Tomcat 7.0.39 - Embedded Tomcat within Eclipse Juno doesn’t pick assets from DOC ROOT

[Saurabh Agrawal]

Hi,

I have developed Struts 2 application which is deployed on Tomcat. I am using 
Eclipse to do the coding and configured Tomcat with Eclipse to deploy the war 
from Eclipse itself.

My requirement is that all static assets should be served from Apache HTTP 
Server because in our production environment that will be the set up.

As a result, I have configured image URLS like –



The assumpition is common folder will be the present in the doc root. I have 
copied common folder in the ROOT of Tomcat so that it can be accessed from 
/common in the URL. However, my images are not getting picked with the above 
URL.

However, if I create a war file using Maven and deploy it on the server, 
/common works. So I think it may be the problem wuth embedded tomcat instance 
within eclipse for which may be ROOT is not the doc root.

Can anyone suggest how can it work i.e. deploying application from eclipse to a 
configured tomcat instance in eclipse ?

Thanks.

Regards,
SAURABH AGRAWAL
Manager Technology
—
SapientNitro
Aachvis Softech Private Limited SEZ,
“Oxygen”, (Tower C), Ground – 3rd Floor,
Plot No. 7, Sector 144 Expressway,
Noida 201 304, Uttar Pradesh, India

desk  +91 (120) 479 5000
mobile  +91 981 866 4383
fax  +91 (120) 479 5001

The information transmitted is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material. Any 
review, retransmission, dissemination or other use of, or taking of any action 
in reliance upon, this information by persons or entities other than the 
intended recipient is prohibited. If you received this in error, please contact 
the sender and delete the material from any computer.

A Couple of 8.0.0 WebSocket Questions

[Igor Urisman]

Dear all,

1. I see how to close a session from either end of the connection.  That,
of course, leaves the underlying endpoint intact. Is there a way to
un-deploy an entire server endpoint so that no new connections can be made
to it?  If so, will it close existing sessions?

2. Is there a way to query the ServerContainer for deployed endpoints?  I'd
like to do that to check that there isn't already one at a given path.  The
only solution I've found so far is to try to deploy it and, if the generic
DeploymentException is thrown, parse the error message.  Not great.

3. What's the recommended way of binding an HTTP session to a Websocket
one?  I was able to get this to work by using a custom
ServerEndpointConfig.Configurator class that augments the base
modifyHandshake() method by stashing the HTTP session in a ThreadLocal
variable.  Seems like the linkage between the WebSocket session and the
HTTP session is so basic that perhaps there's a more straightforward way to
do this?

Many thanks in advance and apologies if this has been covered on this list
or I'm overlooking it in the docs.

-Igor.

Cannot create tomcat-6.0.29 daemon

[Sumilang Plucena]

I have successfully installed tomcat-6.0.29 on ubuntu-12.04. Never had problem 
starting from /opt/tomcat-6.0.29/bin/startup.sh. I had no error on the first 
part. I'm stuck on this part. 


CATALINA_BASE=$CATALINA_HOME
 cd $CATALINA_HOME
    >>when I issue this command it goes to my root folder instead of going to 
my tomcat folder which is  /opt/tomcat-6.0.29. 
>>my workaround i skip cd $CATALINA_HOME and just stay on my /opt/tomcat-6.0.29 
>>folder
 ./bin/jsvc \
>>when I run this using the cd $CATALINA_HOME, It will give me an error that no 
>>such file or directory
>>my workaround never issue the cd $CATALINA_HOME
 -classpath $CATALINA_HOME/bin/bootstrap.jar \
-outfile $CATALINA_BASE/logs/catalina.out \
-errfile $CATALINA_BASE/logs/catalina.err \
>>Gives an error no such file or directory, not present in the $CATALINA_HOME
 -Dcatalina.home=$CATALINA_HOME \
-Dcatalina.base=$CATALINA_BASE \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
org.apache.catalina.startup.Bootstrap                       >>20568 
jsvc error: no classpath specified

  >>20568 jsvc error: Cannot parse command line arguments

Re: Tomcat & ipv6

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Olivier,

Please do not hijack threads by replying to an existing message on the
list. Instead, start a completely new message with the desired subject.

- -chris

On 8/9/13 2:46 PM, olivier giorgi wrote:
> Hello to all,
> 
> How to configure Tomcat in ipv6 ?
> 
> What are the corresponding changes to be done in server.xml ?
> 
> Is there a specific JVM argument ?
> 
> Thanks in advance. Best regards Olivier.
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBUqVAAoJEBzwKT+lPKRYMVoQAJUwhCsW84lxm1CvWdD5nkOe
X4yiAsj/R0ZEiD/mDZ9OvGHXqD38fOHbdZXlliwvj5m6M+/csQ8rw7sKhon0shK3
nUVfiXSnfgwhGihu/G3JVnNba67FlFlceDWCgRnwxbPtIIIWE0Wt3AMgwmM1Cskm
CfF49M59XHp7wKpEUUUyhqrwGUoRd2fJeONZ7vtwpl4CktH8WOwJMXRmco4CVP2f
s6vRUA+SwEl0SQnin0TbJY/PQpjh/1d5UARPMI/rKN8aECc00IVflG6f354u++Cj
uRYoOwsf3u6Vkssv6nFHXWH9mzfEPsiYGacbqFY+HqT8AXlYVHXi4Kq6mxQURETz
iG3QoX7y/E6d/t2LbNR3kUnJrSbIR83DUaGoUVS2FmRhOq2DkT3JtueezuMAFiXq
K4ww6Lt/HkJ9XRs9Pk4lxT1z4Ve6bP0/42KfhiDHoCjEKvhp2pT2VCulSvBmWbOi
OgCrA1Em8UIQX2gyVXmUKZJSl3JfQ6++YBL/p0wW3nIPIb3iHSE5TsIBqTsTWYeL
2B9hv8ncprlbi0MMykJ82iCflruWmiY5sbRuhMO5qKBaBtDVBSFDMAG6kVaVTZPZ
7gpYrkx+QD4+K6NDz3DAIRKZLE+B0x6T/edHN4tzewPL4ZCjcvjFFgBPZ6DG3g31
AfzCSmYGujYN9R1zB5lY
=7eI6
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat & ipv6

[olivier giorgi]

Hello to all,

How to configure Tomcat in ipv6 ?

What are the corresponding changes to be done in server.xml ?
 
Is there a specific JVM argument ?
 
Thanks in advance.
Best regards Olivier.

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 12:17 PM, Mark Eggers wrote:
> On 8/9/2013 8:10 AM, Mark Thomas wrote:
>> On 09/08/2013 15:28, Christopher Schultz wrote:
>>> Mark,
>>> 
>>> On 8/9/13 9:14 AM, Mark Thomas wrote:
 On 09/08/2013 14:50, Christopher Schultz wrote:
>>> 
> It's too bad it took a researcher a year to figure out
> that compression of any kind makes encryption (where the
> attacker can force random probing attacks) weak. It's not
> like SSL+compression and SSL-compression+compression is
> that different.
>>> 
 It didn't. The original CRIME presentation covered this
 topic. I fail to understand why such a fuss is being made of
 this re-hashing.
>>> 
>>> I wouldn't say this constitutes a "fuss".
>> 
>> "fuss" was a reference to how some folks are reacting to this
>> "new" attack, "BREACH". First it isn't new, second it isn't (in
>> my view) practical.
>> 
 The original CRIME presentation also (correctly) pointed out
 that any attack based on this is entirely theoretical and not
 currently at all practical.
>>> 
>>> Coffee shop + XSS? Perhaps a stretch.
>> 
>> To succeed, the attacker requires:
>> 
>> a) The victim is using a site that uses HTTP-level compression
>> on responses b) The site echoes user input in HTTP response
>> bodies c) The response bodies contain a constant secret (eg. CSRF
>> token)
>> 
>> So far, not too hard. c) is a little unusual. Session IDs are
>> normally in cookie headers, CSRF tokens should change on every
>> request. That said, there are plenty of sites that meet a) to
>> c).
>> 
>> d) The attacker has the ability to view the victim's encrypted
>> traffic. e) The attacker has the ability to cause the victim to
>> send HTTP requests to the vulnerable web server.
>> 
>> e) is where I think this attack becomes impractical. This may
>> change over time but at the moment the coffee shop scenario would
>> require social engineering the victim or subverting the router if
>> the site mixed HTTP and HTTPS. A malicious ISP / $work sysadmin
>> is another option with mixed HTTP/HTTPS.
> 
> I was reading about the pineapple wifi mark iv the other day. It
> looks to be a particularly powerful piece of pen testing equipment.
> This tool in a coffee shop would probably be all you need to have a
> good chance at e).
> 
> In short, don't do banking (or other sensitive work) at a coffee
> shop when the pages are a mix of HTTP and HTTPS.

