Re: Tomcat 8.5.12 Not Responding

2017-03-22 Thread Mark Thomas 
On 22/03/17 16:20, Igal @ Lucee.org wrote:
> Looks like all the threads are waiting on the same lock?
> 
> parking to wait for <0x0006c09932f8> (a
> java.util.concurrent.locks.ReentrantLock$NonfairSync)

Agreed. But I don't see anything holding that lock. That looks like a
JVM bug to me.

Mark


> 
> 
> Igal Sapir
> Lucee Core Developer
> Lucee.org 
> 
> On 3/22/2017 8:50 AM, Igal @ Lucee.org wrote:
>>
>> I am running an application on Tomcat 8.5.12 on Windows 2008R2 64bit
>> with Server JRE 1.8.0u121. Right now the process is still running but
>> no requests are being processed, or take a very long time to process.
>>
>> For example, I created a simple test.html file with one line of html
>> and it took several minutes to serve it.
>>
>> This application has been running on Tomcat 8.5.11 for a while with no
>> issue, so I suspect some bug may have been introduced in 8.5.12.
>>
>> STDERR shows the following possibly related entries:
>>
>> Exception in thread "http-nio-8181-exec-1"
>> java.lang.IllegalMonitorStateException
>> at
>> java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
>>
>> at
>> java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
>>
>> at
>> java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
>> at
>> java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)
>>
>> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
>> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
>> at
>> java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>
>> at java.lang.Thread.run(Thread.java:745)
>> Exception in thread "http-nio-8181-exec-6"
>> java.lang.IllegalMonitorStateException
>> at
>> java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
>>
>> at
>> java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
>>
>> at
>> java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
>> at
>> java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)
>>
>> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
>> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
>> at
>> java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>
>> at java.lang.Thread.run(Thread.java:745)
>>
>> Thread dump is attached.
>>
>> Any ideas?
>>
>> Thank you,
>>
>>
>> Igal Sapir
>> Lucee Core Developer
>> Lucee.org  
> 
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Migration

2017-03-22 Thread Berneburg, Cris J. - US 
Osama

> I have been asked by a company to update their existing working
> tomcat 5 application, which is working on an old Windows 2003
> platform and accessing SQL 2005. The new servers are Windows and
> SQL 2012. I downloaded  and installed Tomcat 8.5.12. So, what I
> need to do for migrating the existing application to work on the
> new environment?

If you do not have automated integrated testing to test your current SQL, 
stored procedures, etc., on the new SQL Server 2012 platform, one thing I would 
recommend is using the "SQL Server 2012 Upgrade Advisor".  It will help point 
out the areas in your current SQL server 2005 database that are not compatible 
with 2012.  There are some differences that could cause your stored procedures 
and other SQL to no longer run/compile.

--
Cris Berneburg
CACI Lead Software Engineer



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Validator fpr policy files

2017-03-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Karsten,

On 3/22/17 8:08 AM, Schöke, Karsten wrote:
> if a tool exists, that parse one or more tomcat security policy
> files, that are validate? I will use that in a continues
> integration environment, for policy file deployment and to
> guarantee that the tomcat starts with new policy files...

Are you asking if there is a validator for Java security-policy files?

Something like this?
http://www.devx.com/Java/Article/27962

(I have no experience with that tool... I just Googled for "java
security policy file validator).

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY0qLLAAoJEBzwKT+lPKRYn88P/2Emvdw3Rt70YBhwJBL5xX1/
g0t0p1A5JAGEmQFTBEZu2+mp9SZkPTefnkaqoE//c98fRG3CN5PYtFldtPcV+y70
3qbg5cCNvKb+6rf+uTKctCXer28JFTEj18PprV3dM0fRBODmlOmPwG7TCI1p1PQO
nryDWbdYceWsYuP40eRyWY8f0q196oewqu20hRT57oHSQo19YAbfejCCBoEsPBD2
vNWZVZW4skKOWg0Nu9NF10ASv3sRAdGYfRVHRh+lVbZxdIsEZSz9E0j9LKilJCgn
tWXOb+cGXbM5X0FmOtRVflqUX2CWVnC9RsWkAttBsGuPKgcn0ER+UcW8/n/Raykx
WEchhww9AjMNacVxqugjx9oGC9OfT0KOOYjcwN3y4Z6wdyFkOFKsBw0snIV5wXNi
eLjQqqsyUnydSyjDEEINw7uRBsqhQ8rh7ZLKFb79E4cnEfYz6C/J1jw2TCppcBtQ
zXJU+VxAP5DsObLuiCGAjf+rbuGIbNHTb4qnz7HMri1NQ7a3hYdhE10DXiYJOzBz
rrk1DsBMZ0ux1V/lfVYI5eYf/viOtGXg3XiM3HAAQ9Pl7mwGkxK6XR1wku8CA3Tz
4L79SCtHncklEj3vmBzUGCVUtCz6g1WWEPChBGQkWRrcblCPhZJkq4EbSckrYHMS
rrKs8Lz5pks0nsiTKV5Q
=Ht4n
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Migration

