RE: Need to know about analyzing of thread dump and heap dump
Hi Koustav, I was testing out the online thread dump analysers previously and found https://fastthread.io/ and https://jstack.review/#tda_1_dump. I am not sure how safe their data policy are, but I didn't spot any sensitive data in my thread dump. Note: one of them hid part of the result as it was just a trial run. I can't remember which. Surprisingly, both analysers pointed to the same area for possible root cause. I didn't go any further but our developers analysed the thread dump and also mentioned the same area. They went one better and provided info on the related java defect and provided a workaround. Problem solved, customer happy and I'm happy. -Original Message- From: Naha, Koustav Sent: Tuesday, April 4, 2023 5:58 AM To: users@tomcat.apache.org Subject: Need to know about analyzing of thread dump and heap dump Hi all, Good day. Can someone suggest me some good tools to analyze heap dump and thread dumps which we can use in real time production environment. Also, GUI based tools will be a good one to use. Please pour in your 2 cents. Thanks and Regards, Koustav Naha DXC Technology Company -- This message is transmitted to you by or on behalf of DXC Technology Company or one of its affiliates. It is intended exclusively for the addressee. The substance of this message, along with any attachments, may contain proprietary, confidential or privileged information or information that is otherwise legally exempt from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate any part of this message. If you have received this message in error, please destroy and delete all copies and notify the sender by return e-mail. Regardless of content, this e-mail shall not operate to bind DXC Technology Company or any of its affiliates to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: Need to know about analyzing of thread dump and heap dump
Hello, > -Ursprüngliche Nachricht- > Von: Naha, Koustav > Gesendet: Montag, 3. April 2023 21:58 > An: users@tomcat.apache.org > Betreff: Need to know about analyzing of thread dump and heap dump > > Hi all, > > Good day. > > Can someone suggest me some good tools to analyze heap dump and thread > dumps which we can use in real time production environment. > Also, GUI based tools will be a good one to use. > > Please pour in your 2 cents. > > Thanks and Regards, > Koustav Naha > > I often use Eclipse Memory Analyzer for heap dumps and Samurai for thread dumps (https://samuraism.jp/samurai/en/index.html) Greetings, Thomas - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Need to know about analyzing of thread dump and heap dump
i use ibm's support assistant with their plugins. works pretty well, and I believe there's a standalone version... i cant find them at the moment, but I know they're out there. Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 3:59 PM Naha, Koustav wrote: > Hi all, > > Good day. > > Can someone suggest me some good tools to analyze heap dump and thread > dumps which we can use in real time production environment. > Also, GUI based tools will be a good one to use. > > Please pour in your 2 cents. > > Thanks and Regards, > Koustav Naha > > > DXC Technology Company -- This message is transmitted to you by or on > behalf of DXC Technology Company or one of its affiliates. It is intended > exclusively for the addressee. The substance of this message, along with > any attachments, may contain proprietary, confidential or privileged > information or information that is otherwise legally exempt from > disclosure. Any unauthorized review, use, disclosure or distribution is > prohibited. If you are not the intended recipient of this message, you are > not authorized to read, print, retain, copy or disseminate any part of this > message. If you have received this message in error, please destroy and > delete all copies and notify the sender by return e-mail. Regardless of > content, this e-mail shall not operate to bind DXC Technology Company or > any of its affiliates to any order or other contract unless pursuant to > explicit written agreement or government initiative expressly permitting > the use of e-mail for such purpose. >
Need to know about analyzing of thread dump and heap dump
Hi all, Good day. Can someone suggest me some good tools to analyze heap dump and thread dumps which we can use in real time production environment. Also, GUI based tools will be a good one to use. Please pour in your 2 cents. Thanks and Regards, Koustav Naha DXC Technology Company -- This message is transmitted to you by or on behalf of DXC Technology Company or one of its affiliates. It is intended exclusively for the addressee. The substance of this message, along with any attachments, may contain proprietary, confidential or privileged information or information that is otherwise legally exempt from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient of this message, you are not authorized to read, print, retain, copy or disseminate any part of this message. If you have received this message in error, please destroy and delete all copies and notify the sender by return e-mail. Regardless of content, this e-mail shall not operate to bind DXC Technology Company or any of its affiliates to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Re: Accessing Tomcat Sessions
