Re: Apache TomCat 5.5

2016-09-14 Thread tomcat 

Mary,
have a look here : http://tomcat.apache.org/whichversion.html
Tomcat 5.5 was first released about 10 years ago, and the last modification to 
it was in 2012.
The current "stable" version is Tomcat 8.5.5.

For Open Source and free software such as Apache Tomcat, that means that your chances of 
getting support and help for such an old version are really not good, because most of the 
people which would be able to help you probably do not run that version anywhere anymore.

Even the documentation is not directly available on-line anymore.

Regarding your particular issue, it is even possible that the requirement which you are 
mentioning is younger than Tomcat 5.5 and cannot be met by such an old software version.
It is even likely that, considering the age of your Tomcat and the age of the Java JVM it 
is probably running under, there are a whole lot of other security issues with your 
server, which make it impossible to make it "secure as the government requires".


What I am saying is that you are probably wasting your time, and ultimately your 
employer's time, with this approach.


You seem to mention below that you are using Tomcat "with IIS".  Maybe this IIS is a 
front-end to Tomcat, and users access Tomcat always through IIS.
If so, then as long as the connection between IIS and Tomcat is secure (e.g. they run on 
the same host), then you should probably take care of the SSL/HTTPS (and header) aspect on 
the IIS front-end.
That is, if you /really/ cannot upgrade Tomcat and if your applications /really/ do not 
run under a newer version of Tomcat and Java.



On 14.09.2016 20:49, Pham, Mary (NIH/OD/ORS) [E] wrote:

Hi Daniel,

A new bee has to learn on an outdated systems!  We cann't up upgrade due to 
dependency of apps and forms, that's what I've learned.
Thank you for the link.  To be honest I do not know what to do yet.  I've 
checked and seen several web.xml files, in different directoriesSome I 
think is original, some had modified.

Regards,

-Mary

-Original Message-
From: Daniel Küppers [mailto:dan...@tetralog.com]
Sent: Wednesday, September 14, 2016 11:17 AM
To: Tomcat Users List 
Subject: Re: Apache TomCat 5.5



Hello EveryOne,

As new bee of Apache.  We have been using one of the old Apache TomCat on windows server 
2008R2, IIS 7.  After we purchased and installed the SSL certificate.  We need to apply a 
header directive in Apache "Strict-Transport-Security" so that our web site 
would be secured as the Government required.  My question is where can I insert this 
line?  In which and where's the files in Apache TomCat 5.5, JDK 8 updated 102.  Is it in 
the same server.xml file as we modified the connector for SSL.
Look forward to hearing from your supports.

Regards,


Mary Pham
Information Technology Specialist
National Institutes of Health Library
Division of Library Services
Office of Research Services
10 Center Drive, Room 1L07, MSC 1150
Bethesda, MD 20892-1150
T. 301.496.1506
maryp...@mail.nih.gov

Hello Mary,

you are using a quite outdated tomcat. A quick googling brought me to 
stackoverflow, which might solve the problem for your tomcat 5.5. the easiest 
way possible is to add a filter to your webapp and apply the HSTS header in the 
response. You can make use of the buildin HSTS support, if its possible to 
upgrade your tomcat to a recent version.
Related SO-Question:
http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat

Best regards,

Daniel

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AccessLogValve logging incorrect/cached data

2016-09-14 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ryan,

On 9/13/16 5:13 PM, Ryan Melissari wrote:
> We have recently noticed that our Tomcat installation is writing
> incorrect data to the localhost_access_log.  It seems to be writing
> cached data of a previous request for some or all of the fields.
> For example, sometimes the jsessionid of another IP/client is
> written in the logs of having made a request for a page.  There are
> other times where the request came from one computer, but is logged
> with the IP and sessionid of another computer.  I have included a
> sample of the access log that shows what I mean.
> 
> So far we have upgraded to the newest version of Tomcat (8.5.5) and
> added RECYCLE_FACADES=true to our catalina.properties file.   We
> also see the same behavior from inside our application using
> getRemoteAddr().  At this point I am not really sure how to proceed
> as google doesn't return anything about a problem like this.  Any
> suggestions would be appreciated.

You mean you set the system property
org.apache.catalina.connector.RECYCLE_FACADES=true, right?

How did you set that system property?

It's still possible that your application is trashing a request or
response object before the logger has a chance to emit the log message
(which typically happens at end *end* of the request processing cycle).

