmEaT0kQrO5Udz4
ZraXF5zxwYEh/BHtVv/tF6GrOSI8c3GUZOZwi6P7ItMiCahkj8seAgPBA49g9wrq
HBuGRSaTW6xdyZoYzJVX4gyTjVPrCm71Ky8eORh96EnMYW/Rd+zCq9sy8UCkBg5V
/aFmv+ax1PFPNByMQKtRRItQorxLanmt2Z/K1SWm6kDHhT7hMHFZcHe/Q3QMiTwi
sbeGXCCGH5KEZC+j/w8OzfPJgJPJYrMyuJs/CcBNxp9zYZISL8N/IcqMFqkSMl0g
QGYcT3vU2hHFlD75Ksn/
=NpHn
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Dustin Delage

Looks like the app is now slated for redevelopment. Thanks everyone.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, October 27, 2016 4:48 AM
To: Tomcat Users List 
Subject: Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

On 26/10/2016 18:07, Dustin Delage wrote:
> Tomcat 9, running on Windows Server 2008, runs the CPU at 79% - 90%
> continuously. The only activity is tomcat spamming itself with TCP
> traffic. Same proc ID, out one port, to another port back to itself.

Tomcat doesn't do that. That looks more likely to be an app issue.

A series of thread dumps (3 thread dumps, 10 seconds apart) should provide
some pointers as to what is going on. A profiler (e.g. YourKit) would be
better.

Mark

>
> A small sample from Process Monitor:
>
> ##
> 
> ##
> 
> ##
> 10:16:04.7458125 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49199 ->
> 7f00:1:::::::49198SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7458374 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49198 -> Sage-Web03.sage.local:49199SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> 10:16:04.7458805 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49197 ->
> 7f00:1:::::::49196SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7458972 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> 10:16:04.7459244 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49197 ->
> 7f00:1:::::::49196SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7459507 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> ##
> 
> ##
> 
> ###
>
> Attaching an image of my findings as well
>
> Thank You,
>
> D Delage
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Proxy Apache https to Tomcat http

2016-10-27 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ted,

(I apologize, I didn't see your message from he 5th until just now. I
would have replied earlier.)

On 10/27/16 12:21 PM, Ted Spradley wrote:
On Wed, Oct 5, 2016 at 7:52 PM, Christopher Schultz wrote:
>> Explicit descriptor XML file placed in
>> CATALINA_HOME/conf/[service]/[ host]/[app].xml?
> 
> Yes - with a caveat. The path is CATALINA_HOME/conf/[service]/[ 
> host]/context.xml

Do you mean a /literal/ context.xml? That will deploy your application
to /context.

> The only contents being one empty  element with the
> docBase attribute defined
> 
> 
> 
> 

That's just fine.

> The CATALINA_HOME/exampledotcomapps directory contains three
> applications deployed using the manager application. 1.
> "http:example.com/mycontext" 2. "http:example.com/anotherContext" 
> 3. "http:example.com/stillAnontherContext"

Okay, so you have a  with appBase set to
CATAINA_HOME/exampledotcomapps.

Note that you aren't using the manager, here. The manager is a web
application that lets you upload and manage running applications via
an HTTP interface. Putting files on the disk under CATALINA_HOME/conf
will generally just go ahead and deploy them under a default
configuration -- that is, one where autoDeploy is set to true.

> All three applications are reached as expected through the proxy on
> port 80.
> 
> The path CATALINA_HOME/exampledotcomapps matches the appBase
> attribute in the  element for example.com in 
> CATALINA_HOME/conf/server.xml

Gotcha.

> I've since defined a separate Connector to listen for the redirect
>  from Apache on port 8082 because I thought there was a
> possibility the proxyPort directive would need to be specifically
> port 443 instead of port 80.

Several things: mod_proxy isn't redirecting anything... it's proxying
the connection. It sounds pedantic but it's important to use the right
terminology here since both proxying and redirects are valid ways to
change where the data is coming from. A redirect would involve the
client making a follow-up HTTP request. mod_proxy is instead handling
the client's connection on behalf of the client through to Tomcat.

