RE: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Shaik, Mohammad N.
Hi Chris,

My actual requirement was to implement 7 HTTP headers, out of which 4 are
implemented in "HttpHeaderSecurityFilter". The remaining 3 headers
(Content-Security-Policy, Public-Key-Pins, X-Robots-Tag) are not addressed in
any of the filters available in Tomcat 7, 8 & 9 versions.

Is there any way that we can implement these 3 headers in Tomcat?


Regards,
Mohammad

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 01 June 2017 19:59
To: users@tomcat.apache.org
Subject: Re: [External] Re: Security Headers Implementation in Tomcat 6.x 
version

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be the name of the new JAR file that I would create for the
> Filter classes?

It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these JAR
> files have any significance?

Not really.

> My understanding is that as long as you have your code (.class
> files) present in any of the JAR files under the "lib" folder, the system
> would get it. You don't need to have specific-named JAR files having
> specific-named .class files. The .class files from all the jar files
> under the lib folder are considered as one big collection, and based on the
> invoked classname its corresponding .class file gets executed from
> that big code. Multiple JAR files with different names are set up just
> for logical classification of classes. Please correct me if this is
> not right.

You are correct. There are problems if the same class exists in two separate 
JAR files, but that should not be a problem in the standard Tomcat 
installation, plus the JAR file that has a few (unique) classes from Tomcat 7 
in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
>
> Mohammad,
>
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains executable
>> code of filter classes (security headers), and put them into
>> corresponding location in Tomcat 6?
>
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure you
> have all of them.
>
> So, basically, create a new JAR file that contains only those Filter
> classes (don't forget any inner classes that might be found in
> separate .class files).
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
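One way to supply the three headers the question asks about, added here as an example (not code from the thread or from Tomcat itself): a servlet Filter, packaged in its own JAR like the filter classes discussed above and registered in web.xml. It assumes only the Servlet 2.5+ API that Tomcat 6 and later ship; the init-param names and the web.xml values are constructed placeholders.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets the three headers that HttpHeaderSecurityFilter does not cover.
 * Each value comes from a filter init-param, so the policy lives in
 * web.xml (one application) or conf/web.xml (every application), not in
 * code; a header whose init-param is missing or blank is not sent at all.
 */
public class ExtraSecurityHeadersFilter implements Filter {

    private String contentSecurityPolicy;
    private String publicKeyPins;   // HPKP: browsers have since dropped support for it
    private String robotsTag;

    @Override
    public void init(FilterConfig config) {
        contentSecurityPolicy = trimToNull(config.getInitParameter("contentSecurityPolicy"));
        publicKeyPins = trimToNull(config.getInitParameter("publicKeyPins"));
        robotsTag = trimToNull(config.getInitParameter("robotsTag"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers go on before the chain runs, so they are present when the
            // response is committed. setHeader (not addHeader) means that if the
            // filter runs twice for one response (e.g. it is also mapped to
            // FORWARD dispatches) the policy is replaced, never duplicated.
            if (contentSecurityPolicy != null) {
                http.setHeader("Content-Security-Policy", contentSecurityPolicy);
            }
            if (publicKeyPins != null) {
                http.setHeader("Public-Key-Pins", publicKeyPins);
            }
            if (robotsTag != null) {
                http.setHeader("X-Robots-Tag", robotsTag);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Treats a missing or whitespace-only init-param as "header not configured". */
    static String trimToNull(String value) {
        if (value == null) {
            return null;
        }
        String trimmed = value.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }
}

// Constructed web.xml registration (placeholder values; replace them with
// the policy that fits the real site):
//
// <filter>
//   <filter-name>extraSecurityHeaders</filter-name>
//   <filter-class>ExtraSecurityHeadersFilter</filter-class>
//   <init-param>
//     <param-name>contentSecurityPolicy</param-name>
//     <param-value>default-src 'self'; frame-ancestors 'none'</param-value>
//   </init-param>
//   <init-param>
//     <param-name>robotsTag</param-name>
//     <param-value>noindex, nofollow</param-value>
//   </init-param>
// </filter>
// <filter-mapping>
//   <filter-name>extraSecurityHeaders</filter-name>
//   <url-pattern>/*</url-pattern>
// </filter-mapping>
```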





Re: Tomcat 7 antivirus exclusions, firewall exclusions?

2017-06-01 Thread Kerry Hazelton
Awesome, this will point me in the right direction on where to look and how
to get this deployed.  Thanks!

On Thu, Jun 1, 2017 at 11:55 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Kerry,
>
> On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> > I am attempting to deploy a managed antivirus agent to two
> > different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> > the other runs Microsoft Windows 2012 R2 - and both are hosting web
> > pages served up by Apache Tomcat 7.0.78.  What I’d like to know is
> > which processes/services, files and/or directories need to be
> > excluded from the antivirus scans to avoid any potential CPU or
> > memory utilization spikes (or worse, the AV console falsely
> > identifies a legit file as “malicious” and quarantines it).
>
> You can probably whitelist everything in the CATALINA_HOME and
> CATALINA_BASE directories, plus the JVM. But the JVM will probably
> only be scanned once on startup and the same thing is true of
> everything in CATALINA_HOME and CATALINA_BASE.
>
> If the server is being kept up-to-date, you may have to update the
> antivirus's settings because CATALINA_HOME and the JVM paths will
> likely change.
>
> > I’d also like to know which specific TCP/UDP ports will need to be
> > whitelisted to permit inbound and outbound traffic from our web
> > developer workstations, since their VLAN is segregated from the
> > rest of the network. I already know which ports to open on the
> > firewall to allow the antivirus agents to talk back to the console;
> > I just need to figure out the other ports to open.
>
> The ports will be dependent upon what the Tomcat administrator has
> configured in Tomcat. Unless there are some XML includes being used
> (which is fairly rare, but not unheard of), everything you need will
> be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:
>
> 
> ...where XXX is the port number being used. Check to see if there is
> an "address" attribute on the XML element: if there is one and it's
> something like "127.0.0.1" or "::" then you won't have to open a
> firewall port, of course.
>
> There may be more than one connector.
>
> My recommendation would be to speak to the Tomcat administrator(s) to
> find out what they expect to keep open.
>
> > Before I go any further, I’d like to stress the following:
> >
> > * I wasn’t the one who set up these servers; I was merely tasked
> > with getting the antivirus agents deployed on them.  The system
> > administrator who set these up doesn’t know which Linux processes,
> > Windows services, files or directories to exclude; as he left that
> > up to me to figure out.
>
> Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
> them to do their job. :(
>
> > * I have already contacted the AV vendor's support team, and they
> > have indicated they have no documentation that specifically covers
> > any version of Apache Tomcat.
>
> That's not terribly surprising.
>
> > * The last search on Google I used was “Apache Tomcat 7.x
> > antivirus exclusions” and I didn’t see any results that were
> > specific to my query. Same with “Apache Tomcat 7.x firewall
> > exclusions”.
> >
> > * I looked through the Information Security group on Stack Exchange
> > with the same queries as above, and again I didn’t see anything
> > promising nor specific to my queries.
> >
> > * I attempted to search the mailing list archives using the search
> > terms “antivirus exclusions” and “firewall permissions”; again, I
> > didn’t see any answers that were specific to my queries.
> >
> > * Yes, I’m aware of the risks involved by excluding specific
> > processes/services, files and directories.  I have tried to
> > convince the management of these risks but to no avail.  They have
> > agreed to accept them, along with any consequences that may occur.
>
> You should try to convince management that virus scanners are
> completely useless, and save yourself a whole lot of time and
> resources. Then you'll have one less thing to do. :)
>
> You could just let the antivirus do whatever it will do by default,
> and then open things up individually until things start working again.
>
> -chris

Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Tobias Soloschenko
Christopher,

> On 01.06.2017 at 16:33, Christopher Schultz wrote:
> 
> Tobias,
> 
>> On 6/1/17 3:53 AM, Tobias Soloschenko wrote:
>> a long time ago I tried out to install Apache Tomcat with HTTP/2
>> support on macOS. I finally got a short time window to complete a
>> developer quickstart guide for that:
> 
> Wouldn't this all be a lot easier if you used the NIO connector
> instead of APR? No XCode/OpenSSL/tcnative necessary.
> 
>> 1. Download XCode from the AppStore
>> 
>> 
>> 2. Install Brew: http://brew.sh/
>> 
>> 
>> 3. Download Apache Tomcat binaries > 8.5 http://tomcat.apache.org/
>> 
>> 
>> 4. Install APR and OPENSSL with “brew install openssl” and “brew
>> install apr”
>> 
>> 
>> 5. Create pem files in “apache-tomcat-8.5.15/conf” folder - use
>> “changeit” every time a password is going to be requested (The
>> commands can be executed separately or within a shell script):
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -des3 -out localhost-rsa-key 1024
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -out localhost-key 1024
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in localhost-rsa-key -out localhost-key
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl req -new -key localhost-key -out localhost-csr
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl x509 -req -days 365 -in localhost-csr -signkey localhost-key -out localhost-crt
>> 
>> cat localhost-key localhost-crt > localhost-rsa-cert.pem
>> 
>> cat localhost-rsa-cert.pem > localhost-rsa-chain.pem
>> 
>> cat localhost-rsa-key > localhost-rsa-key-mod.pem
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in localhost-rsa-key-mod.pem -out localhost-rsa-key.pem
>> 
>> 
>> 6. Uncomment the http/2 connector with protocol 
>> “org.apache.coyote.http11.Http11AprProtocol” in the 
>> "apache-tomcat-8.5.15/conf/server.xml"
>> 
>> 
>> 7. Tomcat native installation
>> 
>> Extract “apache-tomcat-8.5.15/bin/tomcat-native.tar.gz”
>> 
>> Go into folder
>> “apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native”
>> 
>> Run “./configure --with-apr=/usr/local/Cellar/apr/1.5.2_3/ --with-ssl=/usr/local/Cellar/openssl/1.0.2l”
>> 
>> Run “make”
>> 
>> 
>> 8. Create a setenv.sh file within the /bin folder and add
>> lines:
>> 
>> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs
>> 
>> JAVA_OPTS="-Djava.library.path=/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs"
>> 
>> 
>> 
>> 9. Start Server
>> 
>> 
>> * Note1: The paths might be adjusted according to the version of
>> openssl / apr / tomcat-native / tomcat version
>> 
>> 
>> Logs:
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
>> APR based Apache Tomcat Native library [1.2.12] using APR version
>> [1.5.2].
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
>> capabilities: IPv6 [true], sendfile [true], accept filters [false],
>> random [true].
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL
>> [true]
>> 
>> 01-Jun-2017 09:32:46.556 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.initializeSSL
>> OpenSSL successfully initialized [OpenSSL 1.0.2l  25 May 2017]
>> 
>> 
>> My question regarding this guide: Is there anything which might be
>> changed or is bad practice?
> 
> Everything looks good to me.
> 
> Whenever I try to build tcnative on my Mac, I find that XCode has
> broken some kind of symlink somewhere that I need to correct in order
> to use clang from the CLI. Some notes about how to work-around that
> would be good.

I was thinking of adding this line as optional. I tried to write a guide
some time ago but failed and switched to Jetty. I am very happy that Tomcat with
HTTP/2 is running for me because I can test the Apache Wicket HTTP/2
experimental integration on both servers now.

http://tomcat.10.x6.nabble.com/Apache-Tomcat-9-0-0-M4-and-http-2-on-Mac-OS-X-10-11-4-td5048883.html

Point 5. of this guide shows how to create the symlink.

> 
> -chris

Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Tobias Soloschenko
Hi,

what do you think of adding this to the wiki or some place to point to?

kind regards

Tobias


Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Mark Thomas
On 1 June 2017 17:03:48 BST, Christopher Schultz wrote:
>Mark,
>
>On 6/1/17 11:46 AM, Mark Thomas wrote:
>> On 1 June 2017 15:33:46 BST, Christopher Schultz wrote:
>>> Tobias,
>>> 
>>> On 6/1/17 3:53 AM, Tobias Soloschenko wrote:
>>>> a long time ago I tried out to install Apache Tomcat with
>>>> HTTP/2 support on macOS. I finally got a short time window to
>>>> complete a developer quickstart guide for that:
>>> 
>>> Wouldn't this all be a lot easier if you used the NIO connector 
>>> instead of APR? No XCode/OpenSSL/tcnative necessary.
>> 
>> But then you wouldn't have HTTP/2 support. Well you could have 
>> HTTP/2 if you used 9.0.x on Java 9 but there were a few wrinkles 
>> running Tomcat on Java 9 the last time I checked.
>
>Oh, I didn't realize that HTTP/2 required the APR connector.

It doesn't. It does require tomcat-native on 8.5.x.

>Funny... there is nothing on the Tomcat 8.5 HTTP/2 page that says
>anything about that requirement:
>http://tomcat.apache.org/tomcat-8.5-doc/config/http2.html
>
>The HTTP/1.1 connector docs allude to this fact:
>http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#HTTP/2_Support
>
>... but it's not explicitly said that the APR connector is required.
>From my reading, NIO+OpenSSL should work. Is that true?

Correct.

>Of course, NIO+OpenSSL requires that libtcnative be available, so the
>only question is whether NIO+OpenSSL is as reliable as the APR
>connector (or vice-versa).

I'd opt for NIO+OpenSSL as my first choice.

Mark

>
>Thanks for putting together this guide, Tobias.
>
>-chris




Guide for upgrading 8.0 -> 8.5

2017-06-01 Thread Christopher Schultz
All,

Tomcat 8.5 is intended to be a drop-in replacement for Tomcat 8.0 with
certain caveats. There is a migration guide[1] but it seems that may
be more detail than many need.

Is there any appetite for a tl;dr version of the migration guide?
Something like "just drop it in, but look out for these one or two
things"?

We discussed this at ApacheCon/TomcatCon and it seemed like a guide
for upgrading 8.0 -> 8.5 would be helpful, but ... the Migration Guide
is already there.

So... is there room for improvement? If so, what are some suggestions?

Thanks,
-chris

[1] http://tomcat.apache.org/migration-85.html



Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Christopher Schultz
Mark,

On 6/1/17 11:46 AM, Mark Thomas wrote:
> On 1 June 2017 15:33:46 BST, Christopher Schultz wrote:
>> Tobias,
>> 
>> On 6/1/17 3:53 AM, Tobias Soloschenko wrote:
>>> a long time ago I tried out to install Apache Tomcat with
>>> HTTP/2 support on macOS. I finally got a short time window to
>>> complete a developer quickstart guide for that:
>> 
>> Wouldn't this all be a lot easier if you used the NIO connector 
>> instead of APR? No XCode/OpenSSL/tcnative necessary.
> 
> But then you wouldn't have HTTP/2 support. Well you could have 
> HTTP/2 if you used 9.0.x on Java 9 but there were a few wrinkles 
> running Tomcat on Java 9 the last time I checked.

Oh, I didn't realize that HTTP/2 required the APR connector.

Funny... there is nothing on the Tomcat 8.5 HTTP/2 page that says
anything about that requirement:
http://tomcat.apache.org/tomcat-8.5-doc/config/http2.html

The HTTP/1.1 connector docs allude to this fact:
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#HTTP/2_Support

... but it's not explicitly said that the APR connector is required.
From my reading, NIO+OpenSSL should work. Is that true?

Of course, NIO+OpenSSL requires that libtcnative be available, so the
only question is whether NIO+OpenSSL is as reliable as the APR
connector (or vice-versa).

Thanks for putting together this guide, Tobias.

-chris




Re: tomcat 7, null tag attributes

2017-06-01 Thread Christopher Schultz
Chris,

On 6/1/17 10:51 AM, Chris Cheshire wrote:
> 7.0.77 (latest version in EPEL repository)
> 
> On Thu, Jun 1, 2017 at 10:27 AM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Chris,
> 
> On 5/31/17 6:31 PM, Chris Cheshire wrote:
>> I am using tomcat 7 on CentOS 7 and I need to pass a null
>> value to tag attributes of type Long/Integer/Float, however
>> it is *always* coerced to zero.
>> 
>> <%@attribute name="parentId" required="true"
>> rtexprvalue="true" type="java.lang.Long" %>
>> 
>> Changing required to false does nothing. I tried setting the 
>> system property org.apache.el.parser.COERCE_TO_ZERO to false
>> in tomcat.conf (-Dorg.apache.el.parser.COERCE_TO_ZERO=false
>> with my other JAVA_OPTS) but this does nothing. The value
>> before it hits the tag is null and inside the tag is 0. If I
>> query the System properties it shows it as set to false, but
>> Tomcat is not honoring it and is still coercing nulls to
>> zero. I understand the spec says to do this etc but that
>> defeats the purpose of using an object vs atomic type in the
>> first place and is horribly shortsighted.
>> 
>> Upgrading to Tomcat 8 is not a solution unfortunately as
>> there is no RPM for it.
>> 
>> How do I pass a null Long/Float/Integer as a tag attribute
>> and have it kept as null and not turned into an incorrect
>> value?
> 
> What exact version of Tomcat 7 are you running?

Can you produce a SSCCE[1] for this? If so, and you can reproduce it
in a clean Tomcat 7.0.78 from apache.org, please file a bug[2] and
attach your test case.

-chris

[1] http://sscce.org/
[2] https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%207



Re: Tomcat 7 antivirus exclusions, firewall exclusions?

2017-06-01 Thread Christopher Schultz
Kerry,

On 6/1/17 10:47 AM, Kerry Hazelton wrote:
> I am attempting to deploy a managed antivirus agent to two
> different machines - one runs RHEL 7.3, kernel version 3.10.0-514;
> the other runs Microsoft Windows 2012 R2 - and both are hosting web
> pages served up by Apache Tomcat 7.0.78.  What I’d like to know is
> which processes/services, files and/or directories need to be
> excluded from the antivirus scans to avoid any potential CPU or
> memory utilization spikes (or worse, the AV console falsely
> identifies a legit file as “malicious” and quarantines it).

You can probably whitelist everything in the CATALINA_HOME and
CATALINA_BASE directories, plus the JVM. But the JVM will probably
only be scanned once on startup and the same thing is true of
everything in CATALINA_HOME and CATALINA_BASE.

If the server is being kept up-to-date, you may have to update the
antivirus's settings because CATALINA_HOME and the JVM paths will
likely change.

> I’d also like to know which specific TCP/UDP ports will need to be 
> whitelisted to permit inbound and outbound traffic from our web
> developer workstations, since their VLAN is segregated from the
> rest of the network. I already know which ports to open on the
> firewall to allow the antivirus agents to talk back to the console;
> I just need to figure out the other ports to open.

The ports will be dependent upon what the Tomcat administrator has
configured in Tomcat. Unless there are some XML includes being used
(which is fairly rare, but not unheard of), everything you need will
be in CATALINA_BASE/conf/server.xml. Look for lines that look like this:

...where XXX is the port number being used. Check to see if there is
an "address" attribute on the XML element: if there is one and it's
something like "127.0.0.1" or "::" then you won't have to open a
firewall port, of course.

There may be more than one connector.

My recommendation would be to speak to the Tomcat administrator(s) to
find out what they expect to keep open.

> Before I go any further, I’d like to stress the following:
> 
> * I wasn’t the one who set up these servers; I was merely tasked
> with getting the antivirus agents deployed on them.  The system
> administrator who set these up doesn’t know which Linux processes,
> Windows services, files or directories to exclude; as he left that
> up to me to figure out.

Awesome. Who is the admin for Tomcat itself? Same person? If so, tell
them to do their job. :(

> * I have already contacted the AV vendor's support team, and they
> have indicated they have no documentation that specifically covers
> any version of Apache Tomcat.

That's not terribly surprising.

> * The last search on Google I used was “Apache Tomcat 7.x
> antivirus exclusions” and I didn’t see any results that were
> specific to my query. Same with “Apache Tomcat 7.x firewall
> exclusions”.
> 
> * I looked through the Information Security group on Stack Exchange
> with the same queries as above, and again I didn’t see anything
> promising nor specific to my queries.
> 
> * I attempted to search the mailing list archives using the search
> terms “antivirus exclusions” and “firewall permissions”; again, I
> didn’t see any answers that were specific to my queries.
> 
> * Yes, I’m aware of the risks involved by excluding specific 
> processes/services, files and directories.  I have tried to
> convince the management of these risks but to no avail.  They have
> agreed to accept them, along with any consequences that may occur.

You should try to convince management that virus scanners are
completely useless, and save yourself a whole lot of time and
resources. Then you'll have one less thing to do. :)

You could just let the antivirus do whatever it will do by default,
and then open things up individually until things start working again.

-chris
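Added here as an example of the server.xml check described above (not code from the thread or from Tomcat itself): it parses a constructed server.xml sample and reports, per Connector, whether the socket is bound to a loopback address or is reachable from other hosts and so needs a firewall rule. It assumes the JDK's built-in DOM parser, treats an absent address attribute as "all interfaces" (Tomcat's documented default), and counts the wildcards 0.0.0.0 and :: as exposed.

```java
import java.io.StringReader;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Lists the Connector elements of a server.xml and says which of them accept
 * connections from other hosts (firewall rule needed) and which are bound to
 * a loopback address only. Entity-based XML includes are not followed; run it
 * against the fully assembled file if a deployment uses them.
 */
public class ConnectorAudit {

    // Constructed sample, not any real deployment's server.xml.
    static final String SAMPLE_SERVER_XML =
          "<Server port=\"8005\" shutdown=\"SHUTDOWN\">\n"
        + "  <Service name=\"Catalina\">\n"
        + "    <Connector port=\"8080\" protocol=\"HTTP/1.1\" redirectPort=\"8443\"/>\n"
        + "    <Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\"\n"
        + "               SSLEnabled=\"true\" address=\"0.0.0.0\"/>\n"
        + "    <Connector port=\"8009\" protocol=\"AJP/1.3\" address=\"127.0.0.1\"/>\n"
        + "    <Connector port=\"8010\" protocol=\"AJP/1.3\" address=\"::1\"/>\n"
        + "    <Engine name=\"Catalina\" defaultHost=\"localhost\"/>\n"
        + "  </Service>\n"
        + "</Server>\n";

    /** One listening socket as configured by a Connector element. */
    public static final class Listener {
        public final String port;      // kept as text: server.xml may use ${property} placeholders
        public final String protocol;
        public final String address;   // null when the attribute is absent
        public final boolean exposed;  // true: reachable from other hosts

        Listener(String port, String protocol, String address, boolean exposed) {
            this.port = port;
            this.protocol = protocol;
            this.address = address;
            this.exposed = exposed;
        }

        @Override
        public String toString() {
            return String.format("port %-6s %-45s address=%-10s %s",
                    port, protocol, address == null ? "(all)" : address,
                    exposed ? "needs firewall rule" : "loopback only");
        }
    }

    /**
     * No address attribute means Tomcat binds every interface. A loopback
     * address (127.0.0.1, ::1, localhost) is local-only; anything else,
     * including the wildcards 0.0.0.0 and ::, is reachable from outside.
     */
    static boolean isExposed(String address) {
        if (address == null || address.trim().isEmpty()) {
            return true;
        }
        try {
            return !InetAddress.getByName(address.trim()).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return true;   // unclassifiable (e.g. a placeholder): report it rather than hide it
        }
    }

    public static List<Listener> audit(String serverXml) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(serverXml)));
        NodeList connectors = doc.getElementsByTagName("Connector");
        List<Listener> listeners = new ArrayList<Listener>();
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!c.hasAttribute("port")) {
                continue;   // no explicit port: ask the Tomcat admin about this one
            }
            String protocol = c.hasAttribute("protocol") ? c.getAttribute("protocol") : "HTTP/1.1";
            String address = c.hasAttribute("address") ? c.getAttribute("address") : null;
            listeners.add(new Listener(c.getAttribute("port").trim(), protocol, address,
                    isExposed(address)));
        }
        return listeners;
    }

    public static void main(String[] args) throws Exception {
        // The shutdown port on <Server> listens on localhost by default and is
        // therefore not a firewall concern; only Connectors are listed.
        for (Listener l : audit(SAMPLE_SERVER_XML)) {
            System.out.println(l);
        }
    }
}
```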



Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Mark Thomas
On 1 June 2017 15:33:46 BST, Christopher Schultz wrote:
>Tobias,
>
>On 6/1/17 3:53 AM, Tobias Soloschenko wrote:
>> a long time ago I tried out to install Apache Tomcat with HTTP/2
>> support on macOS. I finally got a short time window to complete a
>> developer quickstart guide for that:
>
>Wouldn't this all be a lot easier if you used the NIO connector
>instead of APR? No XCode/OpenSSL/tcnative necessary.

But then you wouldn't have HTTP/2 support. Well you could have HTTP/2 if you 
used 9.0.x on Java 9 but there were a few wrinkles running Tomcat on Java 9 the 
last time I checked.

Mark

>
>> 1. Download XCode from the AppStore
>> 
>> 
>> 2. Install Brew: http://brew.sh/
>> 
>> 
>> 3. Download Apache Tomcat binaries > 8.5 http://tomcat.apache.org/
>> 
>> 
>> 4. Install APR and OPENSSL with “brew install openssl” and “brew
>> install apr”
>> 
>> 
>> 5. Create pem files in “apache-tomcat-8.5.15/conf” folder - use
>> “changeit” every time a password is going to be requested (The
>> commands can be executed separately or within a shell script):
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -des3 -out localhost-rsa-key 1024
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -out localhost-key 1024
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in localhost-rsa-key -out localhost-key
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl req -new -key localhost-key -out localhost-csr
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl x509 -req -days 365 -in localhost-csr -signkey localhost-key -out localhost-crt
>> 
>> cat localhost-key localhost-crt > localhost-rsa-cert.pem
>> 
>> cat localhost-rsa-cert.pem > localhost-rsa-chain.pem
>> 
>> cat localhost-rsa-key > localhost-rsa-key-mod.pem
>> 
>> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in localhost-rsa-key-mod.pem -out localhost-rsa-key.pem
>> 
>> 
>> 6. Uncomment the http/2 connector with protocol 
>> “org.apache.coyote.http11.Http11AprProtocol” in the 
>> "apache-tomcat-8.5.15/conf/server.xml"
>> 
>> 
>> 7. Tomcat native installation
>> 
>> Extract “apache-tomcat-8.5.15/bin/tomcat-native.tar.gz”
>> 
>> Go into folder
>> “apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native”
>> 
>> Run “./configure --with-apr=/usr/local/Cellar/apr/1.5.2_3/ --with-ssl=/usr/local/Cellar/openssl/1.0.2l”
>> 
>> Run “make”
>> 
>> 
>> 8. Create a setenv.sh file within the /bin folder and add
>> lines:
>> 
>> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs
>> 
>> JAVA_OPTS="-Djava.library.path=/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs"
>> 
>> 
>> 9. Start Server
>> 
>> 
>> * Note1: The paths might be adjusted according to the version of
>> openssl / apr / tomcat-native / tomcat version
>> 
>> 
>> Logs:
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
>> APR based Apache Tomcat Native library [1.2.12] using APR version
>> [1.5.2].
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
>> capabilities: IPv6 [true], sendfile [true], accept filters [false],
>> random [true].
>> 
>> 01-Jun-2017 09:32:46.551 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL
>> [true]
>> 
>> 01-Jun-2017 09:32:46.556 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.initializeSSL
>> OpenSSL successfully initialized [OpenSSL 1.0.2l  25 May 2017]
>> 
>> 
>> My question regarding this guide: Is there anything which might be
>> changed or is bad practice?
>
>Everything looks good to me.
>
>Whenever I try to build tcnative on my Mac, I find that XCode has
>broken some kind of symlink somewhere that I need to correct in order
>to use clang from the CLI. Some notes about how to work-around that
>would be good.
>
>-chris




Re: Custom Webapp loading..

2017-06-01 Thread Hassan Khan
Also inside the work folder the JSP is not compiled, just the _folder name
has been created... does that point to an issue?
Thanks

On Thu, Jun 1, 2017 at 11:26 AM, Hassan Khan 
wrote:

> Any pointers to the problem .. pls... Have extended WebappLoader and use
> the below function for adding jars in Tomcat 6... for Tomcat 8.5 the jars are
> loading but not getting included in the classpath somehow...
> /**
>  * Reflectively add a jar to the classloader. This only works when
>  * called after super.start() has completed.
>  */
> private void addJar(final File jarRealFile) {
>     try {
>         final String jarPath = getFilePathRelativeToBase(jarRealFile);
>         final JarFile jarFile = new JarFile(jarRealFile);
>         final ClassLoader cl = getClassLoader();
>         if (cl instanceof WebappClassLoader) {
>             final WebappClassLoader wcl = (WebappClassLoader) cl;
>             final Class clazz = WebappClassLoader.class;
>             final Method addJar = clazz.getDeclaredMethod("addJar",
>                     new Class[]{String.class, JarFile.class, File.class});
>             addJar.setAccessible(true);
>             addJar.invoke(wcl, jarPath, jarFile, jarRealFile);
>         }
>         log("added jar " + jarRealFile.getCanonicalPath());
>     }
>     catch (IOException e) {
>         log("Exception accessing jar file: " + jarRealFile + ": " + e.getMessage());
>     }
>     catch (SecurityException e) {
>         log("Exception finding method in WebappClassLoader to add jar file: " + jarRealFile + ": " + e.getMessage());
>     }
>     catch (NoSuchMethodException e) {
>         log("Exception finding method in WebappClassLoader to add jar file: " + jarRealFile + ": " + e.getMessage());
>     }
>     catch (IllegalArgumentException e) {
>         log("Exception calling method in WebappClassLoader to add jar file: " + jarRealFile + ": " + e.getMessage());
>     }
>     catch (IllegalAccessException e) {
>         log("Exception calling method in WebappClassLoader to add jar file: " + jarRealFile + ": " + e.getMessage());
>     }
>     catch (InvocationTargetException e) {
>         log("Exception calling method in WebappClassLoader to add jar file: " + jarRealFile + ": " + e.getMessage());
>     }
> }
>
> Thanks
>
>
>
>
> On Wed, May 31, 2017 at 5:13 PM, Hassan Khan 
> wrote:
>
>> So the precise exception is "Only a type can be imported. ABC resolves to
>> a package".
>>
>> Stacktrace is:
>> at org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:102)
>> at org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:212)
>> at org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:457)
>> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:377)
>> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:349)
>> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:333)
>> at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:600)
>> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:368)
>> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
>> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
>> at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:590)
>> at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:524)
>> at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:895)
>> at org.apache.jsp.iNexx.common._005fshinglesTop_jsp._jspService(_005fshinglesTop_jsp.java:385) ==> JSP page called from the main webapp referencing the modular apps
>>
>>
>>
>> On Wed, May 31, 2017 at 5:05 PM, Hassan Khan 
>> wrote:
>>
>>> Hi,
>>>
>>> We have a main webapp (Tomcat\Webapp) that has many modular webapps
>>> (Tomcat\Webapp\app\) under it that can be removed and added by the user.
>>> The main webapp has the service and connectors, but the modular webapps
>>> do not need it.
>>>
>>> The problem is that currently, when the main webapp tries to access a jar in
>>> the modular webapps' lib dir... we get a class not found exception.. that
>>> is why we need to load the jars from the modular webapps' Web-INF\lib
>>> directory.
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Wed, May 31, 

Re: Custom Webapp loading..

2017-06-01 Thread Hassan Khan
Any pointers to the problem, please? I have extended WebappLoader and use
the function below for adding a jar in Tomcat 6... for Tomcat 8.5 the jars are
loading but not getting included in the classpath somehow...

// imports the method relies on (java.* plus the Tomcat class loader)
import java.io.File;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.jar.JarFile;
import org.apache.catalina.loader.WebappClassLoader;

/**
 * reflectively add a jar to the classloader. This only works when
 * called after super.start() has completed.
 */
private void addJar(final File jarRealFile) {
    try {
        final String jarPath = getFilePathRelativeToBase(jarRealFile);
        final JarFile jarFile = new JarFile(jarRealFile);
        final ClassLoader cl = getClassLoader();
        if (cl instanceof WebappClassLoader) {
            final WebappClassLoader wcl = (WebappClassLoader) cl;
            // addJar(String, JarFile, File) is not public, so look it up reflectively
            final Class<?> clazz = WebappClassLoader.class;
            final Method addJar = clazz.getDeclaredMethod("addJar",
                    new Class<?>[]{String.class, JarFile.class, File.class});
            addJar.setAccessible(true);
            addJar.invoke(wcl, jarPath, jarFile, jarRealFile);
        }
        log("added jar " + jarRealFile.getCanonicalPath());
    }
    catch (IOException e) {
        log("Exception accessing jar file: " + jarRealFile + ": " + e.getMessage());
    }
    catch (SecurityException e) {
        log("Exception finding method in WebappClassLoader to add jar file: "
                + jarRealFile + ": " + e.getMessage());
    }
    catch (NoSuchMethodException e) {
        log("Exception finding method in WebappClassLoader to add jar file: "
                + jarRealFile + ": " + e.getMessage());
    }
    catch (IllegalArgumentException e) {
        log("Exception calling method in WebappClassLoader to add jar file: "
                + jarRealFile + ": " + e.getMessage());
    }
    catch (IllegalAccessException e) {
        log("Exception calling method in WebappClassLoader to add jar file: "
                + jarRealFile + ": " + e.getMessage());
    }
    catch (InvocationTargetException e) {
        log("Exception calling method in WebappClassLoader to add jar file: "
                + jarRealFile + ": " + e.getMessage());
    }
}

Thanks




On Wed, May 31, 2017 at 5:13 PM, Hassan Khan 
wrote:

> So the precise exception is "Only a type can be imported. ABC resolves to a
> package".
>
> Stacktrace is:
> at org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:102)
> at org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:212)
> at org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:457)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:377)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:349)
> at org.apache.jasper.compiler.Compiler.compile(Compiler.java:333)
> at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:600)
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:368)
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
> at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:590)
> at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:524)
> at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:895)
> at org.apache.jsp.iNexx.common._005fshinglesTop_jsp._jspService(_005fshinglesTop_jsp.java:385) ==> JSP page called from the main webapp referencing the modular apps
>
>
>
> On Wed, May 31, 2017 at 5:05 PM, Hassan Khan 
> wrote:
>
>> Hi,
>>
>> We have a main webapp (Tomcat\Webapp) that has many modular webapps
>> (Tomcat\Webapp\app\) under it that can be removed and added by the user.
>> The main webapp has the service and connectors, but the modular webapps
>> do not need it.
>>
>> The problem is that currently, when the main webapp tries to access a jar in
>> the modular webapps' lib dir... we get a class not found exception.. that
>> is why we need to load the jars from the modular webapps' Web-INF\lib
>> directory.
>>
>> Thanks
>>
>>
>>
>> On Wed, May 31, 2017 at 5:00 PM, Aurélien Terrestris <
>> aterrest...@gmail.com> wrote:
>>
>>> hi
>>>
>>> what are you trying to do exactly ?
>>>
>>> If you just need to start one webapp after another one in a precise
>>> order,
>>> you need as many Services (+Connector on a different port, + Host) as
>>> webapps.
>>>
>>> A.T.
>>>
>>>
>>>
>>>
>>>
>>> 2017-05-31 22:48 GMT+02:00 Hassan Khan 

Re: tomcat 7, null tag attributes

2017-06-01 Thread Chris Cheshire
7.0.77 (latest version in EPEL repository)

On Thu, Jun 1, 2017 at 10:27 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Chris,
>
> On 5/31/17 6:31 PM, Chris Cheshire wrote:
> > I am using tomcat 7 on CentOS 7 and I need to pass a null value to
> > tag attributes of type Long/Integer/Float, however it is *always*
> > coerced to zero.
> >
> > <%@attribute name="parentId" required="true" rtexprvalue="true"
> > type="java.lang.Long" %>
> >
> > Changing required to false does nothing. I tried setting the
> > system property org.apache.el.parser.COERCE_TO_ZERO to false in
> > tomcat.conf (-Dorg.apache.el.parser.COERCE_TO_ZERO=false with my
> > other JAVA_OPTS) but this does nothing. The value before it hits
> > the tag is null and inside the tag is 0. If I query the System
> > properties it shows it as set to false, but Tomcat is not honoring
> > it and is still coercing nulls to zero. I understand the spec says
> > to do this etc but that defeats the purpose of using an object vs
> > atomic type in the first place and is horribly shortsighted.
> >
> > Upgrading to Tomcat 8 is not a solution unfortunately as there is
> > no RPM for it.
> >
> > How do I pass a null Long/Float/Integer as a tag attribute and have
> > it kept as null and not turned into an incorrect value?
>
> What exact version of Tomcat 7 are you running?
>
> -chris


Tomcat 7 antivirus exclusions, firewall exclusions?

2017-06-01 Thread Kerry Hazelton
All,



I am attempting to deploy a managed antivirus agent to two different
machines - one runs RHEL 7.3, kernel version 3.10.0-514; the other runs
Microsoft Windows 2012 R2 - and both are hosting web pages served up by
Apache Tomcat 7.0.78.  What I’d like to know is which processes/services,
files and/or directories need to be excluded from the antivirus scans to
avoid any potential CPU or memory utilization spikes (or worse, the AV
console falsely identifies a legit file as “malicious” and quarantines it).



I’d also like to know which specific TCP/UDP ports will need to be
whitelisted to permit inbound and outbound traffic from our web developer
workstations, since their VLAN is segregated from the rest of the network.
I already know which ports to open on the firewall to allow the antivirus
agents to talk back to the console; I just need to figure out the other
ports to open.



Before I go any further, I’d like to stress the following:



* I wasn’t the one who set up these servers; I was merely tasked with
getting the antivirus agents deployed on them.  The system administrator
who set these up doesn’t know which Linux processes, Windows services,
files or directories to exclude; as he left that up to me to figure out.

* I have already contacted the AV vendor's support team, and they have
indicated they have no documentation that specifically covers any version
of Apache Tomcat.

* The last search on Google I used was “Apache Tomcat 7.x antivirus
exclusions” and I didn’t see any results that were specific to my query.
Same with “Apache Tomcat 7.x firewall exclusions”.

* I looked through the Information Security group on Stack Exchange with
the same queries as above, and again I didn’t see anything promising nor
specific to my queries.

* I attempted to search the mailing list archives using the search terms
“antivirus exclusions” and “firewall permissions”; again, I didn’t see any
answers that were specific to my queries.

* Yes, I’m aware of the risks involved by excluding specific
processes/services, files and directories.  I have tried to convince the
management of these risks but to no avail.  They have agreed to accept
them, along with any consequences that may occur.



Any insight on this would be appreciated.  Thanks.


Re: a question about Realm config

2017-06-01 Thread Christopher Schultz

Ophusky,

On 6/1/17 5:09 AM, ophusky wrote:
> Thank you very much! I did what you said and it solved the
> problem. I have modified CATALINA_HOME/conf/server.xml to:
> 
>  docBase="/home/coremail/tomcat/webapps_exp/sample">  className="org.apache.catalina.realm.LockOutRealm">  className="org.apache.catalina.realm.UserDatabaseRealm" 
> resourceName="UserDatabase" digest="MD5"/>   className="org.apache.catalina.authenticator.DigestAuthenticator"
> validateUri="false"/> 
> 
> Everything is all right, thanks again!

I'd highly recommend removing the URL rewriting if possible. Either
remove the leading /tomcat from your URI space on the proxy or re-name
your application's WAR (or exploded WAR directory) to
tomcat#sample.war (or tomcat#sample directory).

-chris

> From: Mark Thomas
> Sent: 2017-06-01 15:50
> Subject: Re: a question about Realm config
> To: "Tomcat Users List"
> Cc:
> 
> This time to the list...
> 
> On 01/06/17 08:02, ophusky wrote:
>> Tomcat version: 8.0.43.0; Nginx version: openresty/1.11.2.2;
>> OS: CentOS Linux release 7.3.1611 (Core)
>> 
>> I have already configured Tomcat to use DIGEST authentication.
>> When I access Tomcat directly everything is normal:
>> http://192.168.122.130:8080/sample/test/test.html triggers
>> the authentication and it passes. But when I access it through the nginx
>> proxy, http://192.168.122.130/tomcat/sample/test/test.html
>> has a few problems: it triggers the authentication but cannot
>> pass; the authentication dialog is repeated.
> 
> 
> 
>> nginx.conf
>> 
>> location ~ /tomcat/ {
>>     rewrite ^/tomcat/(.*) /$1 break;
>>     proxy_pass http://192.168.122.130:8080;
>> }
>> 
>> Why cannot be accessed through the nginx and certified ? please
>> help me ,thanks!
> 
> The request URL forms part of the DIGEST authentication process. By
>  changing it in the reverse proxy, you are breaking the
> authentication process.
> 
> You can disable the URI validation. See the validateUri attribute
> in 
> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes
> 
> 
> Mark
> 



Re: Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Christopher Schultz

Tobias,

On 6/1/17 3:53 AM, Tobias Soloschenko wrote:
> a long time ago I tried out to install Apache Tomcat with HTTP/2
> support on macOS. I finally got a short time window to complete a
> developer quickstart guide for that:

Wouldn't this all be a lot easier if you used the NIO connector
instead of APR? No XCode/OpenSSL/tcnative necessary.

> 1. Download XCode from the AppStore
> 
> 
> 2. Install Brew: http://brew.sh/
> 
> 
> 3. Download Apache Tomcat binaries > 8.5 http://tomcat.apache.org/
> 
> 
> 4. Install APR and OPENSSL with “brew install openssl” and “brew
> install apr”
> 
> 
> 5. Create pem files in “apache-tomcat-8.5.15/conf” folder - use
> “changeit” every time a password is going to be requested (The
> commands can be executed separately or within a shell script):
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -des3 -out 
> localhost-rsa-key 1024
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -out
> localhost-key 1024
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in
> localhost-rsa-key -out localhost-key
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl req -new -key
> localhost-key -out localhost-csr
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl x509 -req -days 365
> -in localhost-csr -signkey localhost-key -out localhost-crt
> 
> cat localhost-key localhost-crt > localhost-rsa-cert.pem
> 
> cat localhost-rsa-cert.pem > localhost-rsa-chain.pem
> 
> cat localhost-rsa-key > localhost-rsa-key-mod.pem
> 
> /usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in 
> localhost-rsa-key-mod.pem -out localhost-rsa-key.pem
> 
> 
> 6. Uncomment the http/2 connector with protocol 
> “org.apache.coyote.http11.Http11AprProtocol” in the 
> "apache-tomcat-8.5.15/conf/server.xml"
> 
> 
> 7. Tomcat native installation
> 
> Extract “apache-tomcat-8.5.15/bin/tomcat-native.tar.gz”
> 
> Go into folder
> “apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native”
> 
> Run “./configure --with-apr=/usr/local/Cellar/apr/1.5.2_3/ 
> --with-ssl=/usr/local/Cellar/openssl/1.0.2l”
> 
> Run “make”
> 
> 
> 8. Create a setenv.sh file within the /bin folder and add
> lines:
> 
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs
> 
> JAVA_OPTS="-Djava.library.path=/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs"
>
> 
> 
> 9. Start Server
> 
> 
> * Note1: The paths might be adjusted according to the version of
> openssl / apr / tomcat-native / tomcat version
> 
> 
> Logs:
> 
> 01-Jun-2017 09:32:46.551 INFO [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
> APR based Apache Tomcat Native library [1.2.12] using APR version
> [1.5.2].
> 
> 01-Jun-2017 09:32:46.551 INFO [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true].
> 
> 01-Jun-2017 09:32:46.551 INFO [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL
> [true]
> 
> 01-Jun-2017 09:32:46.556 INFO [main] 
> org.apache.catalina.core.AprLifecycleListener.initializeSSL
> OpenSSL successfully initialized [OpenSSL 1.0.2l  25 May 2017]
> 
> 
> My question regarding this guide: Is there anything which might be
> changed or is bad practice?

Everything looks good to me.

Whenever I try to build tcnative on my Mac, I find that XCode has
broken some kind of symlink somewhere that I need to correct in order
to use clang from the CLI. Some notes about how to work-around that
would be good.

-chris



Re: [External] Re: Security Headers Implementation in Tomcat 6.x version

2017-06-01 Thread Christopher Schultz

Mohammad,

On 6/1/17 12:43 AM, Shaik, Mohammad N. wrote:
> What should be name of the new JAR file that I would create for
> the Filter classes?
It doesn't matter.

> There are multiple JAR files in lib folder. Does the name of these 
> JAR files have any significance?

Not really.

> My understanding is that as long as you have your code (.class 
> files) is present in any of the JAR files under "lib" folder,
> system would get it. You don’t need to have a specific-named JAR
> files having specific-named .class files. The .class files from all
> the jar files under lib folder is considered as one big collection,
> and based on the invoked classname its corresponding .class file
> gets executed from that big code. Multiple JAR files with different
> names is setup just for logical classification of classes. Please
> correct me if this is not right.

You are correct. There are problems if the same class exists in two
separate JAR files, but that should not be a problem in the standard
Tomcat installation, plus the JAR file that has a few (unique) classes
from Tomcat 7 in there.

Remember: Upgrade ASAP.

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 31 May 2017 23:52
> To: users@tomcat.apache.org
> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version
> 
> Mohammad,
> 
> On 5/31/17 6:37 AM, Shaik, Mohammad N. wrote:
>> Can I simply use the JAR files from Tomcat 7 that contains
>> executable code of filter classes (security headers), and put
>> them into corresponding location in Tomcat 6?
> 
> Definitely don't do that. But you could probably grab the compiled
> .class files from Tomcat 7's binary distribution... just make sure
> you have all of them.
> 
> So, basically, create a new JAR file that contains only those
> Filter classes (don't forget any inner classes that might be found
> in separate .class files).
> 
> -chris
> 
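Chris's advice above (copy the compiled Filter classes, inner classes included, into a new JAR, and never let the same class exist in two JARs under lib) can be checked mechanically before the JAR goes into Tomcat 6. The following is an added example, not code from the thread or from Tomcat; the JAR layout, the inner-class name and the placeholder class bytes it builds in a temporary directory are constructed for illustration.

```python
"""Added example (not from the thread): sanity-check a hand-built JAR of copied
Tomcat 7 filter classes before it goes into Tomcat 6's lib/.

Two cautions from the reply above are checked: every class file that belongs
to the filters, including inner classes (Foo$1.class, Foo$Bar.class), was
copied out of the Tomcat 7 JAR; and none of the copied classes already exists
in another JAR under lib/, because the same class in two JARs causes problems.
Base classes the filters depend on are not discovered here; list them
explicitly in filter_classes if you copied them too.
"""
import os
import shutil
import tempfile
import zipfile


def classes_in_jar(path):
    """Set of .class entry names (e.g. 'org/example/Foo$1.class') in a JAR."""
    with zipfile.ZipFile(path) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def check_filter_jar(new_jar, source_jar, lib_dir, filter_classes):
    """Return (missing, duplicates).

    missing:    entries of source_jar belonging to filter_classes (each class
                plus its inner classes) that are absent from new_jar.
    duplicates: {other_jar_name: [entries also present in new_jar]} for every
                other JAR in lib_dir.
    """
    source = classes_in_jar(source_jar)
    expected = set()
    for cls in filter_classes:
        stem = cls[: -len(".class")]
        expected |= {n for n in source if n == cls or n.startswith(stem + "$")}
    new_entries = classes_in_jar(new_jar)
    missing = sorted(expected - new_entries)

    duplicates = {}
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not name.endswith(".jar") or os.path.abspath(path) == os.path.abspath(new_jar):
            continue
        clash = new_entries & classes_in_jar(path)
        if clash:
            duplicates[name] = sorted(clash)
    return missing, duplicates


def _write_jar(path, entries):
    """Constructed stand-in JAR: only the entry names matter for the check."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder, not a real class


def demo():
    """Constructed lib/ layout: the new JAR forgot an inner class and also
    re-packaged a class the installation already ships, so both are reported."""
    root = tempfile.mkdtemp()
    try:
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        source = os.path.join(root, "tomcat7-catalina.jar")  # JAR the classes came from
        _write_jar(source, [
            "org/apache/catalina/filters/HttpHeaderSecurityFilter.class",
            "org/apache/catalina/filters/HttpHeaderSecurityFilter$XFrameOption.class",
            "org/apache/catalina/filters/FilterBase.class",
            "org/apache/catalina/core/StandardContext.class",
        ])
        _write_jar(os.path.join(lib, "catalina.jar"), [  # the installation's own JAR
            "org/apache/catalina/core/StandardContext.class",
            "org/apache/catalina/filters/FilterBase.class",
        ])
        new_jar = os.path.join(lib, "tomcat7-security-filters.jar")
        _write_jar(new_jar, [
            "org/apache/catalina/filters/HttpHeaderSecurityFilter.class",
            "org/apache/catalina/filters/FilterBase.class",
        ])
        return check_filter_jar(new_jar, source, lib,
                                ["org/apache/catalina/filters/HttpHeaderSecurityFilter.class"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    missing, duplicates = demo()
    print("missing from new JAR:", missing)
    print("already present elsewhere in lib/:", duplicates)
```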



Re: tomcat 7, null tag attributes

2017-06-01 Thread Christopher Schultz

Chris,

On 5/31/17 6:31 PM, Chris Cheshire wrote:
> I am using tomcat 7 on CentOS 7 and I need to pass a null value to
> tag attributes of type Long/Integer/Float, however it is *always*
> coerced to zero.
> 
> <%@attribute name="parentId" required="true" rtexprvalue="true" 
> type="java.lang.Long" %>
> 
> Changing required to false does nothing. I tried setting the
> system property org.apache.el.parser.COERCE_TO_ZERO to false in
> tomcat.conf (-Dorg.apache.el.parser.COERCE_TO_ZERO=false with my
> other JAVA_OPTS) but this does nothing. The value before it hits
> the tag is null and inside the tag is 0. If I query the System
> properties it shows it as set to false, but Tomcat is not honoring
> it and is still coercing nulls to zero. I understand the spec says
> to do this etc but that defeats the purpose of using an object vs
> atomic type in the first place and is horribly shortsighted.
> 
> Upgrading to Tomcat 8 is not a solution unfortunately as there is
> no RPM for it.
> 
> How do I pass a null Long/Float/Integer as a tag attribute and have
> it kept as null and not turned into an incorrect value?

What exact version of Tomcat 7 are you running?

-chris



Tomcat Architecture Documentation Contribution

2017-06-01 Thread Adrian Bartlett
Hi All,



I have documented the MySQL DBCP Example on the
http://tomcat.apache.org/tomcat-8.5-doc/jndi-datasource-examples-howto.html
page.



It shows architecturally how Tomcat serves the page by using a DataSource,
Connection Pool and MySQL. It can be viewed here:
https://design.codelytics.io/tomcat/jdbc-query, it is the second part, but
it is more interesting than the first.



There also is some more security documentation under the Tomcat folder at:
https://design.codelytics.io. It documents the example:
*/jsp/security/protected/index.html*, which comes bundled with Tomcat. It
visually shows how Tomcat performs Authentication and Authorisation
internally.


 If anyone would like some other aspects of Tomcat documented, let me know


Project to help data analysis on thread dumps

2017-06-01 Thread Robert Anderson
Hi,

I've started a project that make data analysis on thread dumps easier (at
least I hope so :) ).

An example of jupyter notebook:

https://github.com/ranophoenix/jvmthreadparser/blob/master/Thread%20Analysis.ipynb

All suggestions are welcomed.

Thanks,

Robert


Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

2017-06-01 Thread Mark Eggers
On 6/1/2017 1:32 AM, Nicholas Cottrell wrote:
> yum provides /usr/lib64/httpd/modules/mod_proxy_ajp.so

OK - don't know how I missed it. I could have sworn it wasn't there
yesterday :-p.

I just checked my system and it's there (run CentOS 6 in production).

/mde/





Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

2017-06-01 Thread Mark Thomas
On 1 June 2017 09:24:16 BST, Nicholas Cottrell  wrote:
>
>> On 31 May 2017, at 22:44, André Warnier (tomcat) 
>wrote:
>> 
>> On 31.05.2017 21:52, Nicholas Cottrell wrote:
 On 5/31/17 8:42 AM, Nicholas Cottrell wrote:
> Hi All!
> 
> I'm having a problem setting up an existing webapp from Apache
> 2.2/Tomcat6 on a new server running Centos 7, and the following
> packages:
> 
> httpd 2.4.6-45.el7.centos.4 tomcat.noarch
> 7.0.69-11.el7_3 @updates tomcat-native.x86_64
> 1.1.34-1.el7@epel
> 
> For debugging I have enabled AJP/1.3 and 8009 and HTTP on 8080,
> then use Apache to ProxyPass.
> 
> With my initial configuration, data from a form POST is not
> available via request.getParameter:
> 
> ProxyPass / ajp://localhost:8009/ retry=1 acquire=3000 timeout=600 Keepalive=On
> ProxyPassReverse / ajp://localhost:8009/
> 
> But changing it to this fixes everything:
> 
> ProxyPass / http://localhost:8080/ retry=1 acquire=3000 timeout=600 Keepalive=On
> ProxyPassReverse / http://localhost:8080/
> 
> In the broken instance, request.getParameter("x") returned null,
> but request.getReader() returned bytes with "x=123" so seems that
> Apache is sending the POST body but Tomcat is not processing it
> correctly, yes?
> 
> Please also see
> https://stackoverflow.com/questions/44167876/problems-with-post-parameters-with-tomcat-ajp-on-apache-2-4-but-not-2-2
> for my steps so far.
> 
> I would prefer to switch back to AJP for the proxy, since I
> understand it is more performant, right? Should I try forcing a
> Tomcat 8 install to see if the problem persists there too?
 
 If you call request.getReader/getInputStream before any of the
 request.getParameter family of methods, then all
>request.getParameter*
 methods will return null. That's because Tomcat must consume the
 request body in order to parse POST parameters. If you call
 request.getReader/getInputStream, then Tomcat assumes that you will
>be
 handling the request body (and any associated parameters therein).
 
 Is it possible that you are "damaging" the request by inspecting
>the
 request body?
>>> 
>>> I've been thinking about that but I don't call
>getReader/getInputStream anywhere myself.
>>> Also, the fact that accessing the same page via 8080 directly to
>Tomcat works, but via Apache/AJP through Tomcat's port 8009 works fine,
>and setting the proxy to use the 8080 also works.
>>> 
>> 
>> There must be a typo in the phrase above, or else what are you
>complaining about ?
>
>Sorry - via AJP and port 8009 does NOT work, and I don't want to switch
>production to Proxying via HTTP since I understand that's much less
>performant.

Your understanding is incorrect.

Mark





Re: Re: a question about Realm config

2017-06-01 Thread ophusky
Thank you very much! I did what you said and it solved the problem.
I have modified CATALINA_HOME/conf/server.xml to:



  

 


Everything is all right, thanks again!

2017-06-01 

ophusky 



From: Mark Thomas
Sent: 2017-06-01 15:50
Subject: Re: a question about Realm config
To: "Tomcat Users List"
Cc:

This time to the list... 

On 01/06/17 08:02, ophusky wrote: 
> Tomcat version: 8.0.43.0
> Nginx version: openresty/1.11.2.2
> OS: CentOS Linux release 7.3.1611 (Core)
>
> I have already configured Tomcat to use DIGEST authentication.
> When I access Tomcat directly everything is normal:
> http://192.168.122.130:8080/sample/test/test.html triggers the
> authentication and it passes.
> But when I access it through the nginx proxy,
> http://192.168.122.130/tomcat/sample/test/test.html has a few
> problems: it triggers the authentication but cannot pass; the
> authentication dialog is repeated.

 

> nginx.conf 
>  
> location ~ /tomcat/ { 
> rewrite ^/tomcat/(.*) /$1 break; 
> proxy_pass http://192.168.122.130:8080; 
> } 
>  
> Why can it not be accessed and authenticated through nginx? Please help
> me, thanks!

The request URL forms part of the DIGEST authentication process. By 
changing it in the reverse proxy, you are breaking the authentication 
process. 

You can disable the URI validation. See the validateUri attribute in 
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes
 

Mark 

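Mark's point that the request URL forms part of the DIGEST exchange, and Chris's recommendation in the earlier copy of this thread to drop the rewrite (deploying the app as tomcat#sample) rather than set validateUri="false", can be seen concretely by recomputing the RFC 2617 response the way a browser and Tomcat's DigestAuthenticator do. The following is an added example, not code from the thread or from Tomcat; the user name, realm, password and nonce it uses are constructed, and the nginx rewrite rule is the one from the question.

```python
"""Added example (not from the thread): why an nginx rewrite breaks HTTP Digest.

Re-implements the RFC 2617 qop=auth computation done by the browser and
checked by Tomcat's DigestAuthenticator. Credentials, realm and nonce in
scenarios() are constructed values.
"""
import hashlib


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).

    The URI the client requested is therefore bound into the hash."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def browser_authorization(user, realm, password, method, uri, nonce,
                          nc="00000001", cnonce="0a4f113b"):
    """Fields of the Authorization header a browser sends for the URI it requested."""
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri, "qop": "auth",
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, realm, password, method, uri, nonce, nc, cnonce),
    }


def nginx_rewrite(uri):
    """The rule from the question: rewrite ^/tomcat/(.*) /$1 break;"""
    return uri[len("/tomcat"):] if uri.startswith("/tomcat/") else uri


def tomcat_verify(auth, method, request_uri, password, validate_uri=True):
    """Server side. With validateUri=true (the default) the uri field the client
    signed must equal the URI Tomcat actually received; the response is then
    recomputed from the header's own uri field, as DigestAuthenticator does."""
    if validate_uri and auth["uri"] != request_uri:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"],
                               auth["qop"])
    return expected == auth["response"]


def scenarios():
    """Outcomes for the three situations discussed in the thread."""
    user, realm, password, nonce = "tomcat", "Sample Realm", "changeit", "5a3b9c0d"
    browser_uri = "/tomcat/sample/test/test.html"  # what the browser requests and signs
    auth = browser_authorization(user, realm, password, "GET", browser_uri, nonce)
    return {
        # no rewrite: direct access, or the app deployed as tomcat#sample so the
        # context path already is /tomcat/sample
        "no_rewrite": tomcat_verify(auth, "GET", browser_uri, password),
        # nginx strips /tomcat before proxying, so Tomcat sees a different URI
        "rewritten": tomcat_verify(auth, "GET", nginx_rewrite(browser_uri), password),
        # validateUri="false" skips the comparison; the hash itself still matches
        "rewritten_validateUri_false": tomcat_verify(
            auth, "GET", nginx_rewrite(browser_uri), password, validate_uri=False),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-28s %s" % (name, "200 OK" if ok else "401 again (dialog repeats)"))
```

The "rewritten" case is the repeated authentication dialog from the question: the credentials are correct, but the path Tomcat receives is not the one the browser signed.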

Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

2017-06-01 Thread Nicholas Cottrell
Mark,
> 
> On 5/31/2017 5:42 AM, Nicholas Cottrell wrote:
>> Hi All!
>> 
>> I'm having a problem setting up an existing webapp from Apache
>> 2.2/Tomcat6 on a new server running Centos 7, and the following
>> packages:
>> 
>> httpd2.4.6-45.el7.centos.4 tomcat.noarch
>> 7.0.69-11.el7_3 @updates tomcat-native.x86_64
>> 1.1.34-1.el7@epel
>> 
>> For debugging I have enabled AJP/1.3 and 8009 and HTTP on 8080, then
>> use Apache to ProxyPass.
>> 
>> With my initial configuration, data from a form POST is not available
>> via request.getParameter:
>> 
>> ProxyPass / ajp://localhost:8009/ retry=1 acquire=3000 timeout=600 Keepalive=On
>> ProxyPassReverse / ajp://localhost:8009/
>> 
>> But changing it to this fixes everything:
>> 
>> ProxyPass / http://localhost:8080/ retry=1 acquire=3000 timeout=600 Keepalive=On
>> ProxyPassReverse / http://localhost:8080/
>> 
>> In the broken instance, request.getParameter("x") returned null, but
>> request.getReader() returned bytes with "x=123" so seems that Apache
>> is sending the POST body but Tomcat is not processing it correctly,
>> yes?
>> 
>> Please also see
>> https://stackoverflow.com/questions/44167876/problems-with-post-parameters-with-tomcat-ajp-on-apache-2-4-but-not-2-2
>> 
>> for my steps so far.
>> 
>> I would prefer to switch back to AJP for the proxy, since I
>> understand it is more performant, right? Should I try forcing a
>> Tomcat 8 install to see if the problem persists there too?
>> 
>> Best, Nic.
>> 
> 
> I wasn't aware that mod_proxy_ajp was available on a stock CentOS 7 even
> with epel enabled.
> 
> If you're using the ajp protocol (it's not HTTP), then you'll need to
> get mod_jk (from tomcat.apache.org) and build it yourself. It's not
> difficult.
> 
> However, the configuration is quite a bit different. Fortunately, there
> is an excellent set of example configuration files in the source (see
> the conf subdirectory).
> 
> mod_proxy_ajp.so was shipped with CentOS 6, but does not appear to be
> available with CentOS 7.
> 
> Either that - or go with mod_proxy_http and proxy to the HTTP connector
> (default in server.xml is port 8080).
> 
> . . . just my two cents
> /mde/

Yes, seems that Centos 7 does provide mod_proxy_ajp.so:

[root@blanche nic]# yum provides /usr/lib64/httpd/modules/mod_proxy_ajp.so
Loaded plugins: etckeeper, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * base: mirror.wiuwiu.de
 * epel: mirrors.n-ix.net
 * extras: mirror.softaculous.com
 * remi: mirror.23media.de
 * remi-php56: mirror.23media.de
 * remi-safe: mirror.23media.de
 * updates: mirror.wiuwiu.de
0 packages excluded due to repository protections
httpd-2.4.6-45.el7.centos.x86_64 : Apache HTTP Server
Repo: base
Matched from:
Filename: /usr/lib64/httpd/modules/mod_proxy_ajp.so

httpd-2.4.6-45.el7.centos.4.x86_64 : Apache HTTP Server
Repo: updates
Matched from:
Filename: /usr/lib64/httpd/modules/mod_proxy_ajp.so

httpd-2.4.6-45.el7.centos.4.x86_64 : Apache HTTP Server
Repo: @updates
Matched from:
Filename: /usr/lib64/httpd/modules/mod_proxy_ajp.so

Is mod_jk really still recommended? I thought it was mostly deprecated now in 
preference for mod_proxy_ajp? See 
https://serverfault.com/questions/182289/mod-proxy-vs-mod-proxy-ajp-vs-mod-jk 
 




Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

2017-06-01 Thread Nicholas Cottrell

> On 31 May 2017, at 22:44, André Warnier (tomcat)  wrote:
> 
> On 31.05.2017 21:52, Nicholas Cottrell wrote:
>>> On 5/31/17 8:42 AM, Nicholas Cottrell wrote:
>>>> Hi All!
>>>> 
>>>> I'm having a problem setting up an existing webapp from Apache
>>>> 2.2/Tomcat6 on a new server running Centos 7, and the following
>>>> packages:
>>>> 
>>>> httpd  2.4.6-45.el7.centos.4 tomcat.noarch
>>>> 7.0.69-11.el7_3 @updates tomcat-native.x86_64
>>>> 1.1.34-1.el7@epel
>>>> 
>>>> For debugging I have enabled AJP/1.3 and 8009 and HTTP on 8080,
>>>> then use Apache to ProxyPass.
>>>> 
>>>> With my initial configuration, data from a form POST is not
>>>> available via request.getParameter:
>>>> 
>>>> ProxyPass / ajp://localhost:8009/ retry=1
>>>> acquire=3000 timeout=600 Keepalive=On ProxyPassReverse /
>>>> ajp://localhost:8009/
>>>> 
>>>> But changing it to this fixes everything:
>>>> 
>>>> ProxyPass / http://localhost:8080/ retry=1
>>>> acquire=3000 timeout=600 Keepalive=On ProxyPassReverse /
>>>> http://localhost:8080/
>>>> 
>>>> In the broken instance, request.getParameter("x") returned null,
>>>> but request.getReader() returned bytes with "x=123" so seems that
>>>> Apache is sending the POST body but Tomcat is not processing it
>>>> correctly, yes?
>>>> 
>>>> Please also see
>>>> https://stackoverflow.com/questions/44167876/problems-with-post-parameters-with-tomcat-ajp-on-apache-2-4-but-not-2-2
>>>> for my steps so far.
>>>> 
>>>> I would prefer to switch back to AJP for the proxy, since I
>>>> understand it is more performant, right? Should I try forcing a
>>>> Tomcat 8 install to see if the problem persists there too?
>>> 
>>> If you call request.getReader/getInputStream before any of the
>>> request.getParameter family of methods, then all request.getParameter*
>>> methods will return null. That's because Tomcat must consume the
>>> request body in order to parse POST parameters. If you call
>>> request.getReader/getInputStream, then Tomcat assumes that you will be
>>> handling the request body (and any associated parameters therein).
>>> 
>>> Is it possible that you are "damaging" the request by inspecting the
>>> request body?
>> 
>> I've been thinking about that but I don't call getReader/getInputStream 
>> anywhere myself.
>> Also, the fact that accessing the same page via 8080 directly to Tomcat 
>> works, but via Apache/AJP through Tomcat's port 8009 works fine, and setting 
>> the proxy to use the 8080 also works.
>> 
> 
> There must be a typo in the phrase above, or else what are you complaining 
> about ?

Sorry - via AJP and port 8009 does NOT work, and I don't want to switch 
production to Proxying via HTTP since I understand that's much less performant.



Developer quickstart guide for Tomcat with HTTP/2 on macOS

2017-06-01 Thread Tobias Soloschenko
Hi everyone,

a long time ago I tried to install Apache Tomcat with HTTP/2 support on
macOS. I finally got a short time window to complete a developer quickstart
guide for that:

1. Download XCode from the AppStore


2. Install Brew: http://brew.sh/


3. Download Apache Tomcat binaries > 8.5 http://tomcat.apache.org/


4. Install APR and OPENSSL with “brew install openssl” and “brew install
apr”


5. Create pem files in “apache-tomcat-8.5.15/conf” folder - use “changeit”
every time a password is going to be requested (The commands can be
executed separately or within a shell script):

/usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -des3 -out
localhost-rsa-key 1024

/usr/local/Cellar/openssl/1.0.2l/bin/openssl genrsa -out localhost-key 1024

/usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in localhost-rsa-key -out
localhost-key

/usr/local/Cellar/openssl/1.0.2l/bin/openssl req -new -key localhost-key
-out localhost-csr

/usr/local/Cellar/openssl/1.0.2l/bin/openssl x509 -req -days 365 -in
localhost-csr -signkey localhost-key -out localhost-crt

cat localhost-key localhost-crt > localhost-rsa-cert.pem

cat localhost-rsa-cert.pem > localhost-rsa-chain.pem

cat localhost-rsa-key > localhost-rsa-key-mod.pem

/usr/local/Cellar/openssl/1.0.2l/bin/openssl rsa -in
localhost-rsa-key-mod.pem -out localhost-rsa-key.pem


6. Uncomment the http/2 connector with protocol
“org.apache.coyote.http11.Http11AprProtocol” in the
"apache-tomcat-8.5.15/conf/server.xml"


7. Tomcat native installation

Extract “apache-tomcat-8.5.15/bin/tomcat-native.tar.gz”

Go into folder “apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native”

Run “./configure --with-apr=/usr/local/Cellar/apr/1.5.2_3/
--with-ssl=/usr/local/Cellar/openssl/1.0.2l”

Run “make”


8. Create a setenv.sh file within the /bin folder and add lines:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs

JAVA_OPTS="-Djava.library.path=/usr/local/Cellar/apr/1.5.2_3/libexec/lib:/Applications/apache-tomcat-8.5.15/bin/tomcat-native-1.2.12-src/native/.libs"


9. Start Server


* Note1: The paths might need to be adjusted according to the version of
openssl / apr / tomcat-native / tomcat


Logs:

01-Jun-2017 09:32:46.551 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].

01-Jun-2017 09:32:46.551 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].

01-Jun-2017 09:32:46.551 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]

01-Jun-2017 09:32:46.556 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.0.2l  25 May 2017]


My question regarding this guide: Is there anything which might be changed
or is bad practice?


thanks in advance / kind regards

Tobias


Re: a question about Realm config

2017-06-01 Thread Mark Thomas
This time to the list...

On 01/06/17 08:02, ophusky wrote:
> Tomcat version:8.0.43.0
> Nginx  version:openresty/1.11.2.2
> OS:CentOS Linux release 7.3.1611 (Core)
> 
> I have already configured Tomcat to use DIGEST authentication.
> When I access Tomcat directly, everything is normal:
> http://192.168.122.130:8080/sample/test/test.html  triggers the
> authentication and it passes.
> But when I access it through the nginx proxy,
> http://192.168.122.130/tomcat/sample/test/test.html   has a few
> problems: it triggers the authentication but can't pass, and the
> authentication dialog repeats.



> nginx.conf
> 
> location ~ /tomcat/ {
> rewrite ^/tomcat/(.*) /$1 break;
> proxy_pass http://192.168.122.130:8080;
> }
> 
> Why can't it be accessed and authenticated through nginx? Please help
> me, thanks!

The request URL forms part of the DIGEST authentication process. By
changing it in the reverse proxy, you are breaking the authentication
process.

You can disable the URI validation. See the validateUri attribute in
http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Digest_Authenticator_Valve/Attributes

Mark

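Why the nginx rewrite breaks the exchange, as an added example (not Tomcat's DigestAuthenticator, which additionally checks realm, nonce freshness and nc replay): a minimal RFC 2617 Digest verification where the `validate_uri` flag stands in for the validateUri attribute Mark refers to. The realm and role come from the thread's web.xml; the password, nonce and cnonce are constructed sample values.

```python
import hashlib

REALM = "webapp"                  # realm-name from the thread's web.xml
USERS = {"testuser": "s3cret"}    # constructed sample credential

def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def client_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The `response` a browser sends (RFC 2617 3.2.2.1, qop="auth").
    The requested URI is hashed into HA2, binding the credential to that resource."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(auth, request_uri, method="GET", validate_uri=True):
    """Check a parsed Authorization header as a server does. `auth` holds what the
    browser sent (username, uri, nonce, nc, cnonce, response). With validate_uri=True
    the signed `uri` must equal the URI of the request actually received; this stands
    in for Tomcat's validateUri attribute. Nonce freshness / nc replay checks are omitted."""
    password = USERS.get(auth["username"])
    if password is None:
        return False
    if validate_uri and auth["uri"] != request_uri:
        return False              # header was signed for a different resource
    expected = client_response(auth["username"], password, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return expected == auth["response"]

def simulate(via_proxy, validate_uri=True):
    """Replay the thread's setups. Direct: browser and Tomcat see the same URI.
    Via nginx: the browser signs /tomcat/..., then `rewrite ^/tomcat/(.*) /$1 break;`
    strips the prefix before Tomcat sees the request, so the signed uri no longer matches."""
    browser_uri = ("/tomcat" if via_proxy else "") + "/sample/test/test.html"
    tomcat_uri = "/sample/test/test.html"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    auth = {"username": "testuser", "uri": browser_uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "response": client_response(
                "testuser", "s3cret", "GET", browser_uri, nonce, nc, cnonce)}
    return server_accepts(auth, tomcat_uri, validate_uri=validate_uri)

if __name__ == "__main__":
    print("direct:", simulate(False))                   # True
    print("via nginx rewrite:", simulate(True))         # False: repeated auth dialog
    print("rewrite + validateUri=false:", simulate(True, validate_uri=False))  # True
```

Turning validateUri off makes Tomcat accept a header signed for a URI other than the one being requested; proxying without the path rewrite keeps that check intact.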



a question about Realm config

2017-06-01 Thread ophusky
Tomcat version:8.0.43.0
Nginx  version:openresty/1.11.2.2
OS:CentOS Linux release 7.3.1611 (Core)


I have already configured Tomcat to use DIGEST authentication.
When I access Tomcat directly, everything is normal:
http://192.168.122.130:8080/sample/test/test.html  triggers the
authentication and it passes.
But when I access it through the nginx proxy,
http://192.168.122.130/tomcat/sample/test/test.html   has a few problems: it
triggers the authentication but can't pass, and the authentication dialog repeats.
CATALINA_HOME/conf/server.xml:


  




CATALINA_HOME/conf/tomcat-users.xml :

  


CATALINA_HOME/webapps_exp/sample/WEB-INF/web.xml :

<security-constraint>
  <web-resource-collection>
    <web-resource-name>my sample webapp</web-resource-name>
    <url-pattern>/test/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>testuser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>webapp</realm-name>
</login-config>

<security-role>
  <role-name>testuser</role-name>
</security-role>


nginx.conf


location ~ /tomcat/ {
rewrite ^/tomcat/(.*) /$1 break;
proxy_pass http://192.168.122.130:8080;
}


Why can't it be accessed and authenticated through nginx? Please help me, thanks!