[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=21&rev2=22 Comment: Add link to Security page. When the above flag is set, Tomcat recycles facades to its internal objects when request processing completes. This makes it easier to spot illegal access when it happens, instead of waiting until side effects of such access become visible.<><> This flag is also mentioned on the [[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#System_Properties|Security Considerations]] page.<><> - The flag is `true` when Tomcat runs with enabled [[http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html|Java Security Manager]]. + The flag is `true` when Tomcat runs with enabled [[http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html|Java Security Manager]].<><> + You can also search the archives of the Tomcat users' [[http://tomcat.apache.org/lists.html|mailing lists]] for previous discussions mentioning the `RECYCLE_FACADES` flag. 2. Read about [[FAQ/KnownIssues#ImageIOIssues|Java ImageIO]] issue. + Accessing response objects after their lifetime can lead to security issues in your application, such as sending responses to wrong clients, mixing up responses. If you can reproduce the issue and the above diagnostic does not show your own bug, but a bug in Apache Tomcat, + * if the problem manifests as a security issue, see [[http://tomcat.apache.org/security.html|how to report it]]. [[CategoryFAQ]] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by
KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=20&rev2=21
Comment:
Rearrange text about Response state troubleshooting
E.g. [[https://bz.apache.org/bugzilla/show_bug.cgi?id=61289|61289]],
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=58457|58457]]
- The main suspect is your own web application keeping a reference to Request /
Response objects outside of their life cycle. (*)
+ The main suspect is '''your own web application''' keeping a reference to
Request / Response objects outside of their life cycle.
+
+ {{{#!wiki note
+
+ The lifetime of the Response object is documented in the
[[Specifications|Servlet specification]]. Quoting from section "5.8 Lifetime of
the Response Object" of Servlet 4.0 specification:
+
+ "Each response object is valid only within the scope of a servlet’s service
method, or within the scope of a filter’s doFilter method, unless the
associated request object has asynchronous processing enabled for the
component. If asynchronous processing on the associated request is started,
then the response object remains valid until complete method on !AsyncContext
is called."
+
+ In case of asynchronous processing, when an error occurs Tomcat notifies all
registered `AsyncListener`s and then calls `complete()` automatically if none
of the listeners have called it yet. (Reference:
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=61768#c3|61768]])
+
+ Also see sections "2.3.3.4 Thread Safety" and "3.13 Lifetime of the Request
Object" of the same specification.
+ }}}
+
+ To troubleshoot the issue:
1. Set the following
[[http://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html#Security|system
property]] in Tomcat configuration:
{{{org.apache.catalina.connector.RECYCLE_FACADES=true}}}
- When flag is set, Tomcat recycles facades to its internal objects when
request processing completes. This makes it easier to spot illegal access when
it happens, instead of waiting until side effects of such access become
visible.<><>
+ When the above flag is set, Tomcat recycles facades to its internal objects
when request processing completes. This makes it easier to spot illegal access
when it happens, instead of waiting until side effects of such access become
visible.<><>
- This flag is also mentioned on the
[[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#System_Properties|Security
Considerations]] page. The flag is `true` when Tomcat runs with enabled
[[http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html|Java
Security Manager]].
+ This flag is also mentioned on the
[[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#System_Properties|Security
Considerations]] page.<><>
+ The flag is `true` when Tomcat runs with enabled
[[http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html|Java
Security Manager]].
2. Read about [[FAQ/KnownIssues#ImageIOIssues|Java ImageIO]] issue.
- (*) '''Note'''
-
- The lifetime of the Response object is documented in the
[[Specifications|Servlet specification]]. Quoting from section "5.8 Lifetime of
the Response Object" of Servlet 4.0 specification:
-
- || Each response object is valid only within the scope of a servlet’s service
method, or within the scope of a filter’s doFilter method, unless the
associated request object has asynchronous processing enabled for the
component. If asynchronous processing on the associated request is started,
then the response object remains valid until complete method on AsyncContext is
called. ||
-
- In case of asynchronous processing, when an error occurs Tomcat notifies all
registered `AsyncListener`s and then calls `complete()` automatically if none
of the listeners have called it yet. (Reference:
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=61768#c3|61768]])
-
- Also see sections "2.3.3.4 Thread Safety" and "3.13 Lifetime of the Request
Object" of the same specification.
