from:"Mark Thomas"

Re: Rate Limiting support in Tomcat 9.x

2023-05-23 Thread Mark Thomas


On 22/05/2023 21:16, Amit Pande wrote:

Hello,

https://tomcat.apache.org/  I see rate limiting support added in Tomcat 10.1.9 .

(Side note: The Apache Tomcat Project is proud to announce the release of 
version 10.1.8 of Apache Tomcat - I think it should be 10.1.9)


Thanks. The typo has been fixed.


Are there any plans to add this filter in 9.x? Could an enhancement request be 
raised to get this in next Tomcat 9.x release?


It is already included in 9.0.x (and 8.5.x).

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat connection pool 9.0.52 uses more then configured maxActive connections

2023-05-22 Thread Mark Thomas


On 22/05/2023 09:45, Stefan López Romero wrote:

Hello,

I have the problem that the Tomcat connection pool uses more than the 
maxActive connections. In my Dropwizard application I have configured a 
maxSize of 30, but I found the following message in the logs.


Timeout: Pool empty. Unable to fetch a connection in 15 seconds, none 
available[size:31; busy:31; idle:0; lastwait:15000]


This seems to be related to a high pressure on the DB. In the DB logs I 
also found some connection issues


The code in the PooledConnection class does not seem to be completely 
bulletproof, because there can't be only two threads that have gone 
through the first if-two, or am I wrong?


Given that size is an AtomicInteger, I don't see a sequence of calls 
from multiple threads that could result in more than maxActive 
connections being created.


Also, it would have saved me some time if you had referenced the correct 
class. The quoted code is part of ConnectionPool, not PooledConnection.



//if we get here, see if we need to create one
//this is not 100% accurate since it doesn't use a shared
//atomic variable - a connection can become idle while we are creating
//a new connection
if (size.get() < getPoolProperties().getMaxActive()) {
//atomic duplicate check
if (size.addAndGet(1) > getPoolProperties().getMaxActive()) {
//if we got here, two threads passed through the first if
size.decrementAndGet();
} else {
//create a connection, we're below the limit
return createConnection(now, con, username, password);
}
} //end if

In the end, this problem causes all my available DB connections to be 
used up and my application to fail.


Is this a known problem? Is there a workaround?


At worst, this appears to be an off-by-one error either in the error 
message or the connection counting logic. Even with that addressed, it 
looks as if either the application has a connection leak or you need a 
bigger connection pool to support the required load.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

2023-05-22 Thread Mark Thomas


CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector 
settings were used such that the maxParameterCount could be reached 
using query string parameters and a request was submitted that supplied 
exactly maxParameterCount parameters in the query string, the limit for 
uploaded request parts could be bypassed with the potential for a denial 
of service to occur.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M5 or later
- Upgrade to Apache Tomcat 10.1.8 or later
- Upgrade to Apache Tomcat 9.0.74 or later
- Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang 
from the Huawei Nebula Security Lab


History:
2023-05-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Best Practice to Upgrade Apache Tomcat from 9.0.56 to 9.0.74

2023-05-18 Thread Mark Thomas




18 May 2023 06:06:04 Meltron Kendrick :


I created a "jar" file using WinRAR -- but no go ---

Got the following error message...

"Error: Could not find or load main class
org.apache.catalina.util.ServerInfo"

Any ideas on HOW TO properly do this?


Start with an official Tomcat release that doesn't have this problem. If 
the version numbers are broken, what else is?


If you really want to continue down this path, then don't try editing the 
JAR. Rather, override the resource.


Under $CATALINA_HOME/lib create the directory structure 
org/apache/catalina/util and then extract ServerInfo.properties to that 
directory. Edit the file. Start Tomcat. Tomcat will use the extracted 
file in preference to the one in the JAR.


Mark






On Wed, May 17, 2023 at 9:58 PM Meltron Kendrick 


wrote:

I was able to DECOMPRESS the .jar file -- using 7-zip -- and edited 
the
org/apache/catalina/util/ServerInfo.properties file to the proper 
version

and date info...

Now I need to COMPRESS everything with the updated
org/apache/catalina/util/ServerInfo.properties file added back into 
the

.jar file...


On Wed, May 17, 2023 at 1:43 AM Meltron Kendrick <
meltronkendr...@gmail.com> wrote:


Thank you Chuck!

What is the best way to go about updating the 3 lines to accurately
reflect the proper version details?



On Tue, May 16, 2023 at 9:08 PM Chuck Caldarale  
wrote:




On 2023-05-16, at 17:02, Meltron Kendrick 


wrote:


I am trying to get these fields to UPDATE properly...

ESPECIALLY THESE 3 ---
(but all of them would be nice)

Server version:  Secure Web Server
Server built: Jan 01 2000 00:00:00 UTC
Server number: 1.0.0.0


This information comes from this file inside lib/catalina.jar:
    org/apache/catalina/util/ServerInfo.properties

Whoever built your Tomcat distribution changed the contents of that 
file

when constructing the package. Using an unadulterated download from
tomcat.apache.org  results in something
similar to the following when running the version command:

Server version: Apache Tomcat/11.0.0-M6
Server built:   May 3 2023 17:28:15 UTC
Server number:  11.0.0.0
OS Name:    Mac OS X
OS Version: 13.3.1
Architecture:   aarch64
JVM Version:    18.0.1.1+2-6
JVM Vendor: Oracle Corporation

  - Chuck

--

==
Blessed Regards,

Meltron Kendrick
Sr. Systems Engineer
Linux * Windows * Cloud Computing * Security

LinkedIn: http://www.linkedin.com/in/meltronkendrick

Mobile: (512) 233-9176
Email: meltronkendr...@gmail.com


--
==
Blessed Regards,

Meltron Kendrick
Sr. Systems Engineer
Linux * Windows * Cloud Computing * Security

LinkedIn: http://www.linkedin.com/in/meltronkendrick

Mobile: (512) 233-9176
Email: meltronkendr...@gmail.com


--
==
Blessed Regards,

Meltron Kendrick
Sr. Systems Engineer
Linux * Windows * Cloud Computing * Security

LinkedIn: http://www.linkedin.com/in/meltronkendrick

Mobile: (512) 233-9176> Email: meltronkendr...@gmail.com


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: unsupported source vm 17?

2023-05-17 Thread Mark Thomas


On 17/05/2023 11:58, Holger Klawitter wrote:

Hi there,

I am using tomcat 9.0.73 along with jdk 17.0.7+8.
I have set up tomcat to support jdk 17 on all jsp pages.

 
 jsp
 org.apache.jasper.servlet.JspServlet
 
 compilerSourceVM
 17
 
 
 compilerTargetVM
 17
 
 
 fork
 false
 
 
 xpoweredBy
 false
 
 3
 

In the logfiles I notice the following Warning:

17-May-2023 11:53:37.171 WARNUNG [http-nio-80-exec-10] 
org.apache.jasper.compiler.JDTCompiler.generateClass Unsupported source VM [17] 
requested, using [16]

Does this mean that tomcat/jasper is not fully supporting jdk17 at this point?


No.

Tomcat 9.0.x is required by the Servlet specification to be built for 
Java 8. Version 4.20 (also know as version 3.26.0) of the Eclipse JDT 
compiler is the latest version that works with Java 8. It supports up to 
Java 16.


If you want to use JSPs on Tomcat 9.0.x with a Java version greater than 
16 you need to replace $CATALINA_HOME/lib/ecj-4.20.jar with a newer version.


Newer JARs are available from Eclipse or Maven Central:

https://search.maven.org/artifact/org.eclipse.jdt/ecj

Tomcat 10.1.x currently ships with the latest JAR.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Java G1 GC creating less garbage and taking more time in mixed GC phase

2023-05-16 Thread Mark Thomas


On 16/05/2023 08:50, M Venkata Pratap M wrote:

Hi ,
1. Thanks for the reply , attached screenshots for 9.0.62 heapdump.


The list doesn't support attachments.

A single thread dump isn't much use.

You need to take thread dumps for each scenario and compare them. Once 
you have identified the significant differences, that should provide the 
basis for a discussion of why those differences are present and the 
impact they have.


Mark


2. http2.Stream objects is taking around 28MB. Also InputBuffer was 
occupying more memory  around 235MB. was it normal.
3. In our application we are receiving 800 json requests per second an 
average of 3KB data each request and will respond with in a second.
4. All the tomcat settings are defaults , Overall anything suspicious 
from the screenshots.

Thanks & Regards,
Venkat.

-Original Message-
From: Mark Thomas 
Sent: 16 May 2023 12:44
To: users@tomcat.apache.org
Subject: Re: Java G1 GC creating less garbage and taking more time in mixed GC 
phase



On 16/05/2023 05:12, M Venkata Pratap M wrote:

Hi,

1.  We are using Http2 , When compared to 9.0.38 tomcat version , 9.0.62 
version is creating less garbage and taking  more time(2 to 5 seconds) in 
garbage collection during mixed GC phase.
2.  Are there any recommendation GC setting. Has any one observed these 
kind of problem.


Time spent in GC is generally proportional to the size of the live objects on 
the heap. I'd suggest comparing heap dumps from 9.0.38 and
9.0.62 to see what is different.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Java G1 GC creating less garbage and taking more time in mixed GC phase

2023-05-16 Thread Mark Thomas





On 16/05/2023 05:12, M Venkata Pratap M wrote:

Hi,

   1.  We are using Http2 , When compared to 9.0.38 tomcat version , 9.0.62 
version is creating less garbage and taking  more time(2 to 5 seconds) in 
garbage collection during mixed GC phase.
   2.  Are there any recommendation GC setting. Has any one observed these kind 
of problem.


Time spent in GC is generally proportional to the size of the live 
objects on the heap. I'd suggest comparing heap dumps from 9.0.38 and 
9.0.62 to see what is different.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Setting service parameters not work in Tomcat 8.5.85+

2023-05-11 Thread Mark Thomas


On 10/05/2023 22:06, Gilles Maurice wrote:

Hello,

Our product currently uses Tomcat 8.5.83. We wanted to upgrade to Tomcat 
8.5.88 but our product fails to start up with this version.


 From my research I was able to determine the following facts:
- Upgrade to 8.5.84 works fine
- Upgrade to 8.5.85+ fails
- Our product uses "tomcat8.exe //US/vlm" to update the service 
parameters (vlm is the internal name of our product)
- with 8.5.85, calling the following command works fine: tomcat8.exe 
//US/vlm --Description myDescription
- setting java parameters don't work however, for example this command 
fails: tomcat8.exe //US/vlm --JvmMs 128
- when running the command above, tomcat8.exe does not display an error 
but the service is not updated
- the documentation at 
https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html 
indicates that the java update parameters are not set when in exe mode 
but ours is in jvm mode. For example, the following command will not set 
the JvmMs value: tomcat8.exe //US/vlm --Jvm auto --StartMode jvm 
--StopMode jvm --JvmMs 128


Does anyone have any info on how to get around this?


I am unable to recreate the problem described.

tomcat8.exe //US/Tomcat8 --JvmMs 128

works for me with a clean Tomcat installation.

How are you determining if the service is updated?

Otherwise, can someone direct me to the source code for tomcat8.exe so I 
can see if I can find the cause of this issue myself?


You want Commons Daemon. Tomcat 8.5.85 upgraded from 1.3.2 to 1.3.3.

https://github.com/apache/commons-daemon

Tomcat8.exe is a renamed prunsrv.exe

Tomcat8w.exe is a renamed prunmgr.exe


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 11.0.0-M6 (alpha) available

2023-05-09 Thread Mark Thomas


The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M6 (alpha).

Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M6 is a milestone release of the 11.0.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 11.0.x so that they may provide feedback. The notable 
changes compared to 11.0.0-M5 include:


- Various improvements to access logging.

- Remove support for the HTTP Connector settings rejectIllegalHeader and
  allowHostHeaderMismatch. These are now hard-coded to the previous
  defaults.

- Update the packaged version of the Tomcat Migration Tool for Jakarta
  EE to 1.0.7.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question in regards to the Connector allowHostHeaderMismatch when it is set to "false"

2023-05-09 Thread Mark Thomas


On 08/05/2023 22:04, Christopher Schultz wrote:

On 5/8/23 10:39, Mark Thomas wrote:




The port the client connects to is irrelevant. All that matters is the 
host in the request line and the host header.


1. The host header MUST be present
2. If a host is present in the request line it MUST be identical (host 
and port) to the host header.


nb the spec says that the URL takes precedence if there is a mismatch, 
but when setting allowHostHeaderMismatch="false" (the current default), 
then Tomcat is being stricter than the spec.


That is not correct. The two requirements stated above have been RFC 
"MUST" requirements since 2014.


RFC 2616 (June 1999) stated that any host in the request line takes 
precedence.


RFC 7230 (June 2014) stated that any host in the request line MUST match 
the host header although there is also language that suggests they might 
be different.


RFC 9112 (June 2022) states that any host in the request line MUST match 
the host header.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question in regards to the Connector allowHostHeaderMismatch when it is set to "false"

2023-05-08 Thread Mark Thomas


On 08/05/2023 13:52, Alvaro Garay wrote:

Hi Mark,

In the example above...the port remains the same (8143). How is it different?


GET http://myhostname.company.com/api/v1/endpoint  HTTP/1.1

The host is "myhostname.company.com"

Host: myhostname.company.com:8143

The host is "myhostname.company.com:8143"

"myhostname.company.com" != "myhostname.company.com:8143"

The port the client connects to is irrelevant. All that matters is the 
host in the request line and the host header.


1. The host header MUST be present
2. If a host is present in the request line it MUST be identical (host 
and port) to the host header.


Mark



________
From: Mark Thomas 
Sent: Friday, May 5, 2023 4:56 PM
To: Tomcat Users List 
Subject: [EXTERNAL] Re: Question in regards to the Connector allowHostHeaderMismatch when 
it is set to "false"


5 May 2023 18:21:02 Alvaro Garay :


Hi,


Tomcat version: 9.0.73

Operating system: Unix z/OS System



I have a question in regard to the Connector attribute
allowHostHeaderMismatch=false which checks the request line is
consistent with the Host Header.

So in this scenario, I have the request line using the absolute path
with a conflicting host header. The response is 400 Bad Request from
Tomcat, which makes sense.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint  HTTP/1.1
Host: facebook.com


If I define a valid host header now, then the request is a success. So
all is good.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint  HTTP/1.1
Host: myhostname.company.com

telnet 1.1.1.1 8143
GET http://1.1.1.1/api/v1/endpoint  HTTP/1.1
Host: 1.1.1.1

However, as soon as I define a port number in the host header with
syntax : then I get 400 Bad Request from Tomcat.

telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint  HTTP/1.1
Host: myhostname.company.com:8143

HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 762
Date: Fri, 05 May 2023 15:27:09 GMT
Connection: close

HTTP Status 400 \u2013 Bad
Requestbody
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}HTTP
Status 400 \u2013 Bad RequestType
Status ReportDescription The server cannot or will not
process the request due to something that is perceived to be a client
error (e.g., malformed request syntax, invalid request message framing,
or deceptive request routing).Apache
Tomcat/9.0.73

This request should be allowed right?


No. Different port means a different host so Tomcat correctly rejects the
request.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question in regards to the Connector allowHostHeaderMismatch when it is set to "false"

2023-05-05 Thread Mark Thomas




5 May 2023 18:21:02 Alvaro Garay :


Hi,


Tomcat version: 9.0.73

Operating system: Unix z/OS System



I have a question in regard to the Connector attribute 
allowHostHeaderMismatch=false which checks the request line is 
consistent with the Host Header.


So in this scenario, I have the request line using the absolute path 
with a conflicting host header. The response is 400 Bad Request from 
Tomcat, which makes sense.


telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: facebook.com


If I define a valid host header now, then the request is a success. So 
all is good.


telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com

telnet 1.1.1.1 8143
GET http://1.1.1.1/api/v1/endpoint HTTP/1.1
Host: 1.1.1.1

However, as soon as I define a port number in the host header with 
syntax : then I get 400 Bad Request from Tomcat.


telnet myhostname.company.com 8143
GET http://myhostname.company.com/api/v1/endpoint HTTP/1.1
Host: myhostname.company.com:8143

HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 762
Date: Fri, 05 May 2023 15:27:09 GMT
Connection: close

HTTP Status 400 \u2013 Bad 
Requestbody 
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b 
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2 
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a 
{color:black;} .line 
{height:1px;background-color:#525D76;border:none;}HTTP 
Status 400 \u2013 Bad RequestType 
Status ReportDescription The server cannot or will not 
process the request due to something that is perceived to be a client 
error (e.g., malformed request syntax, invalid request message framing, 
or deceptive request routing).Apache 
Tomcat/9.0.73


This request should be allowed right?


