Re: Long lasting websocket sessions

[Alex O'Ree]

No devices in-between, browser to local host. Good feedback though, I'll
try to reproduce with the snake app
Thanks!

On Fri, Feb 16, 2024, 2:47 PM Chuck Caldarale  wrote:

>
> > On Feb 16, 2024, at 11:31, Mark Thomas  wrote:
> >
> > On 09/02/2024 13:47, Alex O'Ree wrote:
> >> I've been experimenting with tomcat 9.x in seeing how long i can get a
> web
> >> socket session to last. I'm currently struggling to get past 30 minutes
> or
> >> so. Looking for guidance on how to best increase this or if this is a
> bad
> >> idea.
> >> Here's the current configuration and what i've tried thus far:
> >> The server continuously streams messages the client, about 1 per second
> >> The client periodically (every 30 seconds) sends a keep alive text
> message
> >> back to the server
> >> The server side endpoint sets the Session.setTimeout(0); according to
> the
> >> docs, this should prevent timeouts
> >> The server side WAR file/WEB-INF/web.xml had a session timeout defined
> at
> >> 15 minutes but i then removed it in order to increase the websocket
> >> duration.
> >> Despite all this, both the client and server log a session disconnect,
> but
> >> i'm still not sure what the reasoning is. I'm still assuming it's some
> kind
> >> of timeout mechanism.
> >
> > I think you need to do a little more investigation with your
> application. I've been running the snake WebSocket example on 9.0.x for
> over any hour wihtout any issues.
>
>
> Are there any boxes (eg, load balancer, firewall) between the client and
> server that might be forcibly dropping TCP connections after 30 minutes?
>
>   - Chuck
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Long lasting websocket sessions

[Alex O'Ree]

I've been experimenting with tomcat 9.x in seeing how long i can get a web
socket session to last. I'm currently struggling to get past 30 minutes or
so. Looking for guidance on how to best increase this or if this is a bad
idea.

Here's the current configuration and what i've tried thus far:

The server continuously streams messages the client, about 1 per second
The client periodically (every 30 seconds) sends a keep alive text message
back to the server
The server side endpoint sets the Session.setTimeout(0); according to the
docs, this should prevent timeouts
The server side WAR file/WEB-INF/web.xml had a session timeout defined at
15 minutes but i then removed it in order to increase the websocket
duration.

Despite all this, both the client and server log a session disconnect, but
i'm still not sure what the reasoning is. I'm still assuming it's some kind
of timeout mechanism.

Re: Need help tomcat

[Alex O'Ree]

Assuming windows sc delete servicename

On Mon, Oct 2, 2023, 7:44 AM jean-frederic clere  wrote:

> On 10/1/23 09:02, Deepak Lalchandani wrote:
> > I have deleted and Uninstalled all tomcat services but despite that the
> > tomcat service exists in services window . I want to delete the services
> > permanently which is not happening
> >
> > Please help
> >
> > Deepak
> >
>
> Have you tried to remove the service using
> https://commons.apache.org/proper/commons-daemon/procrun.html
>
> //DS is the option to delete the service
>
> --
> Cheers
>
> Jean-Frederic
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: just wondering.. encryption in context.xml?

[Alex O'Ree]

For context.xml, you can do the following

make a java project with the following dependency

org.apache.tomcat
tomcat-dbcp
INSERT APPROPRIATE VERSION HERE
provided


Make a class that extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory
then you can transform the stored credential using whatever makes sense to
you. Perhaps an AES based mechanism.

In context.xml specify a "factory" attribute that points at your extended
BasicDataSourceFactory

A similar technique can be used for SSL keystore passwords in server.xml by
extending the http protocol classes and overriding the password mechanisms.
Enjoy


On Sat, Apr 8, 2023 at 3:02 PM Chuck Caldarale  wrote:

> You might want to take a look at this:
>
> Password - Apache Tomcat - Apache Software Foundation
> 
> cwiki.apache.org
> 
> [image: favicon.ico]
> 
> 
>
>   - Chuck
>
>
> On 2023-04-08, at 13:57, Kevin Huntly  wrote:
>
> okay that's fair
>
> On Sat, Apr 8, 2023, 14:31 Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
>
> Hello,
>
> -Ursprüngliche Nachricht-
> Von: Kevin Huntly 
> Gesendet: Samstag, 8. April 2023 19:40
> An: users@tomcat.apache.org
> Betreff: just wondering.. encryption in context.xml?
>
> is there currently a method for encrypting or otherwise obfuscating
>
> passwords
>
> (like for MySQL) in the context.mxl
> 
>
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> 
>
>
> You might use environment variables or java system properties.
> If someone has access to your context.xml, then your server is compromised
> anyway.
>
> Greetings,
> Thomas
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>

Re: Got a customer who's paranoid about Manager

[Alex O'Ree]

is removing the manager war an option for you? i don't think it's required
for operation. you could also rename it so that it's in a different url
path than the default

On Wed, Feb 22, 2023 at 12:58 PM Mark Thomas  wrote:

> On 22/02/2023 17:49, James H. H. Lampert wrote:
> > On 2/22/23 9:23 AM, Mark Thomas wrote:
> >> Fire them and hire a security consultant with a proper understanding
> >> of risk?
> >
> > Pardon my Yiddish, but "Fun dayn moyl in Gots oyern." (From your mouth
> > to God's ears. Such a colorful language.)
> >
> > But just because you're paranoid doesn't mean they're not out to get you.
> >
> > So just add
> >
> >denyStatus="404"
> > to the RemoteAddrValve?
>
> Exactly.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Tomcat maven plugin

[Alex O'Ree]

Is the tomcat maven plugin still maintained? I noticed it hasn't been
updated in a while

Re: Let's Encrypt with Tomcat?

[Alex O'Ree]

i use letsencrypt with tomcat. i adopted a cronjob/bash script that auto
renews the cert before expiration, it then stops tomcat, refreshes the jks
files, then restarts tomcat. yeah it's down time, but it is minimal and it
works

On Thu, Dec 26, 2019 at 7:49 PM James H. H. Lampert <
jam...@touchtonecorp.com> wrote:

> We have a Tomcat (8.5.40) server running on an Amazon EC2 instance,
> currently using a Java Keystore for the SSL support.
>
> We would like to be able to use Let's Encrypt, but I've learned that
> Let's Encrypt and Tomcat don't get along all that well together. The
> best I've found so far are article at:
>
> <
> https://medium.com/@raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2
> >
>
> and this thread in the Let's Encrypt community forum:
>
>
> <
> https://community.letsencrypt.org/t/how-can-i-automate-renewals-with-tomcat/81423
> >
>
> Does anybody here have any experience with situations like this? Does
> anybody here have any suggestions? Or, as another alternative, does
> anybody here know of some Amazon AWS product that could front-end a
> single-box, non-load-balanced Tomcat server, and use Amazon's free
> "Public Certificates"? (I've already posted that last to the relevant
> Amazon forum.)
>
> James H. H. Lampert
> Touchtone Corporation
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Intermittent JSP Caching/Compiling Issue while under load

[Alex O'Ree]

Sounds a lot like the issue I reported a few months ago

On Mon, Nov 4, 2019, 3:12 PM Tim K  wrote:

> On Mon, Nov 4, 2019, 10:30 AM Mark Thomas  wrote:
>
> >
> > Thanks. That helps as it means the issue should be reproducible on a
> > single, stand-alone instance.
> >
> > Mark
> >
>
> I was able to reproduce this behavior with a single server running a
> vanilla 9.0.21 using the example hello.jsp file...  I was hitting the url
> every 0.5 seconds.
>
> >
>

Re: user self registration/account creation

[Alex O'Ree]

thanks i'll look into it

On Mon, Oct 7, 2019 at 3:36 AM Mark Thomas  wrote:

> On 06/10/2019 20:31, Alex O'Ree wrote:
> > i have a password protected web app and would like to provide users with
> > the ability to self register for a new account. looks like the easiest
> way
> > to do this with tomcat is with a jdbc realm to protect the web app and
> > anonymous access to the self registration app.
> >
> > a few questions on this.
> >
> > is there a pre made app that could be used for the user account creation
> > app? i'll probably need something for admins to revoke accounts, disable
> > accounts, edit role memberships etc. ugh, and then there is user password
> > resets and complexity requirements... some kind of captcha thing to
> prevent
> > bots. i also need to track and report to the user when a password
> expires,
> > last login ip address and user agent field. quite a bit of stuff to
> write.
> > if there is something available that is asf license compatible, i'd love
> to
> > hear about it.
>
> CAS:
> https://www.apereo.org/projects/cas
>
> I think CAS does everything you asked for.
>
> Spring Security is the other option that comes to mind but my
> understanding is that you'd need to build some of the management UIs
> yourself.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

user self registration/account creation

[Alex O'Ree]

i have a password protected web app and would like to provide users with
the ability to self register for a new account. looks like the easiest way
to do this with tomcat is with a jdbc realm to protect the web app and
anonymous access to the self registration app.

a few questions on this.

is there a pre made app that could be used for the user account creation
app? i'll probably need something for admins to revoke accounts, disable
accounts, edit role memberships etc. ugh, and then there is user password
resets and complexity requirements... some kind of captcha thing to prevent
bots. i also need to track and report to the user when a password expires,
last login ip address and user agent field. quite a bit of stuff to write.
if there is something available that is asf license compatible, i'd love to
hear about it.

assuming no, i currently use a digestor to put passwords into the
tomcat-users.xml file. if i write a webapp to add the users to the
database, would the password field just be the hashed value? anything else
i need to do?

Re: Is it possible to disable JMX?

[Alex O'Ree]

you may have to edit catalina.bat and add --no-jmx to the command line

On Mon, Aug 26, 2019 at 2:05 PM Pascal Schumacher 
wrote:

> |Hi,
>
> according to https://tomcat.apache.org/tomcat-9.0-doc/changelog.html it
> should be possible to disable JMX when using Tomcat 9.0.20+.
>
> I tried different way to pass --no-jmx to Tomcat 9.0.24 ("catalina.bat
> start --no-jmx", "startup.bat --no-jmx", editing catalina.bat), but the
> "Catalina" folder is present in JMX and memory consumption remains the
> same.
>
> I guess I am misunderstanding something and there is not way to disable
> JMX when using org.apache.catalina.startup.Bootstrap?
>
> Thanks and kind regards,
> Pascal|
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: how to enable OCSP for Tomcat w OpenSSL

[Alex O'Ree]

This thread was super useful. thanks for sharing

On Wed, Apr 17, 2019 at 3:29 PM John Palmer  wrote:

> I'm still struggling with getting APR/OpenSSL to do the OCSP check.
>
> I'd appreciate some tips:
> versions: Java 8 (1.8.0_202), 64-bit, tomcat 8.5.38, APR 1.2.21
> using APR/OpenSSL (the tc-native-1.dll binary for Windows, compiled w OCSP
> support - the X64 dll from
> tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
>
> I can't get certificate revocation checking, specifically OCSP to happen
> from the APR/OpenSSL code;
> it seems to be happening instead from the Java (JSSE) code instead.
>
> I suspect a logic error is setting the OpenSSL revocation configuration
> (callback?) code to be set, then reset with the JSSE revocation
> configuration (due to the Catlina log excerpts shown below).
> I've tried following the APR initialization logic in the tomcat 8.5.35
> source, (but I get lost)...
> OpenSSLContext.java has
> SSLContext.setCertVerifyCallback()
> I suspect this is getting called correctly, then getting stepped on by the
> JSSE configuration being called (when it should be skipped).
>
> But I may just have something misconfigured.
>
>
> steps to reproduce:
>
> First, get Java revocation checking working without tc-native:
> UNcomment ocsp.enable=true in the Java\jre\lib\security\java.security file
> add
> revocationEnabled="true"
> certificateVerification="require"
> to the SSLHostConfig / Connector section of the server.xml config file.
>
>
> add -Djava.security.debug="certpath" to the Tomcat Java options (shows the
> JSSE cert validation - including OCSP if any - in the std-err log)
> or
> -Djava.security.debug="certpath ocsp"  (adds hexdumps of the OCSP REQUEST
> and RESPONSE. Generally not needed)
> (add -Djavax.net.ssl.trustStore=NONE to prevent the default truststore from
> being loaded - just because it clutters the std-out log)
>
> added to loggin.properties to see some of what Tomcat is logging:
> org.apache.tomcat.util.net.openssl.level=ALL
> org.apache.tomcat.util.net.level=ALL
> org.apache.tomcat.jni.level=ALL
>
> Restart tomcat,
> access via a browser with an appropriate cert (or OpenSSL or other client
> with options to send a client cert).
>
> You now can see JSSE doing OCSP checks in the (tocat)stderr logs (wireshark
> confirms this).
>
> stop tomcat, copy the tc-native-1.dll compiled with OCSP support, restart
> tomcat...
> access via browser (or client) with a cert etc...
>
> You'll see the tomcat stderr logs show that JSSE is STILL doing the OCSP
> checks.
>
> Catalina and stdout logs show that APR/OpenSSL is loading the server and
> trusted certs, doing the SSL handshakes etc, but not the certificate
> verification. this seems to be falling through to the JSSE certificate
> verification..
> (and that JSSE is ALSO loading the trusted certs (and the server cert, I
> think).
>
>
>
> the Catlina log shows that the APR/OpenSSL stuff is loading and configuring
> properly first:
>
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
> based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> [true].
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
> org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
> The ["https-openssl-nio2-A.B.C.D-443"] connector has been configured to
> support negotiation to [h2] via ALPN
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["https-openssl-nio2-A.B.C.D-443"]
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled The [protocols] that are
> active are : [[TLSv1.3, TLSv1.2]]
> org.apache.tomcat.util.net
> .openssl.ciphers.OpenSSLCipherConfigurationParser.convertForJSSE
> jsse.openssl.effectiveCiphers
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled The [ciphers] that are
> active are : [[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_PSK_DHE_WITH_AES_256_CCM_8, TLS_DHE_PSK_WITH_AES_256_CCM,
> TLS_DHE_RSA_WITH_AES_256_CCM_8, TLS_DHE_RSA_WITH_AES_256_CCM,
> TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
> TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
> TLS_SRP_SHA_WITH_AES_256_CBC_SHA, TLS_AES_256_GCM_SHA384,
> TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
> TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
> 

Re: on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

OK some updates. I compiled this afternoon off of the tomcat 8.5.x branch
and made changes to SmapUtil.java around line 206 give or take.
The changes were basically
if (!tmpFile.renameTo(...)) {
Files.move(tmpFile.toPath(), classFile.toPath(),
StandardCopyOption.REPLACE_EXISTING);
}

Variables:
- Environmental, there was a reboot in between test scenarios
- Moving from 8.5.40 to head

Result:
At first it was promising that i thought it may have been fixed, however I
did run into another exception with the Files.move call, exception was
file exists already. Previously, it was maybe 1/100 jsps, now it's closer
to 1 of 400. Definitely better, but is it because of the update to the
newer
code base or is it due to the code change i made. I'll do some more
experiments tomorrow to try and narrow it down



On Mon, Jun 10, 2019 at 3:32 PM Alex O'Ree  wrote:

> > Anything unusual about that file system?
>
> Nope, just a standard NTFS windows 7 setup. I've seen in a development
> environment (no special file permissions) and in more of a production
> environment on win10 and server 2016 whereby the file system is locked down
> in a similar fashion to how it's done on linux.
>
> > How much load (users, req/s) is the system under?
>
> In terms of the jsp error, this particular app is typically just a single
> user hitting it. There's lots of other non-jsp traffic to the server
> though. I've also seen this error a lot in my dev setup.
>
> > Any changes from default JSP Servlet (Jasper) settings?
>
> none
>
> > Does the access log indicate concurrent access for the problematic
> resources?
>
> Well. It's happening pretty frequently during a controlled set of selenium
> unit tests. It's a single browser session doing http get's to all the jsp
> pages one at a time, primarily just to ensure that they compile correctly.
> Shouldn't be an concurrent sessions on this context.
>
> > Alex, are you able to edit the code and replace the File.renameTo call
> with an equivalent Files.move and see if it's either (a) more reliable
> or (b) gives you better error information?
>
> Yes I can give it a try.
>
> > One more idea. Virus scanner locking files?
>
> I've seen it on systems with and without a/v. On the system with it, I was
> able to temporarily disable it but still got on the tmp.rename error.
>
>
> On Mon, Jun 10, 2019 at 2:48 PM Mark Thomas  wrote:
>
>> On 10/06/2019 12:08, Alex O'Ree wrote:
>> > I am on windows 7. Same partition as the os.
>>
>> Hmm. That is odd. A few random (ish) questions:
>>
>> Anything unusual about that file system?
>>
>> How much load (users, req/s) is the system under?
>>
>> Any changes from default JSP Servlet (Jasper) settings?
>>
>> Does the access log indicate concurrent access for the problematic
>> resources?
>>
>> Mark
>>
>>
>> >
>> > On Mon, Jun 10, 2019, 3:20 AM Mark Thomas  wrote:
>> >
>> >> On 07/06/2019 15:35, Alex O'Ree wrote:
>> >>> HTTP Status 500 – Internal Server Error
>> >>> Type Exception Report
>> >>>
>> >>> Message Unable to compile class for JSP
>> >>>
>> >>> Description The server encountered an unexpected condition that
>> >>> prevented it from fulfilling the request.
>> >>
>> >> Not as helpful as I had hoped.
>> >>
>> >> Given that the issue is random and that immediately retrying usually
>> >> works that tends to rule out permission issues.
>> >>
>> >> Where is the work directory located? If it is anywhere other than local
>> >> disk that might be the source of the problem.
>> >>
>> >> I'll look into improving those error messages a little (at least
>> provide
>> >> source and destination file names).
>> >>
>> >> Mark
>> >>
>> >>
>> >>>
>> >>> Exception
>> >>>
>> >>> org.apache.jasper.JasperException: Unable to compile class for JSP
>> >>>
>> >>
>> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:610)
>> >>>
>> >>
>> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
>> >>>
>> >>
>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
>> >>>
>>  org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
>> >>>   javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>> >>>
>> >>  org.apache.tomcat.we

Re: on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

> Anything unusual about that file system?

Nope, just a standard NTFS windows 7 setup. I've seen in a development
environment (no special file permissions) and in more of a production
environment on win10 and server 2016 whereby the file system is locked down
in a similar fashion to how it's done on linux.

> How much load (users, req/s) is the system under?

In terms of the jsp error, this particular app is typically just a single
user hitting it. There's lots of other non-jsp traffic to the server
though. I've also seen this error a lot in my dev setup.

> Any changes from default JSP Servlet (Jasper) settings?

none

> Does the access log indicate concurrent access for the problematic
resources?

Well. It's happening pretty frequently during a controlled set of selenium
unit tests. It's a single browser session doing http get's to all the jsp
pages one at a time, primarily just to ensure that they compile correctly.
Shouldn't be an concurrent sessions on this context.

> Alex, are you able to edit the code and replace the File.renameTo call
with an equivalent Files.move and see if it's either (a) more reliable
or (b) gives you better error information?

Yes I can give it a try.

> One more idea. Virus scanner locking files?

I've seen it on systems with and without a/v. On the system with it, I was
able to temporarily disable it but still got on the tmp.rename error.


On Mon, Jun 10, 2019 at 2:48 PM Mark Thomas  wrote:

> On 10/06/2019 12:08, Alex O'Ree wrote:
> > I am on windows 7. Same partition as the os.
>
> Hmm. That is odd. A few random (ish) questions:
>
> Anything unusual about that file system?
>
> How much load (users, req/s) is the system under?
>
> Any changes from default JSP Servlet (Jasper) settings?
>
> Does the access log indicate concurrent access for the problematic
> resources?
>
> Mark
>
>
> >
> > On Mon, Jun 10, 2019, 3:20 AM Mark Thomas  wrote:
> >
> >> On 07/06/2019 15:35, Alex O'Ree wrote:
> >>> HTTP Status 500 – Internal Server Error
> >>> Type Exception Report
> >>>
> >>> Message Unable to compile class for JSP
> >>>
> >>> Description The server encountered an unexpected condition that
> >>> prevented it from fulfilling the request.
> >>
> >> Not as helpful as I had hoped.
> >>
> >> Given that the issue is random and that immediately retrying usually
> >> works that tends to rule out permission issues.
> >>
> >> Where is the work directory located? If it is anywhere other than local
> >> disk that might be the source of the problem.
> >>
> >> I'll look into improving those error messages a little (at least provide
> >> source and destination file names).
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Exception
> >>>
> >>> org.apache.jasper.JasperException: Unable to compile class for JSP
> >>>
> >>
> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:610)
> >>>
> >>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
> >>>
> >>
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
> >>>   org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
> >>>   javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> >>>
> >>  org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> >>>
> >>
> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> >>> Root Cause
> >>>
> >>> java.io.IOException: tmpFile.renameTo(classFile) failed
> >>>
> >>
> org.apache.jasper.compiler.SmapUtil$SDEInstaller.install(SmapUtil.java:204)
> >>>
>  org.apache.jasper.compiler.SmapUtil.installSmap(SmapUtil.java:163)
> >>>
> >>
> org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:564)
> >>>   org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
> >>>   org.apache.jasper.compiler.Compiler.compile(Compiler.java:350)
> >>>   org.apache.jasper.compiler.Compiler.compile(Compiler.java:334)
> >>>
> >>
> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:595)
> >>>
> >>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
> >>>
> >>
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
> >>>   org.apache.jasper.servlet.JspServlet.service(JspServlet.ja

Re: on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

in tomcat/work/Catalina/localhost/(mywebapp)/org/apache/jsp/dir/
I have something like
help_jsp.java
help_jsp.classtmp

all other jsp pages have the pattern
page_jsp.java
page_jsp.class


On Mon, Jun 10, 2019 at 11:53 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 6/10/19 03:20, Mark Thomas wrote:
> > On 07/06/2019 15:35, Alex O'Ree wrote:
> >> HTTP Status 500 – Internal Server Error Type Exception Report
> >>
> >> Message Unable to compile class for JSP
> >>
> >> Description The server encountered an unexpected condition that
> >> prevented it from fulfilling the request.
> >
> > Not as helpful as I had hoped.
> >
> > Given that the issue is random and that immediately retrying
> > usually works that tends to rule out permission issues.
> >
> > Where is the work directory located? If it is anywhere other than
> > local disk that might be the source of the problem.
> >
> > I'll look into improving those error messages a little (at least
> > provide source and destination file names).
>
> After the error, what file(s) are on the disk in the work directory?
>
> - -chris
>
> >> org.apache.jasper.JasperException: Unable to compile class for
> >> JSP
> >> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext
> .java:610)
> >>
> >>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja
> va:399)
> >> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3
> 86)
> >>
> >>
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
> >> javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> >> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52
> )
> >>
> >>
> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFil
> ter.java:71)
> >> Root Cause
> >>
> >> java.io.IOException: tmpFile.renameTo(classFile) failed
> >> org.apache.jasper.compiler.SmapUtil$SDEInstaller.install(SmapUtil.jav
> a:204)
> >>
> >>
> org.apache.jasper.compiler.SmapUtil.installSmap(SmapUtil.java:163)
> >> org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java
> :564)
> >>
> >>
> org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
> >> org.apache.jasper.compiler.Compiler.compile(Compiler.java:350)
> >> org.apache.jasper.compiler.Compiler.compile(Compiler.java:334)
> >> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext
> .java:595)
> >>
> >>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja
> va:399)
> >> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:3
> 86)
> >>
> >>
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
> >> javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> >> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52
> )
> >>
> >>
> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFil
> ter.java:71)
> >> Note The full stack trace of the root cause is available in the
> >> server logs.
> >>
> >>
> >>
> >>
> >> On Fri, Jun 7, 2019 at 4:58 AM Mark Thomas 
> >> wrote:
> >>
> >>> On 06/06/2019 20:38, Alex O'Ree wrote:
> >>>> I've upgraded from .34 to .40 somewhat recently (on windows)
> >>>> and have
> >>> been
> >>>> getting random errors rendering jsp pages recently. The trace
> >>>> is always related to jasper failing to rename a file. I'm not
> >>>> really sure what the issue is. Has anyone seen this or
> >>>> something similar?
> >>>>
> >>>> Usually retrying the request resolves the issue immediately
> >>>> but something seems fishy. This worked fine on previous
> >>>> versions.
> >>>
> >>> Can you provide a stack trace please.
> >>>
> >>> Thanks,
> >>>
> >>> Mark
> >>>
> >>> 
> - -
> >>>
> >>>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >>>
> >>
> >
> >
> > -

Re: on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

I am on windows 7. Same partition as the os.