Lots of people will stupidly connect to any unencrypted WiFi when they
are out and about. I'd say this is a fairly plausible attack vector.

Note that unencrypted + encrypted traffic is not necessary. You can
just look over someone's shoulder to see what bank they're using.
These days in the US most people use one of only like 5 banks. (It's
kind of sad.) Once you know the site that is being used, just browse
there yourself and attempt to login: you can probably see what kind of
authentication / session tracking is being used without tricking the
target into revealing that kind of information to you via HTTP (i.e.
without HTTPS).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBRr1AAoJEBzwKT+lPKRYxHwP/2WZmt7P+gtsiZ2Qx/S+idmr
xN+k/XHS4kaxWOBdo8sK3lzZYE9mB5ROtsuVYQQZ1WRJaQS0Vb09/VCJ4GnpOSFf
SR9aThyAXCxnnxF2vviTZUL93Dwh0LM/HwbRGpjYy5Tns0+qXATwm1IBNK3jzarF
Mvx2SOrMAGqiTEet9CqW/7yYQV31kFpLaZGiDsdJT6FM+mBG8OrVcYstBr0b6qXF
LC2IILQshvHvcAUmAEDDPO8NRfgxCY+4uzY9M028DromKeliAQ7PO0KD4E3nErZZ
xL5ysEgSKSahd+0a1QJRXvLccb4XRLL9GCcSP9/TvUzqbOahWUDrIHgLGJWZYAfS
ql4nO2QLtVDfTdtgBUyuNQsn+AlJZHR96g/N7lHuxZU8fap5Auir8xFijWDRWrdn
LfykGonHPZ75UDlOFQmMUPM/8H6AFbymw9R8ZhpbCMwEPAU/SqVARbCLAThIVQWN
zrroWjVqMLdUTbdqvT3Xi9EnmXkPuszHGjqQRtVgt60MRRZ63bkM8+F2hnJGlSId
VpUFi6RrK0wM4TFd2viGlW7SbSbl/vSHAPruAYzwAJvkI+g2QduW8HVV4lESyZ+T
C9vVnz59BJwsokc5H3ykNCcnurkaWCBwEm70LTc9MQKlS8ICyOtKX31TugZvzPKv
EiJZhuKGsOZR/+lf3ser
=98t0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Mark Eggers]

On 8/9/2013 8:10 AM, Mark Thomas wrote:

On 09/08/2013 15:28, Christopher Schultz wrote:

Mark,

On 8/9/13 9:14 AM, Mark Thomas wrote:

On 09/08/2013 14:50, Christopher Schultz wrote:



It's too bad it took a researcher a year to figure out that
compression of any kind makes encryption (where the attacker can
force random probing attacks) weak. It's not like SSL+compression
and SSL-compression+compression is that different.



It didn't. The original CRIME presentation covered this topic. I
fail to understand why such a fuss is being made of this
re-hashing.


I wouldn't say this constitutes a "fuss".


"fuss" was a reference to how some folks are reacting to this "new"
attack, "BREACH". First it isn't new, second it isn't (in my view)
practical.


The original CRIME presentation also (correctly) pointed out that
any attack based on this is entirely theoretical and not currently
at all practical.


Coffee shop + XSS? Perhaps a stretch.


To succeed, the attacker requires:

a) The victim is using a site that uses HTTP-level compression on responses
b) The site echoes user input in HTTP response bodies
c) The response bodies contain a constant secret (eg. CSRF token)

So far, not too hard. c) is a little unusual. Session IDs are normally
in cookie headers, CSRF tokens should change on every request. That
said, there are plenty of sites that meet a) to c).

d) The attacker has the ability to view the victim's encrypted traffic.
e) The attacker has the ability to cause the victim to send HTTP
requests to the vulnerable web server.

e) is where I think this attack becomes impractical. This may change
over time but at the moment the coffee shop scenario would require
social engineering the victim or subverting the router if the site mixed
HTTP and HTTPS. A malicious ISP / $work sysadmin is another option with
mixed HTTP/HTTPS.


I was reading about the pineapple wifi mark iv the other day. It looks 
to be a particularly powerful piece of pen testing equipment. This tool 
in a coffee shop would probably be all you need to have a good chance at e).


In short, don't do banking (or other sensitive work) at a coffee shop 
when the pages are a mix of HTTP and HTTPS.



The point is that folks are starting to chip-away at certain aspects
of TLS. Just like they did with hashing algorithms. MD5 was great when
it came out. So was SSL. There's nothing wrong with looking toward the
future, even if the current crop of problems aren't exactly catastrophic.


Indeed. If only everyone was approaching this with the same sense of
perspective. I agree the attacks will only get better / easier / more
practical but right now there are some big obstacles and I don't see any
obvious roots to getting over them.

Mark


I'm not a security person, nor do I play one online.

. . . . just my two cents
/mde/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Upgrade to Tomcat 7 Issues

[Mark Eggers]

On 8/9/2013 8:46 AM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

Chuck,

On 8/9/13 10:08 AM, Caldarale, Charles R wrote:

From: Seema Patel [mailto:seema...@hotmail.com] Subject: RE:
Upgrade to Tomcat 7 Issues



In my WEB-INF/lib I have the following (sorry the list is quite
long): activation.jar



In Tomcat7.0/lib directory I have (I have grouped them
alphabetically so it doesn't make the list too long downwards,
like the above list)



activation.jar j2ee.jar


You must never, never, never have the same class files in multiple
locations in the class loader hierarchy (e.g., activation.jar and
several others).


I don't think "activation" is something provided by servlet
containers. I don't see it in a stock Tomcat, for example.



JavaBeans activation framework (activation.jar) was required for Java 
mail when running on older versions of the JRE. It has been included 
since JRE 6 (can't remember the minor version).


Since the original poster has upgraded to JRE 7, there should be no need 
for this JAR either in $CATALINA_HOME/lib or WEB-INF/lib of the application.



Also, j2ee.jar must never be present anywhere in any Tomcat
installation.


I'm not sure what's in this particular j2ee.jar, but you're probably
right that it does not belong. The container should provide all
services to the webapp. If you want a more fully-functional J2EE
container, consider Apache TomEE.


You need to start over, not adding anything to Tomcat's lib
directory, and try running your webapp.


Absolutely.

- -chris


. . . . just my two cents.
/mde/

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Upgrade to Tomcat 7 Issues

[Caldarale, Charles R]

> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Upgrade to Tomcat 7 Issues

> I don't think "activation" is something provided by servlet
> containers. I don't see it in a stock Tomcat, for example.

