I can't find how to stop TOMCAT during INITIALIZATION phase

2023-12-14 Thread Mircea Butmalai
Hello,

I have searched inside TOMCAT (for the moment version 10.1.x, but it seems to be 
present in all versions) for how to stop TOMCAT during the INITIALIZATION phase 
and I can't find any method to do it.

Tomcat seems to have 3 ways to stop it:
1. Sending the SHUTDOWN command over the control port socket (the most 
traditional one)
2. Sending a SIGTERM signal to the java process, because I see that 
org/apache/catalina/startup/Catalina.java registers a java shutdown hook that 
basically stops the server container
3. Calling the manager jmxproxy via HTTP and invoking stop on the server container

The problem with solutions 1 and 2 is that these ways are available only after 
initialization of tomcat is complete (the second one I have never been able to 
use, but it seems to me from the code that it is available only after 
initialization, when the message " INFO [main] 
org.apache.catalina.startup.Catalina.start Server startup in [26102] 
milliseconds" is logged).
Solution 3 is also available only after initialization, because the manager web 
application is scheduled to start up after our web application and tomcat seems 
to pause HTTP requests until initialization is complete.

So I am not able to send any signal to shut down tomcat during this 
initialization phase, or I can't figure out how to do it.

The reason we want this is as follows:
Our application consists of a TOMCAT instance that runs inside our WAR web 
application together with the manager, host manager and default ROOT 
tomcat-delivered web applications (the root application is modified to redirect 
to our web application).
Our war application takes approx. 20 - 30 seconds to start up; the majority of 
that time is spent inside a few servlet context listeners, and it stops quickly 
in a graceful manner.

We also have some custom-made wrapper bash scripts that start / stop tomcat 
like this:
- the start script delegates the start procedure to the bin/catalina.sh tomcat 
script with the run parameter (after setting the environment and other things)
- the stop script delegates the stop procedure to the bin/shutdown.sh tomcat 
script (after setting the environment and other things)

Due to the fact that initialization takes a visibly long time, it is possible 
to need to stop tomcat in this phase for the following reasons:
1. the administrator wishes to interrupt this initialization
2. the operating system is shut down gracefully during initialization of tomcat, 
and tomcat, like any process, needs to start a shutdown during any phase

Our questions are:
1. Is it possible to stop tomcat during the initialization phase?
2. If yes, how, and if not, are there any plans to implement it in future versions?

It seems to me that my solutions for now are:
1. sending a SIGKILL signal to tomcat (this is very risky to me because stopping 
like this in the middle of something may corrupt data - but this situation is 
possible anyway, so I have to handle it)
2. waiting for the tomcat initialization procedure to finish and then triggering 
the shutdown, since we can do something in our wrapper scripts
Do you see any other possible solutions?


Thanks.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Issues of Ahead of Time compilation support

2023-12-14 Thread Jun Suzuki
Hello all,

Does anyone have experience implementing AOT/GraalVM by
following the official documentation below?
https://tomcat.apache.org/tomcat-9.0-doc/graal.html

I created a simple Spring Framework application (deployed as a war
file) which is working well under Tomcat 10.x, GraalVM 21 with JDK 21.
Then I'm trying to transform the application into a native image based
on the documentation.
I downloaded the Tomcat Stuffed module and started to do packaging and building.
However, I encountered some issues by following the steps from the
documentation.

(1) The guidance is not so clear about the following points:
Should I copy the deployed application (with or without the war file?) from
the existing Tomcat server's webapps directory to the webapps directory of
$TOMCAT_STUFFED?
Should I copy all the files from the conf directory of the existing Tomcat
server to the conf directory of $TOMCAT_STUFFED?

(2) On the step of executing "$JAVA_HOME/bin/java -Dcatalina.base=.
-Djava.util.logging.config.file=conf/logging.properties -jar
target/tomcat-stuffed-1.0.jar --catalina -generateCode src/main/java",
error messages show as below:
...
Can't load log handler "1catalina.org.apache.juli.AsyncFileHandler"
java.lang.ClassNotFoundException: 1catalina.org.apache.juli.AsyncFileHandler
java.lang.ClassNotFoundException: 1catalina.org.apache.juli.AsyncFileHandler
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
...

(3) When using JDK 17, the first step of the maven build failed with the following error:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-compiler-plugin:3.11.0:compile
(default-compile) on project tomcat-stuffed: Fatal error compiling:
error: release version 21 not supported.
After I switched to JDK 21, the build completed successfully. Does the
approach only support JDK 21?

Please kindly provide any insights on this.
Thank you

Jun




RE: [EXTERNAL] - Re: Partitioned cookies

2023-12-14 Thread André van der Lugt
> -Original Message-
> From: Adam Warfield 
> Sent: woensdag 15 november 2023 16:49
> To: Tomcat Users List 
> Subject: Re: [EXTERNAL] - Re: Partitioned cookies
> 
> That's strange. I was not aware the proposal had expired. I've been working
> off of a few pages as it seemed Chrome/Edge were moving forward with
> Firefox at least showing positive support without committing.
> 
> https://developer.chrome.com/en/docs/privacy-sandbox/third-party-cookie-phase-out/
>   (October 2023)
>
> https://github.com/mozilla/standards-positions/issues/678  (Firefox showing 
> positive support, last updated 2022)
>
> https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies
>
> https://github.com/privacycg/CHIPS
> 
> 
> Adam
> 
> 
> From: Chuck Caldarale 
> Sent: Wednesday, November 15, 2023 9:48 AM
> To: Tomcat Users List 
> Subject: [EXTERNAL] - Re: Partitioned cookies
> 
> 
>> On Nov 15, 2023, at 08:06, Adam Warfield
>>  wrote:
>> 
>> The Rfc6265CookieProcessor supports setting the SameSite cookie attribute
>> but starting in 2024, browsers will begin enforcing the newer "Partitioned"
>> attribute for third-party cookies. Is there a way to set this attribute 
>> within
>> Tomcat for things like the JSESSIONID and XSRF-TOKEN cookies? This affects
>> any webapps that are embedded within iframes across domains where those
>> cookies will be rejected if not partitioned.
> 
> 
> Looks like the CHIPS proposal:
> 
> https://datatracker.ietf.org/doc/draft-cutler-httpbis-partitioned-cookies/
> 
> 
> expired this past May and no updated version has been submitted to IETF. Is
> there some other active standards document describing cookie partitioning?
> 
>   - Chuck

Standard or not, Google/Chrome is moving on and will (as noted above) soon 
start to gradually reject third-party cookies without the Partitioned attribute.

I'm kindly asking the experts: is Tomcat support for this feature being 
planned? If not, what can be done to modestly prioritize it?

André





Re: 9.0.83 addSslHostConfig JMX Operation Regression (Sample Code Attached)

2023-12-14 Thread Daniel Skiles
Chris,
Thanks for the explanation.

The XML-based registration - is that something I would do as a user, or
something that would be changed on the Tomcat side as part of its release
bundle?

On Thu, Dec 14, 2023 at 10:17 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 12/14/23 09:43, Daniel Skiles wrote:
> > Do you have any pointers on how to do that using JMX?  So far as I can
> tell
> > from what little documentation I can find on the tomcat site, this is how
> > it's done.
> >
> > I'm suspicious that there might be an issue in
> > Tomcat's MbeansDescriptorsIntrospectionSource.createManagedBean(...)
> > method.  I'm not familiar with the code, but it appears that there might
> be
> > an issue with how that map is constructed.
>
> +1
>
> The operations map is keyed on method-name which means that overloads
> are not supported.
>
> I suppose it's possible that the introspecter doesn't always get the
> methods back from the reflection process in exactly the same order, and
> the last one always wins. This would explain why it sometimes works and
> sometimes does not work.
>
> The best solution would be to explicitly-define this operation in the
> MBeans XML-based registration. Then no introspection is necessary and we
> always get the right method.
>
> -chris
>
> > On Thu, Dec 14, 2023 at 4:25 AM Rémy Maucherat  wrote:
> >
> >> On Wed, Dec 13, 2023 at 9:43 PM Daniel Skiles
> >>  wrote:
> >>>
> >>> The object and operation I'm trying to address is Catalina -->
> >>> ProtocolHandler -->  -->  --> operations -->
> >> addSslHostConfig.
> >>>
> >>> The parameters are an SslHostConfig object and the boolean value
> "true".
> >>>
> >>> The operation is "addSslHostConfig".
> >>>
> >>> The code I sent in the previous message works 100% of the time in
> 9.0.82.
> >>> In 9.0.83, it works about 50% of the time.  I can always query that the
> >>> operation exists, but roughly half the time it will fail with a JMX
> >>> exception saying that the operation does not exist.
> >>>
> >>> I am not positive, but I believe the behavior in 9.0.83 might have to
> do
> >>> with the fact that the catalina java code now has a one argument and
> two
> >>> argument variant of the same method.
> >>
> >> I'm pretty sure you got the explanation right. It is very similar to
> >> using reflection here. You're doing the lookup based on the method
> >> name, which matches something. However, if you want to avoid an error,
> >> you also have to check that the arguments match, otherwise you're
> >> going to randomly pick one of the two methods and fail half the time.
> >>
> >> Rémy
> >>
> >>> On Wed, Dec 13, 2023 at 10:27 AM Christopher Schultz <
> >>> ch...@christopherschultz.net> wrote:
> >>>
> >>>> Daniel,
> >>>>
> >>>> On 12/12/23 19:45, Daniel Skiles wrote:
> >>>>> I apologize for it being a bit rough - it's what I was using to
> >>>>> troubleshoot locally.
> >>>>>
> >>>>> import static java.util.Objects.nonNull;
> >>>>>
> >>>>> import java.lang.management.ManagementFactory;
> >>>>> import java.util.Arrays;
> >>>>> import java.util.HashMap;
> >>>>> import java.util.Map;
> >>>>> import java.util.Optional;
> >>>>> import java.util.function.Predicate;
> >>>>>
> >>>>> import javax.management.MBeanInfo;
> >>>>> import javax.management.MBeanOperationInfo;
> >>>>> import javax.management.MBeanServer;
> >>>>> import javax.management.ObjectName;
> >>>>>
> >>>>> import org.apache.logging.log4j.LogManager;
> >>>>> import org.apache.logging.log4j.Logger;
> >>>>> import org.apache.tomcat.util.net.SSLHostConfig;
> >>>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate;
> >>>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
> >>>>>
> >>>>> @javax.annotation.ManagedBean
> >>>>> public class MbeanFailure {
> >>>>>     private static final Logger LOGGER = LogManager.getLogger();
> >>>>>
> >>>>>     private static final String LOCALHOST = "127.0.0.1";
> >>>>>     private static final String SUBTYPE = "subType";
> >>>>>     private static final String ADD_SSL_HOST_CONFIG_OP = "addSslHostConfig";
> >>>>>
> >>>>>     private static final Predicate<ObjectName> NOT_LOCALHOST = Predicate.not(on ->
> >>>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(LOCALHOST));
> >>>>>     private static final Predicate<ObjectName> NOT_SUBTYPE = Predicate.not(on ->
> >>>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(SUBTYPE));
> >>>>>
> >>>>>     @javax.annotation.PostConstruct
> >>>>>     public void run() throws Exception {
> >>>>>         final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
> >>>>>
> >>>>>         final SSLHostConfig config = new SSLHostConfig();
> >>>>>
> >>>>>         config.setProtocols("TLSv1.2");
> >>>>>         config.setHostName("test.test.com");
> >>>>>         config.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
> >>>>>
> >>>>>         final SSLHostConfigCertificate cert = new SSLHostConfigCertificate(config,

Re: security-constraint url-pattern question

2023-12-14 Thread ResSoft
Chris,

I figured out how to make this work.  It works in my dev box but not in 
my prod box.  Both have the same version of tomcat.  Here is the web.xml entry. 
Any ideas would be great.



securedapp
/*


  CONFIDENTIAL

  


 


HTTP-Protected-Resource-1
Description here
/path to directory/*
GET
POST



 

Thanks,

Kent Cole


> On Dec 14, 2023, at 10:09 AM, Christopher Schultz 
>  wrote:
> 
> Kent,
> 
> On 12/14/23 09:13, ResSoft wrote:
>> I am currently forcing my app to use https.  Here is what I have in my
>> app web.xml file and it works as intended
>> 
>>  
>>securedapp
>>/*
>>
>>
>>  CONFIDENTIAL
>>
>>  
>> I also now want to restrict the browser from pulling up files in certain =
>> directories.  Search the web I see to use the following=20
>> 
>>  
>>  =
> 
> I hope this is just a stray = added by your email program. If it's not, 
> please remove it.
> 
>> HTTP-Protected-Resource-1
>>  Description here
>>  /path to directory/path to =
>> directory/*
>>  GET
>>  POST
> 
> What about HEAD requests? Or PUT? Or maybe FOO?
> 
> Don't forget that any client can try any HTTP method verb. It doesn't have to 
> make any sense, and most code assumes GET unless it's looking for something 
> else.
> 
>>  
>>  
>> 
>> These both work independently of each other.  What I can't
>> figure out is how to make them work together.  When I try that, all
>> files are forbidden as it appears the /*
>> locks everything down.  But without it, I cannot get tomcat to force
>> http to https.
> 
> Have you set a redirectPort in your HTTP ?
> 
> -chris
> 


Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas

On 14/12/2023 16:13, Benny Prange wrote:
> On Thu, 14 Dec 2023 at 16:51, Mark Thomas wrote:
>> On 14/12/2023 15:33, Benny Prange wrote:
>>> Hi all,
>>>
>>> I am having trouble understanding the description of CVE-2023-46589.
>>> Does this CVE affect scenarios where the Apache Tomcat is the reverse
>>> proxy, or when the Apache Tomcat is running behind a reverse proxy?
>>> Is the Tomcat vulnerable to request smuggling, or other applications
>>> running behind the Tomcat?
>>
>> Tomcat does not provide reverse proxy configuration.
>>
>> This CVE applies when Tomcat is behind a reverse proxy.
>>
>> Mark
>
> Thanks for the quick response.
>
> I'm afraid I still can't grasp it:
> From my understanding, the trailer header is used in HTTP responses. How
> can this lead to request smuggling?

Trailer headers are valid for both requests and responses.

I am not going to describe how to attack Tomcat using this CVE.

> Why is it important that there is a reverse proxy in front of the Tomcat,

Request smuggling occurs when two different HTTP servers (in this case 
the reverse proxy and Tomcat) process an invalid request in different 
ways. This typically results in the invalid request incorrectly being 
treated as more than one request by one of those servers.

> or would the CVE also be applicable without a reverse proxy?

No.

Mark



Re: Clarification on CVE-2023-46589

2023-12-14 Thread Benny Prange
On Thu, 14 Dec 2023 at 16:51, Mark Thomas wrote:

> On 14/12/2023 15:33, Benny Prange wrote:
> > Hi all,
> >
> > I am having trouble understanding the description of CVE-2023-46589.
> > Does this CVE affect scenarios where the Apache Tomcat is the reverse
> > proxy, or when the Apache Tomcat is running behind a reverse proxy?
> > Is the Tomcat vulnerable to request smuggling, or other applications
> > running behind the Tomcat?
>
> Tomcat does not provide reverse proxy configuration.
>
> This CVE applies when Tomcat is behind a reverse proxy.
>
> Mark

Thanks for the quick response.

I'm afraid I still can't grasp it:
From my understanding, the trailer header is used in HTTP responses. How
can this lead to request smuggling?
Why is it important that there is a reverse proxy in front of the Tomcat,
or would the CVE also be applicable without a reverse proxy?

Thanks a lot
Benny


Re: security-constraint url-pattern question

2023-12-14 Thread ResSoft
Chris,

Thanks for the response, but I think I explained myself wrong.  The 
http redirect to https works when I use just this entry in my web.xml



securedapp
/*


  CONFIDENTIAL

  

But if I want to force http to https and lock the second url pattern from a 
browser accessing files in that directory, it locks down the entire site based 
on the first url-pattern /*, and without the /* the http to https does not work 
at the root directory of the app.



securedapp
/*
/path to directory/*


  CONFIDENTIAL

  

I can’t figure out how to force http to https and lock down a directory from 
being browsed. 

Thanks,

Kent Cole


> On Dec 14, 2023, at 10:09 AM, Christopher Schultz 
>  wrote:
> 
> Kent,
> 
> On 12/14/23 09:13, ResSoft wrote:
>> I am currently forcing my app to use https.  Here is what I have in my
>> app web.xml file and it works as intended
>> 
>>  
>>securedapp
>>/*
>>
>>
>>  CONFIDENTIAL
>>
>>  
>> I also now want to restrict the browser from pulling up files in certain =
>> directories.  Search the web I see to use the following=20
>> 
>>  
>>  =
> 
> I hope this is just a stray = added by your email program. If it's not, 
> please remove it.
> 
>> HTTP-Protected-Resource-1
>>  Description here
>>  /path to directory/path to =
>> directory/*
>>  GET
>>  POST
> 
> What about HEAD requests? Or PUT? Or maybe FOO?
> 
> Don't forget that any client can try any HTTP method verb. It doesn't have to 
> make any sense, and most code assumes GET unless it's looking for something 
> else.
> 
>>  
>>  
>> 
>> These both work independently of each other.  What I can't
>> figure out is how to make them work together.  When I try that, all
>> files are forbidden as it appears the /*
>> locks everything down.  But without it, I cannot get tomcat to force
>> http to https.
> 
> Have you set a redirectPort in your HTTP ?
> 
> -chris
> 



Re: Clarification on CVE-2023-46589

2023-12-14 Thread Mark Thomas

On 14/12/2023 15:33, Benny Prange wrote:
> Hi all,
>
> I am having trouble understanding the description of CVE-2023-46589.
> Does this CVE affect scenarios where the Apache Tomcat is the reverse
> proxy, or when the Apache Tomcat is running behind a reverse proxy?
> Is the Tomcat vulnerable to request smuggling, or other applications
> running behind the Tomcat?

Tomcat does not provide reverse proxy configuration.

This CVE applies when Tomcat is behind a reverse proxy.

Mark



Clarification on CVE-2023-46589

2023-12-14 Thread Benny Prange
Hi all,

I am having trouble understanding the description of CVE-2023-46589.
Does this CVE affect scenarios where the Apache Tomcat is the reverse
proxy, or when the Apache Tomcat is running behind a reverse proxy?
Is the Tomcat vulnerable to request smuggling, or other applications
running behind the Tomcat?

Thanks and regards
Benny


Re: 9.0.83 addSslHostConfig JMX Operation Regression (Sample Code Attached)

2023-12-14 Thread Christopher Schultz

Daniel,

On 12/14/23 09:43, Daniel Skiles wrote:
> Do you have any pointers on how to do that using JMX?  So far as I can tell
> from what little documentation I can find on the tomcat site, this is how
> it's done.
>
> I'm suspicious that there might be an issue in
> Tomcat's MbeansDescriptorsIntrospectionSource.createManagedBean(...)
> method.  I'm not familiar with the code, but it appears that there might be
> an issue with how that map is constructed.

+1

The operations map is keyed on method-name which means that overloads 
are not supported.

I suppose it's possible that the introspecter doesn't always get the 
methods back from the reflection process in exactly the same order, and 
the last one always wins. This would explain why it sometimes works and 
sometimes does not work.

The best solution would be to explicitly-define this operation in the 
MBeans XML-based registration. Then no introspection is necessary and we 
always get the right method.

-chris

> On Thu, Dec 14, 2023 at 4:25 AM Rémy Maucherat  wrote:
>
>> On Wed, Dec 13, 2023 at 9:43 PM Daniel Skiles
>>  wrote:
>>
>>> The object and operation I'm trying to address is Catalina -->
>>> ProtocolHandler -->  -->  --> operations --> addSslHostConfig.
>>>
>>> The parameters are an SslHostConfig object and the boolean value "true".
>>>
>>> The operation is "addSslHostConfig".
>>>
>>> The code I sent in the previous message works 100% of the time in 9.0.82.
>>> In 9.0.83, it works about 50% of the time.  I can always query that the
>>> operation exists, but roughly half the time it will fail with a JMX
>>> exception saying that the operation does not exist.
>>>
>>> I am not positive, but I believe the behavior in 9.0.83 might have to do
>>> with the fact that the catalina java code now has a one argument and two
>>> argument variant of the same method.
>>
>> I'm pretty sure you got the explanation right. It is very similar to
>> using reflection here. You're doing the lookup based on the method
>> name, which matches something. However, if you want to avoid an error,
>> you also have to check that the arguments match, otherwise you're
>> going to randomly pick one of the two methods and fail half the time.
>>
>> Rémy
>>
>>> On Wed, Dec 13, 2023 at 10:27 AM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>>> Daniel,
>>>>
>>>> On 12/12/23 19:45, Daniel Skiles wrote:
>>>>> I apologize for it being a bit rough - it's what I was using to
>>>>> troubleshoot locally.
>>>>>
>>>>> import static java.util.Objects.nonNull;
>>>>>
>>>>> import java.lang.management.ManagementFactory;
>>>>> import java.util.Arrays;
>>>>> import java.util.HashMap;
>>>>> import java.util.Map;
>>>>> import java.util.Optional;
>>>>> import java.util.function.Predicate;
>>>>>
>>>>> import javax.management.MBeanInfo;
>>>>> import javax.management.MBeanOperationInfo;
>>>>> import javax.management.MBeanServer;
>>>>> import javax.management.ObjectName;
>>>>>
>>>>> import org.apache.logging.log4j.LogManager;
>>>>> import org.apache.logging.log4j.Logger;
>>>>> import org.apache.tomcat.util.net.SSLHostConfig;
>>>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate;
>>>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
>>>>>
>>>>> @javax.annotation.ManagedBean
>>>>> public class MbeanFailure {
>>>>>     private static final Logger LOGGER = LogManager.getLogger();
>>>>>
>>>>>     private static final String LOCALHOST = "127.0.0.1";
>>>>>     private static final String SUBTYPE = "subType";
>>>>>     private static final String ADD_SSL_HOST_CONFIG_OP = "addSslHostConfig";
>>>>>
>>>>>     private static final Predicate<ObjectName> NOT_LOCALHOST = Predicate.not(on ->
>>>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(LOCALHOST));
>>>>>     private static final Predicate<ObjectName> NOT_SUBTYPE = Predicate.not(on ->
>>>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(SUBTYPE));
>>>>>
>>>>>     @javax.annotation.PostConstruct
>>>>>     public void run() throws Exception {
>>>>>         final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
>>>>>
>>>>>         final SSLHostConfig config = new SSLHostConfig();
>>>>>
>>>>>         config.setProtocols("TLSv1.2");
>>>>>         config.setHostName("test.test.com");
>>>>>         config.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
>>>>>
>>>>>         final SSLHostConfigCertificate cert = new SSLHostConfigCertificate(config, Type.UNDEFINED);
>>>>>
>>>>>         config.addCertificate(cert);
>>>>>         final Map<MBeanServer, ObjectName> references = getObjectReferences(server, "ProtocolHandler");
>>>>>
>>>>>         references.forEach((s, op) -> invoke(s, op, ADD_SSL_HOST_CONFIG_OP,
>>>>>             new Object[] {config}, new String[] {SSLHostConfig.class.getCanonicalName()}));
>>>>>     }
>>>>>
>>>>>     public Map<MBeanServer, ObjectName> getObjectReferences(final MBeanServer server,
>>>>>             final String discriminator) {
>>>>>         final Map<MBeanServer, ObjectName> results = new HashMap<>();
>>>>>
>>>>>         final Predicate<ObjectName> extendedFilters = NOT_LOCALHOST.and(NOT_SUBTYPE);
>>>>>
>>>>>         final Optional<ObjectName> candidate = server.queryNames(null, null).stream()
>>>>>             .filter(on -> nonNull(on.getCanonicalName()))
>>>>>             .filter(on -> on.getCanonicalName().contains(discriminator))
>>>>>             .filter(extendedFilters)
>>>>>             .findAny();
>>>>>
>>>>>         candidate.ifPresent(on -> results.put(server, on));
>>>>>
>>>>>         return Map.copyOf(results);
>>>>>     }
>>>>>
>>>>>     public Object invoke(final MBeanServer server, final ObjectName objectName,
>>>>>             final String method, final Object[] params, final String[] signature) {
>>>>>         try {
>>>>>             // This should return

Re: 9.0.83 addSslHostConfig JMX Operation Regression (Sample Code Attached)

2023-12-14 Thread Christopher Schultz

Daniel,

On 12/13/23 15:42, Daniel Skiles wrote:
> The object and operation I'm trying to address is Catalina -->
> ProtocolHandler -->  -->  --> operations --> addSslHostConfig.
>
> The parameters are an SslHostConfig object and the boolean value "true".
>
> The operation is "addSslHostConfig".
>
> The code I sent in the previous message works 100% of the time in 9.0.82.
> In 9.0.83, it works about 50% of the time.  I can always query that the
> operation exists, but roughly half the time it will fail with a JMX
> exception saying that the operation does not exist.
>
> I am not positive, but I believe the behavior in 9.0.83 might have to do
> with the fact that the catalina java code now has a one argument and two
> argument variant of the same method.

This is what I was trying to get you to say out loud, just so you know 
this was a potential issue.

I'm not sure why, but Tomcat's introspecter seems to be only registering 
one of those two methods. The one-argument method still exists... it 
simply calls the two-argument variant with the value of replace=value.

It's very surprising to me that this works 50% of the time. The JMX bean 
has exactly one operation defined: the two-argument version. So I'm not 
sure how you are ever able to invoke this operation with only a single 
argument.

-chris

> On Wed, Dec 13, 2023 at 10:27 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Daniel,
>>
>> On 12/12/23 19:45, Daniel Skiles wrote:
>>> I apologize for it being a bit rough - it's what I was using to
>>> troubleshoot locally.
>>>
>>> import static java.util.Objects.nonNull;
>>>
>>> import java.lang.management.ManagementFactory;
>>> import java.util.Arrays;
>>> import java.util.HashMap;
>>> import java.util.Map;
>>> import java.util.Optional;
>>> import java.util.function.Predicate;
>>>
>>> import javax.management.MBeanInfo;
>>> import javax.management.MBeanOperationInfo;
>>> import javax.management.MBeanServer;
>>> import javax.management.ObjectName;
>>>
>>> import org.apache.logging.log4j.LogManager;
>>> import org.apache.logging.log4j.Logger;
>>> import org.apache.tomcat.util.net.SSLHostConfig;
>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate;
>>> import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
>>>
>>> @javax.annotation.ManagedBean
>>> public class MbeanFailure {
>>>     private static final Logger LOGGER = LogManager.getLogger();
>>>
>>>     private static final String LOCALHOST = "127.0.0.1";
>>>     private static final String SUBTYPE = "subType";
>>>     private static final String ADD_SSL_HOST_CONFIG_OP = "addSslHostConfig";
>>>
>>>     // Filters on the canonical ObjectName; generic type restored from the usage below.
>>>     private static final Predicate<ObjectName> NOT_LOCALHOST = Predicate.not(on ->
>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(LOCALHOST));
>>>     private static final Predicate<ObjectName> NOT_SUBTYPE = Predicate.not(on ->
>>>         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(SUBTYPE));
>>>
>>>     @javax.annotation.PostConstruct
>>>     public void run() throws Exception {
>>>         final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
>>>
>>>         final SSLHostConfig config = new SSLHostConfig();
>>>
>>>         config.setProtocols("TLSv1.2");
>>>         config.setHostName("test.test.com");
>>>         config.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
>>>
>>>         final SSLHostConfigCertificate cert = new SSLHostConfigCertificate(config, Type.UNDEFINED);
>>>
>>>         config.addCertificate(cert);
>>>         final Map<MBeanServer, ObjectName> references = getObjectReferences(server, "ProtocolHandler");
>>>
>>>         // Only the one-argument signature is passed here.
>>>         references.forEach((s, op) -> invoke(s, op, ADD_SSL_HOST_CONFIG_OP,
>>>             new Object[] {config}, new String[] {SSLHostConfig.class.getCanonicalName()}));
>>>     }
>>>
>>>     public Map<MBeanServer, ObjectName> getObjectReferences(final MBeanServer server,
>>>             final String discriminator) {
>>>         final Map<MBeanServer, ObjectName> results = new HashMap<>();
>>>
>>>         final Predicate<ObjectName> extendedFilters = NOT_LOCALHOST.and(NOT_SUBTYPE);
>>>
>>>         final Optional<ObjectName> candidate = server.queryNames(null, null).stream()
>>>             .filter(on -> nonNull(on.getCanonicalName()))
>>>             .filter(on -> on.getCanonicalName().contains(discriminator))
>>>             .filter(extendedFilters)
>>>             .findAny();
>>>
>>>         candidate.ifPresent(on -> results.put(server, on));
>>>
>>>         return Map.copyOf(results);
>>>     }
>>>
>>>     public Object invoke(final MBeanServer server, final ObjectName objectName,
>>>             final String method, final Object[] params, final String[] signature) {
>>>         try {
>>>             // This should return addSslHostConfig(SSLHostConfig, boolean)
>>>             final MBeanInfo info = server.getMBeanInfo(objectName);
>>>
>>>             // Lookup is by operation name only; the signature is not compared.
>>>             final MBeanOperationInfo methodInfo = Arrays.stream(info.getOperations())
>>>                 .filter(i -> i.getName().equals(method))
>>>                 .findAny()
>>>                 .orElseThrow(() -> new RuntimeException("Could not find method named " + method));
>>>
>>>             LOGGER.error("Found available operation {}", methodInfo);
>>>
>>>             final Object result = server.invoke(objectName, method, params, signature);
>>>
>>>             return result;
>>>         } catch (final Exception e) {
>>>             throw new RuntimeException("Error invoking " + method + " with params " +
>>>                 Arrays.toString(params) + " and signature " + Arrays.toString(signature), e);
>>>         }
>>>     }
>>> }
>>
>> What objectName do you think you are addressing, here? What parameters
>> are you passing it and what types? What parameters and types are
>> expected by the operation you are trying to invoke?
>>
>> -chris
>>
>> On Fri, Dec 8, 2023 
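
A signature-aware lookup along the lines Rémy and Chris describe, added here as an example (it is neither Daniel's code nor Tomcat's own MBean registration): it resolves the operation by name and declared parameter types before calling invoke, and lists every registered overload when nothing matches, so an overloaded operation such as addSslHostConfig can never be picked at random. The ObjectName pattern `Catalina:type=ProtocolHandler,*` used in main is an assumption about how the connector MBeans are named.

```java
import java.lang.management.ManagementFactory;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Added example (not from the thread, not from Tomcat): resolve a JMX operation by
 * name AND parameter signature before invoking it. A name-only lookup finds "some"
 * addSslHostConfig; this one finds the overload whose signature matches the call.
 */
public final class SignatureAwareInvoker {

    private final MBeanServer server;

    public SignatureAwareInvoker(MBeanServer server) {
        this.server = server;
    }

    /** Fully qualified parameter type names the MBean declares for one operation, in order. */
    static String[] signatureOf(MBeanOperationInfo op) {
        return Arrays.stream(op.getSignature())
                     .map(MBeanParameterInfo::getType)
                     .toArray(String[]::new);
    }

    /** Every operation registered under the given name, whatever its arity. */
    static List<MBeanOperationInfo> overloads(MBeanInfo info, String name) {
        return Arrays.stream(info.getOperations())
                     .filter(op -> op.getName().equals(name))
                     .collect(Collectors.toList());
    }

    /**
     * Returns the operation whose name and declared parameter types match exactly,
     * or throws with every registered overload listed so the mismatch is obvious
     * (e.g. the caller passed one argument but only the two-argument form exists).
     */
    static MBeanOperationInfo resolve(MBeanInfo info, String name, String[] signature) {
        List<MBeanOperationInfo> candidates = overloads(info, name);
        return candidates.stream()
                .filter(op -> Arrays.equals(signatureOf(op), signature))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException(
                        "No operation " + name + Arrays.toString(signature)
                        + " on this MBean; registered: "
                        + candidates.stream()
                                    .map(op -> name + Arrays.toString(signatureOf(op)))
                                    .collect(Collectors.joining(", "))));
    }

    /** Invokes only after the exact signature has been confirmed against the MBeanInfo. */
    public Object invoke(ObjectName target, String name, Object[] params, String[] signature)
            throws Exception {
        MBeanInfo info = server.getMBeanInfo(target);
        // Fail here, with a precise message, rather than inside server.invoke().
        resolve(info, name, signature);
        return server.invoke(target, name, params, signature);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: list the addSslHostConfig overloads each ProtocolHandler
        // MBean actually exposes. The ObjectName pattern is an assumption.
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName pattern = new ObjectName("Catalina:type=ProtocolHandler,*");
        for (ObjectName on : server.queryNames(pattern, null)) {
            MBeanInfo info = server.getMBeanInfo(on);
            for (MBeanOperationInfo op : overloads(info, "addSslHostConfig")) {
                System.out.println(on + " -> addSslHostConfig" + Arrays.toString(signatureOf(op)));
            }
        }
    }
}
```
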

Re: security-constraint url-pattern question

2023-12-14 Thread Christopher Schultz

Kent,

On 12/14/23 09:13, ResSoft wrote:
> I am currently forcing my app to use https.  Here is what I have in my
> app web.xml file and it works as intended
>
> securedapp
> /*
>
>   CONFIDENTIAL
>
> I also now want to restrict the browser from pulling up files in certain =
> directories.  Search the web I see to use the following=20
>
> =

I hope this is just a stray = added by your email program. If it's not, 
please remove it.

> HTTP-Protected-Resource-1
> Description here
> /path to directory/path to =
> directory/*
> GET
> POST

What about HEAD requests? Or PUT? Or maybe FOO?

Don't forget that any client can try any HTTP method verb. It doesn't 
have to make any sense, and most code assumes GET unless it's looking 
for something else.

> These both work independently of each other.  What I can't
> figure out is how to make them work together.  When I try that, all
> files are forbidden as it appears the /*
> locks everything down.  But without it, I cannot get tomcat to force
> http to https.

Have you set a redirectPort in your HTTP ?

-chris



Re: [EXT] Datadog _ JMX Integration facing connection issues.

2023-12-14 Thread Christopher Schultz

Sai Vamsi,

On 12/14/23 00:26, Bodavula, Sai Vamsi Mohan Krishna (TR Technology) wrote:

Hi Chuck,
Thanks for jumping in.

That's what my concern is.
As previously added by Chris, I have added my annotations in CATALINA_OPTS,
which is preferred by the Java process for adding the annotations. But here, by
using CATALINA_OPTS, they are not reflected.

Whereas adding them in JAVA_TOOL_OPTIONS makes a process with Tomcat and a
process that listens on the mentioned port, but throws "port is already
bound"; as it's an environment variable, it's already looking for a port which
is already created, and throws a binding error.

Yesterday I thought of adding both formats, JAVA_TOOL_OPTIONS and
CATALINA_OPTS, in order to utilize the previous things, as below:

- name: JAVA_TOOL_OPTIONS
   value: {{ .Values.deployment.javaVMMemoryArgument }}

 - name: POD_IP
   valueFrom:
 fieldRef:
   fieldPath: status.podIP
 - name: CATALINA_OPTS
   value: >-
 -Dcom.sun.management.jmxremote
 -Dcom.sun.management.jmxremote.port=49151
 -Djava.rmi.server.hostname=$POD_IP
 -Dcom.sun.management.jmxremote.authenticate=false
 -Dcom.sun.management.jmxremote.ssl=false
 -Dcom.sun.management.jmxremote.local.only=false
 -Xms2048M -Xmx10240M

JAVA_TOOL_OPTIONS is: -XX:+UseStringDeduplication -XX:+UseContainerSupport
-Dcom.sun.management.jmxremote

just added to initiate a JMX process.

But nothing is working out.
I would like to request you for further inputs.


How are you launching Tomcat itself? Are you using catalina.sh or 
something similar, or do you use some kind of embedded-launch?


It sounds to me like using CATALINA_OPTS is causing Tomcat not to start 
at all. If you use JAVA_TOOL_OPTIONS (which Tomcat ignores), Tomcat will 
start but won't initialize JMX in the way you want it to.


The solution is to look at the log files that are produced when Tomcat 
launches (or fails to launch). Are you able to observe those?


It would be great to see the exact command Helm (or whatever) uses to 
attempt to launch Tomcat, and then the stdout/stderr of that attempt.


The diagnostic messages shown when a JVM refuses to start are usually 
pretty good. Same thing with Tomcat, though Tomcat usually starts even 
if e.g. no connectors are successfully started because there is no 
actual requirement for Tomcat to listen to any ports.


-chris



From: Chuck Caldarale 
Sent: Thursday, December 14, 2023 00:28
To: Tomcat Users List 
Subject: Re: [EXT] Datadog _ JMX Integration facing connection issues.



On Dec 13, 2023, at 10:36, Bodavula, Sai Vamsi Mohan Krishna (TR Technology) 
 wrote:

as you just asked .,
I do have a process with Catalina.

root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   
PID/Program name
tcp6   0  0 :::34753:::*LISTEN  
1/java
tcp6   0  0 :::9109 :::*LISTEN  
1/java
tcp6   0  0 :::10109:::*LISTEN  
1/java
root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# ^C
root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# ps aux | grep 
catalina
root 744  0.0  0.0   6460   680 pts/1S+   11:47   0:00 grep 
--color=auto catalina
root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/#



That shows only the grep process looking for catalina, not anything using 
catalina. If Tomcat were actually running, you’d see something like this 
(slightly reformatted for clarity):

chuck@Chuck-MacBookPro apache-tomcat-9.0.83 > ps aux | grep catalina
chuck16879   0.0  0.0 408626896   1376 s000  S+   12:53PM   0:00.00 
grep catalina
chuck16874   0.0  0.9 415316912 153296 s000  S12:53PM   0:02.66 
/Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/bin/java
-Djava.util.logging.config.file=/Users/chuck/Downloads/apache-tomcat-9.0.83/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Dtest_port=9090
-Dignore.endorsed.dirs=
-classpath
/Users/chuck/Downloads/apache-tomcat-9.0.83/bin/bootstrap.jar:/Users/chuck/Downloads/apache-tomcat-9.0.83/bin/tomcat-juli.jar
-Dcatalina.base=/Users/chuck/Downloads/apache-tomcat-9.0.83
-Dcatalina.home=/Users/chuck/Downloads/apache-tomcat-9.0.83
-Djava.io.tmpdir=/Users/chuck/Downloads/apache-tomcat-9.0.83/temp 
org.apache.catalina.startup.Bootstrap
start


   - Chuck





Re: 9.0.83 addSslHostConfig JMX Operation Regression (Sample Code Attached)

2023-12-14 Thread Daniel Skiles
Do you have any pointers on how to do that using JMX?  So far as I can tell
from what little documentation I can find on the tomcat site, this is how
it's done.

I'm suspicious that there might be an issue in
Tomcat's MbeansDescriptorsIntrospectionSource.createManagedBean(...)
method.  I'm not familiar with the code, but it appears that there might be
an issue with how that map is constructed.

On Thu, Dec 14, 2023 at 4:25 AM Rémy Maucherat  wrote:

> On Wed, Dec 13, 2023 at 9:43 PM Daniel Skiles
>  wrote:
> >
> > The object and operation I'm trying to address is Catalina -->
> > ProtocolHandler -->  -->  --> operations -->
> addSslHostConfig.
> >
> > The parameters are an SslHostConfig object and the boolean value "true".
> >
> > The operation is "addSslHostConfig".
> >
> > The code I sent in the previous message works 100% of the time in 9.0.82.
> > In 9.0.83, it works about 50% of the time.  I can always query that the
> > operation exists, but roughly half the time it will fail with a JMX
> > exception saying that the operation does not exist.
> >
> > I am not positive, but I believe the behavior in 9.0.83 might have to do
> > with the fact that the catalina java code now has a one argument and two
> > argument variant of the same method.
>
> I'm pretty sure you got the explanation right. It is very similar to
> using reflection here. You're doing the lookup based on the method
> name, which matches something. However, if you want to avoid an error,
> you also have to check that the arguments match, otherwise you're
> going to randomly pick one of the two methods and fail half the time.
>
> Rémy
>
> > On Wed, Dec 13, 2023 at 10:27 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Daniel,
> > >
> > > On 12/12/23 19:45, Daniel Skiles wrote:
> > > > I apologize for it being a bit rough - it's what I was using to
> > > > troubleshoot locally.
> > > >
> > > > import static java.util.Objects.nonNull;
> > > >
> > > > import java.lang.management.ManagementFactory;
> > > > import java.util.Arrays;
> > > > import java.util.HashMap;
> > > > import java.util.Map;
> > > > import java.util.Optional;
> > > > import java.util.function.Predicate;
> > > >
> > > > import javax.management.MBeanInfo;
> > > > import javax.management.MBeanOperationInfo;
> > > > import javax.management.MBeanServer;
> > > > import javax.management.ObjectName;
> > > >
> > > > import org.apache.logging.log4j.LogManager;
> > > > import org.apache.logging.log4j.Logger;
> > > > import org.apache.tomcat.util.net.SSLHostConfig;
> > > > import org.apache.tomcat.util.net.SSLHostConfigCertificate;
> > > > import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
> > > >
> > > > @javax.annotation.ManagedBean
> > > > public class MbeanFailure {
> > > >     private static final Logger LOGGER = LogManager.getLogger();
> > > >
> > > >     private static final String LOCALHOST = "127.0.0.1";
> > > >     private static final String SUBTYPE = "subType";
> > > >     private static final String ADD_SSL_HOST_CONFIG_OP = "addSslHostConfig";
> > > >
> > > >     private static final Predicate<ObjectName> NOT_LOCALHOST = Predicate.not(on ->
> > > >         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(LOCALHOST));
> > > >     private static final Predicate<ObjectName> NOT_SUBTYPE = Predicate.not(on ->
> > > >         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(SUBTYPE));
> > > >
> > > >     @javax.annotation.PostConstruct
> > > >     public void run() throws Exception {
> > > >         final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
> > > >
> > > >         final SSLHostConfig config = new SSLHostConfig();
> > > >
> > > >         config.setProtocols("TLSv1.2");
> > > >         config.setHostName("test.test.com");
> > > >         config.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
> > > >
> > > >         final SSLHostConfigCertificate cert = new SSLHostConfigCertificate(config, Type.UNDEFINED);
> > > >
> > > >         config.addCertificate(cert);
> > > >         final Map<MBeanServer, ObjectName> references = getObjectReferences(server, "ProtocolHandler");
> > > >
> > > >         references.forEach((s, op) -> invoke(s, op, ADD_SSL_HOST_CONFIG_OP, new Object[] {config},
> > > >             new String[] {SSLHostConfig.class.getCanonicalName()}));
> > > >     }
> > > >
> > > >     public Map<MBeanServer, ObjectName> getObjectReferences(final MBeanServer server,
> > > >             final String discriminator) {
> > > >
> > > >         final Map<MBeanServer, ObjectName> results = new HashMap<>();
> > > >
> > > >         final Predicate<ObjectName> extendedFilters = NOT_LOCALHOST.and(NOT_SUBTYPE);
> > > >
> > > >         final Optional<ObjectName> candidate = server.queryNames(null, null).stream()
> > > >             .filter(on -> nonNull(on.getCanonicalName()))
> > > >             .filter(on -> on.getCanonicalName().contains(discriminator))
> > > >             .filter(extendedFilters)
> > > >             .findAny();
> > > >
> > > >         candidate.ifPresent(on -> results.put(server, on));
> > > >
> > > >         return Map.copyOf(results);
> > > >     }
> > > >
> > > >     public Object invoke(final 
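
The ambiguity Rémy describes in the quoted reply, as an added example that is not code from the thread or from Tomcat: a hypothetical standard MBean `Demo` with a one-argument and a two-argument `addHostConfig`, registered under the made-up ObjectName `example:type=Demo`, stands in for the ProtocolHandler MBean with its two `addSslHostConfig` variants. It shows that filtering `MBeanOperationInfo` by name alone yields two candidates (so `findAny()` can hand back either), and that matching the parameter types reported by `MBeanParameterInfo.getType()` selects one variant deterministically before `invoke`. Tomcat's MBeans are built by its modeler rather than as standard MBeans, but the lookup over `MBeanInfo` is the same.

```java
import java.lang.management.ManagementFactory;
import java.util.Arrays;
import java.util.Optional;

import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Added example, not from the thread or from Tomcat: resolving an overloaded
// JMX operation by name *and* signature instead of by name alone.
public class OverloadedOperationLookup {

    // Hypothetical standard MBean interface; the name must be <Impl>MBean.
    public interface DemoMBean {
        String addHostConfig(String hostName);
        String addHostConfig(String hostName, boolean replace);
    }

    public static class Demo implements DemoMBean {
        @Override
        public String addHostConfig(String hostName) {
            return "one-arg:" + hostName;
        }

        @Override
        public String addHostConfig(String hostName, boolean replace) {
            return "two-arg:" + hostName + ":" + replace;
        }
    }

    // Parameter type names exactly as the MBean server reports them, which is
    // the Class.getName() form ("java.lang.String", "boolean", "[B", ...).
    static String[] signatureOf(MBeanOperationInfo op) {
        return Arrays.stream(op.getSignature())
                .map(MBeanParameterInfo::getType)
                .toArray(String[]::new);
    }

    // Name-only lookup as in the posted code: with an overloaded operation
    // this returns more than one candidate, so findAny() is a coin toss.
    static long countByName(MBeanInfo info, String name) {
        return Arrays.stream(info.getOperations())
                .filter(op -> op.getName().equals(name))
                .count();
    }

    // Name + signature lookup: at most one operation can match.
    static Optional<MBeanOperationInfo> findOperation(MBeanInfo info, String name, String[] signature) {
        return Arrays.stream(info.getOperations())
                .filter(op -> op.getName().equals(name))
                .filter(op -> Arrays.equals(signature, signatureOf(op)))
                .findFirst();
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example:type=Demo"); // made-up name
        server.registerMBean(new Demo(), name);
        try {
            MBeanInfo info = server.getMBeanInfo(name);
            System.out.println("operations named addHostConfig: " + countByName(info, "addHostConfig"));

            // Build the signature from the parameter types of the variant we
            // actually want, then pass the same array to invoke().
            String[] twoArg = { String.class.getName(), boolean.class.getName() };
            MBeanOperationInfo op = findOperation(info, "addHostConfig", twoArg)
                    .orElseThrow(() -> new IllegalStateException("no addHostConfig(String, boolean)"));
            System.out.println("matched: " + op.getName() + Arrays.toString(signatureOf(op)));
            System.out.println(server.invoke(name, "addHostConfig",
                    new Object[] { "test.example", Boolean.TRUE }, twoArg));

            // The one-argument variant is selected the same way.
            String[] oneArg = { String.class.getName() };
            System.out.println(server.invoke(name, "addHostConfig",
                    new Object[] { "test.example" }, oneArg));
        } finally {
            server.unregisterMBean(name);
        }
    }
}
```

Compile and run with a JDK 11 or later; nothing from Tomcat is needed on the classpath. One caveat on the signature strings: they must be in `Class.getName()` form. For a top-level class such as `SSLHostConfig` that is the same as `getCanonicalName()`, but for a nested class the two differ (`Outer$Inner` versus `Outer.Inner`) and only the former matches what the MBean server compares against.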

security-constraint url-pattern question

2023-12-14 Thread ResSoft
I am currently forcing my app to use https.  Here is what I have in my
app web.xml file and it works as intended



   securedapp
   /*
   
   
 CONFIDENTIAL
   
 

I also now want to restrict the browser from pulling up files in certain
directories.  Searching the web I see to use the following



HTTP-Protected-Resource-1
Description here
/path to directory/path to directory/*
GET
POST




These both work independently of each other.  What I can't
figure out is how to make them work together.  When I try that, all
files are forbidden as it appears the /*
locks everything down.  But without it, I cannot get tomcat to force
http to https.

Can anyone help with this?

Thanks,

Kent Cole
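
A web.xml that combines the two constraints from this question and Chris's reply above, as an added example rather than Kent's own file: the HTTPS-everywhere constraint on `/*` and a deny-all constraint on one directory. `/private/` is a placeholder for the directory in the question, the namespace is the Servlet 4.0 one that Tomcat 9 uses (Tomcat 10.1 uses `https://jakarta.ee/xml/ns/jakartaee` with `version="6.0"`), and the comments explain the two points that bite in practice: the container selects constraints by the best-matching url-pattern, so a constraint on `/private/*` is consulted instead of, not in addition to, the one on `/*`; and listing `http-method` elements covers only those verbs, which is why Chris asks about HEAD, PUT and "FOO".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the web.xml from the question. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <!-- Constraint 1: everything must be served over TLS. There is no
       auth-constraint, so this grants access to anyone; it only forces
       the request onto the Connector's redirectPort. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: nothing under /private/ (placeholder path) may be served
       to anyone. No http-method elements, so every verb is covered, and an
       empty auth-constraint denies all callers whether authenticated or not.
       The transport-guarantee is repeated on purpose: for /private/x the
       best-matching pattern is /private/*, so only this constraint applies
       and the CONFIDENTIAL guarantee on /* is not inherited. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTP-Protected-Resource-1</web-resource-name>
      <description>Directory that must never be served</description>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- If some constraint does list http-method elements (GET, POST), this
       Servlet 3.1+ switch makes the container reject the verbs the list
       leaves out (HEAD, PUT, OPTIONS, anything made up) instead of letting
       them through unconstrained. -->
  <deny-uncovered-http-methods/>
</web-app>
```

For the redirect to work, the plain-HTTP `<Connector>` in server.xml needs a `redirectPort` that points at a port where a TLS connector is actually listening; that is the setting Chris asks about. Requests to `/private/*` are answered with 403 regardless of scheme, which is the intended outcome for a directory that should never be served.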




Re: 9.0.83 addSslHostConfig JMX Operation Regression (Sample Code Attached)

2023-12-14 Thread Rémy Maucherat
On Wed, Dec 13, 2023 at 9:43 PM Daniel Skiles
 wrote:
>
> The object and operation I'm trying to address is Catalina -->
> ProtocolHandler -->  -->  --> operations --> addSslHostConfig.
>
> The parameters are an SslHostConfig object and the boolean value "true".
>
> The operation is "addSslHostConfig".
>
> The code I sent in the previous message works 100% of the time in 9.0.82.
> In 9.0.83, it works about 50% of the time.  I can always query that the
> operation exists, but roughly half the time it will fail with a JMX
> exception saying that the operation does not exist.
>
> I am not positive, but I believe the behavior in 9.0.83 might have to do
> with the fact that the catalina java code now has a one argument and two
> argument variant of the same method.

I'm pretty sure you got the explanation right. It is very similar to
using reflection here. You're doing the lookup based on the method
name, which matches something. However, if you want to avoid an error,
you also have to check that the arguments match, otherwise you're
going to randomly pick one of the two methods and fail half the time.

Rémy

> On Wed, Dec 13, 2023 at 10:27 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Daniel,
> >
> > On 12/12/23 19:45, Daniel Skiles wrote:
> > > I apologize for it being a bit rough - it's what I was using to
> > > troubleshoot locally.
> > >
> > > import static java.util.Objects.nonNull;
> > >
> > > import java.lang.management.ManagementFactory;
> > > import java.util.Arrays;
> > > import java.util.HashMap;
> > > import java.util.Map;
> > > import java.util.Optional;
> > > import java.util.function.Predicate;
> > >
> > > import javax.management.MBeanInfo;
> > > import javax.management.MBeanOperationInfo;
> > > import javax.management.MBeanServer;
> > > import javax.management.ObjectName;
> > >
> > > import org.apache.logging.log4j.LogManager;
> > > import org.apache.logging.log4j.Logger;
> > > import org.apache.tomcat.util.net.SSLHostConfig;
> > > import org.apache.tomcat.util.net.SSLHostConfigCertificate;
> > > import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
> > >
> > > @javax.annotation.ManagedBean
> > > public class MbeanFailure {
> > >     private static final Logger LOGGER = LogManager.getLogger();
> > >
> > >     private static final String LOCALHOST = "127.0.0.1";
> > >     private static final String SUBTYPE = "subType";
> > >     private static final String ADD_SSL_HOST_CONFIG_OP = "addSslHostConfig";
> > >
> > >     private static final Predicate<ObjectName> NOT_LOCALHOST = Predicate.not(on ->
> > >         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(LOCALHOST));
> > >     private static final Predicate<ObjectName> NOT_SUBTYPE = Predicate.not(on ->
> > >         Optional.ofNullable(on).map(ObjectName::getCanonicalName).orElse("").contains(SUBTYPE));
> > >
> > >     @javax.annotation.PostConstruct
> > >     public void run() throws Exception {
> > >         final MBeanServer server = ManagementFactory.getPlatformMBeanServer();
> > >
> > >         final SSLHostConfig config = new SSLHostConfig();
> > >
> > >         config.setProtocols("TLSv1.2");
> > >         config.setHostName("test.test.com");
> > >         config.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
> > >
> > >         final SSLHostConfigCertificate cert = new SSLHostConfigCertificate(config, Type.UNDEFINED);
> > >
> > >         config.addCertificate(cert);
> > >         final Map<MBeanServer, ObjectName> references = getObjectReferences(server, "ProtocolHandler");
> > >
> > >         references.forEach((s, op) -> invoke(s, op, ADD_SSL_HOST_CONFIG_OP, new Object[] {config},
> > >             new String[] {SSLHostConfig.class.getCanonicalName()}));
> > >     }
> > >
> > >     public Map<MBeanServer, ObjectName> getObjectReferences(final MBeanServer server,
> > >             final String discriminator) {
> > >
> > >         final Map<MBeanServer, ObjectName> results = new HashMap<>();
> > >
> > >         final Predicate<ObjectName> extendedFilters = NOT_LOCALHOST.and(NOT_SUBTYPE);
> > >
> > >         final Optional<ObjectName> candidate = server.queryNames(null, null).stream()
> > >             .filter(on -> nonNull(on.getCanonicalName()))
> > >             .filter(on -> on.getCanonicalName().contains(discriminator))
> > >             .filter(extendedFilters)
> > >             .findAny();
> > >
> > >         candidate.ifPresent(on -> results.put(server, on));
> > >
> > >         return Map.copyOf(results);
> > >     }
> > >
> > >     public Object invoke(final MBeanServer server, final ObjectName objectName,
> > >             final String method, final Object[] params, final String[] signature) {
> > >         try {
> > >             //This should return addSslHostConfig(SSLHostConfig, boolean)
> > >             final MBeanInfo info = server.getMBeanInfo(objectName);
> > >
> > >             final MBeanOperationInfo methodInfo = Arrays.stream(info.getOperations())
> > >                 .filter(i -> i.getName().equals(method))
> > >                 .findAny()
> > >                 .orElseThrow(() -> new RuntimeException("Could not find method named " + method));
> > >
> > >             LOGGER.error("Found available operation {}", methodInfo);
> > >
> > >             final Object result = server.invoke(objectName, method, params, signature);
> > >             return result;
> > >         }