from:"\?\?\?\?"

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-29 Thread Eric Robinson

Hi Mark,


> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, May 29, 2024 5:35 AM
> To: users@tomcat.apache.org
> Subject: Re: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
> On 29/05/2024 10:26, Mark Thomas wrote:
> > On 28/05/2024 16:26, Eric Robinson wrote:
> >
> > 
> >
> >> Took a bunch of thread and heap dumps during today's painful debacle.
> >> Will send a link to those as soon as I can.
> >
> > Thanks. I have them. I have taken a look and I am starting to form a
> > theory. To help with that I have a couple of questions.
>
> Scratch that. I've found some further information in the data Eric sent me 
> off-
> list and I am now pretty sure what is going on.
>
> There are multiple web applications deployed on the servers. I assume there 
> are
> related but it actually doesn't matter.
>
> At least one application is using the "new" MySQL JDBC driver:
> com.mysql.cj.jdbc.Driver
>
> At least one application is using the "old" MySQL JDBC driver:
> com.mysql.jdbc.Driver
>
>
> (I've told Eric off-list which application is using which).
>
> There are, therefore, two drivers registered with the java.sql.DriverManager
>
>
> The web applications are not using connection pooling. Or, if they are using 
> it,
> they are using it very inefficiently. The result is that there is a high 
> volume of
> calls to create new database connections.
>
> This is problem number 1. Creating a database connection is expensive.
> That is why the concept of database connection pooling was created.
>
>
> When a new connection is created, java.sql.DriverManager iterates over the 
> list
> of registered drivers and
> - tests to see if the current class loader can see the driver
> - if yes, tests to see if that driver can service the connection url
> - if yes, use it and exit
> - go on to the next driver in the list and repeat
>
> The test to see if the current class loader can use the driver is, 
> essentially, to
> call Class.forName(driver.getClass(), true, classloader)
>
> And that is problem number 2. That check is expensive if the current class
> loader can't load that driver.
>
>
> It is also problem number 3. The reason it is expensive is that class
> loaders don't cache misses so if a web application has a large number of
> JARs, they all get scanned every time the DriverManager tries to create
> a new connection.
>
>
> The slowness occurs in the web application that depends on the second
> JDBC driver in DriverManager's list. When a request that requires a
> database connection is received, there is a short delay while the web
> application tries, and fails, to load the first JDBC driver in the list.
> Class loading is synchronized on class name being loaded so if any other
> requests also need a database connection, they have to wait for this
> request to finish the search for the JDBC driver before they can
> continue. This creates a bottleneck. Requests are essentially rate
> limited to 1 request that requires a database connection per however
> long it takes to scan every JAR in the web application for a class that
> isn't there. If the average rate of requests exceeds this rate limit
> then a queue is going to build up and it won't subside until the average
> rate of requests falls below this rate limit.
>
>
>
> Problem number 1 is an application issue. It should be using pooling. It
> seems unlikely that we'll see a solution from the application vendor and
> - even if the vendor does commit to a fix - I suspect it will take months.
>
>
> Problem number 2 is a JRE issue. I think there are potentially more
> efficient ways to perform that check but that needs research as things
> like OSGI and JPMS make class loading more complicated.
>
>
> Problem number 3 is a Tomcat issue. It should be relatively easy to
> start caching misses (i.e. this class loader cannot load this class) and
> save the time spent repeatedly scanning JARs for a class that isn't there.
>
>
> I intend to wok on a patch for Tomcat that will add caching that should
> speed things up considerably. I hope to have something for Eric to test
> today but it might take me until tomorrow as I have a few other time
> critical things fighting to get tot he top of my TODO list at the moment.
>
>
> Moving the JDBC driver JARs from WEB-INF/lib to $CATALINA_BASE/lib may
> also be a short-term fix but is likely to create problems if the same
> JAR ever exists in both locations at the same time.
>
>
> Mark
>

That's some great sleuthing and the explanation makes a ton of sense. It leaves 
me with a couple of questions.

If you are correct, then it follows that historic activity has been hovering 
dangerously near the threshold where this symptom would manifest. Within the 
past month, an unknown change in the system climate now causes an uptick in the 
number of DB requests/second at roughly the same time daily (with occasional 
exceptions) and the system begins to trip over its own feet. I haven't seen

Re: Query integrating Apache Tomcat with Azure Sentinel via a data connector on Azure Sentinel

2024-05-29 Thread Olaf Kock


Hi Kele,

On 29.05.24 13:53, Kele Masemola wrote:

Good day ,

We are trying to integrate Apache Tomcat with Azure Sentinel, we realized that 
the agent that needs to be installed on our Apache Tomcat machines will be 
deprecated in August 2024 and as such we would like to find out if there is 
another agent that will be provided to Microsoft as part of the Apache Tomcat 
data connector on Azure Sentinel?

If there will be a new agent provided, please advise on timeframes of when it 
will be available on Azure Sentinel.

If there is no new agent that will be provided from an Apache Tomcat 
perspective, could you please advise if the current available agent on Azure 
Sentinel will still be able to ingest logs accordingly after it has been 
deprecated?


The documentation
(https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/sentinel/data-connectors/apache-tomcat.md)
and your statement ("needs to be installed") looks like this is not a
Tomcat feature, but an extra plugin by Microsoft (in fact, the
documentation lists: "Supported by: Microsoft Corporation".

From that point of view, I don't expect anything to be provided "from
an Apache Tomcat perspective". It has never been provided in the first
place. You might find more information in Microsoft's statements about
the deprecation of their own component, and what they recommend to use
instead.

(Somebody correct me if I'm wrong and there's something on the roadmap,
or already in and I've missed it)

Olaf

Query integrating Apache Tomcat with Azure Sentinel via a data connector on Azure Sentinel

2024-05-29 Thread Kele Masemola

Good day ,

We are trying to integrate Apache Tomcat with Azure Sentinel, we realized that 
the agent that needs to be installed on our Apache Tomcat machines will be 
deprecated in August 2024 and as such we would like to find out if there is 
another agent that will be provided to Microsoft as part of the Apache Tomcat 
data connector on Azure Sentinel?

If there will be a new agent provided, please advise on timeframes of when it 
will be available on Azure Sentinel.

If there is no new agent that will be provided from an Apache Tomcat 
perspective, could you please advise if the current available agent on Azure 
Sentinel will still be able to ingest logs accordingly after it has been 
deprecated?

Your assistance with this will be greatly appreciated.

Regards
Kele Masemola

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-29 Thread Mark Thomas


On 29/05/2024 10:26, Mark Thomas wrote:

On 28/05/2024 16:26, Eric Robinson wrote:



Took a bunch of thread and heap dumps during today's painful debacle. 
Will send a link to those as soon as I can.


Thanks. I have them. I have taken a look and I am starting to form a 
theory. To help with that I have a couple of questions.


Scratch that. I've found some further information in the data Eric sent 
me off-list and I am now pretty sure what is going on.


There are multiple web applications deployed on the servers. I assume 
there are related but it actually doesn't matter.


At least one application is using the "new" MySQL JDBC driver:
com.mysql.cj.jdbc.Driver

At least one application is using the "old" MySQL JDBC driver:
com.mysql.jdbc.Driver


(I've told Eric off-list which application is using which).

There are, therefore, two drivers registered with the java.sql.DriverManager


The web applications are not using connection pooling. Or, if they are 
using it, they are using it very inefficiently. The result is that there 
is a high volume of calls to create new database connections.


This is problem number 1. Creating a database connection is expensive. 
That is why the concept of database connection pooling was created.



When a new connection is created, java.sql.DriverManager iterates over 
the list of registered drivers and

- tests to see if the current class loader can see the driver
- if yes, tests to see if that driver can service the connection url
- if yes, use it and exit
- go on to the next driver in the list and repeat

The test to see if the current class loader can use the driver is, 
essentially, to call Class.forName(driver.getClass(), true, classloader)


And that is problem number 2. That check is expensive if the current 
class loader can't load that driver.



It is also problem number 3. The reason it is expensive is that class 
loaders don't cache misses so if a web application has a large number of 
JARs, they all get scanned every time the DriverManager tries to create 
a new connection.



The slowness occurs in the web application that depends on the second 
JDBC driver in DriverManager's list. When a request that requires a 
database connection is received, there is a short delay while the web 
application tries, and fails, to load the first JDBC driver in the list. 
Class loading is synchronized on class name being loaded so if any other 
requests also need a database connection, they have to wait for this 
request to finish the search for the JDBC driver before they can 
continue. This creates a bottleneck. Requests are essentially rate 
limited to 1 request that requires a database connection per however 
long it takes to scan every JAR in the web application for a class that 
isn't there. If the average rate of requests exceeds this rate limit 
then a queue is going to build up and it won't subside until the average 
rate of requests falls below this rate limit.




Problem number 1 is an application issue. It should be using pooling. It 
seems unlikely that we'll see a solution from the application vendor and 
- even if the vendor does commit to a fix - I suspect it will take months.



Problem number 2 is a JRE issue. I think there are potentially more 
efficient ways to perform that check but that needs research as things 
like OSGI and JPMS make class loading more complicated.