The "redirect port" is the port that will be used to redirect the user
if a security-constraint cannot be fulfilled using the current
connector. Most practically, it means that if the application says "I
need TLS" and the connection isn't a TLS connection, then Tomcat will
redirect the user to the same URL but with an https:// protocol and
that port number you specify. It comes preconfigured as 8443 since
that will generally get you back to Tomcat instead of some other
service. For a real service, you probably want that set to "443".

This is the port number that the CLIENT will end up using. Using port
80 for the redirectPort will basically never work. You should leave it
as 443 if you want httpd to do the TLS termination (which it's pretty
obvious you are in fact trying to do).

> So now I have a Connector to receive the port 80 traffic and
> another for the port 443 traffic. I've tried it with and without
> the redirectPort attribute. Still no success.

Okay. This is IMO the best configuration especially if you want to
treat some applications as secure and others as insecure. (In my
environment, everything is secure, so I use only a single Connector.)

> The Connectors appear in this order in server.xml
> 
>  connectionTimeout="2" proxyName="www.example.com" 
> proxyPort="80" redirectPort="8443" xpoweredBy="false" 
> server="Apache TomEE" />  protocol="HTTP/1.1" connectionTimeout="2" 
> proxyName="www.example.com" proxyPort="443" redirectPort="8443" 
> xpoweredBy="false" server="Apache TomEE" />

I think you want redirectPort="443" for both of those connectors.
Assuming that you want port 8082 to be used for proxying HTTPS
connections, you are going to want to set these attributes at well:

  scheme="https"
  secure="true"

This will let your application know that the connection is secure (but
it's up to you to make sure that it actually IS by not e.g. proxying a
non-TLS connection to port 8082).

There are ways to get this to work with a single connector and have
the reverse proxy (that's httpd_+mod_proxy, here) tell Tomcat what
kind of connection it is. But you have to configure a proxy listener
and configure more stuff on the httpd end. That's one of the reasons I
like mod_jk better since it automatically sends all that stuff to the
back-end.

Something you aren't getting unless you are using the RemoteIPValve[1]
is the ability to tell anything about the client's connection (origin
IP, protocol, etc.) as well as possibly the hostname they were
requesting. I have much less experience with mod_proxy_http than I do
with mod_proxy_ajp/mod_jk which "just handles it". I would recommend
using the RemoteIPValve on the Tomcat end.

> Note: It is curious to me that when I enter https://example.com/ 
> into a browser, Apache serves the page at /var/www/html/index.html 
> which is in

Re: Tomcat Native compile can't find jni_md.h

2016-10-27 Thread Paquin, Brian


> On Oct 27, 2016, at 11:53 AM, Christopher Schultz 
>  wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Brian,
> 
> On 10/27/16 11:47 AM, Paquin, Brian wrote:
>> I’m trying to compile Tomcat Native (1.2.10 that comes with
>> 8.5.6), and get the error “Cannot find jni_md.h” In
>> /usr/lib/jvm/[openjdk-1.8.0_111]/jre/ I have bin and lib but not 
>> include… I downloaded oracle’s 1.8.0_112 JDK and have the same
>> structure (no include).
>> 
>> I haven’t found anything on the web that helps me get the headers 
>> back and was hoping someone here could help.
> 
> It looks like you have a JRE and you need a JDK to build tcnative.
> 
> The JDK contains a jre/ directory and you're right, it has no include/
> subdir. But if you back-out one directory to JAVA_HOME, you should
> have an include/ directory there.
> 
> When I unpack the jdk1.8 archive, I get these files:
> 
> drwxr-xr-x 2 uucp 143 4096 Jun 22 21:53 bin
> - -r--r--r-- 1 uucp 143 3244 Jun 22 21:53 COPYRIGHT
> drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 db
> drwxr-xr-x 3 uucp 143 4096 Jun 22 21:53 include
> - -rwxr-xr-x 1 uucp 143  5091318 Jun 22 11:58 javafx-src.zip
> drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 jre
> drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 lib
> - -r--r--r-- 1 uucp 143   40 Jun 22 21:53 LICENSE
> drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 man
> - -r--r--r-- 1 uucp 143  159 Jun 22 21:53 README.html
> - -rw-r--r-- 1 uucp 143  526 Jun 22 21:53 release
> - -rw-r--r-- 1 uucp 143 21109887 Jun 22 21:53 src.zip
> - -rwxr-xr-x 1 uucp 143   110114 Jun 22 11:58
> THIRDPARTYLICENSEREADME-JAVAFX.txt
> - -r--r--r-- 1 uucp 143   177094 Jun 22 21:53 THIRDPARTYLICENSEREADME.txt
> 
> - -chris

