Re: Tomcat shutdown password complexity

2020-05-08 Thread calder
On Fri, May 8, 2020 at 9:07 PM calder  wrote:
>
> On Fri, May 8, 2020, 19:20 Robert Hicks  wrote:
>>
>> I am trying to find what the password complexity can be. I've looked at
>> several hardening guides and they are all "WordsLikeThis". Does the
>> shutdown password take symbols and numbers or at least hyphenated words?
>
>
> We've never had occasion to use the password, because we disable shutdown 
> (the better option).
>
> However, my best guess is one could use anything.  One could check the source
> code, or better yet, set up a Dev instance and give it a quick test - a 15
> minute exercise at most.

Gave it a test.

In server.xml, we have


and then fire it up

user@stimpy:~/bin/apache-tomcat/bin> ./catalina.sh start  > log.log 2>&1

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep java
user   7223  531  1.2 21006280 812812 pts/2 Sl   23:22   0:13 /home/ [ ... ]

user@stimpy:~/bin/apache-tomcat/bin> ./shutdown.sh stop

user@stimpy:~/bin/apache-tomcat/bin> ps aux | grep "bin/java"
[ no response ]

If we start up TC and change the server.xml entry to (removed one char at end)

TC won't shut down.

Keep in mind - some characters won't work like & or ( or ) - at least
on Unix-style OSes as the shell may want to interpret them.

Experiment with whatever chars you want.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
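Calder's test above shows the shutdown string being matched exactly: change one character in server.xml and shutdown.sh no longer stops the server. The script below is an added example, not code from the thread or from Tomcat, that audits the Server element of a server.xml the way a hardening review would: it reports whether the shutdown port is disabled (port="-1", the option calder recommends) and, if it is not, whether the string is the stock "SHUTDOWN", shorter than a chosen minimum, or bound to something other than loopback. Both server.xml documents inside it are constructed samples, and the 16-character minimum is a threshold picked for the example rather than a Tomcat rule. Because the value is an XML attribute, characters such as & have to be written as &amp; in the file; the parser hands back the decoded string, which is what Tomcat compares against the bytes it receives on the shutdown port.

```python
"""Audit the shutdown settings of a Tomcat server.xml.

Added example, not code from the mailing-list thread or from Tomcat itself.
It checks the two things a hardening review asks about the <Server> element:
is the shutdown port disabled (port="-1"), and if not, is the shutdown
command the stock "SHUTDOWN" string or too short to resist guessing.
Both server.xml documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

DEFAULT_COMMAND = "SHUTDOWN"   # Tomcat's out-of-the-box shutdown string
MIN_COMMAND_LENGTH = 16        # threshold chosen for this example, not a Tomcat rule
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample 1: the stock layout, shutdown port open with the default string.
STOCK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample 2: the option the thread recommends, shutdown port disabled.
# The command is kept long anyway; note that '&' must be written as &amp; in XML.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="Tr0ub4dor&amp;3-horse-battery-staple">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_shutdown(server_xml) -> dict:
    """Parse a server.xml document and return the shutdown facts plus findings.

    Missing attributes fall back to Tomcat's defaults (port 8005, command
    "SHUTDOWN", bound to localhost).  ElementTree returns the attribute value
    with XML entities already decoded, which is the string Tomcat compares
    against what it reads from the shutdown socket.
    """
    data = server_xml.encode("utf-8") if isinstance(server_xml, str) else server_xml
    root = ET.fromstring(data)
    if root.tag != "Server":
        raise ValueError(f"expected <Server> as root element, got <{root.tag}>")
    port = int(root.get("port", "8005"))
    command = root.get("shutdown", DEFAULT_COMMAND)
    address = root.get("address", "localhost")

    findings = []
    if port != -1:  # with port="-1" nothing listens, so the string no longer matters
        if command == DEFAULT_COMMAND:
            findings.append('shutdown command is the default "SHUTDOWN"')
        elif len(command) < MIN_COMMAND_LENGTH:
            findings.append(f"shutdown command shorter than {MIN_COMMAND_LENGTH} characters")
        if address not in LOOPBACK:
            findings.append(f"shutdown port bound to non-loopback address {address}")

    return {
        "port": port,
        "address": address,
        "command_length": len(command),
        "disabled": port == -1,
        "findings": findings,
    }


def is_hardened(server_xml) -> bool:
    """True when the shutdown port is off, or on with no findings against it."""
    return not audit_shutdown(server_xml)["findings"]


if __name__ == "__main__":
    for label, doc in (("stock", STOCK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_shutdown(doc)
        print(f"{label}: port={result['port']} hardened={is_hardened(doc)}")
        for finding in result["findings"]:
            print(f"    {finding}")
```

Point it at a real file with audit_shutdown(open("conf/server.xml").read()); the defaults inside the function mirror Tomcat's own, so an attribute left out of the file is judged the way Tomcat would treat it.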



Re: Tomcat shutdown password complexity

2020-05-08 Thread calder
On Fri, May 8, 2020, 19:20 Robert Hicks  wrote:

> I am trying to find what the password complexity can be. I've looked at
> several hardening guides and they are all "WordsLikeThis". Does the
> shutdown password take symbols and numbers or at least hyphenated words?
>

We've never had occasion to use the password, because we disable shutdown
(the better option).

However, my best guess is one could use anything.  One could check the source
code, or better yet, set up a Dev instance and give it a quick test - a 15
minute exercise at most.

>


Re: log4j failed on tomcat9

2020-05-08 Thread AJ Chen
More test info trying to isolate the problem:
Task:
  developing web app project on eclipse 2019 version. main project
includes a dependent project (sub-project) on the same eclipse.

Run main app as java app:
  main app vm parameters include: -Dlog4j.configurationFile,
LogManager.getLogger() returns correct logger in main app as well as
sub-project code. meaning, Log4j2 messages can print as expected. no error.

Run web app on tomcat 9, 8 or 7:
For the tomcat runtime classpath, eclipse requires adding the sub-project and
all the jars needed (including log4j2 jars), otherwise it complains with a no
class found error. However, after log4j2 jars are added, it throws the
above " ERROR StatusLogger Unrecognized format specifier " errors. The web
app can run. Log4j2 messages can print in the main app code. BUT, the Logger
in the sub-project code does not print messages because it has this error.

The cause may be in tomcat or in log4j2, or even eclipse. Any idea?

thanks,
-aj



On Fri, May 8, 2020 at 11:21 AM AJ Chen  wrote:

> Hi Mark,
> I also use log4j2 in my web app. dev in eclipse, when adding the log4j2
> jars to tomcat 7,8, or 9 runtime, it has this problem, log4j2.xml is
> provided as VM parameter. Web app first instantiates log4j2, and then
> tries to config log4j2 again, throwing the following error due to double
> class loading:
>
> ERROR StatusLogger Unrecognized format specifier [d]
> ERROR StatusLogger Unrecognized conversion specifier [d] starting at
> position 16 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [thread]
> ERROR StatusLogger Unrecognized conversion specifier [thread] starting at
> position 25 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [level]
> ERROR StatusLogger Unrecognized conversion specifier [level] starting at
> position 35 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [logger]
> ERROR StatusLogger Unrecognized conversion specifier [logger] starting at
> position 47 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [msg]
> ERROR StatusLogger Unrecognized conversion specifier [msg] starting at
> position 54 in conversion pattern.
> ERROR StatusLogger Unrecognized format specifier [n]
> ERROR StatusLogger Unrecognized conversion specifier [n] starting at
> position 56 in conversion pattern.
> ERROR StatusLogger Reconfiguration failed: No configuration found for
> '18b4aac2' at 'null' in 'null'
>
> Please note there is problem in the simple log4j2.xml for testing, which
> can be loaded successfully when there is no double class loading.
>
> -aj
>
>
> On Thu, May 7, 2020 at 1:53 PM Mark Thomas  wrote:
>
>> On 07/05/2020 21:40, AJ Chen wrote:
>> > I use eclipse to develop web app for tomcat, Web app has a dependent
>> > project and so the dependent project and all jars are added on the
>> > classpath for tomcat runtime. Log4j works on tomcat 6. But after
>> upgrade to
>> > tomcat 9, log4j failed to start with the following error. Anyone has
>> seen
>> > similar problem? log4j2 also failed. Thanks.
>>
>> Note: log4j is no longer supported.
>>
>> How, exactly, is log4j configured? What JAR files and what configuration
>> files are where? Any other configuration?
>>
>> Mark
>>
>>
>> >
>> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
>> > assignable to a "org.apache.log4j.Appender" variable.
>> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
>> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object
>> of
>> > type
>> > log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
>> > [ParallelWebappClassLoader
>> >
>> > aj
>> >
>>
>>


Tomcat shutdown password complexity

2020-05-08 Thread Robert Hicks
I am trying to find what the password complexity can be. I've looked at
several hardening guides and they are all "WordsLikeThis". Does the
shutdown password take symbols and numbers or at least hyphenated words?

Thanks,

Bob


Re: how do I switch class loaders

2020-05-08 Thread Jonathan Yom-Tov
Got it! Using http://jhades.github.io/ it was quick and easy to find out
that the offending class was indeed loaded from two different jar files.
After I removed one of them casting worked with no issues. I didn't know
jar hell could result in ClassCastException, but you learn something new
every day.

Thanks everyone for your help. Olaf I found your suggestion especially
helpful. Have a good weekend :-)



On Fri, May 8, 2020 at 9:29 PM Olaf Kock  wrote:

>
> On 08.05.20 19:50, Christopher Schultz wrote:
> > Olaf,
> >
> > On 5/8/20 13:19, Olaf Kock wrote:
> >
> > > You might want to hunt down duplicate classes in the JAR files on
> > > your classpath. Worst case: unpack them all in temporary
> > > directories and check for occurrences of the filename. Make sure
> > > that one doesn't overwrite the other when unzipping.
> >
> > Or unpack them all and let the unzipper tell you if there are any
> > filename collisions.
> >
> > Someone has probably written a "classpath scanner" that will just
> > unzip everything and look for conflicts.
>
>
> I've gotten follow up questions on how to use those tools in the past.
> Key is to identify all the jars, less the options of the tool, but since
> then I've just reverted to mention the low-tech version, and am not even
> ashamed ;)
>
> That's not to say that I don't trust Jonathan to use a classpath scanner
> - it's just a low-tech-preference out of habit.
>
> Plus, due to this habit, I currently can't come up with a tool's name to
> look for :D
>
> Olaf
>
>
>
>
>

-- 
Jonathan Yom-Tov
Senior Architect
jonathan.yom...@sysaid.com
Phone (IL): +972 (3) 533-3675 Ext. 932


Re: how do I switch class loaders

2020-05-08 Thread Olaf Kock


On 08.05.20 19:50, Christopher Schultz wrote:
> Olaf,
>
> On 5/8/20 13:19, Olaf Kock wrote:
>
> > You might want to hunt down duplicate classes in the JAR files on
> > your classpath. Worst case: unpack them all in temporary
> > directories and check for occurrences of the filename. Make sure
> > that one doesn't overwrite the other when unzipping.
>
> Or unpack them all and let the unzipper tell you if there are any
> filename collisions.
>
> Someone has probably written a "classpath scanner" that will just
> unzip everything and look for conflicts.


I've gotten follow up questions on how to use those tools in the past.
Key is to identify all the jars, less the options of the tool, but since
then I've just reverted to mention the low-tech version, and am not even
ashamed ;)

That's not to say that I don't trust Jonathan to use a classpath scanner
- it's just a low-tech-preference out of habit.

Plus, due to this habit, I currently can't come up with a tool's name to
look for :D

Olaf






Re: log4j failed on tomcat9

2020-05-08 Thread AJ Chen
Hi Mark,
I also use log4j2 in my web app. dev in eclipse, when adding the log4j2
jars to tomcat 7,8, or 9 runtime, it has this problem, log4j2.xml is
provided as VM parameter. Web app first instantiates log4j2, and then
tries to config log4j2 again, throwing the following error due to double
class loading:

ERROR StatusLogger Unrecognized format specifier [d]
ERROR StatusLogger Unrecognized conversion specifier [d] starting at
position 16 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [thread]
ERROR StatusLogger Unrecognized conversion specifier [thread] starting at
position 25 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [level]
ERROR StatusLogger Unrecognized conversion specifier [level] starting at
position 35 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [logger]
ERROR StatusLogger Unrecognized conversion specifier [logger] starting at
position 47 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [msg]
ERROR StatusLogger Unrecognized conversion specifier [msg] starting at
position 54 in conversion pattern.
ERROR StatusLogger Unrecognized format specifier [n]
ERROR StatusLogger Unrecognized conversion specifier [n] starting at
position 56 in conversion pattern.
ERROR StatusLogger Reconfiguration failed: No configuration found for
'18b4aac2' at 'null' in 'null'

Please note there is problem in the simple log4j2.xml for testing, which
can be loaded successfully when there is no double class loading.

-aj


On Thu, May 7, 2020 at 1:53 PM Mark Thomas  wrote:

> On 07/05/2020 21:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a dependent
> > project and so the dependent project and all jars are added on the
> > classpath for tomcat runtime. Log4j works on tomcat 6. But after upgrade
> to
> > tomcat 9, log4j failed to start with the following error. Anyone has seen
> > similar problem? log4j2 also failed. Thanks.
>
> Note: log4j is no longer supported.
>
> How, exactly, is log4j configured? What JAR files and what configuration
> files are where? Any other configuration?
>
> Mark
>
>
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is not
> > assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas object
> of
> > type
> > log4j:ERROR "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
> >
> > aj
> >
>
>
>
>


Re: how do I switch class loaders

2020-05-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Olaf,

On 5/8/20 13:19, Olaf Kock wrote:
>
> On 08.05.20 18:23, Jonathan Yom-Tov wrote:
>> Oops, my bad  But that still leaves my original issue: why do I
>> get a ClassCastException casting RedissonSessionManager to
>> RedissonSessionManager?
>
> The *only* reason that I've ever seen this happens (e.g. a class
> can't be typecast to a legitimate superclass or interface): When
> the superclass or interface is available through two different
> classloaders.
>
> The error message omits the classloader, and instead of
>
> A cannot be cast to B
>
> /should/ read
>
> A (from classloader X) cannot be cast to B (from classloader Y)
>
> You might want to hunt down duplicate classes in the JAR files on
> your classpath. Worst case: unpack them all in temporary
> directories and check for occurrences of the filename. Make sure
> that one doesn't overwrite the other when unzipping.

Or unpack them all and let the unzipper tell you if there are any
filename collisions.

Someone has probably written a "classpath scanner" that will just
unzip everything and look for conflicts.

- -chris

>> On Fri, 8 May 2020, 16:56 Luis Rodríguez Fernández,
>>  wrote:
>>
>>> Hello Jonathan,
>>>
>>> It is not exactly the same :), look at the "$2" appended at the
>>> end. This is an "anonymous inner class" [1]
>>>
>>> Cheers,
>>>
>>> Luis
>>>
>>> [1]
>>>
>>> https://stackoverflow.com/questions/11388840/java-compiled-classes-contain-dollar-signs
>>>
>>>
>>>
>>>
>>> El vie., 8 may. 2020 a las 11:52, Jonathan Yom-Tov (<
>>> jonathan.yom...@sysaid.com>) escribió:
>>>
>>>> This is very odd. I ran Tomcat with -verbose:class (see
>>>> relevant output below). The class is being loaded twice from
>>>> the same location, I'm guessing by two different class
>>>> loaders. How can that be?
>>>>
>>>> [Loaded org.redisson.tomcat.RedissonSessionManager from
>>>> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
>>>> [Loaded org.redisson.tomcat.RedissonSessionManager$2 from
>>>> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
>>>>
>>>> On Fri, May 8, 2020 at 11:04 AM Olaf Kock
>>>>  wrote:
>>>>
>>>>> On 08.05.20 09:37, Jonathan Yom-Tov wrote:
>>>>>> Thanks Mark. Just tried that. I put the redisson-tomcat
>>>>>> jar outside
>>> of
>>>>>> WEB-INF/lib and added it with scope provided. I get the
>>>>>> exact same
>>>> issue.
>>>>>> What am I doing wrong?
>>>>> Make sure, it's actually gone from your webapp. Depending
>>>>> on the deployment technique I've seen removed files to
>>>>> persist from previous deployments.
>>>>>
>>>>> You might need to fully undeploy, then deploy the new
>>>>> version without the jar in question. But inspect the
>>>>> runtime environment to make sure you only have a single
>>>>> library accessible. Having the same class available two
>>>>> different ways is a recipe for disaster, don't fix it by
>>>>> messing with the classloader: Fix it by eliminating one of
>>>>> them.
>>>>>
>>>>> You might also check if you're not accessing any wrapped
>>>>> object, e.g.
>>> by
>>>>> inspecting getManager(session).getClass().getName().
>>>>>
>>>>> Olaf
>>>>>
>>>>>
>>>>>
>>>>>> Here's my code:
>>>>>>
>>>>>> HttpSession session =
>>>>>> httpServletRequest.getSession(false); try {
>>>>>> RedissonSessionManager rsm = (RedissonSessionManager)
>>>>> getManager(session);
>>>>>> } catch (Exception e) { e.printStackTrace(); }
>>>>>>
>>>>>> private Manager getManager(HttpSession session) throws
>>>>>> Exception {
>>>>>>
>>>>>> Field facadeSessionField =
>>>>>> StandardSessionFacade.class.getDeclaredField("session");
>>>>>> facadeSessionField.setAccessible(true); StandardSession
>>>>>> stdSession = (StandardSession)
>>>>>> facadeSessionField.get(session);
>>>>>>
>>>>>> return stdSession.getManager(); }
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, May 7, 2020 at 11:52 PM Mark Thomas
>>>>>> 
>>> wrote:
>>>>>>> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
>>>>>>>> My application uses Redisson (a client which persists
>>>>>>>> the session
>>> to
>>>>>>>> Redis). There are two Redisson jar files located in
>>>> $CATALINA_HOME/lib,
>>>>>>> so
>>>>>>>> if I understand the docs correctly they're loaded by
>>>>>>>> the common
>>> class
>>>>>>>> loader.
>>>>>>>>
>>>>>>>> I want to access the RedissonSessionManager class
>>>>>>>> during a request.
>>>> The
>>>>>>>> problem is that if I do something like
>>>>>>>> RedissonSessionManager
>>>> manager =
>>>>>>>> (RedissonSessionManager) session.getManager() I get
>>>>>>>> a
>>>>> ClassCastException,
>>>>>>>> presumably because they were loaded by different
>>>>>>>> class loaders.
>>>>>>>>
>>>>>>>> Will it help if I somehow access the common class
>>>>>>>> loader for this?
>>> If
>>>>> so
>>>>>>>> how can I do that? If not is there some other way I
>>>>>>>> can achieve
>>> this?
>>>>>>> Make sure you don't have those JARs in your
>>>>>>> application's
>>> WEB-INF/lib
>>>> as
>>>>>>> well as $CATALINA_BASE/lib.
>>>>>>>
>>>>>>> In any recent version of Tomcat 

Re: how do I switch class loaders

2020-05-08 Thread Olaf Kock


On 08.05.20 18:23, Jonathan Yom-Tov wrote:
> Oops, my bad  But that still leaves my original issue: why do I get a
> ClassCastException casting RedissonSessionManager to
> RedissonSessionManager?

The *only* reason that I've ever seen this happens (e.g. a class can't
be typecast to a legitimate superclass or interface): When the
superclass or interface is available through two different classloaders.

The error message omits the classloader, and instead of

  A cannot be cast to B

/should/ read

   A (from classloader X) cannot be cast to B (from classloader Y)

You might want to hunt down duplicate classes in the JAR files on your
classpath. Worst case: unpack them all in temporary directories and
check for occurrences of the filename. Make sure that one doesn't
overwrite the other when unzipping.

Olaf



> On Fri, 8 May 2020, 16:56 Luis Rodríguez Fernández, 
> wrote:
>
>> Hello Jonathan,
>>
>> It is not exactly the same :), look at the "$2" appended at the end. This is
>> an "anonymous inner class" [1]
>>
>> Cheers,
>>
>> Luis
>>
>> [1]
>>
>> https://stackoverflow.com/questions/11388840/java-compiled-classes-contain-dollar-signs
>>
>>
>> El vie., 8 may. 2020 a las 11:52, Jonathan Yom-Tov (<
>> jonathan.yom...@sysaid.com>) escribió:
>>
>>> This is very odd. I ran Tomcat with -verbose:class (see relevant output
>>> below). The class is being loaded twice from the same location, I'm
>>> guessing by two different class loaders. How can that be?
>>>
>>> [Loaded org.redisson.tomcat.RedissonSessionManager from
>>> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
>>> [Loaded org.redisson.tomcat.RedissonSessionManager$2 from
>>> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
>>>
>>> On Fri, May 8, 2020 at 11:04 AM Olaf Kock  wrote:
>>>
>>>> On 08.05.20 09:37, Jonathan Yom-Tov wrote:
>>>>> Thanks Mark. Just tried that. I put the redisson-tomcat jar outside
>> of
>>>>> WEB-INF/lib and added it with scope provided. I get the exact same
>>> issue.
>>>>> What am I doing wrong?
>>>> Make sure, it's actually gone from your webapp. Depending on the
>>>> deployment technique I've seen removed files to persist from previous
>>>> deployments.
>>>>
>>>> You might need to fully undeploy, then deploy the new version without
>>>> the jar in question. But inspect the runtime environment to make sure
>>>> you only have a single library accessible. Having the same class
>>>> available two different ways is a recipe for disaster, don't fix it by
>>>> messing with the classloader: Fix it by eliminating one of them.
>>>>
>>>> You might also check if you're not accessing any wrapped object, e.g.
>> by
>>>> inspecting getManager(session).getClass().getName().
>>>>
>>>> Olaf
>>>>
>>>>
>>>>
>>>>> Here's my code:
>>>>>
>>>>> HttpSession session = httpServletRequest.getSession(false);
>>>>> try {
>>>>> RedissonSessionManager rsm = (RedissonSessionManager)
>>>> getManager(session);
>>>>> } catch (Exception e) {
>>>>> e.printStackTrace();
>>>>> }
>>>>>
>>>>> private Manager getManager(HttpSession session) throws Exception {
>>>>>
>>>>> Field facadeSessionField =
>>>>> StandardSessionFacade.class.getDeclaredField("session");
>>>>> facadeSessionField.setAccessible(true);
>>>>> StandardSession stdSession = (StandardSession)
>>>>> facadeSessionField.get(session);
>>>>>
>>>>> return stdSession.getManager();
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> On Thu, May 7, 2020 at 11:52 PM Mark Thomas 
>> wrote:
>>>>>> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
>>>>>>> My application uses Redisson (a client which persists the session
>> to
>>>>>>> Redis). There are two Redisson jar files located in
>>> $CATALINA_HOME/lib,
>>>>>> so
>>>>>>> if I understand the docs correctly they're loaded by the common
>> class
>>>>>>> loader.
>>>>>>>
>>>>>>> I want to access the RedissonSessionManager class during a request.
>>> The
>>>>>>> problem is that if I do something like RedissonSessionManager
>>> manager =
>>>>>>> (RedissonSessionManager) session.getManager() I get a
>>>> ClassCastException,
>>>>>>> presumably because they were loaded by different class loaders.
>>>>>>>
>>>>>>> Will it help if I somehow access the common class loader for this?
>> If
>>>> so
>>>>>>> how can I do that? If not is there some other way I can achieve
>> this?
>>>>>> Make sure you don't have those JARs in your application's
>> WEB-INF/lib
>>> as
>>>>>> well as $CATALINA_BASE/lib.
>>>>>>
>>>>>> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will
>> be
>>>>>> visible to your application.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>

Re: log4j failed on tomcat9

2020-05-08 Thread AJ Chen
Hi Chris,
my web app META-INF/lib has log4j jar,  but CATALINA_BASE/lib does not have
log4j jar listed.
It should be double loading class issue. I need to find out how to exclude
the unwanted classloading.
-aj


On Thu, May 7, 2020 at 2:48 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> AJ,
>
> On 5/7/20 16:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a
> > dependent project and so the dependent project and all jars are
> > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > But after upgrade to tomcat 9, log4j failed to start with the
> > following error. Anyone has seen similar problem? log4j2 also
> > failed. Thanks.
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > not assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > object of type log4j:ERROR
> > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
>
> Can I just say that the above is a masterpiece of diagnostic error
> messaging?
>
> I can already tell that you have a classloading issue, and it's almost
> certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> application's META-INF/lib directory. Is that the case?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
> pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
> JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
> htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
> gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
> Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
> i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
> pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
> 2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
> JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
> 8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
> 3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
> =IVj+
> -END PGP SIGNATURE-
>
>
>

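The duplicate-class hunt Olaf and Chris describe in the "how do I switch class loaders" thread and the double-loaded log4j JAR Chris diagnoses above are the same check. The script below is an added example, not code from either thread, from Tomcat or from any tool mentioned in them: it lists every .class entry across a set of JARs, reports the classes that occur in more than one JAR, and separately flags the ones reachable both from a parent loader's directory and from a webapp, which is the arrangement that produces "A cannot be cast to A" and log4j's "loaded by AppClassLoader ... whereas ... loaded by ParallelWebappClassLoader". The directory names, JAR names and class lists are constructed sample data built in memory; scan_directories() is a helper defined here for pointing the same check at real directories. Luis's point about the "$2" suffix shows up as well: RedissonSessionManager$2 is a distinct class and is not reported as a duplicate.

```python
"""Report classes that are reachable from more than one JAR.

Added example, not code from the mailing-list threads, from Tomcat or from
any tool mentioned in them.  It automates what Olaf describes doing by hand
(unpack every JAR and look for the same file name twice) and what Chris
calls a "classpath scanner".  The JARs are built in memory and are
constructed sample data; scan_directories() does the same for real
directories of JAR files.
"""
import io
import zipfile
from collections import defaultdict
from pathlib import Path


def make_jar(entries):
    """Build a minimal in-memory JAR (a zip) holding the named entries (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant here
    return buf.getvalue()


LOG4J_CLASSES = ["org/apache/log4j/Appender.class",
                 "org/apache/log4j/DailyRollingFileAppender.class"]

# Constructed layout: {loader location: {jar file name: jar bytes}}.  The same
# log4j JAR sits on a parent loader's path and inside the webapp, which is the
# situation behind "Appender was loaded by AppClassLoader whereas
# DailyRollingFileAppender was loaded by ParallelWebappClassLoader".
SAMPLE_LAYOUT = {
    "CATALINA_BASE/lib": {
        "log4j-1.2.17.jar": make_jar(LOG4J_CLASSES),
        "redisson-tomcat-9-3.12.2.jar": make_jar([
            "org/redisson/tomcat/RedissonSessionManager.class",
            "org/redisson/tomcat/RedissonSessionManager$2.class",  # anonymous inner class
        ]),
    },
    "webapps/app/WEB-INF/lib": {
        "log4j-1.2.17.jar": make_jar(LOG4J_CLASSES),
        "app-core.jar": make_jar(["com/example/app/Main.class"]),
    },
}


def index_classes(layout):
    """Map each binary class name to the 'location/jar' paths that contain it."""
    where = defaultdict(list)
    for location, jars in layout.items():
        for jar_name, data in jars.items():
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for entry in zf.namelist():
                    if entry.endswith(".class"):
                        class_name = entry[:-len(".class")].replace("/", ".")
                        where[class_name].append(f"{location}/{jar_name}")
    return where


def find_duplicates(layout):
    """Classes present in more than one JAR, regardless of loader location."""
    return {cls: sorted(paths) for cls, paths in index_classes(layout).items()
            if len(paths) > 1}


def cross_loader_duplicates(layout, parent_location="CATALINA_BASE/lib"):
    """Duplicates with one copy under the parent loader's directory and another
    elsewhere.  Each loader defines its own class object, which is what makes
    a cast of RedissonSessionManager to RedissonSessionManager fail."""
    prefix = parent_location + "/"
    return {cls: paths for cls, paths in find_duplicates(layout).items()
            if any(p.startswith(prefix) for p in paths)
            and any(not p.startswith(prefix) for p in paths)}


def scan_directories(directories):
    """Build a layout from real directories of JARs, e.g.
    scan_directories(["/opt/tomcat/lib", "/opt/tomcat/webapps/app/WEB-INF/lib"])."""
    return {d: {p.name: p.read_bytes() for p in sorted(Path(d).glob("*.jar"))}
            for d in directories}


if __name__ == "__main__":
    for cls, paths in sorted(cross_loader_duplicates(SAMPLE_LAYOUT).items()):
        print(f"{cls} is defined in {len(paths)} JARs:")
        for p in paths:
            print(f"    {p}")
```

Running the scanner over the sample layout names the two log4j classes and the two JARs each lives in, which is the answer to Chris's "Is that the case?" question; the Redisson manager and its $2 inner class are each present once and stay out of the report.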

Re: log4j failed on tomcat9

2020-05-08 Thread AJ Chen
Hi Luis, good blog for logging settings. thanks.
-aj


On Thu, May 7, 2020 at 11:42 PM Luis Rodríguez Fernández 
wrote:

> Hello AjChen,
>
> Here [1] you can find an example of how I configured log4j2 in tomcat 9.
> You can skip all the bla, bla, bla and go directly to the gitthub repo [2]
> and run the example to have a look at the configuration.
>
> Note: I've been running like this for a while in production, but I do think
> that I am going to come back to the default, beautiful and simple JULI :)
>
> Hope it helps,
>
> Luis
>
> [1]
>
> https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2019-03-keeping-your-logs-clean-apache-tomcat-9-log4j2-and-spring-boot
> [2] https://github.com/lurodrig/log4j2-in-tomcat/
>
> El jue., 7 may. 2020 a las 23:48, Christopher Schultz (<
> ch...@christopherschultz.net>) escribió:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > AJ,
> >
> > On 5/7/20 16:40, AJ Chen wrote:
> > > I use eclipse to develop web app for tomcat, Web app has a
> > > dependent project and so the dependent project and all jars are
> > > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > > But after upgrade to tomcat 9, log4j failed to start with the
> > > following error. Anyone has seen similar problem? log4j2 also
> > > failed. Thanks.
> > >
> > > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > > not assignable to a "org.apache.log4j.Appender" variable.
> > > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > > object of type log4j:ERROR
> > > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > > [ParallelWebappClassLoader
> >
> > Can I just say that the above is a masterpiece of diagnostic error
> > messaging?
> >
> > I can already tell that you have a classloading issue, and it's almost
> > certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> > application's META-INF/lib directory. Is that the case?
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl60gjsACgkQHPApP6U8
> > pFgydxAAvnJ1tJFklOMnsHnx+gFn7m0UkWjs1Sj+1zurmjuAzd64aXjwt8Mh2FRH
> > JaJ4R0kYaHruoJxNDKelS+FIYgn1qe7D7LE7uq6gmNHg5b1JruoUXbk2GcaTfM55
> > htu9idB/JOyx5lmlP4tR6E/K7HctM6h2A7zuJ2s98VM2WljU/Ts6v5R1C53JbXq6
> > gzB0g6XYyVnuQx/9qoSyOSqKIBp3jLp2G8JlKje7SzKZcJeXSzq0HPUX6Do15VK1
> > Rl8ineKRjwDHgujjN3DiXqh+BnbdY6URsFApwGVxNLqh/ykIQYIHVxCGuRv9+W3D
> > i0Uxx9C2p6rb6Nr8Tk6lxZjx1IMCC0JuKaunHPt6bQ26s/VNEROU5aztQ5RF/ynN
> > pjFvwa/UIR6/i5u7mtGo2WBRLmH04KOu/7ZS8FL4ieKHXuaGGDvZlTe3AZ8hBPNx
> > 2jHtmpqWiQaw1+lMnL7RxrmGBISIWSH4+MAKXWDzM4OSeTsKxTv2gcZ14Z9HfYZm
> > JGO3DGgOSfWAnFSTYX9L/NodRfIDXLMPTAG/epWzSSiF5tf6nAzWNj6Vbi1L0VnS
> > 8IdfqHavSGeIqhDqwTSwuQhXYdoc6AyBdY5WIYEGiUNu789b9SjNlY8/EWqjrJKx
> > 3Au9YxYkMTqi2SL/r1cCd8HU+imS9L3aSZPKaOn73AsTtux/VCA=
> > =IVj+
> > -END PGP SIGNATURE-
> >
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>


Re: how do I switch class loaders

2020-05-08 Thread Jonathan Yom-Tov
Oops, my bad  But that still leaves my original issue: why do I get a
ClassCastException casting RedissonSessionManager to
RedissonSessionManager?

On Fri, 8 May 2020, 16:56 Luis Rodríguez Fernández, 
wrote:

> Hello Jonathan,
>
> It is not exactly the same :), look at the "$2" appended at the end. This is
> an "anonymous inner class" [1]
>
> Cheers,
>
> Luis
>
> [1]
>
> https://stackoverflow.com/questions/11388840/java-compiled-classes-contain-dollar-signs
>
>
> El vie., 8 may. 2020 a las 11:52, Jonathan Yom-Tov (<
> jonathan.yom...@sysaid.com>) escribió:
>
> > This is very odd. I ran Tomcat with -verbose:class (see relevant output
> > below). The class is being loaded twice from the same location, I'm
> > guessing by two different class loaders. How can that be?
> >
> > [Loaded org.redisson.tomcat.RedissonSessionManager from
> > file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
> > [Loaded org.redisson.tomcat.RedissonSessionManager$2 from
> > file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
> >
> > On Fri, May 8, 2020 at 11:04 AM Olaf Kock  wrote:
> >
> > >
> > > On 08.05.20 09:37, Jonathan Yom-Tov wrote:
> > > > Thanks Mark. Just tried that. I put the redisson-tomcat jar outside
> of
> > > > WEB-INF/lib and added it with scope provided. I get the exact same
> > issue.
> > > > What am I doing wrong?
> > >
> > > Make sure, it's actually gone from your webapp. Depending on the
> > > deployment technique I've seen removed files to persist from previous
> > > deployments.
> > >
> > > You might need to fully undeploy, then deploy the new version without
> > > the jar in question. But inspect the runtime environment to make sure
> > > you only have a single library accessible. Having the same class
> > > available two different ways is a recipe for disaster, don't fix it by
> > > messing with the classloader: Fix it by eliminating one of them.
> > >
> > > You might also check if you're not accessing any wrapped object, e.g.
> by
> > > inspecting getManager(session).getClass().getName().
> > >
> > > Olaf
> > >
> > >
> > >
> > > > Here's my code:
> > > >
> > > > HttpSession session = httpServletRequest.getSession(false);
> > > > try {
> > > > RedissonSessionManager rsm = (RedissonSessionManager)
> > > getManager(session);
> > > > } catch (Exception e) {
> > > > e.printStackTrace();
> > > > }
> > > >
> > > > private Manager getManager(HttpSession session) throws Exception {
> > > >
> > > > Field facadeSessionField =
> > > > StandardSessionFacade.class.getDeclaredField("session");
> > > > facadeSessionField.setAccessible(true);
> > > > StandardSession stdSession = (StandardSession)
> > > > facadeSessionField.get(session);
> > > >
> > > > return stdSession.getManager();
> > > > }
> > > >
> > > >
> > > >
> > > > On Thu, May 7, 2020 at 11:52 PM Mark Thomas 
> wrote:
> > > >
> > > >> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
> > > >>> My application uses Redisson (a client which persists the session
> to
> > > >>> Redis). There are two Redisson jar files located in
> > $CATALINA_HOME/lib,
> > > >> so
> > > >>> if I understand the docs correctly they're loaded by the common
> class
> > > >>> loader.
> > > >>>
> > > >>> I want to access the RedissonSessionManager class during a request.
> > The
> > > >>> problem is that if I do something like RedissonSessionManager
> > manager =
> > > >>> (RedissonSessionManager) session.getManager() I get a
> > > ClassCastException,
> > > >>> presumably because they were loaded by different class loaders.
> > > >>>
> > > >>> Will it help if I somehow access the common class loader for this?
> If
> > > so
> > > >>> how can I do that? If not is there some other way I can achieve
> this?
> > > >> Make sure you don't have those JARs in your application's
> WEB-INF/lib
> > as
> > > >> well as $CATALINA_BASE/lib.
> > > >>
> > > >> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will
> be
> > > >> visible to your application.
> > > >>
> > > >> Mark
> > > >>
> > > >>
> >
> > --
> > Jonathan Yom-Tov
> > Senior Architect
> > jonathan.yom...@sysaid.com
> > Phone (IL): +972 (3) 533-3675 Ext. 932

Re: APR connector questions

2020-05-08 Thread Christopher Schultz

Daniel,

On 5/8/20 04:25, daniel@dell.com wrote:
> We are changing from the NIO connector to the APR connector to enable FIPS
> mode in Tomcat. But we hit a Tomcat hang issue: the SSL handshake gives no
> response after running for a long time, and there are many CLOSE_WAIT
> entries in the netstat output. Do you have any advice about that issue?

Can you please post your <Connector> configuration? Remember to remove
any secrets that may be in there.

You may be interested to know that FIPS is available through Java,
though not through Sun's JSSE provider.

https://stackoverflow.com/questions/5046482/which-jce-providers-are-fips-140-2-compliant

You may also be interested in the fact that FIPS mode doesn't really
offer any additional security. In certain cases, it may reduce your
security because of the various required-supported algorithms which,
honestly, should never be used in production.

-chris




Re: how do I switch class loaders

2020-05-08 Thread Luis Rodríguez Fernández
Hello Jonathan,

It is not exactly the same :), look at the "$2" appended at the end. This is
an "anonymous inner class" [1].

Cheers,

Luis

[1]
https://stackoverflow.com/questions/11388840/java-compiled-classes-contain-dollar-signs


On Fri., 8 May 2020 at 11:52, Jonathan Yom-Tov (<
jonathan.yom...@sysaid.com>) wrote:

> This is very odd. I ran Tomcat with -verbose:class (see relevant output
> below). The class is being loaded twice from the same location, I'm
> guessing by two different class loaders. How can that be?
>
> [Loaded org.redisson.tomcat.RedissonSessionManager from
> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
> [Loaded org.redisson.tomcat.RedissonSessionManager$2 from
> file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
>
> On Fri, May 8, 2020 at 11:04 AM Olaf Kock  wrote:
>
> >
> > On 08.05.20 09:37, Jonathan Yom-Tov wrote:
> > > Thanks Mark. Just tried that. I put the redisson-tomcat jar outside of
> > > WEB-INF/lib and added it with scope provided. I get the exact same
> issue.
> > > What am I doing wrong?
> >
> > Make sure it's actually gone from your webapp. Depending on the
> > deployment technique I've seen removed files persist from previous
> > deployments.
> >
> > You might need to fully undeploy, then deploy the new version without
> > the jar in question. But inspect the runtime environment to make sure
> > you only have a single library accessible. Having the same class
> > available two different ways is a recipe for disaster; don't fix it by
> > messing with the classloader: fix it by eliminating one of them.
> >
> > You might also check if you're not accessing any wrapped object, e.g. by
> > inspecting getManager(session).getClass().getName().
> >
> > Olaf
> >
> >
> >
> > > Here's my code:
> > >
> > > HttpSession session = httpServletRequest.getSession(false);
> > > try {
> > > RedissonSessionManager rsm = (RedissonSessionManager)
> > getManager(session);
> > > } catch (Exception e) {
> > > e.printStackTrace();
> > > }
> > >
> > > private Manager getManager(HttpSession session) throws Exception {
> > >
> > > Field facadeSessionField =
> > > StandardSessionFacade.class.getDeclaredField("session");
> > > facadeSessionField.setAccessible(true);
> > > StandardSession stdSession = (StandardSession)
> > > facadeSessionField.get(session);
> > >
> > > return stdSession.getManager();
> > > }
> > >
> > >
> > >
> > > On Thu, May 7, 2020 at 11:52 PM Mark Thomas  wrote:
> > >
> > >> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
> > >>> My application uses Redisson (a client which persists the session to
> > >>> Redis). There are two Redisson jar files located in
> $CATALINA_HOME/lib,
> > >> so
> > >>> if I understand the docs correctly they're loaded by the common class
> > >>> loader.
> > >>>
> > >>> I want to access the RedissonSessionManager class during a request.
> The
> > >>> problem is that if I do something like RedissonSessionManager
> manager =
> > >>> (RedissonSessionManager) session.getManager() I get a
> > ClassCastException,
> > >>> presumably because they were loaded by different class loaders.
> > >>>
> > >>> Will it help if I somehow access the common class loader for this? If
> > so
> > >>> how can I do that? If not is there some other way I can achieve this?
> > >> Make sure you don't have those JARs in your application's WEB-INF/lib
> as
> > >> well as $CATALINA_BASE/lib.
> > >>
> > >> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will be
> > >> visible to your application.
> > >>
> > >> Mark
> > >>
> > >>
> > >>
> >
> >
> >
>
> --
> Jonathan Yom-Tov
> Senior Architect
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett


Re: how do I switch class loaders

2020-05-08 Thread Jonathan Yom-Tov
This is very odd. I ran Tomcat with -verbose:class (see relevant output
below). The class is being loaded twice from the same location, I'm
guessing by two different class loaders. How can that be?

[Loaded org.redisson.tomcat.RedissonSessionManager from
file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]
[Loaded org.redisson.tomcat.RedissonSessionManager$2 from
file:/C:/dev/tomcat.9.0.19/lib/redisson-tomcat-9-3.12.2.jar]

On Fri, May 8, 2020 at 11:04 AM Olaf Kock  wrote:

>
> On 08.05.20 09:37, Jonathan Yom-Tov wrote:
> > Thanks Mark. Just tried that. I put the redisson-tomcat jar outside of
> > WEB-INF/lib and added it with scope provided. I get the exact same issue.
> > What am I doing wrong?
>
> Make sure it's actually gone from your webapp. Depending on the
> deployment technique I've seen removed files persist from previous
> deployments.
>
> You might need to fully undeploy, then deploy the new version without
> the jar in question. But inspect the runtime environment to make sure
> you only have a single library accessible. Having the same class
> available two different ways is a recipe for disaster; don't fix it by
> messing with the classloader: fix it by eliminating one of them.
>
> You might also check if you're not accessing any wrapped object, e.g. by
> inspecting getManager(session).getClass().getName().
>
> Olaf
>
>
>
> > Here's my code:
> >
> > HttpSession session = httpServletRequest.getSession(false);
> > try {
> > RedissonSessionManager rsm = (RedissonSessionManager)
> getManager(session);
> > } catch (Exception e) {
> > e.printStackTrace();
> > }
> >
> > private Manager getManager(HttpSession session) throws Exception {
> >
> > Field facadeSessionField =
> > StandardSessionFacade.class.getDeclaredField("session");
> > facadeSessionField.setAccessible(true);
> > StandardSession stdSession = (StandardSession)
> > facadeSessionField.get(session);
> >
> > return stdSession.getManager();
> > }
> >
> >
> >
> > On Thu, May 7, 2020 at 11:52 PM Mark Thomas  wrote:
> >
> >> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
> >>> My application uses Redisson (a client which persists the session to
> >>> Redis). There are two Redisson jar files located in $CATALINA_HOME/lib,
> >> so
> >>> if I understand the docs correctly they're loaded by the common class
> >>> loader.
> >>>
> >>> I want to access the RedissonSessionManager class during a request. The
> >>> problem is that if I do something like RedissonSessionManager manager =
> >>> (RedissonSessionManager) session.getManager() I get a
> ClassCastException,
> >>> presumably because they were loaded by different class loaders.
> >>>
> >>> Will it help if I somehow access the common class loader for this? If
> so
> >>> how can I do that? If not is there some other way I can achieve this?
> >> Make sure you don't have those JARs in your application's WEB-INF/lib as
> >> well as $CATALINA_BASE/lib.
> >>
> >> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will be
> >> visible to your application.
> >>
> >> Mark
> >>
> >>
> >>
>
>
>

-- 
Jonathan Yom-Tov
Senior Architect


Offensive Penetration Attacks

2020-05-08 Thread Owasp_zap111
Letsencrypt.org please save me from all these attacks.
https://owasp.org/www-community/attacks/

List of Attacks

- [Binary Planting](https://owasp.org/www-community/attacks/Binary_planting)
- [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection)
- [Blind XPath Injection](https://owasp.org/www-community/attacks/Blind_XPath_Injection)
- [Brute Force Attack](https://owasp.org/www-community/attacks/Brute_force_attack)
- [Buffer Overflow via Environment Variables](https://owasp.org/www-community/attacks/Buffer_Overflow_via_Environment_Variables)
- [Buffer Overflow Attack](https://owasp.org/www-community/attacks/Buffer_overflow_attack)
- [CORS OriginHeaderScrutiny](https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny)
- [CORS RequestPreflighScrutiny](https://owasp.org/www-community/attacks/CORS_RequestPreflighScrutiny)
- [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection)
- [Cache Poisoning](https://owasp.org/www-community/attacks/Cache_Poisoning)
- [Cash Overflow](https://owasp.org/www-community/attacks/Cash_Overflow)
- [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking)
- [Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
- [Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
- [Comment Injection Attack](https://owasp.org/www-community/attacks/Comment_Injection_Attack)
- [Content Security Policy](https://owasp.org/www-community/attacks/Content_Security_Policy)
- [Content Spoofing](https://owasp.org/www-community/attacks/Content_Spoofing)
- [Cornucopia - Ecommerce Website Edition - Wiki Deck](https://owasp.org/www-community/attacks/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck) by Darío De Filippis
- [Credential stuffing](https://owasp.org/www-community/attacks/Credential_stuffing)
- [Cross-User Defacement](https://owasp.org/www-community/attacks/Cross-User_Defacement)
- [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) by KirstenS
- [Cross Frame Scripting](https://owasp.org/www-community/attacks/Cross_Frame_Scripting)
- [Cross Site History Manipulation (XSHM)](https://owasp.org/www-community/attacks/Cross_Site_History_Manipulation_(XSHM))
- [Cross Site Tracing](https://owasp.org/www-community/attacks/Cross_Site_Tracing)
- [Cryptanalysis](https://owasp.org/www-community/attacks/Cryptanalysis)
- [Custom Special Character Injection](https://owasp.org/www-community/attacks/Custom_Special_Character_Injection)
- [Denial of Service](https://owasp.org/www-community/attacks/Denial_of_Service)
- [Direct Dynamic Code Evaluation - Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)
- [Embedding Null Code](https://owasp.org/www-community/attacks/Embedding_Null_Code) by Nsrav
- [Execution After Redirect (EAR)](https://owasp.org/www-community/attacks/Execution_After_Redirect_(EAR)) by Robert Gilbert (amroot)
- [Forced browsing](https://owasp.org/www-community/attacks/Forced_browsing)
- [Form action hijacking](https://owasp.org/www-community/attacks/Form_action_hijacking) by Robert Gilbert (amroot)
- [Format string attack](https://owasp.org/www-community/attacks/Format_string_attack)
- [Full Path Disclosure](https://owasp.org/www-community/attacks/Full_Path_Disclosure)
- [Function Injection](https://owasp.org/www-community/attacks/Function_Injection)
- [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
- [LDAP Injection](https://owasp.org/www-community/attacks/LDAP_Injection)
- [Log Injection](https://owasp.org/www-community/attacks/Log_Injection)
- [Man-in-the-browser attack](https://owasp.org/www-community/attacks/Man-in-the-browser_attack)
- [Man-in-the-middle attack](https://owasp.org/www-community/attacks/Man-in-the-middle_attack)
- [Mobile code invoking untrusted mobile code](https://owasp.org/www-community/attacks/Mobile_code_invoking_untrusted_mobile_code)
- [Mobile code non-final public field](https://owasp.org/www-community/attacks/Mobile_code_non-final_public_field)
- [Mobile code object hijack](https://owasp.org/www-community/attacks/Mobile_code_object_hijack)
- [Parameter Delimiter](https://owasp.org/www-community/attacks/Parameter_Delimiter)
- [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [Qrljacking](https://owasp.org/www-community/attacks/Qrljacking)
- [Reflected DOM Injection](https://owasp.org/www-community/attacks/Reflected_DOM_Injection)
- [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
- [Repudiation Attack](https://owasp.org/www-community/attacks/Repudiation_Attack)
- [Resource Injection](https://owasp.org/www-community/attacks/Resource_Injection)
- [Reverse Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
- [SQL

RE: APR connector questions

2020-05-08 Thread Daniel.Sun
Dear experts:

Nowadays we are changing from the NIO connector to the APR connector to enable FIPS
mode in Tomcat.
But we hit a Tomcat hang issue: the SSL handshake gives no response after running for a long time.
There are many CLOSE_WAIT entries in the netstat output.
Do you have any advice about that issue?

BRs
Dan


Re: how do I switch class loaders

2020-05-08 Thread Olaf Kock


On 08.05.20 09:37, Jonathan Yom-Tov wrote:
> Thanks Mark. Just tried that. I put the redisson-tomcat jar outside of
> WEB-INF/lib and added it with scope provided. I get the exact same issue.
> What am I doing wrong?

Make sure it's actually gone from your webapp. Depending on the
deployment technique I've seen removed files persist from previous
deployments.

You might need to fully undeploy, then deploy the new version without
the jar in question. But inspect the runtime environment to make sure
you only have a single library accessible. Having the same class
available two different ways is a recipe for disaster; don't fix it by
messing with the classloader: fix it by eliminating one of them.

You might also check if you're not accessing any wrapped object, e.g. by
inspecting getManager(session).getClass().getName().

Olaf



> Here's my code:
>
> HttpSession session = httpServletRequest.getSession(false);
> try {
> RedissonSessionManager rsm = (RedissonSessionManager) getManager(session);
> } catch (Exception e) {
> e.printStackTrace();
> }
>
> private Manager getManager(HttpSession session) throws Exception {
>
> Field facadeSessionField =
> StandardSessionFacade.class.getDeclaredField("session");
> facadeSessionField.setAccessible(true);
> StandardSession stdSession = (StandardSession)
> facadeSessionField.get(session);
>
> return stdSession.getManager();
> }
>
>
>
> On Thu, May 7, 2020 at 11:52 PM Mark Thomas  wrote:
>
>> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
>>> My application uses Redisson (a client which persists the session to
>>> Redis). There are two Redisson jar files located in $CATALINA_HOME/lib,
>> so
>>> if I understand the docs correctly they're loaded by the common class
>>> loader.
>>>
>>> I want to access the RedissonSessionManager class during a request. The
>>> problem is that if I do something like RedissonSessionManager manager =
>>> (RedissonSessionManager) session.getManager() I get a ClassCastException,
>>> presumably because they were loaded by different class loaders.
>>>
>>> Will it help if I somehow access the common class loader for this? If so
>>> how can I do that? If not is there some other way I can achieve this?
>> Make sure you don't have those JARs in your application's WEB-INF/lib as
>> well as $CATALINA_BASE/lib.
>>
>> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will be
>> visible to your application.
>>
>> Mark
>>
>>
>>




Re: how do I switch class loaders

2020-05-08 Thread Jonathan Yom-Tov
Thanks Mark. Just tried that. I put the redisson-tomcat jar outside of
WEB-INF/lib and added it with scope provided. I get the exact same issue.
What am I doing wrong?

Here's my code:

import java.lang.reflect.Field;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Manager;
import org.apache.catalina.session.StandardSession;
import org.apache.catalina.session.StandardSessionFacade;
import org.redisson.tomcat.RedissonSessionManager;

// inside the request handler
HttpSession session = httpServletRequest.getSession(false);
try {
    RedissonSessionManager rsm = (RedissonSessionManager) getManager(session);
} catch (Exception e) {
    e.printStackTrace();
}

// Unwraps the StandardSessionFacade that Tomcat hands to the webapp to reach
// the underlying StandardSession and its Manager (reflection into Tomcat
// internals; the "session" field is private, hence setAccessible).
private Manager getManager(HttpSession session) throws Exception {
    Field facadeSessionField =
        StandardSessionFacade.class.getDeclaredField("session");
    facadeSessionField.setAccessible(true);
    StandardSession stdSession = (StandardSession) facadeSessionField.get(session);
    return stdSession.getManager();
}



On Thu, May 7, 2020 at 11:52 PM Mark Thomas  wrote:

> On 07/05/2020 21:36, Jonathan Yom-Tov wrote:
> > My application uses Redisson (a client which persists the session to
> > Redis). There are two Redisson jar files located in $CATALINA_HOME/lib,
> so
> > if I understand the docs correctly they're loaded by the common class
> > loader.
> >
> > I want to access the RedissonSessionManager class during a request. The
> > problem is that if I do something like RedissonSessionManager manager =
> > (RedissonSessionManager) session.getManager() I get a ClassCastException,
> > presumably because they were loaded by different class loaders.
> >
> > Will it help if I somehow access the common class loader for this? If so
> > how can I do that? If not is there some other way I can achieve this?
>
> Make sure you don't have those JARs in your application's WEB-INF/lib as
> well as $CATALINA_BASE/lib.
>
> In any recent version of Tomcat any JAR in $CATALINA_BASE/lib will be
> visible to your application.
>
> Mark
>
>
>

-- 
Jonathan Yom-Tov
Senior Architect


Re: log4j failed on tomcat9

2020-05-08 Thread Luis Rodríguez Fernández
Hello AjChen,

Here [1] you can find an example of how I configured log4j2 in tomcat 9.
You can skip all the bla, bla, bla and go directly to the gitthub repo [2]
and run the example to have a look at the configuration.

Note: I've been running like this for a while in production, but I do think
that I am going to come back to the default, beautiful and simple JULI :)

Hope it helps,

Luis

[1]
https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2019-03-keeping-your-logs-clean-apache-tomcat-9-log4j2-and-spring-boot
[2] https://github.com/lurodrig/log4j2-in-tomcat/

On Thu., 7 May 2020 at 23:48, Christopher Schultz (<
ch...@christopherschultz.net>) wrote:

>
> AJ,
>
> On 5/7/20 16:40, AJ Chen wrote:
> > I use eclipse to develop web app for tomcat, Web app has a
> > dependent project and so the dependent project and all jars are
> > added on the classpath for tomcat runtime. Log4j works on tomcat 6.
> > But after upgrading to Tomcat 9, log4j failed to start with the
> > following error. Anyone has seen similar problem? log4j2 also
> > failed. Thanks.
> >
> > log4j:ERROR A "org.apache.log4j.DailyRollingFileAppender" object is
> > not assignable to a "org.apache.log4j.Appender" variable.
> > log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
> > log4j:ERROR [sun.misc.Launcher$AppClassLoader@18b4aac2] whereas
> > object of type log4j:ERROR
> > "org.apache.log4j.DailyRollingFileAppender" was loaded by
> > [ParallelWebappClassLoader
>
> Can I just say that the above is a masterpiece of diagnostic error
> messaging?
>
> I can already tell that you have a classloading issue, and it's almost
> certain that you have log4j.jar both in CATALINA_BASE/lib and your web
> application's META-INF/lib directory. Is that the case?
>
> -chris
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
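
The failure mode behind both this thread's log4j:ERROR and the "how do I switch class loaders" thread above is the same: a class with one name defined by two different loaders, so a cast between the two definitions fails and getClass().getName() alone does not reveal the problem. The following added Java example (not code from the list, from Tomcat, Redisson or log4j; Java 11+ assumed, and ClassLoaderDemo, ShadowingLoader and Marker are names chosen for the illustration) reproduces that situation in a single file and shows the check Olaf suggests: report the defining loader and the code source of the object's class, not only its name.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;

/*
 * Added illustration, not code from the thread: the same class bytes are
 * defined by two different class loaders, which is what happens when a JAR
 * sits both in WEB-INF/lib and in $CATALINA_BASE/lib.
 * Assumes Java 11+. Compile and run with:
 *   javac ClassLoaderDemo.java && java ClassLoaderDemo
 */
public class ClassLoaderDemo {

    /** Stand-in for RedissonSessionManager or org.apache.log4j.Appender. */
    public static class Marker {
        public Marker() { }
    }

    /**
     * A loader that defines Marker itself instead of delegating to its parent,
     * the way a webapp loader does for a class it finds in WEB-INF/lib.
     */
    static final class ShadowingLoader extends ClassLoader {
        ShadowingLoader(ClassLoader parent) {
            super(parent);
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            if (!name.equals(Marker.class.getName())) {
                return super.loadClass(name, resolve); // normal parent-first delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);
                    c = defineClass(name, bytes, 0, bytes.length); // second definition
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        /** Reads the .class bytes through the parent, i.e. from the very same file. */
        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** The diagnostic: class name, defining loader and origin of an object's class. */
    static String describe(Object o) {
        Class<?> c = o.getClass();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return c.getName() + " loaded by " + c.getClassLoader()
                + " from " + (src == null ? "<no code source>" : src.getLocation());
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = ClassLoaderDemo.class.getClassLoader();
        Object shadowed = new ShadowingLoader(app)
                .loadClass(Marker.class.getName())
                .getDeclaredConstructor()
                .newInstance();

        System.out.println("expected: " + describe(new Marker()));
        System.out.println("actual:   " + describe(shadowed));
        System.out.println("same Class object? " + (shadowed.getClass() == Marker.class));

        try {
            Marker m = (Marker) shadowed; // same name, different defining loader
            System.out.println("cast succeeded: " + m);
        } catch (ClassCastException e) {
            System.out.println("ClassCastException: " + e.getMessage());
        }
    }
}
```

The JVM's ClassCastException message names both loaders, which is exactly the shape of the log4j:ERROR quoted in this thread. The fix is the one given in both threads: make sure the class is reachable through one loader only (remove the duplicate JAR), rather than reaching for a different class loader from application code.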


Re: Changing the Java using by Tomcat

2020-05-08 Thread Luis Rodríguez Fernández
Hello Krishna,

I would point my JRE_HOME or JAVA_HOME to the new installation. You can
have a look at section 3.2 of RUNNING.txt [1].

Hope it helps,

Luis

[1] https://tomcat.apache.org/tomcat-9.0-doc/RUNNING.txt





On Wed., 6 May 2020 at 11:01, André Warnier (tomcat/perl) (<
a...@ice-sa.com>) wrote:

> On 06.05.2020 10:55, Reddy, Tippana Krishnanandan wrote:
> > Hi All,
> >
> > We are using tomcat 9.0.6 and we want to change existing JAVA used by
> tomcat and replace it Adopt openJDK without uninstalling the tomcat.
> >
> > Is this possible? if so can anyone please send us details how to
> approach this.
> >
>
> I don't think that there is anything in the tomcat configuration itself
> that must be changed.
> It will consist mostly of changes to the tomcat startup scripts.
> Under what OS are you running tomcat? And how was it installed?
>
>
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett