Re: http status 400 question

[David Wall]

I've never done a request dumper before, but is there a way to trigger 
it only if Tomcat is going to issue a 400?


Sorry for replying to my own posting, but for JSP urls, we do seem to 
know that request.getScheme() for example returns null when things are 
bad, though I'm not sure how a bad request even makes it to my JSP if 
it's truly malformed.


Could I use that somehow so do the request dumper aspect?  I need a few 
pointers for doing it, but it sounds like I need to install some code 
that would check for the scheme being null and then do something else to 
cause the request to dump.


Is that right?  Is that a possible approach I should take?   The issue 
is this is a customer system so we cannot make changes but in the 
evenings when they are not using it and then it probably will have to 
run all day before it can be removed later.


Thanks for any tips!

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http status 400 question

[David Wall]

On 4/16/2014 3:17 PM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


The access log of course does not give the whole story. It's possible
that the client sent for example a badly-formed HTTP header value. In
those cases, the request-line (shown in the access log) can be read
and the target context determined, but the headers can fail.

Can you narrow-down the types of requests that cause this to occur at
all? If so, you could enable a request dumper and set it to match
those requests (I think you have to write a Valve to sniff the request
and place an attribute in the request in order to trigger the request
dumper to dump the request). I wouldn't recommend using the
request-dumper on all requests: it would slow everything to a crawl
and likely represent a privacy problem as well).

- -chris


Chris,

Thanks for the reply.  We're not sure about the status 400s -- like 
today, we show 349 of them, but yesterday it was 157, and on Monday 
122.  The prior Wednesday, there were 0.


Some appear to be hack attempts or the like with requests like this:
62.210.114.138 - - [10/Apr/2014:04:02:28 -0400] "GET 
/w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 - 0 -
62.210.114.138 - - [10/Apr/2014:04:02:28 -0400] "GET 
/w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 - 0 -


But most seem to be a combination of images and JSPs that are on our 
system.  Even the user agent strings appear to be highly varied and 
requests come throughout the day.


I've never done a request dumper before, but is there a way to trigger 
it only if Tomcat is going to issue a 400?


We run the same sort of software on other servers that seem to have 
these only rarely, and the access logs make them appear like they are 
hacker/sniffers perhaps:


107.152.128.226 - - [31/Dec/1969:16:00:00 -0800] "-" 400 - 0 -
107.152.128.226 - - [31/Dec/1969:16:00:00 -0800] "-" 400 - 0 -
188.95.234.6 - - [16/Apr/2014:04:59:58 -0700] "HEAD / HTTP/1.1" 400 - 0 -

But the ones originally mentioned seem to be more likely coming from 
regular users.  What is odd is we've never had any reports of users 
complaining, but you'd think those 400s would cause someone to grumble.  
Because they appear to have valid URLs in the access logs, often 
containing the unique 20 random characters that are used by our 
application to identify a specific resource, it seems unlikely they are 
also hacker types.  The links otherwise work if we enter them into our 
browser and they should be impossible for others to guess.


David



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: JNDI initialization since Tomcat 8.0.1

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David,

On 4/16/14, 10:44 AM, David Landis wrote:
> On Sun, Apr 13, 2014 at 4:02 PM, Konstantin Kolinko 
> wrote:
>> 
>> 
>> By the way, there exists an Apache project implementing the JPA 
>> specification, http://openjpa.apache.org/
> 
> 
> It does not really work with Tomcat though does it? See this
> issue: https://issues.apache.org/jira/browse/OPENJPA-1590
> 
> or others. Also the build-time enhancement is a mess people
> shouldn't have to deal with. I was disappointed by this myself, not
> to mention that nobody seems to update the openjpa website anymore
> nor do they support jpa 2.1. Stalled project.