That did it! Thank you!!  (my “find / -name jni” only returned 3 items in 
Tomcat)

Much appreciated,

Brian

Re: Proxy Apache https to Tomcat http

2016-10-27 Thread Ted Spradley

Chris,

On Wed, Oct 5, 2016 at 7:52 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Ted,
>
> On 10/5/16 6:47 PM, Ted Spradley wrote:
> > Chris,
> >
> > On Wed, Oct 5, 2016 at 5:14 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Ted,
> >
> > On 10/5/16 6:10 PM, Ted Spradley wrote:
>  Chris,
> 
>  Thanks for your response.
> 
>  On Wed, Oct 5, 2016 at 3:14 PM, Christopher Schultz <
>  ch...@christopherschultz.net> wrote:
> 
>  Ted,
> 
>  On 10/5/16 3:42 PM, TED SPRADLEY wrote:
> >>> Tomcat 7.0.68 Apache 2.4.6 CentOS  7.2.1511
> 
>  Thanks.
> 
> >>> Problem: A Tomcat application at context "/mycontext"
> >>> on port 8081 running through Apache proxy renders as
> >>> expected when using http://example.com/mycontext but
> >>> https://example.com/mycontext call renders "The
> >>> requested URL /mycontext/ was not found on this
> >>> server."
> >>>
> >>> Question: Do I have a Tomcat Connector configuration
> >>> problem? Or an Apache proxy configuration problem? Or
> >>> an Apache ssl.conf problem?
> >>>
> >>> Note: the CA issued certificate appears to be properly
> >>> installed as evidence by the lock icon in the url bar
> >>> displaying "Verified by Š " when doing a mouseover.
> >>>
> >>> Files: Httpd.conf -  ServerName
> >>> www.example.com ServerAlias *.example.com ProxyRequests
> >>> off ProxyPass /mycontext
> >>> http://example.com:8081/mycontext ProxyPassReverse
> >>> /mycontext http://example.com:8081/mycontext
> >>>   ProxyRequests off
> >>> ProxyPreserveHost on SSLEngine on SSLCertificateFile
> >>> /path/to/certs/ca.crt SSLCertificateKeyFile
> >>> /path/to/key/private/exampleDotCom.key ServerName
> >>> www.example.com ServerAlias *.example.com ProxyPass
> >>> /mycontext http://example.com:8081/mycontext
> >>> ProxyPassReverse /mycontext
> >>> http://example.com:8081/mycontext 
> 
>  On first inspection, that looks correct.
> 
> >>> Tomcat's server.xml Connector  >>> protocol="HTTP/1.1" connectionTimeout="2"
> >>> proxyName="www.example.com" proxyPort="80"
> >>> redirectPort="8443" xpoweredBy="false" server="Apache
> >>> TomEE" />
> 
>  That also looks correct.
> 
>  How have you deployed your actual application?
> 
> 
> > Yes. It is deployed and responds as expected through the
> > proxy when using http.
> >
> > Great. But *HOW* have you deployed your actual application?
> >
> >
> >> Sorry, I missed the "How". I'm not sure what descriptors you are
> >> asking for when you ask how.
>
> Auto-deployed WAR file/directory? WAR/dir deployed via manager
> application? Explicit descriptor XML file placed in
> CATALINA_HOME/conf/[service]/[host]/[app].xml?
>
> WAR/dir deployed via manager application?
Yes
Explicit descriptor XML file placed in CATALINA_HOME/conf/[service]/[
host]/[app].xml?
Yes - with a caveat. The path is CATALINA_HOME/conf/[service]/[
host]/context.xml

The only contents being one empty  element with the docBase
attribute defined




The CATALINA_HOME/exampledotcomapps directory contains three applications
deployed using the manager application.
1. "http:example.com/mycontext"
2. "http:example.com/anotherContext"
3. "http:example.com/stillAnontherContext"

All three applications are reached as expected through the proxy on port 80.

