Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
James,
> Am 07.01.2020 um 03:11 schrieb James H. H. Lampert :
>
> Dear Mr. Schultz, et al.:
>
> The manager password on this Tomcat server has an embedded curly brace, and
> an embedded question mark.
>
> If I do this (the names have been changed to protect the innocent, and the
> -k!)
>
>> curl -k
>> "https://foo:b?a{r@localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs;
>
> I get curl: (3) [globbing] unmatched brace in column xx
>
> If I change the curly brace to "%7B," I get:
>
>> curl -k
>> "https://foo:b?a%7Br@localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs;
>
> I get curl: (3) Port number ended with 'n'
>
> And if I put the user-ID and password in with a -u clause on curl, rather
> than in the URL itself, I get "Unauthorized."
>
> What is wrong here? Are there characters it simply can't tolerate in
> passwords, even if URL-escaped?
I‘d prefer them in -u.
for separation of concerns, add a separate user with a longer one and shell
friendly password only with the role below...
> Or do I need to give the manager user an additional role? Currently, I have:
>
manager-jmx
(and maybe for other script-actions manager-script)
Peter
> --
> JHHL
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Hi Christopher, Am 06.01.20 um 17:39 schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dennia, On 1/6/20 07:09, Dennis Rech wrote: we have an application where HTTP clients have a kind of unclean way of submitting HTTP POST requests to our tomcat server for data upload: The |POST| and |Host: xxx| part appears twice in the request. Yuck. You mean like this? POST /foo HTTP/1.1 POST /foo HTTP/1.1 Host: foo.com Host: foo.com Content-Type: application/x-www-url-encoded Content-Length: 13 q=Hello World ? No, rather like that: POST /foo HTTP/1.1 Host: foo.com POST /foo HTTP/1.1 Host: foo.com Content-[stuff] [...] Until now this didn't cause any problems with tomcat, but since the latest release, Tomcat refuses to accept this message and returns a 400 bad request immediately. Having two "host" headers should be okay. But repeating the request line is a clear violation of the HTTP spec that will be difficult to get over. I can't believe Tomcat ever allowed that, though it may have done so. I read in the changelog that since Tomcat 8.5.22 it will also reply with Bad request 400 if there are two Host fields in the header. But I guess the double "POST" is even worse. Unfortunately we'll not be able to change the client-side code. Is there any way to tell the tomcat connector "ignore duplicate headers" or so to make it work again? I guess the rewrite filters for tomcat won't help as tomcat probably discards the incoming message before handing it over to rewrite. Tomcat is responsible for reading the request line and routing the request to an application. If the request is broken badly enough, it won't be able to route. Headers are parsed as a part of that, and: POST /foo HTTP/1.1 is not a valid header for at least two reasons: 1. There is no : character (required, even when the header has no value) 2. There are spaces in the "name" (the name is everything before colon ) Well, "POST"... is the actual request followed by the HTTP headers. POST is not part of the actual header. Maybe I haven't pointed that out. Example request: |POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the request is ok...] | This got word-wrapped. Was this? Yes I copied it from a formatted document, the pipes probably indicate that this text was preformatted in the original document, sorry. Also the newlines are missing. POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST/data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...here comes the remaining header with Content-Length etc followed by the body...] POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the request is ok...] ? Yikes. What kind of client is this? It's a remote unit transmitting data to a server using POST file uploads with - obviously - a little bug in the firmware that builds the HTTP request manually as there is no curl library for the unit etc. which can be used to generate the requests. I wonder if there is a parameter for the |Connector| part in server.xml or so to workaround this problem and restore the old behaviour without downgrading. The good news is that the second POST could theoretically be considered to be a "broken" header and ignored. But Tomcat has been getting progressively more strict about what it will accept. There are all kinds of nasty ways to use malformed messages like this to confuse environments where e.g. a reverse-proxy and the origin server behave differently when they see requests like those above. It's better to just fail and fix the software. Why can't you fix the clients? Is this another case of internet-of-things garbage that can't practically be repaired? Something like that. The devices could be updated in theory but probably not over-the-air and many of them are already deployed somewhere in the "wild" so we don't have physical access to them anymore. Unfortunately we did not notice that in the past as tomcat always accepted these requests until the latest update for debian came out. I totally agree that the best solution would be to let those devices send proper HTTP protocol but I guess we'll have to find a workaround on server-side. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TYrsACgkQHPApP6U8 pFjNyRAAnebbKRBT99Zgk8vfnW4gUOGXYlgX8Xk2W8bUI7UPfqpphS6+t6Lwjti1 SBnS2qKuUXELMI7fca5Iq2NhKD9cCxZhuWrRQ6+jSZESaT6EEGeKYFaJ3Jtn5Dv6 ll6JKASuNTZtaDo+df0xYnDUvk6kT99aM3GY4FwYNLl/FIxv58D6YbUXN0TYLJQy 0IrnalQEQO8b8SiZcOPPAeA8ODZJQ37egAe3kP3xyWQPMl2u/966c0b711qZJ8JY D9JaR0fnVTZMHCHQmK9xLQKqra4T7uOv0UslQVheq47+SuXJea+qz1AmSJf3CU57 bL4zD7XVKkcC/bsOu1uWUSaKjN0KRnIqwxwo2trpPyoMpKJBGY26GdekpM/jeLdU eyh4I8f8fJkJ7GerLZrZSGxKIlTs86fzM96wr/P4pgSclBjgCO3RMf9phl7URmgp
RE: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
Hi Rémy/ Christopher, It will stuck there for 10-15 minutes, so it will take time to load simple Web UI, there is no WebSocket call. I am giving you one of the sample where it will take 90% time in write operation, sometime it will reach to 100%. O-javax.servlet.http.HttpServlet.service(HttpServlet.java:742) count=1797(%100.00) O-org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) count=1797(%100.00) O-javax.servlet.http.HttpServlet.service(HttpServlet.java:661) count=1797(%100.00) O-org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) count=1797(%100.00) O-org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) count=1797(%100.00) O-org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) count=1797(%100.00) O-org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) count=1797(%100.00) O-com.ptc.mvc.gwt.GwtHandlerAdapter.handle(GwtHandlerAdapter.java:117) count=1797(%100.00) O-com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) count=1797(%100.00) O-com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:313) count=1678(%93.378) | O-com.google.gwt.user.server.rpc.RemoteServiceServlet.writeResponse(RemoteServiceServlet.java:460) count=1678(%93.378) | O-com.google.gwt.user.server.rpc.RPCServletUtils.writeResponse(RPCServletUtils.java:375) count=1669(%92.877) || O-java.io.OutputStream.write(OutputStream.java:75) count=1669(%92.877) || O-com.dynatrace.diagnostics.agent.introspection.uem.impl.AutoHtmlInjectorStream.write(Unknown Source) count=1669(%92.877) || O-wt.servlet.CompressionFilter$GzippingResponse$GzipAsAppropStream.write(CompressionFilter.java:687) count=1669(%92.877) || O-wt.servlet.CompressionFilter$GzippingResponse$GzipAsAppropStream$BufferStream.write(CompressionFilter.java:757) count=1669(%92.877) || O-wt.servlet.ServletRequestMonitor$CountingOutputStream.write(ServletRequestMonitor.java:2388) count=1669(%92.877) || O-com.dynatrace.diagnostics.agent.introspection.uem.impl.AutoHtmlInjectorStream.write(Unknown Source) count=1669(%92.877) || O-org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:96) count=1669(%92.877) || O-org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:369) count=1669(%92.877) || O-org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:391) count=1669(%92.877) || O-org.apache.catalina.connector.OutputBuffer.append(OutputBuffer.java:724) count=1669(%92.877) || O-org.apache.catalina.connector.OutputBuffer.appendByteArray(OutputBuffer.java:795) count=1669(%92.877) || O-org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:351) count=1669(%92.877) || O-org.apache.coyote.Response.doWrite(Response.java:541) count=1669(%92.877) || O-org.apache.coyote.ajp.AjpProcessor$SocketOutputBuffer.doWrite(AjpProcessor.java:1449) count=1669(%92.877) || O-org.apache.coyote.ajp.AjpProcessor.access$900(AjpProcessor.java:54) count=1669(%92.877) ||
Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
https://stackoverflow.com/questions/17560858/command-prompt-having-trouble-escaping-quotes-and-braces
You can use curl -g to turn off globbing:
On Tue, 7 Jan 2020, 02:11 James H. H. Lampert,
wrote:
> Dear Mr. Schultz, et al.:
>
> The manager password on this Tomcat server has an embedded curly brace,
> and an embedded question mark.
>
> If I do this (the names have been changed to protect the innocent, and
> the -k!)
>
> > curl -k "https://foo:b?a{r@localhost
> :8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs"
>
> I get curl: (3) [globbing] unmatched brace in column xx
>
> If I change the curly brace to "%7B," I get:
>
> > curl -k "https://foo:b?a%7Br@localhost
> :8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs"
>
> I get curl: (3) Port number ended with 'n'
>
> And if I put the user-ID and password in with a -u clause on curl,
> rather than in the URL itself, I get "Unauthorized."
>
> What is wrong here? Are there characters it simply can't tolerate in
> passwords, even if URL-escaped?
>
> Or do I need to give the manager user an additional role? Currently, I
> have:
>
>
> --
> JHHL
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
Dear Mr. Schultz, et al.:
The manager password on this Tomcat server has an embedded curly brace,
and an embedded question mark.
If I do this (the names have been changed to protect the innocent, and
the -k!)
curl -k
"https://foo:b?a{r@localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs;
I get curl: (3) [globbing] unmatched brace in column xx
If I change the curly brace to "%7B," I get:
curl -k
"https://foo:b?a%7Br@localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22=reloadSslHostConfigs;
I get curl: (3) Port number ended with 'n'
And if I put the user-ID and password in with a -u clause on curl,
rather than in the URL itself, I get "Unauthorized."