On Mon, Jun 10, 2019, 3:20 AM Mark Thomas  wrote:

> On 07/06/2019 15:35, Alex O'Ree wrote:
> > HTTP Status 500 – Internal Server Error
> > Type Exception Report
> >
> > Message Unable to compile class for JSP
> >
> > Description The server encountered an unexpected condition that
> > prevented it from fulfilling the request.
>
> Not as helpful as I had hoped.
>
> Given that the issue is random and that immediately retrying usually
> works that tends to rule out permission issues.
>
> Where is the work directory located? If it is anywhere other than local
> disk that might be the source of the problem.
>
> I'll look into improving those error messages a little (at least provide
> source and destination file names).
>
> Mark
>
>
> >
> > Exception
> >
> > org.apache.jasper.JasperException: Unable to compile class for JSP
> >
>  
> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:610)
> >
>  
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
> >
>  org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
> >   org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
> >   javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> >
>  org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> >
>  
> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> > Root Cause
> >
> > java.io.IOException: tmpFile.renameTo(classFile) failed
> >
>  org.apache.jasper.compiler.SmapUtil$SDEInstaller.install(SmapUtil.java:204)
> >   org.apache.jasper.compiler.SmapUtil.installSmap(SmapUtil.java:163)
> >
>  org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:564)
> >   org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
> >   org.apache.jasper.compiler.Compiler.compile(Compiler.java:350)
> >   org.apache.jasper.compiler.Compiler.compile(Compiler.java:334)
> >
>  
> org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:595)
> >
>  
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
> >
>  org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
> >   org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
> >   javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> >
>  org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> >
>  
> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> > Note The full stack trace of the root cause is available in the server
> logs.
> >
> >
> >
> >
> > On Fri, Jun 7, 2019 at 4:58 AM Mark Thomas  wrote:
> >
> >> On 06/06/2019 20:38, Alex O'Ree wrote:
> >>> I've upgraded from .34 to .40 somewhat recently (on windows) and have
> >> been
> >>> getting random errors rendering jsp pages recently. The trace is always
> >>> related to jasper failing to rename a file. I'm not really sure what
> the
> >>> issue is. Has anyone seen this or something similar?
> >>>
> >>> Usually retrying the request resolves the issue immediately but
> something
> >>> seems fishy. This worked fine on previous versions.
> >>
> >> Can you provide a stack trace please.
> >>
> >> Thanks,
> >>
> >> Mark
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

HTTP Status 500 – Internal Server Error
Type Exception Report

Message Unable to compile class for JSP

Description The server encountered an unexpected condition that
prevented it from fulfilling the request.

Exception

org.apache.jasper.JasperException: Unable to compile class for JSP

org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:610)

org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
Root Cause

java.io.IOException: tmpFile.renameTo(classFile) failed

org.apache.jasper.compiler.SmapUtil$SDEInstaller.install(SmapUtil.java:204)
org.apache.jasper.compiler.SmapUtil.installSmap(SmapUtil.java:163)

org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:564)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:350)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:334)

org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:595)

org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
Note The full stack trace of the root cause is available in the server logs.




On Fri, Jun 7, 2019 at 4:58 AM Mark Thomas  wrote:

> On 06/06/2019 20:38, Alex O'Ree wrote:
> > I've upgraded from .34 to .40 somewhat recently (on windows) and have
> been
> > getting random errors rendering jsp pages recently. The trace is always
> > related to jasper failing to rename a file. I'm not really sure what the
> > issue is. Has anyone seen this or something similar?
> >
> > Usually retrying the request resolves the issue immediately but something
> > seems fishy. This worked fine on previous versions.
>
> Can you provide a stack trace please.
>
> Thanks,
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

on 8.5.40, random tmpFile.renameTo with jsp files

[Alex O'Ree]

I've upgraded from .34 to .40 somewhat recently (on windows) and have been
getting random errors rendering jsp pages recently. The trace is always
related to jasper failing to rename a file. I'm not really sure what the
issue is. Has anyone seen this or something similar?

Usually retrying the request resolves the issue immediately but something
seems fishy. This worked fine on previous versions.

Re: Jmx example for adding or removing users?

[Alex O'Ree]

According to this
https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#UserDatabaseRealm

It appears that xml file is loaded into a memory realm at start time. JMX
changes are immediate, but is there an easy way to save the changes back to
the xml file?

Digging around in the source, I think the answer is no but I may have
missed something. Can anyone confirm this?



On Fri, May 10, 2019 at 7:07 AM Alex O'Ree  wrote:

> Ahh i missed the exception, had the logs redirected. thanks
>
> On Fri, May 10, 2019 at 3:46 AM Mark Thomas  wrote:
>
>> On 10/05/2019 03:45, Alex O'Ree wrote:
>> > Well less than perfect. Tomcat out of the box is setup with the users
>> xml
>> > file. What's exposed as mbeans is the
>> > "org.apache.catalina.mbeans.MemoryUserDatabaseMBean".
>> > I can add uses to it via mbean, however calling the "save" method does
>> not
>> > update the tomcat-users.xml file. Am i missing something?
>>
>> The MemoryUserDatabase is read-only by default. The attempt to save your
>> changes should have triggered an exception with an appropriate error
>> message.
>>
>> Mark
>>
>>
>> >
>> > On Fri, Apr 26, 2019 at 7:14 PM Alex O'Ree  wrote:
>> >
>> >> Ahh perfect, thanks.
>> >>
>> >> On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas  wrote:
>> >>
>> >>> On 26/04/2019 12:11, Alex O'Ree wrote:
>> >>>> I am looking for a way to programmatically add or remove user
>> accounts
>> >>>> using tomcats user xml file as a store without restarting tomcat. Can
>> >>> this
>> >>>> be done using jmx?
>> >>>>
>> >>>
>> >>> Yes. Look under Users -> UserDatabase
>> >>>
>> >>> Mark
>> >>>
>> >>> -
>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> >>>
>> >>>
>> >
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: Jmx example for adding or removing users?

[Alex O'Ree]

Ahh i missed the exception, had the logs redirected. thanks

On Fri, May 10, 2019 at 3:46 AM Mark Thomas  wrote:

> On 10/05/2019 03:45, Alex O'Ree wrote:
> > Well less than perfect. Tomcat out of the box is setup with the users xml
> > file. What's exposed as mbeans is the
> > "org.apache.catalina.mbeans.MemoryUserDatabaseMBean".
> > I can add uses to it via mbean, however calling the "save" method does
> not
> > update the tomcat-users.xml file. Am i missing something?
>
> The MemoryUserDatabase is read-only by default. The attempt to save your
> changes should have triggered an exception with an appropriate error
> message.
>
> Mark
>
>
> >
> > On Fri, Apr 26, 2019 at 7:14 PM Alex O'Ree  wrote:
> >
> >> Ahh perfect, thanks.
> >>
> >> On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas  wrote:
> >>
> >>> On 26/04/2019 12:11, Alex O'Ree wrote:
> >>>> I am looking for a way to programmatically add or remove user accounts
> >>>> using tomcats user xml file as a store without restarting tomcat. Can
> >>> this
> >>>> be done using jmx?
> >>>>
> >>>
> >>> Yes. Look under Users -> UserDatabase
> >>>
> >>> Mark
> >>>
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >>>
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Jmx example for adding or removing users?

[Alex O'Ree]

Well less than perfect. Tomcat out of the box is setup with the users xml
file. What's exposed as mbeans is the
"org.apache.catalina.mbeans.MemoryUserDatabaseMBean".
I can add uses to it via mbean, however calling the "save" method does not
update the tomcat-users.xml file. Am i missing something?

On Fri, Apr 26, 2019 at 7:14 PM Alex O'Ree  wrote:

> Ahh perfect, thanks.
>
> On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas  wrote:
>
>> On 26/04/2019 12:11, Alex O'Ree wrote:
>> > I am looking for a way to programmatically add or remove user accounts
>> > using tomcats user xml file as a store without restarting tomcat. Can
>> this
>> > be done using jmx?
>> >
>>
>> Yes. Look under Users -> UserDatabase
>>
>> Mark
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: Jmx example for adding or removing users?

[Alex O'Ree]

Ahh perfect, thanks.

On Fri, Apr 26, 2019 at 12:34 PM Mark Thomas  wrote:

> On 26/04/2019 12:11, Alex O'Ree wrote:
> > I am looking for a way to programmatically add or remove user accounts
> > using tomcats user xml file as a store without restarting tomcat. Can
> this
> > be done using jmx?
> >
>
> Yes. Look under Users -> UserDatabase
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Jmx example for adding or removing users?

[Alex O'Ree]

I am looking for a way to programmatically add or remove user accounts
using tomcats user xml file as a store without restarting tomcat. Can this
be done using jmx?

Re: JMS Testing

[Alex O'Ree]

JMS is a programming api that is an abstraction for a messaging service.
There's a bunch of implementations of the JMS API, such like car's have the
same human to car interface (steering wheel, pedals, etc), however there's
tons of types and manufacturers. Tomcat serves up web content. Some JMS
brokers may offer endpoints that are web based or management functions that
are web based, but most JMS implementations (that I know of) do not use
HTTP as a transport.

So your question doesn't make sense IMO. JMS is an API. If you want to test
a specific vendor's implementation on tomcat, you may want to consult their
documentation. If you want to test their conformance to JMS, there may be a
technical conformance kit (TCK) which can be used to help automate the
process.

On Mon, Dec 17, 2018 at 6:22 PM Rajendra  wrote:

> Hi,
>
> How to test JMS on Tomcat without writing client code? Please let me know
> if anyone knows the steps or process.
>
> Thanks !
>
> Rajendra
>
>

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

[Alex O'Ree]

Roger that,  thanks

On Thu, Oct 18, 2018, 9:38 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 10/18/18 11:08, Alex O'Ree wrote:
> > Basically. I start with the tomcat distro, apply my changes,  then
> > zip it up and distribute. I'm at a situation when patches are
> > preferable over a complete reinstall of my product thus the
> > inquiry.  I can probably just replace all the tomcat bits and be
> > done with it.
>
> Tomcat only ships with .jar files and configuration. Feel free to just
> overwrite all the JAR files with the newer Tomcat ones. It's just as
> easy to replace all two-dozen of them as it would be to replace a
> single one, right?
>
> - -chris
>
> > On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Alex,
> >
> > On 10/14/18 18:06, Alex O'Ree wrote:
> >>>> Is there perhaps a patch that can be applied or better yet, a
> >>>> list of jars that are were affected by this? (I'm just trying
> >>>> to find a simple way to patch a large volume of servers)
> >
> > There is nothing official. Nobody has individually identified
> > which svn revisions fix this issue, so your only options really
> > are:
> >
> > 1. Grab the previous version from source, apply all patches and
> > deploy (this is the same as just grabbing the new binaries,
> > assuming you trust ASF distros)
> >
> > 2. Grab the new binaries, determine which JARs are different
> > (which may not be super-easy), then copy those to each server. But
> > then you have a server which reports x.y.z but is actually x.y.z+∂
> > :(
> >
> > 3. Look at all the commits in ∂ and try to guess the problem.
> > Then, mitigate it at e.g. reverse-proxy of WAF level. One way would
> > be to prevent redirects to sites other than your own (which is
> > really the big danger for open-redirects). Just look for
> > sketchy-looking Location response headers. :)
> >
> > I'm curious how you handle upgrades in general. This certainly
> > isn't the first security issue inn Tomcat that requires an update
> > in your environment. How do you usually handle updates?
> >
> > -chris
> >
> >>>> On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz <
> >>>> ch...@christopherschultz.net> wrote:
> >>>>
> >>>> Mark and Michael,
> >>>>
> >>>> On 10/10/18 05:15, Mark Thomas wrote:
> >>>>>>> On 08/10/18 21:55, Michael Yoder wrote:
> >>>>>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas
> >>>>>>>>  wrote:
> >>>>>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect
> >>>>>>>>
> >>>>>>>> Is it possible to get more information on the
> >>>>>>>> "specially crafted URL"? I'd like more information so
> >>>>>>>> that I can test if some of our apps are vulnerable.
> >>>>>>>
> >>>>>>> Generally, there is a balance to strike here between
> >>>>>>> making it easy for the less technically competent
> >>>>>>> attackers to construct an attack and making it easy for
> >>>>>>> end users to figure out if they are vulnerable. The way
> >>>>>>> we typically do this is by describing the conditions
> >>>>>>> necessary for an attack to be possible as completely as
> >>>>>>> possible but not providing details of how to perform an
> >>>>>>> attack.
> >>>>>>>
> >>>>>>> We also provide references to the commit that fixed
> >>>>>>> the issue. For someone with the right skills, there is
> >>>>>>> usually enough information in the description and the
> >>>>>>> commit for a successful attack to be reverse
> >>>>>>> engineered.
> >>>>
> >>>> It doesn't look like Sergey has posted anything (that I can
> >>>> find) that might be called a full disclosure. If he had, I'd
> >>>> point it out.
> >>>>
> >>>> If I were you, I'd just make sure that you either (a) upgrade
> >>>> or (b) use the existing settings to mitigate the potential
> >>>> problem, as described in the ann

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

[Alex O'Ree]

Basically. I start with the tomcat distro, apply my changes,  then zip it
up and distribute. I'm at a situation when patches are preferable over a
complete reinstall of my product thus the inquiry.  I can probably just
replace all the tomcat bits and be done with it.


On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 10/14/18 18:06, Alex O'Ree wrote:
> > Is there perhaps a patch that can be applied or better yet, a list
> > of jars that are were affected by this? (I'm just trying to find a
> > simple way to patch a large volume of servers)
>
> There is nothing official. Nobody has individually identified which
> svn revisions fix this issue, so your only options really are:
>
> 1. Grab the previous version from source, apply all patches and deploy
>(this is the same as just grabbing the new binaries, assuming you
> trust ASF distros)
>
> 2. Grab the new binaries, determine which JARs are different (which
> may not be super-easy), then copy those to each server. But then you
> have a server which reports x.y.z but is actually x.y.z+∂ :(
>
> 3. Look at all the commits in ∂ and try to guess the problem. Then,
> mitigate it at e.g. reverse-proxy of WAF level. One way would be to
> prevent redirects to sites other than your own (which is really the
> big danger for open-redirects). Just look for sketchy-looking Location
> response headers. :)
>
> I'm curious how you handle upgrades in general. This certainly isn't
> the first security issue inn Tomcat that requires an update in your
> environment. How do you usually handle updates?
>
> - -chris
>
> > On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Mark and Michael,
> >
> > On 10/10/18 05:15, Mark Thomas wrote:
> >>>> On 08/10/18 21:55, Michael Yoder wrote:
> >>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas
> >>>>>  wrote:
> >>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect
> >>>>>
> >>>>> Is it possible to get more information on the "specially
> >>>>> crafted URL"? I'd like more information so that I can test
> >>>>> if some of our apps are vulnerable.
> >>>>
> >>>> Generally, there is a balance to strike here between making
> >>>> it easy for the less technically competent attackers to
> >>>> construct an attack and making it easy for end users to
> >>>> figure out if they are vulnerable. The way we typically do
> >>>> this is by describing the conditions necessary for an attack
> >>>> to be possible as completely as possible but not providing
> >>>> details of how to perform an attack.
> >>>>
> >>>> We also provide references to the commit that fixed the
> >>>> issue. For someone with the right skills, there is usually
> >>>> enough information in the description and the commit for a
> >>>> successful attack to be reverse engineered.
> >
> > It doesn't look like Sergey has posted anything (that I can find)
> > that might be called a full disclosure. If he had, I'd point it
> > out.
> >
> > If I were you, I'd just make sure that you either (a) upgrade or
> > (b) use the existing settings to mitigate the potential problem,
> > as described in the announcement.
> >
> > -chris
> >>
> >> -
> >>
> >>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvInigACgkQHPApP6U8
> pFhgDw/+L0SpWHz4IACgy7xB4ekyHpIt/5wbOEbqTfyZAh0m+LrSZgI73zPJuHtt
> pLnpwgx3lqwCiWTTFFpK8CqhiQ+a+2dKtSTeDlKRJuU4QZLDMSrgYpcWlGJ3h6w/
> LiM2KlnJ1i/jI95NVvoW8HFh/6wHCJLJV+czZJja3Uh/xQz/MTWhmh5dx3eVEIY6
> 7WTB/JNO02wzM8EudqHypypXmwI0pMLbsMsjTSikIHf8m41Qyd+XrY60DKZul8dv
> L6bolXxH23vGnxiv4fnN+tGzIaT1ptXmJ6u/MWFUODtD3PVR3CdjIp2JrXFd3GVN
> wGEow0tPRa3tsUvL/frllk22xhzbtxzu1M0Rf9U02TLB4nolyBIdJ5e3OyAnmS/Q
> ap3aAPVnFWz2twBxUbuXkk4aZ39YziziWqyFO36y5BFNKI5EQlI3GryDbmBZ6SeT
> vOJnMDwLy8o6kRcChNh1LmpjnbZMTYPmSkKEhfzf1tocDdBHZmd5yTIjBNrS0++V
> n572zrrTWiBbca39QKFqEgmB5iy4fWpkVYHPKqmOVT7JLhI74WRnKap9dqrSDGrP
> n1F4AjfuUjmG8H5Vo01bHWBav4aJuMDrLQ+Sr+sUl6uWPu5DDsG+1W9t2JAyC2Vq
> tfP9XLMNBDV+f0BUaYt2aPXmBmLe5IP8FNVAzO1W/2VJG7c1UrM=
> =E/P3
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

[Alex O'Ree]

Is there perhaps a patch that can be applied or better yet, a list of jars
that are were affected by this? (I'm just trying to find a simple way to
patch a large volume of servers)

On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Mark and Michael,
>
> On 10/10/18 05:15, Mark Thomas wrote:
> > On 08/10/18 21:55, Michael Yoder wrote:
> >> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas 
> >> wrote:
> >>> CVE-2018-11784 Apache Tomcat - Open Redirect
> >>
> >> Is it possible to get more information on the "specially crafted
> >> URL"? I'd like more information so that I can test if some of our
> >> apps are vulnerable.
> >
> > Generally, there is a balance to strike here between making it easy
> > for the less technically competent attackers to construct an attack
> > and making it easy for end users to figure out if they are
> > vulnerable. The way we typically do this is by describing the
> > conditions necessary for an attack to be possible as completely as
> > possible but not providing details of how to perform an attack.
> >
> > We also provide references to the commit that fixed the issue. For
> > someone with the right skills, there is usually enough information
> > in the description and the commit for a successful attack to be
> > reverse engineered.
>
> It doesn't look like Sergey has posted anything (that I can find) that
> might be called a full disclosure. If he had, I'd point it out.
>
> If I were you, I'd just make sure that you either (a) upgrade or (b)
> use the existing settings to mitigate the potential problem, as
> described in the announcement.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu+C0QACgkQHPApP6U8
> pFhCJQ/9Gw/G8dw46y4ItHFCsPTDiTxGenxMmVAlxt7kisblb8H3o9vK8PU96+PD
> Nb44/Vf5hp5XKN5Xuu3czyNjQ2l0QFb/WxZyqSnlWPEWOQs7a6ZFez9MQZ1W1H13
> t6qRCSgcOWcrHvXBKjshspHzY6XeQq2Q5kzHntbVZKjQMQif/Cd73XYX0/GIukcF
> 4tKhQIXRNh99/NOsw6Ot+DgVjksVhVgg62sOuAe7gUh/UNginc07JvYBa9rKgAz+
> JP3Z+PvUyCJFzGSoT1cYAniU+ZNiayquEmMxVeJ4VX6ZK2PMhPjEt58yD3NTOCaN
> fAE7ct9UICZ8g9WP22OcTAfaYgUSBGSCOxd7DkqM/o06Lv2bTsiWYtOr8bhHNnrO
> S7hJJ5a6Tm7TbN4Insm+BQhvts5FeDAsKM92TWGTrAZ52LEhdS2twsRcmCQDE69z
> +mmjRTl+W9UTxl6JTmDHj10d/aWYaA3f2SpZ4A18rRP4JSXQm7Ls/st8hR/TwdKC
> LsQ9RnmrDLgtSyql9keWhwaD28iQix5KgfFXOLrByCByzORnbP3z9VEu1knO1r1f
> Voe8wq8lDf56vRsr5VjjqSgmkeabtz8uxymOSbt8b3spQ6Q2J7y86MDA3/I7ZjTx
> cqgS2JyYAgtlD6vyiNeYRG14XBly3vFZeoCmw6CKFSTFSdK8r3I=
> =2IHD
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat with half open tcp sockets

[Alex O'Ree]

Sorry,  mobile typo.  Soap stack, as in cxf, axis, sun jaxws ri

On Thu, Oct 4, 2018, 12:57 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 10/3/18 20:25, Alex O'Ree wrote:
> > Thanks Chris.  I ended up using aggressive read timeout values on
> > the Web service clients by adding properties to the binding
> > provider. Thing is, every jre version and soap attacks use
> > different versions which made this much harder to track down.
>
> SOAP attacks?
>
> FWIW, all clients should always be specifying sane timeout values.
> Most programmers are lazy, though, and leave them to the default
> (which is almost always "infinite").
>
> - -chris
>
> > On Tue, Oct 2, 2018, 1:44 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Alex,
> >
> > On 9/29/18 08:31, Alex O'Ree wrote:
> >>>> Does tomcat detect or mitigate against half open tcp
> >>>> connections?
> >
> > Not directly. Basically, that's the OS's job.
> >
> >>>> I recently ran into an issue where something in between a
> >>>> java jaxws client and a jaxws service running in tomcat is
> >>>> interfering with the tcp stream. Resolving this client side
> >>>> has been a challenge due the transmitting thread hanging
> >>>> forever waiting to read from the remote server and not being
> >>>> able to be interrupted or aborted. While troubleshooting
> >>>> this, it dawned on me that services running in tomcat may run
> >>>> into a similar problem and was wondering if tomcat has any
> >>>> safe guards for this scenario. If it does, what is the
> >>>> strategy used? I'm thinking maybe I can something similar
> >>>> client side.
> >
> > In these cases, the only option the server has is to close the
> > connection and then let the TCP stack purge the connection after
> > some time in the penalty box (FIN_WAIT, FIN_WAIT2, or TIME_WAIT).
> >
> > If you see these kinds of connections piling-up, you may want to
> > tweak the options of your TCP stack to have them cleared-out more
> > quickly.
> >
> > -chris
> >>
> >> -
> >>
> >>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu2Rm0ACgkQHPApP6U8
> pFirFxAAwDR7FwEYsLMM8iTy5Kl9dmguVDpJPkXKvw8ar3Djrk7/K1SPVodv7AWV
> 2+UqnZvFmDQ9LB9LRKuZc1fqeZsrxltVnJcjSRyIpJQAyWF9D3chNY6h5OYDCi9k
> zuoN6naTcGNzmCTLDhoCNsAOO/u4PP24tBXLWqsXGtViuTHXA3DxjHo26PLfcZPT
> WrhXyfG8o0eOWZ0vfsCbHzjOeyoVspJl5WIqtT4rszAoZnlUmYsSmjQrmZIJsc0l
> TRqHDEZImAbORKiMAt5eTHTnoYN8B6Onp7zhDverCD8vCJS+RabxpXxI/0FH8Y10
> BNKxaNltFfTaqBhWcbcWnO6aKKauLonECjINOEd1Ad0eac0YrkKKBnIIJ6+CTzgh
> k1fVF8eev5s1mGydEaI7zUrvXh4iU6kH6E75GIZF1Mk2xbXZRIEXjcQNF4XvxjPz
> paQh229ozs0Ul8iyNzRhvr/fuPiVmxrKzXLhEZWDiVcZ946G34a5hfkDv6jSevMr
> CnElgmlZ1VwxCzhyiM6EJuoO+pTgj0dOg569xPEhhMtrXyhVtLFFa08IbQFTxLv7
> BYgoQeD8KA8Yxgn0orBBcvP34DAPAw3YZl6FxZ9pxL8X6h+h4fHhqYeHtpMUAqEp
> flwUmO8EW/xgHJF58dihGN0sY2lJD8p5XFsWC30i2LJNE+wd2lU=
> =K14S
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat with half open tcp sockets

[Alex O'Ree]

Thanks Chris.  I ended up using aggressive read timeout values on the Web
service clients by adding properties to the binding provider. Thing is,
every jre version and soap attacks use different versions which made this
much harder to track down.