The path CATALINA_HOME/exampledotcomapps matches the
appBase attribute in the  element for example.com in
CATALINA_HOME/conf/server.xml

I've since defined a separate Connector to listen for the redirect
from Apache on port 8082 because I thought there was a
possibility the proxyPort directive would need to be specifically
port 443 instead of port 80. So now I have a Connector to
receive the port 80 traffic and another for the port 443 traffic.
I've tried it with and without the redirectPort attribute. Still no
success.

The Connectors appear in this order in server.xml





Note: It is curious to me that when I enter https://example.com/
into a browser, Apache serves the page at /var/www/html/index.html
which is in the document root defined in /etc/httpd/conf/httpd.conf

with the directive DocumentRoot "/var/www/html"
My expectation is that the call to https://example.com/ would be
redirected with the pair
  ProxyPass / http://example.com:8082/
  ProxyPassReverse / https://example.com:8082/
in the virtual host element for port 443.

To refresh, the virtual host definitions are currently:


  ServerName www.example.com
  ServerAlias *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass /mycontext  http://example.com:8081/mycontext
  ProxyPassReverse  /mycontext  http://example.com:8081/mycontext
  ProxyPass

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Dustin Delage

Unfortunately my knowledge of Tomcat and Java apps is limited to basic sys
admin stuff. I've made the suggestion to the developer to Profile the app.
I'm sure this will reveal the problem. I might make an attempt as well.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, October 27, 2016 12:03 PM
To: Tomcat Users List 
Subject: Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 10/27/16 4:47 AM, Mark Thomas wrote:
> On 26/10/2016 18:07, Dustin Delage wrote:
>> Tomcat 9, running on Windows Server 2008, runs the CPU at 79% - 90%
>> continuously. The only activity is tomcat spamming itself with TCP
>> traffic. Same proc ID, out one port, to another port back to itself.
>
> Tomcat doesn't do that. That looks more likely to be an app issue.
>
> A series of thread dumps (3 thread dumps, 10 seconds apart) should
> provide some pointers as to what is going on. A profiler (e.g.
> YourKit) would be better.

Tomcat9.exe should be the monitor (procrun), not anything hosting an
application, right?

- -chris

>> A small sample from Process Monitor:
>>
>> #
#
>>
>>

##
>> ## 10:16:04.7458125 AM   Tomcat9.exe 1932TCP
>> Receive 7f00:1::d880:fe03:80fa::49199 ->
>> 7f00:1:::::::49198   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458374 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49198 -> Sage-Web03.sage.local:49199
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7458805 AM Tomcat9.exe 1932TCP Receive
>> 7f00:1::d880:fe03:80fa::49197 ->
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458972 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7459244 AM Tomcat9.exe 1932TCP Receive
>> 7f00:1::d880:fe03:80fa::49197 ->
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7459507 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0
>> #
#
>>
>>

##
>> ###
>>
>> Attaching an image of my findings as well
>>
>> Thank You,
>>
>> D Delage
>>
>>
>>
>>
>> -
>>
>>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
> -
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYEiUyAAoJEBzwKT+lPKRY92oP/jYekQFTj5HaiQsmsQaaWgg+
eGmookPwRATKubROIedjzQA9Y62Y1PL0udQpk5xnEReQ5ISxbUs+OGJtPQippC85
VxILggVIA2ZHuPVd2qEhj1cBb5ppB9n1SsRBFRHU+Y7rdJGp8goIMBZzs1CytR/M
vK7xkyDtXzLinerMGj4k/82KnTfCo6nwf+z7Np03Np2doWXYYcZmJO3yo3N/v4lm
arp1MEHf1qSutd12ga3MeMXwt8e3WZaK5M1gFL7h7CMclIbgUBz0vGtZ7VYYCB7g
qVCzwQi64Jt7HADwllKKLmPC/N3lA3zTQvp/o1z8qsDSYPtbaZNSKNnSoqb4uzx/
8Z59Y3HZEQudT8gV2GwNzULmGh6Clcn3ECQaUxnK81YZFz0YluO8QbKTMuRM18pb
mr8UH/JoPO3PUaBsDvWo95KUZw8m1+YPhvtMCi0r2NTD7j+Klr3r9cHubAHq21Hi
VfsGXHm1Pv7vaYVx4za9bREtxEtQZWkQOsjrviYX9lH5n2Ad8QwWOd0fI4HrLBhM
3i/zE7VSOLnCpCZwQ0Dpx7inzVIuXQzmvecdSS6MsuPea3uzNqgSbKoct0A28tTU
Em1dBwPuyeHVISnxBtTYufJOeBSBEq/sFW5385QftHLQgwfH4aVouix9U6pLfAF0
+ptjg7u5okrPzuh+6RTx
=laEe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 10/27/16 4:47 AM, Mark Thomas wrote:
> On 26/10/2016 18:07, Dustin Delage wrote:
>> Tomcat 9, running on Windows Server 2008, runs the CPU at 79% -
>> 90% continuously. The only activity is tomcat spamming itself
>> with TCP traffic. Same proc ID, out one port, to another port
>> back to itself.
> 
> Tomcat doesn't do that. That looks more likely to be an app issue.
> 
> A series of thread dumps (3 thread dumps, 10 seconds apart) should 
> provide some pointers as to what is going on. A profiler (e.g.
> YourKit) would be better.