2017-03-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Osama,

On 3/21/17 3:43 PM, M. Osama Alghwell wrote:
> On Mar 21, 2017 7:21 PM, "Christopher Schultz"
>  wrote:
> 
> Osama,
> 
> On 3/21/17 1:10 PM, M. Osama Alghwell wrote:
 I have been asked by a company to update their existing
 working tomcat 5 application, which is working on an old
 Windows 2003 platform and accessing SQL 2005. The new servers
 are Windows and SQL 2012. I downloaded  and installed Tomcat
 8.5.12. So, what I need to do for migrating the existing
 application to work on the new environment? Thank you in
 advance for your reply.
> 
>> Read through the Migration Guide: 
>> http://tomcat.apache.org/migration.html

> The migration guide for migrating from Tomcat 7 to 8

Is it?

> I need from 5 to 8.

I understand. The Migration Guide covers all (reasonably-recent) version
s.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY0qHgAAoJEBzwKT+lPKRYoY4P/iu3h8vTd9m19PaaN847SZVE
ir1003x1rLyFdodhaYLKW+atMLeaGl+Y4pzjL+f54wzYKFGl7O/kK7+w4ji1pHrt
VpL+oUXd379Z1BPrG8iZXKE/lqdqpWArVrsanPz3/5a+UKoiEkz0l7Bu7zULhKBj
dx7L9c9x2qiXgaICeIa/ZgP04Sz8CZry6koeFHaATCsWiyr/VBzDt4cpfmVOsRIx
IRnixreh9l30+PVbDIZR864+M5G88xjLs26Mkc4YNtXmwPAb8q5LtQGDhHrVAWes
aZMbhR2iPsv5LOCj5DLpI2+AXmFiGWhDzhcYc9emqLKhB+r1DQNR+CtMz5gd/Ocz
SxNXdD4y2qB/gy1Jpkwyb4ne0+DrU4Ff4uR4XcY6JtPewZZN+RxtQKhvROKBr3ZI
BwoT0mB8CEkQr+IFaDfBlLPLRf18y0zZFIHBwiGrECr0Mia8UOABu/eGG6xIIh0/
/DE23PUf2pq4Vgy4I2adj9NpngytkUpO/Mm+j1PBiMRW11bPwBNVsUNQF9SIHAFc
D6BGFXEBlLXeBzohhxYL0MkAfewc60FlNHJAAVTzppwZ/JQfDOciJIfBpTyMSah9
PhN7DUiLrom5UMj995QmhLOrf+JCsbxBTbeuMgVW6opJgllLQujcN8A1J7nGCPPf
R+kSlAzBtHivI3Vb3pBd
=uihm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Migration

2017-03-22 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Osama,

On 3/21/17 3:46 PM, M. Osama Alghwell wrote:
> On Mar 21, 2017 7:25 PM, "Caldarale, Charles R"
>  wrote:
> 
>>> From: M. Osama Alghwell [mailto:malghw...@gmail.com] Subject:
>>> Migration
>> 
>>> I have been asked by a company to update their existing working
>>> tomcat 5 application, which is working on an old Windows 2003
>>> platform and
>> accessing
>>> SQL 2005. The new servers are Windows and SQL 2012. I
>>> downloaded  and installed Tomcat 8.5.12. So, what I need to do
>>> for migrating the existing application to work on the new
>>> environment?
>> 
>> The first step is to read the migration guides: 
>> http://tomcat.apache.org/migration.html
>> 
>> You'll need to look at all the ones that change levels, since the
>> steps are cumulative and there is no 5 -> 8.5 doc.
>> 
>> Once you've absorbed that, come back with specific questions.
> 
> I will follow the steps from 5 to 6, from 6 to 7, then from 7 to
> 8, is this what I should do?

