Re: application goes down after restart the tomcat server 8.29 or restart the OS

2018-06-08 Thread Loai Abdallatif
Thanks Chris, your input is appreciated

On Fri, Jun 8, 2018 at 10:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Loai,
>
> On 6/7/18 5:26 PM, Loai Abdallatif wrote:
> > thanks Chris, yes the apps are dependent on each other
>
> Sounds like you need to loosen that requirement.
>
> Try techniques such as "lazy initialization", or even
> automated-retries if something isn't up the first time to try to
> connect to it.
>
> Good luck,
> -chris
>
> > On Thu, Jun 7, 2018 at 5:12 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Loai,
> >
> > On 6/6/18 4:32 PM, Loai Abdallatif wrote:
> > > Dear Colleagues I have HR application deployed on two tomcat
> > > workers, but when I restart the tomcat instance or restart
> > > the OS, then the application failed to start and just works
> > > if I re-deploy the application again, please advise
> >
> > My guess is that your application relies on load-order of
> > applications being initialized, and when one of the dependencies
> > isn't running, the application cannot start.
> >
> > If that's the case, you need to make sure that your applications
> > can tolerate unavailability of any dependencies during startup.
> >
> > -chris


Re: Configuration of Tomcat Container to use SAML authentication

2018-06-08 Thread Christopher Schultz

Sandeep,

On 6/8/18 10:39 AM, Sandeep Muddamsetty wrote:
> We are trying to implement SAML SSO configuration on Tomcat 8.5.X
> servers. As we came to know that there is no direct
> implementation of this authentication process through some of the
> blogs and need to depend on third party tools to make it possible.
> As we are seeing so many tools while searching for this but not
> getting exact information to use which tool. Do we have any Apache
> recommended tools for this?

I don't have a particular recommendation for you, but if you find
something that works well, would you mind sharing your experience with
the community?

I have implemented SAML SSO myself, but we don't use Tomcat's built-in
authentication and authorization framework, so it wouldn't be applicable.

You will almost certainly have to implement a Valve (which is a
Tomcat-specific component) to accomplish this. You might want to look
at the org.apache.catalina.authenticator.FormAuthenticator source code
to see how it's done. Much of the heavy-lifting is done by the
AuthenticatorBase class, but the
doAuthenticate(Request,HttpServletResponse) method is where the "real
work" gets done to handle the incoming data, etc.

I suspect if you began with that code and started chopping-out pieces
and replacing them with parsing of the SAML response, validating and
verifying its authenticity, and then obtaining the user's identity
through the various SAML attributes sent by the identity provider, you
could get quite far on your own.

If you want to use an outside authentication system, it wouldn't
surprise me to discover that Spring Security already had a plug-in for
this kind of thing.

Hope that helps,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: CONFIGURATION OF REALM

2018-06-08 Thread Christopher Schultz

Jonathan,

On 6/8/18 10:33 AM, Jonathan Kilach wrote:
> I have tomcat 8.5 installed on windows 7. The unit is functional,
> no errors. I am working with an open source web app (Open Baraza
> from https://sourceforge.net/projects/obsacco/files/?source=navbar) and
> have it successfully installed, I suppose the database is correctly
> set as it is able to open the web app interface.
>
> However, in the login screen of the webapp (Open Baraza) once I
> input the log in prompts for user name and password I am unable to
> log in due to password/username do not match. I am sure of the
> username and password since I can access the table from pg admin
> to see them and also it is the default for the app as per initial
> setup. I suppose there is more configuration needed to be done on
> realm authentication as below are the errors generated in the *log
> file* by tomcat

Do you know if the application manages logins or if the container
(Tomcat) does?

> Help me configure realm if that is where the error is so that I
> can log in to the app
> 
> *Error message generated by catalina logfiles.*
> 
> 08-Jun-2018 00:27:52.856 INFO [localhost-startStop-1] 
> org.apache.catalina.startup.HostConfig.deployDirectory Deploying 
> web application directory [C:\tomcat8.5\webapps\baraza]
> 08-Jun-2018 00:27:52.884 WARNING [localhost-startStop-1] 
> org.apache.tomcat.util.digester.SetPropertiesRule.begin 
> [SetPropertiesRule]{Context/Realm} Setting property 'digest' to 
> 'md5' did not find a matching property.

That's a BIG RED FLAG right there.

If the application is using md5 hashes to store its passwords, it's
very poorly written. Fortunately, there is a migration path to
non-crappy security[1].

> --- *realm 
> class configuration in /config/server.xml*
> 
>  dataSourceName="jdbc/authority" userTable="entitys" 
> userNameCol="user_name" userCredCol="entity_password" 
> userRoleTable="entitys" roleNameCol="function_role"/>
> 
> 

Tomcat doesn't use /config/server.xml. Is that a part of a local
customization?

The content looks okay, other than "entities" being misspelled. I'd be
surprised if the "userTable" and the "userRoleTable" are supposed to
be the same thing. Usually, user-to-role is a many-to-many
relationship, not a one-to-one kind of thing. Unless users have
exactly one role.

>  *context configuration in 
> /config/context.xml*
> 
> 
> 
> type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
> url="jdbc:postgresql://127.0.0.1:5432/sacco"
> username="postgres" password="" maxTotal="20" maxIdle="10"
> maxWaitMillis="-1"/>
> 
> 
> 

That looks okay except:

1. /config/context.xml isn't a usual Tomcat configuration file. Local
customization?

2. If /config/context.xml is really CATALINA_BASE/conf/context.xml,
then that <Resource> is available to every single web application in
the whole container. It would be better to put that <Resource> into
your application's META-INF/context.xml file instead of the global one.

> ___ *context configuration in 
> /META-INF/context.xml*
> 
> 
> 
> userNameCol="user_name" roleNameCol="function_role"
> userCredCol="entity_password" digest="md5"
> className="org.apache.catalina.realm.JDBCRealm" userRoleTable="entitys"
> driverName="org.postgresql.Driver"
> connectionName="postgres">
> 
>  name="jdbc/postgres" maxWait="50" removeAbandoned="true" 
> driverClassName="org.postgresql.Driver"
> type="javax.sql.DataSource" password=""
> url="jdbc:postgresql://localhost/sacco" auth="Container"
> removeAbandonedTimeout="50">
> 
> 

Okay, so all of that stuff is in two places at once. Given the warning
you are getting about the digest="md5" in the log file, Tomcat is
clearly building the DataSource in your META-INF/context.xml file.

If you are going to be defining both the <Resource> and the <Realm> in
META-INF/context.xml, then you need to add localDataSource="true" to
the <Realm> so it knows it's not a "global data source", coming from
server.xml in <GlobalNamingResources>. I would recommend not putting
any of this in server.xml.

Hope that helps,
-chris

[1] http://tomcat.apache.org/presentations.html [search for "seamless
upgrades"]
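
A sketch of the layout recommended in the reply above, added here as an example and not taken from the thread or from Open Baraza: the Realm and its DataSource both sit in the application's META-INF/context.xml, and the unrecognised digest="md5" attribute is replaced by Tomcat 8.5's nested CredentialHandler elements. The DataSourceRealm class name, the jdbc/authority resource name, the PBKDF2 parameters and the password placeholder are assumptions; the table and column names are the ones in the quoted configuration.

```xml
<!-- META-INF/context.xml (added example, not the application's own file) -->
<Context>
  <!-- DataSource scoped to this web application only.
       The password value is a placeholder. -->
  <Resource name="jdbc/authority" auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://127.0.0.1:5432/sacco"
            username="postgres" password="CHANGE_ME"
            maxTotal="20" maxIdle="10" maxWaitMillis="-1"/>

  <!-- localDataSource="true": look the DataSource up in this Context,
       not in the global resources of server.xml. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority" localDataSource="true"
         userTable="entitys" userNameCol="user_name"
         userCredCol="entity_password"
         userRoleTable="entitys" roleNameCol="function_role">

    <!-- Tomcat 8.5 has no digest attribute on the Realm (hence the
         SetPropertiesRule warning). Without a configured handler the
         submitted password is compared to the stored value as plain text,
         which cannot match a column holding MD5 hex digests. -->
    <CredentialHandler
        className="org.apache.catalina.realm.NestedCredentialHandler">
      <!-- Tried first: salted PBKDF2, stored as salt$iterations$hash.
           Algorithm and sizes are sample values. -->
      <CredentialHandler
          className="org.apache.catalina.realm.SecretKeyCredentialHandler"
          algorithm="PBKDF2WithHmacSHA512"
          iterations="100000" keyLength="256" saltLength="16"/>
      <!-- Fallback: still verifies rows that hold a bare MD5 hex digest. -->
      <CredentialHandler
          className="org.apache.catalina.realm.MessageDigestCredentialHandler"
          algorithm="MD5"/>
    </CredentialHandler>
  </Realm>
</Context>
```

Rows that still hold MD5 digests keep verifying through the second handler; the application has to re-store each password in the PBKDF2 format before the MD5 handler can be dropped.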


Re: application goes down after restart the tomcat server 8.29 or restart the OS

2018-06-08 Thread Christopher Schultz

Loai,

On 6/7/18 5:26 PM, Loai Abdallatif wrote:
> thanks Chris, yes the apps are dependent on each other

Sounds like you need to loosen that requirement.

Try techniques such as "lazy initialization", or even
automated-retries if something isn't up the first time to try to
connect to it.

Good luck,
-chris

> On Thu, Jun 7, 2018 at 5:12 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Loai,
> 
> On 6/6/18 4:32 PM, Loai Abdallatif wrote:
> > Dear Colleagues I have HR application deployed on two tomcat
> > workers, but when I restart the tomcat instance or restart
> > the OS, then the application failed to start and just works
> > if I re-deploy the application again, please advise
> 
> My guess is that your application relies on load-order of
> applications being initialized, and when one of the dependencies
> isn't running, the application cannot start.
> 
> If that's the case, you need to make sure that your applications
> can tolerate unavailability of any dependencies during startup.
> 
> -chris



Re: SPENGO config in Tomcat's web.xml

2018-06-08 Thread Mark Thomas
On 08/06/18 17:26, Randy Oun wrote:
> Hello Tomcat user group.
> 
> I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO.  Since the Tomcat
> server will be only hosting one web application and we only want SPNEGO
> only on certain environments we were trying to add security constraints to
> Tomcat's web.xml instead of the application's web.xml.
>
> Unfortunately it doesn't seem like it is taking effect.  The only change
> is adding the app's URI context to the url-pattern in Tomcat's web.xml.
> 
> Is something misconfigured?

Yes.

The global web.xml is merged into the application web.xml for every web
application.

You want to use exactly the same URLs (no leading "/app") in the global
web.xml as you do in the application web.xml.

As an aside, configuring application specific settings in the global
web.xml is not recommended. If you ever need to deploy a second web
application you are going to have difficulties.

Mark



>  If not, what can I do to get this to work?
> 
> In TOMCAT_HOME/conf/web.xml...
> -
> 
> 
>   
> NoSSO
> URIs that should not trigger
> SPNEGO
> /app/ping
>  /app/ws/*
>  /app/service/*
>   
> 
>   
>   
> 
>   SSO
>   Default context path that will trigger
> Kerberos-SPNEGO SSO
>   /app/*
> 
> 
>   **
> 
>   
>   
> SPNEGO
> SPNEGO Realm
>   
> 
> In app web.xml...
> ---
> 
> 
>   
> NoSSO
> URIs that should not trigger
> SPNEGO
> /ping
>  /ws/*
>  /service/*
>   
> 
>   
>   
> 
>   SSO
>   Default context path that will trigger
> Kerberos-SPNEGO SSO
>   /*
> 
> 
>   **
> 
>   
>   
> SPNEGO
> SPNEGO Realm
>   
> 
> Thanks!
> 
> Randy
> 
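
The correction Mark describes, written out as an added example that is not part of the original thread. The archive stripped the XML tags from Randy's post, so the element names below are the standard Servlet deployment-descriptor elements and are an assumption about what he wrote; the names, descriptions, patterns, role and login settings are the values from his post.

```xml
<!-- TOMCAT_HOME/conf/web.xml (global descriptor, merged into every
     application's web.xml). url-pattern values are matched relative to
     each application's context root, so they carry no "/app" prefix:
     inside the application deployed at /app, a pattern of /app/ping
     would only match a request for /app/app/ping. -->

<!-- No auth-constraint: these URIs stay reachable without SPNEGO. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>NoSSO</web-resource-name>
    <description>URIs that should not trigger SPNEGO</description>
    <url-pattern>/ping</url-pattern>
    <url-pattern>/ws/*</url-pattern>
    <url-pattern>/service/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Everything else requires an authenticated user
     ("**" is the Servlet 3.1 any-authenticated-user role). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSO</web-resource-name>
    <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>**</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO Realm</realm-name>
</login-config>
```

Because the global descriptor is merged into every deployed application, these constraints would also apply to any second application added to the same Tomcat instance, which is the difficulty Mark warns about.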





SPENGO config in Tomcat's web.xml

2018-06-08 Thread Randy Oun
Hello Tomcat user group.

I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO.  Since the Tomcat
server will be only hosting one web application and we only want SPNEGO
only on certain environments we were trying to add security constraints to
Tomcat's web.xml instead of the application's web.xml.

Unfortunately it doesn't seem like it is taking effect.  The only change
is adding the app's URI context to the url-pattern in Tomcat's web.xml.

Is something misconfigured?  If not, what can I do to get this to work?

In TOMCAT_HOME/conf/web.xml...
-


  
NoSSO
URIs that should not trigger
SPNEGO
/app/ping
 /app/ws/*
 /app/service/*
  

  
  

  SSO
  Default context path that will trigger
Kerberos-SPNEGO SSO
  /app/*


  **

  
  
SPNEGO
SPNEGO Realm
  

In app web.xml...
---


  
NoSSO
URIs that should not trigger
SPNEGO
/ping
 /ws/*
 /service/*
  

  
  

  SSO
  Default context path that will trigger
Kerberos-SPNEGO SSO
  /*


  **

  
  
SPNEGO
SPNEGO Realm
  

Thanks!

Randy


Configuration of Tomcat Container to use SAML authentication

2018-06-08 Thread Sandeep Muddamsetty
Hi,
We are trying to implement SAML SSO configuration on Tomcat 8.5.X servers.
As we came to know that there is no direct implementation of this
authentication process through some of the blogs and need to depend on third
party tools to make it possible. As we are seeing so many tools while
searching for this but not getting exact information to use which tool. Do we
have any Apache recommended tools for this?

Thanks In Advance .




Thanks & Regards,
-
Sandeep Muddamsetty |  V3OPS Group
Email ID : smuddamse...@vitechinc.com
-




CONFIGURATION OF REALM

2018-06-08 Thread Jonathan Kilach
Hi all,

I have tomcat 8.5 installed on windows 7. The unit is functional, no
errors. I am working with an open source web app (Open Baraza from
https://sourceforge.net/projects/obsacco/files/?source=navbar) and have it
successfully installed, I suppose the database is correctly set as it is
able to open the web app interface.

However, in the login screen of the webapp (Open Baraza) once I input the
log in prompts for user name and password I am unable to log in due to
password/username do not match. I am sure of the username and password
since I can access the table from pg admin to see them and also it is the
default for the app as per initial setup. I suppose there is more
configuration needed to be done on realm authentication as below are the
errors generated in the *log file* by tomcat

Help me configure realm if that is where the error is so that I can log in
to the app

*Error message generated by catalina logfiles.*

08-Jun-2018 00:27:52.856 INFO [localhost-startStop-1]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\tomcat8.5\webapps\baraza]
08-Jun-2018 00:27:52.884 WARNING [localhost-startStop-1]
org.apache.tomcat.util.digester.SetPropertiesRule.begin
[SetPropertiesRule]{Context/Realm} Setting property 'digest' to 'md5' did
not find a matching property.

---
*realm class configuration in /config/server.xml*



  

*context configuration in /config/context.xml*








___
*context configuration in /META-INF/context.xml*








___
*web configuration in /WEB-INF/web.xml*

Users Security Constraint

Users Protected Area
/b_export.jsp
/b_passwordchange.jsp
/b_print.jsp
/b_report.jsp
/b_searchlist.jsp
/form.exel.jsp
/form.jsp
/form.report.jsp
/index.jsp
/billing.jsp
/show_report
/grid_export
/jsondata
/ajax

DELETE
GET
POST
PUT


admin
member
staff
applicant
director
subscription





FORM
Form-Based Authentication Area

/logon.jsp
/logonError.jsp




admin
member
staff
applicant
director
subscription





-- 

*Regards,*

*Jonathan Kilach*

P.O. Box 28083 00200, Nairobi Kenya

Cell:+254-702-085-852

Email: jkil...@gmail.com