Tomcat9.exe should be the monitor (procrun), not anything hosting an
application, right?

- -chris

>> A small sample from Process Monitor:
>> 
>> #
#
>>
>> 

##
>> ## 10:16:04.7458125 AM   Tomcat9.exe 1932TCP
>> Receive 7f00:1::d880:fe03:80fa::49199 -> 
>> 7f00:1:::::::49198   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458374 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49198 -> Sage-Web03.sage.local:49199
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7458805 AM Tomcat9.exe 1932TCP Receive 
>> 7f00:1::d880:fe03:80fa::49197 -> 
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7458972 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 10:16:04.7459244 AM Tomcat9.exe 1932TCP Receive 
>> 7f00:1::d880:fe03:80fa::49197 -> 
>> 7f00:1:::::::49196   SUCCESS Length: 1,
>> seqnum: 0, connid: 0 10:16:04.7459507 AM Tomcat9.exe 1932TCP
>> Send Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197
>> SUCCESS Length: 1, startime: 12341635, endtime: 12341635, seqnum:
>> 0, connid: 0 
>> #
#
>>
>> 

##
>> ###
>> 
>> Attaching an image of my findings as well
>> 
>> Thank You,
>> 
>> D Delage
>> 
>> 
>> 
>> 
>> -
>>
>> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYEiUyAAoJEBzwKT+lPKRY92oP/jYekQFTj5HaiQsmsQaaWgg+
eGmookPwRATKubROIedjzQA9Y62Y1PL0udQpk5xnEReQ5ISxbUs+OGJtPQippC85
VxILggVIA2ZHuPVd2qEhj1cBb5ppB9n1SsRBFRHU+Y7rdJGp8goIMBZzs1CytR/M
vK7xkyDtXzLinerMGj4k/82KnTfCo6nwf+z7Np03Np2doWXYYcZmJO3yo3N/v4lm
arp1MEHf1qSutd12ga3MeMXwt8e3WZaK5M1gFL7h7CMclIbgUBz0vGtZ7VYYCB7g
qVCzwQi64Jt7HADwllKKLmPC/N3lA3zTQvp/o1z8qsDSYPtbaZNSKNnSoqb4uzx/
8Z59Y3HZEQudT8gV2GwNzULmGh6Clcn3ECQaUxnK81YZFz0YluO8QbKTMuRM18pb
mr8UH/JoPO3PUaBsDvWo95KUZw8m1+YPhvtMCi0r2NTD7j+Klr3r9cHubAHq21Hi
VfsGXHm1Pv7vaYVx4za9bREtxEtQZWkQOsjrviYX9lH5n2Ad8QwWOd0fI4HrLBhM
3i/zE7VSOLnCpCZwQ0Dpx7inzVIuXQzmvecdSS6MsuPea3uzNqgSbKoct0A28tTU
Em1dBwPuyeHVISnxBtTYufJOeBSBEq/sFW5385QftHLQgwfH4aVouix9U6pLfAF0
+ptjg7u5okrPzuh+6RTx
=laEe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat Native compile can't find jni_md.h

2016-10-27 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Brian,

On 10/27/16 11:47 AM, Paquin, Brian wrote:
> I’m trying to compile Tomcat Native (1.2.10 that comes with
> 8.5.6), and get the error “Cannot find jni_md.h” In
> /usr/lib/jvm/[openjdk-1.8.0_111]/jre/ I have bin and lib but not 
> include… I downloaded oracle’s 1.8.0_112 JDK and have the same
> structure (no include).
> 
> I haven’t found anything on the web that helps me get the headers 
> back and was hoping someone here could help.

