Job priority (AS/400s)

2016-03-30 Thread James H. H. Lampert
Earlier this week, we noticed that the JVM job (QP0ZPWT) associated with 
the CATALINA job of a Tomcat server runs at Priority 6. This priority 
level puts it ahead of everything but the operating system itself.


This morning, a response to a query on the Java forum at Midrange.com 
pointed me to this excerpt from catalina.sh:



if $os400; then
  # Set job priority to standard for interactive (interactive - 6) by using
  # the interactive priority - 6, the helper threads that respond to requests
  # will be running at the same priority as interactive jobs.
  COMMAND='chgjob job('$JOBNAME') runpty(6)'
  system $COMMAND

  # Enable multi threading
  export QIBM_MULTI_THREADED=Y
fi


This seems to be based on a misconception: run priority is a value from 
0 to 99, with lower numbers denoting greater importance. 0 is reserved 
for the operating system itself, 1-15 are typically also used for the 
operating system itself, 20 is used for most interactive jobs, and 50 and 
up is used for most batch jobs (including server jobs).


Note: interactive jobs -- people signed on to physical terminals, or to 
terminal emulators -- typically run at priority 20. NOT priority 6.


By setting Tomcat's JVM job at priority 6, we are not only putting it 
ahead of interactive jobs, but also ahead of all but the most important 
system jobs.


Is there a reason for this? Or was it a simple misunderstanding of how 
priority works on AS/400s?


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Monitoring Tomcat

2016-03-30 Thread Christopher Schultz
Anthony,

On 3/30/16 6:08 PM, Anthony Biacco wrote:
> On Wed, Mar 30, 2016 at 9:13 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Edwin,
> 
> 
> For my money, I wouldn't enable JMX because, for monitoring, JMX is a
> heavy-handed protocol: you either have to maintain a persistent
> connection to the server or you need to launch a whole JVM and connect
> over JMX to get e.g. a single sample value (such as current throughput).
> 
> I would recommend enabling the JMXProxyServlet through the manager
> application, and then locking-down the manager application so you can
> only access it from localhost. Also use a non-trivial password for
> HTTP authentication for the manager.
> 
> 
>> +1
>> I was using the jmxquery jar pulled from nagios and it was slooow compared to
>> the manager's jmxproxy (as would be expected).
>> I just used the perl script from
>> https://wiki.apache.org/tomcat/FAQ/Monitoring and assigned a user to the
>> manager-jmx security role in tomcat.

Nice to see someone else is using it ;)

Feel free to contribute to it or just complain about anything you need.
I'd like for that tool to be widely-useful. I use it a lot at $work, but
it should be universally useful.

-chris
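Added example (not Chris's tool, not the FAQ's perl script, not Tomcat code): a small Python checker that parses the plain-text responses of the manager's JMXProxyServlet and maps one attribute to a Nagios-style status, the kind of poll a monitoring system would run against a manager app that is restricted to localhost and protected by HTTP authentication. The sample responses are constructed; the "OK - Attribute get '...' - attr = value" line shape is what the servlet prints for a get= request (confirm it against your Tomcat version). The manager URL, bean name, user and password are placeholders.

```python
"""Parse Tomcat JMXProxyServlet output and turn a thread-pool attribute into a status."""
import base64
import re
import urllib.request

# get=<bean>&att=<attr> answers with a single line of this shape (assumed format).
GET_LINE = re.compile(
    r"^OK - Attribute get '(?P<bean>[^']+)' - (?P<attr>\S+) = (?P<value>.*)$")

# Constructed sample responses, standing in for what the servlet would return.
SAMPLE_GET = ("OK - Attribute get 'Catalina:type=ThreadPool,name=\"http-bio-8080\"'"
              " - currentThreadsBusy = 137\n")
SAMPLE_QRY = """OK - Number of results: 1

Name: Catalina:type=ThreadPool,name="http-bio-8080"
modelerType: org.apache.tomcat.util.net.JIoEndpoint
currentThreadsBusy: 137
currentThreadCount: 200
maxThreads: 200
"""
SAMPLE_ERR = "Error - javax.management.AttributeNotFoundException: No such attribute: nope\n"


class JmxProxyError(Exception):
    """Raised when the servlet reports an error instead of a value."""


def parse_get_response(text):
    """Return (bean, attribute, value) from a get= response, or raise JmxProxyError."""
    line = text.strip().splitlines()[0] if text.strip() else ""
    if line.startswith("Error"):
        raise JmxProxyError(line)
    m = GET_LINE.match(line)
    if not m:
        raise JmxProxyError("unrecognised response: %r" % line)
    return m.group("bean"), m.group("attr"), m.group("value")


def get_value(text):
    """Convenience wrapper: the value string from a get= response, or None on error."""
    try:
        return parse_get_response(text)[2]
    except JmxProxyError:
        return None


def parse_qry_response(text):
    """Return {bean name: {attribute: value}} from a qry= response."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("OK"):
        raise JmxProxyError(lines[0] if lines else "empty response")
    beans, current = {}, None
    for line in lines[1:]:
        if not line.strip():
            current = None          # blank line separates beans
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue                # tolerate lines that are not key/value pairs
        if key == "Name":
            current = beans.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return beans


def nagios_status(busy, max_threads, warn_pct=75, crit_pct=90):
    """Map pool utilisation to an (exit code, label) pair in Nagios convention."""
    if max_threads <= 0:
        return 3, "UNKNOWN"
    pct = 100.0 * busy / max_threads
    if pct >= crit_pct:
        return 2, "CRITICAL"
    if pct >= warn_pct:
        return 1, "WARNING"
    return 0, "OK"


def fetch(url, user, password, timeout=5):
    """GET one servlet URL with HTTP basic auth. Point it only at the localhost
    address the manager app is locked down to."""
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholders: the manager URL, bean name and manager-jmx user are assumptions.
    url = ("http://127.0.0.1:8080/manager/jmxproxy/?get="
           "Catalina:type=ThreadPool,name=%22http-bio-8080%22&att=currentThreadsBusy")
    text = SAMPLE_GET   # live: fetch(url, "monitor", "<manager-jmx password>")
    bean, attr, value = parse_get_response(text)
    code, label = nagios_status(int(value), 200)
    print("%s - %s %s=%s" % (label, bean, attr, value))
    raise SystemExit(code)
```

The qry= parser is there because one query for the whole ThreadPool bean gives both currentThreadsBusy and maxThreads, so the thresholds can be computed without a second round trip.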




Re: Invoker and Welcome page

2016-03-30 Thread Christopher Schultz
Federico,

On 3/30/16 5:14 PM, Federico Alvarez wrote:
> I'm using Tomcat 6.0.44 with Invoker Servlet, I know it is a bad
> idea/decision, but by now it is not in my reach to change that.

You are at risk of attack. That may change your stance on what is within
your reach.

> I'm using the ROOT webapp.
> 
> What I need is to have a welcome page (index.htm) in the same
> directory I'm mapping with invoker.
> 
> So, my WEB.XML looks like this:
> 
> <servlet-mapping>
>   <servlet-name>invoker</servlet-name>
>   <url-pattern>/*</url-pattern>
> </servlet-mapping>

Can you enumerate the URLs you need to use the invoker with, and then
only map those using individual <url-pattern>s? If so, then all your
problems will likely go away.

> And my folder structure looks like this:
> 
> Tomcat
>   Webapps
>     ROOT
>       index.htm
>       images
>         *.js, ...
>       WEB-INF
>         Web.xml
>         Classes
>           *.class, ...
> 
> The idea is for a user to enter the URL:
> 
> http://myserver:8080
> 
> And have it [respond with] "index.htm", which will have a redirect to
> http://myserver:8080/loginpage.
> 
> By now http://myserver:8080/loginpage is working, but not the
> welcome page.
> 
> In Tomcat's WEB.XML the welcome page list is correctly defined, and
> removing the invoker mapping makes the welcome page work. Probably
> because it gets [handled] by the default [servlet]?

Correct.

> It seems to me that one folder can only be [handled] by one [servlet],
> and
> that the invoker cannot be used with welcome pages. But maybe I'm wrong
> and there is a workaround.

No, the DefaultServlet handles welcome-files, and the invoker does
something different. By mapping the invoker servlet to "/*", you are
essentially disabling the DefaultServlet.

> If anyone has any idea of how to have this working it will be more
> than welcome.

If you can enumerate every servlet you expect to require the use of the
invoker, then you can simply map them separately like this:


<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/com/geocomm/servlet/ServletA</url-pattern>
  <url-pattern>/com/geocomm/servlet/ServletB</url-pattern>
  <url-pattern>/com/geocomm/servlet/ServletC</url-pattern>
  ...
</servlet-mapping>

This will also close the biggest security problem associated with the
invoker servlet.

-chris




Re: long running socketwrite

2016-03-30 Thread Rallavagu



On 3/30/16 10:25 AM, Rallavagu wrote:



On 3/30/16 9:55 AM, Christopher Schultz wrote:


Rallavagu,

On 3/30/16 11:54 AM, Rallavagu wrote:

Tomcat 7.0.47, JDK 7

I have following long running socketwrite thread (more than 10
sec). Wondering what could cause this so I can further look and
investigate.

"http-bio-28080-exec-1497" daemon prio=10 tid=0x7f812c230800 nid=0x72fa runnable [0x7f80010f9000]
   java.lang.Thread.State: RUNNABLE
   at java.net.SocketOutputStream.socketWrite0(Native Method)
   at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
   at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
   at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:215)
   at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480)
   at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:119)
   at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:805)
   at org.apache.coyote.Response.action(Response.java:174)
   at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:366)
   at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:333)
   at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:101)
   at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper$SaveContextServletOutputStream.flush(SaveContextOnUpdateOrErrorResponseWrapper.java:354)
   at com.sun.jersey.spi.container.servlet.WebComponent$Writer.flush(WebComponent.java:308)
   at com.sun.jersey.spi.container.ContainerResponse$CommittingOutputStream.flush(ContainerResponse.java:146)
   at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:297)
   at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
   - locked <0x00075a610750> (a java.io.OutputStreamWriter)
   at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
   at java.io.BufferedWriter.flush(BufferedWriter.java:254)
   - locked <0x00075a610750> (a java.io.OutputStreamWriter)
   at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
   at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
   at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88)
   at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58)
   at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302)
   at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510)
   at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
   at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
   at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
   at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
   at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)


This is during slow response times where many threads were opened
(Tomcat configured with 500). Also, thread dump shows that 240 of
tomcat threads are in following state which suggests that they are
idle.

"http-bio-28080-exec-1230" daemon prio=10 tid=0x7f812c361800 nid=0x29a0 waiting on condition [0x7f810a7e6000]
   java.lang.Thread.State: TIMED_WAITING (parking)
   at sun.misc.Unsafe.park(Native Method)
   - parking to wait for <0x00071d193f50> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
   at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
   at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
   at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
   at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
   at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
   at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:744)

Any clues would help. Thanks.


So ~50% of your request-processing threads are active, and at least
one of them is hanging on socket.write().

I would imagine you have a slow or unreliable client (e.g. mobile
phone with a bad connection) or the client has disappeared but the
socket hasn't closed, yet.

You can set write timeouts on your sockets, but you might end up
with more server-side errors and 

Re: Monitoring Tomcat

2016-03-30 Thread Anthony Biacco
On Wed, Mar 30, 2016 at 9:13 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Edwin,
>
>
> For my money, I wouldn't enable JMX because, for monitoring, JMX is a
> heavy-handed protocol: you either have to maintain a persistent
> connection to the server or you need to launch a whole JVM and connect
> over JMX to get e.g. a single sample value (such as current throughput).
>
> I would recommend enabling the JMXProxyServlet through the manager
> application, and then locking-down the manager application so you can
> only access it from localhost. Also use a non-trivial password for
> HTTP authentication for the manager.
>
>
+1
I was using the jmxquery jar pulled from nagios and it was slooow compared to
the manager's jmxproxy (as would be expected).
I just used the perl script from
https://wiki.apache.org/tomcat/FAQ/Monitoring and assigned a user to the
manager-jmx security role in tomcat.

-Tony



> That ought to cover just about everything except for a local
> intrusion, in which case you've already been pwned.
>
> -chris
>
> >  From: Leonardo
> > Santagostini  Sent: Tuesday, March 29,
> > 2016 12:20 AM To: Tomcat Users List Subject: Re: Monitoring Tomcat
> >
> > My two cents:
> >
> > You can also use Zabbix to monitor your Tomcat using JMX.
> >
> > Also, Zabbix is used from templates. So once you have one machine
> > monitored as you expected, you can easily deploy it on your other
> > machines, and best of all, you don't need to use apps like
> > Jolokia. But bear in mind that there are some security concerns.
> >
> > Best regards El mar 28, 2016 8:56 p.m., "Edwin Quijada"
> >  escribió:
> >
> >> Thks!
> >>
> >>  From: Mark Eggers
> >>  Sent: Monday, March 28, 2016
> >> 10:32 PM To: Tomcat Users List Subject: Re: Monitoring Tomcat
> >>
> >> https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html
> >> https://wiki.apache.org/tomcat/FAQ/Monitoring
> >>
> >> Basically enable JMX, then use a wide variety of tools to query
> >> an even wider variety of information.
> >>
> >> Please note that there are security issues when enabling JMX.
> >> Read the first link above for details.
> >>
> >> . . . just my two cents /mde/
> >>
> >> On 3/28/2016 3:23 PM, Edwin Quijada wrote:
> >>> Hi! I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I
> >>> want to monitor
> >> the speed and resources of this. I add to 1024mb to Tomcat
> >> because the app and DB are on the same server.
> >>>
> >>> What application can I use to monitor performance of this
> >>> Tomcat ?
> >>>
> >>>
> >>> TIA
> >>>


Invoker and Welcome page

2016-03-30 Thread Federico Alvarez
Hi,

I'm using Tomcat 6.0.44 with Invoker Servlet, I know it is a 
bad idea/decision, but by now it is not in my reach to change that.

I'm using the ROOT webapp.

What I need is to have a welcome page (index.htm) in the same 
directory I'm mapping with invoker.

So, my WEB.XML looks like this:


<servlet-mapping>
   <servlet-name>invoker</servlet-name>
   <url-pattern>/*</url-pattern>
</servlet-mapping>


And my folder structure looks like this:

Tomcat
  Webapps
    ROOT
      index.htm
      images
        *.js, ...
      WEB-INF
        Web.xml
        Classes
          *.class, ...

The idea is for a user to enter the URL:

http://myserver:8080

And have it attended by "index.htm", which will have a 
redirect to http://myserver:8080/loginpage.

By now http://myserver:8080/loginpage is working, but not the welcome page.

In Tomcat's WEB.XML the welcome page list is correctly defined, and removing 
the invoker mapping makes the welcome page work. Probably because it gets 
attended by the default?

It seems to me that one folder can only be attended by one mapper, and that the 
invoker cannot be used with welcome pages. But maybe I'm wrong and there is a 
workaround.

If anyone has any idea of how to have this working it will be more than welcome.

Best regards,
Federico.


Re: WebEx meeting rescheduled: Introducing Apache Tomcat 8.5

2016-03-30 Thread Christopher Schultz

Mark,

On 3/25/16 6:13 PM, Mark Thomas wrote:
> Hello, Mark Thomas changed the time for this WebEx meeting.
> 
> 
> 
> *Introducing Apache Tomcat 8.5* Wednesday, 30 March 2016 20:00  |
> GMT Summer Time (London, GMT+01:00)  |  1 hr

Awesome. My inability to properly perform timezone arithmetic has
caused me to miss this presentation. :(

I had no idea there was a "GMT Summer". I thought GMT was GMT. :(

-chris



Re: WebEx meeting rescheduled: Introducing Apache Tomcat 8.5

2016-03-30 Thread gustavo . avitabile

I tried to join this meeting, but I got the message
Your version of Cisco WebEx does not support Windows 10
So, is it possible to attend such events if one is
running Windows 10?
Gustavo Avitabile

Quoting Mark Thomas :



Hello,

Mark Thomas changed the time for this WebEx meeting.


Introducing Apache Tomcat 8.5
Wednesday, 30 March 2016
20:00  |  GMT Summer Time (London, GMT+01:00)  |  1 hr


JOIN WEBEX MEETING
https://pivotal.webex.com/pivotal/j.php?MTID=m539c2bcd3a7c2c48a28a87bfb71d8302
Meeting number: 645 574 764


Add this meeting to your calendar (Cannot add from mobile devices):
https://pivotal.webex.com/pivotal/j.php?MTID=mc2f05eecbb3d8288cc8086fa8940c472


Can't join the meeting? Contact support here:
https://pivotal.webex.com/pivotal/mc


IMPORTANT NOTICE: Please note that this WebEx service allows audio  
and other information sent during the session to be recorded, which  
may be discoverable in a legal matter. By joining this session, you  
automatically consent to such recordings. If you do not consent to  
being recorded, discuss your concerns with the host or do not join  
the session.










Re: long running socketwrite

2016-03-30 Thread Rallavagu



On 3/30/16 9:55 AM, Christopher Schultz wrote:


Rallavagu,

On 3/30/16 11:54 AM, Rallavagu wrote:

Tomcat 7.0.47, JDK 7

I have following long running socketwrite thread (more than 10
sec). Wondering what could cause this so I can further look and
investigate.

"http-bio-28080-exec-1497" daemon prio=10 tid=0x7f812c230800 nid=0x72fa runnable [0x7f80010f9000]
   java.lang.Thread.State: RUNNABLE
   at java.net.SocketOutputStream.socketWrite0(Native Method)
   at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
   at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
   at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:215)
   at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480)
   at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:119)
   at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:805)
   at org.apache.coyote.Response.action(Response.java:174)
   at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:366)
   at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:333)
   at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:101)
   at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper$SaveContextServletOutputStream.flush(SaveContextOnUpdateOrErrorResponseWrapper.java:354)
   at com.sun.jersey.spi.container.servlet.WebComponent$Writer.flush(WebComponent.java:308)
   at com.sun.jersey.spi.container.ContainerResponse$CommittingOutputStream.flush(ContainerResponse.java:146)
   at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:297)
   at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
   - locked <0x00075a610750> (a java.io.OutputStreamWriter)
   at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
   at java.io.BufferedWriter.flush(BufferedWriter.java:254)
   - locked <0x00075a610750> (a java.io.OutputStreamWriter)
   at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
   at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
   at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88)
   at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58)
   at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302)
   at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510)
   at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
   at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
   at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
   at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
   at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)


This is during slow response times where many threads were opened
(Tomcat configured with 500). Also, thread dump shows that 240 of
tomcat threads are in following state which suggests that they are
idle.

"http-bio-28080-exec-1230" daemon prio=10 tid=0x7f812c361800 nid=0x29a0 waiting on condition [0x7f810a7e6000]
   java.lang.Thread.State: TIMED_WAITING (parking)
   at sun.misc.Unsafe.park(Native Method)
   - parking to wait for <0x00071d193f50> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
   at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
   at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
   at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
   at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
   at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
   at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:744)

Any clues would help. Thanks.


So ~50% of your request-processing threads are active, and at least
one of them is hanging on socket.write().

I would imagine you have a slow or unreliable client (e.g. mobile
phone with a bad connection) or the client has disappeared but the
socket hasn't closed, yet.

You can set write timeouts on your sockets, but you might end up
with more server-side errors and cranky clients getting connections
dropped.



Re: long running socketwrite

2016-03-30 Thread Christopher Schultz

Rallavagu,

On 3/30/16 11:54 AM, Rallavagu wrote:
> Tomcat 7.0.47, JDK 7
> 
> I have following long running socketwrite thread (more than 10
> sec). Wondering what could cause this so I can further look and
> investigate.
> 
> "http-bio-28080-exec-1497" daemon prio=10 tid=0x7f812c230800 nid=0x72fa runnable [0x7f80010f9000]
>    java.lang.Thread.State: RUNNABLE
>    at java.net.SocketOutputStream.socketWrite0(Native Method)
>    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
>    at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
>    at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:215)
>    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480)
>    at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:119)
>    at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:805)
>    at org.apache.coyote.Response.action(Response.java:174)
>    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:366)
>    at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:333)
>    at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:101)
>    at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper$SaveContextServletOutputStream.flush(SaveContextOnUpdateOrErrorResponseWrapper.java:354)
>    at com.sun.jersey.spi.container.servlet.WebComponent$Writer.flush(WebComponent.java:308)
>    at com.sun.jersey.spi.container.ContainerResponse$CommittingOutputStream.flush(ContainerResponse.java:146)
>    at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:297)
>    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
>    - locked <0x00075a610750> (a java.io.OutputStreamWriter)
>    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
>    at java.io.BufferedWriter.flush(BufferedWriter.java:254)
>    - locked <0x00075a610750> (a java.io.OutputStreamWriter)
>    at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
>    at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
>    at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88)
>    at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58)
>    at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302)
>    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510)
>    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
>    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
>    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
>    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
>    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
>    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> 
> 
> This is during slow response times where many threads were opened 
> (Tomcat configured with 500). Also, thread dump shows that 240 of
> tomcat threads are in following state which suggests that they are
> idle.
> 
> "http-bio-28080-exec-1230" daemon prio=10 tid=0x7f812c361800 nid=0x29a0 waiting on condition [0x7f810a7e6000]
>    java.lang.Thread.State: TIMED_WAITING (parking)
>    at sun.misc.Unsafe.park(Native Method)
>    - parking to wait for <0x00071d193f50> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
>    at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
>    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
>    at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
>    at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
>    at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
>    at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>    at java.lang.Thread.run(Thread.java:744)
> 
> Any clues would help. Thanks.

So ~50% of your request-processing threads are active, and at least
one of them is hanging on socket.write().

I would imagine you have a slow or unreliable client (e.g. mobile
phone with a bad connection) or the client has disappeared but the
socket hasn't closed, yet.

You can set write timeouts on your sockets, 

Re: AW: AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Christopher Schultz

Sebastian,

On 3/30/16 12:06 PM, Sebastian Trost wrote:
> This is an OpenID Connect implementation for tomcat 8: 
> https://github.com/boylesoftware/tomcat8-oidcauth
> 
> And as far as I know (I'm very new to this, so please correct me
> if I'm wrong) the Valve redirects the user to the OIDC provider
> before he reaches the login form of the tomcat. The Valve also
> sends a redirect_uri to the OIDC provider which he then uses to
> redirect the user back to the tomcat's j_security_check after a
> successful authentication. This redirect contains a token and a
> token id which contains information of the user in JSON format. If
> something went wrong with the authentication on the OIDC provider's
> side, the user will be redirected to the form - I think.
> 
> If I only used a realm I couldn't redirect the user before he 
> reaches the login form. I think.

Yep, anything that interacts with the request/response needs to be in
Valve format. You probably need to implement the Authenticator
interface, otherwise Tomcat will add an authenticator for you into
your valve chain unless you specify "NONE" as your application's
auth-method.

-chris

> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: Wednesday, 30 March 
> 2016 17:03 To: Tomcat Users List 
> Subject: Re: AW: OpenID Connect with Tomcat 8
> 
> Sebastian,
> 
> On 3/30/16 4:42 AM, Sebastian Trost wrote:
>> Well, it seems that I will have to use a Valve + Realm 
>> combination. Thanks!
> 
> What does the Valve add?
> 
> -chris
> 
>> -Original Message- From: Christopher Schultz 
>> [mailto:ch...@christopherschultz.net] Sent: Tuesday, 29
>> March 2016 19:57 To: Tomcat Users List  
>> Subject: Re: OpenID Connect with Tomcat 8
> 
>> Sebastien,
> 
>> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>>> Hi,
> 
>>> I am looking for a way to use OpenID Connect (authentication
>>> AND authorization) with Tomcat 8. I found two ways to get 
>>> authentication working, but not authorization. Here's what I 
>>> tested so far:
> 
>>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>>> This extension works very well for authentication. It isn't
>>> possible to authorize users, though. You can configure a realm
>>> which authorizes the user against LDAP or a database.
> 
>>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>>> + Tomcat 8 This mod works pretty well, too. But the AJP
>>> Connector doesn't seem to receive the roles from the web server
>>> and also relies on the realm to fetch the roles for each user.
> 
>>> With both methods I failed to read the roles OpenID Connect 
>>> supplies with the id token.
> 
>>> I experimented a bit with botching around in tomcat8-oidcauth.
>>> I removed the authenticate()-call and instead built the 
>>> GenericPrincipal object with hard-coded roles on my own. That 
>>> seems to work. But is this safe? Can I just read the token id 
>>> and assume that it is correct and set the roles in the 
>>> GenericPrincipal? Are there any other methods to use both 
>>> authentication AND authorization with tomcat 8?
> 
>> I haven't looked at any of the above projects but if you want to
>>  authenticate and authorize against a different type of backing 
>> database, then you need to create your own Realm. RealmBase 
>> provides some nice utilities, but you aren't required to actually
>>  extend it.
> 
>> The Realm has complete control over how the Principal objects are
>>  created, so if you have a way to identify the user and their
>> roles, then you can simply create a GenericPrincipal and return
>> that on login, and its roles will be used for authentication
>> later.
> 
>> Hope that helps, -chris
> 
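Added example, not from this thread and not code from tomcat8-oidcauth: what the question quoted above ("can I just read the token id and assume that it is correct and set the roles?") comes down to in code. Before a Realm builds a GenericPrincipal from roles carried in an ID token, the token's signature, issuer, audience and expiry have to be verified; otherwise the roles come from whoever produced the token rather than from the provider. The sample signs with HS256 using the client secret as key, which OpenID Connect allows for confidential clients and which keeps the example offline; most providers use RS256 with keys published at a JWKS URL, and the claim checks are identical. The issuer, client id, secret and the name of the roles claim are constructed placeholders, and make_id_token only stands in for the provider.

```python
"""Verify an OpenID Connect ID token before trusting the roles it carries."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example"                 # placeholder OIDC provider
CLIENT_ID = "tomcat-app"                      # placeholder client id (expected audience)
CLIENT_SECRET = "constructed-client-secret"   # placeholder shared secret
ROLES_CLAIM = "roles"                         # claim name is provider-specific (assumption)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret):
    """Sign a claim set as an HS256 JWT; stands in for the provider in this sample."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_id_token(token, secret, issuer, client_id, now=None):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as e:
        raise TokenError("undecodable token: %s" % e)
    # Pin the algorithm: the header is untrusted input until the signature is checked.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise TokenError("token not meant for this client")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or has no exp")
    return claims


def check_id_token(token, secret=CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Non-raising wrapper: (claims, None) on success, (None, reason) on failure."""
    try:
        return verify_id_token(token, secret, issuer, client_id, now), None
    except TokenError as e:
        return None, str(e)


def roles_from_claims(claims, claim=ROLES_CLAIM):
    """Roles to hand to the principal; only call this with verified claims."""
    roles = claims.get(claim, [])
    if isinstance(roles, str):
        roles = roles.split()
    return sorted({str(r) for r in roles})


def tamper_payload(token, new_claims):
    """Re-encode the payload but keep the old signature: a token nobody signed."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(new_claims).encode()) + "." + sig_b64


# Constructed sample: the token the provider would mint for user "alice".
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                 "iat": 1700000000, "exp": 1700003600, ROLES_CLAIM: ["user", "admin"]}
SAMPLE_TOKEN = make_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    claims, err = check_id_token(SAMPLE_TOKEN, now=1700000100)
    print("verified roles:", roles_from_claims(claims) if claims else err)
    print("altered payload:", check_id_token(tamper_payload(SAMPLE_TOKEN, {"sub": "alice"}),
                                             now=1700000100)[1])
```

In a Tomcat Realm the verified claims would feed a GenericPrincipal's role list; the point of the wrapper returning a reason is that a failed check should end in a denied login, not in a principal built from whatever the payload said.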


AW: AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Sebastian Trost
Hi Chris,

This is an OpenID Connect implementation for tomcat 8: 
https://github.com/boylesoftware/tomcat8-oidcauth

And as far as I know (I'm very new to this, so please correct me if I'm wrong) 
the Valve redirects the user to the OIDC provider before he reaches the login 
form of the tomcat. The Valve also sends a redirect_uri to the OIDC provider, 
which it then uses to redirect the user back to the tomcat's j_security_check 
after a successful authentication. This redirect contains a token and a token 
id which contains information about the user in JSON format. If something went 
wrong with the authentication on the OIDC provider's side, the user will be 
redirected to the form - I think. 

If I only used a realm I couldn't redirect the user before he reaches the 
login form. I think. 

Regards
Sebastian


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, 30 March 2016 17:03
To: Tomcat Users List 
Subject: Re: AW: OpenID Connect with Tomcat 8


Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

- -chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, 29 March 2016 19:57
> To: Tomcat Users List
> Subject: Re: OpenID Connect with Tomcat 8
> 
> Sebastien,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 
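Sebastian asks above whether the roles can be read straight out of the id token and trusted. Only once the token itself has been validated: an OIDC relying party checks the signature and the iss, aud (plus azp), exp and nonce claims before using any claim in it (OIDC Core 3.1.3.7). The following is an added example, not code from tomcat8-oidcauth, mod_auth_openidc or either poster; it implements the HS256/client_secret signing variant so it runs on the standard library alone, and the 'roles' claim name, issuer, client id and secret are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def verify_id_token(token, *, client_secret, issuer, client_id, nonce, now=None):
    """Validate an ID token per OIDC Core 3.1.3.7 and return its claims; raise ValueError otherwise.

    The signature check implements the HS256 variant keyed with the client_secret (OIDC Core
    10.1); an RS256 token signed with a key from the provider's JWKS needs an RSA library."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('ID token must have three segments')
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it, and alg "none" is never accepted.
    if header.get('alg') != 'HS256':
        raise ValueError(f'unexpected alg {header.get("alg")!r}')
    signing_input = f'{header_b64}.{payload_b64}'.encode()
    expected_sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError('signature does not verify')
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get('iss') != issuer:
        raise ValueError('issuer mismatch')
    aud = claims.get('aud')
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError('token was not issued for this client')
    if len(audiences) > 1 and claims.get('azp') != client_id:
        raise ValueError('multi-audience token without matching azp')
    now = time.time() if now is None else now
    if not isinstance(claims.get('exp'), (int, float)) or claims['exp'] <= now:
        raise ValueError('token expired')
    # The nonce ties this token to the authentication request that started the redirect.
    if claims.get('nonce') != nonce:
        raise ValueError('nonce mismatch (possible replay)')
    return claims


def roles_from_claims(claims, roles_claim='roles'):
    """Roles to put into the GenericPrincipal. The claim name is an assumption (providers
    differ); the point is that only claims of a token verify_id_token accepted are used."""
    roles = claims.get(roles_claim, [])
    return [str(r) for r in roles] if isinstance(roles, list) else []


def make_id_token(claims, client_secret):
    """Constructed HS256 token for the demo; in a deployment the OIDC provider mints it."""
    header_b64 = _b64url_encode(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f'{header_b64}.{payload_b64}'.encode(), hashlib.sha256).digest()
    return f'{header_b64}.{payload_b64}.{_b64url_encode(sig)}'
```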



long running socketwrite

2016-03-30 Thread Rallavagu

Tomcat 7.0.47, JDK 7

I have the following long-running socketWrite thread (more than 10 sec). 
Wondering what could cause this so I can look further and investigate.


"http-bio-28080-exec-1497" daemon prio=10 tid=0x7f812c230800 nid=0x72fa runnable [0x7f80010f9000]
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
    at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:215)
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480)
    at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:119)
    at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:805)
    at org.apache.coyote.Response.action(Response.java:174)
    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:366)
    at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:333)
    at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:101)
    at org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper$SaveContextServletOutputStream.flush(SaveContextOnUpdateOrErrorResponseWrapper.java:354)
    at com.sun.jersey.spi.container.servlet.WebComponent$Writer.flush(WebComponent.java:308)
    at com.sun.jersey.spi.container.ContainerResponse$CommittingOutputStream.flush(ContainerResponse.java:146)
    at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:297)
    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
    - locked <0x00075a610750> (a java.io.OutputStreamWriter)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
    at java.io.BufferedWriter.flush(BufferedWriter.java:254)
    - locked <0x00075a610750> (a java.io.OutputStreamWriter)
    at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191)
    at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128)
    at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88)
    at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58)
    at com.sun.jersey.spi.container.ContainerResponse.write(ContainerResponse.java:302)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1510)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)


This is during slow response times where many threads were opened 
(Tomcat configured with 500). Also, the thread dump shows that 240 of the 
Tomcat threads are in the following state, which suggests that they are idle.


"http-bio-28080-exec-1230" daemon prio=10 tid=0x7f812c361800 nid=0x29a0 waiting on condition [0x7f810a7e6000]
   java.lang.Thread.State: TIMED_WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)
    - parking to wait for  <0x00071d193f50> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
    at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2082)
    at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
    at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)
    at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:32)
    at java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1068)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

Any clues would help. Thanks.



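Triage of a dump like the two stacks above, as an added example rather than anything from the poster: it parses jstack output into threads, counts the connector's worker pool against maxThreads, and separates workers idle in TaskQueue.poll from workers whose top frame is socketWrite0 (the BIO connector blocked sending a response to a client that is not reading). The pool name prefix and the maxThreads value of 500 come from the post; the sample dump is a constructed excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in jstack format, modelled on the two stacks quoted in the post
# above; it is not the poster's full dump.
SAMPLE_DUMP = '''
"http-bio-28080-exec-1497" daemon prio=10 tid=0x7f812c230800 nid=0x72fa runnable [0x7f80010f9000]
   java.lang.Thread.State: RUNNABLE
        at java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
        at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:215)

"http-bio-28080-exec-1230" daemon prio=10 tid=0x7f812c361800 nid=0x29a0 waiting on condition [0x7f810a7e6000]
   java.lang.Thread.State: TIMED_WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        - parking to wait for  <0x00071d193f50> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
        at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:226)
        at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)

"http-bio-28080-exec-1231" daemon prio=10 tid=0x7f812c361900 nid=0x29a1 waiting on condition [0x7f810a7e7000]
   java.lang.Thread.State: TIMED_WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        at org.apache.tomcat.util.threads.TaskQueue.poll(TaskQueue.java:86)

"GC task thread#0 (ParallelGC)" prio=10 tid=0x7f812c01f000 nid=0x72d1 runnable
'''

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)".*?\bnid=(?P<nid>0x[0-9a-fA-F]+)')
STATE_LINE = re.compile(r'^\s*java\.lang\.Thread\.State:\s*(?P<state>[A-Z_]+)')
FRAME_LINE = re.compile(r'^\s*at\s+(?P<frame>[^(\s]+)')

IDLE_FRAME = 'org.apache.tomcat.util.threads.TaskQueue.poll'        # worker waiting for a task
BLOCKING_WRITE_FRAME = 'java.net.SocketOutputStream.socketWrite0'    # worker blocked sending a response


def parse_thread_dump(text):
    """Split jstack output into threads: name, nid (OS thread id, matches 'top -H'), state, frames innermost first."""
    threads, current = [], None
    for line in text.splitlines():
        m = THREAD_HEADER.match(line)
        if m:
            current = {'name': m.group('name'), 'nid': m.group('nid'), 'state': None, 'frames': []}
            threads.append(current)
            continue
        if current is None:
            continue
        m = STATE_LINE.match(line)
        if m:
            current['state'] = m.group('state')
            continue
        m = FRAME_LINE.match(line)
        if m:
            current['frames'].append(m.group('frame'))
    return threads


def triage_pool(threads, pool_prefix='http-bio-28080-exec-', max_threads=500):
    """Summarise the connector's worker pool: size against maxThreads, states, idle workers, and
    workers stalled in a blocking write (on the BIO connector it returns only when the client reads)."""
    pool = [t for t in threads if t['name'].startswith(pool_prefix)]
    return {
        'pool_threads': len(pool),
        'headroom': max_threads - len(pool),
        'by_state': dict(Counter(t['state'] or 'UNKNOWN' for t in pool)),
        'idle': sorted(t['name'] for t in pool if IDLE_FRAME in t['frames']),
        'blocked_in_write': sorted(t['name'] for t in pool
                                   if t['frames'] and t['frames'][0] == BLOCKING_WRITE_FRAME),
    }


if __name__ == '__main__':
    for key, value in triage_pool(parse_thread_dump(SAMPLE_DUMP)).items():
        print(f'{key}: {value}')
```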



Re: Monitoring Tomcat

2016-03-30 Thread Christopher Schultz

Edwin,

On 3/29/16 2:32 PM, Edwin Quijada wrote:
> I am seeing Zabbix but about the security problems with JMX

The "security problems" with JMX mostly have to do with it being very
easy to configure a server stupidly.

For example, opening a JMX port with no required authentication to the
whole Internet is, of course, tremendously stupid. But people do
stupid things like that all the time.

For my money, I wouldn't enable JMX because, for monitoring, JMX is a
heavy-handed protocol: you either have to maintain a persistent
connection to the server or you need to launch a whole JVM and connect
over JMX to get e.g. a single sample value (such as current throughput).

I would recommend enabling the JMXProxyServlet through the manager
application, and then locking-down the manager application so you can
only access it from localhost. Also use a non-trivial password for
HTTP authentication for the manager.

That ought to cover just about everything except for a local
intrusion, in which case you've already been pwned.

- -chris

> From: Leonardo Santagostini
> Sent: Tuesday, March 29, 2016 12:20 AM
> To: Tomcat Users List
> Subject: Re: Monitoring Tomcat
> 
> My two cents:
> 
> You can also use Zabbix to monitor your Tomcat using JMX.
> 
> Also Zabbix is used from templates. So once you got one machine
> monitored as you expected you can easily deploy it on your other
> machines, and the best of all, you don't need to use apps like
> Jolokia. But bear in mind that there are some security concerns.
> 
> Best regards
> On Mar 28, 2016 8:56 p.m., "Edwin Quijada" wrote:
> 
>> Thks!
>> 
>> From: Mark Eggers
>> Sent: Monday, March 28, 2016 10:32 PM
>> To: Tomcat Users List
>> Subject: Re: Monitoring Tomcat
>> 
>> https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html 
>> https://wiki.apache.org/tomcat/FAQ/Monitoring
>> 
>> Basically enable JMX, then use a wide variety of tools to query
>> an even wider variety of information.
>> 
>> Please note that there are security issues when enabling JMX.
>> Read the first link above for details.
>> 
>> . . . just my two cents /mde/
>> 
>> On 3/28/2016 3:23 PM, Edwin Quijada wrote:
>>> Hi! I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I
>>> wanna monitor the speed and resources of this. I added 1024mb to
>>> Tomcat because the app and DB are on the same server.
>>> 
>>> What application can I use to monitor performance of this
>>> Tomcat ?
>>> 
>>> 
>>> TIA
>>> 
>> 
>> 
>> 



Re: AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Christopher Schultz

Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

- -chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, 29 March 2016 19:57
> To: Tomcat Users List
> Subject: Re: OpenID Connect with Tomcat 8
> 
> Sebastien,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 



Re: WebEx meeting rescheduled: Introducing Apache Tomcat 8.5

2016-03-30 Thread Mark Thomas
On 30/03/2016 10:03, Johan Compagner wrote:
> I guess i have to wait for the youtube:
> 
>  Support Not Available
> Your version of Cisco WebEx does not support Windows 10. If you want to use
> WebEx on Windows 10, contact your administrator for more information.

That isn't great. I'll see what I can do about that. Meanwhile, the
recording should be on YouTube tomorrow.

mark


> 
> 
> 
> On 25 March 2016 at 23:13, Mark Thomas  wrote:
> 
>> Hello,
>> Mark Thomas changed the time for this WebEx meeting.
>>
>> *Introducing Apache Tomcat 8.5*
>> Wednesday, 30 March 2016
>> 20:00  |  GMT Summer Time (London, GMT+01:00)  |  1 hr
>>
>> *Join WebEx meeting*
>> 
>> Meeting number: 645 574 764
>>
>> Add this meeting
>> 
>> to your calendar. (Cannot add from mobile devices.)
>>
>> Can't join the meeting? Contact support.
>> 
>>
>> IMPORTANT NOTICE: Please note that this WebEx service allows audio and
>> other information sent during the session to be recorded, which may be
>> discoverable in a legal matter. By joining this session, you automatically
>> consent to such recordings. If you do not consent to being recorded,
>> discuss your concerns with the host or do not join the session.
>>
>>



Re: WebEx meeting rescheduled: Introducing Apache Tomcat 8.5

2016-03-30 Thread Johan Compagner
I guess i have to wait for the youtube:

 Support Not Available
Your version of Cisco WebEx does not support Windows 10. If you want to use
WebEx on Windows 10, contact your administrator for more information.



On 25 March 2016 at 23:13, Mark Thomas  wrote:

> Hello,
> Mark Thomas changed the time for this WebEx meeting.
>
> *Introducing Apache Tomcat 8.5*
> Wednesday, 30 March 2016
> 20:00  |  GMT Summer Time (London, GMT+01:00)  |  1 hr
>
> *Join WebEx meeting*
> 
> Meeting number: 645 574 764
>
> Add this meeting
> 
> to your calendar. (Cannot add from mobile devices.)
>
> Can't join the meeting? Contact support.
> 
>
> IMPORTANT NOTICE: Please note that this WebEx service allows audio and
> other information sent during the session to be recorded, which may be
> discoverable in a legal matter. By joining this session, you automatically
> consent to such recordings. If you do not consent to being recorded,
> discuss your concerns with the host or do not join the session.
>
>
>



-- 
Johan Compagner
Servoy


AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Sebastian Trost
Hi Chris,

Well, it seems that I will have to use a Valve + Realm combination. Thanks!

Regards
Sebastian

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, 29 March 2016 19:57
To: Tomcat Users List 
Subject: Re: OpenID Connect with Tomcat 8


Sebastien,

On 3/29/16 12:57 PM, Sebastian Trost wrote:
> Hi,
> 
> I am looking for a way to use OpenID Connect (authentication AND
> authorization) with Tomcat 8. I found two ways to get
> authentication working, but not authorization. Here's what I tested
> so far:
> 
> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth This
> extension works very well for authentication. It isn't possible to
> authorize users, though. You can configure a realm which authorizes
> the user against LDAP or a database.
> 
> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc +
> Tomcat 8 This mod works pretty well, too. But the AJP Connector
> doesn't seem to receive the roles from the web server and also
> relies on the realm to fetch the roles for each user.
> 
> With both methods I failed to read the roles OpenID Connect
> supplies with the id token.
> 
> I experimented a bit with botching around in tomcat8-oidcauth. I
> removed the authenticate()-call and instead built the
> GenericPrincipal object with hard-coded roles on my own. That seems
> to work. But is this safe? Can I just read the token id and assume
> that it is correct and set the roles in the GenericPrincipal? Are
> there any other methods to use both authentication AND
> authorization with tomcat 8?

I haven't looked at any of the above projects but if you want to
authenticate and authorize against a different type of backing
database, then you need to create your own Realm. RealmBase provides
some nice utilities, but you aren't required to actually extend it.

The Realm has complete control over how the Principal objects are
created, so if you have a way to identify the user and their roles,
then you can simply create a GenericPrincipal and return that on
login, and its roles will be used for authentication later.

Hope that helps,
- -chris



Re: Tomcat 8 Connection Reset Issue

2016-03-30 Thread Theo Sweeny
Hi Chris,

From: Christopher Schultz 
Sent: 29 March 2016 16:48
To: Tomcat Users List
Subject: Re: Tomcat 8 Connection Reset Issue


Theo,

On 3/29/16 2:55 AM, Theo Sweeny wrote:
> Yes - that does look like a spring connect timeout - which then
> passes back to java.net.SocketException: Connection reset. So
> either the client or the server is resetting before the connection
> can complete.
>
> The only system change to coincide with these connection resets is
> the new connection pool config as listed above. This implies that
> there is some conflict within the datasource config.

I don't believe that's the case, unless you are using the same port
numbers for both your JDBC connections and whatever other component is
failing. Have you tried reverting the JNDI configuration only?

- -chris

Yes I rolled back the datasource configs but the problem persisted.

The issue resides with the F5 firewall hanging every other request. When the F5 
is removed from the network routing, the connection reset issue resolves itself.

Thanks for the help!

Theo