Problem number 3 is a Tomcat issue. It should be relatively easy to 
start caching misses (i.e. this class loader cannot load this class) and 
save the time spent repeatedly scanning JARs for a class that isn't there.



I intend to wok on a patch for Tomcat that will add caching that should 
speed things up considerably. I hope to have something for Eric to test 
today but it might take me until tomorrow as I have a few other time 
critical things fighting to get tot he top of my TODO list at the moment.



Moving the JDBC driver JARs from WEB-INF/lib to $CATALINA_BASE/lib may 
also be a short-term fix but is likely to create problems if the same 
JAR ever exists in both locations at the same time.



Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-29 Thread Mark Thomas


On 28/05/2024 16:26, Eric Robinson wrote:




Took a bunch of thread and heap dumps during today's painful debacle. Will send 
a link to those as soon as I can.


Thanks. I have them. I have taken a look and I am starting to form a 
theory. To help with that I have a couple of questions.


1. Could you tell me where the JDBC driver JAR is located. Is it in 
WEB-INF/lib for the web application(s) or is it in $CATALINA_BASE/lib ?


2. How big is WEB-INF/lib for the web application(s)? How many JAR files 
and what is the total size on disk of that directory?


3. Would you be prepared to run Tomcat in production with a binary patch 
(against 9.0.80). This would involve placing one or more class files in 
the right directory structure under $CATALINA_BASE/lib either to collect 
additional debug logging or to test a potential fix.




Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: PersistentManager and ClassNotFoundException

2024-05-28 Thread Christopher Schultz


Jakub,

On 5/24/24 09:31, Jakub Królikowski wrote:

On Fri, May 24, 2024 at 11:23 AM Mark Thomas  wrote:


Can you provide the simplest web application (with source) that
replications the problem?

Mark


On 23/05/2024 23:45, Jakub Królikowski wrote:

Hi,

I'm working with Tomcat 10.1.

When a user starts using the store in my web application, I save the
ShopCart object on the "cart" session attribute.
I want the "cart" attributes to return to the session after restarting

the

app.


To enable session persistence I added



to the Context. It loads the StandardManager.

And this works fine - after reload / restart the object "ShopCart" is

back

in the session.



I want to experiment with PersistentManager. Tomcat docs says: "
The persistence across restarts provided by the *StandardManager* is a
simpler implementation than that provided by the *PersistentManager*. If
robust, production quality persistence across restarts is required then

the

*PersistentManager* should be used with an appropriate configuration.

"

I hope for a Listener of deserialization of the session attributes.

The new Manager configuration looks like this:







But it doesn't work. After restart I get this exception:


java.lang.ClassNotFoundException: ShopCart

at


org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1332)


at


org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1144)


at java.base/java.lang.Class.forName0(Native Method)

at java.base/java.lang.Class.forName(Class.java:534)

at java.base/java.lang.Class.forName(Class.java:513)

at


org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:158)


at
java.base/java.io

.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2061)


at
java.base/java.io

.ObjectInputStream.readClassDesc(ObjectInputStream.java:1927)


at
java.base/java.io

.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2252)


at
java.base/java.io

.ObjectInputStream.readObject0(ObjectInputStream.java:1762)


at
java.base/java.io

.ObjectInputStream.readObject(ObjectInputStream.java:540)


at
java.base/java.io

.ObjectInputStream.readObject(ObjectInputStream.java:498)


at


org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1198)


at


org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:831)


at org.apache.catalina.session.FileStore.load(FileStore.java:203)

at

org.apache.catalina.session.StoreBase.processExpires(StoreBase.java:138)


at


org.apache.catalina.session.PersistentManagerBase.processExpires(PersistentManagerBase.java:409)


at


org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:587)


at


org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:4787)


at


org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1172)


at


org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)


at


org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)


at


org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1154)


at


java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)






at


java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)


at


java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)


at


java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)


at


java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)


at


org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)


at java.base/java.lang.Thread.run(Thread.java:1583)


I guess this means that the two managers use ClassLoader differently.
How to get the PersistentManager to work in this case?

Best regards,
--
Jakub Królikowski



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Hi Mark,
It seems to me that this can be tested on any application.
In Tomcat 10.1, if any session attribute is an instance of a new public
class (unknown to Tomcat and to Tomcat class loader), implementing
java.io.Serializable,
then on reloading the application PersistanceManager (configured as in the
first message) crashes with ClassNotFoundException. StandardManager works.
I don't know if this problem occurred in earlier versions of Tomcat.

If you fail to reproduce this bug, let me know, I will prepare a simple web
app.


Where is your  configuration located? It *should* be inside 
your  located in META-INF/context.xml in your web application. 
If it's in there, then

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-28 Thread Eric Robinson

Hi Mark,

See comments below.


> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, May 28, 2024 9:32 AM
> To: Tomcat Users List 
> Subject: Re: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
> Hi Eric,
>
> Follow-up observsations and comments in-line.
>
> >> What time does this problem start?
> >
> > It typically starts around 9:15 am EDT and goes until around 10:30 am.
>
> Does that match the time of highest request load from the customer?
> Rather than a spike, I'm wondering if the problem is triggered once load
> exceeds some threshold.
>

My nginx proxy console only shows live activity and does not keep a history, 
but I can probably script something to parse the localhost_access logs and 
graph request counts on a per-minute basis. Will work on that.

> > We finished and implemented the script yesterday, so today will be the first
> day that it produces results. It watches the catalina.out file for stuck 
> thread
> detection warnings. When the number of stuck threads exceeds a threshold,
> then it starts doing thread dumps every 60 seconds until the counts drops back
> down below the threshold. The users typically do not complain of slowness 
> until
> the stuck thread count exceeds 20, and during that time the threads often take
> up to a minute or more to complete. It's too late today to change the timings,
> but if it does not produce any actionable intel, we can adjust them tonight.
>
> Lets see what that produces and go from there.
>

Took a bunch of thread and heap dumps during today's painful debacle. Will send 
a link to those as soon as I can.

> > The vendor claims that the feature uses a different server and does not send
> requests to the slow ones, so it has been re-enabled at the customer's 
> request.
> We may ask them to disable it again until we get this issue resolved.
>
> Noted.
>
> > This customer sends about 1.5 million requests to each load-balanced
> > server during a typical production day. Most other customers send much
> > less, often only a fraction of that. However, at least one customer
> > sends about 2 million to the same server, and they don't see the
> > problem. (I will check if they have the AI feature enabled.)
>
> Hmm. Whether that other customer has the AI feature enabled would be an
> interesting data point.

I will ask them right after I send this message. They are usually a little slow 
to respond.

>
> >> Can we see the full stack trace please.
> >
> > Here's one example.
>
> 
>
> >  java.lang.Throwable
> >  at
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoa
> derBase.java:1252)
> >  at
> > org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClass
> > LoaderBase.java:1220)
>
> 
>
> That is *very* interesting. That is the start of a synch block in the class 
> loader. It
> should complete quickly. The full thread dump should tell us what is holding 
> the
> lock. If we are lucky we'll be able to tell why the lock is being held for so 
> long.
>
> We might need to reduce the time between thread dumps to figure out what
> the thread that is blocking everything is doing. We'll see.
>
> > The app has DB connection details in two places. First, it uses a database
> connection string in a .properties file, as follows. This string handles most
> connections to the DB.
> >
> > mobiledoc.DBUrl=jdbc:mysql://ha52a:5791
> >
> mobiledoc.DBName=mobiledoc_791?useSSL=false=rou
> nd
> >
> =false=true
> > esOnException=true=false=tru
> > e=true
> > mobiledoc.DBUser=
> > mobiledoc.DBPassword=
>
> OK. That seems unlikely to be using connection pooling although the 
> application
> might be pooling internally.
>

Based on lots of previous observation, I don't think they are. The comms 
between the app and DB are choppy, with only about 1-5 queries per TCP 
connection. If they are pooling, they are not doing it aggressively.

> > It also has second DB config specifically for a drug database.
> >
> > 
> >
> >
> >  
> >  
> >  
> >  c:\out.log
> >
> >
> >
> >
> >
> >  
> >
> INSERT_CONTEXT_FACTORY FACTORY>
> >  INSERT_JNDI_URL
> >  INSERT_USER_NAME
> >  INSERT_PASSWORD
> >  INSERT_LOOKUP_NAME
> >  com.mysql.jdbc.Driver
> >
> jdbc:mysql://dbclust54:5791/medispan?sessionVariables=wait_timeout=2
> 8800,interactive_timeout=28800
> >  redacted
> >  redacted
> >  10
> >  5000
> >
> >
> >
> >
> >  true
> >  0
> >  1800
> >
> > 
>
> Hmm. There is a pool size setting there but we can't tell if it is being used.
>
> >> Is that Tomcat 9.0.80 as provided by the ASF?
>
> An explicit answer to this question would be helpful.
>

Didn't mean to seem evasive. Yes, it's from the ASF.


> In terms of the way forward, we need to see to thread dumps when the problem
> is happening to figure out where the blockage is happening and
> (hopefully) why.
>
> Mark

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-28 Thread Mark Thomas

Hi Eric,

Follow-up observsations and comments in-line.