It looks like you have a JRE and you need a JDK to build tcnative.

The JDK contains a jre/ directory and you're right, it has no include/
subdir. But if you back-out one directory to JAVA_HOME, you should
have an include/ directory there.

When I unpack the jdk1.8 archive, I get these files:

drwxr-xr-x 2 uucp 143 4096 Jun 22 21:53 bin
- -r--r--r-- 1 uucp 143 3244 Jun 22 21:53 COPYRIGHT
drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 db
drwxr-xr-x 3 uucp 143 4096 Jun 22 21:53 include
- -rwxr-xr-x 1 uucp 143  5091318 Jun 22 11:58 javafx-src.zip
drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 jre
drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 lib
- -r--r--r-- 1 uucp 143   40 Jun 22 21:53 LICENSE
drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 man
- -r--r--r-- 1 uucp 143  159 Jun 22 21:53 README.html
- -rw-r--r-- 1 uucp 143  526 Jun 22 21:53 release
- -rw-r--r-- 1 uucp 143 21109887 Jun 22 21:53 src.zip
- -rwxr-xr-x 1 uucp 143   110114 Jun 22 11:58
THIRDPARTYLICENSEREADME-JAVAFX.txt
- -r--r--r-- 1 uucp 143   177094 Jun 22 21:53 THIRDPARTYLICENSEREADME.txt

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJYEiL8AAoJEBzwKT+lPKRYj+wP/0OUeSQn/w8bh6lII/eviMO2
bJwbot3/WrPBT3jMwUoZK/3/QyJ118brLFqInddKDKsUpyKalZ0K6hLzLbP2NGA+
GtyHA6TgJbPcMpbd3Fdpzpcbf1Oy+5WQOoDUgV5rC69yFyDg2d5+R1MHfMRSZ0lp
UqtkEEJ0LRN1YxQV23XwgUIGBI6j/ZYw3KTWg7747V7/NPBSF/FuOxQt0flHZy+W
jZtel0H7j2SMLRrVxMSCGeemZgry2bx7mDsmT9Sz+ycrgOalxeg3MUbIZZk/zISC
Ldd3KaL6d98g9VOFX0uO3bLyH+eQ3l5yQu26ziKP64keQww0HODTWatC0xQI+JVZ
v/y/gKgRiFd8ASW04qDaLDQLfUl32d3DrZX26MhfBWxtWJEGqeXhCMXgr3fb+cnF
c3wsYhH7alppZ1iDqf3LcpB2gcQrg2VNE8nvgse+/s/t19U4vsU5TGhtovVOoq2h
bV9Cl0atLgueSx+YCTNJy7Am8lsUwWrIEcZ8fA+g8WTIGEJrtgfvbY+qjgei/z5o
NQylLCDWYXEe7SM+CSUpAzbP15HP/kjcyp8s+GO5YJRiewT8ZVCr4JPrHW1oexEu
IpDTH17Vxtf/Z/6T+coj1s/oIzX3RWutcdWpgyTH4ACRUYrGi0U0pLDlMkBcCMxy
1wZA0UwWhI1v1s4BIeZm
=nqnn
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat Native compile can't find jni_md.h

2016-10-27 Thread Paquin, Brian

I’m trying to compile Tomcat Native (1.2.10 that comes with 8.5.6), and get the 
error “Cannot find jni_md.h”
In /usr/lib/jvm/[openjdk-1.8.0_111]/jre/ I have bin and lib but not include…
I downloaded oracle’s 1.8.0_112 JDK and have the same structure (no include).

I haven’t found anything on the web that helps me get the headers back and was 
hoping someone here could help.