No. Different port means a different host so Tomcat correctly rejects the 
request.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: About StandardServer 2023-04-30 Thread Mark Thomas On 28/04/2023 08:16, 沉淀 wrote: I am reading the source code of tomcat, the version is 9.0.73. I see such a piece of code in the `await()`method in the `StandardServer`class: int expected = 1024; // Cut off to avoid DoS attack while (expected < shutdown.length()) { if (random == null) { random = new Random(); } expected += (random.nextInt() % 1024); } while (expected 0) { int ch = -1; try { ch = stream.read(); } catch (IOException e) { log.warn(sm.getString("standardServer.accept.readError"), e); ch = -1; } // Control character or EOF (-1) terminates loop if (ch < 32 || ch == 127) { break; } command.append((char) ch); expected--; } Why doesn't the `expected`here directly make it equal to `shutdown.length`? For example, the stream contains 1024 characters, `shutdown`is still its default value: SHUTDOWN, and it still needs to loop 1024 times in the second while loop. Please answer my doubts, thank you Security. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat VAPT Closure 2023-04-25 Thread Mark Thomas On 25/04/2023 12:18, PRATIK HUMNABADKAR wrote: Hi, We tried below suggestion but still receiving below errors. Please guide. Try reading the log messages. server.xml 25-Apr-2023 16:08:46.067 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib] 25-Apr-2023 16:08:46.349 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-9090]] org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available at org.apache.catalina.connector.Connector.initInternal(Connector.java:1031) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.startup.Catalina.load(Catalina.java:724) at org.apache.catalina.startup.Catalina.load(Catalina.java:746) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) Pick a different Connector implementation (I suggest NIO unless you have a good reason to pick something different) or, if you have a good reason for using the APR/Native connector, install the Tomcat Native library for your platform. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support? 2023-04-25 Thread Mark Thomas On 24/04/2023 20:15, Ragosta, Vincent wrote: Hello all, We have an application packaged with Tomcat Native 1.2.30, which, per the following, the Windows binaries were built using OpenSSL 1.1.1k: https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html However, per Microsoft, Windows 2016 does not support TLSv1.3: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying OS? No. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Cluster Manager not working 2023-04-19 Thread Mark Thomas On 19/04/2023 12:07, Kevin Huntly wrote: I'm guessing its not possible to have the cluster setup with a session database? Correct, for out of the box options. There are 3rd party session managers that persist the data in various databases. Off the top of my head Redis and Geode provide this. I am sure there are others. Mark Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Wed, Apr 19, 2023 at 7:00 AM Kevin Huntly wrote: Hi Mark, I found the culprit and replaced with: org.apache.catalina.ha.session.DeltaManager I'm now seeing the following: 19-Apr-2023 06:57:56.482 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception java.lang.NoSuchMethodException: org.apache.catalina.ha.session.DeltaManager setStore at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:472) at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:143) at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1033) at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:618) at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:184) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1387) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2726) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605) at java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:542) at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:889) at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:825) at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1224) at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:637) Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Wed, Apr 19, 2023 at 3:14 AM Mark Thomas wrote: On 18/04/2023 15:59, Kevin Huntly wrote: Hello, I'm getting the following error message: 18-Apr-2023 10:56:55.404 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/opt/Apache/tomcat/apache-tomcat-9.0.74/conf/Catalina/localhost/esolutions.xml] 18-Apr-2023 10:57:05.400 WARNING [main] org.apache.catalina.ha.tcp.SimpleTcpCluster.registerManager Manager [PersistentManager[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/esolutions]]] does not implement ClusterManager, addition to cluster has been aborted. Somewhere, you have a Manager element that defines the PersistentManager. I know it was mentioned to update my context.xml, and this is it: Thanks - it isn't there. Other possible places are $CATALINA_BASE/conf/context.xml or $CATALINA_BASE/conf/server.xml I'd be tempted to do a recursive grep of the Tomcat installation directory looking for PersistentManager Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org [ANN] Apache Tomcat 11.0.0-M5 (alpha) available 2023-04-19 Thread Mark Thomas The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M5 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications. Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process. Apache Tomcat 11.0.0-M5 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback. The notable changes compared to 11.0.0-M4 include: - Reduce the default value of maxParameterCount from 10,000 to 1,000. - Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections. - Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used. Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-11.0-doc/changelog.html Downloads: http://tomcat.apache.org/download-11.cgi Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x: http://tomcat.apache.org/migration.html Enjoy! - The Apache Tomcat team - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.73 - Exception while accessing application 2023-04-19 Thread Mark Thomas On 19/04/2023 03:11, jonmcalexan...@wellsfargo.com.INVALID wrote: Hi Christopher , Where was this change in functionality documented, please? It was part of the fix for BZ 66196 which was documented in the change log. Mark Thank you , Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- From: Christopher Schultz Sent: Monday, April 17, 2023 4:48 PM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.73 - Exception while accessing application Jon, On 4/13/23 17:57, jonmcalexan...@wellsfargo.com.INVALID wrote: They are using Java 11.1 I wonder if you/they have a broken/mixed Tomcat installation. https://urldefense.com/v3/__https://github.com/apache/tomcat/blob/9.0. x/java/org/apache/catalina/core/ApplicationContext.java*L459__;Iw!!F9svG WnIaVPGSwU!ojzcWqxdHFnKdTAFNeLjjEHz- PBPgH8h0F2GT4mmGD2s0jJpNF5EqAoh0kXzJYDLbTnQIBFO8O8E8r32JZqbLCu QzDoElOv4$ does indeed reference MessageBytes.EMPTY_CHAR_ARRAY which was added a few months ago to the MessageBytes class. If you have some kind of mixed jumble of libraries from Tomcat then you could have a situation where ApplicationContext has new code but MessageBytes for some reason has old code. I would recommend repairing your Tomcat installation. -chris From: Christopher Schultz Sent: Thursday, April 13, 2023 1:11:15 PM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.73 - Exception while accessing application Jon, On 4/12/23 17:38, jonmcalexan...@wellsfargo.com.INVALID wrote: And another app, different stack-trace, same java.lang.NoSuchFieldError: EMPTY_CHAR_ARRAY What version of Java are you using? -chris 11-Apr-2023 12:38:44.264 SEVERE [https-jsse-nio-0.0.0.0-23601-exec-11] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [F5 Mo nitoring.] in context with path [/accounts] threw exception [Servlet execution threw an exception] with root cause java.lang.NoSuchFieldError: EMPTY_CHAR_ARRAY at org.apache.catalina.core.ApplicationContext.getRequestDispatcher(Applicati onContext.java:459) at org.apache.catalina.core.ApplicationContextFacade.getRequestDispatcher(A pplicationContextFacade.java:215) at com.wellsfargo.accounts.monitoring.F5Monitoring.doPost(F5Monitoring.jav a:38) at com.wellsfargo.accounts.monitoring.F5Monitoring.doGet(F5Monitoring.java :33) at javax.servlet.http.HttpServlet.service(HttpServlet.java:502) at javax.servlet.http.HttpServlet.service(HttpServlet.java:596) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:209) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:153) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:153) at com.wellsfargo.mwf.webappsupport.inlanguage.filter.InLanguageFilter.doFil ter(InLanguageFilter.java:49) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:153) at com.wellsfargo.mwf.webappsupport.devicedetection.DeviceDetection.doFil ter(DeviceDetection.java:151) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:153) at com.wellsfargo.mwf.webappsupport.security.SecurityCheck.doFilter(Securit yCheck.java:425) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:178) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:153) at Re: Cluster Manager not working 2023-04-19 Thread Mark Thomas On 18/04/2023 15:59, Kevin Huntly wrote: Hello, I'm getting the following error message: 18-Apr-2023 10:56:55.404 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/opt/Apache/tomcat/apache-tomcat-9.0.74/conf/Catalina/localhost/esolutions.xml] 18-Apr-2023 10:57:05.400 WARNING [main] org.apache.catalina.ha.tcp.SimpleTcpCluster.registerManager Manager [PersistentManager[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/esolutions]]] does not implement ClusterManager, addition to cluster has been aborted. Somewhere, you have a Manager element that defines the PersistentManager. I know it was mentioned to update my context.xml, and this is it: Thanks - it isn't there. Other possible places are $CATALINA_BASE/conf/context.xml or $CATALINA_BASE/conf/server.xml I'd be tempted to do a recursive grep of the Tomcat installation directory looking for PersistentManager Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 8.5.85 and above - Issue with file uploads 2023-04-17 Thread Mark Thomas On 17/04/2023 19:51, Mark Thomas wrote: Hi, I have tried but am unable to recreate this. Please provide the simplest possible web application (it should be possible to do this in a single Servlet) that demonstrates the issue. To give you an idea of what I mean by a single servlet, here is the test case I was using: https://github.com/markt-asf/tomcat-bugs/blob/main/src/main/java/org/apache/markt/MultiPartUpload2.java (it is the 11.0.x version of the test but the code for upload should be the same across Tomcat versions) Mark Please make sure you provide the source code for the web application. Thanks, Mark On 14/04/2023 19:40, William L. Cunningham wrote: Thanks, yes it happens with any file upload. -Original Message- From: Mark Thomas Sent: Friday, April 14, 2023 9:36 AM To: users@tomcat.apache.org Subject: Re: Tomcat 8.5.85 and above - Issue with file uploads WARNING: This email originated from an external source. Please be careful when clicking on any links in external emails. On 13/04/2023 21:40, William L. Cunningham wrote: Environment: Windows 2019 Standard with latest JDK 17 and Apache Tomcat 8.5.87. When trying to upload a file to the application running off Tomcat (custom software), we are getting the following error since 8.5.85 (works fine on 8.5.84). ERROR [2023-04-13 15:20:20]: com.company.dataimporter.servlet.FileUpload::doPost::85 Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_4 4d3_aee6_28d1d7989727_.tmp java.lang.IllegalStateException: Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_44d3_aee6_28d1d7989727_.tmp at org.apache.tomcat.util.http.fileupload.disk.DiskFileItem.delete(DiskFi leItem.java:428) ~[tomcat-coyote.jar:8.5.87] This same procedure works perfectly fine in 8.5.84. It was something introduced with 8.5.85. It also works fine on a Linux hosted version (Centos) for 8.5.84 and above. So it appears to be Windows centric. When I watch the procedure in the Catalina\localhost\company folder on 8.5.84, I see the tmp file generated and then immediately deleted (it's a small upload). On 8.5.85 and above, it's locked and can't be deleted. Thus causing the error. Anyone have any thoughts? Tomcat 8.5.85 includes an updated version of the Commons FileUpload code that throws an ISE if the temporary file can't be deleted. https://github.com/apache/tomcat/commit/8d21b9ef4ae30f6f6474f00a72887338a5b745ac It looks like this may have exposed an underlying Commons IO bug: https://issues.apache.org/jira/browse/IO-788 Do you see this problem every time you try to upload a file? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 8.5.85 and above - Issue with file uploads 2023-04-17 Thread Mark Thomas Hi, I have tried but am unable to recreate this. Please provide the simplest possible web application (it should be possible to do this in a single Servlet) that demonstrates the issue. Please make sure you provide the source code for the web application. Thanks, Mark On 14/04/2023 19:40, William L. Cunningham wrote: Thanks, yes it happens with any file upload. -Original Message- From: Mark Thomas Sent: Friday, April 14, 2023 9:36 AM To: users@tomcat.apache.org Subject: Re: Tomcat 8.5.85 and above - Issue with file uploads WARNING: This email originated from an external source. Please be careful when clicking on any links in external emails. On 13/04/2023 21:40, William L. Cunningham wrote: Environment: Windows 2019 Standard with latest JDK 17 and Apache Tomcat 8.5.87. When trying to upload a file to the application running off Tomcat (custom software), we are getting the following error since 8.5.85 (works fine on 8.5.84). ERROR [2023-04-13 15:20:20]: com.company.dataimporter.servlet.FileUpload::doPost::85 Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_4 4d3_aee6_28d1d7989727_.tmp java.lang.IllegalStateException: Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_44d3_aee6_28d1d7989727_.tmp at org.apache.tomcat.util.http.fileupload.disk.DiskFileItem.delete(DiskFi leItem.java:428) ~[tomcat-coyote.jar:8.5.87] This same procedure works perfectly fine in 8.5.84. It was something introduced with 8.5.85. It also works fine on a Linux hosted version (Centos) for 8.5.84 and above. So it appears to be Windows centric. When I watch the procedure in the Catalina\localhost\company folder on 8.5.84, I see the tmp file generated and then immediately deleted (it's a small upload). On 8.5.85 and above, it's locked and can't be deleted. Thus causing the error. Anyone have any thoughts? Tomcat 8.5.85 includes an updated version of the Commons FileUpload code that throws an ISE if the temporary file can't be deleted. https://github.com/apache/tomcat/commit/8d21b9ef4ae30f6f6474f00a72887338a5b745ac It looks like this may have exposed an underlying Commons IO bug: https://issues.apache.org/jira/browse/IO-788 Do you see this problem every time you try to upload a file? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: How to have a custom classloader outside Tomcat's own lib-dir? 2023-04-17 Thread Mark Thomas On 16/04/2023 12:36, Thorsten Schöning wrote: Hi everyone, I have some app consisting of a directory layout with some bundled Tomcat, containing at least one exploded webapp. For various reasons, What are those reasons? I'm wondering if the reasons have any impact on the answer. that webbapp needs its own classloader, which is currently configured in context.xml of Tomcat and stored in its own lib-dir. I don't like putting custom JARs into the default deployment of Tomcat too much. So, is there some way to put the JAR elsewhere? Yes, as long as you tell Tomcat where to find it. Whatever I tested didn't work, e.g. adding the JAR to "common.loader". That should have worked and is the approach I'd recommend. Exactly what did you change when you tried this? But I must admit that I didn't fully understand if common.loader is used to load the custom loader at all or only afterwards and stuff. Or is there some way to not use Tomcat's "Loader" above and only maintain a custom, webapp-specific classloader in the one webapp needing it? No. Tomcat needs to be able to load the custom class loader in order to configure it. Mark I've searched for somethign like "setClassLoader" and found it for some servlet containers, but it doesn't seem to be standard and supported by Tomcat. Thanks for your input! Mit freundlichen Grüßen Thorsten Schöning - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat Manager App and Federation 2023-04-15 Thread Mark Thomas On 14/04/2023 16:45, Robert Hicks wrote: Does the manager app support something like Apache CXF to authenticate people to the manager application or is the manager application only accessible through username/password? The Manager web application will work with any configured Authenticator and Realm, including those provided by CXF. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Clustering issue 2023-04-15 Thread Mark Thomas On 14/04/2023 16:58, Kevin Huntly wrote: Hi Mark, My webapp context makes no mention of the Manager or any kind of session manager - it is only referenced in the global context.xml What is the Manager configuration in the global context.xml ? Mark Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Fri, Apr 14, 2023 at 10:43 AM Mark Thomas wrote: On 13/04/2023 00:20, Kevin Huntly wrote: Hello Everyone, I setup a quick and dirty cluster following https://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html I am seeing the following: 12-Apr-2023 19:18:00.369 WARNING [main] org.apache.catalina.ha.tcp.SimpleTcpCluster.registerManager Manager [PersistentManager[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/esolutions]]] does not implement ClusterManager, addition to cluster has been aborted. You have an Context (web application deployed at /esolutions) with an explicit Manager configured. If you do that, it needs to implement ClusterManager else the Context can't be clustered. Contexts that don't have an explicit manager configured get a cluster defined default if clustering is enabled and the StandardManager if clustering is not enabled. And 12-Apr-2023 19:17:52.652 SEVERE [main] org.apache.catalina.ha.deploy.FarmWarDeployer.start FarmWarDeployer can only work as host cluster subelement! You added the cluster at the engine level so you can't use the FarmWarDeployer. You need to remove that section - or move the Cluster definition to inside the Host. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Clustering issue 2023-04-14 Thread Mark Thomas On 13/04/2023 00:20, Kevin Huntly wrote: Hello Everyone, I setup a quick and dirty cluster following https://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html I am seeing the following: 12-Apr-2023 19:18:00.369 WARNING [main] org.apache.catalina.ha.tcp.SimpleTcpCluster.registerManager Manager [PersistentManager[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/esolutions]]] does not implement ClusterManager, addition to cluster has been aborted. You have an Context (web application deployed at /esolutions) with an explicit Manager configured. If you do that, it needs to implement ClusterManager else the Context can't be clustered. Contexts that don't have an explicit manager configured get a cluster defined default if clustering is enabled and the StandardManager if clustering is not enabled. And 12-Apr-2023 19:17:52.652 SEVERE [main] org.apache.catalina.ha.deploy.FarmWarDeployer.start FarmWarDeployer can only work as host cluster subelement! You added the cluster at the engine level so you can't use the FarmWarDeployer. You need to remove that section - or move the Cluster definition to inside the Host. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 8.5.85 and above - Issue with file uploads 2023-04-14 Thread Mark Thomas On 13/04/2023 21:40, William L. Cunningham wrote: Environment: Windows 2019 Standard with latest JDK 17 and Apache Tomcat 8.5.87. When trying to upload a file to the application running off Tomcat (custom software), we are getting the following error since 8.5.85 (works fine on 8.5.84). ERROR [2023-04-13 15:20:20]: com.company.dataimporter.servlet.FileUpload::doPost::85 Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_44d3_aee6_28d1d7989727_.tmp java.lang.IllegalStateException: Cannot delete C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat_Prod\work\Catalina\localhost\company\upload_1da07be9_7508_44d3_aee6_28d1d7989727_.tmp at org.apache.tomcat.util.http.fileupload.disk.DiskFileItem.delete(DiskFileItem.java:428) ~[tomcat-coyote.jar:8.5.87] This same procedure works perfectly fine in 8.5.84. It was something introduced with 8.5.85. It also works fine on a Linux hosted version (Centos) for 8.5.84 and above. So it appears to be Windows centric. When I watch the procedure in the Catalina\localhost\company folder on 8.5.84, I see the tmp file generated and then immediately deleted (it's a small upload). On 8.5.85 and above, it's locked and can't be deleted. Thus causing the error. Anyone have any thoughts? Tomcat 8.5.85 includes an updated version of the Commons FileUpload code that throws an ISE if the temporary file can't be deleted. https://github.com/apache/tomcat/commit/8d21b9ef4ae30f6f6474f00a72887338a5b745ac It looks like this may have exposed an underlying Commons IO bug: https://issues.apache.org/jira/browse/IO-788 Do you see this problem every time you try to upload a file? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 2023-04-14 Thread Mark Thomas On 14/04/2023 04:59, Poh Wei Xiang wrote: Hi, Am I right to say this statement in 9.0.74 changelog is referring to the fix for the below issue? Update the internal fork of Commons DBCP to f131286 (2023-03-08, 2.10.0-SNAPSHOT). This corrects a regression introduced in 9.0.71. (markt) Yes. Mark With Regards, Poh Wei Xiang Senior Engineer D: +65 6826 3865 A: 6 Serangoon North Ave 5, #03-16, Singapore 554910 W: www.nxg-c.com Service Helpdesk: +65 6842 2300 Service Email: serv...