You'd better not tell the TomEE project that OpenJPA doesn't work with
Tomcat. They might have to stop claiming they are doing it.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTTwMZAAoJEBzwKT+lPKRYMmQQAJLG2tVwJQ5lvHF94cdt5mh/
z2x+LaQ/SlOlF4stw8BEpxo5z/rbKDIigUfvaJST5d/Z7llPdWRfMo5C1lJjJvcg
LvFHj4ivyrwBYLxhHRjj2/0HpR+HElSDBC0LmfqbJAeViR8LgtKPYcVrxv0CyWyH
unO7+6RR8sx+MSxlNruGdkZQzryDIrrsohswZCzTY5LlM7smtcRKBZqcZKa2OoVz
EFwp3AUlWw2VA8Lu9wEnkph9TFlp8zRy9O2I8MUCq6caE7tEhNBIe1VatO6pYLpI
VlPNVchTbgz6LisfSTLPE3nLE69dHi5ejG6Je6tqsXX0I2kcgvAVNEIHXlhGUolK
ea/RV/6mipIbhXZDudDsKdNW8HFW+x916oCxJvPwaQcx2v2wuHiuEizCarWg+ZVR
aCOTP3klP+BocfaHVrpe4JvfTb3uMXD4vgbD3Hbs3k/PtI9bmJ1Bj86/JDMqI+XY
8Kz+P+ItPkEPldr9/jSDCot4JlDhOWLoaCAsuQF3UN5+ZLbtXFjYkWt1y5ugqUiM
bfoBJubrHapIYd5c66jo1jf9dylI8+BlvwU5mXGSPSoqnrpVj9nn956NlJ7E5a0H
MzBULsMy1tbFF+NBPKFzpG9OicHbMKvL3EKQLj+d0F+DBmwwcXYsjYJJ+j87LdGL
1PM2wDFrorUnFJs2F+Xy
=vTHo
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: http status 400 question

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David,

On 4/16/14, 12:42 PM, David Wall wrote:
> I am running Tomcat 7.0.47 and it occasionally returns HTTP status
> codes of 400, such as the following from my access log.
> 
> A 400 suggests a malformed request, but many of these are simple
> GET requests on an image, so it seems odd they are malformed.
> We're not positive, but it seems that as these occur on JSP
> requests, we appear to be able to process a request though we get
> 'null' for various things like request.getRequestURI(),
> request.getScheme(), etc.
> 
> I read something about these and perhaps character set encoding,
> and we do have code like this at the beginning of our page
> processing (though the cannot be directly tied as our JSP/servlets
> don't process images and javascript requests):
> 
> try { if ( request.getCharacterEncoding() == null ) 
> request.setCharacterEncoding(CHARSET_UTF_8); 
> response.setCharacterEncoding(CHARSET_UTF_8); } catch(
> UnsupportedEncodingException e ) { app.warning("PageBean.init() -
> Failed to set request/response to UTF-8 encoding."); }
> 
> 
> Here's our access log of some recent 400s:
> 
> 199.231.xx.xxx - - [16/Apr/2014:12:16:31 -0400] "GET 
> /XXX/esfapp/images/esignFormsPlain.gif HTTP/1.1" 400 - 0
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET
> CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C;
> .NET4.0E) 199.231.xx.xxx - - [16/Apr/2014:12:16:33 -0400] "GET 
> /XXX/esfapp/scripts/sorttable.js HTTP/1.1" 400 - 0 Mozilla/4.0 
> (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
> .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
> Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E) 199.231.xx.xxx - -
> [16/Apr/2014:12:16:33 -0400] "GET /XXX/esfapp/scripts/sorttable.js
> HTTP/1.1" 400 - 4 - 199.231.xx.xxx - - [16/Apr/2014:12:16:33 -0400]
> "GET /XXX/esfapp/images/calendar20x14.gif HTTP/1.1" 400 - 0
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET
> CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C;
> .NET4.0E)
> 
> 160.109.NN.NN - - [16/Apr/2014:12:17:18 -0400] "GET 
> //images/logoR.gif HTTP/1.1" 400 - 2 Mozilla/4.0 (compatible;
> MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR
> 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
> 3.5.30729; .NET4.0C) 160.109.NN.NN - - [16/Apr/2014:12:17:18 -0400]
> "GET //images/logoR.gif HTTP/1.1" 400 - 0 Mozilla/4.0
> (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2;
> .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
> CLR 3.5.30729; .NET4.0C)
> 
> 71.220.ZZZ.ZZZ - - [16/Apr/2014:12:28:44 -0400] "GET 
> /ZZ/leaserenewal/js/form-functions.js HTTP/1.1" 400 - 0
> Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0

The access log of course does not give the whole story. It's possible
that the client sent for example a badly-formed HTTP header value. In
those cases, the request-line (shown in the access log) can be read
and the target context determined, but the headers can fail.

