on 8.5.40, random tmpFile.renameTo with jsp files

2019-06-06 Thread Alex O'Ree
I've upgraded from .34 to .40 somewhat recently (on windows) and have been
getting random errors rendering jsp pages recently. The trace is always
related to jasper failing to rename a file. I'm not really sure what the
issue is. Has anyone seen this or something similar?

Usually retrying the request resolves the issue immediately but something
seems fishy. This worked fine on previous versions.


how to enable OCSP revocation checking from tomcat 8.5.x using NIO2 w OpenSSL ?

2019-06-06 Thread John Palmer
What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
Tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
8.5.38 using OpenSSL ?
(will this work with NIO2 ? )

1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP
support - the X64 dll from
tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip
(I'd prefer to have this working with OpenSSL for a couple of reasons).

2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
(I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
options for the Tomcat service).


I can't see anything indicating OCSP checks in the logs for either.
(logs do indicate the OpenSSL

for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
tomcat service I see logging for key & trust stores being loaded, etc. in
tomcat8-stdout(date).log
the server requesting a client cert, the Client cert being received and
finding a trusted root for it ("Found trusted certificate:"),
but nothing about revocation checking
(I do see:
check handshake state: certificate_verify[15]
update handshake state: certificate_verify[15]

but I'm not sure that's revocation checking...).

for OpenSSL, I'm not sure how to enable equivalent logging; by enabling
pretty much ALL the logging
org.apache.coyote.http2.level=ALL
org.apache.level=ALL
org.apache.catalina.session.level=ALL
I can see the truststore ("Added client CA cert") being loaded but not much
else about certificates.


Wireshark shows me OCSP calls for the SERVER cert, presumably from the
browser (Firefox).
(I'm testing this on a personal computer, tomcat and browser on the same
computer).
If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing them.


the Connector part of the server xml.config file is (ip address and server
name etc removed):

 







Re: How to stop trailing slash redirects?

2019-06-06 Thread tomcat

On 06.06.2019 13:28, Konstantin Kolinko wrote:

Thu, 6 Jun 2019 at 10:32, Rob Nikander:


Hi,

I would like requests to a webapp to have paths that look like this:

 http://server/myapp    not:  http://server/myapp/ 


But for some reason, Tomcat keeps redirecting the 1st to the 2nd. I’m aware of 
the attribute `mapperContextRootRedirectEnabled` (on the Context), but setting 
that to “false” is not helping.  My web.xml looks like:

 
 MyServlet
 
 /other
 …

What is going on? How do I stop the redirects?


1. Exact version number of Tomcat =? Does it support that attribute?

2. I think that you have to make your servlet the default one,
i.e. to map it to / just like it is done
with DefaultServlet in the default web.xml.

A filter can be mapped like that as well.

3. Beware that session cookies have "/" appended to their Path
attribute by default.

There is a Context attribute that configures that, but beware that
when a cookie path does not have the trailing '/', some browsers will
send this cookie both to myapp and to myappFoo (with any suffix).


In general, disabling the redirect is a bad idea and should be avoided.



I cannot point to a specific RFC spec right now, but I am quite sure that this is also a 
requirement/recommendation for HTTP in general : if the URL given is 
"http://myhost/something", and "something" is found by the webserver as being a directory, 
the server sends back a redirect to the browser, with the "correct" URL 
"http://myhost/something/".

(In any case, Apache httpd does that, in its "map to storage" phase).
I believe that doing otherwise may create a lot of confusion as to how to handle "index 
documents" or relative URLs *on the browser side*.


Example :
- suppose your application responding (directly, without redirection) to the URL 
"http://myhost/myapp". And the first page which this application returns to the browser, 
contains a link like :


(by which you probably mean a file located at the URL 
"http://myhost/myapp/myicon.gif")
But..
Since the browser now knows that the current page came from "http://myhost/myapp", in 
order to evaluate the (relative) link "myicon.gif", it will

a) use as base the URL of the current page : "http://myhost/myapp"
b) from this URL, strip the last "non-slash-terminated element", thus here "myapp", 
leaving "http://myhost/"
c) to this, add the relative URL "myicon.gif", thus giving "http://myhost/myicon.gif", and 
use this URL to retrieve the image from the server.

Which is probably not what you wanted.

This is the expected behaviour of browsers, and the expected behaviour for most other web 
applications.


In summary, not letting the webserver do what it normally does, is probably going to land 
you in some difficult-to-diagnose trouble further down the line.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
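
The resolution steps a) to c) described in the message above, as an added example that is not part of the original post: it performs the merge by hand and cross-checks it against the platform URL parser for both forms of the base URL. The function names are made up for this illustration; the host and paths are the ones used in the message.

```javascript
// Added example: relative-reference resolution for a base URL with and
// without a trailing slash.

// Steps a) to c) done by hand for a simple relative path. This is only the
// RFC 3986 "merge" step: no "../", query or fragment handling.
function mergeByHand(base, ref) {
  // a) use the URL of the current page as the base
  const u = new URL(base);
  // b) strip the last non-slash-terminated element of the base path
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  // c) append the relative reference
  return u.origin + dir + ref;
}

// What the standard URL parser (the algorithm browsers implement) produces.
function resolveWithParser(base, ref) {
  return new URL(ref, base).href;
}

// Resolve one relative reference against several candidate base URLs.
function compare(ref, bases) {
  return bases.map((base) => ({
    base,
    byHand: mergeByHand(base, ref),
    byParser: resolveWithParser(base, ref),
  }));
}

const rows = compare("myicon.gif", [
  "http://myhost/myapp",  // page served without the redirect
  "http://myhost/myapp/", // page served after the redirect
]);
for (const r of rows) console.log(`${r.base} -> ${r.byParser}`);
```

Only the slash-terminated base keeps the relative link inside the application's path.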



RE: Re: Making PreResources configuration recurse directories

2019-06-06 Thread Milbaugh, Theodore K (Ted)
> -Original Message-
> From: Christopher Schultz 
> Sent: Wednesday, June 5, 2019 4:37 PM
> To: users@tomcat.apache.org
> Subject: [EXTERNAL] Re: Making PreResources configuration recurse directories
> 
> Theodore,
> 
> On 6/5/19 15:16, Milbaugh, Theodore K (Ted) wrote:
> > I am using Tomcat version 9.0.12
> >
> > I have a PreResources tag in my context.xml like this:
> >
> > <Resources className="org.apache.catalina.webresources.StandardRoot">
> > <PreResources className="org.apache.catalina.webresources.DirResourceSet"
> > base="C:\\good_files\\goodies_in_here" internalPath="/"
> > webAppMount="/" /> </Resources>
> >
> > This works great, in that if I access a JSP like this:
> >
> > http://localhost:8080/candy/chocolate.jsp
> >
> > I am able to access the JSP with no issues. However, there are
> > subdirectories in C:\good_files\goodies_in_here. If I try to access a
> > JSP in a subdirectory:
> >
> > http://localhost:8080/candy/crunchy/peanut_brittle.jsp
> >
> > I get a 404, even though the file
> > C:\good_files\goodies_in_here\crunchy\ peanut_brittle.jsp exists.
> > Do I have to create a PreResources tag for each subdirectory in my
> > tree?
> 
> What you are doing is expected to work. It doesn't map a single directory and
> its (non-directory) contents into a single directory. It grafts entire trees
> into the URL space.
> 
> It may be a copy/paste error, but I see a space between your "crunchy/" and
> "peanut_brittle.jsp" strings. It should not matter, but if you replace "\\"
> in your configuration with "/", does that improve things?
> 
> I would caution you about the use of <PreResources>. If there is for example a
> WEB-INF/web.xml file in there or WEB-INF/classes, then those will be loaded
> before the web application's "normal" files are loaded, which may be
> surprising.
> 
> - -chris

Chris:
I might have been seeing a permissions error. I copied all of the resource 
files to a local directory, and everything is working as expected now.

Thanks for your advice, I changed my configuration to a PostResources tag, and 
used forward slashes for my directory specification.

Ted Milbaugh
ted.milba...@nationwide.com



Re: How to stop trailing slash redirects?

2019-06-06 Thread Konstantin Kolinko
Thu, 6 Jun 2019 at 10:32, Rob Nikander:
>
> Hi,
>
> I would like requests to a webapp to have paths that look like this:
>
> http://server/myapp    not:  http://server/myapp/ 
> 
>
> But for some reason, Tomcat keeps redirecting the 1st to the 2nd. I’m aware 
> of the attribute `mapperContextRootRedirectEnabled` (on the Context), but 
> setting that to “false” is not helping.  My web.xml looks like:
>
> 
> MyServlet
> 
> /other
> …
>
> What is going on? How do I stop the redirects?

1. Exact version number of Tomcat =? Does it support that attribute?

2. I think that you have to make your servlet the default one,
i.e. to map it to / just like it is done
with DefaultServlet in the default web.xml.

A filter can be mapped like that as well.

3. Beware that session cookies have "/" appended to their Path
attribute by default.

There is a Context attribute that configures that, but beware that
when a cookie path does not have the trailing '/', some browsers will
send this cookie both to myapp and to myappFoo (with any suffix).


In general, disabling the redirect is a bad idea and should be avoided.

Best regards,
Konstantin Kolinko
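
The cookie-path caveat in point 3 above, as an added example that is not part of the original post: it compares the RFC 6265 path-match rule with plain string-prefix matching for a cookie scoped to /myapp/ and to /myapp. The prefix-only matcher is an assumption that models the "some browsers" behaviour the message mentions, and the request paths are constructed for the illustration.

```javascript
// Added example (not from the thread). Request paths below are constructed.

// RFC 6265 section 5.1.4 path-match.
function rfc6265PathMatch(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts if it ends at a "/" boundary.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Assumption: plain string-prefix matching, modelling the "some browsers"
// behaviour the message warns about.
function prefixOnlyMatch(cookiePath, requestPath) {
  return requestPath.startsWith(cookiePath);
}

// Which of the request paths would receive a cookie with this Path attribute.
function recipients(cookiePath, matcher, requestPaths) {
  return requestPaths.filter((p) => matcher(cookiePath, p));
}

const REQUESTS = ["/myapp", "/myapp/", "/myapp/page", "/myappFoo", "/myappFoo/page"];

// Build the comparison for both cookie paths and both matchers.
function report() {
  const out = {};
  for (const cookiePath of ["/myapp/", "/myapp"]) {
    out[cookiePath] = {
      rfc6265: recipients(cookiePath, rfc6265PathMatch, REQUESTS),
      prefixOnly: recipients(cookiePath, prefixOnlyMatch, REQUESTS),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

With Path=/myapp/ neither matcher sends the cookie on a request to /myapp itself, and with Path=/myapp the prefix-only matcher also sends it to the unrelated /myappFoo paths.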




Re: How to stop trailing slash redirects?

2019-06-06 Thread Mark Thomas
On 06/06/2019 09:27, Mark Thomas wrote:
> On 06/06/2019 08:31, Rob Nikander wrote:
>> Hi,
>>
>> I would like requests to a webapp to have paths that look like this:
>>
>> http://server/myapp    not:  http://server/myapp/ 
>> 
>>
>> But for some reason, Tomcat keeps redirecting the 1st to the 2nd. I’m aware 
>> of the attribute `mapperContextRootRedirectEnabled` (on the Context), but 
>> setting that to “false” is not helping.  My web.xml looks like:
>>
>> 
>> MyServlet
>> 
>> /other
>> …
>>
>> What is going on? How do I stop the redirects?
> 
> Why do you want to do this? What problem are you trying to solve?
> 
> I'm not sure what you are asking is possible although I'll need to
> dig through the mapping code to be certain.
This is going to come down to what the Servlet spec says.


The empty string ("") is a special URL pattern that exactly maps
to the application's context root, i.e., requests of the form
http://host:port/<context-root>/



A request URI of /foo will be redirected to a URI of /foo/


Section 12.2 states that an application's context root includes the
trailing slash.

Section 10.10 states that requests for directories without a trailing
slash will be redirected.

Hence you see a redirect. Either from the Mapper or from the Default
Servlet.

I did look at the possibility of mapping http://host:port/
directly to a Servlet mapped to "". I wondered about security
constraints but RealmBase looks like it would handle this case correctly.

What makes me think this is the wrong thing to do is the next part of
section 12.2.


In this case the path info is ’/’ and the servlet path
and context path is empty string (““).


Given that "RequestURI = ContextPath + ServletPath + PathInfo", the
statement that the path info in this case is "/" makes me think that the
current Tomcat behaviour is correct.

Mark




Re: How to stop trailing slash redirects?

2019-06-06 Thread Mark Thomas
On 06/06/2019 08:31, Rob Nikander wrote:
> Hi,
> 
> I would like requests to a webapp to have paths that look like this:
> 
> http://server/myapp    not:  http://server/myapp/ 
> 
> 
> But for some reason, Tomcat keeps redirecting the 1st to the 2nd. I’m aware 
> of the attribute `mapperContextRootRedirectEnabled` (on the Context), but 
> setting that to “false” is not helping.  My web.xml looks like:
> 
> 
> MyServlet
> 
> /other
> …
> 
> What is going on? How do I stop the redirects?

Why do you want to do this? What problem are you trying to solve?

I'm not sure what you are asking is possible although I'll need to
dig through the mapping code to be certain.

Mark





How to stop trailing slash redirects?

2019-06-06 Thread Rob Nikander
Hi,

I would like requests to a webapp to have paths that look like this:

http://server/myapp    not:  http://server/myapp/ 


But for some reason, Tomcat keeps redirecting the 1st to the 2nd. I’m aware of 
the attribute `mapperContextRootRedirectEnabled` (on the Context), but setting 
that to “false” is not helping.  My web.xml looks like:


MyServlet

/other
…

What is going on? How do I stop the redirects?

thanks,
Rob