On 02/04/2023 13:44, Chew Kok Hoor wrote: Hi, As part of a way to prevent concurrent login, and to re-assign a session back to a request based on JWT token (for clients that cannot pass us cookies), we need to access to the 'findSession' and 'findSessions' in org.apache.catalina.Manager. Is it true the only way to get the manager using ServletContext.getManager() is by using privileged="true" in the context.xml? There is no ServletContext.getManager() method. privileged is use to control access to Servlets that implement ContainerServlet. The ContainerServlet interface is one way to access Tomcat's internals. Another option is reflection. Are there any implications in setting privileged="true" if we have full control to restrict what servlets or jsp or codes are running in our webapp? If the code is trusted then allowing setting privileged="true" does not introduce additional risk. It just makes it a little easier to do some things. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Logging
ok, can you tell me what your thoughts are? I'm always interested in new things Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 12:31 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Kevin, > > On 4/3/23 12:10, Kevin Huntly wrote: > > idk why i add the typeset, but I do everywhere just out of habit. i was > > trained that way many many moons ago. > > > > Is there anything else in my setenv that needs work? > > That mostly depends upon your environment. The only thing that stuck out > to me was the JAVA_OPTS versus CATALINA_OPTS. I didn't even notice that > all the JMX configuration would have caused port conflicts, too. So > there is another reason to only use CATALINA_OPTS for that stuff. > > Some of what you have in that script is not having any effect on Tomcat > itself. But it may be serving other purposes. > > I have some personal thoughts about things like what should be done on > OOMEs but again those are very environment-specific. > > -chris > > > On Mon, Apr 3, 2023 at 11:57 AM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > >> Kevin, > >> > >> On 4/3/23 10:07, Kevin Huntly wrote: > >>> I'm launching with startup.sh and I have a setenv: > >>> > >>> https://pastebin.com/PKRgz2y1 > >> > > >> > typeset JAVA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 > >> -Djava.awt.headless=true"; > >> > >> You don't want this. You want: > >> > >> typeset CATALINA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 > >> -Djava.awt.headless=true"; > >> > >> (I'm not sure why you are bothering with "typeset". IMHO it adds nothing > >> but extra characters to the file and or someone so say "what the hell is > >> typset?") > >> > >> CATALINA_OPTS are used when launching Tomcat. JAVA_OPTS are used when > >> launching any kind of JVM. An example is when shutting-down Tomcat. Your > >> JAVA_OPTS sets the heap size to 4 GiB, but you only need like 5MiB to > >> launch the "please shutdown" process, so a 4GiB heap for that is > overkill. > >> > >> -chris > >> > >>> > >>> > >>> Kevin Huntly > >>> Email: kmhun...@gmail.com > >>> Cell: 716/424-3311 > >>> > >>> > >>> -BEGIN GEEK CODE BLOCK- > >>> Version: 1.0 > >>> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- > >>> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) > >>> PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ > >>> G++ e(+) h--- r+++ y+++* > >>> --END GEEK CODE BLOCK-- > >>> > >>> > >>> On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < > >>> ch...@christopherschultz.net> wrote: > >>> > Kevin, > > On 4/2/23 09:08, Kevin Huntly wrote: > > Couple questions: > > > > 1. Is there a way to change the default "stdout" to a different name? > e.g. > > SystemOut.log (and by extension, can syserr be printed to something > > SystemErr.log?) > > How are you launching Tomcat? > > > 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can > that > > output be redirected to a different file? > > Have you tried google or "java -X"? > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > >>> > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > >
Re: Logging
Kevin, On 4/3/23 12:10, Kevin Huntly wrote: idk why i add the typeset, but I do everywhere just out of habit. i was trained that way many many moons ago. Is there anything else in my setenv that needs work? That mostly depends upon your environment. The only thing that stuck out to me was the JAVA_OPTS versus CATALINA_OPTS. I didn't even notice that all the JMX configuration would have caused port conflicts, too. So there is another reason to only use CATALINA_OPTS for that stuff. Some of what you have in that script is not having any effect on Tomcat itself. But it may be serving other purposes. I have some personal thoughts about things like what should be done on OOMEs but again those are very environment-specific. -chris On Mon, Apr 3, 2023 at 11:57 AM Christopher Schultz < ch...@christopherschultz.net> wrote: Kevin, On 4/3/23 10:07, Kevin Huntly wrote: I'm launching with startup.sh and I have a setenv: https://pastebin.com/PKRgz2y1 > > typeset JAVA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 -Djava.awt.headless=true"; You don't want this. You want: typeset CATALINA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 -Djava.awt.headless=true"; (I'm not sure why you are bothering with "typeset". IMHO it adds nothing but extra characters to the file and or someone so say "what the hell is typset?") CATALINA_OPTS are used when launching Tomcat. JAVA_OPTS are used when launching any kind of JVM. An example is when shutting-down Tomcat. Your JAVA_OPTS sets the heap size to 4 GiB, but you only need like 5MiB to launch the "please shutdown" process, so a 4GiB heap for that is overkill. -chris Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < ch...@christopherschultz.net> wrote: Kevin, On 4/2/23 09:08, Kevin Huntly wrote: Couple questions: 1. Is there a way to change the default "stdout" to a different name? e.g. SystemOut.log (and by extension, can syserr be printed to something SystemErr.log?) How are you launching Tomcat? 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can that output be redirected to a different file? Have you tried google or "java -X"? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Logging