Can you narrow-down the types of requests that cause this to occur at
all? If so, you could enable a request dumper and set it to match
those requests (I think you have to write a Valve to sniff the request
and place an attribute in the request in order to trigger the request
dumper to dump the request). I wouldn't recommend using the
request-dumper on all requests: it would slow everything to a crawl
and likely represent a privacy problem as well).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTTwGUAAoJEBzwKT+lPKRYNG8P/RqIbJ0BpHZXhaCQT/hwUbpG
u4R6rlCf3LVmKYBiTNLGzr93gWw985iHCE+i6XDw+xUZlHIKeXHCNdtu0TCaOZ4P
s4qH1cOU8JDea9z/7OmM8lI1+DWxT1lsIrBLuDrg5lUTWHvV5LGNVWTQ3664q4kR
ewiM5+ayLdfOezyo/LDkLNPG9V5Xluzbnm5BGIFco7Djzq9ygmGlggCzRsryM1iM
tOBuO3a4cvYH3wNwtCANVjqYCKg0Af9+1g/teCBc7Wq3ulVOsMr1kvqGzD4eMtYo
DD5LO8RYOTwzTuKaGORJRX/JeIGm4iurCNbDW3VqPK56nxNwIlpBCyNH0xiOqhvF
JQmRjpigLEPv/UCdkDji++jgiqxJeFn+/HO4aZPtqT/KtSAqqwI6QsLjewdxdq9E
z1ddm0p+ee+XI8vpQHgHP+pJaGEaBLrzck0WrT/rCnOzMmozYmlEJL4Saq6v65Km
5h3NCPOg4v3SsL3Gu1nGLwpOU0fjKoysdVyl/ceEAA6LXZVaS0A5ylRZpG1zHtgq
LVMU3BVQZKecQidPrM7XtRF+WPe6twciVyJ/H+LouSaUyRTvvFTrbotLE4QjfZYv
8lX5lkgoSkN0lxzDkanZIGa4dGgxkGR6QyA/lirSaSxMvHSuuy8XWh/LA/mdJdj7
5zdb2kJ0T+QlGh5uiAm0
=zgV9
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Patching Tomcat for Heartbleed

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Greg,

On 4/16/14, 2:28 PM, Cormier, Greg wrote:
>> -Original Message- From: Konstantin Kolinko
>> [mailto:knst.koli...@gmail.com] Sent: April-16-14 2:12 PM To:
>> Tomcat Users List Subject: Re: Patching Tomcat for Heartbleed
>> 
>> 2014-04-16 21:44 GMT+04:00 Cormier, Greg
>> :
>>> I have a Tomcat 7.0.30 server I'm trying to patch to resolve
>>> the heartbleed
>> exploit.
>>> 
>>> I shut down the server and overwrite tcnative-1.dll with the
>>> recently
>> released version.
>>> 
>>> When I restart tomcat, I get errors about the Java Key Store.
>>> 
>>> Apr 16, 2014 9:36:07 AM
>>> org.apache.catalina.core.AprLifecycleListener init INFO: The
>>> APR based Apache Tomcat Native library which allows optimal
>> performance in production environments was not found on the 
>> java.library.path: D:\Tomcat 
>> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Wi
>>
>> 
ndows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\S
>> ystem32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
>> 
>> The above means that tcnative-1.dll was not found in the
>> directories listed above.
>> 
>> I would guess that you used a wrong DLL. It must match the CPU
>> architecture of JRE/JDK that you are using.
>> 
>> Is tcnative-1.dll file readable?
> 
> Hmm, I think this might be the case - I may have snagged the 32 bit
> version instead of 64 bit! I will try this after business hours so
> I can take Tomcat offline and let you know!