On Tue, Oct 2, 2018, 1:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 9/29/18 08:31, Alex O'Ree wrote:
> > Does tomcat detect or mitigate against half open tcp connections?
>
> Not directly. Basically, that's the OS's job.
>
> > I recently ran into an issue where something in between a java
> > jaxws client and a jaxws service running in tomcat is interfering
> > with the tcp stream. Resolving this client side has been a
> > challenge due the transmitting thread hanging forever waiting to
> > read from the remote server and not being able to be interrupted or
> > aborted. While troubleshooting this, it dawned on me that services
> > running in tomcat may run into a similar problem and was wondering
> > if tomcat has any safe guards for this scenario. If it does, what
> > is the strategy used? I'm thinking maybe I can something similar
> > client side.
>
> In these cases, the only option the server has is to close the
> connection and then let the TCP stack purge the connection after some
> time in the penalty box (FIN_WAIT, FIN_WAIT2, or TIME_WAIT).
>
> If you see these kinds of connections piling-up, you may want to tweak
> the options of your TCP stack to have them cleared-out more quickly.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluzrmsACgkQHPApP6U8
> pFh2rg//cX7UAqis6qKHTDpgOSSBjFIusm7kdxW58/VpWcp/JzUfNhFLLl0aeCsT
> NbU38l0W0UqYXTCu0sMuPCKGLGYpwuAOCuWq6mJq4VFWtUCyBmCP/A2pvtTzW8js
> f4e0npXpp/3TxdDx9xNpLfWDv6nzqyzEXhIvfWvjtxNmcA1kGq2ueeHgVCWwb6v0
> CJ1VbF52R3B8Gq61u86uV8PPTsUKVIDnn+e+snkLlGMl+lcdBUcGBsxguOaoDHca
> lRN4gkpXjk946Nor7wPkMG4hUBndD7L/nhWNqrqZnd8TKJJxD+98U419LRFq0xSG
> qyAx75oNUUwo2l14q/xGTdAGwOzijfOyvnVscljV9fWGEtOMjOFoqPFlHK6QCec7
> ysZGuSoEJPuBYfFzdnQE4aOiRNYnAkYAmv6CEq/o0DEgZpuxm/ZAaMzrfP6XH8wk
> 072o62Cq0gN50q2KYSi7XJD61Akh4nJUl/7XSYKFU8Tj+jHYQBdw22EXEsgrhPuW
> gyTdH4TxHv40NmMOv9YQXOA0oyiXq/PXGA85gIhQyJdFoa4U8LXC++UBJCk3gNW8
> pOO2pFSJ8WAfOrK45Fcl/NgK4066BSqaQu6txnb/Bo/7VCPrPZvZ2/VgLaO/L6jD
> nb8sXBkozGtrS2sigKHx7HzJNb0r5EE1Uqbpk3YFYcntrl4afHs=
> =yRjT
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Tomcat with half open tcp sockets

[Alex O'Ree]

Does tomcat detect or mitigate against half open tcp connections? I
recently ran into an issue where something in between a java jaxws client
and a jaxws service running in tomcat is interfering with the tcp stream.
Resolving this client side has been a challenge due the transmitting thread
hanging forever waiting to read from the remote server and not being able
to be interrupted or aborted. While troubleshooting this, it dawned on me
that services running in tomcat may run into a similar problem and was
wondering if tomcat has any safe guards for this scenario. If it does, what
is the strategy used? I'm thinking maybe I can something similar client
side.

websocket endpoints not released

[Alex O'Ree]

I ran into a strange issue today. Running tomcat 8.5 with a websocket
endpoint + some javascript to wire up a browser to the socket. All works as
normal, however sometimes if the user refreshes the browser, it seems as if
second web socket is opened by the browser. This leads to the user seeing
duplicate messages which can be confusing. I do have code on the page for
navigation links to close the socket but i'm thinking i haven't handled all
cases. My assumption was that a full browser reload would trigger any open
websockets to close, but apparently they don't (at least with chrome). Has
anyone else ran into a similar issue?

Re: org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

>From what i understand, the postgres jdbc driver does support
reading/writing from a result set or command via a input or output stream,
however from my testing, it looks like it just buffers the whole thing in
memory. I actually had one case where i was able to insert 1.2GB of content
into a bytea column, but could not retrieve it. Something about invalid
allocation size. Postgres's limit is 1GB and they want you to use the large
object api. I think it stores it the file outside of the normal database
table file.

On Tue, Aug 28, 2018 at 10:18 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Torsten,
>
> On 8/28/18 09:27, Torsten Krah wrote:
> > Am Dienstag, den 28.08.2018, 09:21 -0400 schrieb Christopher
> > Schultz:
> >> Interesting. I wonder why Postgres decided not to support that
> >> through the standard JDBC API.
> >>
> >> Have you tried setting the "compatible" flag on the connection
> >> just to see if it works for you?
> >
> > I am curious - afaik the standard JDBC API does not support e.g. to
> > use seek() or truncate() on the BLOB to fast forward to some
> > position in the file - how would you do that with the standard API
> > Christopher - maybe i've missed that feature?
> >
> > The LargeObject API does support this.
>
> I've never tried doing random-access reads into BLOBs in a database
> before... that seems like an architectural mistake to me.
>
> But if I had to, I'd try to:
>
> ResultSet rs = ...;
> Blob blob = rs.getBlob("bigfield");
>
> // Take a chunk out of the middle
> byte[] chunk = blob.getBytes(start, length);
> // or
> InputStream readFromMiddle = blob.getBinaryStream(strart, length);
>
> // Truncate the blob
> blob.truncate(newEndPos);
>
> The Blob API isn't really that extensive... I'm not sure how you could
> have missed those methods in there. It's really all there is.
>
> Now... if Postgres artificially places a 1GiB limit on everything that
> goes through that API, well, then you are kind of screwed.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluFWbwACgkQHPApP6U8
> pFgpoxAAtWj6cROWQXgw/r6H/OeoHnOZI262JqajXi7L3QycYzVwNENNQ1v+fKNS
> AegRgAUTDnw0KBk2hPkZHaCEcNIuzshvxA9Vs2ptLynwEjoGXD17+ZXR85uy4Iq/
> bfmnhSAbDRiNg9VoTFw4Vmbx+dNXZUT8jfkGdWWvTH/27yws72vXSLH/bhnAa/IU
> R1eNqmWGbBIQiQaWk2YhSDKWfuQoNUXxiJPYR07u4MhtxGctPHN7nudZb2ZjFGaF
> qCidhoE6/tuNzkpLyMvrvMGHGCR3mP9Vc1UyHtwwckPTCV+rctV2MfpD7RG00K+m
> ABlhCpkw7n0YEGFe2GQet7xF5dB8aLtcv/XimE0/rkQzhzwMkFtRLS30ONwoCiPh
> ID3gLWOmLaAtlCjgO3/FWZbYqxs2yZYyO3xerukHoji4bUYPwfa1otJBQwrjVgZI
> OQGx4Wy173fjRsIXxdUzgw5hpwocLodtu/U+NGWWpTNNq83/1hw8hEaMHl3p729E
> qifq7DDAnws5nlchr2Njf24tScmNtqw1IZV5T2MU3LDvrhi3t5RukuMe5sSyl6S6
> wEqVfSVHNP/IP7XxtpalwbKSiU0D0kwTA9iBmOPA+aQfD05kFKAD9wT9YHgF5wAw
> NGFZBgIaB374sJWZgMQRl/dfHNrrfXV9Lk7OnHk+vXsrakd2O24=
> =6hok
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

I'm storing large files. Postgres has a limit for blobs and uses a
different api for larger stuff.  Cut off is 1gb

On Mon, Aug 27, 2018, 7:19 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 8/24/18 16:08, Alex O'Ree wrote:
> > I have a use case where i need to downcast a pooled database
> > connection down to the native class that is in use for the driver.
> > Unfortunately I don't see any APIs that I can use to do this. Is
> > there any backdoors or mechanisms I can use?
> >
> > Background, I'm using postgres with tomcat 8.5 and need to access
> > some postgres specific apis, (the large binary object api). I've
> > tried with both the tomcat based pool and the dbp2 connection
> > pooling too.
>
> What's wrong with the existing JDBC APIs for working with BLOBs? It's
> been a really long time since anyone has really had to down-cast JDBC
> interface types to their implementation types to get around
> deficiencies in the APIs.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluEhucACgkQHPApP6U8
> pFh0WA//X5aXgSlXTvwzOnlJdLVwm1Mpu/6FzHycBgK0S4MGlLggNvqdYs/p+ksz
> I6m1vRVPifozU6C7ljAzjOmquN5kG6r00fp4JwK9vehVLBbg991LyGPQe30mQytk
> S6b8qtFcBoAobP0j6KE29adSGJ8mwSAXcPE22NqBPlkj5vA1LwyNxxzgFVIL35lJ
> M5z6cuEfJDcD4pj4azLzdG63y1hWeSyVdRyNC4YaB7vD74+1p42EWoR37djtWzbg
> uvbM/OtsgGZsLeTWNSsR/eiupa0tgnbl99YNIIoSYyYKscS7e00sMs/vV9QxgXYL
> VfQSL3RJMQPmkl35mmyLx7tV0ztmNORpeSLKZM0SQBUTyoVTpm5hB5z7SyO9bxo3
> CUOUpKYQsf1z0BIxTgzwBa+Cs97Qpt/Bx8x/3goyIsAhlGWc+07KhzB0qvAz/vv6
> Pzc4GeLttvGHTeX3thSITEfffLNxydnrAZ0gpU/mZl0a64hIJZ9XcGCwU42ZPgaH
> CPEK9XmPC409zSIW0qMW5fS3dbIag8H7xxrFweu3aXUx1/jsEav0jHcR2J9NZMj2
> SA6qEM0NO+n5MjYat5KgD1G/kT7uDN4efKjakdApJLRy5mlAoe2z9gfcPozLu2aG
> T8SEAvTxd6//sF57l3O0qudXtLSHS4S14QHQsefC+AS8gL4h12Q=
> =D95E
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

I figured it out. Classpath issue. I had the postgres driver in my web app
and in tomcat's lib folder. Removing from the web app fixed it.

On Mon, Aug 27, 2018 at 9:47 AM Alex O'Ree  wrote:

> Unfortunately, it's not working. I've tried unwrap for both
> org.postgresql.jdbc.PgConnection (concrete class) and
> org.psotgresql.PGConnection (interface) and both of them fail to unwrap.
> Any other suggestions?
>
> On Sun, Aug 26, 2018 at 10:04 AM Alex O'Ree  wrote:
>
>> Perfect, thanks
>>
>> On Fri, Aug 24, 2018, 5:05 PM Torsten Krah  wrote:
>>
>>> The isWrapperFor(..) and unwrap(..) methods on the connection API should
>>> work for this.
>>>
>>

Re: org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

Unfortunately, it's not working. I've tried unwrap for both
org.postgresql.jdbc.PgConnection (concrete class) and
org.psotgresql.PGConnection (interface) and both of them fail to unwrap.
Any other suggestions?

On Sun, Aug 26, 2018 at 10:04 AM Alex O'Ree  wrote:

> Perfect, thanks
>
> On Fri, Aug 24, 2018, 5:05 PM Torsten Krah  wrote:
>
>> The isWrapperFor(..) and unwrap(..) methods on the connection API should
>> work for this.
>>
>

Re: org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

Perfect, thanks

On Fri, Aug 24, 2018, 5:05 PM Torsten Krah  wrote:

> The isWrapperFor(..) and unwrap(..) methods on the connection API should
> work for this.
>

org.apache.tomcat.jdbc.pool casting to original connection class

[Alex O'Ree]

I have a use case where i need to downcast a pooled database connection
down to the native class that is in use for the driver. Unfortunately I
don't see any APIs that I can use to do this. Is there any backdoors or
mechanisms I can use?

Background, I'm using postgres with tomcat 8.5 and need to access some
postgres specific apis, (the large binary object api). I've tried with both
the tomcat based pool and the dbp2 connection pooling too.

Re: user lockout realm, logging ip addresses

[Alex O'Ree]

Ok, I've picked up Chris's patch and was able to cobble together something.
Is there any guidance as to how a web app can subscribe to something like
this? I was thinking a singleton class with a register/unregister, but I'm
not sure how the tc community feels about singletons. It could also cause
some issues with webapps unloading and causing classloader leaks. It would
probably be better to have a registration hook somewhere in catalina
servlet land. Basically a webapp can cast the servlet context to a tomcat
class then register it's own listener. Standard context perhaps?

On Sat, Aug 18, 2018 at 9:58 AM, Alex O'Ree  wrote:

> after looking at the code, it's not a simple 1 liner and would require a
> number of api changes. I was able to get it working, but it is a large
> change set. Anyone that extends or builds a custom one of these:
> -Realm
> -AuthenticatorBase
> requires some changes. They are quick to make but it's a large impact. I'm
> not sure how this community feels about API changes and backwards
> compatibility.
>
> For the PR, do you all have a branch naming strategy?
>
> On Sat, Aug 18, 2018 at 8:20 AM, Alex O'Ree  wrote:
>
>> Cool beans. I can do a PR if there's interest.
>>
>> On Sat, Aug 18, 2018 at 7:59 AM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Mark and Alex,
>>>
>>> > On Aug 18, 2018, at 05:46, Mark Thomas  wrote:
>>> >
>>> >> On 18/08/18 10:36, Olaf Kock wrote:
>>> >>
>>> >>> On 18.08.2018 03:58, Alex O'Ree wrote:
>>> >>> Is it possible to configure the user lockout realm to log what ip
>>> address
>>> >>> the failed login attempt came from? I know the information needed
>>> will
>>> >>> also
>>> >>> be in the access log but added it to the "attempt to login from a
>>> locked
>>> >>> account" message would be super helpful. Would it be more advisable
>>> to
>>> >>> extend the existing lockout realm and modify the log statements
>>> myself?
>>> >> Looking at the source here:
>>> >> https://github.com/apache/tomcat/blob/trunk/java/org/apache/
>>> catalina/realm/LockOutRealm.java#L216
>>> >> and here:
>>> >> https://github.com/apache/tomcat/blob/trunk/java/org/apache/
>>> catalina/realm/LocalStrings.properties#L91,
>>> >> you can't configure it. But the realm is simple and you can roll your
>>> own.
>>> >>
>>> >> Is it advisable? If you want that information in this log message: It
>>> >> might be your only option. You'll have to decide how intensely you'd
>>> >> like to have it.
>>> >
>>> > You need this too:
>>> > https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>>
>>> I still fully intend to flesh this out.
>>>
>>> Gotta finish a big project at $work first though.
>>>
>>> -chris
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>
>

Re: user lockout realm, logging ip addresses

[Alex O'Ree]

after looking at the code, it's not a simple 1 liner and would require a
number of api changes. I was able to get it working, but it is a large
change set. Anyone that extends or builds a custom one of these:
-Realm
-AuthenticatorBase
requires some changes. They are quick to make but it's a large impact. I'm
not sure how this community feels about API changes and backwards
compatibility.

For the PR, do you all have a branch naming strategy?

On Sat, Aug 18, 2018 at 8:20 AM, Alex O'Ree  wrote:

> Cool beans. I can do a PR if there's interest.
>
> On Sat, Aug 18, 2018 at 7:59 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Mark and Alex,
>>
>> > On Aug 18, 2018, at 05:46, Mark Thomas  wrote:
>> >
>> >> On 18/08/18 10:36, Olaf Kock wrote:
>> >>
>> >>> On 18.08.2018 03:58, Alex O'Ree wrote:
>> >>> Is it possible to configure the user lockout realm to log what ip
>> address
>> >>> the failed login attempt came from? I know the information needed will
>> >>> also
>> >>> be in the access log but added it to the "attempt to login from a
>> locked
>> >>> account" message would be super helpful. Would it be more advisable to
>> >>> extend the existing lockout realm and modify the log statements
>> myself?
>> >> Looking at the source here:
>> >> https://github.com/apache/tomcat/blob/trunk/java/org/apache/
>> catalina/realm/LockOutRealm.java#L216
>> >> and here:
>> >> https://github.com/apache/tomcat/blob/trunk/java/org/apache/
>> catalina/realm/LocalStrings.properties#L91,
>> >> you can't configure it. But the realm is simple and you can roll your
>> own.
>> >>
>> >> Is it advisable? If you want that information in this log message: It
>> >> might be your only option. You'll have to decide how intensely you'd
>> >> like to have it.
>> >
>> > You need this too:
>> > https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>
>> I still fully intend to flesh this out.
>>
>> Gotta finish a big project at $work first though.
>>
>> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

programmatically adding new users to tomcat-users.xml

[Alex O'Ree]

I'd like to provide users a mechanism to create their own user accounts via
browser instead of requiring access to the server + editing xml files.

I found this solution here
https://stackoverflow.com/a/39770319/1203182
and i found the APIs here
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/users/MemoryUserDatabase.html

and it looks like it will work but I do have a question. I am using
password hashing for storing passwords. When passing the password over to
the UserDatabase api (createUser) am I supposed to send the clear text
password over or do i need to hash it myself using the same mechanisms
defined in realm config?

Re: user lockout realm, logging ip addresses

[Alex O'Ree]

Cool beans. I can do a PR if there's interest.

On Sat, Aug 18, 2018 at 7:59 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mark and Alex,
>
> > On Aug 18, 2018, at 05:46, Mark Thomas  wrote:
> >
> >> On 18/08/18 10:36, Olaf Kock wrote:
> >>
> >>> On 18.08.2018 03:58, Alex O'Ree wrote:
> >>> Is it possible to configure the user lockout realm to log what ip
> address
> >>> the failed login attempt came from? I know the information needed will
> >>> also
> >>> be in the access log but added it to the "attempt to login from a
> locked
> >>> account" message would be super helpful. Would it be more advisable to
> >>> extend the existing lockout realm and modify the log statements myself?
> >> Looking at the source here:
> >> https://github.com/apache/tomcat/blob/trunk/java/org/
> apache/catalina/realm/LockOutRealm.java#L216
> >> and here:
> >> https://github.com/apache/tomcat/blob/trunk/java/org/
> apache/catalina/realm/LocalStrings.properties#L91,
> >> you can't configure it. But the realm is simple and you can roll your
> own.
> >>
> >> Is it advisable? If you want that information in this log message: It
> >> might be your only option. You'll have to decide how intensely you'd
> >> like to have it.
> >
> > You need this too:
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>
> I still fully intend to flesh this out.
>
> Gotta finish a big project at $work first though.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

user lockout realm, logging ip addresses

[Alex O'Ree]

Is it possible to configure the user lockout realm to log what ip address
the failed login attempt came from? I know the information needed will also
be in the access log but added it to the "attempt to login from a locked
account" message would be super helpful. Would it be more advisable to
extend the existing lockout realm and modify the log statements myself?

Re: Programmatically unlocking an account?

[Alex O'Ree]

No problem.  Thanks!

On Mon, Aug 13, 2018, 3:52 AM Mark Thomas  wrote:

> On 13/08/18 00:32, Alex O'Ree wrote:
> > Thanks everyone. Would it be possible to get this backported to 8.5?
>
> Done. Although I'm afraid it just missed the cut for the 8.5.33 release.
> It will be in 8.5.34 onwards.
>
> Mark
>
>
> >
> > On Tue, Jun 26, 2018 at 12:17 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Alex,
> >
> > On 6/25/18 8:49 PM, Alex O'Ree wrote:
> >>>> Actually I figured it out. It is possible via the mx bean. I'd like
> >>>> to request that the method isLocked be changed to public in a
> >>>> future version.
> >
> > In spite of my affinity for JMX, I completely forgot about it in this
> > case! Sorry for the confusion.
> >
> > Presumably, you want both isLocked(String) and unlock(String) to be
> > made public?
> >
> > Looks like Mark did exactly that with his latest commit.
> >
> > -chris
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Programmatically unlocking an account?

[Alex O'Ree]

Thanks everyone. Would it be possible to get this backported to 8.5?

On Tue, Jun 26, 2018 at 12:17 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 6/25/18 8:49 PM, Alex O'Ree wrote:
> > Actually I figured it out. It is possible via the mx bean. I'd like
> > to request that the method isLocked be changed to public in a
> > future version.
>
> In spite of my affinity for JMX, I completely forgot about it in this
> case! Sorry for the confusion.
>
> Presumably, you want both isLocked(String) and unlock(String) to be
> made public?
>
> Looks like Mark did exactly that with his latest commit.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsyZyEACgkQHPApP6U8
> pFhdOBAAlfMA4PeO4EsdyO5XI7RC4erocWAm0Ws8j6w3Q5kzMIQIgc1knKrdBHvP
> gNCoNk39gcdrbF7PzcQMSByaBCf9m09Omgd8plcv3ND/TTCOUbsStwKJpevQQF0E
> ZwFxrNWg8CgsEjJNxgNqWEUm++LIFGGXA9HNeV41cdCBd3E2jQBbuB3CD9Y5VNxm
> RawLNOvlIpjLrx0uTmdH1LeQQ2XdjuiMMZIP/vxqQO2uxO5IogF7JYRCdsxGpd/f
> DQ4ADT8tWjM3vcWwj7BL7vo/D5VCYD3rhOLFIje0lF+7+ZsfCjpkvI+AA+8eo+C6
> lmaUFNj8vkEWV61KUmgPXSMiTGKZ+7kaMG7BcW6VyavrGkJWWfnJ4TDUrzZzpkYs
> NGU3OdruTVwJKufho1PTxv3HF6i4m6SfcsJE/1Y/md9BPhbl1rYU07q+cN54UJfy
> P9vFkXieYaCYUOCTpJsWC9GWJcs4E6aCPNTEiC1ycL2KS81y3aGewizl8Plnh/FD
> sQ+ZZbqIVGieo40jskpjjzSFaZxp7JWGb+Y0Iu+TjW6BWJthfMj6tDlZBAQwitXQ
> D5usdsBNF+qNACKxBmizcgtUG+5J/2+JVvGQ2iFltnF7kN8ahjZy6TkdAzT3NHTy
> hbajJa8URa6pRymAa5Kzk6kqJlgEEPAHL/anRzjY8J93AZ7LaN4=
> =MBiJ
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Requirements for servlet session attributes?