idk why i add the typeset, but I do everywhere just out of habit. i was trained that way many many moons ago. Is there anything else in my setenv that needs work? Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 11:57 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > Kevin, > > On 4/3/23 10:07, Kevin Huntly wrote: > > I'm launching with startup.sh and I have a setenv: > > > > https://pastebin.com/PKRgz2y1 > > > > typeset JAVA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 > -Djava.awt.headless=true"; > > You don't want this. You want: > > typeset CATALINA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 > -Djava.awt.headless=true"; > > (I'm not sure why you are bothering with "typeset". IMHO it adds nothing > but extra characters to the file and or someone so say "what the hell is > typset?") > > CATALINA_OPTS are used when launching Tomcat. JAVA_OPTS are used when > launching any kind of JVM. An example is when shutting-down Tomcat. Your > JAVA_OPTS sets the heap size to 4 GiB, but you only need like 5MiB to > launch the "please shutdown" process, so a 4GiB heap for that is overkill. > > -chris > > > > > > > Kevin Huntly > > Email: kmhun...@gmail.com > > Cell: 716/424-3311 > > > > > > -BEGIN GEEK CODE BLOCK- > > Version: 1.0 > > GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- > > W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) > > PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ > > G++ e(+) h--- r+++ y+++* > > --END GEEK CODE BLOCK-- > > > > > > On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > >> Kevin, > >> > >> On 4/2/23 09:08, Kevin Huntly wrote: > >>> Couple questions: > >>> > >>> 1. Is there a way to change the default "stdout" to a different name? > >> e.g. > >>> SystemOut.log (and by extension, can syserr be printed to something > >>> SystemErr.log?) > >> > >> How are you launching Tomcat? > >> > >>> 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can > >> that > >>> output be redirected to a different file? > >> > >> Have you tried google or "java -X"? > >> > >> -chris > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Logging
Kevin, On 4/3/23 10:07, Kevin Huntly wrote: I'm launching with startup.sh and I have a setenv: https://pastebin.com/PKRgz2y1 > > typeset JAVA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 -Djava.awt.headless=true"; You don't want this. You want: typeset CATALINA_OPTS="-Xms4096m -Xmx4096m -Dfile.encoding=utf-8 -Djava.awt.headless=true"; (I'm not sure why you are bothering with "typeset". IMHO it adds nothing but extra characters to the file and or someone so say "what the hell is typset?") CATALINA_OPTS are used when launching Tomcat. JAVA_OPTS are used when launching any kind of JVM. An example is when shutting-down Tomcat. Your JAVA_OPTS sets the heap size to 4 GiB, but you only need like 5MiB to launch the "please shutdown" process, so a 4GiB heap for that is overkill. -chris Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < ch...@christopherschultz.net> wrote: Kevin, On 4/2/23 09:08, Kevin Huntly wrote: Couple questions: 1. Is there a way to change the default "stdout" to a different name? e.g. SystemOut.log (and by extension, can syserr be printed to something SystemErr.log?) How are you launching Tomcat? 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can that output be redirected to a different file? Have you tried google or "java -X"? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Logging
Kevin, On 4/3/23 10:07, Kevin Huntly wrote: I'm launching with startup.sh and I have a setenv: bin/startup.sh calls bin/catalina.sh. Have a look at the top few pages of catalina.sh to see what environment variables can be used to customize stuff like log file names. https://pastebin.com/PKRgz2y1 It looks like you are already setting CATALINA_OUT. You should just be able to change the value to use a different file name. The existing catalina.sh does not allow separate stdout and stderr streams. You could modify catalina.sh to easily redirect stderr to a different file if you wanted to. -chris Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < ch...@christopherschultz.net> wrote: Kevin, On 4/2/23 09:08, Kevin Huntly wrote: Couple questions: 1. Is there a way to change the default "stdout" to a different name? e.g. SystemOut.log (and by extension, can syserr be printed to something SystemErr.log?) How are you launching Tomcat? 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can that output be redirected to a different file? Have you tried google or "java -X"? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
Kesavan,
On 4/3/23 10:53, Kesavan, Suresh Prabhu (Fed) wrote:
Thanks, can you tell me how to enable all security in tomcat
Catalina.policy.