> Tomcat 8.5.5 OS:  Solaris 11.3 sun4v sparc Java:  1.8.0_92 
> TCNative: 1.2.7
> 
> 
> 
> 
> *server.xml:*  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="300" SSLEnabled="true" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLSv1.2" maxHttpHeaderSize="65536" 
> keystoreFile="/tomcat/.keystore" keystorePass="" compression="on" 
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/java
script,application/javascript"
>>
>
> 

> 
> ...
> 
>  directory="logs" prefix="localhost_access_log" suffix=".txt" 
> renameOnRotate="true" pattern="%h %l %u
> %{-MM-dd'T'HH:mm:ss.SSSZ}t %r %s %B %S %D
> %{Referer}i" />
> 
> 
> 
> *Clients:*
> 
> Client1: 192.168.1.100 JSESSIONID:
> C345EEC54EA556A5E55CE1F7AAB9B706
> 
> Client2: 192.168.1.105 JSESSIONID:
> DF4331A7668F8D67249A86DA2313029D
> 
> 
> 
> *localhost_access_log.txt:*
> 
> 192.168.1.100 - - 2016-09-13T14:33:34.154-0500 "GET 
> /javascript/flyout-nav.js HTTP/1.1" 304 0
> DF4331A7668F8D67249A86DA2313029D 7 https://192.168.1.1/
> 
> 192.168.1.105 - - 2016-09-13T14:57:59.110-0500 "GET 
> /javascript/custom-expand.js HTTP/1.1" 304 0 
> C345EEC54EA556A5E55CE1F7AAB9B706 11 https://192.168.1.1/

That certainly looks weird. Why is your "Referer" header coming in as
192.168.1.1? That looks like a home router's default IP address.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX2cuhAAoJEBzwKT+lPKRYZa0P/iTFmPHzw2Kd1m8JXyFQZxZw
zLswCiZCbLBRLVW3dfjgsDEtacx0+1WCwZDKm8NNUN2GbPuGfkqZhLmds0N8kfxI
TyNaJPlSXHPP5syUoWVMd3sB0X+o4k5xBNNBI9uFUQ0dUmw5JxRpyI+hHXTpUC+K
NS4ZKHdvUGJbXOION29tGQrkNORtRtVKGalu/vDxz6HSJC1AOPwAkT1SlmHp7UOF
cDeDyJDVLP9SAnFlu/RxIS7yuakyBpOTormEZHAJ1zRbIrKUk6qsJ/2ffyejcaBR
MgyrEALO9XN8MU2q+4TGWRl+qAAvWjuThZaJe7Z13OwyNS0/FwJ5RwRELrwgJlvc
nAfPU0BLZbnoK5dGiD2n81KUvN99+OJ5jvlfOcWSR3yncIvQAUAswR1rEdX8VFCB
Bcb+brZG9I9UvCvUP39OyyiuJp02WLGor9kJXiuGe7DxKBVOZ3a9rr69vTx2nd5C
DWmhkust6LhcjsarmmApe1k0f3UrCytl1nwRiFw4l7b/4R8VFHyaVuwGQb3uYsrh
EB22vkEtk9+oTiH6LvItw7EJX45JwuCiK59qcFL6g4do+it0V3zwInmgVUY27QoC
gW+LUQrplv7MdOCTPXYQnqs6tG5e9nO3WIjg4NYg3Vhu9IAYVhwDQsw//6k7BgKh
uKqvbWKapQTuKKjCBvvO
=bocl
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Fwd: Compiling Tomcat Native 1.2.8

2016-09-14 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Pierce,

On 9/12/16 4:32 PM, Pierce Allen wrote:
> I run a collection Tomcat web servers on Redhat 7.2 (up-to-date)
> 
> Normally we like to compile and use the latest stable version of
> Tomcat Native we can get our hands on (currently the one that ships
> with Tomcat 8.5.5.0 is labeled tcnative 1.2.8). However, when I try
> to compile recent versions of Tomcat Native I get an error that my
> OpenSSL version is too low:
> 
> checking OpenSSL library version >= 1.0.2... configure: error:
> Your version of O penSSL is not compatible with this version of
> tcnative
> 
> I don't really want to muck up the distro by trying to update
> OpenSSL by downloading and compiling OpenSSL's source code. RedHat
> backports security fixes to OpenSSL 1.0.1e so there are no
> "heartbleed" or other known vulnerabilities with the in-band
> OpenSSL version.  Is there some workaround or procedure that can be
> used to get recent versions of Tomcat Native to compile on up to
> date RedHat systems?

You can still run with a tcnative 1.1 against this older version of
OpenSSL. What version do you actually have?

