[Bug 63766] New: Resource leak: under certain conditions, request objects related to WebSockets are not freed

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63766

Bug ID: 63766
   Summary: Resource leak: under certain conditions, request
objects related to WebSockets are not freed
   Product: Tomcat 8
   Version: 8.5.38
  Hardware: Macintosh
Status: NEW
  Severity: major
  Priority: P2
 Component: WebSocket
  Assignee: dev@tomcat.apache.org
  Reporter: francis.vanae...@servicenow.com
  Target Milestone: 

Created attachment 36794
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36794=edit
Code to reproduce the problem (see description)

Resource leak: under certain conditions, request objects related to WebSockets
are not freed

When Tomcat 8.5.38 is setting up a WebSocket (WS) connection with a client (or
has just set up the connection - not sure), and then receives a TCP RST on that
connection, it is possible that the associated objects are never freed. The
objects are of the classes below.

org.apache.tomcat.websocket.server.WsHandshakeRequest
org.apache.catalina.connector.Request
org.apache.coyote.Request
org.apache.coyote.RequestInfo
org.apache.catalina.connector.RequestFacade

We saw this happen in production, and we were able to reproduce this with test
code, running against our application, and against an out-of-the-box (OOB)
(embedded) Tomcat.

I have attached the stack traces of the two use cases (our application and OOB
Tomcat). Interestingly, the stack traces are different.

To reproduce the problem in a test environment, we have modified a TCP proxy to
send a RST packet to the server shortly after sending the WebSocket upgrade
HTTP request. When opening many WS connections, and having them automatically
interrupted with RST packets, after a while a number of objects seem to be
stuck in memory (see screenshot requests_objects.png). The objects stay in
memory even when the proxy and client are shut down.

Thank you for having a look at this. This failure mode does not happen often,
but when it happens, it eventually can bring the JVM down because of memory
pressure.

ATTACHMENT

The attachment contains:

tomcat-webserver: an OOB (embedded) Tomcat with a WS endpoint
websockets/tcp-proxy: a TCP proxy, modified to send RST packets - run ProxyMain
to start the proxy
websockets/websockets-client: a simple WS client, opening many connections -
run SadPath to reproduce the problem
requests_objects.png: a VisualVM screenshot showing stuck objects
web_socket_connection_reset.txt: two stack traces (the first when reproducing
the problem with our application, the second when reproducing the problem with
tomcat-webserver)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63765] NIO2 Connector with OpenSSL 1.1.1 hangs with TLSv1.3

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63765

--- Comment #1 from Remy Maucherat  ---
This looked like the usual not-unwrapping-enough "IO" issue, so changing the
initial value of unwrapBeforeRead to true in SecureNio2Channel.reset avoids it.
Not sure if it is 100% safe (although it looks rather similar to NIO with its
non blocking read returning 0).
I cannot reproduce this that reliably personally, it may be only visible on
localhost.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 02/05: Fix Javadoc warnings

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6c17de0f2838c8b4857541f89889a3eb82a961a6
Author: Mark Thomas 
AuthorDate: Mon Sep 23 14:36:19 2019 +0100

Fix Javadoc warnings
---
 java/org/apache/tomcat/util/buf/B2CConverter.java | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/java/org/apache/tomcat/util/buf/B2CConverter.java 
b/java/org/apache/tomcat/util/buf/B2CConverter.java
index 31ad092..0b58d3f 100644
--- a/java/org/apache/tomcat/util/buf/B2CConverter.java
+++ b/java/org/apache/tomcat/util/buf/B2CConverter.java
@@ -71,6 +71,13 @@ public class B2CConverter {
 
 /**
  * Only to be used when it is known that the encoding name is in lower 
case.
+ * @param lowerCaseEnc The name of the encoding for the required charset in
+ * lower case
+ *
+ * @return The Charset corresponding to the requested encoding
+ *
+ * @throws UnsupportedEncodingException If the requested Charset is not
+ *  available
  */
 public static Charset getCharsetLower(String lowerCaseEnc)
 throws UnsupportedEncodingException {
@@ -85,6 +92,7 @@ public class B2CConverter {
 return charset;
 }
 
+
 private final CharsetDecoder decoder;
 private ByteBuffer bb = null;
 private CharBuffer cb = null;
@@ -135,6 +143,8 @@ public class B2CConverter {
  * @param bc byte input
  * @param cc char output
  * @param endOfInputIs this all of the available data
+ *
+ * @throws IOException If the conversion can not be completed
  */
 public void convert(ByteChunk bc, CharChunk cc, boolean endOfInput)
 throws IOException {


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 05/05: Add Javadoc for the Common Annotation API

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 38a69916b9ddfc789c8eac3b46b175b2dc8d6efe
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:32:55 2019 +0100

Add Javadoc for the Common Annotation API
---
 build.xml   | 22 ++
 java/javax/annotation/Resource.java |  2 ++
 webapps/docs/changelog.xml  |  3 +++
 webapps/docs/project.xml|  2 ++
 4 files changed, 29 insertions(+)

diff --git a/build.xml b/build.xml
index 3af3184..8fbe02d 100644
--- a/build.xml
+++ b/build.xml
@@ -2028,6 +2028,27 @@ Apache Tomcat ${version} native binaries for Win64 
AMD64/EMT64 platform.
 description="Create the Tomcat javadoc" >
 
+
+  
+
+
+  
+
 
 
   
