Re: Basic question about application configuration
Hi Mathieu,

> Original message
> From: Mathieu Dubois
> Sent: Wednesday, 23 October 2019 03:00
> To: users@tomcat.apache.org
[SNIP]
> I have read a bit about Tomcat and if I understand correctly, the
> correct way to do is to declare a Resource in the configuration of each
> server which represents the DB to use and then adapt the code (in
> particular Hibernate configuration) to use this Resource based on its
> name. Then the same WAR file can be deployed on any servers provided
> it's configured without maven (i.e. I just have to upload the WAR file
> and voilà).
>
> Is that correct ?

Yes, it is a common approach in the Java application world, called JNDI. So your app would also work on a different application server like Wildfly or Liberty. But the way you define it in your application server differs, so see here for comparison:

https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html
https://developer.jboss.org/thread/279940

--
Mit freundlichen Grüßen / Kind Regards / नमस्ते (Namaste)

Bernd Schatz
ITT/FT - Java Free and Open Source Software (JFoSS)
HPC Z252
Building VDZ East, 1st floor
Plieninger Str. 150
70567 Stuttgart

Bernd Schatz
Office: +49 711 17 41463
Mobile: +49 151 5862 6591
FAX: +49 711 17 7904 1252
mailto:bernd.sch...@daimler.com
https://git.daimler.com/jfoss
https://matter.i.daimler.com
https://matter.i.daimler.com/daimler-ag/channels/jfoss

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
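What the JNDI approach looks like end to end, as an added example that is not from the thread or from Mathieu's application: the database coordinates and credentials live in the server's own context file, the WAR only declares a reference, and the application (Hibernate or plain JDBC) asks the container for the pool by name. The resource name jdbc/AppDB, the MySQL host, the user name and the `AppDataSource` class are assumptions for illustration.

```java
// Added example, not code from the original thread. One WAR, per-server
// database, no credentials in the source tree or in Maven profiles.
//
// 1. Per-server configuration, OUTSIDE the WAR, in
//    $CATALINA_BASE/conf/Catalina/localhost/<app>.xml (or conf/context.xml
//    if every app on the server may use it). Restrict it to the tomcat user
//    (0600): it now carries the database password.
//
//    <Context>
//      <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
//                driverClassName="com.mysql.cj.jdbc.Driver"
//                url="jdbc:mysql://db1.example.internal:3306/app"
//                username="app" password="..." maxTotal="20" maxIdle="10"/>
//    </Context>
//
// 2. Inside the WAR, WEB-INF/web.xml declares the reference once, the same
//    for every server:
//
//    <resource-ref>
//      <res-ref-name>jdbc/AppDB</res-ref-name>
//      <res-type>javax.sql.DataSource</res-type>
//      <res-auth>Container</res-auth>
//    </resource-ref>
//
// 3. Hibernate stops carrying a URL/user/password and only names the
//    container resource (hibernate.cfg.xml or persistence.xml):
//
//    hibernate.connection.datasource = java:comp/env/jdbc/AppDB
//
// The class below is the plain-JDBC equivalent of step 3 and doubles as a
// startup self-check that the resource is wired correctly on this server.

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;

public final class AppDataSource {
    // java:comp/env is the per-webapp JNDI namespace Tomcat exposes to the app.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";

    private AppDataSource() {}

    /** Looks up the container-managed pool; fails fast with an actionable message. */
    public static DataSource lookup() {
        try {
            InitialContext ctx = new InitialContext();
            return (DataSource) ctx.lookup(JNDI_NAME);
        } catch (NamingException e) {
            throw new IllegalStateException(
                "No JNDI DataSource bound at " + JNDI_NAME
                + "; check <Resource> in the server's context file and <resource-ref> in web.xml", e);
        }
    }

    /**
     * Verifies the pool hands out live connections. Call it from a
     * ServletContextListener so a misconfigured server fails at deploy time,
     * not on the first user request.
     */
    public static boolean healthCheck(DataSource ds) {
        try (Connection c = ds.getConnection()) {
            return c.isValid(2);   // 2-second validation timeout
        } catch (SQLException e) {
            return false;
        }
    }
}
```

With this split the same WAR can be copied to every server unchanged; only the server-side context file differs, and the JDBC driver jar moves to $CATALINA_HOME/lib (where Tomcat's pool needs it) instead of WEB-INF/lib.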
Basic question about application configuration
Dear Tomcat users,

I am not familiar with Tomcat or the Java world in general so I have a rather simple question.

Part of my job is to maintain and evolve a Java web application based on JBPM which as such uses a (MySQL) DB. This application is independently deployed on a handful of Tomcat servers (each instance uses a different DB). We use a very old version of Tomcat (5.5.17) but I don't think that this is related to my question.

We use maven to create the WAR file. Right now we have to create one WAR file per server based on different maven profiles (i.e. running `mvn -Pserver1 ...' then `mvn -Pserver2 ...', etc.). Those profiles contain the MySQL DB to use (and other configuration) which is used to configure Hibernate (and other libraries) at compile time for this server.

As you can imagine, there are several problems with this approach: it is impossible to deploy without the source code and maven, the configuration of each deployment has to be in the code, etc.

I have read a bit about Tomcat and if I understand correctly, the correct way to do is to declare a Resource in the configuration of each server which represents the DB to use and then adapt the code (in particular Hibernate configuration) to use this Resource based on its name. Then the same WAR file can be deployed on any servers provided it's configured without maven (i.e. I just have to upload the WAR file and voilà).

Is that correct ?

Thanks in advance,
Mathieu Dubois

--
Mathieu Dubois - IR - UMR 8030 LABGeM team
CEA - Genoscope. 2 rue Gaston Crémieux. 91057 Evry Cedex France.
Office B07
+33 1 60 87 53 35
Re: postgresql jndi datasource with certificate authentication?
Thank you all for the suggestions.

Based on the documentation, my setup should work: The server certificate is already processed and accepted (I know that because I could not get it right at the first try). The driver is supposed to work with a PEM certificate and a PKCS-8 DER encoded key, and those are what I supply to it.

The problem seems to be that the Java installation (openjdk-11) does not have a cryptographic security provider understanding a specific OID. What I understand is that BouncyCastle has that security provider, and I should be able to configure it somewhere, either in the Java setup or Tomcat. I have already tried in the Java setup, but the documented way did not seem to work. I have no idea how to configure it in the Tomcat datasource; this is why I have asked here. The other reason is to see whether anyone has a similar setup: if so, then someone already dealt with the same problem, and I should like to see how.

It's true that it seems to be a pgjdbc related problem: it does not work with direct JDBC calls. I am trying to get help from the JDBC guys; this is why I have an open issue there: https://github.com/pgjdbc/pgjdbc/issues/1585

On 10/22/19 6:10 PM, Christopher Schultz wrote:
> Arpad,
>
> On 10/22/19 12:19, logo wrote:
>> I have the following in context.xml:
>>
>> type="javax.sql.DataSource"
>> driverClassName="org.postgresql.Driver"
>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
>> username="market" maxTotal="20" maxIdle="10"
>> maxWaitMillis="-1"/>
>>
>> I have this in ~tomcat/.postgresql:
>>
>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>> total 11
>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>
> The documentation for the driver[1] is a little unclear, but it seems
> that you can indeed specify the location of the client certificate
> using sslcert=/path/to/cert and sslkey=/path/to/key connection
> parameters. Their defaults are ${user.home}/.postgresql/postgresql.crt
> and ${user.home}/.postgresql/postgresql.pk8 (and
> ${user.home}/.postgresql/root.crt for the root certificate).
>
> So I think those settings should be working.
>
> Under the notes in [1], it says:
>
> "
> If you are using Java's default mechanism (not LibPQFactory) to create
> the SSL connection you will need to make the server certificate
> available to Java, the first step is to convert it to a form Java
> understands.
> "
>
> I'm not sure what LibPQFactory is, but you may have to convert to
> PKCS12/JKS and use their process to use those certificates.
>
> The documentation suggests that you will need to start your JVM with
> specific system properties to make your connection. IMO this is a
> terrible bug because it means you can't configure these things on a
> per-connection basis. The documentation is also incomplete because
> they only tell you how to configure a trust store (to trust the
> server) and not how to configure the key store (which contains your
> client certificate). The correct system properties to use for a key
> store are:
>
> javax.net.ssl.keyStore (path to keystore)
> javax.net.ssl.keyStorePassword (password for keystore)
> javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)
>
> At this point, all of your questions should be directed to the
> PostgreSQL community since it's the driver you are having trouble
> configuring. It appears that Tomcat is working as expected and you
> just need help with the driver configuration.
>
> Hope that helps,
> -chris
>
> [1] https://jdbc.postgresql.org/documentation/head/ssl-client.html
Re: OT Developer Praise - was Re: EOL for Tomcat 9.X ?
Olaf,

On 10/22/19 12:17, Olaf Kock wrote:
> On 22.10.19 17:56, Michael Osipov wrote:
>> On 2019-10-22 at 16:43, Christopher Schultz wrote:
>>> So Tomcat 9 is looking good for another 10 years at this point.
>>
>> ...and this is the reason why I appreciate the Tomcat devs' work. I
>> can simply stick to a version and virtually forget about compat issues.
>
> For me the reason is that I've never worried which version to pick:
> Always picked the latest available and never ran into issues where the
> newer version was imposing problems when used instead of the earlier
> version. And that includes major version upgrades

FWIW, I'm a (minor) Tomcat developer and I move VERY slowly. When I joined the list back in 2013, I was running Tomcat 4.something. Between then and now, I upgraded to each and every major version of Tomcat that was available only after about a year of testing in development. When I started my upgrade march, I think Tomcat 7 was just about to be released. That's when I upgraded to Tomcat 5.0 (or maybe I skipped to 5.5). Then 6.0, then 7.0, then 8.0, and only with our most recent major release -- about a year ago -- did we move to 8.5. We are looking at 9.0, now, but it's not actually in any testing environments at this point. We only use standard servlet-2.0-style stuff so we aren't upgrading for any new features like Websocket, async, etc.

> Big Thank You!

I'll be at B-Sides DC this weekend if anyone wants to buy me a beer. :)

-chris

PS They just released the dev preview of Java 14. I'm already 6 versions behind
Re: Cannot add dependency job for unit systemd-console-setup.service
Emefile,

On 10/20/19 10:00, Zero wrote:
> On 10/20/19 3:28 PM, Emefile Francis Nwajie wrote:
>> Thank you Andre for helping out. I figured that the
>> "systemd-console-setup.service" was disabled in the server. I have
>> enabled it. However, tomcat still refuses to start. Below is the
>> content of tomcat.service:
>>
>>     [Unit]
>>     Description=Apache Tomcat 9
>>     After=syslog.target network.target
>>
>>     [Service]
>>     User=tomcat
>>     Group=tomcat
>>     Type=forking
>>     Environment=CATALINA_PID=/opt/tomcat/tomcat.pid
>>     Environment=CATALINA_HOME=/opt/tomcat
>>     Environment=CATALINA_BASE=/opt/tomcat
>>     ExecStart=/opt/tomcat/bin/startup.sh
>>     ExecStop=/opt/tomcat/bin/shutdown.sh
>>     Restart=on-failure
>>
>>     [Install]
>>     WantedBy=multi-user.target
>>
>> Now it doesn't give any error other than "Unit tomcat.service entered
>> failed state."
>
> Tomcat logs its state in logfiles located in /var/log or
> /opt/tomcat/log. Maybe check those logs to get an idea of why it fails
> to startup.

Also:

    $ journalctl -u tomcat.service

Because why should you be able to read a log file directly when you can run a program to read it for you?

-chris
Re: postgresql jndi datasource with certificate authentication?
Arpad,

On 10/22/19 12:19, logo wrote:
> I have the following in context.xml:
>
> type="javax.sql.DataSource"
> driverClassName="org.postgresql.Driver"
> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
> username="market" maxTotal="20" maxIdle="10"
> maxWaitMillis="-1"/>
>
> I have this in ~tomcat/.postgresql:
>
> root@market:/var/lib/tomcat9/.postgresql# ls -lL
> total 11
> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt

The documentation for the driver[1] is a little unclear, but it seems that you can indeed specify the location of the client certificate using sslcert=/path/to/cert and sslkey=/path/to/key connection parameters. Their defaults are ${user.home}/.postgresql/postgresql.crt and ${user.home}/.postgresql/postgresql.pk8 (and ${user.home}/.postgresql/root.crt for the root certificate).

So I think those settings should be working.

Under the notes in [1], it says:

"
If you are using Java's default mechanism (not LibPQFactory) to create the SSL connection you will need to make the server certificate available to Java, the first step is to convert it to a form Java understands.
"

I'm not sure what LibPQFactory is, but you may have to convert to PKCS12/JKS and use their process to use those certificates.

The documentation suggests that you will need to start your JVM with specific system properties to make your connection. IMO this is a terrible bug because it means you can't configure these things on a per-connection basis. The documentation is also incomplete because they only tell you how to configure a trust store (to trust the server) and not how to configure the key store (which contains your client certificate). The correct system properties to use for a key store are:

javax.net.ssl.keyStore (path to keystore)
javax.net.ssl.keyStorePassword (password for keystore)
javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)

At this point, all of your questions should be directed to the PostgreSQL community since it's the driver you are having trouble configuring. It appears that Tomcat is working as expected and you just need help with the driver configuration.

Hope that helps,
-chris

[1] https://jdbc.postgresql.org/documentation/head/ssl-client.html
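The conversion Chris and Peter are talking about, as an added example that is not from the thread, the driver or Tomcat: the three files already in ~tomcat/.postgresql (PEM client certificate, unencrypted PKCS#8 DER key, PEM CA certificate) are packed into a PKCS#12 key store and a separate PKCS#12 trust store using only the JDK's KeyStore API, so the JDK's standard SSL machinery (rather than the driver's LibPQFactory) can present the client certificate and verify the server. The output file names client.p12 and truststore.p12, the password "changeit" and the `PgClientKeystore` class are assumptions for illustration; the driver property that selects the JDK's SSL factory is named in the usage note below and should be checked against your driver version's documentation.

```java
// Added example, not code from the thread or from pgjdbc. Builds a PKCS#12
// key store (client identity) and a PKCS#12 trust store (only the CA that
// signed the server) from the files Arpad already has. Names and the
// "changeit" password are assumptions for illustration.

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;

public final class PgClientKeystore {

    private PgClientKeystore() {}

    /** Parses a PEM (or DER) X.509 certificate; CertificateFactory accepts both encodings. */
    static X509Certificate readCert(Path p) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(p.toFile())) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Parses an unencrypted PKCS#8 DER key. The JDK has no "any algorithm"
     * KeyFactory, so RSA is tried first, then EC. If both reject the key, the
     * last exception names the OID the JDK's providers do not understand,
     * which is the same failure the driver reports and has nothing to do with Tomcat.
     */
    static PrivateKey readPkcs8Key(Path p) throws IOException, GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Files.readAllBytes(p));
        GeneralSecurityException last = null;
        for (String alg : Arrays.asList("RSA", "EC")) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (GeneralSecurityException e) {
                last = e;   // wrong algorithm for this key; try the next one
            }
        }
        throw last;
    }

    /** Writes a fresh PKCS#12 store; password protects the private key entry. */
    public static void build(Path cert, Path key, Path ca,
                             Path keyStoreOut, Path trustStoreOut, char[] pw)
            throws IOException, GeneralSecurityException {
        X509Certificate clientCert = readCert(cert);
        PrivateKey clientKey = readPkcs8Key(key);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // start empty
        ks.setKeyEntry("pg-client", clientKey, pw, new Certificate[] { clientCert });
        try (FileOutputStream out = new FileOutputStream(keyStoreOut.toFile())) {
            ks.store(out, pw);
        }

        // Trust store holds only the CA for the database server: do not reuse the
        // JDK's cacerts, otherwise any public CA could impersonate the server.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("pg-root", readCert(ca));
        try (FileOutputStream out = new FileOutputStream(trustStoreOut.toFile())) {
            ts.store(out, pw);
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : "/var/lib/tomcat9/.postgresql");
        char[] pw = "changeit".toCharArray();
        build(dir.resolve("postgresql.crt"), dir.resolve("postgresql.pk8"), dir.resolve("root.crt"),
              dir.resolve("client.p12"), dir.resolve("truststore.p12"), pw);
        System.out.println("wrote client.p12 and truststore.p12 under " + dir);
    }
}
```

The stores are then handed to the JVM through the system properties Chris lists (javax.net.ssl.keyStore, keyStorePassword, keyStoreType=PKCS12, plus the javax.net.ssl.trustStore trio), typically in $CATALINA_BASE/bin/setenv.sh, and the JDBC URL tells pgjdbc to use the JDK socket factory instead of LibPQFactory (sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory in current driver documentation; confirm the name for your version). Two caveats a practitioner will want: the properties are JVM-wide, so every outbound TLS connection from that Tomcat presents the same client certificate and trusts only that CA (exactly the per-connection limitation Chris objects to), and both the .p12 files and setenv.sh now hold secret material, so they belong to the tomcat user with mode 0600. If readPkcs8Key itself throws "unknown OID" or similar, the key encoding is the problem and converting it (or adding a provider that understands it) has to happen before any Tomcat configuration can help.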
Re: Adding the manager app to an existing installation
Tom,

On 10/18/19 12:54, Tom Povey wrote:
> Typo in my email. They're on 8.5.36. I will upgrade them to the latest 8.5.

Might be easiest to copy/paste the tomcat-users.xml file into an email and DEFINITELY REMOVE YOUR PASSWORDS from it.

-chris

> On 18 Oct 2019, at 16:45, Olaf Kock wrote:
>> On 18.10.19 17:21, Tom Povey wrote:
>>> Hi,
>>>
>>> I've been asked to help with an existing Tomcat install which is
>>> supporting a live website. When it was installed, it did not have the
>>> manager app added. We want to use the manager app now. I have copied
>>> the manager folder from another Tomcat install (same version which is
>>> 5.5.36) and updated tomcat-users in the /conf directory but I can't
>>> login to the manager gui. I give the username and password for the
>>> manager-gui role but it just comes back and redisplays the login
>>> prompt.
>>
>> tomcat-users.xml, as far as I remember, requires restart of the server
>> to be taken into account. You didn't mention that you did this.
>>
>> Plus, you only said "updated": By default there's no account in there,
>> I'm assuming that you "updated" correctly. You might want to post it
>> here (bar the actual password).
>>
>> Plus, your version is 1 day shy of being 7 years old, with the
>> end-of-life being even a few more days longer in the past (30 Sep 2012)
>> http://tomcat.apache.org/tomcat-55-eol.html
>>
>> It's about time to move on...
>>
>> Olaf
OT Developer Praise - was Re: EOL for Tomcat 9.X ?
On 22.10.19 17:56, Michael Osipov wrote:
> On 2019-10-22 at 16:43, Christopher Schultz wrote:
>>
>> So Tomcat 9 is looking good for another 10 years at this point.
>
> ...and this is the reason why I appreciate the Tomcat devs' work. I
> can simply stick to a version and virtually forget about compat issues.
>

For me the reason is that I've never worried which version to pick: Always picked the latest available and never ran into issues where the newer version was imposing problems when used instead of the earlier version. And that includes major version upgrades

Big Thank You!

Olaf
Re: postgresql jndi datasource with certificate authentication?
Arpad and Chris,

On 2019-10-22 18:07, Christopher Schultz wrote:
> Magosányi,
>
> On 10/22/19 11:09, Magosányi Árpád wrote:
>> As I understand you are suggesting to use direct connection to the
>> database. The servlet needs a JNDI datasource, and the question is
>> about configuring that datasource in tomcat. As I can modify the
>> servlet, I could choose to set up hibernate in other ways, but I would
>> like to separate the concerns of providing the database and using it
>> between the operations staff and development. And JNDI is exactly for
>> that.
>
> I think Peter was suggesting that you change your connection URL and
> the format of your keystore.

+1

> PKCS#8 is not a recognized format for Java keystores; you'll need to
> use JKS or PKCS#12 (recommended, as JKS is being deprecated).

I was looking for the right type name. Thanks Chris.

Peter

> -chris
>
>> On 10/22/19 2:27 PM, logo wrote:
>>> Arpad,
>>>
>>> have you tried sth like this:
>>>
>>> StringBuffer sb = new StringBuffer("jdbc:postgresql://infra.kodekonveyor.com:5432/users?useSSL=true=true=UTF-8&");
>>> sb.append("user=market=&");
>>> sb.append("clientCertificateKeyStoreUrl=file:var/lib/tomcat9/.postgresql/client.jks&");
>>> sb.append("clientCertificateKeyStorePassword=changeit");
>>>
>>> Connection c = DriverManager.getConnection(sb.toString());
>>>
>>> and convert the pem certificate to JKS/P12 ? I have this working in
>>> mysql...
>>>
>>> Peter
>>>
>>> On 2019-10-22 12:56, Magosányi Árpád wrote:
>>>> Hi!
>>>>
>>>> Anyone have a postgresql jndi datasource with certificate
>>>> authentication working?
>>>>
>>>> I have the following in context.xml:
>>>>
>>>> type="javax.sql.DataSource"
>>>> driverClassName="org.postgresql.Driver"
>>>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
>>>> username="market" maxTotal="20" maxIdle="10"
>>>> maxWaitMillis="-1"/>
>>>>
>>>> I have this in ~tomcat/.postgresql:
>>>>
>>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>>> total 11
>>>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>>>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>>>>
>>>> where the crt file is a pem client certificate, root.crt is the ca
>>>> cert, and pk8 is the client key in der pkcs-8 format.
Re: postgresql jndi datasource with certificate authentication?
Magosányi,

On 10/22/19 11:09, Magosányi Árpád wrote:
> As I understand you are suggesting to use direct connection to the
> database. The servlet needs a JNDI datasource, and the question is
> about configuring that datasource in tomcat. As I can modify the
> servlet, I could choose to set up hibernate in other ways, but I would
> like to separate the concerns of providing the database and using it
> between the operations staff and development. And JNDI is exactly for
> that.

I think Peter was suggesting that you change your connection URL and the format of your keystore.

PKCS#8 is not a recognized format for Java keystores; you'll need to use JKS or PKCS#12 (recommended, as JKS is being deprecated).

-chris

> On 10/22/19 2:27 PM, logo wrote:
>> Arpad,
>>
>> have you tried sth like this:
>>
>> StringBuffer sb = new StringBuffer("jdbc:postgresql://infra.kodekonveyor.com:5432/users?useSSL=true=true=UTF-8&");
>> sb.append("user=market=&");
>> sb.append("clientCertificateKeyStoreUrl=file:var/lib/tomcat9/.postgresql/client.jks&");
>> sb.append("clientCertificateKeyStorePassword=changeit");
>>
>> Connection c = DriverManager.getConnection(sb.toString());
>>
>> and convert the pem certificate to JKS/P12 ? I have this working in
>> mysql...
>>
>> Peter
>>
>> On 2019-10-22 12:56, Magosányi Árpád wrote:
>>> Hi!
>>>
>>> Anyone have a postgresql jndi datasource with certificate
>>> authentication working?
>>>
>>> I have the following in context.xml:
>>>
>>> type="javax.sql.DataSource"
>>> driverClassName="org.postgresql.Driver"
>>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
>>> username="market" maxTotal="20" maxIdle="10"
>>> maxWaitMillis="-1"/>
>>>
>>> I have this in ~tomcat/.postgresql:
>>>
>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>> total 11
>>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>>>
>>> where the crt file is a pem client certificate, root.crt is the ca
>>> cert, and pk8 is the client key in der pkcs-8 format.
Re: EOL for Tomcat 9.X ?
On 2019-10-22 at 16:43, Christopher Schultz wrote:
> Robert,
>
> On 10/18/19 11:46, Robert Hicks wrote:
>> Thanks!
>
> Further, releases of the servlet spec seem to be published
> approximately every 4 years in recent memory[1]. Tomcat 9 implements
> spec version 4.0, released in Sept 2017. If that version is superseded
> twice and history is a guide, then version 6.0 of the spec will be
> released sometime in 2025. At that point, Tomcat 11 will be the new
> state-of-the-art, but Tomcat 9 will still be supported, along with
> Tomcat 10 as well. When servlet 7.0 is announced (2029), we'll probably
> start looking for an EOL schedule for Tomcat 9, which will be at least
> 12 months away from the publication of servlet 7.0.
>
> So Tomcat 9 is looking good for another 10 years at this point.

...and this is the reason why I appreciate the Tomcat devs' work. I can simply stick to a version and virtually forget about compat issues.
Re: postgresql jndi datasource with certificate authentication?
Peter,

As I understand you are suggesting to use direct connection to the database. The servlet needs a JNDI datasource, and the question is about configuring that datasource in tomcat. As I can modify the servlet, I could choose to set up hibernate in other ways, but I would like to separate the concerns of providing the database and using it between the operations staff and development. And JNDI is exactly for that.

On 10/22/19 2:27 PM, logo wrote:
> Arpad,
>
> have you tried sth like this:
>
> StringBuffer sb = new StringBuffer("jdbc:postgresql://infra.kodekonveyor.com:5432/users?useSSL=true=true=UTF-8&");
> sb.append("user=market=&");
> sb.append("clientCertificateKeyStoreUrl=file:var/lib/tomcat9/.postgresql/client.jks&");
> sb.append("clientCertificateKeyStorePassword=changeit");
>
> Connection c = DriverManager.getConnection(sb.toString());
>
> and convert the pem certificate to JKS/P12 ? I have this working in
> mysql...
>
> Peter
>
> On 2019-10-22 12:56, Magosányi Árpád wrote:
>> Hi!
>>
>> Anyone have a postgresql jndi datasource with certificate authentication
>> working?
>>
>> I have the following in context.xml:
>>
>> type="javax.sql.DataSource"
>> driverClassName="org.postgresql.Driver"
>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
>> username="market" maxTotal="20" maxIdle="10"
>> maxWaitMillis="-1"/>
>>
>> I have this in ~tomcat/.postgresql:
>>
>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>> total 11
>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>>
>> where the crt file is a pem client certificate, root.crt is the ca cert,
>> and pk8 is the client key in der pkcs-8 format.
>>
>> The logs:
>>
>> NOTE: Picked up JDK_JAVA_OPTIONS:
>> --add-opens=java.base/java.lang=ALL-UNNAMED
>> --add-opens=java.base/java.io=ALL-UNNAMED
>> --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
>> Server version name: Apache Tomcat/9.0.16 (Ubuntu)
>> Server built: Sep 11 2019 19:47:51 UTC
>> Server version number: 9.0.16.0
>> OS Name: Linux
>> OS Version: 4.15.0-65-generic
>> Architecture: amd64
>> Java Home: /usr/lib/jvm/java-11-openjdk-amd64
>> JVM Version: 11.0.4+11-post-Ubuntu-1ubuntu218.04.3
>> JVM Vendor: Ubuntu
>> CATALINA_BASE: /var/lib/tomcat9
>> CATALINA_HOME: /usr/share/tomcat9
>> Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
>> Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
>> Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
>> Command line argument: -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
>> Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>> Command line argument: -Djava.awt.headless=true
>> Command line argument: -XX:+UseG1GC
>> Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
>> Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>> Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>> Command line argument: -Dignore.endorsed.dirs=
>> Command line argument: -Dcatalina.base=/var/lib/tomcat9
>> Command line argument: -Dcatalina.home=/usr/share/tomcat9
>> Command line argument: -Djava.io.tmpdir=/tmp
>> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.3].
>> APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
>> OpenSSL successfully initialized [OpenSSL 1.1.1 11 Sep 2018]
>> Initializing ProtocolHandler ["ajp-nio-8009"]
>> Server initialization in [1,859] milliseconds
>> Starting service [Catalina]
>> Starting Servlet engine: [Apache Tomcat/9.0.16 (Ubuntu)]
>> Deploying web application archive [/var/lib/tomcat9/webapps/market.war]
>> SLF4J: Class path contains multiple SLF4J bindings.
>> SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/slf4j-simple-1.7.24.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
>> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
>> SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
>> 3 Spring WebApplicationInitializers detected on classpath
>> onStartup
>> getContext
>>
Re: SameSite Cookie Setup Not Working
Apologies, but got this resolved. The httpOnly attribute was missing from one of the apps. I have now set it globally for all my apps.

Thanks,

On Tue, 22 Oct 2019 at 15:34, M. Manna wrote:
> Hello,
>
> As per the official documentation, I setup my same site cookie using
> Rfc6265CookieProcessor and set everything in "strict" mode.
>
> However, when I restarted my server, I only see httpOnly, secure - but not
> SameSite checked under browser's developer console.
>
> Could someone please help me understand whether something has been missed
> at my side? And yes, I am using tomcat 8.5.45 (as I read that it's been
> since 8.5.42). Otherwise, catalina bootstrapping would simply say that
> there's no samesitecookies attribute.
>
> Regards,
>
Re: EOL for Tomcat 9.X ?
Robert,

On 10/18/19 11:46, Robert Hicks wrote:
> Thanks!

Further, releases of the servlet spec seem to be published approximately every 4 years in recent memory[1]. Tomcat 9 implements spec version 4.0, released in Sept 2017. If that version is superseded twice and history is a guide, then version 6.0 of the spec will be released sometime in 2025. At that point, Tomcat 11 will be the new state-of-the-art, but Tomcat 9 will still be supported, along with Tomcat 10 as well. When servlet 7.0 is announced (2029), we'll probably start looking for an EOL schedule for Tomcat 9, which will be at least 12 months away from the publication of servlet 7.0.

So Tomcat 9 is looking good for another 10 years at this point. No promises :)

-chris

[1] https://en.wikipedia.org/wiki/Java_servlet#History

> On Fri, Oct 18, 2019 at 11:41 AM Olaf Kock wrote:
>> On 18.10.19 17:25, Robert Hicks wrote:
>>> Management is asking me if there is an end of life for Tomcat 9 reported. I don't see anything on the tomcat web site.
>>
>> Mark recently answered this to the same question for Tomcat 8.5:
>>
>> There is no official date. The Tomcat project maintains 3 major versions in parallel. Currently these are:
>> - 9.0.x
>> - 8.5.x
>> - 7.0.x
>>
>> We always provide at least 12 months notice of EOL. Major releases are aligned with releases of the Servlet specification. The current timetable for the next Servlet spec is TBD. We haven't even announced EOL for 7.0.x yet so you have:
>> - x years until Tomcat 10 / Servlet 4.next is released
>> - 1 year for 7.0.x EOL
>> - y years until Tomcat 11 / Servlet 4.next+1 is released
>> - 1 year for 8.5.x EOL
>>
>> Taking low estimates for x and y of 1 and 2 respectively, you have at least 5 years before 8.5.x is EOL. Take that figure as an "Engineering Estimate". Also known as a "wild guess".
SameSite Cookie Setup Not Working
Hello,

As per the official documentation, I setup my same site cookie using Rfc6265CookieProcessor and set everything in "strict" mode.

However, when I restarted my server, I only see httpOnly, secure - but not SameSite checked under browser's developer console.

Could someone please help me understand whether something has been missed at my side? And yes, I am using tomcat 8.5.45 (as I read that it's been since 8.5.42). Otherwise, catalina bootstrapping would simply say that there's no samesitecookies attribute.

Regards,
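The symptom in this question is a session cookie that shows Secure and HttpOnly in the browser's developer console but no SameSite attribute. The following Python is an added example, not code from the thread or from Tomcat: it parses Set-Cookie headers the way devtools lists them and reports which of the three attributes is absent, including the combination browsers reject outright (SameSite=None on a cookie that is not Secure). The header values in SAMPLE_HEADERS are constructed, not captured from the poster's server.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite.

Added example; not code from the thread or from Tomcat. The headers in
SAMPLE_HEADERS are constructed to mirror what the poster describes
seeing in the browser's developer console.
"""
from typing import Dict, List, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute names become lower-cased keys; flag attributes such as
    Secure map to "" and valued ones (SameSite, Path, ...) keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            parsed[key.strip().lower()] = val.strip()
    return parsed


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; [] means it carries
    Secure, HttpOnly and a usable SameSite attribute."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in c:
        findings.append("missing Secure")
    if "httponly" not in c:
        findings.append("missing HttpOnly")
    samesite = c.get("samesite")
    if samesite is None:
        findings.append("missing SameSite (browser applies its default)")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(f"unknown SameSite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in c:
        # Browsers only accept SameSite=None on cookies that are also Secure.
        findings.append("SameSite=None requires Secure")
    return findings


def audit_response(headers: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response given as (name, value)
    pairs, in the order the server sent them."""
    report = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            report.append((parse_set_cookie(value)["name"], audit_cookie(value)))
    return report


# Constructed sample response headers (not captured from the thread's server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    # What the poster reports: HttpOnly and Secure set, SameSite absent.
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    # Shape of the header once the cookie processor adds SameSite=Strict.
    ("Set-Cookie", "JSESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Strict"),
    # A cross-site cookie that forgot Secure: browsers reject SameSite=None here.
    ("Set-Cookie", "tracker=1; Path=/; SameSite=None"),
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_HEADERS):
        print(cookie_name, "OK" if not findings else "; ".join(findings))
```

Feeding the script the headers of a real response (for instance copied from the devtools Network panel) tells you whether the missing SameSite is a server-side configuration gap or whether the browser dropped the cookie because of the Secure requirement.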
Re: postgresql jndi datasource with certificate authentication?
Arpad,

have you tried sth like this:

StringBuffer sb = new StringBuffer("jdbc:postgresql://infra.kodekonveyor.com:5432/users?useSSL=true=true=UTF-8&");
sb.append("user=market=&");
sb.append("clientCertificateKeyStoreUrl=file:var/lib/tomcat9/.postgresql/client.jks&");
sb.append("clientCertificateKeyStorePassword=changeit");
Connection c = DriverManager.getConnection(sb.toString());

and convert the pem certificate to JKS/P12?

I have this working in mysql...

Peter

On 2019-10-22 12:56, Magosányi Árpád wrote:
> Hi!
>
> Anyone have a postgresql jndi datasource with certificate authentication working?
>
> I have the following in context.xml:
>
> I have this in ~tomcat/.postgresql:
>
> root@market:/var/lib/tomcat9/.postgresql# ls -lL
> total 11
> -rw-r--r-- 1 root root 4597 Oct 21 12:49 postgresql.crt
> -r 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
> -rw-r--r-- 1 root root 1493 Oct 21 12:49 root.crt
>
> where the crt file is a pem client certificate, root.crt is the ca cert, and pk8 is the client key in der pkcs-8 format.
>
> The logs:
>
> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> Server version name: Apache Tomcat/9.0.16 (Ubuntu)
> Server built: Sep 11 2019 19:47:51 UTC
> Server version number: 9.0.16.0
> OS Name: Linux
> OS Version: 4.15.0-65-generic
> Architecture: amd64
> Java Home: /usr/lib/jvm/java-11-openjdk-amd64
> JVM Version: 11.0.4+11-post-Ubuntu-1ubuntu218.04.3
> JVM Vendor: Ubuntu
> CATALINA_BASE: /var/lib/tomcat9
> CATALINA_HOME: /usr/share/tomcat9
> Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
> Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
> Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> Command line argument: -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
> Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> Command line argument: -Djava.awt.headless=true
> Command line argument: -XX:+UseG1GC
> Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> Command line argument: -Dignore.endorsed.dirs=
> Command line argument: -Dcatalina.base=/var/lib/tomcat9
> Command line argument: -Dcatalina.home=/usr/share/tomcat9
> Command line argument: -Djava.io.tmpdir=/tmp
> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.3].
> APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> OpenSSL successfully initialized [OpenSSL 1.1.1 11 Sep 2018]
> Initializing ProtocolHandler ["ajp-nio-8009"]
> Server initialization in [1,859] milliseconds
> Starting service [Catalina]
> Starting Servlet engine: [Apache Tomcat/9.0.16 (Ubuntu)]
> Deploying web application archive [/var/lib/tomcat9/webapps/market.war]
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/slf4j-simple-1.7.24.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
> SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
> 3 Spring WebApplicationInitializers detected on classpath
> onStartup
> getContext
> getRootConfigClasses
> [main] INFO com.kodekonveyor.market.WebInitializer - getRootConfigClasses
> getServletConfigClasses
> [main] INFO com.kodekonveyor.market.WebInitializer - getServletConfigClasses
> getServletMappings
> [main] INFO com.kodekonveyor.market.WebInitializer - getServletMappings
> At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> Initializing Spring root WebApplicationContext
> [main] INFO org.springframework.web.context.ContextLoader - Root WebApplicationContext: initialization started
> [main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate - Bootstrapping Spring Data repositories in DEFAULT mode.
> [main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate -
postgresql jndi datasource with certificate authentication?
Hi!

Anyone have a postgresql jndi datasource with certificate authentication working?

I have the following in context.xml:

I have this in ~tomcat/.postgresql:

root@market:/var/lib/tomcat9/.postgresql# ls -lL
total 11
-rw-r--r-- 1 root root 4597 Oct 21 12:49 postgresql.crt
-r 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
-rw-r--r-- 1 root root 1493 Oct 21 12:49 root.crt

where the crt file is a pem client certificate, root.crt is the ca cert, and pk8 is the client key in der pkcs-8 format.

The logs:

NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version name: Apache Tomcat/9.0.16 (Ubuntu)
Server built: Sep 11 2019 19:47:51 UTC
Server version number: 9.0.16.0
OS Name: Linux
OS Version: 4.15.0-65-generic
Architecture: amd64
Java Home: /usr/lib/jvm/java-11-openjdk-amd64
JVM Version: 11.0.4+11-post-Ubuntu-1ubuntu218.04.3
JVM Vendor: Ubuntu
CATALINA_BASE: /var/lib/tomcat9
CATALINA_HOME: /usr/share/tomcat9
Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Command line argument: -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties
Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Command line argument: -Djava.awt.headless=true
Command line argument: -XX:+UseG1GC
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
Command line argument: -Dignore.endorsed.dirs=
Command line argument: -Dcatalina.base=/var/lib/tomcat9
Command line argument: -Dcatalina.home=/usr/share/tomcat9
Command line argument: -Djava.io.tmpdir=/tmp
Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.3].
APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
OpenSSL successfully initialized [OpenSSL 1.1.1 11 Sep 2018]
Initializing ProtocolHandler ["ajp-nio-8009"]
Server initialization in [1,859] milliseconds
Starting service [Catalina]
Starting Servlet engine: [Apache Tomcat/9.0.16 (Ubuntu)]
Deploying web application archive [/var/lib/tomcat9/webapps/market.war]
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/slf4j-simple-1.7.24.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/var/lib/tomcat9/webapps/market/WEB-INF/lib/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
3 Spring WebApplicationInitializers detected on classpath
onStartup
getContext
getRootConfigClasses
[main] INFO com.kodekonveyor.market.WebInitializer - getRootConfigClasses
getServletConfigClasses
[main] INFO com.kodekonveyor.market.WebInitializer - getServletConfigClasses
getServletMappings
[main] INFO com.kodekonveyor.market.WebInitializer - getServletMappings
At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Initializing Spring root WebApplicationContext
[main] INFO org.springframework.web.context.ContextLoader - Root WebApplicationContext: initialization started
[main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate - Bootstrapping Spring Data repositories in DEFAULT mode.
[main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 198ms. Found 1 repository interfaces.
[main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate - Bootstrapping Spring Data repositories in DEFAULT mode.
[main] INFO org.springframework.data.repository.config.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 35ms. Found 1 repository interfaces.
[main] INFO org.springframework.context.support.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean
Re: Security issue involving HTTP response headers
Hi James,

see below:

On 2019-10-21 23:34, James H. H. Lampert wrote:
> <filter>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>   <init-param>
>     <param-name>antiClickJackingOption</param-name>
>     <param-value>SAMEORIGIN</param-value>
>   </init-param>
> </filter>

Mark mentioned it before, that can also go into your app's web.xml and, instead of activating it for the whole tomcat instance, apply only to your app. You can also remove the antiClickJacking option (antiClickJackingEnabled=false) or extend it like this:

X-Frame-Options: allow-from https://example.com/

see https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options

But that will also affect your app.

BTW: if you add this only to your app, the system will still "fail" all security scans, as most scanners will run on IPs or the root context and then see that the headers are missing. So the other app will need a fix too.

HTH,
Peter

> In the filter mapping section of the web.xml add the following.
>
> <filter-mapping>
>   <filter-name>httpHeaderSecurity</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> Before I installed the above filter on the customer box (which *only* serves the webapp for our product), I tested it on our own box. And seeing no immediate problems, I didn't bother to pull it out of our box.
>
> Then I discovered that another webapp sharing the Tomcat server on our box, one that *by design* is placed in a frame, in a page residing on another server, had stopped working. With the filter in place, it works fine if you go directly to the page, but it fails if you go to the page on the other server.
>
> That raises two questions:
>
> 1. Is there something I can set in the above code, in order to allow this webapp to appear in the aforementioned frame where it is supposed to appear, but not if it's put in a frame on some other arbitrary page, elsewhere?
>
> 2. Are there other side effects of the HTTP header security filter that I should know about? It seems that on the aforementioned customer box, something happened recently that seems to be keeping our webapp from exporting M$ Excel files to the user. We don't think it's related (and have reason to believe it isn't), but one never can tell, and it never hurts to ask.
>
> --
> James H. H. Lampert
>
> (As my freshman woodshop teacher in high school was fond of saying, "The only dumb question is the one that doesn't get asked.")
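James's first question, allowing the webapp into one specific partner's frame but not into arbitrary ones, is exactly what the Content-Security-Policy frame-ancestors directive expresses and X-Frame-Options cannot: SAMEORIGIN blocks every other origin, and the ALLOW-FROM form is obsolete, so current browsers ignore a header that uses it. The Python below is an added example, not code from the thread, from Tomcat or from any browser; it models the decision a current browser makes from those two headers, with frame-ancestors taking precedence when present. The page, partner and third-party URLs and the three header sets are constructed for illustration.

```python
"""Model how a browser decides whether a page may be framed, from the
response headers discussed in this thread.

Added example; not code from the thread, from Tomcat or from any
browser. It encodes the documented precedence: a Content-Security-Policy
frame-ancestors directive, when present, wins over X-Frame-Options;
X-Frame-Options DENY and SAMEORIGIN are honoured; the ALLOW-FROM form is
obsolete and current browsers ignore a header that uses it. All URLs and
header sets below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its origin, scheme://host[:port], lower-cased."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.hostname}".lower()
    return f"{origin}:{u.port}" if u.port else origin


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder.

    Handles 'none', 'self', scheme-only sources (https:), and host
    sources with an optional port and a leading *. wildcard.
    """
    s = source.strip().strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return _origin(embedder) == _origin(page)
    emb = urlsplit(embedder)
    if s.endswith(":"):
        return emb.scheme.lower() == s[:-1]
    if "://" not in s:                       # bare host: the page's scheme applies
        s = f"{urlsplit(page).scheme.lower()}://{s}"
    src = urlsplit(s)
    if src.scheme != emb.scheme.lower():
        return False
    if src.port and src.port != emb.port:
        return False
    host = (emb.hostname or "").lower()
    if src.hostname.startswith("*."):
        return host.endswith(src.hostname[1:])
    return host == src.hostname


def framing_allowed(headers: Dict[str, str], page_url: str,
                    embedder_url: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for page_url loaded inside a frame on
    embedder_url; None means a top-level navigation, which is never blocked."""
    if embedder_url is None:
        return True, "top-level navigation"
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]               # an empty source list behaves like 'none'
            allowed = any(_source_matches(src, embedder_url, page_url) for src in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin(embedder_url) == _origin(page_url), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete; header ignored, framing unrestricted"
    return True, "no framing restriction sent"


# Constructed URLs: the framed webapp, the one partner page allowed to embed it,
# and an arbitrary third-party page.
PAGE = "https://app.example.com/report"
PARTNER = "https://portal.partner.example/dashboard"
ELSEWHERE = "https://other.example.net/"

# What the filter sends with antiClickJackingOption=SAMEORIGIN.
SAMEORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
# Allow exactly one partner origin plus our own; X-Frame-Options is kept as the
# fallback for browsers without CSP support.
PARTNER_POLICY = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' https://portal.partner.example",
}
# The allow-from form mentioned in the thread.
ALLOW_FROM = {"X-Frame-Options": "ALLOW-FROM https://portal.partner.example"}

if __name__ == "__main__":
    for label, policy in [("SAMEORIGIN only", SAMEORIGIN_ONLY),
                          ("CSP partner policy", PARTNER_POLICY),
                          ("ALLOW-FROM", ALLOW_FROM)]:
        for who in (PARTNER, ELSEWHERE):
            ok, why = framing_allowed(policy, PAGE, who)
            print(f"{label:20} embedder={who:42} allowed={ok} ({why})")
```

PARTNER_POLICY is the header set that answers question 1: keep X-Frame-Options SAMEORIGIN for old browsers and add a frame-ancestors list naming the partner origin. Tomcat's HttpHeaderSecurityFilter only manages HSTS, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection, so the Content-Security-Policy header has to be emitted by the webapp itself or by a front-end proxy, and the script doubles as a quick offline check of whatever that layer ends up sending.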