You can also try to use "--disable-openssl-version-check" with
./configure to ignore the version check and hope for the best.
Officially, tcnative 1.2.x requires a minimum of OpenSSL 1.0.2

http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX2ci5AAoJEBzwKT+lPKRYhO4QALNlQJt2jUCIi/nvzSBXeJfP
UG7Ui7gDsuep8GhXVNftb9rY6CXqF66va4lhJUbE2CmNBsyZuLzH8PYxZNthS9IB
em4rLPA9rCKlx+JpZkvSSqNIO4cn9NO8jiZJrBVQRHomvOTkFC6SWI4Dhgoz5xtE
U1PSp2LYpDfgI6ugxPUFc44G4WLOXVzmXlo3i7I9CSfD/BwQQl1xUOkExRXObTDH
va5/uzMqBCFSVo+aUXt6af89ja6hNYHY66wS1wLlspCGWD3Y4MPa3eXy83TUc2ph
F06Y47ShCJPnRI0ssGFNHKSltPLgsYTUzepTQ39517Sn4Svk5Wnk3jD9C18NN7mW
+BRuiIOwScxM2Z8V1LsvaxTtFNE+xP3443CvN08CzDE1+qt1zas6iJXU7ZcIfQFC
5VwQWTfojsxrr6l1/jSBw8qZjc6nFwqDiNsnDpJl0rki39yxTQi6WXl761C49GRZ
2b2lb9j4YPDKr4ia5mnJFY7zGA0Tk9QBZXZvk/P4/qeeZ0o01xjhqOUvz6o9GUfs
Q08Rs6aJyUtvZq75TuY+377Psglrq/IiyldGs3r8f5R2xrL/VxEOPdQXKCEvm8dU
yenLlAGMwfHdEhh8LLgxfhNJtYjjtLLGUjlvvSUT0b0OJl/UO6Xwc4h2tCImZXLs
gKhKu89iXpLMDphJEoCB
=WXCg
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using hashes in tomcat-users.xml

2016-09-14 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Brian,

On 9/14/16 3:40 PM, Paquin, Brian wrote:
> I was able to setup Tomcat 8.0.35 to use a SHA hashed password in 
> tomcat-users.xml (trying to secure the Manager app a bit more),
> but the same setup does not work on 8.5.5.
> 
> Is there something I need to change to get this to work again?

Yes.

> server.xml engine:  defaultHost="localhost">  className="org.apache.catalina.realm.LockOutRealm" failureCount="3"
> lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600"> 
>  resourceName="UserDatabase"/>   appBase="webapps" unpackWARs="true" autoDeploy="true"
> deployXML="true">  className="org.apache.catalina.realm.MemoryRealm" digest="SHA" /> 
>  directory="logs" prefix="localhost_access_log" suffix=".txt" 
> pattern="%h %l %u %t %r %s %b" />
> 
> Command to generate hash that was used as the user’s password in 
> tomcat-users.xml: /usr/local/tomcat/bin/digest.sh -a SHA
> my_password
> 
> In 8.5.5, I can login to Manager if I replace the SHA hash with
> the plaintext version of the password…
> 
> I read through 
> https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
> still can’t get it to work.

Have a look at http://tomcat.apache.org/migration-85.html,
specifically http://tomcat.apache.org/migration-85.html#Internal_APIs

Note that SHA passwords are no better than plaintext passwords. If you
want to *actually* add some security, you need to at least use salted
passwords. Better yet, use a PBKDF.

You might want to have a look at this presentation:
http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgra
des%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX2cL/AAoJEBzwKT+lPKRYm7AP/jW9ux3JM/zsSJjPymE/xPMw
/mpI1Jh2kCViRA+wF9vWcuuHN/T/ib5MwinYdZnqwvtddRQUoBY5jKKcjieJWhFo
UwdSZGmXGHOtJMyB+9DPIo17HuuSmxMNXDILCAaMd8pXvKZgsPJv4x9/lPC5uHyJ
SpSJ9vcc6NKDzQq8AV/F9Q17HCaGPkl1Vi2d+Sbpvcm5vdqgKcDlGcOe6exUlIWP
pMiOkvo+hEG77WpGKz1E2C0gBz3O1vs2AKwzWP3gmh10NinUNvfzPY9iqAylFNAq
c5Mk+rvliCcQWss+O54IfbVO2dYElbcy3hktn4X7h1UOxSuw6qGJ3HeKsUBKlIho
5rL9J8nwkF+lechxVgdh4Q8CWJVZ5AsicmwMnd88o00TG8fO0XAb3oM496I0meLg
xeiOTexg8S0RPLVFnCQ8mckaeTVzooLzuezJLAXO4YUnEZJHPrehR+ZL8Oblk6Fa
102AA+LFpCkW1L0JEFMrpCzmEc3Ue6VMVPeNorfTv/u2MBFfM+hpR0kmeDURUoA8
C+i0Z4GHxRVL7M96ba2Irxs4eNkCV2v9IvCsgnz3LTXKuAggd/6dCTEPYEkE2sTO
Tju+To9xWVudj6gwmya7SfNeKxb4PECBP4NgD5uRoljNDJNW1Eu80m7C2cxRGao8
LXmKRsuWXsrTt6OOA9wZ
=2Z2D
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Using hashes in tomcat-users.xml