What time does this problem start?

It typically starts around 9:15 am EDT and goes until around 10:30 am.

Does that match the time of highest request load from the customer?
Rather than a spike, I'm wondering if the problem is triggered once load
exceeds some threshold.

We finished and implemented the script yesterday, so today will be the first
day that it produces results. It watches the catalina.out file for stuck thread
detection warnings. When the number of stuck threads exceeds a threshold, then
it starts doing thread dumps every 60 seconds until the counts drops back down
below the threshold. The users typically do not complain of slowness until the
stuck thread count exceeds 20, and during that time the threads often take up
to a minute or more to complete. It's too late today to change the timings, but
if it does not produce any actionable intel, we can adjust them tonight.

Lets see what that produces and go from there.

The vendor claims that the feature uses a different server and does not send
requests to the slow ones, so it has been re-enabled at the customer's request.
We may ask them to disable it again until we get this issue resolved.

Noted.

This customer sends about 1.5 million requests to each load-balanced server
during a typical production day. Most other customers send much less, often
only a fraction of that. However, at least one customer sends about 2 million
to the same server, and they don't see the problem. (I will check if they have
the AI feature enabled.)

Hmm. Whether that other customer has the AI feature enabled would be an
interesting data point.

Can we see the full stack trace please.

Here's one example.

java.lang.Throwable
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1252)
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1220)

That is *very* interesting. That is the start of a synch block in the
class loader. It should complete quickly. The full thread dump should
tell us what is holding the lock. If we are lucky we'll be able to tell
why the lock is being held for so long.

We might need to reduce the time between thread dumps to figure out what
the thread that is blocking everything is doing. We'll see.

The app has DB connection details in two places. First, it uses a database
connection string in a .properties file, as follows. This string handles most
connections to the DB.

mobiledoc.DBUrl=jdbc:mysql://ha52a:5791
mobiledoc.DBName=mobiledoc_791?useSSL=false=round=false=true=true=false=true=true
mobiledoc.DBUser=
mobiledoc.DBPassword=

OK. That seems unlikely to be using connection pooling although the
application might be pooling internally.

It also has second DB config specifically for a drug database.

c:\out.log

INSERT_CONTEXT_FACTORY
INSERT_JNDI_URL
INSERT_USER_NAME
INSERT_PASSWORD
INSERT_LOOKUP_NAME
com.mysql.jdbc.Driver

jdbc:mysql://dbclust54:5791/medispan?sessionVariables=wait_timeout=28800,interactive_timeout=28800
redacted
redacted
10
5000

true
0
1800

Hmm. There is a pool size setting there but we can't tell if it is being
used.

Is that Tomcat 9.0.80 as provided by the ASF?

An explicit answer to this question would be helpful.

In terms of the way forward, we need to see to thread dumps when the
problem is happening to figure out where the blockage is happening and
(hopefully) why.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-28 Thread Eric Robinson

Hi Mark,

> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, May 28, 2024 3:42 AM
> To: users@tomcat.apache.org
> Subject: Re: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
> Hi Eric,
>
> I have a some follow-up questions in-line. I have also read the other 
> messages in
> this thread and added a couple of additional questions based on what I read in
> those threads.
>
>
> On 26/05/2024 02:58, Eric Robinson wrote:
> > One of our hosting customers is a medical practice using a commercial EMR
> running on tomcat+mysql. It has operated well for over a year, but users have
> suddenly begun experiencing slowness for about an hour at the same time
> every day.
>
> What time does this problem start?
>

It typically starts around 9:15 am EDT and goes until around 10:30 am.

> Does it occur every day of the week including weekends?
>

Most weekdays. There have been 1 or 2 weekdays when it seems that symptom 
inexplicably did not appear. I'm not sure about weekends, as the medical 
practice does not work on those days.

> How does the slowness correlate to:
> - request volume
> - requests to any particular URL(s)?
> - requests from any particular client IP?
> - any other attribute of the request?
>

> (I'm trying to see if there is something about the requests that triggers the
> issue.)
>

We have not seen anything stand out. There are no apparent spikes in request 
volume. The slowness appears to impact all parts of the system (meaning all 
URLs). It manifests for the customer, but we have also seen it when we connect 
to the app internally, behind the firewall and reverse proxy, directly to the 
tomcat server from a workstation connected to the same switch.

> > During the slow times, we've done all the usual troubleshooting to catch the
> problem in the act. The servers have plenty of power and are not overworked.
> There are no slow database queries. Network connectivity is solid. Tomcat has
> plenty of memory. The numbers of database connections, threads, questions,
> queries, etc., remain steady, without spikes. There is no unusual disk 
> latency.
> We have not found any maintenance tasks running during that timeframe.
>
> I would usually suggest taking three thread dumps approximately 5s apart and
> then diffing them to try and spot "slow moving" threads.
>

> I see you have scripted trigger a thread dump when the slowness hits. If you
> haven't already, please configure it to capture (at least) 3 dumps
> ~5 seconds apart.
>
> (If we can spot the slow moving threads we might be able to identify what it 
> is
> that makes them slow moving.)
>

We finished and implemented the script yesterday, so today will be the first 
day that it produces results. It watches the catalina.out file for stuck thread 
detection warnings. When the number of stuck threads exceeds a threshold, then 
it starts doing thread dumps every 60 seconds until the counts drops back down 
below the threshold. The users typically do not complain of slowness until the 
stuck thread count exceeds 20, and during that time the threads often take up 
to a minute or more to complete. It's too late today to change the timings, but 
if it does not produce any actionable intel, we can adjust them tonight.

> > The customer has another load-balanced tomcat instance on a different
> physical server, and the problem happens on that one, too. The servers were
> upgraded with a new kernel and packages on 4/5/24, but the issue did not
> appear until 5/6/24. The vendor enabled a new feature in the customer's
> software, and the problem appeared the next day, but they subsequently
> disabled the feature, and (reportedly) the problem did not go away.
>
> Have you confirmed that the feature really is disabled? Or was it just hidden?
>

The vendor claims that the feature uses a different server and does not send 
requests to the slow ones, so it has been re-enabled at the customer's request. 
We may ask them to disable it again until we get this issue resolved.

> Has this feature been enabled for any other customers? If yes, have they
> experienced similar issues?
>

> (It is suspicious that the issue occurred after the feature was disabled. I 
> wonder
> if some elements of that change (e.g. a database
> change) are still in place and causing issues.)
>

We agree that it is suspicious, but at this point we are forced to give it the 
side-eye. We're not aware of other customers being impacted, but (a) it's a new 
AI-based feature, so not many other customers have it, (b) it is enabled by the 
vendor directly, so we are not in the notification loop, and (c) the problem 
customer is large, with about 800 staff, whereas most other customers are much 
and might not trigger the symptom. Bottom line, we're not *sure*, but we think 
the feature is unrelated, but we'll ask them to disable it anyway.

> > It is worth mentioning that the servers are multi-tenanted, with other
> customers running the same medical

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-28 Thread Mark Thomas

Hi Eric,

I have a some follow-up questions in-line. I have also read the other
messages in this thread and added a couple of additional questions based
on what I read in those threads.

On 26/05/2024 02:58, Eric Robinson wrote:

One of our hosting customers is a medical practice using a commercial EMR
running on tomcat+mysql. It has operated well for over a year, but users have
suddenly begun experiencing slowness for about an hour at the same time every
day.

What time does this problem start?

Does it occur every day of the week including weekends?

How does the slowness correlate to:
- request volume
- requests to any particular URL(s)?
- requests from any particular client IP?
- any other attribute of the request?

(I'm trying to see if there is something about the requests that
triggers the issue.)

During the slow times, we've done all the usual troubleshooting to catch the
problem in the act. The servers have plenty of power and are not overworked.
There are no slow database queries. Network connectivity is solid. Tomcat has
plenty of memory. The numbers of database connections, threads, questions,
queries, etc., remain steady, without spikes. There is no unusual disk latency.
We have not found any maintenance tasks running during that timeframe.

I would usually suggest taking three thread dumps approximately 5s apart
and then diffing them to try and spot "slow moving" threads.

I see you have scripted trigger a thread dump when the slowness hits. If
you haven't already, please configure it to capture (at least) 3 dumps
~5 seconds apart.

(If we can spot the slow moving threads we might be able to identify
what it is that makes them slow moving.)

The customer has another load-balanced tomcat instance on a different physical
server, and the problem happens on that one, too. The servers were upgraded
with a new kernel and packages on 4/5/24, but the issue did not appear until
5/6/24. The vendor enabled a new feature in the customer's software, and the
problem appeared the next day, but they subsequently disabled the feature, and
(reportedly) the problem did not go away.

Have you confirmed that the feature really is disabled? Or was it just
hidden?

Has this feature been enabled for any other customers? If yes, have they
experienced similar issues?

(It is suspicious that the issue occurred after the feature was
disabled. I wonder if some elements of that change (e.g. a database
change) are still in place and causing issues.)

It is worth mentioning that the servers are multi-tenanted, with other
customers running the same medical application, but the others do not
experience the slowdowns, even though they are on the same servers.

How does this customer compare, in terms of volume of requests, to other
customers that are not experiencing this issue.