[[CategoryFAQ]]
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by
KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=19&rev2=20
Comment:
Document what is the lifetime of Request/Response objects. Reference the
specification.
E.g. [[https://bz.apache.org/bugzilla/show_bug.cgi?id=61289|61289]],
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=58457|58457]]
- The main suspect is your own web application keeping a reference to Request /
Response objects outside of their life cycle.
+ The main suspect is your own web application keeping a reference to Request /
Response objects outside of their life cycle. (*)
1. Set the following
[[http://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html#Security|system
property]] in Tomcat configuration:
{{{org.apache.catalina.connector.RECYCLE_FACADES=true}}}
- This flag instructs Tomcat to recycle facades to its internal objects, so
that it is easier to spot illegal access when it happens, instead of waiting
until internal state of referenced object becomes corrupted from concurrent
access.
+ When flag is set, Tomcat recycles facades to its internal objects when
request processing completes. This makes it easier to spot illegal access when
it happens, instead of waiting until side effects of such access become
visible.<><>
+ This flag is also mentioned on the
[[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#System_Properties|Security
Considerations]] page. The flag is `true` when Tomcat runs with enabled
[[http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html|Java
Security Manager]].
2. Read about [[FAQ/KnownIssues#ImageIOIssues|Java ImageIO]] issue.
+
+ (*) '''Note'''
+
+ The lifetime of the Response object is documented in the
[[Specifications|Servlet specification]]. Quoting from section "5.8 Lifetime of
the Response Object" of Servlet 4.0 specification:
+
+ || Each response object is valid only within the scope of a servlet’s service
method, or within the scope of a filter’s doFilter method, unless the
associated request object has asynchronous processing enabled for the
component. If asynchronous processing on the associated request is started,
then the response object remains valid until complete method on AsyncContext is
called. ||
+
+ In case of asynchronous processing, when an error occurs Tomcat notifies all
registered `AsyncListener`s and then calls `complete()` automatically if none
of the listeners have called it yet. (Reference:
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=61768#c3|61768]])
+
+ Also see sections "2.3.3.4 Thread Safety" and "3.13 Lifetime of the Request
Object" of the same specification.
[[CategoryFAQ]]
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=18&rev2=19 Comment: Change section title * A good place for a breakpoint is `org.apache.catalina.connector.CoyoteAdapter.service()` method. That is the entry point from Tomcat connectors and into the Servlet engine. At that place your request has already been received and its processing starts. - == Troubleshooting Response State Problems == + == Troubleshooting unexpected Response state problems == - If you encounter problems that manifest themselves as accessing a request / response that is an inconsistent state. + If you encounter problems that manifest themselves as accessing a request or response that is an inconsistent state. E.g. [[https://bz.apache.org/bugzilla/show_bug.cgi?id=61289|61289]], [[https://bz.apache.org/bugzilla/show_bug.cgi?id=58457|58457]] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change
notification.
The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by
KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=17&rev2=18
Comment:
Add a section on RECYCLE_FACADES
* A good place for a breakpoint is
`org.apache.catalina.connector.CoyoteAdapter.service()` method. That is the
entry point from Tomcat connectors and into the Servlet engine. At that place
your request has already been received and its processing starts.
+ == Troubleshooting Response State Problems ==
+
+ If you encounter problems that manifest themselves as accessing a request /
response that is an inconsistent state.
+
+ E.g. [[https://bz.apache.org/bugzilla/show_bug.cgi?id=61289|61289]],
[[https://bz.apache.org/bugzilla/show_bug.cgi?id=58457|58457]]
+
+ The main suspect is your own web application keeping a reference to Request /
Response objects outside of their life cycle.