2016-09-14 Thread Paquin, Brian 
I was able to setup Tomcat 8.0.35 to use a SHA hashed password in 
tomcat-users.xml (trying to secure the Manager app a bit more), but the same 
setup does not work on 8.5.5.
Is there something I need to change to get this to work again?

server.xml engine:

  

  
  



Command to generate hash that was used as the user’s password in 
tomcat-users.xml:
/usr/local/tomcat/bin/digest.sh -a SHA my_password

In 8.5.5, I can login to Manager if I replace the SHA hash with the plaintext 
version of the password…

I read through https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but 
still can’t get it to work.

Thank you,

Brian

RE: Apache TomCat 5.5

2016-09-14 Thread Caldarale, Charles R 
> From: Pham, Mary (NIH/OD/ORS) [E] [mailto:maryp...@mail.nih.gov] 
> Subject: Apache TomCat 5.5

> We have been using one of the old Apache TomCat on windows server 2008R2, IIS 
> 7.

Firstly, it's Tomcat, not TomCat.

> We need to apply a header directive in Apache "Strict-Transport-Security" so 
> that our web site 
> would be secured as the Government required.

Your web site is pretty much guaranteed to be _insecure_ as long as you're 
running that old - and unsupported - version of Tomcat.  The last Tomcat 5.5 
release was nearly four years ago, and many, many vulnerabilities have been 
addressed since then.  SSL does not protect you against those.  You really must 
upgrade to a supported level (preferably 8.5), after carefully reading the 
migration guides:
http://tomcat.apache.org/migration.html

Not doing so makes anything else you try pointless.

> My question is where can I insert this line?

As suggested by Daniel, a filter is your best bet - but upgrade Tomcat first.  
Not doing so leaves you subject to many more liabilities than lack of HSTS.

 - Chuck 


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Apache TomCat 5.5

2016-09-14 Thread Pham, Mary (NIH/OD/ORS) [E] 
Hi Daniel,

A new bee has to learn on an outdated systems!  We cann't up upgrade due to 
dependency of apps and forms, that's what I've learned.
Thank you for the link.  To be honest I do not know what to do yet.  I've 
checked and seen several web.xml files, in different directoriesSome I 
think is original, some had modified.

Regards,

-Mary

-Original Message-
From: Daniel Küppers [mailto:dan...@tetralog.com] 
Sent: Wednesday, September 14, 2016 11:17 AM
To: Tomcat Users List 
Subject: Re: Apache TomCat 5.5


> Hello EveryOne,
>
> As new bee of Apache.  We have been using one of the old Apache TomCat on 
> windows server 2008R2, IIS 7.  After we purchased and installed the SSL 
> certificate.  We need to apply a header directive in Apache 
> "Strict-Transport-Security" so that our web site would be secured as the 
> Government required.  My question is where can I insert this line?  In which 
> and where's the files in Apache TomCat 5.5, JDK 8 updated 102.  Is it in the 
> same server.xml file as we modified the connector for SSL.
> Look forward to hearing from your supports.
>
> Regards,
>
>
> Mary Pham
> Information Technology Specialist
> National Institutes of Health Library
> Division of Library Services
> Office of Research Services
> 10 Center Drive, Room 1L07, MSC 1150
> Bethesda, MD 20892-1150
> T. 301.496.1506
> maryp...@mail.nih.gov
Hello Mary,

you are using a quite outdated tomcat. A quick googling brought me to 
stackoverflow, which might solve the problem for your tomcat 5.5. the easiest 
way possible is to add a filter to your webapp and apply the HSTS header in the 
response. You can make use of the buildin HSTS support, if its possible to 
upgrade your tomcat to a recent version.
Related SO-Question: 
http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat

Best regards,

Daniel

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question on parallel deployment

2016-09-14 Thread Chris Gamache 
Hi Felipe,

It is my experience that Tomcat will continue to process long-running old
requests while new requests get served the new version of the webapp. When
the requests are finished processing Tomcat will undeploy the old version
of the webapp (undeployOldVersions="true").

If you do happen to create dummy sessions (we do this by touching
req.getSession()) you'll notice that the old version of the webapp won't
undeploy while there are sessions still out there.