If you bounced Tomcat and got the above error, then your connector is
dead anyway. Unless you rolled-back to the prior configuration, you
are already down.

If you are pretty sure you are not down even with the above errors,
then perhaps you don't need that connector at all. Is Tomcat
terminating SSL for you? No web server or SSL-terminating
load-balancer in front of Tomcat?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTTwBPAAoJEBzwKT+lPKRYBDgP/1yTjd/FIq4QHp2Ozvif+PP7
JW2knwVsk7A/63AmmZqzGPMoZrq7XrGTuhoinfTNCzQn6nlPNi8w/Fw+/btdPisp
LHDcgVThsYJJLhmPq8T3IiH9A9QY9hAugVs4OlGuetHtoZf5J5W7P1qMmrj8/3Cc
ejgKr4/a5/qzIVTsXfY5aNzjQicxC1yJgUwP0kuPojh4yc8ZQ6JO0jEmFCycfrmy
7fHwKosUoWOs4O5+wkzNMnhiEY5hGHDUujY5oQTY9RFdjbGJDzEfxGs2EEiH6S4v
A1pV/Srn/aNdT9PKkP5tH8ZgCJr4W4XRqr60UEe5Q27Ghii5ZzYYHWZ99FZF1TmE
slzL5ZQXEs7wjXt5nwxWOa0zuiP7oTGD02qHiyN76oVcq039x4NXc0JtiZbLJFlG
eR2HstrpRs3eFRXieuPfiFPEdbvn6uzgJi2A4mm+s1XOzyb5x8MGwNaUy3RnANem
OAf9h3BOVEV2wUfHmPhY896uia/cwpVuX0NAOehkJWqQF1UJ7wCeE0bRUjK+B62d
Qm1/j8vgcqNDjRatAFXig+/kLuHsRj+SA1PjoGLdU7UZ03qt075EIGxC/2YjbyKI
0AxJznTMRh0aPAAkyrkdsJIRZdNDWReOFmDAtp3fnsXvSZNjmr54pHK1SQFPvDzP
vwBJAPdIIeeb+G1MPz5+
=Dwd1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configuration question

[Daniel Mikusa]

On Apr 16, 2014, at 1:42 PM, Mark Murphy  wrote:

> How do I prevent Tomcat 6 from responding to a request to an IP address,
> that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.

Just an idea, but you could probably do this with a filter or a valve.  You 
could try looking at request.getServerName() (or just the host header) and 
using that to approve or deny the request.

Tomcat has a valve that you can sub class to make this easier (if you go with a 
valve).

  
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RequestFilterValve.java?view=markup

an example of this is the RemoteHostValve.

  
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/RemoteHostValve.java?view=markup

> 
> Is this possible?
> 
> The problem is that our web security scanner is reporting "Web Server Uses
> Basic Authentication Without HTTPS”,

Is basic auth enabled (look through your application’s web.xml files for 
"auth-method” set to “BASIC”)?  If so, is disabling it an option?  If not, you 
should look at setting a "transport-guarantee” of “CONFIDENTIAL” in web.xml so 
that the application will redirect to HTTPS (or worst case use a filter like 
the UrlRewriteFilter to force HTTPS).

> and the infrastructure guys think it is because Tomcat allows connection to 
> the IP address.

I not sure how this is expected to help.  I suppose if the scanner was sending 
requests using the IP address and not the host, you could filter and block 
those requests.  That might trick the scanner into thinking the server is not 
accepting basic authentication.  I’m not sure how it would address the issue 
mentioned by the scanner though (assuming the scanner is not at fault here).

Dan
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Patching Tomcat for Heartbleed

[Cormier, Greg]

> -Original Message-
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Sent: April-16-14 2:12 PM
> To: Tomcat Users List
> Subject: Re: Patching Tomcat for Heartbleed
> 
> 2014-04-16 21:44 GMT+04:00 Cormier, Greg :
> > I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed
> exploit.
> >
> > I shut down the server and overwrite tcnative-1.dll with the recently
> released version.
> >
> > When I restart tomcat, I get errors about the Java Key Store.
> >
> > Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: D:\Tomcat
> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Wi
> ndows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\S
> ystem32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
> 
> The above means that tcnative-1.dll was not found in the directories
> listed above.
> 
> I would guess that you used a wrong DLL.
> It must match the CPU architecture of JRE/JDK that you are using.
> 
> Is tcnative-1.dll file readable?