[Alex O'Ree]

The jaws client maybe takes 100ms to fire up.  So it's not terrible slow
but the overall website is noticeably faster when caching it. All of the
resources (wsdls, xsds) are local but there's a quite a few of them.

Caching this object does not work as a session attribute.
HttpServletRequest#setAttribute("mykey", clientObjectHere);
followed by
HttpServletRequest#getAttribute("mykey") == null on subsequent http
requests.

ServletContext#setAttribute and getAttribute does work however it is not
viable in my situation


On Jul 1, 2018 9:43 AM, "Christopher Schultz" 
wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,


On 7/1/18 7:48 AM, Alex O'Ree wrote:
> I was working on attempting to increase performance on a web app
> which calls a jaxws service on behalf of the user. The process for
> creating the jaxws client is somewhat slow so I was to try and
> cache the the jaxws client object as an HTTP session attribute. It
> doesn't work for some reason.

Can you define "doesn't work"?


> What does work is attaching the jaxws client object to the
> application context, however this isn't a feasible solution.

So, placing the client into the application via
ServletContex.setAttribute("jaxclient", client) works?


> I vaguely recall running into a similar problem with performing the
> same task in jboss which i think had the requirement for adding a
> @Serializable annotation to anything added to the session object.
> Does tomcat require the same?

Tomcat itself has no specific requirement for session attributes to be
Serializable, unless you want your sessions to be "distributable" (as
in a cluster). If you want to improve performance, using clustering
isn't a great strategy, though.

Tomcat won't fail immediately when adding a non-serializable object to
the session. Instead, it will fail/log-error at the end of the
request-processing when the changes to the session are propagated to
the other node(s) in the cluster. Thus, your local session *should*
continue to work.

I'm curious about what takes so long when creating the JAXWS client.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAls42lEACgkQHPApP6U8
pFhiyw//bRNRj/r6jvIi4WEBHTFt154fmvumT2eL56o3dmfxP+byylgcbwWm7z+P
FvFkR76Vs15P7oSHARsCsSs3xfq46Nn/MyUkZzjdzFSXn4O39AOuzVB2M0NNMsrG
G6xgrBxGCHD3Zfmk4R2cysqpDkWXjNDS1UlBgyn8DfO2kbjZu6f1OxU6Z9xtYDc0
Shjfe+qrFo0kqI3XiJbn0PWB1QtTcF7eKjsOZMub/UsR5F1zH3KgdD7FYOvVllbP
BaBxTdov6Jvbjg0RLKa9+fEmWFGbGkBq1daFLm6+SovSg1KXBzzidDi8k8qAly/P
XjnNjV44l9mj4Uw1I7gArwvOGk/rm6X7m5NjIfeKjnB0rHpHwuqrrSL6sOvX2cEW
UA+TX1sq06e9jeUiAzeS27H+Imfk6pNJycp5sW2JPiR7QTlvJwwJKlYIIs9TEiDo
veQ0hAVRWTc/BPsthXJVakNW0cpySg8Jost/n0jBnl+ryjPnorBdCx6PVLbJ2RnY
1le5p4QCZRLRekDvO2PsGP0TRADWttPilumteTPgDR33KqookS9n02S9Ct6Lobdx
6YXFqtrlAMFzgdvyTtGgRU2J0a95JZWsLme+hLFqsiIAyS+wP8JfewhZr2paGFtI
aTKdqTgyAXa6JmQqHOlZL6i+D8B6RawRl1xlcRc1FF1uEdPDmvc=
=Y2qD
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Requirements for servlet session attributes?

[Alex O'Ree]

I was working on attempting to increase performance on a web app which
calls a jaxws service on behalf of the user. The process for creating the
jaxws client is somewhat slow so I was to try and cache the the jaxws
client object as an HTTP session attribute. It doesn't work for some reason.

What does work is attaching the jaxws client object to the application
context, however this isn't a feasible solution.

I vaguely recall running into a similar problem with performing the same
task in jboss which i think had the requirement for adding a @Serializable
annotation to anything added to the session object. Does tomcat require the
same?

Re: tomcat with laptop + windows sleep

[Alex O'Ree]

I also see a lot of jdbc/my name is not bound in this context. Unable to
find jdbc

On Thu, May 24, 2018, 5:30 PM Alex O'Ree  wrote:

> Yes it is a tomcat managed data source with postgres. The cpu usage is my
> app trying to get a managed data source. Perhaps the jdbc driver is the
> issue. ..
>
> On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Alex,
>>
>> On 5/22/18 7:39 PM, Alex O'Ree wrote:
>> > I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
>> > used to be able to put a computer to "sleep" with tomcat running.
>> > On resume, everything would be just fine. On tomcat 8.5, i'm
>> > noticing that all database connections are basically dropped and do
>> > not appear to to restart/resume when the computer resumes. Actually
>> > the whole computer runs super slow until i kill the tomcat process.
>> > I'm not entirely sure what's going on here. Has anyone else noticed
>> > this kind of behavior?
>>
>> Are you using a tomcat-configured DataSource in your application? If
>> so, what does the configuration look like?
>>
>> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
>> MacOS and I haven't noticed any problems when my laptop goes to sleep.
>> I'm using Oracle Java 1.8.0_131 in this particular case.
>>
>> When it's running slowly, can you tell which process is taking up all
>> the CPU (or disk)? Try using the Process Explorer to single-out a
>> process. If it's Tomcat (java.exe), take a thread dump to see what
>> Tomcat is doing.
>>
>> - -chris
>> -BEGIN PGP SIGNATURE-
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsFiIkACgkQHPApP6U8
>> pFi70g/8D9R8EkjpCeNziAUeQmWwxHwui+jbOd1rGjG7EID21mmmJJgw5IO1O8ok
>> F7GUWC8KloqFJ59m+Ib/3NCL5QkiuE/X++AyvDxgwuI1eqlxi86Gu7Jxw6wsfUj2
>> K1Ovp+jUeNEhuxPfx7zBiHXQPa1kN+B7ExxOyVEeybRalF27hlums2zF6IlC4VKm
>> LP2CFqMeEXMbLBEI6wXJrznxlcINwkQzYlX7EAbXzD4tOookS9wYhBeXi+3Yjugp
>> JbMUzIxOVKDzi2W8WYVRPhnhxSjVe5CVsQ32ghlwPEwzbMAgVcoQ7cwZ9r9l1Pg1
>> Z8GMiAk4Ui9m+TlKbW5N1r2RgSKLdhk4yUETgr+ykkyaMhc8Wt46vM1bdGjIgX6W
>> CCj/BHcM5IdLb56m1L0wiG82dftYlBNfu3hAlnoJls1GiVtRg5Ph5Dit+t2xH3Kh
>> GpS9r9HhzqbA3tjv4NSR6oRj5UXc/mu1qj93CFoGPf6ZwC5QiHWOMbeegLJxOXVK
>> yuIK1gl3ehTQhgcB+B2wK+0Id3gtcwOmzdzM3by2aSH+glfpwH3vRlYPLVUpAUf9
>> 7oNuMVwhGHFRKL+PF5o0hVldI/jFF2TqLdiQilTe4pfsRGKslgRJce0TIZT5ZSm5
>> jsQ2nCm1En7b+HW2hOeh2JjRkwwLqa5XIu7pjB2TVY1vhIJkdXs=
>> =aQz0
>> -END PGP SIGNATURE-
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: tomcat with laptop + windows sleep

[Alex O'Ree]

Looking at my stack traces it seems pretty clear. Tomcat can't
lookup/establish a connection to the database because the postgres jdbc
driver failed because of a socket exception, "the network is unreachable".
I'm not sure why this behavior is different from tomcat 7 to 8.5 but it's
becoming a bit of an issue.
SQLException, cannot create PoolableConnectionFactory (The connection
attempt failed) from
org.apache.toimcat.dbcp.dbcp2.BasicDataSource

I do recall there being something different related to database pooling
with tomcat 7 vs 8. Perhaps the delta is there?

On Sun, Jun 3, 2018 at 11:13 AM, Alex O'Ree  wrote:

> I did not copy any tomcat specific jars. I have validation queries
> implemented programmatically.
>
> On Sun, Jun 3, 2018 at 8:44 AM, Felix Schumacher  internetallee.de> wrote:
>
>>
>>
>> Am 02.06.2018 um 20:51 schrieb Alex O'Ree:
>>
>>> I think I've narrowed it down to an issue specific with terracotta quartz
>>> based jobs. I've wired it into using tomcat's jdbc connection pooling.
>>> I'm
>>> also using a super
>>> old version of it so that could be part of the problem. Interestingly
>>> this
>>> didn't happen with tomcat7 but it's more than probably some other change
>>> on
>>> my
>>> end caused this rather strange situation.  Anyhow, it's probably not
>>> tomcat.
>>>
>>
>> You copied the jdbc pool jars from tomcat 7 into tomcat 8.5? Why?
>>
>>
>>> Context.xml is something like this
>>>
>>>
>>> >> type="javax.sql.DataSource"
>>> maxActive="50" maxIdle="30" maxWait="1"
>>> username="user" password="a password"
>>> driverClassName="org.postgresql.Driver"
>>> factory="my.custom.EncryptedConnectionFactory"
>>> url="jdbc:postgresql://localhost:5432/my_database"
>>> />
>>>
>>
>> You could enable validation queries, so that the pool will check the
>> connections validity before handing it out to your application.
>>
>> Regards,
>>  Felix
>>
>>
>>> The encrypted connection factory extends the default one and supports a
>>> basic ciphered password
>>>
>>>
>>>
>>>
>>> On Sat, Jun 2, 2018, 1:34 PM Felix Schumacher >> internetallee.de> wrote:
>>>
>>>
>>>> Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree :
>>>>
>>>>> Yes it is a tomcat managed data source with postgres. The cpu usage is
>>>>> my
>>>>> app trying to get a managed data source. Perhaps the jdbc driver is the
>>>>> issue. ..
>>>>>
>>>> Care to post your configuration? Maybe there are some changes missing
>>>> when
>>>> you updated to the newer version.
>>>>
>>>> Regards,
>>>>   Felix
>>>>
>>>> On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
>>>>> ch...@christopherschultz.net> wrote:
>>>>>
>>>>> -BEGIN PGP SIGNED MESSAGE-
>>>>>> Hash: SHA256
>>>>>>
>>>>>> Alex,
>>>>>>
>>>>>> On 5/22/18 7:39 PM, Alex O'Ree wrote:
>>>>>>
>>>>>>> I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
>>>>>>> used to be able to put a computer to "sleep" with tomcat running.
>>>>>>> On resume, everything would be just fine. On tomcat 8.5, i'm
>>>>>>> noticing that all database connections are basically dropped and do
>>>>>>> not appear to to restart/resume when the computer resumes. Actually
>>>>>>> the whole computer runs super slow until i kill the tomcat process.
>>>>>>> I'm not entirely sure what's going on here. Has anyone else noticed
>>>>>>> this kind of behavior?
>>>>>>>
>>>>>> Are you using a tomcat-configured DataSource in your application? If
>>>>>> so, what does the configuration look like?
>>>>>>
>>>>>> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
>>>>>> MacOS and I haven't noticed any problems when my laptop goes to
>>>>>>
>>>>> sleep.
>>>>>
>>>>>> I'm using Oracle Java 1.8.0_131 in this particular case.
>>>>>>
>>>>>> When it's running slowly, 

Re: Programmatically unlocking an account?

[Alex O'Ree]

Actually I figured it out. It is possible via the mx bean. I'd like to
request that the method isLocked be changed to public in a future version.

The use case is not a typical one but I'd like admins to know if a service
account is locked out for some reason and to be able to reset it if
necessary. The timeout is 15 minutes but the account is frequently used by
service processes which causes the timeout to continually get reset (unless
I am misunderstanding the code)

On Mon, Jun 25, 2018, 7:13 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 6/25/18 3:24 PM, Alex O'Ree wrote:
> > Is it possible to programmatically unlock an account that's been
> > locked via the lockoutrealm and the simple xml user store?
>
> Regardless of the user-storage mechanism, the answer is no.
>
> > If so, how?
>
> Sorry.
>
> What's the use-case, here? Support gets a call saying "please unlock
> this account"? What's the lock-timeout in your environment?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsxdvgACgkQHPApP6U8
> pFhrRw//VrUjvQBr3krQMZqzViTmrSK6t/JIpeRAxz17PZ9Pvo9K5OIrKcP1tx/x
> nAFJvkzIiMX4RL7i/6UEx65INiSONApIOOmfFAXKwpjPiHsRxulYMskMi4V8TYNq
> coT7gJUZxq2OBu3XjmeYkGvuxEsqKdMLzFXdWWmaDLd1slxDFThWnXz8RRORIV3u
> Y59zo17tMysI1stdO7OdNKEVuFUFIUJZWMwqRMWYEumOXqOI7ExMLiVlWPeuITuz
> eKCpssMBwolMsjJJlr723YXfsd93yhAsoKaH4lASEhECcXRZHjUgAP5nheWpYTp3
> UhqsUKi8gwINq31UA+Lw6n/aq3OIRzPLhcTaeSXcE5lJ40A85cb+O8rxeuarfM9t
> CSlWVsYa9XPQHUmEApVfo2nVSx2xIorRHMOHvcOToKPRcVtw89xraH7Jykx86eW0
> SCc2DsZWZOtU9HQ8cpDb2ySSlccATYllLPkQEU7Wwq6y0f9Y8CMOZybmZEVC6ghb
> so0F8rq7j1ZL5VjhekEcrvF0eGrKlmIlDxnuz0OgY97JkA4PISopthfT+Ayn2dEj
> i2TbrlkBBYMdjys0be7PSLSqyZvypQIKsTgYa4RK2k8bQeDW/xvrs7UWT14Kp4l0
> M7UpvqeKXNYMYv5cgH/nFV7R8Vj6lnxvtRCXMjySOljzMq7pmE8=
> =R1Pn
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Programmatically unlocking an account?

[Alex O'Ree]

Is it possible to programmatically unlock an account that's been locked via
the lockoutrealm and the simple xml user store? If so, how?

Re: tomcat with laptop + windows sleep

[Alex O'Ree]

I did not copy any tomcat specific jars. I have validation queries
implemented programmatically.

On Sun, Jun 3, 2018 at 8:44 AM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

>
>
> Am 02.06.2018 um 20:51 schrieb Alex O'Ree:
>
>> I think I've narrowed it down to an issue specific with terracotta quartz
>> based jobs. I've wired it into using tomcat's jdbc connection pooling. I'm
>> also using a super
>> old version of it so that could be part of the problem. Interestingly this
>> didn't happen with tomcat7 but it's more than probably some other change
>> on
>> my
>> end caused this rather strange situation.  Anyhow, it's probably not
>> tomcat.
>>
>
> You copied the jdbc pool jars from tomcat 7 into tomcat 8.5? Why?
>
>
>> Context.xml is something like this
>>
>>
>> > type="javax.sql.DataSource"
>> maxActive="50" maxIdle="30" maxWait="1"
>> username="user" password="a password"
>> driverClassName="org.postgresql.Driver"
>> factory="my.custom.EncryptedConnectionFactory"
>> url="jdbc:postgresql://localhost:5432/my_database"
>> />
>>
>
> You could enable validation queries, so that the pool will check the
> connections validity before handing it out to your application.
>
> Regards,
>  Felix
>
>
>> The encrypted connection factory extends the default one and supports a
>> basic ciphered password
>>
>>
>>
>>
>> On Sat, Jun 2, 2018, 1:34 PM Felix Schumacher > internetallee.de> wrote:
>>
>>
>>> Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree :
>>>
>>>> Yes it is a tomcat managed data source with postgres. The cpu usage is
>>>> my
>>>> app trying to get a managed data source. Perhaps the jdbc driver is the
>>>> issue. ..
>>>>
>>> Care to post your configuration? Maybe there are some changes missing
>>> when
>>> you updated to the newer version.
>>>
>>> Regards,
>>>   Felix
>>>
>>> On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>>
>>>> -BEGIN PGP SIGNED MESSAGE-
>>>>> Hash: SHA256
>>>>>
>>>>> Alex,
>>>>>
>>>>> On 5/22/18 7:39 PM, Alex O'Ree wrote:
>>>>>
>>>>>> I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
>>>>>> used to be able to put a computer to "sleep" with tomcat running.
>>>>>> On resume, everything would be just fine. On tomcat 8.5, i'm
>>>>>> noticing that all database connections are basically dropped and do
>>>>>> not appear to to restart/resume when the computer resumes. Actually
>>>>>> the whole computer runs super slow until i kill the tomcat process.
>>>>>> I'm not entirely sure what's going on here. Has anyone else noticed
>>>>>> this kind of behavior?
>>>>>>
>>>>> Are you using a tomcat-configured DataSource in your application? If
>>>>> so, what does the configuration look like?
>>>>>
>>>>> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
>>>>> MacOS and I haven't noticed any problems when my laptop goes to
>>>>>
>>>> sleep.
>>>>
>>>>> I'm using Oracle Java 1.8.0_131 in this particular case.
>>>>>
>>>>> When it's running slowly, can you tell which process is taking up all
>>>>> the CPU (or disk)? Try using the Process Explorer to single-out a
>>>>> process. If it's Tomcat (java.exe), take a thread dump to see what
>>>>> Tomcat is doing.
>>>>>
>>>>> - -chris
>>>>> -BEGIN PGP SIGNATURE-
>>>>> Comment: GPGTools - http://gpgtools.org
>>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>>
>>>>> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsFiIkACgkQHPApP6U8
>>>>> pFi70g/8D9R8EkjpCeNziAUeQmWwxHwui+jbOd1rGjG7EID21mmmJJgw5IO1O8ok
>>>>> F7GUWC8KloqFJ59m+Ib/3NCL5QkiuE/X++AyvDxgwuI1eqlxi86Gu7Jxw6wsfUj2
>>>>> K1Ovp+jUeNEhuxPfx7zBiHXQPa1kN+B7ExxOyVEeybRalF27hlums2zF6IlC4VKm
>>>>> LP2CFqMeEXMbLBEI6wXJrznxlcINwkQzYlX7EAbXzD4tOookS9wYhBeXi+3Yjugp
>>>>> JbMUzIxOVKDzi2W8WYVRPhnhxSjVe5CVsQ32ghlwPEwzbMAgVcoQ7cwZ9r9l1Pg1
>>>>> Z8GMiAk4Ui9m+TlKbW5N1r2RgSKLdhk4yUETgr+ykkyaMhc8Wt46vM1bdGjIgX6W
>>>>> CCj/BHcM5IdLb56m1L0wiG82dftYlBNfu3hAlnoJls1GiVtRg5Ph5Dit+t2xH3Kh
>>>>> GpS9r9HhzqbA3tjv4NSR6oRj5UXc/mu1qj93CFoGPf6ZwC5QiHWOMbeegLJxOXVK
>>>>> yuIK1gl3ehTQhgcB+B2wK+0Id3gtcwOmzdzM3by2aSH+glfpwH3vRlYPLVUpAUf9
>>>>> 7oNuMVwhGHFRKL+PF5o0hVldI/jFF2TqLdiQilTe4pfsRGKslgRJce0TIZT5ZSm5
>>>>> jsQ2nCm1En7b+HW2hOeh2JjRkwwLqa5XIu7pjB2TVY1vhIJkdXs=
>>>>> =aQz0
>>>>> -END PGP SIGNATURE-
>>>>>
>>>>> -
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: tomcat with laptop + windows sleep

[Alex O'Ree]

I think I've narrowed it down to an issue specific with terracotta quartz
based jobs. I've wired it into using tomcat's jdbc connection pooling. I'm
also using a super
old version of it so that could be part of the problem. Interestingly this
didn't happen with tomcat7 but it's more than probably some other change on
my
end caused this rather strange situation.  Anyhow, it's probably not tomcat.

Context.xml is something like this




The encrypted connection factory extends the default one and supports a
basic ciphered password




On Sat, Jun 2, 2018, 1:34 PM Felix Schumacher  wrote:

>
>
> Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree :
> >Yes it is a tomcat managed data source with postgres. The cpu usage is
> >my
> >app trying to get a managed data source. Perhaps the jdbc driver is the
> >issue. ..
>
> Care to post your configuration? Maybe there are some changes missing when
> you updated to the newer version.
>
> Regards,
>  Felix
>
> >
> >On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
> >ch...@christopherschultz.net> wrote:
> >
> >> -BEGIN PGP SIGNED MESSAGE-
> >> Hash: SHA256
> >>
> >> Alex,
> >>
> >> On 5/22/18 7:39 PM, Alex O'Ree wrote:
> >> > I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
> >> > used to be able to put a computer to "sleep" with tomcat running.
> >> > On resume, everything would be just fine. On tomcat 8.5, i'm
> >> > noticing that all database connections are basically dropped and do
> >> > not appear to to restart/resume when the computer resumes. Actually
> >> > the whole computer runs super slow until i kill the tomcat process.
> >> > I'm not entirely sure what's going on here. Has anyone else noticed
> >> > this kind of behavior?
> >>
> >> Are you using a tomcat-configured DataSource in your application? If
> >> so, what does the configuration look like?
> >>
> >> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
> >> MacOS and I haven't noticed any problems when my laptop goes to
> >sleep.
> >> I'm using Oracle Java 1.8.0_131 in this particular case.
> >>
> >> When it's running slowly, can you tell which process is taking up all
> >> the CPU (or disk)? Try using the Process Explorer to single-out a
> >> process. If it's Tomcat (java.exe), take a thread dump to see what
> >> Tomcat is doing.
> >>
> >> - -chris
> >> -BEGIN PGP SIGNATURE-
> >> Comment: GPGTools - http://gpgtools.org
> >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >>
> >> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsFiIkACgkQHPApP6U8
> >> pFi70g/8D9R8EkjpCeNziAUeQmWwxHwui+jbOd1rGjG7EID21mmmJJgw5IO1O8ok
> >> F7GUWC8KloqFJ59m+Ib/3NCL5QkiuE/X++AyvDxgwuI1eqlxi86Gu7Jxw6wsfUj2
> >> K1Ovp+jUeNEhuxPfx7zBiHXQPa1kN+B7ExxOyVEeybRalF27hlums2zF6IlC4VKm
> >> LP2CFqMeEXMbLBEI6wXJrznxlcINwkQzYlX7EAbXzD4tOookS9wYhBeXi+3Yjugp
> >> JbMUzIxOVKDzi2W8WYVRPhnhxSjVe5CVsQ32ghlwPEwzbMAgVcoQ7cwZ9r9l1Pg1
> >> Z8GMiAk4Ui9m+TlKbW5N1r2RgSKLdhk4yUETgr+ykkyaMhc8Wt46vM1bdGjIgX6W
> >> CCj/BHcM5IdLb56m1L0wiG82dftYlBNfu3hAlnoJls1GiVtRg5Ph5Dit+t2xH3Kh
> >> GpS9r9HhzqbA3tjv4NSR6oRj5UXc/mu1qj93CFoGPf6ZwC5QiHWOMbeegLJxOXVK
> >> yuIK1gl3ehTQhgcB+B2wK+0Id3gtcwOmzdzM3by2aSH+glfpwH3vRlYPLVUpAUf9
> >> 7oNuMVwhGHFRKL+PF5o0hVldI/jFF2TqLdiQilTe4pfsRGKslgRJce0TIZT5ZSm5
> >> jsQ2nCm1En7b+HW2hOeh2JjRkwwLqa5XIu7pjB2TVY1vhIJkdXs=
> >> =aQz0
> >> -END PGP SIGNATURE-
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: tomcat with laptop + windows sleep

[Alex O'Ree]

Yes it is a tomcat managed data source with postgres. The cpu usage is my
app trying to get a managed data source. Perhaps the jdbc driver is the
issue. ..