Just turn off the security manager if you are going to allow all
privilieges.
Having it enabled without any enforcement means you get zero security
controls and performance penalties all over the place.
-chris
-Original Message-
From: Mark Thomas
Sent: Wednesday, March 29, 2023 8:37 PM
To: users@tomcat.apache.org
Subject: Re: [org.apache.jasper.JasperException: Unable to compile class for
JSP] with root cause
Hi,
I am unable to reproduce this with a clean build of the current 9.0.x source.
I built the sample application without configuring the connection to Azure.
Once deployed, it failed with a security permissions error. This has fixed by
adding the following to the web application permissions:
permission java.util.PropertyPermission "com.ctc.wstx.returnNullForDefaultNamespace",
"read";
No other changes were made compared to the default.
The index page then showed correctly.
Mark
On 27/03/2023 16:47, Kesavan, Suresh Prabhu (Fed) wrote:
Hi Mark,
Sure, below is the policy file
*/_catalina.policy_/*
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed
with // this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version
2.0 // (the "License"); you may not use this file except in compliance
with // the License. You may obtain a copy of the License at //
//
https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.apache.org%2Flicenses%2FLICENSE-2.0=05%7C01%7Csureshprabhu.kesavan%40nist.gov%7C0fae3558eb82448fe0f408db30b6dbe9%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638157334161987625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=1MXkLyzwJ0d9CWADPfIAjbvaGHlX2whCFY7iPYR3sdM%3D=0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
==
== // catalina.policy - Security Policy Permissions for Tomcat //
// This file contains a default set of security policies to be
enforced (by the // JVM) when Catalina is executed with the
"-security" option. In addition // to the permissions granted here,
the following additional permissions are // granted to each web application:
//
// * Read access to the web application's document root directory // *
Read, write and delete access to the web application's working
directory //
==
==
// == SYSTEM CODE PERMISSIONS
=
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission; };
// These permissions apply to all shared system extensions grant
codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission; };
// These permissions apply to javac when ${java.home} points at
$JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission; };
// These permissions apply to all shared system extensions when //
${java.home} points at $JAVA_HOME/jre grant codeBase
"file:${java.home}/lib/ext/-" {
permission java.security.AllPermission; };
// This permission is required when using javac to compile JSPs on
Java 9 // onwards grant codeBase "jrt:/jdk.compiler" {
permission java.security.AllPermission; };
// == CATALINA CODE PERMISSIONS ===
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
"${java.home}${file.separator}lib${file.separator}logging.properties",
"read";
permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.properties",
"read";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs${file.separator}*", "read, write,
delete";
RE: [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
Hi Mark,
Thanks, can you tell me how to enable all security in tomcat Catalina.policy.
Thanks,
Suresh Kesavan
OISM/ASD
National Institute of Standards and Technology
Office:- 301-975-6973
-Original Message-
From: Mark Thomas
Sent: Wednesday, March 29, 2023 8:37 PM
To: users@tomcat.apache.org
Subject: Re: [org.apache.jasper.JasperException: Unable to compile class for
JSP] with root cause
Hi,
I am unable to reproduce this with a clean build of the current 9.0.x source.
I built the sample application without configuring the connection to Azure.
Once deployed, it failed with a security permissions error. This has fixed by
adding the following to the web application permissions:
permission java.util.PropertyPermission
"com.ctc.wstx.returnNullForDefaultNamespace", "read";
No other changes were made compared to the default.
The index page then showed correctly.