+  
   
   
   
diff --git a/java/javax/annotation/Resource.java 
b/java/javax/annotation/Resource.java
index 19a63b1..0ef8c41 100644
--- a/java/javax/annotation/Resource.java
+++ b/java/javax/annotation/Resource.java
@@ -40,6 +40,8 @@ public @interface Resource {
 public String mappedName() default "";
 /**
  * @since Common Annotations 1.1
+ *
+ * @return The name of the entry, if any, to use for this resource
  */
 public String lookup() default "";
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f7ca4df..3018274 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -165,6 +165,9 @@
 Spelling and formatting corrections for the cluster how-to. Pull 
request
 provided by Bill Mitchell. (markt)
   
+  
+Add Javadoc for the Common Annotations API implementation. (markt)
+  
 
   
   
diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index ebf0e16..f05047d 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -86,6 +86,8 @@
 
 
+
 https://tomcat.apache.org/connectors-doc/"/>
 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 04/05: Remaining Javadoc fixes for Java 13 in org.apache.coyote

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b62bdb6dc347ff71797c0c37814e8dc5dd9e
Author: Mark Thomas 
AuthorDate: Mon Sep 23 19:01:26 2019 +0100

Remaining Javadoc fixes for Java 13 in org.apache.coyote
---
 java/org/apache/coyote/ajp/AjpNioProcessor.java | 21 -
 java/org/apache/coyote/ajp/AjpProcessor.java|  9 +
 java/org/apache/coyote/ajp/AjpProtocol.java |  6 --
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/coyote/ajp/AjpNioProcessor.java 
b/java/org/apache/coyote/ajp/AjpNioProcessor.java
index 8ab67e5..ff100fb 100644
--- a/java/org/apache/coyote/ajp/AjpNioProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpNioProcessor.java
@@ -330,7 +330,21 @@ public class AjpNioProcessor extends 
AbstractAjpProcessor {
 
 
 /**
- * Read the specified amount of bytes, and place them in the input buffer.
+ * Read at least the specified amount of bytes, and place them
+ * in the input buffer. Note that if any data is available to read then 
this
+ * method will always block until at least the specified number of bytes
+ * have been read.
+ *
+ * @param buf   Buffer to read data into
+ * @param pos   Start position
+ * @param n The minimum number of bytes to read
+ * @param blockFirstRead
+ *  If there is no data available to read when this method is
+ *  called, should this call block until data becomes 
available?
+ *
+ * @return The number of bytes read
+ *
+ * @throws IOException If an I/O error occurs during the read
  */
 protected int read(byte[] buf, int pos, int n, boolean blockFirstRead)
 throws IOException {
@@ -429,6 +443,11 @@ public class AjpNioProcessor extends 
AbstractAjpProcessor {
 /**
  * Read an AJP message.
  *
+ * @param message   The message to populate
+ * @param blockFirstRead
+ *  If there is no data available to read when this method is
+ *  called, should this call block until data becomes 
available?
+ *
  * @return The number of bytes read
  * @throws IOException any other failure, including incomplete reads
  */
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java 
b/java/org/apache/coyote/ajp/AjpProcessor.java
index 4bf6dbf..1f11948 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -302,6 +302,13 @@ public class AjpProcessor extends 
AbstractAjpProcessor {
 /**
  * Read at least the specified amount of bytes, and place them
  * in the input buffer.
+ *
+ * @param buf   Buffer to read data into
+ * @param pos   Start position
+ * @param n The minimum number of bytes to read
+ * @return  true if the requested number of bytes were read
+ *  else false
+ * @throws IOException If an I/O error occurs during the read
  */
 protected boolean read(byte[] buf, int pos, int n)
 throws IOException {
@@ -354,6 +361,8 @@ public class AjpProcessor extends 
AbstractAjpProcessor {
 /**
  * Read an AJP message.
  *
+ * @param message   The message object to populate
+ *
  * @return true if the message has been read, false if the short read
  * didn't return anything
  * @throws IOException any other failure, including incomplete reads
diff --git a/java/org/apache/coyote/ajp/AjpProtocol.java 
b/java/org/apache/coyote/ajp/AjpProtocol.java
index f99a99f..50f6f58 100644
--- a/java/org/apache/coyote/ajp/AjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpProtocol.java
@@ -116,8 +116,10 @@ public class AjpProtocol extends 
AbstractAjpProtocol {
  * required.
  *
  * @param socketIgnored for BIO
- * @param processor
- * @param isSocketClosing
+ * @param processor The process that was processing this
+ *  connection and is no longer required
+ * @param isSocketClosing   Is the socket associated with this
+ *  connection in the process of closing
  * @param addToPoller   Ignored for BIO
  */
 @Override


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 03/05: Fix Javadoc warnings with Java 13

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 3dd36e49f33f687b00a161a30af1cf33e7cb3120
Author: Mark Thomas 
AuthorDate: Mon Sep 23 14:45:14 2019 +0100

Fix Javadoc warnings with Java 13
---
 java/org/apache/tomcat/util/buf/Ascii.java | 39 --
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/buf/Ascii.java 
b/java/org/apache/tomcat/util/buf/Ascii.java
index 2f20293..9d6e9bf 100644
--- a/java/org/apache/tomcat/util/buf/Ascii.java
+++ b/java/org/apache/tomcat/util/buf/Ascii.java
@@ -76,6 +76,8 @@ public final class Ascii {
 
