SpringBoot Embedded Tomcat Server RateLimitFilter
Hi,

I am using spring boot and wanted to use Rate Limit. I can find it in package
org.apache.catalina.filters; //in embedded tomcat
But this RateLimitFilter is never called. I want to understand when this filter is called and how I can customize it.

Regards,
Ved Prakash
RE: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Hi Chris,

I got your point.
Actually, this service for us is a core service of our product, which controls several core servers on it.
But, we will definitely see the options to unblock the dependency as you said.

Regards
Rajib

-----Original Message-----
From: Christopher Schultz
Sent: 27 February 2024 19:51
To: users@tomcat.apache.org
Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9

Rajib,

On 2/26/24 23:43, Saha, Rajib wrote:
> Hi Mark,
>
> Thanks for your explanation and suggestion.
> For my use case, I have used the below option and it's working fine.
> =
> --ServiceUser="LocalSystem"
> =
>
> Thank you very much for showing the way.

I'm glad you got your service working.

But.

Your next task should be to determine why you need to run your service as (essentially) local-Administrator and fix it so you don't have to. Anyone who is able to take control of your application will have complete control of the local machine. This is a huge red-flag from a security standpoint.

-chris

> -----Original Message-----
> From: Mark Thomas
> Sent: 26 February 2024 14:23
> To: users@tomcat.apache.org
> Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
>
> On 26/02/2024 06:11, Saha, Rajib wrote:
>> Hi Experts,
>>
>> In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for
>> creating a service [Say, Service-A]. It's a huge product running in market
>> for last 20 years.
>> We are in progress of moving from Tomcat-8 to tomcat-9.
>>
>> When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In
>> "Services" desktop app, we can see the service is created with "Local
>> System" in "Log On as".
>> When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in
>> "Services" desktop app, we can see the service is created with "Local
>> service" in "Log On as".
>>
>> Looks like "Local service" has less power than "Local System".
>> Due to it, Service-A created with Tomcat-9 failing for several operation
>> inside product.
>
> That should be a security concern. Local System is broadly equivalent to
> local administrator. You generally don't want to be running Tomcat under
> Local System.
>
>> Can somebody suggest, how we can create a service with tomcat-9, with the
>> privilege of "Local System"?
>
> Have you looked at the documentation?
>
> https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html
>
> Look for "--ServiceUser"
>
> Mark
Re: Any way to look-up a session from application?
Chris,

I think maybe Mark answered a similar question a while back indicating the only supported method within the Servlet API was custom session tracking. I could be remembering incorrectly. That's what we do however, because without "snooping" into the Tomcat internals, I don't think there was a way that we found.

Robert

On Tue, Feb 27, 2024 at 3:10 PM Olaf Kock wrote:

> Hi Chris
>
> On 27.02.24 15:19, Christopher Schultz wrote:
> > All,
> >
> > I'm looking at building some administrative tools into my application,
> > and I'd like to be able to inspect user sessions for certain attributes.
> >
> > I know that I can use JMX to make calls to the (session) Manager, but
> > it looks like the only things really exposed are:
> >
> > String[] listSessionIds()
> > String getSessionAttribute(String sessionId, String attributeName)
> >
> > There are other operations available but they aren't related to what
> > I'd like to do: get a reference to the Session object itself, so I can
> > get attributes as their *actual* types and not converted to a String.
> >
> > Is that possible using existing Tomcat-provided tools?
> >
> > Another option would be to register an HttpSessionListener /
> > HttpSessionActivationListener and keep track of all the events so I
> > have my own "private" set of references to all of those sessions.
> >
> > Is there a way to do this without writing my own session-tracking
> > code? The old HttpSessionContext interface has been deprecated for
> > ages and implementations are required to be no-ops.
>
> I can't really provide a recipe, but have a question for clarification:
>
> As you mention JMX, it sounds like you want to access the session from
> out-of-application context? If that is the case, you might have a hard
> time getting any session objects, if their classes are private to the
> web application's classloader. Strings naturally will work, but for
> others you'd need severe class loading or reflection magic to make sense
> of them.
>
> HttpSessionListener sounds more "in context", and more doable.
>
> I'm not aware of a way that does not involve custom session tracking
> code. But that doesn't mean anything: I can easily be proven wrong :)
>
> Olaf
Re: Any way to look-up a session from application?
Hi Chris

On 27.02.24 15:19, Christopher Schultz wrote:
> All,
>
> I'm looking at building some administrative tools into my application,
> and I'd like to be able to inspect user sessions for certain attributes.
>
> I know that I can use JMX to make calls to the (session) Manager, but
> it looks like the only things really exposed are:
>
> String[] listSessionIds()
> String getSessionAttribute(String sessionId, String attributeName)
>
> There are other operations available but they aren't related to what
> I'd like to do: get a reference to the Session object itself, so I can
> get attributes as their *actual* types and not converted to a String.
>
> Is that possible using existing Tomcat-provided tools?
>
> Another option would be to register an HttpSessionListener /
> HttpSessionActivationListener and keep track of all the events so I
> have my own "private" set of references to all of those sessions.
>
> Is there a way to do this without writing my own session-tracking
> code? The old HttpSessionContext interface has been deprecated for
> ages and implementations are required to be no-ops.

I can't really provide a recipe, but have a question for clarification:

As you mention JMX, it sounds like you want to access the session from out-of-application context? If that is the case, you might have a hard time getting any session objects, if their classes are private to the web application's classloader. Strings naturally will work, but for others you'd need severe class loading or reflection magic to make sense of them.

HttpSessionListener sounds more "in context", and more doable.

I'm not aware of a way that does not involve custom session tracking code. But that doesn't mean anything: I can easily be proven wrong :)

Olaf
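The in-application session tracking discussed in this thread, as an added example that is not part of any poster's message. It assumes the `javax.servlet` API used by Tomcat 9 (Tomcat 10 and later use `jakarta.servlet`); `SessionRegistry`, `sessionIds` and `attribute` are hypothetical names.

```java
// Added example (not from the thread). SessionRegistry and its methods are hypothetical names.
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionRegistry implements HttpSessionListener, HttpSessionIdListener {
    // Loaded by the web application's class loader, so attribute classes resolve normally.
    private static final Map<String, HttpSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        SESSIONS.put(se.getSession().getId(), se.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        SESSIONS.remove(se.getSession().getId());
    }

    // Re-key the entry when the container issues a new ID for an existing session,
    // for example via HttpServletRequest.changeSessionId().
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        SESSIONS.remove(oldSessionId);
        SESSIONS.put(se.getSession().getId(), se.getSession());
    }

    public static Set<String> sessionIds() {
        return new HashSet<>(SESSIONS.keySet());
    }

    // Attribute in its real type; empty if missing, of another type, or the session is invalid.
    public static <T> Optional<T> attribute(String sessionId, String name, Class<T> type) {
        HttpSession session = SESSIONS.get(sessionId);
        if (session == null) return Optional.empty();
        try {
            Object value = session.getAttribute(name);
            return type.isInstance(value) ? Optional.of(type.cast(value)) : Optional.empty();
        } catch (IllegalStateException invalidated) {
            SESSIONS.remove(sessionId, session); // drop the stale reference
            return Optional.empty();
        }
    }
}
```

Session IDs are bearer credentials, so expose these methods only to authenticated administrative code and keep the IDs out of logs.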
Re: configuring Tomcat 9.0.85 for debugging
Mark

Your input is very helpful. Thank You very much! I have been having headaches with all the issues you mentioned and will be following your guidance.

On Monday, February 26, 2024 at 06:12:49 PM EST, Mark Eggers wrote:

On 2/26/2024 2:18 PM, Mark Caruso wrote:
> If anyone has guidance for configuring Tomcat 9.0.85 for debugging please
> send it along. I am running the program under Ubuntu 20.04. I am not sure the
> guidance on the internet for modifying catalina.sh is right. My goal is to
> then attach a debugger from Netbeans 16 and debug my web app.
> Thank you
> Mark

Mark,

In my opinion, running a service-oriented (systemd for Ubuntu 20.04) or package-installed Tomcat for development and debugging is not ideal.

In no particular order, you'll run into:

1. Start / stop issues (you'll need sudo)
2. Log permissions (looking at logs may be an issue)
3. Deployment permissions (more about that below)

Also, NetBeans 21 just came out and is available via snap. Is there any reason to run NetBeans 16?

NetBeans allows you to start up a Tomcat instance in normal, debug, or profile mode from the IDE. It does this by using the Tomcat-provided catalina.(sh/bat) script. That's going to be an issue if you're using a package-installed Tomcat.

In the NetBeans server setup, you can either use shared memory or JMX (and specify the port) for a Tomcat server. By default, NetBeans will use shared memory for a Tomcat running on the same machine.

NetBeans deploys an application to Tomcat that it controls by copying a context.xml file over to the appropriate location in a Tomcat installation ($CATALINA_HOME/conf/Catalina/localhost/appname.xml) with an appropriate docBase. For example, if you are running a Maven project, that docBase will be:

${project.basedir}/${project.build.directory}/${project.artifactId}-${project.version}

This enables a project to be deployed quickly, as well as enables hot reloads if you enable compile on save.

Deploying and redeploying a web application for debugging may run into permissions issue if you're using a package-installed version of Tomcat.

So, in summary:

1. Download Tomcat from tomcat.apache.org
2. Extract and install it in a reasonable spot underneath your home directory
3. Edit server.xml to change any ports (if necessary)
4. Edit tomcat-users.xml to add a user with a manager-script role (see comments in file)
5. Configure NetBeans to use the freshly installed Tomcat

Debugging is then simply starting Tomcat in debug mode.

This is how I work on Windows, Ubuntu, Fedora, and have people set up on MacOS.

. . . just my two cents
/mde/
Re: configuring Tomcat 9.0.85 for debugging
Thank you very much!

On Monday, February 26, 2024 at 05:43:02 PM EST, Chuck Caldarale wrote:

> On Feb 26, 2024, at 16:18, Mark Caruso wrote:
>
> If anyone has guidance for configuring Tomcat 9.0.85 for debugging please
> send it along. I am running the program under Ubuntu 20.04. I am not sure the
> guidance on the internet for modifying catalina.sh is right. My goal is to
> then attach a debugger from Netbeans 16 and debug my web app.

Might want to start with the Tomcat FAQ, in particular this page:

https://cwiki.apache.org/confluence/display/TOMCAT/Troubleshooting+and+Diagnostics

- Chuck
Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
Rajib,

On 2/26/24 23:43, Saha, Rajib wrote:
> Hi Mark,
>
> Thanks for your explanation and suggestion.
> For my use case, I have used the below option and it's working fine.
> =
> --ServiceUser="LocalSystem"
> =
>
> Thank you very much for showing the way.

I'm glad you got your service working.

But.

Your next task should be to determine why you need to run your service as (essentially) local-Administrator and fix it so you don't have to. Anyone who is able to take control of your application will have complete control of the local machine. This is a huge red-flag from a security standpoint.

-chris

> -----Original Message-----
> From: Mark Thomas
> Sent: 26 February 2024 14:23
> To: users@tomcat.apache.org
> Subject: Re: Need help for a problem on migrating from Tomcat-8 to Tomcat-9
>
> On 26/02/2024 06:11, Saha, Rajib wrote:
>> Hi Experts,
>>
>> In our product, we are using Tomcat [OriginalFileName: prunsrv.exe] for
>> creating a service [Say, Service-A]. It's a huge product running in market
>> for last 20 years.
>> We are in progress of moving from Tomcat-8 to tomcat-9.
>>
>> When we are creating the Service-A with Tomcat-8 [tomcat8.exe]. In
>> "Services" desktop app, we can see the service is created with "Local
>> System" in "Log On as".
>> When we are creating the Service-A with Tomcat-9 [tomcat9.exe]. in
>> "Services" desktop app, we can see the service is created with "Local
>> service" in "Log On as".
>>
>> Looks like "Local service" has less power than "Local System".
>> Due to it, Service-A created with Tomcat-9 failing for several operation
>> inside product.
>
> That should be a security concern. Local System is broadly equivalent to
> local administrator. You generally don't want to be running Tomcat under
> Local System.
>
>> Can somebody suggest, how we can create a service with tomcat-9, with the
>> privilege of "Local System"?
>
> Have you looked at the documentation?
>
> https://tomcat.apache.org/tomcat-9.0-doc/windows-service-howto.html
>
> Look for "--ServiceUser"
>
> Mark
Any way to look-up a session from application?
All,

I'm looking at building some administrative tools into my application, and I'd like to be able to inspect user sessions for certain attributes.

I know that I can use JMX to make calls to the (session) Manager, but it looks like the only things really exposed are:

String[] listSessionIds()
String getSessionAttribute(String sessionId, String attributeName)

There are other operations available but they aren't related to what I'd like to do: get a reference to the Session object itself, so I can get attributes as their *actual* types and not converted to a String.

Is that possible using existing Tomcat-provided tools?

Another option would be to register an HttpSessionListener / HttpSessionActivationListener and keep track of all the events so I have my own "private" set of references to all of those sessions.

Is there a way to do this without writing my own session-tracking code? The old HttpSessionContext interface has been deprecated for ages and implementations are required to be no-ops.

-chris