It's not provided by Tomcat, but that's not the relevant point.  The problem 
was that it was placed in _both_ Tomcat's lib directory and the webapp's 
WEB-INF/lib directory - an absolute no-no.  It can be in each webapp's 
WEB-INF/lib directory (since the relevant class loaders can't see each other), 
or possibly in Tomcat's lib directory (although it might cause other problems 
there, depending on how it's coded).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Upgrade to Tomcat 7 Issues

[David kerber]

On 8/9/2013 11:46 AM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 8/9/13 10:08 AM, Caldarale, Charles R wrote:

From: Seema Patel [mailto:seema...@hotmail.com] Subject: RE:
Upgrade to Tomcat 7 Issues



In my WEB-INF/lib I have the following (sorry the list is quite
long): activation.jar



In Tomcat7.0/lib directory I have (I have grouped them
alphabetically so it doesn't make the list too long downwards,
like the above list)



activation.jar j2ee.jar


You must never, never, never have the same class files in multiple
locations in the class loader hierarchy (e.g., activation.jar and
several others).


I don't think "activation" is something provided by servlet
containers. I don't see it in a stock Tomcat, for example.


It's not; it's part of the mail package.  But the OP still has it in 
multiple places.  Probably placed in Tomcat7.0/lib manually, and in 
WEB-INF/lib automatically.







Also, j2ee.jar must never be present anywhere in any Tomcat
installation.


I'm not sure what's in this particular j2ee.jar, but you're probably
right that it does not belong. The container should provide all
services to the webapp. If you want a more fully-functional J2EE
container, consider Apache TomEE.


You need to start over, not adding anything to Tomcat's lib
directory, and try running your webapp.


Absolutely.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBQ7bAAoJEBzwKT+lPKRYz0MQAJ95UbypXpJfS/a9DcqtgB+Z
VL4mVwtrKZfNRAK+vyP8yg/N3FYi+KIFPslZlYUj4/lH49srTQewlYkfw3Z9CaPR
aySxb/UN1EOnTyoW3jGzATC2u8+W8lMSDj6w8nBsefPoAkiQqrsaHpeUtvms+BJG
W3GRUwaTxIjo3J8anoCSea+LMTjYHROQeuECk+eXCMkm0hHC6KYAxKNB3cc2sqiP
zLkh2H8FalQORizUI43XC2H9R+deno8W6HtGnFowOcWIkZIQOok7V1GZGjNrPkB4
VEDQYn0tLvWMH9TpDpU8F3L0h2WedrX4LPVk+iYPI0jbuH2iFmtk8hCvVKv5LZ3O
teA7axTtOTm2LrkAA8luNWNyPVdMlr8dphKpIFQHVytq8EQNAEx3W5LBlYc1hKb9
WpML80J7BIEhJjkuB4rzX1BRqd8tmF7c1LBAl77QgDhkD8Hk66+lLKdsSo9T/B8t
6c2L+/RIpDl2H5ru3oCWlHRw3LF5I4qyh/qSEdqU0udrj+rGMAOP+qIFLhndRKSO
hb4sYipTlplI9Q1pI9skOTNQOFN5ThBjU4WoRnsbvQtjXnmEoR0lV3eUKkPBRuQS
chjmbfw1YdygMNIZEw36dclkPG4Vt3XjQZ8EudAb226BUDF5khpSlooDLEajMiXy
1lAcbwTnbcvjFKXyScTi
=CKJe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 11:10 AM, Mark Thomas wrote:
> On 09/08/2013 15:28, Christopher Schultz wrote:
>> Mark,
>> 
>> On 8/9/13 9:14 AM, Mark Thomas wrote:
>>> On 09/08/2013 14:50, Christopher Schultz wrote:
>> 
 It's too bad it took a researcher a year to figure out that 
 compression of any kind makes encryption (where the attacker
 can force random probing attacks) weak. It's not like
 SSL+compression and SSL-compression+compression is that
 different.
>> 
>>> It didn't. The original CRIME presentation covered this topic.
>>> I fail to understand why such a fuss is being made of this 
>>> re-hashing.
>> 
>> I wouldn't say this constitutes a "fuss".
> 
> "fuss" was a reference to how some folks are reacting to this
> "new" attack, "BREACH". First it isn't new, second it isn't (in my
> view) practical.

Fair enough.

>>> The original CRIME presentation also (correctly) pointed out
>>> that any attack based on this is entirely theoretical and not
>>> currently at all practical.
>> 
>> Coffee shop + XSS? Perhaps a stretch.
> 
> To succeed, the attacker requires:
> 
> a) The victim is using a site that uses HTTP-level compression on
> responses b) The site echoes user input in HTTP response bodies c)
> The response bodies contain a constant secret (eg. CSRF token)
> 
> So far, not too hard. c) is a little unusual. Session IDs are
> normally in cookie headers, CSRF tokens should change on every
> request. That said, there are plenty of sites that meet a) to c).
> 
> d) The attacker has the ability to view the victim's encrypted
> traffic. e) The attacker has the ability to cause the victim to
> send HTTP requests to the vulnerable web server.
> 
> e) is where I think this attack becomes impractical. This may
> change over time but at the moment the coffee shop scenario would
> require social engineering the victim or subverting the router if
> the site mixed HTTP and HTTPS. A malicious ISP / $work sysadmin is
> another option with mixed HTTP/HTTPS.

I tend to agree: being able to both remotely monitor the victim's
traffic *and* remotely-control the browser means that you already have
quite a bit of control over the situation. Perhaps decrypting the SSL
stream isn't the worst thing an attacker in such a position can
accomplish.

>> The point is that folks are starting to chip-away at certain
>> aspects of TLS. Just like they did with hashing algorithms. MD5
>> was great when it came out. So was SSL. There's nothing wrong
>> with looking toward the future, even if the current crop of
>> problems aren't exactly catastrophic.
> 
> Indeed. If only everyone was approaching this with the same sense
> of perspective. I agree the attacks will only get better / easier /
> more practical but right now there are some big obstacles and I
> don't see any obvious roots to getting over them.

Agreed.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBRAUAAoJEBzwKT+lPKRYKMsP/3ye2X1m8oZGMxDfjhOxLr+B
xRS1SycborjXnEhAXnGAx+U1jFDzKPWQ0AdDMd2o4NKPqS6jWJTQ37CBeXN+25y2
0+FxZKP9FwrY94qY/dCNHK70nuUda6hpcGcpWRc78swh+hUnBzB0ue52WaaWjTJH
DfTPcRu1zvIeXj1zylIG4GebqKOH1+5P+NgL37+hnzoIwGmsgJ2FeVpAXELrrtZJ
wOcYguKLv0NrqkAx7CvZDmtr6a4ZpZvmyXpVGJlaoi/ejmQzDvtZDOFlsBaYOMwc
4HsweP4mEi7Ms3QYBzn9naVFXr1x+saaoO75F0jnRGE9yLJXbkhGgmpLM/+arnhO
/laV3ZMqHLXZYu+cmZvD/JsdL2liAaMPcwEB3c1ebFuTI8ro7+/7qlVx+H2inGew
2DIvWePjAXyKuudL8GqqHTcsbe6nrbpB41fqRyWCBSxtZwLbUfxgfjfXRQOfkX5e
88f2FmL7/BHq7YgO368rreZWx+RVze2SVv7nGm20M7LzEP6Dd2k7etca+K+KdS9L
ndNs4yHAtK8328dPsCsIYwcI767Y/5qTV3UIV0Bz8YDfjSYZvDQYVlCQRHs1VA/A
xisZptwRA1jZro3WrTlgzjdHfTOcxIYDaL65eZUXcjGgXB2T9YeIAfguf7PFK5wC
I6LlkxLa23oMvDL7Z2+c
=RJjz
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Upgrade to Tomcat 7 Issues

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 8/9/13 10:08 AM, Caldarale, Charles R wrote:
>> From: Seema Patel [mailto:seema...@hotmail.com] Subject: RE:
>> Upgrade to Tomcat 7 Issues
> 
>> In my WEB-INF/lib I have the following (sorry the list is quite
>> long): activation.jar
> 
>> In Tomcat7.0/lib directory I have (I have grouped them
>> alphabetically so it doesn't make the list too long downwards,
>> like the above list)
> 
>> activation.jar j2ee.jar
> 
> You must never, never, never have the same class files in multiple 
> locations in the class loader hierarchy (e.g., activation.jar and 
> several others).