What is wrong here? Are there characters it simply can't tolerate in
passwords, even if URL-escaped?
Or do I need to give the manager user an additional role? Currently, I have:
--
JHHL
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Question about iptables, Re: Let's Encrypt with Tomcat?
Ladies and Gentlemen: As I said earlier today, I have # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 *filter :INPUT ACCEPT [5018099:5766179544] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [400:2863742410] COMMIT # Completed on Mon Jan 6 21:17:22 2020 # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 *nat :PREROUTING ACCEPT [41828:2351495] :INPUT ACCEPT [76356:4167904] :OUTPUT ACCEPT [254990:18418937] :POSTROUTING ACCEPT [254990:18418937] -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 COMMIT # Completed on Mon Jan 6 21:17:22 2020 But viewing Mr. Schultz's presentation, I see that it also calls for an output redirect. I don't have that second redirect, and yet the Tomcat server works fine. Why? Is that something to do with the "proxyPort" clause on the connector? -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
Heureka! Actually, I was thinking more "Sokath, his eyes uncovered!" And actually, at this point, I'm thinking I'm better off with Apache httpd handling port 80, since it would only be used for Let's Encrypt, and Let's Encrypt and certbot currently play much more nicely with it than with Tomcat. But that puts at least the next step of this exercise outside the scope of this List. It may be time to view Mr. Schultz's presentation again. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
James, >> Am 06.01.2020 um 22:28 schrieb James H. H. Lampert >> : >> >> I think I found something, with the help of "MLu" on ServerFault: >> >> He advised me to try "iptables -L" and "iptables-save" again, only this time >> "sudo" them. >> >> When I did "iptables -L" under root privileges, I still only got column >> headings, but when I did "iptables-save" under root privileges, I hit what >> appears to be paydirt: >> # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 >> *filter >> :INPUT ACCEPT [5018099:5766179544] >> :FORWARD ACCEPT [0:0] >> :OUTPUT ACCEPT [400:2863742410] >> COMMIT >> # Completed on Mon Jan 6 21:17:22 2020 >> # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 >> *nat >> :PREROUTING ACCEPT [41828:2351495] >> :INPUT ACCEPT [76356:4167904] >> :OUTPUT ACCEPT [254990:18418937] >> :POSTROUTING ACCEPT [254990:18418937] >> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 >> COMMIT >> # Completed on Mon Jan 6 21:17:22 2020 > > Other than the one obvious line near the bottom, >> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 > I'm not entirely sure what all of this means, nor do I remember what I did to > set it up. Heureka! So you may add the like for Port 80 and you are set for LE! Peter > -- > JHHL > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: Maven Warning. Ubuntu Users
Le 06/01/2020 à 21:24, Zahid Rahman a écrit : > Don't shoot the messenger. You are not sending the message to the right list, there is nothing the Tomcat developers can do to fix this issue. This should be brought to debian-j...@lists.debian.org instead (Debian is the source of Ubuntu Java packages). But you are lucky because beside maintaining Tomcat in Debian, I also maintain Maven, and thanks to your message I've filled the bugs to address this issue [1][2]. Emmanuel Bourg [1] https://bugs.debian.org/948309 [2] https://bugs.debian.org/948310 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
Well - why do you think someone is calling you names? Mark did not, right? > Am 06.01.2020 um 22:11 schrieb Zahid Rahman : > > Are you calling me names ? > > On Mon, 6 Jan 2020, 20:35 Mark Thomas, wrote: > >> On 06/01/2020 16:29, Christopher Schultz wrote: >>> You have a right to a view, and you can troll all you want. But you >>> will be ignored. >> >> Up to a point. >> >> Users that continue to troll will be unsubscribed and blocked from >> re-subscribing. >> >> As a general reminder aimed at keeping noise down on the list: >> >> Please don't feed the trolls. >> >> >> Mark >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Breakthrough, Re: Let's Encrypt with Tomcat?
I think I found something, with the help of "MLu" on ServerFault: He advised me to try "iptables -L" and "iptables-save" again, only this time "sudo" them. When I did "iptables -L" under root privileges, I still only got column headings, but when I did "iptables-save" under root privileges, I hit what appears to be paydirt: # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 *filter :INPUT ACCEPT [5018099:5766179544] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [400:2863742410] COMMIT # Completed on Mon Jan 6 21:17:22 2020 # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 *nat :PREROUTING ACCEPT [41828:2351495] :INPUT ACCEPT [76356:4167904] :OUTPUT ACCEPT [254990:18418937] :POSTROUTING ACCEPT [254990:18418937] -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 COMMIT # Completed on Mon Jan 6 21:17:22 2020 Other than the one obvious line near the bottom, > -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 I'm not entirely sure what all of this means, nor do I remember what I did to set it up. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
Are you calling me names ? On Mon, 6 Jan 2020, 20:35 Mark Thomas, wrote: > On 06/01/2020 16:29, Christopher Schultz wrote: > > You have a right to a view, and you can troll all you want. But you > > will be ignored. > > Up to a point. > > Users that continue to troll will be unsubscribed and blocked from > re-subscribing. > > As a general reminder aimed at keeping noise down on the list: > > Please don't feed the trolls. > > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
So people who find miserable software breakdowns and failures will be called trolls and blocked. That sound about right . On Mon, 6 Jan 2020, 20:35 Mark Thomas, wrote: > On 06/01/2020 16:29, Christopher Schultz wrote: > > You have a right to a view, and you can troll all you want. But you > > will be ignored. > > Up to a point. > > Users that continue to troll will be unsubscribed and blocked from > re-subscribing. > > As a general reminder aimed at keeping noise down on the list: > > Please don't feed the trolls. > > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
On 06/01/2020 16:29, Christopher Schultz wrote: > You have a right to a view, and you can troll all you want. But you > will be ignored. Up to a point. Users that continue to troll will be unsubscribed and blocked from re-subscribing. As a general reminder aimed at keeping noise down on the list: Please don't feed the trolls. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: Maven Warning. Ubuntu Users
It was the maven team which informed me the issue is with ubuntu compiling wrong classes incorrectly as described. Now all my software is running without warnings. I can also use any jdk even the bleeding jdk version. People are using maven and jdk with Tomcat. Don't shoot the messenger. On Mon, 6 Jan 2020, 20:17 Michael Osipov, wrote: > Am 2020-01-06 um 21:13 schrieb Zahid Rahman: > > That must be the reason why Apache Netbeans is using a version from 2015 > > and Apache Struts is recommending to use jdk 8. > > > > Because there is somebody like you keeps telling people it is off topic > > and Giant IT companies are not releasing jdk further than JDK 8. > > > > The issue is a miserable and disgraceful failure in coordination by > Apache > > Foundation. > > This still has absolutely *nothing* to do with Tomcat. Complain to > Debian for modifying packages. The Maven Team rejects any kind of source > code modifications. > > > > On Mon, 6 Jan 2020, 19:45 Mark Thomas, wrote: > > > >> On 06/01/2020 18:37, Zahid Rahman wrote: > >>> To all ubuntu Maven users. > >> > >> This is off-topic for this mailing list. > >> > >> Please keep posts on this list on topic. > >> > >> Thanks, > >> > >> Mark > >> > >> > >>> > >>> Do NOT install maven using > >>> sudo apt install maven > >>> > >>> Install by direct download only from > >>> https://maven.apache.org/download.cgi > >>> > >>> BECAUSE: > >>> > >>> "I seem to remember they [ubuntu] have their own build of Maven which > >>> differs from the Apache source. > >>> > >>> ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 > suggests > >>> it's a known bug in their packaging/build? ) > >>> > >>> If you download Maven from http://maven.apache.org/download.cgi and > >> follow > >>> the instructions in http://maven.apache.org/install.html then you > >> shouldn't > >>> see those warnings. " > >>> ‐--- > >>> > >>> The Java 11 warning mentions that "/usr/share/maven/lib/guice.jar" has > a > >>> class named "com.google.inject.internal.cglib.core.$ReflectUtils$1" > >>> > >>> This looks suspect because the official Maven distribution uses the > >>> "no-AOP" version of Guice which doesn't contain any CGLIB classes. It > >>> suggests that whoever provided that copy of Maven has replaced the > >> "no-AOP" > >>> version with the "AOP" version, and this will cause warnings on Java > 11. > >>> (The "AOP" version uses CGLIB which currently relies on certain > >> reflective > >>> access that Java 11 warns about - whereas the "no-AOP" version > doesn't.) > >>> > >> > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > >> > > > > >
Re: [OT] Re: Maven Warning. Ubuntu Users
Am 2020-01-06 um 21:13 schrieb Zahid Rahman: That must be the reason why Apache Netbeans is using a version from 2015 and Apache Struts is recommending to use jdk 8. Because there is somebody like you keeps telling people it is off topic and Giant IT companies are not releasing jdk further than JDK 8. The issue is a miserable and disgraceful failure in coordination by Apache Foundation. This still has absolutely *nothing* to do with Tomcat. Complain to Debian for modifying packages. The Maven Team rejects any kind of source code modifications. On Mon, 6 Jan 2020, 19:45 Mark Thomas, wrote: On 06/01/2020 18:37, Zahid Rahman wrote: To all ubuntu Maven users. This is off-topic for this mailing list. Please keep posts on this list on topic. Thanks, Mark Do NOT install maven using sudo apt install maven Install by direct download only from https://maven.apache.org/download.cgi BECAUSE: "I seem to remember they [ubuntu] have their own build of Maven which differs from the Apache source. ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 suggests it's a known bug in their packaging/build? ) If you download Maven from http://maven.apache.org/download.cgi and follow the instructions in http://maven.apache.org/install.html then you shouldn't see those warnings. " ‐--- The Java 11 warning mentions that "/usr/share/maven/lib/guice.jar" has a class named "com.google.inject.internal.cglib.core.$ReflectUtils$1" This looks suspect because the official Maven distribution uses the "no-AOP" version of Guice which doesn't contain any CGLIB classes. It suggests that whoever provided that copy of Maven has replaced the "no-AOP" version with the "AOP" version, and this will cause warnings on Java 11. (The "AOP" version uses CGLIB which currently relies on certain reflective access that Java 11 warns about - whereas the "no-AOP" version doesn't.) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: Maven Warning. Ubuntu Users
That must be the reason why Apache Netbeans is using a version from 2015 and Apache Struts is recommending to use jdk 8. Because there is somebody like you keeps telling people it is off topic and Giant IT companies are not releasing jdk further than JDK 8. The issue is a miserable and disgraceful failure in coordination by Apache Foundation. On Mon, 6 Jan 2020, 19:45 Mark Thomas, wrote: > On 06/01/2020 18:37, Zahid Rahman wrote: > > To all ubuntu Maven users. > > This is off-topic for this mailing list. > > Please keep posts on this list on topic. > > Thanks, > > Mark > > > > > > Do NOT install maven using > > sudo apt install maven > > > > Install by direct download only from > > https://maven.apache.org/download.cgi > > > > BECAUSE: > > > > "I seem to remember they [ubuntu] have their own build of Maven which > > differs from the Apache source. > > > > ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 suggests > > it's a known bug in their packaging/build? ) > > > > If you download Maven from http://maven.apache.org/download.cgi and > follow > > the instructions in http://maven.apache.org/install.html then you > shouldn't > > see those warnings. " > >‐--- > > > > The Java 11 warning mentions that "/usr/share/maven/lib/guice.jar" has a > > class named "com.google.inject.internal.cglib.core.$ReflectUtils$1" > > > > This looks suspect because the official Maven distribution uses the > > "no-AOP" version of Guice which doesn't contain any CGLIB classes. It > > suggests that whoever provided that copy of Maven has replaced the > "no-AOP" > > version with the "AOP" version, and this will cause warnings on Java 11. > > (The "AOP" version uses CGLIB which currently relies on certain > reflective > > access that Java 11 warns about - whereas the "no-AOP" version doesn't.) > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > >
Re: Let's Encrypt with Tomcat?
