Re: Crypto Randomly Not Getting Initialized

2023-06-13 Thread r . barclay
Hey Jerry,

> Caused by: java.lang.SecurityException: Can not initialize cryptographic 
> mechanism
>      at 
> java.base/javax.crypto.JceSecurity.(JceSecurity.java:120) ... 86 mo
> Caused by: java.lang.SecurityException: Can't read cryptographic policy 
> directory: unlimited

Does this help?
https://stackoverflow.com/a/58183460/

Yours,
Reg


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Apache httpd as reverse proxy in front of Tomcat 10.1 - Different Connectors vs. HTTP request smuggling

2023-05-05 Thread r . barclay
Hello,

I have some questions about HTTP request smuggling in the context of Tomcat 
with Apache httpd as its reverse proxy.

First of all, a few words about my current setup: At the moment I have a few 
applications that are deployed this way:
I use Tomcat 10.1 as my backend server. It only activates its AJP connector (no 
HTTP(S)).
In front, there is an Apache httpd 2.4 with mod_jk as a reverse proxy for my 
Tomcat.
Apache httpd does SSL termination and HSTS redirecting and rejects some trash 
traffic before it could reach Tomcat.
mod_jk is used with the more or less default configuration, which includes 
reuse of backend AJP connections.

Question 1:
Assuming I use the up-to-date package versions in Debian 11, is this setup 
prone to HTTP request smuggling?
If that might be the case, what steps should be taken against it?
Do users have to enable "JkOptions +DisableReuse" to prevent HTTP request 
smuggling?
Or is the AJP protocol somewhat "immune" against the confusion about the 
request headers Content-Length, Transfer-Encoding etc.?
I haven't found much about the topic "mod_jk + request smuggling".

Question 2:
In a new application I will have to use websockets.
It seems websockets do not work over AJP / mod_jk.
So I will have to enable Tomcat's HTTP connector and use mod_proxy_wstunnel in 
the Apache httpd reverse proxy.
Therefore, the setup probably won't use AJP / mod_jk at all, but 
mod_proxy_http, connecting to Tomcat's HTTP connector.
What steps does one have to take against HTTP request smuggling in this case?
Do we have to use "disablereuse=on keepalive=off" on the Apache httpd side?

What are your experiences / best practices?

Question 3:
Do the Apache httpd and Apache Tomcat projects coordinate their header 
processing algorithms, header normalization efforts etc. to combat HTTP request 
smuggling?
So is the combination of "Apache httpd + (mod_jk | mod_proxy_*) + Apache 
Tomcat" considered "HTTP request smuggling"-safe in general?

Thanks a lot for any advice!

Reg
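
The "confusion about the request headers Content-Length, Transfer-Encoding" that Question 1 refers to comes down to a handful of header combinations that RFC 9112 tells a server to reject or treat as errors. The following is an added example, not part of the thread and not code from httpd, mod_jk or Tomcat: a small check for those combinations in a captured request head. The function name, issue labels and sample requests are constructed for illustration.

```python
import re

# Field names must be RFC 9110 "token" characters only (no whitespace).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample request heads (not taken from the thread).
CLEAN = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\n")
CL_AND_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
DUP_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n")
SPACED_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n")
TE_NOT_CHUNKED = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Transfer-Encoding: chunked, gzip\r\n\r\n")


def framing_issues(head: bytes) -> list:
    """Return labels for body-framing ambiguities in one HTTP/1.1 request head.

    An empty list means the head gives exactly one way to find the end of
    the body. Any label means two parsers could disagree, so a front end
    should answer 400 and close the connection instead of forwarding.
    """
    issues = []

    def flag(label):
        if label not in issues:
            issues.append(label)

    # Keep only the head (everything before the first blank line).
    head = re.split(rb"\r?\n\r?\n", head, maxsplit=1)[0]
    if re.search(rb"(?<!\r)\n", head):
        flag("bare-lf-line-ending")

    lengths, codings = [], []
    for line in re.split(rb"\r?\n", head)[1:]:  # [1:] skips the request line
        if line[:1] in (b" ", b"\t"):
            flag("obsolete-line-folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Covers "Transfer-Encoding : chunked" (space before the colon).
            flag("invalid-field-name")
        key = name.strip().lower()
        items = [v.strip() for v in value.split(b",") if v.strip()]
        if key == b"content-length":
            lengths += items or [b""]
        elif key == b"transfer-encoding":
            codings += [v.lower() for v in items]

    if any(not v.isdigit() for v in lengths):
        flag("content-length-not-numeric")
    elif len({int(v) for v in lengths}) > 1:
        flag("conflicting-content-length")
    if codings and lengths:
        flag("content-length-with-transfer-encoding")
    if codings and codings[-1] != b"chunked":
        flag("transfer-encoding-not-ending-in-chunked")
    return issues


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("cl+te", CL_AND_TE),
                          ("dup-cl", DUP_CL), ("spaced-te", SPACED_TE),
                          ("te-not-chunked", TE_NOT_CHUNKED)]:
        print(label, framing_issues(sample))
```
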








Tomcat 9.0.71 Anomalies

2023-03-06 Thread HARRIS Mark R * DOC
We experienced a very similar situation with Oracle connections not releasing.  
We did not hit an error state because our DBA team alerted us and we began to 
immediately fail-over to freshly restarted Tomcat instances.

We recently upgraded Tomcat from v9.0.38 to v9.0.65.  We also are using Spring 
in our application.

When we saw this thread, for a rough test, we started up a new Tomcat v9.0.38 
instance in the same production environment as the problematic v9.0.65 
instances and started draining customers to the downgraded instance.  The 
v9.0.38 instance is growing the number of connections within the bounds defined 
for our connection pool and is correctly releasing the connections when demand 
drops.

We have since spun up several new v9.0.38 Tomcat instances and taken all of the 
9.0.65 instances offline.

Sorry, since our DBA team was pro-active enough to alert us before we started 
generating stack traces, I don't have any to share.  Likewise we do not have GC 
or JVM dumps to share.  We were in production break/fix mode and in a rush to 
keep our production environment responsive to our customers.  

R. Mark Harris
Information Technology Systems
Oregon Department of Corrections

-Original Message-
From: Mark Thomas 
Sent: Saturday, March 4, 2023 12:45 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.71 Anomalies

On 03/03/2023 20:19, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Hi Mark,
> 
> On the slowness, this is when they are retrieving random .js files from the 
> exploded war file after deployment.

To clarify, these are .js files loaded directly from the file system? 
They are not packaged in a JAR file?

> It's taking a long
> amount of time. Some of these are quite large, like 2MB or more. When the 
> issue shows, doing a curl we get to here and then it pauses for some time 
> before it feeds back the data.
> 
> *   Trying **.**.**.**:8443...
> * TCP_NODELAY set
> * Connected to server port 8443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / 
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> *  subject:
> *  start date:
> *  expire date:
> *  issuer:
> *  SSL certificate verify result: unable to get local issuer certificate 
> (20), continuing anyway.
>> GET  HTTP/1.1
>> Host:
>> User-Agent: curl/7.65.3
>> Accept: */*
>>
> 
> And it just hangs out here before finally getting the requested file.

How repeatable is this?

How long does it hang before delivering content? Is it always the same or does 
it vary?

Which connector are you using?

What Tomcat version did you upgrade from?

How does the problem before the upgrade compare to the problem after the 
upgrade?

What component is serving the content? Is it Tomcat's default servlet or is it 
something else?

When it happens, take 3 thread dumps a few seconds apart. The aim is to figure 
out why it is hanging.

> In looking at the catalina.out log file, I am not seeing any 
> errors/stack-traces.
> 
> Any ideas as to what may be causing this?

Not at the moment. The information requested above should at least narrow down 
which parts we need to think about.

Mark

> 
> Thank you,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> 
>> -Original Message-
>> From: Mark Thomas 
>> Sent: Friday, March 3, 2023 1:32 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat 9.0.71 Anomalies
>>
>> On 02/03/2023 21:54, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>> Hello gentle beings,

Re: AW: Request for SSL Setup

2022-06-28 Thread Manibharathi R

Thanks for your prompt response.

Could you please send me the procedure that how can we generate certificates
files?

-Original Message-
From: Thomas Hoffmann (Speed4Trade GmbH)
Sent: Tuesday, June 28, 2022 12:13 PM
To: Tomcat Users List
Subject: AW: Request for SSL Setup



Hello,


-Original Message-
From: Manibharathi R 
Sent: Tuesday, June 28, 2022 07:16
To: users@tomcat.apache.org
Subject: Request for SSL Setup

Dear Team,

Greetings,

I have done keystore generation, import key features and changes done in
server.xml. But still I am unable to access through https.

Kindly send me the causes of this issue

Regards,
R.Manibharathi,
AM,Android Mobile App Developer





Could you please check all logfiles if there are some errors shown?
Any stacktraces, warnings or errors visible?
Is there a line like "org.apache.coyote.AbstractProtocol.start Starting
ProtocolHandler ["https-openssl-nio-443"]" ?

Greetings, Thomas


Regards,
R.Manibharathi,
AM,Android Mobile App Developer







Request for SSL Setup

2022-06-27 Thread Manibharathi R
Dear Team,

Greetings,

I have done keystore generation, import key features and changes done in 
server.xml. But still I am unable to access through https.

Kindly send me the causes of this issue

Regards,
R.Manibharathi,
AM,Android Mobile App Developer





Re: Log format access logs standard

2022-06-07 Thread rinilnath r
%S did solve. Thanks to Mark.


Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 7 Jun, 2022, 20:07 Jalaj Asher, 
wrote:

> Can you try  JSessionID ?
>
> -Original Message-
> From: rinilnath r 
> Sent: Tuesday, June 7, 2022 7:25 AM
> To: Tomcat Users List 
> Subject: Re: Log format access logs standard
>
>
>
> Thanks Mark, I corrected that by removing the > symbol
>
> But my next problem is to log the session ID I tried
> x-H(requestSessionId), but it is not correct.
>  Please help
>
> Thanks and Regards,
> Rinilnath
> Mobile#9786285451
>
> On Tue, 7 Jun, 2022, 12:11 Mark Thomas,  wrote:
>
> > On 07/06/2022 07:06, rinilnath r wrote:
> > > Hi,
> > >
> > > What's the meaning of this?
> > > %>s
> >
> > If that appears in the pattern attribute of an AccessLogValve then it
> > is an error and you'll see the following in the access log:
> >
> > ???>???s
> >
> > Mark
> >


Re: Log format access logs standard

2022-06-07 Thread rinilnath r
Thanks Mark, I corrected that by removing the > symbol

But my next problem is to log the session ID
I tried x-H(requestSessionId), but it is not correct.
 Please help

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 7 Jun, 2022, 12:11 Mark Thomas,  wrote:

> On 07/06/2022 07:06, rinilnath r wrote:
> > Hi,
> >
> > What's the meaning of this?
> > %>s
>
> If that appears in the pattern attribute of an AccessLogValve then it is
> an error and you'll see the following in the access log:
>
> ???>???s
>
> Mark
>


Log format access logs standard

2022-06-07 Thread rinilnath r
Hi,

What's the meaning of this?
%>s

Thanks and Regards,
Rinilnath
Mobile#9786285451


Re: Issues when building native image with GraalVM

2022-01-07 Thread Mar R
 >Tomcat is a Jakarta EE container, [...]
>If you don't like that, then you have to look at a framework targeted
>at making native images. My employer happens to make Quarkus.

Thanks for the suggestion, seems like this will close the gap to a full
native image that's bothering me :D


>I don't understand what you mean about the problem with
>ServletContextListener. I don't understand why there would be a
>problem with that. Please try to debug it further if you can.

I don't have any idea how to debug it further, I brought it to the minimum
possible. It's a new project with just 1 servlet, 1 jsp and 1 class
implementing ServletContextListener (InitClass.java). I could only leave
the InitClass but then the issue wouldn't appear because something has to
access it in some way after it's initialized. So at least a servlet or a
jsp has to exist and access it.
As for being an issue, I could be wrong because I don't understand at all
how the -generateCode and --useGeneratedCode part of the process works. I
looked a lot but found zero doc/info about those. The only thing I've
discovered is that those are related to Tomcat (probably about embedding
Tomcat) and not Graal. (found reference of them in the source code.)
So I could only suppose: -generateCode generates some kind of code/info
upon using the webapp, which will be used by -useGenerateCode. Considering
-useGenerateCode is used alongside the native image agent I suppose the
previous generated info is needed by the native image agent.
So, based on these suppositions, I've found it strange that if something
accesses a class implementing ServletContextListener after (obviously) it was
initialized, the webapp workflow goes on like that class didn't even exist.
To debug this I put a simple System.out.println("") in the
static block, in the constructor and in the initializer block. Upon the
start of the webapp all 3 get correctly run, but once something accesses that
class only the static block gets executed and the previous instance gets
lost. So the effects of whatever code was run before is now lost.
I don't know how to explain this clearly I'm sorry, the fastest and best
way would be to try directly, I provided all the code, files, commands I
used.


>About JMX, Tomcat uses JMX and has it enabled by default. You can
>disable JMX use in Tomcat with --no-jmx (until recently this was done
>internally in Tomcat when using AOT).

Thanks I'll try again this way, as soon as I discover where to use it :D


On Tue 4 Jan 2022 at 14:22, Rémy Maucherat wrote:

> On Fri, Dec 31, 2021 at 2:47 PM Mar R  wrote:
> >
> > I forgot something sorry. Maybe I'm missing something important but,
> about
> > classloading, on native image shouldn't it NOT exist? As far as I
> > understood after you have a native image you have (resources apart)
> > everything you need inside the binary + libraries, in my case .exe and
> .dll
> > files.
> > Unless I missed something and a graal native image has a jvm or sort of
> > which will actually run, so now i get why java code outside of the binary
> > will actually be used, BUT then I don't get why it was designed this way,
> > this isn't AOT anymore
>
> Tomcat is a Jakarta EE container, so it does that and runs regular
> webapps (the main big difference is that the JSPs of the webapp have
> to be precompiled - luckily this has been a feature for a while).
> Graal doesn't remove classloading anyway, the webapp initialization is
> the same, and all components are loaded dynamically from descriptors
> or annotations.
> If you don't like that, then you have to look at a framework targeted
> at making native images. My employer happens to make Quarkus.
>
> As for the issues, you should close
> https://github.com/oracle/graal/issues/4164
>
> I fixed the following issues (will be in the next releases in January):
> - Packaging some now missing resource bundles (you can ignore warnings
> like this)
> - Better escaping for call method rules argument values in generated
> code (this causes a problem with your Windows paths with the watched
> resources)
>
> I don't understand what you mean about the problem with
> ServletContextListener. I don't understand why there would be a
> problem with that. Please try to debug it further if you can.
>
> About JMX, Tomcat uses JMX and has it enabled by default. You can
> disable JMX use in Tomcat with --no-jmx (until recently this was done
> internally in Tomcat when using AOT).
>
> Rémy
>
> >
> > On Fri 31 Dec 2021 at 14:42, Mar R <marco.robiat...@gmail.com> wrote:
> >
> > > On Tue 28 Dec 2021 at 22:26, Rémy Maucherat <r...@apache.org> wrote:
> > >
> > >> On Tue, Dec 28, 2021

Re: Issues when building native image with GraalVM

2021-12-31 Thread Mar R
I again forgot something, sorry I spent too much time on this I'm a little
tired.

With dev builds, the only difference is that on JAVA 17 there's no need
anymore to use -J--add-exports=java.management/sun.management=ALL-UNNAMED

and github issues link is https://github.com/oracle/graal/issues/4164

On Fri 31 Dec 2021 at 14:47, Mar R wrote:

> I forgot something sorry. Maybe I'm missing something important but, about
> classloading, on native image shouldn't it NOT exist? As far as I
> understood after you have a native image you have (resources apart)
> everything you need inside the binary + libraries, in my case .exe and .dll
> files.
> Unless I missed something and a graal native image has a jvm or sort of
> which will actually run, so now I get why java code outside of the binary
> will actually be used, BUT then I don't get why it was designed this way,
> this isn't AOT anymore
>
> On Fri 31 Dec 2021 at 14:42, Mar R wrote:
>
>> On Tue 28 Dec 2021 at 22:26, Rémy Maucherat wrote:
>>
>>> On Tue, Dec 28, 2021 at 7:18 PM Mar R  wrote:
>>> >
>>> > Tomcat 10.0.14
>>> > Windows 10 x64 21H1 OS Build 19043.1415
>>> >
>>> > openjdk version "17.0.1" 2021-10-19
>>> > OpenJDK Runtime Environment GraalVM CE 21.3.0 (build
>>> > 17.0.1+12-jvmci-21.3-b05)
>>> > OpenJDK 64-Bit Server VM GraalVM CE 21.3.0 (build
>>> 17.0.1+12-jvmci-21.3-b05,
>>> > mixed mode, sharing)
>>> >
>>> > NetBeans 12.6, maven webapp project
>>> > Maven 3.8.4
>>> > Ant 1.10.12
>>> >
>>> > Followed guide at https://tomcat.apache.org/tomcat-10.0-doc/graal.html
>>> >
>>> > Sorry in advance if not all issues should be reported here but instead
>>> are
>>> > graalvm native image related, I'm reporting everything here and on
>>> their
>>> > github for completeness.
>>> >
>>> >
>>> https://drive.google.com/file/d/17flFW5nlNCdojlvJxCOy23NJBj03p46u/view?usp=sharing
>>> > In this link you can find a folder with everything I used from tomcat
>>> > stuffed folder downloaded from the github link present in the tomcat
>>> AOT
>>> > guide, to all commands I put in a script for easier testing purpose,
>>> source
>>> > webapp, built webapp, screenshots, everything :D
>>> >
>>> > I'll start by saying I'm well aware I could definitely have overlooked
>>> > something, anyway I managed to get to the final native image and it
>>> works,
>>> > BUT:
>>> >
>>> > If you remove .class files from webapps/webappname folder, when you
>>> run the
>>> > binary file, it won't find those files, only jsps. This is strange
>>> because
>>> > those files are actually present in the fat jar, and this actually
>>> beats
>>> > the purpose of building a native image if you have to ship it with java
>>> > files.
>>> >
>>> > If there is a class extending ServletContextListener (InitClass in this
>>> > webapp), when running command with "--catalina -generateCode"
>>> parameter,
>>> > where you have to access all jsps and servlets, the class extending
>>> > ServletContextListener will be initialized/used(?) like 2 times, but
>>> the
>>> > second time not completly, resetting everything done in the first
>>> > initialization.
>>> > In this webapp it happens when you access the only servlet present.
>>> > Anyway all code is in the google drive link and in InitClass I put some
>>> > prints so you can see what I mean.
>>> > In another bigger webapp my InitClass initializes a lot of things used
>>> by
>>> > the webapp basically screwing it.
>>> > This issue happens only in this phase because in the second phase
>>> where
>>> > the parameter is "useGeneratedCode" it works normally both with this
>>> simple
>>> > test webapp and in my other one
>>> >
>>> > When building with native-image command, if
>>> > "-J--add-exports=java.management/sun.management=ALL-UNNAMED" isn't
>>> used as
>>> > additional parameter, errors will pop on run crashing the app.
>>> (screenshot
>>> > in the google drive link)
>>>
>>> Before looking at it more deeply (later ...), let's take this step by
>>> step:
>>> - Even tho

Re: Issues when building native image with GraalVM

2021-12-31 Thread Mar R
I forgot something sorry. Maybe I'm missing something important but, about
classloading, on native image shouldn't it NOT exist? As far as I
understood after you have a native image you have (resources apart)
everything you need inside the binary + libraries, in my case .exe and .dll
files.
Unless I missed something and a graal native image has a jvm or sort of
which will actually run, so now I get why java code outside of the binary
will actually be used, BUT then I don't get why it was designed this way,
this isn't AOT anymore

On Fri 31 Dec 2021 at 14:42, Mar R wrote:

> On Tue 28 Dec 2021 at 22:26, Rémy Maucherat wrote:
>
>> On Tue, Dec 28, 2021 at 7:18 PM Mar R  wrote:
>> >
>> > Tomcat 10.0.14
>> > Windows 10 x64 21H1 OS Build 19043.1415
>> >
>> > openjdk version "17.0.1" 2021-10-19
>> > OpenJDK Runtime Environment GraalVM CE 21.3.0 (build
>> > 17.0.1+12-jvmci-21.3-b05)
>> > OpenJDK 64-Bit Server VM GraalVM CE 21.3.0 (build
>> 17.0.1+12-jvmci-21.3-b05,
>> > mixed mode, sharing)
>> >
>> > NetBeans 12.6, maven webapp project
>> > Maven 3.8.4
>> > Ant 1.10.12
>> >
>> > Followed guide at https://tomcat.apache.org/tomcat-10.0-doc/graal.html
>> >
>> > Sorry in advance if not all issues should be reported here but instead
>> are
>> > graalvm native image related, I'm reporting everything here and on their
>> > github for completeness.
>> >
>> >
>> https://drive.google.com/file/d/17flFW5nlNCdojlvJxCOy23NJBj03p46u/view?usp=sharing
>> > In this link you can find a folder with everything I used from tomcat
>> > stuffed folder downloaded from the github link present in the tomcat AOT
>> > guide, to all commands I put in a script for easier testing purpose,
>> source
>> > webapp, built webapp, screenshots, everything :D
>> >
>> > I'll start by saying I'm well aware I could definitely have overlooked
>> > something, anyway I managed to get to the final native image and it
>> works,
>> > BUT:
>> >
>> > If you remove .class files from webapps/webappname folder, when you run
>> the
>> > binary file, it won't find those files, only jsps. This is strange
>> because
>> > those files are actually present in the fat jar, and this actually beats
>> > the purpose of building a native image if you have to ship it with java
>> > files.
>> >
>> > If there is a class extending ServletContextListener (InitClass in this
>> > webapp), when running command with "--catalina -generateCode" parameter,
>> > where you have to access all jsps and servlets, the class extending
>> > ServletContextListener will be initialized/used(?) like 2 times, but the
>> > second time not completely, resetting everything done in the first
>> > initialization.
>> > In this webapp it happens when you access the only servlet present.
>> > Anyway all code is in the google drive link and in InitClass I put some
>> > prints so you can see what I mean.
>> > In another bigger webapp my InitClass initializes a lot of things used
>> by
>> > the webapp basically screwing it.
>> > This issue happens only in this phase because in the second phase where
>> > the parameter is "useGeneratedCode" it works normally both with this
>> simple
>> > test webapp and in my other one
>> >
>> > When building with native-image command, if
>> > "-J--add-exports=java.management/sun.management=ALL-UNNAMED" isn't used
>> as
>> > additional parameter, errors will pop on run crashing the app.
>> (screenshot
>> > in the google drive link)
>>
>> Before looking at it more deeply (later ...), let's take this step by
>> step:
>> - Even though you are generating a fat JAR and building a native
>> image, the webapps should stay unchanged. All classes and JARs in
>> WEB-INF will be needed for annotation scanning and whatever
>> "classloading". So this is not a bug. Don't worry, regular Java
>> classes that have not been compiled in a native image are never going
>> to be magically dynamically loaded and run, since this isn't possible
>> at all.
>> - Java 17 with Graal is completely untested (Java 11 is) since it's
>> very new. Since you seem very adventurous, you can also try to compile
>> in the Panama support for OpenSSL.
>> - I haven't tested the JMX support, which is fairly new in Graal.
>> Adding the module declaration on the command line if needed

Re: Issues when building native image with GraalVM

2021-12-31 Thread Mar R
On Tue 28 Dec 2021 at 22:26, Rémy Maucherat wrote:

> On Tue, Dec 28, 2021 at 7:18 PM Mar R  wrote:
> >
> > Tomcat 10.0.14
> > Windows 10 x64 21H1 OS Build 19043.1415
> >
> > openjdk version "17.0.1" 2021-10-19
> > OpenJDK Runtime Environment GraalVM CE 21.3.0 (build
> > 17.0.1+12-jvmci-21.3-b05)
> > OpenJDK 64-Bit Server VM GraalVM CE 21.3.0 (build
> 17.0.1+12-jvmci-21.3-b05,
> > mixed mode, sharing)
> >
> > NetBeans 12.6, maven webapp project
> > Maven 3.8.4
> > Ant 1.10.12
> >
> > Followed guide at https://tomcat.apache.org/tomcat-10.0-doc/graal.html
> >
> > Sorry in advance if not all issues should be reported here but instead
> are
> > graalvm native image related, I'm reporting everything here and on their
> > github for completeness.
> >
> >
> https://drive.google.com/file/d/17flFW5nlNCdojlvJxCOy23NJBj03p46u/view?usp=sharing
> > In this link you can find a folder with everything I used from tomcat
> > stuffed folder downloaded from the github link present in the tomcat AOT
> > guide, to all commands I put in a script for easier testing purpose,
> source
> > webapp, built webapp, screenshots, everything :D
> >
> > I'll start by saying I'm well aware I could definitely have overlooked
> > something, anyway I managed to get to the final native image and it
> works,
> > BUT:
> >
> > If you remove .class files from webapps/webappname folder, when you run
> the
> > binary file, it won't find those files, only jsps. This is strange
> because
> > those files are actually present in the fat jar, and this actually beats
> > the purpose of building a native image if you have to ship it with java
> > files.
> >
> > If there is a class extending ServletContextListener (InitClass in this
> > webapp), when running command with "--catalina -generateCode" parameter,
> > where you have to access all jsps and servlets, the class extending
> > ServletContextListener will be initialized/used(?) like 2 times, but the
> > second time not completely, resetting everything done in the first
> > initialization.
> > In this webapp it happens when you access the only servlet present.
> > Anyway all code is in the google drive link and in InitClass I put some
> > prints so you can see what I mean.
> > In another bigger webapp my InitClass initializes a lot of things used by
> > the webapp basically screwing it.
> > This issue happens only in this phase because in the second phase where
> > the parameter is "useGeneratedCode" it works normally both with this
> simple
> > test webapp and in my other one
> >
> > When building with native-image command, if
> > "-J--add-exports=java.management/sun.management=ALL-UNNAMED" isn't used
> as
> > additional parameter, errors will pop on run crashing the app.
> (screenshot
> > in the google drive link)
>
> Before looking at it more deeply (later ...), let's take this step by step:
> - Even though you are generating a fat JAR and building a native
> image, the webapps should stay unchanged. All classes and JARs in
> WEB-INF will be needed for annotation scanning and whatever
> "classloading". So this is not a bug. Don't worry, regular Java
> classes that have not been compiled in a native image are never going
> to be magically dynamically loaded and run, since this isn't possible
> at all.
> - Java 17 with Graal is completely untested (Java 11 is) since it's
> very new. Since you seem very adventurous, you can also try to compile
> in the Panama support for OpenSSL.
> - I haven't tested the JMX support, which is fairly new in Graal.
> Adding the module declaration on the command line if needed depending
> on the Java version doesn't seem that surprising. If you were running
> Java 8 you wouldn't need it. For the longest time, JMX was disabled
> with Graal (with no way to enable it). Since it supposedly "works",
> the regular Tomcat standalone defaults are used (so you can use the
> command line to disable it again; to be honest I would probably do
> that ...).
> - You can keep your server.xml (more flexible), but once everything
> works (if you get there then it's good !) you can indeed generate the
> equivalent code for server.xml/context.xml with -generateCode and
> avoid some reflection. This is really completely optional. So it seems
> there's a problem with ServletContextListener then (this is strange
> since it's a web.xml component, for which I never added the actual
> code generation - it was tempting but way too complex if the goal was
> to support everything). So I

Issues when building native image with GraalVM

2021-12-28 Thread Mar R
Tomcat 10.0.14
Windows 10 x64 21H1 OS Build 19043.1415

openjdk version "17.0.1" 2021-10-19
OpenJDK Runtime Environment GraalVM CE 21.3.0 (build
17.0.1+12-jvmci-21.3-b05)
OpenJDK 64-Bit Server VM GraalVM CE 21.3.0 (build 17.0.1+12-jvmci-21.3-b05,
mixed mode, sharing)

NetBeans 12.6, maven webapp project
Maven 3.8.4
Ant 1.10.12

Followed guide at https://tomcat.apache.org/tomcat-10.0-doc/graal.html

Sorry in advance if not all issues should be reported here but instead are
graalvm native image related, I'm reporting everything here and on their
github for completeness.

https://drive.google.com/file/d/17flFW5nlNCdojlvJxCOy23NJBj03p46u/view?usp=sharing
In this link you can find a folder with everything I used from tomcat
stuffed folder downloaded from the github link present in the tomcat AOT
guide, to all commands I put in a script for easier testing purpose, source
webapp, built webapp, screenshots, everything :D

I'll start by saying I'm well aware I could definitely have overlooked
something, anyway I managed to get to the final native image and it works,
BUT:

If you remove .class files from webapps/webappname folder, when you run the
binary file, it won't find those files, only jsps. This is strange because
those files are actually present in the fat jar, and this actually beats
the purpose of building a native image if you have to ship it with java
files.

If there is a class extending ServletContextListener (InitClass in this
webapp), when running command with "--catalina -generateCode" parameter,
where you have to access all jsps and servlets, the class extending
ServletContextListener will be initialized/used(?) like 2 times, but the
second time not completely, resetting everything done in the first
initialization.
In this webapp it happens when you access the only servlet present.
Anyway all code is in the google drive link and in InitClass I put some
prints so you can see what I mean.
In another bigger webapp my InitClass initializes a lot of things used by
the webapp basically screwing it.
This issue happens only in this phase because in the second phase where
the parameter is "useGeneratedCode" it works normally both with this simple
test webapp and in my other one

When building with native-image command, if
"-J--add-exports=java.management/sun.management=ALL-UNNAMED" isn't used as
additional parameter, errors will pop on run crashing the app. (screenshot
in the google drive link)


Re: HttpNIO error

2021-08-31 Thread rinilnath r
@chris,

Tomcat 9.0.50

Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 31 Aug, 2021, 19:24 rinilnath r,  wrote:

> Hi Chris,
>
> Java : 1.8.0_45
> OS : Windows 7
>
>   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> connectionTimeout="6" maxConnections="1" redirectPort="8443"
> enableLookups="false" acceptCount="100" maxPostSize="10485760"
> maxHttpHeaderSize="8192" compression="on" disableUploadTimeout="true"
> compressionMinSize="2048" acceptorThreadCount="2" compressableMimeType=
> "text/html,text/plain, text/css, application/javascript, application/json,
> application/x-font-ttf, application/x-font-otf, image/svg+xml image/jpeg,
> image/png,image/gif, audio/mpeg, video/mp4" URIEncoding="utf-8"
> processorCache="2" tcpNoDelay="true" connectionLinger="5"
> server="Server Version 11.0"/>
>
>
>
> Thanks and Regards,
> Rinilnath
> Mobile#9786285451
>
> On Tue, 31 Aug, 2021, 19:16 Christopher Schultz, <
> ch...@christopherschultz.net> wrote:
>
>> Rinilnath,
>>
>> On 8/31/21 09:23, rinilnath r wrote:
>> > I am using tomcat Http11nio2protocol. I configured it in server XML.
>> >
>> > When I start the server it failed to start
>> >
>> > UnsupportedOperationException. SO_LINGER not supported
>> >
>> > Any help please?
>>
>> Please post:
>>
>> 1. Your Java version
>> 2. Your OS and version
>> 3. Your  configuration, minus any secrets you may have
>>
>> -chris
>>


Re: HttpNIO error

2021-08-31 Thread rinilnath r
Hi Chris,

Java : 1.8.0_45
OS : Windows 7

 



Thanks and Regards,
Rinilnath
Mobile#9786285451

On Tue, 31 Aug, 2021, 19:16 Christopher Schultz, <
ch...@christopherschultz.net> wrote:

> Rinilnath,
>
> On 8/31/21 09:23, rinilnath r wrote:
> > I am using tomcat Http11nio2protocol. I configured it in server XML.
> >
> > When I start the server it failed to start
> >
> > UnsupportedOperationException. SO_LINGER not supported
> >
> > Any help please?
>
> Please post:
>
> 1. Your Java version
> 2. Your OS and version
> 3. Your  configuration, minus any secrets you may have
>
> -chris
>


HttpNIO error

2021-08-31 Thread rinilnath r
Hi,

I am using tomcat Http11nio2protocol. I configured it in server XML.

When I start the server it failed to start

UnsupportedOperationException. SO_LINGER not supported

Any help please?

Thanks and Regards,
Rinilnath
Mobile#9786285451


AW: Troubleshoot with registered libraries after startup

2021-04-27 Thread Glorius, R. (RPD)
I've also tried to put it in the webapps-javaee directory. The conversion 
works, but same problem on converter-handling.

It feels like a random thing on startup the war file. Because after multiple 
cleanup and restart with exactly the "same" war-file it sometimes works.

Is it possible that a wrong order in the classpath structure is the problem 
(non fixed - only lib-folder is added in javac ant generation file)?
Does the tomcat have an internal priority handling for the referenced libraries 
inside the war? 

Robert

-Original Message-
From: Mark Thomas  
Sent: Tuesday, 27 April 2021 10:24
To: users@tomcat.apache.org
Subject: Re: Troubleshoot with registered libraries after startup

Have you converted the WAR file for Jakarta EE? If not, put it in the 
webapps-javaee directory rather than webapps and Tomcat will convert your WAR 
file for you.

Mark


On 27/04/2021 09:12, Glorius, R. (RPD) wrote:
> Hello,
> 
> I've got a question for a troubleshoot with my Tomcat (10.0.5):
> 
> My war-file contains libraries like Jersey and Jackson in the latest version 
> for a JSON-REST API.
> 
> After Deployment my Tomcat starts very well without some Exceptions or 
> Failures inside logging. That's fine.
> My REST-Service is also working.
> 
> But randomly the registered JSON-Converter/Formatter (JacksonFeature) doesn't 
> work. It seems that the feature hasn't registered by loading the war-file 
> inside the Webapps-folder. After multiple redeploy or stop/start actions the 
> JSON-Converter from the same war-file works as expected.
> 
> Is this a known bug on the latest tomcat version?
> Best regards,
> Robert Glorius
> 
> 





Troubleshoot with registered libraries after startup

2021-04-27 Thread Glorius, R. (RPD)
Hello,

I've got a question for a troubleshoot with my Tomcat (10.0.5):

My war-file contains libraries like Jersey and Jackson in the latest version 
for a JSON-REST API.

After Deployment my Tomcat starts very well without some Exceptions or 
Failures inside logging. That's fine.
My REST-Service is also working.

But randomly the registered JSON-Converter/Formatter (JacksonFeature) doesn't 
work. It seems that the feature hasn't registered by loading the war-file 
inside the Webapps-folder. After multiple redeploy or stop/start actions the 
JSON-Converter from the same war-file works as expected.

Is this a known bug on the latest tomcat version?
Best regards,
Robert Glorius



RE: Release Schedule

2019-08-14 Thread Bush, Clinton R (CGI Federal)
I have searched your website, wiki, and the web, in general, to locate a 
release schedule or roadmap for Tomcat. Does the Apache Tomcat community have a 
future release schedule?

Working with the government, we must anticipate (loosely) when we will need to 
update servers, APIs, etc. to satisfy cybersecurity requirements. As part of 
that, I am trying to gather release schedules for the software we use.

Thanks!

Clinton R. Bush

Senior Software Developer
CGI Federal, Inc.
(229)889-6551
(229)308-2820
clinton.b...@cgifederal.com

Proprietary/confidential information belonging to CGI Federal Inc. or its 
affiliates may be contained in this message. If you are not a recipient 
indicated or intended in this message (or responsible for the delivery of this 
message to such person), or if you think for any reason that this message may 
have been addressed to you in error, you may not use or copy or deliver this 
message to anyone else. In such case, you should destroy this message and are 
asked to notify the sender by reply email.


Re: error 0 issue

2019-06-26 Thread Kumar R
Hi,
Thanks for your reply...!
As the application is available for users, also cost is involved for new
Linux VM.

Is it possible with existing window VM 32 bit.

Thanks
Rajib

On Wed, Jun 26, 2019, 10:49 PM John Larsen  wrote:

> Why windows - especially from 2003. If app is in java you'll get huge
> performance boost moving to linux.
>
> John Larsen
>
>
> On Wed, Jun 26, 2019 at 11:11 AM Kumar R  wrote:
>
> > Hi Team,
> > Is it possible to go for higher version of JDK(64 bit) and Tomcat(64bit)
> on
> > 32 bit window 2003 architecture.
> > If so, kindly let me know the possible difficulties.
> > Thanks
> > Rajib
> >
> > On Tue, Jun 25, 2019, 1:17 AM Kumar R  wrote:
> >
> > > Hi,
> > > Thanks for the help.
> > > Thanks & Regards
> > > Rajib
> > >
> > > On Tue, Jun 25, 2019, 1:14 AM Felix Schumacher <
> > > felix.schumac...@internetallee.de> wrote:
> > >
> > >>
> > >>
> > >> On 24 June 2019 21:23:24 CEST, Kumar R wrote:
> > >> >Hi Team,
> > >> >I am facing server 0 issue while starting tomcat 5 service after
> > >> >increase
> > >> >the heap size from 1024 to 2048.
> > >> >
> > >> >Server:-
> > >> >Windows 32
> > >> >Jre:-
> > >> >1.5.0_15-h04, mixed mode sharing
> > >>
> > >> The 32 bit version of Java under windows can't use more than about 1.5
> > GB
> > >> of ram.
> > >>
> > >> Note that the versions of Java and tomcat are way out of date. Please
> do
> > >> yourself a favor and update them.
> > >>
> > >> Felix
> > >>
> > >>
> > >> >Tomcat:-
> > >> >5.5
> > >> >Error:-
> > >> >Jakarta log:- create JavaVM failed, failed initializing java.
> > >> >Event log:-
> > >> >The Apache Tomcat service terminated with services-specific error
> > >> >0(0x0)
> > >> >Thanks
> > >> >Rajib
> > >>


Re: error 0 issue

2019-06-26 Thread Kumar R
Hi,
Thanks for your help.
Thanks
Rajib

On Wed, Jun 26, 2019, 10:56 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> John,
>
> On 6/26/19 13:18, John Larsen wrote:
> > Why windows - especially from 2003. If app is in java you'll get
> > huge performance boost moving to linux.
>
> [Citation Needed]
>
> - -chris
>
> > On Wed, Jun 26, 2019 at 11:11 AM Kumar R 
> > wrote:
> >
> >> Hi Team, Is it possible to go for higher version of JDK(64 bit)
> >> and Tomcat(64bit) on 32 bit window 2003 architecture. If so,
> >> kindly let me know the possible difficulties. Thanks Rajib
> >>
> >> On Tue, Jun 25, 2019, 1:17 AM Kumar R 
> >> wrote:
> >>
> >>> Hi, Thanks for the help. Thanks & Regards Rajib
> >>>
> >>> On Tue, Jun 25, 2019, 1:14 AM Felix Schumacher <
> >>> felix.schumac...@internetallee.de> wrote:
> >>>
> >>>>
> >>>>
> >>>> On 24 June 2019 21:23:24 CEST, Kumar R wrote:
> >>>>> Hi Team, I am facing server 0 issue while starting tomcat 5
> >>>>> service after increase the heap size from 1024 to 2048.
> >>>>>
> >>>>> Server:- Windows 32 Jre:- 1.5.0_15-h04, mixed mode sharing
> >>>>
> >>>> The 32 bit version of Java under windows can't use more than
> >>>> about 1.5
> >> GB
> >>>> of ram.
> >>>>
> >>>> Note that the versions of Java and tomcat are way out of
> >>>> date. Please do yourself a favor and update them.
> >>>>
> >>>> Felix
> >>>>
> >>>>
> >>>>> Tomcat:- 5.5 Error:- Jakarta log:- create JavaVM failed,
> >>>>> failed initializing java. Event log:- The Apache Tomcat
> >>>>> service terminated with services-specific error 0(0x0)
> >>>>> Thanks Rajib
> >>>>


Re: error 0 issue

2019-06-26 Thread Kumar R
Hi Team,
Is it possible to go for higher version of JDK(64 bit) and Tomcat(64bit) on
32 bit window 2003 architecture.
If so, kindly let me know the possible difficulties.
Thanks
Rajib

On Tue, Jun 25, 2019, 1:17 AM Kumar R  wrote:

> Hi,
> Thanks for the help.
> Thanks & Regards
> Rajib
>
> On Tue, Jun 25, 2019, 1:14 AM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>>
>>
>> On 24 June 2019 21:23:24 CEST, Kumar R wrote:
>> >Hi Team,
>> >I am facing server 0 issue while starting tomcat 5 service after
>> >increase
>> >the heap size from 1024 to 2048.
>> >
>> >Server:-
>> >Windows 32
>> >Jre:-
>> >1.5.0_15-h04, mixed mode sharing
>>
>> The 32 bit version of Java under windows can't use more than about 1.5 GB
>> of ram.
>>
>> Note that the versions of Java and tomcat are way out of date. Please do
>> yourself a favor and update them.
>>
>> Felix
>>
>>
>> >Tomcat:-
>> >5.5
>> >Error:-
>> >Jakarta log:- create JavaVM failed, failed initializing java.
>> >Event log:-
>> >The Apache Tomcat service terminated with services-specific error
>> >0(0x0)
>> >Thanks
>> >Rajib
>>


Re: error 0 issue

2019-06-24 Thread Kumar R
Hi,
Thanks for the help.
Thanks & Regards
Rajib

On Tue, Jun 25, 2019, 1:14 AM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

>
>
> On 24 June 2019 21:23:24 CEST, Kumar R wrote:
> >Hi Team,
> >I am facing server 0 issue while starting tomcat 5 service after
> >increase
> >the heap size from 1024 to 2048.
> >
> >Server:-
> >Windows 32
> >Jre:-
> >1.5.0_15-h04, mixed mode sharing
>
> The 32 bit version of Java under windows can't use more than about 1.5 GB
> of ram.
>
> Note that the versions of Java and tomcat are way out of date. Please do
> yourself a favor and update them.
>
> Felix
>
>
> >Tomcat:-
> >5.5
> >Error:-
> >Jakarta log:- create JavaVM failed, failed initializing java.
> >Event log:-
> >The Apache Tomcat service terminated with services-specific error
> >0(0x0)
> >Thanks
> >Rajib
>


error 0 issue

2019-06-24 Thread Kumar R
Hi Team,
I am facing server 0 issue while starting tomcat 5 service after increase
the heap size from 1024 to 2048.

Server:-
Windows 32
Jre:-
1.5.0_15-h04, mixed mode sharing
Tomcat:-
5.5
Error:-
Jakarta log:- create JavaVM failed, failed initializing java.
Event log:-
The Apache Tomcat service terminated with services-specific error 0(0x0)
Thanks
Rajib


RE: Fwd: Tomcat-embed-core-9.0.12.jar bug about Content-Length Corrupting Parsing logic for Subsequent Request

2019-02-07 Thread Caldarale, Charles R
> From: Bhavesh Mistry [mailto:mistry.p.bhav...@gmail.com] 
> Subject: Re: Fwd: Tomcat-embed-core-9.0.12.jar bug about Content-Length
> Corrupting Parsing logic for Subsequent Request

> I am stating following when you have request/response on the same TCP 
> connection.  for example,

> My understanding (please correct me if my wrong):

It's wrong.  All TCP traffic, including HTTP requests, is a stream of bytes.
There are no indications where one request ends and another starts other
than the content length in each request.  If the malformed request specifies
a length smaller than the actual content size, the next request will appear
to start somewhere in the content stream.  Similarly, if the
request-specified content length is larger than the sent size, the connector
consumes part of the next request as the content of the prior.  There is no
way for a server to correct this client misbehavior, other than by the
server administrator disabling keep-alive - with serious performance impacts
for well-mannered clients.  Fix your broken client.

  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
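
The framing problem described in the reply above, as an added example that is not part of the original message or of Tomcat's code: a toy keep-alive framer in Java that can only find request boundaries from Content-Length, fed the same two back-to-back requests with a correct, a too-small and a too-large declared length. The class name, the `app.example` host and the sample requests are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Tomcat code: a toy keep-alive framer that, like any
// HTTP/1.1 server, can only find the end of a request from its Content-Length.
public class ContentLengthFraming {

    private static final Pattern REQUEST_LINE =
            Pattern.compile("[A-Z]+ \\S+ HTTP/1\\.[01]");

    /** Frames one connection's bytes into the requests a server would believe it received.
     *  The sample data is pure ASCII, so character offsets equal byte offsets. */
    static List<String> frame(String stream) {
        List<String> seen = new ArrayList<>();
        int pos = 0;
        while (pos < stream.length()) {
            int headEnd = stream.indexOf("\r\n\r\n", pos);
            if (headEnd < 0) {
                seen.add("WAIT   incomplete header block: " + show(stream.substring(pos)));
                break;
            }
            String[] headLines = stream.substring(pos, headEnd).split("\r\n");
            String requestLine = headLines[0];
            // The server cannot repair a shifted boundary; it can only notice that
            // what sits at the boundary is not a request line and drop the connection.
            if (!REQUEST_LINE.matcher(requestLine).matches()) {
                seen.add("REJECT malformed request line, close connection: " + show(requestLine));
                break;
            }
            int declared = 0;
            try {
                for (int i = 1; i < headLines.length; i++) {
                    String[] kv = headLines[i].split(":", 2);
                    if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("Content-Length")) {
                        declared = Integer.parseInt(kv[1].trim());
                    }
                }
            } catch (NumberFormatException e) {
                declared = -1;
            }
            if (declared < 0) {
                seen.add("REJECT invalid Content-Length, close connection: " + show(requestLine));
                break;
            }
            int bodyStart = headEnd + 4;
            int bodyEnd = bodyStart + declared;
            if (bodyEnd > stream.length()) {
                seen.add("WAIT   " + requestLine + " still expects "
                        + (bodyEnd - stream.length()) + " body bytes");
                break;
            }
            seen.add("OK     " + requestLine + " body=" + show(stream.substring(bodyStart, bodyEnd)));
            pos = bodyEnd; // the next request is assumed to start exactly here
        }
        return seen;
    }

    /** Makes CR and LF visible in the printed result. */
    static String show(String s) {
        return "\"" + s.replace("\r", "\\r").replace("\n", "\\n") + "\"";
    }

    /** Builds a constructed POST whose declared length may differ from the real body length. */
    static String post(String body, int contentLength) {
        return "POST /a HTTP/1.1\r\nHost: app.example\r\nContent-Length: " + contentLength
                + "\r\n\r\n" + body;
    }

    public static void main(String[] args) {
        // Constructed sample traffic: two requests sent back to back on one connection.
        String body = "name=alice";
        String next = "GET /b HTTP/1.1\r\nHost: app.example\r\n\r\n";
        int[] declaredLengths = { body.length(), 4, body.length() + next.length() };
        String[] labels = { "correct length", "length too small", "length too large" };
        for (int i = 0; i < labels.length; i++) {
            System.out.println("-- " + labels[i] + " (Content-Length: " + declaredLengths[i] + ")");
            for (String line : frame(post(body, declaredLengths[i]) + next)) {
                System.out.println("   " + line);
            }
        }
    }
}
```

With the short length the tail of the body lands where the next request line should be and is rejected; with the long length the entire second request is consumed as body and never seen as a request.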





RE: Tomcat 8 runs under Java 7, but not Java 8

2018-12-18 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: Tomcat 8 runs under Java 7, but not Java 8

> Excerpt from the relevant time period, catalina.2018-12-18.log:

> > 18-Dec-2018 20:18:55.419 SEVERE [main] org.apache.catalina.core.StandardServer.await
> > StandardServer.await: create[localhost:8005]:
> >  java.net.BindException: Address already in use (Bind failed)

> > 18-Dec-2018 20:31:12.604 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed
> > to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"]
> >  java.net.BindException: Address already in use

> > 18-Dec-2018 20:31:55.545 SEVERE [main] org.apache.catalina.core.StandardServer.await
> > StandardServer.await: create[localhost:8005]:
> >  java.net.BindException: Address already in use (Bind failed)

The above indicates you have a Tomcat (or something much like it) already
running...

  - Chuck




RE: Translation help wanted

2018-11-13 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Translation help wanted

> There is no need to have an en-BR, en-US and eu-AU when simply "en" will work.

Might need an en-EastEnders or en-Yorkshire though...

  - Chuck




RE: Translation help wanted

2018-11-13 Thread Caldarale, Charles R
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Subject: Re: Translation help wanted

> Ok, I take it back. I don't think there's an AI smart enough to translate this one :

> "The attribute directive (declared in line [{1}] and whose name attribute is [{0}], the
> value of this name-from-attribute attribute) must be of type java.lang.String, is
> "required" and not a "rtexprvalue"."

Maybe we should translate it to English first...

  - Chuck

"This is the sort of bloody nonsense up with which I will not put."
(probably Churchill, in The Strand magazine)




RE: Handling empty Host in HTTP Header

2018-10-27 Thread Caldarale, Charles R
> From: Mani [mailto:mani.chandraseka...@protonmail.com.INVALID] 
> Subject: Handling empty Host in HTTP Header

> May I know, when is the next official tomcat release planned? 

Releases for Tomcat versions under active development (including the 8.5
leg) normally occur in the first week of each calendar month.  Last-minute
glitches can affect the schedule, of course.

  - Chuck




RE: Cookie Header Not Being Parsed

2018-10-20 Thread Caldarale, Charles R
> From: Durand, Dustin [mailto:dustin_dur...@intuit.com] 
> Subject: Cookie Header Not Being Parsed

> I've been attempting to track down an issue where the cookies aren't being
> parsed out of the cookie header in rare cases. We're using a java service
> that utilizes JSession, so this causes the users session to be lost every
> time one of these failures occurs.

> Version: Tomcat 8.5.31 and 8.5.34 (Attempted to upgrade)

Thanks for supplying the version info; many people forget.

> During the load tests we see the rare request come into the service where the
> filter dumps the cookie header which includes the expected cookies, but when
> the filter attempts to pull the cookies from the HttpServletRequest they're
> missing. To make it more interesting, the value cookie header usually matches
> the previous request(s) cookie header value for that user, which was parsed
> successfully.

The last sentence is the key point, indicating the probable source of the
problem: your application is likely hanging on to some reference to the
prior request and inadvertently using it when a new request shows up.  This
often takes the form of instance variables in a servlet being used to hold
request information.  Since the servlet object is shared across all requests
using it, information leakage can occur between concurrent requests; this is
also true for filters used in the request handling.  Leakage can also occur
with other singletons used by the webapp, or in any persistent data
maintained by the app (e.g., in a session object).

  - Chuck




RE: Tomcat Clustering Support

2018-10-10 Thread Caldarale, Charles R
> From: Mark Thomas [mailto:ma...@apache.org] 
> Subject: Re: Tomcat Clustering Support

> Thread A is in the middle of processing a request. It is evaluating some
> EL which requires access to the view map which in turn causes the
> ViewMap to update the session.
> com.sun.faces.application.view.ViewScopeManager.processEvent locks the
> ViewMap object. It then tries to update the session. To do this it
> requires the session lock. Thread A is waiting for this lock.

Assuming the ViewMap is used by multiple sessions, this locking order goes
against the usual protocol of more local before more global.  Might be
possible to file a bug report with Mojarra, but given that the code appears
to be in a com.sun class, that might not get anywhere.

> Thread B is at the end of a request. The session has been updated and it
> is attempting to write the updated session attributes to the cluster.
> The session lock has been obtained. The individual attributes are being
> written. The code has reached the ViewMap object. In order to write this
> object, the ViewMap object must be locked. Thread B is waiting for this
> lock.

This is generally the more desirable order.

> Has anyone on the users list come across this problem before? If so, how
> have you solved it? Suggestions for alternative solutions also welcome.

Can the thread doing the session synchronization lock the session, get a
shallow copy of the attributes, unlock the session, then process the
attributes?  Not sure if that would maintain sufficient coherency.

  - Chuck
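
The snapshot approach asked about in the reply above, sketched as an added example rather than Tomcat or Mojarra code: the replication thread copies the attribute references under the session lock, releases it, and only then locks each attribute, so it never holds the session lock while waiting for the ViewMap lock. `Session`, `ViewMap` and all method names are hypothetical stand-ins.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration, not Tomcat or Mojarra code. Session and ViewMap are
// hypothetical stand-ins for the two objects whose locks are discussed above.
public class SnapshotReplication {

    static class ViewMap {
        final Map<String, Integer> views = new HashMap<>();
    }

    static class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Request thread (thread A above): ViewMap lock first, then the session lock. */
    static void updateView(Session session, ViewMap viewMap, String viewId, int state) {
        synchronized (viewMap) {
            viewMap.views.put(viewId, state);
            synchronized (session) {
                session.attributes.put("viewMap", viewMap);
            }
        }
    }

    /** Replication as described for thread B: the session lock is held while each
     *  attribute is locked. That is the opposite order to updateView, so the two
     *  can deadlock. Shown for contrast only; main() never calls it. */
    static int replicateHoldingSessionLock(Session session) {
        int bytes = 0;
        synchronized (session) {
            for (Object attribute : session.attributes.values()) {
                synchronized (attribute) {
                    bytes += write(attribute);
                }
            }
        }
        return bytes;
    }

    /** The suggested alternative: shallow-copy under the session lock, release it,
     *  then lock and write each attribute. No thread waits for the ViewMap lock
     *  while holding the session lock, so no lock cycle can form. */
    static int replicateFromSnapshot(Session session) {
        List<Object> snapshot;
        synchronized (session) {
            snapshot = new ArrayList<>(session.attributes.values());
        }
        int bytes = 0;
        for (Object attribute : snapshot) {
            synchronized (attribute) {
                bytes += write(attribute);
            }
        }
        return bytes;
    }

    /** Stand-in for serialising one attribute; the caller holds the attribute's lock. */
    static int write(Object attribute) {
        if (attribute instanceof ViewMap) {
            return ((ViewMap) attribute).views.toString().length();
        }
        return String.valueOf(attribute).length();
    }

    public static void main(String[] args) throws InterruptedException {
        Session session = new Session();
        ViewMap viewMap = new ViewMap();
        updateView(session, viewMap, "view-0", 0);

        Thread requestThread = new Thread(() -> {
            for (int i = 1; i <= 200_000; i++) {
                updateView(session, viewMap, "view-" + (i % 16), i);
            }
        });
        Thread replicationThread = new Thread(() -> {
            for (int i = 0; i < 200_000; i++) {
                replicateFromSnapshot(session);
            }
        });
        requestThread.setDaemon(true);      // let the JVM exit even if a thread is stuck
        replicationThread.setDaemon(true);
        requestThread.start();
        replicationThread.start();
        requestThread.join(30_000);
        replicationThread.join(30_000);

        boolean finished = !requestThread.isAlive() && !replicationThread.isAlive();
        System.out.println(finished ? "both threads finished: no lock cycle"
                                    : "threads still blocked after 30 s");
    }
}
```

The snapshot removes the lock cycle but not the coherency question raised in the reply: an attribute can change between the copy and the write, so the replicated state may mix attribute versions from different moments.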




RE: Contexts: can there be a hierarchy?

2018-08-23 Thread Caldarale, Charles R
> From: Jäkel, Guido [mailto:g.jae...@dnb.de] 
> Subject: RE: Contexts: can there be a hierarchy?

> why do you call it not really a hierarchy? If you name the deployments e.g.
>   ROOT.war
>   foo.war
>   foo#bar.war
> then the "expected" will happen: The longest context path will match to the
> corresponding container:

> * all /foo/bar{,/.*} will be served by foo#bar.war,
> * all other /foo{,/.*} will be served by foo.war
> * all other {,.*} will be served by ROOT.war

It's a hierarchy for the URLs, but not from a webapp location, construction,
or execution perspective - /foo/bar is completely independent of /foo, not
inside or a subset of it.

  - Chuck




RE: Contexts: can there be a hierarchy?

2018-08-22 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Contexts: can there be a hierarchy?

> Suppose we have a Tomcat 8 server

Let's hope that's Tomcat 8.5, since 8.0 has reached EOL.

> Is there a way to set up contexts in a hierarchy, such that requests for 
> "https://xyz.example/foo/ham," "https://xyz.example/foo/spam," and 
> "https://xyz.example/foo/eggs" go to distinct webapp contexts?

Not really a hierarchy, but just name your .war files (or directories)
appropriately:
foo#ham[.war]
foo#eggs[.war]

Look here for more info:
http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming

  - Chuck




RE: Servlet Threads Changing Instance Data

2018-08-15 Thread Caldarale, Charles R
> From: Jerry Malcolm [mailto:techst...@malcolms.com] 
> Subject: Re: Servlet Threads Changing Instance Data

> I'm not sure what you mean by typically there is only one servlet 
> object.  There's one class.  But a new instance is created on each 
> request, right?

No - there's only one instance of each defined servlet.  All requests for a
particular servlet share that instance.

  - Chuck
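
An added example (not code from either thread, from Tomcat or from the servlet API) of the failure mode behind both the cookie-parsing reply further up and this one: because a single handler object serves every request, per-request data kept in an instance field can be overwritten by a concurrent request before it is used. `LeakyHandler`, `ConfinedHandler` and the session ids are hypothetical stand-ins.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration, not Tomcat or servlet API code: one shared handler object
// serving concurrent requests, as a container does with a servlet or filter.
public class SharedInstanceLeak {

    interface Handler {
        String handle(String cookieHeader) throws InterruptedException;
    }

    /** Unsafe: per-request data kept in an instance field shared by every thread. */
    static class LeakyHandler implements Handler {
        // volatile so the demo shows interleaving rather than a visibility quirk;
        // it does not make the field safe to share between requests.
        private volatile String currentCookie;

        public String handle(String cookieHeader) throws InterruptedException {
            currentCookie = cookieHeader;
            Thread.sleep(1); // simulated work; another request may overwrite the field
            return sessionIdFrom(currentCookie);
        }
    }

    /** Safe: per-request data lives in locals, which are confined to the calling thread. */
    static class ConfinedHandler implements Handler {
        public String handle(String cookieHeader) throws InterruptedException {
            String cookie = cookieHeader;
            Thread.sleep(1); // same simulated work
            return sessionIdFrom(cookie);
        }
    }

    /** Extracts the JSESSIONID value from a Cookie header, or null if absent. */
    static String sessionIdFrom(String cookieHeader) {
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("JSESSIONID")) {
                return kv[1];
            }
        }
        return null;
    }

    /** Sends concurrent requests, each with its own session id, through one shared
     *  handler and counts how many got back a session id that was not their own. */
    static int crossTalk(Handler handler, int threads, int requests) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger wrong = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            String expected = "user" + i; // constructed session id
            String header = "theme=dark; JSESSIONID=" + expected;
            pool.execute(() -> {
                try {
                    if (!expected.equals(handler.handle(header))) {
                        wrong.incrementAndGet();
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int requests = 400;
        System.out.println("instance field: " + crossTalk(new LeakyHandler(), 8, requests)
                + " of " + requests + " requests saw another request's session id");
        System.out.println("local variable: " + crossTalk(new ConfinedHandler(), 8, requests)
                + " of " + requests + " requests saw another request's session id");
    }
}
```

The count for the instance-field handler varies from run to run because it depends on thread scheduling; the count for the local-variable handler is always 0.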




RE: Problem with CATALINA_OPTS in setenv.sh

2018-08-02 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Problem with CATALINA_OPTS in setenv.sh
 
> > "With the -XX:+AlwaysPreTouch option the JVM touches every single
> > byte of the max heap size with a '0', resulting in the memory being
> > allocated in the physical memory in addition to being reserved in
> > the internal data structure (virtual memory). Pretouching is single
> > threaded, so it is expected behavior that it causes JVM startup to
> > be delayed. The trade off is that it will reduce page access time
> > later, as the pages will already be loaded into memory."

> Sounds like garbage to me. The OS isn't going to keep pages in RAM
> just because they are zeroed. Also, unless the JVM does it exactly
> correctly (which it probably *is* doing), the zeroing-operation might
> actually be a no-op.

Definitely not a no-op - it will cause the guest OS to allocate what it
thinks are real pages, create VMAs, and do all sorts of other bookkeeping
that is pointless in a VM environment.  The hypervisor has the last word
here, and it will happily swap pages that the guest OS thinks are in
pseudo-real memory.  That's why the pre-touch option is useless in anything
other than a dedicated bare-metal system.

> > The fact that Tomcat is crashing during the pre-touch would
> > indicate that you can't actually use a 2 GiB heap on a supposed 4
> > GiB VM - something other than the heap is eating up a lot of space.
> > You should probably remove the option and reduce the heap size.

> But the process isn't failing on pre-touch. It's failing when it's
> trying to bind a socket to a port.

Doing the bind requires additional non-heap process and kernel memory; I
suspect this puts it over the limit imposed by either the guest OS or
hypervisor.  

  - Chuck



-Original Message-


The most likely result from using AlwaysPreTouch is that you get more
memory pressure and therefore more swapping to virtual memory. I can't
really see a use-case for this option. I'm guessing your dev requested
this because #security or #sawitonstackoverflow. Given that it crashes
your JVM, I'd say you have a decent argument for NOT using this option
even if it fails the sniff test for other reasons.


-chris



smime.p7s
Description: S/MIME cryptographic signature


RE: Problem with CATALINA_OPTS in setenv.sh

2018-08-02 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Problem with CATALINA_OPTS in setenv.sh

> I've been experimenting with some CATALINA_OPTS changes, as recommended 
> by our webapp developer, and one of them is causing Tomcat to "crash on 
> takeoff" with stacktraces like this:
> > 30-Jul-2018 22:58:00.708 SEVERE [main] org.apache.coyote.AbstractProtocol.init
> > Failed to initialize end point associated with ProtocolHandler ["http-nio-80"]
> >  java.net.SocketException: Cannot allocate memory

> We're running on a Google Compute instance, with 1 CPU and 4G of memory, 

> What the webapp developer asked for was (after I'd vetted his request 
> against the Java 8 docs)
> > -Xms2048m -Xmx2048m -XX:+ScavengeBeforeFullGC -XX:+AlwaysPreTouch
> > -XX:+CMSScavengeBeforeRemark -XX:+CMSClassUnloadingEnabled
> > -XX:+UseConcMarkSweepGC -XX:+CMSPermGenSweepingEnabled

> which produced the crash-on-takeoff, and I was able to narrow it down to 
> specifically the "-XX:+AlwaysPreTouch" that was doing it.

> Anybody have any insights into why that parameter would cause Tomcat to 
> crash on takeoff?

A bit of research shows that +AlwaysPreTouch seems like a really, really bad
idea for anything but small, bare-metal, dedicated systems, and especially
useless on a VM:

"With the -XX:+AlwaysPreTouch option the JVM touches every single byte of
the max heap size with a '0', resulting in the memory being allocated in the
physical memory in addition to being reserved in the internal data structure
(virtual memory). Pretouching is single threaded, so it is expected behavior
that it causes JVM startup to be delayed. The trade off is that it will
reduce page access time later, as the pages will already be loaded into
memory."

The fact that Tomcat is crashing during the pre-touch would indicate that
you can't actually use a 2 GiB heap on a supposed 4 GiB VM - something other
than the heap is eating up a lot of space.  You should probably remove the
option and reduce the heap size.

  - Chuck




RE: Tomcat JDBC Pool memory leak when using StatementFinalizer interceptor

2018-07-14 Thread Caldarale, Charles R
> From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
> Subject: Re: Tomcat JDBC Pool memory leak when using StatementFinalizer interceptor

> On 11.07.2018 at 16:22, Martin Knoblauch wrote:
> >   Now it might be, that we are just using the StatementFinalizer in a wrong
> > manner. And what we see is expected behavior. Below is our pool
> > configuration. Maybe something is just missing :-)

> The docs in the interceptor says one has to call close on the 
> connection, that the statements created. Does your application call 
> close on the connection?

This section of the doc includes a decent model that your webapp code should
be following:
http://tomcat.apache.org/tomcat-8.0-doc/jndi-datasource-examples-howto.html#Random_Connection_Closed_Exceptions

Proper use of a finally block is critical.

  - Chuck



RE: Re: Tomcat 5.5.17 migration to 6

2018-07-14 Thread Caldarale, Charles R
> From: David Babooram [mailto:david.baboo...@digicelgroup.com] 
> Subject: Re: Re: Tomcat 5.5.17 migration to 6

> But my decision was based on what was presented in the Apache site. In that, upgrade from 
> 5.5 was known to only go to 6.

Seriously, don't even think about "upgrading" to another very dead level.
There haven't been updates to Tomcat 6 for over a year; subsequent fixes for
known security holes and other issues have been applied to current levels,
but none of those will ever be retrofitted to Tomcat 6 (and 7, in the not
too distant future).  8.5 or 9.0 are the only sensible choices.

> Nevertheless.. is there some official documents on migrating to 8.5?

Due to the age of where you're starting from (over 12 years old), you're not
going to find anything specific for that level to a current one.  What you
can do is read all of the Migration Guides linked from here:
http://tomcat.apache.org/migration.html
and get a sense of the changes needed for your webapp configurations.

You may well need to update JVM versions as well; if the one you're using is
also 12 years old, it's scary dangerous.

  - Chuck




RE: Getting the Manager app running on localhost.. Please help

2018-07-12 Thread Caldarale, Charles R
> From: Hassan Schroeder [mailto:hassan.schroe...@gmail.com] 
> Subject: Re: Getting the Manager app running on localhost.. Please help

> FYI, I'm on MacOS (Sierra 10.12.6). I just now

> 1) installed apache-tomcat-8.5.32
> 2) added these two lines to tomcat-users.xml
>
>   
>   

Note that such an addition must be done outside of the sample role/user
elements, since they are commented out.  A common error is failing to remove
or otherwise avoid the comment markers.

  - Chuck




Intermittently a Tomcat 7 response loses all (non-Coyote-added) headers

2018-05-03 Thread R Mundell
Attention Tomcat developers who know how the Coyote bit of Tomcat works… I’ve 
got a tricky one for you! :-)

We’re struggling with a puzzling problem where intermittently, calls to a 
servlet are delivered back to the client with all of the headers missing except 
the ones that Coyote adds.

In roughly 9,999 out of 10,000 attempts the response returns correctly (which 
includes a number of headers which are added by filters, a body response which 
is gzipped by the servlet and a “Content-Encoding” header which indicates it’s 
gzipped, and the correct “Content-Length” header).

But, intermittently, approximately 1 time out of 10,000 requests, the response 
back to the client contains only 3 headers: “Date”, “Server”, and a 
“Transfer-Encoding” header set to “chunked” (even though the response body is 
not chunked). The result of this is that the gzipped body is presented back to 
the client with the “Content-Encoding” header missing so it’s rendered 
unreadable by the browser, and all of the other headers are missing. (We’ve 
determined this by being able to capture a couple of instances of this issue in 
Fiddler).

Looking at the Coyote source code it would appear that if the “Content-Length” 
header isn’t presented to Coyote from the upstream handling of the filters and 
servlet then it’ll default to a chunked encoding, which explains why the 
response is getting chunked!

So, basically - the filters run without error, the servlet runs without error, 
but when the response is received back into Coyote’s 
AbstractHttp11Processor.process() method, the headers have disappeared!

Annoyingly we can’t find a recreatable test case, but anecdotally it’s when the 
server is heavily loaded, but there are still plenty of pooled workers 
available, and plenty of memory. This is a very high volume server (probably 
millions of requests a day) so adding verbose logging within Coyote isn’t a 
realistic option.

I don’t believe it’s actually possible for the filters or the servlet to remove 
headers even if they want to (they don’t appear to have any access to the 
MimeHeaders of the Coyote “Response” object, and the HttpServletResponse object 
doesn’t have any methods which allow header removal).

The only clue we have is occasionally we see “INFO: Encountered a non-recycled 
response and recycled it forcedly.” in the logs, but these errors are 
infrequent compared to the number of instances of the problem, and the 
timestamps of these errors don’t correspond to when users have reported the 
error.

My best guess would be somehow the Coyote “Request” object is accidentally 
accessed by two threads concurrently to service two requests, and one request 
is calling the Request.recycle() (which is calling headers.recycle() which 
removes all of the headers) but I’m struggling to see how that could happen. 
Note we are not using async servlets.

I appreciate 7.0.72 isn’t the very latest and greatest version but I can’t find 
anything in the change log for later 7.x, 8.x, 8.5.x or 9.x releases which 
indicate this is a known issue or resolved.

Any ideas about how to further diagnose this would be very gratefully received. 
Otherwise our next step is to blindly update to later versions and just hope it 
goes away.

Thanks,

Richard


RE: Is it possible and how

2018-02-28 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Is it possible and how

> On 2/28/18 11:12 AM, M. Osama Alghwell wrote:
> > I have a Java application that runs on Windows and uses Tomcat 
> > (unfortunately it is Tomcat 4.5 and I am assigned to upgrade it).

There was no Tomcat 4.5; 4.1, 5.0, and 5.5 were released, many years ago.

> > Is it possible to move to Linux platform? and is it possible to
> > jump to Tomcat 8.x? what action should be taken?

> While that sounds like a big jump (Windows -> Linux, Tomcat 4.x ->
> 8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade
> as well, of course (Tomcat 8 requires Java 7 or later; I recommend
> Java 8).

Reading the migration guides would also be useful, although they don't go
all the way back to Tomcat 4:
http://tomcat.apache.org/migration.html

  - Chuck




RE: Running as user tomcat

2018-02-23 Thread Caldarale, Charles R
> From: Peter@Kreuser-Online [mailto:l...@kreuser.name] 
> Subject: Re: Running as user tomcat

> On 23.02.2018 at 18:36, Cheltenham, Chris wrote:

> > I am trying to run tomcat as a non root user.
 
> > It will start as the tomcat user but it will not bind to connector 443 unless it starts as root.

> Unix will not let you open ports below 1024 as non-root user!

> You may use a proxy in front of it or maybe use iptables to be able to use standard ports AND user tomcat.

And definitely read the wiki entry about this, before doing anything else:
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

  - Chuck




Re: Is tomcat 8.5.24 uses thread pool by default.

2018-02-05 Thread Shiva Kumar K R
Hi,

I got u right. Thanks for the quick answer.

On 05-Feb-2018 8:32 PM, "Shiva Kumar K R" <shiv...@securelyshare.com> wrote:

> Hi,
>
> Thanks for the response, u r right I'll do the cleanup. And is tomcat uses
> new thread for each request or reuse existing thread.
>
> Thank you,
> Shiva
>
> On 05-Feb-2018 8:28 PM, "Johan Compagner" <jcompag...@servoy.com> wrote:
>
>> If that is the case then the problem is also that you don't clean up the
>> threadlocals..
>> That is a problem by itself, you should always after a request have
>> cleanup
>> all your threadlocals
>>
>> On 5 February 2018 at 15:36, Shiva Kumar K R <shiv...@securelyshare.com>
>> wrote:
>>
>> > Hi,
>> >
>> > Component details:
>> > Tomcat = 8.5.24
>> > Java = 1.8
>> > OS = Ubuntu 16.04 LTS
>> >
>> > Is above tomcat uses thread pool to process requests out of the box
>> without
>> > any explicit configuration of thread pool.
>> >
>> > I faced an issue while using threadlocal which was returning data
>> stored in
>> > previous request instead of current request.
>> >
>> > Thank You,
>> > Shiva Kumar K R
>> >
>>
>>
>>
>> --
>> Johan Compagner
>> Servoy
>>
>


Re: Is tomcat 8.5.24 uses thread pool by default.

2018-02-05 Thread Shiva Kumar K R
Hi,

Thanks for the response, u r right I'll do the cleanup. And is tomcat uses
new thread for each request or reuse existing thread.

Thank you,
Shiva

On 05-Feb-2018 8:28 PM, "Johan Compagner" <jcompag...@servoy.com> wrote:

> If that is the case then the problem is also that you don't clean up the
> threadlocals..
> That is a problem by itself, you should always after a request have cleanup
> all your threadlocals
>
> On 5 February 2018 at 15:36, Shiva Kumar K R <shiv...@securelyshare.com>
> wrote:
>
> > Hi,
> >
> > Component details:
> > Tomcat = 8.5.24
> > Java = 1.8
> > OS = Ubuntu 16.04 LTS
> >
> > Is above tomcat uses thread pool to process requests out of the box
> without
> > any explicit configuration of thread pool.
> >
> > I faced an issue while using threadlocal which was returning data stored
> in
> > previous request instead of current request.
> >
> > Thank You,
> > Shiva Kumar K R
> >
>
>
>
> --
> Johan Compagner
> Servoy
>


Is tomcat 8.5.24 uses thread pool by default.

2018-02-05 Thread Shiva Kumar K R
Hi,

Component details:
Tomcat = 8.5.24
Java = 1.8
OS = Ubuntu 16.04 LTS

Is above tomcat uses thread pool to process requests out of the box without
any explicit configuration of thread pool.

I faced an issue while using threadlocal which was returning data stored in
previous request instead of current request.

Thank You,
Shiva Kumar K R


Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-26 Thread Alceu R. de Freitas Jr.
Hello Coty,
For the sake of other readers, I confirm the behavior you identified from 
SELinux:
[root@localhost audit]# grep -P '^type=AVC' audit.log | grep name_bind
type=AVC msg=audit(1513876523.918:145): avc:  denied  { name_bind } for  
pid=10420 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513876981.747:148): avc:  denied  { name_bind } for  
pid=10726 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877805.970:135): avc:  denied  { name_bind } for  
pid=2376 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513877965.612:138): avc:  denied  { name_bind } for  
pid=2442 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878056.773:141): avc:  denied  { name_bind } for  
pid=2512 comm="java" src=1 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878361.650:185): avc:  denied  { name_bind } for  
pid=2609 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878699.852:190): avc:  denied  { name_bind } for  
pid=2714 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513878900.757:193): avc:  denied  { name_bind } for  
pid=2803 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879083.533:196): avc:  denied  { name_bind } for  
pid=2870 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513879865.598:216): avc:  denied  { name_bind } for  
pid=3480 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513885200.245:233): avc:  denied  { name_bind } for  
pid=4385 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1513964943.996:108): avc:  denied  { name_bind } for  
pid=1808 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
[root@localhost audit]# 

Since I'm not acquainted with SELinux, I read some introductory documentation 
about it, so I'm guessing here that the proper way to allow a different port (8090 
in your sample of semanage) to be used by Tomcat would be:
semanage port --add -t initrc_t -p tcp 8090

Since the running process of Tomcat is not related to http_port_t:
[root@localhost audit]# ps auxZ | grep -v grep | grep -i jenkins
system_u:system_r:initrc_t:s0   jenkins   1255  3.0 27.0 2417080 274544 ?  
Ssl  10:34   0:51 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized 
-Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar 
/usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log 
--webroot=/var/cache/jenkins/war --daemon --httpPort=8090 --debug=5 
--handlerCountMax=100 --handlerCountMaxIdle=20

Is that right?
On the other hand, semanage port -l | grep init or semanage port -l | grep 8090 
gives me nothing.
Thanks,
Alceu

On Thursday, 21 December 2017 at 18:49:48 BRST, Coty Sutherland wrote:

This behavior is due to a fix in the selinux-policy package; see
https://bugzilla.redhat.com/show_bug.cgi?id=1432083 for more details.
If you check /var/log/audit/audit.log you'll see an AVC denial, such
as:

    type=AVC msg=audit(1513815897.006:136): avc:  denied  { name_bind
} for  pid=1467 comm="java" src=8090
scontext=system_u:system_r:tomcat_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket ...

Previous versions of tomcat were incorrectly labeled unconfined_t and
could do whatever they wanted; that has been addressed and now tomcat is
confined by selinux as it should be :)

You can fix the problem by adding the port you want to allow to the
system's HTTP port type, http_port_t: `semanage port --add -t
http_port_t -p tcp 8090`

Cheers,
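
An added example (not part of either message, and not project code) that triages `name_bind` AVC denials of the kind quoted in this thread: it groups them by confined domain, port and current port label, and prints the `semanage` form to review for each. The sample records are constructed, the function names are hypothetical, and `http_port_t` as the target type follows the reply above; `--modify` is used instead of `--add` when the port already carries a specific type, as 9090 (`websm_port_t`) does in the log.

```python
import re
from collections import Counter

# Constructed sample records (not copied from the thread). A real audit.log
# keeps each record on one line; the e-mail above shows them wrapped.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1700000001.100:101): avc:  denied  { name_bind } for  '
    'pid=1111 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1700000001.100:101): arch=c000003e syscall=49 '
    'success=no exit=-13 comm="java"',
    'type=AVC msg=audit(1700000002.200:102): avc:  denied  { name_bind } for  '
    'pid=1112 comm="java" src=9090 scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1700000003.300:103): avc:  denied  { read } for  '
    'pid=1113 comm="java" name="app.conf" scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1700000004.400:104): avc:  denied  { name_bind } for  '
    'pid=1114 comm="java" src=8090 scontext=system_u:system_r:tomcat_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
])

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Returns a dict for an AVC denial record, or None for any other line."""
    match = AVC_RE.match(line.strip())
    if not match:
        return None
    record = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group("fields"))}
    record["perms"] = match.group("perms").split()
    record["time"] = float(match.group("ts"))
    return record


def selinux_type(context):
    """Extracts the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def bind_denials(log_text):
    """Counts TCP name_bind denials keyed by (source domain, port, port label)."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_avc(line)
        if not record or "name_bind" not in record["perms"]:
            continue
        if record.get("tclass") != "tcp_socket":
            continue
        try:
            key = (selinux_type(record["scontext"]), int(record["src"]),
                   selinux_type(record["tcontext"]))
        except (KeyError, IndexError, ValueError):
            continue  # malformed or truncated record: skip rather than guess
        counts[key] += 1
    return counts


def review_hint(port, port_type, allow_type="http_port_t"):
    """Builds the semanage command to review; it is printed, never executed.

    unreserved_port_t is the catch-all label, so a specific entry can be added.
    A port that already has its own type needs --modify, and relabeling it also
    changes which other domains may bind it, so check that before applying.
    """
    action = "--add" if port_type == "unreserved_port_t" else "--modify"
    return f"semanage port {action} -t {allow_type} -p tcp {port}"


def report(log_text):
    """One line per distinct denial, sorted by domain and port."""
    return [
        f"{domain} denied bind to tcp/{port} ({port_type}) x{count}: "
        f"{review_hint(port, port_type)}"
        for (domain, port, port_type), count in sorted(bind_denials(log_text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```
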

  

RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

2017-12-22 Thread Caldarale, Charles R
> From: Eric Robinson [mailto:eric.robin...@psmnv.com] 
> Subject: RE: Is it Normal for Tomcat 8 to Use 20-80% More Memory Than Tomcat 6?

> if JVM instance "A" is configured as follows on server 1 under tomcat6/jdk 1.6, then 
> instance "A" on server 2 is configured the same, except it is running under tomcat 
> 8/jdk 1.8. Yet the tomcat 8 ones used 50% more memory, on average. 

> JAVA_OPTS="-Xms16M -Xmx192M \
> -XX:MaxPermSize=192M \

Note that PermGen is no longer used in Java 8, and the above should log a
warning:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=192m; support was removed in 8.0

Here's a brief overview:
https://blogs.oracle.com/poonam/about-g1-garbage-collector,-permanent-generation-and-metaspace

  - Chuck




Re: getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Alceu R. de Freitas Jr.
util.LifecycleBase.init(LifecycleBase.java:107)
    at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
    at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.net.BindException: Permissão negada (Bind failed) :9090
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:413)
    at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:715)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
    at 
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    ... 13 more
Caused by: java.net.BindException: Permissão negada (Bind failed)
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at 
java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:387)
    at java.net.ServerSocket.bind(ServerSocket.java:375)
[root@localhost ~]# ps aux | grep -i tomcat
tomcat    4385  3.4 10.8 2306540 110448 ?  Ssl  17:39   0:09 
/usr/lib/jvm/jre/bin/java -classpath 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
 -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat 
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp 
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
org.apache.catalina.startup.Bootstrap start
root  4438  0.0  0.0 112680   988 pts/0    R+   17:44   0:00 grep 
--color=auto -i tomcat


On Thursday, 21 December 2017 at 17:34:39 BRST, Christopher Schultz 
<ch...@christopherschultz.net> wrote:

I've never seen "BindException: permission denied" when the port
number is above 1024. Are you sure it's the connector port (e.g. 8090)
it's complaining about?

When you try your "other applications" test, are you sure you are
running as the same effective user as the Tomcat process?

-chris
  

getting "BindException: permission denied" exception when trying to change port 8080 to 8090

2017-12-21 Thread Alceu R. de Freitas Jr.
Hello folks,
I'm new to this list, and to Tomcat as well.
I was trying to get Jenkins and Tomcat running on the same VM that I have (with 
CentOS 7), but I'm struggling with a small issue.
Since I already had Jenkins running on port number 8080, I decided to change 
Tomcat to listen to 8090 by editing /etc/tomcat/server.xml, in the following 
line:


And the change:


As soon as I started, I got "BindException: permission denied" exception on the 
catalina log file. If I stop Jenkins daemon and change it back to 8080, it 
works as expected.
I even tried to put port number "1", but results were the same. I checked 
out ports in use with netstat, firewall configuration... I got nothing.
Since I was able to change Jenkins to run on 8090, I'm clueless about what is 
happening over there. It seems CentOS is happy letting applications bind to 
8080 and 8090, so I'm quite curious why things are not working with Tomcat...
Thanks!


RE: Trying to understand How Tomcat uses Keystore for SSL

2017-12-03 Thread Caldarale, Charles R
> From: Don Flinn [mailto:fl...@alum.mit.edu] 
> Subject: Re: Trying to understand How Tomcat uses Keystore for SSL

> Attached is a first cut at setting up SSL for Tomcat.  It is in MicroSoft Word.

Most attachments are automatically stripped by the mailing list server.  You
can either send it in plain text or post it somewhere publicly accessible.

 - Chuck




RE: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Caldarale, Charles R
> From: Baron Fujimoto [mailto:ba...@hawaii.edu] 
> Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

> I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
> website seem to reference it yet, but it appears to be available in the
> distribution archive(s). E.g.:

> 

> Is this 8.0.47 blessed for use?

Pretty much - the voting process completed over the weekend (it passed), but
the announcement isn't made until the mirrors all catch up.  Should be fine
to use from the archive.

 - Chuck




RE: Trouble using SSL with Tomcat 9

2017-09-27 Thread Caldarale, Charles R
> From: Don Flinn [mailto:fl...@alum.mit.edu] 
> Subject: Re: Trouble using SSL with Tomcat 9

> I installed a new download of tomcat 9, established one application with
> php/java bridge (need php and java access). Set the SSL port to an unused
> port, 443, and ran my app whose only output is an H1 message.  This time I
> get the expected error from Chrome with the red warning about bad
> certificate.  However, the redirect went to https://localhost/Financial/index.php
> - i.e. NO port number and of course drilling down couldn't find
> my app which is at port 443, I believe.

Port 443 is the standard HTTPS port, so it won't show up in the https: URL
since it's the default.

Unless you're running Tomcat as root (a very, very bad idea), you'll need to
use iptables or equivalent to let Tomcat listen on port 443.
https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

 - Chuck




debian 9 and tomcat 8 error at startup

2017-09-25 Thread r . bottoni

Hi,
I have installed Tomcat 8 on a Debian server using the aptitude command,
but when Tomcat starts, I get this strange error:


26-Sep-2017 07:47:14.613 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version:
Apache Tomcat/8.5.14 (Debian)
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server built:  
Sep 3 2017 17:51:58 UTC
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server number: 
8.5.14.0
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Name:   
Linux
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Version:
4.9.0-3-amd64
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Architecture:  
amd64
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Java Home: 
/usr/lib/jvm/java-8-oracle/jre
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:   
1.8.0_144-b01
26-Sep-2017 07:47:14.614 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Oracle Corporation
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: 
/var/lib/tomcat8
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: 
/usr/share/tomcat8
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: 
-Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Djava.awt.headless=true
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -XX:+UseConcMarkSweepGC
26-Sep-2017 07:47:14.615 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Djdk.tls.ephemeralDHKeySize=2048
26-Sep-2017 07:47:14.616 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
26-Sep-2017 07:47:14.616 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Dcatalina.base=/var/lib/tomcat8
26-Sep-2017 07:47:14.616 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Dcatalina.home=/usr/share/tomcat8
26-Sep-2017 07:47:14.616 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line 
argument: -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp
26-Sep-2017 07:47:14.616 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR 
based Apache Tomcat Native library which allows optimal performance in 
production environments was not found on the java.library.path: 
/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
26-Sep-2017 07:47:14.764 INFO [main] 
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler 
["http-nio-8080"]
26-Sep-2017 07:47:14.789 INFO [main] 
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a 
shared selector for servlet write/read
26-Sep-2017 07:47:14.791 INFO [main] 
org.apache.catalina.startup.Catalina.load Initialization processed in 
684 ms
26-Sep-2017 07:47:14.826 INFO [main] 
org.apache.catalina.core.StandardService.startInternal Starting service 
Catalina
26-Sep-2017 07:47:14.826 INFO [main] 
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet 
Engine: Apache Tomcat/8.5.14 (Debian)
26-Sep-2017 07:47:14.843 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
application directory /var/lib/tomcat8/webapps/ROOT
26-Sep-2017 07:47:15.141 WARNING [localhost-startStop-1] 
org.apache.tomcat.util.scan.StandardJarScanner.scan Failed to scan 
[file:/usr/share/java/el-api-3.0.jar] from classloader hierarchy
 java.io.FileNotFoundException: /usr/share/java/el-api-3.0.jar (No such 
file or directory)

at java.util.zip.ZipFile.open(Native Method)
at java.util.zip.ZipFile.(ZipFile.java:225)
at java.util.zip.ZipFile.(ZipFile.java:155)
at java.util.jar.JarFile.(JarFile.java:166)
at java.util.jar.JarFile.(JarFile.java:130)
	at 
org.apache.tomcat.util.scan.JarFileUrlJar.(JarFileUrlJar.java:60)
	at 
org.apache.tomcat.util.scan.JarFactory.newInstance(JarFactory.java:49)
	at 
org.apache.tomcat.util.scan.StandardJarScanner.process(StandardJarScanner.java:338)
	at 

RE: More, Re: This is weird (cross-posted to Tomcat and Debian Lists): Tomcat 8.5 is going to /var/lib/tomcat7/webapps/ROOT

2017-09-07 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: More, Re: This is weird (cross-posted to Tomcat and Debian Lists):
> Tomcat 8.5 is going to /var/lib/tomcat7/webapps/ROOT

> If I remember right, Linux file systems can have not only symbolic links 
> to files, but also multiple hard links to the same file. Is there an 
> easy way to look for something like that?

Without doing a full directory search, you can't tell if a symlink target
references a directory entry you're interested in.  You can use "ls -l" to
see the link count on a file; if a non-directory file has a link count more
than 1, there's another hard link to it (directories always have a link
count >= 2).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
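
The link-count check and the "full directory search" from the reply above, as an added shell example that is not part of the thread. The function names and the directory tree built by `demo_links` are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# link_count FILE: print the hard-link count (second column of "ls -l").
# For a non-directory, a value above 1 means another name exists somewhere.
link_count() {
    ls -ld -- "$1" | awk '{ print $2 }'
}

# other_names ROOT FILE: search ROOT for other names of FILE and print one
# "hardlink <path>" or "symlink <path>" line per hit.
# ROOT must be on the same filesystem as FILE; -xdev keeps find off other
# mounts, where an equal inode number would mean nothing.
other_names() {
    root=$1
    target=$2
    inode=$(ls -di -- "$target" | awk '{ print $1 }')
    # Hard links share one inode, so match on the inode number and skip
    # the name we were given.
    find "$root" -xdev -inum "$inode" 2>/dev/null |
    while IFS= read -r p; do
        [ "$p" = "$target" ] || printf 'hardlink %s\n' "$p"
    done
    # A symlink has its own inode; "-ef" follows it and compares targets.
    find "$root" -xdev -type l 2>/dev/null |
    while IFS= read -r p; do
        if [ "$p" -ef "$target" ]; then
            printf 'symlink %s\n' "$p"
        fi
    done
}

# demo_links: build a small constructed tree and run both checks on it.
demo_links() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/tomcat7/webapps/ROOT" "$tmp/tomcat8/webapps/ROOT"
    echo '<html></html>' > "$tmp/tomcat7/webapps/ROOT/index.html"
    ln "$tmp/tomcat7/webapps/ROOT/index.html" \
       "$tmp/tomcat8/webapps/ROOT/index.html"
    ln -s "$tmp/tomcat7/webapps/ROOT/index.html" \
          "$tmp/tomcat8/webapps/ROOT/alias.html"
    echo "link count: $(link_count "$tmp/tomcat7/webapps/ROOT/index.html")"
    other_names "$tmp" "$tmp/tomcat7/webapps/ROOT/index.html"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo_links; fi
```

Run the script with the argument `demo` to see the output for the constructed tree. File names containing newlines are not handled.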





RE: Performance issue 8.5.20 (metaspace related?)

2017-08-29 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Performance issue 8.5.20 (metaspace related?)
 
> > > That sounds like a healthy behavior to me. That means GC is
> > > occurring and Metaspace is getting cleaned up. Why do you think
> > > Metaspace is the problem?

> > Because I can observe that when the metaspace is collected the
> > requests become fast. I observed that a few hours ago, looking at
> > the metaspace graph of the java console and doing requests just
> > after the collect.

> RMI is known for flagrantly wasting permgen/metaspace because of all
> the Proxy objects and special throw-away Class objects it uses, etc.
> But I'm not sure why the metaspace filling up would have such a
> dramatic effect on performance.

> At any rate, this is not a problem with Tomcat itself: this is likely
> entirely JVM-related.

Is it possible that the system is getting into swapping?  The heap has been
set to 20 GiB, but I didn't see any mention of how much actual memory the
system has.  Do you really need a 20 GiB heap?  Sometimes smaller is better.
Might also want to try turning off UseHugeTLBFS.

I wonder if there are heap objects tied up due to dead but not collected
metaspace items; when metaspace is GC'd, the heap usage might well shrink
also.  (This might be a G1GC bug, but that seems unlikely.)  Perhaps the RMI
mechanism (which I haven't looked at in many years) is searching an
ever-growing set of soft/weak references that are removed when metaspace is
collected.  A smaller heap might help there.

 - Chuck




RE: Refreshing webapps slows server

2017-08-23 Thread Caldarale, Charles R
> From: Jerry Malcolm [mailto:techst...@malcolms.com] 
> Subject: Refreshing webapps slows server

> I have a very weird situation.

Actually, it's fairly common.

> This is somewhat circumstantial.  But TC will run fine for days and 
> never hits OutofMemory situations.  But as soon as I start replacing 
> webapp jar files, things start going bad.  So it appears that the issue 
> is caused by replacing jar files.

This sounds like a classic case of retaining references to now obsolete
classes or instances thereof.  Take a look at the Wiki:
https://wiki.apache.org/tomcat/FAQ/Memory
especially, the link to "classloaders are not being garbage collected" and
these:
https://wiki.apache.org/tomcat/OutOfMemory
https://wiki.apache.org/tomcat/MemoryLeakProtection

 - Chuck




RE: This is weird: can't bind to 443

2017-08-02 Thread Caldarale, Charles R
> From: Igal @ Lucee.org [mailto:i...@lucee.org] 
> Subject: Re: This is weird: can't bind to 443

> I agree about the "one more thing to go wrong", but fronting Tomcat with 
> a Web Server gives a performance hit?  I mean, sure, now requests for 
> Tomcat have another step to go through, but all of the static resources 
> (assuming there are static resources) will supposedly be handled more 
> efficiently by a web server, no?

Um, no.  A lot of work has gone into improving Tomcat performance over the
past few years, to the point where it's largely on par with httpd.  Put both
in the mix (assuming you're not using httpd for other reasons), and what
you've mostly done is add latency.

> The added layer usually provides more security as well, provided that the 
> web server doesn't add new vulnerabilities, of course.

Pretty much all components have (undiscovered) vulnerabilities, so having
more components actually increases the attack surface.

> I personally use nginx for SSL termination, which I find easier than 
> Tomcat, though it's been many years since I last tried to setup Tomcat 
> with https.

Now that Tomcat can use OpenSSL directly, it's easier than it used to be.
That said, if you do have a front end to Tomcat, might as well do the SSL
termination there to simplify things.

 - Chuck




RE: This is weird: can't bind to 443

2017-08-02 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: This is weird: can't bind to 443

> > Binding on ports < 1024 on Linux require elevated permissions, no?

> If so, somebody please elaborate.

That's a Linux restriction/feature - must be superuser to use the low port
numbers.

> It currently seems to be running under a user called "tomcat7."

That's good.

> By contrast, the one we've got running on a local CentOS box runs under root.

That's bad.

> The installation on the Google Debian instance was via an apt-get, and it
> put things in places other than where I was expecting them to be

That's a problem with all the 3rd-party repackaged versions of Tomcat.  Best
to use a real one from tomcat.apache.org.

> Any suggestions on what to do about it?

You should never run Tomcat under root - that means the webapps have full
control of the system.  Any webapp bugs open it up to hackers.  Take a look
at the FAQ for how to avoid that problem:

https://wiki.apache.org/tomcat/HowTo#How_to_run_Tomcat_without_root_privileges.3F

 - Chuck




RE: RemoteEndpoint.Async sendText blocking

2017-06-29 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: RemoteEndpoint.Async sendText blocking

> When the BIO connector is in use, you end up with weird things like
> this. I would switch to BIO if you want to use async.

Might want to rephrase that...  Presumably Chris meant "switch to NIO".

Note that the BIO connector is removed (yay!) in Tomcat 8.5 and above.

 - Chuck





RE: [Tomcat 8.5] Cannot obtain singleton resource with startStopThreads > 1

2017-06-10 Thread Caldarale, Charles R
> From: MrChuoi [mailto:mrch...@gmail.com] 
> Subject: Re: [Tomcat 8.5] Cannot obtain singleton resource with 
> startStopThreads > 1

> OK. I will put the resource in the context of each webapp to see what is
> going on, but what I don't understand is why this configuration works when
> I start webapps one-by-one sequentially?

I suspect you're not getting a singleton either way (at least you're not 
supposed to).  If you want a singleton, I believe it needs to be specified in 
conf/server.xml via  and a  in the 
 element of each webapp that needs it.

 - Chuck





RE: [Tomcat 8.5] Cannot obtain singleton resource with startStopThreads > 1

2017-06-10 Thread Caldarale, Charles R
> From: MrChuoi [mailto:mrch...@gmail.com]
> Subject: Re: [Tomcat 8.5] Cannot obtain singleton resource with 
> startStopThreads > 1

> Hi Mark,

Don't top-post.  Follow the mailing list guidelines published here:
http://tomcat.apache.org/lists.html#tomcat-users

> And to simplify the declaration of Resource in Tomcat, I put the  ...> in %CATALINA_HOME%\conf\context.xml. Is this a mistake?

That would appear to be one source of difficulty: the items configured in the 
global conf/context.xml are applied to each webapp individually, so you will 
get one instance of the resource for each webapp.

 - Chuck





RE: Under system account, Tomcat starts even with shutdown port conflict

2017-06-08 Thread Caldarale, Charles R
> From: Igor Cicimov [mailto:icici...@gmail.com] 
> Subject: Re: Under system account, Tomcat starts even with shutdown port 
> conflict

> If you are trying to run it on port <1024 you need authbind enabled

Read the original message.  The OP is running on Windows, not Linux, so there 
are no restrictions on port usage.  Some other process is using the port.

Since there are multiple ways to stop Tomcat (especially when running as a 
Windows service), non-availability of the shutdown port is not considered fatal.

 - Chuck





Max Sessions Across whole Server

2017-05-24 Thread Anthony, Clark R [US] (MS)
Hello,
I'm currently using Tomcat 8.5.14. I'd like to be able to limit the number of 
active sessions across the entire Tomcat server. I saw the "maxActiveSessions" 
value in the Manager configuration component, but that appears to be required 
to be nested inside a Context object. So that would seem to me that it is only 
available on a per-application basis. We have other people deploying into our 
Tomcat instance and we can't depend on them to set this limit properly for 
their app.

Is there a way to limit these sessions globally, for the entire Engine or Host 
server? If not, is this something that might be considered for a new feature 
addition in the future? I'm using the SingleSignOn valve if that helps (or 
hinders).

Thanks,
Clark


RE: Tomcat 8.5.4 and LegacyCookieProcessor

2017-05-18 Thread Caldarale, Charles R
> From: jared.paul.wal...@gmail.com [mailto:jared.paul.wal...@gmail.com] On 
> Behalf Of Jared Walker
> Subject: Tomcat 8.5.4 and LegacyCookieProcessor

> We are migrating to the version of tomcat identified in the subject

Before exposing an almost year-old version to the nasty real world, you might 
want to look at this:
http://tomcat.apache.org/security-8.html
and then pick a newer level (hint: 8.5.15 would be good).

> 1. What are the security and compatibility concerns when using the
> legacy processor

Sorry, can't answer that one.

> 2. The header for LegacyCookieProcessor.java explicitly states: "This
> class is not thread-safe."

> Can someone here with background knowledge explain exactly what's not
> thread-safe about the processor?  Does this mean you cannot use it for
> multiple simultaneous requests (pretty hindering for a server) or does
> this mean that you cannot have multiple threads parse the cookie
> contents of a request in parallel (which isn't a very normal thing to
> do)?

It's neither, really; there is one instance of CookieProcessor per , 
and the fields within LegacyCookieProcessor that make it not thread-safe are 
only set (in Tomcat) when the  is initialized.  Were you to 
dynamically reset the fields while requests were in progress, you could get in 
trouble.  The fields are described here:

http://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html

 - Chuck





RE: CLOSE_WAIT between Application (Tomcat) and Apache HTTPD

2017-05-11 Thread Caldarale, Charles R
> From: Adhavan Mathiyalagan [mailto:adhav@gmail.com] 
> Subject: Re: CLOSE_WAIT between Application (Tomcat) and Apache HTTPD

What part of do not top-post do you not understand?

> The Application port is configured in the catalina.properties file
> HTTP_PORT=8030
> JVM_ROUTE=dl360x3805.8030

Those are not tags that mean anything to Tomcat.  If your application is using 
port 8030 on its own, it's your application's responsibility to clean up after 
itself properly.

 - Chuck





RE: changing tomcat default password

2017-03-31 Thread Caldarale, Charles R
> From: Theresa Whitney [mailto:theresa.whit...@nisd.net] 
> Subject: changing tomcat default password

> I am trying to address a security vulnerability notification for several
> servers.  We have tomcat6 installed.

Right there is your biggest security problem - Tomcat 6 has reached end of life 
and may not receive any more fixes.  To quote from the "Which version?" page:

"Users of Tomcat 6 should be aware that Tomcat 6 has now reached end of life. 
Users of Tomcat 6.x should upgrade to Tomcat 7.x or later."
http://tomcat.apache.org/whichversion.html


> The notification indicates that I need to change the default passwords
> in the admin-users.xml file.

No such file is distributed with a standard Tomcat; are you sure you have the 
right file name?  In which directory is it located?

> Can I just change the password in the xml file?

Difficult to say, since it's not part of an official Tomcat.

> Sorry for my ignorance ... I am a total newbie.

As we all were at some point.

 - Chuck





RE: Migration

2017-03-21 Thread Caldarale, Charles R
> From: M. Osama Alghwell [mailto:malghw...@gmail.com] 
> Subject: Migration

> I have been asked by a company to update their existing working tomcat 5
> application, which is working on an old Windows 2003 platform and accessing
> SQL 2005. The new servers are Windows and SQL 2012. I downloaded  and
> installed Tomcat 8.5.12. So, what I need to
> do for migrating the existing application to work on the new environment?

The first step is to read the migration guides:
http://tomcat.apache.org/migration.html

You'll need to look at all the ones that change levels, since the steps are 
cumulative and there is no 5 -> 8.5 doc.

Once you've absorbed that, come back with specific questions.

 - Chuck





RE: getRealPath is a bad idea?

2017-03-10 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: getRealPath is a bad idea?

> I would use a well-known location for the file. Maybe the application
> can be installed anywhere, but the config file needs to be in
> %APPDATA%\YourCompany\YourProduct\config.properties

An alternative is to have the customer define the location in a Java system 
property via setenv.bat (or service properties) when installing the webapp.  (I 
know, not pretty, but it's the webapp doing the lookup, not Tomcat.)

 - Chuck





RE: Re:[OT] get NPE from NamingContextListener in app moved from TomEE to Tomcat

2017-03-10 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re:[OT] get NPE from NamingContextListener in app moved from TomEE 
> to Tomcat

> > name="jdbc/tst36" not id=...

> Hmm. When 'name' is null we should have a better behavior than NPE. :(

It gets your attention...

 - Chuck





RE: Apache Tomcat 9

2017-03-09 Thread Caldarale, Charles R
> From: pina.freder...@gmail.com [mailto:pina.freder...@gmail.com] 
> Subject: Apache Tomcat 9


> I'm trying to teach myself Java Web App Development but can't seem to get 
> this issue resolved.

> Mar 09, 2017 5:44:17 PM org.apache.catalina.core.StandardServer await
> SEVERE: StandardServer.await: create[localhost:8080]: 
> java.net.BindException: Address already in use: JVM_Bind

You already have something on your laptop that's using port 8080.  Either stop 
running that program, or configure your Tomcat to use a different port in the 
 element of server.xml.

 - Chuck





RE: getRealPath is a bad idea?

2017-03-09 Thread Caldarale, Charles R
> From: Berneburg, Cris J. - US [mailto:cberneb...@caci.com] 
> Subject: RE: getRealPath is a bad idea?

> How do you all configure the location of a special folder that is not part of 
> the deployment package itself?  A site-specific config file perhaps?

Take a look at this:
http://tomcat.apache.org/tomcat-8.5-doc/config/resources.html

A  element within  allows specification of areas outside of 
the Tomcat deployment that the webapp can access via 
ServletContext.getResource() or getResourceAsStream().

 - Chuck





RE: CVE-2017-6056.

2017-02-24 Thread Caldarale, Charles R
> From: Paralos Trainings [mailto:paralostranin...@gmail.com] 
> Subject: CVE-2017-6056.

> I'd like to know if the latest version of Tomcat 7 and Tomcat 8 are
> affected by CVE-2017-6056.

Real Tomcat releases (downloaded from tomcat.apache.org) are not affected.  
Some 3rd-party repackaged versions do have the problem due to failure on their 
part to include relevant fixes.

 - Chuck





RE: I want hide apache-coyote1.1 infomation on my tomcat 5.0.28

2017-02-12 Thread Caldarale, Charles R
> From: grkim [mailto:gr...@injeinc.co.kr] 
> Subject: I want hide apache-coyote1.1 infomation on my tomcat 5.0.28

> I saw "apache-coyote1.1" information on my tomcat reply when I use curl -I
> IP:PORT on my tomcat 5.0.28.

> I want to hide this for security reason.

Seriously?  By running such an old version of Tomcat (released 11.5 years ago), 
you have much more serious security issues than exposure of the Tomcat version. 
You desperately need to upgrade.

> Doesn't support it on 5.0. version? Or is there any other solution for
> this issue?

> Anybody please give me the solution. 

Upgrade to a supported level, ASAP.  Not doing so is extreme negligence.

 - Chuck





RE: Migration to Tomcat 8.0 Post/PreResources vs VirtualWebappLoader with optional resources

2016-12-07 Thread Berg, R. van den (Robin)
Hi,

No. For the record: I didn't post the issue on 
https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html. I merely 
stumbled upon somebody having the same issue. I wanted to file an enhancement 
request. But, as also noted by the "what to do before posting a 
bug/enhancement"-page, I wanted to be sure there is no solution to this 
problem yet. 
I was interested whether this was already fixed perhaps, even though I couldn't 
find anything.
Also, maybe somebody knows a 'workaround', which would help me because I don't 
have time to wait for the enhancement. Furthermore, I can't even use the 
newest version, unfortunately. That depends on the PAAS party.

Kind Regards,

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, December 07, 2016 10:58 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Migration to Tomcat 8.0 Post/PreResources vs VirtualWebappLoader 
with optional resources


Robin,

On 12/7/16 4:01 AM, Berg, R. van den (Robin) wrote:
> Hello! I have an issue that seems not supported anymore with Tomcat 8. 
> The same problem is also posted in the comments on:
> https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html
> 
> PROBLEM: We used the virtualWebAppLoader to get some extra libraries 
> and classes that were on the machine on the classloader.
> The virtualClasspath-property of the virtualWebAppLoader was a 
> ';'-separated list of directories. If one of them was empty, that was 
> not a problem. We used the fact that non-existing/empty directories 
> were not loaded, without any exception. MQ were imported on 
> Test-acceptance-production. However, in a local/dev-setup we do not 
> provide these libraries, since MQ-services are stubbed out.
> 
> We used the {Jar|File|Dir}ResourceSet in the context.xml as 
> replacement for the virtualWebAppLoader, as recommended by the 
> migration guide. However, these fail when the base-property is 
> non-existent. Therefore, it breaks dev/local.
> 
> In the comments in
> https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html a 
> solution was posted to extend the {Jar|File|Dir}ResourceSet.
> However, that solution won't work for us, since we can't provide the 
> tomcat-instances on test-acc-prd with an extra class/library with the 
> extended class. (access-rights/cloud-solution only allows default 
> setup).
> 
> PREFERRED SOLUTION: Just like the tomcat 7  virtualWebAppLoader we 
> would like the ResourceSet to be optional/non-failing if the resource 
> is not available. Is there any configuration/property I can use to do 
> that?

Did you file an enhancement request as suggested by Konstantin all those months 
ago?

- -chris



ATTENTION:
The information in this e-mail is confidential and only meant for the intended 
recipient. If you are not the intended recipient, don't use or disclose it in 
any way. Please let the sender know and delete the message immediately.



Migration to Tomcat 8.0 Post/PreResources vs VirtualWebappLoader with optional resources

2016-12-07 Thread Berg, R. van den (Robin)
Hello!
I have an issue that seems not supported anymore with Tomcat 8.
The same problem is also posted in the comments on: 
https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html

PROBLEM:
We used the virtualWebAppLoader to get some extra libraries and classes that 
were on the machine on the classloader.
The virtualClasspath-property of the virtualWebAppLoader was a ';'-separated 
list of directories. If one of them was empty, that was not a problem.
We used the fact that non-existing/empty directories were not loaded, without 
any exception. MQ were imported on
Test-acceptance-production. However, in a local/dev-setup we do not provide 
these libraries, since MQ-services are stubbed out.

We used the {Jar|File|Dir}ResourceSet in the context.xml as replacement for the 
virtualWebAppLoader, as recommended by the migration guide.
However, these fail when the base-property is non-existent. Therefore, it 
breaks dev/local.

In the comments in 
https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html a solution was 
posted to extend the {Jar|File|Dir}ResourceSet.
However, that solution won't work for us, since we can't provide the 
tomcat-instances on test-acc-prd with an extra class/library with the extended 
class. (access-rights/cloud-solution only allows default setup).

PREFERRED SOLUTION:
Just like the tomcat 7  virtualWebAppLoader we would like the ResourceSet to be 
optional/non-failing if the resource is not available. Is there any 
configuration/property I can use to do that?

Thanks,
Kind Regards,





RE: Getting "Invalid message received with signature xxxxx" messages in catalina.out

2016-11-18 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: Getting "Invalid message received with signature x" messages 
> in catalina.out

> > No, 8009 is the default port for communication between httpd and Tomcat.  
> > 8005 is the default shutdown port.

> > If you're not using it, remove (or comment out) the declaration.

> Can somebody point me to the right docs, so I can learn more about this?

Start with the FAQ:
https://wiki.apache.org/tomcat/FAQ/Connectors

Then the official places:
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html

 - Chuck





RE: Getting "Invalid message received with signature xxxxx" messages in catalina.out

2016-11-18 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: Getting "Invalid message received with signature x" messages 
> in catalina.out

> This is interesting:
>  

> Isn't 8009 some sort of backchannel control port, perhaps the one used 
> for controlled shutdown of Tomcat?

No, 8009 is the default port for communication between httpd and Tomcat.  8005 
is the default shutdown port.

> It seems to be defined as an AJP port "straight out of the box," is also 
> so-defined on our own Tomcat server, and is presumably so-defined at all 
> our other customer installations.

Correct.  If you're not using it, remove (or comment out) the declaration.


> And yet this is the first time I've ever seen these error messages.

Something with access to your network is probing that port.

 - Chuck
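
Added example, not part of the original messages: a triage script for the "Invalid message received with signature" entries discussed in this thread, showing how the logged number hints at what kind of client reached the AJP port. It assumes the number is the first two bytes of the received packet read as a big-endian integer (a well-formed AJP packet from httpd starts with 0x1234); the log lines and signature values are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Triage "Invalid message received with signature N" entries from catalina.out.
# Assumption: N is the first two bytes of the received packet, read as a
# big-endian integer; a well-formed AJP packet from httpd starts 0x1234 (4660).

# classify_signature N -> label describing what the first two bytes look like
classify_signature() {
    sig=$1
    case $sig in
        ''|*[!0-9]*|0?*) echo "not-a-number"; return 1 ;;
    esac
    [ "$sig" -le 65535 ] 2>/dev/null || { echo "out-of-range"; return 1; }
    hi=$((sig / 256))
    lo=$((sig % 256))
    if [ "$sig" -eq 4660 ]; then
        echo "valid-ajp-magic"
    elif [ "$hi" -eq 22 ] && [ "$lo" -eq 3 ]; then
        # TLS record header: content type 0x16 (handshake), major version 0x03
        echo "tls-handshake"
    elif [ "$hi" -ge 33 ] && [ "$hi" -le 126 ] && [ "$lo" -ge 33 ] && [ "$lo" -le 126 ]; then
        # Two printable ASCII bytes: most likely the start of a text protocol
        pair=$(printf '%b%b' "\\0$(printf '%o' "$hi")" "\\0$(printf '%o' "$lo")")
        case $pair in
            GE|PO|HE|PU|DE|OP|PA|CO|TR) printf 'http-request(%s)\n' "$pair" ;;
            *) printf 'ascii(%s)\n' "$pair" ;;
        esac
    else
        printf 'binary(0x%04x)\n' "$sig"
    fi
}

# summarize_log: read catalina.out lines on stdin, print "<count> <label>"
summarize_log() {
    sed -n 's/.*Invalid message received with signature \([0-9][0-9]*\).*/\1/p' |
    while read -r sig; do
        classify_signature "$sig" || true
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample lines (not taken from the thread)
sample_log() {
    cat <<'EOF'
18-Nov-2016 09:14:02.101 SEVERE [ajp-nio-8009-exec-3] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 18245
18-Nov-2016 09:14:02.350 SEVERE [ajp-nio-8009-exec-4] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 20559
18-Nov-2016 09:14:03.007 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
18-Nov-2016 09:15:40.912 SEVERE [ajp-nio-8009-exec-5] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 5635
18-Nov-2016 09:15:41.200 SEVERE [ajp-nio-8009-exec-6] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 18245
18-Nov-2016 09:16:10.044 SEVERE [ajp-nio-8009-exec-7] org.apache.coyote.ajp.AjpMessage.processHeader Invalid message received with signature 3
EOF
}

sample_log | summarize_log
```

Any label other than valid-ajp-magic means a non-AJP client reached the port, which supports the advice in the thread to remove the connector when it is not in use.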





RE: war file incompletely deployed

2016-11-07 Thread Caldarale, Charles R
> From: Christoph P.U. Kukulies [mailto:k...@kukulies.org] 
> Subject: Re: war file incompletely deployed

> This makes sense somehow, but wouldn't a local move or copy from within 
> the server's filesystem have the same complications?

No, a local mv or rename in a modern file system simply changes the directory 
structure; no copy is performed.  A copy does stand a chance of being caught in 
the middle, but the timing window is much, much smaller.  Best to use mv/rename 
whenever possible.

 - Chuck





RE: war file incompletely deployed

2016-11-07 Thread Caldarale, Charles R
> From: Christoph P.U. Kukulies [mailto:k...@kukulies.org] 
> Subject: war file incompletely deployed

> I started developing a webapp (Windows 7, tomcat 7/x64). I generate a  
> WAR file using eclipse/maven. Once built I copy over the war file
> to a network share on the tomcat server. The share is the tomcat webapps 
> directory.

> Once done tomcat autodeploys the .war file into the webapps subdirectory 
> with the name of the war file (without extension).

Copying over a network link to the final deployment location can be 
problematic.  Tomcat's auto-deployment may see a partially written file and 
initiate deployment prematurely.  Best if you can copy the file to a temporary 
location on the target server and then mv or rename it to the desired spot.

 - Chuck
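
Added example, not part of the original messages: one way to script the "copy to a temporary location, then mv" advice from the two replies in this thread. The function name `deploy_war` and the `.war-stage` directory name are hypothetical; the staging directory is created beside the appBase so the final step is a rename on the same file system and the auto-deployer never scans the staged file.

```shell
#!/bin/sh
# Stage a WAR outside appBase, verify the copy, then rename it into place so
# Tomcat's auto-deployer never sees a partially written file.
#
# usage: deploy_war SRC_WAR APPBASE [CONTEXT_NAME]
deploy_war() {
    src=$1
    appbase=$2
    # Context name defaults to the WAR's base name (ROOT.war -> ROOT)
    name=${3:-$(basename "$src" .war)}

    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ -d "$appbase" ] || { echo "no such appBase: $appbase" >&2; return 1; }

    # Sibling of appBase: same file system (mv is a rename, no copy) and
    # outside the directory Tomcat watches.
    parent=$(cd "$appbase/.." && pwd) || return 1
    stage=$(mktemp -d "$parent/.war-stage.XXXXXX") || return 1
    tmp=$stage/$name.war

    # The slow, interruptible part happens here, out of Tomcat's sight.
    if ! cp "$src" "$tmp"; then
        rm -rf "$stage"
        return 1
    fi

    # Refuse to publish a short or corrupted copy.
    if [ "$(cksum < "$src")" != "$(cksum < "$tmp")" ]; then
        echo "staged copy differs from source" >&2
        rm -rf "$stage"
        return 1
    fi

    # Publish: replaces any existing WAR of the same name in one step.
    if ! mv "$tmp" "$appbase/$name.war"; then
        rm -rf "$stage"
        return 1
    fi
    rmdir "$stage"
}
```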





RE: MaxInactiveInterval

2016-11-04 Thread Caldarale, Charles R
> From: Mark Thomas [mailto:ma...@apache.org] 
> Subject: Re: MaxInactiveInterval

> On 04/11/2016 15:07, André Warnier (tomcat) wrote:
> > A log message in an application running under Tomcat 8 mentions the
> > "MaxInactiveInterval" setting, saying that it is a bit short..
> > 
> > I think that I understand the meaning of the setting (the time for which
> > a session remains valid, even without interactions).
> > But where in the webapp context, and under what name, should an
> > equivalent parameter be specified ?

> Set it in web.xml. Same with distributable.

This really appears to be a problem in the servlet spec (not surprising), which 
mentions the getMaxInactiveInterval() and setMaxInactiveInterval() APIs but 
only vaguely ties them to the session-timeout element of session-config.  
Tomcat doc does not normally describe the nuances of the servlet spec, but 
something that associates the config name with the API might be useful.

 - Chuck





Re: [SECURITY] CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources

2016-11-01 Thread R Paul
Excellent, Mark.. thank you.. I am just trying to learn as much as I can and
that gives me such good data to evaluate paths of understanding...
look forward to communicating again..
rich

On Tue, Nov 1, 2016 at 4:30 PM, Mark Thomas <ma...@apache.org> wrote:

> On 01/11/2016 19:56, R Paul wrote:
> > Hi Mark
> > met you at pivotal...in toronto..
> > I have been watching these forums for some time..and just seeing the
> > quantity of emails
> > are these people experiencing a normal number of issues with getting
> > tomcat to work with their software?
>
> I think what you see on the users list is fairly typical. Only a
> minority of the issues are actually bugs. Most questions are usage /
> configuration questions or are really application issues. You'll see a
> similar pattern on Stack Overflow.
>
> > Can you categorize some of those
> > issues to me..as a student studying security I am curious...
>
> There are lots of different ways you could categorize the questions. By
> Tomcat component, by root cause, by experience level of user...
>
> The classification I care most about is bug / non-bug and the metric I
> care most about is open bugs (excluding enhancement requests). That
> currently sits around 10 and those are nearly all waiting for more info
> from the reporter before we can fix it. Overall, I'm proud of the fact
> that Tomcat is very stable and that reported bugs get fixed quickly -
> typically a release with a fix is available within a month.
>
> Mark
>
>
> > richard
> >
> >
> > On Thu, Oct 27, 2016 at 8:17 AM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
> >>
> >> Severity: Low
> >>
> >> Vendor: The Apache Software Foundation
> >>
> >> Versions Affected:
> >> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> >> Apache Tomcat 8.5.0 to 8.5.4
> >> Apache Tomcat 8.0.0.RC1 to 8.0.36
> >> Apache Tomcat 7.0.0 to 7.0.70
> >> Apache Tomcat 6.0.0 to 6.0.45
> >> Earlier, unsupported versions may also be affected.
> >>
> >> Description
> >> The ResourceLinkFactory did not limit web application access to global
> >> JNDI resources to those resources explicitly linked to the web
> >> application. Therefore, it was possible for a web application to access
> >> any global JNDI resource whether an explicit ResourceLink had been
> >> configured or not.
> >>
> >> Mitigation
> >> Users of affected versions should apply one of the following mitigations
> >> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> >> - Upgrade to Apache Tomcat 8.5.5 or later
> >> - Upgrade to Apache Tomcat 8.0.37 or later
> >> - Upgrade to Apache Tomcat 7.0.72 or later
> >>   (Apache Tomcat 7.0.71 has the fix but was not released)
> >> - Upgrade to Apache Tomcat 6.0.47 or later
> >>   (Apache Tomcat 6.0.46 has the fix but was not released)
> >>
> >> Credit:
> >> This issue was discovered by the Apache Tomcat Security Team.
> >>
> >> References:
> >> [1] http://tomcat.apache.org/security-9.html
> >> [2] http://tomcat.apache.org/security-8.html
> >> [3] http://tomcat.apache.org/security-7.html
> >> [4] http://tomcat.apache.org/security-6.html
> >>


Re: [SECURITY] CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources

2016-11-01 Thread R Paul
Hi Mark
met you at pivotal...in toronto..
I have been watching these forums for some time..and just seeing the
quantity of emails
are these people experiencing a normal number of issues with getting
Tomcat to work with their software? Can you categorize some of those
issues to me..as a student studying security I am curious...
richard


On Thu, Oct 27, 2016 at 8:17 AM, Mark Thomas  wrote:

> CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> Apache Tomcat 8.5.0 to 8.5.4
> Apache Tomcat 8.0.0.RC1 to 8.0.36
> Apache Tomcat 7.0.0 to 7.0.70
> Apache Tomcat 6.0.0 to 6.0.45
> Earlier, unsupported versions may also be affected.
>
> Description
> The ResourceLinkFactory did not limit web application access to global
> JNDI resources to those resources explicitly linked to the web
> application. Therefore, it was possible for a web application to access
> any global JNDI resource whether an explicit ResourceLink had been
> configured or not.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> - Upgrade to Apache Tomcat 8.5.5 or later
> - Upgrade to Apache Tomcat 8.0.37 or later
> - Upgrade to Apache Tomcat 7.0.72 or later
>   (Apache Tomcat 7.0.71 has the fix but was not released)
> - Upgrade to Apache Tomcat 6.0.47 or later
>   (Apache Tomcat 6.0.46 has the fix but was not released)
>
> Credit:
> This issue was discovered by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
>


RE: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

2016-10-27 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Tomcat 9 exe, High CPU usage due to TCP I/O with itself

> On 10/27/16 1:45 PM, Dustin Delage wrote:
> > Looks like the app is now slated for redevelopment. Thanks
> > everyone.

> I still think this has nothing to do with your application...

Maybe, maybe not.  On a fresh install of Tomcat 9.0.0.M11 using JDK 1.8.0_102 
running as a service on Windows 7 Pro, I see the following ports in use:

Protocol  Local Address  Remote Address  State
TCP       :8009          :0              LISTENING
TCP       :8080          :0              LISTENING
TCP       :8005          :0              LISTENING
TCP       :55089         :55090          ESTABLISHED
TCP       :55090         :55089          ESTABLISHED
TCP       :55091         :55092          ESTABLISHED
TCP       :55092         :55091          ESTABLISHED
TCP       :55093         :55094          ESTABLISHED
TCP       :55094         :55093          ESTABLISHED
TCP       :55095         :55096          ESTABLISHED
TCP       :55096         :55095          ESTABLISHED
TCP       :55097         :55098          ESTABLISHED
TCP       :55098         :55097          ESTABLISHED
TCP       :55099         :55100          ESTABLISHED
TCP       :55100         :55099          ESTABLISHED
TCPV6     :8009          :0              LISTENING
TCPV6     :8080          :0              LISTENING

I haven't figured out what all the paired ports with established connections 
are used for yet; maybe stdin, stdout, stderr, and ??  If some of the ports are 
redirects of stdout and/or stderr, the webapp could be dumping a lot of junk 
there, causing the high CPU usage.

 - Chuck





Is UTF-8 used everywhere for Tomcat 8.5.6?

2016-10-17 Thread R
Hi,

I have a default installation of Tomcat 8.5.6. When I make a POST request
with a tilde character, and the encoding is set to UTF-8, it seems that my
servlet handler is decoding it incorrectly. I have to set the character
encoding on the HttpServletRequest parameter to decode properly, example:

  protected void doPost(HttpServletRequest request, ...) {
      // I have to set this manually.
      request.setCharacterEncoding("UTF-8");

      // Decoding works now.
      String test = request.getParameter("test");
      ...
  }

Reading the Tomcat docs, it seems like everything should be UTF-8 by
default. Is there a setting we still have to apply to get UTF-8 to be the
default encoding?

Thanks


RE: Single sign on

2016-10-11 Thread Caldarale, Charles R
> From: Linux Support [mailto:ossuppor...@gmail.com] 
> Subject: Single sign on

> Using 8.5.5 on solaris. Can you please point me in the direction of some
> documentation/link/blog for how to set up the SSO for an application
> deployed.

Start here.
http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Single_Sign_On_Valve

If you want to utilize an existing authentication/authorization system, look 
through this to see if there's a Realm you can use:
http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html
http://tomcat.apache.org/tomcat-8.5-doc/config/jaspic.html

 - Chuck





RE: Host appBase vs. Context docBase

2016-10-07 Thread Caldarale, Charles R
> From: Igal @ Lucee.org [mailto:i...@lucee.org] 
> Subject: Host appBase vs. Context docBase

> Suppose that I have an application at C:\WebApps\App1

Suppose you tell us your Tomcat version.

> 
> 
> 

> 
> 
>   
> 

Both of the above are incorrect.  It is highly unlikely that you want the 
<Host> name to be App1.  The appBase attribute of <Host> must point to a 
directory where one or more webapps are located for automatic deployment.  It 
must never point to a specific webapp.  The path attribute of the <Context> 
element must not be used unless the <Context> element is in server.xml, which 
it should not be.  The docBase attribute is used only when the <Context> 
element is located in conf/Catalina/[host]/[appName].xml.

You need to read the documentation for <Host>, <Context>, and deployment for 
the Tomcat version you're using.

 - Chuck





RE: apache-tomcat-9.0.0.M10: Change Context-Path in META-INF/context.xml not working

2016-09-20 Thread Caldarale, Charles R
> From: Maik Brauer [mailto:m...@brauer.nrw] 
> Subject: apache-tomcat-9.0.0.M10: Change Context-Path in META-INF/context.xml 
> not working

> I have a standard Tomcat9 installation. I just put a helloworld.war in the 
> webapps folder 
> and inside the META-INF I put the context.xml with a different path like: 
> 

Which is not allowed.

> But the context is still http://localhost/helloworld instead 
> http://localhost/newcontext.

As it should be.

> I tried so many things, but it is not possible to get Tomcat convinced to use 
> the new path.

Correct.

> Anybody who can help?

Read the doc:
http://tomcat.apache.org/tomcat-9.0-doc/config/context.html

In particular, this sentence describing the path attribute:

"This attribute must only be used when statically defining a Context in 
server.xml. In all other circumstances, the path will be inferred from the 
filenames used for either the .xml context file or the docBase."

Rename your .war file if you want a different context name.  You may also place 
your webapp outside of the appBase directory, and place a [context_name].xml 
file in conf/Catalina/localhost with a docBase attribute pointing to the webapp 
location.

 - Chuck





RE: Apache TomCat 5.5

2016-09-14 Thread Caldarale, Charles R
> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:maryp...@mail.nih.gov] 
> Subject: Apache TomCat 5.5

> We have been using one of the old Apache TomCat on windows server 2008R2, IIS 
> 7.

Firstly, it's Tomcat, not TomCat.

> We need to apply a header directive in Apache "Strict-Transport-Security" so 
> that our web site 
> would be secured as the Government required.

Your web site is pretty much guaranteed to be _insecure_ as long as you're 
running that old - and unsupported - version of Tomcat.  The last Tomcat 5.5 
release was nearly four years ago, and many, many vulnerabilities have been 
addressed since then.  SSL does not protect you against those.  You really must 
upgrade to a supported level (preferably 8.5), after carefully reading the 
migration guides:
http://tomcat.apache.org/migration.html

Not doing so makes anything else you try pointless.

> My question is where can I insert this line?

As suggested by Daniel, a filter is your best bet - but upgrade Tomcat first.  
Not doing so leaves you subject to many more liabilities than lack of HSTS.

 - Chuck 





RE: Trouble setting TOMCAT_USER

2016-08-29 Thread Caldarale, Charles R

> From: Jorge Alfonso [mailto:jo...@qbex.com] 
> Subject: RE: Trouble setting TOMCAT_USER

> In order to setup the users for Tomcat you have to edit the file
> tomcat-users.xml

 That has absolutely nothing to do with what the OP is asking about.  The 
tomcat-users.xml file is the toy control for what users can be authenticated 
and authorized by Tomcat, not what userid Tomcat runs under.

Unfortunately, the OP is using a 3rd-party repackaged version of Tomcat, which 
the Apache organization has neither control nor even knowledge of.  Whatever 
startup mechanism that kicks off that particular Tomcat is specific to the 
repackager, and the query will need to be submitted to whatever support 
organization that has.

 - Chuck 




RE: Tomcat 8.5 Resource Setting Says it's being ignored but documentation shows it is supported

2016-08-17 Thread Caldarale, Charles R
> From: McKenzie, Mitch [mailto:mmcken...@markelcorp.com] 
> Subject: Tomcat 8.5 Resource Setting Says it's being ignored but 
> documentation shows it is supported


> Seeing the following  warning for all of my datasources when tomcat 8.5.4 
> starts up : 
> Ignoring unknown property: value of "3" for "validationInterval" property

As you should.

> factory="org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory"

> I see validationInterval in the docs here: 
> https://tomcat.apache.org/tomcat-8.5-doc/jdbc-pool.html

Which is the doc for org.apache.tomcat.jdbc.pool.  If you're using DBCP2, you 
should be looking at the following doc, which is linked to from at least two 
places in the Tomcat web pages:
http://commons.apache.org/proper/commons-dbcp/configuration.html

 - Chuck





RE: Set up postgresql on tomcat7

2016-08-17 Thread Caldarale, Charles R
> From: Andrew Davis [mailto:drsockmon...@gmail.com] 
> Subject: Re: Set up postgresql on tomcat7

> It's a redhat ..  i don't think tomcat 7 or later will run on this.

Stop top posting; read the rules here:
http://tomcat.apache.org/lists.html#tomcat-users

The distributor of your OS is completely irrelevant.  What's important is the 
version of the JVM you have installed.  Look at this page to see what version 
of Tomcat will run with your JVM:
http://tomcat.apache.org/whichversion.html

 - Chuck





RE: Unable to access Manager App, Host Manager and Server Status urls

2016-08-13 Thread Caldarale, Charles R
> From: Andrew M [mailto:bluemind2...@yahoo.com.INVALID] 
> Subject: Unable to access Manager App, Host Manager and Server Status urls

> I have added these three lines in my tomcat-users.xml file:
> 
> 

And did you remove the comment markers that bracket that area of the file?

 - Chuck





RE: Native Library Error using Context forward in server.xml

2016-08-12 Thread Caldarale, Charles R
> From: Pietag, Tobias (Enterprise Security Services) 
> [mailto:tobias.pie...@hpe.com] 
> Subject: RE: Native Library Error using Context forward in server.xml

> We are using the Context in the server.xml to change the root application to a
> different webapp.

That's a really, really bad idea.  Name your default webapp ROOT, and be done 
with it.  Alternatively, construct a ROOT webapp that does nothing but redirect 
to iiq (or vice-versa).

>  deployOnStartup="true" >
>    

Read the doc and discover why that path attribute is using an illegal value, 
even when in server.xml.
 
> So that the webapp can be call from https://url:8443/ and 
> https://url:8443/iiq. 

You should do this with a redirect.

> If the webapp is open from both URLs, it will result in the following error.

That's because it's not "the webapp"; your configuration forces it to be 
deployed twice, once as the default, once as iiq.  Each deployment uses a 
separate classloader so the underlying classes (and native library references) 
cannot be mixed.
 
> It seems that the tomcat sees both URLs as different applications and tries 
> to load native library twice.

Exactly.

> After removing the Context element it's working without any error.

Except you cannot reach the webapp without using iiq in the URL.

> Is this the normal behavior with the Context element ?

Yes.

> Is there an option to change this behavior, or does it look like a bug ?

It's a bug in your configuration and deployment strategy.

 - Chuck





RE: tomat8.5 write logs with incorret os permission

2016-08-04 Thread Caldarale, Charles R
> From: 韭菜 [mailto:jiu...@qq.com] 
> Subject: tomat8.5 write logs with incorret os permission

> When using tomcat8.0, it starts and writes logs as follows: 
> (apache-tomcat-8.0.x) -rw-rw-r-- 1 app app 873710 Aug  4 20:08 catalina.log  
> When using tomcat8.5.x (including tomcat 9.0.x), it starts and writes logs as 
> follows: 
> (apache-tomcat-8.5.4) -rw-r----- 1 app app 100824 Aug  4 20:10 catalina.log 

A highly appropriate change, much needed to prevent untrusted users from 
accessing private information in the log.

> So, tomcat8.5 causes other OS users to be unable to read its logs and the logs 
> of webapps deployed on tomcat8.5. The log files should have permission 664, 
> not 640.

Definitely not a good idea.

> I think it is not good for Java webapp developers: when my web app writes 
> logs as data logs, the log files cannot be rsynced by other users and hosts.

As it should be.

> but it works at tomcat7.0.x and tomcat8.0.x

"Works" is your definition; any site interested at all in secure operations 
would consider the old permissions to be dangerous and broken.

> So I asked users to require further support for tomcat8.x write log files 
> feature.

Definitely a bad idea to relax the default permissions back to where they were. 
 If you want to expose your own system to abuse, you can set umask as 
documented in the changelog.

 - Chuck
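
Added example, not part of the original messages: a small audit for the permissions discussed in this thread. `mode_from_umask` shows which umask produces the 640 and 664 modes in the listings above, and `audit_log_perms` flags log files that are readable by everyone or writable beyond the owner; both function names are hypothetical.

```shell
#!/bin/sh
# Check which file mode a umask produces, and audit a logs directory for
# files that are more permissive than owner-write / group-read (640).

# mode_from_umask UMASK -> mode given to a new regular file (requested 0666)
mode_from_umask() {
    # Leading 0 forces octal interpretation of the argument (027 or 0027)
    printf '%03o\n' $(( 0666 & ~0$1 & 0777 ))
}

# audit_log_perms DIR
#   prints "<finding> <path>" per problem, sorted
#   returns 0 if clean, 1 if anything was found, 2 if DIR is missing
audit_log_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    findings=$(
        # "other" read bit set: any local account can read the log
        find "$dir" -type f -perm -004 \
            -exec printf 'world-readable %s\n' {} \;
        # group or other write bit set: log can be altered by non-owners
        find "$dir" -type f \( -perm -020 -o -perm -002 \) \
            -exec printf 'group-or-world-writable %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}
```

With mode 640 the group can still read the files, so an account that has to collect logs can be added to the owning group without changing the umask.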





RE: Internal Error 500

2016-08-04 Thread Caldarale, Charles R
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Subject: Re: Internal Error 500

> On 04.08.2016 11:15, Syed Mudassir Ahmed wrote:
> > What are the various reasons for the tomcat server to throw internal server
> > error 500?

> In general, search Google for : http status codes

Note that this is the same OP that works for an "expert" IT consulting company 
and wanted volunteers on this mailing list to do his work for him.

 - Chuck





RE: Tomcat 8 RemoteIpValve Issues

2016-08-01 Thread Caldarale, Charles R
> From: Kasa, Nubli [mailto:mmohd...@iu.edu] 
> Subject: RE: Tomcat 8 RemoteIpValve Issues

> This doesn't seem to be the case with a fresh new install on Tomcat 8 on 
> Ubuntu. Our sysadmin 
> also did a fresh install on Redhat with the same result.

Install of what?  A real Tomcat from tomcat.apache.org, or a 3rd-party 
repackaged (and reconfigured) version?  For the latter, you may need to consult 
with the 3rd party, since they've been known to change the defaults somewhat 
arbitrarily.

 - Chuck





RE: Issue with Tomcat7

2016-08-01 Thread Caldarale, Charles R
> From: Olaf Kock [mailto:tom...@olafkock.de] 
> Subject: Re: Issue with Tomcat7

> If you want 1:1 attention, go the paid route. If you want community
> support: State your problem. If you want free community 1:1 attention:
> Good luck - state explicitly that this is what you're looking for and
> see who answers. I won't.

What's really annoying is that the OP works for an IT consulting company that 
is getting paid for their "expertise".  Sure looks like another attempt to get 
someone else to do their job and then take credit for it (monetary and 
otherwise).

 - Chuck





RE: Tomcat 7.0.70 War Redeployed every few minutes

2016-07-04 Thread Caldarale, Charles R
> From: Andrew Moore [mailto:andrew.mo...@petcircle.com.au] 
> Subject: Tomcat 7.0.70 War Redeployed every few minutes

> We noticed that we were getting Connection Refused when trying to connect
> to port 8080 remotely. And then we could see this was being caused by the
> war redeploying automatically every few minutes.

This can be caused by an inappropriate timestamp on the .war file - one that's 
in the future.  Another possibility is that something is doing a touch on .jar 
or .class files in the expanded directory.  Or maybe the timestamps on the 
files inside the .war are off.

Might want to look at the deployment doc:
http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html#Deploying_on_a_running_Tomcat_server
to see if this is similar to what you see going on.

 - Chuck





RE: Servlet overridden by Apache Tomcat welcome page?

2016-07-03 Thread Caldarale, Charles R
> From: Mark Eggers [mailto:its_toas...@yahoo.com.INVALID] 
> Subject: Re: Servlet  overridden by Apache Tomcat welcome 
> page?

> I just played with Eclipse Neon (newest release). It does copy over a
> Tomcat configuration into your workspace, and then runs Tomcat from that
> (sort of like RUNNING.txt).

I thought there was some way to disable such obnoxiousness, but I don't 
remember the details.

> That being said, Eclipse does not handle ROOT well at all by default. If
> I tell Maven to have a final name of ROOT, then Eclipse edits the
> workspace server.xml with:
> 
> path="/ROOT"
>reloadable="true"
>source="org.eclipse.jst.jee.server:CSEFive"/>
> 

Clearly broken.  (Also, there is no <Context> attribute of "source".)

> If I name things normally, then the application comes up as CSEFive, and
> the portion of server.xml reads as follows:
> 
> docBase="CSEFive"
>path="/CSEFive"
>reloadable="true"
>source="org.eclipse.jst.jee.server:CSEFive"/>
> 

Other than the source attribute, at least that's legal.

> The only way that I know of to manage this from within Eclipse is the
> following:

> Right-mouse click on the project, and go to the following in the drop
> down menu:

> Properties->Web Project Settings

> Change the Context root to /

Strictly speaking, this isn't correct; the default webapp must have an empty 
path string.

> Run your project from within Eclipse, and it will come up as
> http://localhost:8080/

That's an accident, since the path attribute is not valid.

> Eclipse will rewrite the server.xml in your workspace to:
> 
> <Context docBase="CSEFive"
>          path="/"
>          reloadable="true"
>          source="org.eclipse.jst.jee.server:CSEFive"/>
> 

The path attribute is illegal.  You would think after this number of years, 
Eclipse would at least get the syntax right.

> In any case, once you move out of an Eclipse-controlled Tomcat,

Which seems to be highly desirable, given the mess Eclipse is making.

> the WAR file needs to be named ROOT.war (case matters, even on Windows).

As Hassan previously noted.

> You'll need to move Tomcat's default ROOT web application to another
> location.

Or just delete it.

> In short, it's an Eclipse artifact.

A seriously broken artifact.

 - Chuck





RE: Servlet overridden by Apache Tomcat welcome page?

2016-07-03 Thread Caldarale, Charles R
> From: Paul Roubekas [mailto:paul@orthogroup.holdings] 
> Subject: Re: Servlet overridden by Apache Tomcat welcome page?

> After making the above suggested changes the desired behavior goes
> away.  Now instead of my application's landing page I get the tomcat
> welcome page.

You appear to have ignored what Hassan S said earlier in this thread; I'll 
repeat it here:

"Assuming a default installation, you should see the index.jsp page
associated with the *default context*, which in Tomcat is named
ROOT (case sensitive).

"You need to move or delete the existing ROOT and rename your
own WAR file (or directory) to ROOT."

I suspect you did not delete the existing ROOT directory.

> I am using Eclipse Mars.2  Is it possible I simply
> implemented the suggestions incorrectly?  Below is what eclipse did to
> the server.xml file.

>  path="/ROOT##000" reloadable="true"
> source="org.eclipse.jst.jee.server:ROOT##000">

I'm not an Eclipse user, but any IDE that blindly updates configuration files 
without your explicit permission sounds extremely dangerous.  Others may have 
suggestions about how to stop such bad behavior.  You really, really do not 
want to put any <Context> elements in server.xml.

 - Chuck
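
The points raised in the two replies above (no `<Context>` elements in server.xml, an empty path for the default webapp, no "source" attribute) can be checked mechanically. The following is an added example, not code from the thread or from the Tomcat project; the function names and the sample server.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the thread.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context docBase="CSEFive" path="/" reloadable="true"
                 source="org.eclipse.jst.jee.server:CSEFive"/>
        <Context docBase="CSEFive" path="/CSEFive" reloadable="true"/>
        <Context docBase="CSEFive" path="" reloadable="true"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Attributes the thread calls out as not belonging to <Context>.
NOT_CONTEXT_ATTRIBUTES = {"source"}


def check_path(path):
    """Return a problem string for a Context path, or None if it is well formed."""
    if path == "":
        return None  # empty string is the default (ROOT) web application
    if not path.startswith("/"):
        return "path must be empty or start with '/'"
    if path.endswith("/"):
        return "path must not end with '/'; the default webapp uses an empty path"
    return None


def audit_server_xml(xml_text):
    """Return (path, problem) findings for every <Context> under a <Host>."""
    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        for ctx in host.findall("Context"):
            path = ctx.get("path", "")
            findings.append((path, "Context defined in server.xml"))
            problem = check_path(path)
            if problem:
                findings.append((path, problem))
            for name in sorted(NOT_CONTEXT_ATTRIBUTES & set(ctx.attrib)):
                findings.append((path, f"unknown attribute '{name}'"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"path={path!r}: {problem}")
```

Running it against an IDE-managed workspace copy of server.xml before promoting that configuration to a standalone Tomcat shows which entries the IDE rewrote.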




-- 
The people that bring you Usque .