I don't think "activation" is something provided by servlet
containers. I don't see it in a stock Tomcat, for example.

> Also, j2ee.jar must never be present anywhere in any Tomcat
> installation.

I'm not sure what's in this particular j2ee.jar, but you're probably
right that it does not belong. The container should provide all
services to the webapp. If you want a more fully-functional J2EE
container, consider Apache TomEE.

> You need to start over, not adding anything to Tomcat's lib
> directory, and try running your webapp.

Absolutely.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBQ7bAAoJEBzwKT+lPKRYz0MQAJ95UbypXpJfS/a9DcqtgB+Z
VL4mVwtrKZfNRAK+vyP8yg/N3FYi+KIFPslZlYUj4/lH49srTQewlYkfw3Z9CaPR
aySxb/UN1EOnTyoW3jGzATC2u8+W8lMSDj6w8nBsefPoAkiQqrsaHpeUtvms+BJG
W3GRUwaTxIjo3J8anoCSea+LMTjYHROQeuECk+eXCMkm0hHC6KYAxKNB3cc2sqiP
zLkh2H8FalQORizUI43XC2H9R+deno8W6HtGnFowOcWIkZIQOok7V1GZGjNrPkB4
VEDQYn0tLvWMH9TpDpU8F3L0h2WedrX4LPVk+iYPI0jbuH2iFmtk8hCvVKv5LZ3O
teA7axTtOTm2LrkAA8luNWNyPVdMlr8dphKpIFQHVytq8EQNAEx3W5LBlYc1hKb9
WpML80J7BIEhJjkuB4rzX1BRqd8tmF7c1LBAl77QgDhkD8Hk66+lLKdsSo9T/B8t
6c2L+/RIpDl2H5ru3oCWlHRw3LF5I4qyh/qSEdqU0udrj+rGMAOP+qIFLhndRKSO
hb4sYipTlplI9Q1pI9skOTNQOFN5ThBjU4WoRnsbvQtjXnmEoR0lV3eUKkPBRuQS
chjmbfw1YdygMNIZEw36dclkPG4Vt3XjQZ8EudAb226BUDF5khpSlooDLEajMiXy
1lAcbwTnbcvjFKXyScTi
=CKJe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Mark Thomas]

On 09/08/2013 15:28, Christopher Schultz wrote:
> Mark,
> 
> On 8/9/13 9:14 AM, Mark Thomas wrote:
>> On 09/08/2013 14:50, Christopher Schultz wrote:
> 
>>> It's too bad it took a researcher a year to figure out that 
>>> compression of any kind makes encryption (where the attacker can
>>> force random probing attacks) weak. It's not like SSL+compression
>>> and SSL-compression+compression is that different.
> 
>> It didn't. The original CRIME presentation covered this topic. I
>> fail to understand why such a fuss is being made of this
>> re-hashing.
> 
> I wouldn't say this constitutes a "fuss".

"fuss" was a reference to how some folks are reacting to this "new"
attack, "BREACH". First it isn't new, second it isn't (in my view)
practical.

>> The original CRIME presentation also (correctly) pointed out that
>> any attack based on this is entirely theoretical and not currently
>> at all practical.
> 
> Coffee shop + XSS? Perhaps a stretch.

To succeed, the attacker requires:

a) The victim is using a site that uses HTTP-level compression on responses
b) The site echoes user input in HTTP response bodies
c) The response bodies contain a constant secret (eg. CSRF token)

So far, not too hard. c) is a little unusual. Session IDs are normally
in cookie headers, CSRF tokens should change on every request. That
said, there are plenty of sites that meet a) to c).

d) The attacker has the ability to view the victim's encrypted traffic.
e) The attacker has the ability to cause the victim to send HTTP
requests to the vulnerable web server.

e) is where I think this attack becomes impractical. This may change
over time but at the moment the coffee shop scenario would require
social engineering the victim or subverting the router if the site mixed
HTTP and HTTPS. A malicious ISP / $work sysadmin is another option with
mixed HTTP/HTTPS.

> The point is that folks are starting to chip-away at certain aspects
> of TLS. Just like they did with hashing algorithms. MD5 was great when
> it came out. So was SSL. There's nothing wrong with looking toward the
> future, even if the current crop of problems aren't exactly catastrophic.

Indeed. If only everyone was approaching this with the same sense of
perspective. I agree the attacks will only get better / easier / more
practical but right now there are some big obstacles and I don't see any
obvious roots to getting over them.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Upgrade to Tomcat 7 Issues

[Seema Patel]

Ok thanks for the help.  I'll redo it again.  If I get any further errors I'll 
post a new question.

Thanks again.
Seema


> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Fri, 9 Aug 2013 09:08:55 -0500
> Subject: RE: Upgrade to Tomcat 7 Issues
> 
> > From: Seema Patel [mailto:seema...@hotmail.com] 
> > Subject: RE: Upgrade to Tomcat 7 Issues
> 
> > In my WEB-INF/lib I have the following (sorry the list is quite long):
> > activation.jar
> 
> > In Tomcat7.0/lib directory I have (I have grouped them alphabetically 
> > so it doesn't make the list too long downwards, like the above list) 
> 
> > activation.jar
> > j2ee.jar
> 
> You must never, never, never have the same class files in multiple locations 
> in the class loader hierarchy (e.g., activation.jar and several others).  
> Also, j2ee.jar must never be present anywhere in any Tomcat installation.  
> You need to start over, not adding anything to Tomcat's lib directory, and 
> try running your webapp.  If it fails, determine why, and decide where the 
> necessary .jar file should go (the answer is almost always WEB-INF/lib, 
> except for JDBC drivers when Tomcat is handling the connection pooling).
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
  

RE: Upgrade to Tomcat 7 Issues

[Caldarale, Charles R]

> From: Seema Patel [mailto:seema...@hotmail.com] 
> Subject: RE: Upgrade to Tomcat 7 Issues

> In my WEB-INF/lib I have the following (sorry the list is quite long):
> activation.jar

> In Tomcat7.0/lib directory I have (I have grouped them alphabetically 
> so it doesn't make the list too long downwards, like the above list) 

> activation.jar
> j2ee.jar

You must never, never, never have the same class files in multiple locations in 
the class loader hierarchy (e.g., activation.jar and several others).  Also, 
j2ee.jar must never be present anywhere in any Tomcat installation.  You need 
to start over, not adding anything to Tomcat's lib directory, and try running 
your webapp.  If it fails, determine why, and decide where the necessary .jar 
file should go (the answer is almost always WEB-INF/lib, except for JDBC 
drivers when Tomcat is handling the connection pooling).