On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 5/22/18 7:39 PM, Alex O'Ree wrote:
> > I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
> > used to be able to put a computer to "sleep" with tomcat running.
> > On resume, everything would be just fine. On tomcat 8.5, i'm
> > noticing that all database connections are basically dropped and do
> > not appear to to restart/resume when the computer resumes. Actually
> > the whole computer runs super slow until i kill the tomcat process.
> > I'm not entirely sure what's going on here. Has anyone else noticed
> > this kind of behavior?
>
> Are you using a tomcat-configured DataSource in your application? If
> so, what does the configuration look like?
>
> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
> MacOS and I haven't noticed any problems when my laptop goes to sleep.
> I'm using Oracle Java 1.8.0_131 in this particular case.
>
> When it's running slowly, can you tell which process is taking up all
> the CPU (or disk)? Try using the Process Explorer to single-out a
> process. If it's Tomcat (java.exe), take a thread dump to see what
> Tomcat is doing.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsFiIkACgkQHPApP6U8
> pFi70g/8D9R8EkjpCeNziAUeQmWwxHwui+jbOd1rGjG7EID21mmmJJgw5IO1O8ok
> F7GUWC8KloqFJ59m+Ib/3NCL5QkiuE/X++AyvDxgwuI1eqlxi86Gu7Jxw6wsfUj2
> K1Ovp+jUeNEhuxPfx7zBiHXQPa1kN+B7ExxOyVEeybRalF27hlums2zF6IlC4VKm
> LP2CFqMeEXMbLBEI6wXJrznxlcINwkQzYlX7EAbXzD4tOookS9wYhBeXi+3Yjugp
> JbMUzIxOVKDzi2W8WYVRPhnhxSjVe5CVsQ32ghlwPEwzbMAgVcoQ7cwZ9r9l1Pg1
> Z8GMiAk4Ui9m+TlKbW5N1r2RgSKLdhk4yUETgr+ykkyaMhc8Wt46vM1bdGjIgX6W
> CCj/BHcM5IdLb56m1L0wiG82dftYlBNfu3hAlnoJls1GiVtRg5Ph5Dit+t2xH3Kh
> GpS9r9HhzqbA3tjv4NSR6oRj5UXc/mu1qj93CFoGPf6ZwC5QiHWOMbeegLJxOXVK
> yuIK1gl3ehTQhgcB+B2wK+0Id3gtcwOmzdzM3by2aSH+glfpwH3vRlYPLVUpAUf9
> 7oNuMVwhGHFRKL+PF5o0hVldI/jFF2TqLdiQilTe4pfsRGKslgRJce0TIZT5ZSm5
> jsQ2nCm1En7b+HW2hOeh2JjRkwwLqa5XIu7pjB2TVY1vhIJkdXs=
> =aQz0
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

tomcat with laptop + windows sleep

[Alex O'Ree]

I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I used to
be able to put a computer to "sleep" with tomcat running. On resume,
everything would be just fine. On tomcat 8.5, i'm noticing that all
database connections are basically dropped and do not appear to to
restart/resume when the computer resumes. Actually the whole computer runs
super slow until i kill the tomcat process. I'm not entirely sure what's
going on here. Has anyone else noticed this kind of behavior?

Re: Tomcat Silent Remote Uninstall - How to do it?

[Alex O'Ree]

Pretty sure there is a script in the bin folder that can be ran from an
elevated the command line. Something like 'service install', then call 'net
start tomcat8'

On Fri, Apr 20, 2018 at 4:53 PM, <
ross.a.reichenber...@wellsfargo.com.invalid> wrote:

> Hello,
> I need to know how to silently remotely uninstall Tomcat (8.0.23) on
> 2012R2 64 bit server? I have many servers that I need to uninstall this
> version from so that I can install an updated version.
>
> I know there is a silent install command but I have not been able to find
> a silent uninstall option?
>
> Any users who have any insights on how others are doing this please let me
> know!
>
> Please let me know!
> Thanks
> Ross
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: User session validation

[Alex O'Ree]

Thanks for the info

On Thu, Mar 29, 2018, 12:30 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 3/28/18 7:20 PM, Alex O'Ree wrote:
> > Does tomcat do any validation on session id's based on up
> > addresses? I'm thinking that if some one intercepts the session
> > token and tries to use it from another ip address,  then it's
> > feasible to detect this and invalidate the session.
>
> This is basically a session-fixation attack[1]. Another flavor of the
> attack is to simply guess a valid session id and take-over the session.
>
> Tomcat does not include any capabilities to mitigate these attacks.
> It's fairly easy to implement such a mitigation by using a Filter that
> does something like this:
>
>
>   void doFilter() {
> session = request.getSession(false);
> if(null != session) {
>   if(!session.storedIP.equals(request.IP))
> response.sendError(403);
> }
> // invoke the filer chain
>   }
>
> There are several problems with this technique, not the least of which
> is that any proxy between you and the client will change the IP
> address of the "client" such that multiple clients can look like a
> single IP address. AOL is famous for all users coming from a small
> number of IP addresses.
>
> Another reason this might be a problem is with mobile devices. IP
> addresses can change for various reasons. Forcing the user to
> re-authenticate may be inconvenient in that setting.
>
> Finally, guessing a valid session identifier is infeasible. Tomcat's
> default 16-byte session id provides
> 340282366920938463463374607431768211456 possible session identifiers.
> Assuming that java.util.SecureRandom provides sufficient entropy to
> make all possible session identifiers equally possible, and an
> attacker can try an Internet-melting 1,000,000,000 (1B) session
> identifiers per second, it would take 10812500537664228356827 years to
> perform an exhaustive search. Most session identifiers are only valid
> for a few minutes or hours, so random guessing is simply infeasible.
>
> As for interception of a valid session identifier, the solution is to
> use TLS so interception is infeasible under most circumstances.
>
> As for mitigations session-fixation specifically (where the attacker
> tricks you into using a known session identifier for authentication),
> Tomcat changes the session identifier when authentication occurs.
> Assuming the attacker cannot see the request/response where the
> authentication occurs (in which case, they could intercept the
> username and password, therefore session-fixation isn't necessary),
> only the legitimate user will see the session-identifier change, and
> the attacker is thwarted.
>
> Hope that helps,
> - -chris
>
> [1] https://en.wikipedia.org/wiki/Session_fixation
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlq9FJIACgkQHPApP6U8
> pFhIuRAAkaYp2FQ2KeE6wyFeEszMIwZbm1eNwdpYWpxv0sxAu+nDfFZd0+Lej+fK
> 5CrNzR6fimgAmIxH6PEK+rJ6gpELLF1zBfbX34e8/cRkdw6oZP1xajNCXt8DbiPl
> upnCkRDNv6XklkkvNikrW6RPnknEXMNIEayKz3gpLZ7J02PVNjQk8hHC2Z+r8BKC
> C+VGyNMeNQbYegUVs6tf1bR0kbDCn4xr1s5+Urui2KS5ru59EiPN8NIA6uYdE1aq
> HeJAbFRrywsjcK3r6mPzQmXIshOW0SWzNqorBUfiByAcjXVtipvCz5G/zgtKhsqn
> 0wNsZuT7Xd1Af0/5b+FYVd0U12ZTjSX1S77cvGufFw6OIRY2VEkni8Om0cdGiBKz
> Hy88VDhyLSwGclZnxuKaj1GAGKktptv/iPACTZxpZrVUWaHR1f1HvFzDUVV4DWQ7
> s9aRbCNdbRuUkvsLduGtI1EsqD1vmhDWhO01e3kd6OAaa6rCOJ9uXRbFOruwkg9E
> qeqbTxHQTgJ3jC/3h+sQCvVQt29GCjtKHoRwDCCiIeU/oDsygy5kxXTJai9OjoF2
> IaAeTa1XfM+Y+fz9pZOP560k2VtBc4cWucFKuffmMvyi/or8ChKJ3lD/a7mn9Hq3
> vmLstp0MLl0cDSduhYm5YD7VPGf900F9YtcMWCIM6bb1S9lp9ac=
> =1fdw
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

User session validation

[Alex O'Ree]

Does tomcat do any validation on session id's based on up addresses? I'm
thinking that if some one intercepts the session token and tries to use it
from another ip address,  then it's feasible to detect this and invalidate
the session.

Re: Tomcat shutdown, webapp vs database pools

[Alex O'Ree]

Thanks for the info. I'll investigate further into the listeners.

On Sat, Mar 17, 2018 at 4:27 AM, Mark Thomas <ma...@apache.org> wrote:

> On 16/03/18 22:42, Alex O'Ree wrote:
> > I have a war file that defines a context.xml file, some cxf based web
> > services and a few other background tasks using quartz that are
> initialized
> > in a servlet context listener.
> >
> > When tomcat shuts down, it appears that tomcat stops the database
> > connection pool before the cxf services or the quartz tasks. This causes
> > huge amounts of log output. I'm a bit unclear as to how to adjust/change
> > the shutdown order of the database pool vs the servlet listeners.
> >
> > The web app's web.xml does declare a resource-ref element that points at
> > the jndi lookup name, but perhaps the configuration is wrong.
> >
> > I have looked at https://tomcat.apache.org/
> tomcat-8.0-doc/jndi-resources-
> > howto.html#JDBC_Data_Sources and my configuration appears to be correct,
> > however something is still not quite right.
> >
> > What am I doing wrong?
>
> Don't know.
>
> The listeners are stopped before the JNDI resources so I'm not sure what
> is going on. Is it possible the listener isn't waiting for the cxf
> services or the quartz tasks to complete before it exits the
> contextDestroyed() method?
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Tomcat shutdown, webapp vs database pools

[Alex O'Ree]

I have a war file that defines a context.xml file, some cxf based web
services and a few other background tasks using quartz that are initialized
in a servlet context listener.

When tomcat shuts down, it appears that tomcat stops the database
connection pool before the cxf services or the quartz tasks. This causes
huge amounts of log output. I'm a bit unclear as to how to adjust/change
the shutdown order of the database pool vs the servlet listeners.

The web app's web.xml does declare a resource-ref element that points at
the jndi lookup name, but perhaps the configuration is wrong.

I have looked at https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-
howto.html#JDBC_Data_Sources and my configuration appears to be correct,
however something is still not quite right.

What am I doing wrong?

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

I'll see what I can cook up. It'll be a complete tomcat setup and it was
reproducible with just a hello world jsp file + test ssl certs and configs.
Using any browser or java client connecting to tomcat. Page reloads are
intermittently failing.  Where's the best place to dump this? And
obviously, you'll need a windows box to replicate (x64)

On Fri, Mar 9, 2018 at 3:01 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 3/9/18 2:50 PM, Mark Thomas wrote:
> > On 09/03/18 19:39, Alex O'Ree wrote:
> >> So I believe i have a resolution for this issue (still
> >> undergoing additional testing). I hate SSL by the way. After
> >> exhaustive scanning of the java.net.debug logs i came up with
> >> nothing. 0 hints to the problem. I tried with browsers and java
> >> http clients and all of them ended with a socket exception
> >> (unexpected end of file). Did i mention i'm using the windows
> >> variant of tomcat 8.5.28? On a whim, I asked a coworker who has
> >> been using tomcat for quite some time. He suggested that issue
> >> may be related to OpenSSL. After checking the configs and reading
> >> the docs here:
> >> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomca
> t_Configuration_File
> >>
> >>
> for my setup, it was defaulting to use open ssl since it was not defined
>  in
> >> the config file. After changing the JSSEImplementation my
> >> problems appear to be sorted. Literally 3 months trying to solve
> >> this one. Whatever version of open ssl that comes with the
> >> windows build of tomcat has something wrong with it.
> >
> > Unlikely.
> >
> > More likely is that there is a bug in the APR/Native connector. But
> > with a reliable way to reproduce the problem, we'll never know.
>
> If you are willing to see if you can come up with a repeatable test
> case, it would be VERY helpful. Mark has a knack for finding and
> fixing irritating bugs like this in the connector very quickly, but
> not if he can't see the problem happen.
>
> I'd certainly like to see any issue with the native library (or its
> use of OpenSSL) found and fixed for everyone's sake.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqi6CsACgkQHPApP6U8
> pFjQCw//cTuR+GNMMG/cdhyZ09+bWd6NPDdAdc8/poIPrBoKgz7LbSPiWa5QzZBa
> VlOyRmfHizZPCUslmxxJUEUI45vLzHePmetUQaOfAfLp1QQEnQXnQFtL7/x4/RG8
> TZJLOBud708YSDFKQesHQSxd424+ZFXgn6kGpUXKNRIqkqtlmiVFPQ0uatqNUQTF
> htMcMOhL3cxAXOEqkJL7HAEFnJAR1Q9A1itG2nk2hk2yn0wa2aQxQxp5EEa/Gwts
> +7XgZAiHTxvptJSd7lKpvG3l8wi//aC4JMQQZi9WgJf/+pK3HL5PZ55R52uojB+i
> IVUFOMM/gTavyMrHPvLWNUF2AITzXmov85ZJmRZdOsBT4WaUMr4XawFViktoeJMq
> aQonhP5RCOvWLnKHqxmTShExezV9gs+HgmxSRCVCNF0dqVFIa/X3rm/i/pfJJXCe
> IaXJTMRizpKlQfYz5zrptTUzJ0sfRqxL8WEjz6C4Z1FEOeIqW04V4UsVH2Hz5BUO
> WPBjWq807WjeEcpvwE6YkxcHitXIlof9GcCIFWKE6ub0GOI1QSWHWAOIraHSK8OZ
> jWonnzE/FWojuiK4Ntbx0JrWGgIkXMhBprkHI1WRMk+nbHqT64xYQkhDYl//j5rq
> Va3eZ3gz1yYt4D/Qi8q7lxhqLfe8cNkJeO3gCoPJLuKl+lISTSE=
> =neYx
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

So I believe i have a resolution for this issue (still undergoing
additional testing). I hate SSL by the way. After exhaustive scanning of
the java.net.debug logs i came up with nothing. 0 hints to the problem. I
tried with browsers and java http clients and all of them ended with a
socket exception (unexpected end of file). Did i mention i'm using the
windows variant of tomcat 8.5.28? On a whim, I asked a coworker who has
been using tomcat for quite some time. He suggested that issue may be
related to OpenSSL. After checking the configs and reading the docs here:
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
for my setup, it was defaulting to use open ssl since it was not defined in
the config file. After changing the JSSEImplementation my problems appear
to be sorted. Literally 3 months trying to solve this one. Whatever version
of open ssl that comes with the windows build of tomcat has something wrong
with it.


On Mon, Mar 5, 2018 at 9:29 AM, Alex O'Ree <spyhunte...@gmail.com> wrote:

> thanks. what else could be cause this? Chrome says error empty response
> frequently
>
> On Mon, Mar 5, 2018 at 9:27 AM, Rémy Maucherat <r...@apache.org> wrote:
>
>> On Mon, Mar 5, 2018 at 2:59 PM, Alex O'Ree <alexo...@apache.org> wrote:
>>
>> > I may be on to something. I found at a coderanch something that was
>> > related. I'm using a class that extends Http11NioProtocol to provide
>> > encryption support for the keystore passwords. I was setting the xml
>> > attribute in server.xml/Connector@protocol = the class name of the
>> > extended
>> > class. This may be related to the problem as it looks like the protocol
>> > attribute must be one of HTTP/1.1, etc.
>> >
>> > Assuming this is the issue, which attribute can i used to specify my
>> > overridden class?
>> >
>>
>> That's the correct way to use this attribute, you should specify your
>> custom class that way.
>>
>> For server.xml values encryption, you can also use the Tomcat vault here:
>> https://github.com/picketbox/tomcat-vault
>>
>> Rémy
>>
>>
>> >
>> > On Fri, Mar 2, 2018 at 1:58 PM, Alex O'Ree <alexo...@apache.org> wrote:
>> >
>> > > Remy, what more information would you like? Any more info on the issue
>> > > that you are referencing?
>> > >
>> > > On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat <r...@apache.org>
>> wrote:
>> > >
>> > >> On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree <alexo...@apache.org>
>> wrote:
>> > >>
>> > >> > Ran into a strange problem, not too sure what the problem is.
>> > Basically,
>> > >> > I'm getting intermittent connectivity from a http client to tomcat
>> but
>> > >> only
>> > >> > through SSL using the Http11NioProtocol. Some http requests go
>> > through,
>> > >> > others fail with the stack trace below. Usually, restarting tomcat
>> > fixes
>> > >> > it, but it appears to be random and unpredictable. This is a bit
>> of a
>> > >> major
>> > >> > issue for me so any help is appreciated.
>> > >> >
>> > >> > Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
>> > >> >
>> > >> > There's no tomcat logs to indicate that there's a problem. The
>> > >> following is
>> > >> > logged on the client side:
>> > >> >
>> > >> > Caused by: java.net.SocketException: SocketException invoking
>> > >> > https://localhost:8443/myproject/services/Endpoint1: Unexpected
>> end
>> > of
>> > >> > file from server
>> > >> >
>> > >> > 
>> > >> >
>> > >> > Caused by: java.net.SocketException: Unexpected end of file from
>> > server
>> > >> > at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
>> > >> > java:792)
>> > >> > at sun.net.www.http.HttpClient.pa
>> rseHTTP(HttpClient.java:647)
>> > >> > at sun.net.www.protocol.http.HttpURLConnection.
>> > getInputStream0(
>> > >> > HttpURLConnection.java:1536)
>> > >> > at sun.net.www.protocol.http.HttpURLConnection.
>> > getInputStream(
>> > >> > HttpURLConnection.java:1441)
>> > >> > at java.net.HttpURLConnection.getResponseCode(
>> > >> > HttpURLConnection.java:480)
>> > >> > at sun.net.www.protocol.https.HttpsURLConnectionImpl.
>> > >> > getResponseCode(HttpsURLConnectionImpl.java:338)
>> > >> > at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
>> > >> > URLConnectionWrappedOutputStream.getResponseCode(
>> > >> > URLConnectionHTTPConduit.java:266)
>> > >> > at org.apache.cxf.transport.http.
>> > HTTPConduit$WrappedOutputStrea
>> > >> m.
>> > >> > handleResponseInternal(HTTPConduit.java:1543)
>> > >> > at org.apache.cxf.transport.http.
>> > HTTPConduit$WrappedOutputStrea
>> > >> m.
>> > >> > handleResponse(HTTPConduit.java:1513)
>> > >> > at org.apache.cxf.transport.http.HTTPConduit$
>> > >> > WrappedOutputStream.close(HTTPConduit.java:1318)
>> > >> > ... 46 more
>> > >> >
>> > >>
>> > >> It's impossible to say without more information, but this could look
>> > like
>> > >> an issue that is fixed in the next build.
>> > >>
>> > >> Rémy
>> > >>
>> > >
>> > >
>> >
>>
>
>

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

thanks. what else could be cause this? Chrome says error empty response
frequently

On Mon, Mar 5, 2018 at 9:27 AM, Rémy Maucherat <r...@apache.org> wrote:

> On Mon, Mar 5, 2018 at 2:59 PM, Alex O'Ree <alexo...@apache.org> wrote:
>
> > I may be on to something. I found at a coderanch something that was
> > related. I'm using a class that extends Http11NioProtocol to provide
> > encryption support for the keystore passwords. I was setting the xml
> > attribute in server.xml/Connector@protocol = the class name of the
> > extended
> > class. This may be related to the problem as it looks like the protocol
> > attribute must be one of HTTP/1.1, etc.
> >
> > Assuming this is the issue, which attribute can i used to specify my
> > overridden class?
> >
>
> That's the correct way to use this attribute, you should specify your
> custom class that way.
>
> For server.xml values encryption, you can also use the Tomcat vault here:
> https://github.com/picketbox/tomcat-vault
>
> Rémy
>
>
> >
> > On Fri, Mar 2, 2018 at 1:58 PM, Alex O'Ree <alexo...@apache.org> wrote:
> >
> > > Remy, what more information would you like? Any more info on the issue
> > > that you are referencing?
> > >
> > > On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat <r...@apache.org>
> wrote:
> > >
> > >> On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree <alexo...@apache.org>
> wrote:
> > >>
> > >> > Ran into a strange problem, not too sure what the problem is.
> > Basically,
> > >> > I'm getting intermittent connectivity from a http client to tomcat
> but
> > >> only
> > >> > through SSL using the Http11NioProtocol. Some http requests go
> > through,
> > >> > others fail with the stack trace below. Usually, restarting tomcat
> > fixes
> > >> > it, but it appears to be random and unpredictable. This is a bit of
> a
> > >> major
> > >> > issue for me so any help is appreciated.
> > >> >
> > >> > Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
> > >> >
> > >> > There's no tomcat logs to indicate that there's a problem. The
> > >> following is
> > >> > logged on the client side:
> > >> >
> > >> > Caused by: java.net.SocketException: SocketException invoking
> > >> > https://localhost:8443/myproject/services/Endpoint1: Unexpected end
> > of
> > >> > file from server
> > >> >
> > >> > 
> > >> >
> > >> > Caused by: java.net.SocketException: Unexpected end of file from
> > server
> > >> > at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
> > >> > java:792)
> > >> > at sun.net.www.http.HttpClient.
> parseHTTP(HttpClient.java:647)
> > >> > at sun.net.www.protocol.http.HttpURLConnection.
> > getInputStream0(
> > >> > HttpURLConnection.java:1536)
> > >> > at sun.net.www.protocol.http.HttpURLConnection.
> > getInputStream(
> > >> > HttpURLConnection.java:1441)
> > >> > at java.net.HttpURLConnection.getResponseCode(
> > >> > HttpURLConnection.java:480)
> > >> > at sun.net.www.protocol.https.HttpsURLConnectionImpl.
> > >> > getResponseCode(HttpsURLConnectionImpl.java:338)
> > >> > at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
> > >> > URLConnectionWrappedOutputStream.getResponseCode(
> > >> > URLConnectionHTTPConduit.java:266)
> > >> > at org.apache.cxf.transport.http.
> > HTTPConduit$WrappedOutputStrea
> > >> m.
> > >> > handleResponseInternal(HTTPConduit.java:1543)
> > >> > at org.apache.cxf.transport.http.
> > HTTPConduit$WrappedOutputStrea
> > >> m.
> > >> > handleResponse(HTTPConduit.java:1513)
> > >> > at org.apache.cxf.transport.http.HTTPConduit$
> > >> > WrappedOutputStream.close(HTTPConduit.java:1318)
> > >> > ... 46 more
> > >> >
> > >>
> > >> It's impossible to say without more information, but this could look
> > like
> > >> an issue that is fixed in the next build.
> > >>
> > >> Rémy
> > >>
> > >
> > >
> >
>

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

I may be on to something. I found at a coderanch something that was
related. I'm using a class that extends Http11NioProtocol to provide
encryption support for the keystore passwords. I was setting the xml
attribute in server.xml/Connector@protocol = the class name of the extended
class. This may be related to the problem as it looks like the protocol
attribute must be one of HTTP/1.1, etc.