Is there anything unique or special about the customer experiencing the
issue? Do they have some custom settings no-one else uses?

(I am trying to figure out if the issue is load related, customer
specific or something else).

There are no unusual errors in the tomcat or database server logs, EXCEPT this
one: Java.sql.DriverManager.getConnection

Can we see the full stack trace please.

During the periods of slowness, we see lots of those errors along with a large
spike in the number of stuck tomcat threads (from 1 or 2 to as high as 100). It
seems obvious that the threads are stuck because tomcat is waiting on a
connection to the database. However, tcpdump shows that connectivity to the
database is perfect at the network and application layers. There are no
unanswered SYNs, no retransmissions, no half-open connections, no failures to
allocate TCP ports, no conntrack messages, and no other indications of system
resource exhaustion. Every time tomcat requests a connection to the DB, it
completes in less than 1 ms. Ten thousand connection attempts completed
successfully in about 15 seconds, with zero failures.

It sounds like things might be getting stuck somewhere in or near the
JDBC driver.

Can you provide the exact version of the JDBC driver you are using?

Can you provide the full database configuration from context.xml (or
wherever it is configured). Please redact sensitive information such as
passwords.

We are forced to conclude that some database connection requests are being
initiated but are not being sent on the wire. The problem seems to be in the
interaction between tomcat and the database driver, or in the driver itself.

I agree.

Unfortunately, the application vendor is taking the "it's your infrastructure"
position without providing any evidence or offering suggestions for configuration changes,

I'm sorry to hear that. We'll do what we can to help.

other than to deploy more tomcat instances, which is just shooting in the dark.
They don't know why the software is throwing
java.sql.DriverManager.getConnection errors (even though it's their code), and

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Eric Robinson

Hi Chuck,

> -Original Message-
> From: Chuck Caldarale 
> Sent: Sunday, May 26, 2024 2:21 PM
> To: Tomcat Users List 
> Subject: Re: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
>
> > On May 25, 2024, at 20:58, Eric Robinson  wrote:
> >
> > One of our hosting customers is a medical practice using a commercial EMR
> running on tomcat+mysql. It has operated well for over a year, but users have
> suddenly begun experiencing slowness for about an hour at the same time
> every day. During the slow times, we've done all the usual troubleshooting to
> catch the problem in the act. The servers have plenty of power and are not
> overworked. There are no slow database queries. Network connectivity is solid.
> Tomcat has plenty of memory. The numbers of database connections, threads,
> questions, queries, etc., remain steady, without spikes. There is no unusual 
> disk
> latency. We have not found any maintenance tasks running during that
> timeframe.
>
>
> 
>
>
> > There are no unusual errors in the tomcat or database server logs, EXCEPT
> this one: Java.sql.DriverManager.getConnection
>
>
> 
>
>
> > During the periods of slowness, we see lots of those errors along with a 
> > large
> spike in the number of stuck tomcat threads (from 1 or 2 to as high as 100). 
> It
> seems obvious that the threads are stuck because tomcat is waiting on a
> connection to the database.
>
>
> 
>
>
> > We are forced to conclude that some database connection requests are being
> initiated but are not being sent on the wire.
>
>
> Could the DB server be out of ports? (Seems unlikely, based on your debugging
> so far.)
>

We have not seen any indication of that.

> Any chance that the Tomcat process is running out of file descriptors? Or 
> ports?
>

Likewise, no indications of that.

> Can you force a garbage collection (e.g., with jconsole or similar tool) 
> during a
> slow period? If there is some limit on an OS-level resource that’s being 
> reached,
> a GC may be able to delete the Java objects that are tying up the underlying
> resources.

GC is on my list of things to try.

>
>   - Chuck
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Disclaimer : This email and any files transmitted with it are confidential and 
intended solely for intended recipients. If you are not the named addressee you 
should not disseminate, distribute, copy or alter this email. Any views or 
opinions presented in this email are solely those of the author and might not 
represent those of Physician Select Management. Warning: Although Physician 
Select Management has taken reasonable precautions to ensure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage arising from the use of this email or attachments.

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Eric Robinson

Hi Thomas,


> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Sunday, May 26, 2024 3:30 PM
> To: Tomcat Users List 
> Subject: AW: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
> Hello,
>
> > -Ursprüngliche Nachricht-
> > Von: Chuck Caldarale 
> > Gesendet: Sonntag, 26. Mai 2024 21:21
> > An: Tomcat Users List 
> > Betreff: Re: Database Connection Requests Initiated but Not Sent on
> > the Wire (Some, Not All)
> >
> >
> > > On May 25, 2024, at 20:58, Eric Robinson 
> wrote:
> > >
> > > One of our hosting customers is a medical practice using a
> > > commercial EMR
> > running on tomcat+mysql. It has operated well for over a year, but
> > users have suddenly begun experiencing slowness for about an hour at
> > the same time every day. During the slow times, we've done all the
> > usual troubleshooting to catch the problem in the act. The servers
> > have plenty of power and are not overworked. There are no slow database
> queries. Network connectivity is solid.
> > Tomcat has plenty of memory. The numbers of database connections,
> > threads, questions, queries, etc., remain steady, without spikes.
> > There is no unusual disk latency. We have not found any maintenance
> > tasks running during that timeframe.
> >
> >
> > 
> >
> >
> > > There are no unusual errors in the tomcat or database server logs,
> > > EXCEPT
> > this one: Java.sql.DriverManager.getConnection
> >
> >
> > 
> >
> >
> > > During the periods of slowness, we see lots of those errors along
> > > with a large
> > spike in the number of stuck tomcat threads (from 1 or 2 to as high as
> > 100). It seems obvious that the threads are stuck because tomcat is
> > waiting on a connection to the database.
> >
> >
> > 
> >
> >
> > > We are forced to conclude that some database connection requests are
> > > being
> > initiated but are not being sent on the wire.
> >
> >
> > Could the DB server be out of ports? (Seems unlikely, based on your
> > debugging so far.)
> >
> > Any chance that the Tomcat process is running out of file descriptors? Or
> ports?
> >
> > Can you force a garbage collection (e.g., with jconsole or similar
> > tool) during a slow period? If there is some limit on an OS-level
> > resource that’s being reached, a GC may be able to delete the Java
> > objects that are tying up the underlying resources.
> >
> >   - Chuck
> >
>
>
> On the client side, the TCP connections are kept in a wait-state for usually 2
> minutes as far as I know.
> Maybe you can check how many are in this state.
>

On our server, we set things much lower to allow faster recycling of TCP 
connections...

net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1

> If the application doesn’t use connection pooling, then this can be the 
> problem
> itself too.

During peak production, there are a total of around 20,000 connections in 
various states, mostly TIME_WAIT. The port range is 5000-6.
Dmesg, journalcrl, and the messages file don't show any errors about running 
out of ports or file handles.


> TCP handshakes and logon process take a while and for performance reasons,
> DB connections are usually pooled.
>
> A stacktrace might help to see what java is doing when it enters this blocking
> state.
> Maybe you can provide a stack when the app starts blocking.
>

We are writing a script to watch for stuck threads to exceed a threshold, and 
do a thread dump when that happens.

> Greetings,
> Thomas
Disclaimer : This email and any files transmitted with it are confidential and 
intended solely for intended recipients. If you are not the named addressee you 
should not disseminate, distribute, copy or alter this email. Any views or 
opinions presented in this email are solely those of the author and might not 
represent those of Physician Select Management. Warning: Although Physician 
Select Management has taken reasonable precautions to ensure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage arising from the use of this email or attachments.

AW: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Thomas Hoffmann (Speed4Trade GmbH)

Hello,

> -Ursprüngliche Nachricht-
> Von: Chuck Caldarale 
> Gesendet: Sonntag, 26. Mai 2024 21:21
> An: Tomcat Users List 
> Betreff: Re: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
> 
> 
> > On May 25, 2024, at 20:58, Eric Robinson  wrote:
> >
> > One of our hosting customers is a medical practice using a commercial EMR
> running on tomcat+mysql. It has operated well for over a year, but users have
> suddenly begun experiencing slowness for about an hour at the same time
> every day. During the slow times, we've done all the usual troubleshooting to
> catch the problem in the act. The servers have plenty of power and are not
> overworked. There are no slow database queries. Network connectivity is solid.
> Tomcat has plenty of memory. The numbers of database connections, threads,
> questions, queries, etc., remain steady, without spikes. There is no unusual 
> disk
> latency. We have not found any maintenance tasks running during that
> timeframe.
> 
> 
> 
> 
> 
> > There are no unusual errors in the tomcat or database server logs, EXCEPT
> this one: Java.sql.DriverManager.getConnection
> 
> 
> 
> 
> 
> > During the periods of slowness, we see lots of those errors along with a 
> > large
> spike in the number of stuck tomcat threads (from 1 or 2 to as high as 100). 
> It
> seems obvious that the threads are stuck because tomcat is waiting on a
> connection to the database.
> 
> 
> 
> 
> 
> > We are forced to conclude that some database connection requests are being
> initiated but are not being sent on the wire.
> 
> 
> Could the DB server be out of ports? (Seems unlikely, based on your debugging
> so far.)
> 
> Any chance that the Tomcat process is running out of file descriptors? Or 
> ports?
> 
> Can you force a garbage collection (e.g., with jconsole or similar tool) 
> during a
> slow period? If there is some limit on an OS-level resource that’s being 
> reached,
> a GC may be able to delete the Java objects that are tying up the underlying
> resources.
> 
>   - Chuck
> 


On the client side, the TCP connections are kept in a wait-state for usually 2 
minutes as far as I know.
Maybe you can check how many are in this state.

