Re: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Joey Cochran
Could this be the culprit?

${CATALINA_BASE}/conf/context.xml






From: Hamdan Khan 
Sent: Tuesday, May 7, 2024 9:09 AM
To: users@tomcat.apache.org 
Subject: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New 
JSESSIONID even with <%@ page session="false" %>

Thank you Mark,

We have har files when the server is in error state, it shows that the
jsessionid is sent in request.

*Is there a reverse proxy in the mix?*
No, we directly access Tomcat.

*Are you using sessions at all*
Yes, we are using the default tomcat session in debugger it says
(org.apache.catalina.session.StandardSessionFacade)

*That is just a single page and any page can potentially trigger session
creation.*
It is a multi page application we create and maintain our UserSession
object, which is used to auth on subsequent requests. The application is
working ok on many of our servers,  but starts to generate jsessionid for
every request once the server goes in the problem state.

*It would be interesting to know if you need to clear both of these or
whether clearing just one is sufficient to resolve the issue. That might
narrow down potential root causes.*
I have requested the team to restart without removing work/temp; will update
later in the week.

*You could try attaching a profiler and recording object allocations. That
should show you where/how sessions are being created.*
I don't think that is possible for a production server, but if we can get a
clue on how to reproduce this case.

We have a SessionListener, will add logging to it.

thanks,
Hamdan


Re: [EXTERNAL] Disabling OPTIONS HTTP method with * path

2024-04-30 Thread Joey Cochran
From: Oleg Frenkel 
Sent: Tuesday, April 30, 2024 1:56 PM
To: users@tomcat.apache.org 
Subject: [EXTERNAL] Disabling OPTIONS HTTP method with * path

This issue exists in 9.0.88 and 10.1.23.

I am looking to disable the following HTTP request (note 'OPTIONS *' in the 
request):

$ curl -v --request-target "*" -X OPTIONS 
http://:
* Rebuilt URL to: :/
*   Trying ...
* TCP_NODELAY set
* Connected to  () port  (#0)
> OPTIONS * HTTP/1.1
> Host: :
> User-Agent: curl/7.61.1
> Accept: */*

I don't seem to be able to disable this OPTIONS request in Tomcat.

  Perhaps a CorsFilter setup can help ?

The following configuration doesn't work either:






Available HTTP 
methods
/*
GET
POST



The above section properly disables OPTIONS request to '/' path, but not to '*' 
path. In fact, the Tomcat response is that all methods are allowed:

$ curl -v --request-target "*" -X OPTIONS 
http://:
* Rebuilt URL to: http://:/
*   Trying ...
* TCP_NODELAY set
* Connected to  () port  (#0)
> OPTIONS * HTTP/1.1
> Host: :
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Tue, 30 Apr 2024 18:49:07 GMT
<
* Connection #0 to host  left intact

Note that it is impossible to put '*' as URL pattern - Tomcat fails to start 
complaining that '*' is not a valid url pattern.

Please confirm if this is a bug in Tomcat or if I am missing something in 
Tomcat configuration.

Thanks,
Oleg Frenkel
SS Technologies Inc
Lead Software Engineer
ofren...@sscinc.com | 
www.ssctech.com
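
The check from the exchange above, as an added example that is not part of the original messages or of Tomcat: it sends the asterisk-form `OPTIONS *` request over a raw socket (most HTTP client libraries cannot emit that request target) and reports which methods the `Allow` header advertises beyond an expected set. The expected set of GET and POST is an assumption taken from the configuration listing, `SAMPLE` is constructed from the response quoted above, and all function names are hypothetical.

```python
import socket

# Assumption: the methods the constraint in the message meant to leave enabled.
EXPECTED = {"GET", "POST"}

def build_probe(host: str, port: int) -> bytes:
    """Asterisk-form request target (RFC 9112, section 3.2.4)."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Accept: */*\r\nConnection: close\r\n\r\n").encode("ascii")

def parse_allow(raw: bytes):
    """Return (status_code, set of methods named in any Allow header)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    methods = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return int(parts[1]), methods

def audit(raw: bytes, expected=EXPECTED):
    """Return (status, sorted methods advertised for '*' beyond `expected`)."""
    status, methods = parse_allow(raw)
    return status, sorted(methods - set(expected))

def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send the probe to a server you administer and return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, port))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

# Constructed sample: the response quoted in the message, as raw bytes.
SAMPLE = (b"HTTP/1.1 200 \r\n"
          b"Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS\r\n"
          b"Content-Length: 0\r\n"
          b"Date: Tue, 30 Apr 2024 18:49:07 GMT\r\n\r\n")

if __name__ == "__main__":
    # Offline run against the sample; use audit(probe(host, port)) for a live check.
    print(audit(SAMPLE))
```

Running the same audit before and after a configuration change shows whether the change had any effect on the `*` target, independently of what `/` returns.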



Re: [EXTERNAL] Re: Tomcat 9 returning 404 for audio files

2024-03-11 Thread Joey Cochran
Thanks for replying!!

Yes, audio files are generated dynamically from DB in a Servlet.

I've verified that audio file exists on file system before returning the
html code that contains audio control.

I do NOT see this as a server side issue.
This reads like a client/DOM cache of resource issue with the HTML5 audio 
control.
simple fix could be (on the return/callback handler) to either refresh/reload 
just that tag on the DOM or even throw a whole DOM reload (more than one way to 
accomplish these, hence keeping it a pseudo code response)  -Hope this helps!
-Joey

On Mon, Mar 11, 2024, 5:22 a.m. Mark Thomas  wrote:

> On 11/03/2024 02:21, Sam wrote:
> > I just upgraded a legacy application from Tomcat 7 to Tomcat 9. It's
> > deployed as a war file. I'm facing a weird issue with audio files
> playback.
> >
> > When loading a page that contains an audio file. First time Tomcat
> returns
> > 404 error but if reloading the page, audio file is loaded properly and no
> > error from Tomcat.
> >
> > I'm using html 5 audio control to display the file.
> >
> > All other static resources(images, css and js files) are working without
> > any issues. Only audio files are having this issue.
> >
> > I enabled the logs for DefaultServlet in Tomcat. Following is the log
> entry
> > when I try to open the audio file first time. I can see 404 being
> returned
> > from server in Chrome dev tools.
> >
> >
> > *09-Mar-2024 20:12:50.747 INFO DefaultServlet.serveResource: Serving
> > resource '/wav/2B916004DFE94FA40446429E1671C893_0001053.mp3' headers and
> > data*
> > Following is the log for 2nd attempt. This time audio is available and
> > playable in browser. *09-Mar-2024 20:13:00.371 INFO
> > DefaultServlet.serveResource: Serving resource
> > '/wav/2B916004DFE94FA40446429E1671C893_0001053.mp3' headers and data *
> > *09-Mar-2024 20:13:01.372 INFO DefaultServlet.serveFile:
> > contentType='audio/mpeg'*
>
> Are the audio files generated dynamically on request?
>
> Mark
>
>
> >
> > Here is the audio control code:
> >
> > 
> >  >>
> >
> >   > type="audio/mpeg" >
> >
> > 
> > 
> > I've tried relative path and full path but result is the same in both
> cases.
> >
> > I've spent days trying to solve this but no luck :(
> >
> > I would really appreciate any guidance to solve this issue.
> >
> > Thanks!
> >
>


RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-17 Thread Joey Cochran
Angela,
You might still have a passphrase on the private key that is different from the 
passphrase on the keystore.
I generally do without passwords on the private key, or make sure the key 
passwords and store passwords are the same.
The store password will be tried/used (when needed) on nested passphrases.  
When it is different, this exception or one similar can be thrown.

After that, my next try would be without explicitly setting ciphers.

   

Joey Cochran • Middle Tennessee State University • Information Technology 
Division • Systems Administrator II • office: (615) 898-2714

-Original Message-
From: Cantor, Angela T.  
Sent: Wednesday, November 16, 2022 7:28 PM
To: Tomcat Users List 
Subject: RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Thanks to Joey and Chris for responding.

Joey had said
>Jump through the hoop of rebuilding the keystore with the current java
>   I believe this is what we did that made the difference I am not 
> familiar with PKCS11
>   we use Http11Nio2Protocol with PKCS12 for complete chain bundling.

Chris had some questions about my PKCS11 setup, but I'm taking a left turn and 
changing to PKCS12, since java.security now has fips.keystore.type=pkcs12 and 
this community seems to know more about it.

So I changed back to using PKCS12.  I recreated the keystore from my key and 
signed cert using openssl and switched to using Http11Nio2Protocol.  Now the 
connector is this:



This produced the following error:
16-Nov-2022 14:54:58.858 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component 
[Connector[org.apache.coyote.http11.Http11Nio2Protocol-8843]]
   org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
  at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:568)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
   Caused by: java.lang.IllegalArgumentException: keystore password was 
incorrect
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:145)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
  at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
  ... 13 more
   Caused by: java.io.IOException: keystore password was incorrect
  at 
java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
  at 
java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
  at java.base/java.security.KeyStore.load(KeyStore.java:1473)
  at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
  at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
  at 
org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
  at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
  at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
  ... 20 more
   Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe 
contents entry: java.security.NoSuchAlgorithmException: Cannot find any 
provider supporting PBEWithS

RE: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK upgrade

2022-11-14 Thread Joey Cochran
Angela,
I have seen this before when changing Java sources, in our case 7 to 8.
Jump through the hoop of rebuilding the keystore with the current Java.
I believe this is what we did that made the difference.
I am not familiar with PKCS11.
We use Http11Nio2Protocol with PKCS12 for complete chain bundling.
Hope this helps.
-Joey

-Original Message-
From: Cantor, Angela T.  
Sent: Monday, November 14, 2022 10:56 AM
To: users@tomcat.apache.org
Subject: tomcat and FIPS - PKCS11 CKR_SESSION_READ_ONLY error after OpenJDK 
upgrade

Hi all,

We have
- tomcat 9.0.68
- RHEL 8.6 with FIPS
- OpenJDK 17.0.5.0.8-2.el8_6

We just upgraded OpenJDK from 17.0.4.0.8-2.el8_6 to the above version.  Now 
tomcat won't listen on the desired port.  Something is wonky with it accessing 
the keystore.  If you all see anything obvious, could you please advise?  
Especially if it involves switching to a pkcs12 keystore (which I tried but 
that also failed - I am no expert on setting up either type so maybe I did 
something wrong.)  Nothing other than the OpenJDK version seems to matter - if 
we downgrade it back to 17.0.4.0.8, tomcat once again works fine.  Note that 
17.0.4.1.1-2.el8_6 also caused the same problem.

Tomcat with this connector worked fine with OpenJDK 17.0.4:

   
  
   


java.security for 17.0.5 has these entries for FIPS:
fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.2=SUN
fips.provider.3=SunEC
fips.provider.4=SunJSSE
fips.provider.5=SunJCE
fips.provider.6=SunRsaSign
...
fips.keystore.type=pkcs12



nss.fips.cfg is this:
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }



Upon starting tomcat, we get this:
14-Nov-2022 11:24:21.174 INFO [main] org.apache.coyote.AbstractProtocol.init 
Initializing ProtocolHandler ["https-jsse-nio-8843"]
14-Nov-2022 11:24:21.431 SEVERE [main] 
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to 
initialize component [Connector[HTTP/1.1-8843]]
   org.apache.catalina.LifecycleException: Protocol handler initialization 
failed
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method)
  at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:568)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
   Caused by: java.lang.IllegalArgumentException: 
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
  at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
  at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
  at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
  ... 13 more
   Caused by: java.security.KeyStoreException: 
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
  at 
jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1113)
  at 
jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetKeyEntry(P11KeyStore.java:458)
  at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
  at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:366)
  at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
  at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
  ... 20 more
   Caused by: 

RE: Error during startup

2022-08-08 Thread Joey Cochran
Make sure /bin/tomcat-juli.jar is set to 755 (chmod 755 tomcat-juli.jar)

-Original Message-
From: Mohan T  
Sent: Monday, August 8, 2022 2:26 AM
To: Tomcat Users List 
Subject: [EXTERNAL] RE: Error during startup

We have added the contents under grant section.

Still we are getting the error message.

Error in Full Agent Registration Info Resolver reading environment 
variable/system property
java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" "getenv.")
at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at 
java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.System.getenv(System.java:894)
at 
com.singularity.ee.util.system.SystemUtils.getenv(SystemUtils.java:49)
at 
com.singularity.ee.agent.resolver.ADefaultResolver.getProperty(ADefaultResolver.java:44)
at 
com.singularity.ee.agent.resolver.FullAgentRegistrationInfoResolver.shouldCreateAgentInfoIfMissing(FullAgentRegistrationInfoResolver.java:83)
at 
com.singularity.ee.agent.resolver.FullAgentRegistrationInfoResolver.(FullAgentRegistrationInfoResolver.java:72)
at 
com.singularity.ee.agent.resolver.FullAgentRegistrationInfoResolver.(FullAgentRegistrationInfoResolver.java:60)
at 
com.singularity.ee.agent.appagent.kernel.AppTierNodeDeterminerDelegate.executeGenericFunction(AppTierNodeDeterminerDelegate.java:260)
at 
com.singularity.ee.agent.appagent.kernel.AppTierNodeDeterminer.executeGenericFunction(AppTierNodeDeterminer.java:128)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.getAppTierNodeFromLib(AgentEntryPoint.java:1735)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.determineAppAgentVersionToUse(AgentEntryPoint.java:1549)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:557)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
at 
sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:401)
Full Agent Registration Info Resolver found system property 
[appdynamics.agent.nodeName] for node name [Tomcat_iaasa7924_base0]
Full Agent Registration Info Resolver using selfService [false]
Full Agent Registration Info Resolver using selfService [false]
Full Agent Registration Info Resolver using ephemeral node setting [false]
Full Agent Registration Info Resolver using application name 
[ILAS-NonProd_34995]
Error in Full Agent Registration Info Resolver reading environment 
variable/system property
java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" "getenv.")
at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at 
java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.System.getenv(System.java:894)
at 
com.singularity.ee.util.system.SystemUtils.getenv(SystemUtils.java:49)
at 
com.singularity.ee.agent.resolver.ADefaultResolver.getProperty(ADefaultResolver.java:44)
at 
com.singularity.ee.agent.resolver.FullAgentRegistrationInfoResolver.getNodeNameFromJavaAgentArg(FullAgentRegistrationInfoResolver.java:387)
at 
com.singularity.ee.agent.resolver.FullAgentRegistrationInfoResolver.run(FullAgentRegistrationInfoResolver.java:252)
at 
com.singularity.ee.agent.appagent.kernel.AppTierNodeDeterminerDelegate.getAppTierNode(AppTierNodeDeterminerDelegate.java:150)
at 
com.singularity.ee.agent.appagent.kernel.AppTierNodeDeterminer.getAppTierNode(AppTierNodeDeterminer.java:83)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.getAppTierNodeFromLib(AgentEntryPoint.java:1751)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.determineAppAgentVersionToUse(AgentEntryPoint.java:1549)
at 
com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:557)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:386)
at