Setting java.protocol.handler.pkgs for Tomcat
Tomcat 9.0.71

I need to use a custom protocol handler. I set JAVA_OPTS to:

-Djava.protocol.handler.pkgs=com.ibm.crypto.provider

My JAVA_OPTS setting, however, is ignored. This is due to catalina.sh containing

JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"

The result of catalina.sh is that the JVM has two -Djava.protocol.handler.pkgs settings: first the custom protocol, then org.apache.catalina.webresources. The net result is that Tomcat is started with -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.

1. What is the best way of setting java.protocol.handler.pkgs other than modifying catalina.sh?
2. Do I need to set java.protocol.handler.pkgs to just my custom handler, or should it be set to a concatenation of custom + org.apache.catalina.webresources?
3. If a concatenation of handlers is required, what is the syntax?

thank you

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze
Re: Setting java.protocol.handler.pkgs for Tomcat
Many thanks Mark for the answers - appreciated.

Just to be clear, I am running 9.0.71 simply by invoking startup.sh (currently testing). I am not running embedded. I am not too sure therefore about the "Call org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)". Could you please explain further?

thanks again

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Fri, 20 Jan 2023 at 11:01, Mark Thomas wrote:
>
> On 20/01/2023 09:53, Dave Breeze wrote:
> > Tomcat 9.0.71
> >
> > I need to use a custom protocol handler. I set JAVA_OPTS to:
> >
> > -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >
> > My JAVA_OPTS setting, however, is ignored. This is due to catalina.sh
> > containing
> >
> > JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >
> > The result of catalina.sh is that the JVM has two -Djava.protocol.handler.pkgs
> > settings: first the custom protocol, then org.apache.catalina.webresources.
> > The net result is that Tomcat is started with
> > -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >
> > 1. What is the best way of setting java.protocol.handler.pkgs other than
> > modifying catalina.sh
>
> Call
> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)
> to add your custom handler.
>
> > 2. Do I need to set java.protocol.handler.pkgs to just my custom handler
> > or should it be set to a concatenation of
> > custom + org.apache.catalina.webresources
>
> If you do it that way, it needs to be both.
>
> > 3. If a concatenation of handlers is required, what is the syntax
>
> | delimited
>
> Mark
Re: Setting java.protocol.handler.pkgs for Tomcat
Thanks again Mark

I have no access to the source for the webapp.

What I was thinking was that if in catalina.sh the line:

JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"

was simply re-ordered to

JAVA_OPTS="-Djava.protocol.handler.pkgs=org.apache.catalina.webresources $JAVA_OPTS"

then users could use JAVA_OPTS to set the value.

thanks

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Fri, 20 Jan 2023 at 12:17, Mark Thomas wrote:
>
> On 20/01/2023 11:18, Dave Breeze wrote:
> > Many thanks Mark for the answers - appreciated.
> >
> > Just to be clear, I am running 9.0.71 simply by invoking startup.sh
> > (currently testing). I am not running embedded. I am not too sure
> > therefore about the "Call
> > org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)".
> > Could you please explain further?
>
> You'd need to call it from your application code (probably a
> ServletContextListener).
>
> Alternatively, you could write a Tomcat level LifecycleListener to add
> it if the JAR with the handler is in $CATALINA_BASE/lib
>
> Hmm. It looks like we can remove this in Tomcat 10 onwards and use the
> ServiceLoader mechanism. (OK, may need to deprecate this in 10 and
> remove it in Tomcat 11).
>
> Mark
>
> > thanks again
> > Dave Breeze
> > Linkedin: https://uk.linkedin.com/in/dabreeze
> >
> > On Fri, 20 Jan 2023 at 11:01, Mark Thomas wrote:
> >>
> >> On 20/01/2023 09:53, Dave Breeze wrote:
> >>> Tomcat 9.0.71
> >>>
> >>> I need to use a custom protocol handler. I set JAVA_OPTS to:
> >>>
> >>> -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >>>
> >>> My JAVA_OPTS setting, however, is ignored. This is due to catalina.sh
> >>> containing
> >>>
> >>> JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>>
> >>> The result of catalina.sh is that the JVM has two -Djava.protocol.handler.pkgs
> >>> settings: first the custom protocol, then org.apache.catalina.webresources.
> >>> The net result is that Tomcat is started with
> >>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >>>
> >>> 1. What is the best way of setting java.protocol.handler.pkgs other than
> >>> modifying catalina.sh
> >>
> >> Call
> >> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)
> >> to add your custom handler.
> >>
> >>> 2. Do I need to set java.protocol.handler.pkgs to just my custom handler
> >>> or should it be set to a concatenation of
> >>> custom + org.apache.catalina.webresources
> >>
> >> If you do it that way, it needs to be both.
> >>
> >>> 3. If a concatenation of handlers is required, what is the syntax
> >>
> >> | delimited
> >>
> >> Mark
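The listener route Mark describes above, worked through as an added example (this is not code from the thread or from Tomcat; the class and package names and the "packages" attribute are my own). It is a server-level LifecycleListener, declared in server.xml as <Listener className="com.example.tomcat.UrlHandlerPackagesListener" packages="com.ibm.crypto.provider"/> and placed, together with the JAR that carries the handler classes, in $CATALINA_BASE/lib so the common class loader can see both. Rather than hard-coding one vendor's handler it registers a URLStreamHandlerFactory that resolves handlers by the same convention java.protocol.handler.pkgs uses, a class named <prefix>.<protocol>.Handler, so any handler written for that property works without touching catalina.sh, and the "|"-delimited syntax from Mark's third answer carries over unchanged. Two details matter for correctness: java.net.URL caches the handler it finds per protocol, so the registration must happen before the first URL of that scheme is constructed (BEFORE_INIT of the Server is early enough), and Tomcat's factory consults user factories only after its own war and classpath handlers, which is consistent with Mark's remark that the Tomcat handler has to be first.

```java
package com.example.tomcat; // hypothetical package for this example

import java.net.URLStreamHandler;
import java.net.URLStreamHandlerFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Registers extra URL protocol handlers with Tomcat's own URLStreamHandlerFactory.
 * Declared under <Server> in server.xml; Tomcat's digester feeds the "packages"
 * attribute to setPackages(). Value syntax matches java.protocol.handler.pkgs:
 * "|"-separated package prefixes, handler class = <prefix>.<protocol>.Handler.
 */
public class UrlHandlerPackagesListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(UrlHandlerPackagesListener.class);

    private String packages = "";

    public String getPackages() {
        return packages;
    }

    public void setPackages(String packages) {
        this.packages = packages == null ? "" : packages;
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Run once, before anything has had a chance to construct a URL with the
        // custom scheme (java.net.URL caches the handler per protocol).
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        List<String> prefixes = new ArrayList<>();
        for (String p : packages.split("\\|")) {
            if (!p.trim().isEmpty()) {
                prefixes.add(p.trim());
            }
        }
        if (prefixes.isEmpty()) {
            log.warn("No handler packages configured; nothing registered");
            return;
        }
        // register() installs Tomcat's factory with the JVM (a no-op if already done).
        // It returns false if registration was disabled or another factory got there
        // first, in which case user factories are never consulted.
        if (!TomcatURLStreamHandlerFactory.register()) {
            log.warn("TomcatURLStreamHandlerFactory is not registered with the JVM; "
                    + "custom protocol handlers will not be used");
        }
        TomcatURLStreamHandlerFactory.getInstance()
                .addUserFactory(new PackagePrefixHandlerFactory(prefixes));
        log.info("Registered URL handler package prefixes " + prefixes);
    }

    /** Resolves <prefix>.<protocol>.Handler, the lookup the JDK performs for java.protocol.handler.pkgs. */
    static final class PackagePrefixHandlerFactory implements URLStreamHandlerFactory {

        private final List<String> prefixes;

        PackagePrefixHandlerFactory(List<String> prefixes) {
            this.prefixes = prefixes;
        }

        @Override
        public URLStreamHandler createURLStreamHandler(String protocol) {
            String proto = protocol.toLowerCase(Locale.ROOT);
            ClassLoader loader = PackagePrefixHandlerFactory.class.getClassLoader();
            for (String prefix : prefixes) {
                String className = prefix + "." + proto + ".Handler";
                try {
                    Class<?> clazz = Class.forName(className, true, loader);
                    return (URLStreamHandler) clazz.getDeclaredConstructor().newInstance();
                } catch (ReflectiveOperationException | ClassCastException | LinkageError e) {
                    // This prefix does not provide the protocol; try the next one.
                }
            }
            return null; // unknown here: Tomcat and then the JDK fall back to their own handlers
        }
    }
}
```

If the JAVA_OPTS route is used instead, the value has to name both prefixes, e.g. -Djava.protocol.handler.pkgs=com.ibm.crypto.provider|org.apache.catalina.webresources, and because the JVM keeps the last of several -D definitions of the same property, that only takes effect if catalina.sh no longer appends its own definition afterwards, which is the re-ordering proposed above.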
Re: Tomcat client certificate authentication
Thanks Chris

The application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening.

I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured it using X509UsernameRetrieverClassName, but it was never called. In my servlet, however, I can retrieve the certificates.

thanks for your help

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
>
> Dave,
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > This is Tomcat 9.0 running embedded.
> >
> > I am trying to authorize access by client certificate. I want the
> > servlet response to be tailored to the user's role. In other words I
> > am not looking to deny access by role.
> >
> > The connector has sslCon.setProperty("clientAuth", "required");
> > The context has a config file set
> > serverAppContext.setConfigFile(contextURL);
> > The config file contains
> >
> > debug="9"
> > pathname="/var/CartS3Server/cartapp/users.xml"/>
> >
> > users.xml contains
> >
> > roles="cart-admin"/>
> >
> > Certificates are imported into the browser and the browser prompts for
> > cert selection.
> >
> > There are no security constraints on the app's web.xml.
> >
> > In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > This always fails. Also a req.getUserPrincipal() call always returns
> > null. The request does not seem to be authenticated.
> >
> > Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> > req.getAttribute("javax.servlet.request.X509Certificate") correctly
> > returns both the certificate from the browser plus the Cert Auth. A
> > getSubjectX500Principal().getName() call on the browser certificate
> > returns the cn/o/ou setting that should match with users.xml.
> >
> > What am I missing here?
>
> If the application does not request authentication, Tomcat will not
> perform it on behalf of the application. If you want a Principal and to
> be able to check roles, etc. then you'll need to request CLIENT-CERT
> authentication in web.xml (or the embedded equivalent).
>
> -chris
Tomcat client certificate authentication
hi

This is Tomcat 9.0 running embedded.

I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains

users.xml contains

Certificates are imported into the browser and the browser prompts for cert selection.

There are no security constraints on the app's web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.

Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.

What am I missing here?

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze
Re: Setting java.protocol.handler.pkgs for Tomcat
thanks

I have just done a quick and dirty test - I found a Tomcat launcher code I did as an exercise - quickly modified it to set the handler to a concatenation. Tomcat launches correctly and uses the IBM safkeyring.

thanks again

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Fri, 20 Jan 2023 at 15:55, Thomas Meyer wrote:
> The reason was class loader issues
>
> Am 20. Januar 2023 13:37:11 MEZ schrieb Mark Thomas:
> > From memory, there is a reason the Tomcat handler has to be first. I
> > forget exactly why that is. I'd need to dig into this some more (and I have
> > my hands full working on the RFC 9128 implementation at the moment).
> >
> > In your case, it looks like a custom LifecycleListener would work. In
> > terms of changes to Tomcat, I'd lean more towards a Tomcat specific system
> > property you could use instead of java.protocol.handler.pkgs
> > for Tomcat 8.5.x - 10.1x with the whole lot being replaced by a
> > ServiceLoader in 11.0.x
> >
> > Mark
> >
> > On 20/01/2023 12:28, Dave Breeze wrote:
> >> Thanks again Mark
> >> I have no access to the source for the webapp.
> >> What I was thinking was that if in catalina.sh the line:
> >>
> >> JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>
> >> was simply re-ordered to
> >>
> >> JAVA_OPTS="-Djava.protocol.handler.pkgs=org.apache.catalina.webresources $JAVA_OPTS"
> >>
> >> then users could use JAVA_OPTS to set the value.
> >>
> >> thanks
> >>
> >> Dave Breeze
> >> Linkedin: https://uk.linkedin.com/in/dabreeze
> >>
> >> On Fri, 20 Jan 2023 at 12:17, Mark Thomas wrote:
> >>>
> >>> On 20/01/2023 11:18, Dave Breeze wrote:
> >>>> Many thanks Mark for the answers - appreciated.
> >>>>
> >>>> Just to be clear, I am running 9.0.71 simply by invoking startup.sh
> >>>> (currently testing). I am not running embedded. I am not too sure
> >>>> therefore about the "Call
> >>>> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)".
> >>>> Could you please explain further?
> >>>
> >>> You'd need to call it from your application code (probably a
> >>> ServletContextListener).
> >>>
> >>> Alternatively, you could write a Tomcat level LifecycleListener to add
> >>> it if the JAR with the handler is in $CATALINA_BASE/lib
> >>>
> >>> Hmm. It looks like we can remove this in Tomcat 10 onwards and use the
> >>> ServiceLoader mechanism. (OK, may need to deprecate this in 10 and
> >>> remove it in Tomcat 11).
> >>>
> >>> Mark
> >>>
> >>>> thanks again
> >>>> Dave Breeze
> >>>> Linkedin: https://uk.linkedin.com/in/dabreeze
> >>>>
> >>>> On Fri, 20 Jan 2023 at 11:01, Mark Thomas wrote:
> >>>>>
> >>>>> On 20/01/2023 09:53, Dave Breeze wrote:
> >>>>>> Tomcat 9.0.71
> >>>>>>
> >>>>>> I need to use a custom protocol handler. I set JAVA_OPTS to:
> >>>>>>
> >>>>>> -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >>>>>>
> >>>>>> My JAVA_OPTS setting, however, is ignored. This is due to catalina.sh
> >>>>>> containing
> >>>>>>
> >>>>>> JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>>>>>
> >>>>>> The result of catalina.sh is that the JVM has two -Djava.protocol.handler.pkgs
> >>>>>> settings: first the custom protocol, then org.apache.catalina.webresources.
> >>>>>> The net result is that Tomcat is started with
> >>>>>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >>>>>>
> >>>>>> 1. What is the best way of setting java.protocol.handler.pkgs other than
> >>>>>> modifying catalina.sh
Re: Tomcat client certificate authentication
Chris

thanks for your mail

Apologies for confusion. Yes, I am requesting certificates - sslCon.setProperty("clientAuth", "required") - and a user can only connect by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a servlet restricted to a role - I need the servlet to respond differently based on role.

What I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security product native to the platform on which Tomcat is running.

Thanks for your help.

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks Chris
> > the application is requesting certificate authentication - and this is
> > working - it is just the mapping of users to roles that is not
> > happening
>
> No, the server is requesting the certificate information; the
> application is not. From your original posting:
>
> > On 1/28/23 09:28, Dave Breeze wrote:
> > There are no security constraints on the apps web.xml.
>
> With no security constraints, the application is not requesting
> authentication. Tomcat therefore does not provide any "authentication
> information" to the application. If the client sends a certificate
> (which is happening at the request of the /server/), then Tomcat will
> forward that certificate information to the application. But it will not
> use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > configured using X509UsernameRetrieverClassName but it was never
> > called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication
> if you want Tomcat to parse that cert chain for you, populate the user
> principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> >>
> >> Dave,
> >>
> >> On 1/28/23 09:28, Dave Breeze wrote:
> >>> This is Tomcat 9.0 running embedded.
> >>>
> >>> I am trying to authorize access by client certificate. I want the
> >>> servlet response to be tailored to the user's role. In other words I
> >>> am not looking to deny access by role.
> >>>
> >>> The connector has sslCon.setProperty("clientAuth", "required");
> >>> The context has a config file set
> >>> serverAppContext.setConfigFile(contextURL);
> >>> The config file contains
> >>>
> >>> debug="9"
> >>> pathname="/var/CartS3Server/cartapp/users.xml"/>
> >>>
> >>> users.xml contains
> >>>
> >>> roles="cart-user"/>
> >>> roles="cart-admin"/>
> >>>
> >>> Certificates are imported into the browser and the browser prompts for
> >>> cert selection.
> >>>
> >>> There are no security constraints on the app's web.xml.
> >>>
> >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> >>> This always fails. Also a req.getUserPrincipal() call always returns
> >>> null. The request does not seem to be authenticated.
> >>>
> >>> Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> >>> req.getAttribute("javax.servlet.request.X509Certificate") correctly
> >>> returns both the certificate from the browser plus the Cert Auth. A
> >>> getSubjectX500Principal().getName() call on the browser certificate
> >>> returns the cn/o/ou setting that should match with users.xml.
> >>>
> >>> What am I missing here?
> >>
> >> If the application does not request authentication, Tomcat will not
> >> perform it on behalf of the application. If you want a Principal and to
> >> be able to check roles, etc. then you'll need to request CLIENT-CERT
> >> authentication in web.xml (or the embedded equivalent).
> >>
> >> -chris
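The "embedded equivalent" Chris refers to, as an added example (not code from the thread or from Tomcat). It keeps the poster's own pieces, a connector with clientAuth=required, a MemoryRealm over /var/CartS3Server/cartapp/users.xml and the roles cart-admin and cart-user, and adds the two things the application was missing: a CLIENT-CERT login config with the SSLAuthenticator valve, and a security constraint that covers the whole app. The constraint uses the Servlet 3.1 role name "**", which grants any authenticated user, so nobody is locked out by role and the servlet can still branch on isUserInRole("cart-admin"). Keystore and truststore paths, their environment-variable passwords, the base directory and port are placeholders. One caveat worth checking before blaming the realm: MemoryRealm matches the username attribute in users.xml against the string Tomcat derives from the certificate, which by default is cert.getSubjectDN().getName() (a ", "-separated legacy form) rather than getSubjectX500Principal().getName() (RFC 2253, no spaces), so log the former once from the servlet and use exactly that value; a custom X509UsernameRetriever, set through realm.setX509UsernameRetrieverClassName(...), is only invoked once the authenticator actually runs, which is why it was never called in the original configuration.

```java
import java.io.File;

import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

/**
 * Embedded Tomcat 9 in which the application *requests* CLIENT-CERT
 * authentication, so Tomcat turns the client certificate into a Principal
 * with roles from users.xml. Paths, port and passwords are placeholders.
 */
public class ClientCertEmbedded {

    public static Tomcat build() {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(new File("/var/CartS3Server/work").getAbsolutePath()); // placeholder scratch dir

        // TLS connector that demands a client certificate (the poster's setting).
        Connector ssl = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        ssl.setPort(8443);
        ssl.setScheme("https");
        ssl.setSecure(true);
        ssl.setProperty("SSLEnabled", "true");
        ssl.setProperty("clientAuth", "required");
        ssl.setProperty("keystoreFile", "/etc/cartapp/server.p12");            // placeholder
        ssl.setProperty("keystorePass", System.getenv("CART_KEYSTORE_PASS"));  // placeholder
        ssl.setProperty("truststoreFile", "/etc/cartapp/client-ca.p12");        // placeholder: CA of the client certs
        ssl.setProperty("truststorePass", System.getenv("CART_TRUSTSTORE_PASS"));
        tomcat.getService().addConnector(ssl);

        Context ctx = tomcat.addWebapp("/cartapp",
                new File("/var/CartS3Server/cartapp").getAbsolutePath());

        // Realm from the post. Each <user username="..."> must equal the string
        // Tomcat derives from the cert: by default cert.getSubjectDN().getName().
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);

        // 1. Request authentication: CLIENT-CERT login config plus the matching
        //    authenticator valve. ContextConfig adds the valve itself when it finds
        //    a login config and no authenticator; adding it here is harmless with
        //    addWebapp() and required with Tomcat.addContext().
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", null, null, null));
        ctx.getPipeline().addValve(new SSLAuthenticator());

        // 2. A constraint with an auth-constraint is what makes the authenticator
        //    run. "**" = any authenticated user (Servlet 3.1), so no role is required
        //    to reach the servlet; role checks stay inside the servlet.
        SecurityCollection everything = new SecurityCollection();
        everything.setName("whole-app");
        everything.addPattern("/*");
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(everything);
        constraint.setAuthConstraint(true);      // addAuthRole("**") does not set this by itself
        constraint.addAuthRole("**");
        constraint.setUserConstraint("CONFIDENTIAL"); // TLS only
        ctx.addConstraint(constraint);

        // Roles the servlet queries via isUserInRole(); same as <security-role> in web.xml.
        ctx.addSecurityRole("cart-admin");
        ctx.addSecurityRole("cart-user");
        return tomcat;
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = build();
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

With this in place req.getUserPrincipal() is non-null for every request that presented a certificate the truststore accepts and whose derived username exists in users.xml; a certificate that passes the TLS handshake but has no users.xml entry is rejected by the authenticator with 401, which is the behaviour to expect rather than a null principal.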
Embedded Tomcat common classloader
on loader not finding this class?

many thanks

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze
Re: Embedded Tomcat common classloader
Thanks Mark

appreciate that the url was for 8.0

With regards to classpath, that was my first attempt - unfortunately it would seem that Tomcat does not support wildcards in the classpath - for example dirpath/lib/*.jar - at least in version 9.

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Thu, 6 Jun 2024 at 17:23, Mark Thomas wrote:
>
> On 06/06/2024 17:52, Dave Breeze wrote:
> > I have an issue with embedded Tomcat and classloaders.
> >
> > I have a java servlet application that runs in an embedded
> > Tomcat(9.0.70) instance.
> >
> > https://tomcat.apache.org/tomcat-8.0-doc/class-loader-howto.html
>
> Those are the Tomcat 8.0.x docs. You are using Tomcat 9.0.x.
>
> Tomcat embedded does not set up the class loader structure you get with
> a standard Tomcat instance. Tomcat just uses the classpath.
>
> Mark
Re: Embedded Tomcat common classloader
hi

first, thank you for the insights.

I did not realise that the wildcard was expanded by the shell. I thought this was handled by Java itself. However, in my instance the JVM is not being created by a shell but by a JNI wrapper. Originally this JNI wrapper included myDir/lib/*.jar in the classpath setting - this caused org.apache.tomcat.util.compat.JreCompat.jarFileNewInstance to attempt to unzip a file of myDir/lib/*.jar - and caused a FileNotFoundException.

In response to your update I changed the wrapper to navigate through myDir and construct a classpath containing every jar (approx 100 files). This enabled the embedded Tomcat instance to resolve all referenced classes.

thanks again

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Fri, 7 Jun 2024 at 15:02, Chuck Caldarale wrote:
>
> > On Jun 7, 2024, at 08:11, Christopher Schultz wrote:
> >
> > On 6/7/24 01:49, Mark Thomas wrote:
> >> On 06/06/2024 18:48, Dave Breeze wrote:
> >>> Thanks Mark
> >>> appreciate that the url was for 8.0
> >>>
> >>> With regards to classpath, that was my first attempt - unfortunately it
> >>> would seem that Tomcat does not support wildcards in the classpath -
> >>> for example dirpath/lib/*.jar - at least in version 9.
> >> The requirements for setting the class path are set by the JVM, not by
> >> Tomcat. If you want all the JARs in a directory to be included in the
> >> class path then you should add dirpath/lib/* to the class path.
> >
> > I think you'd have to specifically mention every .jar file in that
> > directory in the classpath, right? I've never known Java to bother
> > resolving glob patterns on its own. This is usually the responsibility of
> > the command shell.
>
> As Mark stated, you can use an asterisk appended to a directory path in the
> CLASSPATH value to add all of the jars in that directory to the classpath.
> (It's been that way since Java 6.) This works even without shell expansion.
>
> For example,
>
> java -cp mylib/* ClassName
>
> does use shell expansion, but will fail if there is more than one file in
> mylib, since the shell doesn't generate path separators.
>
> These constructs:
>
> java -cp .:mylib/* ClassName    [works in bash, zsh will complain]
> java -cp 'mylib/*' ClassName
>
> do not use shell expansion, since a Linux/UNIX shell is put off by the colon
> or apostrophes.
>
> - Chuck
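The point the last two replies circle around is where the wildcard is expanded. Chuck is right that the shell is not involved: the java launcher itself expands a "dir/*" class path entry into every .jar or .JAR file in that directory (not recursively, and not "dir/*.jar"). The launcher is also the only place it happens; a JVM created through the JNI invocation API receives java.class.path verbatim, which is exactly why the wrapper ended up asking JreCompat to open a file literally named myDir/lib/*.jar. The helper below, added here as an example and not part of the thread or of Tomcat, reproduces the launcher's expansion rule so a JNI wrapper (or any launcher written in Java) can build the explicit list before creating the VM. The main() constructs a temporary directory with three files to show the result; the directory and file names are made up for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

/**
 * Expands class path wildcard entries the way the java launcher does:
 * "dir/*" (or a bare "*", meaning the current directory) becomes every
 * regular file in dir whose name ends in ".jar" or ".JAR", non-recursive.
 * All other entries are passed through untouched. Use the result as the
 * value of -Djava.class.path when creating a JVM via JNI, where no
 * launcher is present to do this expansion.
 */
public final class ClassPathWildcards {

    private ClassPathWildcards() {
    }

    public static String expand(String classPath) throws IOException {
        List<String> out = new ArrayList<>();
        for (String entry : classPath.split(File.pathSeparator, -1)) {
            if (entry.isEmpty()) {
                continue;
            }
            if (isWildcard(entry)) {
                Path dir = entry.equals("*")
                        ? Paths.get(".")
                        : Paths.get(entry.substring(0, entry.length() - 2));
                if (!Files.isDirectory(dir)) {
                    continue; // launcher silently yields nothing for a missing directory
                }
                try (Stream<Path> files = Files.list(dir)) {
                    files.filter(Files::isRegularFile)
                         .filter(p -> {
                             String n = p.getFileName().toString();
                             return n.endsWith(".jar") || n.endsWith(".JAR");
                         })
                         .sorted() // launcher order is unspecified; sort for reproducible builds
                         .forEach(p -> out.add(p.toString()));
                }
            } else {
                out.add(entry);
            }
        }
        return String.join(File.pathSeparator, out);
    }

    private static boolean isWildcard(String entry) {
        return entry.equals("*")
                || entry.endsWith("/*")
                || entry.endsWith(File.separator + "*");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: two jars and one non-jar in a temp dir.
        Path lib = Files.createTempDirectory("lib");
        Files.createFile(lib.resolve("tomcat-embed-core.jar"));
        Files.createFile(lib.resolve("app.JAR"));
        Files.createFile(lib.resolve("README.txt"));

        String raw = lib + File.separator + "*" + File.pathSeparator + "classes";
        System.out.println("before: " + raw);
        System.out.println("after:  " + expand(raw));
        // "after" lists <lib>/app.JAR and <lib>/tomcat-embed-core.jar, then "classes";
        // README.txt is excluded and a "*.jar" spelling would not have been expanded at all.
    }
}
```

The same rule explains why Chuck's quoted form, java -cp 'mylib/*' ClassName, works: the quotes stop the shell from globbing, the launcher receives the literal "mylib/*", and the launcher (not the JVM) turns it into the jar list before the first class is loaded.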