RE: getRealPath is a bad idea?

2017-03-10 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: getRealPath is a bad idea?

> I would use a well-known location for the file. Maybe the application
> can be installed anywhere, but the config file needs to be in
> %APPDATA%\YourCompany\YourProduct\config.properties

An alternative is to have the customer define the location in a Java system 
property via setenv.bat (or service properties) when installing the webapp.  (I 
know, not pretty, but it's the webapp doing the lookup, not Tomcat.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Re:[OT] get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re:[OT] get NPE from NamingContextListener in app moved from TomEE 
> to Tomcat

> > name="jdbc/tst36" not id=...

> Hmm. When 'name' is null we should have a better behavior than NPE. :(

It gets your attention...

 - Chuck





Re:[OT] get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread Christopher Schultz

Mark,

On 3/10/17 12:42 PM, Mark Thomas wrote:
> On 10/03/2017 17:39, KARR, DAVID wrote:
>> I have a CXF/REST/Spring/JDBC app running in TomEE (7.0.1).  I've
>> decided to try to move it to Tomcat (8.5.11) because of some
>> classloader conflicts (CXF classes) I'm now seeing in trying to
>> add some new code to the app.
>> 
>> Initially, I'm just running the server in Eclipse.
>> 
>> When I add the apps to Tomcat and start it up, without changing
>> the server conf, it starts up, but it fails to find my JNDI
>> resources (obviously).
>> 
>> I have the following DataSource definition in the "tomee.xml"
>> file in TomEE, which is working fine: -- 
>>  testOnBorrow = true 
>> testOnReturn = true testWhileIdle = true logValidationErrors =
>> true validationQuery = select 1 from dual JdbcDriver =
>> oracle.jdbc.OracleDriver InitialSize = 2 MaxActive = 2 MinIdle =
>> 2 MaxIdle = 2 JdbcUrl = ... UserName = ... Password = ... 
>>  -
>> 
>> When I attempt to add this Resource definition to the
>> "context.xml" file in Tomcat 8.5.11, I see errors like the
>> following, and Tomcat fails to start up:
>> Caused by: java.lang.NullPointerException
>> at java.util.StringTokenizer.(StringTokenizer.java:199)
>> at java.util.StringTokenizer.(StringTokenizer.java:221)
>> at org.apache.catalina.core.NamingContextListener.createSubcontexts(NamingContextListener.java:1300)
>> at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1081)
>> at org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:661)
>> at org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:249)
>> -
>> 
>> I've tried converting the Resource definition to look more
>> "normal", but nothing I've tried makes any difference.  This is
>> the current state of it: -- > id="jdbc/tst36" type="javax.sql.DataSource" auth="Container"
> 
> name="jdbc/tst36" not id=...

Hmm. When 'name' is null we should have a better behavior than NPE. :(

- -chris



Re: getRealPath is a bad idea?

2017-03-10 Thread Christopher Schultz

Cris,

On 3/10/17 2:02 PM, Berneburg, Cris J. - US wrote:
> Chris
> 
> Thanks for taking the time to help me out.  I appreciate it.
> Sorry, my response is kinda wordy.  :-P
> 
>> If you really REALLY want a file path, you could use the 
>> catalina.base system property or the tmpdir and go from there.
>> The former is Tomcat-specific, of course, and the tmpdir would
>> be *anywhere*, but if you just really REALLY need a path on the
>> disk, you could get it from there.
> 
> Aha!  Yes, that could work.

It will work, but it's going to suck. :(

>>> Also, maybe I'm not asking the right question. How do you all 
>>> configure the location of a special folder that is not part of 
>>> the deployment package itself? A site-specific config file 
>>> perhaps?
>> 
>> Well-known location like /etc/myapp/config.cfg? Well-known 
>> configuration URL like 
>> https://internal-config.myapp.com/config.cfg?
> 
> Actually it's Windows.  Also, the config file should live in a
> folder that is (1) obvious and (2) we have access to.
> 
>>> Currently I'm using getRealPath for a relative-path location
>> [SNIP]
>> 
>> If the file can be bundled with the WAR file (which would be
>> best), then you should get 
>> ServletContext.getResource("/path/rooted/in/the/WAR/file/config.cfg").
>
> Unfortunately it's a site-specific configuration, meaning the
> value for the setting may be different for each environment, so it
> really cannot be bundled as-is.  The file would need to be tweaked
> before starting the webapp.
> 
> Well, I suppose it could be bundled if, after deploying the
> webapp, we extracted the config file, modified it for the current
> location, and then reinserted it into the WAR file...  But that
> sounds like a lot of work and not what you intended anyway.  ;-)
> Actually, that's exactly how we handle other custom settings, only
> without using a WAR file.  It's clumsy, and I wish there were a
> better way of doing it. So instead of having to tweak the
> configuration after every deployment, we would only do it 1x for
> the first time the application is installed.  That would be great.

That's super-ugly. Better to have an external configuration file. That
supports the Principle of Least Surprise[1].

> I'm not sure I understand how to configure a custom resource or am 
> even grasping the concept.  Can the resource (config file
> location) be defined in the application context web.xml?  If so,
> wouldn't it already be too late since that would mean the config
> file is already bundled with the application?  Unless the location
> of the config file in the resource definition can be expressed as
> an OS-path (not virtual) to point outside of the webapp's home.

I would use a well-known location for the file. Maybe the application
can be installed anywhere, but the config file needs to be in
%APPDATA%\YourCompany\YourProduct\config.properties

Would that be okay? Or are you saying that you need to do things like
configure the JNDI DataSource that would usually be in context.xml?

> Guess I could explain it better.  It's a custom report-generation 
> engine.  A template file is read by a library, processed, dumped
> to an output file, then served to the client.  There is a folder
> with template input files and another folder with the output
> files.

Neither of those are in the WAR, right? Obviously, not the output
files, but what about the input templates?

> Based on what you and Chuck said, it looks like the input
> templates can be claimed as Resources. Since the library can accept
> a java.io.InputStream, then the input templates could be included
> in a WAR file, if we used one.

Be specific when you use a term like "Resources". That has a special
meaning to Tomcat, and actually multiple meanings depending upon the
context. Which did you mean, here?

You can certainly include the templates in the WAR file, but I suspect
that one of your features is clients being able to build their own
templates?

> However, the output folder needs to live outside a WAR file, and
> we need a non-virtual way of specifying the folder (an actual OS
> path) so the library can write the output there.  AND we currently
> don't use a WAR file.  But we could, provided the config file issue
> can be taken care of.  If so, how do you resolve a virtual path to
> a resource outside the WAR file since it's outside the package
> "folder" structure of the WAR?

To WAR or not to WAR, that isn't really the question. But you should
always work as if you were confined to a WAR file.

To directly answer your question about translating virtual paths to
real paths, the answer is "you can't (at least not reliably)".

> Hence the use of getRealPath, so all this configuration juggling
> can simply be bypassed.
> 
> I feel like I'm stuck in a "which came first, the chicken or the
> egg" loop.

I would go for a well-known-location and just tell your customers "the
config file has to go HERE". Maybe 

RE: Moved app from TomEE to Tomcat, now getting Spring errors failing to go through proxy for XML validation

2017-03-10 Thread KARR, DAVID
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, March 10, 2017 10:32 AM
> To: Tomcat Users List 
> Subject: Re: Moved app from TomEE to Tomcat, now getting Spring errors
> failing to go through proxy for XML validation
> 
> David,
> 
> On 3/10/17 1:07 PM, KARR, DAVID wrote:
> > I have an app using CXF/REST/Spring/JDBC that is working pretty well
> > in TomEE (7.0.1).  I'm trying to move it to Tomcat (8.5.11) because it
> > doesn't need to be in TomEE, and I'm having problems adding additional
> > features due to aspects of TomEE.
> >
> > I'm first testing the port by running Tomcat in Eclipse.  I had
> > previously verified that the app works fine in the same environment
> > when running in TomEE.
> >
> > I moved all of my Resource and Environment entries to the Tomcat
> > context.xml file.
> >
> > When I start it up, I'm seeing errors like the following:
> > ---
> > org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
> > Line 1 in XML document from ServletContext resource
> > [/WEB-INF/applicationContext.xml] is invalid; nested exception is
> > org.xml.sax.SAXParseException; systemId:
> > http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The
> > markup in the document preceding the root element must be well-formed.
> > at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:399)
> > ...
> > Caused by: org.xml.sax.SAXParseException; systemId:
> > http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The
> > markup in the document preceding the root element must be well-formed.
> > at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
> > ---
> >
> > That URL that I've elided is the page we see in our enterprise when we
> > try to reach the internet without going through our proxy.
> >
> > So, this app that was working fine in TomEE now is getting this proxy
> > error when it runs in Tomcat.  Any ideas what I might be missing?
> 
> That error seems to be that the markup is bad. Are you saying that the
> markup is bad because the resource you are requesting ends up being an
> HTTP BAD REQUEST or other response rather than the XML document you are
> expecting?

The former, as it fails to get through the proxy.

> How did you have TomEE configured for a proxy before? Generally, proxies
> are configured for the whole JVM.

Curiously, I can't find any evidence that I had configured a proxy for TomEE.  
I never saw this error when running the app in TomEE.

> In Tomcat, you generally do this in one of two ways:
> 
> 1. For a standard command-line launch (e.g. testing, *NIX systems,
> etc.) create/edit CATALINA_BASE/bin/setenv.sh and add the following line:
> 
> CATALINA_OPTS="$CATALINA_OPTS -Dhttp.proxyHost=... ..."

That worked, thanks.

> 2. For Windows Service-based services, open the Tomcat Service Manager
> (tomcatXw.exe //ES//) and add the appropriate system properties to the
> "system properties" tab.
> 
> FYI There will be a few presentations at TomcatCon/ApacheCon in Miami in
> May that might interest you, including a presentation by Romain on
> TomEE and Meecrowave.
> 
> http://events.linuxfoundation.org/events/apachecon-north-america/attend/
> register-

Thanks.  Hopefully those will be recorded.



RE: getRealPath is a bad idea?

2017-03-10 Thread Berneburg, Cris J. - US
Chris

Thanks for taking the time to help me out.  I appreciate it.  Sorry, my 
response is kinda wordy.  :-P

> If you really REALLY want a file path, you could use the catalina.base system
> property or the tmpdir and go from there. The former is Tomcat-specific, of
> course, and the tmpdir would be *anywhere*, but if you just really REALLY need
> a path on the disk, you could get it from there.

Aha!  Yes, that could work.

>> Also, maybe I'm not asking the right question. How do you all 
>> configure the location of a special folder that is not part of the 
>> deployment package itself? A site-specific config file perhaps?
>
> Well-known location like /etc/myapp/config.cfg? Well-known
> configuration URL like https://internal-config.myapp.com/config.cfg?

Actually it's Windows.  Also, the config file should live in a folder that is 
(1) obvious and (2) we have access to.

>> Currently I'm using getRealPath for a relative-path location
> [SNIP]
>
> If the file can be bundled with the WAR file (which would be best), then you
> should get 
> ServletContext.getResource("/path/rooted/in/the/WAR/file/config.cfg").

Unfortunately it's a site-specific configuration, meaning the value for the 
setting may be different for each environment, so it really cannot be bundled 
as-is.  The file would need to be tweaked before starting the webapp.

Well, I suppose it could be bundled if, after deploying the webapp, we 
extracted the config file, modified it for the current location, and then 
reinserted it into the WAR file...  But that sounds like a lot of work and not 
what you intended anyway.  ;-)  Actually, that's exactly how we handle other 
custom settings, only without using a WAR file.  It's clumsy, and I wish there 
were a better way of doing it.  So instead of having to tweak the configuration 
after every deployment, we would only do it 1x for the first time the 
application is installed.  That would be great.

I'm not sure I understand how to configure a custom resource or am even 
grasping the concept.  Can the resource (config file location) be defined in 
the application context web.xml?  If so, wouldn't it already be too late since 
that would mean the config file is already bundled with the application?  
Unless the location of the config file in the resource definition can be 
expressed as an OS-path (not virtual) to point outside of the webapp's home.

Guess I could explain it better.  It's a custom report-generation engine.  A 
template file is read by a library, processed, dumped to an output file, then 
served to the client.  There is a folder with template input files and another 
folder with the output files.  Based on what you and Chuck said, it looks like 
the input templates can be claimed as Resources.  Since the library can accept 
a java.io.InputStream, then the input templates could be included in a WAR 
file, if we used one.

However, the output folder needs to live outside a WAR file, and we need a 
non-virtual way of specifying the folder (an actual OS path) so the library can 
write the output there.  AND we currently don't use a WAR file.  But we could, 
provided the config file issue can be taken care of.  If so, how do you resolve 
a virtual path to a resource outside the WAR file since it's outside the 
package "folder" structure of the WAR?

Hence the use of getRealPath, so all this configuration juggling can simply be 
bypassed.

I feel like I'm stuck in a "which came first, the chicken or the egg" loop.

--
Cris Berneburg
CACI Lead Software Engineer





Re: Moved app from TomEE to Tomcat, now getting Spring errors failing to go through proxy for XML validation

2017-03-10 Thread Christopher Schultz

David,

On 3/10/17 1:07 PM, KARR, DAVID wrote:
> I have an app using CXF/REST/Spring/JDBC that is working pretty
> well in TomEE (7.0.1).  I'm trying to move it to Tomcat (8.5.11)
> because it doesn't need to be in TomEE, and I'm having problems
> adding additional features due to aspects of TomEE.
> 
> I'm first testing the port by running Tomcat in Eclipse.  I had 
> previously verified that the app works fine in the same
> environment when running in TomEE.
> 
> I moved all of my Resource and Environment entries to the Tomcat 
> context.xml file.
> 
> When I start it up, I'm seeing errors like the following: 
> --- 
> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
> Line 1 in XML document from ServletContext resource
> [/WEB-INF/applicationContext.xml] is invalid; nested exception is
> org.xml.sax.SAXParseException; systemId:
> http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The
> markup in the document preceding the root element must be well-formed.
> at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:399)
> ...
> Caused by: org.xml.sax.SAXParseException; systemId:
> http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The
> markup in the document preceding the root element must be well-formed.
> at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
> ---
> 
> That URL that I've elided is the page we see in our enterprise
> when we try to reach the internet without going through our proxy.
> 
> So, this app that was working fine in TomEE now is getting this
> proxy error when it runs in Tomcat.  Any ideas what I might be
> missing?

That error seems to be that the markup is bad. Are you saying that the
markup is bad because the resource you are requesting ends up being an
HTTP BAD REQUEST or other response rather than the XML document you
are expecting?

How did you have TomEE configured for a proxy before? Generally,
proxies are configured for the whole JVM.

http://stackoverflow.com/questions/120797/how-do-i-set-the-proxy-to-be-used-by-the-jvm

In Tomcat, you generally do this in one of two ways:

1. For a standard command-line launch (e.g. testing, *NIX systems,
etc.) create/edit CATALINA_BASE/bin/setenv.sh and add the following line:

CATALINA_OPTS="$CATALINA_OPTS -Dhttp.proxyHost=... ..."

2. For Windows Service-based services, open the Tomcat Service Manager
(tomcatXw.exe //ES//) and add the appropriate system properties to the
"system properties" tab.

FYI There will be a few presentations at TomcatCon/ApacheCon in Miami
in May that might interest you, including a presentation by Romain on
TomEE and Meecrowave.

http://events.linuxfoundation.org/events/apachecon-north-america/attend/
register-

Hope that helps,
- -chris



Re: getRealPath is a bad idea?

2017-03-10 Thread Christopher Schultz

Cris,

On 3/10/17 12:56 PM, Berneburg, Cris J. - US wrote:
> Chuck
> 
>>> How do you all configure the location of a special folder that
>>> is not part of the deployment package itself?  A site-specific
>>> config file perhaps?
>> 
>> Take a look at this: 
>> http://tomcat.apache.org/tomcat-8.5-doc/config/resources.html
>> 
>> A  element within  allows specification of
>> areas outside of the Tomcat deployment that the webapp can access
>> via ServletContext .getResource() or getResourceAsStream().
> 
> Thanks for pointing that out.  Hmm...  It looks like 
> getResourceAsStream might work.  We use a library to process the 
> files.  Currently we supply it with a java.io.File as an input 
> source, but the library also can accept a java.io.InputStream for 
> input too.

Don't forget to close the InputStream when you are done ;)

I see a ton of code like this:

configureFromPropertiesFile(app.getResourceAsStream("/config.file"))

I suspect the JVM does finally close all that junk up, but it's really
bad programming practice IMHO.

- -chris
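
An added example (not code from this thread or from Tomcat) of the approach discussed in the getRealPath messages: the webapp finds its site-specific config file through a Java system property or the well-known %APPDATA% location, closes the stream with try-with-resources, and keeps report output inside the configured folder. The property name `yourproduct.config` and the key `report.output.dir` are assumptions made for the example; the same try-with-resources pattern applies to a stream returned by getResourceAsStream().

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

public class ExternalConfig {

    // Hypothetical property name; set it with -Dyourproduct.config=... in
    // setenv.bat or in the Windows service's Java options.
    static final String CONFIG_PROPERTY = "yourproduct.config";
    // Hypothetical key inside the config file.
    static final String OUTPUT_DIR_KEY = "report.output.dir";

    /** An explicit system property wins; otherwise use the well-known location. */
    static Path locateConfig() {
        String explicit = System.getProperty(CONFIG_PROPERTY);
        if (explicit != null && !explicit.trim().isEmpty()) {
            return Paths.get(explicit).toAbsolutePath().normalize();
        }
        String appData = System.getenv("APPDATA");
        if (appData == null) {
            throw new IllegalStateException(
                "Set -D" + CONFIG_PROPERTY + " or the APPDATA environment variable");
        }
        return Paths.get(appData, "YourCompany", "YourProduct", "config.properties");
    }

    /** try-with-resources closes the stream even when load() throws. */
    static Properties load(Path configFile) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(configFile)) {
            props.load(in);
        }
        return props;
    }

    /** Read the output folder from the config and fail early if it is unusable. */
    static Path outputDir(Properties props) {
        String dir = props.getProperty(OUTPUT_DIR_KEY);
        if (dir == null || dir.trim().isEmpty()) {
            throw new IllegalStateException("Missing " + OUTPUT_DIR_KEY);
        }
        Path path = Paths.get(dir).toAbsolutePath().normalize();
        if (!Files.isDirectory(path)) {
            throw new IllegalStateException("Not a directory: " + path);
        }
        return path;
    }

    /**
     * Resolve a report file name inside the output folder. The check is
     * lexical (normalize + startsWith); it does not follow symbolic links.
     */
    static Path resolveOutput(Path outputDir, String fileName) {
        Path base = outputDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException("Outside output folder: " + fileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory stands in for the customer's location.
        Path site = Files.createTempDirectory("site-config");
        Path reports = Files.createDirectories(site.resolve("reports"));
        Path cfg = site.resolve("config.properties");
        Properties sample = new Properties();
        sample.setProperty(OUTPUT_DIR_KEY, reports.toString());
        // store() escapes backslashes, so Windows paths survive the round trip.
        try (OutputStream os = Files.newOutputStream(cfg)) {
            sample.store(os, "constructed sample");
        }
        System.setProperty(CONFIG_PROPERTY, cfg.toString());

        Path out = outputDir(load(locateConfig()));
        System.out.println("accepted: " + resolveOutput(out, "q1-report.pdf"));
        try {
            resolveOutput(out, "../config.properties");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```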



Re: Websocket client with SSL and authentication

2017-03-10 Thread Christopher Schultz

To whom it may concern.

On 3/9/17 8:41 PM, radiatejava wrote:
> Tomcat team, I have few questions on websocket:
> 
> 1. I am looking for Java websocket client sample code that uses
> basic (user) auth.

AIUI, you'll have to authenticate using standard HTTP
WWW-Authenticate, and *then* upgrade your connection to WebSocket.

> 2. Is there any sample code for how to put in SSL (keystore and 
> truststore) websocket client ?

https://bz.apache.org/bugzilla/show_bug.cgi?id=55801

Specify an SSLContext in your user properties:

http://tomcat.apache.org/tomcat-8.0-doc/web-socket-howto.html#Tomcat_WebSocket_specific_configuration

- -chris



RE: get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread KARR, DAVID
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, March 10, 2017 9:42 AM
> To: Tomcat Users List 
> Subject: Re: get NPE from NamingContextListener in app moved from TomEE
> to Tomcat
> 
> On 10/03/2017 17:39, KARR, DAVID wrote:
> > I have a CXF/REST/Spring/JDBC app running in TomEE (7.0.1).  I've
> > decided to try to move it to Tomcat (8.5.11) because of some classloader
> > conflicts (CXF classes) I'm now seeing in trying to add some new code to
> > the app.
> >
> > Initially, I'm just running the server in Eclipse.
> >
> > When I add the apps to Tomcat and start it up, without changing the
> > server conf, it starts up, but it fails to find my JNDI resources
> > (obviously).
> >
> > I have the following DataSource definition in the "tomee.xml" file in
> > TomEE, which is working fine:
> > --
> >   
> > testOnBorrow = true
> > testOnReturn = true
> > testWhileIdle = true
> > logValidationErrors = true
> > validationQuery = select 1 from dual
> > JdbcDriver = oracle.jdbc.OracleDriver
> > InitialSize = 2
> > MaxActive = 2
> > MinIdle = 2
> > MaxIdle = 2
> > JdbcUrl = ...
> > UserName = ...
> > Password = ...
> >   
> > -
> >
> > When I attempt to add this Resource definition to the "context.xml"
> > file in Tomcat 8.5.11, I see errors like the following, and Tomcat fails
> > to start up:
> > 
> > Caused by: java.lang.NullPointerException
> > at java.util.StringTokenizer.(StringTokenizer.java:199)
> > at java.util.StringTokenizer.(StringTokenizer.java:221)
> > at org.apache.catalina.core.NamingContextListener.createSubcontexts(NamingContextListener.java:1300)
> > at org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1081)
> > at org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:661)
> > at org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:249)
> > -
> >
> > I've tried converting the Resource definition to look more "normal",
> > but nothing I've tried makes any difference.  This is the current state
> > of it:
> > --
> >  auth="Container"
> 
> name="jdbc/tst36" not id=...

That was it, thanks.





Re: JMX currentThreadsBusy less than connections/requests when use APR connector

2017-03-10 Thread Christopher Schultz

Linbo,

On 3/9/17 7:31 PM, linbo liao wrote:
> 1、The load-generating vm has 2 cores.

With only 2 cores, you can only actually do 2 things at once. Perhaps
you need more load-generating computers.

> 2、Can I use currentThreadsBusy to monitor the performance of Tomcat
> using APR connector?

Yes, you can use that with any connector. The threads are Java
threads. Only the underlying file descriptors are being managed by APR
versus Java's BIO/NIO/2 stream managers.

- -chris

> 2017-03-10 0:42 GMT+08:00 Christopher Schultz
>  :
> 
> Linbo,
> 
> On 3/8/17 8:13 PM, linbo liao wrote:
 Here is the Connector configuration:
 
 >>> protocol="org.apache.coyote.http11.Http11AprProtocol" 
 maxHttpHeaderSize="8192" maxThreads="400"
 acceptorThreadCount="4" maxKeepAliveRequests="-1"
 enableLookups="false" disableUploadTimeout="true"
 connectionTimeout="2" />
 
 I use wrk, the currentThreadsBusy is higher than the value in
 ab testing, but most of time is less than 40.
 
 ./wrk -t100 -c 100 -d 10s http://10.211.55.4:8080/
> 
> I've never used wrk. How many CPU cores does your load-generating 
> computer have?
> 
 For APR connector, will it get one thread from the poll to
 deal with each request?
> 
> For both NIO/2 and APR, you'll have one accepter thread (4 in your 
> case) and one poller thread for many (400 in your case) 
> request-processing threads.
> 
> It's possible that your server is handling the requests fast
> enough that they never pile-up enough to use more than 40 threads.
> 
> Congratulations: you can handle the load you are putting on the
> server. :)
> 
> -chris
> 
 2017-03-08 22:45 GMT+08:00 Christopher Schultz 
  :
 
 Linbo,
 
 On 3/7/17 10:14 PM, linbo liao wrote:
>>> I setup local environment to test Tomcat monitor.
>>> 
>>> The Environment:
>>> 
>>> Tomcat: 8.5.5 VM: Ubuntu 14.04.1 LTS HTTP PORT: 8080
>>> IP: 10.211.55.4
>>> 
>>> Tomcat use APR connector, I test the tomcat via ab
>>> command, find JMX currentThreadsBusy < 10 all of the
>>> time.
>>> 
>>> ab -n 10 -c 100 10.211.55.4:8080/
 
>>> 
>>> I tried to search the reason but without the result.
>>> For BIO each thread to handle one connection, so
>>> currentThreadsBusy can show the performance of tomcat.
>>> 
>>> But for APR connector, what's the meaning of 
>>> currentThreadsBusy?
 
 Please post your  configuration.
 
 It seems that ab isn't a very good load-generator for
 several reasons. But you should be able to get more than Java
 10 threads working at a time.
 
 You are probably expecting ~100 threads busy at all times,
 right?
 
 -chris
> 



Moved app from TomEE to Tomcat, now getting Spring errors failing to go through proxy for XML validation

2017-03-10 Thread KARR, DAVID
I have an app using CXF/REST/Spring/JDBC that is working pretty well in TomEE 
(7.0.1).  I'm trying to move it to Tomcat (8.5.11) because it doesn't need to 
be in TomEE, and I'm having problems adding additional features due to aspects 
of TomEE.

I'm first testing the port by running Tomcat in Eclipse.  I had previously 
verified that the app works fine in the same environment when running in TomEE.

I moved all of my Resource and Environment entries to the Tomcat context.xml 
file.

When I start it up, I'm seeing errors like the following:
---
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 
in XML document from ServletContext resource [/WEB-INF/applicationContext.xml] 
is invalid; nested exception is org.xml.sax.SAXParseException; systemId: 
http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The markup in the 
document preceding the root element must be well-formed.
at 
org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:399)
...
Caused by: org.xml.sax.SAXParseException; systemId: 
http://.../ProxyWarning.html; lineNumber: 1; columnNumber: 3; The markup in the 
document preceding the root element must be well-formed.
at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
---

That URL that I've elided is the page we see in our enterprise when we try to 
reach the internet without going through our proxy.

So, this app that was working fine in TomEE now is getting this proxy error 
when it runs in Tomcat.  Any ideas what I might be missing?




RE: getRealPath is a bad idea?

2017-03-10 Thread Berneburg, Cris J. - US
Chuck

>> How do you all configure the location of a special folder that is not 
>> part of the deployment package itself?  A site-specific config file perhaps?
>
> Take a look at this:
> http://tomcat.apache.org/tomcat-8.5-doc/config/resources.html
>
> A  element within  allows specification of areas outside
> of the Tomcat deployment that the webapp can access via ServletContext
> .getResource() or getResourceAsStream().

Thanks for pointing that out.  Hmm...  It looks like getResourceAsStream might 
work.  We use a library to process the files.  Currently we supply it with a 
java.io.File as an input source, but the library also can accept a 
java.io.InputStream for input too.

--
Cris Berneburg
CACI Lead Software Engineer





Re: get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread Mark Thomas
On 10/03/2017 17:39, KARR, DAVID wrote:
> I have a CXF/REST/Spring/JDBC app running in TomEE (7.0.1).  I've decided to 
> try to move it to Tomcat (8.5.11) because of some classloader conflicts (CXF 
> classes) I'm now seeing in trying to add some new code to the app.
> 
> Initially, I'm just running the server in Eclipse.
> 
> When I add the apps to Tomcat and start it up, without changing the server 
> conf, it starts up, but it fails to find my JNDI resources (obviously).
> 
> I have the following DataSource definition in the "tomee.xml" file in TomEE, 
> which is working fine:
> --
>   
> testOnBorrow = true
> testOnReturn = true
> testWhileIdle = true
> logValidationErrors = true
> validationQuery = select 1 from dual
> JdbcDriver = oracle.jdbc.OracleDriver
> InitialSize = 2
> MaxActive = 2
> MinIdle = 2
> MaxIdle = 2 
> JdbcUrl = ...
> UserName = ...
> Password = ...
>   
> -
> 
> When I attempt to add this Resource definition to the "context.xml" file in 
> Tomcat 8.5.11, I see errors like the following, and Tomcat fails to start up:
> 
> Caused by: java.lang.NullPointerException
>   at java.util.StringTokenizer.(StringTokenizer.java:199)
>   at java.util.StringTokenizer.(StringTokenizer.java:221)
>   at 
> org.apache.catalina.core.NamingContextListener.createSubcontexts(NamingContextListener.java:1300)
>   at 
> org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1081)
>   at 
> org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:661)
>   at 
> org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:249)
> -
> 
> I've tried converting the Resource definition to look more "normal", but 
> nothing I've tried makes any difference.  This is the current state of it:
> --
>testOnBorrow="true" testOnReturn="true" testWhileIdle="true"
>   logValidationErrors="true" validationQuery="select 1 from dual"
>   JdbcDriver="oracle.jdbc.OracleDriver"
>   InitialSize="2" MaxActive="2" MinIdle="2" MaxIdle="2"
>   JdbcUrl="..."
>   UserName="..." Password="...">
> 
> --
> 



Re: Required changes to move an app from TomEE 7.0.1 to Tomcat 8.5.11

2017-03-10 Thread Mark Thomas
On 10/03/2017 16:29, KARR, DAVID wrote:
> I'm currently running a somewhat simple CXF/REST/Spring app in TomEE
> 7.0.1.  It uses the CXF libraries in WEB-INF/lib, not in the
> container.  It uses a couple of Environment strings, and some
> DataSource resources, all of which it gets from JNDI.
> 
> I'm considering moving this app from TomEE to Tomcat, because as far
> as I can see, I don't need anything that TomEE provides over Tomcat,
> and I'm also running into classloader conflicts now that I've added
> more code using CXF pieces that I haven't used before.  I'm pursuing
> those issues with the TomEE team (ok, Romain), as I'd like to get
> these issues resolved now that I've run into them, but I have to
> consider alternative strategies if it's going to take too long to get
> them resolved.
> 
> If I attempt to port this to Tomcat, I'm guessing all of the required
> changes will be in "conf".  It appears that in TomEE, I define
> DataSource Resources in "tomee.xml" and environment strings (and
> other things) in "Context.xml", but in Tomcat I define all of those
> in "Context.xml".  I assume that's correct?

It is context.xml (case matters) but otherwise correct.

> I also need to understand if there are any syntax differences between
> the "Resource" entries I define in "tomee.xml" and the similar ones I
> define in "Context.xml" in Tomcat.

Almost certainly since these are container specific configuration files.

> For instance, in my DataSource Resources in TomEE, I set the "type"
> to "DataSource", although I see in the Tomcat example it uses
> "javax.sql.DataSource".  Will both of these work in Tomcat?

No. Tomcat expects the full class name.

>  In my
> current app, I also define the other DataSource properties in the
> "body" of the "Resource" element, like "key = value", one on each
> line.  In the Tomcat example, they are set as traditional XML
> attributes.  I would also guess that both of these strategies would
> work in Tomcat, correct?

No. Tomcat requires the XML format.

> I also have to determine what the required "JNDI prefix" is for
> Tomcat.  Presently, in my TomEE app, I don't need a prefix for the
> environment entries, but I need to prefix my datasource JNDI names
> with "openejb:Resource/".  What will I need to prefix my JNDI
> references with in Tomcat?

java:comp/env

Mark




get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread KARR, DAVID
I have a CXF/REST/Spring/JDBC app running in TomEE (7.0.1).  I've decided to 
try to move it to Tomcat (8.5.11) because of some classloader conflicts (CXF 
classes) I'm now seeing in trying to add some new code to the app.

Initially, I'm just running the server in Eclipse.

When I add the apps to Tomcat and start it up, without changing the server 
conf, it starts up, but it fails to find my JNDI resources (obviously).

I have the following DataSource definition in the "tomee.xml" file in TomEE, 
which is working fine:
--
  
testOnBorrow = true
testOnReturn = true
testWhileIdle = true
logValidationErrors = true
validationQuery = select 1 from dual
JdbcDriver = oracle.jdbc.OracleDriver
InitialSize = 2
MaxActive = 2
MinIdle = 2
MaxIdle = 2 
JdbcUrl = ...
UserName = ...
Password = ...
  
-

When I attempt to add this Resource definition to the "context.xml" file in 
Tomcat 8.5.11, I see errors like the following, and Tomcat fails to start up:

Caused by: java.lang.NullPointerException
at java.util.StringTokenizer.(StringTokenizer.java:199)
at java.util.StringTokenizer.(StringTokenizer.java:221)
at 
org.apache.catalina.core.NamingContextListener.createSubcontexts(NamingContextListener.java:1300)
at 
org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1081)
at 
org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:661)
at 
org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:249)
-

I've tried converting the Resource definition to look more "normal", but 
nothing I've tried makes any difference.  This is the current state of it:
--


--

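A lint for the points raised in this post and in Mark Thomas's reply in the "Required changes" thread, as an added example that is not Tomcat or TomEE code: it flags a Resource with no name attribute (the null name behind the NPE in NamingContextListener.createSubcontexts), a type that is not a full class name, and "key = value" properties in the element body. The class name ContextXmlResourceLint, the sample XML and its auth, driverClassName and maxTotal attributes are assumptions not taken from the posts.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example (not Tomcat or TomEE code): lint <Resource> elements in a
// Tomcat context.xml for settings carried over unchanged from tomee.xml.
public class ContextXmlResourceLint {

    // Constructed sample. Resource #1 is TomEE style, Resource #2 is Tomcat style.
    static final String SAMPLE = String.join("\n",
        "<Context>",
        "  <Resource id=\"jdbc/tst36\" type=\"DataSource\">",
        "    JdbcDriver = oracle.jdbc.OracleDriver",
        "    MaxActive = 2",
        "  </Resource>",
        "  <Resource name=\"jdbc/tst36\" auth=\"Container\"",
        "            type=\"javax.sql.DataSource\"",
        "            driverClassName=\"oracle.jdbc.OracleDriver\" maxTotal=\"2\"/>",
        "</Context>");

    // Parse without DOCTYPEs or entity expansion: the file is configuration,
    // and the parser should never fetch anything it references.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // The name in context.xml is relative; the webapp looks it up under java:comp/env.
    static String lookupName(String resourceName) {
        return "java:comp/env/" + resourceName;
    }

    static List<String> lint(String xml) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList resources = parse(xml).getElementsByTagName("Resource");
        for (int i = 0; i < resources.getLength(); i++) {
            Element r = (Element) resources.item(i);
            String label = "Resource #" + (i + 1);

            // getAttribute returns "" when the attribute is absent.
            String name = r.getAttribute("name");
            if (name.isEmpty()) {
                String hint = r.hasAttribute("id")
                    ? " (found id=\"" + r.getAttribute("id") + "\"; Tomcat reads name=)" : "";
                findings.add(label + ": missing name attribute" + hint);
            } else if (name.startsWith("openejb:") || name.startsWith("java:")) {
                findings.add(label + ": name \"" + name + "\" should not carry a JNDI prefix");
            }

            // Heuristic: a fully qualified class name contains at least one dot.
            String type = r.getAttribute("type");
            if (!type.contains(".")) {
                findings.add(label + ": type \"" + type + "\" is not a full class name");
            }

            // TomEE accepts key = value lines in the element body; Tomcat needs attributes.
            if (!r.getTextContent().trim().isEmpty()) {
                findings.add(label + ": properties in element body, use XML attributes");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : lint(SAMPLE)) {
            System.out.println(finding);
        }
        System.out.println("lookup: " + lookupName("jdbc/tst36"));
    }
}
```

Run against the constructed sample, only the first Resource produces findings; the second is in the form Tomcat accepts.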



Re: Tomcat 8.0.x series roadmap

2017-03-10 Thread Mark Thomas
On 10/03/2017 16:21, KK Gupta wrote:
> Hi All,
> 
> Our product uses Tomcat 8.0.x series and we recently upgraded to tomcat
> 8.0.41 in our product.
> 
> http://tomcat.apache.org/whichversion.html shows 8.0.41 as superseded.
> So, I wanted to understand whether 8.0.x line is actively being maintained
> or not?

For now, yes but the expectation is users will move to 8.5.x sooner
rather than later.

> We are primarily concerned about security vulnerability fixes and need to
> understand how long those would continue to be delivered on 8.0.x series.

The initial plan was that these would have stopped already. The most
likely scenario at the moment is that 8.0.x moves to a 3 to 6 monthly
release cycle but that depends on there being a release manager to do
the releases.

> Moving to 8.5.x requires significant efforts from our side and thus trying
> to understand pros and cons of remaining on 8.0.x line.

Why so much work? 8.0.x to 8.5.x should be a fairly smooth upgrade. If
there are problems it would help to know what they are.

Mark




Required changes to move an app from TomEE 7.0.1 to Tomcat 8.5.11

2017-03-10 Thread KARR, DAVID
I'm currently running a somewhat simple CXF/REST/Spring app in TomEE 7.0.1.  It 
uses the CXF libraries in WEB-INF/lib, not in the container.  It uses a couple 
of Environment strings, and some DataSource resources, all of which it gets 
from JNDI.

I'm considering moving this app from TomEE to Tomcat, because as far as I can 
see, I don't need anything that TomEE provides over Tomcat, and I'm also 
running into classloader conflicts now that I've added more code using CXF 
pieces that I haven't used before.  I'm pursuing those issues with the TomEE 
team (ok, Romain), as I'd like to get these issues resolved now that I've run 
into them, but I have to consider alternative strategies if it's going to take 
too long to get them resolved.

If I attempt to port this to Tomcat, I'm guessing all of the required changes 
will be in "conf".  It appears that in TomEE, I define DataSource Resources in 
"tomee.xml" and environment strings (and other things) in "Context.xml", but in 
Tomcat I define all of those in "Context.xml".  I assume that's correct?

I also need to understand if there are any syntax differences between the 
"Resource" entries I define in "tomee.xml" and the similar ones I define in 
"Context.xml" in Tomcat.

For instance, in my DataSource Resources in TomEE, I set the "type" to 
"DataSource", although I see in the Tomcat example it uses 
"javax.sql.DataSource".  Will both of these work in Tomcat?  In my current app, 
I also define the other DataSource properties in the "body" of the "Resource" 
element, like "key = value", one on each line.  In the Tomcat example, they are 
set as traditional XML attributes.  I would also guess that both of these 
strategies would work in Tomcat, correct?

I also have to determine what the required "JNDI prefix" is for Tomcat.  
Presently, in my TomEE app, I don't need a prefix for the environment entries, 
but I need to prefix my datasource JNDI names with "openejb:Resource/".  What 
will I need to prefix my JNDI references with in Tomcat?




Tomcat 8.0.x series roadmap

2017-03-10 Thread KK Gupta
Hi All,

Our product uses Tomcat 8.0.x series and we recently upgraded to tomcat
8.0.41 in our product.

http://tomcat.apache.org/whichversion.html shows 8.0.41 as superseded.
So, I wanted to understand whether 8.0.x line is actively being maintained
or not?

We are primarily concerned about security vulnerability fixes and need to
understand how long those would continue to be delivered on 8.0.x series.

Moving to 8.5.x requires significant efforts from our side and thus trying
to understand pros and cons of remaining on 8.0.x line.

Thanks,
KK


Re: Tomcat 7 installation on Sun Solaris 10

2017-03-10 Thread Mark Thomas
On 10/03/17 14:07, Subhro Paul wrote:
> Hi All,
> 
> We need to install tomcat 7.0.68 or higher version on Sun Solaris 10. Can you 
> let me know if there is any version compatibility matrix for Tomcat 7 ?

http://tomcat.apache.org/whichversion.html

The OS doesn't matter. What matters is the Java version available.

Mark






Tomcat 7 installation on Sun Solaris 10

2017-03-10 Thread Subhro Paul
Hi All,

We need to install tomcat 7.0.68 or higher version on Sun Solaris 10. Can you 
let me know if there is any version compatibility matrix for Tomcat 7 ?


Thanks & Regards
Subhro Paul
Tata Consultancy Services
Website: http://www.tcs.com





Re: Logging TLS Session Failures

2017-03-10 Thread Durga Srinivasu Karuturi
Thanks,

Will explore JSSE options.

On Thu, Mar 9, 2017 at 7:18 PM, Jammy Chen  wrote:

> If you are using JSSE which you mentioned in earlier post, you probably can
> only enable debug for all or specially one
> -Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake - but it
> will log all sessions
>
> You could try to register a customized SSL socket factory in JSSE, you may
> extend the default sun impl to overwrite the method, catch the exception
> and log the failure, and throw it.
>
> 2017-03-09 20:04 GMT+08:00 Durga Srinivasu Karuturi <
> durgasriniv...@gmail.com>:
>
> > Our application meaning on RHEL machine within JVM with embedded tomcat
> > (with single web-app)
> >
> > Okay, tomcat may not have this information on handshake failures.
> >
> > I need to see little higher level for capturing these failures.
> >
> > Thanks for answers so far.
> >
> > Thanks,
> > Durga Srinivasu
> >
> > On Thu, Mar 9, 2017 at 3:44 PM, André Warnier (tomcat) 
> > wrote:
> >
> > > On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:
> > >
> > >> This is one of the requirement from FIPS/CC certification.
> > >>
> > >> Thanks,
> > >> Durga Srinivasu
> > >>
> > >>
> > > Durga,
> > >
> > > I believe that in your original post, you said :
> > > "We have a requirement in our application to log all TLS session
> > failures."
> > >
> > > You should probably have another look at the precise requirements, and
> the
> > > exact definition of "our application".
> > > Because it may be that the requirements are wrong, as far as you are
> > > concerned.
> > >
> > > It depends on what is included in "our application".
> > > In the java servlet container (like Tomcat) terminology, an
> "application"
> > > is a webapp.
> > > A webapp runs inside a servlet container.
> > > The servlet container (here Tomcat) runs inside a java JVM.
> > > The java JVM runs inside an OS.
> > > The OS runs inside a host.
> > >
> > > In that hierarchy, a webapp only sees a request, when the servlet
> > > container has received this request on one of its ports, and
> "delegates"
> > > the request to the webapp.
> > > By that time, the webapp does not even know through which interface the
> > > request came in, nor if that interface required HTTP, HTTPS or whatever
> > > other communications protocol.
> > > And if a TLS connection from a browser failed, the webapp is not even
> > > called, so it does not know anything about it.
> > > Of course the webapp cannot log a failure, if it is never called when
> > that
> > > failure happens.
> > >
> > > To move one level up : if a TLS connection from a browser fails, Tomcat
> > > probably never even sees that (because the connection never reaches
> > > Tomcat). So Tomcat cannot log this failure either. Tomcat is just
> telling
> > > some underlying layer of software (in the JVM, in the OS, or in some
> > > external library), what kind of connections to accept. But it does  not
> > > manage these connections, it just "gets" a connection when it succeeds.
> > >
> > > So if you (your team, your company) is responsible for providing the
> > whole
> > > service, including the host, the OS, the JVM, the servlet container,
> and
> > > the webapp inside it, then the requirement may make sense. And then you
> > > have to look for the component, at the right level, which can provide
> > that
> > > information. (But it is not the webapp, and it is not Tomcat).
> > >
> > > At the other extreme, if you are providing only the web application,
> then
> > > the requirement does not make sense /for you/, because it is
> impossible.
> > > It is not that it does not make sense in general, but "as part of the
> > > webapp" it does not make sense.
> > >
> > > And that is what Christopher is also telling you (in a lot less words).
> > >
> > >
> > >
> > > On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
> > >> ch...@christopherschultz.net> wrote:
> > >>
> > >> -BEGIN PGP SIGNED MESSAGE-
> > >>> Hash: SHA256
> > >>>
> > >>> Durga,
> > >>>
> > >>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
> > >>>
> >  We are using JSSE only not APR. Looking for handshake failures.
> > 
> >  Yes, using JSSE SSL debug, we are able to get all handshake
> >  (-Djavax.net.debug=ssl:handshake) logs including success cases.
> >  These are still quite bit expense logs and meant for debug
> >  purposes. As you said it might impact performance that's the
> >  reason, trying for any other optimal solution here.
> > 
> > >>>
> > >>> I know of no way to be notified about handshake failures on the
> server
> > >>> side. You may not be able to fulfill this requirement if using Java
> > >>> for your crypto.
> > >>>
> > >>> Honestly, I'm not sure why you care about failed TLS handshakes. Are
> > >>> you trying to implement a NIDS in your application? This is
> > >>> better-handled by a network component specifically-designed for this
> > >>> kind of thing.
> > >>>
> > >>> 

Re: How to restrict access to specific webapp + denyStatus

2017-03-10 Thread Diego Gomes
Ohh, I see now! Thanks Mark and André!

I'll plan to upgrade it!

Diego

On 10 Mar 2017, at 07:10, André Warnier (tomcat)  wrote:

> On 10.03.2017 11:04, Diego Gomes wrote:
> Thanks Mark!
> 
> That link just says that it is possible, but does not say how to get 404 and not 
> 403.

No, what that link says, is that the denyStatus feature was only introduced in 
a later version of tomcat 7, than the one you are using.
You should at least upgrade to the latest available tomcat 7 version, and 
preferably to the latest available tomcat version.
See here :
http://tomcat.apache.org/whichversion.html


> 
> Diego
> 
> On 10 Mar 2017, at 06:17, Mark Thomas  wrote:
> 
> On 09/03/17 23:51, Diego Gomes wrote:
> 
> 
> 
>> My questions:
>> 
>> - For the first statement, that configuration I did (Student.xml) is
>> the correct way?
> 
> Yes.
> 
>> - Why the 404 denyStatus is not working?
>> 
>> I am running tomcat 7.0.11
> 
> http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?view=log
> 
> Search for "denyStatus"
> 
> Mark
> 
> 



Re: How to restrict access to specific webapp + denyStatus

2017-03-10 Thread tomcat

On 10.03.2017 11:04, Diego Gomes wrote:

Thanks Mark!

That link just says that it is possible, but does not say how to get 404 and not 
403.


No, what that link says, is that the denyStatus feature was only introduced in a later 
version of tomcat 7, than the one you are using.
You should at least upgrade to the latest available tomcat 7 version, and preferably to 
the latest available tomcat version.

See here :
http://tomcat.apache.org/whichversion.html




Diego

On 10 Mar 2017, at 06:17, Mark Thomas  wrote:

On 09/03/17 23:51, Diego Gomes wrote:




My questions:

- For the first statement, that configuration I did (Student.xml) is
the correct way?


Yes.


- Why the 404 denyStatus is not working?

I am running tomcat 7.0.11


http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?view=log

Search for "denyStatus"

Mark





Re: How to restrict access to specific webapp + denyStatus

2017-03-10 Thread Diego Gomes
Thanks Mark!

That link just says that it is possible, but does not say how to get 404 and not 
403.

Diego

On 10 Mar 2017, at 06:17, Mark Thomas  wrote:

On 09/03/17 23:51, Diego Gomes wrote:



> My questions:
> 
> - For the first statement, that configuration I did (Student.xml) is
> the correct way?

Yes.

> - Why the 404 denyStatus is not working?
> 
> I am running tomcat 7.0.11

http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?view=log

Search for "denyStatus"

Mark





Re: What is the correct way to use scanManifest

2017-03-10 Thread Mark Thomas
On 10/03/17 00:14, Hoa Phan wrote:
> looks like I can't overwrite the webapp context.xml with tomcat
> context.xml. I have no control over the WAR file until tomcat deployed it :(

I have confirmed (via remote debugging) that using


   ...
   


in $CATALINA_BASE/conf/context.xml disables manifest processing.


> If I try to use tomcat server.xml and add
> 
> 
>   
> 
> 
> 
> inside  it somehow breaks the webapp.

That is expected. The above snippet is invalid in server.xml.

> Is there any other way for me to set this scanmanifest to false.

You need to figure out what you are doing wrong with conf/context.xml

Mark


> 
> Says if I took all the jars that I saw reported as
> WARNING: Failed to scan...
> java.io.FileNotFoundException: .../common/lib/jonas_timer.jar (No such file
> or directory)
> 
> And append them to:
> tomcat.util.scan.StandardJarScanFilter.jarsToSkip
> 
> in catalina.properties, would that help ?
> 
> On Fri, Mar 10, 2017 at 10:33 AM, Mark Thomas  wrote:
> 
>> On 09/03/17 21:38, Hoa Phan wrote:
>>> I'll try that and see how it goes, thanks Mark. Btw, when I was
>> debugging I
>>> couldn't find where this method get called at all:
>>> public void setScanManifest(boolean scanManifest) {
>>> this.scanManifest = scanManifest;
>>> }
>>>
>>> This props default to true:
>>> private boolean scanManifest = true;
>>>
>>> And the StandardJarScanner always been constructed like:
>>> jarScanner = new StandardJarScanner();
>>>
>>> How would scanManifest ever be set to false...
>>
>> Via the digester when processing server.xml or context.xml. Take a look
>> at org.apache.catalina.startup.ContextRuleSet
>>
>> Mark
>>
>>
>>>
>>> Regards,
>>>
>>> Hoa Phan.
>>>
>>>
>>>
>>>
>>> On Fri, Mar 10, 2017 at 6:44 AM, Mark Thomas  wrote:
>>>
 On 09/03/17 13:15, Hoa Phan wrote:
> Hi,
>
> I see that since 8.0.38 we added a scanManifest props to JarScanner.
> But when I added the props
> into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml
> 
> 
> WEB-INF/web.xml
> ${catalina.base}/conf/web.xml
>
> 
> 
>
> 
> 
> 
>
> It doesn't work and the prop is still true on startup:

 Hmm. That should work. Are you sure that file is being read at startup?
 One way to check is to deliberately break it and see what happens.

 Mark


>
> ​
> Must I put this in the context.xml of the webapp itself. I deploy the
> webapp via a war file and have no control over the war content until
> tomcat deploys it which is too late...
>
> Is there any other way for me to turn this off using global config of
> tomcat.
>
> Thanks much.
>
> Regards,
>
> Hoa Phan
>
>




>>>
>>
>>
>>
>>
> 





Re: How to restrict access to specific webapp + denyStatus

2017-03-10 Thread Mark Thomas
On 09/03/17 23:51, Diego Gomes wrote:



> My questions:
> 
>  - For the first statement, that configuration I did (Student.xml) is
> the correct way?

Yes.

>  - Why the 404 denyStatus is not working?
> 
> I am running tomcat 7.0.11

http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?view=log

Search for "denyStatus"

Mark





Re: Websocket client with SSL and authentication

2017-03-10 Thread Ludovic Pénet

On 10/03/2017 02:41, radiatejava wrote:

Tomcat team, I have few questions on websocket:

Hi.

I am not a member of the Tomcat team, but I will try to give you some 
answer or hints...


[...]


2. Is there any sample code for how to put in SSL (keystore and
truststore) websocket client ?

You should set that up at the JVM level, IMHO.

If you really want to do that specifically for the WS client, you can see

https://github.com/apache/tomcat/blob/trunk/test/org/apache/tomcat/websocket/TestWebSocketFrameClientSSL.java


3. I want to create a websocket client within the Tomcat jvm. I know
there is an example TestWebSocketFrameClientSSL.java as part of Tomcat
project but wanted to know if that is the only way to create a
websocket. For example, if I have other websocket implementation
libraries in my tomcat server lib folder, how do I ensure I get the
implementation I want ? Which websocket implementation will I get when
I do : ContainerProvider.getWebSocketContainer();

I had a similar problem, as I use both Tyrus and Tomcat WS clients.

The implementation returned by

ContainerProvider.getWebSocketContainer()

was undefined. Sometimes Tyrus, sometimes Tomcat.

So, I instantiate the specific type of each lib to be sure of what I 
get. For Tomcat WS client, this is :


WebSocketContainer container = new WsWebSocketContainer();

Hope this helps,

Ludovic
