Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve

Hi,

I'm building a website using form based authentication integrating with JAAS for user based authentication. I don't have an issue when a successful credential is authenticated. Rather I'm having difficulty understanding the flow of JAAS back to the client should the form based authentication fail.

SOFTWARE:
1. Apache TomEE Plus 1.7.1
2. Java 8
3. Tomcat JAAS Realm

OBJECTIVE:
Custom error captured in JAAS login module to propagate to error page

BASIC UNDERSTANDING:
The Tomcat JAAS layer is not integrated with the web container layer. Hence the former does not have access to request, session etc.

SOLUTION:
Using a ThreadLocal which captures the custom error message in the JAAS layer, to be used when the flow reaches back to the custom valve on the way back to the browser.

PROBLEM:
Understanding of basic request/response flow involving Tomcat and JAAS
a. request -- valve -- JAAS -- Filter -- Servlet/JSP
b. response -- valve (**) -- JAAS -- Filter -- Servlet/JSP

(refer to above clause b) The ThreadLocal in the JAAS layer managed to capture the custom error message and I managed to print it after the getNext() method of the custom valve. Thought of adding this custom error as an attribute in the session object. However I noticed that the error page is already displayed before I could add this custom error (immediately after the getNext method). Due to that the ready custom error message cannot be used.

SAMPLE CODES:
1. web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>

2. Custom valve, defined in META-INF/context.xml

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SecurityValve extends ValveBase {
    public void invoke(Request request, Response response) throws IOException, ServletException {
        getNext().invoke(request, response);
        System.out.println("after getNext()"); // break point (BP)
    }
}

1. Did a break point on SecurityValve (indicated at BP)
2. On the form, I purposely enter a wrong credential and submit
3. Break point stops at BP
4. login-redirect-error.jsp displayed already
5. Since it stops at break point BP in SecurityValve, the response back to client flow has not reached the browser. Yet the login-redirect-error.jsp is already displayed

QUESTIONS:
How can the login-redirect-error.jsp be displayed on the browser when the response flowing back to the client stops at break point BP? The flow back to the client is not fully done yet.

I would really appreciate any help.
Thanks.
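The ThreadLocal handoff from the JAAS layer to the valve, written out as an added example (this is not the poster's code and not part of Tomcat or TomEE). It assumes the Tomcat 7 valve API that TomEE 1.7.x ships, a hypothetical LoginFailure holder that the LoginModule fills just before throwing its LoginException, and a hypothetical "jaas.failure" session attribute name. Two points the valve in the post leaves out are made explicit: the ThreadLocal is cleared on every pass, because Tomcat reuses worker threads and a stale message would otherwise surface on another user's request, and the code checks Response.isCommitted(), since Tomcat's FormAuthenticator, which sits further down the pipeline, forwards to form-error-page and commits the response before control ever returns to the custom valve.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Hypothetical holder shared by the JAAS LoginModule and the valve (name assumed).
// JAASRealm runs the LoginModule on the request thread, so the module can call
// LoginFailure.set(...) just before it throws its LoginException.
final class LoginFailure {
    private static final ThreadLocal<String> MESSAGE = new ThreadLocal<String>();

    static void set(String message) { MESSAGE.set(message); }

    static String get() { return MESSAGE.get(); }

    // Tomcat reuses worker threads: a message left on the thread would reappear
    // on a later, unrelated user's request, so it is cleared on every pass.
    static void clear() { MESSAGE.remove(); }
}

public class SecurityValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        LoginFailure.clear();   // drop anything left by a previous request on this thread
        try {
            getNext().invoke(request, response);
        } finally {
            String failure = LoginFailure.get();
            if (failure != null) {
                // Control only returns here after FormAuthenticator has forwarded to
                // form-error-page, so the response is already committed and its body
                // cannot be changed. The session is still usable: park the message
                // there for the next request (attribute name assumed), and log it.
                if (response.isCommitted() && request.getSession(false) != null) {
                    request.getSession(false).setAttribute("jaas.failure", failure);
                }
                containerLog.info("JAAS login failed for " + request.getRequestURI()
                        + " (response committed=" + response.isCommitted() + "): " + failure);
            }
            LoginFailure.clear();
        }
    }
}
```

Whatever the login page later reads back from the session should be a generic failure text rather than the login module's exact reason; a message that distinguishes "unknown user" from "wrong password" lets anyone enumerate valid accounts from the login form.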
Re: Http 2 support in Tomcat
Thanks Rainer,

I was looking at reasons not to use websockets and found this recent blog. Be interesting to see if HTTP/2 has similar issues.
http://www.pubnub.com/knowledge-base/discussion/311/current-websockets-limitations

Regards,
-Tony

From: Rainer Jung rainer.j...@kippdata.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, May 15, 2015 3:12 PM
Subject: Re: Http 2 support in Tomcat

> On 15.05.2015 at 20:43, PerfGuru wrote:
>> Thanks Mark, Chris, this is very informative. I am using a httpd that supports http/2 and wow is it impressive. Sorry, I had to stop using Apache/Tomcat to use it but the performance and bandwidth gains are so nice it is addicting and my users have noticed. I will look into jre/jdk 9 and ask Oracle if servlet 4 is in the EA's. I would like to stay with http/2 rather than go to websockets but I am an early adopter and if it is stable and has servlet 4 with http/2 I will give it a try and let you know the results.
>> Best Regards,
>> -Tony
>
> Note that web socket and HTTP/2 serve very different purposes. Web sockets provide you basically with a socket you can use for setting up your own protocol and get rid of request/response semantics. Web sockets allow you to set up asynchronous communication.
>
> HTTP/2 more or less has the same request/response semantics as HTTP. It is only a more efficient implementation of that by combining multiple request/response streams into one TCP connection, using header compression etc. etc. HTTP/2 is still synchronous. Yes, there is a notion of server push, but push in HTTP/2 is very different from what one would name a push in the web socket world.
>
> I think it would be better to clearly keep the two terms web socket and HTTP/2 separated.
>
> Regards,
> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Supported Tomcat version for Java 1.8.25
Hi Vijay,

On Mon, 18 May 2015 00:27:56 +0530, Vijay Kumar vijy.gan...@gmail.com wrote:
> Is each Tomcat version designed to support a set of Java versions? What is the best Tomcat version which I have to use in order to support Java 1.8.25?

officially Tomcat 7.0.x is supported with Java 1.6 or later [1]. There are a lot of solved software bugs within Tomcat related to Java 1.8, like this one [2]. Therefore you should be able to start Tomcat 7.0.x with Java 1.8, but you should update from 7.0.16 to the latest version 7.0.62 [3].

Best Regards
Fabian Fingerle

[1] http://tomcat.apache.org/whichversion.html
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=57173#c16
[3] http://tomcat.apache.org/download-70.cgi
Supported Tomcat version for Java 1.8.25
Hi,

We have a product which we certified on Tomcat 7.0.16 with JRE 1.6. One of our customers wants to upgrade his Java environment from 1.6 to 1.8.25. So I tried to start Tomcat 7.0.16 using Java 1.8.25 and got the error below during the deployment of the WAR file:

org.xml.sax.SAXNotRecognizedException: http://apache.org/xml/features/validation/dynamic

Is each Tomcat version designed to support a set of Java versions? What is the best Tomcat version which I have to use in order to support Java 1.8.25?

Thanks,
Vijay G
Problem with APR library - Tomcat 7
Hello,

I am working on a project where I need to install SSL certificates on a Tomcat 7 server for my Java application. I have been experimenting around; I have set up the connector in the server.xml file, but when I look into the logs I can see this: http://prntscr.com/76a98v

For the connector to be working, I needed to install the APR library. I did so, following this guide here: http://www.techsww.com/tutorials/libraries/apr/installation/installing_apache_portable_runtime_library_on_ubuntu_linux.php

In my case, I use the apr-1.5.2 version. Also, in the configure --prefix part I have specified the URL that is shown in my server error log, i.e. /usr/lib/x86_64-linux-gnu. After a server reboot, I still get the same error. I have been looking around the internet for how to solve this, but only found a couple of open questions on Stack Overflow/Exchange with no answers in them.

Regards,
Dejan Stamenov
dejanstameno...@outlook.com
Student at the Faculty of Computer Science and Engineering, Skopje
Student ID: 122003
Prilep, Macedonia
+389(0)75 279 857
Re: Issue in setting up SHA2 certificate with tomcat6
Pavan,

(Note: only a single post is necessary)

On 5/15/15 10:28 PM, Pavan Kasarla wrote:
> I am trying to configure SHA2 algorithm certificates with tomcat6 in centos 6. I have created a keystore of format JKS using keytool and imported the certificate and intermediates to the keystore. When I restart the tomcat, the logs do not show any kind of errors, it starts up normally, but when I try to connect to the host from a browser it shows the following error.
>
> my system configuration
> OS : centos
> tomcat 6

Specifically, which Tomcat version are you using?

> java1.7.x
>
> In chrome Version 39.0.2171.71 (64-bit):
> SSL connection error
> Hide details
> Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
> Error code: ERR_SSL_PROTOCOL_ERROR
>
> In firefox it shows:
> Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
>
> tomcat configuration for the certificate in server.xml
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="/etc/tomcat6/x.jks" keystorePass="xx"
>            clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
>
> When I change the tomcat keystore with another certificate of SHA1 algorithm everything works fine.

So the only difference is SHA1 versus SHA2 hash on the certificate? Java 1.7 handles both of those without a problem.

Can you try connecting to your server using OpenSSL's s_client program?

$ openssl s_client -connect hostname:443
CONNECTED(0003)
depth=1 [cert subject]
---
Certificate chain
[cert chain]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
[cert info]
---
No client certificate CA names sent
---
SSL handshake has read 3601 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
    Session-ID-ctx:
    Master-Key: 2EFB02FD1F605120E55D3C293CE9E5CE5076CBA1E286A91EB271F7D145825CE441EF2614B9E0CB743C690DC4E45262CF
    Key-Arg   : None
    Start Time: 1431870170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

At the bottom, you can see the connection information that was negotiated with the server. s_client has options to allow you to set the protocol(s) supported, the cipher(s) supported, etc. Perhaps you can narrow-down the problem.

-chris
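The narrowing-down Chris describes, as an added example script (not from the list thread and not an OpenSSL or Tomcat tool): it forces one protocol version per s_client run, pulls the negotiated protocol and cipher out of the SSL-Session block, and flags suites that should not be in use, such as the RC4-SHA seen in the transcript above. The host and port are supplied by whoever runs it; the SAMPLE text is constructed to mirror the quoted s_client output, and the list of weak-suite patterns is this example's own choice.

```sh
#!/bin/sh
# Added example: probe one TLS version at a time with openssl s_client and
# report what the server actually negotiated. Nothing here is taken from the
# list post except the shape of the s_client output.

# Read s_client output on stdin and print "<protocol> <cipher>" from its
# SSL-Session block. A failed handshake leaves Cipher as 0000 or (NONE); both
# are reported as "none".
parse_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "") proto = "none"
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") cipher = "none"
            printf "%s %s\n", proto, cipher
        }
    '
}

# Return 0 (true) when the suite name matches a family that should be retired:
# RC4, export grade, single/triple DES, NULL encryption or MD5 MACs.
is_weak_cipher() {
    case "$1" in
        *RC4*|*EXP*|*DES*|*NULL*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try one protocol flag (-tls1, -tls1_1, -tls1_2) against host:port and
# summarise the outcome on one line.
probe_protocol() {
    host=$1; port=$2; flag=$3
    result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>/dev/null | parse_handshake)
    proto=${result% *}; cipher=${result#* }
    if [ "$cipher" = "none" ]; then
        echo "$flag: handshake failed (no common protocol/cipher with the server)"
    elif is_weak_cipher "$cipher"; then
        echo "$flag: negotiated $proto $cipher  <-- weak suite, restrict the connector's ciphers"
    else
        echo "$flag: negotiated $proto $cipher"
    fi
}

# Constructed sample shaped like the SSL-Session block quoted in the post.
SAMPLE='New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
    Verify return code: 0 (ok)'

# Usage: sh tls-probe.sh hostname 443
# With no arguments only the constructed sample is parsed, so the script runs offline.
if [ $# -ge 2 ]; then
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe_protocol "$1" "$2" "$flag"
    done
else
    printf '%s\n' "$SAMPLE" | parse_handshake
fi
```

A run where -tls1 succeeds but -tls1_2 reports a failed handshake points at a protocol or cipher mismatch between the JSSE connector and the client rather than at the certificate's signature algorithm, which is exactly the distinction the browser messages above cannot make on their own.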