RE: 21 second pause that randomly happens

[charlie arehart]

David? Are you still needing help with this? Your answers to what I ask may 
help us get you to a solution.

/charlie

-Original Message-
From: charlie arehart  
Sent: Tuesday, July 17, 2018 01:14 PM
To: 'Tomcat Users List' 
Subject: RE: 21 second pause that randomly happens

Going back to David's original note, you wrote, " We have a customer who is 
experiencing a random, 21 second pause when using out Tomcat based application 
server. We believe this may be during a TCP connect and timeout. Logging 
indicates the pause happens before the request makes it to our back end."

Can you clarify what you mean by the "back end" here? 

Since you say it's a pause "when using" Tomcat, I can't tell if you're saying 
Tomcat IS the backend, or instead if the request hangs WHILE running in Tomcat 
but doesn't reach some other "backend" that the Tomcat-based app should then 
talk to. You did refer in a later note to a "backend agent log", so I'm 
inclined to think it's the latter.

In that case, it seems you are wondering (in one note) whether the request 
might be hung up in the connector (getting TO Tomcat). 

But do you know for sure whether the request is actually running IN Tomcat? You 
could use any of various JVM or Tomcat monitoring tools to know a) if the 
request reaches Tomcat, b) if it is hanging while running there, and then c) 
just WHAT the request is hanging and waiting for (which could well be that 
"other backend" the app needs to talk to). 

But before elaborating on approaches, I wanted to ask what you may or may not 
know in regard to the above, first. :-)

/charlie 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: 21 second pause that randomly happens

[charlie arehart]

Going back to David's original note, you wrote, " We have a customer who is 
experiencing a random, 21 second pause when using out Tomcat based application 
server. We believe this may be during a TCP connect and timeout. Logging 
indicates the pause happens before the request makes it to our back end."

Can you clarify what you mean by the "back end" here? 

Since you say it's a pause "when using" Tomcat, I can't tell if you're saying 
Tomcat IS the backend, or instead if the request hangs WHILE running in Tomcat 
but doesn't reach some other "backend" that the Tomcat-based app should then 
talk to. You did refer in a later note to a "backend agent log", so I'm 
inclined to think it's the latter.

In that case, it seems you are wondering (in one note) whether the request 
might be hung up in the connector (getting TO Tomcat). 

But do you know for sure whether the request is actually running IN Tomcat? You 
could use any of various JVM or Tomcat monitoring tools to know a) if the 
request reaches Tomcat, b) if it is hanging while running there, and then c) 
just WHAT the request is hanging and waiting for (which could well be that 
"other backend" the app needs to talk to). 

But before elaborating on approaches, I wanted to ask what you may or may not 
know in regard to the above, first. :-)

/charlie 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?

[charlie arehart]

> -Original Message-
> From: Igal @ Lucee.org  
> Sent: Monday, June 11, 2018 04:55 PM
> To: users@tomcat.apache.org
> Subject: Re: IIS authentication applies to static but not dynamic requests 
> (servlets, JSPs). Any way to control that?
>
> Charlie,
>
> Are you sure that the static requests are passed to Tomcat?  Can you verify 
> that in the response headers?
>
> The logical explanation that I can think of is that IIS still serves the 
> static content, but passes the JSP stuff to Tomcat without checking the 
> security permissions.
>
> HTH,
>
> Igal Sapir

Thanks, Igal. No, I agree the static files are NOT passed to Tomcat. I wasn't 
saying that they were. :-) I was implying rather that they do NOT go to Tomcat, 
and are NOT processed by the Tomcat connector/ISAPI Filter (because they are 
not in the uriworkermap.properties list of processed URLs). 

This was to confirm that they WERE therefore being handled CORRECTLY by IIS, in 
that a user trying to run the request who did NOT have access to the files (per 
Windows on the server) would find the request rejected (per the Windows 
Authentication feature in IIS).

The problem is that jsps and servlets, which ARE passed to Tomcat by the 
connector (are in the uriworkermap.properties mappings) are NOT being properly 
rejected by IIS (or the connector, whichever should have control).

Now, I should add that I had in mind at one time a test to change the order of 
the modules in IIS, to put the ISAPIFilterModule below the 
WindowsAuthentication and FileAuthorization module, to see if that would 
"help'. But really, that should not be needed (even if it would help). Users of 
Tomcat (who want to implement web server file security like this) shouldn't 
(I'd think) have to know of such a low-level tweak. I would think that the 
connector (the Tomcat isapifilter.dll) could/should implement such a security 
for the user. I suppose someone may quibble with that.