Hmm, I think this might be the case - I may have snagged the 32 bit version 
instead of 64 bit! I will try this after business hours so I can take Tomcat 
offline and let you know!


> 
> 
> > Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init
> > INFO: Initializing ProtocolHandler ["http-bio-443"]
> >
> > Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory
> getStore
> > SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to
> C:\.keystore (The system cannot find the file specified)
> > java.io.FileNotFoundException: C:\.keystore (The system cannot find the
> file specified)
> > at java.io.FileInputStream.open(Native Method)
> > at java.io.FileInputStream.(Unknown Source)
> > at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFacto
> ry.java:400)
> > ...
> >
> >
> > I don't understand why I'm getting these, as I'm 99% sure I'm using APR and
> not JSSE.
> >
> >
> >  
> Replace protocol="HTTP/1.1" with explicit
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
> 
> The former auto-switches between BIO and APR.
> The latter explicitly uses the APR implementation.

Thanks! I will change the config file as well!

> 
> > maxThreads="150" scheme="https" secure="true"
> > clientAuth="false" sslProtocol="TLS"
> > SSLPassword="xxx"
> > SSLCertificateFile="xxx/server.crt"
> > SSLCertificateKeyFile="xxx/privkey.pem"
> > SSLCACertificateFile="xxx/server.crt"
> > SSLCertificateChainFile="xxx/server.crt"
> > Compression="on"/>
> >
> > I haven't setup any keystore, as I'm not using the Java Key store for 
> > this...
> I'm not sure why the new version is trying to find a keystore despite this 
> fact.
> >
> 
> Best regards,
> Konstantin Kolinko
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Patching Tomcat for Heartbleed

[Konstantin Kolinko]

2014-04-16 21:44 GMT+04:00 Cormier, Greg :
> I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed 
> exploit.
>
> I shut down the server and overwrite tcnative-1.dll with the recently 
> released version.
>
> When I restart tomcat, I get errors about the Java Key Store.
>
> Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal 
> performance in production environments was not found on the 
> java.library.path: D:\Tomcat 
> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.

The above means that tcnative-1.dll was not found in the directories
listed above.

I would guess that you used a wrong DLL.
It must match the CPU architecture of JRE/JDK that you are using.

Is tcnative-1.dll file readable?


> Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-443"]
>
> Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory 
> getStore
> SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to 
> C:\.keystore (The system cannot find the file specified)
> java.io.FileNotFoundException: C:\.keystore (The system cannot find the file 
> specified)
> at java.io.FileInputStream.open(Native Method)
> at java.io.FileInputStream.(Unknown Source)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
> ...
>
>
> I don't understand why I'm getting these, as I'm 99% sure I'm using APR and 
> not JSSE.
>
>
>  maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> SSLPassword="xxx"
> SSLCertificateFile="xxx/server.crt"
> SSLCertificateKeyFile="xxx/privkey.pem"
> SSLCACertificateFile="xxx/server.crt"
> SSLCertificateChainFile="xxx/server.crt"
> Compression="on"/>
>
> I haven't setup any keystore, as I'm not using the Java Key store for this... 
> I'm not sure why the new version is trying to find a keystore despite this 
> fact.
>

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Patching Tomcat for Heartbleed

[Cormier, Greg]

I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed 
exploit.

I shut down the server and overwrite tcnative-1.dll with the recently released 
version.

When I restart tomcat, I get errors about the Java Key Store.
   
Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
D:\Tomcat 
7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.

Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init 
INFO: Initializing ProtocolHandler ["http-bio-443"]

Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory 
getStore
SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to 
C:\.keystore (The system cannot find the file specified)
java.io.FileNotFoundException: C:\.keystore (The system cannot find the file 
specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.(Unknown Source)
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
...