If the application doesn’t use connection pooling, then this can be the problem 
itself too.
TCP handshakes and logon process take a while and for performance reasons, DB 
connections are usually pooled.

A stacktrace might help to see what java is doing when it enters this blocking 
state.
Maybe you can provide a stack when the app starts blocking.

Greetings, 
Thomas

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Chuck Caldarale



> On May 25, 2024, at 20:58, Eric Robinson  wrote:
> 
> One of our hosting customers is a medical practice using a commercial EMR 
> running on tomcat+mysql. It has operated well for over a year, but users have 
> suddenly begun experiencing slowness for about an hour at the same time every 
> day. During the slow times, we've done all the usual troubleshooting to catch 
> the problem in the act. The servers have plenty of power and are not 
> overworked. There are no slow database queries. Network connectivity is 
> solid. Tomcat has plenty of memory. The numbers of database connections, 
> threads, questions, queries, etc., remain steady, without spikes. There is no 
> unusual disk latency. We have not found any maintenance tasks running during 
> that timeframe.





> There are no unusual errors in the tomcat or database server logs, EXCEPT 
> this one: Java.sql.DriverManager.getConnection





> During the periods of slowness, we see lots of those errors along with a 
> large spike in the number of stuck tomcat threads (from 1 or 2 to as high as 
> 100). It seems obvious that the threads are stuck because tomcat is waiting 
> on a connection to the database.





> We are forced to conclude that some database connection requests are being 
> initiated but are not being sent on the wire.


Could the DB server be out of ports? (Seems unlikely, based on your debugging 
so far.)

Any chance that the Tomcat process is running out of file descriptors? Or ports?

Can you force a garbage collection (e.g., with jconsole or similar tool) during 
a slow period? If there is some limit on an OS-level resource that’s being 
reached, a GC may be able to delete the Java objects that are tying up the 
underlying resources.

  - Chuck


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Eric Robinson

Hi Thomas,


> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Sunday, May 26, 2024 2:52 AM
> To: Tomcat Users List 
> Subject: AW: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
>
> Hello Eric,
>
> > -Ursprüngliche Nachricht-
> > Von: Eric Robinson 
> > Gesendet: Sonntag, 26. Mai 2024 03:59
> > An: users@tomcat.apache.org
> > Betreff: Database Connection Requests Initiated but Not Sent on the
> > Wire (Some, Not All)
> >
> > One of our hosting customers is a medical practice using a commercial
> > EMR running on tomcat+mysql. It has operated well for over a year, but
> > users have suddenly begun experiencing slowness for about an hour at
> > the same time every day. During the slow times, we've done all the
> > usual troubleshooting to catch the problem in the act. The servers
> > have plenty of power and are not overworked. There are no slow database
> queries. Network connectivity is solid.
> > Tomcat has plenty of memory. The numbers of database connections,
> > threads, questions, queries, etc., remain steady, without spikes.
> > There is no unusual disk latency. We have not found any maintenance
> > tasks running during that timeframe.
> >
> > The customer has another load-balanced tomcat instance on a different
> > physical server, and the problem happens on that one, too. The servers
> > were upgraded with a new kernel and packages on 4/5/24, but the issue
> > did not appear until 5/6/24. The vendor enabled a new feature in the
> > customer's software, and the problem appeared the next day, but they
> > subsequently disabled the feature, and (reportedly) the problem did
> > not go away. It is worth mentioning that the servers are
> > multi-tenanted, with other customers running the same medical
> > application, but the others do not experience the slowdowns, even though
> they are on the same servers.
> >
> > There are no unusual errors in the tomcat or database server logs,
> > EXCEPT this
> > one: Java.sql.DriverManager.getConnection
> >
> > During the periods of slowness, we see lots of those errors along with
> > a large spike in the number of stuck tomcat threads (from 1 or 2 to as
> > high as 100). It seems obvious that the threads are stuck because
> > tomcat is waiting on a connection to the database. However, tcpdump
> > shows that connectivity to the database is perfect at the network and
> > application layers. There are no unanswered SYNs, no retransmissions,
> > no half-open connections, no failures to allocate TCP ports, no
> > conntrack messages, and no other indications of system resource
> > exhaustion. Every time tomcat requests a connection to the DB, it
> > completes in less than 1 ms. Ten thousand connection attempts completed
> successfully in about 15 seconds, with zero failures.
> >
> > We are forced to conclude that some database connection requests are
> > being initiated but are not being sent on the wire. The problem seems
> > to be in the interaction between tomcat and the database driver, or in the
> driver itself.
> > Unfortunately, the application vendor is taking the "it's your 
> > infrastructure"
> > position without providing any evidence or offering suggestions for
> > configuration changes, other than to deploy more tomcat instances,
> > which is just shooting in the dark. They don't know why the software
> > is throwing java.sql.DriverManager.getConnection errors (even though
> > it's their code), and they've relegated the investigation to us.
> >
> > Any advice from the community would be greatly appreciated.
> >
> > RHEL 8.9, kernel 4.18.0-513.18.1.el8_9.x86_64 Apache Tomcat/9.0.80,
> > JVM
> > 1.8.0_372-b07
> >
> > (The tomcat and JVM versions are the ones recommended by the vendor.)
> >
> > We're standing by to provide whatever other information the community
> > may need.
> >
> > Thanks tons!
> >
> > -Eric
>
> The database connections are usually pooled.
> If the pool is exhausted, the thread will wait till a connection is returned 
> to the
> pool which can be reused.
> Do you use connection pooling?
> How does the configuration look like?
> Do you monitor the pool usage?
>
> In general, it doesn’t look like a Tomcat issue per sé.
>
> Greetings,
> Thomas
>

I have asked the vendor that question several times, but their technicians have 
never provided a clear answer. Most of the time they have not even understood 
the question. If pooling were enabled, I would expect to see maxTotal or 
maxIdle tags in a context.xml or web.xml file somewhere in the system, but they 
are not there. The database connection details are stored in a file named 
myapp.properties (renamed here to protect the identity of the vendor, as I 
imagine they visit this forum). The string looks like this:

myapp.DBName=mydb?useSSL=false=round=false=true=true=false=true=true

In WireShark, I see thousands of connections, and from 1 to several SQL queries 
being issued over the same connection before it closes.

AW: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-26 Thread Thomas Hoffmann (Speed4Trade GmbH)

Hello Eric,

> -Ursprüngliche Nachricht-
> Von: Eric Robinson 
> Gesendet: Sonntag, 26. Mai 2024 03:59
> An: users@tomcat.apache.org
> Betreff: Database Connection Requests Initiated but Not Sent on the Wire
> (Some, Not All)
> 
> One of our hosting customers is a medical practice using a commercial EMR
> running on tomcat+mysql. It has operated well for over a year, but users have
> suddenly begun experiencing slowness for about an hour at the same time
> every day. During the slow times, we've done all the usual troubleshooting to
> catch the problem in the act. The servers have plenty of power and are not
> overworked. There are no slow database queries. Network connectivity is solid.
> Tomcat has plenty of memory. The numbers of database connections, threads,
> questions, queries, etc., remain steady, without spikes. There is no unusual 
> disk
> latency. We have not found any maintenance tasks running during that
> timeframe.
> 
> The customer has another load-balanced tomcat instance on a different
> physical server, and the problem happens on that one, too. The servers were
> upgraded with a new kernel and packages on 4/5/24, but the issue did not
> appear until 5/6/24. The vendor enabled a new feature in the customer's
> software, and the problem appeared the next day, but they subsequently
> disabled the feature, and (reportedly) the problem did not go away. It is 
> worth
> mentioning that the servers are multi-tenanted, with other customers running
> the same medical application, but the others do not experience the slowdowns,
> even though they are on the same servers.
> 
> There are no unusual errors in the tomcat or database server logs, EXCEPT this
> one: Java.sql.DriverManager.getConnection
> 
> During the periods of slowness, we see lots of those errors along with a large
> spike in the number of stuck tomcat threads (from 1 or 2 to as high as 100). 
> It
> seems obvious that the threads are stuck because tomcat is waiting on a
> connection to the database. However, tcpdump shows that connectivity to the
> database is perfect at the network and application layers. There are no
> unanswered SYNs, no retransmissions, no half-open connections, no failures to
> allocate TCP ports, no conntrack messages, and no other indications of system
> resource exhaustion. Every time tomcat requests a connection to the DB, it
> completes in less than 1 ms. Ten thousand connection attempts completed
> successfully in about 15 seconds, with zero failures.
> 
> We are forced to conclude that some database connection requests are being
> initiated but are not being sent on the wire. The problem seems to be in the
> interaction between tomcat and the database driver, or in the driver itself.
> Unfortunately, the application vendor is taking the "it's your infrastructure"
> position without providing any evidence or offering suggestions for
> configuration changes, other than to deploy more tomcat instances, which is
> just shooting in the dark. They don't know why the software is throwing
> java.sql.DriverManager.getConnection errors (even though it's their code), and
> they've relegated the investigation to us.
> 
> Any advice from the community would be greatly appreciated.
> 
> RHEL 8.9, kernel 4.18.0-513.18.1.el8_9.x86_64 Apache Tomcat/9.0.80, JVM
> 1.8.0_372-b07
> 
> (The tomcat and JVM versions are the ones recommended by the vendor.)
> 
> We're standing by to provide whatever other information the community may
> need.
> 
> Thanks tons!
> 
> -Eric

The database connections are usually pooled.
If the pool is exhausted, the thread will wait till a connection is returned to 
the pool which can be reused.
Do you use connection pooling?
How does the configuration look like?
Do you monitor the pool usage?