 /**
  * Returns the upper case equivalent of the specified ASCII character.
+ * @param c The char
+ * @return the upper case equivalent char
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -85,14 +87,17 @@ public final class Ascii {
 
 /**
  * Returns the lower case equivalent of the specified ASCII character.
+ * @param c The char
+ * @return the lower case equivalent char
  */
-
 public static int toLower(int c) {
 return toLower[c & 0xff] & 0xff;
 }
 
 /**
- * Returns true if the specified ASCII character is upper or lower case.
+ * @return true if the specified ASCII character is a upper
+ * or lower case
+ * @param c The char
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -101,7 +106,9 @@ public final class Ascii {
 }
 
 /**
- * Returns true if the specified ASCII character is upper case.
+ * @return true if the specified ASCII character is a upper
+ * case
+ * @param c The char
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -110,7 +117,9 @@ public final class Ascii {
 }
 
 /**
- * Returns true if the specified ASCII character is lower case.
+ * @return true if the specified ASCII character is a lower
+ * case
+ * @param c The char
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -119,7 +128,9 @@ public final class Ascii {
 }
 
 /**
- * Returns true if the specified ASCII character is white space.
+ * @return true if the specified ASCII character is a white
+ * space
+ * @param c The char
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -128,9 +139,9 @@ public final class Ascii {
 }
 
 /**
- * Returns true if the specified ASCII character is a digit.
+ * @return true if the specified ASCII character is a digit.
+ * @param c The char
  */
-
 public static boolean isDigit(int c) {
 return isDigit[c & 0xff];
 }
@@ -140,6 +151,7 @@ public final class Ascii {
  * @param b the bytes to parse
  * @param off the start offset of the bytes
  * @param len the length of the bytes
+ * @return the int value
  * @exception NumberFormatException if the integer format was invalid
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
@@ -166,6 +178,12 @@ public final class Ascii {
 }
 
 /**
+ * Parses an unsigned int from the specified subarray of characters.
+ * @param b the characters to parse
+ * @param off the start offset of the characters
+ * @param len the length of the characters
+ * @return the int value
+ * @exception NumberFormatException if the long format was invalid
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated
@@ -195,6 +213,7 @@ public final class Ascii {
  * @param b the bytes to parse
  * @param off the start offset of the bytes
  * @param len the length of the bytes
+ * @return the long value
  * @exception NumberFormatException if the long format was invalid
  */
 public static long parseLong(byte[] b, int off, int len)
@@ -220,6 +239,12 @@ public final class Ascii {
 }
 
 /**
+ * Parses an unsigned long from the specified subarray of characters.
+ * @param b the characters to parse
+ * @param off the start offset of the characters
+ * @param len the length of the characters
+ * @return the long value
+ * @exception NumberFormatException if the long format was invalid
  * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
  */
 @Deprecated


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 7.0.x updated (7caf1a8 -> 38a6991)

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 7caf1a8  Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63758
 new b999540  Fix Javadoc errors with Java 13. Clean-up (spacing, 
unnecessary (...))
 new 6c17de0  Fix Javadoc warnings
 new 3dd36e4  Fix Javadoc warnings with Java 13
 new b62bdb6  Remaining Javadoc fixes for Java 13 in org.apache.coyote
 new 38a6991  Add Javadoc for the Common Annotation API

The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build.xml  | 22 
 java/javax/annotation/Resource.java|  2 ++
 java/org/apache/coyote/ajp/AjpNioProcessor.java| 21 +++-
 java/org/apache/coyote/ajp/AjpProcessor.java   |  9 +
 java/org/apache/coyote/ajp/AjpProtocol.java|  6 ++--
 java/org/apache/tomcat/util/buf/Ascii.java | 39 ++
 java/org/apache/tomcat/util/buf/B2CConverter.java  | 10 ++
 .../tomcat/util/digester/SetPropertiesRule.java| 10 ++
 webapps/docs/changelog.xml |  3 ++
 webapps/docs/project.xml   |  2 ++
 10 files changed, 107 insertions(+), 17 deletions(-)


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 01/05: Fix Javadoc errors with Java 13. Clean-up (spacing, unnecessary (...))

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b999540c826f00ae85f3d8ab8e3bd6beefbe7812
Author: Mark Thomas 
AuthorDate: Mon Sep 23 14:30:52 2019 +0100

Fix Javadoc errors with Java 13. Clean-up (spacing, unnecessary (...))
---
 java/org/apache/tomcat/util/digester/SetPropertiesRule.java | 10 +++---
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/digester/SetPropertiesRule.java 
b/java/org/apache/tomcat/util/digester/SetPropertiesRule.java
index 88254a1..ac60a5d 100644
--- a/java/org/apache/tomcat/util/digester/SetPropertiesRule.java
+++ b/java/org/apache/tomcat/util/digester/SetPropertiesRule.java
@@ -94,7 +94,7 @@ public class SetPropertiesRule extends Rule {
  * If a property name is null or the attribute name has no matching
  * property name, then this indicates that the attribute should be 
ignored.
  *
- * Example One
+ * Example One
  *  The following constructs a rule that maps the alt-city
  * attribute to the city property and the 
alt-state
  * to the state property.
@@ -105,7 +105,7 @@ public class SetPropertiesRule extends Rule {
  *new String[] {"city", "state"});
  * 
  *
- * Example Two
+ * Example Two
  *  The following constructs a rule that maps the class
  * attribute to the className property.
  * The attribute ignore-me is not mapped.
@@ -265,12 +265,8 @@ public class SetPropertiesRule extends Rule {
  */
 @Override
 public String toString() {
-
 StringBuilder sb = new StringBuilder("SetPropertiesRule[");
 sb.append("]");
-return (sb.toString());
-
+return sb.toString();
 }
-
-
 }