I don't understand why I'm getting these, as I'm 99% sure I'm using APR and not 
JSSE.




I haven't setup any keystore, as I'm not using the Java Key store for this... 
I'm not sure why the new version is trying to find a keystore despite this fact.

Thanks,
Greg


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Configuration question

[Mark Murphy]

How do I prevent Tomcat 6 from responding to a request to an IP address,
that is I only want my Tomcat server to respond to requests to
www.mydomain.com vs. 10.1.1.1.

Is this possible?

The problem is that our web security scanner is reporting "Web Server Uses
Basic Authentication Without HTTPS", and the infrastructure guys think it
is because Tomcat allows connection to the IP address.

Does this make sense?

http status 400 question

[David Wall]

I am running Tomcat 7.0.47 and it occasionally returns HTTP status codes 
of 400, such as the following from my access log.


A 400 suggests a malformed request, but many of these are simple GET 
requests on an image, so it seems odd they are malformed.  We're not 
positive, but it seems that as these occur on JSP requests, we appear to 
be able to process a request though we get 'null' for various things 
like request.getRequestURI(), request.getScheme(), etc.


I read something about these and perhaps character set encoding, and we 
do have code like this at the beginning of our page processing (though 
the cannot be directly tied as our JSP/servlets don't process images and 
javascript requests):


try
{
if ( request.getCharacterEncoding() == null )
request.setCharacterEncoding(CHARSET_UTF_8);
response.setCharacterEncoding(CHARSET_UTF_8);
}
catch( UnsupportedEncodingException e )
{
app.warning("PageBean.init() - Failed to set request/response to 
UTF-8 encoding.");

}


Here's our access log of some recent 400s:

199.231.xx.xxx - - [16/Apr/2014:12:16:31 -0400] "GET 
/XXX/esfapp/images/esignFormsPlain.gif HTTP/1.1" 400 - 0 Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET 
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 
6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E)
199.231.xx.xxx - - [16/Apr/2014:12:16:33 -0400] "GET 
/XXX/esfapp/scripts/sorttable.js HTTP/1.1" 400 - 0 Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET 
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 
6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E)
199.231.xx.xxx - - [16/Apr/2014:12:16:33 -0400] "GET 
/XXX/esfapp/scripts/sorttable.js HTTP/1.1" 400 - 4 -
199.231.xx.xxx - - [16/Apr/2014:12:16:33 -0400] "GET 
/XXX/esfapp/images/calendar20x14.gif HTTP/1.1" 400 - 0 Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET 
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 
6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E)


160.109.NN.NN - - [16/Apr/2014:12:17:18 -0400] "GET 
//images/logoR.gif HTTP/1.1" 400 - 2 Mozilla/4.0 (compatible; MSIE 
8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 1.1.4322; .NET 
CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
160.109.NN.NN - - [16/Apr/2014:12:17:18 -0400] "GET 
//images/logoR.gif HTTP/1.1" 400 - 0 Mozilla/4.0 (compatible; MSIE 
8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 1.1.4322; .NET 
CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)


71.220.ZZZ.ZZZ - - [16/Apr/2014:12:28:44 -0400] "GET 
/ZZ/leaserenewal/js/form-functions.js HTTP/1.1" 400 - 0 Mozilla/5.0 
(Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: JNDI initialization since Tomcat 8.0.1

[David Landis]

On Sun, Apr 13, 2014 at 4:02 PM, Konstantin Kolinko
wrote:
>
>
> By the way, there exists an Apache project implementing the JPA
> specification,
> http://openjpa.apache.org/


It does not really work with Tomcat though does it? See this issue:
https://issues.apache.org/jira/browse/OPENJPA-1590

or others. Also the build-time enhancement is a mess people shouldn't have
to deal with. I was disappointed by this myself, not to mention that nobody
seems to update the openjpa website anymore nor do they support jpa 2.1.
Stalled project.

RE: Tomcat logging with Log4j

[Scott Bailey]

I was able to get one of our developers and it was simple for them to add the 
logging for our app to the logback we are using a file and add logging 
rotation. My issue is resolved. Thanks for the help though.

