Re: Java 10; JAXB; and Tomcat 9

2018-05-02 Thread Emmanuel Bourg
On 03/05/2018 at 00:42, Jerry Malcolm wrote:

> Thanks for the input.  I haven't been keeping up with Java EE for a
> while.  I tried to download EE instead of SE and got a few gigabytes of
> "GlassFish server".  Couldn't even find the jaxb jar files in that
> package.  I haven't researched what GlassFish is... but I know I don't
> need to learn another server right now.   Did I download the wrong
> thing?  Is there still just a plain ol' EE version of Java with jar files?

Here is the standalone JAXB distribution:

https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb-ri/2.3.0/jaxb-ri-2.3.0.zip

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Java 10; JAXB; and Tomcat 9

2018-05-02 Thread Jerry Malcolm

On 5/2/2018 4:37 PM, Emmanuel Bourg wrote:

On 02/05/2018 at 23:14, Jerry Malcolm wrote:

I just did a clean install of TC 9 on a new system.  I downloaded the
latest JDK, (10).  My code started getting errors about JAXB Exception
class not found.  I had already faced this with the JAMES installation
and found out JAXB was removed in Java 9+, but was still available if
called out.  The forums said to include --add-modules java.xml.bind on
the Java command line.  This fixed it in JAMES.  But I added this to the
java options in the TC configuration app and get an "invalid option"
error.  Am I putting this option in the wrong place on the config
panel?  Is there another way to call out JAXB in TC?

The java.xml.bind module is going to be removed from Java 11 and the
--add-modules trick will no longer work. I suggest adding the jaxb jar
to your classpath instead for a long term solution.

Emmanuel Bourg

Thanks for the input.  I haven't been keeping up with Java EE for a 
while.  I tried to download EE instead of SE and got a few gigabytes of 
"GlassFish server".  Couldn't even find the jaxb jar files in that 
package.  I haven't researched what GlassFish is... but I know I don't 
need to learn another server right now.   Did I download the wrong 
thing?  Is there still just a plain ol' EE version of Java with jar files?





Re: Java 10; JAXB; and Tomcat 9

2018-05-02 Thread Emmanuel Bourg
On 02/05/2018 at 23:14, Jerry Malcolm wrote:
> I just did a clean install of TC 9 on a new system.  I downloaded the
> latest JDK, (10).  My code started getting errors about JAXB Exception
> class not found.  I had already faced this with the JAMES installation
> and found out JAXB was removed in Java 9+, but was still available if
> called out.  The forums said to include --add-modules java.xml.bind on
> the Java command line.  This fixed it in JAMES.  But I added this to the
> java options in the TC configuration app and get an "invalid option"
> error.  Am I putting this option in the wrong place on the config
> panel?  Is there another way to call out JAXB in TC?

The java.xml.bind module is going to be removed from Java 11 and the
--add-modules trick will no longer work. I suggest adding the jaxb jar
to your classpath instead for a long term solution.

Emmanuel Bourg




Java 10; JAXB; and Tomcat 9

2018-05-02 Thread Jerry Malcolm
I just did a clean install of TC 9 on a new system.  I downloaded the 
latest JDK, (10).  My code started getting errors about JAXB Exception 
class not found.  I had already faced this with the JAMES installation 
and found out JAXB was removed in Java 9+, but was still available if 
called out.  The forums said to include --add-modules java.xml.bind on 
the Java command line.  This fixed it in JAMES.  But I added this to the 
java options in the TC configuration app and get an "invalid option" 
error.  Am I putting this option in the wrong place on the config 
panel?  Is there another way to call out JAXB in TC?






Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread alejandro . vargas


You need to unpack catalina.jar in tomcat lib directory,
then go to org\apache\catalina\util\,
open ServerInfo.properties and edit it

server.info=Apache Tomcat
server.number=
server.built=

You need to set to empty these variables, as shown above.

Save the file.
Pack as jar again
Put in the tomcat\lib directory again.

Hope this could help you, I'm using Tomcat 8.0.27



"Berneburg, Cris J. - US" wrote:

We are getting dinged by a vulnerability scan for the default  
not-found error page being returned by Tomcat for a Status 404.


On my dev server when requesting an invalid URL, Tomcat returns a  
Status 404 page that displays the Tomcat version.  Right, I need to  
do something about that.


However, I can't find where the error-page for 404 is defined.  It's  
not defined in:

- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found  
page if I can't find it or where it is currently defined?  Also, how  
is Tomcat returning the default 404 error page if it does not exist?  
 I hope it's not hardcoded in a servlet response.


FYI, we're going to remove the ROOT, docs, and examples folders to  
mitigate other scan findings.


And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer








Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Mark Thomas
On 02/05/18 20:51, Leon Rosenberg wrote:
> Hi Mark,
> 
> I agree with you that the complaint about version number is rather a minor
> one, however, I've had the same situation as one of our projects had to
> pass through a PCI Compliance test, and this is what they really test for.

Don't get me started on PCI compliance...

Oh, and Cris - take a look at the ErrorReportValve. That is where the
default error page is coming from.

Mark


> 
> regards
> Leon
> 
> On Wed, May 2, 2018 at 9:42 PM, Mark Thomas  wrote:
> 
>> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
>>> We are getting dinged by a vulnerability scan for the default not-found
>> error page being returned by Tomcat for a Status 404.
>>>
>>> On my dev server when requesting an invalid URL, Tomcat returns a Status
>> 404 page that displays the Tomcat version.  Right, I need to do something
>> about that.
>>>
>>> However, I can't find where the error-page for 404 is defined.  It's not
>> defined in:
>>> - webapps/ROOT/WEB-INF/web.xml
>>> - conf/web.xml
>>> - conf/server.xml
>>> - conf/context.xml
>>>
>>> Also, I can't find a notFound or error page either.
>>>
>>> How do I get rid of or override the default error / 404 / not-found page
>> if I can't find it or where it is currently defined?  Also, how is Tomcat
>> returning the default 404 error page if it does not exist?  I hope it's not
>> hardcoded in a servlet response.
>>>
>>> FYI, we're going to remove the ROOT, docs, and examples folders to
>> mitigate other scan findings.
>>>
>>> And we're using Tomcat 6.0.37 (ahem).
>>
>> And you are worried about returning the version number? Have you seen
>> how many real security issues (as opposed to this version number
>> non-issue) there are in 6.0.37? I can't help but think your priorities
>> are all wrong.
>>
>> Hiding the version info is trivial
>> Create the following directory structure:
>> $CATALINA_HOME/lib/org/apache/catalina/util
>>
>> Download this file:
>> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960=co
>>
>> Place it in that directory and modify the three properties to whatever
>> value you like.
>>
>> Restart Tomcat.
>>
>> Mark
>>
>>
>>
> 





Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Leon Rosenberg
Hi Mark,

I agree with you that the complaint about version number is rather a minor
one, however, I've had the same situation as one of our projects had to
pass through a PCI Compliance test, and this is what they really test for.

regards
Leon

On Wed, May 2, 2018 at 9:42 PM, Mark Thomas  wrote:

> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> > We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
> >
> > On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
> >
> > However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> > - webapps/ROOT/WEB-INF/web.xml
> > - conf/web.xml
> > - conf/server.xml
> > - conf/context.xml
> >
> > Also, I can't find a notFound or error page either.
> >
> > How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
> >
> > FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
> >
> > And we're using Tomcat 6.0.37 (ahem).
>
> And you are worried about returning the version number? Have you seen
> how many real security issues (as opposed to this version number
> non-issue) there are in 6.0.37? I can't help but think your priorities
> are all wrong.
>
> Hiding the version info is trivial
> Create the following directory structure:
> $CATALINA_HOME/lib/org/apache/catalina/util
>
> Download this file:
> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960=co
>
> Place it in that directory and modify the three properties to whatever
> value you like.
>
> Restart Tomcat.
>
> Mark
>
>
>


Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Mark Thomas
On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> We are getting dinged by a vulnerability scan for the default not-found error 
> page being returned by Tomcat for a Status 404.
> 
> On my dev server when requesting an invalid URL, Tomcat returns a Status 404 
> page that displays the Tomcat version.  Right, I need to do something about 
> that.
> 
> However, I can't find where the error-page for 404 is defined.  It's not 
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
> 
> Also, I can't find a notFound or error page either.
> 
> How do I get rid of or override the default error / 404 / not-found page if I 
> can't find it or where it is currently defined?  Also, how is Tomcat 
> returning the default 404 error page if it does not exist?  I hope it's not 
> hardcoded in a servlet response.
> 
> FYI, we're going to remove the ROOT, docs, and examples folders to mitigate 
> other scan findings.
> 
> And we're using Tomcat 6.0.37 (ahem).

And you are worried about returning the version number? Have you seen
how many real security issues (as opposed to this version number
non-issue) there are in 6.0.37? I can't help but think your priorities
are all wrong.

Hiding the version info is trivial
Create the following directory structure:
$CATALINA_HOME/lib/org/apache/catalina/util

Download this file:
https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/java/org/apache/catalina/util/ServerInfo.properties?revision=1803960=co

Place it in that directory and modify the three properties to whatever
value you like.

Restart Tomcat.

Mark

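The override Mark describes above (and the same edit Alejandro makes by repacking catalina.jar earlier in this thread) can be scripted so it is repeatable across instances. The following is an added example, not code from the thread or from the Tomcat project: it writes the three properties into $CATALINA_HOME/lib/org/apache/catalina/util/ServerInfo.properties, where the common class loader finds them ahead of the copy inside catalina.jar, and it adds a check that no version-looking value is left behind. The function names and the neutral default strings are this example's own choices; any value is acceptable as far as Tomcat is concerned.

```shell
#!/bin/sh
# Added example (not from the thread): replace Tomcat's ServerInfo.properties
# from $CATALINA_HOME/lib instead of unpacking catalina.jar. The default error
# page footer reads its product string from this resource, so the exact
# version stops appearing there. Masking the banner does not fix anything in
# the server itself; an outdated Tomcat stays outdated.

# write_server_info CATALINA_HOME [server.info] [server.number] [server.built]
# Defaults are neutral strings chosen for this example; pass your own values.
write_server_info() {
    home="$1"
    info="${2:-Apache Tomcat}"
    number="${3:-}"
    built="${4:-}"
    dir="$home/lib/org/apache/catalina/util"
    mkdir -p "$dir" || return 1
    printf 'server.info=%s\nserver.number=%s\nserver.built=%s\n' \
        "$info" "$number" "$built" > "$dir/ServerInfo.properties"
}

# check_server_info CATALINA_HOME: succeed only if the override file exists
# and none of the three properties still carries a digit (i.e. a version or
# build date). Useful as a post-deployment check before the scanner runs.
check_server_info() {
    f="$1/lib/org/apache/catalina/util/ServerInfo.properties"
    [ -f "$f" ] || return 1
    grep -E '^server\.(info|number|built)=' "$f" | grep -Eq '[0-9]' && return 1
    return 0
}

# Usage (restart Tomcat afterwards, as the thread says):
#   write_server_info /opt/tomcat && check_server_info /opt/tomcat
```

Restart Tomcat after writing the file; the class loader reads the resource once at startup.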



Re: tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Leon Rosenberg
Hi Cris,

try to add following to your web.xml

<error-page>
    <error-code>404</error-code>
    <location>/error404.html</location>
</error-page>

regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US  wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>


tomcat 6 vulnerability scan default error page help

2018-05-02 Thread Berneburg, Cris J. - US
We are getting dinged by a vulnerability scan for the default not-found error 
page being returned by Tomcat for a Status 404.

On my dev server when requesting an invalid URL, Tomcat returns a Status 404 
page that displays the Tomcat version.  Right, I need to do something about 
that.

However, I can't find where the error-page for 404 is defined.  It's not 
defined in:
- webapps/ROOT/WEB-INF/web.xml
- conf/web.xml
- conf/server.xml
- conf/context.xml

Also, I can't find a notFound or error page either.

How do I get rid of or override the default error / 404 / not-found page if I 
can't find it or where it is currently defined?  Also, how is Tomcat returning 
the default 404 error page if it does not exist?  I hope it's not hardcoded in 
a servlet response.

FYI, we're going to remove the ROOT, docs, and examples folders to mitigate 
other scan findings.

And we're using Tomcat 6.0.37 (ahem).

--
Cris Berneburg
CACI Lead Software Engineer



Re: Jsp pages with scriptlet and javadoc comments loaded in char[]

2018-05-02 Thread Terence M. Bandoian

On 5/2/2018 07:30, M. Manna wrote:

Hi Mark,

Basically, our application has quite a lot of large objects which are
singletons. When we checked the list of char[] objects loaded in the
memory, some of them showed JspServlet related Strings and had commented
code loaded into char[].
we have quite a lot of Strings loaded in memory (using maps) which are
necessary. heap-dump will always report this as a memleak but it's not - So
trying to understand whether we can utilise anything from tomcat side to
remove
I understand it sounds odd, but at that point it appeared to be something
we can just strip out. But from your comments, it doesn't seem to be an
option.

Thanks,



Pre-compiling the JSP pages might be worth consideration.

-Terence Bandoian



On 2 May 2018 at 10:39, Mark Thomas  wrote:


On 02/05/18 10:31, M. Manna wrote:

Hi All,

I had a specific question regarding JSPs loaded in web-application
container for jasper to compilation. If I have a JSP page which has
scriptlet and javadoc comments/code comments, aren't those loaded into
the char[] of JSP pages too?

No.


I understand that Jasper compiles the JSPs but
those comments aren't stripped out (apologies if I have missed something
in source code). I am using tomcat 8.5.28.

Yes, they are. HTML comments (which are essentially template text) are not.


In other words, by cutting down all javadoc comments/commented code from
JSP scriptlets, can I assume some savings will be made in terms of char[]
memory size when my servers are very busy? I have about ~3k JSP pages
with a mixture of nice clean JSPs and really messy scriptlets. And I am trying
to find some options to tune GC and see if reducing char[] sizes can help
me in any way.

Seems like an odd way to tune GC. What problem are you trying to solve?

Mark







Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

2018-05-02 Thread Dirk Ooms
Mark,

you can reproduce it using the FormAuthentication example in the examples (
http://localhost:8080/examples/jsp/security/protected/)

edit index.jsp
1. add the line "RequestURI: <%= request.getRequestURI() %>" at the beginning of the body
2. change the method of the form from GET to POST

scenario:
1. go to http://localhost:8080/examples/jsp/security/protected/
2. log in
3. open second tab/window to same url
4. log out in second tab/window
5. go to initial window and submit form
6. log in again
7. observe the malformed requestURI

see also attached screenshots (if they make it to the mailing list).

dirk


On 1 May 2018 at 16:20, Dirk Ooms  wrote:

> apologies for the incomplete info. it is tomcat 9.0.6
>
> i will try to set up a test case and get back to you.
>
> dirk
>
>
> On 1 May 2018 at 16:07, Mark Thomas  wrote:
>
>> On 01/05/18 14:36, Dirk Ooms wrote:
>> > Hello,
>> >
>> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>> >
>> > in tomcat5.5 when a user was not logged in and he/she requested a url,
>> > the login page was returned and after logging in the user was given the
>> > requested resource. when i requested request.getRequestURI() in my code
>> > the returned uri was correct for both GET and POST.
>> >
>> > in tomcat9 this is not the case anymore for POST (for GET still ok).
>> > when i call request.getRequestURI() after the user is logged in, it returns
>> > "chString" in my case, which is a part of the name of the first form
>> > field ("searchString") of the original POST.
>> >
>> > any idea? am i missing something?
>>
>> The exact Tomcat 9 version.
>>
>> A test case that demonstrates the issue.
>>
>> Mark
>>
>>
>>
>


Re: Insert key-store implementation into Tomcat Connector

2018-05-02 Thread Mark Boon
Thank you for the information.

Mark Boon

On 5/2/18, 3:35 AM, "Mark Thomas"  wrote:

On 02/05/18 01:48, Mark Boon wrote:
> In the Tomcat TLS Connecter configuration, there’s the
> trustManagerClassName that can be set to a Java implementation of the
> X509TrustManager interface. There’s also a configuration called keystoreFile
> from which it will read the certificate-key pair to set up the SSL connection.
> I was wondering if there’s also a way to configure a class that will provide
> the SSL certificate? My company would like to plug in their own mechanism to
> store and retrieve certificates, rather than the Java Key Store.
>
> I have seen references to a keystoreProvider, but I have been unable to
> find anything that provides an example how that is to be used, so I’m not sure
> that serves for what I’m looking for.
>
> Any pointer to how that could be accomplished would be highly appreciated.

Writing a custom Keystore provider would be the most portable solution.


https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html

has some pointers.

Mark








Re: Problem finding native shared library (.so)

2018-05-02 Thread Guang Chao
On Wed, May 2, 2018 at 2:51 AM, Reynolds, Scott  wrote:

> Hi,
>
> I'm trying to deploy a webapp to Tomcat 8.0.39 on CentOS 7 x86_64 that
> depends on native shared libraries.  I can't install the shared libraries
> in a system-wide location because there are multiple applications/webapps
> being deployed to this system that use different versions of the same
> native shared libraries.  We're already running two instances of Tomcat to
> isolate the webapps from one another.  Here's what's going on:
>
> Tomcat #1 (/opt/tomcatwx) - The webapp described below is able to find all
> necessary native shared libraries
>
> bin/setenv.sh sources bin/setenv-wx.sh.
>
> bin/setenv-wx.sh appends -Djava.library.path=/usr/lib64:/lib64:/lib:/usr/lib:/opt/tomcatwx/lib/gdal to JAVA_OPTS.
>
> conf/catalina.properties appends ,"${catalina.home}/lib/gdal","${catalina.home}/lib/gdal/*.jar" to common.loader.
>
> lib/gdal contains the following files:
> drwxr-xr-x. 2 tomcatwx root     4096 Apr 16 01:06 data
> -rw-r--r--. 1 tomcatwx root   134785 Apr 16 00:59 gdal.jar
> -rwxr-xr-x. 1 tomcatwx root    86176 Apr 16 00:59 libgdalconstjni.so
> -rwxr-xr-x. 1 tomcatwx root  1911144 Apr 16 00:59 libgdaljni.so
> -rwxr-xr-x. 1 tomcatwx root 93499064 Apr 16 00:59 libgdal.so
> -rwxr-xr-x. 1 tomcatwx root   222448 Apr 16 00:59 libgnmjni.so
> -rwxr-xr-x. 1 tomcatwx root   968920 Apr 16 00:59 libogrjni.so
> -rwxr-xr-x. 1 tomcatwx root   483536 Apr 16 00:59 libosrjni.so
> -rw-r--r--. 1 tomcatwx root   335488 Apr 16 15:28 libproj.so
> -rw-r--r--. 1 tomcatwx root     2021 Apr 16 01:06 ./lib/gdal/data/gdalicon.png
> -rw-r--r--. 1 tomcatwx root    19884 Apr 16 01:06 ./lib/gdal/data/gdalvrt.xsd
> -rw-r--r--. 1 tomcatwx root   234839 Apr 16 01:06 ./lib/gdal/data/gdal_datum.csv
> -rwxr-xr-x. 1 tomcatwx root  1911144 Apr 16 00:59 ./lib/gdal/libgdaljni.so
> -rwxr-xr-x. 1 tomcatwx root    86176 Apr 16 00:59 ./lib/gdal/libgdalconstjni.so
> -rw-r--r--. 1 tomcatwx root   134785 Apr 16 00:59 ./lib/gdal/gdal.jar
> -rwxr-xr-x. 1 tomcatwx root 93499064 Apr 16 00:59 ./lib/gdal/libgdal.so
>
>
> Tomcat #2 (/srv/tomcat) - The webapp described below is unable to find a
> native shared library referenced by the JNI shared library.
> Native library load failed.
> java.lang.UnsatisfiedLinkError: /srv/tomcat/lib/3p/libgdaljni.so:
> libgdal.so.20: cannot open shared object file: No such file or directory
>
> bin/setenv.sh sources bin/setenv-3p.sh.
>
> bin/setenv-3-.sh appends -Djava.library.path=/srv/tomcat/lib/3p to
> JAVA_OPTS.
>
> conf/catalina.properties appends 
> ,"${catalina.home}/lib/3p","${catalina.home}/lib/3p/*.jar"
> to common.loader.
>
> lib/3p contains the following files:
> drwxr-xr-x. 2 tomcat tomcat 4096 Dec  5 20:04 gdal
> -rwxr-xr-x. 1 tomcat tomcat   128680 Dec  5 20:06 libgdalconstjni.so
> -rwxr-xr-x. 1 tomcat tomcat  1982984 Dec  5 20:06 libgdaljni.so
> lrwxrwxrwx. 1 tomcat tomcat       17 Dec  5 20:04 libgdal.so -> libgdal.so.20.3.101632
> lrwxrwxrwx. 1 tomcat tomcat       17 Dec  5 20:04 libgdal.so.20 -> libgdal.so.20.3.101632
> -rwxr-xr-x. 1 tomcat tomcat 93494552 Dec  5 20:04 libgdal.so.20.3.101632
> -rwxr-xr-x. 1 tomcat tomcat   294464 Dec  5 20:06 libgnmjni.so
> -rw-r--r--. 1 tomcat tomcat  3409872 Jul 15  2016 libjhdf5.so
> -rw-r--r--. 1 tomcat tomcat  1268496 Jul 15  2016 libjhdf.so
> -rwxr-xr-x. 1 tomcat tomcat  1039816 Dec  5 20:06 libogrjni.so
> -rwxr-xr-x. 1 tomcat tomcat   554768 Dec  5 20:06 libosrjni.so
> lrwxrwxrwx. 1 tomcat tomcat       17 Dec  5 19:35 libproj.so -> libproj.so.12.0.03
> lrwxrwxrwx. 1 tomcat tomcat       17 Dec  5 19:35 libproj.so.12 -> libproj.so.12.0.03
> -rwxr-xr-x. 1 tomcat tomcat  1871352 Dec  5 19:35 libproj.so.12.0.03
> drwxr-xr-x. 2 tomcat tomcat 4096 Dec  5 19:35 proj
>
>
I thought this is just a file permission issue, but you have rx for
everyone.  I think your best bet is to remove the symbolic link and copy
libgdal.so.20.3.101632 to libgdal.so.  Why are you using a symbolic link on
the second instance but not on the first? Why not just copy the whole file
structure from the first one?


> webapps/myapp/WEB-INF/lib contains the JNI jar:
> -rw-r--r--. 1 tomcat tomcat 134646 May  1 14:03 webapps/myapp/WEB-INF/lib/gdal-2.2.2.jar
>
> which references libgdaljni.so
> libgdaljni.so references libgdal.so
> which references libgdal.so.20
> which references libgdal.so.20.3.101632
>
> What have I failed to do that is preventing Tomcat/Java from finding the
> fully resolved libgdal.so that is in the same directory where it found
> libgdaljni.so?
>
> I tried eliminating the symbolic links by copying  libgdal.so.20.3.101632
> to libgdal.so, without success.
> I tried copying the gdal-2.2.2.jar to the lib/3p directory, without
> success.
>
> Thanks in advance for any help.
>
> Scott
>
>
>


-- 
Guang 
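The error in Scott's second instance is worth checking with a tool rather than by eye. java.library.path is consulted only when the JVM itself opens the JNI library (libgdaljni.so); the libraries that libgdaljni.so in turn depends on (libgdal.so.20, and through it libproj.so.12) are resolved by the dynamic linker, which searches the library's RPATH/RUNPATH, LD_LIBRARY_PATH and the ldconfig cache, not java.library.path. `ldd` prints exactly what the linker will and will not find. The following is an added example, not code from the thread: a parser for `ldd` output that lists the unresolved sonames, plus a wrapper that runs `ldd` with the candidate directory on LD_LIBRARY_PATH so the two cases can be compared. The function names are this example's own, and the sample `ldd` output is constructed to match the error message quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Diagnose "cannot open shared object
# file" for a JNI library: java.library.path only locates the JNI .so itself,
# so its own DT_NEEDED dependencies must be findable by the dynamic linker
# (RPATH/RUNPATH, LD_LIBRARY_PATH, or the ldconfig cache).

# missing_shared_deps: read `ldd <lib>` output on stdin, print one missing
# soname per line; return 1 if anything is missing, 0 if all resolve.
missing_shared_deps() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"=> not found"*)
                # Keep the soname: drop " => ..." and surrounding whitespace.
                name=${line%%=>*}
                name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                printf '%s\n' "$name"
                found=1
                ;;
        esac
    done
    return "$found"
}

# check_jni_lib LIB [LIBDIR]: run ldd on LIB with LIBDIR (default: LIB's own
# directory) prepended to LD_LIBRARY_PATH, the way setenv.sh would have to
# export it for the second Tomcat instance, and report what is still missing.
# Exit status follows missing_shared_deps, so it can gate a deployment script.
check_jni_lib() {
    lib="$1"
    dir="${2:-$(dirname "$1")}"
    LD_LIBRARY_PATH="$dir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ldd "$lib" | missing_shared_deps
}

# Constructed sample of `ldd libgdaljni.so` output reproducing the thread's
# failure (libgdal.so.20 not found); addresses are placeholders.
sample_ldd() {
    printf '\tlinux-vdso.so.1 =>  (0x00007ffd00000000)\n'
    printf '\tlibgdal.so.20 => not found\n'
    printf '\tlibstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f0000000000)\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)\n'
}

# Usage on a real instance:
#   check_jni_lib /srv/tomcat/lib/3p/libgdaljni.so
# Offline demonstration on the constructed sample:
#   sample_ldd | missing_shared_deps      # prints: libgdal.so.20
```

If `check_jni_lib` reports nothing missing once the directory is on LD_LIBRARY_PATH but `ldd` alone does, the fix is to export LD_LIBRARY_PATH in bin/setenv.sh (or to link libgdaljni.so with an RPATH) rather than to keep adjusting java.library.path.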


Re: Jsp pages with scriptlet and javadoc comments loaded in char[]

2018-05-02 Thread M. Manna
Hi Mark,

Basically, our application has quite a lot of large objects which are
singletons. When we checked the list of char[] objects loaded in the
memory, some of them showed JspServlet related Strings and had commented
code loaded into char[].
we have quite a lot of Strings loaded in memory (using maps) which are
necessary. heap-dump will always report this as a memleak but it's not - So
trying to understand whether we can utilise anything from tomcat side to
remove
I understand it sounds odd, but at that point it appeared to be something
we can just strip out. But from your comments, it doesn't seem to be an
option.

Thanks,

On 2 May 2018 at 10:39, Mark Thomas  wrote:

> On 02/05/18 10:31, M. Manna wrote:
> > Hi All,
> >
> > I had a specific question regarding JSPs loaded in web-application
> > container for jasper to compilation. If I have a JSP page which has
> > scriptlet and javadoc comments/code comments, aren't those loaded into
> > the char[] of JSP pages too?
>
> No.
>
> > I understand that Jasper compiles the JSPs but
> > those comments aren't stripped out (apologies if I have missed something
> > in source code). I am using tomcat 8.5.28.
>
> Yes, they are. HTML comments (which are essentially template text) are not.
>
> > In other words, by cutting down all javadoc comments/commented code from
> > JSP scriptlets, can I assume some savings will be made in terms of char[]
> > memory size when my servers are very busy? I have about ~3k JSP pages
> > with a mixture of nice clean JSPs and really messy scriptlets. And I am trying
> > to find some options to tune GC and see if reducing char[] sizes can help
> > me in any way.
>
> Seems like an odd way to tune GC. What problem are you trying to solve?
>
> Mark
>
>
>


Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation

2018-05-02 Thread Rémy Maucherat
On Wed, May 2, 2018 at 12:22 PM Mark Thomas  wrote:

> On 02/05/18 09:31, Rémy Maucherat wrote:
> > On Wed, May 2, 2018 at 5:19 AM Hugh H  wrote:
> >
> >> Hi Mark,
> >>
> >> Here are the logs you requested
> >>
> >> client:
> >> https://1drv.ms/t/s!Aii8T4l0bnqVlyAuRIjSuluBe8vy
> >>
> >> server:
> >> https://1drv.ms/u/s!Aii8T4l0bnqVlx-TGo6I0dMXZxG1
> >>
> >>
> >> I checked the system clock right before my testing and the server and
> the
> >> client are synchronized.
> >>
> >
> > Ok, so all seems fine with the SSL handshake, reading the request data,
> but
> > then there is some error processing the request. The processor is already
> > recycled and the ERROR status leads to closing.
> >
> > I have no idea what could fail or how since it's a 100% super simple
> > request. Maybe enable FINE for everything and trying to see what happens
> > between these two:
> > 01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
> > org.apache.coyote.AbstractProcessorLight.process Socket:
> > [org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper@ed820bc
> > :org.apache.tomcat.util.net.SecureNio2Channel@2878c1ae:sun.nio.ch
> .UnixAsynchronousSocketChannelImpl[connected
> > local=/1***.***.***.*67:11443 remote=/1**.***.***.*81:24776]], Status in:
> > [OPEN_READ], State out: [OPEN]
> > 01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
> > org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
> > Processor [org.apache.coyote.http11.Http11Processor@739e50bf]
>
> I read those logs slightly differently. The first request appears to be
> processed normally. The "State out: [OPEN]" indicates that.
>
> The processing thread (https-openssl-nio2-11443-exec-5) completes
> normally. There is no pipelined data else it would be processed on this
> same thread.
>
> The next log message is on a new thread:
>
> 01-May-2018 15:22:25.867 FINE [https-openssl-nio2-11443-exec-6]
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing
> socket
> [org.apache.tomcat.util.net.SecureNio2Channel@2878c1ae:sun.nio.ch
> .UnixAsynchronousSocketChannelImpl[connected
> local=/1***.***.***.*67:11443 remote=/1**.***.***.*81:24776]] with
> status [ERROR]
>
> That indicates to me that at some point during the processing of the
> request, an error occurred and a call was made to endpoint.processSocket
> with SocketEvent.ERROR. Because we only allow a single thread to use a
> socket at a time, this event was queued until the previous thread
> completed. As soon as exec-5 completed, this event was processed on
> exec-6 and closed the socket.
>
> Since the client never receives the response, my guess is that there is
> an I/O error on the write.
>
> I've looked at all the places were SocketEvent.ERROR is triggered. If
> you exclude Async requests, HTTP/2 and WebSocket and anything associated
> with the NIO or APR connectors, the only thing left is the NIO2
> completion handlers. It looks like one of the completion handlers is
> failing. The problem is that we don't know why.
>
> I think it makes sense to add some debug logging to each of the NIO2
> completion handlers that logs the exception in case of a failure.
>
> If I do this, are you able to build Tomcat trunk from source and re-test
> with that?
>

If it is only blocking writes causing an error, then it's not using any
completion handlers, it's the future write in
SecureNio2Channel.FutureWrite. Ok with adding debug logging for the
"fails", it doesn't hurt obviously.

Rémy


Re: Information on sessionCacheSize !

2018-05-02 Thread Mark Thomas
On 02/05/18 01:18, Utkarsh Dave wrote:
> Hello Team and Tomcat users,
> 
> I am trying to gather more information and the effect of parameter
> "sessionCacheSize" in server.xml for a ssl connector.
> I see this from the documentation "The number of SSL sessions to maintain
> in the session cache."

See also:
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSessionContext.html#setSessionCacheSize-int-

This is where the provided value ends up.

> If i do not add this parameter...my tomcat slows down and all the web
> access becomes extremly slow within a couple of days.
> This is because by default "0" size is assigned to this parameter which
> means unlimited cached sessions.
> So we added the parameter with the value of sessionCacheSize=1
> What is the effect of 10k cached session on tomcat, can the problem reoccur
> once 10k sessions are cached back.

Each system will be different. The only way to know the impact on your
system is to test it.

> I am planning to modify it to test this with a value of sessionCacheSize=1.
> How can I test to come to a good value for sessionCacheSize?

Profiling and testing.

Mark

> My product is using tomcat 7.0.81 (bio connector) with openjdk1.7.0.161 on
> Linux RedHat 6.
> 
> -Thanks
> Utkarsh
> 
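Mark's pointer above is to javax.net.ssl.SSLSessionContext, which is where a connector's sessionCacheSize ends up. The following is an added example, not code from this thread or from Tomcat: a small probe around that API that applies a limit and then inspects the server-side cache to tell whether the size limit, rather than the session timeout, is what is evicting entries. The class and method names are mine; it assumes (my understanding, not stated in the thread) that the connector's sessionTimeout attribute maps onto setSessionTimeout in the same way sessionCacheSize maps onto setSessionCacheSize.

```java
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;

/**
 * Probe for the JSSE server-side TLS session cache that a connector's
 * sessionCacheSize feeds. Hypothetical helper, not part of Tomcat.
 */
public class SslSessionCacheProbe {

    /** What one look at the cache tells you. */
    public static final class Snapshot {
        public final int sessions;           // entries currently held
        public final long oldestAgeSeconds;  // age of the oldest live entry
        Snapshot(int sessions, long oldestAgeSeconds) {
            this.sessions = sessions;
            this.oldestAgeSeconds = oldestAgeSeconds;
        }
        @Override public String toString() {
            return sessions + " session(s), oldest " + oldestAgeSeconds + "s";
        }
    }

    /** Apply the limits a connector would; 0 means "no bound" for both setters. */
    public static SSLSessionContext configure(SSLContext ctx, int cacheSize, int timeoutSeconds) {
        SSLSessionContext server = ctx.getServerSessionContext();
        server.setSessionCacheSize(cacheSize);   // sessionCacheSize in server.xml lands here
        server.setSessionTimeout(timeoutSeconds); // assumption: sessionTimeout lands here
        return server;
    }

    /** Walk the cache by id. An id can expire between getIds() and getSession(), hence the null check. */
    public static Snapshot snapshot(SSLSessionContext sc, long nowMillis) {
        int n = 0;
        long oldest = 0;
        for (Enumeration<byte[]> ids = sc.getIds(); ids.hasMoreElements();) {
            SSLSession s = sc.getSession(ids.nextElement());
            if (s == null) {
                continue;
            }
            n++;
            oldest = Math.max(oldest, (nowMillis - s.getCreationTime()) / 1000);
        }
        return new Snapshot(n, oldest);
    }

    /**
     * The size limit is the binding constraint when the cache is full while its oldest
     * entry is still younger than the timeout: entries are being evicted early, so
     * clients that try to resume fall back to full handshakes. That is the signal that
     * the configured sessionCacheSize is too small for the traffic (or the timeout too long).
     */
    public static boolean cacheSizeIsBinding(Snapshot snap, SSLSessionContext sc) {
        int limit = sc.getSessionCacheSize();
        int timeout = sc.getSessionTimeout();
        return limit > 0 && snap.sessions >= limit
                && (timeout == 0 || snap.oldestAgeSeconds < timeout);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers are enough to reach the session context
        SSLSessionContext sc = ctx.getServerSessionContext();
        System.out.println("JDK default: cacheSize=" + sc.getSessionCacheSize()
                + " timeout=" + sc.getSessionTimeout() + "s");
        configure(ctx, 10000, 600);
        Snapshot snap = snapshot(sc, System.currentTimeMillis());
        System.out.println(snap + "; size limit binding: " + cacheSizeIsBinding(snap, sc));
    }
}
```

The probe is meant for a load-test harness that owns the SSLContext handling the traffic; sampled repeatedly under realistic load it shows whether the cache fills up before sessions time out, which is the profiling Mark refers to, rather than guessing a number.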


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Insert key-store implementation into Tomcat Connector

2018-05-02 Thread Mark Thomas
On 02/05/18 01:48, Mark Boon wrote:
> In the Tomcat TLS Connector configuration, there’s the trustManagerClassName
> that can be set to a Java implementation of the X509TrustManager interface. 
> There’s also a configuration called keystoreFile from which it will read the 
> certificate-key pair to set up the SSL connection. I was wondering if there’s 
> also a way to configure a class that will provide the SSL certificate? My 
> company would like to plug in their own mechanism to store and retrieve 
> certificates, rather than the Java Key Store.
> 
> I have seen references to a keystoreProvider, but I have been unable to find 
> anything that provides an example how that is to be used, so I’m not sure 
> that serves for what I’m looking for.
> 
> Any pointer to how that could be accomplished would be highly appreciated.

Writing a custom Keystore provider would be the most portable solution.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html

has some pointers.

Mark
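Since the question was the lack of an example of how keystoreProvider is used, here is one. It is an added example, not code from this thread or from Tomcat: a JCA Provider that registers a read-only KeyStore type, "COMPANY", whose load step pulls a PKCS#12 blob from a hypothetical company-side source instead of a file, and which otherwise delegates every lookup to an in-memory PKCS#12 store. The names CompanyProvider, COMPANY and CertificateSource are mine; the connector attributes it would be paired with are keystoreType and keystoreProvider from the Tomcat configuration reference, and it assumes (as Tomcat does for PKCS11) that keystoreFile="NONE" makes Tomcat call load(null, password) rather than open a file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.KeyStoreSpi;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;

/**
 * Example provider registering KeyStore type "COMPANY". With the provider on Tomcat's
 * classpath, a connector would reference it as keystoreType="COMPANY"
 * keystoreProvider="CompanyProvider" keystoreFile="NONE" (assumption, see lead-in).
 */
public final class CompanyProvider extends Provider {
    public static final String NAME = "CompanyProvider";
    public static final String KEYSTORE_TYPE = "COMPANY";

    /** Hypothetical hook into the company's certificate storage; not a real API. */
    @FunctionalInterface
    public interface CertificateSource {
        /** PKCS#12 bytes holding the server key and chain, or null when nothing is provisioned. */
        byte[] fetchPkcs12() throws IOException;
    }

    /* Tomcat instantiates the SPI reflectively, so the source is wired through a static hook. */
    private static volatile CertificateSource source = () -> null;

    public static void setCertificateSource(CertificateSource s) { source = s; }

    public CompanyProvider() {
        super(NAME, 1.0, "KeyStore backed by the company certificate service (example)");
        put("KeyStore." + KEYSTORE_TYPE, CompanyKeyStore.class.getName());
    }

    /** Read-only KeyStoreSpi: engineLoad pulls the material from the source; lookups delegate. */
    public static final class CompanyKeyStore extends KeyStoreSpi {
        private KeyStore delegate;

        @FunctionalInterface
        private interface Lookup<T> { T get() throws GeneralSecurityException; }

        /* Delegate calls only fail when uninitialised, which engineLoad rules out. */
        private static <T> T unchecked(Lookup<T> l) {
            try { return l.get(); } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        }

        @Override
        public void engineLoad(InputStream stream, char[] password)
                throws IOException, NoSuchAlgorithmException, CertificateException {
            KeyStore ks;
            try { ks = KeyStore.getInstance("PKCS12"); } catch (KeyStoreException e) { throw new IOException(e); }
            byte[] p12 = source.fetchPkcs12(); // 'stream' is ignored: material never comes from a file
            ks.load(p12 == null ? null : new ByteArrayInputStream(p12), password);
            delegate = ks;
        }

        @Override
        public Key engineGetKey(String alias, char[] password)
                throws NoSuchAlgorithmException, UnrecoverableKeyException {
            try { return delegate.getKey(alias, password); } catch (KeyStoreException e) { throw new IllegalStateException(e); }
        }
        @Override public Certificate[] engineGetCertificateChain(String alias) { return unchecked(() -> delegate.getCertificateChain(alias)); }
        @Override public Certificate engineGetCertificate(String alias) { return unchecked(() -> delegate.getCertificate(alias)); }
        @Override public Date engineGetCreationDate(String alias) { return unchecked(() -> delegate.getCreationDate(alias)); }
        @Override public Enumeration<String> engineAliases() { return unchecked(() -> delegate.aliases()); }
        @Override public boolean engineContainsAlias(String alias) { return unchecked(() -> delegate.containsAlias(alias)); }
        @Override public int engineSize() { return unchecked(() -> delegate.size()); }
        @Override public boolean engineIsKeyEntry(String alias) { return unchecked(() -> delegate.isKeyEntry(alias)); }
        @Override public boolean engineIsCertificateEntry(String alias) { return unchecked(() -> delegate.isCertificateEntry(alias)); }
        @Override public String engineGetCertificateAlias(Certificate cert) { return unchecked(() -> delegate.getCertificateAlias(cert)); }

        /* Provisioning happens out of band; the server never needs to write through this store. */
        @Override public void engineSetKeyEntry(String a, Key k, char[] p, Certificate[] c) throws KeyStoreException { throw readOnly(); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] c) throws KeyStoreException { throw readOnly(); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException { throw readOnly(); }
        @Override public void engineDeleteEntry(String a) throws KeyStoreException { throw readOnly(); }
        @Override public void engineStore(OutputStream out, char[] p) throws IOException { throw new IOException("COMPANY keystore is read-only"); }
        private static KeyStoreException readOnly() { return new KeyStoreException("COMPANY keystore is read-only"); }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new CompanyProvider());
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, NAME); // the lookup Tomcat's JSSE code performs
        ks.load(null, "changeit".toCharArray());                 // constructed run: the source returns null, so the store is empty
        System.out.println("loaded " + ks.size() + " entries, aliases " + Collections.list(ks.aliases()));
    }
}
```

Keeping the store read-only and delegating to a PKCS#12 instance means the JDK does the parsing and Tomcat's KeyManagerFactory sees an ordinary KeyStore; the only company-specific code is the fetch. Registering the provider statically (java.security or a Security.addProvider call at startup) rather than per connector keeps the SSL handshake path free of any lookup into the company service.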




Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation

2018-05-02 Thread Mark Thomas
On 02/05/18 09:31, Rémy Maucherat wrote:
> On Wed, May 2, 2018 at 5:19 AM Hugh H  wrote:
> 
>> Hi Mark,
>>
>> Here are the logs you requested
>>
>> client:
>> https://1drv.ms/t/s!Aii8T4l0bnqVlyAuRIjSuluBe8vy
>>
>> server:
>> https://1drv.ms/u/s!Aii8T4l0bnqVlx-TGo6I0dMXZxG1
>>
>>
>> I checked the system clock right before my testing and the server and the
>> client are synchronized.
>>
> 
> Ok, so all seems fine with the SSL handshake, reading the request data, but
> then there is some error processing the request. The processor is already
> recycled and the ERROR status leads to closing.
> 
> I have no idea what could fail or how since it's a 100% super simple
> request. Maybe enable FINE for everything and trying to see what happens
> between these two:
> 01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
> org.apache.coyote.AbstractProcessorLight.process Socket:
> [org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper@ed820bc
> :org.apache.tomcat.util.net.SecureNio2Channel@2878c1ae:sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected
> local=/1***.***.***.*67:11443 remote=/1**.***.***.*81:24776]], Status in:
> [OPEN_READ], State out: [OPEN]
> 01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
> org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
> Processor [org.apache.coyote.http11.Http11Processor@739e50bf]

I read those logs slightly differently. The first request appears to be
processed normally. The "State out: [OPEN]" indicates that.

The processing thread (https-openssl-nio2-11443-exec-5) completes
normally. There is no pipelined data else it would be processed on this
same thread.

The next log message is on a new thread:

01-May-2018 15:22:25.867 FINE [https-openssl-nio2-11443-exec-6]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing
socket
[org.apache.tomcat.util.net.SecureNio2Channel@2878c1ae:sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected
local=/1***.***.***.*67:11443 remote=/1**.***.***.*81:24776]] with
status [ERROR]

That indicates to me that at some point during the processing of the
request, an error occurred and a call was made to endpoint.processSocket
with SocketEvent.ERROR. Because we only allow a single thread to use a
socket at a time, this event was queued until the previous thread
completed. As soon as exec-5 completed, this event was processed on
exec-6 and closed the socket.

Since the client never receives the response, my guess is that there is
an I/O error on the write.

I've looked at all the places where SocketEvent.ERROR is triggered. If
you exclude Async requests, HTTP/2 and WebSocket and anything associated
with the NIO or APR connectors, the only thing left is the NIO2
completion handlers. It looks like one of the completion handlers is
failing. The problem is that we don't know why.

I think it makes sense to add some debug logging to each of the NIO2
completion handlers that logs the exception in case of a failure.

If I do this, are you able to build Tomcat trunk from source and re-test
with that?

Mark




Re: Jsp pages with scriptlet and javadoc comments loaded in char[]

2018-05-02 Thread Mark Thomas
On 02/05/18 10:31, M. Manna wrote:
> Hi All,
> 
> I had a specific question regarding JSPs loaded in web-application
> container for Jasper to compile. If I have a JSP page which has
> scriptlet and javadoc comments/code comments, aren't those loaded into the
> char[] of JSP pages too?

No.

> I understand that Jasper compiles the JSPs but
> those comments aren't stripped out (apologies if I have missed something in
> source code). I am using tomcat 8.5.28.

Yes, they are. HTML comments (which are essentially template text) are not.

> In other words, by cutting down all javadoc comments/commented code from
> JSP scriptlets, can I assume some savings will be made in terms of char[]
> memory size when my servers are very busy? I have about ~3k JSP pages with
> a mixture of nice clean JSPs and really messy scriptlets. And I am trying
> to find some options to tune GC and see if reducing char[] sizes can help
> me in any way.

Seems like an odd way to tune GC. What problem are you trying to solve?

Mark




Jsp pages with scriptlet and javadoc comments loaded in char[]

2018-05-02 Thread M. Manna
Hi All,

I had a specific question regarding JSPs loaded in web-application
container for Jasper to compile. If I have a JSP page which has
scriptlet and javadoc comments/code comments, aren't those loaded into the
char[] of JSP pages too? I understand that Jasper compiles the JSPs but
those comments aren't stripped out (apologies if I have missed something in
source code). I am using tomcat 8.5.28.

In other words, by cutting down all javadoc comments/commented code from
JSP scriptlets, can I assume some savings will be made in terms of char[]
memory size when my servers are very busy? I have about ~3k JSP pages with
a mixture of nice clean JSPs and really messy scriptlets. And I am trying
to find some options to tune GC and see if reducing char[] sizes can help
me in any way.

Regards,


Re: slow or timeout with client certificate and some http client against tomcat 8.5 with Nio2 OpenSSL implementation

2018-05-02 Thread Rémy Maucherat
On Wed, May 2, 2018 at 5:19 AM Hugh H  wrote:

> Hi Mark,
>
> Here are the logs you requested
>
> client:
> https://1drv.ms/t/s!Aii8T4l0bnqVlyAuRIjSuluBe8vy
>
> server:
> https://1drv.ms/u/s!Aii8T4l0bnqVlx-TGo6I0dMXZxG1
>
>
> I checked the system clock right before my testing and the server and the
> client are synchronized.
>

Ok, so all seems fine with the SSL handshake, reading the request data, but
then there is some error processing the request. The processor is already
recycled and the ERROR status leads to closing.

I have no idea what could fail or how since it's a 100% super simple
request. Maybe enable FINE for everything and trying to see what happens
between these two:
01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper@ed820bc
:org.apache.tomcat.util.net.SecureNio2Channel@2878c1ae:sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected
local=/1***.***.***.*67:11443 remote=/1**.***.***.*81:24776]], Status in:
[OPEN_READ], State out: [OPEN]
01-May-2018 15:22:25.854 FINE [https-openssl-nio2-11443-exec-5]
org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
Processor [org.apache.coyote.http11.Http11Processor@739e50bf]

Rémy


>
> Thanks,
> Hugh
>
> On May 1, 2018, at 9:31 AM, Mark Thomas > wrote:
>
> On 01/05/18 03:11, 旭东 胡 wrote:
> Hi Mark,
>
> Unfortunately,  8.5.31 does not resolve my issue. You can find the
> catalina.out log by https://1drv.ms/u/s!Aii8T4l0bnqVlx0mqtHngJ_1OvRo.
> From my client log the timeout occurs:
> 1. between 15:03:48 and 15:04:48
> 2. between 15:04:48 and 15:05:48
> 3. between 15:05:49 and 15:06:49
> 4. between 15:06:59 and 15:07:49
> 5. between 15:07:59 and 15:08:49
> 6. between 15:08:59 and 15:09:49
>
> The problematic port is 11443. Sorry, there is a health check, which I
> cannot turn off, on port 10443 adding a lot of noise.
>
> OK.
>
> First of all, please ensure that the time on the client and server are
> synchronized. Given that the server log doesn't show the server starting
> until 15:04:00 the client and server look to be ~25 seconds out of sync.
>
> What I see in most of the connections is the TLS handshake completing
> and the I/O layer passing the socket to the protocol layer for
> processing. The socket is returned from the protocol layer with an
> instruction to close the socket.
>
> We need to see what is happening in the protocol layer. Please add the
> following to logging.properties, restart Tomcat 8.5.31 and repeat your
> test:
> org.apache.coyote.level=FINE
>
> Please also include the client logs this time.
>
> Thanks,
>
> Mark
>
>
>
> Thanks,
> Hugh
>
> On Apr 30, 2018, at 5:08 AM, Mark Thomas > wrote:
>
> On 30/04/18 01:48, ** * wrote:
> Hi,
>
> I met a weird issue during setting up tomcat 8.5 with Http11Nio2Protocol
> connector and OpenSSLImplementation. The issue is that a request would be
> timeout using apache HttpClient and client certificate after several
> previous requests. It also happens with RestAssured and SoapUI. Please note
> it works fine for first several requests and then failed with timeout.
>
> However, this issue is not observed when JMeter, with both the JAVA and
> non-JAVA implementations tried, and the insomnia REST client are being used. I used a
> static page to rule out application factors. Also Http11NioProtocol works
> fine for all above clients. The only thing I changed for Http11NioProtocol
> is to specify protocol="org.apache.coyote.http11.Http11NioProtocol"
> instead of protocol="org.apache.coyote.http11.Http11Nio2Protocol". Also, I
> have another connector configured not checking client certificate. This
> one also works fine regardless of Http11NioProtocol or Http11Nio2Protocol
> being used.
>
> Would you please help to identify if I have anything wrong in my
> configuration?  I tried to set the log level to fine. But I did not find
> anything useful. Please help.
>
> 8.5.31 fixes an error in this area that might be relevant. The release
> vote for 8.5.31 is currently in progress. Details on the dev@ list. If
> you could download the 8.5.31 release candidate and test against that,
> that would be helpful.
>
> If that doesn't work then we'll need the following (again with 8.5.31 so
> we are testing the latest code):
>
> Enable debug logging for the I/O layer:
> org.apache.tomcat.util.net.level=FINE
>
> Enable TLS debug logging for the client:
> -Djavax.net.debug=all
>
> Recreate the problem.
>
> Provide us with:
> - the logs for the 30s before the error and 5s after it
> - the point in the logs where the error occurred
>
> Thanks,
>
> Mark
>