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Upgrade to Tomcat 7 Issues

[Seema Patel]

In my WEB-INF/lib I have the following (sorry the list is quite long):

activation.jar
axis.jar
BTDslCheckerLib.jar (this is one of our java projects)
commons-beanutils.jar
commons-codec-1.3.jar
commons-collections.jar
commons-digester.jar
commons-discovery-0.2.jar
commons-fileupload.jar
common-httpclient-3.0.1.jar
commons-logging-1.0.4.jar
commons-validator.jar
ditchnet-tabs-taglib.jar
itext-1.4.jar
jaxen-core.jar
jaxen-jdom.jar
jaxrpc.jar
jbossall-client.jar
jcifs-1.2.17dynamic-dc.jar
jcifs-1.3.17.jar
jdom.jar
jstl.jar
log4j-1.2.13.jar
mail.jar
poi-2.5.1-final-20040804.jar
poi-3.7-20101029.jar
poi-contrib-2.5.1-final-20040804.jar
saaj.jar
saxpath.jar
SOPortalCommon.jar (this is one of our java projects)
standard.jar
struts.jar
struts-el.jar
commonlib.jar (this is one of our java projects)
portalcommonlib.jar (this is one of our java projects)
wsclients.jar (this is one of our java projects)
wsdl4j-1.5.1.jar
yahoo-toolkit.jar (this is one of our java projects that uses the yahoo toolkit 
yui stuff)

In terms of upgrading, I downloaded jre7 and installed it, changed the projects 
to use jre7 and in eclipse I pointed the installed JREs to use jre7.
I then downloaded Tomcat7, changed the server.xml file to have the Resource 
tags/elements in GlobalNamingResources tag to point to my databases (9 Resource 
tags in total, all taken from the server.xml file in Tomcat 5.5).  In Service 
tag/element, I have added the following:



I have commented out:



In the Engine tag/element I have added:

ldap://xxx:3268";
connectionName="xxx@xxx.local" connectionPassword="xxx"
referrals="follow" userBase="dc=xxx,dc=local"
userSearch="(sAMAccountName={0})" userSubtree="true"
roleBase="dc=xxx,dc=local" roleSearch="(member={0})"
roleName="cn" roleSubtree="true" />

which is just before the Host tag/element.

In Tomcat7.0/lib directory I have (I have grouped them alphabetically so it 
doesn't make the list too long downwards, like the above list) (some of which I 
have added, but not sure if they're needed):

activation.jar, annotations-api.jar
catalina.jar, catalina-ant.jar, catalina-ha.jar, catalina-tribes.jar
ecj-4.2.2.jar, el-api.jar
j2ee.jar
jasper.jar, jasper-el.jar
jaxen-core.jar, jaxen-jdom.jar, jdom.jar, jsp.jar, jtds-1.2.jar
log4j-1.2.13.jar
mysql-connector-java-5.0.8-bin.jar
naming-factory.jar, naming-facotry-dbcp.jar, naming-resources.jar
servlet-api.jar
tomcat-api.jar, tomcat-coyote.jar, tomcat-dbcp.jar, tomcat-i18n-es.jar, 
tomcat-i18n-fr.jar, tomcat-i18n-ja.jar, tomcat-jdbc.jar, tomcat-util.jar
xmlrpc-1.2-b1.jar

I believe that's everything I have done, but I may have left something out, as 
I have been trying to get it working for the pass 2 days and may have changed 
something that I don't remember.  If there is anything more you need to know 
then please let me know.

Thanks
Seema

> Date: Fri, 9 Aug 2013 09:07:48 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Upgrade to Tomcat 7 Issues
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Seema,
> 
> On 8/9/13 5:17 AM, Seema Patel wrote:
> > I've upgraded my tomcat from 5.5 to 7.0. I've also upgraded the jre
> > from 1.5 to 7.
> > 
> > I'm trying to get my existing struts/servlets projects to run, but
> > I'm getting the following error when running tomcat in my
> > tomcat7-stderr...log file:
> > 
> > INFO: Deploying configuration descriptor C:\Tomcat
> > 7.0\conf\Catalina\localhost\common.xml 09-Aug-2013 10:11:44
> > org.apache.catalina.core.ContainerBase addChildInternal SEVERE:
> > ContainerBase.addChild: start: 
> > org.apache.catalina.LifecycleException: Failed to start component
> > [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/common]]
> >
> > 
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> > at
> > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> >
> > 
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
> > at
> > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
> >
> > 
> at
> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:656)
> > at
> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1635)
> >
> > 
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> > at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at
> > java.util.concurrent.FutureTask.run(Unknown Source) at
> > java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
> > Source) at
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
> > at java.lang.Thread.run(Unknown Source) Caused by:
> > java.lang.NoSuchMethodError:
> > javax.servlet.ServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig;
> >
> > 
> at org.apache.catalina.deploy.WebXml.configureContext(WebXml.java:1374)
> > at
> > org.apache.catalina.star

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 8/9/13 9:14 AM, Mark Thomas wrote:
> On 09/08/2013 14:50, Christopher Schultz wrote:
> 
>> It's too bad it took a researcher a year to figure out that 
>> compression of any kind makes encryption (where the attacker can
>> force random probing attacks) weak. It's not like SSL+compression
>> and SSL-compression+compression is that different.
> 
> It didn't. The original CRIME presentation covered this topic. I
> fail to understand why such a fuss is being made of this
> re-hashing.

I wouldn't say this constitutes a "fuss".

> The original CRIME presentation also (correctly) pointed out that
> any attack based on this is entirely theoretical and not currently
> at all practical.

Coffee shop + XSS? Perhaps a stretch.

The point is that folks are starting to chip-away at certain aspects
of TLS. Just like they did with hashing algorithms. MD5 was great when
it came out. So was SSL. There's nothing wrong with looking toward the
future, even if the current crop of problems aren't exactly catastrophic.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBO5wAAoJEBzwKT+lPKRYxakP/2PXSoCBrzgvVjkKrmvOh2Ag
5IVuP5eoIVpTT/ud6d8/uYDnSVSA/OI64lFZqZDwuiu11XnMC/uxDc/O4cfbCxA4
AYu0BgY/NDPUCAyPIcjujP22oBZibvYVr9RFrTFHdtmAaVT7KiLglCUaJzxuZtt7
6/A1+y4Q5X+g40fukNtIbwW7Of3hA2KNPeWt5s6aivYaUdQDfdYfMYh+kED+JMhS
HKpmaEBoj0KwOAv5iKbWaVphe+ZuFuqnLJq82GbJqWsiwQ3uykK0x/gAI9tmWe4D
SwpSszi5jwyv8SAoewyNLQr0ojNlzwkftVOrBEFyijfCAhu86xPHGDn1QghFQEpg
ALXn0oMQkeP7zVfxv4f2ID/u5iOtkT2O8G/jeq3jA08Ide7qi1+kNsWZyrvGS9r7
qkCoE9GayRgGKIEAS+mJLMhJ28ttJ4wvugSpsaSSNOu6CTWIY5mnlovbpPir18GN
uZCKMofeIn/fHAROFiHyFudP00z/uxX8r//gCCo0rcwcXRMUS/lxHZJNjYDL+ACA
QFiSWvgAlm8JWEpgF2DjckIND5ZoFvBS5KztkLlbZCeqzw9iSA/FY4r7EqfbQ0Rj
Nr9yvDGONDzgUp2BwHJIcYKIB5QQnSD1JfshVn//hv7Cm7v1GoA0b71Kkb2V+3s+
wZQf5DcDObBEck5VG2qE
=xEbv
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat shutdown behaviour

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Vimal,

On 8/9/13 1:01 AM, Vimal Jain wrote:
> I am using tomcat-6 on my Ubuntu 13.10 desktop. My question is :-
> When i run shutdown script of tomcat , does tomcat wait for
> currently running threads to complete before shutting down ?

Do you mean "does Tomcat complete all in-progress requests before
shutting down"?

