Re: confusions with conf/tomcat-users.xml setup

2019-07-24 Thread M. Manna
I would recommend reading the role settings from here first:

https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html

Also, if everything is okay for you try using comma-separated roles e.g.
roles="manager-gui,admin". Even better, try to create new roles and assign
them correctly.

See if that works for you.

Thanks,


On Thu, 25 Jul 2019 at 12:35, Hu, Zhiliang [AN S]  wrote:

> I have Apache Tomcat/7.0.94 installed and running.  However I had a hard
> time to get to the ManagerApp and Host Manager to work properly.  Briefly:
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied";
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
> 
> -- The "/manager/html/" gets "404 Access Denied" and "/host-manager/html"
> can get connected;
>
> If I set up "conf/tomcat-users.xml" as in:
> 
> 
> 
>
> 
> 
> 
> -- The "/manager/html/" can get connected and "/host-manager/html" gets
> "404 Access Denied" -- obviously the second "rolename" overrides the first
> one.
>
> How can I get both to work?
>
> Thanks in advance,
>
> ZL
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
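
The role assignment discussed in this thread, as an added example that is not part of the original messages and not Tomcat's own code: it parses a constructed tomcat-users.xml and reports which users can reach each HTML interface. It assumes the Tomcat 7 defaults, where /manager/html requires the manager-gui role and /host-manager/html requires the admin-gui role; the user names and passwords are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TomcatUsersRoleCheck {

    // Constructed sample file. Each <role> only declares a role name; what a
    // user is granted comes from the comma-separated "roles" attribute on <user>.
    static final String SAMPLE =
        "<tomcat-users>\n" +
        "  <role rolename=\"manager-gui\"/>\n" +
        "  <role rolename=\"admin-gui\"/>\n" +
        "  <user username=\"ops\" password=\"CHANGE_ME\" roles=\"manager-gui,admin-gui\"/>\n" +
        "  <user username=\"deploy\" password=\"CHANGE_ME\" roles=\"manager-script\"/>\n" +
        "  <user username=\"hostadmin\" password=\"CHANGE_ME\" roles=\"admin-gui\"/>\n" +
        "</tomcat-users>\n";

    // Returns user name -> set of roles, in file order.
    static Map<String, Set<String>> rolesByUser(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The file holds credentials; parse it with DTDs and external entities disabled.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        Map<String, Set<String>> result = new LinkedHashMap<>();
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element user = (Element) users.item(i);
            Set<String> roles = new TreeSet<>();
            for (String role : user.getAttribute("roles").split(",")) {
                if (!role.trim().isEmpty()) {
                    roles.add(role.trim());
                }
            }
            result.put(user.getAttribute("username"), roles);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, Set<String>> entry : rolesByUser(SAMPLE).entrySet()) {
            Set<String> roles = entry.getValue();
            System.out.printf("%-10s /manager/html=%-5b /host-manager/html=%-5b roles=%s%n",
                    entry.getKey(),
                    roles.contains("manager-gui"),   // assumed role for the Manager HTML interface
                    roles.contains("admin-gui"),     // assumed role for the Host Manager HTML interface
                    roles);
        }
    }
}
```

Only the user that lists both roles in a single `roles` attribute reaches both interfaces; keeping such accounts to a minimum limits who can deploy applications and manage virtual hosts.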


confusions with conf/tomcat-users.xml setup

2019-07-24 Thread Hu, Zhiliang [AN S]
I have Apache Tomcat/7.0.94 installed and running.  However I had a hard time 
to get to the ManagerApp and Host Manager to work properly.  Briefly:

If I set up "conf/tomcat-users.xml" as in:




-- The "/manager/html/" can get connected and "/host-manager/html" gets "404 
Access Denied";

If I set up "conf/tomcat-users.xml" as in:




-- The "/manager/html/" gets "404 Access Denied" and "/host-manager/html" can 
get connected;

If I set up "conf/tomcat-users.xml" as in:







-- The "/manager/html/" can get connected and "/host-manager/html" gets "404 
Access Denied" -- obviously the second "rolename" overrides the first one.

How can I get both to work?

Thanks in advance,

ZL






Re: why is ContextListener.attributeAdded means?

2019-07-24 Thread Karen Goh
 




On Wednesday, July 24, 2019, 11:29:39 PM GMT+8, Mark Eggers 
 wrote:


On 7/24/2019 12:58 AM, Karen Goh wrote:
> 
>
>
>
>
> On Wednesday, July 24, 2019, 12:54:35 PM GMT+8, Mark Eggers 
>  wrote:
>
>
> Karen,
>
> On 7/23/2019 7:41 PM, Karen Goh wrote:
>> Dear experts,
>>
>> I need some help again.
>>
>> I am trying to get a html page out on my browser, I changed my Tomcat server 
>> as the previous one has some Ant script 'creeping in when I downloaded an 
>> example'. However, I do not know why am I receiving an error message ?
>>
>> Background :-
>> -
>> Netbean IDE
>> Windows OS
>> Tomcat 9.0.12
>> JEE
>>
>> Error Message :
>>
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log SessionListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.292 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> attributeAdded('StockTicker', 'async.Stockticker@4fa4f485')
>>
>> Can I know why there is a ContextListener: attributeAdded('StockTicker', 
>> 'async.Stockticker@4fa4f485') as appeared in the log ?
>>
>> How do I make it go away so that I can run my webApp ?
>>
>> Thank you for your help.
>> Karen
>
>
> This is coming from the examples that are shipped with Tomcat. In
> particular, this appears to be from the Stock Ticker asynchronous example.
>
> In other words, this is nothing to be concerned about.
>
> . . . just my two cents.
> /mde/
>
> I have never seen this log info pop up.
>
> Now, I have another problem - Tomcat server keeps popping up the 
> authentication gui - Tomcat manager.
>
> I can't get this Tomcat Manager GUI to stop appearing. And I have not configured 
> the app to use Tomcat Manager at all.
>
> Please let me know how to stop it from appearing.
>
> Tks.

This is a NetBeans thing. NetBeans uses the manager application (and the
manager-script role) to deploy or redeploy to Tomcat.

The instructions for configuring tomcat-users.xml are in that file.

Normally when you add a Tomcat server to NetBeans, it will ask to create
the user with that manager-script role if one does not exist. Or you
could supply one that you've configured in tomcat-users.xml.

Then save the password in NetBeans, so that you won't get prompted each
time there's a deploy or redeploy.

NetBeans by default will redeploy on save if you are currently running
the application. If you save the password for the user with the
manager-script role, then you should not see the prompt.

If the application is not running in Tomcat, then NetBeans won't try to
redeploy on save.


Thanks Mike. 

. . . just my two cents
/mde/


  

Re: Tomcat TLS session resumption in cluster

2019-07-24 Thread Mark Thomas
On 17/07/2019 00:06, M.S. Dousti wrote:
> Dear all,
> 
> TLS allows session resumption via session IDs or session tickets. [This
> post](
> https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/)
> shows how this can be performed in Apache web server and Nginx. Specially,
> Apache has a [`SSLSessionTicketKeyFile` directive](
> http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslsessionticketkeyfile)
> which allows the TLS session ticket to be encrypted by a specific key,
> rather than a key chosen randomly at startup. This is useful in cluster,
> where any cluster member can open a ticket encrypted by another member via
> a shared key.
> 
> I couldn't find a similar feature in [Tomcat TLS documentation](
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support). If
> this can be done via configuration, so much the better.

I am afraid not. At least not at the moment. It looks fairly simple to
implement. Care to open an enhancement request in Bugzilla or a PR in
GitHub?

> Otherwise, I have a
> hunch on how to do it programmatically.
> 
> I found a method called [`setTicketKeys`](
> https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/net/openssl/OpenSSLSessionContext.html#setTicketKeys-byte:A-)
> which seems to be doing exactly what I want:
> 
> public void setTicketKeys(byte[] keys)
> Sets the SSL session ticket keys of this context.
> Parameters:
> keys - The session ticket keys
> 
> I also found [a class from Facebook Nifty](
> https://github.com/facebookarchive/nifty/blob/master/nifty-ssl/src/main/java/com/facebook/nifty/ssl/OpenSslServerConfiguration.java)
> which uses this function.
> 
> My question is: I need an instance of `OpenSSLSessionContext` to call
> `setTicketKeys()` on. How should I get this instance?
> 
> PS: I use Tomcat 9.0.22 on Windows 10 x64.

You are going to have to patch Tomcat to do this. Somewhere around line
260 of o.a.tomcat.util.net.SSLUtilBase.java would be a reasonable place
to start.

Mark




Re: TLS client cert clarification

2019-07-24 Thread Mark Thomas
On 12/07/2019 19:07, Wilmoth, Jon wrote:
> Thanks for the very quick response!  Out of curiosity is this ensured by some 
> sort of caching in the Tomcat server after the TLS handshake?  Or is it 
> expected that the client would send the certificate with each post handshake 
> request.  I ask as I'm seeing intermittent requests that do not have a 
> "javax.servlet.request.X509Certificate" attribute value populated.  This also 
> differs by browser (e.g. more frequently on MacOS Chrome 75.0.3770.100, not 
> on MacOS Safari 12.1.1).

It depends.

Without session tickets, the client has to provide the cert and the full
chain in the handshake. With OpenSSL session tickets the server caches
the client cert but not the full chain.

The above is only as accurate as the last time I dug into this. There
are lots of variables, JRE version, JSSE vs OpenSSL, OpenSSL version,
client etc. and some may have changed since my last test.

Mark


> On 7/12/19, 2:00 AM, "Mark Thomas"  wrote:
> 
> On 12/07/2019 08:22, Martynas Jusevičius wrote:
> > In my experience with 8.x -- on all requests.
> 
> The above is correct for JSSE based TLS connections. It also applies to
> most OpenSSL based connections.
> 
> There is one edge case that can cause problems. If:
> 
> - OpenSSL based TLS connections are used;
> - TLS session tickets are enabled; and
> - the session has been resumed via a ticket; then
> 
> the client certificate will be available but the full client certificate
> chain will not. The full chain will only be available in the initial
> connection.
> 
> Mark
> 
> > 
> > On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon
> >  wrote:
> >>
> >> I was hoping to get some clarification on when to expect client x509 
> certs in http requests where the Tomcat server (v9.x) has been configured to 
> “want” or “need” client auth.  
> https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
>  says:
> >>
> >> “If there is an SSL certificate associated with the request, it must 
> be exposed by the servlet container to the servlet programmer as an array of 
> objects of type java.security.cert.X509Certificate and accessible via a 
> ServletRequest attribute of javax.servlet.request.X509Certificate.”
> >>
> >> Is this only for the request that initiated the TLS handshake?  Or 
> does this mean it will be present on all requests (i.e. requests on a 
> keep-alive connection after the initial handshake) while the TLS connection 
> is still open?
> >>
> >> Thanks,
> >> Jon
> > 



Login Failure /manager.html

2019-07-24 Thread John Garmon
http://localhost:8080/manager/html


I am trying to access the server status or manager app screens. I am prompted by 
the page to input my credentials, and I input the ones I entered in 
tomcat-users.xml. The page never accepts them and I get 401. I looked at 
catalina.out and it is reading the .xml file from what I can tell. Both the 
host-manager and manager logs are empty. I am using Ubuntu 18.04. I am not sure 
what I am doing wrong. I appreciate your help. This is my first time using 
Linux and deploying Tomcat.

Regards,

John


_
John Garmon III, CFA
Foundation Resource Management
Office: +1.501.534.2710
Mobile:+1.501.442.8739
Email: jgar...@frmlr.com
Secure Msg: my.frmlr.com/filedrop/John
Website: www.frmlr.com





This email and any files transmitted with it are the property of Foundation 
Resource Management, Inc., and it is confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you are not the 
named addressee you should not disseminate, distribute, access, or copy this 
email. Please notify the sender immediately if you have received this email by 
mistake and delete this email from your system. If you are not the intended 
recipient you are notified that disclosing, copying, distributing, or taking 
any action in reliance on the contents of its information is strictly 
prohibited.







Negative pattern match in rewrite rule is not as documented

2019-07-24 Thread Michael Chen
Hi,

The mention of using "NOT character ('!')" in rule patterns as negative
match no longer matches implementation:

https://tomcat.apache.org/tomcat-8.5-doc/rewrite.html

> In the rules, the NOT character ('!') is also available as a possible
> pattern prefix. This enables you to negate a pattern; to say, for instance:
> "if the current URL does NOT match this pattern". This can be used
> for exceptional cases, where it is easier to match the negative pattern, or
> as a last default rule.
>

The current implementation uses java.util.regex, which does not support a
simple ! prefix as a negative match regex:

https://docs.oracle.com/javase/8/docs/api/index.html?java/util/regex/Pattern.html

Instead, you need to use zero-width lookahead like this (to match any URL
but /portal/api/.*)

^(?!/portal/api/.*).*$

This inaccurate documentation exists in all versions, at least since 8.0.x.
For backward compatibility with the above documentation, RewriteRule needs
the `positive` variable and logic found in the RewriteCond class.

https://bz.apache.org/bugzilla/show_bug.cgi?id=63608

Thanks

--Michael
.

-- 
CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole 
use of the intended recipient(s) and may contain confidential and 
privileged information or otherwise be protected by law. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender and destroy all copies and 
the original message.
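
The behaviour reported above, as an added example that is not part of the original message and not Tomcat's code: it runs the three readings of a negated pattern through java.util.regex side by side. The `NegatablePattern` helper is hypothetical and only illustrates the idea of a `positive` flag; the URLs are constructed, and whole-string matching is an assumption.

```java
import java.util.regex.Pattern;

public class RewriteNegationDemo {

    // Hypothetical helper, not Tomcat's RewriteRule or RewriteCond: a leading '!'
    // is consumed as a negation marker and stored as a "positive" flag beside
    // the compiled regex, so the regex itself never sees the '!'.
    static final class NegatablePattern {
        private final boolean positive;
        private final Pattern pattern;

        NegatablePattern(String spec) {
            this.positive = !spec.startsWith("!");
            this.pattern = Pattern.compile(positive ? spec : spec.substring(1));
        }

        // Assumption: the whole URL must match, as with Matcher.matches().
        boolean matches(String url) {
            return pattern.matcher(url).matches() == positive;
        }
    }

    public static void main(String[] args) {
        // Constructed request paths, including the prefix without a trailing slash.
        String[] urls = { "/index.html", "/portal/api/users", "/portal/api", "/portal/apix/1" };

        // 1. '!' handed straight to java.util.regex is an ordinary literal character,
        //    so this pattern can only match input that itself starts with '!'.
        Pattern literalBang = Pattern.compile("!/portal/api/.*");

        // 2. The zero-width negative lookahead from the message.
        Pattern lookahead = Pattern.compile("^(?!/portal/api/.*).*$");

        // 3. The documented '!' prefix, interpreted through a positive flag.
        NegatablePattern flagged = new NegatablePattern("!/portal/api/.*");

        System.out.printf("%-20s %-10s %-10s %s%n", "url", "literal !", "lookahead", "flag");
        for (String url : urls) {
            System.out.printf("%-20s %-10b %-10b %b%n",
                    url,
                    literalBang.matcher(url).matches(),
                    lookahead.matcher(url).matches(),
                    flagged.matches(url));
        }
    }
}
```

A rule written with the literal `!` form never matches a path that starts with `/`, so any redirect or access rule that relies on it silently does nothing; the lookahead and the flag-based reading agree on every sample path.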


RE: Security vulnerabilities with tomcat 9

2019-07-24 Thread Berneburg, Cris J. - US
Hi Sumit

Please see my response below your question.

-Original Message-
From: Sumit Bhardwaj  
Sent: Saturday, July 20, 2019 8:48 AM
To: Tomcat Users List 
Subject: Security vulnerabilities with tomcat 9

> Hi,
>
> We are using tomcat 9 and getting following two vulnerabilities in security 
> scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)  Cookie Does Not Contain 
> The "HTTPOnly" Attribute (1)
>
> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> 
> true
> true
> 
>
> and also updating the *context.xml for *useHttpOnly="true"
> It has not helped.
>
> We also tried updating our web application's web.xml with the cookie-config, 
> but it has also not helped.
>
> What else do we need to do?
>
> Best
> Sumit

We went through something similar during security scans.  We are currently 
running Tomcat 8.5.x.  Apache httpd manages the HTTPS, so TC does not use HTTPS 
in our config.  Made 2 changes to our application's web.xml.  Maybe it will 
work in TC 9.x also?

1. Inserted "web-app_3_1.xsd" into the web-app tag schemaLocation attribute:


<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="true">

2. Inserted cookie-config and http-only tags into the existing session-config 
tag below session-timeout:


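<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>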

PLEASE NOTE: I am not an expert, but hopefully this information is correct 
enough to be useful.  If not, I trust some of the real experts to correct any 
errancies.  :-) 

ALSO, it may help them to help you if you answer their questions when they ask 
you for more details.  ;-)

Don't know about the true option.

--
Cris Berneburg
CACI Lead Software Engineer





Have to Login Twice to Enter the Application Main Page

2019-07-24 Thread Hua, Gary - Saint Louis, MO - Contractor
Tomcat Experts:

   I deployed my web application TOPS to our DEV web server. I started 
the web server 9.0.13 and entered the application URL, and the login screen 
showed up.

   I entered the LoginID/Password and clicked the "Login" button; the log 
in catalina.out is:

23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
hasUserDataPermission()
23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data 
constraint already satisfied
23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
accessControl()
23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles null
23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasResourcePermission Passing all access
23-Jul-2019 16:59:49.752 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Successfully passed 
all security const


  The LoginID and Password text boxes were cleared, and I had to enter 
LoginID/Password again and then click the "Login" button; now it allows me to go 
to the application main home page. The log in catalina.out is:

23-Jul-2019 17:14:31.130 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
hasUserDataPermission()
23-Jul-2019 17:14:31.131 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data 
constraint already satisfied
23-Jul-2019 17:14:31.131 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling 
accessControl()
23-Jul-2019 17:14:31.131 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles 
GenericPrincipal[topsadmin(CN=ADMINTOPS,OU=National Application 
Groups,OU=Groups Role-Based,DC=devsub,DC=dev,DC=dce, DC=gov, ADMINTOPS,)]
23-Jul-2019 17:14:31.131 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.realm.RealmBase.hasResourcePermission Passing all access
23-Jul-2019 17:14:31.131 FINE [https-jsse-nio-9443-exec-8] 
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Successfully passed 
all security constraints


The login-config in web.xml:


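<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>SecureRealm</realm-name>
  <form-login-config>
    <form-login-page>/F_login.jsp</form-login-page>
    <form-error-page>/notAuthenticated.jsp</form-error-page>
  </form-login-config>
</login-config>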





   So the question is: why, the first time I clicked the "Login" button, didn't 
it get any roles for the login user (it is supposed to connect to LDAP for 
authentication), and why do I have to log in one more time to get them?


Thanks
Gary


Re: why is ContextListener.attributeAdded means?

2019-07-24 Thread Mark Eggers
On 7/24/2019 12:58 AM, Karen Goh wrote:
>  
> 
> 
> 
> 
> On Wednesday, July 24, 2019, 12:54:35 PM GMT+8, Mark Eggers 
>  wrote:
> 
> 
> Karen,
> 
> On 7/23/2019 7:41 PM, Karen Goh wrote:
>> Dear experts,
>>
>> I need some help again.
>>
>> I am trying to get a html page out on my browser, I changed my Tomcat server 
>> as the previous one has some Ant script 'creeping in when I downloaded an 
>> example'. However, I do not know why am I receiving an error message ?
>>
>> Background :-
>> -
>> Netbean IDE
>> Windows OS
>> Tomcat 9.0.12
>> JEE
>>
>> Error Message :
>>
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log SessionListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.292 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> attributeAdded('StockTicker', 'async.Stockticker@4fa4f485')
>>
>> Can I know why there is a ContextListener: attributeAdded('StockTicker', 
>> 'async.Stockticker@4fa4f485') as appeared in the log ?
>>
>> How do I make it go away so that I can run my webApp ?
>>
>> Thank you for your help.
>> Karen
> 
> 
> This is coming from the examples that are shipped with Tomcat. In
> particular, this appears to be from the Stock Ticker asynchronous example.
> 
> In other words, this is nothing to be concerned about.
> 
> . . . just my two cents.
> /mde/
> 
> I have never seen this log info pop up.
> 
> Now, I have another problem - Tomcat server keeps popping up the 
> authentication gui - Tomcat manager.
> 
> I can't get this Tomcat Manager GUI to stop appearing. And I have not configured 
> the app to use Tomcat Manager at all.
> 
> Please let me know how to stop it from appearing.
> 
> Tks.

This is a NetBeans thing. NetBeans uses the manager application (and the
manager-script role) to deploy or redeploy to Tomcat.

The instructions for configuring tomcat-users.xml are in that file.

Normally when you add a Tomcat server to NetBeans, it will ask to create
the user with that manager-script role if one does not exist. Or you
could supply one that you've configured in tomcat-users.xml.

Then save the password in NetBeans, so that you won't get prompted each
time there's a deploy or redeploy.

NetBeans by default will redeploy on save if you are currently running
the application. If you save the password for the user with the
manager-script role, then you should not see the prompt.

If the application is not running in Tomcat, then NetBeans won't try to
redeploy on save.

. . . just my two cents
/mde/







Re: OT: Connection timeout with HttpClient

2019-07-24 Thread Suvendu Sekhar Mondal
Hi Chris,

On Tue, Jul 23, 2019 at 6:00 PM Christopher Schultz
 wrote:
>
>
> Suvendu,
>
> On 7/23/19 07:39, Suvendu Sekhar Mondal wrote:
> > One of our legacy applications is using Apache Commons HttpClient
> > 3.1. POST call to one REST service is failing with
> > "java.net.ConnectException: Connection timed out: connect"
> > exception[1]. Timeout is occurring after one minute. To figure out
> > where thread is spending all the time, I took multiple thread
> > dumps. In all of them, thread is trying to create secure socket[2].
> > I am not seeing any thread pool issue. Also the target REST service
> > is working properly with same payload while invoked from Postman.
> > It is only failing consistently when going through the HttpClient.
> > I am trying to figure out why it is taking so long in connecting to
> > the socket. I am looking for suggestion on how to attack this one.
> >
> > Tomcat: 7.0.55 JRE: 1.8_92 -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
>
> Your version of Tomcat is quite old and contains numerous "important"
> publicly-known vulnerabilities. You should upgrade ASAP.
>
Yes, I agree. There is some "technical debt", and upgrading Tomcat and
Apache is part of it. We have plans to do it in the next release. :)

> The connection timeout you are seeing is on the client end: your
> client is connecting to another server and the server isn't responding
> fast enough. That's why your stack trace always shows the thread
> "creating a socket": it's trying to connect to the remote service and
> it's never completing.
>
> Since it's failing on "connect" and not "read", it's likely that there
> is a firewall between your client and the service you are trying to
> connect to which is dropping all packets instead of returning a
> "connection refused" response.
>
> So this isn't a problem with your code or with Tomcat. It's a problem
> between your client (which has the stack trace below) and the service
> that code is trying to call.
>
I am planning to use Wireshark to find out the root cause. Some weird
thing must be happening while making call through our client code.
Let's see.

> -chris
>
> >
> > [1] java.net.ConnectException: Connection timed out: connect
> >     at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
> >     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> >     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> >     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> >     at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
> >     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> >     at java.net.Socket.connect(Socket.java:589)
> >     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
> >     at sun.security.ssl.SSLSocketImpl.(SSLSocketImpl.java:472)
> >     at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:153)
> >     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:82)
> >     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:127)
> >     at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
> >     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
> >     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
> >     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
> >     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
> >
> > [2] "http-apr-18100-exec-5" #327 daemon prio=5 os_prio=0 tid=0x2efbf800 nid=0x2508 runnable [0x2e55d000]
> >    java.lang.Thread.State: RUNNABLE
> >     at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
> >     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
> >     - locked <0x00071a984780> (a java.net.TwoStacksPlainSocketImpl)
> >     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
> >     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
> >     at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
> >     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> >     at java.net.Socket.connect(Socket.java:589)
> >     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
> >     at sun.security.ssl.SSLSocketImpl.(SSLSocketImpl.java:472)
> >     at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:153)
> >     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:82)
> >     at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.create

PooledConnection#connectUsingDriver, Thread.currentThread().getContextClassLoader() is null

2019-07-24 Thread Clemens Wyss DEV
Context:
Debian GNU/Linux 9
java version 1.8.0_162
Tomcat 8.5.35

From time to time we are facing the following exception (call stack):
...
Caused by: java.sql.SQLException: Unable to load class: org.mariadb.jdbc.Driver from ClassLoader:java.net.URLClassLoader@4c873330;ClassLoader:null
    at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:292)
    at org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:212)
    at org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:736)
    at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:668)
    at org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:198)
    at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:132)
    at org.apache.torque.Torque.getConnection(Torque.java:924)
    ... 53 common frames omitted
Caused by: java.lang.ClassNotFoundException: Unable to load class: org.mariadb.jdbc.Driver from ClassLoader:java.net.URLClassLoader@4c873330;ClassLoader:null
    at org.apache.tomcat.jdbc.pool.ClassLoaderUtil.loadClass(ClassLoaderUtil.java:56)
    at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:280)
    ... 59 common frames omitted
Caused by: java.lang.ClassNotFoundException: Classloader is null
    at org.apache.tomcat.jdbc.pool.ClassLoaderUtil.loadClass(ClassLoaderUtil.java:40)
    ... 60 common frames omitted

According to the code (in PooledConnection#connectUsingDriver), 
Thread.currentThread().getContextClassLoader() returns null.

Googling for "Thread.currentThread().getContextClassLoader() is null", the 
common denominator seems to be `getContextClassLoader can be null`. If this is 
true there should be
a) a null-check in PooledConnection#connectUsingDriver
b) if null, then there should be a fallback ClassLoader (the system class 
loader?)

WDYT ?

Or any ideas why the given exception pops up from time to time

Thx
Clemens
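
The null check and fallback proposed in (a) and (b) above, as an added example that is not part of the original message and not the tomcat-jdbc pool's code: it creates a thread whose context class loader is null and loads a class through an ordered list of candidate loaders. The `loadClass` helper, the candidate order and the class being loaded are assumptions made for the demonstration.

```java
public class ContextClassLoaderFallback {

    // Hypothetical helper: try each non-null candidate loader in order and
    // return the first successful result.
    static Class<?> loadClass(String name, ClassLoader... candidates)
            throws ClassNotFoundException {
        ClassNotFoundException last = null;
        for (ClassLoader loader : candidates) {
            if (loader == null) {
                continue; // a null context class loader is skipped, never dereferenced
            }
            try {
                return Class.forName(name, true, loader);
            } catch (ClassNotFoundException e) {
                last = e; // remember the failure and try the next candidate
            }
        }
        throw last != null
                ? last
                : new ClassNotFoundException("No usable class loader for " + name);
    }

    public static void main(String[] args) throws Exception {
        Thread worker = new Thread(() -> {
            ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
            System.out.println("context class loader: " + contextLoader);
            try {
                Class<?> loaded = loadClass("java.sql.Driver",
                        contextLoader,                                      // may be null
                        ContextClassLoaderFallback.class.getClassLoader(), // loader of the calling code
                        ClassLoader.getSystemClassLoader());               // last resort
                System.out.println("loaded " + loaded.getName() + " through a fallback loader");
            } catch (ClassNotFoundException e) {
                System.out.println("load failed: " + e.getMessage());
            }
        });
        // Constructed condition: the API allows a thread to carry no context class loader.
        worker.setContextClassLoader(null);
        worker.start();
        worker.join();
    }
}
```

In a container the fallback order matters: a loader higher in the hierarchy cannot see a driver jar that lives only in the web application, so a fallback can turn the null case into a plain ClassNotFoundException rather than a successful load.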


Re: why is ContextListener.attributeAdded means?

2019-07-24 Thread Karen Goh
 




On Wednesday, July 24, 2019, 12:54:35 PM GMT+8, Mark Eggers 
 wrote:


Karen,

On 7/23/2019 7:41 PM, Karen Goh wrote:
> Dear experts,
>
> I need some help again.
>
> I am trying to get a html page out on my browser, I changed my Tomcat server 
> as the previous one has some Ant script 'creeping in when I downloaded an 
> example'. However, I do not know why am I receiving an error message ?
>
> Background :-
> -
> Netbean IDE
> Windows OS
> Tomcat 9.0.12
> JEE
>
> Error Message :
>
> 24-Jul-2019 10:03:27.271 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log ContextListener: 
> contextInitialized()
> 24-Jul-2019 10:03:27.271 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log SessionListener: 
> contextInitialized()
> 24-Jul-2019 10:03:27.292 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log ContextListener: 
> attributeAdded('StockTicker', 'async.Stockticker@4fa4f485')
>
> Can I know why there is a ContextListener: attributeAdded('StockTicker', 
> 'async.Stockticker@4fa4f485') as appeared in the log ?
>
> How do I make it go away so that I can run my webApp ?
>
> Thank you for your help.
> Karen


This is coming from the examples that are shipped with Tomcat. In
particular, this appears to be from the Stock Ticker asynchronous example.

In other words, this is nothing to be concerned about.

. . . just my two cents.
/mde/

I have never seen this log info pop up.

Now, I have another problem - Tomcat server keeps popping up the authentication 
gui - Tomcat manager.

I can't get this Tomcat Manager GUI to stop appearing. And I have not configured 
the app to use Tomcat Manager at all.

Please let me know how to stop it from appearing.

Tks.