On 1/6/20 11:29 AM, Christopher Schultz wrote: I think Route 53 always uses a load-balancer, doesn't it? No. A load balancer implies the existence of a cluster, and this is a single instance, with a fixed IP address, and that is the address in the A record under Route 53. And if a load balancer were involved, then something would show up under load balancing: either a load balancer specific to this instance, or something tying this instance to a load balancer on one of our two clusters. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[OT] Re: Maven Warning. Ubuntu Users
On 06/01/2020 18:37, Zahid Rahman wrote: > To all ubuntu Maven users. This is off-topic for this mailing list. Please keep posts on this list on topic. Thanks, Mark > > Do NOT install maven using > sudo apt install maven > > Install by direct download only from > https://maven.apache.org/download.cgi > > BECAUSE: > > "I seem to remember they [ubuntu] have their own build of Maven which > differs from the Apache source. > > ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 suggests > it's a known bug in their packaging/build? ) > > If you download Maven from http://maven.apache.org/download.cgi and follow > the instructions in http://maven.apache.org/install.html then you shouldn't > see those warnings. " >‐--- > > The Java 11 warning mentions that "/usr/share/maven/lib/guice.jar" has a > class named "com.google.inject.internal.cglib.core.$ReflectUtils$1" > > This looks suspect because the official Maven distribution uses the > "no-AOP" version of Guice which doesn't contain any CGLIB classes. It > suggests that whoever provided that copy of Maven has replaced the "no-AOP" > version with the "AOP" version, and this will cause warnings on Java 11. > (The "AOP" version uses CGLIB which currently relies on certain reflective > access that Java 11 warns about - whereas the "no-AOP" version doesn't.) > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/6/20 13:05, James H. H. Lampert wrote: >> $ host foo.bar.net >> >> And check the IP versus the IP of the Tomcat node? > > Doing a "host" on the domain gives me the same IP address where > the instance itself lives, which is also the address given in Route > 53. I think Route 53 always uses a load-balancer, doesn't it? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TiowACgkQHPApP6U8 pFgiGw//bFJf2zl+A2FEDHl/vnFycLaW0VqzAkFtoG5Rwbzhim6788qTruJmzcR1 Bs/zmOVTJeoj7B8KQhmpO3+T6QLn+lrQ/Ik+AqBSZRAfTFcHEgeGQWrD8MuPadqI vzu7VdDKI5QwPVzPoJPzf6UKb2cQgOrn7PP08wpvcm97UCKATXyYS6T2KsGqpo6x nXL9BKcGcCYTDlkSK2V8f0wNLpocTVPnshm33eZz/EK6CLPbcj0A7lHBg7JscQlR Ax7prdjhD80nY+4wK9rs9nZL5JTttrKzS+CXhECJPncGE8lswTWuIvmSFqdowZfw biv6KJkiZlAdPzZthRWymt46njJzHumG7CY5WANU/Y3QezSCNmcXjG8VY8W3gWjS sMM3+tPOcnRIHX5cJGswo+0QImhQCdxmZVKBt2imaXhvLUAyzDMi6NT3RyHWQxT2 kwmqJpmPurL3UAWeZslICAqjFPql6ADeLIoXgRdIxvYD0FAKBemz220FNaG8/Dil hkitBAZf0dkdPfIYM3xLS5J2XoWxIcni3BZKXCeYYCC4sHth3SbT596N4KXeJamm NUxQh5baPydZ38CmOtcnYiy2r4j/jz20B2VaPtp67jHtBtelmFx+yaVZvNHwxZ7V tUJLvzwbcwGNMq+T2uxXM+NvDx65ruQHENtvp1lZepT2m/yCjdM= =pf56 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Maven Warning. Ubuntu Users
To all ubuntu Maven users. Do NOT install maven using sudo apt install maven Install by direct download only from https://maven.apache.org/download.cgi BECAUSE: "I seem to remember they [ubuntu] have their own build of Maven which differs from the Apache source. ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 suggests it's a known bug in their packaging/build? ) If you download Maven from http://maven.apache.org/download.cgi and follow the instructions in http://maven.apache.org/install.html then you shouldn't see those warnings. " ‐--- The Java 11 warning mentions that "/usr/share/maven/lib/guice.jar" has a class named "com.google.inject.internal.cglib.core.$ReflectUtils$1" This looks suspect because the official Maven distribution uses the "no-AOP" version of Guice which doesn't contain any CGLIB classes. It suggests that whoever provided that copy of Maven has replaced the "no-AOP" version with the "AOP" version, and this will cause warnings on Java 11. (The "AOP" version uses CGLIB which currently relies on certain reflective access that Java 11 warns about - whereas the "no-AOP" version doesn't.)
Re: Let's Encrypt with Tomcat?
$ host foo.bar.net And check the IP versus the IP of the Tomcat node? Doing a "host" on the domain gives me the same IP address where the instance itself lives, which is also the address given in Route 53. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
>Point The email header says I tried 777.
There are common commands used on *.nix which are never used Ms-windows.
That's one of them.
It is not rant. It is sarcasm.
I use " find" all the time when I don't ever need it on windows.
On Mon, 6 Jan 2020, 16:10 Christopher Schultz,
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Zahid,
>
> On 1/4/20 20:26, zahid wrote:
> >
> > Actually this is *one of many *punishments following the sin of
> > choosing *.nix
> >
> > and not Microsoft Windows.
> >
> > Have ever heard of "*chmod*" in windows ?
> >
> > MS windows trust you with your machine.
> >
> > You bought it , you paid for it , you own it.
> >
> >
> > although you have many ways of installing software.
> >
> > apt , apt-get yum , blah blah.
> >
> > You need to familiarise yourself with *find / -name java* * ,
> > which java* because you have no idea where the installer installed
> > the software you just installed on "your machine",
> >
> > Have ever heard of *which* or *find* in windows ?
> >
> >
> > you can be in a directory in one terminal and delete it form
> > another terminal .
> >
> > Is that linux security feature ?
> >
> > can you do the same in windows ?
> >
> > what are others benefits you can enjoy in MS Windows because of
> > this particular behaviour is not same in MS Windows ?
> >
> > After you deleted the directory you are in from somewhere else you
> > will end up in trash literally.
> >
> > why is this same unique behaviour in Unix which came after
> > Linux.
> >
> >
> > you see anything what's wrong with this ? can you see the missing
> > the /r /n
> >
> > manifest.txt
> >
> > Main-Class:/classname /
> >
> > why does manifest.text must have /r {carriage} or /n {newline}.
> >
> > Is it because jvm.dll it was written in C. C programming language
> > also has the same feature.
> >
> >
> > why is there three ways to do same thing ?
> >
> > java - cp
> >
> > java - classpath
> >
> > java - class-path
>
> LOL this is the first time I've seen a pro-MS rant saying that running
> Java on Windows is easier.
>
> I didn't understand any individual point. Just the general hatred for
> *NIX. What was the point of this post, again?