Brian

[SECURITY] CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources

2016-10-27 Thread Mark Thomas

CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
The ResourceLinkFactory did not limit web application access to global
JNDI resources to those resources explicitly linked to the web
application. Therefore, it was possible for a web application to access
any global JNDI resource whether an explicit ResourceLink had been
configured or not.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later
  (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later
  (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2016-6796 Apache Tomcat Security Manager Bypass

2016-10-27 Thread Mark Thomas

CVE-2016-6796 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
A malicious web application was able to bypass a configured
SecurityManager via manipulation of the configuration parameters for the
JSP Servlet.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later
  (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later
  (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2016-5018 Apache Tomcat Security Manager Bypass

2016-10-27 Thread Mark Thomas

CVE-2016-5018 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
A malicious web application was able to bypass a configured
SecurityManager via a Tomcat utility method that was accessible to web
applications.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later
  (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later
  (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by Alvaro Munoz of the HP Enterprise Security
Team and reported responsibly to the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2016-6794 Apache Tomcat Security System Property Disclosure

2016-10-27 Thread Mark Thomas

CVE-2016-6794 Apache Tomcat System Property Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
When a SecurityManager is configured, a web application's ability to
read system properties should be controlled by the SecurityManager.
Tomcat's system property replacement feature for configuration files
could be used by a malicious web application to bypass the
SecurityManager and read system properties that should not be visible.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later
  (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later
  (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2016-0762 Apache Tomcat Realm Timing Attack

2016-10-27 Thread Mark Thomas

CVE-2016-0762 Apache Tomcat Realm Timing Attack

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
The Realm implementations did not process the supplied password if the
supplied user name did not exist. This made a timing attack possible to
determine valid user names. Note that the default configuration includes
the LockOutRealm which makes exploitation of this vulnerability harder.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later
  (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later
  (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: setWriteListener and async operations concurrency

2016-10-27 Thread tomcat

On 27.10.2016 13:41, Sergey Mashkov wrote:

On Thu, Oct 27, 2016 at 2:19 PM André Warnier (tomcat)
wrote:

On 27.10.2016 12:15, Sergey Mashkov wrote:

I am experiencing deadlock when trying to set output stream write

listener:

The thread from my own thread pool is trying to set a write listener (my
code via setWriteListener call) and another one thread is
https-jsse-nio-N-exec is trying to close and flush (there is no my code

the stack trace) and no more threads locked.
..
So the question is: is it even legal to call any async operation from
non-server thread? I see a lot of existing code in the web assumes that

is. I also used to write so many times with no issues until now. This is
why I suppose it could be a tomcat bug.

Hi.
Not an answer to your questions, but :
It would be good practice, and probably help a lot the people here to
answer your
questions, if you provided :
- the Tomcat version
- the Java version
- the platform OS and version
You can find all of those in the Tomcat logs, or by running the
(tomcat_dir)/bin/VERSION.(sh|bat)

It's more about the API and requirements: the documentation is not clear
about threading. But if it's a bug then it could be significant

The documentation also corresponds to the version of Tomcat, so it is significant and
useful (and mainly it saves time for the list volunteers) if you specify what you are
looking at.

You want free expert advice. You will get it on this list.
But the easier and less time-consuming you make it for these experts, the quicker you will
have your expert response.

Versions are 9.0.0M6 and M11, java 8u112, Linux x86_64

Thank you.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: setWriteListener and async operations concurrency

2016-10-27 Thread Sergey Mashkov

On Thu, Oct 27, 2016 at 2:19 PM André Warnier (tomcat) 
wrote:

> On 27.10.2016 12:15, Sergey Mashkov wrote:
> > Hi
> >
> > I am experiencing deadlock when trying to set output stream write
> listener:
> > The thread from my own thread pool is trying to set a write listener (my
> > code via setWriteListener call) and another one thread is
> > https-jsse-nio-N-exec is trying to close and flush (there is no my code
> in
> > the stack trace) and no more threads locked.
> > ..
> > So the question is: is it even legal to call any async operation from
> > non-server thread? I see a lot of existing code in the web assumes that
> it
> > is. I also used to write so many times with no issues until now. This is
> > why I suppose it could be a tomcat bug.
> >
>
> Hi.
> Not an answer to your questions, but :
> It would be good practice, and probably help a lot the people here to
> answer your
> questions, if you provided :
> - the Tomcat version
> - the Java version
> - the platform OS and version
> You can find all of those in the Tomcat logs, or by running the
> (tomcat_dir)/bin/VERSION.(sh|bat)
>