Honestly, I get horribly confused whenever I try to read the
Connector/Processor/Protocol/Lifecycle/etc. code (as I just did,
again), but it looks like Tomcat closes the ServerSocket (which will
drop any request that hasn't yet been accepted -- those in the TCP
accept queue) immediately. I have to imagine that any in-progress
non-asynchronous requests that have been assigned threads will
complete successfully, since they threads are being managed by a
thread pool. I'm not sure what happens to asynchronous requests that
are still in mid-flight.

Note that running 'bin/catalina.sh stop' does not stop Tomcat before
it exists. That command merely sends a "SHUTDOWN" command to Tomcat
via a socket (under the default configuration) or sends a signal to
the process (if you have changed the default).

In the former case (SHUTDOWN command), your shutdown-request completes
almost immediately, while the true server process goes through an
orderly shutdown process as (lightly) described above. In the latter
case (signal), a KILL signal is sent and your JVM might not shutdown
in an orderly way -- and you may destroy in-process requests.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBO1YAAoJEBzwKT+lPKRYXMEQALpeFF12SE3Cm9DoVwtjlgKb
MFef+u54uzRqyRufoamHnO6rbqLd4OPNQIiSbx/eJ2Xr3QQhhF5THRSfQY6hJpxN
phxKRWoPVQiEGffo/qXFOmGM10tUbTe1BTD2ZKfUoqy6N4G1EDeUhuEBke2yaBga
G5CUcjSYAPqRUMHcQi+EH+8oVGAB3TFXkQAl9a2zz4CqLi8fP/GVeMl8DAN91kCG
0IV6qSw8s6TdC5f3HXtOrp1fEhS15PPdF6gPfBFpKII2IFddGfDwghDhSaabWBrV
Q1rMqngNKLArTcXOv4ahXsBAykNaUq2MLLFs2NW2Giy61q9LZ5W5Ip1sa7TqEAU6
hiZU7VDkbrjz3iMLe2UvfoiIi+6P5CAfTL1tKVdGkAo4bN1EwZDShD9hQjvLnJFU
9ScaHfsor0iTwu1UvKjOWER8jids3ntju8kXsGs+WA4SOn517q7Ni0/3DPYkTZQL
idQHx8VC0GaENkPQfWRU+CCH73GuWuSKmgWrDnL3mxFNoCPZLFix7fwYBk+5OOSn
PeIs0OYhWlMyWj+wNtp7hqx4Bk7XvNKxwpCID+keB8Ffj8JR5hKyKBbJBzCw3RRa
YLSaqjCvsq0Ab7k9IyDntH9lVPLRvpxb/d16PZw11IvMlQsbg5KZRSXnXZNabkSf
atnhsLEmjGu3fPs8+Ror
=ZQGX
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Mark Thomas]

On 09/08/2013 14:50, Christopher Schultz wrote:

> It's too bad it took a researcher a year to figure out that
> compression of any kind makes encryption (where the attacker can force
> random probing attacks) weak. It's not like SSL+compression and
> SSL-compression+compression is that different.

It didn't. The original CRIME presentation covered this topic. I fail to
understand why such a fuss is being made of this re-hashing.

The original CRIME presentation also (correctly) pointed out that any
attack based on this is entirely theoretical and not currently at all
practical.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Upgrade to Tomcat 7 Issues

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Seema,

On 8/9/13 5:17 AM, Seema Patel wrote:
> I've upgraded my tomcat from 5.5 to 7.0. I've also upgraded the jre
> from 1.5 to 7.
> 
> I'm trying to get my existing struts/servlets projects to run, but
> I'm getting the following error when running tomcat in my
> tomcat7-stderr...log file:
> 
> INFO: Deploying configuration descriptor C:\Tomcat
> 7.0\conf\Catalina\localhost\common.xml 09-Aug-2013 10:11:44
> org.apache.catalina.core.ContainerBase addChildInternal SEVERE:
> ContainerBase.addChild: start: 
> org.apache.catalina.LifecycleException: Failed to start component
> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/common]]
>
> 
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>
> 
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
>
> 
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:656)
> at
> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1635)
>
> 
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) at
> java.util.concurrent.FutureTask.run(Unknown Source) at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
> Source) at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
> at java.lang.Thread.run(Unknown Source) Caused by:
> java.lang.NoSuchMethodError:
> javax.servlet.ServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig;
>
> 
at org.apache.catalina.deploy.WebXml.configureContext(WebXml.java:1374)
> at
> org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1346)
>
> 
at
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:878)
> at
> org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:376)
>
> 
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
> at
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>
> 
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5322)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>
> 
... 11 more
> 
> Any ideas?  Have I missed something?

Sounds like you have a library in your WEB-INF/lib directory that you
should not have. Can you give us a listing of what you have there?
Tomcat should be protecting itself against loading javax.servlet.*
classes from your webapp, but that sure looks like what is happening.

Or maybe you copied old (Tomcat) libraries from your Tomcat 5.5
install to Tomcat 7.0?

Can you tell us exactly how you upgraded from one to another (be as
specific as possible without writing a 50-page description).


- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOmkAAoJEBzwKT+lPKRYBkcP/j3SfgL5v0KbZa37blpSu3pt
9yUsosdIcy36baBdxefOZKyRhLVSQusdm7egj3SbY2O7/GofcoCPrU17iF4jltqL
S0czwXKFItmX+H+44siEJO295oC91GF6ogBQPdOveJXI96bbZo1DTs/TqeFVK66R
x6MO0Xp/KYBYYx06bLU/kqbUA1WpvZ47x5y69JCJ88beCvhFjixFIKNJmlxZ6xLZ
hxUjery+59Ao/lVKSRhVsY5ytuI66rKgaCwYEsO57c+gBkO0Ex8QCdOUFIBYuj8/
AXOOuyElbxri1jAnoaqG81nVPK1KdPkNAlueYBt1ke0j+bxl/H+VOjz2siyjJB3j
o4Uag/z8e5APLautD+0b37TjMZWrxy7sm5AMrKCsSgYEuX88VU26kpkFlqTy6OQI
BDqqvnTf0mHFfQPO96+vOnhpGKRkXFxORAfGynixeoKw8n13YKdyV6wxKfLne6gc
cbR01SRMXe3O71o5+jH1PB6ZhGh9PRA4wgUDuUuht96Jdv6lmizOpl8ZZWHIRtjU
v4KQu6X9akHLNM29JWVD/6XuhwD7Tr4tiHHQHHR8ozLt6hg7SdAiDSUBQw7RkF6s
NUK2FkUDUA6ICncZ61TiHkaxyH+SCh4c5Z6ThP8pvbUTmWV2UZ1VLJ/6T9GvCyPY
5+XsswfHm40lBbprZn2F
=7d1+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Downgrade Tomcat7 to Tomcat6

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sumilang,

On 8/9/13 5:53 AM, Sumilang Plucena wrote:
> When I installed tomcat6 through the repository then tried
> upgrading it from the shell it's possible but when I tried doing
> the same process through manual installation gave me an error that
> tomcat6 is not installed. Is there a more detailed and friendlier
> instruction on how to install tomcat6 on linux other than the link
> I tried to follow and ended up using other website for
> instruction.

That was a terrible mistake. If you are going to use the
package-manager, stick with the package manager. If you want to do a
manual install, do it separately. You can mix-and match any of the
following:

1. Tomcat 6 via package-manager
2. Tomcat 6 via tomcat.apache.org
3. Tomcat 7 via package-manager
4. Tomcat 7 via tomcat.apache.org

Most folks recommend you go with #2 and #4 because we (on the mailing
list) can be the most helpful. My experience is that apt-based
packages for Tomcat are fairly reasonable to deal with. If you'd
prefer to use a package-manager version of Tomcat, go for it. Just
understand that these things are usually woefully out of date.