You need to read and understand the migrations from 5.0 -> 8.5, but
there's no reason to actually install and test with each individual
major version in between.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJY0qGZAAoJEBzwKT+lPKRYfTAP/jnayHvU3lNAy8zB4S+ca3n4
V1ZU8rUjAIYkaWQwnVVIN76OkYhexNixKOjJ7BlvEZp5Gt4a+lA4/gbqsQwIZeWg
eIj0S4I0rW1HYzvGWxTau17hzSZi5XZKmeaYuffXz0labQJH7PldJcTamXMitCpK
rN2MtdWnzUS9l1Jj6p8wFf+oEWmCQJl3nwUut+oC8tgGPBf2ie+1Li4owXBTVvKZ
IOfRgASeOODzlf233pSLhgQWC8VQCtWkfofPwzgy+CS+Qtz2YVBKmhB5OwteY7J1
kkPxxSHRyUYE0FInb/btgU/Zj2nlYoJGTNxI8128bSvSwkVguyH6JVSqeePx+yNJ
vfE1UJ0ipgaF61jItj9dlAC1yP2UdBEwGyootHHVjZ+yUXIB/pknQfmsRRGHOEh4
im9gMqBOyORWc0WKGD7ia1Te08D/54D49tC+pFxjkYTJ5Nu31A4SecK6sso3ozZS
cGqUaqvBJTdlEGcEdBKrQM7/V16uRVIlScfAn9NsT9pL0kATdHbXm2Sc/QhIGajx
Fwn/QPdfTq6F6vUCDw2/4ydWIHedkgQQYZnJbXTME89FvuBx//tOupse9TiNURk0
88qQ8UzNG5YHKTflICR1nT9hw2WsRk5Xl9abSkZvrMYu6XKmK7+ZAuZsrw/2U/zA
ytKUfgtTlQoCJGEvNVNk
=NmkW
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 8.5.12 Not Responding

2017-03-22 Thread Igal @ Lucee.org 

Looks like all the threads are waiting on the same lock?

parking to wait for <0x0006c09932f8> (a 
java.util.concurrent.locks.ReentrantLock$NonfairSync)



Igal Sapir
Lucee Core Developer
Lucee.org 

On 3/22/2017 8:50 AM, Igal @ Lucee.org wrote:


I am running an application on Tomcat 8.5.12 on Windows 2008R2 64bit 
with Server JRE 1.8.0u121. Right now the process is still running but 
no requests are being processed, or take a very long time to process.


For example, I created a simple test.html file with one line of html 
and it took several minutes to serve it.


This application has been running on Tomcat 8.5.11 for a while with no 
issue, so I suspect some bug may have been introduced in 8.5.12.


STDERR shows the following possibly related entries:

Exception in thread "http-nio-8181-exec-1" 
java.lang.IllegalMonitorStateException
at 
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
at 
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
at 
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
at 
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)

at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
at 
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)
Exception in thread "http-nio-8181-exec-6" 
java.lang.IllegalMonitorStateException
at 
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
at 
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
at 
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
at 
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)

at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
at 
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Thread dump is attached.

Any ideas?

Thank you,


Igal Sapir
Lucee Core Developer
Lucee.org

Re: Tomcat 8.5.12 Not Responding

2017-03-22 Thread Igal @ Lucee.org 

Hi Violeta,

On 3/22/2017 9:20 AM, Violeta Georgieva wrote:
Please provide information for your Connector configuration (server.xml) 


The only connector that is in use is the http connector:

connectionTimeout="2" />


All the others are commented out.


Igal

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 8.5.12 Not Responding

2017-03-22 Thread Violeta Georgieva 
Hi,

2017-03-22 17:50 GMT+02:00 Igal @ Lucee.org :
>
> I am running an application on Tomcat 8.5.12 on Windows 2008R2 64bit with
Server JRE 1.8.0u121. Right now the process is still running but no
requests are being processed, or take a very long time to process.