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 8.5.x updated: Correct version number

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 8b7ade1  Correct version number
8b7ade1 is described below

commit 8b7ade105ee9d17ecf05921eaa8df33caba0ed41
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:38:23 2019 +0100

Correct version number
---
 webapps/docs/project.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index 8e416ea..c6e7176 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -88,7 +88,7 @@
 
 
-
 https://tomcat.apache.org/connectors-doc/"/>


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch master updated: Correct version number

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 9b2de81  Correct version number
9b2de81 is described below

commit 9b2de812f6ff1c7bc5968898749d0249a9c820c5
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:37:25 2019 +0100

Correct version number
---
 build.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.xml b/build.xml
index a4d4f75..7d37c12 100644
--- a/build.xml
+++ b/build.xml
@@ -1846,9 +1846,9 @@ Apache Tomcat ${version} native binaries for Win64 
AMD64/EMT64 platform.
   sourcepath="${tomcat.dist}/src/java"
   destdir="${tomcat.dist}/webapps/docs/annotationapi"
   version="true"
-  windowtitle="Common Annotations 1.2 API Documentation - Apache Tomcat 
${version}"
-  doctitle="Common Annotations 1.2 API - Apache Tomcat ${version}"
-  header="bCommon Annotations 1.2 - Apache Tomcat 
${version}/b"
+  windowtitle="Common Annotations 1.3 API Documentation - Apache Tomcat 
${version}"
+  doctitle="Common Annotations 1.3 API - Apache Tomcat ${version}"
+  header="bCommon Annotations 1.3 - Apache Tomcat 
${version}/b"
   bottom="Copyright #169; 2000-${year} Apache Software Foundation. 
All Rights Reserved."
   encoding="UTF-8"
   docencoding="UTF-8"


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 8.5.x updated (b7ae3eb -> 99e5ea8)

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from b7ae3eb  Add release date for 8.5.46
 new 6dae407  Revert "Fix test failures caused by APR crash during shutdown"
 new 99e5ea8  Add Javadoc for the Common Annotation API

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build.xml| 22 ++
 java/javax/annotation/Resource.java  |  4 
 java/org/apache/tomcat/util/net/AprEndpoint.java |  5 +
 webapps/docs/changelog.xml   |  7 +++
 webapps/docs/project.xml |  4 +++-
 5 files changed, 37 insertions(+), 5 deletions(-)


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 01/02: Revert "Fix test failures caused by APR crash during shutdown"

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6dae407a9a77bae99cc5bb6a11b200252f45b20c
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:34:48 2019 +0100

Revert "Fix test failures caused by APR crash during shutdown"

This reverts commit 07f3c37377459615a53293ca52be43de7a44970d.
---
 java/org/apache/tomcat/util/net/AprEndpoint.java | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 3d1d891..4c1ca49 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -1248,11 +1248,8 @@ public class AprEndpoint extends AbstractEndpoint 
implements SNICallBack {
 // Close all sockets in the add queue
 info = addList.get();
 while (info != null) {
-// Make sure the socket isn't in the poller before we close it
+// Make sure the  socket isn't in the poller before we close it
 removeFromPoller(info.socket);
-// Close the SocketWrapper to prevent any still running 
application
-// threads from trying to use the socket
-connections.get(Long.valueOf(info.socket)).close();
 // Poller isn't running at this point so use destroySocket()
 // directly
 destroySocket(info.socket);


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 02/02: Add Javadoc for the Common Annotation API

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 99e5ea8e5008e8f14c8c2c224d2f98386cc3e4ba
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:32:55 2019 +0100

Add Javadoc for the Common Annotation API
---
 build.xml   | 22 ++
 java/javax/annotation/Resource.java |  4 
 webapps/docs/changelog.xml  |  7 +++
 webapps/docs/project.xml|  4 +++-
 4 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 569afa5..63d7989 100644
--- a/build.xml
+++ b/build.xml
@@ -1847,6 +1847,27 @@ Apache Tomcat ${version} native binaries for Win64 
AMD64/EMT64 platform.
 
   
+
+  
+
+
+  
+
 
 
   
+  
   
   
   
diff --git a/java/javax/annotation/Resource.java 
b/java/javax/annotation/Resource.java
index af3736c..498ca22 100644
--- a/java/javax/annotation/Resource.java
+++ b/java/javax/annotation/Resource.java
@@ -34,6 +34,8 @@ public @interface Resource {
 public String name() default "";
 /**
  * Uses generics since Common Annotations 1.2.
+ *
+ * @return The type for instances of this resource
  */
 public Class type() default Object.class;
 public AuthenticationType authenticationType() default 
AuthenticationType.CONTAINER;
@@ -42,6 +44,8 @@ public @interface Resource {
 public String mappedName() default "";
 /**
  * @since Common Annotations 1.1
+ *
+ * @return The name of the entry, if any, to use for this resource
  */
 public String lookup() default "";
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1f9471f..e24309c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -63,6 +63,13 @@
   
 
   