I had also meant to test things out in pure asp.net, to see if an aspx page got 
honored this way (was protected by Windows Auth and file security, like a 
static file). I forgot to do these before writing. (Someone wanting me to get 
this to the Tomcat folks for attention pressed me about it, and I forgot these 
were 2 things I wanted to check before writing in.)

But perhaps someone familiar with all this may have a thought based simply on 
what has been shared so far.

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?

[charlie arehart]

Folks, I have found that if Windows authentication (NTLM) is enabled for a site 
(or folder) in IIS, such authentication does apply (and is honored) for static 
files (html, images) but NOT dynamic ones (servlets, JSPs). Is that intended?

To be clear, this is the latest Tomcat 8 (8.5.31) and the latest IIS connector 
(1.2.43). The uriworkermap.properties is configured to pass all requests to 
Tomcat (not just JSPs, for instance). 

What I’m referring to in particular is this: consider that I set the security 
properties for one of the JSP example folders:

‪ C:\Program Files\Apache Software Foundation\Tomcat 
8.5_Tomcat8_5_31\webapps\examples\jsp\jsp2\el

such that my user had been denied access to that folder.

And let’s say I have configured a site in IIS that listens on port 91 to pass 
to Tomcat. If I open a new browser window (so as to not have any caching of 
previous authentication), and I visit this URL:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.html

I get a prompt in the browser to login, and if I login with the user whose 
permissions had been denied, I get a rejection from IIS. (In my case, I am 
running my Tomcat test site on port 91 in IIS. It’s not at all pertinent if 
there is a non-std port or port 80 used.)

The key issue is that if I then visit a JSP or servlet, that IS ALLOWED to run, 
even though a static file is rejected:

http://localhost:91/examples/jsp/jsp2/el/basic-arithmetic.jsp

I have found nothing in the docs to indicate that this is expected behavior. 
Can anyone offer any thoughts? I am happy to do any tests or shared any needed 
diagnostics to help resolve this. Thanks.



/charlie

RE: Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector protocol)

[charlie arehart]

Can you clarify why you would not want to use the AJP connector in your case? 
I'm just asking this simpler question, since no one offered any answer when you 
asked essentially the same question last week. 

More important, have you confirmed whether things WOULD work as expected if you 
used the AJP connector instead? And if so, then again why not use it? Or are 
you thinking for some reason you CANNOT?

/charlie

PS I have a different question on IIS authentication and Tomcat, which I will 
ask separately.

-Original Message-
From: Agrawal, Suraj (CORP)  
Sent: Wednesday, May 23, 2018 04:41 PM
To: users@tomcat.apache.org
Subject: Use IIS Authentication in Apache Tomcat 8.0.22 (HTTP/1.1 Connector 
protocol)

Hi Team,

We are trying to implement SSO using windows integrated authentication (NTLM) 
on Apache Tomcat 8.0.22 through reverse proxy in IIS.
We were able to pass the Authentication token to Apache , but the apache is not 
allowing the IIS authentication to pass through. It is not recognizing what 
authentication is coming by the reverse proxy IIS server request.

[Authentication (NTLM) --> Reverse proxy --> pass the call with NTLM token to 
to Apache Tomcat]

For "AJP/1.3" connection protocol there is an attribute "tomcatAuthentication" 
which allows Apache to use the authentication user information from IIS.
But we didn't found anything similar for "HTTP/1.1" connection protocol, can 
you please help.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: configuring ciphers for SSL Labs server test

[charlie arehart]

Also, Baron, about the URL you're testing on your site via by SSLLabs: is that 
really one being served by Tomcat's web server? That's whose connector you're 
showing here. 

If instead you are fronting/proxying Tomcat with Apache or IIS, then my 
understanding is that the SSL support is handled by that web server, not Tomcat 
(and the connector handling that would be one with a protocol="AJP/1.3" or the 
like), and you'd then be wanting to really resolve the poor grades via 
configuration of those instead.

I am open to being corrected by you or others here, of course.

/charlie

>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for 
>>> our Tomcat configuraton. Currently, their report caps our grade at B 
>>> because, "This server does not support Authenticated encryption 
>>> (AEAD) cipher suites". They report that we support the following cipher 
>>> suites:
>>>

>>>
>>>  >> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="10"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>>  



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

on getting started contributing doc improvements (was RE: On Tomcat 8.5.16, RemoteHostFilter ...)

[charlie arehart]

Pardon the top-posting, but I wanted to take André's helpful reply about 
getting started in contributing doc improvements (below) and then respond 
to/expand upon it. 