-Original Message-
From: Scott Bailey [mailto:sbai...@donlen.com]
Sent: Tuesday, April 15, 2014 3:15 PM
To: Tomcat Users List
Subject: RE: Tomcat logging with Log4j

Hello Christopher,
> What steps did you actually take?
Steps on this site: 
http://mrhaki.blogspot.com/2011/02/configure-log4j-on-tomcat.html

Downloaded new jars from "extras" for tomcat. tomcat-juli.jar and 
tomcat-juli-adapters.jar. Placed the tomcat-juli.jar file in our 
$CATALINA_BASE/bin directory. The file tomcat-juli-adapters.jar is copied to 
our $CATALINA_BASE/lib directory.
Downloaded the latest log4j 1.2 library from the download page and copied to 
the $CATALIN_BASE/lib directory.
Added the Log4j configuration file as it is on the link above. Disable the old 
Tomcat JUL logging configuration by deleting logging.properties Placed the 
Log4j configuration file. In the $CATALINA_BASE/lib directory


I am not a java person but I believe we are using logback is what our java 
developers say, we do not state what files to log to but what to log and I 
think Tomcat logged it to the log file.









Thanks!



-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, April 15, 2014 2:22 PM
To: Tomcat Users List
Subject: Re: Tomcat logging with Log4j

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Scott,

On 4/15/14, 2:50 PM, Scott Bailey wrote:
> We need to add log rotation and log size management to tomcat 7.
> Tried converting to Log4j steps from tomcat website
> (http://tomcat.apache.org/tomcat-7.0-doc/logging.html) but did not
> work, was able to get it to work from
> (http://mrhaki.blogspot.com/2011/02/configure-log4j-on-tomcat.html).
>
>
It seems we are not getting any logging from our webapp though, and
> prior to this change it was getting logged in stdout and stderr.

What steps did you actually take?

> Does something need to be changed in log4j.properties to still capture
> stdout and stderr to log file with Log4j?

How are you logging from within your application? ServletContext.log()?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTTYbNAAoJEBzwKT+lPKRYHB4P/RUlDHyT2wQTt41S0YB/VbCR
leQxOtDJYeO3WZ3qERNP1yzmX3GW2xKfxy8+5yXAgmPugO4LXbW2sj7a4VEDuR3D
l5a/AkjqvsEdJFvWAB/77NFzWvcbOfiBT5Iw8AdkoprzaitdsD7UelLA7OlLbSCr
EnLp1ZQmVJHEdAaFc0Rr2tH7SY1oSFZM19wmihBPTFZsOfnssiEnDnO6zhxgl9kG
IlvNNuadefd0TxUiaNsncNYQatGjNsWHsjf6miYcEuJ2ZEz8x0YBzZv60MP0qiVi
U/YvkvQCwGJU9wYvK9SjKpmJrunnB2dt3zKL724+qCw4D8h7qcccq6yytBXGRDha
x4847oIbkvG7fqtljQTjfefuh8fFKalEVR8LP3huQtHqkpT4YRnRhJifFwZQmz1E
aj7h/dz91F5pWmN673Fs8aO5LAM8qvsk7sT89QtBle0REeFZFEGPqGwBsDDV4sgE
Shnr4JuR+xVyGCInHzV/zMDJ4EtVZVHRNFUnG9zS9Q5+FWfiOVc4cqxb4s6NgRKg
mVhC8qharbzt/3I0nLNtMIxbz8c7hB2zNGBgjaQHEZ8BNp0+p3MtEOz9fGywi0pR
CEL+HtjWbfaV+O8d3HSLyQMqtT5/ZOm10ZBG0s1yFjhaoxwz3yUjLLu2G3TeGJeD
rRzHvGKrkAwWRehs+Zgm
=g0p8
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