It's more about the API and requirements: the documentation is not clear
about threading. But if it's a bug then it could be significant

Versions are 9.0.0M6 and M11, java 8u112, Linux x86_64


>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: setWriteListener and async operations concurrency

2016-10-27 Thread tomcat


On 27.10.2016 12:15, Sergey Mashkov wrote:

Hi

I am experiencing deadlock when trying to set output stream write listener:
The thread from my own thread pool is trying to set a write listener (my
code via setWriteListener call) and another one thread is
https-jsse-nio-N-exec is trying to close and flush (there is no my code in
the stack trace) and no more threads locked.
..
So the question is: is it even legal to call any async operation from
non-server thread? I see a lot of existing code in the web assumes that it
is. I also used to write so many times with no issues until now. This is
why I suppose it could be a tomcat bug.



Hi.
Not an answer to your questions, but :
It would be good practice, and probably help a lot the people here to answer your 
questions, if you provided :

- the Tomcat version
- the Java version
- the platform OS and version
You can find all of those in the Tomcat logs, or by running the
(tomcat_dir)/bin/VERSION.(sh|bat)



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

setWriteListener and async operations concurrency

2016-10-27 Thread Sergey Mashkov

Hi

I am experiencing deadlock when trying to set output stream write listener:
The thread from my own thread pool is trying to set a write listener (my
code via setWriteListener call) and another one thread is
https-jsse-nio-N-exec is trying to close and flush (there is no my code in
the stack trace) and no more threads locked.
.
So the question is: is it even legal to call any async operation from
non-server thread? I see a lot of existing code in the web assumes that it
is. I also used to write so many times with no issues until now. This is
why I suppose it could be a tomcat bug.

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Mark Thomas

On 26/10/2016 18:07, Dustin Delage wrote:
> Tomcat 9, running on Windows Server 2008, runs the CPU at 79% - 90%
> continuously. The only activity is tomcat spamming itself with TCP
> traffic. Same proc ID, out one port, to another port back to itself.

Tomcat doesn't do that. That looks more likely to be an app issue.

A series of thread dumps (3 thread dumps, 10 seconds apart) should
provide some pointers as to what is going on. A profiler (e.g. YourKit)
would be better.

Mark

> 
> A small sample from Process Monitor:
> 
> ##
> ##
> ##
> 10:16:04.7458125 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49199 ->
> 7f00:1:::::::49198SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7458374 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49198 -> Sage-Web03.sage.local:49199SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> 10:16:04.7458805 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49197 ->
> 7f00:1:::::::49196SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7458972 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> 10:16:04.7459244 AM   Tomcat9.exe 1932TCP Receive
> 7f00:1::d880:fe03:80fa::49197 ->
> 7f00:1:::::::49196SUCCESS Length: 1, seqnum:
> 0, connid: 0
> 10:16:04.7459507 AM   Tomcat9.exe 1932TCP Send
> Sage-Web03.sage.local:49196 -> Sage-Web03.sage.local:49197SUCCESS
> Length: 1, startime: 12341635, endtime: 12341635, seqnum: 0, connid: 0
> ##
> ##
> ###
> 
> Attaching an image of my findings as well
> 
> Thank You,
> 
> D Delage
> 
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Proxy Apache https to Tomcat http

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

Re: Proxy Apache https to Tomcat http

Re: Tomcat Native compile can't find jni_md.h

Re: Proxy Apache https to Tomcat http

RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

Re: Tomcat Native compile can't find jni_md.h

Tomcat Native compile can't find jni_md.h

[SECURITY] CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources

[SECURITY] CVE-2016-6796 Apache Tomcat Security Manager Bypass

[SECURITY] CVE-2016-5018 Apache Tomcat Security Manager Bypass

[SECURITY] CVE-2016-6794 Apache Tomcat Security System Property Disclosure

[SECURITY] CVE-2016-0762 Apache Tomcat Realm Timing Attack

Re: setWriteListener and async operations concurrency

Re: setWriteListener and async operations concurrency

Re: setWriteListener and async operations concurrency

setWriteListener and async operations concurrency

Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

21 matches

Site Navigation

Mail list logo

Footer information