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TW/4ACgkQHPApP6U8
> pFh5/Q/+OmDmoFUvDzeA/+J57bHF+T/LHh0r0CBuZADF2m+N9OMWm6QGWsZnHtIT
> 0oL9iSnN+7UKbJa7YBCddLKl9nYJfrxEDd3GeCLgY4c9LbICcnjO4BjwEfG8/K+a
> cp7XXHQHLq+YoYJBP3U289Y6yFsVTapD8HMg9kacAtFQOgn1FUZw0TfAIlXCdBM2
> mWdJgdoXEX2s23Hz/8bUafz4Gd772gYA1j1zilhc8Cp9fDmJgf0EU1sIcUCjFRZx
> wQnETG9AJbKdt0vH6svg7ML7oP5f10bHSe+9pLuSe/tMJNgsDQTyvEkOx1H9WenP
> J8crastrKTJu5qWs4Dsu5DH+bm+Dxz5D8kCUr1wzBgrvYwPIfxs/VOo/fC0fVvk8
> v0XvNUam1V5PFLb1yE0bfVyCZtEwKaetyR46N2+EB5Kp7lz0o0RUf39G29cMu07R
> SYhgz1AjoGwpisAWMX3qCxouWIU46ouDS5w1UTR7ZvGB0d1TsHPGUikp9eRt5PdC
> xVpEMMqZ6OhJ7Y7Ei9d+Srmrye+hRArbUZxGpKQWRazjHKCN9Q+E6d1kG/sf/HJV
> jU8fjhPRnjlI8vewf1yvU9Xn4rd4SGejudaXK4hzN8d54WSzQty5c+3/ts7ckqYc
> M4SPdQeHec0RQjwYMnDAGK/4pxhVOMDwJLNwvW3bCQdebFvJe3M=
> =wN50
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Re: Let's Encrypt with Tomcat?
> Did I? I don't recall recommending purchasing a certificate Purchase a domain name not certificate. On Mon, 6 Jan 2020, 16:45 Christopher Schultz, wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Zahid, > > On 1/6/20 10:08, Zahid Rahman wrote: > > 》> If, however, I do curl https://foo.bar.net from my Mac, I get a > >> response, but if I do curl https://localhost, it doesn't get > >> anywhere. > > > > This may be relevant. In the video mentioned earlier in the thread > > the let's encrypt expert says let's encrypt doesn't work on > > localhost but it only works on actual domain. > > Correct. You cannot obtain a certificate from Let's Encrypt for > "localhost"; it's got to be something Let's Encrypt can resolve and > contact from their infrastructure. For that reason, LE doesn't work > very well for internal networks. > > > He goes on to say you should purchase one "it is not very expensive > > ". > > Did I? I don't recall recommending purchasing a certificate during a > presentation on zero-cost certificates. > > I'd never bother paying for a certificate for an internal network. > Just self-sign and establish your own trust. The purpose of LE is for > environments where you need *public* trust, not private trust. Private > trust is easy to establish: you get to decide all by yourself! :) > > - -chris > > > On Mon, 6 Jan 2020, 14:57 Christopher Schultz, > > wrote: > > > > James, > > > > On 1/3/20 13:47, James H. H. Lampert wrote: > On 1/3/20 9:57 AM, Christopher Schultz wrote: > > Is perhaps the AWS firewall (which is a Load Balancer, > > right?) redirecting the port? > > > > Easy test (from the server): > > > > $ telnet localhost 443 > > I hadn't thought of that. But alas, that instance doesn't > have Telnet on it. > > > If it connects, you have something on the host making this > > work. If it fails to connect, the 443 -> 8443 magic is > > outside the host itself. > > If, however, I do curl https://foo.bar.net from my Mac, I get > a response, but if I do curl https://localhost, it doesn't > get anywhere. > > > > So your instance is indeed listening on 8443 and the host (at least > > on the loopback interface) isn't doing any port 443 > > funny-business. > > > > Note that if you are using AWS load-balancer, AWS provides > > free certificates that auto-renew; just configure them and > > you are done forever. > > > Let me know about the Load-Balancer. That's probably the > > piece of the puzzle you aren't looking at quite yet. > > No; we *have* load-balanced clusters, and they *are* (as of > last month) on AWS's certificate system, so I know what that > looks like. This is completely different; when I connect, I > see the certificate that is currently active on the Tomcat > server (and if I plug a different cert into Tomcat, I see the > change from my browser). > > > > There are also load-balancers that just move bytes and don't > > terminate TLS. It's also possible to have the same certificate > > installed in multiple places. I think you are going to have to look > > around your network a little more to figure out what's happening. > > > > Maybe simply try: > > > > $ host foo.bar.net > > > > And check the IP versus the IP of the Tomcat node? > > > > -chris > >> > >> - > >> > >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > -BEGIN PGP SIGNATURE- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TZB0ACgkQHPApP6U8 > pFib/A//TRP6v+GXvkDw7DXMcP3EzQSCEZ6yzdKoL4cblDLwW1Upe5TWVtEvHdiG > IoqKesMwIUQQQDlv2Z3x6N5iCe9G5cTyFsz0JlSPZxGiHNGF1viwVrH/fGSsDLbp > V2Q9HDdmp6zApl12+8HI1akCxHTPfySKg3j9NjEJlpbEA8w+Gzok+5UbjI3LzQgK > c2iCN2Uj2mLoH135jMrdBbmYOb3rD0oEiiZY/fNch5C9bVGI5hiP7APTz8EEsjiq > ei7eL4X0B/p+q6lgDSmvylD42TrTnpfESpiSitSZoFtM03alFdRm4OySzXuXK8za > tYtAIha+VQs1i3y7LdRB6mIsl5xsU1NtrqGDl9lSg5ciFjuLpIQNRFDI3kqa8KwA > FgiYOLsQZASK4bjoULQCAlcK55TBCALnbjL8PGu55YAPXO895hkeFtWokDciX+8B > RRMqRyY2OWOoUNDZKan9icEk93vArKPU4JoVGJyvH0HCFTk+HL2B9F5s2PYvc3WO > g+iVQdXBlDi4ngYsY0TXWC4GKBPgKVBuylJbAwbyBumpLYExIiYANn9ldtxtK9mr > ukdlo5fvvlGclVgfL9CygsHiGgz6+aeo/n+3VkOSBsfxRHbYuw0JERicRnVImt2r > O5ulCHoN4LwdRqhAc4BxzrnTsdrqKeyv2Qn3ANhJbpz7qNImI5o= > =kBdi > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
On Mon, Jan 6, 2020 at 1:27 PM Rathore, Rajendra wrote: > Hi Team, > > > > We are facing performance issue during > *org.apache.tomcat.util.net.NioBlockingSelector.write > API call, *,most of our thread stuck and spending more time in that API, > you can check below screenshot for more details. > > > > > > > > > > We debug the code and found that NioChannel.write method return 0(Zero) > value, in that case our threads are stuck, Please let us know why this > happen. > As NIO is non blocking IO, 0 bytes written means there's a backlog and output will block in NioBlockingSelector since it emulates blocking IO there. It should not actually consume CPU, just wait until there's a poller event indicating writing data may continue. Rémy > > > Please let me know if you need more details. > > > > > > Thanks and Regards, > > Rajendra Rathore > > 9922701491 > > >
Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/6/20 10:08, Zahid Rahman wrote: > 》> If, however, I do curl https://foo.bar.net from my Mac, I get a >> response, but if I do curl https://localhost, it doesn't get >> anywhere. > > This may be relevant. In the video mentioned earlier in the thread > the let's encrypt expert says let's encrypt doesn't work on > localhost but it only works on actual domain. Correct. You cannot obtain a certificate from Let's Encrypt for "localhost"; it's got to be something Let's Encrypt can resolve and contact from their infrastructure. For that reason, LE doesn't work very well for internal networks. > He goes on to say you should purchase one "it is not very expensive > ". Did I? I don't recall recommending purchasing a certificate during a presentation on zero-cost certificates. I'd never bother paying for a certificate for an internal network. Just self-sign and establish your own trust. The purpose of LE is for environments where you need *public* trust, not private trust. Private trust is easy to establish: you get to decide all by yourself! :) - -chris > On Mon, 6 Jan 2020, 14:57 Christopher Schultz, > wrote: > > James, > > On 1/3/20 13:47, James H. H. Lampert wrote: On 1/3/20 9:57 AM, Christopher Schultz wrote: > Is perhaps the AWS firewall (which is a Load Balancer, > right?) redirecting the port? > > Easy test (from the server): > > $ telnet localhost 443 I hadn't thought of that. But alas, that instance doesn't have Telnet on it. > If it connects, you have something on the host making this > work. If it fails to connect, the 443 -> 8443 magic is > outside the host itself. If, however, I do curl https://foo.bar.net from my Mac, I get a response, but if I do curl https://localhost, it doesn't get anywhere. > > So your instance is indeed listening on 8443 and the host (at least > on the loopback interface) isn't doing any port 443 > funny-business. > > Note that if you are using AWS load-balancer, AWS provides > free certificates that auto-renew; just configure them and > you are done forever. > Let me know about the Load-Balancer. That's probably the > piece of the puzzle you aren't looking at quite yet. No; we *have* load-balanced clusters, and they *are* (as of last month) on AWS's certificate system, so I know what that looks like. This is completely different; when I connect, I see the certificate that is currently active on the Tomcat server (and if I plug a different cert into Tomcat, I see the change from my browser). > > There are also load-balancers that just move bytes and don't > terminate TLS. It's also possible to have the same certificate > installed in multiple places. I think you are going to have to look > around your network a little more to figure out what's happening. > > Maybe simply try: > > $ host foo.bar.net > > And check the IP versus the IP of the Tomcat node? > > -chris >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TZB0ACgkQHPApP6U8 pFib/A//TRP6v+GXvkDw7DXMcP3EzQSCEZ6yzdKoL4cblDLwW1Upe5TWVtEvHdiG IoqKesMwIUQQQDlv2Z3x6N5iCe9G5cTyFsz0JlSPZxGiHNGF1viwVrH/fGSsDLbp V2Q9HDdmp6zApl12+8HI1akCxHTPfySKg3j9NjEJlpbEA8w+Gzok+5UbjI3LzQgK c2iCN2Uj2mLoH135jMrdBbmYOb3rD0oEiiZY/fNch5C9bVGI5hiP7APTz8EEsjiq ei7eL4X0B/p+q6lgDSmvylD42TrTnpfESpiSitSZoFtM03alFdRm4OySzXuXK8za tYtAIha+VQs1i3y7LdRB6mIsl5xsU1NtrqGDl9lSg5ciFjuLpIQNRFDI3kqa8KwA FgiYOLsQZASK4bjoULQCAlcK55TBCALnbjL8PGu55YAPXO895hkeFtWokDciX+8B RRMqRyY2OWOoUNDZKan9icEk93vArKPU4JoVGJyvH0HCFTk+HL2B9F5s2PYvc3WO g+iVQdXBlDi4ngYsY0TXWC4GKBPgKVBuylJbAwbyBumpLYExIiYANn9ldtxtK9mr ukdlo5fvvlGclVgfL9CygsHiGgz6+aeo/n+3VkOSBsfxRHbYuw0JERicRnVImt2r O5ulCHoN4LwdRqhAc4BxzrnTsdrqKeyv2Qn3ANhJbpz7qNImI5o= =kBdi -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rajendra, On 1/6/20 07:26, Rathore, Rajendra wrote: > We are facing performance issue during > *org.apache.tomcat.util.net.NioBlockingSelector.write API call, > *,most of our thread stuck and spending more time in that API, you > can check below screenshot for more details. Your screenshot has been stripped by the mailing list. Can you please find a way to describe the problem using text? > We debug the code and found that NioChannel.write method return > 0(Zero) value, in that case our threads are stuck, Please let us > know why this happen. > > Please let me know if you need more details. A stack trace of where the problem happens would be good. Are you using "normal" web requests, or Websocket? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TYxcACgkQHPApP6U8 pFgA9xAAtbmUXr+zs+pimA1cipbyge/3Peabm/lh6XrWwA6p9sVqmkFeH67skm38 2kZAHjiQ49Am91kEcrYJvOxmfVQ0qYnIILNYNhsnNEw9kM1F1YJ7qspr4FgnaAK5 8lsVzllTnT8/6IqZg9t0sBuuHcfavEl/DGahCUa03EffsApx8KN48/hctD9g/YND 730R6fR6uf4bMbOPJeftPGJm9cAQDc6R/xf7+iO93++fRtxsPz3OKaVWkJDpchYu YLlnwJHusEjDPzcFpc1IvFyLnjyRyFZGwydPY5SUvYuOYmY4utjIdJ6nFnz4HvdZ ZDS5D5ih7KuXgj8zSgQ12vzFhohDO6uEFGIuWf06eK95jE1XiSvrus+g2BJZ4kJL zWSlbEC0a0TNLRheJUPxjTJsXnTYuCJ/bKXiWk+THtLwSTN+lVVm8hmTUSk+EA9j 1zuoWyGesR6Nby0jhk/wSSr5wa2ZCf8q/KPWY/QtRYEWNEqYQ/DA7dUC7lKC8U7K WT9Hw9vcBLS1rt87DMYUaA/bbtBfdsB9RU11a5lvtCq1oAeGj00emXm2WRokNLvR g0ry48XdT5s0hoCezhFD9U6QmlKXjsH1PmWxgOQiP0kIrua9Sqaw+9LeQ/JBpNlL rTQf+IYlcp8g5VEYZvO1BPMafUV7yplpK8gWyxTonDkfMTM4q5o= =JzaR -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dennia, On 1/6/20 07:09, Dennis Rech wrote: > we have an application where HTTP clients have a kind of unclean > way of submitting HTTP POST requests to our tomcat server for data > upload: The |POST| and |Host: xxx| part appears twice in the > request. Yuck. You mean like this? POST /foo HTTP/1.1 POST /foo HTTP/1.1 Host: foo.com Host: foo.com Content-Type: application/x-www-url-encoded Content-Length: 13 q=Hello World ? > Until now this didn't cause any problems with tomcat, but since > the latest release, Tomcat refuses to accept this message and > returns a 400 bad request immediately. Having two "host" headers should be okay. But repeating the request line is a clear violation of the HTTP spec that will be difficult to get over. I can't believe Tomcat ever allowed that, though it may have done so. > Unfortunately we'll not be able to change the client-side code. Is > there any way to tell the tomcat connector "ignore duplicate > headers" or so to make it work again? I guess the rewrite filters > for tomcat won't help as tomcat probably discards the incoming > message before handing it over to rewrite. Tomcat is responsible for reading the request line and routing the request to an application. If the request is broken badly enough, it won't be able to route. Headers are parsed as a part of that, and: POST /foo HTTP/1.1 is not a valid header for at least two reasons: 1. There is no : character (required, even when the header has no value) 2. There are spaces in the "name" (the name is everything before colon ) > Example request: > > |POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST > /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of > the request is ok...] | This got word-wrapped. Was this? > POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST > /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the > request is ok...] ? Yikes. What kind of client is this? > I wonder if there is a parameter for the |Connector| part in > server.xml or so to workaround this problem and restore the old > behaviour without downgrading. The good news is that the second POST could theoretically be considered to be a "broken" header and ignored. But Tomcat has been getting progressively more strict about what it will accept. There are all kinds of nasty ways to use malformed messages like this to confuse environments where e.g. a reverse-proxy and the origin server behave differently when they see requests like those above. It's better to just fail and fix the software. Why can't you fix the clients? Is this another case of internet-of-things garbage that can't practically be repaired? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TYrsACgkQHPApP6U8 pFjNyRAAnebbKRBT99Zgk8vfnW4gUOGXYlgX8Xk2W8bUI7UPfqpphS6+t6Lwjti1 SBnS2qKuUXELMI7fca5Iq2NhKD9cCxZhuWrRQ6+jSZESaT6EEGeKYFaJ3Jtn5Dv6 ll6JKASuNTZtaDo+df0xYnDUvk6kT99aM3GY4FwYNLl/FIxv58D6YbUXN0TYLJQy 0IrnalQEQO8b8SiZcOPPAeA8ODZJQ37egAe3kP3xyWQPMl2u/966c0b711qZJ8JY D9JaR0fnVTZMHCHQmK9xLQKqra4T7uOv0UslQVheq47+SuXJea+qz1AmSJf3CU57 bL4zD7XVKkcC/bsOu1uWUSaKjN0KRnIqwxwo2trpPyoMpKJBGY26GdekpM/jeLdU eyh4I8f8fJkJ7GerLZrZSGxKIlTs86fzM96wr/P4pgSclBjgCO3RMf9phl7URmgp rIqT/xjwjIyLWqASWhXUyT7F5EHbZLSvPRbvklAib2pwQU2taaeT4cZaWGB4wfWw +CXQgGj7E4bWmTeq4LsG3skJEVcYcVN/AHSsgWQ5MFsjKx5pxJjq++P+ZooTqQOr GNexi9KVFilovrf1iStoP4OgdPcf2o1l0PXCpbKf5i2woJgRpFS/oSlOno0KQaol hvddVhzgL8PYrcWywdGEIbzI/9eQm54nqOAMRlpOCTOaDPzbeLc= =vIL0 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/6/20 04:55, zahid wrote: > 00h > >>> Have ever heard of *which* in windows ? Yea, no "which" - but >>> have you tried "where" on Win? Could also use a "for" in Win >>> (if you understand how to do it). >> >> kub18@UB18:~$ which java /usr/bin/java kub18@UB18:~$ whereis >> java java: /usr/bin/java /usr/share/java >> /usr/share/man/man1/java.1.gz kub18@UB18:~$ > >> There is no "which", "whereis" or "find" because window users I >> have file explorer, it is a GUI, It makes use of the screen >> attached to the computer.Kubuntu , KDE are catching up with MS >> windows. Ummm. Linux came *after* Unix. > > there is a rumour flying around that Linus Torvalds stole the > kernel source code. > > I guess the chicken had to come first to lay the egg , for an egg > thief to steal the egg. Easily debunked by looking at the source code of both. Linux looks like Linux. BSD looks like UNIX. I can start a rumor that Linux Torvalds stole the code to the Windows kernel. >> Okay, no "find" but have you tried: dir /s \ ? > > windows explorer is another name for GUI no command line tries > needed. Let's agree that you like Windows and others do not. This is not an argument worth having here. >> Because it's terse (BTW, the dash is supposed to be connected to >> "cp", as "-cp") > I use the compiler as a spell checker or as some refer to it as > syntax checker. If I do not leave a space between - and cp then the > syntax checker would have nothing to do .. you could try > grammarly maybe. > > -cp -classpath > --class-path > A : separated > list of directories, JAR archives, and ZIP archives to search for > class files. > >> You missed one - the CLASSPATH environment variable Rwong - >> Class-Path is used in the Manifest. > > No MR R."WONG" you missed all the points. Put a dot in your > CLASSPATH > >> Because it's descriptive and self-commenting > I guess all those *.nix argument flags like ls -a -A -b -B are > examples of Software Engineering Naming Conventions at its best. Have a look at Powershell and all the command-lets or whatever. They are moving toward UNIX-style command-line power because Windows administrators have been complaining since the beginning that Windows is a PITA to use. Most UNIX-style programs have a short option (for brevity) and a long option (for readability). When you type an option on the command-line, you don't want to have to type forever. You learn the shortcuts. Nobody wants to type "ls --display-long-output-format" so we do "ls - -l". Similar to "DIR" on MS-DOS/Windows CLI. Look at all those single-letter options, there. > java -cp was too hard to figure out so you had to have a more > description version java -classpath. I thought maybe it was because > you want to get paid by the number of letters you type. > >> No, but that's because the security model in Windows is >> *different* > "chmod" is like taking the house keys away from house owner, > strange idea of security. I would argue the opposite: it's handing them the keys. > That is my view. I hope you appreciate I have a right to a view > point. You have a right to a view, and you can troll all you want. But you will be ignored. > You could always chmod 777 * and you will have MS WINDOWS friendly > user experience. There is no need to execute a TXT file. Why make the file executable? What about a .EXE file that you deem dangerous? Maybe it's a trojan or whatever. You need the file around for some reason but don't want anyone to execute it? Or the opposite? You want to be able to execute a .py file. AFAIK, you can't do that on Windows. You have to run "python foo.py". It's convenient to both be able to enable and disable executability on a file, not based upon its file extension but some arbitrary criteria you decide. - -chris > On 06/01/2020 08:57, calder wrote: > >> On Sat, Jan 4, 2020 at 7:26 PM zahid >> wrote: >> >>> Have ever heard of "*chmod*" in windows ? >> No, but that's because the security model in Windows is >> *different* than for *nix OSes. On Win, there's attrib, xcacls, >> cacls, and icacls, but none of those truly match was chmod does. >> So, one needs to understand the underlying models for *nix and >> Windows to properly describe the differences. >> >>> Have ever heard of *which* in windows ? >> Yea, no "which" - but have you tried "where" on Win? Could also >> use a "for" in Win (if you understand how to do it). >> >>> or *find* in windows ? >> Okay, no "find" but have you tried: dir /s \ ? >> >>> why is this same unique behaviour in Unix which came after >>> Linux. >> Ummm. Linux came *after* Unix. >> >>> why is there three ways to do same thing ? java - cp >> Because it's terse (BTW, the dash is supposed to be connected to >> "cp", as "-cp") >> >>> java - classpath >> Because it's descriptive and self-commenting (BTW, the dash is >> supposed to be connected to "classpath", as "-classpath") >>
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Zahid,
On 1/5/20 20:44, zahid wrote:
> Why will MS Windows users will never have to deal with issue of
> *chmod* ?