Since it really is an entirely different subject than the OP's intent for the 
original thread, I have started this new one. (And this is my first time 
changing the subject line like that, mid-discussion, here on this list. So if 
that’s wrong either technically or per community standards, just let me know.)

So first, here is what André had written to me, for context, then my reply is 
below.

> -Original Message-
> From: André Warnier (tomcat) <a...@ice-sa.com> 
> Subject: Re: On Tomcat 8.5.16, RemoteHostFilter throwing ServletException the 
> property [allow] is not defined
> 
> On 29.03.2018 23:36, charlie arehart wrote:
> > (And as I said in another thread, I don't propose these changes as if 
> > to say to someone, "now go do it". I'm saying it as someone who would 
> > try to step in and help, if permitted.)
> 
> I think that you can do that.
> Have a look here :
> http://tomcat.apache.org/getinvolved.html
> You have already done the first step.
> You can do the second step, whenever you want : if you see a question to 
> which you can contribute a useful response, please do.
> The next step would be the FAQ or Wiki. That's also fairly easy : go to 
> https://wiki.apache.org/tomcat/FrontPage
> and see the "If you do decide to contribute," paragraph.
> (You could for example start by providing some additional examples, as a FAQ 
> article. And I am sure that with a simple request on this list, a link to 
> that FAQ could then be easily added to the main docs).
> If you want to contribute directly by improving the docs, that gets a bit 
> more involved, because it requires downloading the code, submitting patches 
> etc. But it can be done (I did it once, at a time when I wasn't even sure 
> what "diff" meant).
> That will lead you here : http://www.apache.org/dev/contributors.html
> (Note: the process for the documentation is exactly the same as for the code; 
> and as a contribution, it will be appreciated in the same way - or even more, 
> considering the inherent aversion of programmers toward documentation..) And 
> the ultimate reward (after a few years of hard and consciencious work) would 
> be here :
> http://tomcat.apache.org/whoweare.html
> 

Thanks very much for all that, André, and I have already started reading all 
the content about "the process". :-)  A couple things flow from your 
suggestions there.

1) If you (or anyone following along and responsible for that FrontPage) are 
open to more feedback, your second step pointed me to the section there about, 
"If you do decide to contribute". The next words there say "you will need to 
create a Wiki login name", but it doesn't say how to do that. Now, sure, one 
might figure it out by thinking to click the login button at the top of the 
page, which then offers a link to create one. But it could be quite helpful if 
it just went ahead and offered that link under those words "create a Wiki login 
name", going to https://wiki.apache.org/tomcat/FrontPage?action=newaccount. :-)

2) Anyway, I did that, and the sentence then goes on to say that we should then 
send that new login name to the dev or users list, asking to be added to the 
ContributorsGroup. Now, I realize I should (and will) join the dev list also, 
but since the discussion has started here and may seem to come "out of left 
field" from me there, I will offer here that the login name is CharlieArehart.  
Let me know, folks involved, if you prefer I share that on the dev list instead 
for some reason (in which case, maybe that wording that says "or Tomcat Users" 
should be removed). As always, I'm just trying to help, not to criticize.

3) And to your final points, yep, I would be only interested in contributing to 
the docs (and happily) but not code. I truly am just a user of Tomcat--and 
other Java app servers. Though I've helped people troubleshoot issues with them 
for 10+ years, I've not written a line of production Java code since before 
then, so I won't be nearly as helpful with that!

And I do see (from Mark's link to the doc repo, in another doc-related thread 
yesterday) that the project uses SVN. I'll start getting my head back into that 
(vs Git) in the meantime. :-)

4) Finally, thanks for the link to the whoweare page. That was helpful. I see 
now that you and Mark, who had been contributing on this thread, as well as you 
both and Christopher and Felix who were participating in my other thread about 
doc contribution, are all committers. Thanks very much for all you guys (and 
others here) do. Again, I just want to help, as a long-time user.

I'm also a voracious 

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

-Original Message-
> From: Felix Schumacher  
> 
> All changes to sources are send to the dev list, so I didn't feel the need to 
> announce it independently. But as a 
> small defence on my side, in my last mail to you on the user-owners, I wrote 
> that I would probably have a look 
> at it and thought that would be enough to inform you about it. Sorry, that I 
> didn't send a follow up and didn't
> answer earlier to your follow-up on this list.



