Participate in the ASF 25th Anniversary Campaign

2024-04-03 Thread Brian Proffitt
Hi everyone,

As part of The ASF’s 25th anniversary campaign[1], we will be celebrating
projects and communities in multiple ways.

We invite all projects and contributors to participate in the following
ways:

* Individuals - submit your first contribution:
https://news.apache.org/foundation/entry/the-asf-launches-firstasfcontribution-campaign
* Projects - share your public good story:
https://docs.google.com/forms/d/1vuN-tUnBwpTgOE5xj3Z5AG1hsOoDNLBmGIqQHwQT6k8/viewform?edit_requested=true
* Projects - submit a project spotlight for the blog:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=278466116
* Projects - contact the Voice of Apache podcast (formerly Feathercast) to
be featured: https://feathercast.apache.org/help/
*  Projects - use the 25th anniversary template and the #ASF25Years hashtag
on social media:
https://docs.google.com/presentation/d/1oDbMol3F_XQuCmttPYxBIOIjRuRBksUjDApjd8Ve3L8/edit#slide=id.g26b0919956e_0_13

If you have questions, email the Marketing & Publicity team at
mark...@apache.org.

Peace,
BKP

[1] https://apache.org/asf25years/

[NOTE: You are receiving this message because you are a contributor to an
Apache Software Foundation project. The ASF will very occasionally send out
messages relating to the Foundation to contributors and members, such as
this one.]

Brian Proffitt
VP, Marketing & Publicity
VP, Conferences


Re: Tomcat/Java starts using too much memory and not by the heap or non-heap memory

2024-02-15 Thread Brian Braun
Hello,

It has been a long time since I received the last suggestions to my issue
here on this support list. Since then I decided to stop asking for help and
to "do my homework". To read, to watch YouTube presentations, to spend time
on StackOverflow, etc. So I have spent a lot of time on this and I think I
have learned a lot which is nice.
This is what I have learned lately:

I definitely don't have a leak in my code (or in the libraries I am using,
as far as I understand). And my code is not creating a significant amount
of objects that would use too much memory.
The heap memory (the 3 G1s) and non-heap memory (3 CodeHeaps + compressed
class space + metaspace) together are using just a few hundred MBs and
their usage is steady and normal.
I discovered the JCMD command to perform the native memory tracking. When
running it, after 3-4 days since I started Tomcat, I found out that the
compiler was using hundreds of MB and that is exactly why the Tomcat
process starts abusing the memory! This is what I saw when executing "sudo
jcmd <pid> VM.native_memory scale=MB":

Compiler (reserved=340MB, commited=340MB)
(arena=340MB #10)

All the other categories (Class, Thread, Code, GC, Internal, Symbol, etc)
look normal since they use a low amount of memory and they don't grow.

Then I discovered the Jemalloc tool (http://jemalloc.net) and its jeprof
tool, so I started launching Tomcat using it. Then, 3-4 days after
Tomcat starts, I was able to create some GIF images from the dumps that
Jemalloc creates. The GIF files show the problem: 75-90% of the memory is
being used by some weird activity in the compiler! It seems that something
called "The C2 compile/JIT compiler" starts doing something after 3-4 days,
and that creates the leak. Why after 3-4 days and not sooner? I don't know.
I am attaching the GIF in this email.

Does anybody know how to deal with this? I have been struggling with this
issue already for 3 months. At least now I know that this is a native
memory leak, but at this point I feel lost.

By the way, I'm running my website using Tomcat 9.0.58, Java
"11.0.21+9-post-Ubuntu-0ubuntu122.04", Ubuntu 22.04.03. And I am developing
using Eclipse and compiling my WAR file with a "Compiler compliance
level:11".

Thanks in advance!

Brian

On Mon, Jan 8, 2024 at 10:05 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 1/5/24 17:21, Brian Braun wrote:
> > Hello Christopher,
> >
> > First of all: thanks a lot for your responses!
> >
> > On Wed, Jan 3, 2024 at 9:25 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Brian,
> >>
> >> On 12/30/23 15:42, Brian Braun wrote:
> >>> At the beginning, this was the problem: The OOM-killer (something that
> I
> >>> never knew existed) killing Tomcat unexpectedly and without any
> >>> explanation
> >>
> >> The explanation is always the same: some application requests memory
> >> from the kernel, which always grants the request(!). When the
> >> application tries to use that memory, the kernel scrambles to physically
> >> allocate the memory on-demand and, if all the memory is gone, it will
> >> pick a process and kill it.
>  >
> > Yes, that was happening to me until I set up the SWAP file and now at
> least
> > the Tomcat process is not being killed anymore.
>
> Swap can get you out of a bind like this, but it will ruin your
> performance. If you care more about stability (and believe me, it's a
> reasonable decision), then leave the swap on. But swap will kill (a)
> performance (b) SSD lifetime and (c) storage/transaction costs depending
> upon your environment. Besides, you either need the memory or you do
> not. It's rare to "sometimes" need the memory.
>
> >> Using a swap file is probably going to kill your performance. What
> >> happens if you make your heap smaller?
>  >
> > Yes, in fact the performance is suffering and that is why I don't
> consider
> > the swap file as a solution.
>
> :D
>
> > I have assigned to -Xmx both small amounts (as small as 300MB) and high
> > amounts (as high as 1GB) and the problem is still present (the Tomcat
> > process grows in memory usage up to 1.5GB combining real memory and swap
> > memory).
>
> Okay, that definitely indicates a problem that needs to be solved.
>
> I've seen things like native ZIP handling code leaking native memory,
> but I know that Tomcat does not leak like that. If you do anything in
> your application that might leave file handles open, it could be
> contributing to the problem.
>
> > As I have explained in another email recently, I think that neither heap
> > usage no

Re: Getting Two times login page issue.

2024-01-18 Thread Brian Wolfe
On Thu, Jan 18, 2024 at 8:08 PM Chaudhary, Mohit 
wrote:

> Hello Team,
>
> We are facing an issue with the Tomcat application login URL, where it is
> asking twice for login to the user, with first login it will redirect
> again to the login page, while reentering the credentials again, it is
> successful (with second attempt it is working) and user will be
> redirected to the next page, this issue we have encountered after a
> datacenter migration for the Tomcat server on Test region, the servers
> were cloned from the original server to the new datacenter servers, we had
> manually updated the new IP address on the configuration files related to
> new servers, but with testing part we are encountering this issue,
>

You haven't really indicated how this is a Tomcat issue. This sounds like
it's either an application issue or a Lotus Domino SSO issue. However I
will ask some questions that may point you in the right direction. Is the
application dependent on Tomcat's JSession? If so, when does it determine
the userPrincipal? If not then it's an application issue. How is this SSO
set up? Header based? Cookie based? Agent based session? Is Tomcat
responsible for connecting to the userstore to determine who the user is?
This would be done via a realm.


> We had 2 servers on Test region which are load balanced where 1 server is
> working fine ( with another server shutdown ) , no issue with login page on
> this server , while issue happening on another server.
>
So are you saying it works fine with 1 server and doesn't when 2 are
running? Are you sure it's not a load balancing issue? How does your
application handle sessions? Does it replicate them? Does the application
use affinity to keep the user going to the same server through the LB?

>
> The application login page resides on the Lotus Domino server and
> authentication happens on Domino side and then it redirects the request to
> Apache and Tomcat servers .


> Please suggest on this issue .
>
There are a lot of different things that can go wrong here and most of them
are not Tomcat related.

>
> Thanks,
> Mohit
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: EOL - Tomcat versions

2024-01-07 Thread Brian Wolfe
https://tomcat.apache.org/whichversion.html

10.0 is EOL but 10.1 is still getting releases.
https://tomcat.apache.org/tomcat-10.0-eol.html

The official end of life plan for 8.5
https://tomcat.apache.org/tomcat-85-eol.html
Basically the final release will be coming out, then it will receive no
more fixes.

On Mon, Jan 8, 2024 at 1:47 AM i...@flyingfischer.ch 
wrote:

> https://endoflife.date/tomcat
>
> On 08.01.24 at 07:39, Deshmukh, Kedar wrote:
> > Hello,
> >
> > Could you please throw some light on Tomcat versions and its EOL plan?
> >
> >
> >1.  8.5.X
> >2.  9.0.X
> >3.  10.0.X
> >4.  10.1.X
> >
> > This information would be very critical for us to move forward.
> >
> >
> > Thanks,
> > Kedar
> >
>
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Tomcat/Java starts using too much memory and not by the heap or non-heap memory

2024-01-05 Thread Brian Braun
Hello Christopher,

First of all: thanks a lot for your responses!

On Wed, Jan 3, 2024 at 9:25 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 12/30/23 15:42, Brian Braun wrote:
> > At the beginning, this was the problem: The OOM-killer (something that I
> > never knew existed) killing Tomcat unexpectedly and without any
> > explanation
>
> The explanation is always the same: some application requests memory
> from the kernel, which always grants the request(!). When the
> application tries to use that memory, the kernel scrambles to physically
> allocate the memory on-demand and, if all the memory is gone, it will
> pick a process and kill it.
>
>
Yes, that was happening to me until I set up the SWAP file and now at least
the Tomcat process is not being killed anymore.


> There are ways to prevent this from happening, but the best way is to not
> over-commit your memory.
>
> > Not knowing how much memory would I need to satisfy the JVM, and not
> > willing to migrate to more expensive Amazon instances just because I
> > don't know why this is happening. And not knowing if the memory
> > requirement would keep growing and growing and growing.
> It might. But if your symptom is Linux oom-killer and not JVM OOME, then
> the better technique is to *reduce* your heap space in the JVM.
>
> > Then I activated the SWAP file, and I discovered that this problem stops
> at
> > 1.5GB of memory used by the JVM. At least I am not getting more crashes
> > anymore. But I consider the SWAP file as a palliative and I really want
> to
> > know what is the root of this problem. If I don't, then maybe I should
> > consider another career. I don't enjoy giving up.
>
> Using a swap file is probably going to kill your performance. What
> happens if you make your heap smaller?
>
>
Yes, in fact the performance is suffering and that is why I don't consider
the swap file as a solution.
I have assigned to -Xmx both small amounts (as small as 300MB) and high
amounts (as high as 1GB) and the problem is still present (the Tomcat
process grows in memory usage up to 1.5GB combining real memory and swap
memory).
As I have explained in another email recently, I think that neither heap
usage nor non-heap usage are the problem. I have been monitoring them and
their requirements have always stayed low enough, so I could leave the -Xms
parameter with about 300-400 MB and that would be enough.
There is something else in the JVM that is using all that memory and I
still don't know what it is. And I think it doesn't care about the value I
give to -Xmx, it uses all the memory it wants. Doing what? I don't know.

> > Yes, the memory used by the JVM started to grow suddenly one day, after
> > several years running fine. Since I had not made any changes to my app, I
> > really don't know the reason. And I really think this should not be
> > happening without an explanation.
> >
> > I don't have any Java OOME exceptions, so it is not that my objects don't
> > fit. Even if I supply 300MB to the -Xmx parameter. In fact, as I wrote, I
> > don't think the Heap and non-heap usage is the problem. I have been
> > inspecting those and their usage seems to be normal/modest and steady. I
> > can see that using the Tomcat Manager as well as several other tools (New
> > Relic, VisualVM, etc).
>
> Okay, so what you've done then is to allow a very large heap that you
> mostly don't need. If/when the heap grows a lot -- possibly suddenly --
> the JVM is lazy and just takes more heap space from the OS and
> ultimately you run out of main memory.
>
> The solution is to reduce the heap size.
>
>
Maybe I am not understanding your suggestion.
I have assigned to -Xmx both small amounts (as small as 300MB) and high
amounts (as high as 1GB) and the problem is still present. In fact the
problem started with a low amount for -Xmx.


> > Regarding the 1GB I am giving now to the -Xms parameter: I was giving
> just
> > a few hundreds and I already had the problem. Actually I think it is the
> > same if I give a few hundreds of MBs or 1GB, the JVM still starts using
> > more memory after 3-4 days of running until it takes 1.5GB. But during
> the
> > first 1-4 days it uses just a few hundred MBs.
> >
> > My app has been "static" as you say, but probably I have upgraded Tomcat
> > and/or Java recently. I don't really remember. Maybe one of those
> upgrades
> > brought this issue as a result. Actually, If I knew that one of those
> > upgrades causes this huge spike in memory consumption and there is no way
> to
> > avoid it, then I would accept it as a fact of life and move on. But
> since I
> > don't know, it really bugs

Re: Tomcat/Java starts using too much memory and not by the heap or non-heap memory

2023-12-30 Thread Brian Braun
Hi Chris,

Thanks a lot for your very detailed response!
Here are my answers, comments and questions.

At the beginning, this was the problem: The OOM-killer (something that I
never knew existed) killing Tomcat unexpectedly and without any
explanation, many times during the night while I should be sleeping
peacefully (as long as I wear my Apnea mask). Not knowing how much memory
would I need to satisfy the JVM, and not willing to migrate to more
expensive Amazon instances just because I don't know why this is happening.
And not knowing if the memory requirement would keep growing and growing
and growing.
Then I activated the SWAP file, and I discovered that this problem stops at
1.5GB of memory used by the JVM. At least I am not getting more crashes
anymore. But I consider the SWAP file as a palliative and I really want to
know what is the root of this problem. If I don't, then maybe I should
consider another career. I don't enjoy giving up.

Yes, the memory used by the JVM started to grow suddenly one day, after
several years running fine. Since I had not made any changes to my app, I
really don't know the reason. And I really think this should not be
happening without an explanation.

I don't have any Java OOME exceptions, so it is not that my objects don't
fit. Even if I supply 300MB to the -Xmx parameter. In fact, as I wrote, I
don't think the Heap and non-heap usage is the problem. I have been
inspecting those and their usage seems to be normal/modest and steady. I
can see that using the Tomcat Manager as well as several other tools (New
Relic, VisualVM, etc).

Regarding the 1GB I am giving now to the -Xms parameter: I was giving just
a few hundreds and I already had the problem. Actually I think it is the
same if I give a few hundreds of MBs or 1GB, the JVM still starts using
more memory after 3-4 days of running until it takes 1.5GB. But during the
first 1-4 days it uses just a few hundred MBs.

My app has been "static" as you say, but probably I have upgraded Tomcat
and/or Java recently. I don't really remember. Maybe one of those upgrades
brought this issue as a result. Actually, If I knew that one of those
upgrades causes this huge spike in memory consumption and there is no way to
avoid it, then I would accept it as a fact of life and move on. But since I
don't know, it really bugs me.

I have the same amount of users and traffic as before. I also know how much
memory a session takes and it is fine.  I have also checked the HTTP(S)
requests to see if somehow I am getting any attempts to hack my instance
that could be the root of this problem. Yes, I get hacking attempts by
those bots all the time, but I don't see anything relevant there. No news.

I agree with what you say now regarding the GC. I should not need to use
those switches since I understand it should work fine without using them.
And I don't know how to use them. And since I have never cared about using
them for about 15 years using Java+Tomcat, why should I start now?

I have also checked all my long-lasting objects. I have optimized my DB
queries recently as you suggest now, so they don't create huge amounts of
objects in a short period of time that the GC would have to deal with. The
same applies to my scheduled tasks. They all run very quickly and use
modest amounts of memory. All the other default Tomcat threads create far
more objects.

I have already activated the GC log. Is there a tool that you would suggest
to analyze it? I haven't even opened it. I suspect that the root of my
problem comes from the GC process indeed.

Thanks again!

Brian



On Sat, Dec 30, 2023 at 12:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 12/29/23 20:48, Brian Braun wrote:
> > Hello,
> >
> > First of all:
> > Christopher Schultz: You answered an email from me 6 weeks ago. You
> helped
> > me a lot with your suggestions. I have done a lot of research and have
> > learnt a lot since then, so I have been able to rule out a lot of
> potential
> > roots for my issue. Because of that I am able to post a new more specific
> > email. Thanks a lot!!!
> >
> > Now, this is my stack:
> >
> > - Ubuntu 22.04.3 on x86/64 with 2GM of physical RAM that has been enough
> > for years.
> > - Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04 / openjdk 11.0.20.1
> 2023-08-24
> > - Tomcat 9.0.58 (JAVA_OPTS="-Djava.awt.headless=true -Xmx1000m -Xms1000m
> > ..")
> > - My app, which I developed myself, and has been running without any
> > problems for years
> >
> > Well, a couple of months ago my website/Tomcat/Java started eating more
> > and more memory after about 4-7 days. The previous days it uses just a
> > few hundred MB and is very steady, but then after a few days the memory
> > usage suddenly grows up to 1.5GB (and then stops growing at t

Re: Tomcat/Java starts using too much memory and not by the heap or non-heap memory

2023-12-29 Thread Brian Braun
Hello Chuck,

On Fri, Dec 29, 2023 at 11:00 PM Chuck Caldarale  wrote:

>
> > On Dec 29, 2023, at 19:48, Brian Braun  wrote:
> >
> > First of all:
> > Christopher Schultz: You answered an email from me 6 weeks ago. You
> helped
> > me a lot with your suggestions. I have done a lot of research and have
> > learnt a lot since then, so I have been able to rule out a lot of
> potential
> > roots for my issue. Because of that I am able to post a new more specific
> > email. Thanks a lot!!!
> >
> > Now, this is my stack:
> >
> > - Ubuntu 22.04.3 on x86/64 with 2GM of physical RAM that has been enough
> > for years.
>
>
> I presume the “2GM” above should be “2GB”.
>


Yes, sorry, I mean to write "2GB".


>
>
> > - Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04 / openjdk 11.0.20.1 2023-08-24
> > - Tomcat 9.0.58 (JAVA_OPTS="-Djava.awt.headless=true -Xmx1000m -Xms1000m
> > ..")
> > - My app, which I developed myself, and has been running without any
> > problems for years
> >
> > Well, a couple of months ago my website/Tomcat/Java started eating more
> > and more memory after about 4-7 days. The previous days it uses just a
> > few hundred MB and is very steady, but then after a few days the memory
> > usage suddenly grows up to 1.5GB (and then stops growing at that point,
> > which is interesting). Between these anomalies the RAM usage is fine and
> > very steady (as it has been for years) and it uses just about 40-50% of
> the
> > "Max memory" (according to what the Tomcat Manager server status shows).
> > The 3 components of G1GC heap memory are steady and low, before and after
> > the usage grows to 1.5GB, so it is definitely not that the heap starts
> > requiring more and more memory. I have been using several tools to
> monitor
> > that (New Relic, VisualVM and JDK Mission Control) so I'm sure that the
> > memory usage by the heap is not the problem.
> > The Non-heaps memory usage is not the problem either. Everything there is
> > normal, the usage is humble and even more steady.
>
>
> What does the /proc/<pid>/maps file show, both before and after the
> problem occurs? This should give you some idea of what .so library is
> grabbing the extra memory. (I only have Tomcat installed on macOS at the
> moment, so I can’t show you an example; I should be able to bring up Tomcat
> on a Linux box tomorrow.) The output may be long, depending on how
> fragmented the virtual memory allocations are.
>
>
This is the first time I hear about the "/proc/id/maps" file and how to see
the content with "cat". The content is very long and now I suspect that all
those strange lines that don't seem to be files are the source of my
problem. Are those Linux threads or something like that? At least from
the point of view of the JVM there are just 67 threads which I think is
normal considering that I am running "New Relic" and also JMX (and the peak
was 72 threads). I have reviewed all those java threads and all of them
look normal and necessary.
I will paste the content at the end of this email.


> > And there are no leaks, I'm sure of that. I have inspected the JVM using
> > several tools.
> >
> > There are no peaks in the number of threads either. The peak is the same
> > when the memory usage is low and when it requires 1.5GB. It stays the
> same
> > all the time.
> >
> > I have also reviewed all the scheduled tasks in my app and lowered the
> > amount of objects they create, which was nice and entertaining. But that
> is
> > not the problem, I have analyzed the object creation by all the threads
> > (and there are many) and the threads created by my scheduled tasks are
> very
> > humble in their memory usage, compared to many other threads.
> >
> > And I haven't made any relevant changes to my app in the 6-12 months
> before
> > this problem started occurring. It is weird that I started having this
> > problem. Could it be that I received an update in the java version or the
> > Tomcat version that is causing this problem?
> >
> > If neither the heap memory nor the Non-heaps memory is the source of the
> > growth of the memory usage, what could it be? Clearly something is
> > happening inside the JVM that raises the memory usage. And every time it
> > grows, it doesn't decrease. It is as if something suddenly starts
> > "pushing" the memory usage more and more, until it stops at 1.5GB.
> >
> > I think that maybe the source of the problem is the garbage collector. I
> > haven't used any of the switches that we can use to optimize tha

Tomcat/Java starts using too much memory and not by the heap or non-heap memory

2023-12-29 Thread Brian Braun
Hello,

First of all:
Christopher Schultz: You answered an email from me 6 weeks ago. You helped
me a lot with your suggestions. I have done a lot of research and have
learnt a lot since then, so I have been able to rule out a lot of potential
roots for my issue. Because of that I am able to post a new more specific
email. Thanks a lot!!!

Now, this is my stack:

- Ubuntu 22.04.3 on x86/64 with 2GM of physical RAM that has been enough
for years.
- Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04 / openjdk 11.0.20.1 2023-08-24
- Tomcat 9.0.58 (JAVA_OPTS="-Djava.awt.headless=true -Xmx1000m -Xms1000m
..")
- My app, which I developed myself, and has been running without any
problems for years

Well, a couple of months ago my website/Tomcat/Java started eating more and
more memory after about 4-7 days. The previous days it uses just a
few hundred MB and is very steady, but then after a few days the memory
usage suddenly grows up to 1.5GB (and then stops growing at that point,
which is interesting). Between these anomalies the RAM usage is fine and
very steady (as it has been for years) and it uses just about 40-50% of the
"Max memory" (according to what the Tomcat Manager server status shows).
The 3 components of G1GC heap memory are steady and low, before and after
the usage grows to 1.5GB, so it is definitely not that the heap starts
requiring more and more memory. I have been using several tools to monitor
that (New Relic, VisualVM and JDK Mission Control) so I'm sure that the
memory usage by the heap is not the problem.
The Non-heaps memory usage is not the problem either. Everything there is
normal, the usage is humble and even more steady.

And there are no leaks, I'm sure of that. I have inspected the JVM using
several tools.

There are no peaks in the number of threads either. The peak is the same
when the memory usage is low and when it requires 1.5GB. It stays the same
all the time.

I have also reviewed all the scheduled tasks in my app and lowered the
amount of objects they create, which was nice and entertaining. But that is
not the problem, I have analyzed the object creation by all the threads
(and there are many) and the threads created by my scheduled tasks are very
humble in their memory usage, compared to many other threads.

And I haven't made any relevant changes to my app in the 6-12 months before
this problem started occurring. It is weird that I started having this
problem. Could it be that I received an update in the java version or the
Tomcat version that is causing this problem?

If neither the heap memory nor the Non-heaps memory is the source of the
growth of the memory usage, what could it be? Clearly something is
happening inside the JVM that raises the memory usage. And every time it
grows, it doesn't decrease. It is as if something suddenly starts
"pushing" the memory usage more and more, until it stops at 1.5GB.

I think that maybe the source of the problem is the garbage collector. I
haven't used any of the switches that we can use to optimize that,
basically because I don't know what I should do there (if I should at all).
I have also activated the GC log, but I don't know how to analyze it.

I have also increased and decreased the value of "-Xms" parameter and it is
useless.

Finally, maybe I should add that I activated 4GB of SWAP memory in my
Ubuntu instance so at least my JVM would not be killed by the OS anymore
(since the real memory is just 1.8GB). That worked and now the memory usage
can grow up to 1.5GB without crashing, by using the much slower SWAP
memory, but I still think that this is an abnormal situation.

Thanks in advance for your suggestions!


Java/Tomcat is being killed by the Linux OOM killer for using a huge amount of RAM. How can I know what was going on inside my app (& Tomcat & the JVM) to make that happen?

2023-11-16 Thread Brian Braun
Hello,

First of all, this is my stack:

- Ubuntu 22.04.3 on x86/64 with 2GB of physical RAM that has been enough
for years.
- Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04 / openjdk 11.0.20.1 2023-08-24
- Tomcat 9.0.58 (JAVA_OPTS="-Djava.awt.headless=true -Xmx900m -Xms16m
..")
- My app, which I developed myself, and has been running without any OOM
crashes for years

Well, a couple of weeks ago my website started crashing about every 5-7
days. Between crashes the RAM usage is fine and very steady (as it has been
for years) and it uses just about 50% of the "Max memory" (according to
what the Tomcat Manager server status shows). The 3 types of G1 heap are
steady and low. And there are no leaks as far as I can tell. And I haven't
made any significant changes to my app in the last months.

When my website crashes, I can see on the Ubuntu log that some process has
invoked the "oom-killer" and that this killer investigates which process is
using most of the RAM and it is Tomcat/Java so it kills it. This is what I
see on the log when it was Nginx that invoked the OOM-killer:

Nov 15 15:23:54 ip-172-31-89-211 kernel: [366008.597771]
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=nginx.service,mems_allowed=0,global_oom,task_memcg=/system.slice/tomcat9.service,task=java,pid=470,uid=998
Nov 15 15:23:54 ip-172-31-89-211 kernel: [366008.597932] Out of memory:
Killed process 470 (java) total-vm:4553056kB, anon-rss:1527944kB,
file-rss:2872kB, shmem-rss:0kB, UID:998 pgtables:3628kB oom_score_adj:0

I would like to be able to know what was happening inside the JVM when it
was using too much RAM and deserved to be killed. Was it a problem in Java
not associated with Tomcat or my app? Was it Tomcat itself that ate too
much RAM? I doubt it. Was it my application? If it was my application (and
I have to assume it was), how/why was it using all that RAM? What were the
objects, threads, etc that were involved in the crash? What part of the
heap memory was using all that RAM?

This can happen at any time, like at 4am so I can not run to the computer
to see what was going on at that moment. I need some way to get a detailed
log of what was going on when the crash took place.

So my question is, what tool should I use to investigate these crashes? I
have started trying to make "New Relic" work since it seems that this
service could help me, but I am having some problems making it work and I
still don't know if this would be a solution in the first place. So, while
I struggle with New Relic, I would appreciate your suggestions.

Thanks in advance!
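
Added example, not part of the original post: a Python parser for the two kernel lines quoted above that compares the killed JVM's resident memory with the -Xmx900m setting from JAVA_OPTS. The function names are hypothetical; the log lines and options are the ones shown in the post, rejoined from the wrapped e-mail text.

```python
import re

# The two kernel lines quoted in the post, rejoined from the wrapped e-mail text.
OOM_LOG = (
    "Nov 15 15:23:54 ip-172-31-89-211 kernel: [366008.597771] "
    "oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=nginx.service,"
    "mems_allowed=0,global_oom,task_memcg=/system.slice/tomcat9.service,"
    "task=java,pid=470,uid=998\n"
    "Nov 15 15:23:54 ip-172-31-89-211 kernel: [366008.597932] Out of memory: "
    "Killed process 470 (java) total-vm:4553056kB, anon-rss:1527944kB, "
    "file-rss:2872kB, shmem-rss:0kB, UID:998 pgtables:3628kB oom_score_adj:0\n"
)
# JVM options as shown in the post (the elided remainder is left out).
JAVA_OPTS = "-Djava.awt.headless=true -Xmx900m -Xms16m"

CONTEXT_RE = re.compile(r"oom-kill:(\S+)")
KILLED_RE = re.compile(r"Out of memory: Killed process (\d+) \(([^)]+)\) (.*)")
KB_FIELD_RE = re.compile(r"([a-z-]+):(\d+)kB")


def parse_oom_events(log_text):
    """Return one dict per 'Killed process' line, merged with its oom-kill context."""
    contexts = {}  # pid (as text) -> key=value fields of the preceding oom-kill: line
    events = []
    for line in log_text.splitlines():
        ctx = CONTEXT_RE.search(line)
        if ctx:
            # Items without '=' (such as global_oom) are flags and are skipped here.
            fields = dict(
                item.split("=", 1) for item in ctx.group(1).split(",") if "=" in item
            )
            contexts[fields.get("pid")] = fields
            continue
        killed = KILLED_RE.search(line)
        if killed:
            pid, comm, rest = killed.groups()
            event = {"pid": int(pid), "comm": comm}
            event.update({name: int(kb) for name, kb in KB_FIELD_RE.findall(rest)})
            ctx_fields = contexts.pop(pid, {})
            # cpuset belongs to the task whose allocation triggered the OOM killer,
            # task_memcg to the process that was chosen and killed.
            event["trigger_cpuset"] = ctx_fields.get("cpuset")
            event["victim_cgroup"] = ctx_fields.get("task_memcg")
            events.append(event)
    return events


def xmx_kb(java_opts):
    """Maximum heap size in kB taken from the last -Xmx option, or None if absent."""
    found = re.findall(r"(?:^|\s)-Xmx(\d+)([kKmMgG]?)(?=\s|$)", java_opts)
    if not found:
        return None
    value, unit = found[-1]
    bytes_per_unit = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[unit.lower()]
    return int(value) * bytes_per_unit // 1024


def memory_outside_heap(event, max_heap_kb):
    """Lower bound on resident memory that cannot be Java heap.

    The heap can hold at most max_heap_kb, so anything resident beyond that is
    memory the heap limit does not govern.
    """
    rss_kb = event["anon-rss"] + event["file-rss"] + event["shmem-rss"]
    return {
        "rss_kb": rss_kb,
        "max_heap_kb": max_heap_kb,
        "outside_heap_kb": max(0, rss_kb - max_heap_kb),
    }


if __name__ == "__main__":
    for ev in parse_oom_events(OOM_LOG):
        report = memory_outside_heap(ev, xmx_kb(JAVA_OPTS))
        print(ev["comm"], ev["pid"], "killed; OOM triggered from", ev["trigger_cpuset"])
        print("resident kB:", report["rss_kb"], "heap limit kB:", report["max_heap_kb"],
              "outside heap (at least) kB:", report["outside_heap_kb"])
```

For this event the process held at least 609216 kB (about 595 MiB) of resident memory beyond the configured heap limit, so heap-only tooling cannot account for all of it.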


WebApp Mutual TLS for connecting to third party REST service

2023-11-06 Thread Brian Wolfe
Is there a way to use JSSE in tomcat to manage TLS mutual auth for when a
process in tomcat is acting as a client during a REST call to use a client
certificate from a keystore to authenticate to the third party? Or is this
something that has to be handled at the application level?

I know in Java you can specify these system settings on the commandline.
-Djavax.net.ssl.keyStore=/path/to/clientkeystore.p12 \
-Djavax.net.ssl.keyStorePassword=password

I was wondering if anyone else has experience with this use case.

I want to be clear I am not referring to configuring tomcat to enforce
mutual Authn TLS on the connectors.

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Admin password for Tomcat

2023-11-04 Thread Brian Wolfe
You need to build a custom realm for that if you're using tomcat to manage
your user sessions and not creating your own sessions for your application.
You can extend the existing one that you're using. I assume you're using
the JDBC Realm since you said you have a USERS table. So you could add
another field to your table and extend the JDBC class to do an additional
check on your admin pwd field if you don't want them to have a second
account.

https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Standard_Realm_Implementations

You will want to look at the source of the realm implementation to see how
you need to extend it. So you shouldn't have to do too much to get the
functionality you're looking for.

On Sat, Nov 4, 2023 at 8:18 PM Jerry Malcolm  wrote:

> My support team needs to be able to log in to our site as various users
> (on behalf of...) to be able to see exactly what they are seeing since
> roles, access groups, history is different for different users.  I would
> like to implement an admin password where I can log in as any userId
> with this password.  I totally realize the security risks involved in
> this.  But I am handling the security risks with additional
> authorizations.  I simply need to make every user have two passwords...
> their real personal password, and the admin password.  The only
> alternative I have right now is to save off the user's password hash in
> the USERS table, replace it with my password hash, then restore the
> user's original password when I'm done.  I'm not thrilled with that
> solution first because it's a pain and error prone, and also because the
> user can no longer log in while their password is replaced with my
> password.
>
>   I figure this function is buried in the authenticator code somewhere.
> But I'd first like to see if anybody has done anything like this
> already.  If not, could somebody point me in the right direction to the
> tomcat source file that I'm going to need to modify and also what's
> involved in making authentication use my updated class instead of the
> default.
>
> Suggestions?
>
> Thx
>
> Jerry
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: JSF errors when upgrading Tomcat and Eclipse: com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation Unknow type constant pool XX at position XX

2023-10-12 Thread Brian Braun
Hi,

I replaced JSF 2.2.1 with 2.2.20 and the problem is gone! It seems that the
old 2.2.1 JAR had some kind of old format that crashed with the way the
latest Eclipse works. And since 2.2.1 to 2.2.20 is not a huge upgrade, my
old JSF pages still work. Nice!
Thanks!

On Thu, Oct 12, 2023 at 4:35 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 10/12/23 16:55, Brian Braun wrote:
> > Hello,
> >
> > First of all, I apologize if maybe my issue is not exclusively related to
> > Tomcat, but I think it is.
> >
> > I started my website many years ago, using Struts 1.2.4 and since then I
> > have been using it. Some years after that I had the intention to migrate to
> > JSF (version 2.2.X) and combine both frameworks for a while until I
> > migrated everything to JSF and Struts was gone. I started learning it,
> > created a few pages on my site but then I realized that it was not the
> > ideal framework for me, so I stopped creating more pages with JSF and
> > continued developing my site with Struts, letting those few JSF pages that
> > work coexist with the rest of the site running using Struts. Since then, I
> > haven't touched JSF. I haven't created even one page with it, never
> > upgraded its version but the JSF JAR and pages are still there. Years
> > passed and nothing made me think about JSF.
> >
> > Now I'm using:
> > - Mac with the M2 chip
> > - Eclipse (ARM version)
> > - Tomcat, when developing with Eclipse
> > - Tomcat 9.0.58 at my production server (which runs Ubuntu 22.04, x86/64)
> > - Azul's Java 11.0.19+7-LTS aarch64, when developing with Eclipse
> > - Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04, at the production server
> >
> > Well, a few days ago I upgraded Eclipse to Version: 2023-09 (4.29.0) and at
> > the same time upgraded to Azul's Java 11.0.19+7-LTS aarch64 and to Tomcat
> > 9.0.71 when developing. And since then, I get these "SEVERE" JSF error
> > messages (many of them) when I start Tomcat:
> >
> > SEVERE [main]
> > com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation
> > Unknow type constant pool NN at position XX
> >
> > Why is that? Could someone please give me a clue? I just upgraded Eclipse
> > and Tomcat, didn't do anything else relevant and now I get these messages.
> > And when I create the WAR file and deploy it on my production server, I get
> > the same error messages as well over there. It seems like the class files
> > that gets generated are now different, since I didn't upgrade anything on
> > my production server, so it is the WAR file that gets generated with
> > something problematic now.
> >
> > Thanks in advance!
> >
> > Here is the complete stuff that Tomcat shows, as a reference:
> >
> > 12-Oct-2023 14:47:18.676 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server version
> name:
> > Apache Tomcat/9.0.71
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server built: Jan 9
> > 2023 22:33:01 UTC
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server version
> > number: 9.0.71.0
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log OS Name: Mac OS X
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log OS Version: 14.0
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Architecture:
> aarch64
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Java Home:
> > /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
> > 11.0.19+7-LTS
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Azul
> > Systems, Inc.
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
> > /Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
> > /Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
> > 12-Oct-2023 14:47:18.719 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Command line
&

Re: JSF errors when upgrading Tomcat and Eclipse: com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation Unknow type constant pool XX at position XX

2023-10-12 Thread Brian Braun
Hi Chris,

It's JSF version 2.2.1
What is a bytecode scanner? I will google that, I don't have any idea.
And why did I start getting this problem a few days ago? The only thing
that changed is Eclipse (I upgraded it to the latest) and the Tomcat that
Eclipse uses to run the website every time I run it when I'm developing.

I could upgrade JSF to some other version, but would that solve the issue?
I don't know. And what if the few pages that I created using JSF will not
work anymore because of the upgrade? I really totally forgot about how to
use JSF, so I would not like having to learn it again now just because of
this obstacle!

Who is doing the class scanning? Is it JSF? Is it Tomcat? I have no clue
right now. The interesting thing is that in my production server I didn't
change anything in the software stack, but the WAR that now arrives there
causes these problems. It is as if Eclipse is creating a new type of
class/JAR files with some new characteristic, in my opinion.

Thanks for your help!!!


On Thu, Oct 12, 2023 at 4:35 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 10/12/23 16:55, Brian Braun wrote:
> > Hello,
> >
> > First of all, I apologize if maybe my issue is not exclusively related to
> > Tomcat, but I think it is.
> >
> > I started my website many years ago, using Struts 1.2.4 and since then I
> > have been using it. Some years after that I had the intention to migrate to
> > JSF (version 2.2.X) and combine both frameworks for a while until I
> > migrated everything to JSF and Struts was gone. I started learning it,
> > created a few pages on my site but then I realized that it was not the
> > ideal framework for me, so I stopped creating more pages with JSF and
> > continued developing my site with Struts, letting those few JSF pages that
> > work coexist with the rest of the site running using Struts. Since then, I
> > haven't touched JSF. I haven't created even one page with it, never
> > upgraded its version but the JSF JAR and pages are still there. Years
> > passed and nothing made me think about JSF.
> >
> > Now I'm using:
> > - Mac with the M2 chip
> > - Eclipse (ARM version)
> > - Tomcat, when developing with Eclipse
> > - Tomcat 9.0.58 at my production server (which runs Ubuntu 22.04, x86/64)
> > - Azul's Java 11.0.19+7-LTS aarch64, when developing with Eclipse
> > - Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04, at the production server
> >
> > Well, a few days ago I upgraded Eclipse to Version: 2023-09 (4.29.0) and at
> > the same time upgraded to Azul's Java 11.0.19+7-LTS aarch64 and to Tomcat
> > 9.0.71 when developing. And since then, I get these "SEVERE" JSF error
> > messages (many of them) when I start Tomcat:
> >
> > SEVERE [main]
> > com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation
> > Unknow type constant pool NN at position XX
> >
> > Why is that? Could someone please give me a clue? I just upgraded Eclipse
> > and Tomcat, didn't do anything else relevant and now I get these messages.
> > And when I create the WAR file and deploy it on my production server, I get
> > the same error messages as well over there. It seems like the class files
> > that gets generated are now different, since I didn't upgrade anything on
> > my production server, so it is the WAR file that gets generated with
> > something problematic now.
> >
> > Thanks in advance!
> >
> > Here is the complete stuff that Tomcat shows, as a reference:
> >
> > 12-Oct-2023 14:47:18.676 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server version
> name:
> > Apache Tomcat/9.0.71
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server built: Jan 9
> > 2023 22:33:01 UTC
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Server version
> > number: 9.0.71.0
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log OS Name: Mac OS X
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log OS Version: 14.0
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Architecture:
> aarch64
> > 12-Oct-2023 14:47:18.678 INFO [main]
> > org.apache.catalina.startup.VersionLoggerListener.log Java Home:
> > /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home
> > 12-Oct-2023 14:47:18.678 INFO [main]
> >

JSF errors when upgrading Tomcat and Eclipse: com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation Unknow type constant pool XX at position XX

2023-10-12 Thread Brian Braun
Hello,

First of all, I apologize if maybe my issue is not exclusively related to
Tomcat, but I think it is.

I started my website many years ago, using Struts 1.2.4 and since then I
have been using it. Some years after that I had the intention to migrate to
JSF (version 2.2.X) and combine both frameworks for a while until I
migrated everything to JSF and Struts was gone. I started learning it,
created a few pages on my site but then I realized that it was not the
ideal framework for me, so I stopped creating more pages with JSF and
continued developing my site with Struts, letting those few JSF pages that
work coexist with the rest of the site running using Struts. Since then, I
haven't touched JSF. I haven't created even one page with it, never
upgraded its version but the JSF JAR and pages are still there. Years
passed and nothing made me think about JSF.

Now I'm using:
- Mac with the M2 chip
- Eclipse (ARM version)
- Tomcat, when developing with Eclipse
- Tomcat 9.0.58 at my production server (which runs Ubuntu 22.04, x86/64)
- Azul's Java 11.0.19+7-LTS aarch64, when developing with Eclipse
- Java 11.0.20.1+1-post-Ubuntu-0ubuntu122.04, at the production server

Well, a few days ago I upgraded Eclipse to Version: 2023-09 (4.29.0) and at
the same time upgraded to Azul's Java 11.0.19+7-LTS aarch64 and to Tomcat
9.0.71 when developing. And since then, I get these "SEVERE" JSF error
messages (many of them) when I start Tomcat:

SEVERE [main]
com.sun.faces.config.JavaClassScanningAnnotationScanner$ConstantPoolInfo.containsAnnotation
Unknow type constant pool NN at position XX

Why is that? Could someone please give me a clue? I just upgraded Eclipse
and Tomcat, didn't do anything else relevant and now I get these messages.
And when I create the WAR file and deploy it on my production server, I get
the same error messages as well over there. It seems like the class files
that gets generated are now different, since I didn't upgrade anything on
my production server, so it is the WAR file that gets generated with
something problematic now.

Thanks in advance!

Here is the complete stuff that Tomcat shows, as a reference:

12-Oct-2023 14:47:18.676 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:
Apache Tomcat/9.0.71
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built: Jan 9
2023 22:33:01 UTC
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version
number: 9.0.71.0
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name: Mac OS X
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version: 14.0
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture: aarch64
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:
/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
11.0.19+7-LTS
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Azul
Systems, Inc.
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
12-Oct-2023 14:47:18.678 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
12-Oct-2023 14:47:18.719 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument:
-Dcatalina.base=/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
12-Oct-2023 14:47:18.719 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument:
-Dcatalina.home=/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71
12-Oct-2023 14:47:18.719 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument:
-Dwtp.deploy=/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71/webapps
12-Oct-2023 14:47:18.719 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument:
-Djava.util.logging.config.file=/Users/brianbraun/BB/ACME/Programacion-Mac-Silicon/EclipseTomcat9.0.71/conf/logging.properties
12-Oct-2023 14:47:18.720 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
12-Oct-2023 14:47:18.720 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: --add-opens=java.base/java.lang=ALL-UNNAMED
12-Oct-2023 14:47:18.720 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line
argument: --add-opens=java.base/java.io=ALL-UNNAMED
12-Oct-2023 14:47:18.720 

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Brian Wolfe
The PKCS12 is the industry standard keystore format. Your mac should be
creating it in that version. You should get familiar using the pkcs12. It's
not difficult to set it up. keytool and openssl support pkcs12 and have for
some time now. It's possible your older keystores are of the storetype JKS
or JCEKS; JKS used to be the default I think back in Java 6. Anything newer
should throw a warning telling you the industry standard is pkcs12. But you
can still open older formats by specifying the "--storetype" option. You're
getting that error because you probably didn't tell it what kind it is and
its default assumption is wrong.

Using a keystore is much better for managing your keys than using PEM
files. It's best practice to have separate stores for keys and for trust.
By default Java has the "cacerts" file for establishing trust.

On Wed, Sep 13, 2023 at 8:16 PM James H. H. Lampert
 wrote:

> Java Keystores work. And I don't find them especially difficult to work
> with (other than new formats not being backward-compatible with older
> JVMs, and as one who has made a comfortable living banging out code for
> IBM Midrange boxes for over a quarter century, I am quite familiar with
> a much worse variation on that theme, namely, unless you explicitly set
> the TGTRLS parameter (and have the appropriate previous version compiler
> installed, and don't need to go back more than it will let you), your
> programs will not even *restore* onto a prior release system.
>
> And the one time I attempted to get anything other than a Java Keystore
> to work in Tomcat, on an IBM Midrange box, I failed miserably.
>
> Putting shell-script wrappers around two different versions of keytool
> on my work Mac, so that "keytool" launches the Java 8 version, and
> "keytool-default" launches the default version (in the unlikely event
> that I'd ever need it) was a relatively simple exercise.
>
> --
> JHHL

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
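
Added example, not part of the original thread: a Python check that reads the first bytes of a keystore file and reports which store type its header matches, so a declared type can be compared with the actual file before a JVM rejects it. The function names are hypothetical and the sample byte strings are constructed headers, not real keystores.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS store
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS store

# Constructed samples: magic, version 2, zero entries, zeroed 20-byte digest.
JKS_SAMPLE = struct.pack(">III", JKS_MAGIC, 2, 0) + bytes(20)
JCEKS_SAMPLE = struct.pack(">III", JCEKS_MAGIC, 2, 0) + bytes(20)
# Constructed PKCS#12 prefixes: SEQUENCE header followed by INTEGER 3 (PFX version).
PKCS12_SAMPLE = bytes.fromhex("30820a00" "020103" "3082")
PKCS12_BER_SAMPLE = bytes.fromhex("3080" "020103")  # indefinite-length form
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\n"


def looks_like_pfx(data):
    """True if data starts with an ASN.1 SEQUENCE whose first element is INTEGER 3."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    first = data[1]
    # Short form (< 0x80) and indefinite form (0x80) use a one-byte length field;
    # long form stores the length in the next (first & 0x7F) bytes.
    header_len = 2 if first <= 0x80 else 2 + (first & 0x7F)
    return data[header_len:header_len + 3] == b"\x02\x01\x03"


def sniff_keystore(data):
    """Return 'JKS', 'JCEKS', 'PKCS12', 'PEM' or 'unknown' from the file header."""
    if data.lstrip()[:11] == b"-----BEGIN ":
        return "PEM"
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if version in (1, 2):
            if magic == JKS_MAGIC:
                return "JKS"
            if magic == JCEKS_MAGIC:
                return "JCEKS"
    if looks_like_pfx(data):
        return "PKCS12"
    return "unknown"


def check_declared(declared, data):
    """Return None when the declared store type matches the header, else an explanation."""
    actual = sniff_keystore(data)
    if actual == declared.upper():
        return None
    return f"declared {declared.upper()} but the file header looks like {actual}"


if __name__ == "__main__":
    for name, sample in [("JKS", JKS_SAMPLE), ("JKS", PKCS12_SAMPLE), ("PKCS12", PEM_SAMPLE)]:
        print(name, "->", check_declared(name, sample) or "header matches")
```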


Re: Multiple concurrent sessions

2023-05-25 Thread Brian Wolfe
Am I understanding your use case right?
You need a particular user to have multiple sessions in the same browser?
or are you saying you need multiple users to be able to log into your
application in the same browser?

On Thu, May 25, 2023 at 12:45 PM Stephane Passignat 
wrote:

> Hello,
>
> I would like to open multiple concurrent session in a web-application
> for one user. As far as I understand, the sessionid is stored in the
> cookie and the cookie is associated to the server (http://localhost:8080/
> ).
>
> So if I open a new browser window with the URL, I reach the same page
> than the one in the first window, no authentication, ... I can trick
> that using a private browse, but it's not convenient.
>
> Are there any way to have this multiple session per user ? I read a bit
> session-config and tracking mode. Is it the right direction ?
>
>
> thanks for your help
>
> stephane
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: AJP Connector is configured with secretRequired="true" but the secret attribute is either null

2022-10-20 Thread Paquin, Brian
>On 20/10/2022 17:59, Paquin, Brian wrote:
>> Hello,
>>
>> In some cases, I use mod_jk and I am able to have Apache send a “secret” to 
>> my Tomcat Connector.
>> But in other cases, I don’t have a front end – I just use Tomcat 9.0.68 
>> (with Tomcat Native 1.2.35) to host.
>> In the past, I did not need to provide a “secret”, but now it appears I do 
>> since I get the following error in Catalina.out:
>>
>>
>> java.lang.IllegalArgumentException: The AJP Connector is configured with 
>> secretRequired="true" but the secret attribute is either null or "". This 
>> combination is not valid.
>>
>> I have modified the connector in my server.xml for Tomcat to include an 
>> address (server IP) and secret, or try secretRequired=”false”, but the error 
>> still persists.
>> Am I correct that I also need to add the “secret” to Tomcat Native?

> No. That is for AJP connectors only.

>> If yes, where do I add it?

> N/A.

>> If no, what else should I do?

> Show us all the Connector elements in your server.xml file. Mask any
> sensitive information.

> Mark

Issue resolved. I applied the options to the wrong Connector! Thank you, Mark.
Brian


AJP Connector is configured with secretRequired="true" but the secret attribute is either null

2022-10-20 Thread Paquin, Brian
Hello,

In some cases, I use mod_jk and I am able to have Apache send a “secret” to my 
Tomcat Connector.
But in other cases, I don’t have a front end – I just use Tomcat 9.0.68 (with 
Tomcat Native 1.2.35) to host.
In the past, I did not need to provide a “secret”, but now it appears I do 
since I get the following error in Catalina.out:


java.lang.IllegalArgumentException: The AJP Connector is configured with 
secretRequired="true" but the secret attribute is either null or "". This 
combination is not valid.

I have modified the connector in my server.xml for Tomcat to include an address 
(server IP) and secret, or try secretRequired=”false”, but the error still 
persists.
Am I correct that I also need to add the “secret” to Tomcat Native?
If yes, where do I add it?
If no, what else should I do?

Thank you for your time,

Brian


Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Brian Wolfe
You can disable the protocols at the java level in the java.security file

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1,
TLSv1.1

On Wed, Aug 10, 2022 at 5:09 AM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello Peter,
>
> > -Original Message-
> > From: logo
> > Sent: Wednesday, 10 August 2022 10:22
> > To: Tomcat Users List
> > Subject: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
> > sslProtocol="TLSv1.2"
> >
> > Thomas,
> >
> > On 2022-08-10 08:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > > Hello,
> > >
> > >> -Original Message-
> > >> From: Peter Kreuser
> > >> Sent: Wednesday, 10 August 2022 08:44
> > >> To: Tomcat Users List
> > >> Subject: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> > >> have sslProtocol="TLSv1.2"
> > >>
> > >>
> > >>
> > >> James,
> > >>
> > >> the most recent connector attribute is "protocols". The documentation
> > >> is a bit vague on this saying there is an overlap between the two,
> > >> yet I don't know if the overlap is there if protocols is unset and
> > >> defaults to "all"
> > >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> > >>
> > >> Peter
> > >>
> > >> > On 10.08.2022 at 00:15, James H. H. Lampert wrote:
> > >> >
> > >> > I think this may have come up before, but I don't recall how it was
> > resolved.
> > >> >
> > >> > On customer box #1, I have:
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> address=""
> > >> >   maxThreads="400" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >
> > >>
> > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> > >>
> > TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> > >> >
> > >> > But on customer box #2, I have:
> > >> >
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> >   maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and
> TLSv1.2.
> > >> >
> > >> > What could be wrong here? I vaguely recall seeing something like
> this
> > before.
> > >> >
> > >> > --
> > >> > JHHL
> > >
> > > I have configured my connector as follows:
> > >  > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >
> > >
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpleme
> > ntation"
> > >maxThreads="150" minSpareThreads="25"
> > >URIEncoding="UTF-8" useBodyEncodingForURI="false"
> > >enableLookups="false" disableUploadTimeout="true"
> > >acceptCount="100" scheme="https" secure="true"
> > >SSLEnabled="true"
> > >    compression="off" >
> > >  > />
> > >  > > ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
> > SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-
> > SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
> > POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> > > disableSessionTickets="true"
> > honorCipherOrder="false"
> > > protocols="+TLSv1.2,+TLSv1.3">
> > >  > > certificateFile="../xx.pem" type="RSA"  />
> > > 
> > > 
> > >
> > > This gives a good grade when checking with ssllabs.
> > > Only TLS 1.2 and 1.3 are enabled.
> > >
> >
> > of course SSLHostConfig is the modern and preferred way. But unless you
> have
> > plenty of time, it's a hassle to migrate many boxes to the new way...
> >
> > Peter
> >
> > > Greetings, Thomas
> > >
>
> The attributes are quite similar or the same, just located at other
> xml-elements, so you can still use the attributes like "protocols" or
> "ciphers".
> Just located at different tags.
>
> Sooner or later the old syntax will get deprecated. So it's usually a
> matter of time when you have the hassle ;)
>
> Greetings, Thomas


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
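
Added example, not part of the original threads: a Python audit of a server.xml that covers both the AJP secret thread above and this TLS protocol thread. It reports, per Connector, an AJP connector that would fail the secretRequired check, and a TLS connector whose configuration leaves SSLv3, TLSv1 or TLSv1.1 possible unless a jdk.tls.disabledAlgorithms line like the one in this reply rules them out. The server.xml, ports, secret value and finding codes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml; ports and the secret are placeholders.
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="+TLSv1.2,+TLSv1.3" />
    </Connector>
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="all" />
    </Connector>
  </Service>
</Server>
"""
# The java.security line from the reply above, rejoined onto one line.
JAVA_SECURITY = (
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1\n"
)

PROTOCOL_NAMES = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL_ALIAS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # Tomcat's "all"


def expand_protocols(value):
    """Expand a Tomcat protocol list such as '+TLSv1.2,+TLSv1.3', '-TLSv1' or 'all'."""
    enabled = set()
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        name = token.lstrip("+-")
        names = ALL_ALIAS if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def jvm_disabled_protocols(java_security_text):
    """Protocol names in jdk.tls.disabledAlgorithms; backslash continuations are joined."""
    joined = re.sub(r"\\\r?\n\s*", "", java_security_text)
    for line in joined.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            return {item.strip() for item in value.split(",")} & PROTOCOL_NAMES
    return set()


def audit(server_xml, java_security=""):
    """Return (port, code, detail) findings for each Connector, in document order."""
    jvm_off = jvm_disabled_protocols(java_security)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            required = conn.get("secretRequired", "true").strip().lower() != "false"
            if required and not conn.get("secret"):
                findings.append((port, "ajp-secret-missing",
                                 "secretRequired is true but secret is empty"))
            elif not required:
                findings.append((port, "ajp-secret-not-required",
                                 "AJP requests are accepted without a shared secret"))
            continue
        if conn.get("SSLEnabled", "false").strip().lower() != "true":
            continue
        pinned = [conn.get("sslEnabledProtocols")]
        pinned += [host.get("protocols") for host in conn.iter("SSLHostConfig")]
        pinned = [value for value in pinned if value]
        if pinned:
            enabled = set().union(*(expand_protocols(value) for value in pinned))
            code = "tls-legacy-enabled"
        else:
            # No explicit list: what is offered is left to the JVM defaults.
            enabled = set(LEGACY)
            code = "tls-protocols-not-pinned"
        exposed = sorted((enabled & LEGACY) - jvm_off)
        if exposed:
            findings.append((port, code, ",".join(exposed)))
    return findings


if __name__ == "__main__":
    for finding in audit(SERVER_XML):
        print(*finding)
```

The jdk.tls.disabledAlgorithms setting is read by the JVM's own TLS implementation, so it does not apply to a connector that uses the OpenSSL implementation shown in the quoted configuration.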


RE: Encryption of Tomcat AJP

2022-05-19 Thread Brian Eller
TRADING PARTNER

Thank you Mark,

My vendor supports AJP, but I don't know if they support
mod_http_proxy. This is an embedded version of Tomcat 8.5 that is tightly
coupled with the vendor's software and is an installed subcomponent from the
vendor.


Brian Eller  |  Senior System Administrator bel...@guidehouse.com

Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
1200 South College Avenue, Suite 210 | Fort Collins, CO 80524 AceInfo is now a 
Guidehouse company

-Original Message-
From: Mark H. Wood 
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP

On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas 
> Subject: Re: Encryption of Tomcat AJP
>
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> Hello,
> >>
> >>  I am working on a Tomcat install embedded inside a vendor 
> >> product that uses Apache to pass traffic to Tomcat.  My cyber security 
> >> group is asking if we can encrypt all connections.  Can the mod_jk 
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded 
> >Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance 
> >correctly identifies whether the client connection to the reverse proxy was 
> >over HTTP or HTTPS.
> >
> >Mark
>
> I totally agree this is an existing and sufficient mechanism already 
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security 
> risks. On the contrary AJP - maybe because it cannot be configured with 
> encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with less caveats and up to date 
> security requirements?

If the OP's cyber security group insists, then maybe they would care to give 
him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
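
The setup recommended in the thread above (mod_proxy_http over HTTPS in place of AJP, with Tomcat told which scheme the client really used), as an added example that is not from the thread or from the vendor's product. Host names, addresses, ports and file paths are placeholders, and the RemoteIpValve shown in the comments is one assumed way of passing the client scheme to Tomcat.

```apache
# httpd side: replaces the mod_jk/AJP hop with HTTPS to the embedded Tomcat.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Every name, address and path below is a placeholder.

<VirtualHost *:80>
    ServerName app.example.test
    # No cleartext entry point: send browsers to the TLS virtual host.
    Redirect permanent "/" "https://app.example.test/"
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.test

    # TLS towards browsers (the same as in an AJP-based setup).
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/app.example.test.crt
    SSLCertificateKeyFile /etc/httpd/tls/app.example.test.key

    # Before: AJP, which travels in cleartext between httpd and Tomcat.
    #   JkMount /app/* worker1

    # After: TLS on the httpd-to-Tomcat hop. The backend certificate must
    # chain to the pinned CA file and match the host name in ProxyPass,
    # otherwise httpd refuses the connection instead of proxying to an
    # unverified peer.
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Tell Tomcat what the browser used. "set" replaces any value the client
    # supplied, so a forged X-Forwarded-Proto never reaches the backend.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        "/app/" "https://tomcat.internal.example.test:8443/app/"
    ProxyPassReverse "/app/" "https://tomcat.internal.example.test:8443/app/"
</VirtualHost>

# Tomcat side (server.xml, inside <Engine> or <Host>), shown as a comment
# because it lives in a different file:
#
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          internalProxies="10\.0\.0\.5"
#          remoteIpHeader="X-Forwarded-For"
#          protocolHeader="X-Forwarded-Proto"
#          protocolHeaderHttpsValue="https" />
#
# internalProxies is a regular expression matching the httpd address
# (10.0.0.5 is a placeholder). The forwarded headers are honoured only for
# connections from that address, so request.isSecure() and getScheme()
# reflect the browser connection rather than the proxy hop.
#
# Tomcat also needs an HTTPS connector on port 8443 whose certificate is
# issued by the CA in backend-ca.pem. Once traffic flows over it, the AJP
# connector can be removed from server.xml.
```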



Encryption of Tomcat AJP

2022-05-18 Thread Brian Eller
Hello,

I am working on a Tomcat install embedded inside a vendor 
product that uses Apache to pass traffic to Tomcat.  My cyber security group is 
asking if we can encrypt all connections.  Can the mod_jk protocol, AJP, be 
encrypted?

Thank you,
--Brian


Tomcat Native on M1 Macs

2022-04-05 Thread Paquin, Brian
After compiling Tomcat Native (that comes with Tomcat 9.0.62, version 1.2.32) 
on a (ARM) M1 Mac (with Amazon Coretto 11 JDK, APR, and OpenSSL 1.1.1n), I get 
the following error in Catalina.out:

05-Apr-2022 11:10:32.307 WARNING [main] 
org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native 
library failed to load. The error reported was 
[/Library/Java/Extensions/libtcnative-1.0.dylib: 
dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried: 
'/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an 
incompatible architecture (have 'arm64', need 'x86_64')), 
'/usr/lib/libtcnative-1.0.dylib' (no such file)]
java.lang.UnsatisfiedLinkError: 
/Library/Java/Extensions/libtcnative-1.0.dylib: 
dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried: 
'/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an 
incompatible architecture (have 'arm64', need 'x86_64')), 
'/usr/lib/libtcnative-1.0.dylib' (no such file)

Note: After I compiled Native, I did the following (we did this in the past but 
I don’t know if it is still required):

  1.  cp 
/usr/local/tomcat/bin/tomcat-native-1.2.32-src/native/.libs/libtcnative-1.0.dylib
 /Library/Java/Extensions
  2.  cd /Library/Java/Extensions
  3.  ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
  4.  ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib
(Not sure if this is needed anymore…)

Does anyone have instructions for compiling Native on an ARM-based Mac? Or 
suggestions around this issue?

Thank you,

Brian


Re: Tomcat is hanging up when I try to access local host:8080

2022-01-27 Thread Brian Wolfe
netstat -plunet
will show you what ports are in use and what processes are using them

On Thu, Jan 27, 2022 at 11:43 AM Neil Aggarwal 
wrote:

> Jim:
>
> > java.net.BindException: Address already in use
>
> This means there is some other process which has already
> grabbed port 8080 so your Tomcat can't get it.
>
> Make sure you have nothing else running that will compete
> for the port.
>
> Thank you,
>   Neil
>
> --
> Neil Aggarwal, (972) 834-1565, http://www.propfinancing.com
> We offer 30 year loans on single family houses!
>
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Performance Tuning Tomcat 9

2022-01-13 Thread Brian Wolfe
There are a number of tools out there that can load test your site. Most
companies use something like loadrunner, jmeter, or https://gatling.io. I
personally use jmeter due to licensing and ease of use.

On Thu, Jan 13, 2022 at 11:17 AM Campbell, Lance  wrote:

> For Tomcat 9.x is there a particular website you have found to be helpful
> for performance tuning Tomcat 9?
>
> Thanks,
>
> Lance
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: When does tomcat 7.0.76 determine it needs to redeploy the war file?

2021-07-14 Thread Brian Wolfe
Thx Mark. That was helpful

On Mon, Jul 12, 2021 at 2:38 PM Mark Thomas  wrote:

> On 12/07/2021 19:21, Brian Wolfe wrote:
> > Hi,
> > As the subject asks, when does tomcat decide that it needs to redeploy
> the
> > war file? I know the usual one where the app folder does not exist.
> >
> > Basically I have an app where some changes were made to the webapp
> folder,
> > but were not made in the accompanied war file. Then we updated the
> web.xml
> > and restarted tomcat. Some of those changes were overwritten with older
> > versions. So we think tomcat may have redeployed on startup.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/automatic-deployment.html
>
> Mark
>
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


When does tomcat 7.0.76 determine it needs to redeploy the war file?

2021-07-12 Thread Brian Wolfe
Hi,
As the subject asks, when does tomcat decide that it needs to redeploy the
war file? I know the usual one where the app folder does not exist.

Basically I have an app where some changes were made to the webapp folder,
but were not made in the accompanied war file. Then we updated the web.xml
and restarted tomcat. Some of those changes were overwritten with older
versions. So we think tomcat may have redeployed on startup.

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: 500 instances of tomcat on the same server

2021-06-28 Thread Brian Wolfe
I tend to agree with the initial assessment from Mark: your only issue
would be on the OS level, the # of file descriptors for connections. That many
tomcat servers and you're gonna start using a lot of ports and push the OS
limits on file read/write capabilities.

From an architecture perspective you should probably work on moving to a
more modern deployment model of containerization of these apps. You would
be better served by containerizing each customer deployment and running
them on a kubernetes cluster. You can avoid the need for having large
machines and scale more appropriately, and moving between hardware would be
as simple as adding/removing nodes to your cluster. It sounds like the apps
must be simple to be able to scale it to different clients like that. Just
my 2 cents.

On Mon, Jun 28, 2021 at 1:12 PM Eric Robinson 
wrote:

>
>
>
>
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Monday, June 28, 2021 9:04 AM
> > To: users@tomcat.apache.org
> > Subject: Re: 500 instances of tomcat on the same server
> >
> > On 28/06/2021 14:53, Christopher Schultz wrote:
> > > Eric,
> > >
> > > On 6/25/21 22:58, Eric Robinson wrote:
> > >> We can run 75 to 125 instances of tomcat on a single Linux server
> > >> with
> > >> 12 cores and 128GB RAM. It works great. CPU is around 25%, our JVMs
> > >> are not throwing OOMEs, iowait is minimal, and network traffic is
> > >> about 30Mbps. We're happy with the results.
> > >>
> > >> Now we're upping the ante. We have a 48-core server with 1TB RAM, and
> > >> we're planning to run 600+ tomcat instances on it simultaneously.
> > >> What caveats or pitfalls should we watch out for? Are there any hard
> > >> limits that would prevent this from working as expected?
> > > If you have the resources, I see no reason why this would present any
> > > problems.
> > >
> > > On the other hand, what happens when you need to upgrade the OS on
> > > this beast? You are now talking about disturbing not 72-125 clients,
> > > but 600 of them.
> > >
> > > If I had a beast like this, I'd run VMWare (or similar) on it, carve
> > > it up into virtual machines, and run fewer clients on each just
> > > for the sheer flexibility of it.
> > That just moves the goal posts. You'll have the same issue when the
> > hypervisor needs updating (which admittedly may need a reboot less often
> > than the OS).
> >
> > > If this is already a virtualized/cloud environment, then I think
> > > you're doing it wrong: don't provision one huge instance and use it
> > > for multiple clients. Instead, provision lots of small instances and
> > > use them for fewer (or even 1) at a time.
> >
> > But it adds the overhead of an OS for each instance. And costs if you
> have to
> > pay for that OS instance.
> >
>
> The overhead issue is an important factor. The other is the fact that it's
> a canned app, supported by the publisher, and doing it our way pays big
> dividends in terms of that workflow.
>
> > As always there are trade-offs to be made and the "right" answer will
> vary
> > based on circumstances and what you are trying to optimize for. I do
> agree
> > that, generally, more smaller instances will be a closer fit to more use
> cases
> > but that is only a general answer.
> >
>
> Generally, I'd agree too. We are considering using containers, but I'm not
> yet sure what that buys us in terms of stability.
>
> > Mark
> >
>
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Again with the missing headers

2021-04-10 Thread Brian Wolfe
So I'm not too familiar with tomcat 9. However, I did notice that the
maxHttpHeaderSize default is supposed to be 8KB in 9. That is set on the
connector, which affects both request and response headers.

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html

Did you try that?

If I'm not mistaken about a stream of content, the response headers should
be the first thing that is received by the client. Then the body can be
split and transmitted along the connection.

On Sat, Apr 10, 2021 at 10:06 PM Rob Sargent  wrote:

> I saw this mentioned a couple years ago, on tomcat 7, but don't see
> anything recent on this topic and I'm using 9.0.43.  Of 59 separate
> requests to same servlet three repeatedly do not have the header entry
> added by the servlet to the response.  The remaining 56 all have the
> header/value.  The three consistently lose the header.
>
> Size matters?  The 56 which succeed are on average 203 units in payload
> size while the bad boys are 7K,10K,13K units. (And I'm guessing about
> 100 bytes per unit)
>
> The clients streams the payload from the response, and I've tried
> getting the header both before and after the stream has been read.
>
> Any clues as to where the missing header goes?  Does the servlet not
> send it or is it in some /other/ response?
>
> Thanks,
> rjs
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe
Seems there might be some debug you can turn on. I haven't tried it myself.
But look at this for reference.
https://ldapwiki.com/wiki/Tomcat%20And%20LDAP

On Thu, Feb 25, 2021 at 11:18 AM  wrote:

> Dear Brian
>
> Thank you for your reply
>
> We can see the successful handshake with the LDAP Server.
> We think, after that, some more data  goes back and forth and then the
> connection is closed. We can't see what exactly is happening - it's TLSv1.3
> When using ldap with port 3268 - it's all good.
> So the search itself seems to be fine.
>
> Only ldaps with port 3269 fails
>
> Is there maybe another debug Option for the ldap?
>
> Thank you
>
> Susan
>
>
>
> > -Original Message-
> > From: Brian Wolfe 
> > Sent: Donnerstag, 25. Februar 2021 17:00
> > To: Tomcat Users List 
> > Subject: Re: JNDI ldaps Problem with SSO
> >
> > If you define the truststore on the command line it will ignore the
> cacerts file.
> > Also looks like you're trying to connect to AD over the catalog port.
> > I would suggest using the LDAPS port 636. The GC port is used to search
> > things within the forest that may not be in the domain. Small change but
> > shouldn't cause a connection issue if you're using the catalog port.
> >
> > You shouldn't have to configure any additional SSL stuff on the realm.
> As long
> > as your JNDI url is ldaps it should know to use SSL. Java will negotiate
> the SSL
> > for you.
> >
> > One thing you can do is turn on SSL debug and look at the negotiation to
> see
> > if it is negotiating SSL.
> > *-Djavax.net.debug=ssl*
> > You should see it negotiate with the ldap server on startup. You will
> also be
> > able to see the whole SSL handshake and see if it's failing.
> >
> > On Thu, Feb 25, 2021 at 10:35 AM  wrote:
> >
> > > Hi Bill
> > >
> > > Thank you for your fast reply
> > >
> > > We are using RHEL7
> > >
> > > The JAVA is using its default cacerts which includes all ROOT CA's of
> > > the LDAP Server.
> > > We also added another Truststore in the JAVA OPTS of the Tomcat JVM,
> > > which also includes the whole chain of the LDAP Server Cert:
> > >
> > > tomcat   21503 1  2 Feb16 ?05:32:41
> /usr/java/latest/bin/java
> > > -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.
> > > properties
> > > -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > > -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> > > -Djavax.net.ssl.trustStorePassword=xxx
> > > -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> > > -Dnm.data.home=/opt/tomcat/data
> > > -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> > > -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> > > -Djavax.security.auth.useSubjectCredsOnly=false
> > > -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> > > -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed
> > > -classpath
> > > /opt/tomcat/apache-tomcat-
> > 8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-
> > > tomcat-8.0.36/bin/tomcat-juli.jar
> > > -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> > > -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> > > -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> > > org.apache.catalina.startup.Bootstrap start
> > >
> > > Our server.xml only contains the ldap realm and database realm.
> > > Could it be, that a ssl config is necessary too?
> > >
> > > Thank you
> > >
> > > Susan
> > >
> > > > -Original Message-
> > > > From: Bill Stewart 
> > > > Sent: Donnerstag, 25. Februar 2021 16:04
> > > > To: Tomcat Users List 
> > > > Subject: Re: JNDI ldaps Problem with SSO
> > > >
> > > > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> > > >
> > > > We are having a problem with our Single sign On config.
> > > > > When using ldap - all works well.
> > > > >
> > > > > When switching to ldaps, the User loses the connection
> > > > > altogether (Server not reachable)
> > > > >
> > > > > server.xml
> > > > >
> > > > > Good:
> > > > >  > > > >connectionURL="ldap://x..com:3268;
> > > > >userBase="DC=XXXINTRA,DC=CH"

Re: JNDI ldaps Problem with SSO

2021-02-25 Thread Brian Wolfe
If you define the truststore on the command line it will ignore the cacerts
file. Also looks like you're trying to connect to AD over the catalog port.
I would suggest using the LDAPS port 636. The GC port is used to search
things within the forest that may not be in the domain. Small change but
shouldn't cause a connection issue if you're using the catalog port.

You shouldn't have to configure any additional SSL stuff on the realm. As
long as your JNDI url is ldaps it should know to use SSL. Java will
negotiate the SSL for you.

One thing you can do is turn on SSL debug and look at the negotiation to
see if it is negotiating SSL.
*-Djavax.net.debug=ssl*
You should see it negotiate with the ldap server on startup. You will also
be able to see the whole SSL handshake and see if it's failing.

On Thu, Feb 25, 2021 at 10:35 AM  wrote:

> Hi Bill
>
> Thank you for your fast reply
>
> We are using RHEL7
>
> The JAVA is using its default cacerts which includes all ROOT CA's of the
> LDAP Server.
> We also added another Truststore in the JAVA OPTS of the Tomcat JVM, which
> also includes the whole chain of the LDAP Server Cert:
>
> tomcat   21503 1  2 Feb16 ?05:32:41 /usr/java/latest/bin/java
> -Djava.util.logging.config.file=/opt/tomcat/tomcat8_app1/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djavax.net.ssl.trustStore=/etc/pki/tls/certs/RootCore.jks
> -Djavax.net.ssl.trustStorePassword=xxx
> -Djdk.tls.ephemeralDHKeySize=2048 -Xmx12G -XX:+UseThreadPriorities
> -Dnm.data.home=/opt/tomcat/data
> -Djava.security.auth.login.config=/opt/tomcat/data/conf/jaas.conf
> -Djava.security.krb5.conf=/opt/tomcat/tomcat8_app1/conf/krb5.conf
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dsun.security.krb5.debug=false -Duser.timezone=Europe/Berlin
> -Djava.endorsed.dirs=/opt/tomcat/apache-tomcat-8.0.36/endorsed -classpath
> /opt/tomcat/apache-tomcat-8.0.36/bin/bootstrap.jar:/opt/tomcat/apache-tomcat-8.0.36/bin/tomcat-juli.jar
> -Dcatalina.base=/opt/tomcat/tomcat8_appway1
> -Dcatalina.home=/opt/tomcat/apache-tomcat-8.0.36
> -Djava.io.tmpdir=/opt/tomcat/tomcat8_appway1/temp
> org.apache.catalina.startup.Bootstrap start
>
> Our server.xml only contains the ldap realm and database realm.
> Could it be, that a ssl config is necessary too?
>
> Thank you
>
> Susan
>
> > -Original Message-
> > From: Bill Stewart 
> > Sent: Donnerstag, 25. Februar 2021 16:04
> > To: Tomcat Users List 
> > Subject: Re: JNDI ldaps Problem with SSO
> >
> > On Thu, Feb 25, 2021 at 2:31 AM wrote:
> >
> > We are having a problem with our Single sign On config.
> > > When using ldap - all works well.
> > >
> > > When switching to ldaps, the User loses the connection altogether
> > > (Server not reachable)
> > >
> > > server.xml
> > >
> > > Good:
> > >  > >connectionURL="ldap://x..com:3268;
> > >userBase="DC=XXXINTRA,DC=CH"
> > >userSubtree="true"
> > >userSearch="(sAMAccountName={0})"
> > >userRoleName="memberOf"
> > >
> > >
> > > roleBase="OU=PF00_App-
> > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU
> > > =PF00,DC=XXXINTRA,DC=ch
> > > "
> > >roleName="CN"
> > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > >roleSubtree="true"
> > >roleNested="true" />
> > >
> > > bad:
> > >
> > >  > >connectionURL="ldaps://x..com:3269"
> > >userBase="DC=XXXINTRA,DC=CH"
> > >userSubtree="true"
> > >userSearch="(sAMAccountName={0})"
> > >userRoleName="memberOf"
> > >
> > >  roleBase="OU=PF00_App-
> > Access,OU=PF00_App,OU=PF00_Server,OU=PF00_Res,OU=PF00,DC=XXXINT
> > RA,DC=ch"
> > >roleName="CN"
> > >roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
> > >roleSubtree="true"
> > >roleNested="true" />
> > >
> >
> > If you are running Tomcat on Windows, my question is whether the Java
> > running your Tomcat server trusts the Windows certificate store for the
> > secure LDAP.
> >
> > If you are running Tomcat on Windows, try adding the following parameter
> to
> > the Java command line for your application:
> >
> > -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
> >
> > (If you are using procrun which is likely on Windows, this means to go
> to the
> > "Java" tab for the Tomcat service configuration and add the above line
> to the
> > "Java Options" text box.)
> >
> > Bill
>
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Out of memory exception

2021-02-18 Thread Brian Wolfe
ing list because I was responsible for
> > Tomcat servers running apps developed in-house, and every once in a
> > while, I needed to ask something tomcat-specific.
> >
> > Thanks,
> > Shawn
> >
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: Tomcat SSO valve implementation

2020-12-22 Thread Brian Wolfe
Most apps I have seen implement it themselves using a SAML framework like
spring. Usually they build the functionality into their App. I suppose you
could build a tomcat implementation. Tomcat supports J2EE so you could
leverage those mechanisms to get the tomcat session. I don't think there is
anything OOTB for tomcat SAML. Essentially you need to create a couple
endpoints, one for SAML metadata retrieval/generation and one for parsing
an incoming SAML assertion, assuming you're providing a service with your
App. You would also want a logout endpoint. You will also need to figure
out login as your App needs to redirect to the IDP in the event a user
does not have a session. Some SPs have a local login and IDP login. So you
would have to implement that.

In my quick Google searching there seems to be a tool called PicketLink
that might do some of this for you. This seems to be a decent write up
although I haven't used it.
https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink


On Tue, Dec 22, 2020 at 12:04 PM Steve Sanders 
wrote:

> Just to add on to the options already listed (which I'm sure work just
> great!), we used openSAML and wrote our own valve fairly painlessly and
> have been having really good success with it.
>
> Steve Sanders
>
> On Mon, Dec 21, 2020 at 1:17 PM George Stanchev <
> george.stanc...@microfocus.com> wrote:
>
> > We use spring-security-saml for application-level SP implementation and
> it
> > works pretty good too. The project is in the process of being rewritten
> > from scratch though with 2.0 in milestone builds. No direct integration
> > with Tomcat though but on application level.
> >
> > George
> >
> > -Original Message-
> > From: André Warnier (tomcat/perl) 
> > Sent: Thursday, December 17, 2020 8:42 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Tomcat SSO valve implementation
> >
> > On 16.12.2020 19:39, Kevin Oxley wrote:
> > > We are trying to support SSO SAML 2.0 for user authentication in Tomcat
> > > (9.0.22).   Can anybody provide a reference to a pre-integrated SAML
> SSO
> > > valve implementation that you've had a good experience with?
> > >
> >
> > searching Google for "SAML SP for servlet engine" gives a few links,
> among
> > them this one :
> >
> https://dzone.com/articles/saml-single-sign-on-with-tomcat-and-picketlink
> >
> > I haven't tried it myself. In my cases, I always use an Apache httpd
> > front-end, which does the authentication prior to proxying to a back-end
> > tomcat (with the Connector attribute '
> > tomcatAuthentication="false" '). In the front-end Apache2 httpd then, we
> > use Shibboleth as the SAML SP side.
> > That works perfectly.
> >
> >
> >
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: ANN: Bill Stewart's Apache Tomcat Setup for Windows [9.0.40]

2020-12-01 Thread Brian Wolfe
Rob,
It looks like this installer is specific to windows and from a brief glance
at documentation it mostly helps setting it up as a windows service and
helps with upgrades. As far as linux distributions go installation and
upgrade via the rpm packages should take care of most of that. At least
setting up the systemctl services and the user/groups necessary for it to
run. I'm not sure I see a need for something similar for linux. Anything
more would be specific to your use case.

On Tue, Dec 1, 2020 at 6:08 PM Rob Sargent  wrote:

> Is there something similar for embedded tomcat on linux?
>
> On 12/1/20 3:58 PM, Bill Stewart wrote:
> > Documentation and installer source:
> >
> > https://github.com/Bill-Stewart/ApacheTomcatSetup
> >
> > Download installer:
> >
> > https://github.com/Bill-Stewart/ApacheTomcatSetup/releases
> >
> >
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/


Re: mod_jk "Can not determine the proper size for pid_t" on macOS 10.15.7

2020-10-28 Thread Paquin, Brian
Chris,

> On Oct 27, 2020, at 12:31 PM, Christopher Schultz 
>  wrote:
> 
> Brian
> 
> On 10/26/20 15:33, Paquin, Brian wrote:
>> I’m trying to build httpd and mod_jk for the first time on a macOS 10.15.7 
>> box. XCode 12.1 is installed and I was able to compile OpenSSL 1.1.1g.
>> I got an error “Can not determine the proper size for pid_t” when compiling 
>> httpd (v2.4.46) with included apr (v1.7.0).
>> This issue https://bz.apache.org/bugzilla/show_bug.cgi?id=64753 provided a
>> diff patch that adds “#include ” in a number of locations.
>> Applying this patch allowed me to compile httpd!
> 
> Weird. pid_t is defined in  and yet the patch adds  
> to fix it.
> 
> I don't have access to my Catalina machine right now, but my clang-based 
> Mojave machine still says to use  when you "man getpid":
> 
> "
> GETPID(2)   BSD System Calls Manual
> 
> NAME
> getpid, getppid -- get parent or calling process identification
> 
> SYNOPSIS
> #include 
> 
> pid_t
> getpid(void);
> "
> 
> $ cc --version
> Apple LLVM version 10.0.1 (clang-1001.0.46.4)
> Target: x86_64-apple-darwin18.7.0
> Thread model: posix
> InstalledDir: /Library/Developer/CommandLineTools/usr/bin
> 
>> Now I am trying to compile mod_jk (v1.2.48), and I get the same error.
>> Does someone have a patch file I can use to get around this issue?
>> $ ./configure CFLAGS='-arch x86_64' APXSLDFLAGS='-arch x86_64' 
>> --with-apxs=/usr/local/apache2/bin/apxs
>> 
>> $ make
>> 
>> Making all in common
>> /usr/local/apache-2.4.46/build/libtool --silent --mode=compile gcc -I. 
>> -I/usr/local/apache-2.4.46/include -arch x86_64 -DHAVE_CONFIG_H -arch x86_64 
>>  -DHAVE_APR  -I/usr/local/apache-2.4.46/include 
>> -I/usr/local/apache-2.4.46/include -arch x86_64 -DHAVE_CONFIG_H -DDARWIN 
>> -DSIGPROCMASK_SETS_THREAD_MASK -DDARWIN_10 -c jk_ajp12_worker.c -o 
>> jk_ajp12_worker.lo
>> In file included from jk_ajp12_worker.c:25:
>> In file included from ./jk_ajp12_worker.h:26:
>> In file included from ./jk_logger.h:26:
>> In file included from ./jk_global.h:340:
>> ./jk_types.h:56:2: error: Can not determine the proper size for pid_t
>> #error Can not determine the proper size for pid_t
>>  ^
>> ./jk_types.h:62:2: error: Can not determine the proper size for pthread_t
>> #error Can not determine the proper size for pthread_t
>>  ^
>> 2 errors generated.
>> make[1]: *** [jk_ajp12_worker.lo] Error 1
>> make: *** [all-recursive] Error 1
>> $
> 
> I'm sorry, I have no idea how configure does its magic. The auto-generated 
> jk_types.h looks like a hand-wavy template to me.
> 
> You can probably hack it briefly by running "configure" (which you already 
> did) and then hand-editing include/jk_types.h (ignoring the warning NOT to 
> hand-edit it!) and manually adding:
> 
> #include 
> 
> to the top.

I added the line above to 
./tomcat-connectors-1.2.48-src/native/common/jk_types.h and tried running make 
again but got the same error. I do not have an include directory in 
./tomcat-connectors-1.2.48-src/native/.

Any other suggestions?

I really appreciate your help!

Brian

> Give that a try and see if it works.
> 
> -chris
> 





mod_jk "Can not determine the proper size for pid_t" on macOS 10.15.7

2020-10-26 Thread Paquin, Brian
I’m trying to build httpd and mod_jk for the first time on a macOS 10.15.7 box. 
XCode 12.1 is installed and I was able to compile OpenSSL 1.1.1g.
I got an error “Can not determine the proper size for pid_t” when compiling 
httpd (v2.4.46) with included apr (v1.7.0).
This issue https://bz.apache.org/bugzilla/show_bug.cgi?id=64753 provided a diff 
patch that adds “#include ” in a number of locations.
Applying this patch allowed me to compile httpd!

Now I am trying to compile mod_jk (v1.2.48), and I get the same error.
Does someone have a patch file I can use to get around this issue?

$ ./configure CFLAGS='-arch x86_64' APXSLDFLAGS='-arch x86_64' 
--with-apxs=/usr/local/apache2/bin/apxs

$ make

Making all in common
/usr/local/apache-2.4.46/build/libtool --silent --mode=compile gcc -I. 
-I/usr/local/apache-2.4.46/include -arch x86_64 -DHAVE_CONFIG_H -arch x86_64  
-DHAVE_APR  -I/usr/local/apache-2.4.46/include 
-I/usr/local/apache-2.4.46/include -arch x86_64 -DHAVE_CONFIG_H -DDARWIN 
-DSIGPROCMASK_SETS_THREAD_MASK -DDARWIN_10 -c jk_ajp12_worker.c -o 
jk_ajp12_worker.lo
In file included from jk_ajp12_worker.c:25:
In file included from ./jk_ajp12_worker.h:26:
In file included from ./jk_logger.h:26:
In file included from ./jk_global.h:340:
./jk_types.h:56:2: error: Can not determine the proper size for pid_t
#error Can not determine the proper size for pid_t
 ^
./jk_types.h:62:2: error: Can not determine the proper size for pthread_t
#error Can not determine the proper size for pthread_t
 ^
2 errors generated.
make[1]: *** [jk_ajp12_worker.lo] Error 1
make: *** [all-recursive] Error 1
$

Brian



Re: 400 error when upgrading tomcat

2020-09-10 Thread Brian Harris
Thanks Christopher.  You just nailed it buddy.  I changed them all to \r\n
and it got a 200.  I was completely overlooking that as it had never caused
a problem before.  Something in 8.5.51 would not allow that anymore.

On Thu, Sep 10, 2020 at 4:07 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Brian,
>
> On 9/10/20 13:13, Brian Harris wrote:
> > We’re having an issue when upgrading Tomcat from 8.5.50 to 8.5.51.
> > Since moving to this version, requests sent to the http port are
> > failing with a 400 error code(bad request).  The server.xml is
> > configured to redirect the http port to the https port.  This has
> > worked for years and did not start failing until the upgrade.
> > Below is the connector config and the java class used to send a
> > test transaction to the server.
> >
> > I’ve searched the change log and the only change I can see that
> > might cause this is the Bug fix for bug 63966 – Charset of TLS
> > message is hard coded to ISO-8859-1.  This bug fix was introduced
> > into 8.5.51.  The reason I believe this might be the reason is when
> > we would send this request to tomcat 8.5.50 the reply Content-Type
> > would look like this:
> >
> >
> >
> > Content-Type: text/plain;charset=ISO-8859-1
> >
> >
> >
> > With tomcat 8.5.51, I get this:
> >
> > Content-Type: text/html;charset=utf-8
> >
> >
> >
> > Any ideas why I’m getting the 400 error when upgrading to 8.5.51
> > and beyond ?
> >
> >
> >
> > Connector config:
> >
> >
> >
> >  >
> > connectionTimeout="2"
> >
> > redirectPort=""
> >
> > />
> >
> >
> >
> >  >
> > scheme="https" secure="true"
> > ciphers="TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_
> GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_
> GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AE
> S_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_
> AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECD
> SA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECD
> HE_RSA_WITH_AES_256_GCM_SHA384"
> >
> >  clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1.2"
> >
> > keyAlias="myKey"
> >
> > keystore="NONE"
> >
> > keystorePass="password"
> >
> > keystoreType="PKCS11"
> >
> > keystoreProvider="myprovider"
> >
> > enableLookups="false"
> >
> > server="server"
> >
> > "/>
> >
> >
> >
> >
> >
> > Java class used to send the test transaction:
> >
> >
> >
> > package com.testing;
> >
> >
> >
> > import java.io.*;
> >
> > import java.net.*;
> >
> > import java.util.Date;
> >
> > import java.text.DateFormat;
> >
> > import java.text.SimpleDateFormat;
> >
> >
> >
> > public class RunTestTran{
> >
> >
> >
> > public  RunTestTran() {
> >
> > }
> >
> >
> >
> > public static void main(String [] args){
> >
> > RunTestTran recordProcessorTest = new RunTestTran();
> >
> > recordProcessorTest.runTran("localhost", ,
> > "/requestProcessor/rp");
> >
> > }
> >
> >
> >
> > private void runTran(String ip, int port, String appName){
> >
> > Socket socket = null;
> >
> > PrintWriter out = null;
> >
> > BufferedReader in = null;
> >
> > String dataToSend = "";
> >
> >
> >
> > //Create socket connection
> >
> > try {
> >
> > socket = new Socket(ip, port);
> >
> > out = new PrintWriter(socket.getOutputStream(), true);
> >
> > in = new BufferedReader(new
> > InputStreamReader(socket.getInputStream()));
> >
> > } catch  (Exception e) {
> >
> > System.out.println("Exception:" + e.toString() );
> >
> > System.exit(1);
> >
> > }
> >
> >
> >
> > DateFormat dateFormat = new SimpleDateFormat("MMddHHmmsss");
> >
> > //get current date time with Date() to create a 11 digit tran id
> >
> > Date date = new Date();
> >
> > String tranId = date

400 error when upgrading tomcat

2020-09-10 Thread Brian Harris
We’re having an issue when upgrading Tomcat from 8.5.50 to 8.5.51.  Since
moving to this version, requests sent to the http port are failing with a
400 error code(bad request).  The server.xml is configured to redirect the
http port to the https port.  This has worked for years and did not start
failing until the upgrade.  Below is the connector config and the java
class used to send a test transaction to the server.



I’ve searched the change log and the only change I can see that might cause
this is the Bug fix for bug 63966 – Charset of TLS message is hard coded to
ISO-8859-1.  This bug fix was introduced into 8.5.51.  The reason I believe
this might be the reason is when we would send this request to tomcat
8.5.50 the reply Content-Type would look like this:



Content-Type: text/plain;charset=ISO-8859-1



With tomcat 8.5.51, I get this:

 Content-Type: text/html;charset=utf-8



Any ideas why I’m getting the 400 error when upgrading to 8.5.51 and beyond
?



Connector config:







   





Java class used to send the test transaction:



package com.testing;

import java.io.*;
import java.net.*;
import java.util.Date;
import java.text.DateFormat;
import java.text.SimpleDateFormat;

public class RunTestTran{

    public  RunTestTran() {
    }

    public static void main(String [] args){
        RunTestTran recordProcessorTest = new RunTestTran();
        recordProcessorTest.runTran("localhost", , "/requestProcessor/rp");
    }

    private void runTran(String ip, int port, String appName){
        Socket socket = null;
        PrintWriter out = null;
        BufferedReader in = null;
        String dataToSend = "";

        //Create socket connection
        try {
            socket = new Socket(ip, port);
            out = new PrintWriter(socket.getOutputStream(), true);
            in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        } catch  (Exception e) {
            System.out.println("Exception:" + e.toString() );
            System.exit(1);
        }

        DateFormat dateFormat = new SimpleDateFormat("MMddHHmmsss");
        //get current date time with Date() to create a 11 digit tran id
        Date date = new Date();
        String tranId = dateFormat.format(date);
        String PRIMER_TRAN = " V " + tranId +
            "990JANE   DOE 100 Redwood Shores Pkwy Redwood City   CA94065000  PRIMER TRAN";

        try{
            dataToSend = URLEncoder.encode("inputRecord", "UTF-8") + "=" + URLEncoder.encode(PRIMER_TRAN, "UTF-8");
        }catch(Exception e){
            System.out.println("Exception caught!" + e.toString());
        }

        // send message
        StringBuffer sb = new StringBuffer();
        sb.append("POST /" + appName + "/wrp HTTP/1.1\r\n");
        // Try connection close-- see if it does close
        sb.append("Connection: close\r\n");
        sb.append("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword\n");
        sb.append("Accept-Language: en-us\n");
        sb.append("Accept-Encoding: gzip, deflate\n");
        sb.append("User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n");
        // Authorization
        sb.append("Authorization: Basic DK34a3RvbWVydGVzddkK7WCx\n");
        sb.append("Host: " + ip + ":" + port + "\n");
        sb.append("Content-Length: " + dataToSend.length() + "\r\n");
        sb.append("Content-Type: application/x-www-form-urlencoded\r\n");
        sb.append("\r\n");
        sb.append(dataToSend);

        // Send data
        String text = sb.toString();
        out.println(text);

        System.out.println("\nText sent " + text.length() + " bytes:");
        System.out.println(text + "\n\n");

        try{
            String gotBack1 = in.readLine();
            System.out.println("Text received:" + gotBack1 );
            String gotBack = null;
            while (  (gotBack = in.readLine()) != null){
                System.out.println("Text received:" + gotBack );
                if ( (gotBack.indexOf("TQ!") != -1)){
                    break;
                }
            }
        } catch (Exception e){
            System.out.println("Read failed! " + e.toString());
            System.exit(1);
        }
    }
}
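The reply in this thread reports that the 400 went away once every header line ended in \r\n. The following is an added example, not code from the thread or from Tomcat: it walks a raw request head, reports which lines end in a bare LF, and rewrites the head with CRLF while leaving the body untouched. The sample request is constructed to mirror the mix of terminators in the posted client, and `audit_head`, `bare_lf_lines` and `normalize_head` are names chosen here.

```python
from typing import List, NamedTuple, Tuple


class HeadLine(NamedTuple):
    number: int       # 1-based position in the request head
    text: str         # line content without its terminator
    terminator: str   # "CRLF" or "LF"


def audit_head(raw: bytes) -> Tuple[List[HeadLine], int]:
    """Walk the request head line by line.

    Returns the head lines and the offset of the first body byte,
    or -1 as the offset when no blank line ends the head.
    """
    lines: List[HeadLine] = []
    pos = 0
    while True:
        nl = raw.find(b"\n", pos)
        if nl == -1:
            return lines, -1
        crlf = nl > pos and raw[nl - 1:nl] == b"\r"
        text = raw[pos:nl - 1] if crlf else raw[pos:nl]
        pos = nl + 1
        if not text:  # blank line: end of the head
            return lines, pos
        lines.append(
            HeadLine(len(lines) + 1, text.decode("latin-1"), "CRLF" if crlf else "LF")
        )


def bare_lf_lines(raw: bytes) -> List[HeadLine]:
    """Head lines that end in LF without a preceding CR."""
    lines, _ = audit_head(raw)
    return [line for line in lines if line.terminator == "LF"]


def normalize_head(raw: bytes) -> bytes:
    """Re-emit the head with CRLF on every line; the body bytes are not modified,
    so an existing Content-Length stays valid."""
    lines, body_at = audit_head(raw)
    if body_at == -1:
        raise ValueError("request head is not terminated by a blank line")
    head = b"".join(line.text.encode("latin-1") + b"\r\n" for line in lines)
    return head + b"\r\n" + raw[body_at:]


# Constructed sample: same pattern as the posted client, where some header
# lines end in "\r\n" and others in "\n". Host carries no port on purpose.
BODY = b"inputRecord=PRIMER+TRAN"
SAMPLE = (
    b"POST //requestProcessor/rp/wrp HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"Accept-Language: en-us\n"
    b"Accept-Encoding: gzip, deflate\n"
    b"Host: localhost\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n" + BODY
)


if __name__ == "__main__":
    for line in bare_lf_lines(SAMPLE):
        print(f"line {line.number} ends in bare LF: {line.text!r}")
    fixed = normalize_head(SAMPLE)
    print("bare LF lines after normalizing:", len(bare_lf_lines(fixed)))
```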

Native question (using Tomcat 8.5 and 9.0 on the same machine)

2020-09-02 Thread Paquin, Brian
I have a macOS device with Tomcat 8.5 and Native 1.2.23.
I have been asked to add Tomcat 9.0 which has Native 1.2.24.
In my setup documents, I copy “.libs/libtcnative-1.0.dylib” to 
/Library/Java/Extensions/ after compiling Native.

When running Tomcat 8.5 and 9.0 on the same device, are there any issues using 
the newer dylib from Native 1.2.24 with the older Tomcat instances?

Brian


Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-23 Thread Brian


-Original Message-
From: Emmanuel Bourg 
Reply-To: Tomcat Users List 
Date: Tuesday, June 23, 2020 at 20:01
To: "users@tomcat.apache.org" 
Subject: Re: File "catalina.out" not being created/populated when using Tomcat 
9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

Le 24/06/2020 à 02:35, Brian a écrit :

> Good news: I updated "/etc/tmpfiles.d/tomcat9.conf" (the file I created)
> with the new value of 2770. Deleted all the logs inside "/var/log/tomcat9" and
> restarted Ubuntu. "catalina.out" got created and populated.
> Bad news: Then I deleted all the logs inside "/var/log/tomcat9" and just
> restarted Tomcat (which is something I do sometimes, in production).
> "catalina.out" didn't get created this time.
>
> Just to confirm, again I deleted all the logs inside "/var/log/tomcat9"
> and restarted Ubuntu. "catalina.out" got created and populated again.
> 
> Any ideas?

The catalina.out file is held by rsyslogd and isn't recreated unless you
restart rsyslogd. Try this when you clean the logs and restart Tomcat:

  systemctl restart rsyslog tomcat9


Hi,

I just realized that when the "bad news" experiment took place, in the syslog 
there was NOT another of those " file '/var/log/tomcat9/catalina.out': open 
error: Permission denied.." errors, so I guess it was not a permissions issue 
anymore, which makes me think that the "2770" value finally solved that issue. 
That is nice, thanks!
OK, I restarted rsyslog and then started Tomcat again as you advised and... you 
are right, the catalina.out file got created again. So I think you are right 
about rsyslogd still holding the log file.

To be honest with you, I'm happy about the catalina.out file finally getting 
created and I really appreciate your kind help, I really do. But I'm not really 
happy about having to restart rsyslog before every time I need to restart 
Tomcat. It is weird, and I guess a lot of users will never imagine that they 
have to do that and they will not feel very pleased when they realize that the 
catalina.out file doesn't get created after restarting Tomcat. And probably 
most of them will not even notice that the Tomcat log is being added to the 
syslog, for that matter. This whole new relation between syslog and Tomcat is 
really weird and I don't think the users are being warned about it. I have used 
Tomcat+Ubuntu for several years and I haven't seen this complication before. If 
there is an advantage about this relation between syslog and Tomcat, I really 
can't see it. 

Thanks again!

Brian




Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-23 Thread Brian


-Original Message-
From: Emmanuel Bourg 
Reply-To: Tomcat Users List 
Date: Tuesday, June 23, 2020 at 19:02
To: "users@tomcat.apache.org" 
Subject: Re: File "catalina.out" not being created/populated when using Tomcat 
9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

Le 23/06/2020 à 19:48, Brian a écrit :

> It seems that rsyslogd is still unable to deal with
> "/var/log/tomcat9/catalina.out".
> What could be wrong now? Do you have any ideas?

I got the permissions wrong, the adm group is now allowed to write to
/var/log/tomcat9 but not to enter it. Try 2770 instead of 2760.

Emmanuel Bourg


Hi Emmanuel,

Good news: I updated "/etc/tmpfiles.d/tomcat9.conf" (the file I created) with 
the new value of 2770. Deleted all the logs inside "/var/log/tomcat9" and 
restarted Ubuntu. "catalina.out" got created and populated.
Bad news: Then I deleted all the logs inside "/var/log/tomcat9" and just 
restarted Tomcat (which is something I do sometimes, in production). 
"catalina.out" didn't get created this time.

Just to confirm, again I deleted all the logs inside "/var/log/tomcat9" and 
restarted Ubuntu. "catalina.out" got created and populated again.

Any ideas?

Brian
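The three modes tried in this thread for /var/log/tomcat9 (2750, 2760, 2770), worked through as an added example that is not code from the thread or from the tomcat9 package. It renders each mode the way `ls -l` prints it and checks whether a non-root rsyslogd in group adm could create catalina.out in that directory; the numeric uid and gid values are constructed, and the function names are chosen here.

```python
import stat
from typing import Iterable, List, Tuple

# Constructed ids for illustration; real values come from /etc/passwd and /etc/group.
TOMCAT_UID = 998   # owner of /var/log/tomcat9
ADM_GID = 4        # group of /var/log/tomcat9
SYSLOG_UID = 104   # Ubuntu case from the thread: rsyslogd runs as syslog:adm
ROOT_UID = 0       # Debian case from the thread: rsyslogd runs as root


def ls_mode(dir_mode: int) -> str:
    """Render a directory mode as `ls -l` shows it.

    With the setgid bit set, the group execute column prints 's' when group
    execute is also set and 'S' when it is not.
    """
    return stat.filemode(stat.S_IFDIR | dir_mode)


def can_create_entry(dir_mode: int, dir_uid: int, dir_gid: int,
                     proc_uid: int, proc_gids: Iterable[int]) -> bool:
    """Can this process create a file inside the directory?

    Creating an entry needs both write and search (execute) permission on the
    directory. Exactly one permission class applies: owner, else group, else other.
    """
    if proc_uid == ROOT_UID:
        return True  # root is not subject to the mode bits
    if proc_uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in set(proc_gids):
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need


def survey(modes=(0o2750, 0o2760, 0o2770)) -> List[Tuple[str, str, bool]]:
    """For each mode: octal text, ls rendering, and whether syslog:adm can create a file."""
    rows = []
    for mode in modes:
        allowed = can_create_entry(mode, TOMCAT_UID, ADM_GID, SYSLOG_UID, [ADM_GID])
        rows.append((format(mode, "o"), ls_mode(mode), allowed))
    return rows


if __name__ == "__main__":
    for octal, rendered, allowed in survey():
        print(f"{octal}  {rendered}  rsyslogd (syslog:adm) can create catalina.out: {allowed}")
    as_root = can_create_entry(0o2750, TOMCAT_UID, ADM_GID, ROOT_UID, [0])
    print(f"2750 with rsyslogd as root: {as_root}")
```

The capital `S` in the `drwxrwS---` listing earlier in the thread is the visible sign of mode 2760: setgid is set but group execute is not, so group members can neither enter the directory nor create files in it.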


Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-23 Thread Brian


-Original Message-
From: Emmanuel Bourg 
Date: Monday, June 22, 2020 at 18:14
To: Tomcat Users List , Brian 
Subject: Re: File "catalina.out" not being created/populated when using Tomcat 
9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

Le 22/06/2020 à 18:43, Brian a écrit :

> I'm not really an expert with Linux. It would seem to me that the "adm"
> group (to which syslog seems to belong) lacks a write permission

Indeed, rsyslog in Ubuntu runs as syslog:adm and needs special
permissions to write to /var/log/tomcat9. This issue should be reported
to Ubuntu.

The tomcat9 package in Debian isn't affected by this issue because
rsyslogd runs as root.


> OK, I did it and the write permission was added to the adm group. I
> restarted Tomcat and it worked, the catalina.out file got created! However,
> after I restarted the whole Ubuntu, I discovered that the permissions went back
> to how they were (not write for adm). Why is that?

The permissions on this directory are managed by systemd-tmpfiles. The
tomcat9 package defines the expected permissions in
/usr/lib/tmpfiles.d/tomcat9.conf and the permissions are enforced when
the system starts.

It's possible to override the default settings, you have to copy the
configuration file to /etc/tmpfiles.d/ and change the permissions on
/var/log/tomcat9 from 2750 to 2760:

  cp /usr/lib/tmpfiles.d/tomcat9.conf /etc/tmpfiles.d/
  sed -i s/2750/2760/ /etc/tmpfiles.d/tomcat9.conf

The write permissions for the adm group will then be persistent.


Hi Emmanuel,

Thanks a lot for your help, but unfortunately I think that something is still 
not working.
I copied the file running the cp command, and then edited the created file to 
replace "2750" with "2760", then restarted Ubuntu. But I still have the same 
problem, catalina.out never gets created.
Then I tried editing the original file (/usr/lib/tmpfiles.d/tomcat9.conf) 
replacing "2750" with "2760", then restarted Ubuntu. But I still have the 
same problem.
I verified that the permissions stay correct, I mean giving write permission to 
the adm group after I restart Ubuntu, and that DOES work! When I perform a "ls 
-l /var/log/", this is what I see for the "tomcat9" directory:

drwxrwS---  3 tomcat adm 4096 Jun 23 11:31 tomcat9

Finally, I checked the syslog and this is what I found:

Jun 23 12:27:43 ip-172-31-92-155 systemd[1]: Starting Apache Tomcat 9 Web Application Server...
Jun 23 12:27:43 ip-172-31-92-155 systemd[1]: Started Apache Tomcat 9 Web Application Server.
Jun 23 12:27:43 ip-172-31-92-155 tomcat9[594]: NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Jun 23 12:27:43 ip-172-31-92-155 rsyslogd: file '/var/log/tomcat9/catalina.out': open error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433 ]
Jun 23 12:27:44 ip-172-31-92-155 tomcat9[594]: Jun 23, 2020 12:27:44 PM org.apache.catalina.startup.VersionLoggerListener log
Jun 23 12:27:44 ip-172-31-92-155 tomcat9[594]: INFO: Server version name:   Apache Tomcat/9.0.31 (Ubuntu)
.

It seems that rsyslogd is still unable to deal with 
"/var/log/tomcat9/catalina.out". 
What could be wrong now? Do you have any ideas? 

Brian



Emmanuel Bourg




Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-22 Thread Brian


-Original Message-
From: Emmanuel Bourg 
Reply-To: Tomcat Users List 
Date: Monday, June 22, 2020 at 15:36
To: "users@tomcat.apache.org" 
Subject: Re: File "catalina.out" not being created/populated when using Tomcat 
9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

Le 22/06/2020 à 20:03, Christopher Schultz a écrit :

> It looks like whoever is responsible for packing Tomcat for Ubuntu has
> something missing, there. I suggest you file a bug with Ubuntu.

That must be me :) I'll get a look.

Emmanuel Bourg


Hi Emmanuel,

Please do! It definitely looks like a bug.
I just reported the bug here: 
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1884591
 




Re: File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-22 Thread Brian


Brian,

On 6/22/20 02:04, Brian wrote:
>  Hello,
>
> I have been using Tomcat for about 18 years. As far as I can
> remember, everything that I leave on the log with
> System.out.println() has been found inside the file "catalina.out"
> which has been nice. However, this seems to have changed. I just
> migrated to Ubuntu 20.04 + Tomcat 9.0.31, and installed Tomcat
> doing a "sudo apt install tomcat9". Now I see that the file
> "catalina.out" never gets created, and that everything that had
> been sent there is now being sent to the Ubuntu/Linux/Debian log
> "syslog". I don't like that, I want to keep having a
> separate/dedicated log for Tomcat (which is something I check very
> often) and not having to search for it inside syslog (which is
> something I rarely inspect).
>
> I have done some research, and this is what I have discovered (if I
> understood everything correctly):
>
> - Tomcat now runs as a service inside something called "systemd"
> - For some reason, the people at Ubuntu/Debian/Linux decided that
>   Tomcat's log should be found inside syslog, instead of staying
>   independent inside "catalina.out". Why is that? I don't know and I
>   don't like it!
> - The other files inside /var/log/tomcat get created, including the
>   "catalina.-MM-DD.log" files. But I don't find my
>   "System.out.println()" messages there, which has always been the
>   case.
> - I have found, however, that syslog tries to create and populate the
>   "catalina.out" file as well, since I have found an error inside
>   syslog that says something like "rsyslogd: file
>   '/var/log/tomcat9/catalina.out': open error: Permission denied".
> - I have also found a file "/etc/rsyslog.d/tomcat9.conf" which,
>   indeed, seems to indicate syslog that the file
>   "/var/log/tomcat9/catalina.out" must be populated. Which makes
>   sense and should solve my needs.
> - Considering the "Permission denied" error message, I started
>   playing with the permissions (something that I really don't have
>   much experience with). If I remember correctly, I created the file
>   "catalina.out" manually, and then modified its properties so the
>   owners are "tomcat/adm", since the "syslog" process/user seems to
>   be inside the "adm" group. Restarted everything... and the
>   "catalina.out" file got created and populated!!! So it seems that
>   the main obstacle here is a lack of correct permissions so syslog
>   can do what has been told and populate the "catalina.out" file.
>   Did I get it right?
> - However, when I delete all the log files (which I do every once in
>   a while), the permissions that I assigned get lost and the file
>   doesn't get created anymore.
>
> What are we supposed to do to deal with this problem? Can/should we
> do something so the Tomcat log doesn't go to syslog? If not, and
> considering that it seems that syslog is trying to populate the
> "catalina.out" file as it has been told, what should we do to
> correct the permissions problem?

What are the permissions of the /var/log/tomcat directory?

Hello Chris,

I did a "ls -l /var/log/". According to that, this is what I see for 
"/var/log/tomcat9":
drwxr-s---  3 tomcat adm 4096 Jun 22 10:51 tomcat9

I'm not really an expert with Linux. It would seem to me that the "adm" group 
(to which syslog seems to belong) lacks a write permission, but in my old 
instance (Tomcat 8.5.39 + Ubuntu 18.04) the "catalina.out" file works perfectly 
(gets created and populated) and this is what I see there, it doesn't seem to 
me that the adm group has a write permission there either:
drwxr-x---  3 tomcat8   adm   4096 Jun 22 10:00 tomcat8

Perhaps you need to chmod g+w /var/log/tomcat ?
- -chris

OK, I did it and the write permission was added to the adm group. I restarted 
Tomcat and it worked, the catalina.out file got created! However, after I 
restarted the whole Ubuntu, I discovered that the permissions went back to how 
they were (not write for adm). Why is that?
In fact, now I remember that I tried this before, but since I restarted the 
whole Ubuntu instead of just Tomcat, I never saw any progress. I didn't notice 
that it would have worked if I just restarted Tomcat.

In any case, why is this permission required in my new VPS, if the old one 
lacks it and catalina.out works perfectly? 




File "catalina.out" not being created/populated when using Tomcat 9.0.31 + Ubuntu 20.04, and content goes to the Ubuntu syslog instead?

2020-06-22 Thread Brian

Hello,
 
I have been using Tomcat for about 18 years. As far as I can remember, 
everything that I leave on the log with System.out.println() has been found 
inside the file "catalina.out" which has been nice. However, this seems to have 
changed.
I just migrated to Ubuntu 20.04 + Tomcat 9.0.31, and installed Tomcat doing a 
"sudo apt install tomcat9". Now I see that the file "catalina.out" never gets 
created, and that everything that had been sent there is now being sent to the 
Ubuntu/Linux/Debian log "syslog". I don't like that, I want to keep having a 
separate/dedicated log for Tomcat (which is something I check very often) and 
not having to search for it inside syslog (which is something I rarely 
inspect).
 
I have done some research, and this is what I have discovered (if I understood 
everything correctly):
 
- Tomcat now runs as a service inside something called "systemd"
- For some reason, the people at Ubuntu/Debian/Linux decided that Tomcat's log 
should be found inside syslog, instead of staying independent inside 
"catalina.out". Why is that? I don't know and I don't like it!
- The other files inside /var/log/tomcat get created, including the 
"catalina.-MM-DD.log" files. But I don't find my "System.out.println()" 
messages there, which has always been the case.
- I have found, however, that syslog tries to create and populate the 
"catalina.out" file as well, since I have found an error inside syslog that 
says something like "rsyslogd: file '/var/log/tomcat9/catalina.out': open 
error: Permission denied".
- I have also found a file "/etc/rsyslog.d/tomcat9.conf" which, indeed, seems 
to indicate syslog that the file "/var/log/tomcat9/catalina.out" must be 
populated. Which makes sense and should solve my needs.
- Considering the "Permission denied" error message, I started playing with the 
permissions (something that I really don't have much experience with). If I 
remember correctly, I created the file "catalina.out" manually, and then 
modified its properties so the owners are "tomcat/adm", since the "syslog" 
process/user seems to be inside the "adm" group. Restarted everything... and 
the "catalina.out" file got created and populated!!! So it seems that the main 
obstacle here is a lack of correct permissions so syslog can do what has been 
told and populate the "catalina.out" file. Did I get it right?
- However, when I delete all the log files (which I do every once in a while), 
the permissions that I assigned get lost and the file doesn't get created 
anymore.
 
What are we supposed to do to deal with this problem? Can/should we do 
something so the Tomcat log doesn't go to syslog? If not, and considering that 
it seems that syslog is trying to populate the "catalina.out" file as it has 
been told, what should we do to correct the permissions problem?
 
Thanks in advance!
 
Brian

Re: JNDI match of LDAP hashed passwords fail against cleartext

2020-04-19 Thread Brian Burch

On 17/4/20 10:28 pm, Mark Thomas wrote:

On 16/04/2020 09:56, Brian Burch wrote:

On 15/4/20 6:24 am, Mark Thomas wrote:





I'd expect you to see an error message if your server.xml isn't quite
right although that is what this looks like.


There was no error message. I think my xml was syntax-free, but it did
not reflect my intent.


Can you provide before and after extracts from server.xml. I'm not 100%
what your non-working configuration looked like. I'll see if we can do
anything to highlight the configuration issue.



My Realm definitions are always nested inside the https Connector and 
its Engine definition.


Here is the definitions of the two Realms for tc 7.0.52, which 
successfully authenticated the browser-supplied cleartext passwords 
against the SHA hashes from my LDAP server.


  

   connectionName="uid=tomcatAuthenticate,ou=Special 
Users,o=pingtoo.com"

 connectionPassword=""
 connectionURL="ldap://ldap.pingtoo.com:10389;
 userBase="ou=people,o=pingtoo.com"
 userSubtree="false"
 userSearch="(uid={0})"
 userRoleName="tomcatRole"
 userPassword="userPassword"
 digest="SHA" />
  

The JNDIRealm is nested properly inside the LockoutRealm.

This server.xml could not authenticate users under tomcat 8.54, 
presumably because the Realm algorithm parameter had been deprecated.




The following Realm definition caused JNDIRealm to call 
MessageDigestCredentialHandler.matches, which called its own 
getAlgorithm method, which returned null (not SHA-1).


  

   connectionName="uid=tomcatAuthenticate,ou=Special 
Users,o=pingtoo.com"

 connectionPassword=""
 connectionURL="ldap://ldap.pingtoo.com:10389;
 userBase="ou=people,o=pingtoo.com"
 userSubtree="false"
 userSearch="(uid={0})"
 userRoleName="tomcatRole"
 userPassword="userPassword" />
className="org.apache.catalina.realm.MessageDigestCredentialHandler"

   algorithm="MD5" />
  

My mistake was to Nest JNDIRealm properly, but code it as 
self-terminating. I guess the CredentialHandler was associated with the 
LockoutRealm, rather than the JNDIRealm.


--

Just to finish the story, here's the properly nested version which works 
with SHA-1 and LDAP password hashes prefixed with {SHA}.


  

   connectionName="uid=tomcatAuthenticate,ou=Special 
Users,o=pingtoo.com"

 connectionPassword=""
 connectionURL="ldap://ldap.pingtoo.com:10389;
 userBase="ou=people,o=pingtoo.com"
 userSubtree="false"
 userSearch="(uid={0})"
 userRoleName="tomcatRole"
 userPassword="userPassword" >

  className="org.apache.catalina.realm.MessageDigestCredentialHandler"

  algorithm="SHA-1" />
  
  

Thanks for your help getting me this far!

I will reply to the later points in your last post in subsequent emails.

Brian




Re: JNDI match of LDAP hashed passwords fail against cleartext

2020-04-16 Thread Brian Burch

On 15/4/20 6:24 am, Mark Thomas wrote:

On 14/04/2020 07:34, Brian Burch wrote:




I searched for usages of MessageDigestCredentialHandler.setAlgorithm,
but only found it used once - within TestJNDIRealm. I did not find any
occurrences within tomcat mainline code, but would not be surprised if
the algorithm was intended to be set within code which used
introspection at runtime.


Correct. During the parsing of server.xml


My initial code inspection makes me strongly suspect tomcat does not
initialise JNDIRealm and a nested CredentialHandler properly during
startup. However, I am not smart enough to attach my debugger to the
tomcat jvm until it is too late.

I had a smart idea... at a breakpoint I changed the value of the
algorithm instance variable from null to "SHA" before the comparison,
but I was slapped down with the following Exception:-


If you had tried "SHA-1" here it should have worked.


Noted, but see later.


So, if anyone has read this far, perhaps you can suggest my next best
course of action. Does this seem to be a bug in tomcat processing of
server.xml and initialisation of the JNDIRealm nested CredentialHandler's
algorithm attribute? Is there a smart way to catch the tc8 startup
process and catch it early enough in my remote debugger?

Are the classes org.apache.catalina.storeconfig.RealmSF and
CredentialHandlerSF where I should be looking for a bug?


No. That is to do with writing out server.xml. You can ignore them in
this context. If it were a Tomcat bug I'd start looking around
RealmRuleSet or CredentialHandlerRuleSet


Thanks very much for your tip. I successfully stopped tomcat 
initialisation and stepped through the latter two classes.



Or perhaps I
have just coded my server.xml badly and the algorithm is being silently
ignored?


Very interesting! There were no error messages and without your comments 
I would have trusted my server.xml based on the "working" tomcat7 version.


I stared hard at the xml and eventually realised I had not got the 
correct syntax in the tc7 Realm section. Inadvertently, my coding had 
NOT nested the JNDIRealm below the LockoutRealm. However, because the 
algorithm attribute was associated with the JNDIRealm section, 
everything /appeared/ to be working OK.


Once I had converted the file for tc8, I properly nested the 
CredentialHandler within JNDIRealm, but JNDIRealm was not nested within 
LockoutRealm. The peculiar resulting data structure meant that the 
CredentialHandler was not initialised properly with /any/ algorithm.


Once I fixed my server.xml, authentication succeeds when algorithm == 
SHA-1 BUT the LDAP hash must be prefixed {SHA} (see below).



I'd expect you to see an error message if your server.xml isn't quite
right although that is what this looks like.


There was no error message. I think my xml was syntax-free, but it did 
not reflect my intent.


My tomcat users are in transition. Many still have SHA-1 LDAP hashes, 
but for non-tomcat reasons they need to be migrated to SHA-256 fairly soon.


Having stepped through MessageDigestCredentialHandler.matches I am 
surprised it makes an explicit test for 
storedCredentials.startsWith("{SHA}"). This means the code is too 
simplistic to recognise an LDAP hash of {SHA-1}. It certainly can't 
recognise {SHA256} from the directory.


https://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html 
states the jvm is required to support the MD5, SHA-1 and SHA-256 
algorithms, but I can't see how to coerce MessageDigestCredentialHandler 
to recognise and match SHA-256 hashes.


Do you agree with my analysis? Should I just hack the code and see what 
happens?


Also, given the LDAP mixture of SHA-1 and SHA-256 hashes, do you think 
it is worth me trying to nest two CredentialHandlers within the single 
JNDIRealm?


Brian


Mark
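The stored-credential format this message discusses, as an added example that is not Tomcat's MessageDigestCredentialHandler code and not from the thread. It verifies a cleartext password against an LDAP-style `{SCHEME}base64(digest)` value and fails closed on any prefix the verifier has not been configured for, which is the situation described above for `{SHA-1}` and `{SHA256}` values. The `{SHA256}` layout (base64 of the raw SHA-256 digest) is an assumption about how such a directory value is encoded; the function names and sample password are constructed.

```python
import base64
import hashlib
import hmac

# Scheme prefix -> hashlib algorithm name. "SHA" is the prefix the thread
# reports as the one recognised for SHA-1 hashes.
SCHEMES = {"SHA": "sha1", "SHA256": "sha256"}


def ldap_hash(password: str, scheme: str) -> str:
    """Build a '{SCHEME}base64(digest)' value, as a directory would store it."""
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def matches(password: str, stored: str, accepted=("SHA",)) -> bool:
    """Check a cleartext password against a prefixed stored hash.

    `accepted` lists the prefixes this verifier is configured for. Anything
    else, including a value without a prefix, is rejected rather than guessed at.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in accepted or scheme not in SCHEMES:
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:  # malformed base64 in the directory value
        return False
    actual = hashlib.new(SCHEMES[scheme], password.encode("utf-8")).digest()
    # Constant-time comparison; also returns False when the lengths differ.
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed cases mirroring the thread: a mixed SHA-1 / SHA-256 directory."""
    sha1_value = ldap_hash("password", "SHA")
    sha256_value = ldap_hash("password", "SHA256")
    mislabelled = "{SHA-1}" + sha1_value[len("{SHA}"):]
    return {
        "sha1_value": sha1_value,
        "sha1_with_sha_only": matches("password", sha1_value),
        "sha256_with_sha_only": matches("password", sha256_value),
        "sha256_with_both": matches("password", sha256_value, ("SHA", "SHA256")),
        "sha_dash_1_prefix": matches("password", mislabelled, ("SHA", "SHA256")),
        "wrong_password": matches("letmein", sha1_value),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```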





Re: JNDI match of LDAP hashed passwords fail against cleartext

2020-04-14 Thread Brian Burch

On 14/4/20 8:05 pm, Brian Burch wrote:

On 14/4/20 6:53 pm, logo wrote:

Brian,

see down below

On 2020-04-14 08:34, Brian Burch wrote:



My initial code inspection makes me strongly suspect tomcat does not
initialise JNDIRealm and a nested CredentialHandler properly during
startup. However, I am not smart enough to attach my debugger to the
tomcat jvm until it is too late.


set in bin/setenv.sh

export JPDA_SUSPEND=y

this will stop tomcat startup until debugger is attached.


Wow! That is a neat trick. I will try it tomorrow and see what I can 
intercept.


Thanks very much for the tip,

Brian


Thanks again. I tried your setenv.sh export, but my systemd start of the 
tomcat service failed without a meaningful error message.


My installation is a hybrid. I use the standard ubuntu systemd setup of 
tomcat and then subsequently move the content from my source build over 
the top of it.


The ubuntu setup installs /etc/default/tomcat8. This file includes a 
line to export the JAVA_OPTS environment variable if you wish the server 
to run under the jvm debugger.


The default definition includes the parameter:-

-Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n

... so I changed the suspend option to "y" and everything worked well. 
Tomcat startup waited until I attached a remote debugger session, then 
it started and hit my first breakpoint.


Now I need to find out what happens to the JNDIRealm and nested 
CredentialHandler initialisation process.


Regards,

Brian




Re: JNDI match of LDAP hashed passwords fail against cleartext

2020-04-14 Thread Brian Burch

On 14/4/20 6:53 pm, logo wrote:

Brian,

see down below

On 2020-04-14 08:34, Brian Burch wrote:

I thought it would be helpful to start this issue on the users list
because it will contain a lot of helpful search terms.

I am upgrading a stable production tomcat 7.0.52 system to tomcat
8.5.54. Both were built from source code (tc8 cloned from git) and
compiled under openjdk8.

Many users have pre-hashed SHA-1 passwords stored in the LDAP
directory. My SSO login jsp uses Form authentication. Because the only
Connector services https on port 443, there is no security exposure
from sending the user-entered cleartext password "over the wire" to
tomcat.

The working tomcat 7 Engine has the following Realm definition:-

  

  
  ldap://ldap.pingtoo.com:10389;
 userBase="ou=people,o=pingtoo.com"
 userSubtree="false"
 userSearch="(uid={0})"
 userRoleName="tomcatRole"
 userPassword="userPassword"
 digest="SHA" />
  

... and the Host has the following:-

    className="org.apache.catalina.valves.ExtendedAccessLogValve"

   directory="logs"
   prefix="access." suffix=".txt"
   pattern="c-ip x-H(authType) x-H(remoteUser) date time
cs-method cs-uri sc-status bytes"
   resolveHosts="false"/>

    
    className="org.apache.catalina.authenticator.SingleSignOn"/>


As I said earlier, but without sounding like I am complaining, this
environment worked as intended (by me, the webadmin) with
tomcat7.0.52.

I am aware of the following information on the tomcat 8 Documentation:-

https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html

and

https://tomcat.apache.org/tomcat-8.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm 



It states the "algorithm attribute is deprecated. Set the algorithm on
a nested CredentialHandler element instead."

I deleted the algorithm attribute from the tomcat8 JNDIRealm
definition, and nested three different versions for different test
runs:-



It made no difference whether I used "SHA-1" or "SHA-256".

Under a netbeans remote debugging session with the tomcat8 server, I
initially set a breakpoint in FormAuthenticator.doAuthenticate, then
instruction stepped to drill down into the JNDI authentication logic.

JNDIRealm.compareCredentials executes:-

return getCredentialHandler().matches(credentials, password);

.. where the calling parameters are the {SHA} password from
the LDAP directory and the cleartext password string from the logon
Form.

MessageDigestCredentialHandler.matches immediately calls its own
getAlgorithm method, which returns null. Without a correct digest
handler, the two password parameters are compared as simple strings.
This means the authentication fails!

To prove my point, I pasted the hashed copy of the LDAP userpassword
(as plain text) into the FormAuthenticator field. Naturally, without a
valid hash algorithm the authentication is successful simply because
the two strings match exactly.

I searched for usages of MessageDigestCredentialHandler.setAlgorithm,
but only found it used once - within TestJNDIRealm. I did not find any
occurrences within tomcat mainline code, but would not be surprised if
the algorithm was intended to be set within code which used
introspection at runtime.

My initial code inspection makes me strongly suspect tomcat does not
initialise JNDIRealm and a nested CredentialHandler properly during
startup. However, I am not smart enough to attach my debugger to the
tomcat jvm until it is too late.

I had a smart idea... at a breakpoint I changed the value of the
algorithm instance variable from null to "SHA" before the comparison,
but I was slapped down with the following Exception:-

BB 2020-04-14T15:22:44,257 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[www2.pingtoo.com]] Exception Processing /staticPingToo/restricted/j_security_check
java.lang.IllegalStateException: Must call init() first
    at org.apache.tomcat.util.security.ConcurrentMessageDigest.digest(ConcurrentMessageDigest.java:71) ~[tomcat-util.jar:8.5.54]
    at org.apache.tomcat.util.security.ConcurrentMessageDigest.digest(ConcurrentMessageDigest.java:63) ~[tomcat-util.jar:8.5.54]
    at org.apache.catalina.realm.MessageDigestCredentialHandler.matches(MessageDigestCredentialHandler.java:114) ~[catalina.jar:8.5.54]
    at org.apache.catalina.realm.JNDIRealm.compareCredentials(JNDIRealm.java:1822) ~[catalina.jar:8.5.54]
    at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:1782) ~[catalina.jar:8.5.54]
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1427) ~[catalina.jar:8.5.54]
 

JNDI match of LDAP hashed passwords fail against cleartext

2020-04-14 Thread Brian Burch
r:8.5.54]
at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:1782) ~[catalina.jar:8.5.54]
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1427) ~[catalina.jar:8.5.54]
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1304) ~[catalina.jar:8.5.54]
at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:197) ~[catalina.jar:8.5.54]
at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:159) ~[catalina.jar:8.5.54]
at org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate(FormAuthenticator.java:243) ~[catalina.jar:8.5.54]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633) ~[catalina.jar:8.5.54]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.54]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.54]
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240) [catalina.jar:8.5.54]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) [catalina.jar:8.5.54]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.54]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.54]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615) [tomcat-coyote.jar:8.5.54]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.54]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818) [tomcat-coyote.jar:8.5.54]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627) [tomcat-coyote.jar:8.5.54]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.54]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.54]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]

Obviously, my smart idea wasn't smart enough!!!

So, if anyone has read this far, perhaps you can suggest my next best 
course of action. Does this seem to be a bug in tomcat processing of 
server.xml and initialisation of the JNDIRealm nested CredentialHandler's 
algorithm attribute? Is there a smart way to catch the tc8 startup 
process and catch it early enough in my remote debugger?


Are the classes org.apache.catalina.storeconfig.RealmSF and 
CredentialHandlerSF where I should be looking for a bug? Or perhaps I 
have just coded my server.xml badly and the algorithm is being silently 
ignored?


Hopefully...

Brian





Re: [OT] Tomcat Wiki Source Code Download

2020-03-25 Thread Brian Burch

On 25/3/20 8:09 am, Mark Thomas wrote:

On 24/03/2020 22:00, Christopher Schultz wrote:

On 3/24/20 17:54, Brian Burch wrote:





So I had the source all along, but never thought to look there!



Seems like another case where the documentation is misleading to
someone who isn't familiar with the current situation. (I'm used
to two other apache projects where all their web site and wiki
source is in one place, although updating it isn't trivial
either!)


Does that project maintain 4 separate simultaneous releases? :)


No, perhaps two, and not all the time!

I had also completely forgotten that tomcat provides its own local 
documentation web pages during installation. If I had remembered, and if 
I had fully appreciated that the pages were release-dependent, then I 
would have realised why the apache tomcat online source needs to be 
segmented.


By way of excuse, I've not needed to work seriously on tomcat for 
several years and at my age stuff just slips away with time!


Thanks for making this clear to me. I really appreciate the considerable 
patient help from my old-time acquaintances!



Few do but we could still update the source page to make it clearer that
the tomcat-X.Y-docs pages are copies of the documentation web app from
the most recent X.Y release.


Leave it to me. I'll work on a couple of changes and post some diffs to 
the dev list soon (days, not weeks, I hope). After that, I'll get back 
to the logging documentation changes.


Brian


Mark




Re: Tomcat Wiki Source Code Download

2020-03-24 Thread Brian Burch

On 25/3/20 7:41 am, Christopher Schultz wrote:


Brian,


Sorry about this semi-top-post!

Thanks very much Konstantin and Chris for pointing me in the correct 
direction.


The external url is:-

https://tomcat.apache.org/tomcat-8.0-doc/logging.html#Using_Log4j

Sure enough, this was successful:-

brian@schizo:~/sandboxApache/TOMCAT_8_5_53-dev/tomcat$ find . -iname "*.xml" | grep -i logging

./webapps/docs/logging.xml

So I had the source all along, but never thought to look there!

Seems like another case where the documentation is misleading to someone 
who isn't familiar with the current situation. (I'm used to two other 
apache projects where all their web site and wiki source is in one 
place, although updating it isn't trivial either!)


I'll get back to my main task now...

Brian

On 3/24/20 03:11, Brian Burch wrote:

I'm quite baffled!

http://tomcat.apache.org/source.html gives me the url:-

http://svn.apache.org/repos/asf/tomcat/site

I made a clean "svn checkout" and referred to the README.txt about
the source files being xml formatted. I have all the html files,
but the instructions tell me the real source is the xml. There are
a lot of xml files, but not for Logging.

Unfortunately, even after trying:-

svn update --set-depth infinity xdocs jk-xdocs native-xdocs

The directory tree does contain several xml files related to
logging with Tomcat 5, but not the page I want to update.

When I browse:-

http://svn.apache.org/repos/asf/tomcat/site/trunk/xdocs/

There are quite a few xml files, but not the one I would like to
modify - Logging.xml.


The site project is just the basic site. The release-specific files
for the Tomcat user's guide are in the individual branches which are
in git.

If you do a git-clone of e.g. tomcat-9.0.x you'll find logging.xml here:

tomcat-9.0.x$ ls -l webapps/xdocs/logging.xml
-rw-r--r--  1 bburch  staff  18996 Feb 24 11:29 webapps/docs/logging.xml

-chris



Re: Tomcat Wiki Source Code Download

2020-03-24 Thread Brian Burch

On 24/3/20 5:45 pm, Martin Grigorov wrote:

Hi,

On Tue, Mar 24, 2020 at 9:12 AM Brian Burch  wrote:


I'm quite baffled!

http://tomcat.apache.org/source.html gives me the url:-

http://svn.apache.org/repos/asf/tomcat/site

I made a clean "svn checkout" and referred to the README.txt about the
source files being xml formatted. I have all the html files, but the
instructions tell me the real source is the xml. There are a lot of xml
files, but not for Logging.

Unfortunately, even after trying:-

svn update --set-depth infinity xdocs jk-xdocs native-xdocs

The directory tree does contain several xml files related to logging
with Tomcat 5, but not the page I want to update.

When I browse:-

http://svn.apache.org/repos/asf/tomcat/site/trunk/xdocs/

There are quite a few xml files, but not the one I would like to modify
- Logging.xml.

What have I misunderstood?



$ grep -rnH 'Apache Tomcat uses JULI' .


./docs/tomcat-9.0-doc/logging.html:38:  The internal logging for Apache
Tomcat uses JULI, a packaged renamed fork
./docs/tomcat-8.5-doc/logging.html:38:  The internal logging for Apache
Tomcat uses JULI, a packaged renamed fork
./docs/tomcat-10.0-doc/logging.html:38:  The internal logging for
Apache Tomcat uses JULI, a packaged renamed fork
./docs/tomcat-8.0-doc/logging.html:38:  The internal logging for Apache
Tomcat uses JULI, a packaged renamed fork

grep also does not find the text in any .xml file. Only in .html.


Thanks for looking, Martin.

Here is a direct quote from the site (trunk) README.txt:-

  ***NOTE***
  DO NOT EDIT THE .html files in the docs directory.
  Please follow the directions below for updating the website.
  ***NOTE***
  The Tomcat web site is based on .xml files which are transformed
  into .html files using XSLT and Ant.

So where are the xml files, I wonder?

Brian


Martin



Brian




Tomcat Wiki Source Code Download

2020-03-24 Thread Brian Burch

I'm quite baffled!

http://tomcat.apache.org/source.html gives me the url:-

http://svn.apache.org/repos/asf/tomcat/site

I made a clean "svn checkout" and referred to the README.txt about the 
source files being xml formatted. I have all the html files, but the 
instructions tell me the real source is the xml. There are a lot of xml 
files, but not for Logging.


Unfortunately, even after trying:-

svn update --set-depth infinity xdocs jk-xdocs native-xdocs

The directory tree does contain several xml files related to logging 
with Tomcat 5, but not the page I want to update.


When I browse:-

http://svn.apache.org/repos/asf/tomcat/site/trunk/xdocs/

There are quite a few xml files, but not the one I would like to modify 
- Logging.xml.


What have I misunderstood?

Brian




Re: Fwd: Advice please for Tomcat 8.5.53-dev with log4j2

2020-03-19 Thread Brian Burch

On 18/3/20 5:54 pm, Luis Rodríguez Fernández wrote:

Grande Brian, congrats!

Sorry, I've just read your message, a bit late to the party: time ago I had
cooked a tomcat9 container + log4j2 with a sample spring-boot app deployed.
You can have a look here [1]


Thanks very much, Luis. Although just too late to help me, I was pleased 
to discover it confirmed Mark's advice and my own experience.


I guess I missed it from my own searches because I was focussed on the 
major logging transition between tomcat 7 and the early tomcat 8 
version, but your post was prominently identified with tomcat 9.


I have a busy weekend with non-self-isolating(!) family and friends, but 
I have a strong intention to draft an update to the tc8 wiki next week 
to match the current facts. Probably it will prove trivial for someone 
to port my change to the tc9 pages.


Thanks again for your thoughts,

Brian


Cheers,

Luis

[1]
https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2019-03-keeping-your-logs-clean-apache-tomcat-9-log4j2-and-spring-boot

On Wed, 18 Mar 2020 at 8:44, Brian Burch () wrote:


On 18/3/20 5:18 pm, Brian Burch wrote:




Could resist tinkering a bit more, but I'll be in trouble because I'm
late for dinner!!

Success! I have just created the catalina.log file formatted according
to my own log4j2.xml.

Yes, it was my stupid mistake, but I'll write tomorrow about what it did
to make it work.

Thanks for listening and advising. It really helped a lot and I wouldn't
have cracked it on my own.

Brian




Re: Fwd: Advice please for Tomcat 8.5.53-dev with log4j2

2020-03-18 Thread Brian Burch

On 18/3/20 5:18 pm, Brian Burch wrote:




Could resist tinkering a bit more, but I'll be in trouble because I'm 
late for dinner!!


Success! I have just created the catalina.log file formatted according 
to my own log4j2.xml.


Yes, it was my stupid mistake, but I'll write tomorrow about what it did 
to make it work.


Thanks for listening and advising. It really helped a lot and I wouldn't 
have cracked it on my own.


Brian




Re: Fwd: Advice please for Tomcat 8.5.53-dev with log4j2

2020-03-18 Thread Brian Burch

On 18/3/20 2:57 pm, Brian Burch wrote:




I have done quite a lot of experiments, but I will stick to the case 
which appears to have produced the most encouraging(!) results.


I stumbled across 
https://logging.apache.org/log4j/2.x/log4j-appserver/index.html.


This short page has significant overlap with your suggestions, but there 
are differences too. I'll compare both before I say much more.


Your setenv puts log4j-api-2.13.1.jar on the classpath, but this file 
does not exist in my log4j2 binary download.


Following their advice, I first tried replacing it with 
log4j-appserver-2.13.1.jar, but startup failed with ClassNotFoundException.


Then I added (not replaced) log4j-1.2-api-2.13.1.jar, which seemed to be 
a good guess. That failed as follows:


Exception in thread "main" java.lang.ExceptionInInitializerError
Caused by: org.apache.juli.logging.LogConfigurationException: java.lang.reflect.InvocationTargetException
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:136)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:153)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:208)
at org.apache.catalina.startup.Bootstrap.(Bootstrap.java:51)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:134)
... 3 more
Caused by: java.lang.NoClassDefFoundError: org/apache/logging/log4j/LogManager
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
at org.apache.logging.log4j.appserver.tomcat.TomcatLogger.(TomcatLogger.java:67)
... 8 more

However, I suspected my "current best effort" had disabled the internal 
tomcat logging (juli) but failed to enable log4j2. The message I quoted 
from catalina.out looked suspiciously like it had been handled by the 
jvm Logger, which is consistent with your suggestion

> I tried building log4j2 from source and gave up. It is a bit of a
nuisance that my development system uses both OpenJDK 8 and 11 because I 
keep forgetting which is required by my different projects. The log4j2 
toolchains requirement for java 9 was just too much to contemplate!


Clearly, adding log4j-1.2-api-2.13.1.jar did something significant, but 
I guess the jar is incompatible in some manner?


I recall the log4j2 pom.xml has a java.target of 1.7, as well as its 
toolchain requirement for java 9. I'm doing my very best to build and 
run tomcat under java 8. Is this relevant, or just a red herring?


I downloaded the apache-log4j-2.13.1 binaries, so I will deploy those 
jars in my tests.


I needed to make some minor tweaks to your setenv.bat before I had a 
syntax-free setenv.sh. Of course, I also replaced your ${CATALINA_BASE} 
with ${CATALINA_HOME} because that's where I'm currently putting the 
logging jars.


That bootstrap directory also has a copy of tomcat-juli from my java 8 
build from 5.8.53-dev source:-


-rw-r--r-- 1 tomcat8 tomcat8   51224 Mar  9 17:24 tomcat-juli.jar

I also noted from the web advice above that log4j2 looks for its 
configuration file under the name log4j2-tomcat.xml, not log4j2.xml. I'm 
not keen on the advice to deploy the jars to new tomcat directories 
called catalina.home/log4j2/lib and ./log4j2/conf, so I favour your 
suggestion of using catalina.home/bin for my first tests.


Oh yes...

It didn't make any difference whether I called my configuration file 
conf/log4j2.xml or conf/log4j2-tomcat.xml.


I don't think it should matter that the default conf/logging.properties 
does not exist... wdyt?


I really appreciate your thoughtful advice. It would be useful for me to 
pare the advice down to its essentials and then update the tomcat 8 wiki 
advice.


So, to summarise, I've eliminated a lot of possible solutions a

Fwd: Advice please for Tomcat 8.5.53-dev with log4j2

2020-03-17 Thread Brian Burch

Thanks very much for your speedy and helpful reply, Mark.

Stupidly, I had forgotten to re-subscribe to the mailing list, so I 
found your reply in the archive and cannot reply to it in-line!


not really!

I stumbled across 
https://logging.apache.org/log4j/2.x/log4j-appserver/index.html.


This short page has significant overlap with your suggestions, but there 
are differences too. I'll compare both before I say much more.


However, I suspected my "current best effort" had disabled the internal 
tomcat logging (juli) but failed to enable log4j2. The message I quoted 
from catalina.out looked suspiciously like it had been handled by the 
jvm Logger, which is consistent with your suggestion.


I tried building log4j2 from source and gave up. It is a bit of a 
nuisance that my development system uses both OpenJDK 8 and 11 because I 
keep forgetting which is required by my different projects. The log4j2 
toolchains requirement for java 9 was just too much to contemplate!


I downloaded the apache-log4j-2.13.1 binaries, so I will deploy those 
jars in my tests.


I also noted from the web advice above that log4j2 looks for its 
configuration file under the name log4j2-tomcat.xml, not log4j2.xml. I'm 
not keen on the advice to deploy the jars to new tomcat directories 
called catalina.home/log4j2/lib and ./log4j2/conf, so I favour your 
suggestion of using catalina.home/bin for my first tests.


I really appreciate your thoughtful advice. It would be useful for me to 
pare the advice down to its essentials and then update the tomcat 8 wiki 
advice.


Brian





Advice please for Tomcat 8.5.53-dev with log4j2

2020-03-17 Thread Brian Burch
I have a very frozen and stable tomcat 7.0.68 system with a lot of apps. 
It was built from source and uses the extras tomcat-juli.jar with 
log4j-1.2.17.jar.


Both tomcat and my webapps log successfully via log4j (except, of 
course, the access log valve).


The time has come to bring the whole system up to date, but I don't want 
to jump too far in a single leap, so I am trying to port the production 
environment to a new server image. (The old system is ubuntu 16.04.6 LTS 
32-bit. The new system is 18.04.3 LTS 64-bit).


I have read (very carefully) the tomcat8 logging.html, 
extras.html#Full_commons-logging_implementation and 
class-loader-howto.html. I am aware of 
https://bz.apache.org/bugzilla/show_bug.cgi?id=58588. They have confused 
me, even though I've read them a lot in the past!


I have built tomcat 8.5.53-dev under OpenJDK 1.8.0_232 (64 bit), and 
also the extras. tomcat also executes under jdk8.


Extras no longer builds the full logging jar, so I am apparently forced 
to use the tomcat-juli.jar from the main build. log4j has moved from 
version 1 to 2, with quite a few changes, so I decided to implement 
log4j2 right from the start.


To simplify my conversion effort, I decided to get tomcat itself logging 
via log4j2 before I converted any of the webapps. That has been a 
frustrating and unsuccessful task so far!


I can confirm the experience of others - unless tomcat-juli.jar is in 
the same directory as bootstrap.jar (catalina.home/bin), startup fails 
with ClassNotFoundException.


I do NOT have a logging.properties file in conf.

catalina.base/lib has my log4j2.xml, along with log4j-api.jar, 
log4j-core.jar and log4j-jul.jar. I have tried them in a lot of places, 
including catalina.home/bin, catalina.base/system, common and server, 
but nothing seems to improve.


/var/log/tc8/catalina.out reports (apologies for nasty line breaks):

Mar 17, 2020 8:45:34 AM 
org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager


But there are no initialisation messages from log4j2.

The log4j2 Root Logger has AppenderRef to a RollingFileAppender with 
fileName="${logdir}/catalina.log" (where logdir resolves to 
/var/log/tomcat/).


I am not convinced catalina.out is being handled by log4j2 at all!

I would be very grateful for any advice to make my tomcat8 use log4j2. I 
hope this advice will permit me to recommend some improvements to the 
relevant pages of the tomcat wiki...


Thanks in anticipation,

Brian

(back on the list after nearly 4 years away!)




Re: TLS support: consider bundling native libs in JARs

2017-10-19 Thread Brian Clozel
Hi Mark, Christopher,

On Thu, Oct 19, 2017 at 7:32 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Mark,
>
> On 10/19/17 1:22 PM, Mark Thomas wrote:
> > On 19/10/17 16:56, Mark Thomas wrote:
> >> On 19 October 2017 15:11:19 BST, Brian Clozel
> >> <bclo...@pivotal.io> wrote:
> >>> Hi,
> >>>
> >>> More and more servers are choosing to make available one or
> >>> more solutions to use TLS native stacks by shipping them as
> >>> JARs:
> >>>
> >>> * Netty has quite a few options there
> >>> http://netty.io/wiki/forked-tomcat-native.html
> >>> * Jetty is now shipping a conscrypt support as well
> >>> https://webtide.com/conscrypting-native-ssl-for-jetty/
> >>>
> >>
> >> How does shipping a native library in a JAR work? What makes it
> >> simpler than building from source?
> >
> > Found the answer to my own question. Netty unpacks the native
> > library into a temporary directory and loads it from there.
> >
> > Packaging in a JAR is simply a convenience to enable end users to
> > use their build tool of choice to pull in the library.
>
> ... and completely unnecessary for users using a packaged Tomcat,
> since part of the "installation process" (either .exe "installer" for
> Windows, or unzip/untar for anyone else) drops any packaged binaries
> in the right place already. The problem is lack of binaries.
>
> > For Tomcat, this would be useful for the embedded scenario.
>
> Yes. The problem with Tomcat self-extracting a native library would be
> that an embedded environment could have all kinds of problems with
> that. If Tomcat extracted a native library to $TMPDIR and then allowed
> the JVM to load from there, wouldn't that scare the hell out of a
> developer or end-user who wasn't expecting that kind of thing? If
> embedded users (developers) want to package Tomcat in that way, that's
> fine, but Tomcat doing it without instructions seems like a horrible
> mistake.
>
> There is room for improving support for such a thing, but having
> Tomcat provide a magic JAR file is something I'm very much -1 on doing.
>

Indeed, it's mostly useful for the embedded scenario, even more for a
12 factor app deployed on a PaaS (disclaimer: I'm a Spring Boot team
member).
In those cases, the typical application is an uber JAR that you expect
to be deployed in many environments - and you can't really expect that
infrastructure to peek into your app and guess which version of
libtcnative/openssl it should install.

In my opinion, dealing with native libraries "manually" is harder than
using a server that uses the bootclasspath/java agent trick to support
ALPN.
Of course, that's if your primary goal is to support http/2 on JDK8.

Netty, Conscrypt and others extract libs to a temp folder, and from a
Java server application point of view, I don't see how it changes the
trust relationship you already have with the host operating system. At
least doing so would save a lot of pain to all embedded users (setting
up the native libs, choosing the right version set, reproducing the
same conditions on their laptop).
You can then run applications without worrying about the Tomcat
version and locally compiled libraries.

> > The full binary distributions could leverage the same mechanism or
> > they could do something different. That would increase the number
> > of binary builds we needed to do for a release.
>
> ... and therein lies the challenge. We intentionally stopped
> publishing binaries because it's such a PITA. We only produce binaries
> for Microsoft Windows because (a) most Windows environments don't have
> access to a compiler (sadly) and (b) there are only two artifacts to
> produce: amd32 and amd64 builds.
>
> If someone wants to volunteer to build every combination of
> architecture, OS, and web server out there, I'm sure we'd appreciate
> the contribution. Just be aware that it is a slippery slope. Next
> thing you know, James Lampert will be asking us to produce AS/400
> builds. (*ducks*)
>
> - -chris

Now I totally get how this can turn into a distribution nightmare. I
can also see the irony in asking **you** to deal with a build
nightmare when it's **us** being too lazy to compile things :-)
Worse, I'm wondering if packing openssl in a JAR could somehow link a
tomcat version with openssl CVEs...

Would supporting Conscrypt then be an option? As an external,
optional dependency, you wouldn't have to deal with all of this -
"just" coding against their JSSE provider.
Of course, I have zero idea about the efforts required for that - I
vagu

TLS support: consider bundling native libs in JARs

2017-10-19 Thread Brian Clozel
Hi,

More and more servers are choosing to make available one or more solutions
to use TLS native stacks by shipping them as JARs:

* Netty has quite a few options there
http://netty.io/wiki/forked-tomcat-native.html
* Jetty is now shipping a conscrypt support as well
https://webtide.com/conscrypting-native-ssl-for-jetty/

I know there are other solutions for that, like changing the boot classpath
or installing native libraries directly on the host operating system. But
those solutions aren't always super easy to achieve in cloud environments;
there are also questions on this mailing list around
tomcat+tcnative+openssl versions compatibility.

Would the Tomcat community consider shipping JARs (with classifier and uber
JARs) containing the required native libraries (libtcnative + openssl +
apr)?
Bonus question: would you consider supporting boringssl or libressl?

Thanks,
--
Brian Clozel


Re: Embedded tomcat does not find web-fragment in jars outside web-inf\lib continued...

2017-10-04 Thread Brian Toal
Jetty also makes it very easy to scan jar for @WebServlet, @WebFilter,
@WebListener via AnnotationConfiguration.

http://www.eclipse.org/jetty/documentation/9.4.x/configuring-webapps.html

On Wed, Oct 4, 2017 at 12:53 AM, Brian Toal <brian.t...@gmail.com> wrote:

> The chain [1] left off with:
> "The relevant language is in section 8.2.1
>
> 
> If a framework wants its META-INF/web-fragment.xml honored in such a way
> that it augments a web application's web.xml, the framework must be bundled
> within the web application's WEB-INF/lib directory
> 
>
> Therefore, Tomcat 8.0 looks to be doing the right thing."
>
> Which I think is fine for the case where the container is augmenting an
> existing web.xml.
>
> However the spec also says "If a framework is packaged as a jar file and
> has metadata information in the form of deployment descriptor then the
> web-fragment.xml descriptor must be in the META-INF/ directory of the jar
> file."
>
> I'm not interested in augmenting an existing web.xml, nor is my embedded app
> using WEB-INF/lib, which seems not to meet the eligibility criteria for
> adding the jar to WEB-INF/lib. Tomcat should honor
> META-INF/web-fragment.xml in jars in the absence of web.xml, to determine
> if the Servlet 3.0 annotations are going to be scanned.  This is the
> problem I'm having after fixing the classloading issues in [2].
>
> Thoughts?
>
>
> [1] - https://marc.info/?l=tomcat-user&m=149443917508077&w=2
> [2] - https://marc.info/?l=tomcat-user&m=150701409822162&w=2
>
>
>


Embedded tomcat does not find web-fragment in jars outside web-inf\lib continued...

2017-10-04 Thread Brian Toal
The chain [1] left off with:
"The relevant language is in section 8.2.1


If a framework wants its META-INF/web-fragment.xml honored in such a way
that it augments a web application's web.xml, the framework must be bundled
within the web application's WEB-INF/lib directory


Therefore, Tomcat 8.0 looks to be doing the right thing."

Which I think is fine for the case where the container is augmenting an
existing web.xml.

However the spec also says "If a framework is packaged as a jar file and
has metadata information in the form of deployment descriptor then the
web-fragment.xml descriptor must be in the META-INF/ directory of the jar
file."

I'm not interested in augmenting an existing web.xml, nor is my embedded app
using WEB-INF/lib, which seems not to meet the eligibility criteria for
adding the jar to WEB-INF/lib. Tomcat should honor
META-INF/web-fragment.xml in jars in the absence of web.xml, to determine
if the Servlet 3.0 annotations are going to be scanned.  This is the
problem I'm having after fixing the classloading issues in [2].

Thoughts?


[1] - https://marc.info/?l=tomcat-user&m=149443917508077&w=2
[2] - https://marc.info/?l=tomcat-user&m=150701409822162&w=2


Tomcat 9.0.1 - StandardJarScanner only scanning for HandlesTypes due to classloader issues

2017-10-03 Thread Brian Toal
In my embedded tomcat app, StandardJarScanner is doing a minimal Servlet
3.0 annotation scanning, specifically only HandlesTypes.  After digging in,
it appears that because the classloader that loaded StandardJarScanner is
the same that loaded StandardContext and ContextConfig
StandardJarScanner.isWebappClassLoader always returns false.   Then
StandardJarScanner.scan will set htOnly to true since fragment.getWebappJar
is false.


    // Only need to scan for @HandlesTypes matches if any of the
    // following are true:
    // - it has already been determined only @HandlesTypes is required
    //   (e.g. main web.xml has metadata-complete="true"
    // - this fragment is for a container JAR (Servlet 3.1 section 8.1)
    // - this fragment has metadata-complete="true"
    boolean htOnly = handlesTypesOnly || !fragment.getWebappJar() ||
            fragment.isMetadataComplete();

My embedded app looks as follows:


    try {
        Tomcat tomcat = new Tomcat();

        File docBase = new File(System.getProperty("java.io.tmpdir"));
        tomcat.setBaseDir(docBase.getAbsolutePath());

        tomcat.setSilent(false);
        tomcat.setPort(8080);

        // init http connector
        tomcat.getConnector();

        logger.info("Class loader = " +
                Thread.currentThread().getContextClassLoader());

        Context ctx = tomcat.addContext("", docBase.getAbsolutePath());
        ((StandardJarScanner) ctx.getJarScanner()).setScanClassPath(true);
        ((StandardJarScanner) ctx.getJarScanner()).setScanAllDirectories(true);
        ((StandardJarScanner) ctx.getJarScanner()).setScanAllFiles(true);

        ContextConfig contextConfig = new ContextConfig();
        ctx.addLifecycleListener(contextConfig);
        contextConfig.setDefaultWebXml(Constants.NoDefaultWebXml);

        tomcat.start();
        tomcat.getServer().await();
    } catch (LifecycleException e) {
        throw new RuntimeException("Unable to launch tomcat ", e);
    }

What do I need to do, in order to have StandardJarScanner loaded by a
separate loader than the classes that are loaded when tomcat.start() so
that StandardJarScanner will honor searching for the remaining Servlet 3.0
annotations?


Setting up Embedded Tomcat to honor Servlet 3.0 Annotations

2017-10-02 Thread Brian Toal
I want to decouple my solution from web.xml completely, so the goal is to
have the container to scan all jars on the classpath and look for Servlet
3.0 annotations and do the necessary (register  servlet context listeners,
filters, servlets, etc).  In the code below, the container starts, but none
of the corresponding annotations are processed.  I have various jars on the
classpath that contain implementations of the Servlet 3.0 annotation.  I'm
most certain I'm missing the configuration that is required to get Tomcat
to do the scanning and processing, but I'm not aware of what that would
be.  What code do I need to add to get the container to scan all jars on
the classpath for Servlet 3.0 annotations and register the various found
artifacts with the container?

Here's a snippet of what my code looks like so far.  See [1] for full
source.


    public void start(ApplicationContext acac) {
        try {
            Tomcat tomcat = new Tomcat();
            tomcat.setPort(8080);
            // init http connector
            tomcat.getConnector();
            File base = new File(".");
            Context ctx = tomcat.addContext("", base.getAbsolutePath());
            ServletContext servletContext = ctx.getServletContext();
            tomcat.start();
            tomcat.getServer().await();
        } catch (LifecycleException e) {
            throw new RuntimeException("Unable to launch tomcat ", e);
        }
    }

[1] - https://github.com/toaler/container/blob/master/container-webapp-tomcat/src/main/java/container/webapp/tomcat/TomcatWebContainer.java


Re: Building a uber/fat jar

2017-10-02 Thread Brian Toal
thanks John,

I want to decouple my solution from web.xml completely, so the goal is to
have the container to scan all jars on the classpath and look for Servlet
3.0 annotations and do the necessary (register  servlet context listeners,
filters, servlets, etc).  The container starts, but none of the
corresponding annotations are processed.  I have various jars on the
classpath that contain implementations of the Servlet 3.0 annotation.  I'm
most certain I'm missing the configuration that is required to get Tomcat
to do the scanning and processing, but I'm not aware of what that would
be.  Any ideas what I would need to add?

Here's a snippet of what my code looks like so far.  See [1] for full
source.


    public void start(ApplicationContext acac) {
        try {
            Tomcat tomcat = new Tomcat();
            tomcat.setPort(8080);
            // init http connector
            tomcat.getConnector();
            File base = new File(".");
            Context ctx = tomcat.addContext("", base.getAbsolutePath());
            ServletContext servletContext = ctx.getServletContext();
            tomcat.start();
            tomcat.getServer().await();
        } catch (LifecycleException e) {
            throw new RuntimeException("Unable to launch tomcat ", e);
        }
    }

[1] -
https://github.com/toaler/container/blob/master/container-webapp-tomcat/src/main/java/container/webapp/tomcat/TomcatWebContainer.java

On Sat, Sep 30, 2017 at 5:50 AM, John D. Ament <johndam...@apache.org>
wrote:

> I use Maven for the actual build. I use these dependencies (with
> 9.0.0.M26):
>
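> <dependency>
>   <groupId>org.apache.tomcat.embed</groupId>
>   <artifactId>tomcat-embed-core</artifactId>
> </dependency>
> <dependency>
>   <groupId>org.apache.tomcat.embed</groupId>
>   <artifactId>tomcat-embed-el</artifactId>
> </dependency>
> <dependency>
>   <groupId>org.apache.tomcat</groupId>
>   <artifactId>tomcat-juli</artifactId>
> </dependency>
> <dependency>
>   <groupId>org.apache.tomcat.embed</groupId>
>   <artifactId>tomcat-embed-websocket</artifactId>
> </dependency>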
>
> And use the Capsule Maven Plugin to build the actual runtime (better
> isolation than a shaded JAR):
>
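> <plugin>
>   <groupId>com.github.chrisdchristo</groupId>
>   <artifactId>capsule-maven-plugin</artifactId>
>   <version>${capsule.maven.plugin.version}</version>
>   <executions>
>     <execution>
>       <goals>
>         <goal>build</goal>
>       </goals>
>       <configuration>
>         <appClass>your.main.class.here</appClass>
>         <type>fat</type>
>       </configuration>
>     </execution>
>   </executions>
> </plugin>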
>
> And then the actual bootstrap would look like this:
> https://paste.apache.org/vVNs (I put it in a paste since it's pretty
> long).
>
> On Sat, Sep 30, 2017 at 4:51 AM Brian Toal <brian.t...@gmail.com> wrote:
>
> > Can someone point me to an example of how to run Tomcat as an embedded
> > application, packaged in an uber jar?  I'm not interested in running via a
> > war.  I've struggled to find an example.
> >
>


Building a uber/fat jar

2017-09-30 Thread Brian Toal
Can someone point me to an example of how to run Tomcat as an embedded
application, packaged in an uber jar?  I'm not interested in running via a
war.  I've struggled to find an example.


Re: Tomcat Native compile can't find jni_md.h

2016-10-27 Thread Paquin, Brian

> On Oct 27, 2016, at 11:53 AM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
> 
> Brian,
> 
> On 10/27/16 11:47 AM, Paquin, Brian wrote:
>> I’m trying to compile Tomcat Native (1.2.10 that comes with
>> 8.5.6), and get the error “Cannot find jni_md.h” In
>> /usr/lib/jvm/[openjdk-1.8.0_111]/jre/ I have bin and lib but not 
>> include… I downloaded oracle’s 1.8.0_112 JDK and have the same
>> structure (no include).
>> 
>> I haven’t found anything on the web that helps me get the headers 
>> back and was hoping someone here could help.
> 
> It looks like you have a JRE and you need a JDK to build tcnative.
> 
> The JDK contains a jre/ directory and you're right, it has no include/
> subdir. But if you back-out one directory to JAVA_HOME, you should
> have an include/ directory there.
> 
> When I unpack the jdk1.8 archive, I get these files:
> 
> drwxr-xr-x 2 uucp 143 4096 Jun 22 21:53 bin
> -r--r--r-- 1 uucp 143 3244 Jun 22 21:53 COPYRIGHT
> drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 db
> drwxr-xr-x 3 uucp 143 4096 Jun 22 21:53 include
> -rwxr-xr-x 1 uucp 143  5091318 Jun 22 11:58 javafx-src.zip
> drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 jre
> drwxr-xr-x 5 uucp 143 4096 Jun 22 21:53 lib
> -r--r--r-- 1 uucp 143   40 Jun 22 21:53 LICENSE
> drwxr-xr-x 4 uucp 143 4096 Jun 22 21:53 man
> -r--r--r-- 1 uucp 143  159 Jun 22 21:53 README.html
> -rw-r--r-- 1 uucp 143  526 Jun 22 21:53 release
> -rw-r--r-- 1 uucp 143 21109887 Jun 22 21:53 src.zip
> -rwxr-xr-x 1 uucp 143   110114 Jun 22 11:58 THIRDPARTYLICENSEREADME-JAVAFX.txt
> -r--r--r-- 1 uucp 143   177094 Jun 22 21:53 THIRDPARTYLICENSEREADME.txt
> 
> -chris

That did it! Thank you!!  (my “find / -name jni” only returned 3 items in 
Tomcat)

Much appreciated,

Brian



Tomcat Native compile can't find jni_md.h

2016-10-27 Thread Paquin, Brian
I’m trying to compile Tomcat Native (1.2.10 that comes with 8.5.6), and get the 
error “Cannot find jni_md.h”
In /usr/lib/jvm/[openjdk-1.8.0_111]/jre/ I have bin and lib but not include…
I downloaded oracle’s 1.8.0_112 JDK and have the same structure (no include).

I haven’t found anything on the web that helps me get the headers back and was 
hoping someone here could help.

Brian



HTTP/2 PushBuilder.push() synchronous?

2016-09-29 Thread Brian Clozel
Hi,

Looking at previous Servlet 4.0 EG e-mails [1] and the PushBuilder.push()
API [2], it seems the current version returns true if the PUSH_PROMISE
frame + headers were sent, meaning the client can still reset that stream
and refuse to receive the response that goes with it.

Now looking at former EG e-mails, it seems that a previous version of the
spec stated that push "returns immediately without blocking" [3]. But this
API, and the implementation as far as I understand things [4], seems
synchronous. Or does that writing not happen directly on the actual
socket, but is later dispatched on another thread?

In general, I'm trying to understand how I can use that API in an async,
non-blocking way and if the application really needs to know if the Push
promise "happened" or not...

Cheers,

[1] https://java.net/projects/servlet-spec/lists/jsr369-experts/archive/2016-03/message/0
[2] https://github.com/apache/tomcat/blob/trunk/java/javax/servlet/http/PushBuilder.java#L161-L178
[3] https://java.net/projects/servlet-spec/lists/jsr369-experts/archive/2015-12/message/8
[4] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java#L1036
--
Brian Clozel


Re: Using hashes in tomcat-users.xml

2016-09-27 Thread Paquin, Brian

> On Sep 27, 2016, at 4:38 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
> 
> Brian,
> 
> Your email was tough to parse-out of the thread, so I'm going to
> heavily edit-down the text. I hope I didn't miss anything.
> 
> On 9/25/16 9:06 PM, Paquin, Brian wrote:
>> I tried using the following in server.xml:
>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>        resourceName="UserDatabase">
>>   <CredentialHandler
>>       className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>>       algorithm="SHA-256" iterations="24680" saltLength="18" />
>> </Realm>
>> 
>> And then using: /usr/local/tomcat/bin/digest.sh -a SHA-256 -i 24680
>> -s 18 secret_password
>> 
>> And got back: 
>> secret_password:9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905
>> 
>> I then added that to my tomcat-users.xml:
>> <user username="my_username"
>>       password="9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905"
>>       roles="manager-gui,admin,admin-gui"/>
>> 
>> After stopping and starting Tomcat, manager asks for credentials
>> but does not accept them. What have I got wrong?
> 
> Is it still accepting them if you put the plaintext version of the
> password into tomcat-users.xml?

I was able to get SHA-256 (with salt and iterations) working today - I had 
nested realms that were not working correctly.

> 
>> (I was hoping to use PBKDF2 but it did not appear that digest.sh 
>> would accept PBKDF2 as an algorithm.)
> 
> Try using "PBKDF2WithHmacSHA1" as the algorithm.

To be clear - I use PBKDF2WithHmacSHA1 in both server.xml and in the digest.sh, 
right?

Thank you,  Brian
> 
> [1]
> https://tomcat.apache.org/tomcat-8.0-doc/config/credentialhandler.html#SecretKeyCredentialHandler
> 
> - -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
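The salted, iterated storage discussed in this thread, as an added example (not code from the thread or from Tomcat): it derives a credential with the PBKDF2WithHmacSHA1 algorithm name suggested above and stores it in the salt$iterations$hash shape of the digest.sh output quoted above. The class and method names are hypothetical, and the hex encoding of each field and the 160-bit key length are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added illustration: PBKDF2 credentials stored as hex(salt)$iterations$hex(hash). */
public class StoredCredentialDemo {

    static final String ALGORITHM = "PBKDF2WithHmacSHA1"; // name suggested in the thread
    static final int ITERATIONS = 24680;                  // -i value from the digest.sh call
    static final int SALT_BYTES = 18;                     // -s value from the digest.sh call
    static final int KEY_BITS = 160;                      // assumption for this example

    /** Creates a new stored value; a fresh random salt is drawn on every call. */
    static String create(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt, ITERATIONS, KEY_BITS);
        return toHex(salt) + "$" + ITERATIONS + "$" + toHex(hash);
    }

    /** Checks a candidate password; malformed stored values are rejected, not thrown on. */
    static boolean matches(char[] candidate, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false; // plaintext or a bare unsalted digest does not have three fields
        }
        byte[] salt;
        byte[] expected;
        int iterations;
        try {
            salt = fromHex(parts[0]);
            iterations = Integer.parseInt(parts[1]);
            expected = fromHex(parts[2]);
        } catch (IllegalArgumentException e) { // also covers NumberFormatException
            return false;
        }
        if (salt.length == 0 || expected.length == 0 || iterations < 1) {
            return false;
        }
        // Salt and iteration count come from the stored value, so entries created
        // with older parameters keep verifying after the defaults are raised.
        byte[] actual = derive(candidate, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    static byte[] derive(char[] password, byte[] salt, int iterations, int keyBits)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd number of hex digits");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("not a hex digit");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "constructed-sample-password".toCharArray(); // constructed sample
        String first = create(password);
        String second = create(password);
        System.out.println(first);
        System.out.println("same password, different stored value: " + !first.equals(second));
        System.out.println("correct password verifies: " + matches(password, first));
        System.out.println("wrong password verifies: " + matches("guess".toCharArray(), first));
        System.out.println("malformed entry verifies: "
                + matches(password, "not-a-stored-credential"));
    }
}
```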



Re: Using hashes in tomcat-users.xml

2016-09-25 Thread Paquin, Brian

On Sep 14, 2016, at 5:37 PM, Christopher Schultz 
<ch...@christopherschultz.net> wrote:

Brian,

On 9/14/16 3:40 PM, Paquin, Brian wrote:
I was able to setup Tomcat 8.0.35 to use a SHA hashed password in
tomcat-users.xml (trying to secure the Manager app a bit more),
but the same setup does not work on 8.5.5.

Is there something I need to change to get this to work again?

Yes.

server.xml engine:  
   


Command to generate hash that was used as the user’s password in
tomcat-users.xml: /usr/local/tomcat/bin/digest.sh -a SHA
my_password

In 8.5.5, I can login to Manager if I replace the SHA hash with
the plaintext version of the password…

I read through
https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but
still can’t get it to work.

Have a look at http://tomcat.apache.org/migration-85.html,
specifically http://tomcat.apache.org/migration-85.html#Internal_APIs

Note that SHA passwords are no better than plaintext passwords. If you
want to *actually* add some security, you need to at least use salted
passwords. Better yet, use a PBKDF.

I tried using the following in server.xml:

  


And then using:
/usr/local/tomcat/bin/digest.sh -a SHA-256 -i 24680 -s 18 secret_password

And got back:
secret_password:9618b621a88fcee9c44aa93f39ddb063$58761$8ga9a0896a10f1b26w91729qfc3786d74ac95223e092faf996500dc532a74905

I then added that to my tomcat-users.xml:


After stopping and starting Tomcat, manager asks for credentials but does not 
accept them.
What have I got wrong?

(I was hoping to use PBKDF2 but it did not appear that digest.sh would accept 
PBKDF2 as an algorithm.)

Brian

You might want to have a look at this presentation:
http://people.apache.org/~schultz/ApacheCon%20NA%202016/Seamless%20Upgrades%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

- -chris
Brian Paquin
Help Desk Support Yale Pathology ITS
---
310 Cedar St. BML B50
New Haven, CT 06520
203-785-3691-office
203-785-2403-fax



Using hashes in tomcat-users.xml

2016-09-14 Thread Paquin, Brian
I was able to setup Tomcat 8.0.35 to use a SHA hashed password in 
tomcat-users.xml (trying to secure the Manager app a bit more), but the same 
setup does not work on 8.5.5.
Is there something I need to change to get this to work again?

server.xml engine:

  

  
  



Command to generate hash that was used as the user’s password in 
tomcat-users.xml:
/usr/local/tomcat/bin/digest.sh -a SHA my_password

In 8.5.5, I can login to Manager if I replace the SHA hash with the plaintext 
version of the password…

I read through https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html, but 
still can’t get it to work.

Thank you,

Brian



Tomcat Native install on Mac OS X 10.11

2016-02-12 Thread Paquin, Brian
I have used http://www.malisphoto.com/tips/tomcatonosx.html#Anchor-Native to 
setup Native with Tomcat successfully.
Specifically, I create /usr/lib/java and then do:

# Copy the native library to /usr/lib/java
sudo cp .libs/libtcnative-1.0.dylib /usr/lib/java

# Create a symbolic link in /usr/lib/java to the native library
cd /usr/lib/java
sudo ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
sudo ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib

This has worked up to 10.10, but NOT in 10.11 - Apple uses SIP to block changes 
to /usr/lib/ (and removes /usr/lib/java during an OS upgrade!).

Is there a newer way (not modifying /usr/lib) that I can use to get Native to 
work with 10.11?
(I understand I can disable SIP with “csrutil”, but I would like to keep SIP 
enabled)

Brian Paquin
Help Desk Support Yale Pathology ITS
---
310 Cedar St. BML B50
New Haven, CT 06520
203-785-3691-office
203-785-2403-fax



Re: Tomcat Native install on Mac OS X 10.11

2016-02-12 Thread Paquin, Brian
On Feb 12, 2016, at 10:20 AM, Paquin, Brian <brian.paq...@yale.edu> wrote:

I have used http://www.malisphoto.com/tips/tomcatonosx.html#Anchor-Native to
setup Native with Tomcat successfully.
Specifically, I create /usr/lib/java and then do:

# Copy the native library to /usr/lib/java
sudo cp .libs/libtcnative-1.0.dylib /usr/lib/java

# Create a symbolic link in /usr/lib/java to the native library
cd /usr/lib/java
sudo ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
sudo ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib

This has worked up to 10.10, but NOT in 10.11 - Apple uses SIP to block changes 
to /usr/lib/ (and removes /usr/lib/java during an OS upgrade!).

Is there a newer way (not modifying /usr/lib) that I can use to get Native to 
work with 10.11?
(I understand I can disable SIP with “csrutil”, but I would like to keep SIP 
enabled)


Solved. Used /Library/Java/Extensions instead of /usr/lib/java.

Brian Paquin

Brian Paquin
Help Desk Support Yale Pathology ITS
---
310 Cedar St. BML B50
New Haven, CT 06520
203-785-3691-office
203-785-2403-fax



Re: Tomcat Native install on Mac OS X 10.11

2016-02-12 Thread Paquin, Brian

> On Feb 12, 2016, at 12:06 PM, Mark Thomas <ma...@apache.org> wrote:
> 
> On 12/02/2016 16:14, Paquin, Brian wrote:
>> On Feb 12, 2016, at 10:20 AM, Paquin, Brian <brian.paq...@yale.edu> wrote:
>> 
>> I have used http://www.malisphoto.com/tips/tomcatonosx.html#Anchor-Native to
>> setup Native with Tomcat successfully.
>> Specifically, I create /usr/lib/java and then do:
>> 
>> # Copy the native library to /usr/lib/java
>> sudo cp .libs/libtcnative-1.0.dylib /usr/lib/java
>> 
>> # Create a symbolic link in /usr/lib/java to the native library
>> cd /usr/lib/java
>> sudo ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
>> sudo ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib
>> 
>> This has worked up to 10.10, but NOT in 10.11 - Apple uses SIP to block 
>> changes to /usr/lib/ (and removes /usr/lib/java during an OS upgrade!).
>> 
>> Is there a newer way (not modifying /usr/lib) that I can use to get Native 
>> to work with 10.11?
>> (I understand I can disable SIP with “csrutil”, but I would like to keep SIP 
>> enabled)
>> 
>> 
>> Solved. Used /Library/Java/Extensions instead of /usr/lib/java.
> 
> You can install the library anywhere. You just need to tell Tomcat where
> it is. Personally I build in the same location I store all the
> various JARs I have downloaded. (~/libs)
> 
> Mark


What file do I modify?

Thank you,  Brian Paquin




Re: questions about tomcat 7 executor with rest services

2015-10-13 Thread Brian Millett
Thanks

> On Oct 12, 2015, at 5:01 PM, Mark Thomas <ma...@apache.org> wrote:
> 
> On 12 October 2015 21:26:30 BST, Brian Millett <bmill...@gmail.com> wrote:
>> I’m looking for some insight / info into using executor thread pool for
>> a tomcat 7 server that handles many REST services.   
>> Wondering if a large maxThreads in an Executor would have better
>> throughput than the same maxThreads for a normal connector?
> 
> Nope. Internally the Connector uses an executor.
> 
>> What scenario would encourage the use of an Executor over a normal
>> connector? 
> 
> Sharing a common thread pool between multiple connectors. Usually when you 
> want to limit concurrent requests across http and http. 
> 
> Mark
> 
> 



questions about tomcat 7 executor with rest services

2015-10-12 Thread Brian Millett
I’m looking for some insight / info into using executor thread pool for a 
tomcat 7 server that handles many REST services.   
Wondering if a large maxThreads in an Executor would have better throughput 
than the same maxThreads for a normal connector?

What scenario would encourage the use of an Executor over a normal connector? 

Thanks.



ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
Hi,

 

First of all, I'm using:

- Tomcat 7.0.50

- Nginx 1.4.7

 

When I use Tomcat alone, ServletRequest.getRemoteHost()
(http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
works fine. But when Tomcat is behind Nginx (Nginx acting
as a reverse proxy), it does not.

Just to make myself clear, this is the architecture I'm talking about: 

 

Client -> Nginx (as a reverse proxy) -> Tomcat.

 

The problem is that ServletRequest.getRemoteHost() gives me the hostname of
the proxy itself (meaning Nginx) and not that of the client.

 

I was able to get the IP address of the visitor (and not that of the host
where Nginx is running) doing this on Nginx:

 

server {
    listen 80;
    server_name www.acme.com acme.com;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
        proxy_set_header Host $http_host;
        proxy_pass http://152.53.163.220:80/;
    }
}

 

And then inspecting the content of the "X-Forwarded-For" header in my java
programming. But what do I do to obtain the remote hostname? I guess it is
something similar, but I haven't found a solution. What I want to know is:

- Exactly what configuration do I need in Nginx 

- Exactly what do I do from Java to obtain the value.

 

Thanks in advance,

 

Brian
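Reading the client address out of the X-Forwarded-For header that the Nginx block above sets, as an added example (not code from the original post). $proxy_add_x_forwarded_for appends the address Nginx saw to whatever X-Forwarded-For value the client sent, so only the entries written by known proxies can be relied on. The class name, method names, trusted-proxy set and all addresses are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration: pick the client address from X-Forwarded-For behind a known proxy. */
public class ForwardedClientAddress {

    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern IPV6_SHAPE = Pattern.compile("[0-9A-Fa-f:]{2,39}");

    /** True only for strings shaped like an address literal, never for a hostname. */
    static boolean looksLikeIpLiteral(String s) {
        return IPV4.matcher(s).matches()
                || (s.indexOf(':') >= 0 && IPV6_SHAPE.matcher(s).matches());
    }

    /** What a naive reader of the header gets: the left-most entry, which the client controls. */
    static String naiveFirstEntry(String forwardedFor) {
        return forwardedFor.split(",")[0].trim();
    }

    /**
     * Walks the header from right to left. Entries appended by trusted proxies are
     * skipped; the first entry that is not a trusted proxy is the client as seen by
     * the outermost trusted proxy. Everything further left was supplied by the client.
     *
     * @param forwardedFor   value of the X-Forwarded-For request header, may be null
     * @param peerAddress    address of the TCP peer (request.getRemoteAddr())
     * @param trustedProxies addresses of the reverse proxies in front of Tomcat
     */
    static String clientAddress(String forwardedFor, String peerAddress,
                                Set<String> trustedProxies) {
        // A header on a connection that did not come through a trusted proxy
        // was written entirely by the client, so it is ignored.
        if (forwardedFor == null || !trustedProxies.contains(peerAddress)) {
            return peerAddress;
        }
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!looksLikeIpLiteral(hop)) {
                return peerAddress; // malformed chain: fall back to what was observed
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerAddress; // the request originated at a trusted proxy
    }

    /**
     * Reverse lookup of the selected address. Only address literals reach InetAddress,
     * so a hostname placed in the header is never handed to the resolver. The returned
     * name comes from the owner of the address block and is informational only.
     */
    static String reverseLookup(String address) throws UnknownHostException {
        if (!looksLikeIpLiteral(address)) {
            throw new IllegalArgumentException("not an address literal: " + address);
        }
        return InetAddress.getByName(address).getCanonicalHostName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (documentation address ranges).
        Set<String> trusted = new HashSet<>(Arrays.asList("192.0.2.10")); // the Nginx host
        String peer = "192.0.2.10";

        // Ordinary request: Nginx adds the address it saw.
        String plain = "203.0.113.7";
        // Client sent its own "X-Forwarded-For: 198.51.100.99"; Nginx appended the real peer.
        String spoofed = "198.51.100.99, 203.0.113.7";

        System.out.println("plain   -> " + clientAddress(plain, peer, trusted));
        System.out.println("spoofed -> " + clientAddress(spoofed, peer, trusted)
                + " (naive: " + naiveFirstEntry(spoofed) + ")");
        System.out.println("direct  -> " + clientAddress(spoofed, "203.0.113.7", trusted));

        // The lookup needs a resolver, so it only runs when an argument is given.
        if (args.length > 0) {
            System.out.println("host    -> "
                    + reverseLookup(clientAddress(plain, peer, trusted)));
        }
    }
}
```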



RE: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
Hello José,

That’s a nice idea indeed (A VERY NICE ONE!), but an extra work because of the 
networking effort. I'm talking about a site that can get hundreds of requests 
per second.

Since Nginx has access to this information, I bet there must be a way to pass 
it to Tomcat the same way the IP address can be passed! But for some reason I 
can't find it and I have spent quite some time looking for it.

Thanks a lot!


> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: martes, 08 de septiembre de 2015 02:58 p.m.
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> behind Nginx (Nginx as a reverse proxy)
> 
> 2015-09-08 21:22 GMT+02:00 Brian <brian...@emailbb.com>:
> > Hi,
> >
> >
> >
> > First of all, I'm using:
> >
> > - Tomcat 7.0.50
> >
> > - Nginx 1.4.7
> >
> >
> >
> > When I use Tomcat alone, ServletRequest.getRemoteHost()
> > (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
> > works fine. But when Tomcat is behind Nginx (Nginx acting
> > as a reverse proxy), it does not.
> >
> > Just to make myself clear, this is the architecture I'm talking about:
> >
> >
> >
> > Client -> Nginx (as a reverse proxy) -> Tomcat.
> >
> >
> >
> > The problem is that ServletRequest.getRemoteHost() gives me the hostname of
> > the proxy itself (meaning Nginx) and not that of the client.
> >
> >
> >
> > I was able to get the IP address of the visitor (and not that of the host
> > where Nginx is running) doing this on Nginx:
> >
> >
> >
> > server {
> >     listen 80;
> >     server_name www.acme.com acme.com;
> >
> >     location / {
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
> >         proxy_set_header Host $http_host;
> >         proxy_pass http://152.53.163.220:80/;
> >     }
> > }
> >
> >
> >
> > And then inspecting the content of the "X-Forwarded-For" header in my java
> > programming. But what do I do to obtain the remote hostname? I guess it is
> > something similar, but I haven't found a solution. What I want to know is:
> >
> > - Exactly what configuration do I need in Nginx
> >
> > - Exactly what do I do from Java to obtain the value.
> 
> Why don't you perform a reverse DNS lookup by code ? Something like :
> 
> InetAddress addr = InetAddress.getByName("xx.xx.xx.xx");
> String host = addr.getCanonicalHostName();
> System.out.println(host);
> 
> You only need to extract 'X-Forwarded-For' header from request  and
> execute that piece of code
> 
> 
> Regards
> 
> >
> >
> >
> > Thanks in advance,
> >
> >
> >
> > Brian
> >
> 



RE: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
mm..
... Well, so far I have always assumed that Tomcat itself has always made this 
effort (assuming that it is enabled to do so in the connector), so that when I 
execute the method I'm just retrieving the value. Am I wrong?

In this case when using Nginx+Tomcat, I assume that Nginx already made the 
effort to get the remoteHost value as well, so Tomcat just receives it and I 
just need to invoke the method to get it. Maybe I'm wrong here.

I really appreciate your help!


> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: martes, 08 de septiembre de 2015 03:59 p.m.
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> behind Nginx (Nginx as a reverse proxy)
> 
> 2015-09-08 22:10 GMT+02:00 Brian <brian...@emailbb.com>:
> > Hello José,
> >
> > That's a nice idea indeed (A VERY NICE ONE!), but it is extra work because of
> > the networking effort. I'm talking about a site that can get hundreds of
> > requests per second.
> 
> But you would want to execute ServletRequest.getRemoteHost() on every
> request, right? That was your question.
> I don't know how Tomcat 6's ServletRequest.getRemoteHost() is
> implemented, but I guess it's not very different from my code.
> 
> Regards
> 
> 
> 
> 
> >
> > Since Nginx has access to this information, I bet there must be a way to
> > pass it to Tomcat the same way the IP address can be passed! But for some
> > reason I can't find it and I have spent quite some time looking for it.
> >
> > Thanks a lot!
> >
> >
> >> -Original Message-
> >> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> >> Sent: martes, 08 de septiembre de 2015 02:58 p.m.
> >> To: Tomcat Users List <users@tomcat.apache.org>
> >> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> >> behind Nginx (Nginx as a reverse proxy)
> >>
> >> 2015-09-08 21:22 GMT+02:00 Brian <brian...@emailbb.com>:
> >> > Hi,
> >> >
> >> >
> >> >
> >> > First of all, I'm using:
> >> >
> >> > - Tomcat 7.0.50
> >> >
> >> > - Nginx 1.4.7
> >> >
> >> >
> >> >
> >> > When I use Tomcat alone, ServletRequest.getRemoteHost()
> >> >
> >>
> (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRe
> >> > moteHost()
> >> >
> >>
> <http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRe
> >> > moteHost())>  )  works fine. But when Tomcat is behind Nginx (Nginx 
> >> > acting
> >> > as a reverse proxy), it does not.
> >> >
> >> > Just to make myself clear, this is the architecture I'm talking about:
> >> >
> >> >
> >> >
> >> > Client -> Nginx (as a reverse proxy) -> Tomcat.
> >> >
> >> >
> >> >
> >> > The problem is that ServletRequest.getRemoteHost() gives me the
> hostname of
> >> > the proxy itself (meaning Nginx) and not that of the client.
> >> >
> >> >
> >> >
> >> > I was able to get the IP address of the visitor (and not that of the host
> >> > where Nginx is running) doing this on Nginx:
> >> >
> >> >
> >> >
> >> > server {
> >> >     listen 80;
> >> >     server_name www.acme.com acme.com;
> >> >
> >> >     location / {
> >> >         # This line did the trick:
> >> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >> >         proxy_set_header Host $http_host;
> >> >         proxy_pass http://152.53.163.220:80/;
> >> >     }
> >> > }
> >> >
> >> >
> >> >
> >> > And then inspecting the content of the "X-Forwarded-For" header in my 
> >> > java
> >> > programming. But what do I do to obtain the remote hostname? I guess it 
> >> > is
> >> > something similar, but I haven't found a solution. What I want to know 
> >> > is:
> >> >
> >> > - Exactly what configuration do I need in Nginx
> >> >
> >> > - Exactly what do I do from

An incompatible version of APR based Apache Tomcat Native library is installed.

2015-07-16 Thread Paquin, Brian
I tried upgrading from Tomcat 8.0.14 to 8.0.24 over the weekend and could not 
get it working (using Tomcat Native)… Here is what I see in catalina.out:
———
SEVERE [main] org.apache.catalina.core.AprLifecycleListener.init An 
incompatible version 1.1.31 of the APR based Apache Tomcat Native library is 
installed, while Tomcat requires version 1.1.32

SEVERE [main] org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore Failed 
to load keystore type JKS with path /var/root/.keystore due to 
/var/root/.keystore (No such file or directory)
 java.io.FileNotFoundException: /var/root/.keystore (No such file or directory)

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end 
point associated with ProtocolHandler [http-nio-8443]
 java.io.FileNotFoundException: /var/root/.keystore (No such file or directory)

SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to 
initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
———
Here are the steps I performed in the upgrade (Mac running OS 10.9.5):

### upgrade APR
cd /usr/local/src/apr-1.5.2 
./configure 
make
sudo make install
### upgrade OpenSSL
cd /usr/local/src/openssl-1.0.1p 
./configure darwin64-x86_64-cc
make
make test
sudo make install
openssl version
### compile Native
cd /usr/local/apache-tomcat-8.0.24/bin/
tar -xvf tomcat-native.tar.gz 
cd tomcat-native-1.1.33-src/jni/native/
./configure --with-apr=/usr/local/apr --with-ssl=/usr/local/ssl/ \
  --with-java-home=/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home
make
sudo make install

Did not see any errors in the compiling that stopped the build of APR, OpenSSL, 
or Native…
Copied server.xml, tomcat-users.xml, setenv.sh, 2 libraries for db access, and 
SSL certificates over to the new Tomcat instance.
Started new Tomcat instance. Opened browser and connected to Manager. Deployed 
WAR files.
Upon opening an application that needed SSL, the browser just stalled.
Looking in catalina.out, I saw the errors posted above…

Thoughts?

Brian






Re: Help with overriding default cookie name

2015-04-29 Thread Brian Jones

Chris,

Thanks for getting back to me. I did end up solving the problem, and it 
was not a bug or related in any way to what Tomcat is doing. It ended up 
being a (very buried) property setting of the application that is not 
documented anywhere. A lot of grep-ing led me to the realization. After 
setting the property, Tomcat behaves as expected and obeys the 
application's desired cookie name.


Thanks again for letting me bounce my ideas off you, much appreciated!

Cheers,

Brian Jones
Programmer/Analyst
Information Technology Services
Support Services Building, Suite 4300
Western University
(519) 661-2111 x86969
bjone...@uwo.ca

On 2015-04-29 05:18 PM, Christopher Schultz wrote:


Brian,

On 4/21/15 3:21 PM, Brian Jones wrote:

Chris, thanks for getting back to me!


I'm trying to override the default cookie name (JSESSIONID) for
one of my Tomcat7 instances. I put the following in
$catalina_home/conf/context.xml:

<Context sessionCookieName="MyCookie">


That will change the session cookie name for all applications
deployed on the server, and not just one web application. Is that
what you wanted ?


Yes, this is what I'm after. I'm working on an enterprise
application which is comprised of over 70 webapps all working
together. I need to change it for everything, as they all obey a
single cookie.


However, after restarting Tomcat, the setting isn't being
applied; the cookie always remains as JSESSIONID rather than
MyCookie.

My environment is: tomcat 7.0.39, java 1.7.0_79, kubuntu
14.10.

Can anyone shed some light on how/where
$catalina_home/conf/context.xml is loaded? Or any ideas,
suggestions, etc are appreciated.


I would have expected what you did to work. Do you have a
separate CATALINA_BASE as well as a CATALINA_HOME? If so, the
CATALINA_BASE/conf/context.xml will *completely override* the one
in CATALINA_HOME/conf/context.xml.


I don't believe so, output from ./shutdown.sh:

Using CATALINA_BASE:   /opt/apache-tomcat-7.0.39
Using CATALINA_HOME:   /opt/apache-tomcat-7.0.39
Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp
Using JRE_HOME:        /usr/lib/jvm/java-7-openjdk-amd64
Using CLASSPATH:       /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar






It would probably be better to set the configuration in your web
application's META-INF/context.xml file. Give that a try and see
if it gives you the desired effect.


The problem with doing this, is that as the application is open
source, modifying each subtool's context.xml would fork me from the
community.

The only reason I'm trying to accomplish this, is because I have
two versions of the application running in two different Tomcats;
one is the community version, one is my institution's
localized/modified version. I need to be able to run both
simultaneously for comparison purposes.

However, because both Tomcats/applications are using the same
JSESSIONID as the cookie name, if I start a session on one Tomcat,
it invalidates the session on the other.

Anything else you can think of? Do you perhaps know how/where
Tomcat is loading up the $catalina_home/conf/context.xml file? If
that is known, I can perhaps modify (hack) it to point explicitly
to the context.xml file that I have the sessionCookieName set.


Sorry for the delayed response.

I just wanted you to try to configure using META-INF/context.xml to
see if that made the difference. That test will determine whether this
is a bug in Tomcat (the feature doesn't work) or if Tomcat does not
allow certain things to be overridden locally (e.g. the cookie name)
and therefore this is an enhancement.

I rather think that your expectations are reasonable, so assuming it's
not a bug, I'm +1 for supporting site-wide cookie-name changes.

- -chris

Help with overriding default cookie name

2015-04-21 Thread Brian Jones

Hello,

I'm trying to override the default cookie name (JSESSIONID) for one of 
my Tomcat7 instances. I put the following in 
$catalina_home/conf/context.xml:


<Context sessionCookieName="MyCookie">

However, after restarting Tomcat, the setting isn't being applied; the 
cookie always remains as JSESSIONID rather than MyCookie.


My environment is: tomcat 7.0.39, java 1.7.0_79, kubuntu 14.10.

Can anyone shed some light on how/where $catalina_home/conf/context.xml 
is loaded? Or any ideas, suggestions, etc are appreciated.


Cheers,

Brian Jones
Programmer/Analyst
Information Technology Services
Support Services Building, Suite 4300
Western University
(519) 661-2111 x86969
bjone...@uwo.ca




Re: Help with overriding default cookie name

2015-04-21 Thread Brian Jones

Chris, thanks for getting back to me!


I'm trying to override the default cookie name (JSESSIONID) for one
of my Tomcat7 instances. I put the following in
$catalina_home/conf/context.xml:

<Context sessionCookieName="MyCookie">


That will change the session cookie name for all applications deployed
on the server, and not just one web application. Is that what you wanted
?


Yes, this is what I'm after. I'm working on an enterprise application 
which is comprised of over 70 webapps all working together. I need to 
change it for everything, as they all obey a single cookie.



However, after restarting Tomcat, the setting isn't being applied;
the cookie always remains as JSESSIONID rather than MyCookie.

My environment is: tomcat 7.0.39, java 1.7.0_79, kubuntu 14.10.

Can anyone shed some light on how/where
$catalina_home/conf/context.xml is loaded? Or any ideas,
suggestions, etc are appreciated.


I would have expected what you did to work. Do you have a separate
CATALINA_BASE as well as a CATALINA_HOME? If so, the
CATALINA_BASE/conf/context.xml will *completely override* the one in
CATALINA_HOME/conf/context.xml.


I don't believe so, output from ./shutdown.sh:

Using CATALINA_BASE:   /opt/apache-tomcat-7.0.39
Using CATALINA_HOME:   /opt/apache-tomcat-7.0.39
Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp
Using JRE_HOME:        /usr/lib/jvm/java-7-openjdk-amd64
Using CLASSPATH:       /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar




It would probably be better to set the configuration in your web
application's META-INF/context.xml file. Give that a try and see if it
gives you the desired effect.


The problem with doing this, is that as the application is open source, 
modifying each subtool's context.xml would fork me from the community.


The only reason I'm trying to accomplish this, is because I have two 
versions of the application running in two different Tomcats; one is the 
community version, one is my institution's localized/modified version. 
I need to be able to run both simultaneously for comparison purposes.


However, because both Tomcats/applications are using the same JSESSIONID 
as the cookie name, if I start a session on one Tomcat, it invalidates 
the session on the other.


Anything else you can think of? Do you perhaps know how/where Tomcat is 
loading up the $catalina_home/conf/context.xml file? If that is known, I 
can perhaps modify (hack) it to point explicitly to the context.xml file 
that I have the sessionCookieName set.


Thanks again,

Brian




1st time user

2015-02-27 Thread Brian V. Casteel
I am wanting to set up Tomcat on my windows 2008 server and utilize it with my 
page running on IIS.  However I don't even know where to begin.  Can anyone 
help me out?



RE: 1st time user

2015-02-27 Thread Brian V. Casteel
I haven’t done much of anything.  I downloaded what I think is the appropriate 
versions of tomcat 8 for my server,   other than that  I'm incredibly lost.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, February 27, 2015 11:02 AM
To: Tomcat Users List
Subject: Re: 1st time user


Brian,

On 2/27/15 11:32 AM, Brian V. Casteel wrote:
 I am wanting to set up Tomcat on my windows 2008 server and utilize it 
 with my page running on IIS.  However I don't even know where to 
 begin.  Can anyone help me out?

Do you have an application you want to deploy, or do you just want to use 
Tomcat as a web server?

Getting started is pretty easy. What have you read/done already?

- -chris



RE: 1st time user

2015-02-27 Thread Brian V. Casteel
And in response to the first half that message I have at least one Java script 
I want to have on my webpage that is currently served up by IIS


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, February 27, 2015 11:02 AM
To: Tomcat Users List
Subject: Re: 1st time user


Brian,

On 2/27/15 11:32 AM, Brian V. Casteel wrote:
 I am wanting to set up Tomcat on my windows 2008 server and utilize it 
 with my page running on IIS.  However I don't even know where to 
 begin.  Can anyone help me out?

Do you have an application you want to deploy, or do you just want to use 
Tomcat as a web server?

Getting started is pretty easy. What have you read/done already?

- -chris



RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, February 27, 2015 11:32 AM
To: Tomcat Users List
Subject: Re: 1st time user


Brian,

Please bottom-post or mix your responses inside of the original message. It's 
much easier to read and the convention on this mailing list. I've re-formatted 
your message slightly. Please see below.

On 2/27/15 12:12 PM, Brian V. Casteel wrote:
 -Original Message- From: Christopher Schultz 
 [mailto:ch...@christopherschultz.net] Sent: Friday, February 27,
 2015 11:02 AM To: Tomcat Users List Subject: Re: 1st time user
 
 Brian,
 
 On 2/27/15 11:32 AM, Brian V. Casteel wrote:
 I am wanting to set up Tomcat on my windows 2008 server and utilize 
 it with my page running on IIS.  However I don't even know where to 
 begin.  Can anyone help me out?
 
 Do you have an application you want to deploy, or do you just want to 
 use Tomcat as a web server?
 
 Getting started is pretty easy. What have you read/done already?
 
 I haven’t done much of anything. I downloaded what I think is the 
 appropriate versions of tomcat 8 for my server, other than that I'm 
 incredibly lost.

You have a few options. For Windows users, perhaps the Windows Installer (one 
of the .exe downloads) is probably the easiest to use:
you'll get everything installed in a standard place (C:\Program Files) and it 
will also install the Windows Service that you can use to start/stop Tomcat.

If you download one of the ZIP packages, you can unzip it anywhere you want. 
Launching Tomcat from the command-line is often a little easier to troubleshoot 
when you are getting started. I can't remember if the startup scripts are or 
are not included in the .exe packages; I seem to remember them being missing in 
the past. I'm not prepared to download and install the .exe package right now 
just to check, though.

 And in response to the first half that message I have at least one  
 Java script I want to have on my webpage that is currently served up 
 by IIS.

Would you like to connect IIS to Tomcat, or do you want to use Tomcat instead?

I was hoping to connect IIS to Tomcat rather than migrate my pages

The thing that's usually most confusing to new users is that Tomcat isn't a 
traditional web server where you just point it at a directory (DocumentRoot in 
Apache httpd's parlance, not sure what it's called in
IIS) and serve files from it. Instead, everything is a web application which 
can be very simple -- just having a few .html files or whatever -- or it can 
have servlets, JSPs, and all kinds of other things that are more interesting 
than just static files.

Unfortunately, the getting started documentation in the Users' Guide is not 
great. There are whole sections of your local public library or bookstore 
devoted to the basics of Java web applications, so repeating all that stuff in 
Tomcat's documentation is kind of ... repetitive.

Understanding what a web application is, in terms of structure, is probably 
going to be the best time spent as you get started, here. Do a little bit of 
Googling and maybe to get a book on Java web applications and read some of the 
introductory sections.

O'Reilly's Tomcat: The Definitive Guide is fairly good, though it's based 
upon Tomcat 6 and so some of the specific configurations are a bit out of date, 
but if you are okay with a loose interpretation of those specifics, it's worth 
the read. The book is HUGE, so don't try to go read the whole thing before 
getting started.

Wrox's Professional Java for Web Applications is also good, though it moves 
very quickly and goes from covering the basics to ... well, everything else 
under the sun. It's also enormous, so don't think you have to read the whole 
thing.

The authors of both of those books do lurk on this mailing list, and no, I 
don't get paid if you buy their books (though I should consider asking for some 
consideration!).

So do a bit of reading and ask whatever questions you have, here. But don't ask 
this community to teach you how to write web applications because that will 
become tiresome for them. :)

Welcome to the community.

- -chris


RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, February 27, 2015 11:32 AM
To: Tomcat Users List
Subject: Re: 1st time user


Brian,

Please bottom-post or mix your responses inside of the original message. It's 
much easier to read and the convention on this mailing list. I've re-formatted 
your message slightly. Please see below.

On 2/27/15 12:12 PM, Brian V. Casteel wrote:
 -Original Message- From: Christopher Schultz 
 [mailto:ch...@christopherschultz.net] Sent: Friday, February 27,
 2015 11:02 AM To: Tomcat Users List Subject: Re: 1st time user
 
 Brian,
 
 On 2/27/15 11:32 AM, Brian V. Casteel wrote:
 I am wanting to set up Tomcat on my windows 2008 server and utilize 
 it with my page running on IIS.  However I don't even know where to 
 begin.  Can anyone help me out?
 
 Do you have an application you want to deploy, or do you just want to 
 use Tomcat as a web server?
 
 Getting started is pretty easy. What have you read/done already?
 
 I haven’t done much of anything. I downloaded what I think is the 
 appropriate versions of tomcat 8 for my server, other than that I'm 
 incredibly lost.

You have a few options. For Windows users, perhaps the Windows Installer (one 
of the .exe downloads) is probably the easiest to use:
you'll get everything installed in a standard place (C:\Program Files) and it 
will also install the Windows Service that you can use to start/stop Tomcat.

If you download one of the ZIP packages, you can unzip it anywhere you want. 
Launching Tomcat from the command-line is often a little easier to troubleshoot 
when you are getting started. I can't remember if the startup scripts are or 
are not included in the .exe packages; I seem to remember them being missing in 
the past. I'm not prepared to download and install the .exe package right now 
just to check, though.

 And in response to the first half that message I have at least one  
 Java script I want to have on my webpage that is currently served up 
 by IIS.

Would you like to connect IIS to Tomcat, or do you want to use Tomcat instead?

The thing that's usually most confusing to new users is that Tomcat isn't a 
traditional web server where you just point it at a directory (DocumentRoot in 
Apache httpd's parlance, not sure what it's called in
IIS) and serve files from it. Instead, everything is a web application which 
can be very simple -- just having a few .html files or whatever -- or it can 
have servlets, JSPs, and all kinds of other things that are more interesting 
than just static files.

Unfortunately, the getting started documentation in the Users' Guide is not 
great. There are whole sections of your local public library or bookstore 
devoted to the basics of Java web applications, so repeating all that stuff in 
Tomcat's documentation is kind of ... repetitive.

Understanding what a web application is, in terms of structure, is probably 
going to be the best time spent as you get started, here. Do a little bit of 
Googling and maybe to get a book on Java web applications and read some of the 
introductory sections.

O'Reilly's Tomcat: The Definitive Guide is fairly good, though it's based 
upon Tomcat 6 and so some of the specific configurations are a bit out of date, 
but if you are okay with a loose interpretation of those specifics, it's worth 
the read. The book is HUGE, so don't try to go read the whole thing before 
getting started.

Wrox's Professional Java for Web Applications is also good, though it moves 
very quickly and goes from covering the basics to ... well, everything else 
under the sun. It's also enormous, so don't think you have to read the whole 
thing.

The authors of both of those books do lurk on this mailing list, and no, I 
don't get paid if you buy their books (though I should consider asking for some 
consideration!).

So do a bit of reading and ask whatever questions you have, here. But don't ask 
this community to teach you how to write web applications because that will 
become tiresome for them. :)

Welcome to the community.

- -chris

RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: Hassan Schroeder [mailto:hassan.schroe...@gmail.com] 
Sent: Friday, February 27, 2015 2:21 PM
To: Tomcat Users List
Subject: Re: 1st time user

On Fri, Feb 27, 2015 at 12:07 PM, Brian V. Casteel brian.cast...@ilhcgh.org 
wrote:

 But when how do I make my java on my HTML page from IIS run it?

Could you translate that into English? My Gibberish is rusty.

--
Hassan Schroeder  hassan.schroe...@gmail.com 
http://about.me/hassanschroeder
twitter: @hassan
Consulting Availability : Silicon Valley or remote



Sorry,  Meant to ask how do I make my HTML page that is served using IIS 
display my java script.
Hope that clarifies a bit  my snark to sarcasm is a bit rusty.




RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: David kerber [mailto:dcker...@verizon.net] 
Sent: Friday, February 27, 2015 2:45 PM
To: Tomcat Users List
Subject: Re: 1st time user

On 2/27/2015 3:38 PM, Brian V. Casteel wrote:


 -Original Message-
 From: David kerber [mailto:dcker...@verizon.net]
 Sent: Friday, February 27, 2015 2:36 PM
 To: Tomcat Users List
 Subject: Re: 1st time user

 On 2/27/2015 3:25 PM, Brian V. Casteel wrote:


 -Original Message-
 From: David kerber [mailto:dcker...@verizon.net]
 Sent: Friday, February 27, 2015 2:24 PM
 To: Tomcat Users List
 Subject: Re: 1st time user

 On 2/27/2015 3:07 PM, Brian V. Casteel wrote:


 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, February 27, 2015 11:32 AM
 To: Tomcat Users List
 Subject: Re: 1st time user


 ...



 OK  I have Tomcat installed.  But when how do I make my java on my HTML 
 page from IIS run it?


 Java, or JavaScript?  They are two very different animals.

 I have a bit of javascript I want to run on a page hosted from my IIS server.

 Javascript is normally run in the client browser, not on the server.
 There is also some server-side javascript, but I doubt that is what you're 
 referring to.  Even so, that would normally be done by your IIS, rather than 
 tomcat.




 At this point I am lost and confused.   I have a page.  I have a bit of java 
 that I want to display on that page and do its little java thing.  However as 
 of right now  my page is showing up as blank.

It's javascript, not Java.  They have no connection to each other, despite the 
name.  For what you're trying to do here, tomcat is just an extra complication, 
with no advantages over just using IIS.


Thank you.




RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: David kerber [mailto:dcker...@verizon.net] 
Sent: Friday, February 27, 2015 2:24 PM
To: Tomcat Users List
Subject: Re: 1st time user

On 2/27/2015 3:07 PM, Brian V. Casteel wrote:


 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, February 27, 2015 11:32 AM
 To: Tomcat Users List
 Subject: Re: 1st time user


...



 OK  I have Tomcat installed.  But when how do I make my java on my HTML page 
 from IIS run it?


Java, or JavaScript?  They are two very different animals.

I have a bit of javascript I want to run on a page hosted from my IIS server.






RE: 1st time user

2015-02-27 Thread Brian V. Casteel


-Original Message-
From: David kerber [mailto:dcker...@verizon.net] 
Sent: Friday, February 27, 2015 2:36 PM
To: Tomcat Users List
Subject: Re: 1st time user

On 2/27/2015 3:25 PM, Brian V. Casteel wrote:


 -Original Message-
 From: David kerber [mailto:dcker...@verizon.net]
 Sent: Friday, February 27, 2015 2:24 PM
 To: Tomcat Users List
 Subject: Re: 1st time user

 On 2/27/2015 3:07 PM, Brian V. Casteel wrote:


 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, February 27, 2015 11:32 AM
 To: Tomcat Users List
 Subject: Re: 1st time user


 ...



 OK  I have Tomcat installed.  But when how do I make my java on my HTML page 
 from IIS run it?


 Java, or JavaScript?  They are two very different animals.

 I have a bit of javascript I want to run on a page hosted from my IIS server.

Javascript is normally run in the client browser, not on the server. 
There is also some server-side javascript, but I doubt that is what you're 
referring to.  Even so, that would normally be done by your IIS, rather than 
tomcat.




At this point I am lost and confused.   I have a page.  I have a bit of java 
that I want to display on that page and do its little java thing.  However as 
of right now  my page is showing up as blank.





Tomcat CORS Filter: Why is the default list of headers in Access-Control-Allow-Headers so arbitrarily limited?

2015-02-07 Thread Brian
Hi,

Tomcat brings a special filter that implements the CORS specification. In
this filter, the default list of allowed headers is the following:

Origin
Accept
X-Requested-With
Content-Type
Access-Control-Request-Method
Access-Control-Request-Headers

I know that I can replace that list by using the filter parameter
cors.allowed.headers and specify my own list of headers. I know that. But
I have the following questions:


- When this filter was created, why was the list filled with this
-arbitrarily- short list of headers? Why these headers and not others? Why,
for example, isn't the cache-control header in the list? How was this list
chosen?

- If I want to define a more complete list, which headers should I include?
There are so many headers to think about!

- Can I use a * instead of specifying a list? Is that something that the
CORS specs allow?

- I know that the CORS specs defined this kind of list, but why is that
necessary? Why can't we just accept any header in the pre-flight OPTIONS
step, instead of returning a 403 (Forbidden) if at least one of the headers
requested by the client is not in the list of allowed headers?

- Why isn't there an option in the filter to do something like this:

response.setHeader("Access-Control-Allow-Headers",
request.getHeader("Access-Control-Request-Headers"))  ?

I'm puzzled. One of the users of my API sent the cache-control header in
the Access-Control-Request-Headers list during the pre-flight
step, and received an HTTP 403 error status. I can add this header to the
list (using the cors.allowed.headers filter parameter). But what about
the next time some client sends another header that is not in the list?


Brian
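
The preflight check described in the message above, modeled as an added example (not part of the original post and not Tomcat's CorsFilter source): it reports which names in Access-Control-Request-Headers fall outside the allow-list, using the default list quoted above. The class name, method names and sample header values are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Illustrative model of a preflight header allow-list check (hypothetical class). */
public class PreflightHeaderCheck {

    // Default allowed headers, as listed in the message above.
    static final List<String> DEFAULT_ALLOWED = Arrays.asList(
            "Origin", "Accept", "X-Requested-With", "Content-Type",
            "Access-Control-Request-Method", "Access-Control-Request-Headers");

    /** Lower-cases the names, because HTTP header names are case-insensitive. */
    static Set<String> normalize(List<String> names) {
        Set<String> out = new HashSet<>();
        for (String n : names) {
            out.add(n.trim().toLowerCase(Locale.ROOT));
        }
        return out;
    }

    /** Returns the requested header names that are not in the allow-list. */
    static List<String> rejected(String requestHeaders, Set<String> allowed) {
        List<String> bad = new ArrayList<>();
        if (requestHeaders == null) {
            return bad; // the preflight asked for no extra headers
        }
        for (String raw : requestHeaders.split(",")) {
            String name = raw.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty() && !allowed.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed Access-Control-Request-Headers values, not real traffic.
        String[] samples = { "accept, content-type", "Cache-Control, X-Requested-With", null };

        Set<String> defaults = normalize(DEFAULT_ALLOWED);
        List<String> extended = new ArrayList<>(DEFAULT_ALLOWED);
        extended.add("Cache-Control"); // what a cors.allowed.headers override would add
        Set<String> widened = normalize(extended);

        for (String s : samples) {
            List<String> bad = rejected(s, defaults);
            System.out.println("requested=" + s
                    + " | default list: " + (bad.isEmpty() ? "passes" : "403, rejected " + bad)
                    + " | with Cache-Control added: rejected " + rejected(s, widened));
        }
    }
}
```

Logging the result of rejected() from a servlet filter mapped ahead of the CORS filter would record which header name triggered a given 403.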

 

 

 



RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

2015-02-06 Thread Brian
Hello Mark,

1- No authentication at all, since the user authenticates sending a parameter 
in the query string.

2- I have two filters: org.tuckey.web.filters.urlrewrite.UrlRewriteFilter 
(which has been working fine for years now) and CORS, yes!!!
Actually, the CORS filter (org.apache.catalina.filters.CorsFilter) is the first 
filter in my web.xml file, so it is the first to run.
This is the way I have configured it:

  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

I added the CORS filter probably two months ago, and probably I have started 
seeing the 403 errors since then, yes!
And now that I think about it, probably the CORS filter is the reason for the 
403 indeed, since my API is being called not only from servers but also from 
Javascript running in all kinds of browsers and maybe some of them don't deal 
with CORS properly. That would explain why the 403s happen occasionally. In 
fact, I see this 403 occurring in most of the cases by one specific user 
(authenticated by a parameter in the query string) that calls my API from 
javascript!

In what conditions does this filter return a 403 error? What are the Headers 
involved when that happens? How can I avoid this problem? Where (on the 
internet) can I learn more about this specific problem?

Thanks Mark!



 -Original Message-
 From: Mark Thomas [mailto:ma...@apache.org]
 Sent: viernes, 06 de febrero de 2015 04:47 a.m.
 To: Tomcat Users List
 Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
 happen ever. How to find out why this happens?
 
 On 05/02/2015 23:14, Brian wrote:
  Hello David,
 
  No, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of
  the requests return a 403 to the users, and all those requests are doing the
  same thing.
  Thanks a lot for your help!
 
 Is any authentication configured for this web application?
 
 What filters are configured (the CORS filter might return a 403 for
 example)?
 
 Mark
 
 



Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

2015-02-05 Thread Brian
Hi,

 

I have a Restful service that receives a huge amount of HTTP requests per
day. In some of these requests, Tomcat returns an HTTP 403 error status.
This should never happen as far as I can tell because the resource is open,
and is very sporadic but yet very critical because it makes my service
unreliable. When this happens, it does for the same resource that would
otherwise return a successful response.

I'm sure this is happening, because my users have reported me the issue, and
because I can clearly see that in our Tomcat log, as follows:

 

localhost - - [04/Feb/2015:01:11:06 -0500] GET /location/v1.7/locateip?key=abc123&ip=182.68.243.178&format=JSON HTTP/1.0 403 - - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

localhost - - [04/Feb/2015:01:12:24 -0500] GET /location/v1.8/locateip?key=abc123&ip=local-ip&format=json&capacity=6X HTTP/1.0 403 - - Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

localhost - - [04/Feb/2015:01:18:06 -0500] GET /location/v1.8/locateip?key=abc123&ip=local-ip&format=json&capacity=6X HTTP/1.0 403 - - Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

 

Is there a way to show in the log why the 403s took place? How do I debug
these events?

 

I'm using Tomcat 7.0.50.

 

By the way: I don't know if this is relevant, but this is the complete stack
of software between the user and my Java App:

 

- The request first goes through an Amazon AWS load balancer
- Then it enters my Linux instance (Ubuntu 12.04.3)
- Then it arrives at Nginx (v1.4.7), which runs a module that deals with
abuses (when there are too many requests)
- Then it hits Tomcat (7.0.50)
- Then it finally hits my java servlet.

 

Thanks in advance,

 

Brian

 

 

 



RE: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?

2015-02-05 Thread Brian
Hello David,

No, it is not the case. No exceptions whatsoever. And about 1/100 (or less) of 
the requests return a 403 to the users, and all those requests are doing the 
same thing.
Thanks a lot for your help!


 -Original Message-
 From: David Bullock [mailto:david.bull...@machaira.com.au]
 Sent: jueves, 05 de febrero de 2015 06:04 p.m.
 To: Tomcat Users List
 Subject: Re: Sporadic HTTP 403 returned by Tomcat when this should not
 happen ever. How to find out why this happens?
 
 On 6 February 2015 at 02:42, Brian brian...@emailbb.com wrote:
 
  Hi,
 
  I have a Restful service that receives a huge amount of HTTP requests per
  day. In some of these requests, Tomcat returns an HTTP 403 error status.
 
 
 Your servlet does something which throws a java.lang.Security exception
 (which is a runtime exception), and Tomcat is translating it into a 403 for
 you?  (I didn't test it, but it might be a reasonable thing for a
 servlet-container to do).





Annotation scanning problem with Tomcat 8 and Java 8

2014-06-30 Thread Brian Morris
I'm running into a startup problem using Tomcat 8 and Java 8
during annotation scanning.

I get many error messages similar to these two:

Jun 30, 2014 12:44:26 PM org.apache.catalina.startup.ContextConfig processAnnotationsWebResource
SEVERE: Unable to process web resource [/WEB-INF/classes/com/foo/printer/GPrinter.class] for annotations
org.apache.tomcat.util.bcel.classfile.ClassFormatException: Expected class `CONSTANT_Utf8' at index 283 and got [7]
at org.apache.tomcat.util.bcel.classfile.ConstantPool.getConstant(ConstantPool.java:207)
at org.apache.tomcat.util.bcel.classfile.Attribute.readAttribute(Attribute.java:83)
at org.apache.tomcat.util.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:76)
at org.apache.tomcat.util.bcel.classfile.ClassParser.readMethods(ClassParser.java:226)
at org.apache.tomcat.util.bcel.classfile.ClassParser.parse(ClassParser.java:101)
at org.apache.catalina.startup.ContextConfig.processAnnotationsStream(ContextConfig.java:1987)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1897)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1135)
at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:767)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:302)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5083)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:724)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:700)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:581)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1686)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Jun 30, 2014 12:44:26 PM org.apache.catalina.startup.ContextConfig processAnnotationsWebResource
SEVERE: Unable to process web resource [/WEB-INF/classes/com/foo/printer/impl/GTile.class] for annotations
java.io.EOFException
at java.io.DataInputStream.readUnsignedShort(DataInputStream.java:340)
at org.apache.tomcat.util.bcel.classfile.Utility.swallowMethodParameters(Utility.java:188)
at org.apache.tomcat.util.bcel.classfile.Attribute.readAttribute(Attribute.java:159)
at org.apache.tomcat.util.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:76)
at org.apache.tomcat.util.bcel.classfile.ClassParser.readMethods(ClassParser.java:226)
at org.apache.tomcat.util.bcel.classfile.ClassParser.parse(ClassParser.java:101)
at org.apache.catalina.startup.ContextConfig.processAnnotationsStream(ContextConfig.java:1987)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1897)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.processAnnotationsWebResource(ContextConfig.java:1892)
at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1135)
at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:767)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:302)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5083)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:724)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:700)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:581)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1686)
at

Re: Configuration of Default Servlet for a single Container?

2014-03-22 Thread Brian Burch

On 31/01/14 13:27, Brian Burch wrote:

On 31/01/14 12:48, Mark Thomas wrote:

On 31/01/2014 12:42, Brian Burch wrote:


Have I overlooked a configuration trick that would allow me to use the
webapp without a symlink, but still have the Default Servlet access
external static content as if it were internal?


http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes


aliases?


Thanks very much, as always, for your rapid response. I will follow that
link with interest.


If you switch to Tomcat 8, you get a cleaner implementation and much
more control with the new resources implementation.

I'll get back to you if I don't understand, but otherwise, thanks very
much,


This task finally arrived near the top of my list. I started by looking 
at org.apache.catalina.core.TestStandardContextAliases, which was very 
helpful. So was the javadoc for 
org.apache.catalina.core.StandardContext.setAliases(String).


I then thought about extending my existing logic to support both the 
existing internal and the new external directory trees. I thought I 
had a viable approach, but have hit an implementation issue that does 
not seem to have an elegant, lightweight solution.


JSPWiki is not intended to be dependent on tomcat, so it should only use 
services defined in the servlet api. My existing plugin currently follows 
this constraint, and I would like to do the same with my enhancement.


Unfortunately, the setAliases method is not inherited from 
javax.servlet.ServletContext and I couldn't find any reference to 
aliases in the Servlet 3.0 api docs. Am I correct in concluding it is a 
tomcat-only feature?


If it is tomcat-only, then my enhancement would not be available under 
any other flavour of webapp container. Worse still, I can't simply cast 
the execution Context to a StandardContext. I'll have to write 
introspection code to avoid a ClassNotFoundException when the plugin is 
loaded during deployment of the JSPWiki war...


Does that sound about right, Mark?

I am prepared to go ahead implementing a tomcat-only feature, but I 
would like to be sure it is the only or best solution before doing a lot 
of work.


Thanks...

Brian


Brian


Mark