Mark
On 27/03/2023 16:47, Kesavan, Suresh Prabhu (Fed) wrote:
> Hi Mark,
>
> Sure, below is the policy file
>
> */_catalina.policy_/*
>
> // Licensed to the Apache Software Foundation (ASF) under one or more
> // contributor license agreements. See the NOTICE file distributed
> with // this work for additional information regarding copyright ownership.
> // The ASF licenses this file to You under the Apache License, Version
> 2.0 // (the "License"); you may not use this file except in compliance
> with // the License. You may obtain a copy of the License at //
> //
> https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.apache.org%2Flicenses%2FLICENSE-2.0=05%7C01%7Csureshprabhu.kesavan%40nist.gov%7C0fae3558eb82448fe0f408db30b6dbe9%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638157334161987625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=1MXkLyzwJ0d9CWADPfIAjbvaGHlX2whCFY7iPYR3sdM%3D=0
> //
> // Unless required by applicable law or agreed to in writing, software
> // distributed under the License is distributed on an "AS IS" BASIS,
> // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> // See the License for the specific language governing permissions and
> // limitations under the License.
>
> //
> ==
> == // catalina.policy - Security Policy Permissions for Tomcat //
> // This file contains a default set of security policies to be
> enforced (by the // JVM) when Catalina is executed with the
> "-security" option. In addition // to the permissions granted here,
> the following additional permissions are // granted to each web application:
> //
> // * Read access to the web application's document root directory // *
> Read, write and delete access to the web application's working
> directory //
> ==
> ==
>
>
> // == SYSTEM CODE PERMISSIONS
> =
>
>
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
> permission java.security.AllPermission; };
>
> // These permissions apply to all shared system extensions grant
> codeBase "file:${java.home}/jre/lib/ext/-" {
> permission java.security.AllPermission; };
>
> // These permissions apply to javac when ${java.home} points at
> $JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" {
> permission java.security.AllPermission; };
>
> // These permissions apply to all shared system extensions when //
> ${java.home} points at $JAVA_HOME/jre grant codeBase
> "file:${java.home}/lib/ext/-" {
> permission java.security.AllPermission; };
>
> // This permission is required when using javac to compile JSPs on
> Java 9 // onwards grant codeBase "jrt:/jdk.compiler" {
> permission java.security.AllPermission; };
>
>
> // == CATALINA CODE PERMISSIONS
> ===
>
> // These permissions apply to the daemon code
> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
> permission java.security.AllPermission;
> };
>
> // These permissions apply to the logging API
> // Note: If tomcat-juli.jar is in ${catalina.base} and not in
> ${catalina.home},
> // update this section accordingly.
> // grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
> permission java.io.FilePermission
>
> "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>
> permission java.io.FilePermission
>
> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
> "read";
> permission java.io.FilePermission
> "${catalina.base}${file.separator}logs", "read, write";
> permission java.io.FilePermission
> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>
Re: DBAs?
I tried there no one answered LOL I ended up figuring out my issue though. Maybe not the best way, but it works Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 10:07 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > Kevin, > > On 4/2/23 16:39, Kevin Huntly wrote: > > Are there any DBAs in here? If so, are you aware of a MySQL user mailing > > list? I'm having an issue with some stored procedures and need some help > > dba.stackexchange.com is fairly decent in my experience. > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Logging
I'm launching with startup.sh and I have a setenv: https://pastebin.com/PKRgz2y1 Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Mon, Apr 3, 2023 at 10:03 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > Kevin, > > On 4/2/23 09:08, Kevin Huntly wrote: > > Couple questions: > > > > 1. Is there a way to change the default "stdout" to a different name? > e.g. > > SystemOut.log (and by extension, can syserr be printed to something > > SystemErr.log?) > > How are you launching Tomcat? > > > 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can > that > > output be redirected to a different file? > > Have you tried google or "java -X"? > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: DBAs?
Kevin, On 4/2/23 16:39, Kevin Huntly wrote: Are there any DBAs in here? If so, are you aware of a MySQL user mailing list? I'm having an issue with some stored procedures and need some help dba.stackexchange.com is fairly decent in my experience. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Logging
Kevin, On 4/2/23 09:08, Kevin Huntly wrote: Couple questions: 1. Is there a way to change the default "stdout" to a different name? e.g. SystemOut.log (and by extension, can syserr be printed to something SystemErr.log?) How are you launching Tomcat? 2. When verbose:gc is turned on it logs a ton of stuff to stdout, can that output be redirected to a different file? Have you tried google or "java -X"? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
