Re: Strange URL rewrite when reverse proxy with Apache HTTP Server

2017-02-21 Thread André Warnier

On 21.02.2017 20:45, Aaron Gray wrote:

I have an application server from a vendor that comes bundled with an
additional Apache Tomcat server.  The webapp SelfService.war is vendor
supplied too.

Here's my problem (IP's replaced to protect the innocent):

networks:
DMZ=172.x.x.x
INTERNAL=10.x.x.x

server1 https listen = 172.1.1.1:23270
server2 https listen = 172.1.1.2:23270
F5 load balancer hostname = loadbalancer.domain.com:443
backend tomcat server = 10.1.1.1:18080

mod_proxy configuration:
ProxyPass /SelfService http://10.1.1.1:18080/SelfService
ProxyPassReverse /SelfService http://10.1.1.1:18080/SelfService

When I access these DMZ webservers which mod_proxy back to Apache Tomcat as:
https://172.1.1.1:23270/SelfService
and
https://172.1.1.2:23270/SelfService 
They load properly. Perfectly, every time!


Ok, so there is no problem in tomcat, nor with the webapp itself.



When I access these DMZ webservers via the F5 load balancer (to which I
don't have access, but the network folks configure for me), it hangs.


What is the URL you are using, when you do the access via the F5 load balancer ?
(just to make sure)


Eventually returns:
https://loadbalancer.domain.com:23270/SelfService
can't load.



"Eventually" meaning that there is a delay ? how long ?


No idea why the URL is being re-written with the ":23270".
I added static content to the server.xml on 10.1.1.1 (Tomcat) to test:

Then put a simple index.html in there.  Accessing via the Apache Web
Servers works fine, but if you hit it with the Load Balancer it once again
adds the https://loadbalancer.domain.com:23270/static

Do you have any thoughts?  Thanks so much, I have been working with this
for weeks now with no success



I don't know the F5 internals, but at first sight, it sounds like 2 problems, of which the
first is a misconfiguration of the load-balancer.
Internally, it should have a configuration similar to your Apache configurations, with a
ProxyPass and a ProxyPassReverse (at least in principle), and it should never show
this ":23270" to the caller. The URL is not really being "rewritten". It looks more like a
"leakage" of some information that the F5 should keep to itself.
It obviously replaces the hostname to which it is supposed to proxy with its own hostname
before returning this error message. But it seems to forget to also replace the port with
its own port.
The second problem: if it returns this error in the first place, that seems to indicate that
there is, in addition, a communications issue somewhere between the F5 and the Apache
httpds. The F5 is obviously never getting a response from the httpds.
What is between the F5 and the httpds ? It looks like whatever it is allows packets from
the F5 *to* an httpd, but maybe not return packets *from* the httpd to the F5
(or they get wrongly routed back).
I have seen this kind of issue before, with servers hosted "in the cloud".


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
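The "leakage" described above, as an added example (not code from the thread or from Apache httpd): the rewrite a reverse proxy should apply to a backend Location header, beside the host-only rewrite that reproduces the ":23270" symptom, and a check that spots the leaked port in a response handed to the client. The addresses are the constructed ones from the thread (backend httpd 172.1.1.1:23270, public front loadbalancer.domain.com:443).

```python
"""Location-header rewriting as ProxyPassReverse does it, beside the
host-only variant that leaks the backend port.

Added example, not the thread's or Apache httpd's code. Hostnames and ports
are the constructed ones from the thread."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(u):
    """(hostname, effective port) so 'https://h' and 'https://h:443' compare equal."""
    return (u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def rewrite_location(location, backend_base, public_base):
    """Rewrite `location` when it points at backend_base: scheme, host, port and
    path prefix are all replaced by those of public_base (what ProxyPassReverse
    does). A Location not under backend_base is returned untouched."""
    loc, back, pub = urlsplit(location), urlsplit(backend_base), urlsplit(public_base)
    if loc.scheme != back.scheme or _host_port(loc) != _host_port(back):
        return location
    if not loc.path.startswith(back.path):
        return location
    new_path = pub.path + loc.path[len(back.path):]
    return urlunsplit((pub.scheme, pub.netloc, new_path, loc.query, loc.fragment))


def hostname_only_rewrite(location, backend_host, public_host):
    """The broken variant: swap the hostname but keep the backend's port. With
    backend 172.1.1.1:23270 this yields the leaked
    https://loadbalancer.domain.com:23270/... URL seen in the thread."""
    loc = urlsplit(location)
    if loc.hostname != backend_host:
        return location
    netloc = public_host + (f":{loc.port}" if loc.port else "")
    return urlunsplit((loc.scheme, netloc, loc.path, loc.query, loc.fragment))


def leaks_backend_port(location, public_base):
    """Check a Location header handed to the client: the public hostname with
    any port other than the public one means an internal port was leaked."""
    loc, pub = urlsplit(location), urlsplit(public_base)
    return loc.hostname == pub.hostname and _host_port(loc) != _host_port(pub)


if __name__ == "__main__":
    backend = "https://172.1.1.1:23270"
    public = "https://loadbalancer.domain.com:443"
    redirect = "https://172.1.1.1:23270/SelfService/"
    print("correct :", rewrite_location(redirect, backend, public))
    bad = hostname_only_rewrite(redirect, "172.1.1.1", "loadbalancer.domain.com")
    print("leaking :", bad, "-> leaks port:", leaks_backend_port(bad, public))
```

The same `rewrite_location` also models the httpd side of the thread: with backend_base `http://10.1.1.1:18080/SelfService` and public_base `https://172.1.1.1:23270/SelfService` it performs exactly the mapping the ProxyPassReverse line configures.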



Re: Tomcat 8.0.23, Apache Commons 2.2: Object pool shared across Tomcat servers/clusters?

2015-08-26 Thread André Warnier

On 26.08.2015 12:36, Prarthana Agwania wrote:

Chuck,

Apologies for the confusion. Let me rephrase it,

Currently, we have multiple Tomcat nodes running on a single or on
different physical machines with each having its own object pool
(consider we have a pool of java String object but not connection
pool) i.e., an object pool per node. The requirement is to share this
pool of objects across Tomcat nodes.

Is there any such implementation that we can readily use to achieve this?


Maybe you should look at something like this :
https://code.google.com/p/memcached/wiki/Clients




Thanks,
Prarthana

On Tue, Aug 25, 2015 at 6:10 PM, Caldarale, Charles R
chuck.caldar...@unisys.com wrote:

From: Prarthana Agwania [mailto:prarthana.agwa...@gmail.com]
Subject: Tomcat 8.0.23, Apache Commons 2.2: Object pool shared across Tomcat 
servers/clusters?



Currently in our project, we have multiple Tomcat servers running on a
single physical server each having its own connection pool. We have a
requirement where in, we could have a shared connection pool across
multiple Tomcat servers.


Whoever came up with that requirement is seriously confused.  Underlying every 
database connection is a TCP/IP connection, which by definition, is 
point-to-point.  There is no possible way for a single TCP/IP connection to be 
usable other than by the two end points (discounting MITM hacks).

At best, you could invent a proxy machine which would connect to the DB server, 
and each Tomcat server could connect to the proxy.  The added complication, 
performance impact, and overall cost make this a completely nonsensical thing 
to do.

  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.







Re: Tomcat 7 - Organizing web applications into sub directories

2015-08-26 Thread André Warnier

On 26.08.2015 06:06, Srikanth Challa wrote:

I am trying to organize my applications (multiple) into a specific
hierarchy under the webapps folder.
Something like this -
webapps
  dev
   app1
   app2
  test
   app1
   app3

When deploying (without WAR), I am getting a 404 error for servlets. Tried
changing the web.xml servlet mapping, still no luck. It works perfectly
when the folder is moved directly under webapps like below -
webapps
  app1

Does tomcat have a limitation on organizing webapps under multiple levels
of folders (under the webapp directory)?



Hi.
Without getting too technical :
It is not a limitation of Tomcat.  There /are/ ways of doing what you indicate above.  But 
the problem is that if you do that, you are going against the natural way in which URLs 
are mapped to web-applications, and that will force you further down the line, to do ever 
more complicated things to keep this working correctly (for example, if you want to easily 
move an application between the dev and the test areas above).


To map URLs to web-applications, Tomcat is following the basic principles outlined in the 
Servlet Specification 3.0, for example this :


-- quote --
10.5 Directory Structure
A Web application exists as a structured hierarchy of directories. The root of this
hierarchy serves as the document root for files that are part of the application. For
example, for a Web application with the context path /catalog in a Web container,
the index.html file at the base of the Web application hierarchy or in a JAR file
inside WEB-INF/lib that includes the index.html under META-INF/resources
directory can be served to satisfy a request from /catalog/index.html.
-- unquote --

(re: http://tomcat.apache.org/tomcat-8.0-doc/appdev/deployment.html)

For Tomcat, the root for all the applications within a specified Host, is the 
directory which is indicated by the appBase attribute of the corresponding Host tag.

Like this :
  <Host name="localhost" appBase="(/somepath/)webapps"
        unpackWARs="true" autoDeploy="true">

and then under (/somepath/)webapps/ you would have something like this :

(/somepath/)webapps/
   app1
 app1-sub1
 app1-sub2
   app2
 app2-sub1
 app2-sub2
etc..

This makes it clear to Tomcat that app1 and app2 are the distinct web-applications 
(also known as context), corresponding respectively to URLs such as :

  http://yourhost:port/app1
  http://yourhost:port/app2
and that the subdirectories app1-sub1, app1-sub2 etc.. are internal sub-divisions of 
these app1 and app2 web-applications, helping to map longer URLs to things inside 
these application (such as servlets, JSP pages, HTML pages etc.) (these further 
sub-mappings being described in the web.xml file of each web-application).


If you want to go against this natural interpretation of the directory structure by
Tomcat, then you have to start telling Tomcat (in various places) that app1/app1-sub1
is one application, and app1/app1-sub2 is a different application etc.., which
complicates things for you (for example, you'd have to name a WAR file like
app1#app1-sub1.war). (And also, since it is not the natural way, it will confuse
other people).


A more practical way of achieving what you want, would probably be to define 2 distinct 
Host's, like this (in server.xml) :


 <Host name="mydevhost" appBase="(/somepath/)webapps-dev"
       unpackWARs="true" autoDeploy="true">
 ...
 </Host>

 <Host name="mytesthost" appBase="(/somepath/)webapps-test"
       unpackWARs="true" autoDeploy="true">
 ...
 </Host>

(and of course, both mydevhost and mytesthost map to the same IP address 
(in DNS)).

and then have a directory structure like this :

webapps-dev/
   app1
   app2

webapps-test/
   app1
   app2
   app3

corresponding to URLs like :
 http://mydevhost:port/app1  (maps to /somepath/webapps-dev/app1)
 http://mytesthost:port/app1 (maps to /somepath/webapps-test/app1)
 etc..

This way, the internal configuration and content of app1 can be exactly the same for
dev and test, and you can move an application between the 2 Hosts (or anywhere else,
such as to another machine) without having to make any change at all inside the
application or its configuration.




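The mapping rule the reply describes, as an added example (not Tomcat's own code): how a name directly under appBase becomes a context path, why a nested `dev/app1` layout makes `dev` the webapp (so servlets declared inside `app1` answer 404), and how the `app1#app1-sub1.war` naming the reply mentions gets a two-level context path. The rule is an assumption drawn from the thread plus the `##` version suffix for parallel deployment; `deployments` and `context_path_from_base_name` are names chosen here.

```python
"""Context-path derivation for entries under a Host's appBase.

Added example, a model of the naming rule rather than Tomcat's own code:
'#' in a name becomes '/', ROOT is the empty context path, '##' separates a
parallel-deployment version, and only one level below appBase is scanned."""


def context_path_from_base_name(name):
    """Return (context_path, version) for a directory or WAR name in appBase."""
    base = name
    for ext in (".war", ".xml"):
        if base.lower().endswith(ext):
            base = base[: -len(ext)]
            break
    version = ""
    if "##" in base:                      # parallel deployment: app1##3.war
        base, version = base.split("##", 1)
    path = "" if base == "ROOT" else "/" + base.replace("#", "/")
    return path, version


def deployments(host, port, relative_paths):
    """Map what Tomcat would deploy for a list of paths relative to appBase.

    Only the first path component counts: with 'dev/app1' and 'dev/app2' the
    single webapp is 'dev', and app1/app2 are merely directories inside it."""
    contexts = {}
    for rel in relative_paths:
        top = rel.split("/", 1)[0]
        path, _version = context_path_from_base_name(top)
        contexts.setdefault(top, f"http://{host}:{port}{path}")
    return contexts


if __name__ == "__main__":
    # Constructed layouts from the thread: nested under one Host, then two Hosts.
    print(deployments("localhost", 8080, ["dev/app1", "dev/app2", "test/app1", "test/app3"]))
    print(deployments("mydevhost", 8080, ["app1", "app2"]))
    print(deployments("mytesthost", 8080, ["app1", "app2", "app3"]))
    print(context_path_from_base_name("app1#app1-sub1.war"))
```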



Re: memory trace of the server with 2 instances of tomcat 7 running

2015-07-30 Thread André Warnier

Ethen John wrote:

hi all,

I have a linux server which is running 2 similar instances of Tomcats 7.

Each of the tomcat instances has the exact same web application (.war)
deployed.

The application is not actively used by the users, but the behavior of the
application on both the tomcat instances is looking very sluggish.

I checked the memory utilization of the server machine, which is as
follows:

top - 12:47:20 up 182 days, 43 min, 1 user, load average: 0.09, 0.16, 0.15
Tasks: 226 total, 1 running, 225 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.1%us, 0.2%sy, 0.0%ni, 99.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 15529M total, 11474M used, 4054M free, 485M buffers
Swap: 16383M total, 0M used, 16383M free, 9633M cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7866 root 0 -20 43036 12m 2640 S 12 0.1 2479:02 scopeux
1 root 20 0 10548 824 692 S 0 0.0 1:41.80 init
2 root 20 0 0 0 0 S 0 0.0 0:00.16 kthreadd
3 root 20 0 0 0 0 S 0 0.0 3:09.18 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 15:56.61 kworker/u:0
…


Just a little thing here : under top, if you enter F and then n, it will show the 
processes in the order of memory usage. Did you do that ?
(I am asking because I see no java processes above, and they tend to come on top of the 
list when there are any).



=

yyy@xxx:~ free -m
total used free shared buffers cached
Mem: 15529 11469 4059 0 485 9633
-/+ buffers/cache: 1350 14178
Swap: 16383 0 16383

==

yyy@xxx:~ df -kh
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg00-rootvol 5.0G 1.4G 3.4G 29% /
udev 7.6G 220K 7.6G 1% /dev
tmpfs 24G 0 24G 0% /dev/shm
/dev/sda1 510M 48M 437M 10% /boot
/dev/mapper/vg00-homevol 992M 12M 929M 2% /home
/dev/mapper/vg00-tmpvol 2.0G 201M 1.7G 11% /tmp
/dev/mapper/vg00-varvol 7.9G 319M 7.2G 5% /var
/dev/mapper/vg00-crashvol 2.0G 68M 1.9G 4% /crashdump
/dev/mapper/vg00-auditvol 248M 11M 226M 5% /var/log/audit
/dev/mapper/vg00-optvol 12G 1.5G 9.8G 13% /opt
/dev/mapper/vg00-webdienste 99G 3.7G 95G 4% /webdienste







Re: [OT] Re: SSL configuration using PFX as keystore

2015-07-22 Thread André Warnier

Mark Thomas wrote:

On 08/07/2015 16:22, André Warnier wrote:

snip /


With respect, you both don't get it.  MS support is deliberately
pitiful, to emphasize the fact that MS software is by definition
bug-free and does not really need support.


I've had several extremely frustrating telephone calls this afternoon
where various levels of Microsoft staff repeating their position that
the WebDAV client is working as designed and that prompting for
authentication is a perfectly reasonable response when trying to connect
to a server that does not require authentication but does have a cert
issued by a CA the client doesn't trust.

So far the minor security vulnerability (details to follow once
Microsoft provide their final response in writing) is working as
designed as well. Hmm. Microsoft Windows - insecure by design. There
is a nice strap line. I wonder if their marketing folks would like to
use it. I'd be happy to offer them a royalty free license.

I've asked MS to provide the justification for this position in writing
- mainly because I intend writing up a blog post to make clear to those
who haven't already figured it out that the Microsoft WebDAV client is,
despite the improvements in recent Windows versions, still buggy and -
more importantly - Microsoft are point blank refusing to fix obvious
bugs and (minor) security vulnerabilities.

I recall that someone on this list said that they had switched to a 3rd
party WebDAV client and hadn't looked back since. Could that person
remind me what that client was. I'd be happy to give it a plug in the
blog post.


If that person was me, I was mentioning WebDrive 
(http://www.southrivertech.com/products/webdrive/)




I'll also be updating the Tomcat docs to make it clear that the
Microsoft WebDAV client is unsupported and I'll be removing the WebDAV
fix valve from Tomcat 9 onwards since it fixes bugs in old, unsupported
MS WebDAV clients and there is no way to fix issues like the current one
on the server side. I'll be asking httpd to add a similar note regarding
the supportability of the MS WebDAV client.

Mark




Re: tomcat deploys only half of the application and starts the server

2015-07-16 Thread André Warnier

chedana jayasinghe wrote:

tomcat deploys only half of the application and starts. what could be the
reason ? I tried deleting the server and setting up a new tomcat server but
the problem is still the same



If you installed and configured Tomcat with the same care and precision as you
used to write the question above, no wonder.


Try again, and give us some real data this time, so that we could maybe begin trying to 
help you.






Re: Unable to start service on Windows (Tomcat version 8.00.023)

2015-07-14 Thread André Warnier

Hi.

Nikitha Benny wrote:

Hi All,

I have installed java JRE version 1.07.079 and Tomcat version 8.00.023.

And it installs and runs fine on all unix platforms (Linux_x64, Linux_x86,
Solaris and HP-UX).

Now when it comes to Windows (both x86 and x64), Tomcat installs fine but
does not run.

Also logs are not being thrown.


I believe that we will need a lot more details about the above in order to 
begin to help.
Such as :
- what package did you download, from where, to do this installation ?
- how did you install it ? where ?
- what do you mean by does not run ? how are you trying to run it, and what 
happens ?

(For example, if you installed Tomcat as a Windows Service, and the Windows Service does
not start, then there should at least be some message in the Windows Event Logs, no ?)




And I believe that what is below here only confuses the issue.
So let's focus for the moment on installing and running a new Tomcat 8.0.23 under Windows,
shall we ?




But when I do an upgrade from Tomcat 7.00.062 to 8.00.023 it throws the
following error in the logs:

Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler [http-apr-0.0.0.0-8081]
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler [http-apr-0:0:0:0:0:0:0:0-8081]
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler [http-bio-0.0.0.0-8444]
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler [http-bio-0:0:0:0:0:0:0:0-8444]
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler [ajp-apr-8010]
Jul 14, 2015 12:08:33 PM org.apache.catalina.core.StandardService
stopInternal
INFO: Stopping service Catalina
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler [http-bio-0.0.0.0-8444]
Jul 14, 2015 12:08:33 PM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler [ajp-apr-8010]

Is it something to with the Jasper Listener not being present in the
server.xml ?

<Listener className="org.apache.catalina.core.JasperListener" /> has been
present in Tomcat 7.00.062 but not in 8.00.023.

Please help me out in here.

Thanks in advance.

Regards,
Nikitha







Re: Tomcat unaware that connection has been dropped

2015-07-09 Thread André Warnier

Tecno Brain wrote:

I am running Tomcat 8.0.20 in Ubuntu with Java 1.8u45
This server runs in Amazon EC2 behind an ELB (load balancer), although the
cluster size is just one server.

My application allows to download some data in CSV format.
The CSV data is generated on the fly, and there is no way to know in
advance the size of the response. So, the data is an attachment.

 response.setContentType("text/csv;charset=utf-8");

 filename = "data.csv";

 response.setHeader("Content-Disposition", "attachment; filename=\"" +
filename + ".csv\"");


The download starts immediately but after 100 MB the browser stopped
receiving data (my internet connection was not the best), so I canceled the
download as it was not progressing anymore.

Nevertheless, my web app keeps generating the CSV data, unaware that the
connection has been dropped. I was expecting that my code would get an
IOException when writing to the servlet OutputStream (which was wrapped by
a BufferedOutputStream and wrapped by an OutputStreamWriter).

Is this a problem I can solve through the configuration of the NIO
connector ?
Or is this a problem of Amazon ELB that still consumes the stream even
though it can't be forwarded to the browser anymore?


Yes, that kind of thing.  There may also be load-balancers, proxies, gateways, etc.
between Tomcat and the end-user browser.
As long as Tomcat itself is able to write to that connection, there is no way for an
application within Tomcat to even find out that the ultimate client has gone away.




I don't remember having this problem when working with Apache HTTP as the
load balancer. If I remember correctly, I would get an error indicating
that the client closed the connection.


Yes, in some cases, because then there was less buffering in-between.



Any pointers are appreciated.



If your generated files are really that big, I would suggest that the Tomcat side writes 
them to disk to a temporary file, and then returns to the client a short response, with a 
link where it can retrieve that file.  Then there could be a separate cleanup procedure, 
which cleans up such temporary files when they are more than a certain age.





-Jorge







Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-09 Thread André Warnier

Hi.

Alex Soto wrote:

Hi at the end it seems apache is doing something (wrong or not)

HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +] GET /hello/hello
HTTP/1.1 200 89

HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb
172.17.42.1 - - [09/Jul/2015:09:15:34 +] GET /hello/hello HTTP/1.1
200 209



I only see a mention of HTTP here.  Did you also print the protocol (%H) ?
(Is that the leading HTTP/1.1 above ?)




Notice how ssl session id is printed when it is ready. So now it is time to
start a discussion with apache and why this is happening.

Thank you so much for all your support.

Alex.

On Thu, 9 Jul 2015 at 0:22, André Warnier (a...@ice-sa.com) wrote:


Alex Soto wrote:

no they are always the same, I simply go to browser do
https://localhost/hello/hello and I only push refresh button several times,
until the id appears. Then after some pushes it disappears again and
appears after some time again. So I think I am not changing the protocol
from https to http. In fact the browser complains about that the
certificate is homemade. So yes I think so.

In first mail I sent the Docker project
https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
know it.
Also one thing I did was to inspect the debugging file of mod_jk and I can
see the session id is not sent by mod_jk. But if it is because mod_jk
misses or not, I just don't know.

Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting
the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is
(also) not passed by mod_jk to Tomcat.

That is also what Christopher was wondering, and that is why he asked you if you were
really sure that all your requests were HTTPS.
At this point, we also don't know why Apache httpd would in some cases not set this, but
the first thing is to find out if it is so, or not. And if it is so, then why ?

I believe that you can prove (or disprove) this by modifying the format of the Apache
access log.  You can change it so that Apache httpd logs the content of this variable for
each request.  Then you can again make a series of requests, and look at the Apache access
log to verify what happens.

Have a look here :
http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
and in particular at
  %{FOOBAR}e    The contents of the environment variable FOOBAR

You can also log the request protocol :
  %H            The request protocol

In summary : if you can show that Apache httpd is always setting what it should set, and
that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or
Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or
with something else in your setup.  We are just trying to locate the issue correctly, and
to avoid spending time looking in the wrong places. (For us and for you).



On Wed, 8 Jul 2015 at 17:46, Christopher Schultz (ch...@christopherschultz.net) wrote:



Alex,

On 7/8/15 10:18 AM, Alex Soto wrote:

I have tried what you mention. When SSL_Id is there both
request.getAttribute(javax.servlet, .); and
request.getAttribute(SSL_SESSION_ID); returns valid sslId and in
the same way if one is null them the other one is null too so it
behaviour is consistent. About header approach always it is null,
probably something in rewrite is not set in header.

That sounds like httpd isn't providing the session id.

Are you absolutely sure that all of these requests are actually HTTPS
from the client? Do you ever switch between HTTPS and HTTP?

- -chris









Re: Tomcat unaware that connection has been dropped

2015-07-09 Thread André Warnier

Tecno Brain wrote:

Hi Andre,

These files can be huge (for a few of my clients). It can take more than an
hour for the entire file to be generated.


Then you also have to take into account that when the browser issues a request to the
server, it expects *some* answer within a maximum of about 5 minutes.  If it
doesn't get that, the browser will drop the connection and display a message like "the
server is not responding..."



I just didn't want to save them. I was expecting that if the file was too
big, the process would just be aborted. As it is now, my webapp keeps
working even though no browser is receiving the data.
I guess I will have to save them (in S3) and notify my client via e-mail
when the file is available.


I am not even sure that in such a case, having the file be generated by a webserver webapp
is the best design.  It means that when the browser issues such a request, one of the
webserver's threads/children is busy with that request for a very extended period of time,
unable to do anything else.  That looks like an ideal case for a Denial of Service, for example.


You may want to re-examine the whole principle of this thing.
In some restaurants, if you want some special dish that takes a long time to prepare, you
have to order it in advance; you can't just walk in and order it from the menu.



I'll also ask Amazon about it.

Thank you,

-Jorge




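The hand-off André suggests in both replies (write the file to a temporary area, return a short response with a link, purge files past a maximum age, and keep a request thread from being held for an hour), as an added example that is not the poster's webapp or any Tomcat code. `ExportStore` and its method names are chosen here; the CSV is generated synchronously for brevity where a real deployment would hand it to a worker; the sample rows are constructed.

```python
"""Large-download hand-off: generate to disk, link, fetch later, purge by age.

Added example, not the poster's code. The one client-supplied value in the
retrieval link is the token, so it is validated against the exact shape
issued before it is ever joined to a path."""
import csv
import re
import secrets
import tempfile
import time
from pathlib import Path

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22}")   # shape of secrets.token_urlsafe(16)


class ExportStore:
    def __init__(self, root, max_age_s):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.max_age_s = max_age_s

    def _path_for(self, token):
        # Accept only the shape we issue: '..' or '/' in a token can never
        # reach a file outside the export directory.
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("malformed export token")
        return self.root / f"{token}.csv"

    def start_export(self, rows):
        """Write the CSV and return the opaque token the short response links to."""
        token = secrets.token_urlsafe(16)
        with open(self._path_for(token), "w", newline="", encoding="utf-8") as f:
            csv.writer(f).writerows(rows)
        return token

    def fetch_export(self, token):
        """Bytes of a finished export, or None if unknown or already purged."""
        path = self._path_for(token)
        return path.read_bytes() if path.is_file() else None

    def purge_expired(self, now=None):
        """Delete exports older than max_age_s; returns how many were removed."""
        now = time.time() if now is None else now
        removed = 0
        for p in self.root.glob("*.csv"):
            if now - p.stat().st_mtime > self.max_age_s:
                p.unlink()
                removed += 1
        return removed


def demo():
    """Run the whole cycle in a scratch directory; returns what each step saw."""
    store = ExportStore(tempfile.mkdtemp(prefix="exports-"), max_age_s=3600)
    token = store.start_export([["id", "name"], ["1", "alice"]])   # constructed rows
    body = store.fetch_export(token)
    try:
        store.fetch_export("../../etc/passwd")
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    purged = store.purge_expired(now=time.time() + 2 * 3600)   # pretend two hours passed
    return body, traversal_rejected, purged, store.fetch_export(token)


if __name__ == "__main__":
    print(demo())
```

The request handler then does only `start_export` (or, with a worker, just enqueues it) and replies immediately with the link, so no servlet thread sits on a one-hour response and the dropped-connection problem disappears with it; `purge_expired` is the separate cleanup procedure the reply describes, run from a scheduler.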



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-08 Thread André Warnier

Alex Soto wrote:

Hi I have tried this approach custom JkEnvVar are pass correctly, what I
don't know how to do is how to set an already JkEnvVar to a new JkEnvVar
(what you mention about force)) I have tried with %{SSL_SESSION_ID} and $
but no luck (Don't know if it is because originally it was null or not).


I think it is just

JkEnvVar SSL_SESSION_ID none

(where "none" is the default value, used if the Apache environment variable
SSL_SESSION_ID was not set before you pass the request to Tomcat.)

(The default value ensures that Tomcat always gets something, no matter what.)

Then in Tomcat you do request.getAttribute("SSL_SESSION_ID"), and if you find the value
"none", it means that SSL_SESSION_ID was not set at the httpd level.


Note: if that does not work, there is still another method that can be tried : setting an
HTTP request header, before proxying to Tomcat. It would work like this :


RewriteEngine On
RewriteRule .* - [E=MY_SESSION_ID:%{SSL_SESSION_ID},NE]
RequestHeader set JK-SSL-SESSION %{MY_SESSION_ID}e

and then in Tomcat you would retrieve the HTTP header JK-SSL-SESSION.





Alex.

On Tue, 7 Jul 2015 at 23:05, André Warnier (a...@ice-sa.com) wrote:


Alex Soto wrote:

yes it is set at httpd-ssl.config

https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229

which I think that is where it should be set.
Everything too strange, but thanks anyway.

Then, and until Rainer himself jumps in, let me ask you if it would be possible to make
one more test. As far as I understand, this is not the way it /should/ work, but it may be
a way to find out what doesn't work, inasmuch as there is really a problem :

Somewhere in that same page, there is a way by which you can force a value to be passed
on to Tomcat as a request attribute (via JkEnvVar name default-value)..
Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via
request.getAttribute(name), instead of the standard request.ssl_session ?
And check if /then/, you get it all the time ?

Again, this is probably not the way in which this should work. But Tomcat is open-source
and free software, and its development and debugging benefit from the help of any
benevolent user, particularly if that user is interested in solving a particular problem
that he is having.


On Tue, 7 Jul 2015 at 19:17, André Warnier (a...@ice-sa.com) wrote:


Alex Soto wrote:

Thank you so much but it is already set.

https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171

This is so strange.

But there is also this phrase : "In order to make SSL data available for mod_jk in Apache,
you need to set SSLOptions +StdEnvVars."

Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
configuration.


On Tue, 7 Jul 2015 at 12:25, André Warnier (a...@ice-sa.com) wrote:


Mark Thomas wrote:

On 07/07/2015 09:28, Alex Soto wrote:

Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
a gist to not add here a lot of lines).

Now the question is is it happens because of mod_jk or because of Apache?

Alex.

OK. You've reached the limits of my comfort zone. You need someone more
familiar with the httpd side of things at this point. Rainer?

Mark

Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for JkExtractSSL.



El dl., 6 jul. 2015 a les 12:48, Mark Thomas (ma...@apache.org)

va

escriure:


On 06/07/2015 10:48, Alex Soto wrote:

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where the problem is, whether in mod_jk, in Apache
Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
configuration.

I am configuring the typical Apache as frontend and TomEE (Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It
may return a null at first, then stay working for about 10 requests, then
stop working again during some requests and the get attribute returns null.
It seems that everything is configured correctly since sometimes it works.
Have you ever found something similar or know what can be happening? Do
you think that maybe the problem is on the client (browser) side?

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review
configuration files of tomcat

Re: [OT] Re: SSL configuration using PFX as keystore

2015-07-08 Thread André Warnier

Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 7/7/15 9:39 AM, Mark Thomas wrote:

On 30/06/2015 21:16, Mark Thomas wrote:

This is probably off-topic now so marking as such.

On 29/06/2015 14:29, André Warnier wrote:

Mark Thomas wrote:

On 26/06/2015 19:37, Mark Thomas wrote:

On 22/06/2015 11:56, Mark Thomas wrote:

On 22/06/2015 09:39, Mark Thomas wrote:

snip/


Prompting for authentication in response to an untrusted
certificate is bizarre to say the least.

snip/


Progress, if you can call it that, has not been good. They have
now asked for additional network traces since:

quote ... to be able to understand what packets are sent by
client and what response did Server generate for the specific
packet, I would like to check a simultaneous trace on both
communication endpoints /quote

I have just sent a very long, fairly stroppy reply pointing out
the complete pointlessness of this request - not least because
the information they claim they don't have is right in front of
them in the form of the sequence and acknowledgement numbers in
the network trace.

This continues to drag on. The stroppy e-mail got the issue
re-assigned to someone with marginally more clue. They put together
a test environment (with IIS instead of Tomcat) and then attempted
to demonstrate that the issue did not occur and hence it must be a
Tomcat problem.


Our non-standard client works perfectly well with our non-standard
server. The fact that our non-standard client doesn't work with your
standards-compliant server obviously points to your software as the
problem.

Nice tautology you got there. It would be a shame if something were to
happen to it.

*sigh*

Well, if you're willing to continue to tilt at this particular
windmill, it would be a great service to the world. I'm not hopeful,
though, as WebDAV support in Microsoft Windows has degraded
consistently over the past 10 years and never improved. I don't know
why they even bother to /claim/ support for it anymore. Evidently,
nobody in the Microsoft world gives a rat's posterior about WebDAV...
they all use SMB anyway.


However, once they had configured their environment to match my
original bug report (server using cert issued by CA client doesn't
trust, server configured not to require authentication) imagine my
lack of surprise when the problem was repeated with IIS. Needless
to say the other end of the conference call went very, very quiet
at that point.

The issue has now been passed to yet another support employee (I
refuse to call these people engineers) who apparently wants to
discuss the issue further. What they can possibly need to discuss
at this point I have no idea but having told them (again) how to
contact me I am waiting to hear from them.

I also discovered that - despite the conference call - the latest
support ticket update from Microsoft claimed the issue could not
be repeated with IIS.

It appears that the issue has been passed to the IIS team which
makes no sense at all since all the evidence points to this being a
WebDAV client bug and I have been making that point since this
whole sorry episode started.


The good news is that the IIS team is likely to refuse to accept
responsibility for the bug (because, by definition, IIS contains zero
bugs) and likely to pass the buck back to the WebDAV client team. If
you catch them at just the right time, you may be able to show MS how
to do their own jobs.


While I continue to appreciate the free MSDN license Microsoft
kindly provide to Apache committers, I must confess to being
completely unimpressed by Microsoft's support structures and count
myself fortunate that I don't have to run an IT infrastructure that
relies on them.


+1



With respect, you both don't get it.  MS support is deliberately pitiful, to emphasize the 
fact that MS software is by definition bug-free and does not really need support.
And to really bring the point home, MS seems to have plans to not name the next version 
Windows anymore, but invent some other name.  Now /that/ should allow them to definitely 
start with a clean slate in their support database.

There might be an idea for Tomcat there.. Bulldog ?


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-08 Thread André Warnier

Alex Soto wrote:

No, they are always the same. I simply go to the browser, open
https://localhost/hello/hello and only push the refresh button several times,
until the id appears. Then after some pushes it disappears again and
appears after some time again. So I think I am not changing the protocol
from https to http. In fact the browser complains that the
certificate is homemade. So yes, I think so.

In the first mail I sent the Docker project
https://github.com/lordofthejars/apache-tomee-ssl just in case you didn't
know it.
Also one thing I did was to inspect the debugging file of mod_jk and I can
see the session id is not sent by mod_jk. But whether it is because mod_jk
misses it or not, I just don't know.


Alex, what I think that your tests show, is that sometimes *Apache httpd* is not setting 
the SSL_SESSION_ID variable *as an Apache httpd environment variable*. Therefore, it is 
(also) not passed by mod_jk to Tomcat.


That is also what Christopher was wondering, and that is why he asked you if you were 
really sure that all your requests were HTTPS.
At this point, we also don't know why Apache httpd would in some cases not set this, but 
the first thing is to find out if it is so, or not. And if it is so, then why ?


I believe that you can prove (or disprove) this by modifying the format of the Apache 
access log.  You can change it so that Apache httpd logs the content of this variable for 
each request.  Then you can again make a series of requests, and look at the Apache access 
log to verify what happens.


Have a look here : 
http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
and in particular at
 %{FOOBAR}e The contents of the environment variable FOOBAR

You can also log the request protocol :
%H  The request protocol

In summary : if you can show that Apache httpd is always setting what it should set, and 
that sometimes mod_jk or Tomcat does not react to it, then the problem is with mod_jk or 
Tomcat.  But if Apache is sometimes not setting this, then the problem is with Apache, or 
with something else in your setup.  We are just trying to locate the issue correctly, and 
to avoid spending time looking in the wrong places. (For us and for you).





El dc., 8 jul. 2015 a les 17:46, Christopher Schultz (
ch...@christopherschultz.net) va escriure:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,

On 7/8/15 10:18 AM, Alex Soto wrote:

I have tried what you mention. When SSL_Id is there both
request.getAttribute(javax.servlet, .); and
request.getAttribute("SSL_SESSION_ID"); return a valid sslId, and in
the same way if one is null then the other one is null too, so its
behaviour is consistent. About the header approach, it is always null;
probably something in the rewrite is not set in the header.

That sounds like httpd isn't providing the session id.

Are you absolutely sure that all of these requests are actually HTTPS
from the client? Do you ever switch between HTTPS and HTTP?

- -chris








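One way to carry out the check André proposes (log the environment variable and the protocol per request, then read the log back), as an added example that is not code from the thread, from httpd or from mod_jk. It assumes a hypothetical LogFormat, shown in the docstring, that appends %p (server port), %H and %{SSL_SESSION_ID}e to the common log format; the sample log lines and session ids are constructed. The point it makes visible is the one the thread is after: a "-" in the last field on a port-443 request means httpd itself never exported the variable, so mod_jk had nothing to forward and the search can stop looking at Tomcat.

```python
r"""Check an httpd access log for HTTPS requests that lack SSL_SESSION_ID.

Added example, not part of the thread. Assumed LogFormat (hypothetical,
added to httpd.conf):

    LogFormat "%h %l %u %t \"%r\" %>s %b %p %H %{SSL_SESSION_ID}e" sslcheck
    CustomLog logs/ssl_check_log sslcheck

mod_log_config writes "-" for an environment variable that is not set.
"""
import re
from collections import defaultdict

# Field order follows the assumed LogFormat above.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<port>\d+) (?P<protocol>\S+) '
    r'(?P<ssl_id>\S+)$'
)

# Constructed sample lines; the session ids are made-up hex strings.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Jul/2015:17:46:01 +0200] "GET /hello/hello HTTP/1.1" 200 12 443 HTTP/1.1 0a1b2c3d4e5f60718899aabbccddeeff
127.0.0.1 - - [08/Jul/2015:17:46:02 +0200] "GET /hello/hello HTTP/1.1" 200 12 443 HTTP/1.1 -
127.0.0.1 - - [08/Jul/2015:17:46:03 +0200] "GET /hello/hello HTTP/1.1" 200 12 80 HTTP/1.1 -
127.0.0.1 - - [08/Jul/2015:17:46:04 +0200] "GET /hello/hello HTTP/1.1" 200 12 443 HTTP/1.1 0a1b2c3d4e5f60718899aabbccddeeff
127.0.0.1 - - [08/Jul/2015:17:46:05 +0200] "GET /hello/hello HTTP/1.1" 200 12 443 HTTP/1.1 -
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # httpd writes "-" for an unset environment variable.
    rec["ssl_id"] = None if rec["ssl_id"] == "-" else rec["ssl_id"]
    return rec


def summarize(log_text, https_port=443):
    """Count, per server port, how many requests carried an SSL_SESSION_ID.

    Returns {"per_port": {port: {"requests": n, "with_id": k}},
             "unparsed": lines that did not match the format,
             "https_missing": time stamps of HTTPS requests without an id}.
    """
    per_port = defaultdict(lambda: {"requests": 0, "with_id": 0})
    unparsed = 0
    https_missing = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        bucket = per_port[rec["port"]]
        bucket["requests"] += 1
        if rec["ssl_id"]:
            bucket["with_id"] += 1
        elif rec["port"] == https_port:
            https_missing.append(rec["time"])
    return {"per_port": dict(per_port), "unparsed": unparsed,
            "https_missing": https_missing}


def diagnose(summary, https_port=443):
    """Turn the counts into the conclusion the thread is trying to reach."""
    https = summary["per_port"].get(https_port)
    if https is None:
        return "no HTTPS requests logged"
    missing = https["requests"] - https["with_id"]
    if missing == 0:
        return ("httpd exported SSL_SESSION_ID on every HTTPS request; "
                "look at mod_jk or Tomcat next")
    return (f"httpd did not set SSL_SESSION_ID on {missing} of {https['requests']} "
            "HTTPS requests; the gap is on the httpd side")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["per_port"])
    print(diagnose(s))
```

Plain-HTTP requests (port 80) are counted separately on purpose: a missing id there is expected and is exactly the case Christopher asked about, so it must not be mixed in with the HTTPS figures.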



Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-07 Thread André Warnier

Alex Soto wrote:

Thank you so much but it is already set.
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171
This is so strange.


But there is also this phrase : In order to make SSL data available for mod_jk in Apache, 
you need to set SSLOptions +StdEnvVars.


Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase 
above is a bit ambiguous.  But it seems worth a try, and I do not see it in your 
configuration.




El dt., 7 jul. 2015 a les 12:25, André Warnier (a...@ice-sa.com) va
escriure:


Mark Thomas wrote:

On 07/07/2015 09:28, Alex Soto wrote:

Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
a gist to not add here a lot of lines).

Now the question is whether it happens because of mod_jk or because of Apache?

Alex.

OK. You've reached the limits of my comfort zone. You need someone more
familiar with the httpd side of things at this point. Rainer?

Mark

Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for JkExtractSSL.



El dl., 6 jul. 2015 a les 12:48, Mark Thomas (ma...@apache.org) va
escriure:


On 06/07/2015 10:48, Alex Soto wrote:

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where the problem is, whether in mod_jk, in Apache
Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
configuration.

I am configuring the typical Apache as frontend and TomEE (Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It
may return a null at first, then stay working for about 10 requests, then
stop working again during some requests and the get attribute returns null.
It seems that everything is configured correctly since sometimes it works.
Have you ever found something similar or know what can be happening? Do
you think that maybe the problem is on the client (browser) side?

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review
configuration files of tomcat and apache or even run it.

Thank you so much for your support.

Try turning on debug logging for mod_jk. It will generate lots of data
so just do it long enough to see the problem. When you look at the logs
you should be able to see if the SSL Session ID is being passed to
Tomcat or not.

Mark




















Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-07 Thread André Warnier

Alex Soto wrote:

yes it is set at httpd-ssl.config
https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd-ssl.conf#L229
which I think is where it should be set.
Everything is too strange, but thanks anyway.


Then, and until Rainer himself jumps in, let me ask you if it would be possible to make 
one more test. As far as I understand, this is not the way it /should/ work, but it may be 
a way to find out what doesn't work, inasmuch as there is really a problem :


Somewhere in that same page, there is a way by which you can force a value to be passed 
on to Tomcat as a request attribute (via JkEnvVar name default-value).
Can you try to pass the SSL session-id in that way, and obtain it in Tomcat via 
request.getAttribute(name), instead of the standard request.ssl_session ?

And check if /then/, you get it all the time ?

Again, this is probably not the way in which this should work. But Tomcat is open-source 
and free software, and its development and debugging benefit from the help of any 
benevolent user, particularly if that user is interested in solving a particular problem 
that he is having.




El dt., 7 jul. 2015 a les 19:17, André Warnier (a...@ice-sa.com) va
escriure:


Alex Soto wrote:

Thank you so much but it is already set.


https://github.com/lordofthejars/apache-tomee-ssl/blob/master/httpd.conf#L171

This is so strange.

But there is also this phrase : In order to make SSL data available for mod_jk in Apache,
you need to set SSLOptions +StdEnvVars.

Honestly, I have never tried this, and I am not an SSL specialist at all, and the phrase
above is a bit ambiguous.  But it seems worth a try, and I do not see it in your
configuration.


El dt., 7 jul. 2015 a les 12:25, André Warnier (a...@ice-sa.com) va
escriure:


Mark Thomas wrote:

On 07/07/2015 09:28, Alex Soto wrote:

Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
a gist to not add here a lot of lines).

Now the question is whether it happens because of mod_jk or because of Apache?

Alex.

OK. You've reached the limits of my comfort zone. You need someone more
familiar with the httpd side of things at this point. Rainer?

Mark

Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for JkExtractSSL.



El dl., 6 jul. 2015 a les 12:48, Mark Thomas (ma...@apache.org) va
escriure:


On 06/07/2015 10:48, Alex Soto wrote:

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where the problem is, whether in mod_jk, in Apache
Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
configuration.

I am configuring the typical Apache as frontend and TomEE (Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It
may return a null at first, then stay working for about 10 requests, then
stop working again during some requests and the get attribute returns null.
It seems that everything is configured correctly since sometimes it works.
Have you ever found something similar or know what can be happening? Do
you think that maybe the problem is on the client (browser) side?

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review
configuration files of tomcat and apache or even run it.

Thank you so much for your support.

Try turning on debug logging for mod_jk. It will generate lots of data
so just do it long enough to see the problem. When you look at the logs
you should be able to see if the SSL Session ID is being passed to
Tomcat or not.

Mark




















Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id

2015-07-07 Thread André Warnier

Mark Thomas wrote:

On 07/07/2015 09:28, Alex Soto wrote:

Hi Mark, SSL Session ID is not passed to Tomcat. You can see the logs here
https://gist.github.com/lordofthejars/226d8ed605f2a58b52f3 (I have created
a gist to not add here a lot of lines).

Now the question is whether it happens because of mod_jk or because of Apache?
Alex.


OK. You've reached the limits of my comfort zone. You need someone more
familiar with the httpd side of things at this point. Rainer?

Mark


Not Rainer, but maybe this helps :
http://tomcat.apache.org/connectors-doc/reference/apache.html
Look for JkExtractSSL.





El dl., 6 jul. 2015 a les 12:48, Mark Thomas (ma...@apache.org) va
escriure:


On 06/07/2015 10:48, Alex Soto wrote:

Hello, I have seen a strange behaviour in Apache HTTPD (2.4) and TomEE (in
fact it is a Tomcat (7.0.61), so it is exactly the same for Tomcat) when I
configure Apache server with SSL and mod_jk.
In fact I am not sure where the problem is, whether in mod_jk, in Apache
Server or in Tomcat, but I suspect that maybe the problem is in the mod_jk
configuration.

I am configuring the typical Apache as frontend and TomEE (Tomcat) as
backend solution. Currently Apache is configured with SSL and with mod_jk
it connects to TomEE using AJP. This works perfectly. The problem is that
inside my code I need to get the ssl session id:

String ssl =
(String)servletRequest.getAttribute("javax.servlet.request.ssl_session_id");

I don't know why but sometimes this attribute is null and sometimes not. It
may return a null at first, then stay working for about 10 requests, then
stop working again during some requests and the get attribute returns null.
It seems that everything is configured correctly since sometimes it works.
Have you ever found something similar or know what can be happening? Do
you think that maybe the problem is on the client (browser) side?

Everything is dockerized here:
https://github.com/lordofthejars/apache-tomee-ssl so you can review
configuration files of tomcat and apache or even run it.

Thank you so much for your support.

Try turning on debug logging for mod_jk. It will generate lots of data
so just do it long enough to see the problem. When you look at the logs
you should be able to see if the SSL Session ID is being passed to
Tomcat or not.

Mark















Re: HTML 508 error with container authentication and virtual host

2015-07-07 Thread André Warnier

Hi.

David Hoffer wrote:

I've added FORM container authentication with Tomcat and everything works
fine as long as users use the full URL to the app (URL in Tomcat's manager
app).

However users want to use a different URL based on a virtual host, e.g.
myapp.mycompany.com.  It brings the users to the app no problem but then
when they try to login Tomcat reports a 508 error, how do I solve this?

The URL in the browser when this happens is
myapp.mycompany.com/j_security_check



1) to save time for everyone in the end, please provide at least the full version of Tomcat 
that you are using.
2) HTTP status code 508 indicates that some server resource limit has been reached.  That 
points to some kind of infinite loop. That would tend to hint at the fact that whatever 
your login form is pointing to, maybe itself is a protected location and so on..
3) Anyway, your question above would be a lot clearer (and it would also save time), if 
you copy and paste the content of your Tomcat's server.xml file, below here :

(please remove any comments and confidential information)






Re: HTML 508 error with container authentication and virtual host

2015-07-07 Thread André Warnier

André Warnier wrote:

Hi.

David Hoffer wrote:

I've added FORM container authentication with Tomcat and everything works
fine as long as users use the full URL to the app (URL in Tomcat's 
manager

app).

However users want to use a different URL based on a virtual host, e.g.
myapp.mycompany.com.  It brings the users to the app no problem but then
when they try to login Tomcat reports a 508 error, how do I solve this?

The URL in the browser when this happens is
myapp.mycompany.com/j_security_check



1) to save time for everyone in the end, please provide at least the full 
version of Tomcat that you are using.
2) HTTP status code 508 indicates that some server resource limit has 
been reached.  That points to some kind of infinite loop. That would 
tend to hint at the fact that whatever your login form is pointing to, 
maybe itself is a protected location and so on..
3) Anyway, your question above would be a lot clearer (and it would also 
save time), if you copy and paste the content of your Tomcat's 
server.xml file, below here :

(please remove any comments and confidential information)



Addendum : I think that you should also provide a copy of your webapp's WEB-INF/web.xml 
file here. Again, remove any passwords, real hostnames etc.. (but be consistent : replace 
the same thing by the same thing always.)







Re: HTML 508 error with container authentication and virtual host

2015-07-07 Thread André Warnier

David Hoffer wrote:

1. Apache Tomcat/7.0.55 (Ubuntu)
2. Hum I don't think so...it works fine when using the full URL, e.g.
www.mycompany.com:8080/myapp it's only when we use Apache 


wait.. what, how ? you are using an Apache httpd front-end ? you never mentioned that 
before.  We have no crystal ball here, so we are trying to guess your configuration, to 
try to guess what the problem may be.

But if you are hiding things from us, this could take a long time.

We may also need to know how exactly you are proxying from Apache httpd to 
Tomcat then.
Anyway, also send your webapp's web.xml.

From your (incomplete) description so far, it looks as if you may be re-directing to the 
wrong place, which re-directs to the wrong place, which re-directs to the wrong place and 
so on.  You are probably doing your very own DOS attack on your own server. :-)


You may be able to figure this out by yourself, if you think about what really happens, 
step by step.


so users can get

to this same app via myapp.mycompany.com that we get the 508 error from
Tomcat.
3. I don't think we have made any changes to Tomcat's server.xml but here
is a copy.

<?xml version='1.0' encoding='utf-8'?>

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>



On Tue, Jul 7, 2015 at 8:28 AM, André Warnier a...@ice-sa.com wrote:


Hi.


David Hoffer wrote:


I've added FORM container authentication with Tomcat and everything works
fine as long as users use the full URL to the app (URL in Tomcat's manager
app).

However users want to use a different URL based on a virtual host, e.g.
myapp.mycompany.com.  It brings the users to the app no problem but then
when they try to login Tomcat reports a 508 error, how do I solve this?

The URL in the browser when this happens is
myapp.mycompany.com/j_security_check



1) to save time for everyone in the end, please provide at least the full
version of Tomcat that you are using.
2) HTTP status code 508 indicates that some server resource limit has been
reached.  That points to some kind of infinite loop. That would tend to
hint at the fact that whatever your login form is pointing to, maybe itself
is a protected location and so on..
3) Anyway, your question above would be a lot clearer (and it would also
save time), if you copy and paste the content of your Tomcat's server.xml
file, below here :
(please remove any comments and confidential information)













Re: Spring Scheduled Task is triggered multiple times

2015-07-05 Thread André Warnier

Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Zoran,

On 7/3/15 2:41 AM, Zoran Avtarovski wrote:
I have a context.xml in the META-INF directory which sets up a db 
container and jndi datasource realm, could this be the issue?


<?xml version="1.0" encoding="UTF-8"?>
<Context URIEncoding="UTF-8" antiResourceLocking="false" path="/pain">



This is unconnected with your initial problem, but URIEncoding isn't
a valid attribute for Context.


And as a didactic interlude, here is why :

1) the standard default character set / encoding on the WWW is (regrettably) still 
ISO-8859-1 (otherwise known as iso-latin-1 or simply latin-1). So in the absence of this 
attribute, the request URI would be interpreted by the webserver as encoded in ISO-8859-1. 
 The attribute tells the webserver (Tomcat) to interpret the URI instead as being 
Unicode, UTF-8 encoded, which is not the default.


2) The webserver first has to decode the protocol and host and port part of the HTTP 
request.  That tells it (among other things) which Host should handle the request.


3) The mapping of the request to a webapp (also known as Context) comes later, within the 
Host.  And for doing that, the webserver needs to be able to decode and interpret the 
URI properly, for which it needs to know in which character set / encoding this URI is 
expressed.


At the level of the Context thus, this attribute would come too late, because by then 
the mapping of the URI to a Context/webapp should already have happened.


That's why URIEncoding is an attribute of the Host entry, and not the Context entry. 
CQFD.


Also, your context.xml should never contain a path attribute for Context.



Explained in detail here : 
http://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Common_Attributes

-- path


You should remove both of these attributes from Context.

- -chris



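The ordering argument above (the URI has to be decoded before it can be matched against a Context, so the character set cannot come from the Context) can be seen in a few lines of code. This is an added example, not code from the thread or from Tomcat: it models the mapping step in Python with constructed context paths, takes the character set as a Host-level input, and shows how the same percent-encoded request line lands in different webapps depending on that setting.

```python
"""Why the URI encoding must be known before a request is mapped to a webapp.

Added example, not from the thread or from Tomcat. The request line carries
the path percent-encoded, i.e. as raw bytes; a character set must be chosen
to turn those bytes into a string before the path can be compared with the
deployed context paths. The context paths are constructed for the example.
"""
from urllib.parse import unquote_to_bytes

# Hypothetical deployed webapps (context paths). "" is the ROOT context.
CONTEXTS = ["/caf\u00e9", "/pain", ""]


def decode_uri(raw_uri, uri_encoding):
    """Percent-decode to bytes, then decode with the configured character set.

    Returns None when the bytes are not valid in that character set (a
    latin-1 byte such as %E9 is not valid UTF-8). ISO-8859-1 never fails,
    which is why a wrong default silently yields a different, wrong path
    instead of an error.
    """
    try:
        return unquote_to_bytes(raw_uri).decode(uri_encoding)
    except UnicodeDecodeError:
        return None


def map_context(raw_uri, uri_encoding):
    """Return (decoded_path, context_path) for the longest matching context.

    uri_encoding plays the role of the Host-level setting: it is an input to
    this step, so it cannot be read from the Context this step is selecting.
    (None, None) means the path could not be decoded at all; what a real
    server does with such a request is outside this example.
    """
    path = decode_uri(raw_uri, uri_encoding)
    if path is None:
        return None, None
    best = ""
    for ctx in CONTEXTS:
        if ctx and (path == ctx or path.startswith(ctx + "/")) and len(ctx) > len(best):
            best = ctx
    return path, best


if __name__ == "__main__":
    raw = "/caf%C3%A9/menu"  # "/café/menu" percent-encoded as UTF-8
    for enc in ("utf-8", "iso-8859-1"):
        print(enc, map_context(raw, enc))
    print("latin-1 byte read as utf-8:", map_context("/caf%E9/menu", "utf-8"))
```

With the default ISO-8859-1 the UTF-8 bytes of "é" decode to two other characters, the "/café" webapp is never matched and the request falls through to ROOT; a URIEncoding set on that Context would never have been consulted.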



Re: Spring Scheduled Task is triggered multiple times

2015-07-02 Thread André Warnier

Zoran Avtarovski wrote:

We have a struts2 based app that uses spring scheduling to trigger a task
every morning at 6am.

The problem we have is that the task is triggered multiple times,
simultaneously.

We have an Ubuntu 14.04.1 Server using the standard tomcat 7 installed using
apt-get and running on oracle java 8.

Tomcat is configured as a stand alone not a cluster and I had a look at the
servers.xml file and it only has one host.

It has to be the way we have tomcat configured, but I can't see what. I
changed from quartz to spring scheduling thinking the issue was quartz, but
that made no difference.

I'd really appreciate any pointers at this stage.



And so would we..

If you believe that the issue may be in the configuration, how about copying that 
configuration file here for instance ?

(Remove any comments or sensitive information).
Also try to be a bit more precise in terms of what software you have installed.
In the bin directory of Tomcat (/usr/share/tomcat7/bin), there is a version.sh script. 
Run it and copy the output here.


(You may have a bit of trouble there under Ubuntu, because you probably have to set 
JRE_HOME first. Do a which java and follow the links going through /etc/alternatives, 
until you find something with jre/bin/java in it. JRE_HOME is the path ending in jre/. 
Or find out how /etc/init.d/tomcat7 does it.)






Re: Spring Scheduled Task is triggered multiple times

2015-07-02 Thread André Warnier
</filter-name>
<url-pattern>*.ftl</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>struts-execute</filter-name>
<url-pattern>/struts/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>Connector</servlet-name>
<servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/image/</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
<servlet-name>Connector</servlet-name>
<url-pattern>/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
</servlet-mapping>

<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jssp</url-pattern>
<url-pattern>*.mp3</url-pattern>
<url-pattern>*.csp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>

<!-- MIME mapping -->
<mime-mapping>
<extension>css</extension>
<mime-type>text/css;charset=UTF-8</mime-type>
</mime-mapping>
<mime-mapping>
<extension>js</extension>
<mime-type>application/x-javascript;charset=UTF-8</mime-type>
</mime-mapping>

<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>

<security-role>
<description>Authorised to use the site</description>
<role-name>role</role-name>
</security-role>

<resource-ref>
<description>My DB Connection</description>
<res-ref-name>jdbc/myDB</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>

<security-constraint>
<display-name>PainData</display-name>
<web-resource-collection>
<web-resource-name>Restricted Access</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>role</role-name>
</auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyApp</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>

</web-app>



Thanks again.


Z.

On 2/07/2015 5:20 pm, André Warnier a...@ice-sa.com wrote:


Zoran Avtarovski wrote:

We have a struts2 based app that uses spiring scheduling to trigger a
task
every morning at 6am.

The problem we have is that task in triggered multiple times,
simultaneously.

We have an Ubuntu 14.04.1 Server using the standard tomcat 7 installed
using
apt-get and running on oracle java 8.

Tomcat is configured as a stand alone not a cluster and I had a look at
the
servers.xml file and it only has one host.

It has to be the way we have tomcat configured, but I can't see what. I
changed from quartz to spring scheduling thinking the issue was quartz,
but
that made no difference.

I'd really appreciate any pointers at this stage.


And so would we..

If you believe that the issue may be in the configuration, how about
copying that 
configuration file here for instance ?

(Remove any comments or sensitive information).
Also try to be a bit more precise in terms of what software you have
installed.
In the bin directory of Tomcat (/usr/share/tomcat7/bin), there is a
version.sh script.
Run it and copy the output here.

(You may have a bit of trouble there under Ubuntu, because you probably
have to set 
JRE_HOME first. Do a which java and follow the links going through

/etc/alternatives,
until you find something with jre/bin/java in it. JRE_HOME is the path
ending in jre/. 
Or find out how /etc/init.d/tomcat7 does it.)
















Re: Spring Scheduled Task is triggered multiple times

2015-07-02 Thread André Warnier

Christopher Schultz wrote:


Zoran,

On 7/2/15 1:22 AM, Zoran Avtarovski wrote:

We have a struts2 based app that uses spiring scheduling to trigger
a task every morning at 6am.

The problem we have is that task in triggered multiple times, 
simultaneously.


What evidence do you have that the task is triggered multiple times?
(I'm not saying I don't believe you, I'm just curious... it might help
determine WHY it's being run twice.)


We have an Ubuntu 14.04.1 Server using the standard tomcat 7
installed using apt-get and running on oracle java 8.


Ubuntu tends to be relatively up-to-date compared to other distros,
but do you know what version of Tomcat 7 you actually have? It won't
have anything to do with this problem, but upgrading to latest is
always recommended.


Tomcat is configured as a stand alone not a cluster and I had a
look at the servers.xml file and it only has one host.

It has to be the way we have tomcat configured, but I can't see
what. I changed from quartz to spring scheduling thinking the issue
was quartz, but that made no difference.

I'd really appreciate any pointers at this stage.


At first, I was sure the issue would be multiple-deployment, triggered
by putting a Context element in your server.xml that pointed to a
WAR file (or exploded WAR directory) in your webapps/ folder. That
would do it. But you posted your server.xml elsewhere in this thread,
and that's not the problem.

But you might still have a double-deployment.

Do you have any files in CATALINA_BASE/conf/Catalina/localhost/? If
so, which ones and what do they contain?

What do you have in CATALINA_BASE/webapps/?

How do you launch Tomcat?



Also, if an application is being doubly-deployed, it should be visible in the Tomcat 
logfile (at the beginning, when Tomcat starts).







Re: why is Tomcat 7 invoking WebSocket protocol?

2015-07-01 Thread André Warnier

Caldarale, Charles R wrote:
From: André Warnier [mailto:a...@ice-sa.com] 
Subject: Re: why is Tomcat 7 invoking WebSocket protocol?


But maybe the solution consists simply in renaming that filter, so that it does not 
give the mistaken impression that the WebSocket protocol is necessarily being used ?


That can't be a solution, because there really isn't a problem here.  The 
WsFilter has to be in the chain, just in case there's a websocket upgrade in the request. 
 The OP needs to focus on the real problem, not this non-issue.


Hi.
I did not mean solution as correcting a problem.  I understand that the filter has to 
be there.
I meant solution in the sense of probably avoiding a lot of questions in the future 
about the same thing.  Maybe renaming it to something like ProtocolDetectionFilter would 
be less of a trigger for the uninformed public.






Re: why is Tomcat 7 invoking WebSocket protocol?

2015-06-30 Thread André Warnier

Hi.

Sorry to jump in, and to top-post, and maybe make an irreverential comment :

But maybe the solution consists simply in renaming that filter, so that it does not give 
the mistaken impression that the WebSocket protocol is necessarily being used ?


Kiran Badi wrote:

Hi Mark,

Sorry to jumping in

But even I have seen this in few of my exception traces though I never use
websockets.Some where down the line when exception is thrown wsfilter shows
up in traces.I am guessing it should be some kind of exception filter so it
bubbles up for exception types irrespective of protocol.

Let me check my old stack traces and post few snippets of it,but they were
valid exception in my case just that I never had websockets in my app.

On Monday, June 29, 2015, Mark Thomas ma...@apache.org wrote:


On 29/06/2015 07:12, Ric Bernat wrote:

We have a Jersey application running on Tomcat 7.0.62. In production,
99.9% of our web service calls run quickly (e.g., 100ms), but there are
about half a dozen web service calls per hour that take an extraordinary
amount of time to complete: 30-120 seconds (not ms).

We do not use WebSockets in our application. However, our profiling tool
clearly shows that Tomcat is invoking the WebSocket protocol on the
slow-running web service calls. In the stack trace below, see this line:

org.apache.tomcat.websocket.server.WsFilter.doFilter (WsFilter.java:46)

That shows nothing of the sort. I suggest you take a look at the code in
question before jumping to invalid conclusions.

Mark



How can we track down what is causing Tomcat to use the WebSocket
protocol, given that our application code does not make any references
to WebSocket annotations, etc.? Or is there a configuration option we
can use to cause Tomcat to not use WebSockets?

Thanks much.

 Stack trace
  org.glassfish.jersey.server.ApplicationHandler.handle
(ApplicationHandler.java:13)
  org.glassfish.jersey.servlet.WebComponent.service
(WebComponent.java:401)
  org.glassfish.jersey.servlet.ServletContainer.service
(ServletContainer.java:386)
  org.glassfish.jersey.servlet.ServletContainer.service
(ServletContainer.java:335)
  org.glassfish.jersey.servlet.ServletContainer.service
(ServletContainer.java:222)
….catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:303)
…g.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:208)
   org.apache.tomcat.websocket.server.WsFilter.doFilter

(WsFilter.java:46)

….catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:241)
…g.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:208)
   org.apache.catalina.core.StandardWrapperValve.invoke
(StandardWrapperValve.java:220)
   org.apache.catalina.core.StandardContextValve.invoke
(StandardContextValve.java:122)
…apache.catalina.authenticator.AuthenticatorBase.invoke
(AuthenticatorBase.java:505)
  org.apache.catalina.core.StandardHostValve.invoke
(StandardHostValve.java:170)
 org.apache.catalina.valves.ErrorReportValve.invoke
(ErrorReportValve.java:103)
   org.apache.catalina.valves.AccessLogValve.invoke
(AccessLogValve.java:957)
org.apache.catalina.core.StandardEngineValve.invoke
(StandardEngineValve.java:116)
org.apache.catalina.connector.CoyoteAdapter.service
(CoyoteAdapter.java:423)
…g.apache.coyote.http11.AbstractHttp11Processor.process
(AbstractHttp11Processor.java:1079)
…ote.AbstractProtocol$AbstractConnectionHandler.process
(AbstractProtocol.java:620)
…ache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
(NioEndpoint.java:1747)
…apache.tomcat.util.net.NioEndpoint$SocketProcessor.run
(NioEndpoint.java:1706)
  java.util.concurrent.ThreadPoolExecutor.runWorker
(ThreadPoolExecutor.java:1145)
 java.util.concurrent.ThreadPoolExecutor$Worker.run
(ThreadPoolExecutor.java:615)
…he.tomcat.util.threads.TaskThread$WrappingRunnable.run
(TaskThread.java:61)
   java.lang.Thread.run (Thread.java:745)












Re: SSL configuration using PFX as keystore

2015-06-29 Thread André Warnier

Mark Thomas wrote:

On 26/06/2015 19:37, Mark Thomas wrote:

On 22/06/2015 11:56, Mark Thomas wrote:

On 22/06/2015 09:39, Mark Thomas wrote:

snip/


Prompting for authentication in response to an untrusted certificate is
bizarre to say the least.

Microsoft generously provide MSDN subscriptions for Apache committers
which is why I have the various OS's to hand to test this. The
subscription also comes with tech support. I'll open an incident. It
will be interesting to see if things have improved since I last tried
raising bugs with Microsoft (I filed so many bugs with MS Office and it
took so long for MS to fix them that I hit the limit of issues MS would
let me have open in parallel).

Support incident raised. I await the response with interest...


Oh dear. Not a good first response from Microsoft.

First they tried to say that the WebDAV server must be triggering the
prompt for credentials which would be difficult to say the least given
that the TLS connection is never established AND that the WebDAV
endpoint was configured for anonymous access.

Then they tried to suggest that I contact Apache for support. Lets just
say that suggestion got shut down rather quickly.


Like, I /am/ Apache support ? :-)



Finally they went back to trying to suggest that the server was asking
for credentials. A rather circular discussion followed that demonstrated
that the support person had little to no understanding of the OSI
network model (they continued to try to claim that establishing a TCP
connection meant that the WebDAV server could have sent the request for
authentication credentials despite the fact that the TLS connection failed).

The only small ray of hope is that they asked for a network trace of the
connection process. That should enable someone more clueful at Microsoft
to confirm it is the client error handling at fault.

I'll keep the list informed of progress.

Mark










Re: Distinct servlets for different domains in one web application

2015-06-29 Thread André Warnier

Christian wrote:

André,

On 28.06.2015 23:11, André Warnier wrote:

Christian wrote:

Mark,

On 28.06.2015 19:58, Mark Eggers wrote:


Christian,

On 6/28/2015 9:01 AM, Christian wrote:

Hello all,

is it somehow possible to create a web application with multiple
servlets that are registered to different domains for the same url
paths using tomcat 8? I already crawled through the catalina code
that is responsible for the servlet selection and didn't find
anything that would allow this. But this doesn't mean that it
isn't possible at all. As far as I know, java configuration for
servlet registration doesn't allow passing domain names. But maybe
there is an option within context.xml.

I want to create a web application that has different domains for
the application itself and its management site. Both parts should
run at the context root, at different domains. The application
needs a shared (spring-)context in which the application's beans
are stored.

Regards, Christian

I'm not quite sure what your after. Sharing Spring beans across
contexts and domains sounds like there's an underlying requirement I
don't understand.


ok, I'll try to explain, as aliases won't do what I need.
It's an application that can be configured via an admin interface. 
The admin interface is one part of the webapp.
The main application is accessible via www.example.com. The admin 
interface needs access to the beans within the main application (e. 
g. to create tenants that live in context scope), that's why I 
created just one webapp with two dispatcher servlets.
One dispatcher servlet is responsible for the admin interface and one 
for the main application. Until now I make tomcat select them by 
using a context path for the admin interface.
But this is redundant, because the admin interface needs to be 
accessed via admin.example.com/admin instead of just 
admin.example.com. I would like to map admin.example.com to the admin 
servlet and www.example.com to the main applications dispatcher servlet.
At a later stage, www.example.com/admin might be used for other admin 
tasks that must be accessible by users registered on the main site. 
But /admin is already shadowed.


Hopefully I could explain my problem a little better.


Yes, that is much clearer.
Honestly without having really figured out the details of your 
explanation, I would nevertheless point you in 2 directions for that 
kind of thing :
a) use an Apache httpd front-end proxy, and use the httpd proxying 
and/or URL rewriting capabilities to do what you want


thanks for your suggestion! The application anyway needs a reverse proxy 
/ ssl gateway, because tomcat isn't capable of doing TLS with SNI. Your 
proposed solution seems appropriate, although I have to figure out how 
to cleanly generate the correct urls within the application.


<VirtualHost *:80>
  ServerName admin.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/admin/
  ProxyPassReverse / ajp://mytomcat.local/admin/
  ProxyPassReverseCookieDomain /admin /
</VirtualHost>

<VirtualHost *:80>
  ServerName www.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/
  ProxyPassReverse / ajp://mytomcat.local/
</VirtualHost>

The ProxyPassReverse* take care of re-directs and cookies.
But in your admin application pages, you should make sure that your are returning only 
relative URLs.

E.g. if the admin application would normally return a page with
<img src="/admin/images/logo.jpg" />
it should instead return
<img src="images/logo.jpg" />
and the browser and the proxy should then do the right thing.

Or else, you could add an output filter at the httpd level, and rewrite all the URLs on 
the fly.
That is a bit resource-instensive, but I would imagine that your admin application is not 
one with very high traffic.


Note also : in the schema above, there is nothing which prevents a user on 
www.mydomain.com to request a URL like /admin, which could lead to accidents..
You may want to add a RewriteCond/RewriteRule in that VirtualHost which prevents them 
doing that.






Regards,
Christian


or
b) use the built-in Rewrite Valve of Tomcat 8 
(http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html), or if you are 
at a lower Tomcat version, use the add-on URLRewrite Filter 
(www.tuckey.org)


A Valve is a Tomcat-specific component, so that solution is generally 
non-portable to another servlet container.  The others (httpd 
front-end or the URLRewriteFilter (a servlet filter)) are portable.


Personally, in this case, and considering that you want to do 
different things depending on the hostname used to access Tomcat, I 
would go the httpd front-end route, with 2 VirtualHosts at the httpd 
level, proxying to a single Host at the Tomcat level (but in one case, 
after modifying the URL).
That's because I think that trying to do this at the Tomcat level only 
may give you headaches in terms of self-referential URLs returned by 
your application
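The two-VirtualHost layout in the reply above, with the ProxyPassReverse header mapping, the optional output filter for self-referential URLs and the suggested guard against /admin on the public host, modelled as an added Python example (this is not code from the thread or from httpd). The host names mytomcat.local, admin.mydomain.com and www.mydomain.com are the thread's; the function names, the HTTP form given to the AJP backend and the sample HTML are assumptions made for the example:

```python
"""Added example (not from the thread): a model of the httpd front-end
described above, with two name-based VirtualHosts proxying to one Tomcat.
It reproduces three things httpd does for that layout: route by Host header,
refuse /admin on the public host (the RewriteRule suggested in the reply),
and map the backend's self-referential URLs back to the external name
(ProxyPassReverse for headers, an output filter for HTML bodies).
Host names come from the thread; function names, the HTTP form of the AJP
backend and the sample HTML are constructed for this example."""
import re

# Assumption: the ajp://mytomcat.local backend, expressed as an HTTP origin
# so that Location headers can be compared as plain strings.
BACKEND = "http://mytomcat.local"

# External host -> backend path prefix, mirroring the two ProxyPass lines.
ROUTES = {
    "admin.mydomain.com": "/admin/",
    "www.mydomain.com": "/",
}

# href/src/action attributes that point at the webapp's own /admin/ context.
ADMIN_URL = re.compile(r"""(href|src|action)=(["'])/admin/""")

# Constructed sample of what the admin servlet returns (absolute self-references).
SAMPLE_HTML = '<a href="/admin/users">Users</a><img src="/admin/images/logo.jpg" />'


def route(host: str, path: str):
    """Decide where a request goes. Returns (backend_url, None) when it is
    proxied, or (None, http_status) when httpd answers it itself."""
    prefix = ROUTES.get(host)
    if prefix is None:
        return None, 404                      # no VirtualHost for this name
    # The guard from the reply: the public host must never reach /admin on
    # Tomcat, even though "ProxyPass /" would happily forward it.
    if host == "www.mydomain.com" and (path == "/admin" or path.startswith("/admin/")):
        return None, 403
    return BACKEND + prefix.rstrip("/") + path, None


def reverse_location(host: str, location: str) -> str:
    """What ProxyPassReverse does: a redirect issued by Tomcat names the
    backend; rewrite it so the browser keeps talking to the external host."""
    backend_base = BACKEND + ROUTES[host]          # e.g. http://mytomcat.local/admin/
    if location.startswith(backend_base):
        return "http://" + host + "/" + location[len(backend_base):]
    return location                                 # foreign URL: leave alone


def rewrite_html(host: str, html: str) -> str:
    """The optional httpd output filter from the reply: on the admin host the
    webapp's absolute /admin/... links become root-relative, so the browser
    resolves them against admin.mydomain.com. Nothing is touched on www."""
    if host != "admin.mydomain.com":
        return html
    return ADMIN_URL.sub(lambda m: f"{m.group(1)}={m.group(2)}/", html)


if __name__ == "__main__":
    for host, path in [("admin.mydomain.com", "/login"), ("www.mydomain.com", "/admin/users")]:
        print(host, path, "->", route(host, path))
    print(reverse_location("admin.mydomain.com", BACKEND + "/admin/login.jsp"))
    print(rewrite_html("admin.mydomain.com", SAMPLE_HTML))
```

The guard in route() is the point to check after deploying the real httpd configuration: request /admin and /admin/ through the www name and confirm that httpd, not Tomcat, answers. Note that reverse_location() applied on the www host would turn a backend redirect to /admin/... into a www.mydomain.com/admin/... URL, which is exactly the self-referential-URL headache the reply warns about when the admin context is reachable from both names.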

Re: [OT] Re: Filter behaviour

2015-06-29 Thread André Warnier

George Stanchev wrote:

For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back.

[1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes


Not to start a fight on SOAP on this Tomcat forum, but in the wording of the section 
referenced above, I definitely do not see that you *MUST* send a 5xx or 4xx Status Code back.

One should start reading a bit earlier, at 7.5.2.2 Receiving.
The gist seems to be : send a 2xx code back, along with a SOAP envelope containing the 
SOAP fault, or if you cannot, then use one of the HTTP error codes below.
But sending /only/ a HTTP error code is, in my view, confusing for the client, because it 
would not be able to distinguish between a HTTP transport error, and a service-level error.




-Original Message-
From: Leo Donahue [mailto:donahu...@gmail.com] 
Sent: Saturday, June 27, 2015 11:45 PM

To: Tomcat Users List
Subject: [OT] Re: Filter behaviour

On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com
wrote:


public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException
{
boolean iAmNotAuthorized = true;

if (iAmNotAuthorized)
{
// generate the HTTP Servlet Response for a 403 status code
HttpServletResponse httpResponse = (HttpServletResponse) response;

//httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
httpResponse.setHeader("WWW-Authenticate", "Basic");

WWW-Authenticate header is usually used with 401 response.

It is unusual to use it with 403 one, though the spec does not forbid 
it. (I am not sure how browsers react here, though)


http://tools.ietf.org/html/rfc7235#section-4.1


Best regards,
Konstantin Kolinko



http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target.  It's 
misleading.  That seems to open the door for any kind of response, or no response.

I am on the fence about sending 401 or 403 responses from a web service.
They both indicate something is there, you just can't get to it.

The 401 alludes that something is wrong with your username/password.

The 403 is more vague.  You may have the right username and password (and I'm not going 
to bother to tell you), but your account may not have the correct role associated with 
using this service, so rather than say anymore, I'll just let you know you are forbidden.  Users 
have no idea, other than there is something good at the end of this request for me to be forbidden.

From the perspective of troubleshooting customer requests to your published web 
service, developers can log the unsuccessful attempt (Authentication or
Authorization) and review the log files for answers to trouble shooting, but 
sending back a status code doesn't seem to always make sense depending on what 
types of application clients your customers are using.

For example:

Suppose you call a SOAP web service that takes an object as a parameter and 
that service returns another type of object.  When customers expect an object, 
they may get a HTTP status code of 401 or 403 if they botched sending the 
correct username/password in the authentication header.  And maybe, their 
password is merely expired.  In situations like those, it seems more reasonable 
to send back a Soap Fault of some kind as defined in the schema.  The message 
could be as simple as: Authorization failed.

It seems easier for clients to know that a soap web service may throw a 
ClientAuthorizationException for example, rather than parse out a HTTP status 
code response?

I don't know though.

Leo








Re: Question on warning message from catalina log file

2015-06-29 Thread André Warnier

minh tran wrote:

Hello , I tried to deploy myproj war file to tomcat production server and I got this 
message from the catalina log file saying that WARNING: A myproj docBase inside the 
host appBase has been specified, and will be ignored.I don't know what it meant but 
one thing I know that  myproj did not get deployed since my logfile did not get any 
change. I'd be very much appreciative if you could somehow shed some lights into this and 
tell me what I might be missed in order to have a proper deploy.
Thanks so much,Tom 


See : 
http://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Common_Attributes
-- docBase

in the superb Tomcat on-line documentation.






Re: [OT] Re: Filter behaviour

2015-06-28 Thread André Warnier

Leo Donahue wrote:

On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com
wrote:


public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException
{
boolean iAmNotAuthorized = true;

if (iAmNotAuthorized)
{
// generate the HTTP Servlet Response for a 403 status code
HttpServletResponse httpResponse = (HttpServletResponse) response;
//httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
httpResponse.setHeader("WWW-Authenticate", "Basic");

WWW-Authenticate header is usually used with 401 response.

It is unusual to use it with 403 one, though the spec does not forbid
it. (I am not sure how browsers react here, though)

http://tools.ietf.org/html/rfc7235#section-4.1


Best regards,
Konstantin Kolinko



http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target.  It's
misleading.  That seems to open the door for any kind of response, or no
response.

I am on the fence about sending 401 or 403 responses from a web service.
They both indicate something is there, you just can't get to it.

The 401 alludes that something is wrong with your username/password.

The 403 is more vague.  You may have the right username and password (and
I'm not going to bother to tell you), but your account may not have the
correct role associated with using this service, so rather than say
anymore, I'll just let you know you are forbidden.  Users have no idea,
other than there is something good at the end of this request for me to be
forbidden.


From the perspective of troubleshooting customer requests to your published

web service, developers can log the unsuccessful attempt (Authentication or
Authorization) and review the log files for answers to trouble shooting,
but sending back a status code doesn't seem to always make sense depending
on what types of application clients your customers are using.

For example:

Suppose you call a SOAP web service that takes an object as a parameter and
that service returns another type of object.  When customers expect an
object, they may get a HTTP status code of 401 or 403 if they botched
sending the correct username/password in the authentication header.  And
maybe, their password is merely expired.  In situations like those, it
seems more reasonable to send back a Soap Fault of some kind as defined in
the schema.  The message could be as simple as: Authorization failed.

It seems easier for clients to know that a soap web service may throw a
ClientAuthorizationException for example, rather than parse out a HTTP
status code response?

I don't know though.


Hi.
I think that you should not mix SOAP and HTTP.  They are two different things.
For SOAP, HTTP is a /transport/, one among several possible.  For example, you should be 
able to send your SOAP request over email, and it should not make a fundamental difference 
to your SOAP application.


An analogy would be :
You are planning to attend a concert in town, for which you have a ticket.
To get to the concert, you take a bus, for which you have a (return) ticket too.
However, it turns out that your bus ticket is invalid, so the conductor throws you off the 
bus and you never even get to the concert.
Should you have had a valid bus ticket, you would have gotten to the concert, only to find 
out that your concert ticket is invalid.  So they would not let you in to the concert. But 
because your bus return ticket is valid, you would still be able to take the bus back 
home, because for the bus line, there is no error. And the bus conductor would not know, 
and not care, that you have just been thrown out of the concert.
(The concert people did they own thing, by refusing you entry. But they should not be 
able, or allowed, to confiscate your bus return ticket).


In other words, HTTP and SOAP are independent, and you should not use status codes of the 
one to return errors of the other.  It just happens in this case that you are using HTTP 
as a transport for SOAP.


The HTTP protocol layer has its own access control, authentication and authorisation 
mechanism. You have to pass those, before your SOAP request even gets to the SOAP-based 
application (the web service). Similarly, HTTP has rather well-defined status codes, 
which relate to the HTTP part of the business.
After passing through HTTP, it may well be that the SOAP application has its own AAA 
constraints, that are different from the HTTP-level ones.  If there is no error at the 
HTTP level, but there is one at the SOAP level, then the SOAP interaction should return a 
normal HTTP response 200 OK, but with a SOAP error embedded in the SOAP message, and the 
calling application should be able to deal with those at their own SOAP level, and not be 
confused as to whether it has been refused 
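The separation argued in this reply and in the other "[OT] Re: Filter behaviour" reply on this page (the one citing SOAP 1.2 section 7.5.2.2), namely that an HTTP status belongs to the transport and a SOAP Fault to the service, as an added Python example (not code from the thread). build_fault() is the service side, classify() the client side; the function names and the sample responses are constructed, and the only real identifier is the SOAP 1.2 envelope namespace:

```python
"""Added example (not from the thread): keeping HTTP transport outcomes apart
from SOAP service-level faults, as argued in the two '[OT] Re: Filter
behaviour' replies. build_fault() is the service side, classify() the
client side. Function names and the sample responses are constructed;
the namespace URI is the real SOAP 1.2 envelope namespace."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"
NS = {"env": SOAP_ENV}
ET.register_namespace("env", SOAP_ENV)


def build_fault(code: str, reason: str) -> bytes:
    """Service side: a SOAP 1.2 Fault (e.g. env:Sender, 'Authorization failed')
    inside a normal envelope, which is how the service itself says no."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    code_el = ET.SubElement(fault, f"{{{SOAP_ENV}}}Code")
    ET.SubElement(code_el, f"{{{SOAP_ENV}}}Value").text = code
    reason_el = ET.SubElement(fault, f"{{{SOAP_ENV}}}Reason")
    text = ET.SubElement(reason_el, f"{{{SOAP_ENV}}}Text")
    text.set("{http://www.w3.org/XML/1998/namespace}lang", "en")
    text.text = reason
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def is_soap(content_type: str) -> bool:
    """True for the media types a SOAP envelope travels in."""
    return content_type.split(";")[0].strip().lower() in ("application/soap+xml", "text/xml")


def classify(status: int, content_type: str, body: bytes) -> dict:
    """Client side. Returns {'layer': 'http' | 'soap', 'ok': bool, 'detail': str}.

    If the body is a SOAP envelope, the outcome belongs to the SOAP layer no
    matter which HTTP status carried it (so both readings of the SOAP 1.2
    binding discussed in the thread, 2xx with a Fault and 4xx/5xx with a
    Fault, end up here). A non-SOAP body means the transport (httpd, Tomcat's
    authenticator, a proxy) answered before the service ever saw the message."""
    if is_soap(content_type):
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            return {"layer": "http", "ok": False, "detail": f"unparseable SOAP body: {exc}"}
        fault = root.find("env:Body/env:Fault", NS)
        if fault is None:
            return {"layer": "soap", "ok": 200 <= status < 300, "detail": "no Fault in envelope"}
        code = fault.findtext("env:Code/env:Value", default="?", namespaces=NS)
        reason = fault.findtext("env:Reason/env:Text", default="?", namespaces=NS)
        return {"layer": "soap", "ok": False, "detail": f"{code}: {reason}"}
    if status == 401:
        return {"layer": "http", "ok": False, "detail": "transport authentication required (401)"}
    if status == 403:
        return {"layer": "http", "ok": False, "detail": "transport refused the request (403)"}
    if status >= 400:
        return {"layer": "http", "ok": False, "detail": f"transport error {status}"}
    # A 2xx that is not SOAP: typically an HTML login page from FORM auth in
    # front of the service, which a naive client would try to parse as a reply.
    return {"layer": "http", "ok": False, "detail": f"non-SOAP body with status {status}"}


if __name__ == "__main__":
    fault = build_fault("env:Sender", "Authorization failed")
    print(classify(200, "application/soap+xml; charset=utf-8", fault))   # the service spoke
    print(classify(401, "text/html", b"<html>401 Unauthorized</html>"))   # httpd/Tomcat spoke
```

The useful property is that the client branches on the Content-Type and the envelope first and on the status code second, so the bus-ticket case (the transport threw the request out, body is httpd's or Tomcat's error page) and the concert-ticket case (the envelope arrived and the service answered with a Fault) are reported as different layers, whichever status code convention the service follows.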

Re: Distinct servlets for different domains in one web application

2015-06-28 Thread André Warnier

Christian wrote:

Mark,

On 28.06.2015 19:58, Mark Eggers wrote:


Christian,

On 6/28/2015 9:01 AM, Christian wrote:

Hello all,

is it somehow possible to create a web application with multiple
servlets that are registered to different domains for the same url
paths using tomcat 8? I already crawled through the catalina code
that is responsible for the servlet selection and didn't find
anything that would allow this. But this doesn't mean that it
isn't possible at all. As far as I know, java configuration for
servlet registration doesn't allow passing domain names. But maybe
there is an option within context.xml.

I want to create a web application that has different domains for
the application itself and its management site. Both parts should
run at the context root, at different domains. The application
needs a shared (spring-)context in which the application's beans
are stored.

Regards, Christian

I'm not quite sure what your after. Sharing Spring beans across
contexts and domains sounds like there's an underlying requirement I
don't understand.


ok, I'll try to explain, as aliases won't do what I need.
It's an application that can be configured via an admin interface. The 
admin interface is one part of the webapp.
The main application is accessible via www.example.com. The admin 
interface needs access to the beans within the main application (e. g. 
to create tenants that live in context scope), that's why I created just 
one webapp with two dispatcher servlets.
One dispatcher servlet is responsible for the admin interface and one 
for the main application. Until now I make tomcat select them by using a 
context path for the admin interface.
But this is redundant, because the admin interface needs to be accessed 
via admin.example.com/admin instead of just admin.example.com. I would 
like to map admin.example.com to the admin servlet and www.example.com 
to the main applications dispatcher servlet.
At a later stage, www.example.com/admin might be used for other admin 
tasks that must be accessible by users registered on the main site. But 
/admin is already shadowed.


Hopefully I could explain my problem a little better.


Yes, that is much clearer.
Honestly without having really figured out the details of your explanation, I would 
nevertheless point you in 2 directions for that kind of thing :
a) use an Apache httpd front-end proxy, and use the httpd proxying and/or URL rewriting 
capabilities to do what you want

or
b) use the built-in Rewrite Valve of Tomcat 8 
(http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html), or if you are at a lower Tomcat 
version, use the add-on URLRewrite Filter (www.tuckey.org)


A Valve is a Tomcat-specific component, so that solution is generally non-portable to 
another servlet container.  The others (httpd front-end or the URLRewriteFilter (a servlet 
filter)) are portable.


Personally, in this case, and considering that you want to do different things depending 
on the hostname used to access Tomcat, I would go the httpd front-end route, with 2 
VirtualHosts at the httpd level, proxying to a single Host at the Tomcat level (but in one 
case, after modifying the URL).
That's because I think that trying to do this at the Tomcat level only may give you 
headaches in terms of self-referential URLs returned by your application.






Re: Filter behaviour

2015-06-26 Thread André Warnier

Leo Donahue wrote:

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException

Assuming you have only a single Filter configured in web.xml

Assuming you have logic in a doFilter that checks the value of a boolean.
If the boolean is true, then assume you send a http status code back and
use a return in the if condition.

example:

if (someConditionIsTrue)
{
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.sendError(HttpServletResponse.WHATEVER_YOU_CHOOSE);
return;
}

chain.doFilter(request, response);


My question is:

If the chain is placed inside an else, which would not run if the condition
is true, does that violate the Filter in any way?  In other words, if one
does not call chain.doFilter within a doFilter method, should one expect
something bad?

What I'm really saying without saying it is, whether I call chain.doFilter
in or out of an else, on Tomcat I get the sendError status that I expect,
but not from other containers.  I realize that statement is moot on this
list, but I thought I would share it.

Are there any conditions in which Tomcat will decide what to do on its own,
related to sendError, when it can't figure it out from code?

Leo


Using CATALINA_BASE:   C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_HOME:   C:\apache-tomcat\apache-tomcat-7.0.62
Using CATALINA_TMPDIR: C:\apache-tomcat\apache-tomcat-7.0.62\temp
Using JRE_HOME:C:\Program Files (x86)\Java\jdk1.7.0_67
Using CLASSPATH:
C:\apache-tomcat\apache-tomcat-7.0.62\bin\bootstrap.jar;C:\apache-tomcat\apache-tomcat-7.0.62\bin\tomcat-juli.jar
Server version: Apache Tomcat/7.0.62
Server built:   May 7 2015 17:14:55 UTC
Server number:  7.0.62.0
OS Name:Windows 7
OS Version: 6.1
Architecture:   x86
JVM Version:1.7.0_67-b01
JVM Vendor: Oracle Corporation



I must admit that your question above was a bit difficult to follow, in terms of 
if/then/else/unless, particularly late at night.  And the last paragraph made me think 
that perhaps the Tomcat logo might lead you to personalise things a bit more than is 
really healthy.
(Or else I want to have a look at that code, because the Tomcat developers must be even 
smarter than I thought).


But if your question in the end boils down to : *must* a filter necessarily call the next 
filter/webapp in the chain, then the answer is in the Servlet Specification.

E.g. Servlet Spec v 3.0 final, Chapt 6 Filtering, Section 6.2 Main concepts, 
item 4 :
The filter *may* invoke the next entity in the filter chain..
It even adds : Alternatively, the filter chain can block the request by not making the 
call to invoke the next entity, leaving the filter responsible for filling out the 
response object.


(What you need to do then still, is to ensure that you do indeed generate a valid 
response, whether it's an error or not.  That's maybe the point where different containers 
may react slightly differently.).




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
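
An added example (not code from the thread) of a filter that follows the two paths the Servlet specification permits, as described above: either it calls chain.doFilter once and lets the rest of the chain answer, or it stops the chain and fills out the complete response itself. The blocking policy (refusing a session id carried in the URL, and refusing HTTP methods other than GET, HEAD and POST) and the class name GateFilter are hypothetical choices for illustration; the code targets the javax.servlet 3.0 API that Tomcat 7 implements:

```java
// Added example, not code from the thread. Hypothetical GateFilter: a filter
// that either blocks a request and owns the whole response, or passes it on.
// Targets the javax.servlet 3.0 API (Tomcat 7).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GateFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String reason = blockReason(req);
        if (reason == null) {
            // Path 1: invoke the next entity in the chain exactly once and let
            // the next filter or the servlet produce the response.
            chain.doFilter(request, response);
            return;
        }

        // Path 2: this filter is the end of the chain and must leave a complete
        // response behind. If something already committed it, writing more is
        // pointless (and sendError() would throw IllegalStateException).
        if (resp.isCommitted()) {
            return;
        }
        if (acceptsJson(req)) {
            // Fill out the response ourselves: status, type, body, flush.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("application/json");
            resp.setCharacterEncoding("UTF-8");
            resp.getWriter().write("{\"error\":\"" + jsonEscape(reason) + "\"}");
            resp.flushBuffer();
        } else {
            // Or hand the status to the container, which commits the response
            // using its default error page or the webapp's <error-page>.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
        }
        // Deliberately no chain.doFilter() on this path.
    }

    // Hypothetical policy, for illustration only.
    private static String blockReason(HttpServletRequest req) {
        if (req.isRequestedSessionIdFromURL()) {
            // A ;jsessionid=... in the URL ends up in logs, referers and history.
            return "session id must be sent in a cookie, not in the URL";
        }
        String m = req.getMethod();
        if (!("GET".equals(m) || "HEAD".equals(m) || "POST".equals(m))) {
            return "method " + m + " is not allowed here";
        }
        return null;
    }

    private static boolean acceptsJson(HttpServletRequest req) {
        String accept = req.getHeader("Accept");
        return accept != null && accept.contains("application/json");
    }

    // Minimal escaping so a reason string can never break out of the JSON literal.
    private static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The container-dependent part is only what happens after sendError(): some containers render their own error page, some expect an <error-page> mapping, and all of them consider the response committed from that point on, so the filter must return immediately and never call chain.doFilter() afterwards.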



Re: CVE-2014-7810 Mitigation

2015-06-25 Thread André Warnier

Lynch, Charles [USA] wrote:

Seeking guidance on mitigation of 
CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on 
Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, 
and we need to secure our install via other means until the patch can be applied. If 
there are any workaround that can be provided it would be much appreciated. Thank you.


Hi.
Maybe the first thing to ask yourself, is if you are in a situation where you are really 
vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability could only 
be exploited by someone who has the possibility to load a malicious web application into 
the Tomcat system, and have it be run.

Is that your case ?
See 
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
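
An added example, not code from the thread, of the "are you actually exposed?" check suggested above, as a small read-only Java program run against a CATALINA_BASE. The advisory's condition is that an attacker must get a web application deployed, and the bypass only matters if a SecurityManager is what stands between web applications and the host; the program reports who can deploy through the Manager and Host Manager applications and whether the Host picks up files dropped into its appBase. Paths follow the standard Tomcat 6/7 layout, the role names and the attribute defaults are those in the Tomcat documentation, and the class name Cve20147810Exposure is invented:

```java
// Added example, not code from the thread. Read-only exposure check for
// CVE-2014-7810 on a Tomcat 6/7 installation: who can deploy a webapp, and
// is a SecurityManager even the thing being protected? Class name invented.
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class Cve20147810Exposure {

    public static void main(String[] args) throws Exception {
        String baseArg = args.length > 0 ? args[0] : System.getenv("CATALINA_BASE");
        if (baseArg == null) {
            System.err.println("usage: java Cve20147810Exposure <CATALINA_BASE>");
            System.exit(2);
        }
        Path base = Paths.get(baseArg);

        // 1. Deployment channels reachable over HTTP (no shell on the box needed).
        Path webapps = base.resolve("webapps");
        System.out.println("manager webapp present:      " + Files.isDirectory(webapps.resolve("manager")));
        System.out.println("host-manager webapp present: " + Files.isDirectory(webapps.resolve("host-manager")));

        // 2. Accounts holding a role that can deploy through those applications.
        //    Tomcat 6 before 6.0.30 used the single "manager" role; later versions
        //    split it into manager-gui/-script/-jmx/-status; host-manager uses admin*.
        List<String> deployers = new ArrayList<String>();
        Document users = parse(base.resolve("conf").resolve("tomcat-users.xml"));
        NodeList userNodes = users.getElementsByTagName("user");
        for (int i = 0; i < userNodes.getLength(); i++) {
            Element u = (Element) userNodes.item(i);
            String name = u.hasAttribute("username") ? u.getAttribute("username") : u.getAttribute("name");
            for (String role : u.getAttribute("roles").split("\\s*,\\s*")) {
                if (role.equals("manager") || role.startsWith("manager-")
                        || role.equals("admin") || role.startsWith("admin-")) {
                    deployers.add(name + " (" + role + ")");
                }
            }
        }
        System.out.println("accounts able to deploy:     " + deployers);

        // 3. Does the Host deploy whatever lands in appBase? Documented default
        //    for autoDeploy and deployXML in Tomcat 6/7 is "true" when absent.
        Document server = parse(base.resolve("conf").resolve("server.xml"));
        NodeList hosts = server.getElementsByTagName("Host");
        for (int i = 0; i < hosts.getLength(); i++) {
            Element h = (Element) hosts.item(i);
            boolean autoDeploy = !"false".equalsIgnoreCase(h.getAttribute("autoDeploy"));
            boolean deployXML = !"false".equalsIgnoreCase(h.getAttribute("deployXML"));
            System.out.printf("Host %s: appBase=%s autoDeploy=%s deployXML=%s%n",
                    h.getAttribute("name"), h.getAttribute("appBase"), autoDeploy, deployXML);
        }

        // 4. The CVE bypasses a SecurityManager. Only the running JVM knows whether
        //    one is active; catalina.sh passes -Djava.security.manager for "start -security".
        System.out.println("check the Tomcat process command line for -Djava.security.manager");
    }

    // XXE-safe parsing: these files never legitimately carry a DOCTYPE.
    private static Document parse(Path file) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(file.toFile());
    }
}
```

Compile and run it as "javac Cve20147810Exposure.java && java Cve20147810Exposure /path/to/CATALINA_BASE". If the process does not run with a SecurityManager at all (Tomcat's default), the CVE is moot for that installation, because a deployed web application is already fully trusted code; the finding that matters is then the list of accounts and channels able to deploy one.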



Re: [External] Re: CVE-2014-7810 Mitigation

2015-06-25 Thread André Warnier

Lynch, Charles [USA] wrote:

Thank you. I am fairly unfamiliar with Apache as a whole. Simply trying to 
address our possible attack surfaces. I appreciate your assistance.



Welcome.
By the way, I found the reference to the article below by entering this on 
Google :

CVE-2014-7810 and Tomcat

So if you have any more similar issues..

The references at the bottom of that article may also be of help :
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

(or not, as the case may be. But it is always better to be informed, isn't it ?)




From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 8:32 AM
To: Tomcat Users List
Subject: Re: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:

You are saying a malicious actor would need to be on the server itself to load 
an application?



Basically yes, or be allowed to load and deploy applications via the Manager 
application
(which is either not installed, or anyway secured by default)

It is fairly clear in the mail archive article I quoted below, which is signed 
by one of
the core Tomcat developers.



From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 7:55 AM
To: Tomcat Users List
Subject: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:

Seeking guidance on mitigation of 
CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on 
Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, 
and we need to secure our install via other means until the patch can be applied. If 
there are any workaround that can be provided it would be much appreciated. Thank you.


Hi.
Maybe the first thing to ask yourself, is if you are in a situation where you 
are really
vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability 
could only
be exploited by someone who has the possibility to load a malicious web 
application into
the Tomcat system, and have it be run.
Is that your case ?
See
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E









-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [External] Re: CVE-2014-7810 Mitigation

2015-06-25 Thread André Warnier

Lynch, Charles [USA] wrote:

You are saying a malicious actor would need to be on the server itself to load 
an application?



Basically yes, or be allowed to load and deploy applications via the Manager application 
(which is either not installed, or anyway secured by default)


It is fairly clear in the mail archive article I quoted below, which is signed by one of 
the core Tomcat developers.




From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 7:55 AM
To: Tomcat Users List
Subject: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:

Seeking guidance on mitigation of 
CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on 
Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, 
and we need to secure our install via other means until the patch can be applied. If 
there are any workaround that can be provided it would be much appreciated. Thank you.


Hi.
Maybe the first thing to ask yourself, is if you are in a situation where you 
are really
vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability 
could only
be exploited by someone who has the possibility to load a malicious web 
application into
the Tomcat system, and have it be run.
Is that your case ?
See
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E









-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 6 : searching for a bug fix between 6.0.24 and 6.0.44

2015-06-25 Thread André Warnier

Pascal Abaziou wrote:


On 25 June 2015 at 00:23, Mark Eggers its_toas...@yahoo.com.INVALID wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/24/2015 2:40 PM, André Warnier wrote:

Pascal Abaziou wrote:

Hello,

I’m searching for the version that fixes a bug I have on a Tomcat 
6.0.24 (on Red Hat). As I do not reproduce it on my Windows 
workstation with Tomcat 6.0.44, I need elements to argue for an
upgrade to the sysadmin.

So the bug : with a REST resource service implemented with
Jersey, if there’s no method corresponding to a URI (under the
hierarchy that Jersey should handle), Jersey raises a 404
NOT_FOUND error.

In 6.0.24, tomcat raises a 500 internal error. In 6.0.44, tomcat 
propagates the 404 not found error.


As the sysadmin wants to stay on the version delivered by Red Hat, I 
need elements to motivate an update.


I’ve read the tomcat 6 changelog, but did not find when this was 
fixed.



You know, I don't want to discourage you, but..

Assuming even that this was a bug that was fixed on its own, and
not some side-effect of some other change..

As you know, Tomcat is an open-source and free software, developed 
and supported by volunteers, who apart from their Tomcat
involvement, all have a paying job which they do on the side..
This user's list is the same.

Tomcat 6.0.24 is at least 5 years old. The current Tomcat version
is 8.0.23. Between these two, there are 5 years and probably close
to 100 versions. Some of these versions correct real bugs or
security issues which could leave any lower version vulnerable to
hacking.

The Tomcat developers, having a limited amount of time to dedicate 
to it, rather understandably prefer to spend this time working on 
and supporting the latest version, rather than very old ones.


All of this to say that unless there is a very strong incentive for
someone to go and dig through the documentation and the code, your
chances of getting real help on this apparently minor and
peripheral issue, affecting an old version of Tomcat but not more
recent ones, are really slim.

If your sysadmin does not understand the benefits of upgrading to
a more recent version, rather than this very old one, then the
problem is with him, not with you and not with the Tomcat
developers. Maybe you should just take the change logs, starting
with 6.0.44 and working back to 6.0.24, append them to one another,
and send this to him as a token of what he is missing in terms of
bug corrections and security fixes, by /not/ upgrading. And if he
still does not understand the issue, or cannot give you a better
reason to want to stay with 6.0.24, send the list to his boss.

There's another issue when comparing vendor-packaged versus
Apache-distributed Tomcat versions.

Vendors often backport various fixes from later Apache-distributed
versions to vendor-packaged versions. For example, you may see the
following in RedHat (I'm running Fedora 22 or CentOS 6) distributions:

CentOS 6

Name: tomcat6
Arch: x86_64
Version : 6.0.24
Release : 83.el6_6
Size: 92 k
Repo: updates

First of all, you have to select Tomcat 6 as opposed to Tomcat on
CentOS 6.6.  I understand that the Tomcat 7 version is only available
in the EPEL repository.

Here's the information for tomcat.noarch from the EPEL repository.

Name: tomcat
Arch: noarch
Version : 7.0.33
Release : 4.el6
Size: 86 k
Repo: epel

The key thing to look at in both of these listings is the Release tag.
RedHat (and I suppose other vendors) release updates to their packages
that include backports for certain issues. In general, RedHat
addresses security issues, but avoids backporting API changes between
releases of their Linux platform.

It is very difficult to compare RedHat's version of 6.0.24 or 7.0.33
with the Apache release. You would have to compare both sets of change
logs to find out how RedHat's release compared to Apache's release.
Then, since it doesn't appear that this particular problem was
uniquely identified in the Apache Tomcat changelogs, you would have to
determine what change (and when) fixed the issue.

Finally, you would then have to lobby RedHat to include the
appropriate change into their repackaging of Tomcat.

Lots of work . . .

This is one of the reasons why most people on the list advocate using
Apache-distributed packages. In the end, it's easier for everyone
(mailing list members, Apache Tomcat users, and system administrators).

As André pointed out above, this is a system administrator issue, not
a Tomcat issue. If there are policies in place that preclude third
party packaged applications running in production, then there are also
corporate policy issues.

In short, there are few reasons to stay with a vendor-distributed
packaging of Tomcat, and quite a few good reasons to move to the
Apache-distributed packages.

. . . happily running Apache-distributed packages everywhere
/mde/


Thanks for your answers. 

I’ll go in this direction. We

Re: persistance cache

2015-06-24 Thread André Warnier

Hi.

The recommendation on this forum is to not use top posting, but to keep the flow of 
conversation natural, and respond below the question to which your question refers.

See http://tomcat.apache.org/lists.html, Important, 6)

Kaouthar Ghorbel wrote:


2015-06-23 12:00 GMT+01:00 André Warnier a...@ice-sa.com:


hello.


Kaouthar Ghorbel wrote:


hello,
I have a method that returns a list of items. When I change the data in
this list in the database, the return of the method does not take this
change into account.
Here is the configuration of persistance.xml:

<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence
    http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
  <persistence-unit name="persistancePU" transaction-type="RESOURCE_LOCAL">
    <provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
    <class>com.csys.pointeuse2.model.AccessControl</class>
    <class>com.csys.pointeuse2.model.Accompagnantgouvernante</class>
    <class>com.csys.pointeuse2.model.Chambre</class>
    <class>com.csys.pointeuse2.model.Client</class>
    <class>com.csys.pointeuse2.model.EtatCha</class>
    <class>com.csys.pointeuse2.model.EtatChambre</class>
    <class>com.csys.pointeuse2.model.Etatmessage</class>
    <class>com.csys.pointeuse2.model.Messagechambre</class>
    <class>com.csys.pointeuse2.model.PrmEtage</class>
    <exclude-unlisted-classes>true</exclude-unlisted-classes>
    <shared-cache-mode>NONE</shared-cache-mode>
    <validation-mode>NONE</validation-mode>
    <properties>
      <property name="javax.persistence.jdbc.url"
                value="jdbc:sqlserver://192.168.2.58:1415;databaseName=database"/>
      <property name="javax.persistence.jdbc.password" value="12355"/>
      <property name="javax.persistence.jdbc.driver"
                value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
      <property name="javax.persistence.jdbc.user" value="ka"/>
    </properties>
  </persistence-unit>
</persistence>
thanks ...



But is this related to Tomcat somehow ?
If yes, could you explain how, and provide some versions of the software
used ?


 hello, I think it is a cache problem, because when I restart Tomcat
 the resulting list is correct; the problem lies only with this method.
 I use Tomcat 8.0.2.

Honestly, I am a bit out of my depth here.

But the above configuration which you provide (thank you) leads me to believe that the 
cache in question belongs to the /application/ (*), not to Tomcat.
The fact that the cache is cleared when you restart Tomcat, is probably due to the fact 
that when you restart Tomcat, you also restart the application, which probably clears the 
cache /of the application/.

I don't think that Tomcat itself knows anything about this cache.
Or am I reading this wrong ?

(*) which from the names used (**), seems to be some kind of hotel rooms 
management system

(**) and my knowledge of French, and my long-time-ago studies in hotel 
management..

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: the session tracking of tomcat 6 and tomcat 7 behaves strangely

2015-06-24 Thread André Warnier

Hi.

The recommendation on this forum is to not use top posting, but to keep the flow of 
conversation natural, and respond below the question to which your question refers.

See http://tomcat.apache.org/lists.html, Important, 6)
I have modified your latest post accordingly below.

chedana jayasinghe wrote:

On Tue, Jun 23, 2015 at 2:46 PM, André Warnier a...@ice-sa.com wrote:


chedana jayasinghe wrote:


In my web application, in a JSP there is a JavaScript which sends a request
to a servlet every twenty seconds, so it kills my application's user idle
time tracking by resetting the lastAccessed time in the session. The funny
thing is that the lastAccessed time doesn't get updated in Tomcat 6 and my
application's idle time tracking works fine in it, but in 7 it gets updated
and kills that functionality of the application. So I'm a little bit
confused about the changes in the session tracking of Tomcat 6 and Tomcat
7.



I don't know what happened in Tomcat 6 as compared to what happens in
other versions.
But from a purely logical point of view, I would tend to think that, from
the server point of view, whether a request comes from the user pressing a
button or from a javascript module in a page sending a request, does not
make a difference : the application has been accessed, so the last
accessed time should be updated.
That is probably the point even, of many such javascript snippets out
there in the wild.

So again from a purely logical point of view, if Tomcat 6 then did not
update the last access time, that would sound more like a bug, that was
corrected later.

Maybe the fact that it updates this or not, depends on whether the
application that is called retrieves the session or not, and if so you may
have control over it, by making sure that whatever your javascript calls,
it does /not/ retrieve the session.

Caveat : I do not really /know/ how it works, so there is a lot of
speculation here.



 I just put a debug point and checked. In Tomcat 6, the request comes to the
 servlet with a null session, but in Tomcat 7 and later versions the valid
 session is there in the request.


Yes, but the /call/ that contains this jsession-id, comes from the javascript that is in 
the HTML page currently shown in the browser.
So the question is : why does that /call/, now, contain this jsessionid parameter, when 
under Tomcat 6 it did not ?


Or to put this another way : how does the local javascript in the browser *know* this 
jsession-id ?


Or in yet another way : the javascript in the browser does not /know/ if it is talking to 
a Tomcat 6 or a Tomcat 7 or a Tomcat 8 server, right ? So how come that in one case, it 
sends a request /without/ a jsessionid, and in the other cases /with/ a jsessionid ?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 6 : searching for a bug fix between 6.0.24 and 6.0.44

2015-06-24 Thread André Warnier

Pascal Abaziou wrote:

Hello,

I’m searching for the version that fixes a bug I have on a Tomcat 6.0.24 (on 
Red Hat).
As I do not reproduce it on my Windows workstation with Tomcat 6.0.44, I need 
elements to argue for an upgrade to the sysadmin.

So the bug : with a REST resource service implemented with Jersey, if there’s 
no method corresponding to a URI (under the hierarchy that Jersey should 
handle), Jersey raises a 404 NOT_FOUND error.

In 6.0.24, tomcat raises a 500 internal error.
In 6.0.44, tomcat propagates the 404 not found error.

As the sysadmin wants to stay on the version delivered by Red Hat, I need elements 
to motivate an update.

I’ve read the tomcat 6 changelog, but did not find when this was fixed.



You know, I don't want to discourage you, but..

Assuming even that this was a bug that was fixed on its own, and not some side-effect of 
some other change..


As you know, Tomcat is an open-source and free software, developed and supported by 
volunteers, who apart from their Tomcat involvement, all have a paying job which they do 
on the side..  This user's list is the same.


Tomcat 6.0.24 is at least 5 years old.
The current Tomcat version is 8.0.23.
Between these two, there are 5 years and probably close to 100 versions.
Some of these versions correct real bugs or security issues which could leave any lower 
version vulnerable to hacking.


The Tomcat developers, having a limited amount of time to dedicate to it, rather 
understandably prefer to spend this time working on and supporting the latest version, 
rather than very old ones.


All of this to say that unless there is a very strong incentive for someone to go and dig 
through the documentation and the code, your chances of getting real help on this 
apparently minor and peripheral issue, affecting an old version of Tomcat but not more 
recent ones, are really slim.


If your sysadmin does not understand the benefits of upgrading to a more recent version, 
rather than this very old one, then the problem is with him, not with you and not with the 
Tomcat developers.
Maybe you should just take the change logs, starting with 6.0.44 and working back to 
6.0.24, append them to one another, and send this to him as a token of what he is missing 
in terms of bug corrections and security fixes, by /not/ upgrading.
And if he still does not understand the issue, or cannot give you a better reason to want 
to stay with 6.0.24, send the list to his boss.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: the session tracking of tomcat 6 and tomcat 7 behaves strangely

2015-06-23 Thread André Warnier

chedana jayasinghe wrote:

In my web application, in a JSP there is a JavaScript which sends a request
to a servlet every twenty seconds, so it kills my application's user idle
time tracking by resetting the lastAccessed time in the session. The funny
thing is that the lastAccessed time doesn't get updated in Tomcat 6 and my
application's idle time tracking works fine in it, but in 7 it gets updated
and kills that functionality of the application. So I'm a little bit
confused about the changes in the session tracking of Tomcat 6 and Tomcat
7.



I don't know what happened in Tomcat 6 as compared to what happens in other 
versions.
But from a purely logical point of view, I would tend to think that, from the server point 
of view, whether a request comes from the user pressing a button or from a javascript 
module in a page sending a request, does not make a difference : the application has been 
accessed, so the last accessed time should be updated.

That is probably the point even, of many such javascript snippets out there in 
the wild.

So again from a purely logical point of view, if Tomcat 6 then did not update the last 
access time, that would sound more like a bug, that was corrected later.


Maybe the fact that it updates this or not, depends on whether the application that is 
called retrieves the session or not, and if so you may have control over it, by making 
sure that whatever your javascript calls, it does /not/ retrieve the session.


Caveat : I do not really /know/ how it works, so there is a lot of speculation 
here.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: persistance cache

2015-06-23 Thread André Warnier

hello.

Kaouthar Ghorbel wrote:

hello,
I have a method that returns a list of items. When I change the data in this
list in the database, the return of the method does not take this change
into account.
Here is the configuration of persistance.xml:

<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence
    http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
  <persistence-unit name="persistancePU" transaction-type="RESOURCE_LOCAL">
    <provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
    <class>com.csys.pointeuse2.model.AccessControl</class>
    <class>com.csys.pointeuse2.model.Accompagnantgouvernante</class>
    <class>com.csys.pointeuse2.model.Chambre</class>
    <class>com.csys.pointeuse2.model.Client</class>
    <class>com.csys.pointeuse2.model.EtatCha</class>
    <class>com.csys.pointeuse2.model.EtatChambre</class>
    <class>com.csys.pointeuse2.model.Etatmessage</class>
    <class>com.csys.pointeuse2.model.Messagechambre</class>
    <class>com.csys.pointeuse2.model.PrmEtage</class>
    <exclude-unlisted-classes>true</exclude-unlisted-classes>
    <shared-cache-mode>NONE</shared-cache-mode>
    <validation-mode>NONE</validation-mode>
    <properties>
      <property name="javax.persistence.jdbc.url"
                value="jdbc:sqlserver://192.168.2.58:1415;databaseName=database"/>
      <property name="javax.persistence.jdbc.password" value="12355"/>
      <property name="javax.persistence.jdbc.driver"
                value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
      <property name="javax.persistence.jdbc.user" value="ka"/>
    </properties>
  </persistence-unit>
</persistence>
thanks ...



But is this related to Tomcat somehow ?
If yes, could you explain how, and provide some versions of the software used ?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: We have a problem involving weird error messages in our Tomcat context, and catalina.out growing to enormous size.

2015-06-22 Thread André Warnier

James H. H. Lampert wrote:

We have two weird things going on at the same customer installation.

First, we have a situation in which catalina.out is inexplicably growing 
to enormous size (4558505886 bytes) in a very short time (under a week), 
and growing by 4k in under a minute. And yet the catalina.[date] files 
are all of very reasonable size.


Second, we've been finding a lot of There is no process to read data 
written to a pipe. exceptions. They're apparently being thrown by our 
own code, but we haven't been able to determine why, and while a Google 
search on that exact phrase turns up hundreds of references specific to 
aix, it doesn't turn up any specific to OS/400 (or whatever IBM is 
calling it this week). Don't know if there's any connection between that 
and the enormous catalina.out.


Tomcat version is 7.0.47, running on an AS/400.


Hi.
I don't know anything about AS/400 - OS/400.
But catalina.out is usually where the output of the *JVM* is being re-directed
(such as exceptions in the JVM etc..).
Can you see what's being written ?
(iow, is there an equivalent to tail -f filename under OS/400 ?)


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL configuration using PFX as keystore

2015-06-22 Thread André Warnier

Mark Thomas wrote:

On 22/06/2015 09:39, Mark Thomas wrote:

On 22/06/2015 00:25, Michael Salisbury wrote:


snip/


When connecting from a Windows client (any Windows client) I get a 'network 
path not found' error 0x80070035.  I know the path is valid as I can reach it 
via other means, and other WebDAV clients.

The main reason I think this is a Tomcat issue is that it was working just fine 
with v7.0 and no other Windows client changes (updates, software etc.) have 
been made.  There wasn't anything specific in the Tomcat7 config that I needed 
to get the MS client to work, only on the client itself those registry changes 
as previously mentioned.

What about the WebdavFixFilter? Is it configured in Tomcat 7 but not 8?


I'll run a Wireshark trace and see what comes up, nothing in the Tomcat logs 
that I can see...

I'll do a quick test now and see what I can come up with.


I needed to enable directory listings otherwise I got a 'network name
not found' error 0x80070043.

With that one change I was able to map a Windows network drive to:

http://ip-address/
http://ip-address/test
http://ip-address:8080/
http://ip-address:8080/test

With https the behaviour is very strange. Windows is prompting me for
credentials even though none are required. I suspect that the untrusted
test certificate may be causing some of these problems.

I fixed the certificate problem so that IE viewed the site as trusted
and then I could map a network drive to:

https://ip-address/
https://ip-address/test
https://ip-address:8443/
https://ip-address:8443/test

No registry changes were required to get this to work.

Prompting for authentication in response to an untrusted certificate is
bizarre to say the least.

Microsoft generously provide MSDN subscriptions for Apache committers
which is why I have the various OS's to hand to test this. The
subscription also comes with tech support. I'll open an incident. It
will be interesting to see if things have improved since I last tried
raising bugs with Microsoft (I filed so many bugs with MS Office and it
took so long for MS to fix them that I hit the limit of issues MS would
let me have open in parallel).

I was testing with Windows 7, SP1, 64-bit, fully patched

None of my WebDAV endpoints are configured to require authentication.

I did not have to use the WebdavFixFilter.

Note that I do not have MS Office installed on this machine.

It does look like things have improved with more recent versions of the
Windows clients. I'm not sure what is causing the error you are seeing.
Maybe MS Office ships with a different WebDAV client.


From what I remember, yes it does.  That is what I was referring to when talking about 
depending on what other software is installed on the workstation. As I recall, when 
installing MS-office, it replaces the mini-redirector by its own DLL, and that changes 
the behaviour in a number of instances.


 From past

experience, I'd suggest trying some of the following:
- get it working over http before trying https
- get it working at the server root before trying just a context
- get it working without authentication before trying with authentication
- ensure you have directory listings enabled
- ensure that IE trusts any certificates and no certificate errors are
reported when connecting over https

Mark







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL configuration using PFX as keystore

2015-06-22 Thread André Warnier

Mark Thomas wrote:

On 22/06/2015 00:25, Michael Salisbury wrote:

Thanks, I've done much searching - hence why I'm finally posting here.

Windows WebDAV is actually quite reasonable


Many people would disagree with that statement. It hasn't been updated
since the early days of Windows 7 but this site gives you an idea of
just what a disaster the Windows WebDAV client has been:
http://greenbytes.de/tech/webdav/webdav-redirector-list.html

It is possible that things have improved in the last few years but the
fact that Tomcat's WebDAV implementation works with a bunch of standards
compliant clients and only fails with the Windows client suggests that
the Windows client still has some issues.


- a lot of what one reads on the internet is because people don't know how to 
configure it.  It won't pass basic authentication across a connection by 
default, you have to turn it on and there are two different settings for 
allowing it over SSL only or a non-encrypted connection.

When connecting from a Windows client (any Windows client) I get a 'network 
path not found' error 0x80070035.  I know the path is valid as I can reach it 
via other means, and other WebDAV clients.



A good example of the idiosyncrasies of the Windows WebDAV client : re-enter the same URL, 
but specify the :port after the server name (even if it is 80).
On some Windows configurations, when not specifying the port, it tries to map this to a 
Windows share URL, à la \\servername\sharename, leading to the error above.


My earlier comments were meant in a practical sense.  We provide document-management 
applications, where one of the ways in which a user can file a document into the system is 
via DAV drag-and-drop directories.
We have spent a lot of time trying to debug these issues, to finally come to the 
conclusion that the only way to ensure consistent behaviour among customers who may have 
different versions of Windows and different software installed on their PCs (sometimes on 
a PC-by-PC basis), was to recommend that they use one of these external WebDav clients.
Your situation may be different, and you might be able to enforce some specific Windows 
version, and/or some specific Registry settings.  We could not do that, hence our solution.

I was just trying to potentially save you a lot of hassle and loss of time.
I don't know if in your case it is practical and/or business-effective to use an 
additional webDav client, but if it is possible, that would still be my recommendation. 
Since we do that, we have 0 problems in that area.  Before we did that, we had several 
related support calls per week.  Your call.



The main reason I think this is a Tomcat issue is that it was working just fine 
with v7.0 and no other Windows client changes (updates, software etc.) have 
been made.  There wasn't anything specific in the Tomcat7 config that I needed 
to get the MS client to work, only on the client itself those registry changes 
as previously mentioned.




Not to make this a rant or a flame, but the same issues as described on the greenbytes 
page mentioned above, also happen with other server-side DAV implementations, such as 
Apache httpd.  So it is not really a Tomcat-only issue.



What about the WebdavFixFilter? Is it configured in Tomcat 7 but not 8?


I'll run a Wireshark trace and see what comes up, nothing in the Tomcat logs 
that I can see...


I'll do a quick test now and see what I can come up with.








Re: Weird situation

2015-06-22 Thread André Warnier

Nabusg Tomcat wrote:

Apache HTTPD version 2.4.10
Tomcat version apache-tomcat-7.0.61
Ubuntu 12.04.5
16G RAM
Dual Core processor 64-bit


Lately I am noticing that the request parameters are present when the
request hits Apache, but are dropped when the request reaches Tomcat.

e.g. /secure/myprog.cgi?username=user1&masteraccount=master1 (logged in
Apache), however Tomcat rejects the request as
request.getParameter("username") cannot be null. I have been running the
same code for ages and now I am noticing this. This is happening to roughly
1% of the requests.

Following is my Apache config

StartServers             15
MinSpareThreads          25
MaxSpareThreads          75
ThreadLimit              512
ThreadsPerChild          32
MaxRequestWorkers        2048
MaxConnectionsPerChild   2048
AsyncRequestWorkerFactor 3
ServerLimit              64

And these are my Tomcat settings

protocol=AJP/1.3
packetSize=32000
maxThreads=800
processorCache=800
acceptCount=300
acceptorThreadCount=2
minSpareThreads=80
maxSpareThreads=160
maxKeepAliveRequests=-1
maxConnections=8192
connectionTimeout=36
compression=on
compressableMimeType=text/html,text/xml,text/plain
redirectPort=8443

Worker.properties config

worker.ajp_myhost.port=8009
worker.ajp_myhost.host=localhost
worker.ajp_myhost.type=ajp13
worker.ajp_myhost.retries=3
worker.ajp_myhost.recovery_options=27
worker.ajp_myhost.retry_interval=300
worker.ajp_myhost.reply_timeout=2
worker.ajp_myhost.max_packet_size=32000
worker.ajp_myhost.socket_timeout=360
worker.ajp_myhost.socket_connect_timeout=36
worker.ajp_myhost.connection_pool_timeout=360



Can someone please help me with 2 things.

1. Has anyone noticed request parameters dropping in transit ?
2. Help with fine tuning my Apache/Tomcat/mod_jk configs. During peak the
server will be handling 50 req/seconds.

Please let me know if you need anymore details.



Well certainly :
There is nothing in the above configuration excerpts that leads me to believe that a 
request like /secure/myprog.cgi?username=user1&masteraccount=master1 is even being 
forwarded by Apache httpd to Tomcat.

So how does that happen ?

At the very least, there should be some jkMount directive somewhere in the Apache 
configuration.  And then, which webapp under Tomcat is processing this request ?
Somehow the association of a myprog.cgi on the Apache side, and a 
request.getParameter() on the Tomcat side sounds strange, unless there is some piece in 
the middle that we are not being told about.






Re: Weird situation

2015-06-22 Thread André Warnier

Nabusg Tomcat wrote:

mod_jk version 1.2.40

Yes, there is a JkMount directive to send every request that starts with
/secure/ to Tomcat.

  JkMount /secure/* ajp_myhost
  JkMount /secure   ajp_myhost


Somehow the association of a myprog.cgi on the Apache side, and a
request.getParameter() on the Tomcat side sounds strange

What part of this is strange? heard of web.xml?


Yes, but what is myprog.cgi under Tomcat ? Is that a java webapp/servlet ?
(You are of course free to map your webapps as you wish.  It is just unusual to see one 
named this way, which is the reason I asked.)








Re: Apache Tomcat 8.0.22 server on different machines

2015-06-20 Thread André Warnier

Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Prarthana,

On 6/19/15 5:08 AM, Prarthana Agwania wrote:

We have a requirement wherein we would like to know the urls of
each of the tomcat instance running on different servers. The
scenario is somewhat like,

1. There are multiple servers running on different machines, say
Server1, Server2, Server3

2. There are multiple Tomcat instances running on each of the
machines as independent instances, say Server1 -> Tomcat1,
Tomcat2, Tomcat3; Server2 -> Tomcat5, Tomcat6,
Tomcat7; Server3 -> Tomcat8, Tomcat9, Tomcat10
P.S. - Tomcat servers are not clustered

Now, is there a way that an external user who does not have access
to the servers can know the urls for each Tomcat running under
different servers? Or, is it possible that Server1 or Tomcat1 can
act as the master and have the information about other
servers(remember they are not clustered)?Can this information be
made available under one hood and used further to deploy wars or
modify any configuration etc?


This is something you will have to build yourself. You may be able to
build something using components Tomcat provides (e.g. Tribes), but
there is nothing like this that exists already.

Usually, people want to mask the size of their cluster from external
users. What's your use case here?



I think that the OP just explained it above, at the end of his message.

Prarthana, you may want to have a look at something like Bonjour 
(https://en.wikipedia.org/wiki/Bonjour_%28software%29).


Each Tomcat would have to register with the service when it starts up, and de-register 
when it stops.  And then some client could find out about the available Tomcats.

Looks like something for a LifeCycleListener..




Re: Apache Tomcat 8.0.22 server on different machines

2015-06-20 Thread André Warnier


Add-on : as a matter of fact, someone seems to have a similar idea :
http://www.floop.org.uk/projects/tomcat-registry
Not much there yet, but it may be worth talking to them.






Re: SSL configuration using PFX as keystore

2015-06-19 Thread André Warnier

Daniel Mikusa wrote:

On Fri, Jun 19, 2015 at 12:42 AM, Michael Salisbury mich...@skypoint.co.nz
wrote:


 Hi there,

I’m trying to get the above working using Tomcat 8.0, previously working
with 7.0.  This is part of a WebDAV connector in Confluence.

It seems I can connect from anything other than a Windows Mini Redirector
client (Windows 7 or 8.1, x86 or x64).  Using a web browser or 3rd party
client (CyberDuck for instance) connects OK.



You should do a search in Google for Windows and DAV.
The various implementations over the years of DAV in MS Windows are a real 
horror story.
As far as I know (but it varies according to Windows versions and patches, and even 
according to whatever other software is installed on the workstation) :

- recent version of Windows will only accept to connect to DAV folders via HTTPS
- recent and less recent versions of Windows will only accept to connect to a DAV folder, 
if that DAV folder is at the document root of the webserver


In other words, for all practical purposes, you /have to/ use a third-party 
client.
(WebDrive is another one which I know works)

And if you don't, be prepared for a lot of support calls..



What happens when you try to connect with the Windows Mini Redirector?  Do
you get a client error?  If so, what?  Do you get any errors or messages in
the Tomcat logs?  If not, you might try running wireshark to investigate
further.  Capture packets from a working client and packets from the MS
client then look to see what's different.

That said, the fact that it's working for a large selection of clients
except one, seems to point to a problem with the client and not your Tomcat
setup.  What makes you think this is a Tomcat issue?  Was there something
specific you had to do in Tomcat 7 to make the MS client work?

Dan



There are some registry keys in Windows one needs to enable to get this
working first:



[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Internet]
BasicAuthLevel=dword:0001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
BasicAuthLevel=dword:0001
UseBasicAuth=dword:0001



Server.xml

<Connector port="9443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLS" SSLEnabled="true"
           URIEncoding="UTF-8"
           keystoreType="PKCS12"
           keystoreFile="${catalina.base}/conf/certname.pfx"
           keystorePass="keypassword" />



I’m fairly new to this, but have done a fair bit of reading to get it
working previously in Tomcat7…so any help would be greatly appreciated.



Kind regards



Michael Salisbury




Re: redirect to website not working

2015-06-18 Thread André Warnier

Ankur Gupta wrote:

Thank you for your help...
The xx.xxx.xx.81 server, through which I am using IE, does not have access to the public
website. This might be the problem.

I want to ask a noob question: is there any method, as the 81 server does
not have access to public websites but the Linux server has access, any
method or way so that the request can be sent to the public website through the Linux
server? The Linux server can be accessed through the 81 server only.
I have to use the 81 server's IE to request the public website of the SMS sender vendor
through the Linux server.



Yes, there exist ways to do that.  But they are not simple to set up, and it would make 
the diagnostic of future problems much more complicated.

It can also introduce security issues.
In other words, this is not really noob level.

For information only, here is information about how it's done :
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests
But read the content of the red warning box, and do not do this unless you *really* know 
what you are doing.






Re: redirect to website not working

2015-06-18 Thread André Warnier

Hi.

I will try to give you some more tips below, but really you should try and work this out 
by yourself.  From what little information is available below, I still believe that there 
is no problem with your application under Tomcat, but that the problem is that *the 
browser* cannot access that SMS site you were talking about, or that the request that the 
browser is sending to that site is invalid.


Ankur Gupta wrote:

*Fiddler Error:*


...



3   302   HTTP   xx.xxx.xx.99:8080   /examples/smstrial.jsp?mobileNumber=01234567890   text/html;charset=ISO-8859-1   iexplore:6656



Above exchange #3 seems to be the original request which the browser sends to the Tomcat 
application.  What you do not show, is the *content* of the response sent back by Tomcat, 
except the status code, which is 302 (re-direct).

What would be interesting to see here, is the *response header* Location:.
(you can see that also in Fiddler)

When the browser gets this 302 response from the server, it takes the content of the 
Location response header, and then immediately makes a new HTTP request to that URL.

That is the exchange #4 below.


4   502   HTTP   180.179.218.150   /sendurl.aspx?user=xxx&pwd=xxx&senderid=xxx&mobileno=0123456789&msgtext=Hello&smstype=0   512   no-cache, must-revalidate   text/html; charset=UTF-8   iexplore:6656



The above exchange #4, seems to be the new request that the browser makes to the SMS 
server at 180.179.218.150, and that server responds with a 502 status (a server error).

This is not Tomcat anymore, and thus out of scope for this forum.
You have to figure out why that SMS server sends this response to the browser.

Something tells me that you are not really familiar with the HTTP protocol.  Maybe you 
should get some local help in that respect.


Each interaction between browser and server consists of one request from the browser, and 
one response from the server.  Fiddler shows this as one line, but you can click on that 
line and then ask to see different things (maybe you should ask for the raw content). 
Above you show the browser request, but not the server response content.





...


*IE giving error:*

[Fiddler] The connection to '180.179.218.150' failed.
Error: TimedOut (0x274c).
System.Net.Sockets.SocketException A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond
180.179.218.150:80



This is a bit confusing, because it seems to say that the server at 180.179.218.150 is not 
responding.
Maybe the browser that you are using cannot access that IP address ? Or it can connect to 
it, but something is blocking the server response to the browser.

(Firewalls or so)






Re: logging input and output HTTP message payload

2015-06-17 Thread André Warnier

Just to make sure..

Milinda Perera wrote:

Hi all,

Thanks for suggestions,

Actually I want to log all HTTP / HTTPS requests from client applications
to my Tomcat server and the response sent back to the client. And logging
requests and payloads is not targeted at a specific application running in the
Tomcat server, which means all the requests to the Tomcat server and all the
responses from the Tomcat server.

My requirement cannot be fulfilled with external tools like wireshark
because:
  1. unable to log HTTPS requests and responses
  2. And I need to get logged requests and responses in server side log
files without external tools.


Are you aware of the volume of data that this could be ? and about the performance impact 
? and about the complexity of doing this in any way that would be useful ?


HTTP requests tend to be small (a request line like "GET /mylogo.jpg HTTP/1.1", and a 
few text headers). But the response to that request may be very large (a 120 KB jpeg 
file).  Multiply by the number of requests for your homepage etc. (and never mind if you 
are returning large PDF documents sometimes...)


And then, to log this jpeg logo file in any useful manner, you would have to
a) analyse the response, to see what is sent back
b) encode this in some way, to write it usefully to your logfile (you do not want binary 
data there, I presume)


These are probably some of the reasons why the standard logging methods don't 
do that.



Changing org.apache.coyote.level=FINE in the log properties logs HTTP
requests to the server, but does not log the response.

Highly appreciate if you guys can share your thoughts to achieve this.



Ask the NSA for some tips ?


Thanks,
Milinda



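The two steps described above (analyse what is sent back, then encode it so it can go into a text logfile) as an added example that is not code from the thread: text bodies are decoded and truncated, binary bodies such as the 120 KB jpeg are replaced by their size and digest, and each exchange becomes one JSON line. The sample responses, MAX_TEXT_BYTES and the function names are assumptions of this example.

```python
import hashlib
import json

MAX_TEXT_BYTES = 256            # how much of a text body is kept verbatim
TEXT_PREFIXES = ("text/", "application/json", "application/xml",
                 "application/x-www-form-urlencoded")

# Constructed sample responses: a small HTML page and a "120 KB jpeg" as in
# the message above (the jpeg is fake bytes; only its size matters here).
SAMPLE_HTML = ("text/html;charset=ISO-8859-1",
               b"<html><body>Page Redirection\nline two</body></html>")
SAMPLE_JPEG = ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * (120 * 1024 - 4))


def is_text_type(content_type):
    """Step a): decide from the media type whether the body is text at all."""
    media = content_type.split(";", 1)[0].strip().lower()
    return (media.startswith(TEXT_PREFIXES)
            or media.endswith("+json") or media.endswith("+xml"))


def charset_of(content_type, default="ISO-8859-1"):
    """Charset parameter of a Content-Type header, HTTP's default otherwise."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset" and value:
            return value.strip().strip('"')
    return default


def summarise_body(content_type, body):
    """Step b): encode the body for the log.  Text is decoded and truncated;
    binary bodies are never written, only their size and SHA-256 digest, so
    the log stays bounded and purely textual."""
    entry = {"type": content_type, "length": len(body)}
    if is_text_type(content_type):
        entry["text"] = body[:MAX_TEXT_BYTES].decode(charset_of(content_type),
                                                     errors="replace")
        entry["truncated"] = len(body) > MAX_TEXT_BYTES
    else:
        entry["sha256"] = hashlib.sha256(body).hexdigest()
    return entry


def log_line(request_line, status, content_type, body):
    """One JSON line per exchange.  json.dumps escapes newlines and control
    characters, so body content cannot forge additional log lines."""
    record = {"request": request_line, "status": status,
              "response": summarise_body(content_type, body)}
    return json.dumps(record, ensure_ascii=True)


if __name__ == "__main__":
    print(log_line("GET /examples/smstrial.jsp HTTP/1.1", 302, *SAMPLE_HTML))
    print(log_line("GET /mylogo.jpg HTTP/1.1", 200, *SAMPLE_JPEG))
```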



Re: redirect to website not working

2015-06-17 Thread André Warnier

Ankur Gupta wrote:

Log says this:

xx.xxx.xx.81 - - [17/Jun/2015:12:51:47 -0400] "GET /examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:52:16 -0400] "GET /examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:05 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:17 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:32 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:54:39 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 139
xx.xxx.xx.81 - - [17/Jun/2015:12:55:16 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 139



Browser is Internet Explorer and it gives error

 [image: Inline image 1]



Ankur Gupta wrote:
 [image: Inline image 1]

Yes, that is the stupid built-in Internet Explorer friendly error page, which doesn't 
tell you anything worth knowing.


Go to Tools -> Internet Options -> Advanced
and disable the "friendly error pages" option.

Better : get Fiddler (http://www.telerik.com/fiddler)
install it, activate it, repeat your session and look at what is really sent and received 
by the browser. Look in particular at the content of the Location header received by the 
browser in the 302 responses, if it is what you expect.

(Note : the content of that header should be a full absolute URL to the desired 
site)








Re: logging input and output HTTP message payload

2015-06-17 Thread André Warnier

Frederik Nosi wrote:

It helps only with HTTP though, no HTTPS or at least not easily.

While we are at this, are you trying to debug a SOAP / REST connection 
from your application running on Tomcat to another server or a 
connection coming from outside to your Tomcat?



On 06/17/2015 11:16 AM, Mark Thomas wrote:

On 17/06/2015 10:10, Milinda Perera wrote:

Hi,

I need to log HTTP payload content for debugging purposes.

Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark



If this is for one debugging session, you could also simply use an add-on to a browser 
(such as Fiddler2 for IE), and record the full exchanges there.
It has the advantage that you see the complete traffic in both directions (headers and 
content), and that you can easily switch between different presentations of the data, and 
save it to file if you need to.  And depending on what you are looking for, it may be a 
lot easier to handle than Wireshark.








Re: redirect to website not working

2015-06-17 Thread André Warnier

Ankur Gupta wrote:

I have Apache Tomcat 7.0.61 and Linux server 6.1 Enterprise.
There is a requirement of sending SMS to the customers, but the request to
send SMS to the vendor is through this SFTP Linux server.
Now, when I redirect to the page it does not respond. But when I access the
same website through the command line, wget "http://xyz.com", Linux does execute
that and I can get the SMS.
One more piece of information: before wget I set http_proxy on the command line like
$ export http_proxy=xx.xx.xx.xx:yy/
so is there a need to set a proxy in Apache Tomcat too in order to redirect
to the public page?
Thank you



Hi.
On this list, we have quite a lot of experience at deciphering user requests 
for help.
We even have some good SSL specialists available to answer questions.
But your question above is hopelessly confusing.
Could you try to rephrase this, so that we could have a hope to understand what your 
question is really about ? (maybe a little schema may help)


In the meantime, I'll answer this :

Q :  so there is a need to set proxy in apache tomcat too in order to redirect
 to public page?

A: no.
In simplified terms : the browser makes the connection to Tomcat to send its request; and 
Tomcat sends responses to the browser on that same connection. So it does not need a proxy 
for that.
If your application is sending a redirect response to the browser, that is a response, so 
it goes through that same connection.


If your webapp itself needs to access another webserver, then it would be another matter, 
and it might need a proxy for doing that.





Re: redirect to website not working

2015-06-17 Thread André Warnier

Ankur Gupta wrote:

Sorry if I was unable to make you understand.
At my workplace we have one production server which has IIS, and classic
ASP pages are deployed on it.


Ok, that I understand.
Server-A = IIS + whatever

 Now as per the requirement
(of which we do not have a copy, so we know nothing about it)

 , we have to send SMS to

the customers,


Who is we ?

 so , a request from production server say A(having asp page)

ok, Server-A above sends HTTP request directly to ..


is sent to Linux server having tomcat say B(having jsp page).


So Server-B is your Tomcat server with your application..

 B server has
jsp page which is called and a simple code 

(of which we do not have a copy either, so we know nothing about it)

is written to redirect to public
website 


redirect, in HTTP terms, has a very precise meaning.  It means that your application is 
sending a response *to the browser*, and this response is a redirect response

with a status code 301 or 302.
See : https://en.wikipedia.org/wiki/HTTP_301
or : https://en.wikipedia.org/wiki/HTTP_302

and when your application sends such a response to the browser, and the browser receives 
it, *the browser* immediately and automatically sends another request to the indicated 
website.

(And this does not involve Tomcat at all anymore).

Is that what happens ?


which is responsible for sending SMS.



(so that also has nothing to do with Tomcat)






Re: redirect to website not working

2015-06-17 Thread André Warnier

Ankur Gupta wrote:

xx.xx.xx.81 has classic asp page sms.asp having code:

<%@ language="vbscript" %>
<%
   mobileNumber = "0123456789"
   Response.Redirect("http://xx.xxx.xx.99:8080/examples/smstrial.jsp?mobileNumber=" & mobileNumber)
%>



Linux server(xx.xxx.xx.99:8080) with apache tomcat and linux v6.1
Enterprise has jsp page named smstrial.jsp having jsp code:

<%@ page import="java.io.*,java.util.*" %>

<HTML>
<HEAD>
<TITLE>New Document</TITLE>
</HEAD>
<BODY>
<center>
<h1>Page Redirection</h1>
</center>
<%
   String mobile = request.getParameter("mobileNumber");
   String site = "http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&senderid=xyz&mobileno=" + mobile + "&msgtext=Hello&smstype=0";
   response.sendRedirect(site);
%>
</BODY>
</HTML>







Now from xx.xx.xx.81 I am calling the sms.asp page from Internet Explorer and
getting an error.


Ahaaa ! you are getting an error !

Do you care to share what error you are getting, and where ?

And have you looked into any relevant server log, to find out what that error 
may be due to ?



If I change the redirect webpage called in the JSP code to some intranet server, e.g.
xx.xx.xx.54 (which is not used for a public website; it is used internally in
the organization, and the xx.xx.xx.81 server is connected to xx.xx.xx.54),
then the xx.xx.xx.81 browser successfully redirects to it without any issue.



Linux server xx.xxx.xx.99:8080 is connected to internet.

When we use a wget command like

wget "http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&senderid=xyz&mobileno=+mobile+&msgtext=Hello&smstype=0"

then it successfully executes it.



I hope this helps. Thank you for giving your time.







Re: redirect to website not working

2015-06-17 Thread André Warnier

Hi.

Ankur Gupta wrote:

Log says this:

xx.xxx.xx.81 - - [17/Jun/2015:12:51:47 -0400] "GET /examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:52:16 -0400] "GET /examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:05 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:17 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:53:32 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 -
xx.xxx.xx.81 - - [17/Jun/2015:12:54:39 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 139
xx.xxx.xx.81 - - [17/Jun/2015:12:55:16 -0400] "GET /examples/smstrial.jsp HTTP/1.1" 302 139




That log seems fine to me. It shows that your application is indeed returning the 302 
responses to the browser.
Unfortunately, this does not really show us *to what* the re-direction is, from the point 
of view of the browser.




Browser is Internet Explorer and it gives error

 [image: Inline image 1]



Unfortunately, the list software strips embedded images, and most attachments.
Do you have any way to post that image somewhere (or describe it), so that we know what 
error this is exactly ?


Note : if you are using IE, you may need to change a setting, in order to see the real 
error page sent by the server, rather than the friendly page that IE itself is showing.
Go to preferences, in advanced, and disable the send friendly error messages box, then 
try again.


I also suggest that you add a plugin to the browser, such as Fiddler2 for IE.
This will allow you to see exactly what the server sends as a response, including the 
Location: header, which is essential here to determine what the problem is.







Re: redirect to website not working

2015-06-17 Thread André Warnier

Ankur Gupta wrote:

I had installed fiddler and deactivated ie stupid feature . how can I share
the result of fiddler to you if the system dosent allow attachments?



Well, on this list here we try to help, and we provide tips.
But we do not do all the work for you, and you are expected to do some of it 
yourself.
(You can of course always ask for a private consultant, there are pointers for that on the 
Tomcat website.)


You have already gotten now to the point where you know that your webapp under Tomcat, is 
sending the (presumably) correct 302 response to the browser.
With Fiddler, you can now examine this server response more in detail, to see if it is 
really what it should be.
And you have disabled the friendly error pages, so you can see what the error really is, 
from the browser point of view.

Does that help to diagnose your problem ?

And if you need to send more information to the list about what you see in Fiddler, I 
believe that you just need to do a right-click on that specific response, and it will 
propose a choice of things to do, among which there must be a copy-to-clipboard option.

You can then paste that specific line into your next message to the list, if 
needed.

But try to do some thinking by yourself first.  It helps in the long run.

One request : if you find the solution yourself, please post it to the list 
also.
It will help someone else in the future, if they are smart enough to search the list 
archives first.

See : http://tomcat.apache.org/lists.html
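The replies above keep coming back to one missing fact: the access log shows a 302, but not what the Location: header says, and therefore not where the browser is being sent. As an added illustration (not code from this thread or from Tomcat), the class below does offline what Fiddler shows interactively: it parses a raw HTTP response, extracts the Location header, resolves a relative Location against the request URL the way a browser would, and flags targets that an Internet client cannot reach (loopback or private IPv4 literals) or that jump to another host or scheme. The sample response, the host app.example.com and the address 10.0.0.54 are constructed for the example; the classification only inspects IPv4 literals so that it never triggers a DNS lookup.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

// Added example: inspect a redirect response the way a browser (or Fiddler) sees it.
public final class RedirectInspector {

    public static final class Result {
        public final int status;
        public final String location;   // raw header value, may be null
        public final URI resolved;      // absolute target, null if not a usable redirect
        public final String verdict;
        Result(int status, String location, URI resolved, String verdict) {
            this.status = status; this.location = location;
            this.resolved = resolved; this.verdict = verdict;
        }
    }

    /** Parse the status line and headers of a raw HTTP response and evaluate its Location. */
    public static Result inspect(String requestUrl, byte[] rawResponse) {
        String text = new String(rawResponse, StandardCharsets.ISO_8859_1);
        String[] lines = text.split("\r\n");
        int status = Integer.parseInt(lines[0].split(" ", 3)[1]);   // "HTTP/1.1 302 Found"
        String location = null;
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon < 0) continue;
            if (lines[i].substring(0, colon).trim().toLowerCase(Locale.ROOT).equals("location")) {
                location = lines[i].substring(colon + 1).trim();
                break;
            }
        }
        if (status < 300 || status > 399) {
            return new Result(status, location, null, "not a redirect");
        }
        if (location == null) {
            return new Result(status, null, null, "3xx without Location: the browser can only show an error");
        }
        URI base = URI.create(requestUrl);
        URI target = base.resolve(location);    // relative Location resolved like a browser does
        return new Result(status, location, target, classify(base, target));
    }

    private static String classify(URI base, URI target) {
        String host = target.getHost();
        if (host == null) return "unparseable Location";
        // Only IPv4 literals are classified; InetAddress.getByName does no DNS lookup for them.
        if (host.matches("[0-9.]+")) {
            try {
                InetAddress addr = InetAddress.getByName(host);
                if (addr.isLoopbackAddress()) return "loopback: reachable only on the server itself";
                if (addr.isSiteLocalAddress()) return "private address: unreachable from the Internet";
            } catch (UnknownHostException e) {
                return "invalid address literal";
            }
        }
        if (!host.equalsIgnoreCase(base.getHost())) return "cross-host redirect: confirm it is intended";
        if (!target.getScheme().equalsIgnoreCase(base.getScheme())) return "scheme change: check TLS/port";
        return "same-origin redirect";
    }

    public static void main(String[] args) {
        // Constructed sample, roughly what Fiddler would show for the JSP in this thread.
        String request = "https://app.example.com/examples/smstrial.jsp?mobileNumber=0123456789";
        byte[] raw = ("HTTP/1.1 302 Found\r\n"
                + "Server: Apache-Coyote/1.1\r\n"
                + "Location: http://10.0.0.54/sms.asp?mobileNumber=0123456789\r\n"
                + "Content-Length: 0\r\n"
                + "\r\n").getBytes(StandardCharsets.ISO_8859_1);
        Result r = inspect(request, raw);
        System.out.println(r.status + " -> " + r.resolved + " : " + r.verdict);
    }
}
```

Paste the response captured by Fiddler (status line and headers) into the `raw` string and the verdict tells you at once whether the target is something an external browser could ever reach, which is the question the log lines cannot answer.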










Re: Brand new to Tomcat

2015-06-16 Thread André Warnier

Cohen, Laurence wrote:

Hi,

I find myself in a position where I am the only system administrator on a
project that uses tomcat appserver and apache webeserver with a postgres
backend.


I am going to do some guesswork here, and you'll tell us if I'm wrong.

Presumably, considering what you are saying above, your actual setup may be :

browser <--> Apache httpd server front-end <--> Tomcat <--> webapp <--> back-end postgres database


So the browser clients actually connect to the Apache front-end server on port 80, and the 
front-end passes some or all of the requests to Tomcat in the background.

(And the users never see a URL which mentions port 8007).

Right/wrong ?

If right, do you know what is the mechanism used in the front-end Apache httpd server, to 
connect to the back-end Tomcat service ?
Specifically, are there any ProxyPass directives in the configuration of the front-end 
Apache server ?



  We have two applications, and before and changeover from mod_ssl

to mod_nss we were able to go over port 80 to grab files out of the
database.  The web app in question is listening on port 8007, but proxied
on 443.  After we switch to mod_nss, something happened with the
configuration or the Rewrite Rules, where we can not longer use port 80,
although port 443 is working fine.

In server.xml I can see the following connector line:

  <Connector port="8007" protocol="HTTP/1.1" SSLEnabled="true"
             executor="tomcatThreadPool"
             connectionTimeout="60"
             scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/dse/keystores/keystore.tomcat"
             keystorePass="changeit"
             truststoreFile="/opt/dse/keystores/truststore.jks"
             truststorePass="password" proxyName="testweb01.novetta.com"
             proxyPort="443"/>

My first question is, can I add another connector line, proxying to port 80
as so:

  <Connector port="8007" protocol="HTTP/1.1" SSLEnabled="true"
             executor="tomcatThreadPool"
             connectionTimeout="60"
             scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/dse/keystores/keystore.tomcat"
             keystorePass="changeit"
             truststoreFile="/opt/dse/keystores/truststore.jks"
             truststorePass="password" proxyName="testweb01.novetta.com"
             proxyPort="80"/>

Thanks,

Larry Cohen







Apache/Tomcat mod_jk connector config issue ?

2015-06-16 Thread André Warnier

Hi.

Can I too ?

mod_jk log (debug) :
...
[Tue Jun 16 13:26:21.928 2015] [16334:140682714515200] [debug] 
map_uri_to_worker_ext::jk_uri_worker_map.c (1134): Attempting to map URI '/hudson' from 5 maps
[Tue Jun 16 13:26:21.928 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (941): Attempting to map context URI 
'/hudson/*=hudsonWorker' source 'JkMount'
[Tue Jun 16 13:26:21.928 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (941): Attempting to map context URI 
'/sonar/*=ajp13_worker' source 'JkMount'
[Tue Jun 16 13:26:21.928 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (941): Attempting to map context URI 
'/jk-manager=jk-manager' source 'JkMount'
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (941): Attempting to map context URI 
'/jk-status=jk-status' source 'JkMount'
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (941): Attempting to map context URI 
'/hudson=hudsonWorker' source 'JkMount'
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] 
find_match::jk_uri_worker_map.c (964): Found an exact match '/hudson=hudsonWorker'
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] jk_handler::mod_jk.c 
(2635): Into handler jakarta-servlet worker=hudsonWorker r-proxyreq=0
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] 
wc_get_worker_for_name::jk_worker.c (115): found a worker hudsonWorker
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [debug] 
wc_get_name_for_type::jk_worker.c (292): Found worker type 'ajp13'
[Tue Jun 16 13:26:21.929 2015] [16334:140682714515200] [error] jk_handler::mod_jk.c 
(2747): Could not init service for worker=hudsonWorker


* What does the above error mean ? *  (browser gets 500 Server error page)

[Tue Jun 16 13:27:11.630 2015] [16334:140682739693312] [debug] jk_watchdog_func::mod_jk.c 
(3213): Watchdog thread running
[Tue Jun 16 13:27:11.631 2015] [16334:140682739693312] [debug] wc_maintain::jk_worker.c 
(338): Maintaining worker hudsonWorker
[Tue Jun 16 13:27:11.631 2015] [16334:140682739693312] [debug] wc_maintain::jk_worker.c 
(338): Maintaining worker ajp13_worker
[Tue Jun 16 13:27:11.631 2015] [16335:140682739693312] [debug] jk_watchdog_func::mod_jk.c 
(3213): Watchdog thread running
[Tue Jun 16 13:27:11.631 2015] [16335:140682739693312] [debug] wc_maintain::jk_worker.c 
(338): Maintaining worker hudsonWorker
[Tue Jun 16 13:27:11.631 2015] [16335:140682739693312] [debug] wc_maintain::jk_worker.c 
(338): Maintaining worker ajp13_worker



System data :

Linux : 3.10.23--grs-ipv6-64
Tomcat 8
Java 8
Apache httpd + mod_jk : Apache/2.2.22 (Debian) mod_jk/1.2.37 configured -- resuming normal 
operations


mod_jk worker defined as :

worker.hudsonWorker.port=9010
worker.hudsonWorker.host=localhost
worker.hudsonWorker.type=ajp13

Tomcat Connector :

<!-- Note AW : this is the hudson mod_jk worker port -->
<Connector port="9010" protocol="AJP/1.3" redirectPort="8443"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" SSLEnabled="false" clientAuth="false"
           server="Apache-Coyote-Cloud/0.0"
           URIEncoding="UTF-8" />

(Not sure all the attributes are relevant, config copied hastily from HTTP 
connector)



Tomcat startup log (Catalina log) :
...
16-Jun-2015 13:25:41.275 INFO [main] org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler [http-nio-8080]
16-Jun-2015 13:25:41.280 INFO [main] org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler [ajp-nio-8009]
16-Jun-2015 13:25:41.281 INFO [main] org.apache.coyote.AbstractProtocol.start Starting 
ProtocolHandler [ajp-nio-9010]
16-Jun-2015 13:25:41.281 INFO [main] org.apache.catalina.startup.Catalina.start Server 
startup in 21196 ms


(No errors visible)




Re: Tomcat not reading jsp code

2015-06-15 Thread André Warnier

Ankur Gupta wrote:

I have apache tomcat 7.0 and Linux 6.1 server.
I had written simple jsp code in a .jsp page which will redirect page and
deployed in tomcat .
When the page is accessed then only html tags are shown and tomcat just skips
jsp code written under the <% %> tag.
Plz help.



Do you have another webserver configured as a front-end to Tomcat ?

Please provide *full* versions of Tomcat and any other relevant software.
And also explain your configuration a bit more in detail.





Re: Fwd: Apache Tomcat 7 -Parameters lost

2015-06-12 Thread André Warnier

kartheek desineedi wrote:

Yes we upgraded to Apache Tomcat 7.0.62 but still the issue is persisting.

Failed request filter did not filter out any params indicating that the
parameters are not malformed.

We are sending all the requests in the SAME manner while most of them
succeed,few of them fail.

Which class in the tomcat source should we try adding more debugging if
need be?


[...]

Kartheek,

Extraordinary claims require extraordinary evidence [Carl Sagan]

Processing POST requests with parameters is what webservers do 99% of the time, and Tomcat 
is a webserver, with several hundred thousand installations.
If several versions of Tomcat were just losing POST parameters randomly, it seems very 
unlikely that you would have been the first and only one to have noticed this and posted a 
message about this on the list.
So, without getting very technical about it, I would suggest that there must be another 
explanation to your problem; and I would further suggest that you re-examine your evidence 
very carefully. Are you 100% sure that there is nothing in these requests which could 
prevent a correct parsing of these parameters ? And/or are you sure that when you compare 
the tcpdump log and the requests that you see in the request dumper log, you are indeed 
looking at the /same/ requests ?






Re: Vb script not running

2015-06-08 Thread André Warnier

Ankur Gupta wrote:

I have apache tomcat  7.0
linux 6.1 server

I want to deploy a .asp page which contains vb script. The problem is that
vb script is not executing. Even response.write() is not working. Is there
any alternative to run vb script?



Assuming that this script should normally be running on the server side..

VB (Visual Basic), as far as I know, is proprietary technology of Microsoft 
Corporation.
So without some additional help, it is unlikely to run under anything else than Microsoft 
Operating Systems and/or Microsoft webservers.


This search in Google may point to some answers : "apache vbscript linux"





Re: Vb script not running

2015-06-08 Thread André Warnier

Hi.

1) on this list, it is highly recommended not to top-post

Ankur Gupta wrote:

Thank you for your reply,
the vb script is normally running under windows server, i had checked it.
When i deploy it into apache tomcat server and try to access vb script
then it does nothing. Is there any alternative method?


2) did you even look at the list to which I pointed you in Google ?

Here are 2 more pages which may help you understand the issue better :

http://modvb.sourceforge.net/FAQ.shtml
http://www.mono-project.com/

Please read them before coming back with another question.

Here is some additional, but very summary information :

Tomcat is a Java Servlet Engine (or Container). It can run so-called dynamic pages, 
using a technology known as JSP (Java Server Pages).  As the name indicates, the code in 
those pages is supposed to be Java.


Pages containing vbscript sections are usually part of another technology, known as ASP, 
which is Microsoft-specific.  Tomcat will not run that, it doesn't even know what it is.


The links above point to solutions which could allow you to run such pages under Apache 
httpd (under Linux or Windows), which is another webserver than Tomcat, but which could be 
used as a front-end to Tomcat, to run these things.


If your problem is only a few vbscript sections, then you may want to consider rewriting 
these parts of the application in Java/JSP.  The benefit would be that then, they would 
become cross-platform (for Linux and Windows).
If there is a lot of vbscript used in the application, and you do not want to convert it 
to Java, then look at the solutions indicated above.





On Mon, Jun 8, 2015 at 4:17 PM, André Warnier a...@ice-sa.com wrote:


Ankur Gupta wrote:


I have apache tomcat  7.0
linux 6.1 server

I want to deploy a .asp page which contains vb script. The problem is that
vb script is not executing. Even response.write() is not working. Is there
any alternative to run vb script?



Assuming that this script should normally be running on the server side..

VB (Visual Basic), as far as I know, is proprietary technology of Microsoft
Corporation.
So without some additional help, it is unlikely to run under anything else
than Microsoft Operating Systems and/or Microsoft webservers.

This search in Google may point to some answers : "apache vbscript linux"












Re: FormAuthenticator, Tomcat restart

2015-05-29 Thread André Warnier

Leonid Rozenblyum wrote:

Hello, Christopher!
I indeed meant this The Tomcat restart between showing and submitting
the login page is the source of the problem.

Your explanation clarifies the core of the issue well!

I'll dig into the Tomcat documentation deeper to find out how to
inject that custom login handler.

Thanks!

On Thu, May 28, 2015 at 6:49 PM, Christopher Schultz
ch...@christopherschultz.net wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 5/28/15 5:29 AM, Mark Thomas wrote:

On 28/05/2015 10:22, Leonid Rozenblyum wrote:

Hello experts.

We are using FormAuthenticator and face a following issue:

1) Session persistence is disabled 2) User is on login page 3)
Restart Tomcat 4) User tries authentication

He receives error 400 or 408.

While digging deeper we discovered that in this case Tomcat
validates session id and if it's old/invalid - prevents
logging-in even though valid credentials are passed.

We tried landingPage solution - it looks better than error
400/408 but anyway it forces user to enter credentials twice (or
we don't know how to pass credentials to landingPage
implicitly).

We think that an improvement of user experience would be :

FormAuthenticator: 255 if (session == null) { session =
request.getSessionInternal(false); }

== if (session == null) { session =
request.getSessionInternal(true); }

So if session is invalid or missing - simply create it.

Does this idea make sense?

No. It makes no sense at all.


Can we achieve the goal of not forcing user entering credentials
twice without changes in Tomcat ?

No. The credentials are stored in the session. If you restart
Tomcat with session persistence disabled those credentials are lost
and the user is going to have to re-enter them.

I think the OP is saying that the credentials are only entered a
single time. The Tomcat restart between showing and submitting the
login page is the source of the problem.

Leonid, the servlet spec is very clear about the workflow for
authentication: the client must request a protected resource, then the
container challenges the client for authentication (shows the login
page), and then the client must submit valid credentials (send a
request to j_security_check). After that, the container must
re-process the client's original request with the newly-authenticated
principal.

Tomcat stores the original request in the session. If you lose your
session between presenting the login page and submitting the
credentials, Tomcat has no way to re-process the original request.

IMO, this is a hole in the spec, because it doesn't allow people to
login simply because they want to; instead, they must first attempt to
reach a protected resource.

If you want your users to be able to login without requesting a
protected resource, you may write your own login-handler and call
ServletRequest.login(). That way, you won't require a session to exist
during that whole workflow.

- -chris


It all begs the question, by pure curiosity if nothing else, of how often the OP restarts 
his Tomcat, that this issue seems to bother him so.

Last time I looked, my 20-odd Tomcats had been running for some 240 days or so.
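Chris's last paragraph above is the practical way out: a login handler of your own that calls HttpServletRequest.login(), so that no session from before the restart is needed. As an added example (not code from the thread or from Tomcat), here is such a servlet for the javax.servlet API (Tomcat 7 to 9; Tomcat 10+ uses jakarta.servlet). It creates the session only at login time so the container can cache the authenticated principal in it, rotates the session id after authentication, answers failures uniformly so usernames cannot be enumerated, and only follows a "next" parameter when it is a path inside this webapp, which closes the open-redirect hole that a naive "return to where you came from" login page leaves. The URL /do-login, the parameter names and the form field names are assumptions of the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: a login endpoint that does not depend on j_security_check or on a
// session that existed before the login form was displayed.
@WebServlet("/do-login")   // assumed mapping
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Make sure a session exists now, so the container can cache the principal in it
        // and later requests stay authenticated (Tomcat's authenticator caches by default).
        req.getSession(true);
        try {
            req.login(user, pass);   // routed to the configured Realm; throws on bad credentials
        } catch (ServletException e) {
            // Same status and body for unknown user and wrong password: no username enumeration.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain");
            resp.getWriter().write("Login failed");
            return;
        }
        // Rotate the id so a session id handed out before login cannot be fixed by an attacker.
        req.changeSessionId();   // Servlet 3.1 (Tomcat 8+)

        resp.sendRedirect(safeTarget(req));
    }

    /** Accepts only an absolute path inside this webapp; everything else goes to the context root. */
    static String safeTarget(HttpServletRequest req) {
        String home = req.getContextPath() + "/";
        String next = req.getParameter("next");
        if (next == null || !next.startsWith(home)) return home;
        if (next.startsWith("//") || next.indexOf('\\') >= 0) return home;   // "//host" and "/\host" tricks
        for (int i = 0; i < next.length(); i++) {
            if (next.charAt(i) < 0x20) return home;   // no CR/LF or other control characters
        }
        return next;
    }
}
```

A plain HTML form posting username, password and an optional next field to /do-login is all the client side needs; since the servlet never reads anything stored before the POST, a Tomcat restart between showing the form and submitting it costs the user nothing.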





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread André Warnier

Sean Dawson wrote:

I had significant problems trying to uncover a change in tomcat7 that broke
our app when upgrading from 42 to 57, for a couple weeks over Christmas
holidays.

Turns out it was something we shouldn't have been doing - 


you mean, apart from top-posting here ?

but it was

definitely a change in tomcat (51 or so) that resulted in the issue(s).

Just something to keep in mind.



Well yes, but in all truth, if you were doing something which you should not have been 
doing - and bonus points for admitting it - then you cannot really blame the tomcat 
developers for making a change which broke it, even over Christmas, can you ?


On the contrary, you should be grateful : the fact that the change pointed out the bad 
thing in your code, may have prevented the later advent of a nuclear war.  That would have 
been even less fun over Christmas.


As a concession, maybe George's post below could have been prefixed with "If your code is 
well-behaved, .."





On Fri, May 29, 2015 at 11:43 AM, George Sexton geor...@mhsoftware.com
wrote:



On 5/29/2015 5:16 AM, David kerber wrote:


On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:


Sadly, it's a system I inherited last year and now have the pleasure to
work with. I can't update Tomcat for I don't know what will break.


There's a fair chance that you can update to the latest version of TC 6
without anything breaking, but of course that's not guaranteed.


I can think of very few instances where a change in Tomcat broke my app.
The only one I can really remember was a change that I initiated :)


--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com









Re: can we pass OS username while connection Database from Tomcat

2015-05-28 Thread André Warnier

Mark Thomas wrote:

On 28/05/2015 08:26, Vijay Kumar wrote:

Hi,

Is it possible to pass OS username when making connection to any Database
from Tomcat context.xml?


In theory this should be possible if you are using SPNEGO authentication.

Testing this to figure out what is required to make it work is on the
TODO list. It is likely that some combination of configuration, Tomcat
code changes and application changes will be required.



I think that the term "OS username" should be carefully defined here, along with the 
precise circumstances in which this would apply.
Also, connecting to a database using the user-id kind of defeats any kind of db connection 
persistence/pooling/sharing at the container level.
If this kind of thing is desired anyway, should it then not be done at the application 
level, where you can retrieve the UserPrincipal anyway ?







Re: can we pass OS username while connection Database from Tomcat

2015-05-28 Thread André Warnier

Vijay Kumar wrote:

Hi Mark,

Thanks for your update.

I should have specified my requirement a little more clearly for you to understand
what you are saying.

I have Oracle Database where my objects are installed and I have also a
Linux instance where i installed Tomcat.
I am currently creating connection to the Oracle database from Tomcat using
'apps' user as this schema is having all permissions.

One of my clients wants to monitor the connections that are created from my
application. For this i want to pass my Linux user information (userid)
while creating the connection from my application or in context.xml file.

Please suggest is it possible or not?



Possible, it certainly is.
But is it the best solution to fulfill your customer's wishes, that is another 
question.

I believe that you have to think carefully about all the implications, in your application 
as well as on the performance of the system, before rushing to any kind of solution.


For example, would it not be easier for your application to just write a line to some 
logfile, whenever it accesses the database on behalf of the logged-in user (and read and 
analyse that file later, and provide that information to your customer) ?
If your customer just wants to know who is really using the database and/or how much, that 
would be enough.


If you really want to open the connection to the database under each individual user-id, 
then it means for example that the database has to know each of those user-id's (and keep 
them up-to-date). It also means that different user-id's could have different access 
rights (or none), and that your application would have to take this into account.
And so on..  It is not just the fact of opening the connection.  It may be the whole 
design of your application that would need to change.
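The suggestion above, writing a log line whenever the application touches the database on behalf of the logged-in user, keeps the single pooled "apps" account and still tells the customer who did what. As an added example (not code from the thread), the class below does that from a servlet with the container-authenticated principal, and goes one step further than the post: it also labels the pooled connection with that user name through the standard JDBC Connection.setClientInfo() call, so the DBA can see the application user in the database's own session views, and clears the label before the connection goes back to the pool so the next borrower is not mislabelled. The client-info key "OCSID.CLIENTID" is an assumption taken from Oracle's JDBC driver documentation and must be checked against the driver in use; the orders table and its owner column are constructed for the example.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLClientInfoException;
import java.sql.SQLException;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;

// Added example: one shared DB account, per-user logging and per-use connection labelling.
public final class UserTaggedDb {
    private static final Logger LOG = Logger.getLogger(UserTaggedDb.class.getName());
    // Driver-specific client-info key; assumed here, verify with your JDBC driver's docs.
    private static final String CLIENT_ID_KEY = "OCSID.CLIENTID";

    private final DataSource pool;   // the JNDI DataSource defined in context.xml

    public UserTaggedDb(DataSource pool) {
        this.pool = pool;
    }

    /** Runs a query on behalf of the authenticated web user, logging and labelling the access. */
    public int countOrdersFor(HttpServletRequest req) throws SQLException {
        // Use only the container-authenticated principal, never a client-supplied name.
        Principal p = req.getUserPrincipal();
        String appUser = (p == null) ? "anonymous" : p.getName();

        try (Connection c = pool.getConnection()) {
            label(c, appUser);
            LOG.info(() -> "db access user=" + appUser + " from=" + req.getRemoteAddr()
                    + " uri=" + req.getRequestURI());
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT COUNT(*) FROM orders WHERE owner = ?")) {   // constructed table
                ps.setString(1, appUser);
                try (ResultSet rs = ps.executeQuery()) {
                    rs.next();
                    return rs.getInt(1);
                }
            } finally {
                label(c, "");   // clear before the pooled connection is reused by another user
            }
        }
    }

    private static void label(Connection c, String value) {
        try {
            c.setClientInfo(CLIENT_ID_KEY, value);
        } catch (SQLClientInfoException e) {
            // Non-fatal: the application log above still records the user.
            LOG.warning("driver rejected client info: " + e.getMessage());
        }
    }
}
```

Nothing here requires the database to know each web user: authentication stays with Tomcat, authorization stays in the application, and pooling keeps working, which is exactly the trade-off the post above is pointing at.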






Re: can we pass OS username while connection Database from Tomcat

2015-05-28 Thread André Warnier

Vijay Kumar wrote:

Hi Mark,

Please find below my exact requirement.

I have Oracle Database where my objects are installed and I have also a
Linux instance where i installed Tomcat.
I am currently creating connection to the Oracle database from Tomcat using
'apps' user as this schema is having all permissions.

One of my clients wants to monitor the connections that are created from my
application. For this i want to pass my Linux user information (userid)
while creating the connection from my application or in context.xml file.

Please suggest the approaches? If SPNEGO, can you redirect me to any doc/post on
how to achieve this?


Vijay,
you are repeating yourself (and still top-posting), but you are not providing the crucial 
information which would enable someone to really help you.

For example, what Linux user information (userid) are you talking about ?

Is it the Linux user-id under which Tomcat is running ?
That would probably be "tomcat", so that is probably not going to help you fulfill your 
customer's wishes.


Is it the user-id of the /user/ of your Tomcat application ?
In that case, how does Tomcat know this user-id ? Do the users login into your application 
? How ? What is the user authentication mechanism being used, now, at the Tomcat level ?


Does the Oracle database also know this user-id ? How ?

What does "One of my clients wants to monitor the connections" mean, exactly ? what does the 
customer want to know, and when ? Is this customer the only user/manager of the Oracle 
database, or are there multiple users/managers of the Oracle database ?






Re: can we pass OS username while connection Database from Tomcat

2015-05-28 Thread André Warnier
Vijay, do not top post. As you can see below, it makes it difficult to follow the 
conversation.


Vijay Kumar wrote:

Hi Mark,

Thanks for your update.

I should have specified my requirement a little more clearly for you to understand
what you are saying.

I have Oracle Database where my objects are installed and I have also a
Linux instance where i installed Tomcat.
I am currently creating connection to the Oracle database from Tomcat using
'apps' user as this schema is having all permissions.

One of my clients wants to monitor the connections that are created from my
application. For this i want to pass my Linux user information (userid)
while creating the connection from my application or in context.xml file.

Please suggest is it possible or not?

Regards,
Vijay G

On Thu, May 28, 2015 at 1:14 PM, Mark Thomas ma...@apache.org wrote:


On 28/05/2015 08:26, Vijay Kumar wrote:

Hi,

Is it possible to pass OS username when making connection to any Database
from Tomcat context.xml?

In theory this should be possible if you are using SPNEGO authentication.

Testing this to figure out what is required to make it work is on the
TODO list. It is likely that some combination of configuration, Tomcat
code changes and application changes will be required.

Mark












Re: can we pass OS username while connection Database from Tomcat

2015-05-28 Thread André Warnier

Vijay Kumar wrote:

Hi ,

I am referring User_Id as Linux User_id where we installed Tomcat.

My Oracle Database doesn't know about this user_id.




We seem to have some communication issue.
But I have sinned a lot in my life, so this will probably count as redemption 
points.

Another try :

1) read this : http://tomcat.apache.org/lists.html
Paragraph "tomcat-users" -- "important" -- 6.

2) in Oracle, create the user "tomcat"

3) in your database configuration in server.xml or context.xml, replace "apps" by 
"tomcat".
And then tell us if this is the answer to your question, or why it is not.




Thanks,
Vijay G

On Thu, May 28, 2015 at 3:20 PM, André Warnier a...@ice-sa.com wrote:


Vijay Kumar wrote:


Hi Mark,

Please find below my exact requirement.

I have Oracle Database where my objects are installed and I have also a
Linux instance where i installed Tomcat.
I am currently creating connection to the Oracle database from Tomcat
using
'apps' user as this schema is having all permissions.

One of my clients wants to monitor the connections that are created from my
application. For this i want to pass my Linux user information (userid)
while creating the connection from my application or in context.xml file.

Please suggest the approaches? If SPNEGO, can you redirect me to any doc/post on
how to achieve this?

 Vijay,

you are repeating yourself (and still top-posting), but you are not
providing the crucial information which would enable someone to really help
you.
For example, what Linux user information (userid) are you talking about ?

Is it the Linux user-id under which Tomcat is running ?
That would probably be "tomcat", so that is probably not going to help you
fulfill your customer's wishes.

Is it the user-id of the /user/ of your Tomcat application ?
In that case, how does Tomcat know this user-id ? Do the users login into
your application ? How ? What is the user authentication mechanism being
used, now, at the Tomcat level ?

Does the Oracle database also know this user-id ? How ?

What does "One of my clients wants to monitor the connections" mean, exactly
? what does the customer want to know, and when ? Is this customer the only
user/manager of the Oracle database, or are there multiple users/managers
of the Oracle database ?













Re: Fwd: Fwd:

2015-05-26 Thread André Warnier

Hello Yuval.

As a kind of generic answer to your previous enquiries :

Tomcat is a Servlet Container, and the developers who write Tomcat strive to have it 
behave in accordance with the applicable Java Servlet Specification.
Refer to this page to find out which version of Tomcat matches which version of the 
Servlet Specification :   http://tomcat.apache.org/whichversion.html

and then search the web for the appropriate version of the Servlet 
Specifications.

As the name indicates, this document describes in detail what java servlets and servlet 
containers should and should not do, and in some cases how they should do it.
In that specification, there is a chapter entitled "Security" which among other things 
covers the various forms of user authentication that should be supported by any 
specs-respecting servlet container and which you are encouraged to read, as it already 
contains answers to many of your questions.


In summary though, there are essentially 2 sub-categories there :
- container-managed (which covers Basic, Digest and Form-based user 
authentication)
- application-managed (which is whatever a developer may choose to implement at 
application (webapp/servlet) level, e.g. via servlet filters)


As far as container-managed Form-based authentication is concerned, what Tomcat provides 
is what the Servlet Specification says that it should.

(And that does not cover the "remember me" feature as you describe it below).

There may be third-parties which offer such enhancements (free or commercial), but you 
will need to search for them.


Note that in addition to the above 3 container-managed authentication mechanisms, Tomcat 
does also provide some additional options, like SPNEGO, JAAS etc..

See here : http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html
and here : http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html

And what Tomcat does provide is /sessions/, for which you can set yourself the expiration 
time.  It does not really do the same as the "remember me" feature you are talking about, 
but it may cover your needs to some extent, depending on your circumstances.

Sessions are also explained in a chapter of the Servlet Specification.

HTH


Yuval Schwartz wrote:

Hello Chris,


Answers below.

Thanks again.

On Mon, May 25, 2015 at 3:18 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Yuval,

On 5/24/15 5:06 PM, Yuval Schwartz wrote:

Firstly, I'd like to clear something up: Is "container managed
security" only intended for use with administrative users
of a web application?

No. What would give you that impression?


Because I was intending on using it for all users of my web
application (eg: customers, students, etc. People with no
administrative responsibilities).

You can use it with everyone.


On Sun, May 24, 2015 at 9:00 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

Yuval,

On 5/23/15 7:15 AM, Yuval Schwartz wrote:

I can currently initialize a MessageDigestCredentialHandler
object with my desired salt, iteration and algorithm
parameters and then call the handler's mutate() method before
inserting the password into my database.

Good.


And, from a servlet, the HttpServletRequest Object's login()
(for example) method works when inputting the user_name and
plain text password.

Good.


However, I am still struggling to create my database input
({salt}:{iterations}:{hash}) without inputting my desired
parameter (iterations, saltLength, etc.) to a
MessageDigestCredentialHandler, but rather by getting these
parameters (or the CredentialHandler itself) from the
servlet.

What have you tried? Do you want the remote user to be able to
specify the salt size and iterations?


I'd advise against that, since users may

intentionally reduce their own security (or, worse, intentionally
give you an effectively infinite salt or iteration count, which
could represent a DOS vulnerability).


Without being able to do this, I don't see the purpose of
specifying these parameters in the nested
CredentialHandler element within the Realm element of the
context.xml file (these parameters are retrieved from the
storedCredential when authenticating meaning they're not
used when a method such as request.login() is performed).

They are absolutely used when HttpServletRequest.login() is called.
That login() method ultimately calls Realm.authenticate(), which
uses the CredentialHandler. The settings in CredentialHandler
entirely handle logins for existing users.



Realm.authenticate() calls
MessageDigestCredentialHandler.matches(inputCredential, storedCredential), which calls
DigestCredentialHandlerBase.matchesSaltIterationsEncoded(inputCredentials,
storedCredentials) (line 146 of class MessageDigestCredentialHandler)

This method isolates the salt from the storedCredential (line 162), then isolates the
iterations from the storedCredential (line 164), then uses both these parameters in
addition to the

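As an added illustration of the stored-credential layout and the match-time parsing the thread walks through (this is not Tomcat's MessageDigestCredentialHandler and not code from any poster): salt and iteration count are read back out of the stored {salt}:{iterations}:{hash} string at login, and the verifier caps both so that an oversized value cannot turn each login attempt into the denial of service Chris describes. The hashing scheme (digest of salt||password, re-hashed iterations-1 more times), the ':' separator, and the cap values are assumptions, not a byte-exact copy of Tomcat's format.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not Tomcat's defaults).
ALGORITHM = "sha256"
MAX_ITERATIONS = 100_000   # hard upper bound: a huge stored/supplied count is rejected
MAX_SALT_BYTES = 64        # likewise for the salt length
DEFAULT_ITERATIONS = 20_000
DEFAULT_SALT_LENGTH = 16


def mutate(password: str, salt: bytes, iterations: int, algorithm: str = ALGORITHM) -> str:
    """Hex digest of salt||password, re-hashed (iterations - 1) more times.

    Assumed scheme for this example; it is not claimed to be byte-compatible
    with Tomcat's MessageDigestCredentialHandler.mutate().
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def encode_credential(password: str, salt_length: int = DEFAULT_SALT_LENGTH,
                      iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build the value to store in the database: {salt}:{iterations}:{hash}.

    The parameters are chosen server-side (here: the defaults above), never by
    the remote user, which is the point Chris makes in the thread.
    """
    salt = os.urandom(salt_length)
    return f"{salt.hex()}:{iterations}:{mutate(password, salt, iterations)}"


def parse_credential(stored: str):
    """Isolate salt, then iterations, then hash from the stored credential.

    Returns (salt, iterations, hash_hex) or None if the record is malformed
    or its parameters fall outside the caps.
    """
    try:
        salt_hex, iterations_str, hash_hex = stored.split(":")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
    except ValueError:
        return None
    if not (1 <= iterations <= MAX_ITERATIONS) or len(salt) > MAX_SALT_BYTES:
        return None
    return salt, iterations, hash_hex


def matches(input_password: str, stored: str) -> bool:
    """Verify a plaintext password against a stored credential.

    Parameters come from the stored record (as in matchesSaltIterationsEncoded),
    and the comparison is constant-time.
    """
    parsed = parse_credential(stored)
    if parsed is None:
        return False
    salt, iterations, hash_hex = parsed
    return hmac.compare_digest(mutate(input_password, salt, iterations), hash_hex)


if __name__ == "__main__":
    # Constructed sample: enrol a user, then verify a right and a wrong password.
    record = encode_credential("correct horse battery")
    print(record)
    print(matches("correct horse battery", record), matches("wrong", record))
```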
Re: native API - to make Apache/Tomcat faster

2015-05-26 Thread André Warnier

David kerber wrote:

On 5/26/2015 9:36 AM, Christopher Schultz wrote:



...




The rebooting the server is a cure.


That seems to be a popular cure with Microsoft Windows servers ;)



But unfortunately, it's only treating the symptoms, not curing the 
disease...   :-(




Wait, I am a bit confused now. Is Microsoft Windows the symptom, or the disease 
?


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: native API - to make Apache/Tomcat faster

2015-05-26 Thread André Warnier

Christoph P.U. Kukulies wrote:

Am 26.05.2015 um 15:36 schrieb Christopher Schultz:


So you are using either mod_proxy_ajp or mod_proxy?


mod_proxy




Are you using TLS anywhere in the mix? (I should hope so, since you
are deploying a CMS). Does httpd terminate TLS? Do you encrypt the
connection(s) between httpd and Tomcat using TLS?


No, not using TLS between Apache and tomcat. Using secure http (https) is
planned to be used soon.


We are observing that the server sometimes delivers pages
incompletely.

Have you been able to determine if Tomcat is not sending the whole
page, or if httpd is not proxying the whole page?


I have not yet found the time to debug the connection and to locate the 
actual
missing pieces. It just seems that some js or css is not being loaded 
since the source

code of the page itself is there.


Now that may be something else entirely.
Did you check your js/css links (in the Tomcat pages) and your proxy directives in Apache 
httpd carefully, to see if these (separate) requests for the js/css pieces are being sent 
to where these files really are ?







Portions of the page do not show and trying to restart the service
results in a time out.

A time out where? The service-restart times out, or after a service
restart, requests time out?


When I type NET STOP tomcat7 on the server to stop the service, it 
hangs. Normally

the service should be shut down smoothly.



And that may be a totally separate, unrelated to the first above, issue.



I'm unaware of any problems when up-to-date versions of all components
are being used.


The rebooting the server is a cure.

That seems to be a popular cure with Microsoft Windows servers ;)



--
Christoph










Re: how to block the duplicated requests?

2015-05-19 Thread André Warnier

Christopher Schultz wrote:


To whom it may concern,

On 5/19/15 8:09 AM, javalishixml wrote:

Just understood you. Really appreciate for your feedback.


How do we judge it's a robot? item1: we find the request IP is
always the same one. item2: our page may contains several
keep-alive connections. But the attack connection only focus on
connection.


Based upon the first request, how can you tell that the robot is going
to make later keep-alive requests?


Based on these 2 items, we think the client is a robot.


Can you write some pseudo-code that shows the algorithm in its
simplest form?

I think maybe putting these 2 items together to consider it as a 
robot is a bit complex. Let's do it from the simple point.


If we always find there is a same IP request our website the same
url for many times, can I block this request at httpd level?


This sounds like a job for mod_qos, mod_evasive, or mod_security.

- -chris


+1.
Also, a quick search in Google for "apache filtering unwanted requests" gives a bunch of 
results which you may want to explore.






Re: Tomcat 7 JNDI Realm credential password update availability

2015-05-13 Thread André Warnier

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) 
wrote:

Hello,

We have a Tomcat 7 server running on Linux that must use LDAP over SSL to 
connect to an AD server for user authentication. This
configuration we have working. The issue is the credentials used to connect to 
the AD server must have the password updated
every 180 days, and therefore updated in the JNDI Realm configuration. Is there 
a way to update the password in server.xml
that would allow it to be recognized as changed without restarting the Tomcat 
server. Or some other configuration what ever
it may be that would achieve this. The goal is to update the password and have 
it recognized as updated with no down time for
the application running on the server.

Any thoughts would be appreciated.


The real issue there, is that the password must be updated every 180 days.
That means that to connect to the AD server, you are probably using a normal user 
account, to which this kind of policy applies.
You should probably request a special service account, of which the password does not 
run out.
Yes, such a service account is probably harder to get, and you will probably have to go 
through some administrative burdens to get it, but that is the right way to run for your 
Tomcat, which is a service, and which should not be submitted to the same kind of 
policies as a normal user.









Re: Tomcat Vulnerabilities for 6.x and 7.x version

2015-05-12 Thread André Warnier

Mittal, Paran (Infosys) wrote:

Hi Team,

We need to understand the fix for tomcat Vulnerabilities for 6.0.29 and 7.0 
version.
We came across a CVE Reference:   CVE-2014-0230 which says
When a response for a request with a request body is returned to the user agent 
before the request body is fully read, by default Tomcat swallows the remaining request 
body so that the next request on the connection may be processed. There was no limit to 
the size of request body that Tomcat would swallow. This permitted a limited Denial of 
Service as Tomcat would never close the connection and a processing thread would remain 
allocated to the connection

Could you please provide us with the Fix or patch for the same as we could not 
find the same on the apache tomcat site.


Hi.
I think that this topic has already been extensively discussed on the list.
Please check if this does not already answer your question, if any :

http://marc.info/?t=14308665475r=1w=2





Re: Issues with Tomcat 7.0.57 not loading ActionServlets

2015-05-07 Thread André Warnier

Raj wrote:

I upgraded my application from tomcat 5.5.15, JDK 1.5, Struts 1.1 on Debian
2.6.32 to
tomcat 7.0.57, JDK 1.6, struts 1.1 on ubuntu14.04 and Action Servlets are
not loading.
I am thinking of this is something to do with version conflict. Please let
me know what I am missing.

Below is the error

Apr 24, 2015 9:00:20 PM org.apache.catalina.core.ApplicationContext log

INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain:
[org.apache.webapp.balancer.RuleChain: RoundRobinRule@643fd34a]

Apr 24, 2015 9:00:20 PM org.apache.catalina.core.ApplicationContext log

INFO: Marking servlet action as unavailable

Apr 24, 2015 9:00:20 PM org.apache.catalina.core.StandardContext
loadOnStartup

SEVERE: Servlet  threw load() exception

javax.servlet.UnavailableException: Cannot load a validator resource from
'/WEB-INF/validator-rules.xml'

at
org.apache.struts.validator.ValidatorPlugIn.init(ValidatorPlugIn.java:174)


snip

Hi.
As far as I know, there is no problem per se in running Apache Tomcat 7.0.57 with a JDK 
1.6 under Linux Debian or Ubuntu.  The above exception happens in the Struts code, not 
Tomcat code.
I believe that you should rather ask for help on the Struts support line, see : 
https://struts.apache.org/mail.html






Re: [SECURITY] CVE-2014-0230: Apache Tomcat DoS

2015-05-06 Thread André Warnier

Jose María Zaragoza wrote:

2015-05-06 0:53 GMT+02:00 Mark Thomas ma...@apache.org:


CVE-2014-0230 Denial of Service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 8.0.0-RC1 to 8.0.8
- - Apache Tomcat 7.0.0 to 7.0.54
- - Apache Tomcat 6.0.0 to 6.0.43

Description:
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed.



I'm trying to understand when that behaviour is happening
When is a response returned before the request body is fully read ?
What happens when  the remaining request body is read ?



Guess for Q1 : when the original request's target is an area which requires 
authentication, and the request is not ?

Q2 : That is explained in the message : it is discarded.
It's just that it may be very large (and/or slow), and Tomcat may have a thread busy for a 
while reading it to the end.





Re: Officially released Apache tomcat version with CVE-2014-0230

2015-05-05 Thread André Warnier

Raghavendra Nilekani wrote:

Hi

I have an application where I currently use 6.0.20 version of Apache tomcat
bundle from spring source. Now because of security vulnerabilities I have
to migrate to newer latest version of Apache tomcat. I saw the latest
version on Apace tomcat site is Apache Tomcat 6.0.43 where the highest CVE
fixed is *CVE-2014-0227. *

Now one more latest CVE *Apache Tomcat File Upload denial of service *has
come. The fix for this problem is not officially released by Apache. I see
applying a patch is able to eliminate this problem. The bugfix is ready for
download at svn.apache.org. The vulnerability is also documented in the
databases at X-Force (102131) and SecurityTracker (ID 1032079).


From seclists.org, I heard this problem was identified as a partial DoS

(non persistent, but you can very easily eat up all server ram) and
assigned CVE-2014-0230 and then the person handling it left Red Hat and it
didn't get processed properly.

Can you please tell me, is there any official fix for this problem
available and from where I can download the official fix for this CVE ?
When will Apache tomcat site have a newer version of Apache tomcat with
this CVE fixed ?



Hi.
I believe that you should first read this : 
http://tomcat.apache.org/security.html
at least the first section, to get a general idea.

Do not forget that Tomcat is an open-source, free software, that the people developing it 
and maintaining it do this on a voluntary basis, and that their time is limited.
Other organisations set it as their task to provide their own versions of Tomcat packages, 
and to guarantee that they are patched to the latest known security vulnerabilities.

And they (rightly) charge a fee for that work.

That does not mean that the developers of Apache Tomcat do not take security 
vulnerabilities seriously, and do not do their best to fix them as quickly as possible.
But it does mean that there is not necessarily always a released version of Tomcat 
available on the official website, with patches for the latest vulnerabilities.


So, probably the best you can do is :
1) look in the page above ("Lists of security problems fixed in released versions of Apache 
Tomcat are available:") for your version of Tomcat, and upgrade to a version indicated there 
if appropriate
2) otherwise, put pressure on your Tomcat package provider (whom you presumably pay for 
that), to provide the patch you need







Re: High cpu on Tomcat 8

2015-05-04 Thread André Warnier

Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Subject: Re: High cpu on Tomcat 8



Car analogy: it's the distributor cap of all the bytes flying around
the container.


You're dating yourself :-)

Haven't seen a distributor on a car in many years.


Hey, my car has one.
Which probably dates me too, and my car..




Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread André Warnier

Paul Klinkenberg wrote:

Hi Christopher,

Thanks for taking the time to respond; again much appreciated.

Your point, and André's, is understood. Security should not be done based on 
incoming IP address.
With this current project, we of course want to deliver software which is 
secure by default. Now, if someone would install Tomcat, then add the mod_cfml 
valve, and then doesn't lock port 8080 or 8009, the server would become 
vulnerable in the same way as if the /host-manager would not have 
password-protection.

Currently, I am discussing with the main mod_cfml developers Jordan Michaels and Bilal Soylu how to implement security, since I now won't be implementing IP restriction. We'll probably go with using the secret configuration parameter for ajp like you suggested. 
Or maybe using a shared secret key between the frontend server and the Tomcat valve. In this last case, we would also have tackled security when remote attackers try to contact Tomcat on http-8080 directly, instead of using the ajp connector.


I never knew the remote_addr could not be trusted, but I believe you at once 
when you say so.
I thought it was taken from the actual socket connection. With the exception of 
ajp by the way, where it is programmatically changed to reflect the remote 
client while handling the http call. Out of curiosity, could you shed some 
light as to why the remote_addr is not to be trusted in a regular http request?

Thanks again for your time and effort!

Kind regards,

Paul Klinkenberg



On Tomcat, you can set the AJP Connector to only listen on the local IP address of the 
Tomcat server host.  That means that only local LAN clients (including the httpd 
front-end, presumably) can connect to that Connector.
So this already stops any external client (be it workstation or server) from even 
connecting to Tomcat using AJP.
It also, presumably, ensures that only your internal httpd front-ends can potentially 
connect to Tomcat via AJP.


Now if you do not even trust your internal servers/clients, /then/ you need additional 
measures. But in such a case, whether you use a secret which the front-end must provide, 
or whether you use an additional header or Jk variable, is only a choice; but any of those 
requires some setup on the front-ends.


The same is for the other Connectors, like HTTP/HTTPS.  If you do not want people to 
connect through these, disable them or have them also only listen on a local IP address.











Op 29 apr. 2015, om 17:48 heeft Christopher Schultz 
ch...@christopherschultz.net het volgende geschreven:


Paul,

On 4/29/15 11:17 AM, Paul Klinkenberg wrote:

The reason I want to add the IP restriction in the valve, is to
make 100% sure that the request (for creating a new Tomcat context)
is indeed coming from the frontend webserver.

I think there are better ways to do this. Among them:

1. Firewall rule that only allows access to the AJP port from a
certain IP address/range.

2. Use of the secret configuration parameter for mod_jk/AJP connector

In production, we tunnel AJP from our web servers to our application
servers using stunnel, and stunnel connections are only allowed from
the range of IPs used by our web servers. Then, we actually have the
AJP connector listen on ::1 so nobody from the outside can connect to
us, except through such a tunnel.

This valve is a setup not just for me, where I could tweak server 
settings and such, but for anyone who uses the mod_cfml connector.

It is installed by default by the Railo/Lucee installers
(getrailo.org http://getrailo.org/ / lucee.org
http://lucee.org/)

It seems a little fragile, because it requires configuration beyond
what an installer can auto-configure for you (i.e. it has no idea what
the IP address of the web server(s) is(are)).


Therefore, I cannot rely on an incoming header, as it could
originate from anywhere. Also, a remote system could call the AJP
endpoint on the Tomcat server, with this JkEnvVar set to a spoofed
value. (if the port is not firewalled off course) So the problem
with both options is, that they cannot be fully trusted.

If you are that paranoid, you also can't trust the source IP address
in the IP header, so you are back to square 1: you can't trust
anything, so don't build your security around this lack-of-trust.


If I am able to find out where the AJP request came from, then I
can validate the caller.

The only way to check the caller would be to get ahold of the Socket
that Tomcat is using to communicate. That's not easily done, since
Tomcat wants to protect its sockets from code messing-around with the
state of those Sockets.

If you don't trust mod_jk to send you the right values, then you also
can't trust the REMOTE_ADDR value that is pointing to the real
client. Basically, it comes down to this: you either trust mod_jk or
not. If you don't, then all bets are off.

If you *can* trust mod_jk, then just forward an environment variable
using JkEnvVar: 

Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread André Warnier

Paul Klinkenberg wrote:

Hi André,


Paul Klinkenberg wrote:

Hi Christopher,
Thanks for taking the time to respond; again much appreciated.
Your point, and André's, is understood. Security should not be done based on 
incoming IP address.
With this current project, we of course want to deliver software which is 
secure by default. Now, if someone would install Tomcat, then add the mod_cfml 
valve, and then doesn't lock port 8080 or 8009, the server would become 
vulnerable in the same way as if the /host-manager would not have 
password-protection.
Currently, I am discussing with the main mod_cfml developers Jordan Michaels and Bilal Soylu how to 
implement security, since I now won't be implementing IP restriction. We'll probably go with using 
the secret configuration parameter for ajp like you suggested. Or maybe using a shared 
secret key between the frontend server and the Tomcat valve. In this last case, we 
would also have tackled security when remote attackers try to contact Tomcat on http-8080 directly, 
instead of using the ajp connector.
I never knew the remote_addr could not be trusted, but I believe you at once 
when you say so.
I thought it was taken from the actual socket connection. With the exception of 
ajp by the way, where it is programmatically changed to reflect the remote 
client while handling the http call. Out of curiosity, could you shed some 
light as to why the remote_addr is not to be trusted in a regular http request?
Thanks again for your time and effort!
Kind regards,
Paul Klinkenberg

On Tomcat, you can set the AJP Connector to only listen on the local IP address of the Tomcat 
server host.  That means that only local LAN clients (including the httpd 
front-end, presumably) can connect to that Connector.
So this already stops any external client (be it workstation or server) from 
even connecting to Tomcat using AJP.
It also, presumably, ensures that only your internal httpd front-ends can 
potentially connect to Tomcat via AJP.

Now if you do not even trust your internal servers/clients, /then/ you need additional 
measures. But in such a case, whether you use a secret which the front-end 
must provide, or whether you use an additional header or Jk variable, is only a choice; 
but any of those requires some setup on the front-ends.

The same is for the other Connectors, like HTTP/HTTPS.  If you do not want 
people to connect through these, disable them or have them also only listen on 
a local IP address.


Thanks for these tips. I see there are quite a few options to secure the AJP 
connector, which is great.

For the project I am currently working on, I have to take into consideration that the 
user might already have Tomcat installed, and then probably with the default 
configuration. That would mean the AJP connector is available, and http connector as 
well. When someone now wants to add the mod_cfml valve to their setup, I will warn them 
in the install/config notes to lock down their tomcat server, if they haven't done so 
already. Next to this, I would like to be able to make the valve secure by 
default, without having to rely on external settings.
For this secure by default, a required shared secret key seems like a 
solution to me.


Note : to check. I am not sure if the HTTP/HTTPS Connectors provide this shared secret 
thing. This may well be an AJP Connector feature only.


 Remote users accessing either the http connector or ajp connector (only possible if the 
server is not firewalled), would need to have that key in order to get the valve to create 
a new context.


I _do_ trust the internal servers/clients, I just want to make sure that if a mod_cfml user was too lame to secure its server, then mod_cfml isn't the weakest link to be able to hack the server. 
I hope that makes sense?




Ok, so at this point, you only want to know, by intellectual curiosity, *how you could* 
theoretically, in your Valve, obtain the IP address and port of the front-end proxy server 
who is forwarding the original client request to your Tomcat.

Oof, that was hard to write, and I hope it is correct.

Actually, Christopher already provided the answer to that, in a previous post :

 The only way to check the caller would be to get ahold of the Socket
 that Tomcat is using to communicate. That's not easily done, since
 Tomcat wants to protect its sockets from code messing-around with the
 state of those Sockets.

That's a clue, but not a very helpful one for you, is it ?

I believe that the main issue here is that there is no such standard functionality 
dictated by the Servlet Specification, so there is no obligation for any Servlet Engine to 
provide this, and apparently thus Tomcat does not provide a way to obtain this information 
easily, because it doesn't have to.
And according to Christopher, there may even be a deliberate attempt from the Tomcat code 
to prevent one being able to do such things easily, because it could potentially mess up 
things pretty badly if one 

Re: [OT] Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread André Warnier

Christopher Schultz wrote:


Paul,

On 4/30/15 3:24 AM, Paul Klinkenberg wrote:

I never knew the remote_addr could not be trusted, but I believe
you at once when you say so.

I thought it was taken from the actual socket connection. With the 
exception of ajp by the way, where it is programmatically changed
to reflect the remote client while handling the http call. Out of 
curiosity, could you shed some light as to why the remote_addr is

not to be trusted in a regular http request?


The client can spoof the source IP in the packet headers.



This is not on-topic, but since the point has been raised, and since there are many smart 
people on this list..


I am probably not very clever in a hacking kind of way, but I have never been able to 
figure out how a client could make use of this to actually achieve something with TCP.

Setting up a TCP connection requires a couple of packet exchanges *back and 
forth*.
So, the client can indeed send a first SYN packet to a server, with a spoofed origin IP 
address. But then the server would return the ACK packet to that spoofed IP address, which 
is presumably not the real client's one, wouldn't it ?

What good would that be to the malevolent client ?
Unless the point is only to flood a server's TCP stack with connection requests which 
never can get completed..

If anyone has a clue as to how this can be really exploited, I'm eager to learn.





Re: Finding the Apache httpd IP address when AJP is used

2015-04-30 Thread André Warnier

Paul Klinkenberg wrote:

Hi André,


Paul Klinkenberg wrote:

Hi André,

Paul Klinkenberg wrote:

Hi Christopher,
Thanks for taking the time to respond; again much appreciated.
Your point, and André's, is understood. Security should not be done based on 
incoming IP address.
With this current project, we of course want to deliver software which is 
secure by default. Now, if someone would install Tomcat, then add the mod_cfml 
valve, and then doesn't lock port 8080 or 8009, the server would become 
vulnerable in the same way as if the /host-manager would not have 
password-protection.
Currently, I am discussing with the main mod_cfml developers Jordan Michaels and Bilal Soylu how to 
implement security, since I now won't be implementing IP restriction. We'll probably go with using 
the secret configuration parameter for ajp like you suggested. Or maybe using a shared 
secret key between the frontend server and the Tomcat valve. In this last case, we 
would also have tackled security when remote attackers try to contact Tomcat on http-8080 directly, 
instead of using the ajp connector.
I never knew the remote_addr could not be trusted, but I believe you at once 
when you say so.
I thought it was taken from the actual socket connection. With the exception of 
ajp by the way, where it is programmatically changed to reflect the remote 
client while handling the http call. Out of curiosity, could you shed some 
light as to why the remote_addr is not to be trusted in a regular http request?
Thanks again for your time and effort!
Kind regards,
Paul Klinkenberg

On Tomcat, you can set the AJP Connector to only listen on the local IP address of the Tomcat 
server host.  That means that only local LAN clients (including the httpd 
front-end, presumably) can connect to that Connector.
So this already stops any external client (be it workstation or server) from 
even connecting to Tomcat using AJP.
It also, presumably, ensures that only your internal httpd front-ends can 
potentially connect to Tomcat via AJP.

Now if you do not even trust your internal servers/clients, /then/ you need additional 
measures. But in such a case, whether you use a secret which the front-end 
must provide, or whether you use an additional header or Jk variable, is only a choice; 
but any of those requires some setup on the front-ends.

The same is for the other Connectors, like HTTP/HTTPS.  If you do not want 
people to connect through these, disable them or have them also only listen on 
a local IP address.

Thanks for these tips. I see there are quite a few options to secure the AJP 
connector, which is great.
For the project I am currently working on, I have to take into consideration that the 
user might already have Tomcat installed, and then probably with the default 
configuration. That would mean the AJP connector is available, and http connector as 
well. When someone now wants to add the mod_cfml valve to their setup, I will warn them 
in the install/config notes to lock down their tomcat server, if they haven't done so 
already. Next to this, I would like to be able to make the valve secure by 
default, without having to rely on external settings.
For this secure by default, a required shared secret key seems like a 
solution to me.

Note : to check. I am not sure if the HTTP/HTTPS Connectors provide this shared 
secret thing. This may well be an AJP Connector feature only.

Remote users accessing either the http connector or ajp connector (only 
possible if the server is not firewalled), would need to have that key in order 
to get the valve to create a new context.

I _do_ trust the internal servers/clients, I just want to make sure that if a 
mod_cfml user was too lame to secure its server, then mod_cfml isn't the 
weakest link to be able to hack the server. I hope that makes sense?

Ok, so at this point, you only want to know, by intellectual curiosity, *how 
you could* theoretically, in your Valve, obtain the IP address and port of the 
front-end proxy server who is forwarding the original client request to your 
Tomcat.
Oof, that was hard to write, and I hope it is correct.

Actually, Christopher already provided the answer to that, in a previous post :


The only way to check the caller would be to get ahold of the Socket
that Tomcat is using to communicate. That's not easily done, since
Tomcat wants to protect its sockets from code messing-around with the
state of those Sockets.

That's a clue, but not a very helpful one for you, is it ?

I believe that the main issue here is that there is no such standard 
functionality dictated by the Servlet Specification, so there is no obligation 
for any Servlet Engine to provide this, and apparently thus Tomcat does not 
provide a way to obtain this information easily, because it doesn't have to.
And according to Christopher, there may even be a deliberate attempt from the 
Tomcat code to prevent one being able to do such things easily, because it 
could potentially mess up 

Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread André Warnier

Paul Klinkenberg wrote:

Hi Tomcat users!

I have been working on an update for a Tomcat valve called mod_cfml. The 
project aims to provide automatic web context creation in Tomcat, when coming 
from a frontend webserver.
The live code base can be found at https://github.com/utdream/mod_cfml

One of the features I wanted to add, is adding an IP restriction in the valve (see github https://github.com/paulklinkenberg/mod_cfml/commit/dab058b7f38f98a6e7f076323e3d23be476e6de6). 
While testing, I noticed that AJP works very well: it hides the IP address of the caller, which is the front-end Apache webserver, and instead returns the IP of the remote client / the client who called the frontend webserver.

I have been digging around quite a lot, but have not been able to find the 
Apache httpd IP address :-(

My question is hopefully simple to answer: can I retrieve the IP address which 
called the AJP connector, from within the valve?

My server.xml is:

<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="mod_cfml.core"
               loggingEnabled="true"
               waitForContext="10"
               maxContexts=""
               timeBetweenContexts="0"
               scanClassPaths="false"
               allowedIPs="127.0.0.1,192.168.1.52" />
      </Host>
    </Engine>
  </Service>
</Server>

Thanks in advance for your time!

Kind regards,

Paul Klinkenberg
The Netherlands

p.s. I asked this question, in other wording, on StackOverflow.com as well. I hope I have better luck here ;-)
http://stackoverflow.com/questions/29858030/where-can-i-find-the-apache-httpd-server-ip-from-within-a-tomcat-valve-when-ajp



Hi.
With Apache httpd and mod_jk as front-end, you have (at least) 2 options :
- set an additional HTTP request header at the Apache httpd level, before the request is 
proxied to the back-end Tomcat
- set a JkEnvVar value at the at the Apache httpd level, before the request is proxied 
to Tomcat
You can then retrieve these set values at the Tomcat level, either by parsing the request 
headers, or by retrieving a request attribute corresponding to the JkEnvVar.
The JkEnvVar/attribute method is probably more efficient in a mod_jk context; the HTTP 
header solution is more portable, since it does not depend on specifically mod_jk being 
used as a connector.


Presumably, when at the Apache httpd level you decide to proxy a request to a back-end 
Tomcat, you know through which interface you'll do it, and what its IP address is, and you 
can put it into one of the things above.


Is that enough info to get you started ?

Caveat : one part I am not quite sure of, is what things you do have easy access to, at 
the level of a Valve.  The above is what you'd do at a webapp level, I hope it is also 
accessible at your Valve level.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
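As an added example (not mod_cfml's code, and not from this thread), here is a minimal Tomcat Valve that uses the two mechanisms André describes: it reads the proxy address from a JkEnvVar request attribute, falls back to a request header set by httpd, and checks it against an allowed list; it also carries the point from Paul's earlier post that a valve should not become the weakest link. The header name X-Proxy-Addr, the env var PROXY_ADDR, the address 10.0.0.5, the class name and the Tomcat 7/8 (javax.servlet) API are assumptions.

```java
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/*
 * httpd side (assumed, the admin knows the proxy's outbound address):
 *   mod_headers, portable:      RequestHeader set X-Proxy-Addr "10.0.0.5"
 *   mod_jk only, AJP attribute: JkEnvVar PROXY_ADDR 10.0.0.5
 * Tomcat side, in server.xml under <Host>:
 *   <Valve className="example.ProxyAddrValve" allowedProxies="127.0.0.1,10.0.0.5" />
 */
public class ProxyAddrValve extends ValveBase {

    // Placeholder names chosen for this example.
    static final String ATTR_NAME = "PROXY_ADDR";
    static final String HEADER_NAME = "X-Proxy-Addr";

    private Set<String> allowedProxies = Collections.emptySet();

    // Called by Tomcat's digester for the allowedProxies="..." attribute.
    public void setAllowedProxies(String csv) {
        Set<String> parsed = new HashSet<>();
        for (String v : csv.split(",")) {
            if (!v.trim().isEmpty()) parsed.add(v.trim());
        }
        allowedProxies = parsed;
    }

    /** Prefer the AJP attribute forwarded by JkEnvVar; fall back to the HTTP header. */
    static String proxyAddress(Object attr, String header) {
        if (attr instanceof String && !((String) attr).isEmpty()) return (String) attr;
        return header;
    }

    static boolean isAllowed(String proxyAddr, Set<String> allowed) {
        return proxyAddr != null && allowed.contains(proxyAddr);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the original client behind the proxy, as Paul observed,
        // so it cannot identify the proxy; the forwarded value is used instead.
        String proxyAddr = proxyAddress(request.getAttribute(ATTR_NAME),
                                        request.getHeader(HEADER_NAME));
        // Trust caveat from the thread: anything that can reach this connector directly
        // can also supply the header or attribute, so restrict who can reach the connector
        // (address= binding, firewall, AJP shared secret) rather than rely on this alone.
        if (!isAllowed(proxyAddr, allowedProxies)) {
            containerLog.warn("Rejecting request: proxy " + proxyAddr
                    + " not in allowed list (client " + request.getRemoteAddr() + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }
}
```

On Tomcat 8.5.51/9.0.31 and later the AJP connector only passes request attributes whose names match its allowedRequestAttributesPattern, so a JkEnvVar name such as PROXY_ADDR has to be allowed there.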



Re: Finding the Apache httpd IP address when AJP is used

2015-04-29 Thread André Warnier

As a P.S. :
Maybe you should also look at this, to see if it would fit your needs :
http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html







Re: how to convert https to http by using mod_jk

2015-04-27 Thread André Warnier
chenk...@126.com wrote:
 
 
 
 
 
hi:
I'm using apache + tomcat to build my website. The tomcat provides http service and apache provides both http/https. I tried two methods to implement this:
by mod_proxy:
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID nofailover=On
ProxyPassReverse / balancer://mycluster/
<Proxy balancer://mycluster>
BalancerMember http://127.0.0.1:8080 route=tomcat1
BalancerMember http://127.0.0.1:8081 route=tomcat2
</Proxy>
by mod_jk: I didn't know how to convert https to http like mod_proxy
 

Hi.
Your email format is a bit bizarre.  Try to set up your email program to send emails to
the list as plain text.

About your question, here are some semi-graphic explanations about how you can connect
Apache httpd to Tomcat. There are many ways. - xxx - indicates the protocol used.

configuration 1 : using mod_proxy_http and simple HTTP all the way :

browser - HTTP - Apache httpd + mod_proxy_http - HTTP - Tomcat HTTP Connector - Tomcat webapp


configuration 2 : using mod_proxy_http and HTTPS from browser :

browser - HTTPS - Apache httpd + mod_proxy_http - HTTP - Tomcat HTTP Connector - Tomcat webapp


configuration 3 : using mod_proxy_http and HTTPS all the way :

browser - HTTPS - Apache httpd + mod_proxy_http - HTTPS - Tomcat HTTPS Connector - Tomcat webapp

(Note : this is quite inefficient if Apache httpd and Tomcat are on the same host (or
connected via a secure link), because all data gets encrypted/decrypted multiple times)


configuration 4 : using mod_proxy_ajp :

browser - HTTP - Apache httpd + mod_proxy_ajp - AJP - Tomcat AJP Connector - Tomcat webapp

configuration 5 : HTTPS variant of using mod_proxy_ajp :

browser - HTTPS - Apache httpd + mod_proxy_ajp - AJP - Tomcat AJP Connector - Tomcat webapp


configuration 6 : using mod_jk :

browser - HTTP - Apache httpd + mod_jk - AJP - Tomcat AJP Connector - Tomcat webapp


configuration 7 : HTTPS variant of using mod_jk :

browser - HTTPS - Apache httpd + mod_jk - AJP - Tomcat AJP Connector - Tomcat webapp


AJP is a protocol that is not the same as HTTP/HTTPS. But it transports the same
information as HTTP/HTTPS, and for the Tomcat webapp (and the browser) it is the same.

The setups of mod_jk and mod_proxy_ajp are different, but they offer generally comparable
options.  Choosing one or the other is generally a question of personal preference, or of
availability on any given OS platform.

There is no secure variant of the AJP protocol (iow there is no AJPS e.g.).
This does not really matter if the connection between Apache httpd and Tomcat is inside
the same host, or (in many cases) if the connection between Apache httpd and Tomcat
happens over your local LAN, and you are not concerned by men-in-the-middle there.

In configurations 2, 5 and 7, only the part browser -- Apache httpd is under HTTPS.
That is generally called terminating HTTPS at the Apache httpd level.
But in all cases, if Tomcat needs to know some details about the browser HTTPS connection,
it can get them, because the connector modules can forward that information via HTTP
headers (or AJP attributes).








Re: [OT] Sending HTTP Trailers from a client (not servlet)

2015-04-24 Thread André Warnier

Christopher Schultz wrote:


All,

Bump.

Anyone?



No, but I tried.  But everything I found seems to say that such trailers are really rarely 
used, and that's probably why you are not getting any echo.
I believe that initially you mentioned that you had found a perfectly good use case, but 
you never explained what it was...




-chris

On 4/18/15 12:19 PM, Christopher Schultz wrote:

All,

I've got a perfect use-case for HTTP trailers but it doesn't seem
like any existing client (e.g. HttpURLConnection, HttpClient) has
support for them on the /sending/ side.

HttpURLConnection doesn't have a way (that I can see) to fetch 
trailing headers, but it may just be that you have to consume the 
response and then check the headers (similar to what you'd do in a 
Servlet when the client actually sends trailing headers to the

server).

HttpClient allows you to get the trailing headers from a response
in a very awkward way by reading them from the ChunkedInputStream
which is buried a few levels deep, evidently.

But neither seem to have a way to actually *send* headers to the
server.

Has anyone ever actually done this from a Java-based client? I'm 
currently using my own wrapper around HttpURLConnection (because 
HttpClient seemed to heavy for my purposes) and it's been working 
great for a few years. I'd like to support a streaming mode plus 
trailer headers with it, and I'd prefer not to dump

HttpURLConnection and replace it with low-level socket work because
them I'll have to do a whole bunch of work to reproduce what
HttpURLConnection is already providing (e.g. TLS, auto-redirects,
etc.).

Any ideas from the community?

Thanks, -chris












Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-22 Thread André Warnier

Rainer Jung wrote:

On 22.04.2015 at 11:58, Thomas Boniface wrote:
What concerns me the most is the CLOSE_WAIT on tomcat side because when an
fd peak appears the web application appears to be stuck. It feels like all
its connections are consumed and none can be established from nginx
anymore. Shouldn't the CLOSE_WAIT connection be recycled to receive new
connections from nginx ?


Just to clarify:

Every connection has two ends. In netstat the local end is left, the 
remote end is right. If a connection is between processes both on the 
same system, it will be shown in netstat twice. Once for each endpoint 
being the local side.


CLOSE_WAIT for a connection between a (local) and b (remote) means, that 
b has closed the connection but not a. There is no automatism for a 
closing it because b has closed it. If CLOSE_WAIT pile up, then the idea 
of b and a when a connection should no longer be used are disparate. 
E.g. they might have very different idle timeouts (Keep Alive Timeout on 
HTTP speak), or one observed a problem that the other didn't observe.


When I did the counting for

  Count   IP:Port          ConnectionState
   8381   127.0.0.1:8080   CLOSE_WAIT

the 127.0.0.1:8080 was left in netstat output, so local. It means 
the other side (whatever is the other side of the connection, likely 
nginx) has closed the connection already, but not Tomcat.


And the total number of those connections:

  Count   IP:Port          ConnectionState
   8381   127.0.0.1:8080   CLOSE_WAIT
   1650   127.0.0.1:8080   ESTABLISHED

indeed sums up to the default maxConnections 1 mentioned by Chris.

What I do not understand is, that the same connections looked at from 
nginx being the local end, show a totally different statistics:


  Count   IP:Port          ConnectionState
  20119   127.0.0.1:8080   SYN_SENT
   4692   127.0.0.1:8080   ESTABLISHED
    488   127.0.0.1:8080   FIN_WAIT2
    122   127.0.0.1:8080   TIME_WAIT
     13   127.0.0.1:8080   FIN_WAIT1

But maybe that's a problem to solve after you fixed the CLOSE_WAIT (or 
the 1000 limit) and redo the whole observation.


Pretty big numbers you have ...



Thomas,
to elaborate on what Rainer is writing above :

A TCP connection consists of 2 pipes, one in each direction (client to server, server to 
client).
From a TCP point of view, the client is the one which initially requests the 
connection.  The server is the one which accepts that connection. (This is different 
from the more general idea of server, as in Tomcat server.  When Tomcat accepts a HTTP 
connection, it acts as server; when a Tomcat webapp establishes a connection with an 
external HTTP server, the webapp (and by extension Tomcat) is the client).


These 2 pipes can be closed independently of one another, but both need to be closed for 
the connection to be considered as closed and able to disappear.
When the client wants to close the connection, it will send a close request packet on 
the client-to-server pipe.
The server receives this, and knows then that the client will not send anything anymore 
onto that pipe.  For a server application reading that pipe, this would result in the 
equivalent of an end of file on that datastream.
In response to the client close request, the server is supposed to react by not sending 
any more data onto the server-to-client pipe, and in turn to send a close request onto 
that pipe.
Once these various close messages have been received and acknowledged by both sides of the 
connection, the connection is considered as closed, and the resources associated with it 
can be reclaimed/recycled/garbage collected etc.. (closed is like a virtual state; it 
means that there is no connection).


But if one side fails to fulfill its part of that contract, the connection is still there, 
and it just remains there forever until something forceful terminates it.  And all the 
resources tied to that connection also remain tied to it, and are subtracted from the 
overall resources which the server has available to perform other tasks.
From a server point of view, the ideal situation is when all connections are actually 
active and really being used to do something useful (sending or receiving data e.g.).
The worst situation is when there are many useless connections : connections in some 
state or the other, not actually doing anything useful, but tying up resources 
nevertheless.  This can get to the point where some inherent limit is reached, and the 
server cannot accept any more connections, although in theory it still has enough other 
resources available which would allow it to process more useful transactions.


Most of the TCP states that you see in the netstat output are transient, and last only a 
few milliseconds usually.  They are just part of the overall TCP connection lifecycle 
which is cast in stone and which you can do nothing about.
But, for example, if there is a permanent very high number of connections in the 
CLOSE_WAIT state, that is not normal.


See here 

Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-22 Thread André Warnier

Christopher Schultz wrote:


Neill,

On 4/22/15 9:12 AM, Neill Lima wrote:

If I am not wrong, if the application in question is monitored in
VisualVM through JMX (https://visualvm.java.net/) you could trigger
a Force GC from its monitoring console.


You can do this, but it won't close any CLOSE_WAIT connections.
Tomcat's timeout must be reached. I suspect that the timeout(s) are
simply way too long.



Just humor me..
If it doesn't, it doesn't.  But it's easy to do, does not require a change of 
configuration nor a shutdown/restart of Tomcat, and it may show us something in principle 
unexpected.







Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-22 Thread André Warnier

Rainer Jung wrote:

On 22.04.2015 at 00:08, André Warnier wrote:
...

The OP has a complex setup, where we are not even sure that the various
connections in various states are even related directly to Tomcat or not.
Graphically, we have this :

client -- TCP -- nginx -- TCP -- Tomcat -- webapp -- TCP --
external servers

The output of netstat shows all the connections and their state, at the
OS level.  Even assuming that nginx runs on a separate host, that still
leaves the possibility that most of the connections in CLOSE_WAIT state
for example, would be connections between the webapps and external
servers, having not much to do with Tomcat per se.
But of course they use fd's and resources, just like the others. And for
lsof, they would appear as belonging to the Tomcat process.


See my response from 1.5 days ago which contains the individual 
statistics for each of the above three TCP parts.




Yes, sorry Rainer, I did not read that as carefully as I should have.

And I do agree that the two main things which the OP should have a good look 
at, are
- the nginx settings for keep-alive (client-nginx side)
- the various webapp-to-external servers connections in CLOSE_WAIT state
Collectively, these things must be using a lot of resources on the server, and probably 
slow it down significantly.






Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-21 Thread André Warnier

Thomas Boniface wrote:

The file descriptor peak show up in our monitoring application. We have
some charts showing the number of file descriptors owned by the tomcat
process (ls /proc/$(pgrep -u tomcat7)/fd/ | wc -l).

The catalina.out log shows errors, the most frequent being a
java.io.IOException: Broken pipe.


[..]

A broken pipe, from the server perspective while sending a response to the client, is a 
rather usual thing.  It usually means that the (human) client got tired of waiting for a 
response, and clicked somewhere else in the browser (maybe a cancel button; maybe he 
closed the window; etc..).  The browser would then immediately close the connection with 
the server, and when the server eventually tries to write anything else to that 
connection, the broken pipe exception would be the result.
With the numbers you quoted previously regarding the number of simultaneous client 
sessions, it doesn't look extraordinary that this would happen regularly.
Maybe the thing to investigate here is whether your server is really so slow in answering 
clients, that a significant portion of them do get tired of waiting and get an 
irresistible urge to click elsewhere..


Apart from the human client, browsers themselves have a built-in timeout for waiting for a 
server response, and will themselves give up after a while.  That is on the order of 4-5 
minutes after sending the request and not receiving anything from the server in response.
Some applications are such that they can sometimes take more than that to be able to send 
a response.  In such cases, to avoid the browser timeout (and connection close), there are 
tricks to use, to send intermediate kind of wait message to the browser, so that it 
does not hang up.







Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-21 Thread André Warnier

Christopher Schultz wrote:


André,

On 4/21/15 10:56 AM, André Warnier wrote:

Thomas Boniface wrote:

The file descriptor peak show up in our monitoring application.
We have some charts showing the number of file descriptors owned
by the tomcat process (ls /proc/$(pgrep -u tomcat7)/fd/ | wc
-l).

The catalina.out log shows errors, the most frequent being a 
java.io.IOException: Broken pipe.



[..]

A broken pipe, from the server perspective while sending a
response to the client, is a rather usual thing.  It usually means
that the (human) client got tired of waiting for a response, and
clicked somewhere else in the browser (maybe a cancel button;
maybe he closed the window; etc..).


In this case, though, the client is nginx and not a human at a browser.

If the browser severs the connection to nginx, I'm not sure what nginx
does with the connection to Tomcat. 


Nginx has no way to know that the client dropped the connection (the client-receiving part 
of it), until Nginx tries to send some data (presumably coming from Tomcat) to the client 
browser and finds no listener anymore.  When that is the case, presumably Nginx closes its 
own receiving part connected to Tomcat, which propagates the error to Tomcat.

(Buffering of all kinds neglected here).

I would expect that it either

cleans it up nicely (e.g. drains the bytes from the connection, then
closes), or just drops the connection to the back-end Tomcat (which
might be more efficient if Tomcat is expected to send relatively large
responses).

I don't know how nginx works when acting as a proxy. Does it use HTTP
keep-alive and process many requests through a single connection
(possibly not all from the same end user), or does it make and close
many connections?



I don't know how Nginx works precisely, but it must have all kinds of settings to tune 
such behaviours in function of the circumstances.  If the back-end Tomcat application 
works under a Windows NTLM-like authentication mechanism e.g., then using different 
connections for the same client (or vice-versa, sharing some connections between different 
clients) would play havoc with said AAA mechanism, which is connection-oriented.


This seems to say that Nginx, by default, buffers the entire back-end server response 
before starting to send it to the client : 
http://nginx.com/resources/admin-guide/reverse-proxy/

But it also says that this can be tuned, and even disabled.

It also hints at the fact that even if the client specifies keep-alive with Nginx, nginx 
itself, when dealing with the back-end server, disables the keep-alive (Connection: close).
This probably makes sense, in a scenario where the client may think that all responses 
come from the same back-end server, but Nginx in the middle distributes the requests to 
several back-end servers.  It would make no sense in that case to use keep-alive with the 
back-end servers, which may only ever see one request each from that client.



If it makes and closes many connections, Tomcat won't hang up the
phone unless some kind of timeout occurs.

Thomas, I'd advise you to do the following:

1. Check the nginx configuration. Specifically, the keep-alive and
timeout associated with the proxy configuration.

2. Make sure that Tomcat's timeouts are appropriate for those matching
settings in nginx.

It's common for users to misconfigure httpd+Tomcat by settings
different timeouts on either side of the connection, and the result is
many broken pipe or similar errors on the Tomcat side.


I'll +1 all that in any case.

The OP has a complex setup, where we are not even sure that the various connections in 
various states are even related directly to Tomcat or not.

Graphically, we have this :

client -- TCP -- nginx -- TCP -- Tomcat -- webapp -- TCP -- external 
servers

The output of netstat shows all the connections and their state, at the OS level.  Even 
assuming that nginx runs on a separate host, that still leaves the possibility that most 
of the connections in CLOSE_WAIT state for example, would be connections between the 
webapps and external servers, having not much to do with Tomcat per se.
But of course they use fd's and resources, just like the others. And for lsof, they 
would appear as belonging to the Tomcat process.






Re: File descriptors peaks with latest stable build of Tomcat 7

2015-04-20 Thread André Warnier

Thomas Boniface wrote:

I did some captures during a peak this morning, I have some lsof and
netstat data.

It seems to me that most file descriptors used by tomcat are some http
connections:

 thomas@localhost  ~/ads3/tbo11h12  cat lsof| wc -l
17772
 thomas@localhost  ~/ads3/tbo11h12  cat lsof | grep TCP | wc -l
13966

(Note that the application also send request to external servers via http)


Regarding netstat I did a small script to try to aggregate connections with
a human readable name, if my script is right the connections between nginx
and tomcat are as follows:

tomcat = nginx SYN_RECV 127
tomcat = nginx ESTABLISHED 1650
tomcat = nginx CLOSE_WAIT 8381
tomcat = nginx TIME_WAIT 65

nginx = tomcat SYN_SENT 20119
nginx = tomcat ESTABLISHED 4692
nginx = tomcat TIME_WAIT 122
nginx = tomcat FIN_WAIT2 488
nginx = tomcat FIN_WAIT1 13


I don't understand the distinction here.  Tomcat should never initiate connections *to* 
nginx, or ?


For personal historical reasons, the high number of connections in CLOSE_WAIT state above 
triggered my interest.  Search Google for : tcp close_wait state meaning
Basically, it can mean that the client wants to go away, and closes its end of the 
connection to the server, but the application on the server never properly closes the 
connection to the client. And as long as it doesn't, the corresponding connection will 
remain stuck in the CLOSE_WAIT state (and continue to use resources on the server, such as 
an fd and associated resources).

All that doesn't mean that this is your main issue here, but it's something to 
look into.




Concerning the other response and the system max number of file, I am not
sure this is where our issue lies. The peak itself seems to be a symptom of
an issue, tomcat fd are around 1000 almost all the time except when a peak
occurs. In such cases it can go up to 1 or more sometimes.

Thomas



2015-04-20 15:41 GMT+02:00 Rainer Jung rainer.j...@kippdata.de:


On 20.04.2015 at 14:11, Thomas Boniface wrote:


Hi,

I have tried to find help regarding an issue we experience with our
platform leading to random file descriptor peaks. This happens more often
on heavy load but can also happen on low traffic periods.

Our application is using servlet 3.0 async features and an async
connector.
We noticed that a lot of issues regarding asynchronous feature were fixed
between our production version and the last stable build. We decided to
give it a try to see if it improves things or at least give clues on what
can cause the issue; Unfortunately it did neither.

The file descriptor peaks and application blocking happens frequently with
this version when it only happens rarely on previous version (tomcat7
7.0.28-4).

Tomcat is behind an nginx server. The tomcat connector used is configured
as follows:

We use an Nio connector:
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           selectorTimeout="1000"
           maxThreads="200"
           maxHttpHeaderSize="16384"
           address="127.0.0.1"
           redirectPort="8443"/>

In catalina I can see some Broken pipe message that were not happening
with
previous version.

I compared thread dumps from server with both the new and old version of
tomcat and both look similar from my stand point.

My explanation may not be very clear, but I hope this gives an idea how
what we are experiencing. Any pointer would be welcomed.


If the peaks happen long enough and your platforms has the tools available
you can use lsof to look for what those FDs are - or on Linux looking at
ls -l /proc/PID/fd/* (PID is the process PID file) - or on Solaris use
the pfiles command.

If the result is what is expected, namely that by far the most FDs are
coming from network connections for port 8080, then you can check via
netstat in which connection state those are.

If most are in ESTABLISHED state, then you/we need to further break down
the strategy.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







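The two checks Rainer describes (what the open fds of the Tomcat process actually are, and in which state the port 8080 connections sit) can be scripted on Linux. The following is an added example, not code from this thread or from the Tomcat project: it buckets the readlink() targets of /proc/PID/fd/* and breaks /proc/net/tcp down by connection state for one local port. The parsers take their input as data so the constructed sample (fd list and /proc/net/tcp lines) runs offline; the live helper reads the real files when a PID and port are given on the command line.

```python
# Added example (not from the thread): the two checks Rainer suggests, done
# from Python on Linux. classify_fd_targets() buckets readlink() results of
# /proc/PID/fd/*; tcp_states_for_port() counts /proc/net/tcp entries by state
# for one local port. The SAMPLE_* values below are constructed test data.
import os
import sys
from collections import Counter

# state codes used in /proc/net/tcp (Linux tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def classify_fd_targets(targets):
    """Bucket fd link targets: sockets, pipes, anon inodes (epoll etc.), files."""
    counts = Counter()
    for t in targets:
        if t.startswith("socket:"):
            counts["socket"] += 1
        elif t.startswith("pipe:"):
            counts["pipe"] += 1
        elif t.startswith("anon_inode:"):
            counts["anon:" + t.split(":", 1)[1].strip("[]")] += 1
        else:
            counts["file"] += 1
    return counts


def tcp_states_for_port(proc_net_tcp_text, local_port):
    """Count connection states of entries whose local port is local_port."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":   # header or short line
            continue
        port_hex = fields[1].rsplit(":", 1)[1]     # "0100007F:1F90" -> "1F90"
        if int(port_hex, 16) != local_port:
            continue
        counts[TCP_STATES.get(fields[3], "UNKNOWN")] += 1
    return counts


def live_fd_targets(pid):
    """readlink() every entry of /proc/PID/fd, tolerating fds closed meanwhile."""
    fd_dir = f"/proc/{pid}/fd"
    out = []
    for name in os.listdir(fd_dir):
        try:
            out.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            pass
    return out


# constructed sample: a Tomcat-like process with one listener on 8080
SAMPLE_FDS = ["/opt/tomcat/logs/catalina.out", "socket:[100]", "socket:[101]",
              "socket:[102]", "pipe:[55]", "anon_inode:[eventpoll]", "socket:[103]"]
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 100 1 0 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 101 1 0 20 4 30 10 -1
   2: 0100007F:1F90 0100007F:C3A3 01 00000000:00000000 00:00000000 00000000     0        0 102 1 0 20 4 30 10 -1
   3: 0100007F:1F90 0100007F:C3A4 08 00000000:00000000 00:00000000 00000000     0        0 103 1 0 20 4 30 10 -1
   4: 0100007F:C3A2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 200 1 0 20 4 30 10 -1
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:                       # usage: script.py PID PORT
        fds, port = live_fd_targets(sys.argv[1]), int(sys.argv[2])
        with open("/proc/net/tcp") as f:
            tcp = f.read()
    else:                                        # offline: the constructed sample
        fds, port, tcp = SAMPLE_FDS, 8080, SAMPLE_PROC_NET_TCP
    print("fd types:", dict(classify_fd_targets(fds)))
    print(f"port {port} states:", dict(tcp_states_for_port(tcp, port)))
```

On the sample this reports four sockets, one pipe, one epoll inode and one file, and for port 8080 one LISTEN, two ESTABLISHED and one CLOSE_WAIT. A pile of CLOSE_WAIT entries is the pattern to watch for when fds climb: the peer has closed but the application side never did, which is a leak in the application rather than in the connector. Only /proc/net/tcp (IPv4) is read here; the same parser works on /proc/net/tcp6 if the connector binds an IPv6 address.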



Re: Multiple login/home pages within a tomcat app

2015-04-08 Thread André Warnier

Olayemi Olatunji wrote:

Hello Guys,



I’m sort of a newbie to this but I need to know if it's achievable.



I want to create multiple login pages within a single web app, e.g.
www.tomcat.org/login1, /login2



How can I achieve this?




Hi.
Since you claim to be a newbie at this, I'll try to provide a learning answer.

1) the simple answer to your question would be : no (or at least not when using the 
standard built-in authentication mechanisms).
But do not be too disappointed, because a more complete answer might be perhaps, but it 
depends on the circumstances and on what you want to achieve exactly.


2) a basic and generic explanation of how WWW authentication works :

a) the browser sends a request to the server, for some server resource (e.g. a specific 
HTML page)
b) the server receives this request, and checks in its configuration, if this resource is 
protected and requires some form of authentication/permission.

If not, the server returns the requested page and things stop here.
So the rest below, is in the case where the requested resource is protected.
c) the server then checks if the browser request already contained some form of user 
authentication. (This can be various things, and I will not elaborate at this stage).
If the request contained such an authentication, the server verifies it, and if it is ok, 
the server returns the requested resource (e.g. the desired HTML page), and things again 
stop here.
d) if the request did not contain ditto valid authentication, instead of returning the 
requested resource, the server sends back something, to let the browser/user know that an 
authentication is required.  This can also be various things, and I will again not 
elaborate, but let's suppose that in your case what is returned is a login page.
e) the user/browser gets and sees the login page.  The user fills it in, with user-id and 
password, and sends this info back to the server.
f) the server verifies the submitted user-id/password, and if it is ok, returns the 
desired resource to the browser/user.  At the same time as sending that requested page, 
the server also sends some token to the browser (for example a cookie), containing the 
proof that this browser/user is now authenticated.
g) for subsequent requests to the same server, the browser now always sends this token 
along with the next requests.  This will fulfill the check that happens at (c) above, so 
that for these following requests, the server will be happy and will return the requested 
pages, without asking again for authentication.


There are many variations possible in the details, but in rough terms, all forms of WWW 
authentication follow more or less the above scheme.


Your question relates to step (d) above.
The server has to return a login page, but you say that it should return a specific one 
among several possible login pages.

The question thus becomes : how does the server know /which/ login page to 
return ?
(The user is not yet known/authenticated, so the server cannot use the user-id or any 
other user-related information in order to choose.)

So what other criteria can the server use then ?

Possibilities would be :
- the login page changes depending on the time of day (that's kind of unusual, but it is 
just to illustrate the point)

- the login page changes depending on the user's IP address
- the login page changes depending on something else which the browser sends along with 
the initial request


So, what is your use case precisely, and what are you trying to achieve ?
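As an added illustration of steps (a) to (g) above, and of the question "which login page?" at step (d): the following is example code, not part of the thread and not Tomcat's own authenticator. It models the server side of the exchange in plain Python. The protected paths, the user store, the vhost-to-login-page mapping and the "10." internal network rule are all constructed assumptions; the server picks the login page from what the unauthenticated request carries (Host header, client IP), since the user is not known yet at that point.

```python
# Added example (not code from the thread): a minimal model of steps (a)-(g)
# above. At step (d) the server chooses among several login pages using only
# data that arrives with the unauthenticated request. All paths, hosts and
# credentials below are constructed for the demo.
import hmac
import secrets
from dataclasses import dataclass, field

PROTECTED = {"/app/home", "/app/report"}       # resources that need a login (step b)
USERS = {"alice": "correct-horse"}               # demo store; a real one keeps salted hashes
HOST_LOGIN_PAGES = {"partners.example.test": "/login2"}   # hypothetical vhost -> page


@dataclass
class Request:
    path: str
    client_ip: str = "203.0.113.5"
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: str = ""


def choose_login_page(req):
    """Step (d): the user is unknown, so decide from request data only."""
    host = req.headers.get("Host", "")
    if host in HOST_LOGIN_PAGES:                 # which site name the browser asked for
        return HOST_LOGIN_PAGES[host]
    if req.client_ip.startswith("10."):          # e.g. an internal network gets its own page
        return "/login-internal"
    return "/login1"


class Server:
    def __init__(self):
        self.sessions = {}   # session id -> user; the token of step (f) points here

    def handle(self, req):
        if req.path.startswith("/login"):
            return self._login(req)
        if req.path not in PROTECTED:            # (b) not protected: serve it and stop
            return Response(200, f"public {req.path}")
        user = self.sessions.get(req.cookies.get("SESSION", ""))
        if user:                                 # (c)/(g) valid token: serve the page
            return Response(200, f"{req.path} for {user}")
        # (d) no valid token: answer with the login page chosen for this request
        return Response(401, f"login page {choose_login_page(req)}")

    def _login(self, req):
        """(e)/(f): verify submitted credentials, issue a session token on success."""
        user = req.form.get("user", "")
        given = req.form.get("password", "").encode()
        expected = USERS.get(user, "").encode()
        # constant-time compare so a wrong password reveals nothing about length
        ok = hmac.compare_digest(expected, given) and user in USERS
        if not ok:
            return Response(401, "invalid credentials")
        sid = secrets.token_hex(16)              # unguessable session id
        self.sessions[sid] = user
        return Response(302, "back to the requested page", set_cookie=f"SESSION={sid}")


def walkthrough():
    """Runs the exchange end to end; returns the status codes the browser sees."""
    srv = Server()
    first = srv.handle(Request("/app/home"))                                   # (a)-(d)
    login = srv.handle(Request("/login1", form={"user": "alice",
                                                 "password": "correct-horse"}))  # (e)-(f)
    sid = login.set_cookie.split("=", 1)[1]
    again = srv.handle(Request("/app/home", cookies={"SESSION": sid}))         # (g)
    return [first.status, login.status, again.status]


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough returns [401, 302, 200]: the first request gets the login page, the credential submission gets a redirect plus the session cookie, and the repeated request with that cookie gets the resource. Note that the page selection happens before any identity is known, which is exactly why the choice can only depend on the Host header, the client address or similar request data, as the reply above says.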









Re: Rendering JSP files through Apache

2015-04-08 Thread André Warnier

Leggio, Andrew wrote:

I have the following being used in my conf file:

<IfModule mod_proxy_ajp.so>
  ProxyPass / ajp://localhost:8009/
</IfModule>

Does this actually direct jsp files to use Tomcat?



That is a funny way of putting it.
What the above does - if everything else is installed and configured correctly - is 
proxying *all* HTTP requests originally directed to Apache httpd (including requests for 
any JSP page), toward a Tomcat supposedly running on the same host, and supposedly 
listening on port 8009.

Now whether this is actually what is happening or not, is anyone's guess so far.
Chances are that this is not happening though, since otherwise you probably would not be 
asking what's wrong.


The question is also : if you are going to proxy all requests from Apache httpd to Tomcat 
anyway, then why do you think that you need Apache httpd ?






Re: Fedora 20 Yum and tomcat setup

2015-04-08 Thread André Warnier

Salam Y. Elias wrote:

Thanks Chuck, recommendation was great.

I downloaded 8.0.21, created three directories, each one with its own
Tomcat, changed some ports in server.xml and all 3 applications are
running like a charm.

However, I am trying to replace the Root with my application. I delete
the Root directory and create something like this

/opt/apache-tomcat-8-perfs/webapps/ROOT.war/my.war

I understand that when I start tomcat it should explode the war which is
not happening.

In my server.xml I have autoDeploy=true as follows

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">

but nothing happens, nothing is exploded and deployed to my webapps



this may help : 
http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F


(the last section looks like it was written specially for you)




Re: Fedora 20 Yum and tomcat setup

2015-04-08 Thread André Warnier

André Warnier wrote:

Salam Y. Elias wrote:

Thanks Chuck, recommendation was great.

I downloaded 8.0.21, created three directories, each one with its own
Tomcat, changed some ports in server.xml and all 3 applications are
running like a charm.

However, I am trying to replace the Root with my application. I delete
the Root directory and create something like this

/opt/apache-tomcat-8-perfs/webapps/ROOT.war/my.war

I understand that when I start tomcat it should explode the war which is
not happening.

In my server.xml I have autoDeploy=true as follows

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">

but nothing happens, nothing is exploded and deployed to my webapps



this may help : 
http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F 



(the last section looks like it was written specially for you)

Errata : it is not the last section, it is the 2nd section, about deploying your 
application as a war file.