Assuming this is the issue, which attribute can i used to specify my
overridden class?

On Fri, Mar 2, 2018 at 1:58 PM, Alex O'Ree <alexo...@apache.org> wrote:

> Remy, what more information would you like? Any more info on the issue
> that you are referencing?
>
> On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat <r...@apache.org> wrote:
>
>> On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree <alexo...@apache.org> wrote:
>>
>> > Ran into a strange problem, not too sure what the problem is. Basically,
>> > I'm getting intermittent connectivity from a http client to tomcat but
>> only
>> > through SSL using the Http11NioProtocol. Some http requests go through,
>> > others fail with the stack trace below. Usually, restarting tomcat fixes
>> > it, but it appears to be random and unpredictable. This is a bit of a
>> major
>> > issue for me so any help is appreciated.
>> >
>> > Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
>> >
>> > There's no tomcat logs to indicate that there's a problem. The
>> following is
>> > logged on the client side:
>> >
>> > Caused by: java.net.SocketException: SocketException invoking
>> > https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
>> > file from server
>> >
>> > 
>> >
>> > Caused by: java.net.SocketException: Unexpected end of file from server
>> > at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
>> > java:792)
>> > at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
>> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
>> > HttpURLConnection.java:1536)
>> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
>> > HttpURLConnection.java:1441)
>> > at java.net.HttpURLConnection.getResponseCode(
>> > HttpURLConnection.java:480)
>> > at sun.net.www.protocol.https.HttpsURLConnectionImpl.
>> > getResponseCode(HttpsURLConnectionImpl.java:338)
>> > at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
>> > URLConnectionWrappedOutputStream.getResponseCode(
>> > URLConnectionHTTPConduit.java:266)
>> > at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.
>> > handleResponseInternal(HTTPConduit.java:1543)
>> > at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStrea
>> m.
>> > handleResponse(HTTPConduit.java:1513)
>> > at org.apache.cxf.transport.http.HTTPConduit$
>> > WrappedOutputStream.close(HTTPConduit.java:1318)
>> > ... 46 more
>> >
>>
>> It's impossible to say without more information, but this could look like
>> an issue that is fixed in the next build.
>>
>> Rémy
>>
>
>

Re: intermittent connectivity failure under ssl

[Alex O'Ree]

Remy, what more information would you like? Any more info on the issue that
you are referencing?

On Fri, Mar 2, 2018 at 10:56 AM, Rémy Maucherat <r...@apache.org> wrote:

> On Fri, Mar 2, 2018 at 4:19 PM, Alex O'Ree <alexo...@apache.org> wrote:
>
> > Ran into a strange problem, not too sure what the problem is. Basically,
> > I'm getting intermittent connectivity from a http client to tomcat but
> only
> > through SSL using the Http11NioProtocol. Some http requests go through,
> > others fail with the stack trace below. Usually, restarting tomcat fixes
> > it, but it appears to be random and unpredictable. This is a bit of a
> major
> > issue for me so any help is appreciated.
> >
> > Any pointers for how to troubleshoot this? Running tomcat 8.5.28.
> >
> > There's no tomcat logs to indicate that there's a problem. The following
> is
> > logged on the client side:
> >
> > Caused by: java.net.SocketException: SocketException invoking
> > https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
> > file from server
> >
> > 
> >
> > Caused by: java.net.SocketException: Unexpected end of file from server
> > at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.
> > java:792)
> > at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(
> > HttpURLConnection.java:1536)
> > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(
> > HttpURLConnection.java:1441)
> > at java.net.HttpURLConnection.getResponseCode(
> > HttpURLConnection.java:480)
> > at sun.net.www.protocol.https.HttpsURLConnectionImpl.
> > getResponseCode(HttpsURLConnectionImpl.java:338)
> > at org.apache.cxf.transport.http.URLConnectionHTTPConduit$
> > URLConnectionWrappedOutputStream.getResponseCode(
> > URLConnectionHTTPConduit.java:266)
> > at org.apache.cxf.transport.http.HTTPConduit$
> WrappedOutputStream.
> > handleResponseInternal(HTTPConduit.java:1543)
> > at org.apache.cxf.transport.http.HTTPConduit$
> WrappedOutputStream.
> > handleResponse(HTTPConduit.java:1513)
> > at org.apache.cxf.transport.http.HTTPConduit$
> > WrappedOutputStream.close(HTTPConduit.java:1318)
> > ... 46 more
> >
>
> It's impossible to say without more information, but this could look like
> an issue that is fixed in the next build.
>
> Rémy
>

intermittent connectivity failure under ssl

[Alex O'Ree]

Ran into a strange problem, not too sure what the problem is. Basically,
I'm getting intermittent connectivity from a http client to tomcat but only
through SSL using the Http11NioProtocol. Some http requests go through,
others fail with the stack trace below. Usually, restarting tomcat fixes
it, but it appears to be random and unpredictable. This is a bit of a major
issue for me so any help is appreciated.

Any pointers for how to troubleshoot this? Running tomcat 8.5.28.

There's no tomcat logs to indicate that there's a problem. The following is
logged on the client side:

Caused by: java.net.SocketException: SocketException invoking
https://localhost:8443/myproject/services/Endpoint1: Unexpected end of
file from server



Caused by: java.net.SocketException: Unexpected end of file from server
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:792)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)
at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536)
at 
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at 
java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at 
sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at 
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:266)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1543)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
... 46 more

SSL: Unexpected end of file from server

[Alex O'Ree]

I have a CXF web service client accessing a CXF SOAP service running in
tomcat. I'm seeing intermitent issues only when using SSL and I'm not
entirely sure why.
The client logs the following
SocketException: Unexpected end of file from server
at sun.net.www.http.Client.parseHTTPHeader

I'm using the default connector that tomcat ships with (Http11NioProtocol)
on the latest 8.5.28



Is there anything I can do on the tomcat side to try and troubleshoot this?

Re: No reliable way to know if the request emerged from localhost

[Alex O'Ree]

I think this means,  no remote http access, but allow admins remote desktop
access. Once in a local desktop sessions,  allow the http access since the
request comes from local host

This issue is get remote address usually returns a non loop back ip
address, even if the url was to localhost

On Feb 27, 2018 6:27 AM, "Mark Thomas"  wrote:

> On 27/02/18 08:29, Vasantharaju Trichy wrote:
> > Tomcat version 7.0.82 | Windows
> >
> >
> >
> > We have a requirement such that admins(tomcat users) need to login
> remotely
> > to the machine where Tomcat is hosted and access tomcat webapp to perform
> > certain action or see certain pages . These pages or actions are not
> > permitted if users login remotely
>
> This requirement makes no sense.
>
> "...need to login remotely..."
> and
> "...are not permitted if users login remotely..."
>
> are mutually exclusive.
>
> The logical answer to your question is unplug the box and your
> requirements are guaranteed to be met.
>
> I suspect, however, that you have not correctly stated your
> requirements. What did you really mean?
>
>
> Mark
>
>
> >
> >
> >
> > Initially thought  *request.getRemoteAddr* can be used determine actual
> > client ip is local or not but looks like based *X-Forwarded-For* header
> it
> > is easy to spoof *request.getRemoteAddr* . The spoofing is possible even
> > from trusted internal proxies
> >
> >
> >
> > So thought *request.getServerName* is reliable than
> *request.getRemoteAddr*
> >
> >
> >
> > But *HOST* header can be spoofed to reflect *request.getServerName*
> >
> >
> >
> > Strangely Tomcat honors HOST header to update request. getServerName .
> >
> >
> >
> > I strongly feel this is a tomcat issue  or let us know how can we
> reliably
> > determine if the request is originated from local or this is something
> not
> > possible
> >
> >
> >
> >
> >
> > Thanks in advance,
> >
> > Vasanth
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: using default cacerts AND custom keystore

[Alex O'Ree]

anything related to SSL, key stores, trust stores, X509 certificates, etc
will do that to you!

On Mon, Feb 19, 2018 at 9:16 AM, Chris Cheshire 
wrote:

> On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz
>  wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Chris,
> >
> > On 2/14/18 3:34 PM, Chris Cheshire wrote:
> >> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas 
> >> wrote:
> >>> On 14/02/18 17:17, Chris Cheshire wrote:
>  I am trying to set up my webapp to connect to an external
>  database via ssl. The database uses a self-signed certificate.
>  I have created a keystore with the self-signed CA and the
>  client key & cert. This keystore is configured via JAVA_OPTS in
>  setenv.sh
> 
>  JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks
>  \ -Djavax.net.ssl.keyStorePassword=password \
>  -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>  -Djavax.net.ssl.trustStorePassword=password"
> 
>  This allows me to connect to the database without a problem.
>  However now I cannot connect to any external web service
>  because their certs will no longer validate.
> 
>  How do I configure tomcat such that the default cacerts is used
>  in addition to my self-signed certificates without importing
>  those into the default keystore (which is a Bad Idea™)?
> >>>
> >>> This is nothing to do with Tomcat. Tomcat plays no role in
> >>> out-going TLS connections.
> >>>
> >>> The short answer is rather than using system properties, you
> >>> should set the keystore and truststore programmatically so they
> >>> apply just to the database connections rather than globally.
> >>>
> >>
> >> So after a bit of digging [1,2] I found that this is achieved by
> >> adding the following parameters to the mysql jdbc url in the
> >> resource definition:
> >>
> >> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >>
> >>
> > clientCertificateKeyStorePassword=password
> >> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> trustCertificateKeyStorePassword=changeit
> >>
> >> Note that  [2] has a couple of errors. A) it specifies
> >> clientCertificateKeyStore[Url|Password] in lieu of trustStore
> >> system property, that should be
> >> trustCertificateKeyStore[Url|Password] B) it specifies specifies
> >> the urls in the form file:path_to_truststore_file, that is also
> >> incorrect it should be file://path_to_truststore_file (which will
> >> give a triple slash if an absolute path is used)
> >>
> >>
> >> [1]
> >> https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-con
> > figuration-properties.html
> >>
> >>
> > [2]
> > https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using
> > - -ssl.html
> >
> > It might depend upon the version of Connector/J you are using. For
> > example, I have this in my connection URL:
> >
> > '...=file:/etc/mysql/mysql.jks'
> >
> > Only a single leading / for an absolute path in my case, and it works
> > as expected.
> >
> > The use of file:// was a historical mistake web browser users made,
> > thinking that // was necessary between the protocol and anything after
> > it. It was never the case, and any software requiring a URL like
> > file:/// should be considered broken.
> >
> > - -chris
>
> So I went back to retest everything to make sure I wasn't going crazy,
> and it turns out that I actually am. It really is working as expected
> without the double slash (and with). I guess I went crosseyed looking
> at the error logs after so many attempts trying to get this working
> initially.
>
> Chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Possibility of simplifying a UI vs services war setup

[Alex O'Ree]

Hi everyone, yet another email. I'm not too sure who to ask but I figured
the tomcat crew would be a good place to start. Maybe SO is more
appropriate

I have a two web app (war files) system, one containing just the UI and the
other containing a collection of CXF soap services and some rest services
and a web socket endpoint.

The UI basically contains a bunch of JSP files and web service clients
(mostly soap/jaxws) and talks to the services war. This basically means the
UI can reconnected to the same tomcat server and reauthenticate the same
user session.

Design decisions that got me to the setup
- i wanted the ability to run without the user interface
- i wanted to be able to run multiple service wars on multiple servers to
maintain high availability
- i wanted to be able to run the ui on a different server and use
application code to support failover/balancing between multiple instances
of the services war.

I'm open to revising/revisiting of these design decisions but at the time
they made sense. Anyhow, if you've made it this far, I did have a few
questions.

>From the UI war, is there a way I can somehow get a reference to the
service implementation classes in the services war? It would save me the
time and expense of serializing xml and yet another authentication
challenge and tcp socket overhead. As far as I know, this shouldn't be
possible due to class loader isolation but maybe there is some other JNDI
based thing that would work.

I'm not sure how common of a problem this is but if anyone has a similar
setup, i'd be interested to see how you solved it. I also have the added
complexity of supporting both http client cert and username/password
setups, but that can be saved for another conversation.

Http with client certificate authentication

[Alex O'Ree]

Howdy folks,

If I setup a tomcat connector in server.xml with clientAuth="true" and have
the key store for tomcat and a trust store is the following true?

- all public key certificates issued by CA's the trust store are allowed in?
- all user public key certificates in the trust store are allowed in
(assuming their CA's are also in the same trust store)?
- are the JRE's "cacert" file merged in with this trust store? (this is
normally the case but i figured i'd ask for clarity)


Finally regarding certificate validation:
- i'm assuming basic validation checks are performed, time checks, etc
- if the requesting user cert has a CRL or OCSP url attached to the cert,
does tomcat do anything to validate that the cert is still valid?

Regarding OCSP, I did see some documentation in the guides related to
windows native connector but I don't think i'm using that and would prefer
to remain portable to linux if possible. It's also not clear from the docs
on how or why it's used.

Re: Error parsing HTTP request header, HTTP method names must be tokens

[Alex O'Ree]

Thanks. I'll try the logging change to see if i can at least narrow it down
a bit more.

On Wed, Feb 21, 2018 at 7:49 PM, Konstantin Kolinko <knst.koli...@gmail.com>
wrote:

> 2018-02-21 22:19 GMT+03:00 Alex O'Ree <alexo...@apache.org>:
> > That's the error message. The problem is I have no idea which client it
> is
> > and what character it is sending that is causing the issue. Thus I would
> > like to get the offending header logged in some way.
>
> The "http-nio-8080-exec-3" in the message is the thread name. It can
> be written to the Access Log with "%I"
>
> http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Logging
>
> Also look for response status in an access log. I think those requests
> are handled with status "400".
>
> You will see an IP address there. You wont't see any headers (such as
> User-Agent) as those have not been parsed yet.
>
> > On Tue, Feb 20, 2018 at 4:25 PM, Coty Sutherland <csuth...@apache.org>
> > wrote:
> >
> >> On Tue, Feb 20, 2018 at 4:01 PM, Alex O'Ree <alexo...@apache.org>
> wrote:
> >> > I keep running into the an IllegalArgumentException at or near
> startup of
> >> > tomcat 8.5 with a bunch of cxf web services deployed and I have no
> idea
> >> > what's causing it. The error message mentions turning on logging at
> the
> >> > debug level.
> >>
> >> Random shot in the dark given the minimal date provided :) Does it
> >> look like this:
> >>
> >> INFO [http-nio-8080-exec-3]
> >> org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
> >> request header
> >>  Note: further occurrences of HTTP request parsing errors will be
> >> logged at DEBUG level.
> >>  java.lang.IllegalArgumentException: Invalid character found in the
> >> request target. The valid characters are defined in RFC 7230 and RFC
> >> 3986
> >> at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(
> >> Http11InputBuffer.java:460)
> >> at org.apache.coyote.http11.Http11Processor.service(
> >> Http11Processor.java:291)
> >> at org.apache.coyote.AbstractProcessorLight.process(
> >> AbstractProcessorLight.java:66)
> >> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
> >> AbstractProtocol.java:754)
> >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
> >> doRun(NioEndpoint.java:1376)
> >> at org.apache.tomcat.util.net.SocketProcessorBase.run(
> >> SocketProcessorBase.java:49)
> >> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> >> ThreadPoolExecutor.java:1149)
> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> >> ThreadPoolExecutor.java:624)
> >> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
> >> TaskThread.java:61)
> >> at java.lang.Thread.run(Thread.java:748)
> >>
> >> If so, then your client is sending you requests with unencoded special
> >> characters that are now disallowed by Tomcat.
> >>
>
> >> Question: Assuming i need to edit the logging.properties file, which
> setting/line do i have to edit to reveal what the root cause is?
>
> http://tomcat.apache.org/tomcat-8.5-doc/logging.html
> and also official Java documentation on java.util.logging.
>
> From the log message cited by Coty, I think you need to add
> org.apache.coyote.http11.Http11Processor.level = FINE
>
> In short, you need both
> 1) .level = FINE
> 2) .level = FINE
>
> "1)" controls whether a log event is raised,
> "2)" controls writing it out to a specific output (console, file)
>
> "2)" is already set in the logging.properties file provided by Tomcat.
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: TomcatCon Training: Tomcat for Administrators

[Alex O'Ree]

@Mark
I just found the videos from the last tomcatcon. I actually
watched/listened to them all. Great to here the inside scoop on stuff, hope
you all make more! I think i must have ran into most of the issues that
were discussed and rewrote most of my application (primarily due to me
using incorrect characters in the query string). Looking forward to the
next set

On Mon, Feb 19, 2018 at 5:12 PM, Coty Sutherland 
wrote:

> On Mon, Feb 19, 2018 at 4:30 PM, Mark Thomas  wrote:
> > On 19/02/18 17:53, Israel Timoteo wrote:
> >> Any plans for having this type of sessions in the US?
> >
> > We are expecting a Tomcat presence ApacheCon NA in September in Canada.
> > I expect we'll have some of this content available there.
> >
> > Beyond that it will be down to there being:
> > - the audience
> > - the content available that the audience want
> > - someone available who can deliver the content
> >
> > The community can help with at least 2 of those 3.
> >
> > There is also the possibility of delivery via a Webinar style approach
> > but I'm really not sure how well that would work for a training course.
>
> Did I suggest (or mention that I was planning on) doing something like
> https://www.katacoda.com/ before? I think an interactive approach to
> training would be awesome. Using containers for Tomcat seems a bit
> redundant to me (mostly because I don't have any real deployments of
> Tomcat), I think that using them for demoing things and having
> reproducible environments would be a good user experience for
> trainees.
>
> >
> > Mark
> >
> >>
> >> 
> >> Israel Timoteo
> >>
> >>> On Feb 19, 2018, at 10:50 AM, Rémy Maucherat  wrote:
> >>>
> >>> On Mon, Feb 19, 2018 at 5:28 PM, Mark Thomas  wrote:
> >>>
>  On 19/02/18 16:23, Coty Sutherland wrote:
> > Do we plan on doing any audio or video to go along with the slides
> for
> > these? We could add them to the youtube channel for those that can't
> > attend the live training.
> 
>  My current thinking is that I'd do a separate recording of the modules
>  for that rather than try and record the sessions. I want to be able to
>  focus on the attendees in the training. The recording would be video
> of
>  the slides and demos with audio of me talking.
> 
> >>>
> >>> As you said in London, that's material that is usually really nice when
> >>> you're there, but really boring when you're by yourself watching on
> >>> youtube. Although I agree we need one (current) copy of the trainings
> on
> >>> youtube for reference ...
> >>>
> >>> Rémy
> >>>
> >>>
> 
>  Mark
> 
> 
> >
> > On Mon, Feb 19, 2018 at 9:50 AM, Mark Thomas 
> wrote:
> >> All,
> >>
> >> The Apache Tomcat PMC is delighted to announce that the
> registration for
> >> the training course "Tomcat for Administrators" is now open.
> >>
> >> This one-day training course will take place in central Manchester,
> UK
> >> on Tuesday April 10, 2018.
> >>
> >> Full details, including the schedule is available on the website:
> >> http://tomcat.apache.org/conference.html
> >>
> >> Registration is via EventBrite:
> >> https://www.eventbrite.com/e/tomcatcon-training-tomcat-for-
>  administrators-tickets-43039556472?aff=lists
> >>
> >> We hope to see you there.
> >>
> >> Mark
> >> on behalf of the Apache Tomcat PMC
> >>
> >> 
> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
> > 
> -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> 
>  -
>  To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>  For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Error parsing HTTP request header, HTTP method names must be tokens

[Alex O'Ree]

That's the error message. The problem is I have no idea which client it is
and what character it is sending that is causing the issue. Thus I would
like to get the offending header logged in some way.

On Tue, Feb 20, 2018 at 4:25 PM, Coty Sutherland <csuth...@apache.org>
wrote:

> On Tue, Feb 20, 2018 at 4:01 PM, Alex O'Ree <alexo...@apache.org> wrote:
> > I keep running into the an IllegalArgumentException at or near startup of
> > tomcat 8.5 with a bunch of cxf web services deployed and I have no idea
> > what's causing it. The error message mentions turning on logging at the
> > debug level.
>
> Random shot in the dark given the minimal date provided :) Does it
> look like this:
>
> INFO [http-nio-8080-exec-3]
> org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
> request header
>  Note: further occurrences of HTTP request parsing errors will be
> logged at DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in the
> request target. The valid characters are defined in RFC 7230 and RFC
> 3986
> at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(
> Http11InputBuffer.java:460)
> at org.apache.coyote.http11.Http11Processor.service(
> Http11Processor.java:291)
> at org.apache.coyote.AbstractProcessorLight.process(
> AbstractProcessorLight.java:66)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(
> AbstractProtocol.java:754)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
> doRun(NioEndpoint.java:1376)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(
> SocketProcessorBase.java:49)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:624)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
> TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
> If so, then your client is sending you requests with unencoded special
> characters that are now disallowed by Tomcat.
>
> > Question: Assuming i need to edit the logging.properties file, which
> > setting/line do i have to edit to reveal what the root cause is?
>
> I can't answer that without more information. What is throwing the
> exception? A stack trace would be helpful.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Error parsing HTTP request header, HTTP method names must be tokens

[Alex O'Ree]

I keep running into the an IllegalArgumentException at or near startup of
tomcat 8.5 with a bunch of cxf web services deployed and I have no idea
what's causing it. The error message mentions turning on logging at the
debug level.

Question: Assuming i need to edit the logging.properties file, which
setting/line do i have to edit to reveal what the root cause is?

Re: web socket user roles

[Alex O'Ree]

I think I answered my own question. Looks like
`ServerEndpointConfig.Configurator` is the class i want and it can be
attached to annotations of the web socket endpoint

On Fri, Feb 9, 2018 at 4:42 PM, Alex O'Ree <alexo...@apache.org> wrote:

> Is there any kind of trickery to get user roles from a web socket server
> running in tomcat? I'm looking at javax.websocket.Session and I'm not
> seeing anything other than obtaining the user principle.
>
> Further more, aside from SSL/TLS, are there any other security related
> guides that I should be aware of when using web socket connections in
> tomcat?
>

web socket user roles

[Alex O'Ree]

Is there any kind of trickery to get user roles from a web socket server
running in tomcat? I'm looking at javax.websocket.Session and I'm not
seeing anything other than obtaining the user principle.