+  
+
+  
+Add Javadoc for the Common Annotations API implementation. (markt)
+  
+
+  
   
 
   
diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index 09cb4df..8e416ea 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -82,12 +82,14 @@
 
 
 
-
+
 
 
 
 
+
 https://tomcat.apache.org/connectors-doc/"/>
 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch master updated (531cbfc -> 739701a)

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


from 531cbfc  Use Tomcat 9.0.26
 new 004a120  Revert "Fix test failures caused by APR crash during shutdown"
 new 739701a  Add Javadoc for the Common Annotation API

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build.xml| 22 ++
 java/javax/annotation/Resource.java  |  4 
 java/org/apache/tomcat/util/net/AprEndpoint.java |  5 +
 webapps/docs/changelog.xml   |  3 +++
 webapps/docs/project.xml |  4 +++-
 5 files changed, 33 insertions(+), 5 deletions(-)


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 02/02: Add Javadoc for the Common Annotation API

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 739701a2697b93d52181be04ab5b63bc35dbd63a
Author: Mark Thomas 
AuthorDate: Mon Sep 23 21:32:55 2019 +0100

Add Javadoc for the Common Annotation API
---
 build.xml   | 22 ++
 java/javax/annotation/Resource.java |  4 
 webapps/docs/changelog.xml  |  3 +++
 webapps/docs/project.xml|  4 +++-
 4 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 1d706c6..a4d4f75 100644
--- a/build.xml
+++ b/build.xml
@@ -1842,6 +1842,27 @@ Apache Tomcat ${version} native binaries for Win64 
AMD64/EMT64 platform.
 
   
+
+  
+
+
+  
+
 
 
   
+  
   
   
   
diff --git a/java/javax/annotation/Resource.java 
b/java/javax/annotation/Resource.java
index af3736c..498ca22 100644
--- a/java/javax/annotation/Resource.java
+++ b/java/javax/annotation/Resource.java
@@ -34,6 +34,8 @@ public @interface Resource {
 public String name() default "";
 /**
  * Uses generics since Common Annotations 1.2.
+ *
+ * @return The type for instances of this resource
  */
 public Class type() default Object.class;
 public AuthenticationType authenticationType() default 
AuthenticationType.CONTAINER;
@@ -42,6 +44,8 @@ public @interface Resource {
 public String mappedName() default "";
 /**
  * @since Common Annotations 1.1
+ *
+ * @return The name of the entry, if any, to use for this resource
  */
 public String lookup() default "";
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 99a7fb8..ff0d171 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -68,6 +68,9 @@
   
 Add base GraalVM documentation. (remm)
   
+  
+Add Javadoc for the Common Annotations API implementation. (markt)
+  
 
   
   
diff --git a/webapps/docs/project.xml b/webapps/docs/project.xml
index b7f8ee8..2884849 100644
--- a/webapps/docs/project.xml
+++ b/webapps/docs/project.xml
@@ -82,12 +82,14 @@
 
 
 
-
+
 
 
 
 
+
 https://tomcat.apache.org/connectors-doc/"/>
 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 01/02: Revert "Fix test failures caused by APR crash during shutdown"

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 004a12044557eee0282b715bd30705c494ae1bc4
Author: Mark Thomas 
AuthorDate: Fri Sep 20 10:27:01 2019 +0100

Revert "Fix test failures caused by APR crash during shutdown"

This reverts commit 9825246d0ce833552a3745ac3b02a44551789caa.
---
 java/org/apache/tomcat/util/net/AprEndpoint.java | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 6dde69c..46c7047 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -1126,11 +1126,8 @@ public class AprEndpoint extends 
AbstractEndpoint implements SNICallB
 // Close all sockets in the add queue
 info = addList.get();
 while (info != null) {
-// Make sure the socket isn't in the poller before we close it
+// Make sure the  socket isn't in the poller before we close it
 removeFromPoller(info.socket);
-// Close the SocketWrapper to prevent any still running 
application
-// threads from trying to use the socket
-connections.get(Long.valueOf(info.socket)).close();
 // Poller isn't running at this point so use destroySocket()
 // directly
 destroySocket(info.socket);


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63765] New: NIO2 Connector with OpenSSL 1.1.1 hangs with TLSv1.3

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63765

Bug ID: 63765
   Summary: NIO2 Connector with OpenSSL 1.1.1 hangs with TLSv1.3
   Product: Tomcat 9
   Version: 9.0.x
  Hardware: PC
OS: Linux
Status: NEW
  Severity: normal
  Priority: P2
 Component: Connectors
  Assignee: dev@tomcat.apache.org
  Reporter: csuth...@apache.org
  Target Milestone: -

Created attachment 36793
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36793=edit
curl -v output from the failed request and a successful one immediately after

The first request to Tomcat after a restart always hangs (on two of my
machines) and fails with an "Empty reply from server" after one minute when
using NIO2 with JSSE+OpenSSL limited to the TLSv1.3 protocol. If you wait for
the request to end, or terminate it, then the subsequent requests succeed
without issue. I've tried to trace it down, but I don't see any activity in
Tomcat to hint at where this would be :( From my curl output, it's after the
handshake is done.

My environment is Fedora 30 laptop using a local build of Tomcat master
(9.0.27-dev), tomcat-native (1.2.23-dev), APR 1.6.5, and OpenSSL 1.1.1.c.