CG

On Wed, Sep 14, 2016 at 9:12 AM, Felipe Jaekel  wrote:

> Hi,
>
> I've been using parallel deployment successfully with JSF based webapps for
> some years.
>
> Now I'd like to use it with some web service based webapps (CXF). I noticed
> on Tomcat Manager that these webapps doesn't create sessions on the
> requests.
>
> I use *undeployOldVersions="true"* on server.xml, so when I deploy a new
> version of the webapp, will Tomcat wait active requests finish processing
> before undeploying the old version or do I need to create some dummy
> session attribute to make parallel deployment work correctly on this case?
>
> I'm using Tomcat 8.5.4.
>
> Thanks
>

Re: Apache TomCat 5.5

2016-09-14 Thread Daniel Küppers 



Hello EveryOne,

As new bee of Apache.  We have been using one of the old Apache TomCat on windows server 
2008R2, IIS 7.  After we purchased and installed the SSL certificate.  We need to apply a 
header directive in Apache "Strict-Transport-Security" so that our web site 
would be secured as the Government required.  My question is where can I insert this 
line?  In which and where's the files in Apache TomCat 5.5, JDK 8 updated 102.  Is it in 
the same server.xml file as we modified the connector for SSL.
Look forward to hearing from your supports.

Regards,


Mary Pham
Information Technology Specialist
National Institutes of Health Library
Division of Library Services
Office of Research Services
10 Center Drive, Room 1L07, MSC 1150
Bethesda, MD 20892-1150
T. 301.496.1506
maryp...@mail.nih.gov

Hello Mary,

you are using a quite outdated tomcat. A quick googling brought me to 
stackoverflow, which might solve the problem for your tomcat 5.5. the 
easiest way possible is to add a filter to your webapp and apply the 
HSTS header in the response. You can make use of the buildin HSTS 
support, if its possible to upgrade your tomcat to a recent version.
Related SO-Question: 
http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat


Best regards,

Daniel

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Apache TomCat 5.5

2016-09-14 Thread Pham, Mary (NIH/OD/ORS) [E] 
Hello EveryOne,

As new bee of Apache.  We have been using one of the old Apache TomCat on 
windows server 2008R2, IIS 7.  After we purchased and installed the SSL 
certificate.  We need to apply a header directive in Apache 
"Strict-Transport-Security" so that our web site would be secured as the 
Government required.  My question is where can I insert this line?  In which 
and where's the files in Apache TomCat 5.5, JDK 8 updated 102.  Is it in the 
same server.xml file as we modified the connector for SSL.
Look forward to hearing from your supports.

Regards,


Mary Pham
Information Technology Specialist
National Institutes of Health Library
Division of Library Services
Office of Research Services
10 Center Drive, Room 1L07, MSC 1150
Bethesda, MD 20892-1150
T. 301.496.1506
maryp...@mail.nih.gov

Stay connected with the NIH Library
NIH Library: http://nihlibrary.nih.gov
Facebook: http://www.facebook.com/nihlibrary
Twitter: http://www.twitter.com/nihlib


Mary Pham, BS
Information Technology Specialist
National Institutes of Health Library
Division of Library Services
Office of Research Services
10 Center Drive, Room 1L07, MSC 1150
Bethesda, MD 20892-1150
T. 301.496.1506
maryp...@mail.nih.gov

Stay connected with the NIH Library
NIH Library: http://nihlibrary.nih.gov
Facebook: http://www.facebook.com/nihlibrary
Twitter: http://www.twitter.com/nihlib
_

Question on parallel deployment

2016-09-14 Thread Felipe Jaekel 
Hi,

I've been using parallel deployment successfully with JSF based webapps for
some years.

Now I'd like to use it with some web service based webapps (CXF). I noticed
on Tomcat Manager that these webapps doesn't create sessions on the
requests.

I use *undeployOldVersions="true"* on server.xml, so when I deploy a new
version of the webapp, will Tomcat wait active requests finish processing
before undeploying the old version or do I need to create some dummy
session attribute to make parallel deployment work correctly on this case?

I'm using Tomcat 8.5.4.

Thanks

RE: tomcat8 unable to load the Resource/property file from jar

2016-09-14 Thread Venkata Reddy P 
YES Tim, in  webapps/auth/WEB-INF/lib   

-Original Message-
From: Tim Watts [mailto:t...@cliftonfarm.org] 
Sent: Wednesday, September 14, 2016 6:00 PM
To: Tomcat Users List
Subject: RE: tomcat8 unable to load the Resource/property file from jar

On Wed, 2016-09-14 at 11:54 +, Venkata Reddy P wrote:
> Thanks Chris for replying. 
> 
> I have tried placing all the jars into webapps/auth/web-inf/lib folder 
> but still getting the null value.
> 
You mean WEB-INF/lib not web-inf/lib, right?  Case matters.