For some reason, Tomcat patches simply don't make it into
package-manager repositories. I think it's because Tomcat doesn't
produce actual patches like the httpd team does. So, it's much more
difficult for package-managers to consume individual fixes for e.g.
security fixes while keeping the package itself as super-stable as
they like things to be (at least I think this is what the Debian folks
do).

> About the second question. I upgraded tomcat6 my first
> uninstalling it then installing tomcat7 from the repository.

You probably didn't need to do that: you should be able to have both
Tomcat 6 and Tomcat 7 installed simultaneously (and switch between them).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOkFAAoJEBzwKT+lPKRYt1QP/RATe3Ampd/96GiIZ0KWieTF
nMFswHzlEqV5LyZmUmirXg4xLoNh+cXDA14JpmrNM6YSZp80mEpSq5vxpbIKIIFv
V3VEfrG4+eWz+A4HA6Y/bNJomyaobZ77JdUj0+3uQnvvOUU2kg2ZKdA/qAE6xFC7
miswbpxkGFJLKmGyG2NyxCSFjo/HbqwOy8MkYA4Qbm6kJvCcS672q78qWJj2J9o4
UEUYka/6XtXtZ4WP2X3Dy/5H4z5wOUXIJjQfzxCWat8w68CvOigCHJO5Bzlp98zX
dd6J985rlW6IoUW9+W7hSuASYkhyfVAmqnERd6L1MvtVzLQU1uCt0+YidLqky1ve
pc+3ihF1K4pXPkdN3B9MYtiaRpbqaxzMnzzAreKewJZ86vfb1QcDBdZMkFG0aV/5
di7xknieLyqbY3go8ALF0vrh71JkEIvjv1u8j1Zz0V0xPSTrMfvOf2WoDGNl/05b
VtSFvJa3hPvVKw3Dphr9BFyPZNiraYjycIN3Aq2kPRNIit8XGPf+ndlxW6BXlnLr
Sl56gwGJU9mLEQPePMDZpUpYcWsUEE263QXYEE9kSuFT/+fpUKP2wFFeP3LT2CYj
Pgk0K1WjRoHGlksFQIjk8o3K6Z+QRYWRZmz8RHaoADvuFMBXnGTNzXIH5Gow0C2U
o4hmiIB5x1eY1Axy0nqs
=Q/mm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Martin,

On 8/8/13 8:20 PM, Martin Gainty wrote:
> as earlier mentioned
> 
> chrome is the only browser that supports compression on SSL
> streams

Mozilla Firefox had implemented TLS+compression for SPDY requests, and
thus was vulnerable. Since CRIME, both browsers have disabled
compression for TLS.

Disabling TLS compression whilst enabling gzip compression merely
re-enables a similar attack that had been mitigated by disabling SSL
compression in the first place.

So, it doesn't matter what browser you use, since you can usually bet
that the client supports gzip and/or deflate compression for
Content-Encoding. (Well, you don't have to bet, since the client
advertises that fact via Accept-Encoding). The point is that this is
not something most people are safe from due to their browsers'
inabilities. On the contrary: swapping TLS compression with "regular"
compression has given this attack much wider applicability.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOeeAAoJEBzwKT+lPKRY4GEQAJb9odexFRiOncyPUJpoW/Cr
yhQGyrDD606jcfhtv029BWw8RB2fRK0Efo03+0LJ8auGA9jPdD/u/aZYWBmzUcm6
w7fNR+zk288OjHpfU0PQ0c7ypK1vcEpVw57+f6aqMsdw/MaSlhQLX9ducsUZRzu2
TrHBlJPngu17HK9y5jg9i0YHJ6wMbvfD+8Dk17NoabthxgO3An9CNznp7IYSCyx2
9Y8dVT6d6W538JMgm+Ov+iAYwoZNslnKDo46bqHXbeuLo5VAn8wmisY+tW9QmbdP
cVsl6I+E2WGKGt2TvWGYwODKDCyxgDkLXjFRp13vpkpFTmYsvLSbiajJsur/kO1H
qcTq0ygdtoMe8waiB/eXbZx0aWVsfG90R7SaiUsznR3lTJfFPrDst3IuOJgafLIw
t1KvU3p1AcbFhAXZG3Oo9Ltwm3rxYvNuGi4eD8Khq8JOiMk4P+hhQwN30jCno7X6
0bV/tbIlp1SfU3SNFjUESIG4GIJGNUIOVuW8Ga1s1/8HQhMVnjHDG6eapeW0OS1h
srC3RKmPvWo0BEs4XmDanmssGqeOBZmhgO1SDGi/aY9Jl/NQVkBApzfdaJ1eDUB2
PfTzSOUz2SFEJy5nwkWR0y0S4hoN4i8sVgrqtUtmRZIzuqFr+SJlaIxfujzNWaxS
3X77ZRaLZXxUdEEV1HKR
=44Ps
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David,

On 8/8/13 5:47 PM, David Landis wrote:
> On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
>> 
>> ... and the SSLDisableCompression setting (when set to "false")
>> is intended to mitigate the CRIME attack against SSL/TLS
>> compression. Feel free to read online all about the CRIME
>> attack.
>> 
> 
> That was what I was hoping it did when I asked the original
> question :)
> 
> 
>> I haven't really done any analysis of SSL compression (that is, 
>> compression as implemented by the TLS/SSL layer) alone versus 
>> compression-less-SSL + gzip, but I suspect that any combination
>> of compression and encryption can lead to CRIME-like attacks ...
> 
> 
> That seems to be true since there is now the BREACH attack:
> 
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>
>  which (I think) is compression-less-SSL + gzip.

It is compression + deflate as explained in the article, but gzip
basically works the same way (LZ77 + Huffman).

It's too bad it took a researcher a year to figure out that
compression of any kind makes encryption (where the attacker can force
random probing attacks) weak. It's not like SSL+compression and
SSL-compression+compression is that different.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSBOWnAAoJEBzwKT+lPKRYuMoP/0cFjaVbiLs+Qw3QQS/z/A0p
mq/5QTNhsUqSsRmhnjAThGSBZPCpXB9We9ecTqV1moxR9iG94x/oya/3yToYmJ1r
Msat1HB97YRotPxyWCweZ2nllTPshlkyTnhojcD18csnA0pAfn/LzqimRXFelX2f
Vnkgoygb6qL5f6fIMpVVWrjzn1BsAGQxjNQwJtteimLC1GE7sYOarQ4MuqMrQzM2
/5tqOpJQnVgZRL+IdqNLHpYWGx8FhonV6KDXlVTAkl6LOgTWpVlWNrHzq8/wFpxO
3XssLKcO2oHm2mGvD8c6ivRwvVjvZlQd1VapamJpIxGl+ezlbyLwPx0USiIUrcNO
m6uyO1I9Zq9Vw63VMwbatYqA3nTqNwKhdaMl3H7jj4KJDxVyr/0RUNIuUu4+yECZ
XLUpSucIluDL90BrXfvYaSf8yCbkRBhk5fW9IgzDOOgXFlQNsYdb5RGtFxksIb24
irmiv4naxNKqBdyvVPDvib7hXwAAX4K8xhYitv7gakpCS7JPZrWA7hFl5YCdt7H7
pnCGLXTiyMpTRhQ7WNDm7sCFLD1YL67axRHBm1nMSbxOBwR3CiZ5UINOlqyj3Wp7
ZDZQNkdF0NBK9XL5J4fyapXDGYX+N6y0ikK1bR24qncrPuVq6RNkpJ04UlWWENq9
wzgcOoLG/iO4WpuAcoJC
=iH73
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Downgrade Tomcat7 to Tomcat6

[Daniel Mikusa]

On Aug 9, 2013, at 5:53 AM, Sumilang Plucena  
wrote:

> Installed tomcat6 through the repository

Uninstall this.  See reasons listed in my previous email.