In general, it doesn’t look like a Tomcat issue per sé.

Greetings,
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-05-25 Thread Eric Robinson

One of our hosting customers is a medical practice using a commercial EMR 
running on tomcat+mysql. It has operated well for over a year, but users have 
suddenly begun experiencing slowness for about an hour at the same time every 
day. During the slow times, we've done all the usual troubleshooting to catch 
the problem in the act. The servers have plenty of power and are not 
overworked. There are no slow database queries. Network connectivity is solid. 
Tomcat has plenty of memory. The numbers of database connections, threads, 
questions, queries, etc., remain steady, without spikes. There is no unusual 
disk latency. We have not found any maintenance tasks running during that 
timeframe.

The customer has another load-balanced tomcat instance on a different physical 
server, and the problem happens on that one, too. The servers were upgraded 
with a new kernel and packages on 4/5/24, but the issue did not appear until 
5/6/24. The vendor enabled a new feature in the customer's software, and the 
problem appeared the next day, but they subsequently disabled the feature, and 
(reportedly) the problem did not go away. It is worth mentioning that the 
servers are multi-tenanted, with other customers running the same medical 
application, but the others do not experience the slowdowns, even though they 
are on the same servers.

There are no unusual errors in the tomcat or database server logs, EXCEPT this 
one: Java.sql.DriverManager.getConnection

During the periods of slowness, we see lots of those errors along with a large 
spike in the number of stuck tomcat threads (from 1 or 2 to as high as 100). It 
seems obvious that the threads are stuck because tomcat is waiting on a 
connection to the database. However, tcpdump shows that connectivity to the 
database is perfect at the network and application layers. There are no 
unanswered SYNs, no retransmissions, no half-open connections, no failures to 
allocate TCP ports, no conntrack messages, and no other indications of system 
resource exhaustion. Every time tomcat requests a connection to the DB, it 
completes in less than 1 ms. Ten thousand connection attempts completed 
successfully in about 15 seconds, with zero failures.

We are forced to conclude that some database connection requests are being 
initiated but are not being sent on the wire. The problem seems to be in the 
interaction between tomcat and the database driver, or in the driver itself. 
Unfortunately, the application vendor is taking the "it's your infrastructure" 
position without providing any evidence or offering suggestions for 
configuration changes, other than to deploy more tomcat instances, which is 
just shooting in the dark. They don't know why the software is throwing 
java.sql.DriverManager.getConnection errors (even though it's their code), and 
they've relegated the investigation to us.

Any advice from the community would be greatly appreciated.

RHEL 8.9, kernel 4.18.0-513.18.1.el8_9.x86_64
Apache Tomcat/9.0.80, JVM 1.8.0_372-b07

(The tomcat and JVM versions are the ones recommended by the vendor.)

We're standing by to provide whatever other information the community may need.

Thanks tons!

-Eric



Disclaimer : This email and any files transmitted with it are confidential and 
intended solely for intended recipients. If you are not the named addressee you 
should not disseminate, distribute, copy or alter this email. Any views or 
opinions presented in this email are solely those of the author and might not 
represent those of Physician Select Management. Warning: Although Physician 
Select Management has taken reasonable precautions to ensure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage arising from the use of this email or attachments.

Re: Deployment using directory

2024-05-25 Thread Mark Thomas


On 24/05/2024 19:28, Brandie Nickey wrote:

Hi all,

I am curious if there are any cons to deploying a webapp without using a war 
file.


None.

If you deploy a WAR Tomcat will (by default) unpack it and run it from 
the unpacked directory anyway. If you configure Tomcat to run from the 
packed WAR you will get a small performance hit.



 Our web app has just always traditionally been 'unzipped' as a set of folders 
within the Tomcat/webapps/ROOT directory.  However I have been doing some 
troubleshooting using procmon.exe from Sysinternals and it appears that tomcat 
is constantly looking for Root.war file.


Define constantly. I'd expect Tomcat to be checking for a WAR file every 
~15s if autodeploy is enabled.



Not sure if I have something misconfigured or this behavior is just normal?  
The app will start up but does have some issues with loading all features  
(takes 2+ hours) .


If the app is taking 2 hours to start then the app has some serious issues.


Running Tomcat 8.0.43.


Tomcat 8.0.x reached end of support on 30 June 2018.

Tomcat 8.5.x (that replaced 8.0.x) reached end of life on 31 March 2024.

You need to upgrade to at least 9.0.x ASAP. I'd suggest a quick upgrade 
to 9.0.x and then start looking at moving to 10.1.x or even 11.0.x but 
that is a bigger job due to the Java EE -> Jskarta EE repackaging.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: PersistentManager and ClassNotFoundException

2024-05-25 Thread Mark Thomas


On 24/05/2024 14:31, Jakub Królikowski wrote:




Hi Mark,
It seems to me that this can be tested on any application.
In Tomcat 10.1, if any session attribute is an instance of a new public
class (unknown to Tomcat and to Tomcat class loader), implementing
java.io.Serializable,
then on reloading the application PersistanceManager (configured as in the
first message) crashes with ClassNotFoundException. StandardManager works.
I don't know if this problem occurred in earlier versions of Tomcat.

If you fail to reproduce this bug, let me know, I will prepare a simple web
app.

Best regards,

Jakub


Jakub,

The chances of a committer looking at the issue you are seeing are 
significantly higher if you provide a test case that demonstrates the 
issue rather than expecting a committer to write a test case for you 
based on your description.


Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: JVM crashing with caCertificatePath in server.xml

2024-05-25 Thread Andy Arismendi

Hi Michael,

After re-reading my previous message, I realized it might have been ambiguous 
regarding whether I observed caCertificatePath working with or without your 
first posted file set from 
http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/. To clarify, it 
was indeed your first posted file set that made it work.

The issue I initially encountered on my end was due to some unnecessary copies 
of the original OpenSSL binaries elsewhere in the system path. These copies 
were likely causing different results as they were being loaded without my 
awareness. After removing them I observed Tomcat startup with caCertificatePath 
in server.xml without JVM crash using the original binaries you provided.

I hope this clears up any ambiguity from my previous message.

Thanks!
-Andy

Deployment using directory

2024-05-24 Thread Brandie Nickey

Hi all,

I am curious if there are any cons to deploying a webapp without using a war 
file.  Our web app has just always traditionally been 'unzipped' as a set of 
folders within the Tomcat/webapps/ROOT directory.  However I have been doing 
some troubleshooting using procmon.exe from Sysinternals and it appears that 
tomcat is constantly looking for Root.war file.  Not sure if I have something 
misconfigured or this behavior is just normal?  The app will start up but does 
have some issues with loading all features  (takes 2+ hours) .

Running Tomcat 8.0.43.

Thank you,
Brandie




Regeneron - Internal

 
This e-mail and any attachment hereto, is intended only for use by the 
addressee(s) named above and may contain legally privileged and/or confidential 
information. If you are not the intended recipient of this e-mail, any 
dissemination, distribution or copying of this email, or any attachment hereto, 
is strictly prohibited. If you receive this email in error please immediately 
notify me by return electronic mail and permanently delete this email and any 
attachment hereto, any copy of this e-mail and of any such attachment, and any 
printout thereof. Finally, please note that only authorized representatives of 
Regeneron Pharmaceuticals, Inc. have the power and authority to enter into 
business dealings with any third party.