@nxg-c.com Follow us: NxGen Communications, a subsidiary of TeleChoice International Limited, a company of ST Telemedia Pte Ltd This email is intended solely for the use of the addressee and may contain information that is confidential or subject to legal professional privilege. If you receive this email in error, please immediately notify the sender and delete the email. -Original Message- From: Poh Wei Xiang Sent: Thursday, March 9, 2023 1:56 PM To: Tomcat Users List Cc: Ong Han Sheng Subject: Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 Hi, Glad to hear that this is going to be fixed. Do you have a sample context format to work with connectionstring? Sent from Outlook for Android<https://aka.ms/AAb9ysg> ____ From: Mark Thomas Sent: Wednesday, 8 March 2023, 20:14 To: users@tomcat.apache.org Subject: Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 On 08/03/2023 11:58, Mark Thomas wrote: Thanks, I am able to recreate that stack trace. I am looking into the root cause now. Found it. There was a change in Commons DBCP to use "connectionString" rather than url internally and this was mistakenly applied to the lookup of the "url" configuration setting in DriverAdapterCPDS. I'll get this fixed for the April round of releases. If you need a workaround, if you add a configuration setting for connectionString="..." that has the same vaue as url="..." that should get things working. Mark Mark On 08/03/2023 09:03, Poh Wei Xiang wrote: Hi, java.sql.SQLException: The url cannot be null java.sql.DriverManager.getConnection(Unknown Source) java.sql.DriverManager.getConnection(Unknown Source) org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.getPooledConnection(DriverAdapterCPDS.java:396) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.testCPDS(InstanceKeyDataSource.java:1225) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.registerPool(PerUserPoolDataSource.java:708) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.getPooledConnectionAndInfo(PerUserPoolDataSource.java:614) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.getConnection(InstanceKeyDataSource.java:206) com.avaya.sce.runtime.jdbc.Database.open(Database.java:93) org.apache.jsp.jsp.validate_002ddb_jsp._jspService(validate_002ddb_jsp.java:721) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) org.apache.tomca Re: Clustering issue 2023-04-14 Thread Mark Thomas On 13/04/2023 23:28, Kevin Huntly wrote: Hi Chris, The configuration in the link I shared is what I used - copy/paste - I want to see it working before I break it =) And where in server.xml did you add that configuration? Mark Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Thu, Apr 13, 2023 at 2:13 PM Christopher Schultz < ch...@christopherschultz.net> wrote: Kevin, On 4/12/23 19:20, Kevin Huntly wrote: I setup a quick and dirty cluster following https://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html I am seeing the following: 12-Apr-2023 19:18:00.369 WARNING [main] org.apache.catalina.ha.tcp.SimpleTcpCluster.registerManager Manager [PersistentManager[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/esolutions]]] does not implement ClusterManager, addition to cluster has been aborted. And 12-Apr-2023 19:17:52.652 SEVERE [main] org.apache.catalina.ha.deploy.FarmWarDeployer.start FarmWarDeployer can only work as host cluster subelement! Not sure what I've done wrong Cluster config? -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Session loss with filter enabled 2023-04-14 Thread Mark Thomas On 13/04/2023 23:03, Kevin Huntly wrote: Hello, With this filter enabled in Tomcat's web.xml: httpHeaderSecurity org.apache.catalina.filters.HttpHeaderSecurityFilter true My sessions are being immediately lost. If I comment out the filter, everythis is fine. What does this filter actually do, https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java and is it required if the front-end webserver already handles hsts? That depends on why you added the filter. What features were you trying to enable? Mark Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.73 - Exception while accessing application 2023-04-14 Thread Mark Thomas On 12/04/2023 20:07, jonmcalexan...@wellsfargo.com.INVALID wrote: I have an application team that started receiving the following Exception: 11-Apr-2023 09:26:01.396 SEVERE [https-jsse-nio-0.0.0.0-11510-exec-19] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPa ge[exceptionType=java.lang.Exception, location=/jsp/sendMessage.jsp] java.lang.NoSuchFieldError: EMPTY_CHAR_ARRAY at org.apache.catalina.core.ApplicationContext.getRequestDispatcher(ApplicationContext.java:459) at org.apache.catalina.core.ApplicationContextFacade.getRequestDispatcher(ApplicationContextFacade.java:215) at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:343) at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:302) If did NOT do this with 9.0.70. We know that it may be something that changed between 9.0.70 and 9.0.73, but we don't know. The field org.apache.tomcat.util.buf.MessageBytes.EMPTY_CHAR_ARRAY was added. It looks like you are trying to use JARs from different versions of Tomcat. You can sometimes get away with doing that. This isn't one of those times. You need to fix the 9.0.73 install so it is using all the 9.0.73 JARs and none from earlier Tomcat versions. Mark So far searching the Google isn't giving us much information, so reaching out to the experts. Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10? 2023-04-14 Thread Mark Thomas On 13/04/2023 22:48, BRUNO MELLONI wrote: After further research let me ask the question in a different way: * Tomcat 10 is configured to do log4j2 logging. * My log4j2 code works fine. * Spring-cloud-azure-starter-active-directory seems to use logback and it is incompatible with my Tomcat 10 setup. Given the above… what do I need to add to Tomcat 10 to make it handle apps that use logback for logging but still use my log4j2 Tomcat configuration for the actual logging? Whatever the logback documentation says you need to add to route logging to log4j2. I would swear that Tomcat had slf4j and other logging translation libraries built in… Nope. That has never been the case. but perhaps Tomcat 10 no longer does for some and requires adding some jars? Tomcat's internal logging routes to java.util.logging - you can re-route that if required. Follow the directions to do that provided with your logging framework of choice. Assuming you are still seeing the: "Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer" error, I'll repeat my previous question: Which version of which JAR is that ServletContainerInitializer coming from? Mark b. From: Mark Thomas Sent: Tuesday, April 11, 2023 2:41 PM To: users@tomcat.apache.org Subject: Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10? On 11/04/2023 20: 28, BRUNO MELLONI wrote: > I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD. > > But when I tried to migrate applications ZjQcmQRYFpfptBannerStart CAUTION: This Message Is From an External Source This message originated outside the Chickasaw Nation. Do not click links or open attachments unless you recognize the sender and know the content is safe! Report Suspicious <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/IMeFMrRG1GeY!JdtUXLGR9ova4gOnS-0H1iEbkX_fwvLLfLoUe-WtR-fKP3iug2CA6Got_-7FykjdaEEVaYQaX_1JDstwjD_T9laTb_I1TVa4IKmJLM79$> ‌ ZjQcmQRYFpfptBannerEnd On 11/04/2023 20:28, BRUNO MELLONI wrote: I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD. But when I tried to migrate applications that used Microsoft's spring-cloud-azure-starter-active-directory for authentication of 2-step authenticated webapps (the preferred approach) I started to get this error during application deploy to Tomcat 10: Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer My suspicion is that Microsoft's latest implementation is not compatible with Tomcat's approach to support log4j logging (as far as I know the approach has been around since at least Tomcat 9). But of course I could be wrong. Has anybody had any success? Was there any trick to migrating to Spring Boot 3 / Spring 6 / Tomcat 10 with 2-step authentication and authorization using Azure AD? NOTE: I did succeed with 2-step auth with Azure AD when I dropped the Microsoft spring-cloud-azure-starter-active-directory dependency and instead used the raw OAuth2 approach to connect to Azure AD. The problem though is that roles defined in Azure are not coming through to the GrantedAuthorities of the SecurityContext or Principal. I know I could extract the UPN from the Principal and then define the AD Groups in the on-premises AD instead of Azure AD, but that would require code changes and what is worse it would make me hostage to the availability of sysadmins that manage our on-premises AD... meaning weeks of delay for new AD groups. It is a hack that I'd rather not use if Azure authorization can be made to work properly. Any other advice will be welcome too. No idea but some questions that might help. Some sort of Java EE / Jakarta EE conflict? A JAR present in the WAR that contains some of the Servlet API JARs? Which version of which JAR is that ServletContainerInitializer coming from? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org> For additional commands, e-mail: users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Getting started with Websocket 2023-04-12 Thread Mark Thomas On 12/04/2023 20:39, Christopher Schultz wrote: Mark, On 4/12/23 15:21, Mark Thomas wrote: On 12/04/2023 19:31, Christopher Schultz wrote: All, I'm finally dipping my toes into Websocket-based communication with my Tomcat-based applications. Is it possible to do everything with "real" code and not any annotations? I was looking for something like the Servlet Async model where you take an existing request and put it into async mode: final AsyncContext ac = request.startAsync(request, response); ac.start(new Runnable() { @Override public void run() { // Do some stuff // Write the response ac.complete(); } }); All the tutorials I see use annotations to set up the Websocket endpoint, etc. Is it possible and/or recommended to use pure-code registration of such endpoints and/or post-HTTP-request upgrade? Configure an endpoint with code: ServerContainer.addEndpoint(ServerEndpointConfig) or Upgrade an existing connection to WebSocket: ServerContainer.upgradeHttpToWebSocket(...) ACK How do I get a reference to a ServerContainer instance? ServletContext attribute: jakarta.websocket.server.ServerContainer I'm wanting to do things like verify that the request belongs to an authenticated user with certain privileges, etc. and only then allow that user to connect using Websocket to trade data across the wire. There are various ways to do that. Either the upgrade call above or a custom ServerEndpointConfig.Configurator.modifyHandshake. The former has more access to the Servlet objects so is probably what you want. I think so. How can I relate a Websocket session to an authenticated user? Can I communicate back and forth between the Websocket world and the HTTP-based world like websocket.session <-> HttpSession? Not easily. The lifecycles of the sessions diverge at the point of upgrade. It is possible for the HttpSession to expire but the WebvSocket session doesn't get notified. You really need to set up everything at the point of the upgrade including retaining a reference to the HttpSession if you wish. There are various discussions of this - and how to keep them in sync - on line. It is less than ideal but there is no simple fix. Sounds reasonable. So one thing I could to is inject a reference to the HttpSession during the upgrade process. I would just have to be very careful about accessing things in that session just in case it expires. I could also copy whatever I need. In this particular use-case, I don't actually need that, but I was curious about the future. It looks like there is a significant hole in these APIs that the WG needs to think about fixing in a generalizable way. Yes. So far the independent lifecycles have made this rather tricky. Solutions tend to require creating dependencies between the Servlet and WebSocket specs neither really wants. A lot of the discussion (or references to it) can be found at https://github.com/jakartaee/websocket/issues/175 If I want to send a fire-and-forget message to the client from the server, can I just: session.getAsyncRemote().sendText("hello world"); and ignore the Future object returned, or will I need to verify that message was sent before attempting to send another one? No. You need to make sure the previous message completed before you send the next one. So I would probably then want to use: session.getBasicRemote().sendText("hello world"); and then move-on with my life? You'd need to wait before you moved on because that blocks but yes. Note that the whole wait for the last message to finish before you send the next is a grey area that might get cleaned up in the next version of the spec. What about a ws Session which can be accessed by multiple threads that might want to write? How do I coordinate them so that they don't conflict? Would a simple: synchronized(session) { session.getBasicRemote().sendText("Message N"); } be sufficient? Sufficient? Yes. Efficient? Possibly not ;) Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Getting started with Websocket 2023-04-12 Thread Mark Thomas On 12/04/2023 19:31, Christopher Schultz wrote: All, I'm finally dipping my toes into Websocket-based communication with my Tomcat-based applications. Is it possible to do everything with "real" code and not any annotations? I was looking for something like the Servlet Async model where you take an existing request and put it into async mode: final AsyncContext ac = request.startAsync(request, response); ac.start(new Runnable() { @Override public void run() { // Do some stuff // Write the response ac.complete(); } }); All the tutorials I see use annotations to set up the Websocket endpoint, etc. Is it possible and/or recommended to use pure-code registration of such endpoints and/or post-HTTP-request upgrade? Configure an endpoint with code: ServerContainer.addEndpoint(ServerEndpointConfig) or Upgrade an existing connection to WebSocket: ServerContainer.upgradeHttpToWebSocket(...) I'm wanting to do things like verify that the request belongs to an authenticated user with certain privileges, etc. and only then allow that user to connect using Websocket to trade data across the wire. There are various ways to do that. Either the upgrade call above or a custom ServerEndpointConfig.Configurator.modifyHandshake. The former has more access to the Servlet objects so is probably what you want. How can I relate a Websocket session to an authenticated user? Can I communicate back and forth between the Websocket world and the HTTP-based world like websocket.session <-> HttpSession? Not easily. The lifecycles of the sessions diverge at the point of upgrade. It is possible for the HttpSession to expire but the WebvSocket session doesn't get notified. You really need to set up everything at the point of the upgrade including retaining a reference to the HttpSession if you wish. There are various discussions of this - and how to keep them in sync - on line. It is less than ideal but there is no simple fix. If I want to send a fire-and-forget message to the client from the server, can I just: session.getAsyncRemote().sendText("hello world"); and ignore the Future object returned, or will I need to verify that message was sent before attempting to send another one? No. You need to make sure the previous message completed before you send the next one. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10? 2023-04-11 Thread Mark Thomas On 11/04/2023 20:28, BRUNO MELLONI wrote: I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD. But when I tried to migrate applications that used Microsoft's spring-cloud-azure-starter-active-directory for authentication of 2-step authenticated webapps (the preferred approach) I started to get this error during application deploy to Tomcat 10: Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer My suspicion is that Microsoft's latest implementation is not compatible with Tomcat's approach to support log4j logging (as far as I know the approach has been around since at least Tomcat 9). But of course I could be wrong. Has anybody had any success? Was there any trick to migrating to Spring Boot 3 / Spring 6 / Tomcat 10 with 2-step authentication and authorization using Azure AD? NOTE: I did succeed with 2-step auth with Azure AD when I dropped the Microsoft spring-cloud-azure-starter-active-directory dependency and instead used the raw OAuth2 approach to connect to Azure AD. The problem though is that roles defined in Azure are not coming through to the GrantedAuthorities of the SecurityContext or Principal. I know I could extract the UPN from the Principal and then define the AD Groups in the on-premises AD instead of Azure AD, but that would require code changes and what is worse it would make me hostage to the availability of sysadmins that manage our on-premises AD... meaning weeks of delay for new AD groups. It is a hack that I'd rather not use if Azure authorization can be made to work properly. Any other advice will be welcome too. No idea but some questions that might help. Some sort of Java EE / Jakarta EE conflict? A JAR present in the WAR that contains some of the Servlet API JARs? Which version of which JAR is that ServletContainerInitializer coming from? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: java.lang.IllegalStateException: Unable to find match between the canonical context path 2023-04-10 Thread Mark Thomas On 09/04/2023 11:38, Chandru Mariraj wrote: I am migrating some of my spring projects from Spring 2 to spring 3.0.4. Most of them are communicating within Rest calls. I see for some requests I am getting the below error . java.lang.IllegalStateException: Unable to find match between the canonical context path [/servicename] and the URI presented by the user agent [_visitor=...] at org.apache.catalina.connector.Request.getContextPath(Request.java:2152) at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacade.java:784) at org.apache.catalina.core.ApplicationDispatcher.wrapRequest(ApplicationDispatcher.java:896) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:341) If the API is called directly (using postman) it's working. but when called through another service it fails. Tomcat version resolved is Apache Tomcat/10.1.5 Could you pls help what could be the issue? I rolled back to the previous Spring 2.* version and it works fine. I think you have hit bug 66488. An update to 10.1.7 will fix that. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Accessing Tomcat Sessions 2023-04-03 Thread Mark Thomas On 02/04/2023 13:44, Chew Kok Hoor wrote: Hi, As part of a way to prevent concurrent login, and to re-assign a session back to a request based on JWT token (for clients that cannot pass us cookies), we need to access to the 'findSession' and 'findSessions' in org.apache.catalina.Manager. Is it true the only way to get the manager using ServletContext.getManager() is by using privileged="true" in the context.xml? There is no ServletContext.getManager() method. privileged is use to control access to Servlets that implement ContainerServlet. The ContainerServlet interface is one way to access Tomcat's internals. Another option is reflection. Are there any implications in setting privileged="true" if we have full control to restrict what servlets or jsp or codes are running in our webapp? If the code is trusted then allowing setting privileged="true" does not introduce additional risk. It just makes it a little easier to do some things. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause 2023-03-29 Thread Mark Thomas essClassInPackage.org.apache.jasper.runtime.*"; // Applications using WebSocket need to be able to access these packages permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; }; // The Manager application needs access to the following packages to support the // session display functionality. It also requires the custom Tomcat // DeployXmlPermission to enable the use of META-INF/context.xml // These settings support the following configurations: // - default CATALINA_HOME == CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME grant codeBase "file:${catalina.base}/webapps/manager/-" { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; permission org.apache.catalina.security.DeployXmlPermission "manager"; }; grant codeBase "file:${catalina.home}/webapps/manager/-" { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; permission org.apache.catalina.security.DeployXmlPermission "manager"; }; grant codeBase "file:${catalina.base}/webapps/msal4j-servlet-auth/-"{ permission java.security.AllPermission; // permission java.lang.RuntimePermission "getClassLoader"; // permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.