On Windows, it's called ATTRIB.EXE:
C:\> ATTRIB
A SH C:\pagefile.sys
A SH C:\swapfile.sys
Those are separate from the NT ACL, of course. Plus, you can
right-click and edit the permissions of any file. But in Windows, how
do you for example remove the "archive" bit on all TXT files in a
hierarchy? Right-click a million times and make your hand go numb.
- From the CLI, it's a single command.
Some people like clicking. I like typing. *shrug*
> also keep in mind why java command line have three different
> options to do the same thing ?
>
> java -cp
>
> java -classpath
Long and short options. This isn't a *NIX thing (it's Java), but it
does hand a long history on *NIX. Although *NIX programs typically use
- --option for long-options, otherwise they don't make any sense when
mixed-together with short ones.
> java class-path
This is "java --class-path" which is a proper long-option.
- -chris
>
> On 06/01/2020 01:21, Guang Chao wrote:
>> On Sun, Jan 5, 2020 at 9:26 AM zahid
>> wrote:
>>
>>> Actually this is *one of many *punishments following the sin of
>>> choosing *.nix
>>>
>>> and not Microsoft Windows.
>>>
>> Why is it Linux fault?
>>
>>
>>> Have ever heard of "*chmod*" in windows ?
>>>
>>> MS windows trust you with your machine.
>>>
>>> You bought it , you paid for it , you own it.
>>>
>>>
>>> although you have many ways of installing software.
>>>
>>> apt , apt-get yum , blah blah.
>>>
>>> You need to familiarise yourself with *find / -name java* * ,
>>> which java* because you have no idea where the installer
>>> installed the software you just installed on "your machine",
>>>
>>> Have ever heard of *which* or *find* in windows ?
>>>
>>>
>>> you can be in a directory in one terminal and delete it form
>>> another terminal .
>>>
>>> Is that linux security feature ?
>>>
>>> can you do the same in windows ?
>>>
>>> what are others benefits you can enjoy in MS Windows because of
>>> this particular behaviour is not same in MS Windows ?
>>>
>>> After you deleted the directory you are in from somewhere else
>>> you will end up in trash literally.
>>>
>>> why is this same unique behaviour in Unix which came after
>>> Linux.
>>>
>>>
>>> you see anything what's wrong with this ? can you see the
>>> missing the /r /n
>>>
>>> manifest.txt
>>>
>>> Main-Class:/classname /
>>>
>>> why does manifest.text must have /r {carriage} or /n
>>> {newline}.
>>>
>>> Is it because jvm.dll it was written in C. C programming
>>> language also has the same feature.
>>>
>>>
>>> why is there three ways to do same thing ?
>>>
>>> java - cp
>>>
>>> java - classpath
>>>
>>> java - class-path
>>>
>>>
>>>
>>> www.backbutton.co.uk ¯\_(ツ)_/¯ Marry loose with tight coupling
>>> = healthy applications
>>>
>>> On 04/01/2020 22:51, Emmanuel Bourg wrote:
Le 04/01/2020 à 16:06, Pham Huu Bang a écrit :
> Thanks for this link
>
>>> https://salsa.debian.org/java-team/tomcat9/blob/master/debian/README
.Debian
>>>
>>>
>>>
.
> But I cannot *read* the file from /tmp (not *write* file to
> /tmp). The strange thing is, it can read another file from
> another location, e.g in /opt/:
The tomcat9 service is configured with a private /tmp
directory (using the 'PrivateTmp=yes' systemd directive). So
Tomcat can't see what other applications write to /tmp, and
temporary files written by Tomcat are out of reach from the
other applications.
This is a security hardening setting that can be overridden
as described in the README file Olaf mentioned.
Emmanuel Bourg
---
- --
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:
users-h...@tomcat.apache.org
>>> -- www.backbutton.co.uk ¯\_(ツ)_/¯ Marry loose with tight
>>> coupling = healthy applications
>>>
>>>
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TXekACgkQHPApP6U8
pFgM2hAAtbhH+QpOYePOu1iOWOOxQ2x40oOfz0enD18J6E7/uGA8Sm1331SKyvJ0
amU+C1faX7srin5EHvzFizDRicKzLGRonClypdqbezZ/grLQATMVBEbl4AnEvvPu
rOEOe+dwZ57l38/39qY3RQjDF67zqEsUb2mACH1oq5QemjRKLcEiXIlPAqzzGu/L
8I/nz0ibnp5sQAAxvuG1qYfNCoN8d/PO9KyJHIFGSEnKzaJcYewX/KZGX7CHNEHT
wHuxPiKAbwORELmVEsiQI/d5dL3nqnpDu/tEUzvpjVUILLSRTk51mCR20t+zfeNO
3YpCbWPQNGEcqgg3DDqSyUtOpnSt1xE35wII1Zfq9M94tqP2cCFYKYOMEvTUKIGU
Fg8xENrdV5OvVr9eHls7FV32pQ4ZnH4/BdmsoAhL1+UZmysSPBJgyz9ySok0cFXU
SJ/eF8iFZktglWncf9PliuRtL5G3eVvpZR3XlKC9Bz3WrQuL9LPLGmbh19WL0/hB
G2grN+HLSBPqJbqY9c3qymfQX+pYeSl8R5ZkTzCP7DG+SJ+wosVARrggAYBveR8E
bGWQGw1NlyEuMKlPOvkSc946cB2Syg8OdvRfmw8OSHYD7QEEv/cOVen15/a6FQiT
jAV/yrsxH8lPfWlCSJl9POq0gGQ7euyZSiDhy/MjulyatP/ZX6s=
=V6a2
-END
Re: [OT] Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Zahid,
On 1/4/20 20:26, zahid wrote:
>
> Actually this is *one of many *punishments following the sin of
> choosing *.nix
>
> and not Microsoft Windows.
>
> Have ever heard of "*chmod*" in windows ?
>
> MS windows trust you with your machine.
>
> You bought it , you paid for it , you own it.
>
>
> although you have many ways of installing software.
>
> apt , apt-get yum , blah blah.
>
> You need to familiarise yourself with *find / -name java* * ,
> which java* because you have no idea where the installer installed
> the software you just installed on "your machine",
>
> Have ever heard of *which* or *find* in windows ?
>
>
> you can be in a directory in one terminal and delete it form
> another terminal .
>
> Is that linux security feature ?
>
> can you do the same in windows ?
>
> what are others benefits you can enjoy in MS Windows because of
> this particular behaviour is not same in MS Windows ?
>
> After you deleted the directory you are in from somewhere else you
> will end up in trash literally.
>
> why is this same unique behaviour in Unix which came after
> Linux.
>
>
> you see anything what's wrong with this ? can you see the missing
> the /r /n
>
> manifest.txt
>
> Main-Class:/classname /
>
> why does manifest.text must have /r {carriage} or /n {newline}.
>
> Is it because jvm.dll it was written in C. C programming language
> also has the same feature.
>
>
> why is there three ways to do same thing ?
>
> java - cp
>
> java - classpath
>
> java - class-path
LOL this is the first time I've seen a pro-MS rant saying that running
Java on Windows is easier.
I didn't understand any individual point. Just the general hatred for
*NIX. What was the point of this post, again?