Re: PersistentManager and ClassNotFoundException

2024-05-24 Thread Jakub Królikowski

On Fri, May 24, 2024 at 11:23 AM Mark Thomas  wrote:

> Can you provide the simplest web application (with source) that
> replications the problem?
>
> Mark
>
>
> On 23/05/2024 23:45, Jakub Królikowski wrote:
> > Hi,
> >
> > I'm working with Tomcat 10.1.
> >
> > When a user starts using the store in my web application, I save the
> > ShopCart object on the "cart" session attribute.
> > I want the "cart" attributes to return to the session after restarting
> the
> > app.
> >
> >
> > To enable session persistence I added
> >
> > 
> >
> > to the Context. It loads the StandardManager.
> >
> > And this works fine - after reload / restart the object "ShopCart" is
> back
> > in the session.
> >
> >
> >
> > I want to experiment with PersistentManager. Tomcat docs says: "
> > The persistence across restarts provided by the *StandardManager* is a
> > simpler implementation than that provided by the *PersistentManager*. If
> > robust, production quality persistence across restarts is required then
> the
> > *PersistentManager* should be used with an appropriate configuration.
> >
> > "
> >
> > I hope for a Listener of deserialization of the session attributes.
> >
> > The new Manager configuration looks like this:
> >
> >  > maxActiveSessions="2" saveOnRestart="true">
> >
> >  > "c:\tomcat10\sessionperm"/>
> >
> > 
> >
> > But it doesn't work. After restart I get this exception:
> >
> >
> > java.lang.ClassNotFoundException: ShopCart
> >
> > at
> >
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1332)
> >
> > at
> >
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1144)
> >
> > at java.base/java.lang.Class.forName0(Native Method)
> >
> > at java.base/java.lang.Class.forName(Class.java:534)
> >
> > at java.base/java.lang.Class.forName(Class.java:513)
> >
> > at
> >
> org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:158)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2061)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readClassDesc(ObjectInputStream.java:1927)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2252)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readObject0(ObjectInputStream.java:1762)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readObject(ObjectInputStream.java:540)
> >
> > at
> > java.base/java.io
> .ObjectInputStream.readObject(ObjectInputStream.java:498)
> >
> > at
> >
> org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1198)
> >
> > at
> >
> org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:831)
> >
> > at org.apache.catalina.session.FileStore.load(FileStore.java:203)
> >
> > at
> org.apache.catalina.session.StoreBase.processExpires(StoreBase.java:138)
> >
> > at
> >
> org.apache.catalina.session.PersistentManagerBase.processExpires(PersistentManagerBase.java:409)
> >
> > at
> >
> org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:587)
> >
> > at
> >
> org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:4787)
> >
> > at
> >
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1172)
> >
> > at
> >
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)
> >
> > at
> >
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)
> >
> > at
> >
> org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1154)
> >
> > at
> >
> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
>


> >
> > at
> >
> java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)
> >
> > at
> >
> java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
> >
> > at
> >
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
> >
> > at
> >
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
> >
> > at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
> >
> > at java.base/java.lang.Thread.run(Thread.java:1583)
> >
> >
> > I guess this means that the two managers use ClassLoader differently.
> > How to get the PersistentManager to work in this case?
> >
> > Best regards,
> > --
> > Jakub Królikowski
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Hi Mark,
It seems to me that this can be tested on any application.
In Tomcat 10.1, if any session attribute is an instance of a new public
class (unknown to Tomcat and to

Re: PersistentManager and ClassNotFoundException

2024-05-24 Thread Mark Thomas

Can you provide the simplest web application (with source) that 
replications the problem?


Mark


On 23/05/2024 23:45, Jakub Królikowski wrote:

Hi,

I'm working with Tomcat 10.1.

When a user starts using the store in my web application, I save the
ShopCart object on the "cart" session attribute.
I want the "cart" attributes to return to the session after restarting the
app.


To enable session persistence I added



to the Context. It loads the StandardManager.

And this works fine - after reload / restart the object "ShopCart" is back
in the session.



I want to experiment with PersistentManager. Tomcat docs says: "
The persistence across restarts provided by the *StandardManager* is a
simpler implementation than that provided by the *PersistentManager*. If
robust, production quality persistence across restarts is required then the
*PersistentManager* should be used with an appropriate configuration.

"

I hope for a Listener of deserialization of the session attributes.

The new Manager configuration looks like this:







But it doesn't work. After restart I get this exception:


java.lang.ClassNotFoundException: ShopCart

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1332)

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1144)

at java.base/java.lang.Class.forName0(Native Method)

at java.base/java.lang.Class.forName(Class.java:534)

at java.base/java.lang.Class.forName(Class.java:513)

at
org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:158)

at
java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2061)

at
java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1927)

at
java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2252)

at
java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1762)

at
java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:540)

at
java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:498)

at
org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1198)

at
org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:831)

at org.apache.catalina.session.FileStore.load(FileStore.java:203)

at org.apache.catalina.session.StoreBase.processExpires(StoreBase.java:138)

at
org.apache.catalina.session.PersistentManagerBase.processExpires(PersistentManagerBase.java:409)

at
org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:587)

at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:4787)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1172)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1154)

at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)

at
java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)

at
java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)

at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)

at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)

at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)

at java.base/java.lang.Thread.run(Thread.java:1583)


I guess this means that the two managers use ClassLoader differently.
How to get the PersistentManager to work in this case?

Best regards,
--
Jakub Królikowski



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Security Constraints and Session Timeout

2024-05-24 Thread Mark Thomas


On 23/05/2024 17:01, Jerry Malcolm wrote:
I have some servlets that I can't put security constraints on at the 
web.xml level.  However, deep down in the code there are some places 
that I need a user to be logged in.  My overall UI ensures this all 
works by having certain JSPs with constraints that force the user to log 
in before getting to the servlet.  But if the user spends too much time 
interacting with the servlet and not reloading one of the pages that 
require a login, the session will timeout, and the user is now buried in 
one of the servlets, and I've lost the session/userprincipal.  It 
appears that interacting with a servlet that has no constraints does not 
reset the session timer.  Is that correct, or am I seeing it wrong?  I 
know the easy answer would be to add a constraint requiring login to 
access the servlet.  But with the current design, that's not going to 
work. Is there something I can do in the servlet and/or servlet config 
in web.xml to force servlet access to keep resetting the session timer 
so it won't expire without having to put role constraints directly on 
the servlet?


Just calling HttpServletRequest.getSession(false) from the Servlet 
should be sufficient.


Note you can monitor the expiration time for sessions using the Manager 
application. That might be helpful in testing.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

PersistentManager and ClassNotFoundException

2024-05-23 Thread Jakub Królikowski

Hi,

I'm working with Tomcat 10.1.

When a user starts using the store in my web application, I save the
ShopCart object on the "cart" session attribute.
I want the "cart" attributes to return to the session after restarting the
app.


To enable session persistence I added



to the Context. It loads the StandardManager.

And this works fine - after reload / restart the object "ShopCart" is back
in the session.



I want to experiment with PersistentManager. Tomcat docs says: "
The persistence across restarts provided by the *StandardManager* is a
simpler implementation than that provided by the *PersistentManager*. If
robust, production quality persistence across restarts is required then the
*PersistentManager* should be used with an appropriate configuration.

"

I hope for a Listener of deserialization of the session attributes.

The new Manager configuration looks like this:







But it doesn't work. After restart I get this exception:


java.lang.ClassNotFoundException: ShopCart

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1332)

at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1144)

at java.base/java.lang.Class.forName0(Native Method)

at java.base/java.lang.Class.forName(Class.java:534)

at java.base/java.lang.Class.forName(Class.java:513)

at
org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:158)

at
java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:2061)

at
java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1927)

at
java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2252)

at
java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1762)

at
java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:540)

at
java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:498)

at
org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1198)

at
org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:831)

at org.apache.catalina.session.FileStore.load(FileStore.java:203)

at org.apache.catalina.session.StoreBase.processExpires(StoreBase.java:138)

at
org.apache.catalina.session.PersistentManagerBase.processExpires(PersistentManagerBase.java:409)

at
org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:587)

at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:4787)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1172)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1176)

at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1154)

at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)

at
java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)

at
java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)

at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)

at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)

at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)

at java.base/java.lang.Thread.run(Thread.java:1583)


I guess this means that the two managers use ClassLoader differently.
How to get the PersistentManager to work in this case?

Best regards,
--
Jakub Królikowski

Security Constraints and Session Timeout

2024-05-23 Thread Jerry Malcolm

I have some servlets that I can't put security constraints on at the 
web.xml level.  However, deep down in the code there are some places 
that I need a user to be logged in.  My overall UI ensures this all 
works by having certain JSPs with constraints that force the user to log 
in before getting to the servlet.  But if the user spends too much time 
interacting with the servlet and not reloading one of the pages that 
require a login, the session will timeout, and the user is now buried in 
one of the servlets, and I've lost the session/userprincipal.  It 
appears that interacting with a servlet that has no constraints does not 
reset the session timer.  Is that correct, or am I seeing it wrong?  I 
know the easy answer would be to add a constraint requiring login to 
access the servlet.  But with the current design, that's not going to 
work. Is there something I can do in the servlet and/or servlet config 
in web.xml to force servlet access to keep resetting the session timer 
so it won't expire without having to put role constraints directly on 
the servlet?


Thx

Jerry


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Re: Tomcat Console - 401 Unauthorized

2024-05-23 Thread Garber, Frank

And the winner is: Chuck 

I tried Chrome (instead of the Corporate mandated browser Edge) and I was right 
away challenged for credentials.

Thanks for all those who responded.

From: Chuck Caldarale 
Sent: Wednesday, May 22, 2024 4:36 PM
To: Tomcat Users List 
Subject: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized

> On May 22, 2024, at 13: 31, Garber, Frank  com. INVALID> wrote: > > Not knowing how it’s supposed to behave, here’s 
> another clue. When I click on the “Server Status” button, I never get prompted

> On May 22, 2024, at 13:31, Garber, Frank 
> mailto:francis.gar...@elevancehealth.com.INVALID>>
>  wrote:

>

> Not knowing how it’s supposed to behave, here’s another clue. When I click on 
> the “Server Status” button, I never get prompted for credentials.