> and by manual configuration. I tried following the manual installation from 
> this resource http://tomcat.apache.org/tomcat-6.0-doc/setup.html but end up 
> following from another website 
> http://www.howtogeek.com/howto/linux/installing-tomcat-6-on-ubuntu/. 

and what happened?  Did it work?

> When I installed tomcat6 through the repository then tried upgrading it from 
> the shell it's possible

Forget about the repository.  See reasons listed in my previous email.

> but when I tried doing the same process through manual installtion gave me an 
> error that tomcat6 is not installed.

Upgrades are easy.  You just download and install the new version along side 
your existing version, migrate your config from the old to new version (use a 
diff tool or [1]) and deploy your apps to the new instance.  More info on 
upgrades can be found here [2].

While it's a bit more complicated to initially setup, you can streamline the 
upgrade process further by using separate CATALINA_HOME and CATALINA_BASE 
environment variables.  For more info on how to do this, see the "Advanced 
Configuration - Multiple Tomcat Instances" in RUNNING.txt.

  [1] - https://tomcat.apache.org/migration-6.html#Upgrading_6.0.x
  [2] - https://tomcat.apache.org/migration.html

> Is there a more detailed and friendlier instruction on how to install tomcat6 
> on linux other than the link I tried to follow and ended up using other 
> website for instruction.

You should look at RUNNING.txt [3].  It's not a pretty HTML page, but it says 
exactly what you need to know about installing.  The only part missing from 
RUNNING.txt would be instructions for installing as init.d script to start on 
boot.  This is documented here [4].

  [3] - https://tomcat.apache.org/tomcat-6.0-doc/RUNNING.txt
  [4] - https://tomcat.apache.org/tomcat-6.0-doc/setup.html#Unix_daemon

Finally, if you have any specific questions about installing or upgrading, or 
encounter any problems while trying, just ask on the list.  For best results, 
include as much detail about your question / problem as possible.  Include OS, 
full Tomcat version, logs, full error message or anything else relevant to the 
problem.

Dan

> About the second question. I upgraded tomcat6 my first uninstalling it then 
> installing tomcat7 from the repository.
> 
> Thanks for the reply.
> 
> 
> 
> On Thu, 8/8/13, Daniel Mikusa  wrote:
> 
> Subject: Re: Downgrade Tomcat7 to Tomcat6
> To: "Tomcat Users List" 
> Date: Thursday, August 8, 2013, 2:25 PM
> 
> On Aug 7, 2013, at 9:53 PM, Sumilang
> Plucena 
> wrote:
> 
>> I have a development server Ubuntu12.10 and
> Tomcat-7.0.30.
> 
> Are you installing from the Ubuntu repository or from the
> tomcat.apache.org download?  
> 
> If you're installing from an Ubuntu repository, I'd suggest
> that you don't.  The versions there are always way
> behind and install files into distro specific locations
> (which makes it harder for us, the tomcat mailing list, to
> support).
> 
> Installation from the zip / tar.gz on tomcat.apache.org is
> quite simple and give you more control over the version you
> install (i.e. you can get all the latest security fixes) and
> where you install the files.  In fact, when you use
> this method you can even install multiple versions on the
> same machine at the same time, which makes upgrades a bit
> easier.
> 
>> But prior to upgrading Tomcat7 from Tomcat-6.0.29 we
> never had problem with our website.
> 
> You're going from one major version of Tomcat to another,
> which means you could see some differences with your
> applications.  Please checkout the migration guide for
> more information about what has changed.
> 
>https://tomcat.apache.org/migration-7.html
> 
>> I would like to know how I can go about downgrading
> Tomcat7 without affecting applications hosted by tomcat7.
> 
> I'd suggest just fixing the issue that you are seeing with
> Tomcat 7 (feel free to post another thread asking for help
> with that), but if you *really* want to downgrade I suppose
> it should be possible.  First, how did you upgrade from
> Tomcat 6 to Tomcat 7?  What steps did you take?
> 
> Dan
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Downgrade Tomcat7 to Tomcat6

[Sumilang Plucena]

Installed tomcat6 through the repository and by manual configuration. I tried 
following the manual installation from this resource 
http://tomcat.apache.org/tomcat-6.0-doc/setup.html but end up following from 
another website 
http://www.howtogeek.com/howto/linux/installing-tomcat-6-on-ubuntu/. 

When I installed tomcat6 through the repository then tried upgrading it from 
the shell it's possible but when I tried doing the same process through manual 
installtion gave me an error that tomcat6 is not installed. Is there a more 
detailed and friendlier instruction on how to install tomcat6 on linux other 
than the link I tried to follow and ended up using other website for 
instruction.

About the second question. I upgraded tomcat6 my first uninstalling it then 
installing tomcat7 from the repository.

Thanks for the reply.



On Thu, 8/8/13, Daniel Mikusa  wrote:

 Subject: Re: Downgrade Tomcat7 to Tomcat6
 To: "Tomcat Users List" 
 Date: Thursday, August 8, 2013, 2:25 PM
 
 On Aug 7, 2013, at 9:53 PM, Sumilang
 Plucena 
 wrote:
 
 > I have a development server Ubuntu12.10 and
 Tomcat-7.0.30.
 
 Are you installing from the Ubuntu repository or from the
 tomcat.apache.org download?  
 
 If you're installing from an Ubuntu repository, I'd suggest
 that you don't.  The versions there are always way
 behind and install files into distro specific locations
 (which makes it harder for us, the tomcat mailing list, to
 support).
 
 Installation from the zip / tar.gz on tomcat.apache.org is
 quite simple and give you more control over the version you
 install (i.e. you can get all the latest security fixes) and
 where you install the files.  In fact, when you use
 this method you can even install multiple versions on the
 same machine at the same time, which makes upgrades a bit
 easier.
 
 > But prior to upgrading Tomcat7 from Tomcat-6.0.29 we
 never had problem with our website.
 
 You're going from one major version of Tomcat to another,
 which means you could see some differences with your
 applications.  Please checkout the migration guide for
 more information about what has changed.
 
    https://tomcat.apache.org/migration-7.html
 
 > I would like to know how I can go about downgrading
 Tomcat7 without affecting applications hosted by tomcat7.
 
 I'd suggest just fixing the issue that you are seeing with
 Tomcat 7 (feel free to post another thread asking for help
 with that), but if you *really* want to downgrade I suppose
 it should be possible.  First, how did you upgrade from
 Tomcat 6 to Tomcat 7?  What steps did you take?
 
 Dan
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Upgrade to Tomcat 7 Issues

[Seema Patel]

Hi,

I've upgraded my tomcat from 5.5 to 7.0.
I've also upgraded the jre from 1.5 to 7.

I'm trying to get my existing struts/servlets projects to run, but I'm getting 
the following error when running tomcat in my tomcat7-stderr...log file:

 INFO: Deploying configuration descriptor C:\Tomcat 
7.0\conf\Catalina\localhost\common.xml
09-Aug-2013 10:11:44 org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start: 
org.apache.catalina.LifecycleException: Failed to start component 
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/common]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
at 
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:656)
at 
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1635)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoSuchMethodError: 
javax.servlet.ServletContext.getSessionCookieConfig()Ljavax/servlet/SessionCookieConfig;
at org.apache.catalina.deploy.WebXml.configureContext(WebXml.java:1374)
at 
org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1346)
at 
org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:878)
at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:376)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5322)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
... 11 more

Any ideas?  Have I missed something?

Thanks
Seema