Further more, aside from SSL/TLS, are there any other security related
guides that I should be aware of when using web socket connections in
tomcat?

How does tomcat handle session ids?

[Alex O'Ree]

I was recently perusing security implementation guides and ran across one
that required that sessions id's be "destroyed" after use and not reused.
>From my understanding, it looks like the java/tomcat/servlet equivalent is
the jessionid. I'm assuming this is probably a randomly generated id but I
honestly don't know without digging through the code base.

If it is a randomly generated UUID it's a pretty safe assumption that a
duplicate id is very unlikely and that reusing a session id for a different
tomcat user session is also very unlikely. Is this correct?

The action of destroying the session id server side (again without looking
at the code) is probably just a string that is eventually gc'd. Is that
correct or is it something more sophisticated?

Anyhow, I figured I would ask the tomcat community on this one.

Re: jsp precompile options

[Alex O'Ree]

Mark, thanks for the clarification. I don't know why I assumed it was
needed. Awesome!
Juan, I'll give that one a shot, thanks!

On Sun, Jan 28, 2018 at 5:45 AM, Mark Thomas <ma...@apache.org> wrote:

> On 27/01/18 13:35, Alex O'Ree wrote:
> > Using tomcat 8.5...
> >
> > I have a web app that still uses jsp's and i'm looking into a few options
> > to (a) aid development and (b) reduce or eliminate the need for the JDK
> in
> > a production setup and just run a JRE.
>
> Tomcat doesn't need the JDK and hasn't for a good number of years.
> Tomcat includes the Eclipse compiler and uses that to compile JSPs by
> default.
>
> > (a) Making development easier. My project is maven based and I'd like to
> > run some kind of JSP precompile at build time to ensure that all jsp
> files
> > can be compiled (no typos). I've tried a bunch of examples from SO but
> > haven't found anything that functionally works.
>
> If you don't show us a) what you tried and b) what error message you got
> we can't help you and point you in the right direction.
>
> > (b) Along the same lines, if the solution to question a can inject the
> > precompiled jsp files into the WAR, and that is deployed to tomcat, my
> > assumption is that the JDK and thus javac would not be necessary at
> > runtime. Is this an accurate statement or do other elements within tomcat
> > require the JDK? This is assuming that all JSP's deployed to tomcat are
> > precompiled somehow.
>
> The JDK is not necessary to run any currently supported version of Tomcat.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

jsp precompile options

[Alex O'Ree]

Using tomcat 8.5...

I have a web app that still uses jsp's and i'm looking into a few options
to (a) aid development and (b) reduce or eliminate the need for the JDK in
a production setup and just run a JRE.

(a) Making development easier. My project is maven based and I'd like to
run some kind of JSP precompile at build time to ensure that all jsp files
can be compiled (no typos). I've tried a bunch of examples from SO but
haven't found anything that functionally works.

(b) Along the same lines, if the solution to question a can inject the
precompiled jsp files into the WAR, and that is deployed to tomcat, my
assumption is that the JDK and thus javac would not be necessary at
runtime. Is this an accurate statement or do other elements within tomcat
require the JDK? This is assuming that all JSP's deployed to tomcat are
precompiled somehow.

Re: ALv2 Tomcat Training material

[Alex O'Ree]

Understanding web.xml

Understanding webapps without web.xml

Security, authn and authz, ldap setups

fIle system permissions

On Jan 25, 2018 6:04 AM, "Mark Thomas"  wrote:

> On 08/01/18 09:39, Mark Thomas wrote:
> > On 05/01/18 22:09, Don Flinn wrote:
> >> Hi Mark,
> >>
> >> I think this is an excellent and useful task. The first step is to
> define
> >> the audiences of which I would like to suggest five.
> >>
> >> 1. Experienced System administrators with experience in security and SSL
> >> 2. Experienced System administrators with no or little experience in
> >> security and SSL
> >> 3  Non system administrators with  experience in security and SSL
> >> 4. Non system administrators with  no or little experience in security
> and
> >> SSL
> >> 5. Overarching each of the above is the different CAs that might be used
> >
> > You could probably break down the audience in a similar manner for most
> > of the Tomcat topics.
> >
> >> A question would be are audiences 3 and 4 populated.  I for one fall
> >> somewhere between 3 and 4, but maybe I'm the only one.  It seems to me
> that
> >> small companies would fall into 3 and 4.  A big further complication is
> >> item 5, which applies to each of the others.
> >
> > Indeed. The general idea would be to write material that covers all of
> > these and then adjust what is actually taught to the particular audience.
> >
> >> I wrote a short write-up to this site about a month age addressing
> >> audiences 2, 3 and 4, mostly 4 and was told that this was not what was
> >> wanted, that all the information was somewhere on the web.  That is true
> >> but trying to find it, absorb and apply it is difficult.
> >
> > We do try and keep the docs succinct and direct users elsewhere for
> > background. I remember that write up - it is similar to the content of
> > the intro to TLS presentation I have given previously. It is the sort of
> > content we would want to include in the training course.
> >
> > More generally, I'm updating the wiki with the suggestions as I spot
> > them on the mailing list. Please do keep the suggestions coming and ping
> > me if I miss something.
> >
> > Mark
> >
> >
> >>
> >> Don
> >>
> >>
> >> On Thu, Jan 4, 2018 at 5:16 AM, Mark Thomas  wrote:
> >>
> >>> Hi,
> >>>
> >>> One of the things on my TODO list is to put together some Tomcat
> >>> training material licensed under the Apache License (version 2). i.e.
> >>> material that would be made freely available for folks to use.
> >>>
> >>> I'd also like to make the training material available on YouTube as
> well
> >>> as run some training courses (for a small fee) to deliver the material
> >>> face to face.
> >>>
> >>> The structure I have in mind is a series of modules (say 30 mins in
> >>> length) that can be organised in different ways to suit different
> needs.
> >>> e.g. put the introductory modules for each area together to provide an
> >>> 'Introduction to Tomcat course', put all the TLS modules together to
> >>> provide an in depth 'Tomcat and TLS' course etc.
> >>>
> >>> I think a lot of the raw content is already available. We have the
> >>> various Tomcat presentations that have been given over the years and my
> >>> employer has agreed to let me make use of the material from our (now
> >>> possibly a little dated) Tomcat training courses.
> >>>
> >>> I can't do this alone. Not in any reasonable time frame anyway. So I am
> >>> reaching out to the community for help.
> >>>
> >>> The first step is to come with:
> >>> - a list of modules
> >>> - potential courses formed from combinations of modules
> >>>
> >>> I am asking for your ideas for modules, courses and combinations of
> >>> modules that could make up those courses.
> >>>
> >>> We have a blank wiki page to host this:
> >>> https://cwiki.apache.org/confluence/display/TOMCAT/
> Tomcat+Training+Course
> >>>
> >>> Feel free to ask for edit access to that page (you'll need to create an
> >>> account and let us know the user name) so you can add ideas directly or
> >>> add ideas to this thread and I'll add them to the wiki page.
> >>>
> >>> The second step is to start populating the modules with actual content.
> >>> As a motivator to get this done, I'd like to run a public Tomcat
> >>> training course in late March / early April using this material. My
> >>> current thinking is that the course would cost ~£100 plus food per
> >>> person for the full day. Possible locations for this course are:
> >>> - Cardiff
> >>> - Birmingham
> >>> - Manchester
> >>> - Glasgow
> >>> (all in the UK - if successful we can expand to mainland Europe and
> beyond)
> >>>
> >>> My second request is for feedback on which location(s) are preferable
> >>> and what content would you like to see in the training course. I'll
> take
> >>> this feedback, put together a course and then make it available to
> book.
> >>>
> >>> I look forward to all your ideas.
>
> Ping.
>
> The current list of ideas is here:
> 

Re: No movement at Debug mode

[Alex O'Ree]

Do you mean you cannot get a debugger to attach to Tomcat and thus step
through your app?
Make sure you start tomcat with "catalina jpda run". I think it listens on
port 8000 by default. You can then use just about any IDE to attach the
debugger via JPDA to localhost port 8000.

On Sun, Jan 21, 2018 at 10:37 AM, Karen Goh 
wrote:

> Hi expert,
>
> I have been stuck at this problem - No debug movement , for quite some
> time and am seeking help from this user group.
>
> After submitting my form using JSP,
>
> So, here's what appeared at the console :
>
> an 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server version:Apache Tomcat/8.5.24
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server built:  Nov 27 2017 13:05:30 UTC
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server number: 8.5.24.0
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: OS Name:   Windows 10
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: OS Version:10.0
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Architecture:  amd64
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Java Home: C:\Program Files\Java\jdk1.8.0_151\jre
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: JVM Version:   1.8.0_151-b12
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: JVM Vendor:Oracle Corporation
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: CATALINA_BASE: C:\Users\Karen.Goh\workspace5\Servers2\Tomcat
> v8.5 Server at localhost-config\Hi5SProject
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: CATALINA_HOME: C:\Program Files\Apache\apache-tomcat-8.5.24
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -agentlib:jdwp=transport=dt_
> socket,suspend=y,address=localhost:51917
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dcatalina.base=C:\Users\
> Karen.Goh\workspace5\Servers2\Tomcat v8.5 Server at
> localhost-config\Hi5SProject
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dcatalina.home=C:\Program
> Files\Apache\apache-tomcat-8.5.24
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: 
> -Dwtp.deploy=C:\Users\Karen.Goh\workspace5\Servers2\Tomcat
> v8.5 Server at localhost-config\Hi5SProject\wtpwebapps
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Djava.endorsed.dirs=C:\Program
> Files\Apache\apache-tomcat-8.5.24\endorsed
> Jan 21, 2018 11:25:58 PM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dfile.encoding=Cp1252
> Jan 21, 2018 11:25:58 PM org.apache.catalina.core.AprLifecycleListener
> lifecycleEvent
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: [C:\Program Files\Java\jdk1.8.0_151\bin;C:
> \WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\Program
> Files\Java\jdk1.8.0_151\jre\bin;C:/Program 
> Files/Java/jdk1.8.0_151/bin/../jre/bin/server;C:/Program
> Files/Java/jdk1.8.0_151/bin/../jre/bin;C:/Program
> Files/Java/jdk1.8.0_151/bin/../jre/lib/amd64;C:\Program
> Files\MySQL\mysql-5.7.20-win32\bin;C:\Program
> Files\Java\jdk1.8.0_151\bin;C:\Program Files\eclipse;;.]
> Jan 21, 2018 11:25:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-8080"]
> Jan 21, 2018 11:26:00 PM org.apache.tomcat.util.net.NioSelectorPool
> getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jan 21, 2018 11:26:00 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-nio-8009"]
> Jan 21, 2018 11:26:00 PM org.apache.tomcat.util.net.NioSelectorPool
> getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jan 21, 2018 11:26:00 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 5550 ms
> Jan 21, 2018 11:26:00 PM org.apache.catalina.core.StandardService
> startInternal
> INFO: Starting service [Catalina]
> Jan 21, 2018 11:26:00 PM org.apache.catalina.core.StandardEngine
> startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/8.5.24
> Jan 21, 2018 11:26:02 PM org.apache.jasper.servlet.TldScanner scanJars
> INFO: At least one JAR was scanned for TLDs yet contained no TLDs. 

Re: Valve to dump response messages?

[Alex O'Ree]

Thanks Chris, I do have a similar solution using servlet filters, however i
was looking for a solution using a valve. I do not know much about how
valves work yet but i'm digging through the source now...

On Mon, Jan 15, 2018 at 12:27 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 1/13/18 9:03 PM, Alex O'Ree wrote:
> > After googling, I've found the request dumper valve, but I was
> > wondering if there was an equivalent for response content? I have
> > been able to rig up a http servlet filter that can capture and log
> > response messages but i was looking for a more universal way to
> > accomplish this for all http requests/responses to tomcat.
>
> Have a look at this:
> http://markmail.org/message/fumpfuspt7a3nesz
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlpc5JYdHGNocmlzQGNo
> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFhB4Q/+MCjRFDwweGXioqGt
> T3rdtnwfYIMrUgxNDV+8hPdp2BabliNIkmLL3DVCdKqPrRISkQlQRsDBp+FTwIp0
> 0bX6BgTxVGz4hMfRIAMzU4Kz4Mb6f8/Q4x9hXSi331jl+4aSC5LWLHzuT1MOsPU7
> m9oGodiRdr7jYs+JMKF9315hRsDF4oBvfFDEwT321np8+DdUYi5+uQfoROq+0Okp
> G/ZAQEsUURamZIrp3+bULJNFQhkEcIaLjywJasrGmYyxEmD8aX6s7F5b1StWuTrX
> i21sW+2Lv2Vf1iMNPRfg2N2qA4IZ6tGcZmDanYrOKYnd48G2tQn3rMW5x642uSII
> AlmOy6jaAScUnhN1qEhFbkZimHCzlI2bD3YixaLKS5pJssRvlPaIZuRcv0tTMKId
> mZxUaDVxF6b/v5FYI7zmdtmKIF7rzEwWr/Qr6DjFuAi09LiU6zzX3Hsdrq7w1Ivg
> oOU5pKJ8T14z+2t9wAeXBKyWXCto6ZBjtUhVZ7X+HxqcT0p71pcpjVK5DaIFzGI5
> vI6eWWt6G9SEBXOGOponnN/1iS/Bm9JyJ0dlxTPeqs2mnzjMzPdHD6suYzs+/LYH
> zqzvl696jS5wjKpOyVmE3Aypy+1SkRCP01NIndYC0KGmIcw73I8mAFXGb8dGWFKE
> RqPz0mTVoL5scWBCQlJ6+DTkX8Y=
> =I+5u
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Valve to dump response messages?

[Alex O'Ree]

After googling, I've found the request dumper valve, but I was wondering if
there was an equivalent for response content? I have been able to rig up a
http servlet filter that can capture and log response messages but i was
looking for a more universal way to accomplish this for all http
requests/responses to tomcat.

Re: Skip resource path in TLD scanner?

[Alex O'Ree]

I'm having similar issues after updating from tomcat7 to tomcat8.5. The
build script for my app adds some sql drivers to tomcat's lib folder,
specifically the derby driver. On bootup tomcat logs a ton of error
messages saying that it couldn't find (what looks to be) internationalized
resource files for derby, which aren't present.

On Fri, Nov 17, 2017 at 2:39 PM, Ray Holme 
wrote:

> I use JSP and there are taglibs used.
> But you can cut the scan time way down by not scanning any libraries that
> don't have TLDs
>  (nested files with name => .tld)
> You can find this by using "jar t" or "unzip -l" on each library (thanks
> Chris).
>
> If you are a Unix (Linux or MAC) user you may cheat a little by using the
> script attached.
> You may put any all .jar files in .../apache/lib or
> .../apache/webapps/*/WEB-INF/lib into the
>   .../apache/conf/catalina.properties file if they do not have taglibs.
> So 90% of what I need does not have taglibs (just jstl-impl-...jar DOES
> and must be left out of the DO NO SCAN line.
> This took my startup time from a couple minutes to under a second.
>
> Best of luck.
>
>
> On Friday, November 17, 2017 1:26 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Matt,
>
> On 11/16/17 12:11 PM, Matt Cosentino wrote:
> > This keeps getting worse, my site was down for over a minute while
> > the TLD scanner ran. There must be something I can do.
> If you need taglibs, you'll need to do TLS scanning. There really is
> no way to avoid that that I know of. One of many reasons I don't like
> JSP as a technology.
>
> If you are having a problem with downtime, you have other options that
> might help in other areas. For example, you could set up a second
> server and load-balance between the two of them. This protects you
> from a number of downtime-causing issues such as power failures, JVM
> crashes, and -- as in your example here -- planned maintenance.
>
> Running a single instance of your application in a production
> environment where uptime matters is really not an appropriate
> solution. If you had two servers, your application's restart time
> would not have been an issue.
>
> - -chris
>
> > -Original Message- From: Mark Thomas
> > [mailto:ma...@apache.org] Sent: Saturday, April 29, 2017 5:02 AM
> > To: Tomcat Users List  Subject: Re: Skip
> > resource path in TLD scanner?
> >
> > On 28/04/17 17:00, Matt Cosentino wrote:
> >> Yes, it's other folders within WEB-INF. I turned on the
> >> TldScanner logging and it is definitely what is causing the
> >> delay. My situation probably isn't very typical. The delay varies
> >> in my various web applications, the worst being about 20 seconds.
> >> It all adds up though, and every second counts when our sites are
> >> down.
> >
> > There is a solution available but it is intended more for the
> > embedded use case rather than a standard Tomcat install. Using it
> > in a standard install would require (effectively) patching Tomcat.
> >
> > The general idea would be to use the TldPreScanned class. That does
> > require all the TLDs to be listed in advance. On the plus side, no
> > scanning delay. On the down side, adding TLDs requires code
> > changes. Doing this with a standard Tomcat install requires changes
> > to the JasperInitializer (hence the patch). I don't think there is
> > a pure config way around that but I'll look into it.
> >
> > A better solution would probably be to make it easier to plugin in
> > a custom TLDScanner - i.e. purely with config. If you'd like us to
> > explore this option we should re-open 61052 and adjust accordingly.
> > I don't think there is enough demand for filtering resource paths
> > to make that worth implementing.
> >
> > One final thought. Are you running the web application from a WAR
> > or an expanded directory? (The latter would be faster).
> >
> > Mark
> >
> >
> >
> >>
> >> - Matt
> >>
> >>
> >> -Original Message- From: Mark Thomas
> >> [mailto:ma...@apache.org] Sent: Friday, April 28, 2017 7:28 AM
> >> To: Tomcat Users List  Subject: Re: Skip
> >> resource path in TLD scanner?
> >>
> >> On 27/04/17 23:39, Matt Cosentino wrote:
> >>> https://tomcat.apache.org/tomcat-8.0-doc/config/systemprops.html
> >>>
> >>>
> >>>
> There is one for skipping jar files:
> >>>
> >>> tomcat.util.scan.StandardJarScanFilter.jarsToSkip
> >>
> >> 
> >>
> >>> It skips /WEB-INF/classes/ and /WEB-INF/lib/, but it does not
> >>> check any property to skip user defined paths.
> >>
> >> Is it other paths within WEB-INF you need to skip?
> >>
> >> When I read "skipping resource paths" I was thinking of skipping
> >> the various places where Tomcat treat directories as JARs that
> >> then get scanned for TLDs (which can be configured via the
> >> JarScanner). But it sounds like skipping those won't help you.
> >>
> >> How sure are you that it is checking the 

Re: URL-encoding and "#"

[Alex O'Ree]

What was unexpected for me, was that even if the the symbol is URL
encoded, it was still stripped out by tomcat. I understand now
allowing a backslash in a URL, however if it is URL encoded as
%5C then why not allow it? Maybe I'm missing something

On Fri, Oct 13, 2017 at 7:17 AM, i...@flyingfischer.ch
<i...@flyingfischer.ch> wrote:
> Am 13.10.2017 um 12:48 schrieb Alex O'Ree:
>> Well that explains a lot. Similar issue for me. With url encoding,  tomcat
>> is dropping back slash and the plus symbol.
>
> While I think it is perfectly eligible to strive for a most perfect
> alignement with standards and specs, I think Tomcat should allow a
> reasonnable set of characters to be optionally allowed (as they already
> are in Tomcat up to 8.5).
>
> I am aware that these options may be a security issue and that the
> documentation should state that clearly. However it is not always
> possible to correct the environment to be "standard" compatible and the
> educational approach by not allowing these options is understandable but
> may be not appropriate in many situations.
>
> Best regards
> Markus
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: URL-encoding and "#"

[Alex O'Ree]

Well that explains a lot. Similar issue for me. With url encoding,  tomcat
is dropping back slash and the plus symbol.

On Oct 13, 2017 3:01 AM, "Mark Thomas"  wrote:

> On 13/10/2017 07:38, Peter Kreuser wrote:
> > Chris,
> >
> >
> >
> >
> > Peter Kreuser
> >> Am 13.10.2017 um 04:29 schrieb Christopher Schultz <
> w...@christopherschultz.net>:
> >>
> > James,
> >
>  On 10/12/17 8:44 PM, James H. H. Lampert wrote:
>  Question:
> 
>  The application we're developing has a suite of web services
>  (RESTful, Swagger-based), and at least one of them can accept a
>  pound sign ("#") as a URL parameter.
> 
>  Several months ago, with the application and all of its services
>  running on Tomcat 7, it was accepting a plain, naked # in the URL.
>  Now, running on Tomcat 8.5, it's returning an error message
>  ("HTTP/1.1 400").
> >
> > No client should ever send a naked # to a server. It's a violation of
> > the spec, full stop. That isn't to say that Tomcat should fail in any
> > particular way, but Tomcat is well within its rights to say "a # is
> > not allowed in a URL, so this is a bad request".
> >
> >
> >> Nevertheless there is AFAIR a commandline switch to set TC 8.5 to the
> old behavior.
>
> From memory, # isn't one of the allowed exceptions.
>
> The full list of invalid characters in the request line that Tomcat
> started to check for is:
> ' ', '\"', '#', '<', '>', '\\', '^', '`', '{', '|', '}'
>
> The allowed exceptions are (currently) '{', '|', '}'
>
> Mark
>
> >> James, please browse the mail archives.
> >> From a quick look this seems to help, for a short term solution:
> >
> >> https://marc.info/?l=tomcat-user=150183715500537=2
> >
> >> Please nevertheless fix the client, for a better world as Chris pointed
> out ;-P.
> >
> >> Best regards
> >
> >> Peter
> >
>  The developer (in a different time zone) has explained about
>  URL-encoding, but hasn't said whether there was anything in his
>  code to make it stop tolerating the naked # sign.
> 
>  Did the change from Tomcat 7 to Tomcat 8.5 have anything to do
>  with this?
> >
> > Each version of Tomcat gets more and more strict about the garbage it
> > will accept from clients. This is done to improve the world as a
> > whole, and also improve security when it comes to things like
> > converting URL paths into filesystem paths, etc. Strictly speaking,
> > everything should *always* be safe, but it helps to stop The Badness
> > at the earliest opportunity.
> >
>  And if so, are there any other common ASCII characters that used
>  to be accepted as characters, but now have to be URL-encoded?
> > Anything in the URL spec that is allowed should be allowed. Clients
> > should expect that anything not mentioned in the spec would be
> > rejected by a compliant server.
> >
> > -chris
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: installing certificates

[Alex O'Ree]