> That is the reason, why I thought it a good idea to discuss this on the 
> public users list.
> 
> I still believe that your real concern is not about these few b's missing 
> from links in the documentation, but 
> rather how to report those mistakes in general, how to submit fixes in an 
> easy way and most importantly: where 
> is this written on the tomcat home page.
> 
> And to address these things, I found it important, that you started this 
> discussion on the mailing list. Those on 
> the dev list mostly know how to contribute changes, but we also want 
> newcomers to become contributors. Thus 
> it is important, that we have a clearly described way on how to contribute at 
> a prominent place on the home page.
> 
> Best regards,
>  Felix

Thanks, ok, and +1 to that, Felix. :-)

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

> From: Christopher Schultz <ch...@christopherschultz.net> 
>
> Mark,
> 
> On 3/29/18 6:07 PM, Mark Thomas wrote:
> > On 29/03/18 21:38, charlie arehart wrote:
>>> Thanks. I'm guessing someone fixed it before you looked, as I see now 
>>> that it is fixed as well. (And same for the 7 doc.)
>>> 
>>> Now, if you may be tempted to say that you don’t think anyone had 
>>> changed it recently,
>> 
>> That is what version control is for: 
>> http://svn.apache.org/viewvc?rev=1827860=rev
>> 
>> Felix made a bunch of changes to fix this of which the above change is 
>> just the first.
>
>Aha. I even knew "where" I was looking and I still missed it.
>
>- -chris

Well, FWIW, I will say that I did not know, Chris. :-) 

And to Mark, I would ask: how would I have known to look there? I don't mean to 
sound snarky, but I said in my very first post on the subject that I was new to 
the list (though not new to Tomcat, as a user at least).

So mine is a sincere question: is there some way that I, as a mere use of the 
docs, would have even known that they were in that version control resource? 
Let alone what specific one? Are you thinking that there is some resource that 
readily tells us that, as users? If I missed it, I do apologize.

Or might you just have thought that this was discussed often enough here that 
one should have known? Again, I admitted I was a new user, but perhaps you did 
not read that very first message. (No one replied for a few days, which is why 
I pinged about it again today.)

And to that point, and indeed your observation that this was changed by 
Felix...well, he never said so here. Again, that's why I pinged the list on 
this. I do appreciate that it was done, of course!  And also that (like Andre 
said in another thread today) doing doc changes is a thankless enough task. :-) 
I'm just saying a lot of back and forth could have been saved. Browser caching 
of the page clearly kept me from seeing the change on my own.

And again, I am trying to learn the ins and outs here, so as not to be a burden 
to the list. I hope ultimately to "give" far more than "take", over time, if I 
can (as I've done for many years in other forums and lists).


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: On Tomcat 8.5.16, RemoteHostFilter throwing ServletException the property [allow] is not defined

[charlie arehart]

> -Original Message-
> From: André Warnier (tomcat)  
>
> Hi.
> Sorry for top-posting, but maybe a real dev would want to have a look at this.
> If you scroll below to the original post, it seems that putting an invalid 
> value (a bad
> regex) in the param-value of the "allow" param, triggers an error message 
> that is at least confusing :
> 
> >> Exception starting filter [Remote Host Filter] 
> >> javax.servlet.ServletException: The property [allow] is not defined for 
> >> filters of type [org.apache.catalina.filters.RemoteHostFilter]
>  >>   at org.apache.catalina.filters.FilterBase.init(FilterBase.java:52)
> ...
> 
> That was for :
> >>   
> >>   allow
> >>   *\.example\.com
> >>   
>
> The OP cited Tomcat 8.5.16.

FWIW, I'll throw out as well that the particular section of the doc page about 
that filter doesn't have an example (showing some sample XML for use with the 
filter), while many others (7  of the 14 filters listed) do. 

Of course, if one did read about the others they could see examples and perhaps 
connect dots. I just wonder if, had an example been there, the OP might have 
more readily seen his mistake. (And as I said in another thread, I don't 
propose these changes as if to say to someone, "now go do it". I'm saying it as 
someone who would try to step in and help, if permitted.)

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

Thanks. I'm guessing someone fixed it before you looked, as I see now that it 
is fixed as well. (And same for the 7 doc.)

Now, if you may be tempted to say that you don’t think anyone had changed it 
recently, I would just offer here a screenshot of the 8 doc page, from the 
browser where I tripped over the problem (and which I had not reloaded since 
seeing your answer here). It clearly shows that it WAS wrong at some point. :-) 




And in case the image doesn’t make it through, here’s a dropbox link to it: 
https://www.dropbox.com/s/k9wivla0vwu91a1/ 

I can’t imagine any way I’d see that in my browser other than if the link was 
indeed wrong in the HTML. In fact, I was able to do a view source and there is 
was:

17) MBeans Descriptors

(But I realize that for some users it’s possible that the HTML I just pasted 
won’t show up.)