> Is there any way to confirm the property file in tomcat classpath?
> 
> Many Thanks.
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, September 12, 2016 2:39 AM
> To: Tomcat Users List
> Subject: Re: tomcat8 unable to load the Resource/property file from 
> jar
> 
> Venkata,
> 
> On 9/9/16 2:48 PM, Venkata Reddy P wrote:
> > These jars are deployed in common folder to make use of my two web 
> > applications. I have modified the catalina.properties file to load 
> > these jars by tomcat server.
> 
> What happens if you put those JAR files separately into each web application?
> 
> I would expect the code as presented to work, but it's worth trying.
> And much easier to deal with than a complicated deployment where you need to 
> stash things in Tomcat's common classloader.
> 
> -chris
> 
> > -Original Message- From: Christopher Schultz 
> > [mailto:ch...@christopherschultz.net] Sent: 10 September 2016
> > 00:08 To: Tomcat Users List Subject: Re: tomcat8 unable to load the 
> > Resource/property file from jar
> > 
> > Venkata,
> > 
> > On 9/9/16 5:18 AM, Venkata Reddy P wrote:
> >> I have tried it and still getting the null value. URL url = 
> >> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.prop
> >> er
> t
> >
> >> 
> ies");
> > 
> >> The Auth.java is part of other jar called tools.jar
> > 
> >> My jars: 1)auth.jar com/trianz/auth/*.java 
> >> com/trianz/auth/auth.properties
> > 
> >> 2)tools.jar com/trianz/tools /Auth.java 
> >> com/trianz/tools/*.properties
> > 
> >> Many thanks for the response.
> > 
> > And where are those .jar files located?
> > 
> > -chris
> > 
> >> -Original Message- From: Christopher Schultz 
> >> [mailto:ch...@christopherschultz.net] Sent: Thursday, September 08,
> >> 2016 8:33 PM To: Tomcat Users List Subject: Re: tomcat8 unable to 
> >> load the Resource/property file from jar
> > 
> >> Venkata,
> > 
> >> On 9/7/16 4:49 AM, Venkata Reddy P wrote:
> >>> Recently we have upgraded the one of application from tomcat6.x to
> >>> tomcat8.0.36 version. In tomcat6, i was able to read the 
> >>> property/resource file from the jar file but certain reasons after 
> >>> upgrading to the tomca8.0.36 its failing to load.
> > 
> >>> My jar: auth.jar com/trianz/auth/*.java 
> >>> com/trianz/auth/auth.properties
> > 
> >>> //failing code, here url always getting null value. URL  url =
> >>>  
> >>> Auth.class.getClassLoader().getResource("com/trianz/auth/auth.prop
> >>> er
> t
> >
> >>> 
> i
> > 
> >>> 
> > es");
> > 
> >>> I am sure by looking at the tomcat catalina.startup logs the 
> >>> auth.jar is loading properly Is there any way to confirm the file 
> >>> in classpath "com/trianz/auth/auth.properties"? How do I fix this?
> > 
> >>> Many Thanks in advance.
> > 
> >> Can you try reading the file like this:
> > 
> >> URL url =
> >> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.prop
> >> er
> t
> >
> >> 
> ie
> > 
> > 
> > s")
> > 
> >> ? (note the leading "/")
> > 
> >> Also, from where is the Auth class being loaded? Where is auth.jar 
> >> located?
> > 
> >> -chris
> > 
> >> ---
> >> --
> >
> >> 
> > 
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> >> ---
> >> --
> >
> >> 
> > 
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> > 
> > -
> >
> > 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> > 
> > -
> >
> > 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail:

RE: tomcat8 unable to load the Resource/property file from jar

2016-09-14 Thread Tim Watts 
On Wed, 2016-09-14 at 11:54 +, Venkata Reddy P wrote:
> Thanks Chris for replying. 
> 
> I have tried placing all the jars into webapps/auth/web-inf/lib
> folder but still getting the null value.
> 
You mean WEB-INF/lib not web-inf/lib, right?  Case matters.