To reproduce:

1) Configure your Connector







2) Start tomcat
3) Initiate a request with curl and observe the one minute delay and empty
response

curl --insecure -v https://localhost:8443

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 63759] Unable to launch uninstaller: insufficient permissions to access Uninstall.exe

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=63759

Mark Thomas  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Mark Thomas  ---
This looks like a result of the permissions changes made for bug 55969. This
side-effect was discussed in that bug although no mitigation was put in place.

I'm reluctant to make the whole installation readable to the current user but I
do think there is an argument for making "Uninstall.exe" and "tomcat.ico"
readable to all users / the current user depending on the option chosen for
"Create shortcuts for all users"

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Better support for OpenJSSE?

[Rainer Jung]

Am 23.09.2019 um 12:56 schrieb Rémy Maucherat:
On Mon, Sep 23, 2019 at 12:42 PM Rainer Jung > wrote:


Hi dev@, hi George,

Am 20.09.2019 um 01:36 schrieb George Stanchev:
 > Since I was the one that brought up a question about OpenJSSE on the
 > User Mailing List several weeks ago, just wanted to bring up to your
 > attention that there are quirks of OpenJSSE that people are
discovering.
 > I was able to get TC85 to run with OpenJSSE but admitting haven’t
done
 > extensive testing. For example this thread [1]. There are also other
 > projects (such as OkHttp http client) that have ran into
specificities
 > on running with OpenJSSE.
 >
 > [1]
https://github.com/openjsse/openjsse/issues/10#issuecomment-533318077
 >
 > (sorry for top posting, Outlook doesn’t make it easy)

I answered on tc-users to your test observations (warnings). IMHO they
are not OpenJSSE related.

Concerning the GH issue, I did not yet see any similar problems, at
least not for TC 9. When using the security manager I added

grant codeBase "file:/path/to/openjsse.jar" {
          permission java.security.AllPermission;
};

to catalina.policy and again observed no problems.

My updated patch implementing the ALPN check in the normal compat
classes is here:

http://home.apache.org/~rjung/patches/tc9-openjsse-v2.patch

I will now check the unit tests for changed behavior.

What would be interesting to know, is whether Graal supports the ALPN
methods or not, so that I can check/implement the correct behavior of
the new isAlpnSupported() ind GraalCompat. It looks a bit strange, that
currently GraalCompat only overwrites one method from JreCompat whereas
Jre9Compat overwrites all of them.


Graal still only does Java 8 at the moment :) So no ALPN, but OTOH Java 
8 doesn't otherwise cause too many problems.

Graal works with tomcat-native/OpenSSL and HTTP/2 works fine there.


Thanks Rémy, so I'll add fixed no-support for JSSE based ALPN into 
GraalCompat in the next version of my patch.



Rémy


Regards,

Rainer

 > *From:*Rémy Maucherat mailto:r...@apache.org>>
 > *Sent:* Thursday, September 19, 2019 5:02 AM
 > *To:* Tomcat Developers List mailto:dev@tomcat.apache.org>>
 > *Subject:* Re: Better support for OpenJSSE?
 >
 > On Thu, Sep 19, 2019 at 12:01 PM Mark Thomas mailto:ma...@apache.org>
 > >> wrote:
 >
 >     On 19/09/2019 09:27, Rainer Jung wrote:
 >
 >     
 >
 >      > I made a patch to detect ALPN support at runtime using
reflection.
 >      > Please have a look. Feedback welcome, whether we want to
include
 >     that or
 >      > whether we want to stick with the simpler approach we
currently use.
 >
 >     Past experience suggests a lot of users will be on Java 8 for
quite some
 >     time. I think it makes sense to support this.
 >
 >      > Of
 >      > course the windows for Java 8 plus OpenJSSE is getting
smaller over
 >      > time, and users could also use tcnative to get TLS 1.3 and
HTTP/2. On
 >      > the other hand integration of OpenJSSE is pretty simple
and some
 >     users
 >      > don't like native code in their JVM (and its maintenance).
IMHO
 >     support
 >      > for OpenJSSE (including HTTP/2) would be a nice addition.
 >      >
 >      > My TC 9 patch is available under:
 >      >
 >      > http://home.apache.org/~rjung/patches/tc9-openjsse.patch
 >      >
 >      > It moves the ALPN detection from classes Jre(9)Compat to
class TLS in
 >      > the same package and uses the same approach that we use
for other
 >      > runtime detection. It needs to make one method accessible,
 >     because under
 >      > Java 9+ the implementation class SSLEngineImpl is no
longer a public
 >      > class. Since it is accessed normally via SSLEngine, direct
method
 >     calls
 >      > still work, but reflective calls no longer.
 >
 >     Currently TLS.java is only used by the unit tests.
 >
 >     We only need to use reflection on Java 8 since we know ALPN
is available
 >     on Java 9 onwards.
 >
 >     The module system adds additional restrictions to calling
 >     setAccessible() that might cause problems in the future.
 >
 > I was a bit worried about that too.
 >
 >
 >     I wonder if a cleaner solution might be:
 >
 >     - Move isTlsv13Available to TesterSupport and deprecate TLS.java
 >
 >     - Add isAlpnAvailable() to JreCompat where:
 >        - Java 7 (for 8.5.x) hard codes to false
 >        - Java 8 uses reflection
 >        - Java 9 hard codes to true
 >
 > +1
 >
 > Personally 

Re: Better support for OpenJSSE?