+
+ 1. Set the following
[[http://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html#Security|system
property]] in Tomcat configuration:
+
+ {{{org.apache.catalina.connector.RECYCLE_FACADES=true}}}
+
+ This flag instructs Tomcat to recycle facades to its internal objects, so
that it is easier to spot illegal access when it happens, instead of waiting
until internal state of referenced object becomes corrupted from concurrent
access.
+
+ 2. Read about [[FAQ/KnownIssues#ImageIOIssues|Java ImageIO]] issue.
+
[[CategoryFAQ]]
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=14&rev2=15 Comment: Add note on IPv4 vs IPv6. 1. Look into [[HowTo#How_do_I_log_requests_.3F|Tomcat access log]] (the log file generated by AccessLogValve). * If your request is not listed there, then it has not been processed by Tomcat. You need to look elsewhere (e.g. at your firewall). + * You will see what IP address your client is using, and whether it is using an IPv4 (`127.0.0.1`) or IPv6 address (`0:0:0:0:0:0:0:1`). Modern operating systems can use IPv6 addresses for localhost / local network access, while external network is still using IPv4. 2. [[HowTo#How_do_I_obtain_a_heap_dump.3F|Take a thread dump]]. This way you will find out what Tomcat is actually doing. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=13&rev2=14 Comment: Add a TOC Troubleshooting and Diagnostics techniques. + + <> == Techniques & Reference == * [[HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F| How To: Capture a thread dump]] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=12&rev2=13 Comment: Add some common troubleshooting scenario From Java 6 a process needn't have the management agent enabled when it starts, as the Attach API permits the management agent to be activated on demand. + == Common Troubleshooting Scenario == + + If you ''have already looked into Tomcat logs'', there are no error messages, and you just want to find out what is going on, you may try the following + + 1. Look into [[HowTo#How_do_I_log_requests_.3F|Tomcat access log]] (the log file generated by AccessLogValve). + + * If your request is not listed there, then it has not been processed by Tomcat. You need to look elsewhere (e.g. at your firewall). + + 2. [[HowTo#How_do_I_obtain_a_heap_dump.3F|Take a thread dump]]. This way you will find out what Tomcat is actually doing. + + * If you are troubleshooting some process that takes noticeable time, take several (three) thread dumps with some interval between them. This way you will see if there are any changes, any progress. + + 3. Try [[FAQ/Developing#Debugging|debugging]]. + + * A good place for a breakpoint is `org.apache.catalina.connector.CoyoteAdapter.service()` method. That is the entry point from Tomcat connectors and into the Servlet engine. At that place your request have already been received and its processing starts. + [[CategoryFAQ]] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=11&rev2=12 Comment: Add category link. From Java 6 a process needn't have the management agent enabled when it starts, as the Attach API permits the management agent to be activated on demand. + + [[CategoryFAQ]] + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "FAQ/Troubleshooting_and_Diagnostics" by KonstantinKolinko
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "FAQ/Troubleshooting_and_Diagnostics" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics?action=diff&rev1=10&rev2=11 Comment: Add link to FAQ/Developing page - Page stub for Troubleshooting and Diagnostics techniques. + Troubleshooting and Diagnostics techniques. == Techniques & Reference == * [[HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F| How To: Capture a thread dump]] * [[HowTo#How_do_I_obtain_a_heap_dump.3F| How To: Capture a heap dump]] * [[HowTo#How_do_I_read_a_stack_trace.3F| How To: Examine a Stacktrace]] * [[HowTo#How_do_I_debug_a_Tomcat_application.3F| How To: Configure Tomcat for debugging]] + * [[FAQ/Developing| FAQ: Developing]] * [[FAQ/Memory| FAQ: Memory]] * [[MemoryLeakProtection| Tomcat Memory Leak Protection]] * [[http://java.sun.com/developer/technicalArticles/J2SE/monitoring/| Sun Technical Article: Monitoring and Managing Java SE 6 Platform Applications]] - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