> Is there any way to confirm the property file in tomcat classpath?
> 
> Many Thanks.
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Sent: Monday, September 12, 2016 2:39 AM
> To: Tomcat Users List
> Subject: Re: tomcat8 unable to load the Resource/property file from jar
> 
> Venkata,
> 
> On 9/9/16 2:48 PM, Venkata Reddy P wrote:
> > These jars are deployed in common folder to make use of my two web 
> > applications. I have modified the catalina.properties file to load 
> > these jars by tomcat server.
> 
> What happens if you put those JAR files separately into each web application?
> 
> I would expect the code as presented to work, but it's worth trying.
> And much easier to deal with than a complicated deployment where you need to 
> stash things in Tomcat's common classloader.
> 
> -chris
> 
> > -Original Message- From: Christopher Schultz 
> > [mailto:ch...@christopherschultz.net] Sent: 10 September 2016
> > 00:08 To: Tomcat Users List Subject: Re: tomcat8 unable to load the 
> > Resource/property file from jar
> > 
> > Venkata,
> > 
> > On 9/9/16 5:18 AM, Venkata Reddy P wrote:
> >> I have tried it and still getting the null value. URL url = 
> >> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.proper
> t
> >
> >> 
> ies");
> > 
> >> The Auth.java is part of other jar called tools.jar
> > 
> >> My jars: 1)auth.jar com/trianz/auth/*.java 
> >> com/trianz/auth/auth.properties
> > 
> >> 2)tools.jar com/trianz/tools /Auth.java com/trianz/tools/*.properties
> > 
> >> Many thanks for the response.
> > 
> > And where are those .jar files located?
> > 
> > -chris
> > 
> >> -Original Message- From: Christopher Schultz 
> >> [mailto:ch...@christopherschultz.net] Sent: Thursday, September 08, 
> >> 2016 8:33 PM To: Tomcat Users List Subject: Re: tomcat8 unable to 
> >> load the Resource/property file from jar
> > 
> >> Venkata,
> > 
> >> On 9/7/16 4:49 AM, Venkata Reddy P wrote:
> >>> Recently we have upgraded the one of application from tomcat6.x to 
> >>> tomcat8.0.36 version. In tomcat6, i was able to read the 
> >>> property/resource file from the jar file but certain reasons after 
> >>> upgrading to the tomca8.0.36 its failing to load.
> > 
> >>> My jar: auth.jar com/trianz/auth/*.java 
> >>> com/trianz/auth/auth.properties
> > 
> >>> //failing code, here url always getting null value. URL  url =
> >>>  
> >>> Auth.class.getClassLoader().getResource("com/trianz/auth/auth.proper
> t
> >
> >>> 
> i
> > 
> >>> 
> > es");
> > 
> >>> I am sure by looking at the tomcat catalina.startup logs the 
> >>> auth.jar is loading properly Is there any way to confirm the file in 
> >>> classpath "com/trianz/auth/auth.properties"? How do I fix this?
> > 
> >>> Many Thanks in advance.
> > 
> >> Can you try reading the file like this:
> > 
> >> URL url =
> >> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.proper
> t
> >
> >> 
> ie
> > 
> > 
> > s")
> > 
> >> ? (note the leading "/")
> > 
> >> Also, from where is the Auth class being loaded? Where is auth.jar 
> >> located?
> > 
> >> -chris
> > 
> >> -
> >
> >> 
> > 
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> >> -
> >
> >> 
> > 
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> > -
> >
> > 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> > -
> >
> > 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: tomcat8 unable to load the Resource/property file from jar

2016-09-14 Thread Venkata Reddy P 
Thanks Chris for replying. 

I have tried placing all the jars into webapps/auth/web-inf/lib  folder but 
still getting the null value.

Is there any way to confirm the property file in tomcat classpath?

Many Thanks.
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Monday, September 12, 2016 2:39 AM
To: Tomcat Users List
Subject: Re: tomcat8 unable to load the Resource/property file from jar

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Venkata,

On 9/9/16 2:48 PM, Venkata Reddy P wrote:
> These jars are deployed in common folder to make use of my two web 
> applications. I have modified the catalina.properties file to load 
> these jars by tomcat server.

What happens if you put those JAR files separately into each web application?

I would expect the code as presented to work, but it's worth trying.
And much easier to deal with than a complicated deployment where you need to 
stash things in Tomcat's common classloader.