Graphical keystore tool - http://keystore-explorer.org/

It may make things easier

On Mon, Oct 9, 2017 at 6:13 PM, Adam Pease
 wrote:
> Hi Chris,
>   Many thanks for the quick response!  There's a lot of new terminology (to
> me) to all this and it's quite confusing I'm afraid.
>
>   I tried Let's Encrypt just now but since I'm running Tomcat sites either
> I'm not doing it right, or it doesn't know how to verify domains when they
> don't answer on port 80.  So I get "The server could not connect to the
> client to verify the domain :: Timeout"
>   Following the process at "gethttpsforfree.com" resulted in two long hex
> keys: one titled "Signed Certificate" and one titled "Intermediate
> Certificate".  I'm not sure what a "server certificate" is.  Is that a
> public/private key pair that I generated at the beginning of this process
> with
>
> openssl genrsa 4096 > account.key
>
> or what I did at the beginning of the tomcat instructions
>
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
>
> But that generates a .keystore file which is already a parameter to the
> failing command.
>
> I really appreciate your help.
>
> all the best,
> Adam
>
>
> On 10/09/2017 02:00 PM, Christopher Schultz wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Adam,
>>
>> On 10/9/17 4:24 PM, Adam Pease wrote:
>>>
>>> Hi, I'm running Tomcat 8.5.23 on an AWS Ubuntu Linux 16.04 LTS
>>> installation.  I'm trying to follow the instructions at
>>> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to get
>>> HTTPS running under tomcat.
>>
>>
>> Version mismatch. You want this guide:
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
>>
>>> My site runs with a self-signed certificate.  Now I'm trying to
>>> install a proper certificate from > https://gethttpsforfree.com/
>>
>> Try Let's Encrypt. I know nothing about "gethttpsforfree.com", but
>> I've personally done Let's Encrypt.
>>
>>> After the rather lengthy process to generate the "Signed
>>> Certificate" and "Intermediate Certificate" it appears I'm ready to
>>> follow the instructions under the heading "Importing the
>>> Certificate".
>>
>>
>> BTW, LE is a single command to get a signed certificate.
>>
>>> My first question is whether there is a difference between the
>>> certificates mentioned in
>>>
>>> - "import a so called Chain Certificate or Root Certificate into
>>> your keystore"
>>>
>>> and
>>>
>>> - "After that you can proceed with importing your Certificate."
>>
>>
>> You have a "server certificate" -- that's yours, and represents you.
>> There is (usually) another certificate, called the "chain" or
>> "intermediate" certificate, which represents the Certificate Authority
>> who signed your certificate.
>>
>> When your server performs a TLS handshake with the client, it needs to
>> present a "certificate chain" which includes your server certificate
>> (the "leaf") and any certificates required to link the server cert to
>> a root certificate which is stored within the client and already
>> trusted (e.g. VeriSign, DigiCert, etc.). So your server needs to have
>> multiple certificates available to send, and only one "belongs" to you.
>>
>>> I was able to execute the command:
>>>
>>> keytool -import -alias root -keystore 
>>> -trustcacerts -file 
>>>
>>> using a single file that has the "Signed Certificate" and
>>> "Intermediate Certificate" from gethttpsforfree.  But then I get an
>>> error from the next command
>>>
>>> ~$ keytool -import -alias tomcat -keystore .keystore -file
>>> chained.pem Enter keystore password: keytool error:
>>> java.lang.Exception: Certificate reply does not contain public key
>>> for 
>>
>>
>> Which file is which? Looks like you imported the chain twice.
>>
>>> When I run
>>>
>>> ~$ keytool -list -v
>>>
>>> I see (in part)
>>>
>>> Alias name: tomcat Creation date: Oct 9, 2017 Entry type:
>>> PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner:
>>> CN=Adam Pease
>>>
>>> I'm very new to certificates.  Could someone point me in the right
>>> direction?
>>
>>
>> Java keystores are a nightmare... it's not your fault. ;)
>>
>> It looks like you didn't successfully import the CA's
>> root/intermediate certificate. Can you reply with some more specifics?
>> What files do you have from the CA, what keystore(s) do you have, and
>> what are the exact commands you are running? You've left-out some
>> important details from your post above.
>>
>> Here's what I have in my "Java Keystore Cheat Cheet":
>>
>> Create your server key and self-signed cert:
>>>
>>> $ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096
>>> -alias ${HOSTNAME} -keystore ${HOSTNAME}.jks
>>
>>
>> Now, export your CSR:
>>
>>> $ keytool -certreq -sigalg SHA256withRSA -keystore ${HOSTNAME}.jks
>>>
>> Use that CSR to get your cert signed.
>>
>> Now, import the signed cert back into your keystore, starting with the
>> root and/or intermediate cert and finishing with your server's cert:
>>

Re: Tomcat unstable after updating apache http client

[Alex O'Ree]

Ill see if I can make a test war they'd reduces it to the minium.

On Oct 5, 2017 8:04 AM, "Mark Thomas" <ma...@apache.org> wrote:

On 05/10/17 12:12, Alex O'Ree wrote:
> I ran into a strange issue the other day.  Running tomcat 7.0.81. I have a
> war file with apache http client vs 4.3.3. I was having some issues with
my
> code in the war and experimented with updating the http client to 4.5.3.
> The result was bizarre.
>
> Tomcat would start as normal but stop serving http requests after the
first
> request.
>
> When running in the terminal,  I couldn't stop tomcat with ctrl c. I had
to
> force close it with task mgr.
>
> Is this expected?

No, not at all. Can you create a test war that demonstrates the issue?

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat unstable after updating apache http client

[Alex O'Ree]

I ran into a strange issue the other day.  Running tomcat 7.0.81. I have a
war file with apache http client vs 4.3.3. I was having some issues with my
code in the war and experimented with updating the http client to 4.5.3.
The result was bizarre.

Tomcat would start as normal but stop serving http requests after the first
request.

When running in the terminal,  I couldn't stop tomcat with ctrl c. I had to
force close it with task mgr.

Is this expected?

tomcat7 eol date?

[Alex O'Ree]

Is there an approximate or estimated date in which ASF will stop
supporting patches for Tomcat7?

I'm assuming that the tomcat major versions are tied to oracle's
support for the JRE, which implies that when oracle stops supporting
JRE7 that tomcat7 support will stop around the same time. Is that more
or less accurate?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: publishing tomcat server as maven artifact

[Alex O'Ree]

They weren't, other than that releases were happening at some point.

Ahh sorry you're right. What about the other variants, such as the
windows x64 builds with the service wrappers?

On Sat, Sep 23, 2017 at 4:05 AM, Mark Thomas <ma...@apache.org> wrote:
> On 23/09/17 02:27, Alex O'Ree wrote:
>> In light of the recent security issues, has the tomcat dev's ever
>> consider publishing the tomcat server as a maven artifact?
>
> How are those two related?
>
>> I just tomcat as a base server for Apache jUDDI and for several other
>> projects whereby I create preconfigured tomcat instance. It's also
>> super useful for integration testing. Anyhow, just food for thought
>
> The Tomcat community has been doing that for years:
>
> https://search.maven.org/#search%7Cga%7C1%7Corg.apache.tomcat
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

publishing tomcat server as maven artifact

[Alex O'Ree]

In light of the recent security issues, has the tomcat dev's ever
consider publishing the tomcat server as a maven artifact?

I just tomcat as a base server for Apache jUDDI and for several other
projects whereby I create preconfigured tomcat instance. It's also
super useful for integration testing. Anyhow, just food for thought

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Invalid characters in request header

[Alex O'Ree]

Is there a way too log whatever the offending header was?

On Sep 9, 2017 6:30 AM, "Martynas Jusevičius" 
wrote:

> Well then you're out of luck. Everything is as expected though, at least on
> your end -- client sends invalid request, gets error response. What else do
> you need?
>
> On Sat, Sep 9, 2017 at 12:13 PM, Yuval Schwartz 
> wrote:
>
> > Is that in my control? The url is not one that appears on my website,
> it's
> > something that was manually written by some client.
> >
> > On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius <
> > marty...@atomgraph.com>
> > wrote:
> >
> > > Tomcat is an HTTP sever, and if your client is sending invalid HTTP
> > > requests, Tomcat is right to respond with 400. The solution is to fix
> the
> > > client.
> > >
> > > On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz <
> > yuval.schwa...@gmail.com>
> > > wrote:
> > >
> > > > Hello Martynas, thanks.
> > > >
> > > > I'm not sure 404 is better than 400.
> > > >
> > > > Wouldn't it be preferable to validate the url before it has a chance
> to
> > > > throw the exception?
> > > > I guess my only reason for preferring this is because I don't want it
> > > > crowding up my logs.
> > > > I figure if I can filter it out beforehand then it's not really an
> > > > exception? But I would be happy to hear thoughts on this as I'm still
> > > > fairly new to programming. I'm not sure what is considered best
> > practice
> > > > here.
> > > >
> > > > Thanks.
> > > >
> > > > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <
> > > > marty...@atomgraph.com
> > > > > wrote:
> > > >
> > > > > How is 404 beter than 400?
> > > > >
> > > > > On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz <
> > > yuval.schwa...@gmail.com
> > > > >
> > > > > wrote:
> > > > >
> > > > > > Tomcat version:8.0.43
> > > > > > jdk1.8.0_05
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I've asked a similar question in the past about illegal
> characters
> > in
> > > > the
> > > > > > http request header (May 15, 2017).
> > > > > >
> > > > > > Certain users are able to send http requests to my server that
> > > contain
> > > > > the
> > > > > > space character.
> > > > > > This character is obviously not allowed. Tomcat recognizes it and
> > > > throws
> > > > > an
> > > > > > IllegalArgumentException and a http response code 400 is returned
> > to
> > > > the
> > > > > > client.
> > > > > > From my logs:
> > > > > >
> > > > > >
> > > > > >
> > > > > > *Error parsing HTTP request header...*
> > > > > > *java.lang.IllegalArgumentException: Invalid character found in
> > the
> > > > > > request
> > > > > > target. The valid characters are defined in RFC 7230 and RFC
> 3986*
> > > > > >
> > > > > > Is there any way to validate the url before it reaches tomcat so
> > > that I
> > > > > can
> > > > > > return a 404 if an invalid character is found in the url? I would
> > > just
> > > > > like
> > > > > > to avoid exceptions being thrown where possible.
> > > > > >
> > > > > > Thank you.
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Getting user role membership without context

[Alex O'Ree]

Mark, spot on! My ldap setup was incorrect, the group/role i was
expecting was in an OU that was not included in the roleSearchBase.
After that was resolved, i'm good to go. Thanks for your help

On Tue, Aug 8, 2017 at 2:44 AM, Mark Thomas <ma...@apache.org> wrote:
> Personally, I'd step through the JNDIRealm with a debugger (I use
> Eclipse) to see exactly what is going on. If you aren't set up for that,
> enabling debug logging for the JNDIRealm should provide some insight but
> it might not answer everything.
>
> Mark
>
>
> On 04/08/17 21:24, Alex O'Ree wrote:
>> Rehashing this. "Works" was working with the out of the box
>> tomcat-users.xml file. When incorporating a JNDI/Ldap setup, I'm not
>> getting the expected result.
>>
>> Server.xml setup
>> Realm
>> - UserLockOutRealm
>> -- JDNIRealm
>> -- UserRoleRealm (paraphrasing here, this is the default xml file thing)
>>
>> Consider the following ldap setup (MS active directory)
>> -LdapUserBob, memberOf=GroupAdmins,GroupNotRelevant objectclass=user
>> -GroupAdmins, objectclass=group
>> -GroupUsers, objectclass=group
>> -GroupNotRelevant, objectclass=group
>>
>> In the war/WEB-INF/web.xml, i have the user constraint setup with
>> mappings from the ldap groups to application roles.
>> Everything works as expected when logging in as LdapUserBob. The
>> mapped roles resolve in this context and the application requires the
>> mapped role GroupAdmins. LdapUserBob can get in, no one else can
>> though (expected)
>>
>> Using my hack job reflection solution and stepping through the code, I
>> can get a user object from the realm representing LdapUserBob and the
>> user object has exactly one role attached to it, GroupNotRelevant. I'm
>> a bit unclear as to why only the non relevant group is added to the
>> user role. When calling isUserInRole from the servlet context, it's
>> returning false. I'm assuming there's something wrong with the JNDI
>> realm configuration but since it works correctly under normal
>> circumstances and not using the reflection solution, I'm a bit puzzled
>> and am unsure how to proceed.
>>
>>
>> On Wed, Jul 19, 2017 at 11:20 AM, Alex O'Ree <spyhunte...@gmail.com> wrote:
>>> Got it to work! Thanks Mark!
>>>
>>> On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas <ma...@apache.org> wrote:
>>>> On 19/07/17 15:34, Alex O'Ree wrote:
>>>>> Context.findChild and findChildren returns an instance of "Container".
>>>>> It looks like StandardWrapper extends Container, so I should be able
>>>>> to type cast it. The question is, is it always going to be an instance
>>>>> of StandardWrapper?
>>>>
>>>> For a Context, it should always be an instance of Wrapper so as long as
>>>> you cast to Wrapper, you should be fine.
>>>>
>>>> In a default Tomcat install it will always be StandardWrapper but better
>>>> to use the interface here since it has the method you need.
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas <ma...@apache.org> wrote:
>>>>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>>>>> Nice, any idea which method I need to call?
>>>>>>
>>>>>> You already have the Context so you want
>>>>>>
>>>>>> Context.findChildren()
>>>>>>
>>>>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>>>>
>>>>>> Context.findChild(String)
>>>>>>
>>>>>> for a specific Wrapper if you know the name. The name should be the name
>>>>>> used in web.xml to define the Servlet.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>>>>>>
>>>>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>>>>> Alright, quick update on this.
>>>>>>>>>
>>>>>>>>> At this point, I have servlet context and a username running off the
>>>>>>>>> main tomcat http threads (quartz job)
>>>>>>>>>
>>>>>>>>>> StandardContext tomcat;load from reflection from 
>>>>>>>>>> Applic

Re: Question - JVM Host display page

[Alex O'Ree]

Try

Tomcat/webapps/root/index.jsp

On Aug 6, 2017 7:44 AM, "bebe böbe"  wrote:

> Hi,
>
> I reserved the domain "palibacsi.de" with "JVM Host".
> When someone visits the page, I want it to display my "index.html" file.
> Instead it now displays the Tomcat homepage.
> How could I change this?
> Sorry if the question is too basic...
>
> Thanks,
> Thomas
>

Re: Getting user role membership without context

[Alex O'Ree]

Rehashing this. "Works" was working with the out of the box
tomcat-users.xml file. When incorporating a JNDI/Ldap setup, I'm not
getting the expected result.

Server.xml setup
Realm
- UserLockOutRealm
-- JDNIRealm
-- UserRoleRealm (paraphrasing here, this is the default xml file thing)

Consider the following ldap setup (MS active directory)
-LdapUserBob, memberOf=GroupAdmins,GroupNotRelevant objectclass=user
-GroupAdmins, objectclass=group
-GroupUsers, objectclass=group
-GroupNotRelevant, objectclass=group

In the war/WEB-INF/web.xml, i have the user constraint setup with
mappings from the ldap groups to application roles.
Everything works as expected when logging in as LdapUserBob. The
mapped roles resolve in this context and the application requires the
mapped role GroupAdmins. LdapUserBob can get in, no one else can
though (expected)

Using my hack job reflection solution and stepping through the code, I
can get a user object from the realm representing LdapUserBob and the
user object has exactly one role attached to it, GroupNotRelevant. I'm
a bit unclear as to why only the non relevant group is added to the
user role. When calling isUserInRole from the servlet context, it's
returning false. I'm assuming there's something wrong with the JNDI
realm configuration but since it works correctly under normal
circumstances and not using the reflection solution, I'm a bit puzzled
and am unsure how to proceed.


On Wed, Jul 19, 2017 at 11:20 AM, Alex O'Ree <spyhunte...@gmail.com> wrote:
> Got it to work! Thanks Mark!
>
> On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas <ma...@apache.org> wrote:
>> On 19/07/17 15:34, Alex O'Ree wrote:
>>> Context.findChild and findChildren returns an instance of "Container".
>>> It looks like StandardWrapper extends Container, so I should be able
>>> to type cast it. The question is, is it always going to be an instance
>>> of StandardWrapper?
>>
>> For a Context, it should always be an instance of Wrapper so as long as
>> you cast to Wrapper, you should be fine.
>>
>> In a default Tomcat install it will always be StandardWrapper but better
>> to use the interface here since it has the method you need.
>>
>> Mark
>>
>>
>>>
>>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas <ma...@apache.org> wrote:
>>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>>> Nice, any idea which method I need to call?
>>>>
>>>> You already have the Context so you want
>>>>
>>>> Context.findChildren()
>>>>
>>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>>
>>>> Context.findChild(String)
>>>>
>>>> for a specific Wrapper if you know the name. The name should be the name
>>>> used in web.xml to define the Servlet.
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>>>>
>>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>>> Alright, quick update on this.
>>>>>>>
>>>>>>> At this point, I have servlet context and a username running off the
>>>>>>> main tomcat http threads (quartz job)
>>>>>>>
>>>>>>>> StandardContext tomcat;load from reflection from ApplicationContext
>>>>>> from ServletContext as ApplicationContextFacade
>>>>>>>> Realm realm = tomcat.getRealm()
>>>>>>>
>>>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>>>
>>>>>>>> Principal user = realm.authenticate(username);
>>>>>>>
>>>>>>> At this point, the user object is populated and appears to have the
>>>>>>> roles attached to it (they are listed in the to String method).
>>>>>>>
>>>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>>>
>>>>>>> This part returns false, if and only if the ldap membership matches
>>>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>>>> role-name do not appear to be effect.
>>>>>>>
>>>>>>> I think this may have something to do with the Principal object not
>&

Re: Storing JNDI binding password using encryption

[Alex O'Ree]

The jar file is in /tomcat/lib. The class is super simple

package org.redacted;
public class JNDIRealmExt extends JNDIRealm{
@Override public String getConnectionPassword(){
 return Utility.decrypt(connectionPassword);
}
}

server.xml looks like this



ldap://localhost:389;
userBase="..."
userSearch="..."
roleBase="..."
roleName=".."
roleSubtree=".."
roleSearch=".."
referrals="follow"

/>





I'm attaching the debugger pretty close to tomcat's startup and the
getConnectionPassword method never fires. I do see tons of logs in the
console for ldap connection failures due to the password not
functioning (pretty much immediately locks the account out at the ldap
server). The stack trace does not included my extended JNDI class,
only the tomcat provided JNDIRealm class.

On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org>
>> wrote:
>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>> Assuming I had access to a reversible encryption mechanism and
>>>> wanted to store the JNDI binding password in an encrypted form
>>>> by extending the JNDIRealm class, which method should i
>>>> override to encrypt the password stored in server.xml on the
>>>> fly?
>>>
>>> You could do this via a custom PropertySource. I wouldn't
>>> recommend it.
>>>
>>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>> I tried just extend the JDNI Realm class and overriding
>> getConnectionPassword but it doesn't appear that my code ever
>> called, even those my fully qualified classname is listed in the
>> realm xml element. Any ideas?
>
> Please post your configuration (without secrets) and as much of your
> code as is relevant.
>
> Also, where did you place your .class file for your JNDIRealm subclass?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJZb60bAAoJEBzwKT+lPKRYgGkP/25fnw6EVElSQCmXVgINsCBX
> rBb/77kSxNGnnBO1KBmGszjyUUXmW0aKDfwLM+fR+poGYyI3IOyzwZ7iZlXiQ2+2
> iqNfoqv8J/OjFezV9fRMKSk3Iws5CGJcuV13wUgmgAKgquUOvR21hKI8j3BbQvq8
> S0Z1hXxLdCNGLWesQiXJEg4wYzNSDjlruOHaAFH7sQ6pyfCYKKEpOs73no3QVeTd
> Rl/xIP70wu36IYIGPedUrufARij5bQOVd8mqi4VAyOxj8f3ENsbT/qFHA5xAb8Qi
> m8TofIkYYXOC11rBHsr17zobPawiZurh/ocUC4/8GN3O1FWYwd4jrAiJXlVPe8pQ
> SuLLTygXu2NTa5F6atjFbKeBDSasBFNSAuEE1OaW7qYIYW3oc+4vNRegcK3SAnRK
> R+2GonQLMUB51H5AHuU/pXcuZXZWbxxE1Fu1xMMULtVpI6iIxLLxKvw6y+MV2S2w
> AVcWJASMdAXmBq8NgiYVj/yjn/jlXdDMvJSs1mUzKE8egMHxZkGkbyEDcwjGjTod
> b3SgvDRD/DcjwubzsanNPFwDmsdFTRrvhOHmtbFkZ+Rod/QWlRkgDN0kC2SyltmY
> Dp5zcTlJW33RTQl9T9Hzg3rkH4OFOpchw4ObmhLwgrPPl25SPCq9sn8JHMvZrbii
> 4z8GSeBeaXCf9UVubrrR
> =9o3d
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Storing JNDI binding password using encryption

[Alex O'Ree]

Thanks Mark

I tried just extend the JDNI Realm class and overriding
getConnectionPassword but it doesn't appear that my code ever called,
even those my fully qualified classname is listed in the realm xml
element. Any ideas?

On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/07/17 16:22, Alex O'Ree wrote:
>> Assuming I had access to a reversible encryption mechanism and wanted
>> to store the JNDI binding password in an encrypted form by extending
>> the JNDIRealm class, which method should i override to encrypt the
>> password stored in server.xml on the fly?
>
> You could do this via a custom PropertySource. I wouldn't recommend it.
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Storing JNDI binding password using encryption

[Alex O'Ree]

Assuming I had access to a reversible encryption mechanism and wanted
to store the JNDI binding password in an encrypted form by extending
the JNDIRealm class, which method should i override to encrypt the
password stored in server.xml on the fly?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Getting user role membership without context

[Alex O'Ree]

Got it to work! Thanks Mark!

On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas <ma...@apache.org> wrote:
> On 19/07/17 15:34, Alex O'Ree wrote:
>> Context.findChild and findChildren returns an instance of "Container".
>> It looks like StandardWrapper extends Container, so I should be able
>> to type cast it. The question is, is it always going to be an instance
>> of StandardWrapper?
>
> For a Context, it should always be an instance of Wrapper so as long as
> you cast to Wrapper, you should be fine.
>
> In a default Tomcat install it will always be StandardWrapper but better
> to use the interface here since it has the method you need.
>
> Mark
>
>
>>
>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas <ma...@apache.org> wrote:
>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>> Nice, any idea which method I need to call?
>>>
>>> You already have the Context so you want
>>>
>>> Context.findChildren()
>>>
>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>
>>> Context.findChild(String)
>>>
>>> for a specific Wrapper if you know the name. The name should be the name
>>> used in web.xml to define the Servlet.
>>>
>>> Mark
>>>
>>>
>>>>
>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>>>
>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>> Alright, quick update on this.
>>>>>>
>>>>>> At this point, I have servlet context and a username running off the
>>>>>> main tomcat http threads (quartz job)
>>>>>>
>>>>>>> StandardContext tomcat;load from reflection from ApplicationContext
>>>>> from ServletContext as ApplicationContextFacade
>>>>>>> Realm realm = tomcat.getRealm()
>>>>>>
>>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>>
>>>>>>> Principal user = realm.authenticate(username);
>>>>>>
>>>>>> At this point, the user object is populated and appears to have the
>>>>>> roles attached to it (they are listed in the to String method).
>>>>>>
>>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>>
>>>>>> This part returns false, if and only if the ldap membership matches
>>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>>> role-name do not appear to be effect.
>>>>>>
>>>>>> I think this may have something to do with the Principal object not
>>>>>> having a login context. Normally, this is available via a servlet, but
>>>>>> this it is not.
>>>>>>
>>>>>> I think the root cause might be this line.
>>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/
>>>>> java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>>
>>>>>> Which probably does the translation from the LDAP defined group or
>>>>>> role into what the application is expecting. Am I on the right path
>>>>>> here?
>>>>>
>>>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>>>> Servlet won't apply. If you know which servlet to use for the role
>>>>> mappings you can get that from the Context (Wrappers represent Servlets
>>>>> and are children of the Context).
>>>>>
>>>>> Mark
>>>>>
>>>>> -
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>>
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org