*"; permission java.io.FilePermission "<>", "read, write, delete"; permission java.util.PropertyPermission "java.io.tmpdir", "readi, write"; }; // The Host Manager application needs the custom Tomcat DeployXmlPermission to // enable the use of META-INF/context.xml // These settings support the following configurations: // - default CATALINA_HOME == CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME grant codeBase "file:${catalina.base}/webapps/host-manager/-" { permission org.apache.catalina.security.DeployXmlPermission "host-manager"; }; grant codeBase "file:${catalina.home}/webapps/host-manager/-" { permission org.apache.catalina.security.DeployXmlPermission "host-manager"; }; // You can assign additional permissions to particular web applications by // adding additional "grant" entries here, based on the code base for that // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. // // Different permissions can be granted to JSP pages, classes loaded from // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ // directory, or even to individual jar files in the /WEB-INF/lib/ directory. // // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. // grant codeBase "file:${catalina.base}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the sc Re: Can't get RemoteIpValve to work 2023-03-28 Thread Mark Thomas On 28/03/2023 21:08, Leon Rosenberg wrote: Sorry it took a little longer. Turns out that the actual RemoteIpValve works correctly, but the *Access Log Valve *doesn't. We were primarily looking into the localhost_access*logs, hence the confusion: Headers with RemoteIpValue on: header: host; value: api.myhost.com header: user-agent; value: PostmanRuntime/7.29.2 header: accept; value: */* header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f header: accept-encoding; value: gzip, deflate, br header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22 header: x-forwarded-host; value: api.myhost.com header: x-forwarded-server; value: api.myhost.com header: connection; value: Keep-Alive remote host: 77.178.32.184 remote ip: 77.178.32.184 Headers with RemoteIpValue off: header: host; value: api.myhost.com header: user-agent; value: PostmanRuntime/7.29.2 header: accept; value: */* header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96 header: accept-encoding; value: gzip, deflate, br header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED header: x-forwarded-for; value: 77.178.32.184 header: x-forwarded-host; value: api.myhost.com header: x-forwarded-server; value: api.myhost.com header: connection; value: Keep-Alive remote host: 10.138.0.3 remote ip: 10.138.0.3 however, the AccessLogValue, which is configured as: Prints the local address as %a. We added %{X-Forwarded-For}i as workaround, so it works for now, but I'd expect %a to print the 'real' ip address instead of the local one. Same config works on 8.5 interestingly enough. I think Konstantin mentioned this earlier in the thread. Look at the requestAttributesEnabled attribute for the AccessLogValve https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Question regarding config.ini 'answer file' 2023-03-28 Thread Mark Thomas On 28/03/2023 20:49, Jason Murray | ROI Solutions wrote: Hello, Apologies if my this my first post is misdirected. It isn't. All is good but thanks for checking. In a nutshell: my goal is to automate Tomcat 8.5 upgrades on Windows Server as much as possible. More specifically, I have been looking to create a config.ini 'answer' file for installing Tomcat 8.5.x as a service on a Windows Server system. The installer Tomcat provides for Windows might not be the best way to do this. Splitting CATALINA_HOME and CATALINA_BASE (see "Advanced Configuration - Multiple Tomcat Instances" in RUNNING.txt) and using service.bat might be a simpler option. Specifically, the values I am looking to set are: * Server Shutdown Port * HTTP/1.1 Connector Port * Windows Service Name * Roles * Java path I couldn't locate them, are they listed anywhere? https://tomcat.apache.org/tomcat-8.5-doc/setup.html HTH, Mark The install path is also needed, but as I understand it, this is set with the /D flag while running the tomcat installer exe, eg: .\apache-tomcat-8.5.87.exe /S /D={install_directory} /C=config.ini Thanks for any guidance! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause 2023-03-27 Thread Mark Thomas Hi, The mailing lists strips attachments so please provide the contents of your catalina.policy file in-line. Thanks, Mark On 27/03/2023 12:59, Kesavan, Suresh Prabhu (Fed) wrote: Hi There, I am new to this forum, please correct me if this is not the right place to ask below question. */_Problem Description_/* I have tomcat9/OpenJDK17 with RHEL 8.7 container image deployed on AWS EKS/EC2 worker nodes. This image has FIPS compliance validation done at OS/OpenJDK and at tomcat level using the configurations. I am able to successfully deploy our application (has JSP’s) in this container but when I deploy the SSO application (using MSAL4J and can be found at https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in ) encountering below Jasper exception. Please be advised Tomcat is started with security manager and attaching the Catalina.policy used. */_Environment:_/* o EKS 1.24 o EC2 worker node with RHEL 8.7 o Container image with RHEL 8.7 and FIPS validation enabled o Tomcat 9.0.73 o openjdk version "17.0.6" 2023-01-17 LTS */_Observation_/* o My team member has deployed msal4j on same tomcat 9.0.73 without FIPS and tomcat security manager, it works fine. o I assume the index.jsp has something that is not having permission (due to tomcat started with security manager) to compile in runtime o When I access https://localhost:8643/msal4j-servlet-auth its returning 302 . This is expected o When I access https://localhost:8643/msal4j-servlet-auth/ it returns 500 and throws below exception */_Question_/* Can you help me identify what the issue is */_Error:_/* [tomcat@c793762ed6ee logs]$ cat localhost.2023-03-24.log 24-Mar-2023 13:46:19.866 SEVERE [https-jsse-nio-8643-exec-4] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [/msal4j-servlet-auth] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause java.lang.NullPointerException: Cannot invoke "java.io.InputStream.close()" because the return value of "java.net.URLConnection.getInputStream()" is null at org.apache.jasper.JspCompilationContext.getLastModified(JspCompilationContext.java:408) at org.apache.jasper.JspCompilationContext.getLastModified(JspCompilationContext.java:368) at org.apache.jasper.compiler.Compiler.compile(Compiler.java:391) at org.apache.jasper.compiler.Compiler.compile(Compiler.java:368) at org.apache.jasper.compiler.Compiler.compile(Compiler.java:352) at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:603) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:399) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) at javax.servlet.http.HttpServlet.service(HttpServlet.java:596) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280) at java.base/java.security.AccessController.doPrivileged(AccessController.java:712) at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221) at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145) at java.base/java.security.AccessController.doPrivileged(AccessController.java:569) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143) at Re: Requirements to support HTTPS 2023-03-25 Thread Mark Thomas On 25/03/2023 14:16, Blake McBride wrote: Greetings, I wanted to confirm my suspicions regarding packages needed in tomcat to support HTTPS. The config I am using is: No. For that configuration you can use Tomcat Native 1.2.x or 2.0.x. Tomcat Native depends on OpenSSL and APR. Whether you need to provide those dependencies explicitly will depend on how you have obtained Tomcat Native. The Windows binaries include all dependencies via static linking. Most (all?) Linux distributions use dynamic linking and should have the correct dependencies set so installed Tomcat Native installs the dependencies. Or just use JSSE which is a pure Java solution. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: UnsatisfiedLinkError 2023-03-25 Thread Mark Thomas You are using Tomcat Native 2.0.3. That does not support the HTTP APR/native connector (nor the AJP/native connector). You need to use Tomcat Native 1.2.x or switch to the HTTP NIO or HTTP NIO2 connector. Mark On 25/03/2023 01:13, Blake McBride wrote: Greetings, I am getting an unsatisfied link error when I start up tomcat. Here are some of the specifics: System: Ubuntu 20.04 Tomcat: 9.0.73 APR: 1.7.2 OpenSSL: 3.1.0 Any help you can offer is greatly appreciated! Blake McBride Here is catalina.out: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED 24-Mar-2023 19:51:56.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.73 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Feb 27 2023 15:33:40 UTC 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.73.0 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.4.0-144-generic 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-17-openjdk-amd64 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 17.0.6+10-Ubuntu-0ubuntu120.04.1 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Private Build 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /home/arahant/tomcat 24-Mar-2023 19:51:56.382 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /home/arahant/tomcat 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/arahant/tomcat/conf/logging.properties 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048 24-Mar-2023 19:51:56.395 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256M 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4524M 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseZGC 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:-ZUncommit 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.library.path=/usr/local/apr/lib 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs= 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/home/arahant/tomcat 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/home/arahant/tomcat 24-Mar-2023 19:51:56.396 INFO [main] Re: Can't get RemoteIpValve to work 2023-03-24 Thread Mark Thomas And if you dump out the headers and the value of ServletRequest.getRemoteAddr() with (and without for completeness) the RemoteIpValve ? Mark On 24/03/2023 14:09, Leon Rosenberg wrote: Full log output (dumping out headers, without the valve): 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept; value: */* 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value: 217.110.113.178 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value: api.myhost.net 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value: api.myhost.net 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive 217.110.113.178 is my ip, so the value is correct. On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg wrote: yeah, interestingly enough removing ipvalve and adding access log magic, puts the X-Forwarded-For in the localhost_access.log ... but strange nevertheless. On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas wrote: Maybe try commenting out the RemoteIpValve in Tomcat and retest so you can see exactly what headers Tomcat is seeing. Alternatively, since this is over http, Wireshark or similar could help. Mark On 24/03/2023 10:29, Leon Rosenberg wrote: Hi, we have following setup apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on same host). Connection is via apache mod_http/proxy. Internal IP of the host is 10.138.0.3 (where httpd and docker are running). In localhost_access log we see always 10.138.0.3 address. If going through port 8080 directly, without httpd, we see the correct IP-Address. We have added RemoteIpValve to server xml. http config also has ProxyAddHeaders on, also I understand that to be default anyway: ProxyPass / http://10.138.0.3:8080/ ProxyPassReverse / http://10.138.0.3:8080/ ProxyErrorOverride Off ProxyAddHeaders On Require all granted ProxyAddHeaders On When we print out all headers in a request, the X-Forwarded-For is missing, so obviously tomcat does something with it, but doesn't trust the httpd? So probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't get my head around it. any help would be highly appreciated kr Leon - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Can't get RemoteIpValve to work 2023-03-24 Thread Mark Thomas Maybe try commenting out the RemoteIpValve in Tomcat and retest so you can see exactly what headers Tomcat is seeing. Alternatively, since this is over http, Wireshark or similar could help. Mark On 24/03/2023 10:29, Leon Rosenberg wrote: Hi, we have following setup apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on same host). Connection is via apache mod_http/proxy. Internal IP of the host is 10.138.0.3 (where httpd and docker are running). In localhost_access log we see always 10.138.0.3 address. If going through port 8080 directly, without httpd, we see the correct IP-Address. We have added RemoteIpValve to server xml. http config also has ProxyAddHeaders on, also I understand that to be default anyway: ProxyPass / http://10.138.0.3:8080/ ProxyPassReverse / http://10.138.0.3:8080/ ProxyErrorOverride Off ProxyAddHeaders On Require all granted ProxyAddHeaders On When we print out all headers in a request, the X-Forwarded-For is missing, so obviously tomcat does something with it, but doesn't trust the httpd? So probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't get my head around it. any help would be highly appreciated kr Leon - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: service() failed with http error 502 2023-03-23 Thread Mark Thomas You have a mismatch between this attribute on the workers: max_packet_size It isn't set so the default of 8192 is used. And this attribute on the AJP connector: packetSize="65536" Those attributes need to match on all workers and the AJP connector. Mark On 23/03/2023 18:19, Luis Ramos wrote: Hi, worker.list=tomcat01,tomcat02 worker.tomcat01.type=ajp13 worker.tomcat01.host=::1 worker.tomcat01.port=8009 worker.tomcat01.secret=namnetiq1 worker.tomcat01.ping_timeout=1000 worker.tomcat01.connect_timeout=1 worker.tomcat01.prepost_timeout=1 worker.tomcat01.socket_timeout=10 worker.tomcat01.connection_pool_timeout=60 worker.tomcat01.connection_pool_size=90 worker.tomcat01.retries=2 worker.tomcat01.reply_timeout=30 worker.tomcat02.type=ajp13 worker.tomcat02.host=::1 worker.tomcat02.port=8009 worker.tomcat02.secret=namnetiq1 worker.tomcat02.ping_timeout=1000 worker.tomcat02.connect_timeout=1 worker.tomcat02.prepost_timeout=1 worker.tomcat02.socket_timeout=10 worker.tomcat02.connection_pool_timeout=60 worker.tomcat02.connection_pool_size=90 worker.tomcat02.retries=2 worker.tomcat02.reply_timeout=30 Luis J Ramos CNT Infotech Corp. (www.cntinfotech.com) 646.452.9349 - Original Message ----- From: "Mark Thomas" To: "users" Sent: Thursday, March 23, 2023 12:51:59 PM Subject: Re: service() failed with http error 502 And the workers.properties file? Mark On 23/03/2023 16:13, Luis Ramos wrote: Hi Apache Tomcat/9.0.65 from server.xml Luis J Ramos CNT Infotech Corp. (www.cntinfotech.com) 646.452.9349 - Original Message - From: "Mark Thomas" To: "users" Sent: Thursday, March 23, 2023 4:09:41 AM Subject: Re: service() failed with http error 502 On 22/03/2023 19:20, Luis Ramos wrote: Hi List. In and around last windows updates for our WIN2019 box, our tomcat connector start to fail with the below error message. Setup is IIS 10->ISAPI connector => Tomcat 9 -> https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Has someone seen this behaivor? To be able to open the system I am bypassing the connector and listening in port 443 in server.xml directly. What Tomcat version are you using? Has there been any change in Tomcat version in the same time frame? If so, please provide exact version information. Please provide the AJP connector configuration from Tomcat's server.xml [Wed Mar 22 15:08:46.746 2023] [10780:14112] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1408): (tomcat01) wrong message size 18441 8192 from ::1:8009 This suggests that Tomcat is configured with a different maximum AJP message size than IIS. Please provide your workers.properties file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This e-mail message, including any attachment(s), is confidential and may also be legally privileged. It is intended solely for the addresse(s) and others authorized to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this email is strictly prohibited and may be unlawful. If you have received this e-mail in error you are requested to delete it from your system and to notify us by replying to this message immediately. CNT Infotech is not liable for the improper transmission of this message nor for any damage sustained as a result of this message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This e-mail message, including any attachment(s), is confidential and may also be legally privileged. It is intended solely for the addresse(s) and others authorized to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this email is strictly prohibited and may be unlawful. If you have received this e-mail in error you are requested to delete it from your system and to notify us by replying to this message immediately. CNT Infotech is not liable for the improper transmission of this message nor for any damage sustained as a result of this message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: use Re: service() failed with http error 502 2023-03-23 Thread Mark Thomas And the workers.properties file? Mark On 23/03/2023 16:13, Luis Ramos wrote: Hi Apache Tomcat/9.0.65 from server.xml Luis J Ramos CNT Infotech Corp. (www.cntinfotech.com) 646.452.9349 - Original Message - From: "Mark Thomas" To: "users" Sent: Thursday, March 23, 2023 4:09:41 AM Subject: Re: service() failed with http error 502 On 22/03/2023 19:20, Luis Ramos wrote: Hi List. In and around last windows updates for our WIN2019 box, our tomcat connector start to fail with the below error message. Setup is IIS 10->ISAPI connector => Tomcat 9 -> https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Has someone seen this behaivor? To be able to open the system I am bypassing the connector and listening in port 443 in server.xml directly. What Tomcat version are you using? Has there been any change in Tomcat version in the same time frame? If so, please provide exact version information. Please provide the AJP connector configuration from Tomcat's server.xml [Wed Mar 22 15:08:46.746 2023] [10780:14112] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1408): (tomcat01) wrong message size 18441 8192 from ::1:8009 This suggests that Tomcat is configured with a different maximum AJP message size than IIS. Please provide your workers.properties file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This e-mail message, including any attachment(s), is confidential and may also be legally privileged. It is intended solely for the addresse(s) and others authorized to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this email is strictly prohibited and may be unlawful. If you have received this e-mail in error you are requested to delete it from your system and to notify us by replying to this message immediately. CNT Infotech is not liable for the improper transmission of this message nor for any damage sustained as a result of this message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: service() failed with http error 502 2023-03-23 Thread Mark Thomas On 22/03/2023 19:20, Luis Ramos wrote: Hi List. In and around last windows updates for our WIN2019 box, our tomcat connector start to fail with the below error message. Setup is IIS 10->ISAPI connector => Tomcat 9 -> https://tomcat.apache.org/connectors-doc/webserver_howto/iis.html Has someone seen this behaivor? To be able to open the system I am bypassing the connector and listening in port 443 in server.xml directly. What Tomcat version are you using? Has there been any change in Tomcat version in the same time frame? If so, please provide exact version information. Please provide the AJP connector configuration from Tomcat's server.xml [Wed Mar 22 15:08:46.746 2023] [10780:14112] [error] ajp_connection_tcp_get_message::jk_ajp_common.c (1408): (tomcat01) wrong message size 18441 8192 from ::1:8009 This suggests that Tomcat is configured with a different maximum AJP message size than IIS. Please provide your workers.properties file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org [SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure 2023-03-22 Thread Mark Thomas CVE-2023-28708 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M2 Apache Tomcat 10.1.0-M1 to 10.1.5 Apache Tomcat 9.0.0-M1 to 9.0.71 Apache Tomcat 8.5.0 to 8.5.85 Description: When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M3 or later - Upgrade to Apache Tomcat 10.1.6 or later - Upgrade to Apache Tomcat 9.0.72 or later - Upgrade to Apache Tomcat 8.5.86 or later History: 2023-03-22 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: tag files compiled in wrong encoding? 2023-03-21 Thread Mark Thomas On 21/03/2023 09:17, Holger Klawitter wrote: Hi there, I am investigating an encoding problem in the compiler for tag files: the following tag file (WEB-INF/tag/umlaut.tag): <%@tag trimDirectiveWhitespaces="true" pageEncoding="UTF-8" %> <%= "ü does not work" %> // bytes c3 bc (the file is in utf-8) compiles into umlaut_tag.java in which the umlaut is doubly utf-8 encoded like this: out.print( "Ã¼ does not work" ); // bytes c3 83 c2 bc String literals in jsp files work just fine, so I assume that the basic encoding setup is correct. Is this a jasper problem? Looks like it at this point. Where can I report this (which component in bz)? Jasper. Or am I missing some peculiarities regarding tags files? Nothing comes to mind although it is a while since I delved into the details of tag files. If you create the bug with the simplest example that creates the problem someone will take a look. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: GoDaddy SSL certificate not working with Tomcat9 2023-03-21 Thread Mark Thomas On 21/03/2023 01:09, Ralph Grove wrote: I'm having a problem installing a new SSL certificate on a GoDaddy-hosted server running Tomcat. Any suggestions for resolving it would be appreciated. I set up the server last year and installed the SSL certificate with no problem. This year, after the original certificate expired, I downloaded the new certificate provided by GoDaddy, removed the old certificate files from the keystore, and installed the new ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore from scratch and requesting a new certificate, but am getting the same exception with that certificate. These are the commands I used to obtain and install the certificate: sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks (--request and obtain certificate files from GoDaddy--) Did you run the commands below on the same keystore file you created in the first command above? sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file gdcerts/gdroot-g2.crt sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file gdcerts/gd_bundle-g2-g1.crt sudo keytool -import -alias tomcat -keystore keystore.jks -file gdcerts/.crt What is the output of: keytool -list -v -keystore keystore.jks And this is the Tomcat configuration for the connector: The connector configuration looks OK. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: how to make tomcat 9 remember which application where stopped before shutdown 2023-03-20 Thread Mark Thomas On 20/03/2023 10:09, Ivano Luberti wrote: Hi all , I would like to find a way to start tomcat with all the application stopped except the manager. My colleagues made a test manually stopping an application and restarting tomcat. After the service restarted the application was up and running. Is there a way to make Tomcat remember which application were stopped at shutdown and keep them stopped at restart? No. What you can do is set deployOnStartup="false" on the Host. But to have the Manager app always start, you'd have to define the Manager Context in server.xml which means any changes to the Manager configuration would require a full Tomcat restart. What problem are you trying to solve? There may be other options available. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-18 Thread Mark Thomas om/ <https://chart.apis.google.com/> https://export.highcharts.com/ <https://export.highcharts.com/>; style-src 'self' 'unsafe-inline' data: " + "https://maps.googleapis.com/maps/api/geocode/json <https://maps.googleapis.com/maps/api/geocode/json> https://*.tile.openstreetmap.org <http://tile.openstreetmap.org> " + "https://fonts.googleapis.com/ <https://fonts.googleapis.com/> https://export.highcharts.com/ <https://export.highcharts.com/> " + "https://code.highcharts.com/;form-action <https://code.highcharts.com/;form-action> 'self'; https:; block-all-mixed-content; connect-src 'self' wss://self:6080 data: https://maps.googleapis.com <https://maps.googleapis.com> https://*.tile.openstreetmap.org/ <http://tile.openstreetmap.org/> https://ipapi.co <https://ipapi.co> https://oauth2.googleapis.com/token <https://oauth2.googleapis.com/token> https://dialogflow.googleapis.com <https://dialogflow.googleapis.com>"; public void doGet(HttpServletRequest req,HttpServletResponse resp)throws ServletException,IOException { resp.setStatus(204); resp.setHeader(CSP_HEADER,CSP_HEADER_POLICY); } } On Wed, Mar 15, 2023 at 11:30 AM Bhavesh Mistry mailto:mistry.p.bhav...@gmail.com>> wrote: Hi Mark and Tomcat Team, We have been using tomcat 9 from version 0 to 70 and no issues so far with our application and firefox. We also tried to upgrade to 9.0.73, and show the same issue: As you can see from Devtools it is missing Protocol HTTP2 and is hung there. image.png [04/Mar/2023:00:40:47 +] 10.40.207.127 - https-jsse-nio-127.0.0.1-8443-exec-54 Administrator "GET /versa/ncs-services/vnms/analyticgroup/all *HTTP/2.0*" 204 - 148ms 148ms Any clue you have in the filter or why it might be 204 response caused firefox to be hung? we have added a custom header to the response that is all. I remove them still same issue. Any theory or clue you have further to debug this notorious issue? Thanks, Bhavesh On Thu, Mar 9, 2023 at 11:54 AM Mark Thomas mailto:ma...@apache.org>> wrote: On 09/03/2023 18:19, Bhavesh Mistry wrote: > Hi Mark, > > Your sample application worked 204 Firefox and our application does not > work. That leads me to believe *Application Filter *is an issue. But > should tomcat throw an exception if the response is already committed? A call to setStatus() after the response has been committed will be a NO-OP. > I > will try to see if I can reproduce it using a filter with the sample app > you gave me. Only one line change (streamOutputBuffer.closed = true) > would make our application work. So it seems to me that the application > filter is writing something after the stream is closed and this may lead to > this behavior. I will try to reproduce using this app. Do still consider > this application bug or a tomcat platform bug? Definitely an application bug. Mark > > Thank you so far for your excellent support and quick responses. > > Thanks, > > Bhavesh > > > > On Thu, Mar 9, 2023 at 1:14 AM Mark Thomas mailto:ma...@apache.org>> wrote: > >> On 08/03/2023 21:32, Bhavesh Mistry wrote: >>> Hi Mark, >>> >>> We have a NAT rule that forwards 443 to 8443. >> >> OK. That explains the change in port. >> >>> Trust me on that, we have a >>> direct connection. To rule out any networking layer issues, I did >>> direct ssh -L 8443:localhost:8443 admin@10.40.207.140 <mailto:admin@10.40.207.140> and created a >> tunnel >>> (https://localhost:8443/ <https://localhost:8443/>) to bypass port 443. Yet, the issue is still >>> reproducible. So there is *NOTHING* in the middle that could cause this >>> issue. >> >> There must be. Could be a FireFox plugin, a Filter used by the web >> application, a Valve for a third-party authentication module, etc. >> >> Try deploying this war: >> https://people.apache.org/~markt/dev/no-content-test.war <https://people.apache.org/~markt/dev/no-content-test.war> >> >> It contains 2 JSPs. > Re: AW: Unable to start application 2023-03-18 Thread Mark Thomas On 18/03/2023 10:43, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, -Ursprüngliche Nachricht- Von: Kevin Huntly Gesendet: Samstag, 18. März 2023 11:10 An: Tomcat Users List Betreff: Re: Unable to start application Here are the logs - https://drive.google.com/file/d/1jBsNaW_bQJ4KcDSvucJ5QWo642He6bgb/view ?usp=sharing The JDBC driver is located under /opt/mysql/, and I added that path to catalina.properties under the common loader. I did try to move it into ${catalina.home}/lib, this did not change anything. This message looks strange: 18-Mar-2023 06:06:13.305 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with JAR file [/opt/Apache/Tomcat/apache-tomcat-9.0.73/lib/mysql-connector-j-8.0.32.jar], exists: [true], canRead: [false] It seems that it cant load the jdbc driver from that path. Could you download the jar again from the mysql website and replace it? Can you open/unpack the jar without errors? More likely a permissions problem. That warning is generated before Tomcat tries loading the file. It means a call to java.io.File.canRead() returned false. Mark Greetings, Thomas -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Sat, Mar 18, 2023 at 3:16 AM Mark Thomas wrote: On 17/03/2023 23:18, John Dale (DB2DOM) wrote: ok - "mnet" should be "ment" From the logs excerpt I saw earlier in the thread, that needs fixing (although it was only a test element). I don't think it will break anything else but better to remove the noise from the logs. I figured I'd spell that out and behave like a compiler. :) I would also move that configuration into server.xml (it's a major difference between your configuration and mine). That configuration style is NOT recommended. It means you have no choice but to restart Tomcat if you change the Context configuration. If it is in a separate Context file, Tomcat will reload the web application automatically if you change the Context file. Stick with: /opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolut ions.xml Do NOT specify a path attribute for the Context. It will be ignored. Where is the JDBC driver located? It needs to be in ${CATALINA_BASE}/lib and not part of the WAR. Can we see the full logs from a clean start-up please? Mark Lastly, maybe to help debug a future issue, did you compile your project files against the tomcat libs included with your distribution, or did you drop them into this version of tomcat from another version? Probably won't matter since you should be coded to the interfaces, but one never knows. John On 3/17/23, Kevin Huntly wrote: no I think it has something to do with it but I'm not sure. I'll try taking out the environment values and see what happens On Fri, Mar 17, 2023, 19:11 John Dale (DB2DOM) wrote: In the log you sent below, I see a typo: Context/Environmnet Does that have something to do with it, or is this a typo in tomcat logging? On 3/17/23, Kevin Huntly wrote: yes, under Catalina/localhost On Fri, Mar 17, 2023, 19:07 John Dale (DB2DOM) wrote: Are you modifying a context.xml file in the conf folder? On 3/17/23, Kevin Huntly wrote: Also of note: 17-Mar-2023 17:25:42.113 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolu tions.xml] 17-Mar-2023 17:25:42.174 WARNING [main] org.apache.tomcat.util.digester.Digester.endElement No rules found matching [Context/Environmnet] Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Fri, Mar 17, 2023 at 5:24 PM Kevin Huntly wrote: Here's my santized server.xml and context.xml server.xml -> https://pastebin.com/Bj6Wh0qU context.xml -> https://pastebin.com/Z3dBf3eK - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- --- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: us Re: Unable to start application 2023-03-18 Thread Mark Thomas On 17/03/2023 23:18, John Dale (DB2DOM) wrote: ok - "mnet" should be "ment" From the logs excerpt I saw earlier in the thread, that needs fixing (although it was only a test element). I don't think it will break anything else but better to remove the noise from the logs. I figured I'd spell that out and behave like a compiler. :) I would also move that configuration into server.xml (it's a major difference between your configuration and mine). That configuration style is NOT recommended. It means you have no choice but to restart Tomcat if you change the Context configuration. If it is in a separate Context file, Tomcat will reload the web application automatically if you change the Context file. Stick with: /opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolutions.xml Do NOT specify a path attribute for the Context. It will be ignored. Where is the JDBC driver located? It needs to be in ${CATALINA_BASE}/lib and not part of the WAR. Can we see the full logs from a clean start-up please? Mark Lastly, maybe to help debug a future issue, did you compile your project files against the tomcat libs included with your distribution, or did you drop them into this version of tomcat from another version? Probably won't matter since you should be coded to the interfaces, but one never knows. John On 3/17/23, Kevin Huntly wrote: no I think it has something to do with it but I'm not sure. I'll try taking out the environment values and see what happens On Fri, Mar 17, 2023, 19:11 John Dale (DB2DOM) wrote: In the log you sent below, I see a typo: Context/Environmnet Does that have something to do with it, or is this a typo in tomcat logging? On 3/17/23, Kevin Huntly wrote: yes, under Catalina/localhost On Fri, Mar 17, 2023, 19:07 John Dale (DB2DOM) wrote: Are you modifying a context.xml file in the conf folder? On 3/17/23, Kevin Huntly wrote: Also of note: 17-Mar-2023 17:25:42.113 INFO [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/opt/Apache/Tomcat/apache-tomcat-9.0.73/conf/Catalina/localhost/esolutions.xml] 17-Mar-2023 17:25:42.174 WARNING [main] org.apache.tomcat.util.digester.Digester.endElement No rules found matching [Context/Environmnet] Kevin Huntly Email: kmhun...@gmail.com Cell: 716/424-3311 -BEGIN GEEK CODE BLOCK- Version: 1.0 GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++* --END GEEK CODE BLOCK-- On Fri, Mar 17, 2023 at 5:24 PM Kevin Huntly wrote: Here's my santized server.xml and context.xml server.xml -> https://pastebin.com/Bj6Wh0qU context.xml -> https://pastebin.com/Z3dBf3eK - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: health check return 404 after upgrade from 70 to tomcat 9.0.71 2023-03-17 Thread Mark Thomas On 17/03/2023 14:27, Rui wrote: Hi user group: I added some debug info to the 9.0.71 baseline from the logs it hit this (supposed not inn 9.0.70) https://github.com/apache/tomcat/blob/9.0.71/java/org/apache/catalina/connector/CoyoteAdapter.java#L677 That suggests you are using the Rewrite Valve? Is that correct? If so, that suggests that whatever is going wrong, is going wrong in that Valve. If not, it is likely that your debugging is corrupting the state of the MessageByte instances. You need to be really careful when logging values from them. Mark means undecodedURI type is T_CHARS or T_STR, however, decodedURI type is T_NULL at this time, so decodedURI.toChars(); actually will recycle its buffer. I can reproduce it locally with debug mode, but don't know how reproduce it in the company EKS cluster thanks. Zhou Rui On Fri, 17 Mar 2023 at 00:50, Rui wrote: I did some tests with several different commits in 9.0.71, I think my issue is caused by this https://github.com/apache/tomcat/commit/10a1a6d46d952bab4dfde44c3c0de12b0330da79 the "toBytesSimple" change has not been added to the repo yet, so the change in 9.073 doesn't solve the problem. Next I will go through these codes, but any clue? thanks Zhou Rui On Tue, 7 Mar 2023 at 00:34, Mark Thomas wrote: On 25/02/2023 17:57, Mark Thomas wrote: On 25/02/2023 15:47, Rui wrote: Hi recently upgraded tomcat to 9.0.71 from 9.0.70 but saw 404 in our EKS cluster(with istio installed) Received [GET /actuator HTTP/1.1 Host: x:8079 User-Agent: kube-probe/1.23+ Accept: */* Connection: close Accept-Encoding: gzip ] Incoming request /health with originalRemoteAddr in 9.0.70 I can see the below following message but not in 9.0.71 o.a.c.authenticator.AuthenticatorBase: Security checking request GET /health seems the processing has stopped somewhere and the pod health check didn't pass. I also noticed there was also a 404 issue but don't know if it is relevant. https://lists.apache.org/thread/gr814rmrlbk9rrqxqjrh4p3x0bfvv1g9 I have tested it locally with curl or jmeter, but can't reproduce the problem. but when I step by step debug the spring app, I found the undecodedURI type is T_STR in CoyoteAdapter.java(in 70 it supposed to be T_BYTES), then decodedURI is uninitialized and the uri can't find the mapping in internalMap of Mapper.java, which will cause 404(guess it thinks the uri is malformed) MessageBytes decodedURI = req.decodedURI(); if (undecodedURI.getType() == MessageBytes.T_BYTES) { // Copy the raw URI to the decodedURI decodedURI.duplicate(undecodedURI); 404 example: (when I debug step by step to check unndecodedURI) curl http://localhost:8080/actuator HTTP Status 404 – Not Foundbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line </pre></blockquote></blockquote><pre style="margin: 0em;"> {height:1px;background-color:#525D76;border:none;}HTTP Status 404 – Not Found% However, it runs well without breakpoint! I am quite confused...my intellij has problem? but anyway, summary: 9.0.69 and 70 are good in the AWS/EKS(kubernetes) cluster with istio 9.0.71 and 72 return 404 when health check by the EKS cluster. Looks like an instance of: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 If not that then maybe https://bz.apache.org/bugzilla/show_bug.cgi?id=66512 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.72 and New Relic APM java agent issues 2023-03-17 Thread Mark Thomas On 17/03/2023 14:02, Roe, Jennifer L wrote: Hi, We have opened a case with New Relic. The behavior exists with the 7.11.1 and 8.0.1 java agents per multiple applications teams. [The behavior was first noticed with Tomcat 9.0.72; Tomcat 9.0.73 which was released shortly after 9.0.72 also experiences this behavior.] The app teams stated disabling the java agent allows the application to function as expected. However, without the agent our observability and monitoring of the applications takes a hit as metrics are not available. Could this be related to fix 66441? Fix:66441 : Make imports of static fields in JSPs visible to any EL expressions used on the page. (markt) On one hand that is one of only two code changes (the other changes for formatting and/or comments) in the org.apache.jasper packages between 9.0.71 and 9.0.72 so it seems possible. On the other hand, I'm struggling to see how either of those code changes could cause the sort of corruption being observed. I'm be interested in hearing New Relic's explanation for this. Mark Regards, Joel Nationwide is on your side. *Jennifer Roe* Consultant, Technology Engineer Proud Nationwide Member Middleware Technology ro...@nationwide.com /FORTUNE® and Time Inc. are not affiliated with, and do not endorse the products or services of, Nationwide Mutual Insurance Company./ *From:* Thomas Meyer *Sent:* Friday, March 17, 2023 9:27 AM *To:* Tomcat Users List ; Roe, Jennifer L *Cc:* Whitesel, Joel M ; Adcock, Troy Allen ; Abbott, William H (Bill) *Subject:* [EXTERNAL] Re: Tomcat 9.0.72 and New Relic APM java agent issues *Nationwide Information Security Warning: **This is an **EXTERNALemail. *Use *CAUTIONbefore clicking on links, opening attachments, or responding.*(*Sender:*tho...@m3y3r.de ) Hi, We may see something similar with tomcat 9.0.73 and jsp pages. Need to test with newrelic app disabled. Did you already create a case with newrelic with this problem? Mfg Thomas Am 13. März 2023 20:18:12 MEZ schrieb "Roe, Jennifer L" mailto:ro...@nationwide.com>>: We are using 9.0.73 Tomcat version and New Relic APM java agent 7.11.0, it seems we are missing the injected New Relic script and the DOM looks much different than in 9.0.71. Looks as though it's incorrectly escaping certain html tags as if they're text (EG: changing < to "/") In our application login page is not fully displayed and we see the following at the bottom: This field is required.", }, "j_password": { required: "This field is required.", }, }, showErrors: function (errorMap, errorList) { var numOfInvalids = this.numberOfInvalids(); if (numOfInvalids != 0) { $("#loginErrorSummary").html(" Version 9.0.72 is when this was first noticed, nothing seemed to change with .73 and the New Relic version has remained the same 7.11.0. We have run a test with New Relic 8.01 agent with the same results System details: Ubuntu 20.04.5 LTS OpenJDK Runtime Environment Temurin-17.0.6+10 Example of where it seems to be doing an incorrect escape on the html produced from our .jsp Working page 9.0.71 Not working 9.0.73 "/ Thanks Nationwide is on your side. *Jennifer Roe* Consultant, Technology Engineer Proud Nationwide Member Middleware Technology ro...@nationwide.com /FORTUNE® and Time Inc. are not affiliated with, and do not endorse the products or services of, Nationwide Mutual Insurance Company./ -- Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: CVE-2023-24998 : Apache Denial of Service 2023-03-16 Thread Mark Thomas On 16/03/2023 05:33, S Abirami wrote: Hi All, Currently, In our product we are using 9.0.65 version of Tomcat. We are not using FileUpload option in any of our application and in Servlet. We don't have any config to limit the file uploads also. Whether our attacker still able to perform a malicious upload to our server via url. Please let me know you input regarding this CVE-2023-24998 vulnerability. Whether our application is vulnerable (or) not. If the application has not enabled Tomcat's built-in support for processing request bodies with content type "multipart/form-data" then the application is not exposed to CVE-2023-24998. Applications enable this support via the "@MultipartConfig" annotation and/or the "multipart-config" element in web.xml Note that any frameworks you may be using may enable this processing. Check the documentation for the framework. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Excluded service.bat From Maven Artefact 2023-03-16 Thread Mark Thomas On 16/03/2023 04:01, LANDER Tim wrote: Hi, I've noticed that service.bat and Tomcat.exe (Actually all exe's: https://github.com/apache/tomcat/blob/6de806a21adc68a23aa4043c67c0d80bbab1c458/build.xml#L2825-L2828) are excluded from the tomcat maven artefact (org.apache.tomcat:tomcat). What's the reason for this? I couldn't find it documented anywhere. That is the platform neutral zip distro, so the Windows specific files are excluded. The Windows specific distributions are created by the target that follows that. This makes it a bit annoying trying to add tomcat to a (Windows) installer. I know I can download and extract those files from archieve.apache.org, but it makes automating this process unnecessarily annoying. It looks to be possible to add the Windows specific binaries. They'll need their own artifact IDs - something like "tomcat-windows-x86" and "tomcat-windows-x64" - but the rest of the necessary plumbing is already in place. Please open an enhancement request if you'd like to see this in Tomcat. If you want to provide a patch as well, even better. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: HTTP2: How to check if the client aborted a request 2023-03-14 Thread Mark Thomas On 14/03/2023 09:00, Robin Stevens wrote: Does anybody has a pointer on how to obtain this info through official APIs, or to some documentation related to this that I might have missed ? The short answer is that there is no way do this via the Servlet API that doesn't involved trying to do I/O and then reacting to any error that is received. This is an open issue for the Servlet spec. There have been a few discussions and proposals but no consensus so far. Servlet issue #433 is probably the best place to start reading up on what has been discussed so far: https://github.com/jakartaee/servlet/issues/433 I currently think it is more likely than not that something to help with this will be introduced in the next iteration of the Servlet spec. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: OT: Disabling Stack Traces 2023-03-14 Thread Mark Thomas On 13/03/2023 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote: Hello everyone, I know that we can put the following in the section in the server.xml, but is there a way that we can force this setting in the catalina.properties, or some other way? Sorry, no. Mark Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: connecting tomcat server to eclipse java ee 2023-03-10 Thread Mark Thomas This idiot has been unsubscribed from the mailing list and blocked from re-subscribing. Mark On 10/03/2023 03:03, Veliz Broncano wrote: Hi! You are very pretty - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: HTTP Error 414. The request URL is too long. 2023-03-09 Thread Mark Thomas On 09/03/2023 20:59, Seth Mayers wrote: I am running Apache Tomcat Version 9.0.48. If I post a transaction that is very large, I get the "414; The request URL is too long". I have tried adding a bunch of parameters to my server.xml file but none of them seem to work. I have tried: maxHttpHeaderSize="262144" maxSavePostSize="-1" maxPostSize="-1" maxHttpRequestHeaderSize="262144" I have someone that was able to resolve the same issue running Tomcat 8.5 but his solution (maxhttpheadersize) did not work for me. Did something change between 8.5 and 9.0.48 that might affect things? Is something involved beyond just server.xml? Tomcat 9.0.x never returns a 414 status code. Wherever that status code is originating, it isn't Tomcat. It must be in the application or in a component before Tomcat. Mark SAMPLE POST (the one that fails is FAR larger than this) http://servername/gatewayAdminTest/GatewayClient?OutputType=1=1= LSF 01092390 02 test_promo_freeProduct DROP 01092391 WEB001232 O 39012621 1.0 BAG =xxx -- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-09 Thread Mark Thomas On 09/03/2023 18:19, Bhavesh Mistry wrote: Hi Mark, Your sample application worked 204 Firefox and our application does not work. That leads me to believe *Application Filter *is an issue. But should tomcat throw an exception if the response is already committed? A call to setStatus() after the response has been committed will be a NO-OP. I will try to see if I can reproduce it using a filter with the sample app you gave me.Only one line change (streamOutputBuffer.closed = true) would make our application work. So it seems to me that the application filter is writing something after the stream is closed and this may lead to this behavior. I will try to reproduce using this app. Do still consider this application bug or a tomcat platform bug? Definitely an application bug. Mark Thank you so far for your excellent support and quick responses. Thanks, Bhavesh On Thu, Mar 9, 2023 at 1:14 AM Mark Thomas wrote: On 08/03/2023 21:32, Bhavesh Mistry wrote: Hi Mark, We have a NAT rule that forwards 443 to 8443. OK. That explains the change in port. Trust me on that, we have a direct connection. To rule out any networking layer issues, I did direct ssh -L 8443:localhost:8443 admin@10.40.207.140 and created a tunnel (https://localhost:8443/) to bypass port 443. Yet, the issue is still reproducible. So there is *NOTHING* in the middle that could cause this issue. There must be. Could be a FireFox plugin, a Filter used by the web application, a Valve for a third-party authentication module, etc. Try deploying this war: https://people.apache.org/~markt/dev/no-content-test.war It contains 2 JSPs. index.jsp has a link to no-content.jsp no-content.jsp just returns a 204 This works as expected, with no errors with the latest 9.0.x code, 9.0.72, Chrome and FireFox. If it works when deployed to your server, that points to something in the web application. If it doesn't work, that points to something in the network and/or browser. Mark * Is publicly exposing tomcat enough for debugging *or do you still need an independent application? I can have SSH open but you will have to give me your private email to email credentials and public IP. sudo iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination VNMS all -- anywhere anywhere Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:8000 Chain DOCKER (0 references) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:8000 to:172.17.0.2:8000 Chain VNMS (1 references) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:http to:127.0.0.1:8080 *DNAT tcp -- anywhere anywhere tcp dpt:https to:127.0.0.1:8443 <http://127.0.0.1:8443>// this rule Fowards it to the 8443.* admin@SDWAN-VOAE1:~$ On Wed, Mar 8, 2023 at 12:29 PM Mark Thomas wrote: On 08/03/2023 19:52, Bhavesh Mistry wrote: Hi Mark, It is a *direct connection* with no proxy or no reverse proxy or no load balancer in the middle. We have a web app (UI) that make backend call and return 204 with no content and send it to the browser. An interesting fact is very thing works on Chrome but not with firefox. We have tried everything and we looked tomcat code and we see a change log around this area. That data you provided previously is not consistent with that statement. Tomcat is listening on port 8443. Firefox is connecting to port 443. I have no doubt the Tomcat change to 204 handling triggered the change in behavior you are seeing. It appears to have exposed a HTTP/2 bug somewhere in your system. It is hard to come up with a sample, but I will try it. I am just trying to give clue which code or line causing the problem to narrow down the issue, but it is not helping. Tomcat isn't the root cause. A simple test here with an index JSP and a JSP that just returns a 204 works as expected with Chrome and FireFox. All the indications are that there is an additional component in the system you are testing that can't handle an HTTP/2 204 response without a body. Mark Thanks, Bhavesh On Wed, Mar 8, 2023 at 11:43 AM Mark Thomas wrote: On 08/03/2023 19:38, Bhavesh Mistry wrote: I will see if I can give a sample. But after removing JUST ONE LINE ( streamOutputBuffer.closed = true;) Everything seems to work. Somehow, firefox does not like an active stream being closed (I am not 100% what close does). I will try to work on a sample to reproduce this. I hope the above can give you some clue as to where the Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-09 Thread Mark Thomas On 08/03/2023 21:32, Bhavesh Mistry wrote: Hi Mark, We have a NAT rule that forwards 443 to 8443. OK. That explains the change in port. Trust me on that, we have a direct connection. To rule out any networking layer issues, I did direct ssh -L 8443:localhost:8443 admin@10.40.207.140 and created a tunnel (https://localhost:8443/) to bypass port 443. Yet, the issue is still reproducible. So there is *NOTHING* in the middle that could cause this issue. There must be. Could be a FireFox plugin, a Filter used by the web application, a Valve for a third-party authentication module, etc. Try deploying this war: https://people.apache.org/~markt/dev/no-content-test.war It contains 2 JSPs. index.jsp has a link to no-content.jsp no-content.jsp just returns a 204 This works as expected, with no errors with the latest 9.0.x code, 9.0.72, Chrome and FireFox. If it works when deployed to your server, that points to something in the web application. If it doesn't work, that points to something in the network and/or browser. Mark * Is publicly exposing tomcat enough for debugging *or do you still need an independent application? I can have SSH open but you will have to give me your private email to email credentials and public IP. sudo iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination VNMS all -- anywhere anywhere Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:8000 Chain DOCKER (0 references) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:8000 to:172.17.0.2:8000 Chain VNMS (1 references) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:http to:127.0.0.1:8080 *DNAT tcp -- anywhere anywhere tcp dpt:https to:127.0.0.1:8443 <http://127.0.0.1:8443>// this rule Fowards it to the 8443.* admin@SDWAN-VOAE1:~$ On Wed, Mar 8, 2023 at 12:29 PM Mark Thomas wrote: On 08/03/2023 19:52, Bhavesh Mistry wrote: Hi Mark, It is a *direct connection* with no proxy or no reverse proxy or no load balancer in the middle. We have a web app (UI) that make backend call and return 204 with no content and send it to the browser. An interesting fact is very thing works on Chrome but not with firefox. We have tried everything and we looked tomcat code and we see a change log around this area. That data you provided previously is not consistent with that statement. Tomcat is listening on port 8443. Firefox is connecting to port 443. I have no doubt the Tomcat change to 204 handling triggered the change in behavior you are seeing. It appears to have exposed a HTTP/2 bug somewhere in your system. It is hard to come up with a sample, but I will try it. I am just trying to give clue which code or line causing the problem to narrow down the issue, but it is not helping. Tomcat isn't the root cause. A simple test here with an index JSP and a JSP that just returns a 204 works as expected with Chrome and FireFox. All the indications are that there is an additional component in the system you are testing that can't handle an HTTP/2 204 response without a body. Mark Thanks, Bhavesh On Wed, Mar 8, 2023 at 11:43 AM Mark Thomas wrote: On 08/03/2023 19:38, Bhavesh Mistry wrote: I will see if I can give a sample. But after removing JUST ONE LINE ( streamOutputBuffer.closed = true;) Everything seems to work. Somehow, firefox does not like an active stream being closed (I am not 100% what close does). I will try to work on a sample to reproduce this. I hope the above can give you some clue as to where the issue is. Wherever the issue is, it isn't with Tomcat and it isn't with Firefox. I've tested them locally and they work correctly. Might you have a reverse proxy between Firefox and Tomcat? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 2023-03-09 Thread Mark Thomas On 09/03/2023 05:55, Poh Wei Xiang wrote: Hi, Glad to hear that this is going to be fixed. Do you have a sample context format to work with connectionstring? You just duplicate the current setting for url to connectionString. So the configuration at the start of this thread becomes: Mark Sent from Outlook for Android<https://aka.ms/AAb9ysg> From: Mark Thomas Sent: Wednesday, 8 March 2023, 20:14 To: users@tomcat.apache.org Subject: Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 On 08/03/2023 11:58, Mark Thomas wrote: Thanks, I am able to recreate that stack trace. I am looking into the root cause now. Found it. There was a change in Commons DBCP to use "connectionString" rather than url internally and this was mistakenly applied to the lookup of the "url" configuration setting in DriverAdapterCPDS. I'll get this fixed for the April round of releases. If you need a workaround, if you add a configuration setting for connectionString="..." that has the same vaue as url="..." that should get things working. Mark Mark On 08/03/2023 09:03, Poh Wei Xiang wrote: Hi, java.sql.SQLException: The url cannot be null java.sql.DriverManager.getConnection(Unknown Source) java.sql.DriverManager.getConnection(Unknown Source) org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.getPooledConnection(DriverAdapterCPDS.java:396) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.testCPDS(InstanceKeyDataSource.java:1225) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.registerPool(PerUserPoolDataSource.java:708) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.getPooledConnectionAndInfo(PerUserPoolDataSource.java:614) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.getConnection(InstanceKeyDataSource.java:206) com.avaya.sce.runtime.jdbc.Database.open(Database.java:93) org.apache.jsp.jsp.validate_002ddb_jsp._jspService(validate_002ddb_jsp.java:721) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Unknown Source) With Regards, Poh Wei Xiang Senior Engineer D: +65 6826 3865 A: 6 Serangoon North Ave 5, #03-16, Singapore 554910 W: www.nxg-c.com<http://www.nxg-c.com> Service Helpdesk: +65 6842 2300 Service Email: serv...@nxg-c.com Follow us: NxGen Communications, a subsidiary of TeleChoice International Limited, a company of ST Telemedia Pte Ltd This email is intended solely for the use of the addressee and may contain information that is confidential or subject to le Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-08 Thread Mark Thomas On 08/03/2023 19:52, Bhavesh Mistry wrote: Hi Mark, It is a *direct connection* with no proxy or no reverse proxy or no load balancer in the middle. We have a web app (UI) that make backend call and return 204 with no content and send it to the browser. An interesting fact is very thing works on Chrome but not with firefox. We have tried everything and we looked tomcat code and we see a change log around this area. That data you provided previously is not consistent with that statement. Tomcat is listening on port 8443. Firefox is connecting to port 443. I have no doubt the Tomcat change to 204 handling triggered the change in behavior you are seeing. It appears to have exposed a HTTP/2 bug somewhere in your system. It is hard to come up with a sample, but I will try it. I am just trying to give clue which code or line causing the problem to narrow down the issue, but it is not helping. Tomcat isn't the root cause. A simple test here with an index JSP and a JSP that just returns a 204 works as expected with Chrome and FireFox. All the indications are that there is an additional component in the system you are testing that can't handle an HTTP/2 204 response without a body. Mark Thanks, Bhavesh On Wed, Mar 8, 2023 at 11:43 AM Mark Thomas wrote: On 08/03/2023 19:38, Bhavesh Mistry wrote: I will see if I can give a sample. But after removing JUST ONE LINE ( streamOutputBuffer.closed = true;) Everything seems to work. Somehow, firefox does not like an active stream being closed (I am not 100% what close does). I will try to work on a sample to reproduce this. I hope the above can give you some clue as to where the issue is. Wherever the issue is, it isn't with Tomcat and it isn't with Firefox. I've tested them locally and they work correctly. Might you have a reverse proxy between Firefox and Tomcat? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-08 Thread Mark Thomas On 08/03/2023 19:38, Bhavesh Mistry wrote: I will see if I can give a sample. But after removing JUST ONE LINE ( streamOutputBuffer.closed = true;) Everything seems to work. Somehow, firefox does not like an active stream being closed (I am not 100% what close does). I will try to work on a sample to reproduce this. I hope the above can give you some clue as to where the issue is. Wherever the issue is, it isn't with Tomcat and it isn't with Firefox. I've tested them locally and they work correctly. Might you have a reverse proxy between Firefox and Tomcat? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9? 2023-03-08 Thread Mark Thomas On 08/03/2023 17:24, James H. H. Lampert wrote: Curious about one thing: on our IBM Midrange installations, log entries go into catalina.out. On our Cloud Linux installations, catalina.out is almost always completely empty, and I have to go into the dated catalina log files to see any entries. Does anybody have an explanation for this difference? Check logging.properties and/or how you have stdout redirected in your start-up scripts. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-08 Thread Mark Thomas On 08/03/2023 19:05, Bhavesh Mistry wrote: *Then, *I build 9.0.72 src code *without HTTP2 no Content commit, and firefox worked ( I just replace tomcat-coyote.jar) . What is your suggestion we do next? * Again, if you can provide a simple test case (with source code - should be no more than two very simple servlets or JSPs) we can look at this further. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 2023-03-08 Thread Mark Thomas On 08/03/2023 11:58, Mark Thomas wrote: Thanks, I am able to recreate that stack trace. I am looking into the root cause now. Found it. There was a change in Commons DBCP to use "connectionString" rather than url internally and this was mistakenly applied to the lookup of the "url" configuration setting in DriverAdapterCPDS. I'll get this fixed for the April round of releases. If you need a workaround, if you add a configuration setting for connectionString="..." that has the same vaue as url="..." that should get things working. Mark Mark On 08/03/2023 09:03, Poh Wei Xiang wrote: Hi, java.sql.SQLException: The url cannot be null java.sql.DriverManager.getConnection(Unknown Source) java.sql.DriverManager.getConnection(Unknown Source) org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.getPooledConnection(DriverAdapterCPDS.java:396) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.testCPDS(InstanceKeyDataSource.java:1225) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.registerPool(PerUserPoolDataSource.java:708) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.getPooledConnectionAndInfo(PerUserPoolDataSource.java:614) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.getConnection(InstanceKeyDataSource.java:206) com.avaya.sce.runtime.jdbc.Database.open(Database.java:93) org.apache.jsp.jsp.validate_002ddb_jsp._jspService(validate_002ddb_jsp.java:721) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Unknown Source) With Regards, Poh Wei Xiang Senior Engineer D: +65 6826 3865 A: 6 Serangoon North Ave 5, #03-16, Singapore 554910 W: www.nxg-c.com Service Helpdesk: +65 6842 2300 Service Email: serv...@nxg-c.com Follow us: NxGen Communications, a subsidiary of TeleChoice International Limited, a company of ST Telemedia Pte Ltd This email is intended solely for the use of the addressee and may contain information that is confidential or subject to legal professional privilege. If you receive this email in error, please immediately notify the sender and delete the email. -Original Message- From: Mark Thomas Sent: Wednesday, 8 March 2023 4:35 pm To: users@tomcat.apache.org Subject: Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 On 08/03/2023 03:50, Poh Wei Xiang wrote: Hi, I am encountering an issue validating my application database connectivity, it throws java.sql.SQLException: The url cannot be null upon validation. Full stack trace please. Mark The application is developed using Avaya’s Orchestration designer (E Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 2023-03-08 Thread Mark Thomas Thanks, I am able to recreate that stack trace. I am looking into the root cause now. Mark On 08/03/2023 09:03, Poh Wei Xiang wrote: Hi, java.sql.SQLException: The url cannot be null java.sql.DriverManager.getConnection(Unknown Source) java.sql.DriverManager.getConnection(Unknown Source) org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.getPooledConnection(DriverAdapterCPDS.java:396) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.testCPDS(InstanceKeyDataSource.java:1225) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.registerPool(PerUserPoolDataSource.java:708) org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.getPooledConnectionAndInfo(PerUserPoolDataSource.java:614) org.apache.tomcat.dbcp.dbcp2.datasources.InstanceKeyDataSource.getConnection(InstanceKeyDataSource.java:206) com.avaya.sce.runtime.jdbc.Database.open(Database.java:93) org.apache.jsp.jsp.validate_002ddb_jsp._jspService(validate_002ddb_jsp.java:721) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:379) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) javax.servlet.http.HttpServlet.service(HttpServlet.java:596) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Unknown Source) With Regards, Poh Wei Xiang Senior Engineer D: +65 6826 3865 A: 6 Serangoon North Ave 5, #03-16, Singapore 554910 W: www.nxg-c.com Service Helpdesk: +65 6842 2300 Service Email: serv...@nxg-c.com Follow us: NxGen Communications, a subsidiary of TeleChoice International Limited, a company of ST Telemedia Pte Ltd This email is intended solely for the use of the addressee and may contain information that is confidential or subject to legal professional privilege. If you receive this email in error, please immediately notify the sender and delete the email. -Original Message- From: Mark Thomas Sent: Wednesday, 8 March 2023 4:35 pm To: users@tomcat.apache.org Subject: Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 On 08/03/2023 03:50, Poh Wei Xiang wrote: Hi, I am encountering an issue validating my application database connectivity, it throws java.sql.SQLException: The url cannot be null upon validation. Full stack trace please. Mark The application is developed using Avaya’s Orchestration designer (Eclipse) and database validation works until 9.0.70. I hope someone can shed some light on how to resolve this issue as from time to time, the customer will require us to upgrade tomcat to resolve vulnerability issues. Below is the context file for the application. Sent from Mail<https://go.microsoft.com/fwlink/? Re: Tomcat 9.0.72 Firefox issue with 204 response (Empty Body) 2023-03-08 Thread Mark Thomas On 08/03/2023 03:07, Bhavesh Mistry wrote: Hi Mark Thomas and Tomcat Team, We have a strange issue with Tomcat 9.0.72. All 204 response does not complete in firefox. It works in the Chrome browser. If we downgrade the tomcat version is less than .72. Everything works on all browsers. https://github.com/apache/tomcat/commit/b7a21f2d6fa73f932e9d01874936e5b6b32503fb <https://github.com/apache/tomcat/commit/b7a21f2d6fa73f932e9d01874936e5b6b32503fb> Tomcat Change Log: 66442 <https://bz.apache.org/bugzilla/show_bug.cgi?id=66442>: When an HTTP/2 response must not include a body, ensure that the end of stream flag is set on the headers frame and that no data frame is sent. (markt) You can see the fist request does not complete at all: image.png Can you please check this in firefox 2? We tried the older version of firefox 2 same issue. Tested in Chrome and Firefox. Both work as expected with HTTP/2 requests that return a 204 response. If you can provide a simple test case (with source code - should be no more than two very simple servlets or JSPs) we can look at this further. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: sslHostConfig and ciphers 2023-03-08 Thread Mark Thomas On 08/03/2023 07:45, l...@kreuser.name wrote: Beware Jon, Am 08.03.2023 um 07:56 schrieb jonmcalexan...@wellsfargo.com.invalid : Fwiw, this is happening in an outbound connection originated by a springboot app hosted in Tomcat. Any known issues with this and handshake issues? What is happening? I have re-read the thread several times and can't find a description of what isn't working. Then the tomcat sslHostConfig does not matter at all, only the one on the java options (or security config) "jdk.tls.client.cipherSuites". That is likely the one to allok at although be aware limiting the TLS protocol versions will also limit the available cipher suites. Mark Peter Thanks, Sent with BlackBerry Work (www.blackberry.com) From: jonmcalexan...@wellsfargo.com.INVALID Sent: Mar 4, 2023 3:08 AM To: users@tomcat.apache.org Subject: RE: sslHostConfig and ciphers Thank you!!! Thanks, Sent with BlackBerry Work (https://urldefense.com/v3/__http://www.blackberry.com__;!!F9svGWnIaVPGSwU!sOH_wTKBGJ6Btc-RekE10jWwQ85jkQkEltIWa0AaoIbooX5UMGSH88GoLuiVcjYRxEg9wZBM3INUA8zBXKbc56z70yYUpimTy-zbVbi6bbQ$ ) From: "Thomas Hoffmann (Speed4Trade GmbH)" Sent: Mar 4, 2023 1:22 AM To: Tomcat Users List Subject: AW: sslHostConfig and ciphers Hello, this message originates from your used java. It's not from tomcat. Java doesn't know this cipher-suite or is disabled in java.security You can list the supported ciphers via some code lines like https://urldefense.com/v3/__https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms__;!!F9svGWnIaVPGSwU!ok1eVR9QoczE-D4sspGE5zZh3h7aTnNIrKfVfkKUC4CSWI-99BHQNKZNO1VwWMhDzKjxpRQIsilgijmwV8_swl6-GicjRiAnIId8fctCkh9Xjg$ Greetings, Thomas -Ursprüngliche Nachricht- Von: jonmcalexan...@wellsfargo.com.INVALID Gesendet: Freitag, 3. März 2023 18:38 An: users@tomcat.apache.org Betreff: sslHostConfig and ciphers Ok, I don't know if I'm doing something wrong, or if I'm just not reading the output correctly. I have JSSE connector using sslHostConfig and in there I have defined ciphers, as below: However, if I enable ssl debugging, I am getting the following messages in my catalina.out file. 03-Mar-2023 16:43:22.120 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-9443"] javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.146 UTC|SSLContextImpl.java:425|System property jdk.tls.client.cipherSuites is set to 'null' javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.150 UTC|SSLContextImpl.java:425|System property jdk.tls.server.cipherSuites is set to 'null' javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.161 UTC|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472 javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.201 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.201 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.202 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.202 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.202 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.202 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.203 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.212 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.212 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.213 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.213 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.213 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.213 UTC|SSLContextImpl.java:399|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|ALL|01|main|2023-03-03 16:43:22.214 UTC|SSLContextImpl.java:408|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA javax.net.ssl|FINE|01|main|2023-03-03 16:43:22.221 UTC|SSLContextImpl.java:399|Ignore disabled Re: Encountered java.sql.sqlexception "the url cannot be null" starting from tomcat 9.0.71 2023-03-08 Thread Mark Thomas On 08/03/2023 03:50, Poh Wei Xiang wrote: Hi, I am encountering an issue validating my application database connectivity, it throws java.sql.SQLException: The url cannot be null upon validation. Full stack trace please. Mark The application is developed using Avaya’s Orchestration designer (Eclipse) and database validation works until 9.0.70. I hope someone can shed some light on how to resolve this issue as from time to time, the customer will require us to upgrade tomcat to resolve vulnerability issues. Below is the context file for the application. Sent from Mail for Windows - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9? 2023-03-08 Thread Mark Thomas On 07/03/2023 21:09, James H. H. Lampert wrote: Dear Mesrs. Thomas, Schultz, et al.: Changing it to "org.apache.coyote.http11.Http11NioProtocol" did the trick. The Tomcat 9 server launched, on our cloud Midrange box, and both it and the webapp contexts we have running seem to be working. It will, of course, require a bit more exercise before we start switching customer installations over to it. Tomcat 8.5 gives a warning message: 15-Nov-2022 14:12:55.341 WARNING [main] org.apache.coyote.http11.Http11Protocol. The HTTP BIO connector has been removed in Tomcat 8.5.x onwards. The HTTP BIO connector configuration has been automatically switched to use the HTTP NIO connector instead. and so I'm taking that to mean that 8.5 did automatically what I had to do by manually changing the configuration file. Correct. Looking at the comparison chart on the protocols, I don't see any difference between NIO and NIO2. Could somebody point me to an explanation of what the difference is between BIO, NIO, and NIO2? BIO uses blocking IO so it doesn't scale that well. You need one thread per current connection (including idle connections kept open with keep-alive). NIO and NIO2 use non-blocking IO. It scales better as you need one thread per currently active connection. NIO and NIO2 just use different ways of doing the same thing. Experience to date is that there isn't much difference between them. Mark (I have the general impression that APR is not an option on IBM Midrange boxes, but I could be mistaken.) -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9? 2023-03-07 Thread Mark Thomas On 06/03/2023 23:58, James H. H. Lampert wrote: On 03/03/2023 17:44, I wrote: Ok, another question: will Tomcat 9 accept a "legacy" connector definition in the form as shown below? protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/foo/tomcat/bar.ks" keyAlias="baz" clientAuth="false" sslProtocol="TLS" /> To which Mark Thomas replied: Yes. This afternoon, I realized that I had a guinea pig available for testing our webapp under Tomcat 9, on an IBM Midrange box. With a connector defined according to the above form, I tried launching, and got this: 06-Mar-2023 18:42:08.677 SEVERE [main] org.apache.catalina.connector.Connector. Protocol handler instantiation failed java.lang.ClassNotFoundException: org.apache.coyote.http11.Http11Protocol at java.lang.Class.forNameImpl(Native Method) at java.lang.Class.forName(Class.java:339) at org.apache.coyote.ProtocolHandler.create(ProtocolHandler.java:260) . . . So I'm guessing I need to change the class given in the protocol clause. To what? Sorry, I didn't check the values provided in the example. I was just looking at the overall style. You need one of the following: org.apache.coyote.http11.Http11NioProtocol org.apache.coyote.http11.Http11Nio2Protocol org.apache.coyote.http11.Http11AprProtocol See the protocol attribute here: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Standard_Implementation Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: health check return 404 after upgrade from 70 to tomcat 9.0.71 2023-03-06 Thread Mark Thomas On 25/02/2023 17:57, Mark Thomas wrote: On 25/02/2023 15:47, Rui wrote: Hi recently upgraded tomcat to 9.0.71 from 9.0.70 but saw 404 in our EKS cluster(with istio installed) Received [GET /actuator HTTP/1.1 Host: x:8079 User-Agent: kube-probe/1.23+ Accept: */* Connection: close Accept-Encoding: gzip ] Incoming request /health with originalRemoteAddr in 9.0.70 I can see the below following message but not in 9.0.71 o.a.c.authenticator.AuthenticatorBase : Security checking request GET /health seems the processing has stopped somewhere and the pod health check didn't pass. I also noticed there was also a 404 issue but don't know if it is relevant. https://lists.apache.org/thread/gr814rmrlbk9rrqxqjrh4p3x0bfvv1g9 I have tested it locally with curl or jmeter, but can't reproduce the problem. but when I step by step debug the spring app, I found the undecodedURI type is T_STR in CoyoteAdapter.java(in 70 it supposed to be T_BYTES), then decodedURI is uninitialized and the uri can't find the mapping in internalMap of Mapper.java, which will cause 404(guess it thinks the uri is malformed) MessageBytes decodedURI = req.decodedURI(); if (undecodedURI.getType() == MessageBytes.T_BYTES) { // Copy the raw URI to the decodedURI decodedURI.duplicate(undecodedURI); 404 example: (when I debug step by step to check unndecodedURI) curl http://localhost:8080/actuator HTTP Status 404 – Not Foundbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 </pre><tt>{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a </tt><tt>{color:black;} </tt><pre style="margin: 0em;"> .line {height:1px;background-color:#525D76;border:none;}HTTP Status 404 – Not Found% However, it runs well without breakpoint! I am quite confused...my intellij has problem? but anyway, summary: 9.0.69 and 70 are good in the AWS/EKS(kubernetes) cluster with istio 9.0.71 and 72 return 404 when health check by the EKS cluster. Looks like an instance of: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 If not that then maybe https://bz.apache.org/bugzilla/show_bug.cgi?id=66512 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org [ANN] Apache Tomcat 11.0.0-M4 (alpha) available 2023-03-06 Thread Mark Thomas The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M4 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications. Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process. Apache Tomcat 11.0.0-M4 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback. The notable changes compared to 11.0.0-M3 include: - Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored. - Provide an implementation of the sub-set of JavaBeans support that does not depend on the java.beans package. This for use by Expression Language when the java.desktop module (which is where the java.beans package resides) is not available. - Restore inline state after async operation in NIO2, to account the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang. Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-11.0-doc/changelog.html Downloads: http://tomcat.apache.org/download-11.cgi Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x: http://tomcat.apache.org/migration.html Enjoy! - The Apache Tomcat team - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: 9.0.73 change log 2023-03-06 Thread Mark Thomas Please don't hijack threads. To continue a previous thread, reply to the most recent message from that thread. Mark On 06/03/2023 12:32, Rui wrote: Hi Mark just tested the 9.0.73 but we still got 404 for health check can you please share how to reproduce this problem locally? thanks zhou rui On Sat, 4 Mar 2023 at 16:38, Mark Thomas wrote: Fixed. Thanks for letting us know. Mark On 03/03/2023 22:56, Adam Rauch wrote: Thanks, Tomcat team, for cranking out another release! I noticed a minor discrepancy on the main website home page (https://tomcat.apache.org/). In the "Tomcat 9.0.73 Released" section, "Tomcat 9 changelog" links to the 9.0.71 bookmark ("#Tomcat_9.0.71_(remm)") instead of the 9.0.73 bookmark. Thanks, Adam - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: [10.1.4] Dots in URL 2023-03-06 Thread Mark Thomas On 06/03/2023 12:24, Martynas Jusevičius wrote: Hi, I have a JAX-RS application deployed on Tomcat. When a URL contains dots, I get a 422 Unprocessable Entity response which looks like it's coming from Tomcat. When I remove the dots, the request works fine and reaches my application. Is that Tomcat's behavior? No. The Tomcat code never returns a 422 response. It must be coming from the application or some other component in the stack (e..g a reverse proxy). Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.71 Anomalies 2023-03-04 Thread Mark Thomas On 03/03/2023 20:19, jonmcalexan...@wellsfargo.com.INVALID wrote: Hi Mark, On the slowness, this is when they are retrieving random .js files from the exploded war file after deployment. To clarify, these are .js files loaded directly from the file system? They are not packaged in a JAR file? It's taking an a long amount of time. Some of these are quite large, like 2MB or more. When the issue shows, doing a curl we get to here and then it pauses for some time before it feeds back the data. * Trying **.**.**.**:8443... * TCP_NODELAY set * Connected to server port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / * ALPN, server accepted to use http/1.1 * Server certificate: * subject: * start date: * expire date: * issuer: * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. GET HTTP/1.1 Host: User-Agent: curl/7.65.3 Accept: */* And it just hangs out here before finally getting the requested file. How repeatable is this? How long does it hang before delivering content? Is it always the same or does it vary. Which connector are you using? What Tomcat version did you upgrade from? How does the problem before the upgrade compare to the problem after the upgrade? What component is serving the content? Is it Tomcat's default servlet or is it something else? When it happens, take 3 thread dumps a few seconds apart. The aim is to figure out why it is hanging. In looking at the catalina.out log file, I am not seeing any errors/stack-traces. Any ideas as to what may be causing this? Not at the moment. The information requested above should at least narrow down which parts we need to think about. Mark Thank you, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- From: Mark Thomas Sent: Friday, March 3, 2023 1:32 AM To: users@tomcat.apache.org Subject: Re: Tomcat 9.0.71 Anomalies On 02/03/2023 21:54, jonmcalexan...@wellsfargo.com.INVALID wrote: Hello gentle beings, I have a couple of application teams having issues since getting upgraded to Tomcat 9.0.71. Upgrading from which Tomcat version? The main one has to do with an application that has run fine in the past is now exceeding max cursors with their Oracle Database datasource. They are using spring framework to control the Database operations. Here is what their resource looks like: type="javax.sql.DataSource" maxTotal="100" maxIdle="30" maxWaitMillis="15000" username="${datasource.fm.username}" password="${datasource.fm.password}" driverClassName="oracle.jdbc.OracleDriver" url="jdbc:oracle:thin:@(Description=(CONNECT_TIMEOUT=10)(RETRY_COUN T=3)(ADDRESS_LIST=(LOAD_BALANCE=on)(FAILOVER=ON)(ADDRESS=(PROT OCOL=tcp)(HOST=***)(PORT=3203))(ADDRESS=(PROTOCOL= tcp)(HOST=*)(PORT=3203)))(CONNECT_DATA=(SERVICE _NAME=ceofm_u)))"/> Here is an error from the log file: [‎3/‎2/‎2023 1:50 PM] Burgos, Maria D.: here is the error in catalina.out 02-Mar-2023 13:05:30.944 SEVERE [https-jsse-nio-28443-exec-8] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [f***servlet] in context with path [/f***] threw exception [Request processing failed; nested exception is com.wellsfargo.fms.common.exception.FMSException] with root cause com.wellsfargo.f**.common.exception.F**Exception at org.springframework.jdbc.core.JdbcTemplate.translateException(JdbcTempl ate.java:1542) at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:66 7) Any chance we can see a root cause for that? Something from the JDBC driver? The other team is havi Re: 9.0.73 change log 2023-03-04 Thread Mark Thomas Fixed. Thanks for letting us know. Mark On 03/03/2023 22:56, Adam Rauch wrote: Thanks, Tomcat team, for cranking out another release! I noticed a minor discrepancy on the main website home page (https://tomcat.apache.org/). In the "Tomcat 9.0.73 Released" section, "Tomcat 9 changelog" links to the 9.0.71 bookmark ("#Tomcat_9.0.71_(remm)") instead of the 9.0.73 bookmark. Thanks, Adam - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Connector definitions, Re: Tomcat 8 impending EOL -- what's the minimum Java for Tomcat 9? 2023-03-03 Thread Mark Thomas On 03/03/2023 17:44, James H. H. Lampert wrote: On 3/2/23 3:50 PM, jonmcalexan...@wellsfargo.com.INVALID wrote: Yes, Tomcat9 runs under Java8 and above. Ok, another question: will Tomcat 9 accept a "legacy" connector definition in the form as shown below? protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/foo/tomcat/bar.ks" keyAlias="baz" clientAuth="false" sslProtocol="TLS" /> Yes. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9 crashes because of a Windows update 2023-03-03 Thread Mark Thomas On 03/03/2023 07:57, Katie S wrote: Mark, The logs say the following: [2023-03-03 08:25:59] [info] [ 6836] Apache Commons Daemon procrun (1.2.1.0 64-bit) started. [2023-03-03 08:25:59] [info] [ 6836] Running Service 'BOEXI40Tomcat'... [2023-03-03 08:25:59] [info] [ 7696] Starting service... [2023-03-03 08:26:00] [info] [ 7696] Service started in 1187 milliseconds. [2023-03-03 08:27:53] [info] [ 6836] Run service finished. [2023-03-03 08:27:53] [info] [ 6836] Apache Commons Daemon procrun finished. 08:25 was the time I've run Tomcat and 08:27 was the time Tomcat stopped working by himself. OK that looks normal. I've enclosed the stderr.log to this email. The mailing list strips attachments. You either need to paste the contents in the body of the email or use a file sharing service (that doesn't require an account to read the files). We need to see the rest of the log files. I suggest the following: - delete (or move) all the existing logs - configure Commons Daemon for debug logging - start the Tomcat service - wait for the service to stop Provide us with all the logs. Thanks, Mark - Katie Le jeu. 2 mars 2023 à 15:09, Mark Thomas <mailto:ma...@apache.org>> a écrit : On 02/03/2023 13:59, Katie S wrote: > I'm using the Central Configuration Manager from Business Objects 4.0. > I start Apache Tomcat for BI4, it says "running" and then after a > few minutes and without any action, the status becomes "stopped". OK. What do the logs show? Mark > > - Katie > > Le jeu. 2 mars 2023 à 11:10, Mark Thomas mailto:ma...@apache.org>> a écrit : > >> On 02/03/2023 08:49, Katie S wrote: >>> Sorry for being unclear and thank you for your answer. >>> >>> I can start Tomcat but after a few minutes it stops working. And >> everytime >>> I restart it, the behavior is the same. >> >> Again, define "stops working". >> >> Mark >> >>> >>> - Katie >>> >>> Le jeu. 2 mars 2023 à 09:39, Mark Thomas mailto:ma...@apache.org>> a écrit : >>> >>>> On 02/03/2023 08:28, Katie S wrote: >>>>> Hello, >>>>> >>>>> Do you have any information on Tomcat 9 not working after some Windows >>>>> Updates ? >>>>> We have installed the KB5022838 on our Windows Server 2016 Standard and >>>>> since this we can restart Tomcat but it stops working after only few >>>>> minutes. >>>> >>>> Define "stops working". The subject says "crashes". We need specifics. >>>> >>>>> We are sure about the fact that the Windows update is guilty as it >> worked >>>>> properly when we restored the VMware snapshot. >>>> >>>> That is a useful data point. >>>> >>>> Mark >>>> >>>> - >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org <mailto:users-unsubscr...@tomcat.apache.org> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org <mailto:users-h...@tomcat.apache.org> >>>> >>>> >>> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org <mailto:users-unsubscr...@tomcat.apache.org> >> For additional commands, e-mail: users-h...@tomcat.apache.org <mailto:users-h...@tomcat.apache.org> >> >> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org <mailto:users-unsubscr...@tomcat.apache.org> For additional commands, e-mail: users-h...@tomcat.apache.org <mailto:users-h...@tomcat.apache.org> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9.0.71 Anomalies 2023-03-02 Thread Mark Thomas On 02/03/2023 21:54, jonmcalexan...@wellsfargo.com.INVALID wrote: Hello gentle beings, I have a couple of application teams having issues since getting upgraded to Tomcat 9.0.71. Upgrading from which Tomcat version? The main one has to do with an application that has run fine in the past is now exceeding max cursors with their Oracle Database datasource. They are using spring framework to control the Database operations. Here is what their resource looks like: Here is an error from the log file: [‎3/‎2/‎2023 1:50 PM] Burgos, Maria D.: here is the error in catalina.out 02-Mar-2023 13:05:30.944 SEVERE [https-jsse-nio-28443-exec-8] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [f***servlet] in context with path [/f***] threw exception [Request processing failed; nested exception is com.wellsfargo.fms.common.exception.FMSException] with root cause com.wellsfargo.f**.common.exception.F**Exception at org.springframework.jdbc.core.JdbcTemplate.translateException(JdbcTemplate.java:1542) at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:667) Any chance we can see a root cause for that? Something from the JDBC driver? The other team is having performance issues when using static .jar resources in their war file. One part of the app, on the browser side measurements, is taking 2.2 minutes to load. This started getting worse after moving to 9.0.71. Are there any known issues that could be causing this? Currently waiting for 9.0.73 to get release. :) Do you mean static resources stored in a JAR's META-INF/resources directory? Is the WAR deployed in packed or unpacked form? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Unpackwar 2023-03-02 Thread Mark Thomas On 02/03/2023 14:43, Christopher Schultz wrote: Mark, On 3/2/23 09:39, Mark Thomas wrote: On 02/03/2023 14:20, Devatha Naga Puneeth wrote: Hi, I checked the documentation and only understood that if unpackwar enabled then contents of the application will be extracted in the appBase. What is the use of UnpackWar to false ? When to prefer true and false ? Generally, unpacked web applications are going to be faster. I can't think of a really good reason to run from a packed WAR file off-hand. Read-only filesystem / directory. Not a "really good reason", but a potential one. One could make a claim that Tomcat is less vulnerable if it (including its deployed web applications) cannot write to any place on the disk where code can be executed. But you can copy the unpacked web application to such a file system just as easily as you can copy a single WAR file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Unpackwar 2023-03-02 Thread Mark Thomas On 02/03/2023 14:20, Devatha Naga Puneeth wrote: Hi, I checked the documentation and only understood that if unpackwar enabled then contents of the application will be extracted in the appBase. What is the use of UnpackWar to false ? When to prefer true and false ? Generally, unpacked web applications are going to be faster. I can't think of a really good reason to run from a packed WAR file off-hand. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9 crashes because of a Windows update 2023-03-02 Thread Mark Thomas On 02/03/2023 13:59, Katie S wrote: I'm using the Central Configuration Manager from Business Objects 4.0. I start Apache Tomcat for BI4, it says "running" and then after a few minutes and without any action, the status becomes "stopped". OK. What do the logs show? Mark - Katie Le jeu. 2 mars 2023 à 11:10, Mark Thomas a écrit : On 02/03/2023 08:49, Katie S wrote: Sorry for being unclear and thank you for your answer. I can start Tomcat but after a few minutes it stops working. And everytime I restart it, the behavior is the same. Again, define "stops working". Mark - Katie Le jeu. 2 mars 2023 à 09:39, Mark Thomas a écrit : On 02/03/2023 08:28, Katie S wrote: Hello, Do you have any information on Tomcat 9 not working after some Windows Updates ? We have installed the KB5022838 on our Windows Server 2016 Standard and since this we can restart Tomcat but it stops working after only few minutes. Define "stops working". The subject says "crashes". We need specifics. We are sure about the fact that the Windows update is guilty as it worked properly when we restored the VMware snapshot. That is a useful data point. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9 crashes because of a Windows update 2023-03-02 Thread Mark Thomas On 02/03/2023 08:49, Katie S wrote: Sorry for being unclear and thank you for your answer. I can start Tomcat but after a few minutes it stops working. And everytime I restart it, the behavior is the same. Again, define "stops working". Mark - Katie Le jeu. 2 mars 2023 à 09:39, Mark Thomas a écrit : On 02/03/2023 08:28, Katie S wrote: Hello, Do you have any information on Tomcat 9 not working after some Windows Updates ? We have installed the KB5022838 on our Windows Server 2016 Standard and since this we can restart Tomcat but it stops working after only few minutes. Define "stops working". The subject says "crashes". We need specifics. We are sure about the fact that the Windows update is guilty as it worked properly when we restored the VMware snapshot. That is a useful data point. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 9 crashes because of a Windows update 2023-03-02 Thread Mark Thomas On 02/03/2023 08:28, Katie S wrote: Hello, Do you have any information on Tomcat 9 not working after some Windows Updates ? We have installed the KB5022838 on our Windows Server 2016 Standard and since this we can restart Tomcat but it stops working after only few minutes. Define "stops working". The subject says "crashes". We need specifics. We are sure about the fact that the Windows update is guilty as it worked properly when we restored the VMware snapshot. That is a useful data point. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: CVE2023-24998 configuration 2023-02-28 Thread Mark Thomas The default (limit of 10,000 for combined total of query parameters and upload parts) should be sufficient to mitigate the issue. You can, of course, set the limit lower if you like (maxParameterCount on the Connector(s) in server.xml). Mark On 28/02/2023 16:24, A Name wrote: Just to confirm - I saw you incorporated fixes for that CVE into recent Tomcats. Is there a setting in Server or Web.xml for these or do they need to be set programmatically within an application using the functions in Commons-FileUpload? Abt - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Log rotation issue 2023-02-28 Thread Mark Thomas On 28/02/2023 03:40, Ragavendhiran Bhiman (rabhiman) wrote: Hi Mark Tomcat version 9.0.54 Operating system? Linux- RedHat Do you mean intermittent rather than intermediate? Yes Intermittent if many errors or too much errors are getting dumped. Usually when the same exception occurs multiple times. This problem is seen. What is writing to stdout? The "right" way to fix this is to stop whatever is writing to stdout from doing that. Mostly I think the exceptions and errors etc., My question was more "What component is generating the output?". Is it the application? It shouldn't be Tomcat. Can you provide a few examples? Mark From: Mark Thomas Date: Monday, 27 February 2023 at 11:17 PM To: users@tomcat.apache.org Subject: Re: Log rotation issue On 27/02/2023 02:28, Ragavendhiran Bhiman (rabhiman) wrote: Hi we are facing log rotation issue in apache tomcat. Our configurations like below handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler .handlers = 1catalina.org.apache.juli.AsyncFileHandler # Handler specific properties. # Describes specific configuration info for Handlers. 1catalina.org.apache.juli.AsyncFileHandler.level = FINE 1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. 1catalina.org.apache.juli.AsyncFileHandler.rotatable = false 2localhost.org.apache.juli.AsyncFileHandler.level = FINE 2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost. 2localhost.org.apache.juli.AsyncFileHandler.rotatable = false 3manager.org.apache.juli.AsyncFileHandler.level = FINE 3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 3manager.org.apache.juli.AsyncFileHandler.prefix = manager. 4admin.org.apache.juli.FileHandler.level = FINE 4admin.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 4admin.org.apache.juli.FileHandler.prefix = admin. 5host-manager.org.apache.juli.FileHandler.level = FINE 5host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 5host-manager.org.apache.juli.FileHandler.prefix = host-manager. java.util.logging.ConsoleHandler.level = FINE java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter # Facility specific properties. # Provides extra control for each logger. org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler # For example, set the org.apache.catalina.util.LifecycleBase logger to log # each component that extends LifecycleBase changing state: #org.apache.catalina.util.LifecycleBase.level = FINE # To see debug messages in TldLocationsCache, uncomment the following line: #org.apache.jasper.compiler.TldLocationsCache.level = FINE It is an intermediate issue that the Catalina.out some times goes in GBs. How to control that? Tomcat version? Operating system? Do you mean intermittent rather than intermediate? What is writing to stdout? The "right" way to fix this is to stop whatever is writing to stdout from doing that. Short-term workarounds will depend on what operating system you are using. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Log rotation issue 2023-02-27 Thread Mark Thomas On 27/02/2023 02:28, Ragavendhiran Bhiman (rabhiman) wrote: Hi we are facing log rotation issue in apache tomcat. Our configurations like below handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler .handlers = 1catalina.org.apache.juli.AsyncFileHandler # Handler specific properties. # Describes specific configuration info for Handlers. 1catalina.org.apache.juli.AsyncFileHandler.level = FINE 1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina. 1catalina.org.apache.juli.AsyncFileHandler.rotatable = false 2localhost.org.apache.juli.AsyncFileHandler.level = FINE 2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost. 2localhost.org.apache.juli.AsyncFileHandler.rotatable = false 3manager.org.apache.juli.AsyncFileHandler.level = FINE 3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs 3manager.org.apache.juli.AsyncFileHandler.prefix = manager. 4admin.org.apache.juli.FileHandler.level = FINE 4admin.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 4admin.org.apache.juli.FileHandler.prefix = admin. 5host-manager.org.apache.juli.FileHandler.level = FINE 5host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 5host-manager.org.apache.juli.FileHandler.prefix = host-manager. java.util.logging.ConsoleHandler.level = FINE java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter # Facility specific properties. # Provides extra control for each logger. org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler # For example, set the org.apache.catalina.util.LifecycleBase logger to log # each component that extends LifecycleBase changing state: #org.apache.catalina.util.LifecycleBase.level = FINE # To see debug messages in TldLocationsCache, uncomment the following line: #org.apache.jasper.compiler.TldLocationsCache.level = FINE It is an intermediate issue that the Catalina.out some times goes in GBs. How to control that? Tomcat version? Operating system? Do you mean intermittent rather than intermediate? What is writing to stdout? The "right" way to fix this is to stop whatever is writing to stdout from doing that. Short-term workarounds will depend on what operating system you are using. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat V8.5.85 2023-02-27 Thread Mark Thomas On 27/02/2023 17:27, jonmcalexan...@wellsfargo.com.INVALID wrote: Will this result in a quick move to 8.5.87 to replace 8.5.86? Yes. Tag expected later today. (9.0.x release vote is already in progress). Mark Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- From: Mark Thomas Sent: Saturday, February 25, 2023 11:56 AM To: users@tomcat.apache.org Subject: Re: Tomcat V8.5.85 On 24/02/2023 18:50, Nitish Khune wrote: HI, Since I upgraded from 8.5.84 to 8.5.85 or later, Any REST API with below header throws a context mismatch exception Sample header : --header 'Cookie: JSESSIONID=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX3Byb2ZpbGUi OiJ7XCJfcGVybWFuZW50XCI6dHJ1ZSxcInV1aWRcIjpcIjg5MjM1MmZm’ Exception : SEVERE: Servlet.service() for servlet [CXFServlet] in context with path [/Pteway] threw exception java.lang.IllegalStateException: Unable to find match between the canonical context path [/Pteway] and the URI presented by the user agent [SIONID=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni] at org.apache.catalina.connector.Request.getContextPath(Request.java:2192) at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFaca de.java:605) at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServlet RequestWrapper.java:137) at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServlet RequestWrapper.java:137) at org.springframework.security.web.authentication.logout.LogoutFilter$Filter ProcessUrlRequestMatcher.matches(LogoutFilter.java:167) at org.springframework.security.web.authentication.logout.LogoutFilter.requir esLogout(LogoutFilter.java:122) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilt er(LogoutFilter.java:94) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilt er(FilterChainProxy.java:342) at org.springframework.security.web.context.request.async.WebAsyncManag erIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java: 50) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerReq uestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilt er(FilterChainProxy.java:342) at org.springframework.security.web.authentication.preauth.AbstractPreAuth enticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter. java:94) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilt er(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter .doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilt er(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterCh ainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProx y.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(Deleg atingFilterProxy.java:347) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilt erProxy.java:263) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFi lterChain.java:181) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChai n.java:156) I could not find any information related to above exception. Any workaround to fix the issue ? Looks like an instance of: https://urldefense.com/v3/__https://bz.apache.org/bugzilla/show_bug.cgi? id=66488__;!!F9svGWnIaVPGSwU!rc- _ZhQ5dTLOhNb2u6vh_7lKW63Ycnx0H4qZCbKEk3IGcLofoON- YaHgRRKhPeFjL7ApDp70Ty1hZMGs_ZX6cw$ No work-around. I expect the March releases to have a fix for this. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org Re: 9.0.70 / 9.0.71 regression? 2023-02-27 Thread Mark Thomas Looks like this is the issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 That you only see the problem when using the SSO layer is consistent with our understanding of that bug. Mark On 16/02/2023 08:37, Mark Thomas wrote: On 16/02/2023 00:42, Dan Armbrust wrote: Are there any known regressions / open issues with 9.0.70 or 9.0.71 that could cause something like the below? The closest I can think of is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=66388 but it is fixed in 9.0.71 and I'd expect it to impact resource lookup (i.e.finding files on disk) but not the request URI since the URL class isn't used got processing the request URI. It would be good to track this down ASAP as we are about to start the next round of releases. Mark We encountered a very odd issue today, where after upgrading the version of spring-boot for one of our rest microservices (and getting a newer tomcat) it stopped processing our calls properly. But only when it was deployed in an env where the requests were going thru a SSO authentication layer first, and having a number of extra headers added to the request. When we tested locally, in an env without the SSO filtering, we didn't see the issue. It was a very odd problem, it presented to the end user as simply getting 404 errors back from the service. Tomcat was indeed sending 404 errors - but our integrated monitoring (datadog) was not even showing us the proper requests coming in - instead, each request that arrived came across with some partial (random) URL, which then didn't match any of our services, and was sent back as a 404. We haven't yet done any further debugging about where in the tomcat stack the request was being completely corrupted. I also haven't isolated if it was 9.0.71 or 9.0.70 - 9.0.69 works, and 9.0.71 fails. Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: How to update tomcat to user different version of commons-fileupload 2023-02-25 Thread Mark Thomas On 25/02/2023 17:28, Ph. Dinh wrote: Hi, Is there a way to try different versions of commons-fileupload (i.e 1.3, 1.4, and 1.5) on a Tomcat server (either 9.0 or 10.x)? Drop the necessary JARs (commons-dbcp, commons-pool) into $CATALINA_BASE/lib and then configure your DataSource Resource to use the appropriate factory rather than the default. fileUpload package paths shipped with Tomcat seems to be different with the paths in commons-fileupload so I don't think the class-loader technique here https://tomcat.apache.org/tomcat-9.0-doc/class-loader-howto.html "Advanced configuration" section will work. If not possible, is there a version of Tomcat that has the latest security fix in commons-fileupload 1.5? https://lists.apache.org/thread/hfq0okgjr4h5qkjzp009jn8v1hs0430k Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: health check return 404 after upgrade from 70 to tomcat 9.0.71 2023-02-25 Thread Mark Thomas On 25/02/2023 15:47, Rui wrote: Hi recently upgraded tomcat to 9.0.71 from 9.0.70 but saw 404 in our EKS cluster(with istio installed) Received [GET /actuator HTTP/1.1 Host: x:8079 User-Agent: kube-probe/1.23+ Accept: */* Connection: close Accept-Encoding: gzip ] Incoming request /health with originalRemoteAddr in 9.0.70 I can see the below following message but not in 9.0.71 o.a.c.authenticator.AuthenticatorBase: Security checking request GET /health seems the processing has stopped somewhere and the pod health check didn't pass. I also noticed there was also a 404 issue but don't know if it is relevant. https://lists.apache.org/thread/gr814rmrlbk9rrqxqjrh4p3x0bfvv1g9 I have tested it locally with curl or jmeter, but can't reproduce the problem. but when I step by step debug the spring app, I found the undecodedURI type is T_STR in CoyoteAdapter.java(in 70 it supposed to be T_BYTES), then decodedURI is uninitialized and the uri can't find the mapping in internalMap of Mapper.java, which will cause 404(guess it thinks the uri is malformed) MessageBytes decodedURI = req.decodedURI(); if (undecodedURI.getType() == MessageBytes.T_BYTES) { // Copy the raw URI to the decodedURI decodedURI.duplicate(undecodedURI); 404 example: (when I debug step by step to check unndecodedURI) curl http://localhost:8080/actuator HTTP Status 404 – Not Foundbody {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}HTTP Status 404 – Not Found% However, it runs well without breakpoint! I am quite confused...my intellij has problem? but anyway, summary: 9.0.69 and 70 are good in the AWS/EKS(kubernetes) cluster with istio 9.0.71 and 72 return 404 when health check by the EKS cluster. Looks like an instance of: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat V8.5.85 2023-02-25 Thread Mark Thomas On 24/02/2023 18:50, Nitish Khune wrote: HI, Since I upgraded from 8.5.84 to 8.5.85 or later, Any REST API with below header throws a context mismatch exception Sample header : --header 'Cookie: JSESSIONID=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX3Byb2ZpbGUiOiJ7XCJfcGVybWFuZW50XCI6dHJ1ZSxcInV1aWRcIjpcIjg5MjM1MmZm’ Exception : SEVERE: Servlet.service() for servlet [CXFServlet] in context with path [/Pteway] threw exception java.lang.IllegalStateException: Unable to find match between the canonical context path [/Pteway] and the URI presented by the user agent [SIONID=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni] at org.apache.catalina.connector.Request.getContextPath(Request.java:2192) at org.apache.catalina.connector.RequestFacade.getContextPath(RequestFacade.java:605) at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServletRequestWrapper.java:137) at javax.servlet.http.HttpServletRequestWrapper.getContextPath(HttpServletRequestWrapper.java:137) at org.springframework.security.web.authentication.logout.LogoutFilter$FilterProcessUrlRequestMatcher.matches(LogoutFilter.java:167) at org.springframework.security.web.authentication.logout.LogoutFilter.requiresLogout(LogoutFilter.java:122) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:94) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:94) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156) I could not find any information related to above exception. Any workaround to fix the issue ? Looks like an instance of: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 No work-around. I expect the March releases to have a fix for this. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: emulate slowloris DoS attack on apache-tomcat-9.0.71 2023-02-24 Thread Mark Thomas On 24/02/2023 05:57, Manohar Mikkili wrote: I am trying to emulate the slowloris DoS attack on Tomcat v9.0.71 Despite much deliberation, I failed to achieve this. Since this CVE is a pretty old one(circa 2012) my guess is that the same has been taken care of in the subsequent Tomcat releases. I could not find any documented evidence that google has presented so far. Can you someone from this august forum pls advise/validate my presumptions about this? This is CVE-2012-5568 (which should not have been allocated but that is a different topic). See: https://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat https://tomcat.apache.org/security-impact.html Newer version of Tomcat will be less susceptible to this attack since they use non-blocking I/O. That said, servers are always going to have a connection limit somewhere and if an attacker can consume most/all of those connections with traffic that appears to be legitimate you are going to see a DoS. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Re: Tomcat 7.0.54 2023-02-24 Thread Mark Thomas On 23/02/2023 21:41, a.grub...@bluewin.ch wrote: Hi all Can you tell me if there is a difference between Tomcat 7.0.54 with Oracle JRE 1.8.0_221 and OpenJDK 1.8.0_342 from a functional perspective? Tomcat should behave exactly the same way with either of those JVMs. However, the Tomcat project can't guarantee that. Further, given that Tomcat 7.0.x reached end of life almost 2 years ago, if you do find a difference in behaviour, you are unlikely to get a Tomcat committer interested in investigating and fixing the issue unless it also occurs on a currently supported Tomcat version. And even if you manage that, you are almost certainly not going to get a fix for Tomcat 7.0.x. Can it be, that certain DB transactions are handled different between these two java versions? Again, they should be but the Tomcat project can't guarantee that. Mark Yes, I know, Tomcat 7.0.54 is . old, legacy, vulnerable - but still, if someone knows, I would appreciate the reply. Thanks for your feedback. Alexander - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org < 1 2 3 4 5 6 7 8 9 10 >

< 1 2 3 4 5 6 7 8 9 10 >

301 - 400 of 8820 matches

Mail list logo