DISCLAIMER: This electronic mail message and any attached files contain 
information intended for the exclusive use of the intended addressee and may 
contain information that is proprietary, privileged, confidential and/or exempt 
from disclosure under applicable law. If you are not the intended recipient, 
you are hereby notified that any viewing, copying, disclosure or distribution 
of this information may be subject to legal restriction or sanction. Please 
notify sender if you are an unintended recipient and delete the original 
message without making copies. Thank you.
B CB  [  
X  ܚX KK[XZ[
 \ \  ][  X  ܚX P X ]
 \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \  Z[ X ]
 \X K ܙ B
DISCLAIMER: This electronic mail message and any attached files contain 
information intended for the exclusive use of the intended addressee and may 
contain information that is proprietary, privileged, confidential and/or exempt 
from disclosure under applicable law. If you are not the intended recipient, 
you are hereby notified that any viewing, copying, disclosure or distribution 
of this information may be subject to legal restriction or sanction. Please 
notify sender if you are an unintended recipient and delete the original 
message without making copies. Thank you.

Re: How to programmatically get the disableURLRewriting context attribute value?

[Mark Thomas]

On 16/04/2014 09:31, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hello all,
> 
> Sorry to post my question again but I have no answer till now.

http://wiki.apache.org/tomcat/FAQ/Tomcat_User#Q2


> Could anyone tell me if it would be better to post it to the tomcat-dev
> mailing list?

No, this should not be posted to the dev list.

Mark


> I don't think so, but maybe I'm wrong.
> 
> For more details, please see the original question here:
> 
> http://marc.info/?l=tomcat-user&m=139713494623287&w=2
> 
> Thanks in advance for your help,
> 
> Regards,
> 
> Lo
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Performance - Java Profiler, JVM instrmentation

[Frederik Nosi]

Hi Shanti,
On 04/15/2014 09:56 PM, Shanti Suresh wrote:
[...]

I find Chris' example on writing filters to map to URL patterns for
response-time metrics relevant.  I would also like stall counts,
concurrent invocations etc.

What is a stall-count? How would you record "concurrent invocations",
etc.?


So here is my understanding of these metrics:

So if a request for a servlet or JSP exceeds a given time interval, that
would be a stall.  The interval may depend upon the application.  In some
cases, 10 seconds would be considered a stall, some cases, 30 seconds would
be a stall.


This can be done enabling the access log and adding a %D on the log 
format string, here's

what i add to server.xml in tomcat 6:


directory="logs"

   prefix="access." suffix=".log" resolveHosts="false"
   pattern='%h %u %t "%r" %s %b %I %D'
   buffered="false" />


then you get another log file, in this case access.DATE.log where the 
last entry is the time in milliseconds

it took to complete the request.

Than just do a:

cat access.DATE.log | awk '{ if ($NF > DURATION) { print $0 } }'

Hope you got the idea





Similarly, how many times a servlet is invoked in a given time period would
count as concurrent invocations.  Intervals used for the reckoning here may
be shorter - like 5 seconds - to make it more meaningful for concurrency
values.


You can use the access log for this too

[..]


Frederik

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

How to programmatically get the disableURLRewriting context attribute value?

[lo lo]

Tomcat version 6.0.x on Linux OS

Hello all,

Sorry to post my question again but I have no answer till now.
Could anyone tell me if it would be better to post it to the tomcat-dev
mailing list?
I don't think so, but maybe I'm wrong.

For more details, please see the original question here:

http://marc.info/?l=tomcat-user&m=139713494623287&w=2

Thanks in advance for your help,

Regards,

Lo

Re: tomcat 7.0.53 error

[Martin Knoblauch]

On Wed, Apr 16, 2014 at 7:03 AM, Philippe Couas  wrote:

> Hi, I want migrate from tomcat 7.0.52 to 7.0.53. My tomcat is launched in
> standalone mode from command line (linux level3)Currently i have a servlet
> that create image to disk and only with last version i have following error
> message"Exception in thread "http-bio-8080-exec-10"
> java.lang.InternalError: Can't connect to X11 window server using ':0.0' as
> the value of the DISPLAY variable."Same servlet running perfect with
> previous version. RegardsPhil


Hi Philippe,

 seems some [new] component wants to talk to the X server. Can you try to
add "-Djava.awt.headless=true" to the JAVA_OPTS when starting Tomcat? We
are using that to avoid dependence on X11 in our application.

Cheers
Martin
-- 
--
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de