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TW/4ACgkQHPApP6U8
pFh5/Q/+OmDmoFUvDzeA/+J57bHF+T/LHh0r0CBuZADF2m+N9OMWm6QGWsZnHtIT
0oL9iSnN+7UKbJa7YBCddLKl9nYJfrxEDd3GeCLgY4c9LbICcnjO4BjwEfG8/K+a
cp7XXHQHLq+YoYJBP3U289Y6yFsVTapD8HMg9kacAtFQOgn1FUZw0TfAIlXCdBM2
mWdJgdoXEX2s23Hz/8bUafz4Gd772gYA1j1zilhc8Cp9fDmJgf0EU1sIcUCjFRZx
wQnETG9AJbKdt0vH6svg7ML7oP5f10bHSe+9pLuSe/tMJNgsDQTyvEkOx1H9WenP
J8crastrKTJu5qWs4Dsu5DH+bm+Dxz5D8kCUr1wzBgrvYwPIfxs/VOo/fC0fVvk8
v0XvNUam1V5PFLb1yE0bfVyCZtEwKaetyR46N2+EB5Kp7lz0o0RUf39G29cMu07R
SYhgz1AjoGwpisAWMX3qCxouWIU46ouDS5w1UTR7ZvGB0d1TsHPGUikp9eRt5PdC
xVpEMMqZ6OhJ7Y7Ei9d+Srmrye+hRArbUZxGpKQWRazjHKCN9Q+E6d1kG/sf/HJV
jU8fjhPRnjlI8vewf1yvU9Xn4rd4SGejudaXK4hzN8d54WSzQty5c+3/ts7ckqYc
M4SPdQeHec0RQjwYMnDAGK/4pxhVOMDwJLNwvW3bCQdebFvJe3M=
=wN50
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] JDBC connection pooling maxActive or MaxTotal
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/3/20 18:50, zahid wrote: > Is commons-dbcp-2.x a Database pooling component for any > container Jetty,Jboss tomcat etc. ? Yes. Tomcat ships with a shaded (package-renamed) version of commons-dbcp as well as tomcat-pool, a separate connection-pool implementation. > is commons-dbcp-2.x a third option, separate option from the two > pooling options [tomcat-pool and commons-pool] you mentioned ? No, I misspoke and said commons-pool. commons-dbcp is based upon commons-pool which is a generic pooling framework. The "dbcp" flavor provides pooling (unsurprisingly) of JDBC connections. The commons-pool reference was meant to be the bundled version of commons-dbcp that Tomcat already provides. Thanks, - -chris > On 03/01/2020 23:21, Dave Bothwell wrote: >> Chris, >> >> That was very helpful. >> >> Thank you Dave >> >> >> >> On Fri, Jan 3, 2020 at 5:29 PM Christopher Schultz < >> ch...@christopherschultz.net> wrote: >> > Dave, > > On 1/3/20 13:47, Dave Bothwell wrote: > I am using Tomcat 8.5.11 with JDBC connection pooling. > Based on the documentation it is clear that DBCP pooling > has changed the maxActive attribute to maxTotal. However it > is unclear, based on this document > https://tomcat.apache.org/tomcat-8.5-doc/jdbc-pool.html, if > JDBC pooling has also changed maxActive to maxTotal. > > my question is which attribute should I be using? > Are you asking about the difference between configurations for > tomcat-pool and commons-pool? > > commons-pool (which is the default connection-pool in Tomcat) uses > maxTotal. > > tomcat-pool (which is NOT the default connection-pool in Tomcat) > uses maxActive. > > Also, I am currently using both attributes maxActive and > maxTotal in my current server.xml file, which does not > appear to be causing any issues. > If you use both, you should be all set for whichever pool you use > at runtime. Note that you will have to specifically enable > tomcat-pool, so it's unlikely that the pooling-library in use will > be a surprise. > > If you look in your log file, you will notice that when Tomcat > starts up it will give you a warning that one of the two > configuration options failed to apply to whichever pool you are > using. It is a warning, not an error, so you can ignore it. But it > will show up in your log file every time. > > -chris >>> >>> - - >>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TWrkACgkQHPApP6U8 pFibBw/+Mpzeueng9m+w+T19rZM3TG8MCToGHY1oqzrC59p3dIogcFW8qneEQhqd +Ah3Fz7G8aclSuWdJYLoqXm3vnmyWlfUM7qlDKIVyIb1AyWfdP0OqmWU2ze4WFLn jUmwVyX4F0K0AcnzFLxfQpZHK/0LS17tgig6ZwVZW1Wwu8zULOKavfnuDTl4mMwK qqJznL3wMLvU2mTWlWEKWIhCusLi2xmHWTh/rT0hl4r+WqhRDVyFEzC4Yl1XJTFJ IvyZcvSYPpHfvqg5OR15SlOwJbGxIhn1lyP5KrjciIy6zir4MdFp/8WsCKPF9MBW 7vxXf1fzoahGWkmbo6hgfpWnw7jOjq+bvAFGp6k287dXpJO6duIvqkIjfosZUTsU 0MoWtug3CTWz0E5bYLDZ4zo7+qyFVYzccUcSdXtjwUOmg+ln0VzXbPxpCB62Fk+/ SK7/ukHC9Ovy3upf5aMLSNDCDrl1/3I0tSuXz1lfObxqto0HZH3gho4mzKt1vnVc iECw0NBGD53lBC5FQ/KuUgn24DGgQlrU171KQV8h/YGrdj+PxYKDwsAdP7i00bzg 7upQ2oMdG4tzsFI7kXD178bVZgqUHLJ+1j5yI0nFGx3cRc47K79IRQj5Sxp4gw0W /0iRr9zhRWWvKsvICNyU86o269gPAuHbc1bGLOtV26DoKORaH1g= =RY/K -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Let's Encrypt with Tomcat?
》> If, however, I do curl https://foo.bar.net from my Mac, I get a > response, but if I do curl https://localhost, it doesn't get > anywhere. This may be relevant. In the video mentioned earlier in the thread the let's encrypt expert says let's encrypt doesn't work on localhost but it only works on actual domain. He goes on to say you should purchase one "it is not very expensive ". On Mon, 6 Jan 2020, 14:57 Christopher Schultz, wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > James, > > On 1/3/20 13:47, James H. H. Lampert wrote: > > On 1/3/20 9:57 AM, Christopher Schultz wrote: > >> Is perhaps the AWS firewall (which is a Load Balancer, right?) > >> redirecting the port? > >> > >> Easy test (from the server): > >> > >> $ telnet localhost 443 > > > > I hadn't thought of that. But alas, that instance doesn't have > > Telnet on it. > > > >> If it connects, you have something on the host making this work. > >> If it fails to connect, the 443 -> 8443 magic is outside the host > >> itself. > > > > If, however, I do curl https://foo.bar.net from my Mac, I get a > > response, but if I do curl https://localhost, it doesn't get > > anywhere. > > So your instance is indeed listening on 8443 and the host (at least on > the loopback interface) isn't doing any port 443 funny-business. > > >> Note that if you are using AWS load-balancer, AWS provides free > >> certificates that auto-renew; just configure them and you are > >> done forever. > > > >> Let me know about the Load-Balancer. That's probably the piece of > >> the puzzle you aren't looking at quite yet. > > > > No; we *have* load-balanced clusters, and they *are* (as of last > > month) on AWS's certificate system, so I know what that looks like. > > This is completely different; when I connect, I see the certificate > > that is currently active on the Tomcat server (and if I plug a > > different cert into Tomcat, I see the change from my browser). > > There are also load-balancers that just move bytes and don't terminate > TLS. It's also possible to have the same certificate installed in > multiple places. I think you are going to have to look around your > network a little more to figure out what's happening. > > Maybe simply try: > > $ host foo.bar.net > > And check the IP versus the IP of the Tomcat node? > > - -chris > -BEGIN PGP SIGNATURE- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TSsMACgkQHPApP6U8 > pFgvHw//fBItKsqFiCNeA5lLwo6hi6tZaZY6BxC24SQfMPFe4TaQKkvl/ziGdvpc > E7afIiahzkksZ5Afeq08xx5yE16XVWNDfXy005x5TjosK9tq+msYQU0RUXiHolPo > iTNMfVAi7vHx4OYciJzDzV34vb8pF4Xl4AlMj/ESh38BUPsZWQtcpzmMi9Nf9+/q > grQonVVKHBIydBSbygpiHBGcPesJX0kRUtpArVIWJZdw+V+lKApeo32Xw1Y+Dm0q > 1knwGFzHYGdxROCCpez8dq83ABI5l4tmVMPYpTZsTxBrebZxXxy2GUfrRHTH8UaC > E1ew1jHhYwyPWIUQjEAWynKqVZ8OFcBlRN3DwFvNCGMyd5c9vyE50qfRwzYqeQMk > tEnNafRgWGdsiw0El79m6Xl3LVOd9psSYTgvobqICPk27YhPbpk7izR5td2stvxu > wnmfgxBJd9lL/ckwkvQfKgsdQSnCx8ULJgNUWyCv/gKrhBuBK1gkRrHj3MbJM5Cf > A7fquztvXVZdTnAuEBLvAhKdmIYX6k7W/TnX1kvJcBQ0AN1WhcbmnxQhcww2bn5s > LB2VA91XKg8BaNItodEx03EsUEpbjIvxmnBoCbTgYxcVaKs76qxzP9DENZmGNV/b > JTSEo7xAyGnRQ42l4pm1Lxj/8kAZLrZ5VfNK2DBmmDTeZ8eCUAI= > =372g > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/3/20 13:47, James H. H. Lampert wrote: > On 1/3/20 9:57 AM, Christopher Schultz wrote: >> Is perhaps the AWS firewall (which is a Load Balancer, right?) >> redirecting the port? >> >> Easy test (from the server): >> >> $ telnet localhost 443 > > I hadn't thought of that. But alas, that instance doesn't have > Telnet on it. > >> If it connects, you have something on the host making this work. >> If it fails to connect, the 443 -> 8443 magic is outside the host >> itself. > > If, however, I do curl https://foo.bar.net from my Mac, I get a > response, but if I do curl https://localhost, it doesn't get > anywhere. So your instance is indeed listening on 8443 and the host (at least on the loopback interface) isn't doing any port 443 funny-business. >> Note that if you are using AWS load-balancer, AWS provides free >> certificates that auto-renew; just configure them and you are >> done forever. > >> Let me know about the Load-Balancer. That's probably the piece of >> the puzzle you aren't looking at quite yet. > > No; we *have* load-balanced clusters, and they *are* (as of last > month) on AWS's certificate system, so I know what that looks like. > This is completely different; when I connect, I see the certificate > that is currently active on the Tomcat server (and if I plug a > different cert into Tomcat, I see the change from my browser). There are also load-balancers that just move bytes and don't terminate TLS. It's also possible to have the same certificate installed in multiple places. I think you are going to have to look around your network a little more to figure out what's happening. Maybe simply try: $ host foo.bar.net And check the IP versus the IP of the Tomcat node? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4TSsMACgkQHPApP6U8 pFgvHw//fBItKsqFiCNeA5lLwo6hi6tZaZY6BxC24SQfMPFe4TaQKkvl/ziGdvpc E7afIiahzkksZ5Afeq08xx5yE16XVWNDfXy005x5TjosK9tq+msYQU0RUXiHolPo iTNMfVAi7vHx4OYciJzDzV34vb8pF4Xl4AlMj/ESh38BUPsZWQtcpzmMi9Nf9+/q grQonVVKHBIydBSbygpiHBGcPesJX0kRUtpArVIWJZdw+V+lKApeo32Xw1Y+Dm0q 1knwGFzHYGdxROCCpez8dq83ABI5l4tmVMPYpTZsTxBrebZxXxy2GUfrRHTH8UaC E1ew1jHhYwyPWIUQjEAWynKqVZ8OFcBlRN3DwFvNCGMyd5c9vyE50qfRwzYqeQMk tEnNafRgWGdsiw0El79m6Xl3LVOd9psSYTgvobqICPk27YhPbpk7izR5td2stvxu wnmfgxBJd9lL/ckwkvQfKgsdQSnCx8ULJgNUWyCv/gKrhBuBK1gkRrHj3MbJM5Cf A7fquztvXVZdTnAuEBLvAhKdmIYX6k7W/TnX1kvJcBQ0AN1WhcbmnxQhcww2bn5s LB2VA91XKg8BaNItodEx03EsUEpbjIvxmnBoCbTgYxcVaKs76qxzP9DENZmGNV/b JTSEo7xAyGnRQ42l4pm1Lxj/8kAZLrZ5VfNK2DBmmDTeZ8eCUAI= =372g -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
