Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve

2015-05-17 Thread Kim Ming Yap



Hi,

I'm building a website using form based authentication integrating with JAAS
for user based authentication. I don't have an issue when a successful credential
is authenticated. Rather, I'm having difficulty understanding the flow from JAAS
back to the client should the form based authentication fail.

SOFTWARE:
1. Apache TomEE plus 1.7.1
2. Java 8
3. Tomcat JAAS Realm

OBJECTIVE:
Custom error captured in the JAAS login module to propagate to the error page.

BASIC UNDERSTANDING:
The Tomcat JAAS layer is not integrated with the web container layer. Hence the
former does not have access to request, session etc.

SOLUTION:
Using a ThreadLocal which captures the custom error message in the JAAS layer, to be
used when the flow reaches back to the custom valve on the way back to the
browser.

PROBLEM:
Understanding of the basic request/response flow involving Tomcat and JAAS:
a. request  -- valve -- JAAS -- Filter -- Servlet/JSP
b. response -- valve (**) -- JAAS -- Filter -- Servlet/JSP

(refer to clause b above) The ThreadLocal in the JAAS layer managed to capture the
custom error message and I managed to print it after the getNext() method of
the custom valve. I thought of adding this custom error as an attribute in the
session object.
However, I noticed that the error page is already displayed before I could add
this custom error (immediately after the getNext method).
Due to that the ready custom error message cannot be used.

SAMPLE CODES:
1. web.xml

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>

2. Custom valve, defined in META-INF/context.xml

  import java.io.IOException;
  import javax.servlet.ServletException;
  import org.apache.catalina.connector.Request;
  import org.apache.catalina.connector.Response;
  import org.apache.catalina.valves.ValveBase;

  public class SecurityValve extends ValveBase {
      @Override
      public void invoke(Request request, Response response) throws IOException, ServletException {
          getNext().invoke(request, response);   // hand the request to the next valve in the pipeline
          System.out.println("after getNext()"); // -- break point (BP)
      }
  }

Steps:
1. Set a break point in SecurityValve (indicated at BP).
2. On the form, I purposely entered wrong credentials and submitted.
3. The break point stops at BP.
4. login-redirect-error.jsp is already displayed.
5. Since it stops at break point BP in SecurityValve, the response flow back to the
   client has not reached the browser. Yet login-redirect-error.jsp is already displayed.

QUESTIONS:
How can login-redirect-error.jsp be displayed on the browser when the response
flowing back to the client stops at break point BP? The flow back to the client is
not fully done yet.

I would really appreciate any help.
Thanks.
  

  

Re: Http 2 support in Tomcat

2015-05-17 Thread PerfGuru
Thanks Rainer, I was looking at reasons not to use websockets and found this
recent blog. It will be interesting to see if HTTP/2 has similar issues.
http://www.pubnub.com/knowledge-base/discussion/311/current-websockets-limitations

Regards,
-Tony
From: Rainer Jung rainer.j...@kippdata.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, May 15, 2015 3:12 PM
Subject: Re: Http 2 support in Tomcat

On 15.05.2015 at 20:43, PerfGuru wrote:
> Thanks Mark & Chris, this is very informative. I am using an httpd that
> supports http/2 and wow, is it impressive. Sorry, I had to stop using
> Apache/Tomcat to use it, but the performance and bandwidth gains are so nice
> it is addicting and my users have noticed. I will look into jre/jdk 9 and ask
> Oracle if servlet 4 is in the EAs. I would like to stay with http/2 rather
> than go to websockets, but I am an early adopter and if it is stable and has
> servlet 4 with http/2 I will give it a try and let you know the results.
> Best Regards,
> -Tony

Note that web sockets and HTTP/2 serve very different purposes. Web
sockets provide you basically with a socket you can use for setting up
your own protocol and getting rid of request/response semantics. Web sockets
allow you to set up asynchronous communication.

HTTP/2 more or less has the same request/response semantics as HTTP. It
is only a more efficient implementation of that, by combining multiple
request/response streams into one TCP connection, using header
compression etc. etc. HTTP/2 is still synchronous. Yes, there is a
notion of server push, but push in HTTP/2 is very different from what
one would call a push in the web socket world.

I think it would be better to clearly keep the two terms web socket and
HTTP/2 separated.

Regards,

Rainer






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



  

Re: Supported Tomcat version for Java 1.8.25

2015-05-17 Thread Fabian Fingerle
Hi Vijay,

On Mon, 18 May 2015 00:27:56 +0530, Vijay Kumar vijy.gan...@gmail.com wrote:

> Is each Tomcat version designed to support a set of Java
> versions? What is the best Tomcat version which I have to use in
> order to support Java 1.8.25?

officially, Tomcat 7.0.x is supported with Java 1.6 or later [1].

There are a lot of solved software bugs within Tomcat related to Java
1.8, like this one [2].

Therefore you should be able to start Tomcat 7.0.x with Java 1.8, but
you should update from 7.0.16 to the latest version, 7.0.62 [3].

Best Regards
 Fabian Fingerle

[1] http://tomcat.apache.org/whichversion.html
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=57173#c16
[3] http://tomcat.apache.org/download-70.cgi




Supported Tomcat version for Java 1.8.25

2015-05-17 Thread Vijay Kumar
Hi,

We have a product which we certified on Tomcat 7.0.16 with JRE 1.6.

One of our customers wants to upgrade his Java environment from 1.6 to 1.8.25.

So I tried to start Tomcat 7.0.16 using Java 1.8.25 and got the error below
during the deployment of the WAR file:

org.xml.sax.SAXNotRecognizedException:
http://apache.org/xml/features/validation/dynamic

Is each Tomcat version designed to support a set of Java versions?
What is the best Tomcat version which I have to use in order to support
Java 1.8.25?

Thanks,
Vijay G


Problem with APR library - Tomcat 7

2015-05-17 Thread Dejan Stamenov
Hello,

 

I am working on a project where I need to install SSL certificates on Tomcat
7 server for my Java application. I have been experimenting around, I have
set up the connector in the server.xml file, but when I look into the logs I
can see this:

http://prntscr.com/76a98v

 

For the connector to be working, I needed to install the APR library. I did so,
following this guide here:
http://www.techsww.com/tutorials/libraries/apr/installation/installing_apache_portable_runtime_library_on_ubuntu_linux.php

In my case, I use the apr-1.5.2 version. Also, in the configure --prefix part
I have specified the path that is shown in my server error log, i.e.
/usr/lib/x86_64-linux-gnu. After a server reboot, I still get the same error.
I have been looking around the internet for how to solve this, but only found a
couple of open questions on Stack Overflow/Exchange with no answers in them.

 

Regards,

Dejan Stamenov

dejanstameno...@outlook.com
Student at the Faculty of Computer Science and Engineering, Skopje
Student ID: 122003
Prilep, Macedonia
+389(0)75 279 857

 



Re: Issue in setting up SHA2 certificate with tomcat6

2015-05-17 Thread Christopher Schultz

Pavan,

(Note: only a single post is necessary)

On 5/15/15 10:28 PM, Pavan Kasarla wrote:
> I am trying to configure SHA2 algorithm certificates with tomcat6
> in centos 6. I have created a keystore of format JKS using
> keytool and imported the certificate and intermediates into the
> keystore. When I restart Tomcat, the logs do not show any kind of
> errors, it starts up normally, but when I try to connect to the host from
> a browser it shows the following error.
>
> my system configuration
>
> OS : centos tomcat 6

Specifically, which Tomcat version are you using?

> java 1.7.x
>
> In chrome Version 39.0.2171.71 (64-bit):
>
> SSL connection error. Unable to make a secure connection
> to the server. This may be a problem with the server, or it may be
> requiring a client authentication certificate that you don't have.
> Error code: ERR_SSL_PROTOCOL_ERROR
>
> In firefox it shows: Cannot communicate securely with peer: no
> common encryption algorithm(s). (Error code:
> ssl_error_no_cypher_overlap)
>
> tomcat configuration for the certificate in server.xml:
>
>   <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>              minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>              disableUploadTimeout="true" acceptCount="100" scheme="https"
>              secure="true" SSLEnabled="true"
>              keystoreFile="/etc/tomcat6/x.jks" keystorePass="xx"
>              clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
>   />
>
> When I change the Tomcat keystore to another certificate using the
> SHA1 algorithm, everything works fine.

So the only difference is SHA1 versus SHA2 hash on the certificate?

Java 1.7 handles both of those without a problem.

Can you try connecting to your server using OpenSSL's s_client program?

$ openssl s_client -connect hostname:443
CONNECTED(0003)
depth=1 [cert subject]
---
Certificate chain
 [cert chain]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
[cert info]
---
No client certificate CA names sent
---
SSL handshake has read 3601 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
    Session-ID-ctx:
    Master-Key: 2EFB02FD1F605120E55D3C293CE9E5CE5076CBA1E286A91EB271F7D145825CE441EF2614B9E0CB743C690DC4E45262CF
    Key-Arg   : None
    Start Time: 1431870170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

At the bottom, you can see the connection information that was
negotiated with the server. s_client has options to allow you to set
the protocol(s) supported, the cipher(s) supported, etc. Perhaps you
can narrow-down the problem.

-chris
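Chris's suggestion of narrowing the problem down with s_client's protocol options, turned into a small probe script. This is an added example, not code from the thread; it assumes the OpenSSL 1.0.x-era s_client flags -tls1, -tls1_1 and -tls1_2, and the sample reports embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which TLS versions a server
# negotiates using the s_client flags Chris mentions (-tls1, -tls1_1, -tls1_2
# as in OpenSSL 1.0.x), and read the negotiated Protocol/Cipher back out.

# Extract "Protocol : X" and "Cipher : Y" from an s_client report on stdin.
# Prints "X Y", or "none" when no session was established (s_client then
# reports "Cipher : 0000").
summarize_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "" || cipher == "" || cipher == "0000")
                print "none"
            else
                print proto, cipher
        }'
}

# One probe against host:port forcing a single protocol version.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null \
        | summarize_handshake
}

# Try each version in turn, so a "no cipher overlap" failure can be narrowed
# to the versions the server actually refuses.
probe_protocols() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$host" "$port" "$flag")"
    done
}

# Constructed sample reports (shape taken from the s_client output quoted
# above) so the parsing can be exercised without network access.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 0 (ok)'
SAMPLE_FAILED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh probe_tls.sh hostname [port]
if [ $# -gt 0 ]; then
    probe_protocols "$@"
fi
```

A version that reports "none" for every flag while the browser also fails points at the server's enabled protocols and ciphers rather than at the certificate's signature hash.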
