[Bug 63648] certificates: testsuite will break tomorrow
https://bz.apache.org/bugzilla/show_bug.cgi?id=63648

Mark Thomas changed:

What       |Removed |Added
Resolution |---     |FIXED
Status     |NEW     |RESOLVED

--- Comment #2 from Mark Thomas ---
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 7.0.x updated: Update expiring test certs
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/7.0.x by this push:
     new e914985 Update expiring test certs
e914985 is described below

commit e914985aeaf1afc05379deb833a26c691c0ea56c
Author: Mark Thomas
AuthorDate: Wed Aug 7 22:11:07 2019 +0100

    Update expiring test certs
---
 test/org/apache/tomcat/util/net/localhost-cert.pem | 160 +++--
 .../org/apache/tomcat/util/net/localhost-copy1.jks | Bin 4404 -> 2737 bytes
 test/org/apache/tomcat/util/net/localhost-key.pem | 52 +++
 test/org/apache/tomcat/util/net/localhost.jks | Bin 4404 -> 4455 bytes
 test/org/apache/tomcat/util/net/user1.jks | Bin 2666 -> 2717 bytes
 webapps/docs/changelog.xml | 5 +
 6 files changed, 113 insertions(+), 104 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/localhost-cert.pem b/test/org/apache/tomcat/util/net/localhost-cert.pem index d8f38ba..2671d8f 100644 --- a/test/org/apache/tomcat/util/net/localhost-cert.pem +++ b/test/org/apache/tomcat/util/net/localhost-cert.pem
@@ -1,105 +1,109 @@ Certificate: Data: Version: 3 (0x2) -Serial Number: 4096 (0x1000) -Signature Algorithm: sha256WithRSAEncryption +Serial Number: 4102 (0x1006) +Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=Apache Tomcat Test CA Validity -Not Before: Aug 8 10:41:05 2017 GMT -Not After : Aug 8 10:41:05 2019 GMT +Not Before: Aug 7 20:30:28 2019 GMT +Not After : Aug 6 20:30:28 2021 GMT Subject: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption -Public-Key: (2048 bit) +RSA Public-Key: (2048 bit) Modulus: -00:a8:1a:8f:78:58:24:43:9d:90:e1:f2:d5:65:5d: -61:9d:0f:a8:08:20:2c:82:75:8b:b0:ce:96:ba:5b: -99:d3:6b:a2:f8:54:92:6d:07:cc:b3:66:84:8a:8b: -5f:1c:c8:53:eb:a2:c3:54:8c:ce:d0:a7:ff:11:da: -e8:78:a2:07:ea:ed:59:db:97:76:25:f7:c0:e8:6d: -43:07:fc:fe:1c:22:82:8a:5a:5c:63:82:8e:fb:53: -9b:46:47:81:34:95:79:75:15:0a:8d:c4:d8:d8:84: -df:30:53:d0:6e:40:2c:ba:3b:e2:a1:44:4d:43:de: -cf:b0:9e:44:a1:00:26:8f:ca:39:57:14:30:a7:6d: -9a:cc:e4:24:b0:44:1c:28:d3:c3:33:c1:e7:f7:0a: -2a:60:18:60:ed:34:d8:5f:86:a1:ce:c7:fe:cc:56: -b0:68:18:46:d2:a0:5a:70:2c:bd:ce:22:1b:41:05: -c7:a2:82:49:b2:85:a1:56:14:38:46:27:de:cd:f4: -fa:13:0d:9a:80:02:14:d2:1b:47:5f:2c:c9:0c:9f: -70:18:e1:bf:2f:a4:2e:73:7d:ce:0e:6e:2e:11:72: -dd:39:1a:37:29:5c:c7:4a:7b:4a:66:47:8a:70:67: -52:24:a7:6b:2a:55:ba:80:da:28:b5:8b:2f:ae:48: -d7:8b +00:cf:e2:56:a6:67:a6:e8:e7:f3:94:86:6e:f9:06: +46:cf:20:66:b5:cd:b1:c7:d6:50:ea:4d:46:44:ed: +45:65:ea:b6:9b:2e:49:a5:25:c1:8e:36:f6:2c:bc: +8e:09:35:0b:2f:43:70:73:07:47:1d:78:a1:12:e9: +56:5d:ab:84:15:16:0e:38:01:bb:81:87:2d:c4:3b: +dc:2e:4a:e1:d4:66:1b:ce:87:2c:a9:b8:e3:aa:80: +75:79:b1:98:f3:dd:df:66:d0:0d:e1:06:d8:6c:6c: +50:f0:00:80:32:70:55:7b:dd:eb:ae:f2:6a:bf:93: +3d:15:e1:25:f8:75:ce:d8:46:dc:c4:6b:ee:f9:f5: +93:39:ad:90:47:15:4b:fa:ca:5b:fe:ca:1b:29:8a: 
+74:19:2a:cb:1e:4f:20:d9:74:75:24:a0:06:d1:3a: +ed:9b:88:87:f3:1b:0f:a6:14:67:e9:ed:47:2e:a1: +25:6a:c2:97:04:13:f4:9f:62:38:cd:5a:e7:ad:c2: +64:2c:8f:9c:3d:04:58:12:42:e5:0c:8e:8c:ce:78: +3d:60:38:ce:06:ff:9c:ea:9c:c9:0f:73:90:b2:1a: +4a:16:99:c9:fe:95:88:7b:3c:7f:19:d0:26:27:11: +78:f9:92:5c:b4:f5:d4:cb:b0:84:0c:74:37:3d:87: +1a:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate -X509v3 Subject Key Identifier: -01:97:6A:CD:A4:72:D8:B4:A5:3D:A6:78:A1:63:A2:3D:BD:01:E3:22 -X509v3 Authority Key Identifier: +X509v3 Subject Key Identifier: +0D:86:88:1D:07:59:CE:14:B4:89:81:58:C6:0B:FF:4C:CA:25:52:80 +X509v3 Authority Key Identifier:
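Review bot: In the Validity block of localhost-cert.pem the replacement certificate again gets a two-year lifetime (Not Before Aug 7 20:30:28 2019, Not After Aug 6 20:30:28 2021), so the test suite will start failing on that date the same way it was about to here. Consider recording the next renewal date in the changelog entry, or adding a build-time check that fails early when a test certificate is close to expiry, so the renewal does not depend on a bug report filed the day before.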
[tomcat] branch 8.5.x updated: Update expiring test certs
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/8.5.x by this push:
     new 310a791 Update expiring test certs
310a791 is described below

commit 310a791090fccf5546f9403c3a539489ff64c60a
Author: Mark Thomas
AuthorDate: Wed Aug 7 22:11:07 2019 +0100

    Update expiring test certs
---
 .../apache/tomcat/util/net/localhost-rsa-cert.pem | 154 +++--
 .../apache/tomcat/util/net/localhost-rsa-copy1.jks | Bin 4404 -> 2737 bytes
 .../apache/tomcat/util/net/localhost-rsa-key.pem | 52 +++
 test/org/apache/tomcat/util/net/localhost-rsa.jks | Bin 4404 -> 4455 bytes
 test/org/apache/tomcat/util/net/user1.jks | Bin 2666 -> 2717 bytes
 webapps/docs/changelog.xml | 5 +
 6 files changed, 110 insertions(+), 101 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem b/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem index 513e86c..24bb60a 100644 --- a/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem +++ b/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem
@@ -1,35 +1,35 @@ Certificate: Data: Version: 3 (0x2) -Serial Number: 4096 (0x1000) -Signature Algorithm: sha256WithRSAEncryption +Serial Number: 4102 (0x1006) +Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=Apache Tomcat Test CA Validity -Not Before: Aug 8 10:41:05 2017 GMT -Not After : Aug 8 10:41:05 2019 GMT +Not Before: Aug 7 20:30:28 2019 GMT +Not After : Aug 6 20:30:28 2021 GMT Subject: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption -Public-Key: (2048 bit) +RSA Public-Key: (2048 bit) Modulus: -00:a8:1a:8f:78:58:24:43:9d:90:e1:f2:d5:65:5d: -61:9d:0f:a8:08:20:2c:82:75:8b:b0:ce:96:ba:5b: -99:d3:6b:a2:f8:54:92:6d:07:cc:b3:66:84:8a:8b: -5f:1c:c8:53:eb:a2:c3:54:8c:ce:d0:a7:ff:11:da: -e8:78:a2:07:ea:ed:59:db:97:76:25:f7:c0:e8:6d: -43:07:fc:fe:1c:22:82:8a:5a:5c:63:82:8e:fb:53: -9b:46:47:81:34:95:79:75:15:0a:8d:c4:d8:d8:84: -df:30:53:d0:6e:40:2c:ba:3b:e2:a1:44:4d:43:de: -cf:b0:9e:44:a1:00:26:8f:ca:39:57:14:30:a7:6d: -9a:cc:e4:24:b0:44:1c:28:d3:c3:33:c1:e7:f7:0a: -2a:60:18:60:ed:34:d8:5f:86:a1:ce:c7:fe:cc:56: -b0:68:18:46:d2:a0:5a:70:2c:bd:ce:22:1b:41:05: -c7:a2:82:49:b2:85:a1:56:14:38:46:27:de:cd:f4: -fa:13:0d:9a:80:02:14:d2:1b:47:5f:2c:c9:0c:9f: -70:18:e1:bf:2f:a4:2e:73:7d:ce:0e:6e:2e:11:72: -dd:39:1a:37:29:5c:c7:4a:7b:4a:66:47:8a:70:67: -52:24:a7:6b:2a:55:ba:80:da:28:b5:8b:2f:ae:48: -d7:8b +00:cf:e2:56:a6:67:a6:e8:e7:f3:94:86:6e:f9:06: +46:cf:20:66:b5:cd:b1:c7:d6:50:ea:4d:46:44:ed: +45:65:ea:b6:9b:2e:49:a5:25:c1:8e:36:f6:2c:bc: +8e:09:35:0b:2f:43:70:73:07:47:1d:78:a1:12:e9: +56:5d:ab:84:15:16:0e:38:01:bb:81:87:2d:c4:3b: +dc:2e:4a:e1:d4:66:1b:ce:87:2c:a9:b8:e3:aa:80: +75:79:b1:98:f3:dd:df:66:d0:0d:e1:06:d8:6c:6c: +50:f0:00:80:32:70:55:7b:dd:eb:ae:f2:6a:bf:93: +3d:15:e1:25:f8:75:ce:d8:46:dc:c4:6b:ee:f9:f5: +93:39:ad:90:47:15:4b:fa:ca:5b:fe:ca:1b:29:8a: 
+74:19:2a:cb:1e:4f:20:d9:74:75:24:a0:06:d1:3a: +ed:9b:88:87:f3:1b:0f:a6:14:67:e9:ed:47:2e:a1: +25:6a:c2:97:04:13:f4:9f:62:38:cd:5a:e7:ad:c2: +64:2c:8f:9c:3d:04:58:12:42:e5:0c:8e:8c:ce:78: +3d:60:38:ce:06:ff:9c:ea:9c:c9:0f:73:90:b2:1a: +4a:16:99:c9:fe:95:88:7b:3c:7f:19:d0:26:27:11: +78:f9:92:5c:b4:f5:d4:cb:b0:84:0c:74:37:3d:87: +1a:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: @@ -37,69 +37,73 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: -01:97:6A:CD:A4:72:D8:B4:A5:3D:A6:78:A1:63:A2:3D:BD:01:E3:22 +0D:86:88:1D:07:59:CE:14:B4:89:81:58:C6:0B:FF:4C:CA:25:52:80 X509v3 Authority Key Identifier: keyid:00:F2:98:4D:21:2C:00:3C:40:9B:84:F4:DE:2A:F0:2
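Review bot: In the diffstat, localhost-rsa-copy1.jks shrinks from 4404 to 2737 bytes while localhost-rsa.jks grows from 4404 to 4455 bytes, so two keystores that were the same size before this commit no longer are. If copy1 is meant to stay a copy of localhost-rsa.jks, please confirm it still carries the same entries, or say in the commit message why it now differs.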
[tomcat] branch master updated: Update expiring test certs
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/master by this push:
     new e3a59c3 Update expiring test certs
e3a59c3 is described below

commit e3a59c352dbeb8b0bfde3c4512d1b4ea7a0339c8
Author: Mark Thomas
AuthorDate: Wed Aug 7 22:11:07 2019 +0100

    Update expiring test certs
---
 .../apache/tomcat/util/net/localhost-rsa-cert.pem | 154 +++--
 .../apache/tomcat/util/net/localhost-rsa-copy1.jks | Bin 4404 -> 2737 bytes
 .../apache/tomcat/util/net/localhost-rsa-key.pem | 52 +++
 test/org/apache/tomcat/util/net/localhost-rsa.jks | Bin 4404 -> 4455 bytes
 test/org/apache/tomcat/util/net/user1.jks | Bin 2666 -> 2717 bytes
 webapps/docs/changelog.xml | 5 +
 6 files changed, 110 insertions(+), 101 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem b/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem index 513e86c..24bb60a 100644 --- a/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem +++ b/test/org/apache/tomcat/util/net/localhost-rsa-cert.pem
@@ -1,35 +1,35 @@ Certificate: Data: Version: 3 (0x2) -Serial Number: 4096 (0x1000) -Signature Algorithm: sha256WithRSAEncryption +Serial Number: 4102 (0x1006) +Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=Apache Tomcat Test CA Validity -Not Before: Aug 8 10:41:05 2017 GMT -Not After : Aug 8 10:41:05 2019 GMT +Not Before: Aug 7 20:30:28 2019 GMT +Not After : Aug 6 20:30:28 2021 GMT Subject: C=US, ST=MA, L=Wakefield, O=The Apache Software Foundation, OU=Apache Tomcat PMC, CN=localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption -Public-Key: (2048 bit) +RSA Public-Key: (2048 bit) Modulus: -00:a8:1a:8f:78:58:24:43:9d:90:e1:f2:d5:65:5d: -61:9d:0f:a8:08:20:2c:82:75:8b:b0:ce:96:ba:5b: -99:d3:6b:a2:f8:54:92:6d:07:cc:b3:66:84:8a:8b: -5f:1c:c8:53:eb:a2:c3:54:8c:ce:d0:a7:ff:11:da: -e8:78:a2:07:ea:ed:59:db:97:76:25:f7:c0:e8:6d: -43:07:fc:fe:1c:22:82:8a:5a:5c:63:82:8e:fb:53: -9b:46:47:81:34:95:79:75:15:0a:8d:c4:d8:d8:84: -df:30:53:d0:6e:40:2c:ba:3b:e2:a1:44:4d:43:de: -cf:b0:9e:44:a1:00:26:8f:ca:39:57:14:30:a7:6d: -9a:cc:e4:24:b0:44:1c:28:d3:c3:33:c1:e7:f7:0a: -2a:60:18:60:ed:34:d8:5f:86:a1:ce:c7:fe:cc:56: -b0:68:18:46:d2:a0:5a:70:2c:bd:ce:22:1b:41:05: -c7:a2:82:49:b2:85:a1:56:14:38:46:27:de:cd:f4: -fa:13:0d:9a:80:02:14:d2:1b:47:5f:2c:c9:0c:9f: -70:18:e1:bf:2f:a4:2e:73:7d:ce:0e:6e:2e:11:72: -dd:39:1a:37:29:5c:c7:4a:7b:4a:66:47:8a:70:67: -52:24:a7:6b:2a:55:ba:80:da:28:b5:8b:2f:ae:48: -d7:8b +00:cf:e2:56:a6:67:a6:e8:e7:f3:94:86:6e:f9:06: +46:cf:20:66:b5:cd:b1:c7:d6:50:ea:4d:46:44:ed: +45:65:ea:b6:9b:2e:49:a5:25:c1:8e:36:f6:2c:bc: +8e:09:35:0b:2f:43:70:73:07:47:1d:78:a1:12:e9: +56:5d:ab:84:15:16:0e:38:01:bb:81:87:2d:c4:3b: +dc:2e:4a:e1:d4:66:1b:ce:87:2c:a9:b8:e3:aa:80: +75:79:b1:98:f3:dd:df:66:d0:0d:e1:06:d8:6c:6c: +50:f0:00:80:32:70:55:7b:dd:eb:ae:f2:6a:bf:93: +3d:15:e1:25:f8:75:ce:d8:46:dc:c4:6b:ee:f9:f5: +93:39:ad:90:47:15:4b:fa:ca:5b:fe:ca:1b:29:8a: 
+74:19:2a:cb:1e:4f:20:d9:74:75:24:a0:06:d1:3a: +ed:9b:88:87:f3:1b:0f:a6:14:67:e9:ed:47:2e:a1: +25:6a:c2:97:04:13:f4:9f:62:38:cd:5a:e7:ad:c2: +64:2c:8f:9c:3d:04:58:12:42:e5:0c:8e:8c:ce:78: +3d:60:38:ce:06:ff:9c:ea:9c:c9:0f:73:90:b2:1a: +4a:16:99:c9:fe:95:88:7b:3c:7f:19:d0:26:27:11: +78:f9:92:5c:b4:f5:d4:cb:b0:84:0c:74:37:3d:87: +1a:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: @@ -37,69 +37,73 @@ Certificate: Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: -01:97:6A:CD:A4:72:D8:B4:A5:3D:A6:78:A1:63:A2:3D:BD:01:E3:22 +0D:86:88:1D:07:59:CE:14:B4:89:81:58:C6:0B:FF:4C:CA:25:52:80 X509v3 Authority Key Identifier: keyid:00:F2:98:4D:21:2C:00:3C:40:9B:84:F4:DE:2A:F0
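Review bot: The Modulus and Subject Key Identifier lines change along with the validity dates, and localhost-rsa-key.pem is in the diffstat, so this commit replaces the key pair and not only the expiry date. The commit message says only "Update expiring test certs"; a line noting that the keys were regenerated would help anyone who has the old key or certificate pinned in a local test setup.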
[Bug 63648] certificates: testsuite will break tomorrow
https://bz.apache.org/bugzilla/show_bug.cgi?id=63648

--- Comment #1 from Mark Thomas ---
Just running the tests before I commit the updated certs to make sure all is well.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311748751

## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");

Review comment:
I will do the changes tomorrow and see how I can properly modify tests.

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
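Review bot: In the anonymous TesterContext subclass, `addRoleMapping(String role, String link)` has no @Override although `findRoleMapping` directly below it does. The later call `context.addRoleMapping(ROLE2, "very-complex-role-name")` goes through a variable typed as Context, so the method must already be declared there and this one overrides it; add @Override so the compiler catches any drift in the signature.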
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311748567

## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");

Review comment:
I consider this way too inflexible, but yes -- let's discuss as soon as this one has been resolved.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311748751

## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");

Review comment:
I will do the changes tomorrow and see how I can properly modify tests.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311748303

## File path: java/org/apache/catalina/realm/RealmBase.java ##
@@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role);

Review comment:
Wouldn't it be confusing when `findSecurityReference()` can map a role which `findSecurityReferences()` does not contain? Why the null check? Wouldn't it be possible for a servlet security role ref to be also mapped to a technical role? My current does this.
[tomcat] 01/03: Refactor Servlet 3 async timeouts to become a more generic timeout
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit c6f5d73d438f55b8e5b2316e993ab02bb8a94495
Author: Mark Thomas
AuthorDate: Wed Aug 7 18:42:44 2019 +0100

    Refactor Servlet 3 async timeouts to become a more generic timeout

    The timeout mechanism now represents any timeout that is triggered
    independently from the Socket read/write timeouts.
---
 java/org/apache/coyote/AbstractProcessor.java | 9 -
 java/org/apache/coyote/AbstractProtocol.java | 13 -
 java/org/apache/coyote/Processor.java | 14 +-
 .../apache/coyote/http11/upgrade/UpgradeProcessorBase.java | 10 ++
 4 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/java/org/apache/coyote/AbstractProcessor.java b/java/org/apache/coyote/AbstractProcessor.java index 3e73254..d442142 100644 --- a/java/org/apache/coyote/AbstractProcessor.java +++ b/java/org/apache/coyote/AbstractProcessor.java @@ -40,7 +40,7 @@ import org.apache.tomcat.util.res.StringManager; /** * Provides functionality and attributes common to all supported protocols - * (currently HTTP and AJP). + * (currently HTTP and AJP) for processing a single request/response. */ public abstract class AbstractProcessor extends AbstractProcessorLight implements ActionHook { @@ -621,6 +621,13 @@ public abstract class AbstractProcessor extends AbstractProcessorLight implement } +/** + * {@inheritDoc} + * + * Sub-classes of this base class represent a single request/response pair. + * The timeout to be processed is, therefore, the Servlet asynchronous + * processing timeout. + */ @Override public void timeoutAsync(long now) { if (now < 0) { diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java index 837f805..3f5c651 100644 --- a/java/org/apache/coyote/AbstractProtocol.java +++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -92,7 +92,7 @@ public abstract class AbstractProtocol implements ProtocolHandler, /** - * The async timeout thread. + * The timeout thread. */ private AsyncTimeout asyncTimeout = null; @@ -590,7 +590,7 @@ public abstract class AbstractProtocol implements ProtocolHandler, endpoint.start(); -// Start async timeout thread +// Start timeout thread asyncTimeout = new AsyncTimeout(); Thread timeoutThread = new Thread(asyncTimeout, getNameInternal() + "-AsyncTimeout"); int priority = endpoint.getThreadPriority(); @@ -725,12 +725,14 @@ public abstract class AbstractProtocol implements ProtocolHandler, processor, socket)); } -// Async timeouts are calculated on a dedicated thread and then +// Timeouts are calculated on a dedicated thread and then // dispatched. Because of delays in the dispatch process, the // timeout may no longer be required. Check here and avoid // unnecessary processing. -if (SocketEvent.TIMEOUT == status && (processor == null || -!processor.isAsync() || !processor.checkAsyncTimeoutGeneration())) { +if (SocketEvent.TIMEOUT == status && +(processor == null || +!processor.isAsync() && !processor.isUpgrade() || +processor.isAsync() && !processor.checkAsyncTimeoutGeneration())) { // This is effectively a NO-OP return SocketState.OPEN; } @@ -891,6 +893,7 @@ public abstract class AbstractProtocol implements ProtocolHandler, // to the poller if necessary. if (status != SocketEvent.OPEN_WRITE) { longPoll(wrapper, processor); +getProtocol().addWaitingProcessor(processor); } } else if (state == SocketState.SUSPENDED) { // Don't add sockets back to the poller. diff --git a/java/org/apache/coyote/Processor.java b/java/org/apache/coyote/Processor.java index 68edff5..c58431e 100644 --- a/java/org/apache/coyote/Processor.java +++ b/java/org/apache/coyote/Processor.java 
@@ -65,13 +65,17 @@ public interface Processor { boolean isAsync(); /** - * Check this processor to see if the async timeout has expired and process - * a timeout if that is that case. + * Check this processor to see if the timeout has expired and process a + * timeout if that is that case. + * + * Note: The name of this method originated with the Servlet 3.0 + * asynchronous processing but evolved over time to represent a timeout that + * is triggered independently of the socket read/write timeouts. * * @param now The time
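Review bot: In the AbstractProtocol hunk at the SocketEvent.TIMEOUT check, the new condition `processor == null || !processor.isAsync() && !processor.isUpgrade() || processor.isAsync() && !processor.checkAsyncTimeoutGeneration()` mixes && and || and relies on operator precedence to group correctly. Please parenthesise the two && terms so the intent (skip when the processor is neither async nor upgraded, or is async with a stale timeout generation) is readable at a glance. The comments now say "timeout thread", but the field asyncTimeout, the class AsyncTimeout and the "-AsyncTimeout" thread name keep the old wording; either rename them or note next to them that the name is historical, as the Processor Javadoc now does for the method.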
[tomcat] 03/03: Improve HTTP/2 connection timeout handling
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7943b50c241a051a49b212e90e25291d1ebcbe97
Author: Mark Thomas
AuthorDate: Wed Aug 7 17:02:37 2019 +0100

    Improve HTTP/2 connection timeout handling

    Timeouts were not always handled correctly leaving some connections open
    for longer than expected.
---
 .../apache/coyote/http2/Http2UpgradeHandler.java | 95 --
 webapps/docs/changelog.xml | 4 +
 2 files changed, 75 insertions(+), 24 deletions(-)

diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java index e63a484..50365a9 100644 --- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java @@ -138,6 +138,9 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU private volatile int newStreamsSinceLastPrune = 0; private final ConcurrentMap backLogStreams = new ConcurrentHashMap<>(); private long backLogSize = 0; +// The time at which the connection will timeout unless data arrives before +// then. -1 means no timeout. +private volatile long connectionTimeout = -1; // Stream concurrency control private int maxConcurrentStreamExecution = Http2Protocol.DEFAULT_MAX_CONCURRENT_STREAM_EXECUTION; @@ -323,8 +326,10 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU case OPEN_READ: try { // There is data to read so use the read timeout while -// reading frames. - socketWrapper.setReadTimeout(getReadTimeout()); +// reading frames ... +socketWrapper.setReadTimeout(getReadTimeout()); +// ... and disable the connection timeout +setConnectionTimeout(-1); while (true) { try { if (!parser.readFrame(false)) {
@@ -340,23 +345,22 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU stream.close(se); } } +if (overheadCount.get() > 0) { +throw new ConnectionException( + sm.getString("upgradeHandler.tooMuchOverhead", connectionId), +Http2Error.ENHANCE_YOUR_CALM); +} } -if (overheadCount.get() > 0) { -throw new ConnectionException( -sm.getString("upgradeHandler.tooMuchOverhead", connectionId), -Http2Error.ENHANCE_YOUR_CALM); -} +// Need to know the correct timeout before starting the read +// but that may not be known at this time if one or more +// requests are currently being processed so don't set a +// timeout for the socket... +socketWrapper.setReadTimeout(-1); + +// ...set a timeout on the connection + setConnectionTimeoutForStreamCount(activeRemoteStreamCount.get()); -if (activeRemoteStreamCount.get() == 0) { -// No streams currently active. Use the keep-alive -// timeout for the connection. -socketWrapper.setReadTimeout(getKeepAliveTimeout()); -} else { -// Streams currently active. Individual streams have -// timeouts so keep the connection open. -socketWrapper.setReadTimeout(-1); -} } catch (Http2Exception ce) { // Really ConnectionException if (log.isDebugEnabled()) { @@ -377,9 +381,12 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU result = SocketState.UPGRADED; break; +case TIMEOUT: +closeConnection(null); +break; + case DISCONNECT: case ERROR: -case TIMEOUT: case STOP: case CONNECT_FAIL: close(); @@ -399,9 +406,41 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU } +/* + * Sets the connection timeout based on the current number of active + * streams. + */ +protected void setConnectionTimeoutForStreamCount(int streamCount) { +if (streamCount == 0) { +// No streams currently active. U
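Review bot: In the new `case TIMEOUT:` branch of the switch on the socket event, `closeConnection(null)` passes a bare null, and nothing in the hunk says what a null argument means to closeConnection. A short comment at the call site would make the intent of the timeout path clear. TIMEOUT previously fell through to close() together with DISCONNECT, ERROR, STOP and CONNECT_FAIL, so the commit message should also say how closing via closeConnection differs from close() for the peer.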
[tomcat] 02/03: Extend the timeout functionality to internal upgrade processors
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 07aa80d35052314ea4e2169c49b9c95254bbbe1f
Author: Mark Thomas
AuthorDate: Wed Aug 7 18:59:07 2019 +0100

    Extend the timeout functionality to internal upgrade processors
---
 .../apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java | 2 ++
 java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java | 6 ++
 java/org/apache/coyote/http2/Http2UpgradeHandler.java | 6 ++
 java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java | 6 ++
 .../apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java | 5 +
 5 files changed, 25 insertions(+)

diff --git a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java index 936784e..426b1bd 100644 --- a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java +++ b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java @@ -32,6 +32,8 @@ public interface InternalHttpUpgradeHandler extends HttpUpgradeHandler { SocketState upgradeDispatch(SocketEvent status); +void timeoutAsync(long now); + void setSocketWrapper(SocketWrapperBase wrapper); void setSslSupport(SSLSupport sslSupport); diff --git a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java index 6397a72..f0f5460 100644 --- a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java +++ b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java @@ -73,6 +73,12 @@ public class UpgradeProcessorInternal extends UpgradeProcessorBase { } +@Override +public void timeoutAsync(long now) { +internalHttpUpgradeHandler.timeoutAsync(now); +} + + // --- AutoCloseable methods @Override
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java index 30f603f..e63a484 100644 --- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java @@ -399,6 +399,12 @@ public class Http2UpgradeHandler extends AbstractStream implements InternalHttpU } +@Override +public void timeoutAsync(long now) { +// TODO: Implement improved connection timeouts +} + + ConnectionSettingsRemote getRemoteSettings() { return remoteSettings; } diff --git a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java index a1b82ea..84b70c6 100644 --- a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java +++ b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java @@ -191,6 +191,12 @@ public class WsHttpUpgradeHandler implements InternalHttpUpgradeHandler { @Override +public void timeoutAsync(long now) { +// NO-OP +} + + +@Override public void pause() { // NO-OP } diff --git a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java index cd2535e..84b64ae 100644 --- a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java +++ b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java @@ -255,6 +255,11 @@ public class TestUpgradeInternalHandler extends TomcatBaseTest { } @Override +public void timeoutAsync(long now) { +// NO-OP +} + +@Override public void setSocketWrapper(SocketWrapperBase wrapper) { this.wrapper = wrapper; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
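Review bot: `void timeoutAsync(long now);` is added to InternalHttpUpgradeHandler with no Javadoc, and the implementations in this patch are a TODO in Http2UpgradeHandler and NO-OPs in WsHttpUpgradeHandler and the test handler. Please document on the interface method what `now` is and what an implementer is expected to do once the timeout has passed, since the name still says "Async" while commit 01/03 redefines it as a timeout triggered independently of the socket read/write timeouts.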
[tomcat] branch 8.5.x updated (6459a20 -> 7943b50)
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.

    from 6459a20 BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
     new c6f5d73 Refactor Servlet 3 async timeouts to become a more generic timeout
     new 07aa80d Extend the timeout functionality to internal upgrade processors
     new 7943b50 Improve HTTP/2 connection timeout handling

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 java/org/apache/coyote/AbstractProcessor.java | 9 +-
 java/org/apache/coyote/AbstractProtocol.java | 13 +--
 java/org/apache/coyote/Processor.java | 14 +--
 .../http11/upgrade/InternalHttpUpgradeHandler.java | 2 +
 .../http11/upgrade/UpgradeProcessorBase.java | 10 ++-
 .../http11/upgrade/UpgradeProcessorInternal.java | 6 ++
 .../apache/coyote/http2/Http2UpgradeHandler.java | 99 +-
 .../websocket/server/WsHttpUpgradeHandler.java | 6 ++
 .../http11/upgrade/TestUpgradeInternalHandler.java | 5 ++
 webapps/docs/changelog.xml | 4 +
 10 files changed, 130 insertions(+), 38 deletions(-)
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311742634

## File path: webapps/docs/changelog.xml ##
@@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) +

Review comment:
Alright, will do. I will probably need to fix the rest I have merged already.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311742634 ## File path: webapps/docs/changelog.xml ## @@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) + Review comment: Alright, will do.
[Bug 63648] New: certificates: testsuite will break tomorrow
https://bz.apache.org/bugzilla/show_bug.cgi?id=63648

Bug ID: 63648
Summary: certificates: testsuite will break tomorrow
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: b...@beuc.net
Target Milestone:

$ cd test/org/apache/tomcat/util/net/
$ openssl x509 -dates -noout < localhost-rsa-cert.pem
notBefore=Aug 8 10:41:05 2017 GMT
notAfter=Aug 8 10:41:05 2019 GMT

I need working certificates to build&test a Debian Tomcat security update, please renew :)
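A pre-build guard for the situation reported above, as an added example (not part of the bug report and not Tomcat code): it parses the two openssl date formats that appear on this page, `notBefore=`/`notAfter=` from `openssl x509 -dates` and the `Not Before:`/`Not After :` lines of the text dump, and reports certificates that are expired, not yet valid, unreadable, or inside a warning window. The function names and the 30-day window are assumptions; the sample dates are the ones quoted on this page.

```python
import re
from datetime import datetime, timedelta, timezone

_MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches "notAfter=Aug  8 10:41:05 2019 GMT" (openssl x509 -dates) and
# "Not After : Aug  6 20:30:28 2021 GMT" (openssl x509 -text), also when
# several fields have been run together on one line.
_VALIDITY = re.compile(
    r"not\s?(?P<field>before|after)\s*[:=]\s*"
    r"(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<year>\d{4})\s+GMT",
    re.IGNORECASE)


def parse_validity(text):
    """Return {'before': datetime, 'after': datetime} for the fields present."""
    found = {}
    for m in _VALIDITY.finditer(text):
        month = _MONTHS.get(m.group("mon").title())
        if month is None:
            continue
        try:
            stamp = datetime(int(m.group("year")), month, int(m.group("day")),
                             int(m.group("h")), int(m.group("m")),
                             int(m.group("s")), tzinfo=timezone.utc)
        except ValueError:
            continue  # impossible date such as day 32: treat as not found
        found[m.group("field").lower()] = stamp
    return found


def check_certs(outputs, now, warn_days=30):
    """outputs maps a certificate name to its openssl output.

    Returns (name, status, time_left) for every certificate that needs
    attention; certificates that are valid beyond the window are omitted.
    """
    findings = []
    for name, text in outputs.items():
        validity = parse_validity(text)
        not_after = validity.get("after")
        if not_after is None:
            # Fail closed: an expiry date that cannot be read is a finding.
            findings.append((name, "unreadable", None))
            continue
        left = not_after - now
        not_before = validity.get("before")
        if left <= timedelta(0):
            findings.append((name, "expired", left))
        elif not_before is not None and now < not_before:
            findings.append((name, "not-yet-valid", left))
        elif left <= timedelta(days=warn_days):
            findings.append((name, "expiring", left))
    return findings


# Sample input: the dates are quoted from this page (the bug report and the
# renewed localhost-cert.pem in the 7.0.x commit); the layout is reconstructed.
SAMPLE_OUTPUTS = {
    "localhost-rsa-cert.pem":
        "notBefore=Aug  8 10:41:05 2017 GMT\n"
        "notAfter=Aug  8 10:41:05 2019 GMT\n",
    "localhost-cert.pem":
        "Validity\n"
        "    Not Before: Aug  7 20:30:28 2019 GMT\n"
        "    Not After : Aug  6 20:30:28 2021 GMT\n",
}

if __name__ == "__main__":
    # Constructed reference time: the evening before the old cert expired.
    reference = datetime(2019, 8, 7, 21, 0, 0, tzinfo=timezone.utc)
    for name, status, left in check_certs(SAMPLE_OUTPUTS, reference):
        print(f"{name}: {status} (time left: {left})")
```

Run against the real `-dates` output of each test certificate in a build step, a non-empty result is the signal to renew before the test suite starts failing.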
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/4536 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] 5d7f2eac857cc75757cfc58d003fbf17a23c2720 Blamelist: Mark Thomas Build succeeded! Sincerely, -The Buildbot
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311727060 ## File path: webapps/docs/changelog.xml ## @@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) + Review comment: BZ issues should appear in order so the entry for BZ 63636 should appear after BZ 63608.
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311726365 ## File path: test/org/apache/catalina/realm/TestRealmBase.java ## @@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name"); Review comment: I was thinking more: `` but that is a discussion better suited to BZ 55477
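Review bot: In the anonymous `TesterContext` subclass of the `TestRealmBase.java` hunk, `addRoleMapping(String role, String link)` carries no `@Override` although `findRoleMapping` does, and it is invoked through a `Context`-typed variable (`context.addRoleMapping(ROLE2, ...)`), so it has to be overriding an inherited method. Add `@Override` so that a signature change in the interface is caught at compile time, and declare the `roleMapping` field `final` since it is never reassigned.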
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311725976 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: `findSecurityReference()` != `findSecurityReferences()` `findSecurityReference()` is the method that tries to map a single role and should be changed. `findSecurityReferences()` is closer to a getter for the current settings for the Wrapper and should be unchanged. So:
```
@Override
public String findSecurityReference(String name) {
    String reference;
    // First check the Wrapper
    referencesLock.readLock().lock();
    try {
        reference = references.get(name);
    } finally {
        referencesLock.readLock().unlock();
    }
    // If not specified on the Wrapper, check the Context
    if (reference == null && getParent() instanceof Context) {
        reference = ((Context) getParent()).findRoleMapping(name);
    }
    return reference;
}
```
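Review bot: The visible part of the `RealmBase.java` hunk stops at `String realRole = context.findRoleMapping(role);`, and that lookup yields null whenever the context defines no mapping for the role (the test double in this PR returns `roleMapping.get(role)`), so the code consuming `realRole` needs an explicit null branch that falls back to the requested role name instead of passing null into the role comparison. Reading `getContainer()` once into a local before the `instanceof` test would also avoid calling it twice.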
[tomcat] branch master updated: Improve HTTP/2 connection timeout handling
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 5d7f2ea Improve HTTP/2 connection timeout handling 5d7f2ea is described below commit 5d7f2eac857cc75757cfc58d003fbf17a23c2720 Author: Mark Thomas AuthorDate: Wed Aug 7 17:02:37 2019 +0100 Improve HTTP/2 connection timeout handling Timeouts were not always handled correctly leaving some connections open for longer than expected. --- .../coyote/http2/Http2AsyncUpgradeHandler.java | 6 +- .../apache/coyote/http2/Http2UpgradeHandler.java | 93 -- webapps/docs/changelog.xml | 4 + 3 files changed, 77 insertions(+), 26 deletions(-) diff --git a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java index 3115eda..92ad29c 100644 --- a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java @@ -210,7 +210,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { header[4] = FLAG_END_OF_STREAM; stream.sentEndOfStream(); if (!stream.isActive()) { -activeRemoteStreamCount.decrementAndGet(); + setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); } } if (writeable) { @@ -309,7 +309,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { header[4] = FLAG_END_OF_STREAM; sendfile.stream.sentEndOfStream(); if (!sendfile.stream.isActive()) { -activeRemoteStreamCount.decrementAndGet(); + setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); } } if (writeable) { 
@@ -370,7 +370,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { header[4] = FLAG_END_OF_STREAM; sendfile.stream.sentEndOfStream(); if (!sendfile.stream.isActive()) { -activeRemoteStreamCount.decrementAndGet(); + setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); } } if (writeable) { diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java index a19ba6c..f27a79e 100644 --- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java @@ -132,6 +132,9 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH private volatile int newStreamsSinceLastPrune = 0; private final Map backLogStreams = new ConcurrentHashMap<>(); private long backLogSize = 0; +// The time at which the connection will timeout unless data arrives before +// then. -1 means no timeout. +private volatile long connectionTimeout = -1; // Stream concurrency control private AtomicInteger streamConcurrency = null; @@ -315,8 +318,10 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH case OPEN_READ: try { // There is data to read so use the read timeout while -// reading frames. +// reading frames ... socketWrapper.setReadTimeout(protocol.getReadTimeout()); +// ... and disable the connection timeout +setConnectionTimeout(-1); while (true) { try { if (!parser.readFrame(false)) { 
@@ -332,23 +337,22 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH stream.close(se); } } +if (overheadCount.get() > 0) { +throw new ConnectionException( + sm.getString("upgradeHandler.tooMuchOverhead", connectionId), +Http2Error.ENHANCE_YOUR_CALM); +} } -if (overheadCount.get() > 0) { -throw new ConnectionException( -sm.getString("upgradeHandler.tooMuchOverhead", connectionId), -Http2Error.ENHANCE_YOUR_CALM); -} +// Need to know the correct timeout before starting the read +// but that may not be known at this time if one or more +// requests are currently being processed
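Review bot: In the `Http2UpgradeHandler` hunk at `@@ -332,23 +337,22 @@`, the `overheadCount.get() > 0` check that throws `ConnectionException` with `Http2Error.ENHANCE_YOUR_CALM` moves one block inward, so it now appears to run on every pass of the `while (true)` frame-reading loop rather than once after it. That changes when a connection generating excessive overhead is closed, yet the commit message only mentions timeouts; state the change in the commit message or the changelog entry, and cover it with a test that sends overhead frames back to back.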
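Review bot: The comment on the new `connectionTimeout` field in `Http2UpgradeHandler` says it is "the time at which the connection will timeout" but gives neither the unit nor the clock it is measured against, while `-1` doubles as the "no timeout" sentinel; spell both out so that `setConnectionTimeout(-1)` and whatever compares against the field agree. In `Http2AsyncUpgradeHandler` the line `setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());` is now repeated at three sites; a small private helper would keep the decrement and the timeout update from drifting apart when a fourth site is added.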
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311703087 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: Just take your time to describe how you imagine that, I do not fully understand it.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311702448 ## File path: test/org/apache/catalina/realm/TestRealmBase.java ## @@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name"); Review comment: You probably want a `` with custom attributes. What makes it different to a listener?
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building tomcat. Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/4535 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch master] 863b18e34f12085820ad02e86ca0ef7e961bb471 Blamelist: Mark Thomas BUILD FAILED: failed compile_1 Sincerely, -The Buildbot
[tomcat] branch master updated: Extend the timeout functionality to internal upgrade processors
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new 863b18e Extend the timeout functionality to internal upgrade processors 863b18e is described below commit 863b18e34f12085820ad02e86ca0ef7e961bb471 Author: Mark Thomas AuthorDate: Wed Aug 7 18:59:07 2019 +0100 Extend the timeout functionality to internal upgrade processors --- .../apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java| 2 ++ java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java | 6 ++ java/org/apache/coyote/http2/Http2UpgradeHandler.java | 6 ++ java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java | 6 ++ .../apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java| 5 + 5 files changed, 25 insertions(+) diff --git a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java index 8c5ce39..e7d3453 100644 --- a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java +++ b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java @@ -32,6 +32,8 @@ public interface InternalHttpUpgradeHandler extends HttpUpgradeHandler { SocketState upgradeDispatch(SocketEvent status); +void timeoutAsync(long now); + void setSocketWrapper(SocketWrapperBase wrapper); void setSslSupport(SSLSupport sslSupport); diff --git a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java index 6397a72..f0f5460 100644 --- a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java +++ b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java 
@@ -73,6 +73,12 @@ public class UpgradeProcessorInternal extends UpgradeProcessorBase { } +@Override +public void timeoutAsync(long now) { +internalHttpUpgradeHandler.timeoutAsync(now); +} + + // --- AutoCloseable methods @Override diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java index 41c620d..a19ba6c 100644 --- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java +++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java @@ -391,6 +391,12 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH } +@Override +public void timeoutAsync(long now) { +// TODO: Implement improved connection timeouts +} + + ConnectionSettingsRemote getRemoteSettings() { return remoteSettings; } diff --git a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java index a1b82ea..84b70c6 100644 --- a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java +++ b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java @@ -191,6 +191,12 @@ public class WsHttpUpgradeHandler implements InternalHttpUpgradeHandler { @Override +public void timeoutAsync(long now) { +// NO-OP +} + + +@Override public void pause() { // NO-OP } diff --git a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java index aaee563..f436240 100644 --- a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java +++ b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java 
@@ -259,6 +259,11 @@ public class TestUpgradeInternalHandler extends TomcatBaseTest { } @Override +public void timeoutAsync(long now) { +// NO-OP +} + +@Override public void setSocketWrapper(SocketWrapperBase wrapper) { this.wrapper = wrapper; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
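Review bot: `void timeoutAsync(long now);` is added to `InternalHttpUpgradeHandler` with no Javadoc, so implementers cannot tell what `now` represents or what they are expected to do with it; the related refactoring commit calls `processor.timeoutAsync(-1)` when the protocol stops, which makes a negative value a special case worth documenting on the interface. The `// NO-OP` bodies in `WsHttpUpgradeHandler` and the test handler, and the `// TODO` in `Http2UpgradeHandler`, should say whether ignoring that signal is intentional.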
[tomcat] branch master updated: Refactor Servlet 3 async timeouts to become a more generic timeout
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/master by this push: new d3a5b1c Refactor Servlet 3 async timeouts to become a more generic timeout d3a5b1c is described below commit d3a5b1cf5c60e6acea61286eb050e54f05d193ff Author: Mark Thomas AuthorDate: Wed Aug 7 18:42:44 2019 +0100 Refactor Servlet 3 async timeouts to become a more generic timeout The timeout mechanism now represents any timeout that is triggered independently from the Socket read/write timeouts. --- java/org/apache/coyote/AbstractProcessor.java | 9 +- java/org/apache/coyote/AbstractProtocol.java | 34 +- java/org/apache/coyote/Processor.java | 14 + .../http11/upgrade/UpgradeProcessorBase.java | 10 --- 4 files changed, 44 insertions(+), 23 deletions(-) diff --git a/java/org/apache/coyote/AbstractProcessor.java b/java/org/apache/coyote/AbstractProcessor.java index d94a8e4..1affefa 100644 --- a/java/org/apache/coyote/AbstractProcessor.java +++ b/java/org/apache/coyote/AbstractProcessor.java @@ -39,7 +39,7 @@ import org.apache.tomcat.util.res.StringManager; /** * Provides functionality and attributes common to all supported protocols - * (currently HTTP and AJP). + * (currently HTTP and AJP) for processing a single request/response. */ public abstract class AbstractProcessor extends AbstractProcessorLight implements ActionHook { @@ -628,6 +628,13 @@ public abstract class AbstractProcessor extends AbstractProcessorLight implement } +/** + * {@inheritDoc} + * + * Sub-classes of this base class represent a single request/response pair. + * The timeout to be processed is, therefore, the Servlet asynchronous + * processing timeout. + */ @Override public void timeoutAsync(long now) { if (now < 0) { diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java index 174c899..d95d425 100644 
--- a/java/org/apache/coyote/AbstractProtocol.java +++ b/java/org/apache/coyote/AbstractProtocol.java @@ -96,9 +96,9 @@ public abstract class AbstractProtocol implements ProtocolHandler, Collections.newSetFromMap(new ConcurrentHashMap()); /** - * Controller for the async timeout scheduling. + * Controller for the timeout scheduling. */ -private ScheduledFuture asyncTimeoutFuture = null; +private ScheduledFuture timeoutFuture = null; private ScheduledFuture monitorFuture; public AbstractProtocol(AbstractEndpoint endpoint) { @@ -595,17 +595,22 @@ public abstract class AbstractProtocol implements ProtocolHandler, } +/** + * Note: The name of this method originated with the Servlet 3.0 + * asynchronous processing but evolved over time to represent a timeout that + * is triggered independently of the socket read/write timeouts. + */ protected void startAsyncTimeout() { -if (asyncTimeoutFuture == null || (asyncTimeoutFuture != null && asyncTimeoutFuture.isDone())) { -if (asyncTimeoutFuture != null && asyncTimeoutFuture.isDone()) { +if (timeoutFuture == null || (timeoutFuture != null && timeoutFuture.isDone())) { +if (timeoutFuture != null && timeoutFuture.isDone()) { // There was an error executing the scheduled task, get it and log it try { -asyncTimeoutFuture.get(); +timeoutFuture.get(); } catch (InterruptedException | ExecutionException e) { getLog().error(sm.getString("abstractProtocolHandler.asyncTimeoutError"), e); } } -asyncTimeoutFuture = getUtilityExecutor().scheduleAtFixedRate( +timeoutFuture = getUtilityExecutor().scheduleAtFixedRate( new Runnable() { @Override public void run() { @@ -619,9 +624,9 @@ public abstract class AbstractProtocol implements ProtocolHandler, } protected void stopAsyncTimeout() { -if (asyncTimeoutFuture != null) { -asyncTimeoutFuture.cancel(false); -asyncTimeoutFuture = null; +if (timeoutFuture != null) { +timeoutFuture.cancel(false); +timeoutFuture = null; } } 
@@ -664,7 +669,7 @@ public abstract class AbstractProtocol implements ProtocolHandler, monitorFuture = null; } stopAsyncTimeout(); -// Timeout any pending async request +// Timeout any waiting processor for (Processor processor : waitingProcessors) { processor.timeoutAsync(-1); } @@ -770,12 +775,14 @@ public abstract class AbstractProtocol implements ProtocolHandle
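Review bot: In `AbstractProtocol.startAsyncTimeout()` the rename keeps the redundant guard `timeoutFuture == null || (timeoutFuture != null && timeoutFuture.isDone())`, and the nested `timeoutFuture != null && timeoutFuture.isDone()` repeats it; since these lines are being touched anyway, reduce the outer test to `timeoutFuture == null || timeoutFuture.isDone()`. The log key `abstractProtocolHandler.asyncTimeoutError` still says "async" after the field became a generic timeout; the new Javadoc explains the method name, but check that the message text does not point operators at Servlet async processing.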
Re: h2 priorities
Just a quick update.

I started to make some progress but I have been side-tracked by the HTTP/2 timeout issue raised on users. I've been able to get the clean-up in but the priority changes aren't going to make the next set of releases.

Mark

On 01/08/2019 09:19, Mark Thomas wrote:
> Hi all,
>
> One of the things that I took away from the HTTP workshop was that we
> weren't doing as much with h2 priorities as we could.
>
> If the connection window is at capacity, the code does a reasonable job
> of allocating any additional capacity to waiting streams based on the h2
> priority tree.
>
> However, if the connection window is not at capacity, Tomcat essentially
> ignores the priority tree. I'd like to see if I can improve this.
>
> My general thinking is some sort of priority manager where multiple
> implementations are available. Something like:
> - NO-OP (current behaviour)
> - dependencies only (takes account of dependencies for write
> ordering but not weights)
> - full (takes account of dependencies and weights for write ordering)
>
> I'm not sure the 'full' implementation is viable for a Servlet
> container. What is doable for a single thread managing the writes for
> multiple static resources gets a lot more complicated when you have one
> thread per resource generating those resources dynamically.
>
> I am currently still trying to get my head around various locking /
> ordering / synchronization issues and I don't yet have anything that
> works. I have stumbled across a couple of places where the code could be
> usefully cleaned up. I'll try and extract those into separate commits
> and get them applied. Hopefully this week but certainly before I tag.
>
> If I can solve this fairly quickly, my plan is to have the "NO-OP"
> implementation as the default for now so there should be no change in
> behaviour.
>
> Mark
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311490843 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: So, if I understand your request properly, this should not be part of `RealmBase` at all, but has to be implemented in `StandardWrapper`, namely `findSecurityReference()` where it queries `getParent()#findRoleMapping()` if it is not found in `references`? So `findSecurityReferences()` has to be changed as well? But not `removeSecurityReference()`? Though, `getParent()` must be still of type `Context` (`instanceof` check)?
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311513232 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: Both > Consider moving this to Wrapper.findSecurityReference and > findSecurityReferences() should be unchanged. seem to be a contradiction. Do you want me to change the `Wrapper` interface and all of its implementors? That would still mean that I need to change `RealmBase` anyway?!
[Bug 63646] IOException when default CATALINA_TMPDIR directory doesn't exist
https://bz.apache.org/bugzilla/show_bug.cgi?id=63646

Mark Thomas changed:

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |WONTFIX

--- Comment #1 from Mark Thomas ---
The necessary directories are created when Tomcat is installed. You can't delete directories and/or files from that installation and expect Tomcat to continue to work normally or recover so it can do so. While Tomcat could recover from some deletions, it can recover in all scenarios so we don't handle any of them.
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311499556 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: `findSecurityReferences()` should be unchanged. Parent of a Wrapper should only ever be a Context but an `instance of` check is probably prudent. It would also protect against nulls (may be possible during shutdown - I didn't check).
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311490843 ## File path: java/org/apache/catalina/realm/RealmBase.java ## @@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role); Review comment: So, if I understand your request properly, this should not be part of `RealmBase` at all, but has to be implemented in `StandardWrapper`, namely `findSecurityReference()` where it queries `getParent()#findRoleMapping()` if it is not found in `references`? So `findSecurityReferences()` has to be changed as well? But not `removeSecurityReference()`? Though, `getParent()` must be still of type `Context` (`instanceof` check)?
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole() URL: https://github.com/apache/tomcat/pull/186#discussion_r311491516 ## File path: test/org/apache/catalina/realm/TestRealmBase.java ## @@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name"); Review comment: That would be OK, as long as it is an interface. I don't want to hardcode those into my `context.xml`, but have them in a properties file. It could also be potentially a database or something else.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311490843
## File path: java/org/apache/catalina/realm/RealmBase.java ##
@@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role);
Review comment: So, if I understand your request properly, this should not be part of `RealmBase` at all, but has to be implemented in `StandardWrapper`, namely `findSecurityReference()`, where it queries `getParent()#findRoleMapping()` if it is not found in `references`? So `findSecurityReferences()` has to be changed as well? But not `removeSecurityReference()`?
[Bug 63641] Tomcat Manager Server Status Errors After updating from 8.5.19 to 8.5.40. javax.management.AttributeNotFoundException: Cannot find attribute maxThreads for org.apache.tomcat.util.net.Sock
https://bz.apache.org/bugzilla/show_bug.cgi?id=63641
Mark Thomas changed:
What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |WORKSFORME
--- Comment #9 from Mark Thomas ---
Tested a clean build of 8.5.x (latest HEAD as of this comment) and 8.5.36 and no error is shown.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311483465
## File path: webapps/docs/changelog.xml ##
@@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) +
Review comment: Pardon, I did not notice this. Will change, no issue. So this one should be after 63550?
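Review bot: The entry text mixes two member notations in one sentence, `Context.findRoleMapping()` and `RealmBase#hasRole()`; pick one. It also repeats the bug title ("never called") instead of stating what the change now does, which is what a changelog reader needs to judge whether role checks in their deployment are affected.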
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311483465
## File path: webapps/docs/changelog.xml ##
@@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) +
Review comment: Pardon, I did not notice this. Will change, no issue.
[Bug 63625] Unable to start Tomcat 7.0.96 (stop by 0xc0000005)
https://bz.apache.org/bugzilla/show_bug.cgi?id=63625
--- Comment #14 from Norimasa Yamamoto ---
I thought of a concept for how to fix this issue. (If prunsrv.exe really needs to change jvm.dll's environment block.)

Before looking at the concept, an important thing should be known.

- Where is the environment block (compiled with shared C runtime)?

compiled by MSVS 2015-2019
  MODULE (exe, dll, so, ...) _wputenv()
    ==> api-ms-win-crt-environment-l1-1-0.dll!_wputenv (forwarder)
    ==> ucrtbase.dll!_wputenv (HERE!)

compiled by MSVC 7 to 12
  MODULE _wputenv()
    ==> msvcrXXX.dll!_wputenv (HERE!)
  (XXX is one of 70, 80, 90, 100, 110, 120 (release) or with postfix "d" (debug))

Other compilers...
  compiled by MSVC 6, MinGW w32api+GCC: held in "msvcrt.dll"
  compiled by Embarcadero/Borland C++ Builder: held in "ccYYXXXmt.dll"
  compiled by Cygwin: held in "cygwin1.dll"
  :

On the other hand, without a shared C runtime, every module holds it in itself.

compiled by any compiler (including MSVS 2015-2019)
  MODULE (HERE! (=builtin)) _wputenv

If MODULE did not export _wputenv or a similar function, it is impossible to change it from OUTER MODULEs. If OUTER MODULEs knew its address, they may be able to change it, but that is a very dangerous way.
-- end of section

Because prunsrv.exe is currently statically linked with the C runtime, prunsrv.exe does not depend on any shared C runtime. So when jvm.dll is loaded in the prunsrv.exe process, prunsrv.exe can guess jvm.dll's C runtime by GetModuleHandle.
(If prunsrv.exe were compiled with a shared C runtime, prunsrv.exe may parse jvm.dll's Import Table in the PE section, use CreateToolhelp32Snapshot related functions to find the loaded snapshot, ... From my experience, these are hard.)

(concept code)
- before
    hmodUcrt = LoadLibraryExA("ucrtbase.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hmodUcrt != NULL) {
        wputenv_ucrt = (WPUTENV) GetProcAddress(hmodUcrt, "_wputenv");
    }
- after
    // jvm.dll should be loaded at this point.
    // Guess jvm.dll was compiled by known compilers.
    putenv_ucrt = NULL;
    if (   ((hmodUcrt = GetModuleHandle("ucrtbase.dll")) != NULL) // MSVC 14.0x-14.2x
        || ((hmodUcrt = GetModuleHandle("msvcr120.dll")) != NULL) // MSVC 12.0
        || ((hmodUcrt = GetModuleHandle("msvcr110.dll")) != NULL) // MSVC 11.0
        || ((hmodUcrt = GetModuleHandle("msvcr100.dll")) != NULL) // MSVC 10.0
        : (...)
        || ((hmodUcrt = GetModuleHandle("msvcrt.dll")) != NULL) // MSVC 6.0, GCC
       ) {
        putenv_ucrt = (WPUTENV) GetProcAddress(hmodUcrt, "_wputenv");
    } else {
        // jvm.dll was not compiled by known compilers.
    }
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311483465
## File path: webapps/docs/changelog.xml ##
@@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) +
Review comment: Pardon, I did not notice this. Will change, no issue.
Re: Proposal: use Files.move instead of File.renameTo in FarmWarDeployer
On 06/08/2019 21:05, Christopher Schultz wrote:
> All,
>
> Someone recently had a problem where the FarmWarDeployer wouldn't work
> on a secondary node because File.renameTo was failing -- likely due to
> the underlying Java/OS refusing to re-name a file across filesystems.
>
> I propose that we switch to using Files.move which will either re-name
> or move depending upon what is necessary. It also throws an exception
> if it can't do its work, rather than failing and returning false.
>
> Code patch below. I would also remove all of the
> "farmWarDeployer.renameFail" error message keys from the resource bundles.

+1.

Might be worth a wider review of where else File.renameTo() is used.

This is Java 7 so it can also be back-ported to 8.5.x.

Mark
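The difference the proposal above relies on, as an added example that is not the patch from this thread and not Tomcat's code: `File.renameTo` reports failure only as `false`, while `Files.move` throws an exception that names the path and the cause. The `moveWar` helper, its atomic-first fallback and the file names are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

public class WarMoveExample {

    /** Old pattern: a failure is only a boolean, with no reason attached. */
    static boolean renameOld(File from, File to) {
        return from.renameTo(to);
    }

    /**
     * Hypothetical helper. Tries an atomic rename first so that a directory
     * watcher never sees a half-written archive; when source and target are on
     * different file stores it falls back to a copy-and-delete move.
     */
    static void moveWar(Path from, Path to) throws IOException {
        try {
            Files.move(from, to, StandardCopyOption.ATOMIC_MOVE);
        } catch (AtomicMoveNotSupportedException e) {
            Files.move(from, to, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a scratch directory.
        Path dir = Files.createTempDirectory("farm-demo");
        Path war = Files.write(dir.resolve("app.war"), new byte[] {0x50, 0x4b});
        Path deployDir = Files.createDirectory(dir.resolve("deploy"));

        moveWar(war, deployDir.resolve("app.war"));
        System.out.println("moved: " + Files.exists(deployDir.resolve("app.war")));

        // The source is gone now. renameTo only says false; Files.move says why.
        File target = new File(deployDir.toFile(), "again.war");
        System.out.println("renameTo returned: " + renameOld(war.toFile(), target));
        try {
            moveWar(war, target.toPath());
        } catch (IOException e) {
            System.out.println("Files.move threw: " + e);
        }
    }
}
```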
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311472300
## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");
Review comment: I was thinking more along the lines of a nested element in the Context as they would be consistent with other Tomcat configuration.
[GitHub] [tomcat] michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311466031
## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");
Review comment: I use my fabulous [`PropertiesRoleMappingListener`](http://mo-tomcat-ext.sourceforge.net/xref/net/sf/michaelo/tomcat/extras/listeners/PropertiesRoleMappingListener.html#PropertiesRoleMappingListener) for this. I absolutely don't mind to amalgamate it into upstream somehow.
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311457083
## File path: test/org/apache/catalina/realm/TestRealmBase.java ##
@@ -789,4 +791,45 @@ public void testHttpConstraint() throws IOException { Assert.assertFalse(mapRealm.hasResourcePermission( request, response, constraintsDelete, null)); } + +@Test +public void testRoleMapping() throws Exception { +Context context = new TesterContext() { +private Map roleMapping = new HashMap<>(); + +public void addRoleMapping(String role, String link) { +roleMapping.put(role, link); +} + +@Override +public String findRoleMapping(String role) { +return roleMapping.get(role); +} +}; + +context.addRoleMapping(ROLE2, "very-complex-role-name");
Review comment: The only way to add these Context mappings (currently) is via code. There is no mechanism to do this via configuration. Possibly as a separate enhancement, consider adding such an option. See https://bz.apache.org/bugzilla/show_bug.cgi?id=55477
[Bug 55477] Add a solution to map an realm name to a security role
https://bz.apache.org/bugzilla/show_bug.cgi?id=55477
--- Comment #10 from Mark Thomas ---
Context.addRoleMapping() does most of what is required (at least it will after bug 63636 is fixed). Just need a way to add the roles via configuration rather than JMX / code.
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311451173
## File path: java/org/apache/catalina/realm/RealmBase.java ##
@@ -928,6 +928,15 @@ public boolean hasRole(Wrapper wrapper, Principal principal, String role) { } } +// Check for a role alias/mapping defined on context level +if (getContainer() instanceof Context) { +Context context = (Context) getContainer(); +String realRole = context.findRoleMapping(role);
Review comment: The above code is only used when the Realm is defined at the Context level. That isn't what is required here. The role mappings need to be checked for the current Context irrespective of where the Realm is defined. Something like: `Context context = (Context) wrapper.getParent();` A similar change would also need to be made to `UserDatabaseRealm` and potentially other sub-classes. Consider moving this to `Wrapper.findSecurityReference`. i.e. Look up Wrapper references first and if none found try the Context.
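The lookup order described in the review comment above (Wrapper references first, then the Context's role mappings), as an added example that is not Tomcat's code and not part of the pull request. `AppContext`, `ServletWrapper`, `hasRole` and the role names are hypothetical stand-ins so the model runs without Tomcat; returning null for an unmapped role follows the test stub quoted in this thread.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class RoleResolutionExample {

    /** Hypothetical stand-in for a Context: application-wide role mappings. */
    static class AppContext {
        private final Map<String, String> roleMappings = new HashMap<>();

        void addRoleMapping(String role, String link) { roleMappings.put(role, link); }

        /** Assumption: returns null when the role has no mapping. */
        String findRoleMapping(String role) {
            return roleMappings.get(role);
        }
    }

    /** Hypothetical stand-in for a Wrapper: per-servlet references and a parent. */
    static class ServletWrapper {
        private final Map<String, String> references = new HashMap<>();
        private final AppContext parent;

        ServletWrapper(AppContext parent) {
            this.parent = parent;
        }

        void addSecurityReference(String name, String link) { references.put(name, link); }

        /** Wrapper references win; the Context is consulted only if none is found. */
        String findSecurityReference(String name) {
            String link = references.get(name);
            if (link == null && parent != null) {
                link = parent.findRoleMapping(name);
            }
            return link;
        }
    }

    /** Resolves through the wrapper, so it does not matter where the realm is defined. */
    static boolean hasRole(ServletWrapper wrapper, Set<String> granted, String role) {
        String realRole = (wrapper == null) ? null : wrapper.findSecurityReference(role);
        String effective = (realRole != null) ? realRole : role;
        return effective != null && granted.contains(effective);
    }

    public static void main(String[] args) {
        AppContext context = new AppContext();
        context.addRoleMapping("role2", "very-complex-role-name");
        context.addRoleMapping("admin", "context-admins");
        ServletWrapper wrapper = new ServletWrapper(context);
        wrapper.addSecurityReference("admin", "servlet-admins");

        // Constructed principal: holds the two real role names, not the aliases.
        Set<String> user = new HashSet<>(Arrays.asList("very-complex-role-name", "context-admins"));
        System.out.println("role2 via context mapping: " + hasRole(wrapper, user, "role2"));
        System.out.println("admin shadowed by wrapper:  " + hasRole(wrapper, user, "admin"));
        System.out.println("unmapped role, not granted: " + hasRole(wrapper, user, "auditor"));
        System.out.println("alias held, real role not:  "
                + hasRole(wrapper, new HashSet<>(Arrays.asList("role2")), "role2"));
    }
}
```

Only the first check grants access: the wrapper-level reference for `admin` shadows the Context mapping, and a mapped alias replaces the requested role instead of being accepted alongside it.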
[GitHub] [tomcat] markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
markt-asf commented on a change in pull request #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#discussion_r311445088
## File path: webapps/docs/changelog.xml ##
@@ -47,6 +47,10 @@ + +63636: Context.findRoleMapping() never called +in RealmBase#hasRole(). (michaelo) +
Review comment: Please see the notes at the top of this file regarding the ordering of sections and the ordering of elements in each section.
[Bug 63646] New: IOException when default CATALINA_TMPDIR directory doesn't exist
https://bz.apache.org/bugzilla/show_bug.cgi?id=63646
Bug ID: 63646
Summary: IOException when default CATALINA_TMPDIR directory doesn't exist
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: qudongf...@gmail.com
Target Milestone: -

There will be an IOException when createTempDirectory(Path,String,FileAttribute[]) is invoked if the directory CATALINA_TMPDIR points to does not exist. CATALINA_TMPDIR defaults to $CATALINA_BASE/temp and it seems that no one is there to make sure the directory exists.

[1] https://github.com/apache/tomcat/blob/b724612ef327f1e3c493de44b29ae24e1d757d0f/bin/catalina.sh#L43
[2] http://hg.openjdk.java.net/jdk/jdk/file/f81dbe27a7b1/src/java.base/share/classes/java/nio/file/Files.java#l964
[3] http://hg.openjdk.java.net/jdk/jdk/file/f81dbe27a7b1/src/java.base/share/classes/java/nio/file/TempFileHelper.java
[GitHub] [tomcat] michael-o commented on issue #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
michael-o commented on issue #186: BZ 63636: Context#findRoleMapping() never called in RealmBase#hasRole()
URL: https://github.com/apache/tomcat/pull/186#issuecomment-518968325
Tests for master and 8.5.x pass. Ready to merge. Will then backport to 7.0.x if possible.