Hi Team, We are facing performance issue during org.apache.tomcat.util.net.NioBlockingSelector.write API call, ,most of our thread stuck and spending more time in that API, you can check below screenshot for more details. [cid:image002.jpg@01D5C4BA.A1BBFAB0] We debug the code and found that NioChannel.write method return 0(Zero) value, in that case our threads are stuck, Please let us know why this happen. Please let me know if you need more details. Thanks and Regards, Rajendra Rathore 9922701491
Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Hi and happy new year, we have an application where HTTP clients have a kind of unclean way of submitting HTTP POST requests to our tomcat server for data upload: The |POST| and |Host: xxx| part appears twice in the request. Until now this didn't cause any problems with tomcat, but since the latest release, Tomcat refuses to accept this message and returns a 400 bad request immediately. Unfortunately we'll not be able to change the client-side code. Is there any way to tell the tomcat connector "ignore duplicate headers" or so to make it work again? I guess the rewrite filters for tomcat won't help as tomcat probably discards the incoming message before handing it over to rewrite. Example request: |POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the request is ok...] | I wonder if there is a parameter for the |Connector| part in server.xml or so to workaround this problem and restore the old behaviour without downgrading. Greetings, Dennis - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
00h > Have ever heard of *which* in windows ? >Yea, no "which" - but have you tried "where" on Win? > Could also use a "for" in Win (if you understand how to do it). kub18@UB18:~$ which java /usr/bin/java kub18@UB18:~$ whereis java java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz kub18@UB18:~$ There is no "which", "whereis" or "find" because window users I have file explorer, it is a GUI, It makes use of the screen attached to the computer.Kubuntu , KDE are catching up with MS windows. > Ummm. Linux came *after* Unix. there is a rumour flying around that Linus Torvalds stole the kernel source code. I guess the chicken had to come first to lay the egg , for an egg thief to steal the egg. > Okay, no "find" but have you tried: dir /s \ ? windows explorer is another name for GUI no command line tries needed. Because it's terse (BTW, the dash is supposed to be connected to "cp", as "-cp") I use the compiler as a spell checker or as some refer to it as syntax checker. If I do not leave a space between - and cp then the syntax checker would have nothing to do .. you could try grammarly maybe. -cp -classpath --class-path A : separated list of directories, JAR archives, and ZIP archives to search for class files. You missed one - the CLASSPATH environment variable Rwong - Class-Path is used in the Manifest. No MR R."WONG" you missed all the points. Put a dot in your CLASSPATH Because it's descriptive and self-commenting I guess all those *.nix argument flags like ls -a -A -b -B are examples of Software Engineering Naming Conventions at its best. java -cp was too hard to figure out so you had to have a more description version java -classpath. I thought maybe it was because you want to get paid by the number of letters you type. No, but that's because the security model in Windows is *different* "chmod" is like taking the house keys away from house owner, strange idea of security. That is my view. I hope you appreciate I have a right to a view point. You could always chmod 777 * and you will have MS WINDOWS friendly user experience. On 06/01/2020 08:57, calder wrote: On Sat, Jan 4, 2020 at 7:26 PM zahid wrote: Have ever heard of "*chmod*" in windows ? No, but that's because the security model in Windows is *different* than for *nix OSes. On Win, there's attrib, xcacls, cacls, and icacls, but none of those truly match was chmod does. So, one needs to understand the underlying models for *nix and Windows to properly describe the differences. Have ever heard of *which* in windows ? Yea, no "which" - but have you tried "where" on Win? Could also use a "for" in Win (if you understand how to do it). or *find* in windows ? Okay, no "find" but have you tried: dir /s \ ? why is this same unique behaviour in Unix which came after Linux. Ummm. Linux came *after* Unix. why is there three ways to do same thing ? java - cp Because it's terse (BTW, the dash is supposed to be connected to "cp", as "-cp") java - classpath Because it's descriptive and self-commenting (BTW, the dash is supposed to be connected to "classpath", as "-classpath") java - class-path Rwong - Class-Path is used in the Manifest. You missed one - the CLASSPATH environment variable -- www.backbutton.co.uk ¯\_(ツ)_/¯ ♡۶ java cp classpath class-path Marriage of loose and tight coupling -> healthy applications - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
>What "user account" is Tomcat executing as? tomcat user. To fix the problem, I had to change /lib/systemd/system/tomcat9.service PrivateTmp=yes to PrivateTmp=no Then, sudo systemctl daemon-reload sudo service tomcat9 restart On Mon, 6 Jan 2020 at 09:58, calder wrote: > On Sat, Jan 4, 2020 at 8:36 AM bphamhuu wrote: > > I have a java web application by Tomcat 9 servlet container which tries > to > > read a file in /tmp folder with 777 permission on Ubuntu 18.04 > > > > ls -ltr /tmp/test.txt > > -rwxrwxrwx 1 vagrant vagrant 10 Jan 3 17:03 /tmp/test.txt > [snip] > > > # Cannot read file. Reason: File '/tmp/test.txt' does not exist > > What "user account" is Tomcat executing as? > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- *Bang Pham Huu * *-* *Master of Science - Research Assistant at Field Monitoring Center - 4 F, E3 BuildingViet Nam - Ha Noi National University - University of Engineering and Technology* *Email: a09...@gmail.com - Tel: +84 164.6339.217* *“Life is like riding a bicycle. To keep your balance, you must keep moving.”― Albert Einstein*
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
On Sat, Jan 4, 2020 at 8:36 AM bphamhuu wrote: > I have a java web application by Tomcat 9 servlet container which tries to > read a file in /tmp folder with 777 permission on Ubuntu 18.04 > > ls -ltr /tmp/test.txt > -rwxrwxrwx 1 vagrant vagrant 10 Jan 3 17:03 /tmp/test.txt [snip] > # Cannot read file. Reason: File '/tmp/test.txt' does not exist What "user account" is Tomcat executing as? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
On Sat, Jan 4, 2020 at 7:26 PM zahid wrote: > Have ever heard of "*chmod*" in windows ? No, but that's because the security model in Windows is *different* than for *nix OSes. On Win, there's attrib, xcacls, cacls, and icacls, but none of those truly match was chmod does. So, one needs to understand the underlying models for *nix and Windows to properly describe the differences. > Have ever heard of *which* in windows ? Yea, no "which" - but have you tried "where" on Win? Could also use a "for" in Win (if you understand how to do it). > or *find* in windows ? Okay, no "find" but have you tried: dir /s \ ? > why is this same unique behaviour in Unix which came after Linux. Ummm. Linux came *after* Unix. > why is there three ways to do same thing ? > java - cp Because it's terse (BTW, the dash is supposed to be connected to "cp", as "-cp") > java - classpath Because it's descriptive and self-commenting (BTW, the dash is supposed to be connected to "classpath", as "-classpath") > java - class-path Rwong - Class-Path is used in the Manifest. You missed one - the CLASSPATH environment variable - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