As always, just trying to help.

/charlie

 

-Original Message-
> From: Christopher Schultz  
> 

> Charlie,

> 

> 

> Can you give me a page reference? When looking at:

> http://tomcat.apache.org/tomcat-8.0-doc/index.html

> 

> The link has the proper URL.

 



 

> Specific page?   
> http://tomcat.apache.org/tomcat-7.0-doc/index.html looks okay to me.

> 

> - -chris

 

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

>From: André Warnier (tomcat)  
>
>Hi.
>I think that you are right, there is something not quite right, right now, 
>with the comment section (apparently on all pages).
>As I recall, it used to be that there was an editable section at the bottom of 
>each page, where one could actually write a comment related to the 
>documentation page in question.
>(And that would probably have been the right place to mention the problem).
>
>Now this seems to be replaced everywhere by a fixed message, with links, which 
>don't seem to lead to anywhere one could actually place a comment.
>
>I have no idea if this is intended, but it seems a bit kafka-esque.
>
>Also the top link of the left-hand menu (Docs Home), could be expected to lead 
>to a page covering the docs of all the versions. But instead of that, it seems 
>to loop to the same version on which one already is.

Yep, thanks for the commiseration, André. :-) Hope that comments section will 
someday be working again. There are actually other "opportunities for 
improvement" that I have seen and wanted to suggest, and now it's no wonder 
that such may exist, given the challenge proposing changes (and even with the 
"comment" mechanism it's not clear if anyone took ownership to make changes).

If there's a way to go about getting permission to actually make actual doc 
changes and push them for approval by the doc owner, I'd welcome the opp to 
through that process, to help out.

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

>From: Christopher Schultz  
>Sent: Thursday, March 29, 2018 10:59 AM
>

>
> > Until that’s resolved, is this or another TC list a good place to 
> > report such a broken link, or other doc suggestion? Thanks.
>
> Here is perfect.
> 
> Which link is broken?
>
> - -chris

Thanks, and yep, I would indeed have preferred to add the observation as a 
comment there if I could have.  I hope someday that system is working again.

So the broken link is the one on the left nav there for "mbeans descriptor". 
While it should go to:

https://tomcat.apache.org/tomcat-8.0-doc/mbeans-descriptors-howto.html

It mistakenly tries to go to the following (missing the b in mbeans):

https://tomcat.apache.org/tomcat-8.0-doc/means-descriptors-howto.html

FWIW, I have checked the other links on the left of that TC 8 User Guide, and 
they otherwise do all work as expected.

Finally, the same error above was in the TC7 docs, if you have ability to 
change those. Again, thanks for stepping in.

/charlie


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: How to offer a link correction for the Tomcat docs?

[charlie arehart]

Anyone have a suggestion of where better to ask this, if not here?

/charlie

-Original Message-
From: charlie arehart <charlie_li...@carehart.org> 
Sent: Tuesday, March 27, 2018 05:05 PM
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: How to offer a link correction for the Tomcat docs?

Greetings. I’m a new list member, though a fairly long-time Tomcat user. 

I found a broken link in the Tomcat User Guide (8 and 7), on its left nav bar.  
How would I best go about reporting such a broken link in the Tomcat docs?

To be clear, while there is a comments section at the bottom of the doc pages, 
that points folks to https://tomcat.apache.org/tomcat-8.0-doc/comments.html to 
learn more, which in turn points to https://comments.apache.org/help.html. But 
that gets a 503 service unavailable error. I find a jira discussion indicating 
this is a long-standing issue, which was hoped to be solved by now: 
https://issues.apache.org/jira/browse/INFRA-15947.



Until that’s resolved, is this or another TC list a good place to report such a 
broken link, or other doc suggestion? Thanks.

/charlie



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

How to offer a link correction for the Tomcat docs?

[charlie arehart]

Greetings. I’m a new list member, though a fairly long-time Tomcat user. 

I found a broken link in the Tomcat User Guide (8 and 7), on its left nav bar.  
How would I best go about reporting such a broken link in the Tomcat docs?

To be clear, while there is a comments section at the bottom of the doc pages, 
that points folks to https://tomcat.apache.org/tomcat-8.0-doc/comments.html to 
learn more, which in turn points to https://comments.apache.org/help.html. But 
that gets a 503 service unavailable error. I find a jira discussion indicating 
this is a long-standing issue, which was hoped to be solved by now: 
https://issues.apache.org/jira/browse/INFRA-15947.



Until that’s resolved, is this or another TC list a good place to report such a 
broken link, or other doc suggestion? Thanks.

/charlie