This sounds like a browser configuration problem. On the first attempt to 
access a protected resource, the server will return a 401 status with a 
WWW-Authenticate header listing the acceptable authentication mechanisms; for 
Tomcat, "Basic" is the default. The browser is then supposed to take the 
specified action to determine the credentials - for Basic, that’s the typical 
dialog box prompt.

If you’re using Edge (my condolences if so), go to edge://policy and look at 
the AuthSchemes entry; if it doesn’t include “basic”, you’ll never get the 
prompt.

Can you correct the Edge config or try a different browser?

  - Chuck

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.

Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Chuck Caldarale

> On May 22, 2024, at 13:31, Garber, Frank 
>  wrote:
> 
> Not knowing how it’s supposed to behave, here’s another clue. When I click on 
> the “Server Status” button, I never get prompted for credentials.

This sounds like a browser configuration problem. On the first attempt to 
access a protected resource, the server will return a 401 status with a 
WWW-Authenticate header listing the acceptable authentication mechanisms; for 
Tomcat, "Basic" is the default. The browser is then supposed to take the 
specified action to determine the credentials - for Basic, that’s the typical 
dialog box prompt.

If you’re using Edge (my condolences if so), go to edge://policy and look at 
the AuthSchemes entry; if it doesn’t include “basic”, you’ll never get the 
prompt.

Can you correct the Edge config or try a different browser?

  - Chuck

RE: Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank

Not knowing how it’s supposed to behave, here’s another clue. When I click on 
the “Server Status” button, I never get prompted for credentials. Is it a 
permissions problem on the server itself. Like the server doesn’t have rights 
to the HTML pages?

Thanks in advance,

From: Garber, Frank
Sent: Wednesday, May 22, 2024 2:26 PM
To: Tomcat Users List 
Subject: RE: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized

I’m not sure how the URLs got munged up.

What I have on my side is valid XML, so I’m not worried about that. I’m really 
just concerned that the following isn’t working:

Thanks in advance,

From: Chuck Caldarale mailto:n82...@gmail.com>>
Sent: Wednesday, May 22, 2024 2:16 PM
To: Tomcat Users List mailto:users@tomcat.apache.org>>
Subject: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized

> On May 22, 2024, at 10: 51, Garber, Frank  com. INVALID> wrote: > > I've just installed Tomcat 9. 0. 89.  > 
> Tomcat runs, and I can get to the console at https: //urldefense. 
> com/v3/__http: //localhost: 
> 8080/__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFvzyQAcQ$

> On May 22, 2024, at 10:51, Garber, Frank 
> mailto:francis.gar...@elevancehealth.com.INVALID>>
>  wrote:

>

> I've just installed Tomcat 9.0.89.

> Tomcat runs, and I can get to the console at 
> https://urldefense.com/v3/__http://localhost:8080/__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFvzyQAcQ$
>  but, when I click on "Server Status" I get the 401 Unauthorized page.

> I've been editing the conf\tomcat-users.xml file and have tried MANY 
> different combinations of entries but, can't get past the 401 problem.

> Here's my current file contents:

>

> 

>

>  xmlns=https://urldefense.com/v3/__http://tomcat.apache.org/xml__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFqswncMY$

>  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance

>  xsi:schemaLocation=http://tomcat.apache.org/xml 
> tomcat-users.xsd>

>  version="1.0">

If the above is what you actually have in the .xml file, you should also be 
seeing parsing errors in the catalina.out log file, since it’s not valid XML. 
Once corrected to the following, access to the server status pages worked 
properly.

https://urldefense.com/v3/__http://tomcat.apache.org/xml__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFqswncMY$"

  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;

  xsi:schemaLocation="http://tomcat.apache.org/xml 
tomcat-users.xsd"

  version="1.0">

Note the missing quotes and seriously munged-up xsi:schemaLocation attribute in 
your posting.

If you’re using an editor that thinks it’s clever to convert http:// references 
into HTML, get a better editor.

  - Chuck

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.

RE: Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank

I’m not sure how the URLs got munged up.

What I have on my side is valid XML, so I’m not worried about that. I’m really 
just concerned that the following isn’t working:

Thanks in advance,

From: Chuck Caldarale 
Sent: Wednesday, May 22, 2024 2:16 PM
To: Tomcat Users List 
Subject: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized

> On May 22, 2024, at 10: 51, Garber, Frank  com. INVALID> wrote: > > I've just installed Tomcat 9. 0. 89.  > 
> Tomcat runs, and I can get to the console at https: //urldefense. 
> com/v3/__http: //localhost: 
> 8080/__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFvzyQAcQ$

> On May 22, 2024, at 10:51, Garber, Frank 
> mailto:francis.gar...@elevancehealth.com.INVALID>>
>  wrote:

>

> I've just installed Tomcat 9.0.89.

> Tomcat runs, and I can get to the console at 
> https://urldefense.com/v3/__http://localhost:8080/__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFvzyQAcQ$
>  but, when I click on "Server Status" I get the 401 Unauthorized page.

> I've been editing the conf\tomcat-users.xml file and have tried MANY 
> different combinations of entries but, can't get past the 401 problem.

> Here's my current file contents:

>

> 

>

>  xmlns=https://urldefense.com/v3/__http://tomcat.apache.org/xml__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFqswncMY$

>  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance

>  xsi:schemaLocation=http://tomcat.apache.org/xml 
> tomcat-users.xsd>

>  version="1.0">

If the above is what you actually have in the .xml file, you should also be 
seeing parsing errors in the catalina.out log file, since it’s not valid XML. 
Once corrected to the following, access to the server status pages worked 
properly.

https://urldefense.com/v3/__http://tomcat.apache.org/xml__;!!IZ3lH8c!yts7ZdG2lLWkLHZXnQFxUeyJeHbX_NxqieI-zv0Ui8nBlMzfnQ_mbT_M5evoEof6o-OZ5azA1nAyFqswncMY$"

  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;

  xsi:schemaLocation="http://tomcat.apache.org/xml 
tomcat-users.xsd"

  version="1.0">

Note the missing quotes and seriously munged-up xsi:schemaLocation attribute in 
your posting.

If you’re using an editor that thinks it’s clever to convert http:// references 
into HTML, get a better editor.

  - Chuck

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.

Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Chuck Caldarale

> On May 22, 2024, at 10:51, Garber, Frank 
>  wrote:
> 
> I've just installed Tomcat 9.0.89.

> Tomcat runs, and I can get to the console at http://localhost:8080/ but, when 
> I click on "Server Status" I get the 401 Unauthorized page.

> I've been editing the conf\tomcat-users.xml file and have tried MANY 
> different combinations of entries but, can't get past the 401 problem.

> Here's my current file contents:
> 
> 
> 
> http://tomcat.apache.org/xml
>  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
>  xsi:schemaLocation=http://tomcat.apache.org/xml 
> tomcat-users.xsd
>  version="1.0">

If the above is what you actually have in the .xml file, you should also be 
seeing parsing errors in the catalina.out log file, since it’s not valid XML. 
Once corrected to the following, access to the server status pages worked 
properly.

http://tomcat.apache.org/xml;
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
  version="1.0">

Note the missing quotes and seriously munged-up xsi:schemaLocation attribute in 
your posting.

If you’re using an editor that thinks it’s clever to convert http:// references 
into HTML, get a better editor.

  - Chuck

Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank

Hello Group,

I've just installed Tomcat 9.0.89.

First a the first few lines on the Catalina log:
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED 
--add-opens=java.base/java.io=ALL-UNNAMED 
--add-opens=java.base/java.util=ALL-UNNAMED 
--add-opens=java.base/java.util.concurrent=ALL-UNNAMED 
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ 
-nonaming ] [ -generateCode [ {pathname} ] ] [ -useGeneratedCode ] { -help | 
start | stop }
22-May-2024 11:16:47.794 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
Apache Tomcat/9.0.89

Tomcat runs, and I can get to the console at http://localhost:8080/ but, when I 
click on "Server Status" I get the 401 Unauthorized page.

I've been editing the conf\tomcat-users.xml file and have tried MANY different 
combinations of entries but, can't get past the 401 problem. I know editing the 
correct file as I see Tomcat logging:
22-May-2024 11:30:00.479 INFO [Catalina-utility-1] 
org.apache.catalina.users.MemoryUserDatabase.backgroundProcess Reloading memory 
user database [UserDatabase] from updated source 
[file:/C:/myProgs/apache-tomcat-9.0.89/conf/tomcat-users.xml]

Regardless, I stop and restart Tomcat to make sure it's picking up the changes.

Here's my current file contents:



http://tomcat.apache.org/xml
  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
  xsi:schemaLocation=http://tomcat.apache.org/xml 
tomcat-users.xsd
  version="1.0">

  
  

   




Thanks in advance,
F

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.

1 2 3 4 5 6 7 8 9 10 >

1 - 100 of 137175 matches

Mail list logo