[Rémy Maucherat]

On Mon, Sep 23, 2019 at 12:42 PM Rainer Jung 
wrote:

> Hi dev@, hi George,
>
> Am 20.09.2019 um 01:36 schrieb George Stanchev:
> > Since I was the one that brought up a question about OpenJSSE on the
> > User Mailing List several weeks ago, just wanted to bring up to your
> > attention that there are quirks of OpenJSSE that people are discovering.
> > I was able to get TC85 to run with OpenJSSE but admitting haven’t done
> > extensive testing. For example this thread [1]. There are also other
> > projects (such as OkHttp http client) that have ran into specificities
> > on running with OpenJSSE.
> >
> > [1]
> https://github.com/openjsse/openjsse/issues/10#issuecomment-533318077
> >
> > (sorry for top posting, Outlook doesn’t make it easy)
>
> I answered on tc-users to your test observations (warnings). IMHO they
> are not OpenJSSE related.
>
> Concerning the GH issue, I did not yet see any similar problems, at
> least not for TC 9. When using the security manager I added
>
> grant codeBase "file:/path/to/openjsse.jar" {
>  permission java.security.AllPermission;
> };
>
> to catalina.policy and again observed no problems.
>
> My updated patch implementing the ALPN check in the normal compat
> classes is here:
>
> http://home.apache.org/~rjung/patches/tc9-openjsse-v2.patch
>
> I will now check the unit tests for changed behavior.
>
> What would be interesting to know, is whether Graal supports the ALPN
> methods or not, so that I can check/implement the correct behavior of
> the new isAlpnSupported() ind GraalCompat. It looks a bit strange, that
> currently GraalCompat only overwrites one method from JreCompat whereas
> Jre9Compat overwrites all of them.
>

Graal still only does Java 8 at the moment :) So no ALPN, but OTOH Java 8
doesn't otherwise cause too many problems.
Graal works with tomcat-native/OpenSSL and HTTP/2 works fine there.

Rémy


>
> Regards,
>
> Rainer
>
> > *From:*Rémy Maucherat 
> > *Sent:* Thursday, September 19, 2019 5:02 AM
> > *To:* Tomcat Developers List 
> > *Subject:* Re: Better support for OpenJSSE?
> >
> > On Thu, Sep 19, 2019 at 12:01 PM Mark Thomas  > > wrote:
> >
> > On 19/09/2019 09:27, Rainer Jung wrote:
> >
> > 
> >
> >  > I made a patch to detect ALPN support at runtime using reflection.
> >  > Please have a look. Feedback welcome, whether we want to include
> > that or
> >  > whether we want to stick with the simpler approach we currently
> use.
> >
> > Past experience suggests a lot of users will be on Java 8 for quite
> some
> > time. I think it makes sense to support this.
> >
> >  > Of
> >  > course the windows for Java 8 plus OpenJSSE is getting smaller
> over
> >  > time, and users could also use tcnative to get TLS 1.3 and
> HTTP/2. On
> >  > the other hand integration of OpenJSSE is pretty simple and some
> > users
> >  > don't like native code in their JVM (and its maintenance). IMHO
> > support
> >  > for OpenJSSE (including HTTP/2) would be a nice addition.
> >  >
> >  > My TC 9 patch is available under:
> >  >
> >  > http://home.apache.org/~rjung/patches/tc9-openjsse.patch
> >  >
> >  > It moves the ALPN detection from classes Jre(9)Compat to class
> TLS in
> >  > the same package and uses the same approach that we use for other
> >  > runtime detection. It needs to make one method accessible,
> > because under
> >  > Java 9+ the implementation class SSLEngineImpl is no longer a
> public
> >  > class. Since it is accessed normally via SSLEngine, direct method
> > calls
> >  > still work, but reflective calls no longer.
> >
> > Currently TLS.java is only used by the unit tests.
> >
> > We only need to use reflection on Java 8 since we know ALPN is
> available
> > on Java 9 onwards.
> >
> > The module system adds additional restrictions to calling
> > setAccessible() that might cause problems in the future.
> >
> > I was a bit worried about that too.
> >
> >
> > I wonder if a cleaner solution might be:
> >
> > - Move isTlsv13Available to TesterSupport and deprecate TLS.java
> >
> > - Add isAlpnAvailable() to JreCompat where:
> >- Java 7 (for 8.5.x) hard codes to false
> >- Java 8 uses reflection
> >- Java 9 hard codes to true
> >
> > +1
> >
> > Personally I wouldn't use OpenJSSE over tomcat-native (performance ?
> > long term support ?), but since it's only about making the Tomcat code a
> > bit more flexible that works for me.
> >
> > Rémy
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

Re: Better support for OpenJSSE?

[Rainer Jung]

Hi dev@, hi George,

Am 20.09.2019 um 01:36 schrieb George Stanchev:
Since I was the one that brought up a question about OpenJSSE on the 
User Mailing List several weeks ago, just wanted to bring up to your 
attention that there are quirks of OpenJSSE that people are discovering. 
I was able to get TC85 to run with OpenJSSE but admitting haven’t done 
extensive testing. For example this thread [1]. There are also other 
projects (such as OkHttp http client) that have ran into specificities 
on running with OpenJSSE.


[1] https://github.com/openjsse/openjsse/issues/10#issuecomment-533318077

(sorry for top posting, Outlook doesn’t make it easy)


I answered on tc-users to your test observations (warnings). IMHO they 
are not OpenJSSE related.