Please provide information for your Connector configuration (server.xml)

Regards,
Violeta

> For example, I created a simple test.html file with one line of html and
it took several minutes to serve it.
>
> This application has been running on Tomcat 8.5.11 for a while with no
issue, so I suspect some bug may have been introduced in 8.5.12.
>
> STDERR shows the following possibly related entries:
>
> Exception in thread "http-nio-8181-exec-1"
java.lang.IllegalMonitorStateException
> at
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
> at
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
> at
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
> at
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)
> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
> at
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> Exception in thread "http-nio-8181-exec-6"
java.lang.IllegalMonitorStateException
> at
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
> at
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
> at
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
> at
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)
> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
> at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
> at
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
> at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
> at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
> Thread dump is attached.
>
> Any ideas?
>
> Thank you,
>
>
> Igal Sapir
> Lucee Core Developer
> Lucee.org
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat 8.5.12 Not Responding

2017-03-22 Thread Igal @ Lucee.org 
I am running an application on Tomcat 8.5.12 on Windows 2008R2 64bit 
with Server JRE 1.8.0u121. Right now the process is still running but no 
requests are being processed, or take a very long time to process.


For example, I created a simple test.html file with one line of html and 
it took several minutes to serve it.


This application has been running on Tomcat 8.5.11 for a while with no 
issue, so I suspect some bug may have been introduced in 8.5.12.


STDERR shows the following possibly related entries:

Exception in thread "http-nio-8181-exec-1" 
java.lang.IllegalMonitorStateException
at 
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
at 
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
at 
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
at 
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)

at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
at 
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)
Exception in thread "http-nio-8181-exec-6" 
java.lang.IllegalMonitorStateException
at 
java.util.concurrent.locks.ReentrantLock$Sync.tryRelease(ReentrantLock.java:151)
at 
java.util.concurrent.locks.AbstractQueuedSynchronizer.release(AbstractQueuedSynchronizer.java:1261)
at 
java.util.concurrent.locks.ReentrantLock.unlock(ReentrantLock.java:457)
at 
java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:449)

at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:103)
at org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:31)
at 
java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Thread dump is attached.

Any ideas?

Thank you,


Igal Sapir
Lucee Core Developer
Lucee.org 
2017-03-22 08:41:44
Full thread dump Java HotSpot(TM) 64-Bit Server VM (25.121-b13 mixed mode):

"Thread-10119" #10181 daemon prio=5 os_prio=0 tid=0x23453000 nid=0x1ce8 
runnable [0x24b0e000]
   java.lang.Thread.State: RUNNABLE
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:171)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at 
org.apache.http.impl.conn.LoggingInputStream.read(LoggingInputStream.java:87)
at 
org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:139)
at 
org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:155)
at 
org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:284)
at 
org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
at 
org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
at 
org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:261)
at 
org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:165)
at 
org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:167)
at 
org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:272)
at 
org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:124)
at 
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:271)
at 
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at 
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at 
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at 
lucee.commons.net.http.httpclient.HTTPEngine4Impl._invoke(HTTPEngine4Impl.java:261)
at 
lucee.commons.net.http.httpclient.HTTPEngine4Impl.get(HTTPEngine4Impl.java:117)

Re: classloader for components in META-INF/context.xml?

2017-03-22 Thread Konstantin Kolinko 
2017-03-17 23:21 GMT+03:00 Mike Wilson :
>
> I also ran into [1].
>
> Some Tomcat configuration with custom components (Valves, Managers etc) may
> be done from a webapp's META-INF/context.xml. But currently if those classes
> are your own custom implementations they will not be found if residing
> inside the webapp's war (but are f ex found if placed in /lib).
>
> Would it make sense for Tomcat to use the webapp classloader for components
> that are specified in META-INF/context.xml?
>
> Best regards
> Mike Wilson
>
> [1]
> http://stackoverflow.com/questions/10924715/creating-a-custom-tomcat-session
> -manager-without-putting-the-jar-in-the-catalina
>

Besides the security issues that Mark mentions,

Note that Web application's classloader is only available when the web
application is running.

It means that

1) All those custom classes (Listeners, Valves etc.) cannot be created
at the time when context.xml is parsed, and must be replaced with some
stub objects.