- -chris

> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: 10 September 2016
> 00:08 To: Tomcat Users List Subject: Re: tomcat8 unable to load the 
> Resource/property file from jar
> 
> Venkata,
> 
> On 9/9/16 5:18 AM, Venkata Reddy P wrote:
>> I have tried it and still getting the null value. URL url = 
>> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.proper
t
>
>> 
ies");
> 
>> The Auth.java is part of other jar called tools.jar
> 
>> My jars: 1)auth.jar com/trianz/auth/*.java 
>> com/trianz/auth/auth.properties
> 
>> 2)tools.jar com/trianz/tools /Auth.java com/trianz/tools/*.properties
> 
>> Many thanks for the response.
> 
> And where are those .jar files located?
> 
> -chris
> 
>> -Original Message- From: Christopher Schultz 
>> [mailto:ch...@christopherschultz.net] Sent: Thursday, September 08, 
>> 2016 8:33 PM To: Tomcat Users List Subject: Re: tomcat8 unable to 
>> load the Resource/property file from jar
> 
>> Venkata,
> 
>> On 9/7/16 4:49 AM, Venkata Reddy P wrote:
>>> Recently we have upgraded the one of application from tomcat6.x to 
>>> tomcat8.0.36 version. In tomcat6, i was able to read the 
>>> property/resource file from the jar file but certain reasons after 
>>> upgrading to the tomca8.0.36 its failing to load.
> 
>>> My jar: auth.jar com/trianz/auth/*.java 
>>> com/trianz/auth/auth.properties
> 
>>> //failing code, here url always getting null value. URL  url =
>>>  
>>> Auth.class.getClassLoader().getResource("com/trianz/auth/auth.proper
t
>
>>> 
i
> 
>>> 
> es");
> 
>>> I am sure by looking at the tomcat catalina.startup logs the 
>>> auth.jar is loading properly Is there any way to confirm the file in 
>>> classpath "com/trianz/auth/auth.properties"? How do I fix this?
> 
>>> Many Thanks in advance.
> 
>> Can you try reading the file like this:
> 
>> URL url =
>> Auth.class.getClassLoader().getResource("/com/trianz/auth/auth.proper
t
>
>> 
ie
> 
> 
> s")
> 
>> ? (note the leading "/")
> 
>> Also, from where is the Auth class being loaded? Where is auth.jar 
>> located?
> 
>> -chris
> 
>> -
>
>> 
> 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
>> -
>
>> 
> 
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> -
>
> 
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX1cfgAAoJEBzwKT+lPKRYmHIP/jsftQpRftre+Uztu0NNvQae
3aThWLhGBbtVi8LQGQYf5C6nRsQNW+RL5mY73CKdVe8Ux6+ae7hyaXDHTo8yMDrV
66nq3kRJTjYl3nNjAltTjsVNwdjCiabHoF4LxLnfOwmVBF3+LyJ3AWCzj8Z+EKO/
RXq9rX/0FwOZEr+p8ihS7ucMvJnZR6tPiyGgmk6GwYxGe6lYVyctwOiugYv7wAiC
D0uwtgr19eYreJlv+m9WwNvmLg5B+zOl7ZWQWmJ/vamoTFNxAUstaaGXuGv+ojC3
E5USMruCF1MjXG1KJ3LNaByFtZnPtvJy0I+E0j2rFDSQuto6CCPckk9qK9ERKYFO
JelWfd5kzKtX5Keacwc4m6Sv9ttw5U3bn6jziH6B+YWjJKwgzKXzhe7lIbbTt+0l
dvKroBxJlJp0WjUnjpElV6nN8qJfGnpQTqa+AvkGuNTZfs6CxXtrisFjw9Sle2Lg
mNzjP/6sUBTUEdwv6Q6uGWcT3kxmuzLzPVqG4z0lG9E85NI7102Uwvuyf1YaXhl/
I2zwNZJ5vWGtCOvibLDd31IwmJwfUSjEzVKzfTmJeC+cMyMIK54eJlBBDhuEfJI9
XHfwI24P8lZmDDTtu5uSfTkOL+tTHvrWLgu80t3qO0EDXnkfTijpAubB6oFvE3YQ
UY1yEAnm57IzLFw75bJX
=vxK0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For

Re: HttpServletRequest.login & remoteUser null

2016-09-14 Thread nclemeur 
>> Hello,
>> 
>> I am using HttpServletRequest.login to authenticate users on an ajax
>> call.
>> This is working fine and the relevant realm is queried. However, on
>> subsequent requests, I have quite often the remote user being null
>> despite
>> having the correct JSESSION cookie set from the login call.
>> 
>> This is not happening always, but it is quite frequent. Interestingly, if
>> a
>> set an attribute in the session, that session and attributes are
>> preserved
>> in the subsequent requests.
>> 
>> Is there anything else that I should do to preserve authentication
>> information? It is very strange that this process is working
>> intermittently. As a workaround I am wrapping the request and overrides
>> the
>> getRemoteUser/getUserPrinciper/isUserInRole to get this information from
>> the information I am storing in the session, but I would prefer to have
>> this working without this workaround (for example the AccessLogValve does
>> not report the user correctly when using that workaround).

> Tomcat version?

> What authentication, if any, do you have configured in web.xml?

> Do you have any security constraints defined anywhere (annotations or 
> in web.xml)?

I was having this problem in tomcat 8.0.35. I did try to reproduce it on a
simpler setup on 8.0.37 and 8.5.5, but could not succeed... 

I'll try integrate my tests in my main app to see if I can reproduce it
then.

Cheers

Nicolas



--
View this message in context: 
http://tomcat.10.x6.nabble.com/HttpServletRequest-login-remoteUser-null-tp5054934p5055008.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org