Concerning the GH issue, I did not yet see any similar problems, at 
least not for TC 9. When using the security manager I added


grant codeBase "file:/path/to/openjsse.jar" {
permission java.security.AllPermission;
};

to catalina.policy and again observed no problems.

My updated patch implementing the ALPN check in the normal compat 
classes is here:


http://home.apache.org/~rjung/patches/tc9-openjsse-v2.patch

I will now check the unit tests for changed behavior.

What would be interesting to know, is whether Graal supports the ALPN 
methods or not, so that I can check/implement the correct behavior of 
the new isAlpnSupported() ind GraalCompat. It looks a bit strange, that 
currently GraalCompat only overwrites one method from JreCompat whereas 
Jre9Compat overwrites all of them.


Regards,

Rainer


*From:*Rémy Maucherat 
*Sent:* Thursday, September 19, 2019 5:02 AM
*To:* Tomcat Developers List 
*Subject:* Re: Better support for OpenJSSE?

On Thu, Sep 19, 2019 at 12:01 PM Mark Thomas > wrote:


On 19/09/2019 09:27, Rainer Jung wrote:



 > I made a patch to detect ALPN support at runtime using reflection.
 > Please have a look. Feedback welcome, whether we want to include
that or
 > whether we want to stick with the simpler approach we currently use.

Past experience suggests a lot of users will be on Java 8 for quite some
time. I think it makes sense to support this.

 > Of
 > course the windows for Java 8 plus OpenJSSE is getting smaller over
 > time, and users could also use tcnative to get TLS 1.3 and HTTP/2. On
 > the other hand integration of OpenJSSE is pretty simple and some
users
 > don't like native code in their JVM (and its maintenance). IMHO
support
 > for OpenJSSE (including HTTP/2) would be a nice addition.
 >
 > My TC 9 patch is available under:
 >
 > http://home.apache.org/~rjung/patches/tc9-openjsse.patch
 >
 > It moves the ALPN detection from classes Jre(9)Compat to class TLS in
 > the same package and uses the same approach that we use for other
 > runtime detection. It needs to make one method accessible,
because under
 > Java 9+ the implementation class SSLEngineImpl is no longer a public
 > class. Since it is accessed normally via SSLEngine, direct method
calls
 > still work, but reflective calls no longer.

Currently TLS.java is only used by the unit tests.

We only need to use reflection on Java 8 since we know ALPN is available
on Java 9 onwards.

The module system adds additional restrictions to calling
setAccessible() that might cause problems in the future.

I was a bit worried about that too.


I wonder if a cleaner solution might be:

- Move isTlsv13Available to TesterSupport and deprecate TLS.java

- Add isAlpnAvailable() to JreCompat where:
   - Java 7 (for 8.5.x) hard codes to false
   - Java 8 uses reflection
   - Java 9 hard codes to true

+1

Personally I wouldn't use OpenJSSE over tomcat-native (performance ? 
long term support ?), but since it's only about making the Tomcat code a 
bit more flexible that works for me.


Rémy


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: Tomcat 7.0.96 - Issue with Kerberos Authentication

[Mehta, Vipul]

Hello Mark,

Is this the correct discussion thread : 
https://www.mail-archive.com/users@tomcat.apache.org/msg132812.html

Thanks,
Vipul

-Original Message-
From: Mark Thomas  
Sent: Wednesday, September 18, 2019 7:07 PM
To: dev@tomcat.apache.org
Subject: Re: Tomcat 7.0.96 - Issue with Kerberos Authentication

This is a question for the users list.

And a review of the recent archives for that list will find a similar question 
along with a solution.

Mark


On 18/09/2019 11:35, Mehta, Vipul wrote:
> In case of Kerberos authentication of user with tomcat webapp via 
> browser, we are facing issue with following class in tomcat version 7.0.96:
> 
> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Fapache%2Ftomcat%2Fblob%2F7.0.x%2Fjava%2Forg%2Fapache%2Fcatali
> na%2Fconnector%2FRequest.javadata=02%7C01%7Cvmehta%40informatica.
> com%7Ce54a477b0a9b43cb823108d73c3d49b5%7C2638f43ef77d4fc7ab927b753b787
> 6fd%7C0%7C1%7C637044106235837509sdata=lVVR0J3Nx0uQdOlbrHI4a6b3n8M
> G6cxHRHH%2BHU8nkAI%3Dreserved=0
> 
>  
> 
> public Principal getUserPrincipal()
> 
> => return ((GenericPrincipal) userPrincipal).getUserPrincipal(); 
> #LINE-2650
> 
>  
> 
> This returns javax.security.auth.kerberos.KerberosPrincipal instance 
> using which it is not possible to get the actual delegated credential.
> 
> Shouldn't it simply return GenericPrincipal instance which contains 
> KerberosPrincipal as well as delegated GSSCredential ?
> 
>  
> 
> We are using following realm config in server.xml:
> 
>  className="org.apache.catalina.realm.JAASRealm"
> roleClassNames="org.apache.catalina.realm.GenericPrincipal"
> stripRealmForGss="false" useContextClassLoader="false"
> userClassNames="org.apache.catalina.realm.GenericPrincipal,
> javax.security.auth.kerberos.KerberosPrincipal"/>
> 
>  
> 
>  
> 
> Thanks,
> 
> Vipul
> 
>  
> 


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional 
commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org