2) They cannot process "destroy" event (when the application is
undeployed), as the classloader is stopped earlier - on "stop" event.

http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/Lifecycle.html

3) As Webapp classloader has priority over Tomcat classloader, you
cannot really create any component before Webapp classloader is
started - as the same class can be redefined in the web application.

http://tomcat.apache.org/tomcat-8.5-doc/class-loader-howto.html

4) Some objects are needed before Webapp classloader is started.

If context.xml redefines / reconfigures classloader implementation
(Loader element) - when is it created, and how?
What classloader is used to load and create it and why?

http://tomcat.apache.org/tomcat-8.5-doc/config/loader.html

A Listener can reconfigure web application before it is started. Some
of those will be broken.

E.g. a listener can perform the same actions as "PreResources" or
"PostResources" elements to inject additional JARs into webapp
classpath. It is better to do that before starting a web application
class loader.

http://tomcat.apache.org/tomcat-8.5-doc/config/resources.html

5) Configuration of a web application can be performed externally, via JMX API.

What objects will be exposed via JMX and starting with what moment / state?

http://tomcat.apache.org/tomcat-8.5-doc/monitoring.html

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Validator fpr policy files

2017-03-22 Thread Schöke , Karsten 
Hi @all,

if a tool exists, that parse one or more tomcat security policy files, that are 
validate?
I will use that in a continues integration environment, for policy file 
deployment
and to guarantee that the tomcat starts with new policy files...


Regards
Karsten

Re: classloader for components in META-INF/context.xml?

2017-03-22 Thread Mark Thomas 
On 18/03/17 20:04, Olaf Kock wrote:
> Am 18.03.2017 um 10:54 schrieb Mark Thomas:
>> On 17/03/2017 20:21, Mike Wilson wrote:
>>> I also ran into [1].
>>>
>>> Some Tomcat configuration with custom components (Valves, Managers etc) may
>>> be done from a webapp's META-INF/context.xml. But currently if those classes
>>> are your own custom implementations they will not be found if residing
>>> inside the webapp's war (but are f ex found if placed in /lib).
>>>
>>> Would it make sense for Tomcat to use the webapp classloader for components
>>> that are specified in META-INF/context.xml?
>> Potentially. It needs some thought when running under a SecurityManager.
> Mark,
> you probably know better than me - is there any kind of security
> assumption involved when referencing connection pools etc? The nice
> thing about JNDI resources (etc) is that the application has no
> knowledge of database credentials (unless tricking with reflection) -
> but if it can inject its own classes this way, I'd not be sure any more.

Hmm. I'd need to do some investigation to see what is possible.
Generally, I'd assume a web application has read access to the JNDI
config. If I am right, I'm not sure how practical it would be to stop that.

> Sure, this would be a server side attack, of a rogue web application.
> Not sure if this thought is valid or not - I just wanted to raise the
> issue so that it can be defeated or taken into account. Maybe this is
> what you meant with "when running under a SecurityManager".

This scenario is pretty rare. The most regularly cited use case is
shared hosting with multiple untrusted users sharing a single Tomcat
instance.

Given how trivial it is for one app to DoS the entire server (code a JSP
with a tight loop, request that JSP once per server code, server locks
up) this isn't a deployment strategy that gets used much. One app, one
Tomcat instance is a lot easier to manage in all sorts of ways.

We do try and protect against rouge apps running under a security
manager. Generally, bypassing the security manager gets treated as a low
severity (because it affects so few people) vulnerability. For example,
we recently blocked apps accessing global resources unless they were
explicitly linked to that resource (CVE-2016-6797).

Because custom Valves, Managers, etc. have access to Tomcat's internals
and do get called in the container's security context we'd need to be
careful. They all require configuration via context.xml and that gets
special treatment when running under a security manager. It requires the
system admin to explicitly copy the app provided context.xml to
$CATALINA_BASE// to enable it. The idea is that the admin
reviews the contents and only does this if it is safe. Working out what
is safe is rather tricky though. That would get even harder in the case
of a custom Manager etc.

In short it is a lot easier to treat the entire Tomcat instance as
untrusted rather than the container as trusted but not the app (or one
of the apps running on it).

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org