Windows registry entry missing on Tomcat Silent install - 9.0.20
Hi All,

I am using Tomcat 9.0.20. I am installing Tomcat silently from a PowerShell script. But after the silent installation, the registry entry mentioned below does not seem to be added. I am passing a config ini file to the Tomcat installer with the /C option. This issue is only present when I pass the /C parameter. When I don't pass the parameter, the registry entry seems to be added correctly in the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Tomcat\9.0

apache-tomcat-9.0.20.exe /C=< tomcatConfig.ini file path> /S /D=

Below is the entry present in tomcatConfig.ini:

JavaHome=$javaHomeEnv

Has anyone encountered this issue?

Thanks
Pradeep

DISCLAIMER: This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Opinions, conclusions and other information in this transmission that do not relate to the official business of QuEST Global and/or its subsidiaries, shall be understood as neither given nor endorsed by it. Any statements made herein that are tantamount to contractual obligations, promises, claims or commitments shall not be binding on the Company unless followed by written confirmation by an authorized signatory of the Company.
Re: Reg : Parameter Filters
On 05.09.2019 20:58, Christopher Schultz wrote:
> Praveen,
>
> On 9/5/19 05:07, praveen kumar wrote:
>> Hello, I am working with an application called geoserver which works on Apache Tomcat server. Just for an idea for those who do not know, geoserver is an application that serves web map services. When I am calling this service I will be providing a few parameters about the map like layer name, height, width and so on. Now my requirement is to restrict the values passed to these parameters. For example, for WIDTH it should only consider an integer; a request having a string for WIDTH should not reach my application. I am looking for some redirect rules but I could not succeed. It would be great if someone can help or guide me on this.
>
> LOL this service doesn't actually sanitize its input? Yikes.
>
> The good news is that you can do this in a few ways.
>
> You have 3 options that I can see:
>
> 1. Use a redirect filter
> 2. Use a reverse-proxy like Apache with some filtering configured
> 3. Write it yourself
>
> In order to use a redirect filter, you will have to:
>
> a. Choose a redirect filter (e.g. Tomcat's rewrite[1] or Tuckey's urlrewrite[2])
> b. Configure it with a file. The configuration depends upon which filter you choose
> c. Bundle that filter+config with the application
>
> In order to use a reverse proxy, you'll need to:
>
> a. Choose a reverse proxy (e.g. Apache httpd, nginx, Squid, etc.)
> b. Configure it properly (which depends upon your choice in (a) above)
>
> In order to write it yourself, you will have to:
>
> a. Write a servlet filter in Java
> b. Package that filter into the application
> c. Install that filter into the filter-chain by modifying the application's WEB-INF/web.xml file
>
> Do you have a preference?
>
> -chris

+1, but I would have to add that first of all, Praveen should have a clear idea of /what he thinks should happen/ if one of the request parameters does not meet expectations.

Saying that "the request should not make it to the application" is one thing, but what do you want to happen instead?
Re: Reg : Parameter Filters
Praveen,

On 9/6/19 06:25, praveen kumar wrote:
> Thanks for the quick response and information. Christopher, I tried the first option you mentioned from the following reference and tried to redirect to a customized error page instead of letting the geoserver application spit the exception. But maybe I missed something in the implementation that did not work.
>
> 1. Copied urlrewritefilter-4.0.3.jar to Web-inf/lib
>
> 2. urlrewrite.xml in web-inf directory
>
> operator="equal"> WIDTH=[^0-9]+ type="redirect">error.html

You are mapping from an expression when this needs to map from a URL. The regex should be in the like this:

WIDTH=[^0-9]+

Note that this doesn't allow the WIDTH parameter to be empty. Is that okay? It also allows (probably?) invalid input such as "WIDTH=10xyz". You will need a more complicated regular expression pattern to get the job done properly.

Try changing your configuration to:

WIDTH=[^0-9]+
/path/to/protected/servlet/mapping
error.html

> And 3. in web.xml
>
> PARTIAL_BUFFER_STRATEGY_SIZE 50
> UrlRewriteFilter org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
> confPath /WEB-INF/urlrewrite.xml
> UrlRewriteFilter /* REQUEST FORWARD
> ...

Consider only mapping the url-rewrite filter to those URL patterns you actually plan on protecting. Since this is all very explicit, and regular expression evaluation is expensive, you only want to execute those checks on very specific URL patterns.

> André Warnier, I would like to redirect such invalid requests to a dummy error page which does nothing. I hope this can be done to just drop the invalid requests.

Then I think you want:

null

Hope that helps,
-chris
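Option 3 above ("write it yourself"), as an added example that is not part of this thread, of geoserver, or of UrlRewriteFilter: a javax.servlet filter for Tomcat 9 that validates WIDTH and HEIGHT against the parsed request parameters rather than a regex over the query string, so the empty value and the "WIDTH=10xyz" case that slip past `WIDTH=[^0-9]+` are both rejected before the request reaches the application. The parameter names, the five-digit cap, the 400 response and the /wms/* mapping are assumptions.

```java
// Added example (not code from the thread or from geoserver): a self-written
// servlet filter that rejects requests whose integer parameters are malformed.
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class IntegerParameterFilter implements Filter {

    // Parameters that must be unsigned integers (assumed list; names are
    // compared case-insensitively, so "width" and "WIDTH" are both checked).
    private static final String[] INTEGER_PARAMS = {"WIDTH", "HEIGHT"};

    // Whole-value match of 1 to 5 digits. Unlike WIDTH=[^0-9]+ over the raw
    // query string this rejects "", "10xyz", "-1" and " 10", and the length
    // cap keeps an absurd render size from reaching the application.
    private static final Pattern UNSIGNED_INT = Pattern.compile("[0-9]{1,5}");

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String bad = firstInvalidParameter(request.getParameterMap());
        if (bad != null) {
            // Stop here: the request never reaches the application. A 400 is
            // returned instead of a redirect so the client and the access log
            // both record why it was dropped.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Parameter " + bad + " must be an unsigned integer");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Returns the name of the first checked parameter that has any invalid
     * value, or null when all values are valid. Every occurrence is checked,
     * because getParameter() would only return the first value of a
     * repeated parameter.
     */
    static String firstInvalidParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            for (String name : INTEGER_PARAMS) {
                if (!entry.getKey().equalsIgnoreCase(name)) {
                    continue;
                }
                for (String value : entry.getValue()) {
                    if (!isUnsignedInt(value)) {
                        return entry.getKey();
                    }
                }
            }
        }
        return null;
    }

    /** matches() requires the whole string to match, unlike find(). */
    static boolean isUnsignedInt(String value) {
        return value != null && UNSIGNED_INT.matcher(value).matches();
    }
}

/* web.xml registration, mapped only to the path being protected (assumed
   to be /wms/*), as advised above rather than to /*:

   <filter>
     <filter-name>IntegerParameterFilter</filter-name>
     <filter-class>IntegerParameterFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>IntegerParameterFilter</filter-name>
     <url-pattern>/wms/*</url-pattern>
   </filter-mapping>
*/
```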
APR libs present but not found
Hello,

I installed the following RPMs via Yum for OpenSSL support on RHEL 7.4:

apr.i686 1.4.8-3.el7_4.1
apr.x86_64 1.4.8-3.el7_4.1
apr-devel.i686 1.4.8-3.el7_4.1
apr-devel.x86_64 1.4.8-3.el7_4.1

When I test with Tomcat 7.x or 9.x the log notes the APR native libs could not be found in the java library path, when they are in the java library path located at /lib64 and /lib in the OS file system.

What am I missing?

Regards
-John
RE: SSO fails on Tomcat 9
Thank you André for this analysis. I am an Oracle developer and I understand most of the reasoning in your answer, but I need to chew on it for some time and seek help in our organization for Kerberos knowledge.

Our application first only had a database authentication and over time more and more customers required SSO. So I configured Tomcat with Spnego based on an Oracle blog, and that worked fine in Tomcat 7 and 8. But now some customers want to upgrade to Tomcat 9.

The application only uses the HTTP variable :REMOTE_USER to decide if there is a SSO configuration present and if so links the Windows user to an application user, and else the user has to login against the database to authenticate.

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T +31 88 247 1444
E heidi.duver...@unit4.com

This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Friday 6 September 2019 12:15
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9
Re: APR libs present but not found
John,

On 9/6/19 16:51, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Hello,
>
> I installed the following RPMs via Yum for OpenSSL support
>
> RHEL 7.4
> apr.i686 1.4.8-3.el7_4.1
> apr.x86_64 1.4.8-3.el7_4.1
> apr-devel.i686 1.4.8-3.el7_4.1
> apr-devel.x86_64 1.4.8-3.el7_4.1
>
> When I test with Tomcat 7.x or 9.x the log notes the APR native libs could not be found in the java library path, when they are in the java library path located at /lib64 and /lib in the OS file system.
>
> What am I missing?

Can you post the startup log where Tomcat says it "cannot find the APR library"? It should include the set of paths it's checking for those files.

Note that both the APR connector AND the OpenSSL-based JSSE connector require both libtcnative and libapr in the library path.

-chris
Re: Reg : Parameter Filters
Thanks for the quick response and information.

Christopher, I tried the first option you mentioned from the following reference and tried to redirect to a customized error page instead of letting the geoserver application spit the exception. But maybe I missed something in the implementation that did not work.

1. Copied urlrewritefilter-4.0.3.jar to Web-inf/lib

2. urlrewrite.xml in web-inf directory

WIDTH=[^0-9]+ error.html

And 3. in web.xml

PARTIAL_BUFFER_STRATEGY_SIZE 50
UrlRewriteFilter org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
confPath /WEB-INF/urlrewrite.xml
UrlRewriteFilter /* REQUEST FORWARD
...

André Warnier, I would like to redirect such invalid requests to a dummy error page which does nothing. I hope this can be done to just drop the invalid requests.

Thanks again
RE: SSO fails on Tomcat 9
Hello Mark,

That helps somewhat: my browser now shows the login page for our application, BUT I do not get my username in the HTTP variable REMOTE_USER but the principal keytab-related name. So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM

To be complete, this is the keytab creation statement issued by our AD admin:

ktpass /out c:\Temp\tomcat.keytab /mapuser decade_sso...@u4agr.com /princ HTTP/nlsl-decadetst.u4agr@u4agr.com /pass "" /kvno 0 -ptype KRB5_NT_PRINCIPAL

Kind regards,
Heidi Leerink - Duverger
Technical Consultant
Unit4 Business Software Netherlands B.V.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday 6 September 2019 11:55
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9
Re: SSO fails on Tomcat 9
On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr shows in Tomcat 8 hduverge authenticated and in Tomcat 9 not authenticated.
> I'm lost now, I have no ideas left where to look for differences or how to find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm configuration rather than with SPNEGO. I think you have been caught out by this change:

https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark

> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T +31 88 247 1444
> E heidi.duver...@unit4.com
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Heidi,
>
> I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and 9.0.x.
>
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
>
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing), 9.0.24 (from the tag)
>
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical while I vary the Tomcat binary (CATALINA_HOME) to use.
>
> It looks like there is something not quite right with the Tomcat 9 configuration.
>
> You could try adding:
>
> -Dsun.security.spnego.debug=true
>
> in setenv.bat. That might provide some insight although I've had mixed experience using that to debug SPNEGO issues in the past.
>
>>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict than the Tomcat 8 implementation was...
>
> I haven't found any evidence to support the above conclusion at this point. All the evidence so far (diff of the relevant code and my own test environment) points to a configuration difference in your Tomcat 9 installation.
>
> You mentioned starting and stopping services. I wondered if the change of default user from "Local System" to "Local Service" had triggered this issue but that makes no difference.
>
> Looking at your log files in more detail, I do notice a few things:
>
> -Djava.security.krb5.ini=...
>
> The above system property is incorrect. It should be:
>
> -Djava.security.krb5.conf=...
>
> It won't impact your environment because it appears to be set to the default. This affects both Tomcat 8 and Tomcat 9.
>
> The conf\krb5.ini does not specify the keytab file. In the config files in the Tomcat docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
>
> The debug logs for the authentication processes look very different. That strongly suggests that the configurations are not the same. I would concentrate on comparing the configuration of the two systems.
>
> Mark
Re: SSO fails on Tomcat 9
Hi Heidi. We have kind of a conundrum here : - Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) authentication under both tomcat8 and tomcat9, using the standard instructions provided in the respective on-line tomcat documentation pages, and reported that it works in both cases. - You report that your installation works with tomcat8, but not with tomcat9, and that you are using the same infrastructure and the same parameters in both cases. (Someone else also reported a case with problems with tomcat9). - The description of your problem (and the tomcat9 logfiles) seems to indicate a problem with the Kerberos "pre-authentication". (These lines of the log : >>>KRBError: ... error code is 25 error Message is Additional pre-authentication required ) And based on my own previous experience with Windows authentication in general (but not Kerberos), it is also my impression that your problem is at the Kerberos level, not really at the tomcat level. I have looked for "Kerberos Additional pre-authentication required" in the www, and despite the fact that I do not really know Kerberos, it seems that the error message above indicates that your browser and the server cannot even agree between them, to actually start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication. (And that may be why you see a single 401 response in your logs, and why SPNEGO immediately concludes that the user is not authenticated). (There are also lines in that logfile, which seem to hint at some DNS (name resolution) issue, but that may be a false alarm or a secondary issue). One way to reconcile the above conflicting information, would be if for example some SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some value in your case, and a different value in Mark's case. (Or vice-versa, that you are specifying a value, and Mark is using the default, and the result is not the same.) 
Another possibility would be that the available (or default) encryption methods are different between tomcat8 and tomcat9 (or between different browsers), and that in your case and Mark's, the browser and the server arrive at different encryption choices and cannot agree on a common one. It may be useful for you and Mark to compare in detail the settings which you use for the SPNEGO Valve (and/or for encryption?).

Another very vague (and maybe wrong) suspicion that I would have is based on some questions:
- does the tomcat hostname play a role in the Kerberos authentication?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, whose result may be different under tomcat8 and tomcat9 in some circumstances?

On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:

Hello Mark,

I have spent a lot of time comparing both T8 and T9 installations on the nsl-decadetst.u4agr.com PC. Sorry, but I can't find a major difference in the conf files, apart from differences Tomcat itself came with in the conf files. The stdout is mainly the same, and the stderr shows in Tomcat 8 hduverge authenticated and in Tomcat 9 not authenticated. I'm lost now; I have no ideas left where to look for differences or how to find a solution for this major issue.

Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

With kind regards from
Heidi Leerink - Duverger
Technical Consultant
Unit4 Business Software Netherlands B.V.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday 4 September 2019 11:09
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Heidi,

I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and 9.0.x. The test environment was as per:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest
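The detailed side-by-side comparison of SPNEGO settings suggested above can be scripted. This is an added example, not code from the thread or from Tomcat: it assumes the authenticator is configured as a Valve element in a context or server XML file, and the two XML documents (and their attribute values) are constructed samples, not the poster's files.

```python
"""Added example: diff the attributes of the SPNEGO authenticator Valve between
two Tomcat XML configurations, so that a setting given explicitly on one side
but left to its default on the other stands out."""
import xml.etree.ElementTree as ET

# Constructed sample: a Valve with two explicit attributes (say, the Tomcat 8 side).
CONFIG_A = """<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         storeDelegatedCredential="true"
         loginConfigName="com.sun.security.jgss.krb5.accept" />
</Context>"""

# Constructed sample: the same Valve with one attribute omitted (say, the Tomcat 9 side).
CONFIG_B = """<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         loginConfigName="com.sun.security.jgss.krb5.accept" />
</Context>"""


def spnego_valves(xml_text):
    """Return the attribute dict of every Valve whose className mentions Spnego."""
    root = ET.fromstring(xml_text)
    return [dict(v.attrib) for v in root.iter("Valve")
            if "Spnego" in v.get("className", "")]


def diff_settings(xml_a, xml_b):
    """Map attribute name -> (value in A or None, value in B or None) for every
    attribute whose presence or value differs between the first SPNEGO Valve
    found in each file. None means the attribute is absent, i.e. Tomcat
    applies its built-in default on that side."""
    a = (spnego_valves(xml_a) or [{}])[0]
    b = (spnego_valves(xml_b) or [{}])[0]
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for name, (va, vb) in diff_settings(CONFIG_A, CONFIG_B).items():
        side = "A" if vb is None else "B" if va is None else "neither"
        print(f"{name}: A={va!r} B={vb!r} (default used on side: {side})")
```

Run it against the real context.xml or server.xml of each installation by replacing the two constructed strings with the file contents.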
Re: Tomcat doesn't refresh and still gives me an old error again and again
On Thursday, September 5, 2019, 9:47:40 PM GMT+8, Mark Thomas wrote:

Personally, I gave up on using Tomcat and Eclipse in this way a long time ago. It is a little more work but I run a completely separate Tomcat instance and then use the "Export...", "WAR file" option to deploy the latest version of my webapp to the external Tomcat instance and then let Tomcat's auto-deploy take care of things.

Hi Mark,

This is completely new to me. When you said use the "Export", are you referring to the Export inside Eclipse? How do you debug without Eclipse then?

Apart from those times where I've managed to export to the wrong Tomcat instance (entirely my own fault) I've never had an issue. As an added bonus it makes it easy to debug into the Tomcat code when I need to, but I accept that that is something a Tomcat developer is going to want to do rather more frequently than someone developing a web app.

Mark

> Karen,
>
> On 9/4/19 10:45, Karen Goh wrote:
>> On Wednesday, September 4, 2019, 9:32:43 PM GMT+8, Dave Thorn wrote:
>
>> On Wed, Sep 04, 2019 at 01:21:11PM +, Karen Goh wrote:
>
>>> I am facing this problem - that Tomcat 9.0.24 doesn't refresh and it will give me an error, even after I commented out a line. But, after several cleanings - using Tomcat Directory clean, right-click on the project in Eclipse and do a run maven force update and project build - it will still give me an error that points to a commented-out line.
>
>> Do you have a tomcat/work directory? ISTR sometimes having to
>> rm -rf /var/cache/tomcat/work/Catalina/localhost/{webappname}
>
>> Could you let me know how to do it the Windows 10 way? Sorry for the trouble cos basically most of my stuff is still using Windows 10
>
> C:> DEL /S %CATALINA_BASE%\work\Catalina\localhost\{webappname}
>
> Or just navigate Windows Explorer to the "work" directory and press the "DELETE" key on your keyboard.
>
> Hi Chris,
>
> Just to clarify, so instead of doing the clean, I will have to go to this place - C:\Program Files\Apache\apache-tomcat-9.0.24\webapps\webappname - and delete webappname?
>
> I happened to read this
> https://stackoverflow.com/questions/763693/where-is-the-work-directory-located-for-a-tomcat-instance-running-in-eclipse
>
> I checked the location when I right-clicked the Tomcat instance; it says metadata, so should I delete the metadata one? My Tomcat configuration is "take control of Tomcat installation".
>
> Kindly advise. And thanks for your help.
>
> -chris