Re: WebSocket - Client doesn't receive server messages

2017-05-23 Thread Simon De Uvarow
To add some info: I implemented a client for browsers (an HTML + JavaScript
client) and it's working properly. I'm receiving the messages from the
server as expected.
So, the problem is in the Java test, not the server.


"No olvides, no traiciones, lo que llevas bien dentro de ti. No olvides, no
traiciones, lo que siempre te ha hecho vivir."

On Mon, May 22, 2017 at 9:52 PM, Simon De Uvarow wrote:

> Hi, I'm having a strange issue:
>
> I'm developing a frontend with WebSockets (my first WebSocket!). To test
> the code I'm also developing some tests to run in Eclipse.
>
> So, I create a Client in the Test, connect to the server, and want to have
> some communication.
> I added a lot of logs to debug the issue:
>
> - WebsocketClientEndpoint:33 - Connect to server
> - WebsocketClientEndpoint:41 - Before Request: Cookie, JSESSIONID=A65A4F5711DC8820C246DDD45A409BFA
> - WebSocketFilter:38 - Filter executing ..
> - WebsocketClientEndpoint:64 - opening websocket
> - WebSocketServer:59 - 1 has opened a connection
> - WebSocketServer:64 - clientIP: 127.0.0.1
> - WebsocketClientEndpoint:113 - sendMessage
> - WebSocketServer:75 - onMessage: .
> - WebSocketServer:117 - Send OK message
>
> At the end, the server sends a response ("OK"), and the client waits for
> the response of the server.
> But the client doesn't receive it, no matter how long I wait.
> I debugged the Tomcat code, but couldn't find the issue.
> It's not clear to me at what point the library writes the information
> to the socket.
>
> This is how I send the response from the server:
>
> WFMWebSocketServer:
>
>     @OnMessage
>     public void onMessage(String message) {
>         ..
>         // Send OK response
>         try {
>             logger.debug("Send OK message");
>             session.getBasicRemote().sendText("OK");
>         } catch (IOException e) {
>             e.printStackTrace();
>         }
>         .
>     }
>
> The following is the @OnOpen code:
>
>     @OnOpen
>     public void onOpen(Session session) {
>         this.session = session;
>         logger.info(session.getId() + " has opened a connection");
>         final PrincipalWithRemoteAddress pws =
>             (PrincipalWithRemoteAddress) session.getUserPrincipal();
>         remoteAdr = pws == null ? null : pws.getRemoteAdr();
>
>         try {
>             session.getBasicRemote().sendText("OK");
>         } catch (IOException e) {
>             e.printStackTrace();
>         }
>     }
>
> Also the previous "OK" message is not received in the client, I don't see
> the log of it in the console:
>
>
> WebsocketClientEndpoint:
>
>     @OnMessage
>     public void onMessage(String message) {
>         logger.debug("onMessage: " + message);
>
>         if (this.messageHandler != null) {
>             this.messageHandler.handleMessage(message);
>         }
>     }
>
>
> Any idea why I am getting something like half-duplex communication?
> Or any idea how to debug or analyze the issue in order to fix it?
>
> The version of the libraries and Tomcat I'm using is:
> 8.5.15
>
> Thanks!
>
>
> "No olvides, no traiciones, lo que llevas bien dentro de ti. No olvides,
> no traiciones, lo que siempre te ha hecho vivir."
>
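An added example, not the poster's code: a minimal JSR-356 client test that waits for the server's "OK" with a bounded timeout and fails loudly when nothing arrives, instead of waiting indefinitely. The endpoint URL is an assumption, and a JSR-356 client implementation (for example tomcat-websocket 8.5) is assumed to be on the test classpath.

```java
// Added example, not the poster's code: a JSR-356 client test that waits for the
// server's "OK" with a bounded timeout. Assumes a server endpoint at
// ws://localhost:8080/app/ws (hypothetical) and a JSR-356 client implementation
// such as tomcat-websocket 8.5 on the test classpath.
import java.net.URI;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.websocket.ClientEndpoint;
import javax.websocket.ContainerProvider;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

@ClientEndpoint
public class OkMessageClient {
    private final CountDownLatch okReceived = new CountDownLatch(1);
    private volatile String lastMessage;

    // The container only routes text frames to a public @OnMessage method with a
    // String parameter on the very instance that was handed to connectToServer.
    @OnMessage
    public void onMessage(String message) {
        lastMessage = message;
        okReceived.countDown();
    }

    // Returns the message, or null when nothing arrived before the timeout, so a
    // test fails fast instead of blocking forever.
    public String awaitMessage(long timeout, TimeUnit unit) throws InterruptedException {
        return okReceived.await(timeout, unit) ? lastMessage : null;
    }

    public static void main(String[] args) throws Exception {
        WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        OkMessageClient client = new OkMessageClient();
        URI server = new URI("ws://localhost:8080/app/ws"); // hypothetical endpoint
        // Session is Closeable; closing it sends the close frame when the test ends.
        try (Session session = container.connectToServer(client, server)) {
            session.getBasicRemote().sendText("hello");
            String reply = client.awaitMessage(5, TimeUnit.SECONDS);
            if (reply == null) {
                throw new IllegalStateException("no message within 5 s");
            }
            System.out.println("received: " + reply);
        }
    }
}
```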


Re: Tomcat 8.5: wrong classloader used during context startup?

2017-05-23 Thread Christopher Schultz

Mark,

On 5/21/17 5:49 AM, Mark Thomas wrote:
> On 21/05/2017 00:30, Christopher Schultz wrote:
>> Mark,
>> 
>> On 5/19/17 3:45 PM, Mark Thomas wrote:
>>> On 19/05/2017 15:25, Christopher Schultz wrote:
> 
>>>> Also, for an untrusted application (admittedly a minority
>>>> use case), having Tomcat parse the app-provided XML with an
>>>> application-provided XML parser might have security
>>>> implications.
>> 
>>> I don't believe it does in this case. The file being parsed is 
>>> web.xml which is application provided anyway so any
>>> manipulation a malicious app could do via the parser could just
>>> be done directly in web.xml.
>> 
>> That's exactly my point: Tomcat is using an untrusted XML parser
>> to parse untrusted XML. If the XML parser is trusted, then
>> parsing the untrusted XML is safe(r).
> 
> I disagree.
> 
>> Take for example XML billion laughs or external entity attacks.
>> These attacks are typically prevented through disabling external
>> entities or DTDs themselves.
>> 
>> If the XML parser is provided by the application, those
>> capabilities can be left enabled even if Tomcat attempts to
>> disable them by setting the proper properties on the parser.
>> 
>> If Tomcat (or the JVM) provides the XML parser, then those
>> security precautions can be relied upon to protect the JVM from
>> such an application.
> 
> The threat being considered here is malicious application code.
> 
> The standard protection against malicious application code is
> running under a security manager. And even then, there are plenty
> of things an application can do to harm the server.
> 
> while (true) { }
> 
> being one of the simplest.
> 
> What this quickly boils down to is 'Does placing malicious code in
> the XML parser enable an attacker to do something they could not
> otherwise do?' Does it enable them to bypass any of the security
> constraints imposed by the SecurityManager? I believe the answer to
> that question is no - hence I believe that using an XML parser
> provided by the application is not a security threat.

The reason I think it's a security threat is because, when Tomcat
calls the XML parser, the XML parser is being run with elevated
(Tomcat) privileges instead of with the privileges normally associated
with the application (that is, restricted privileges).

The billion laughs example was just an illustration. If running under
a SecurityManager, the application (usually) couldn't open the
/etc/passwd file, but if the app provides an XML parser
implementation, then it can get Tomcat to read that file for it...
again perhaps using XML entities.

A slightly more concrete example: the WEB-INF/web.xml file contains an
entity reference to /etc/passwd; Tomcat loads the web.xml file and
replaces the entity with /etc/passwd, then writes the effective web.xml
to the logger. The application presumably has access to its own logs
(even after the fact) and the application owner has read a file they
ought not to have access to.

> Keep in mind that this parser is only used for this application and
> is only used for web.xml (and fragments).
> 
> If there was a single parser shared between all applications then
> this would be an issue. We'd have a memory leak as well as the
> potential for information disclosure across the web application
> boundary. We have had issues like that in the past (CVE-2009-0783)
> but this bug is not the same.
> 
> Note that the previous XXE issues were possible partly because
> there was a single container level web.xml parser that executed
> with container permissions.

What do you mean by "single" here? Do you mean that the parser wasn't
being re-initialized (or, better yet, re-constructed) and so there may
have been some carry-over from a previous parse() call?

- -chris
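As an added illustration of the mitigation discussed above (not Tomcat's own code), the following hardens a JAXP DocumentBuilderFactory the way a container would, reports which implementation JAXP discovery actually loaded and from which code source, and verifies with a constructed web.xml-like document that a DOCTYPE is really rejected rather than silently accepted. The sample document and the class name are assumptions.

```java
// Added example, not Tomcat code. Hardens a JAXP parser against DTD/entity
// processing, then checks that the loaded implementation honours the settings.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlCheck {
    // Constructed sample: a web.xml-like document carrying a DOCTYPE with a
    // harmless internal entity. A hardened parser must refuse it outright.
    static final String WEB_XML_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE web-app [<!ENTITY greeting \"hello\">]>\n"
        + "<web-app><display-name>&greeting;</display-name></web-app>";

    // An implementation that does not recognise a feature throws here; treat that
    // as a failed check rather than continuing with a parser of unknown behaviour.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // True when the DOCTYPE is rejected, i.e. the features were actually applied.
    static boolean rejectsDoctype(DocumentBuilderFactory dbf) throws Exception {
        try {
            dbf.newDocumentBuilder().parse(new InputSource(new StringReader(WEB_XML_WITH_DOCTYPE)));
            return false; // parsed anyway: the settings were silently ignored
        } catch (SAXException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedFactory();
        // Which implementation did JAXP discovery pick, and from where? Inside a
        // webapp the context class loader can resolve this to a jar in WEB-INF/lib;
        // a null code source means the JDK's own bootstrap implementation.
        System.out.println("impl: " + dbf.getClass().getName());
        System.out.println("from: " + dbf.getClass().getProtectionDomain().getCodeSource());
        System.out.println("doctype rejected: " + rejectsDoctype(dbf));
    }
}
```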

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Getting list of session for different contexts

2017-05-23 Thread Christopher Schultz

Harshit,

On 5/22/17 8:04 PM, Daga, Harshit wrote:
> I am trying to do the following. As part of the tomcat startup I 
> have added a listener. This listener starts a thread and that
> thread will open a socket connection. I am doing so to record the
> time taken to access and get the information from the tomcat
> server. If I use Jmx it is taking slightly more time, thus I am
> experimenting using direct socket connection.

Can you explain this in a little more detail? You want higher
performance, so you are not using HTTP? Or you want higher performance
so you are not using JMX (protocol)?

> Now I want to get the list of sessions from different contexts. 
> Kindly, let me know how can I get list of sessions for different 
> contexts?
> 
> I guess I can get the list of sessions from the StandardManager class,
> but how do I get the instance of this class for different contexts?

You can get it through local JMX if you wish. Fire up VisualVM, connect
to the instance, and find the name of the SessionManager that you want.
Then, write a small bit of Java code in your TCP connection-handler that
fetches that JMX bean and calls the appropriate method (or fetches
the appropriate property value).

- -chris
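The lookup suggested above, as an added example that is not from the thread: Java that runs inside the Tomcat JVM, queries the platform MBeanServer for every Manager MBean and reads per-context session information. The ObjectName pattern assumes the standard Catalina domain and the Manager attribute and operation names exposed by Tomcat's ManagerBase MBean.

```java
// Added example, not from the thread. Assumes it runs inside the Tomcat JVM
// (e.g. from the listener's thread) and the standard Catalina JMX domain.
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class SessionManagerLookup {
    // Tomcat registers one Manager MBean per deployed context in the platform
    // MBeanServer; the pattern matches every host and context.
    static final String MANAGER_PATTERN = "Catalina:type=Manager,host=*,context=*";

    static Set<ObjectName> findManagers(MBeanServer mbs) throws Exception {
        return mbs.queryNames(new ObjectName(MANAGER_PATTERN), null);
    }

    // The session count is safe to hand to a monitoring client.
    static int activeSessions(MBeanServer mbs, ObjectName manager) throws Exception {
        return (Integer) mbs.getAttribute(manager, "activeSessions");
    }

    // listSessionIds returns the IDs as one space-separated string. Session IDs are
    // bearer tokens: use them inside the JVM, do not ship them over an
    // unauthenticated socket.
    static String sessionIds(MBeanServer mbs, ObjectName manager) throws Exception {
        return (String) mbs.invoke(manager, "listSessionIds", new Object[0], new String[0]);
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        for (ObjectName manager : findManagers(mbs)) {
            System.out.printf("%s%s: %d active sessions%n",
                manager.getKeyProperty("host"), manager.getKeyProperty("context"),
                activeSessions(mbs, manager));
        }
    }
}
```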




Re: how to upgrade tomcat 8.5.x?

2017-05-23 Thread Christopher Schultz

Mark,

On 5/21/17 8:34 PM, Mark Eggers wrote:
> I developed my own [build and deployment scripts]. I use the Ant
> scripts just for customizing Tomcat installations.
>
> I do have one slight issue with my current Ant scripts. The link task isn't
> supposed to create a link if it already exists, but it does, and
> actually creates a link inside of the existing link. This means
> that I have a manual cleanup step to do, which is annoying.
> 
> Also, the Ant xml task doesn't handle namespaces well. I'll have
> to figure out how to mangle tomcat-users.xml in a better fashion
> for the 8.x series.

Which XML task? We use XSLT to, for example, customize the manager.xml
deployment file that comes with a stock Tomcat to deploy a manager
with our protections enabled.

> I use a custom-built init script for starting, stopping, querying,
> and getting the version of Tomcat services. I'll have to build
> something soon to handle systemd.
> 
> I use Maven, the Tomcat Maven plugin, and Jenkins to customize a
> WAR file for a particular environment. Coupled with parallel
> deployments, this basically allows us to update with no downtime.

Nice!

I'd love to see a TomcatCon presentation from the community about
blue/green deployments with Tomcat. :)

- -chris



Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-23 Thread Christopher Schultz

André,

On 5/22/17 3:19 PM, André Warnier (tomcat) wrote:
> On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
>> Here attached is my server.xml host configure:
>> ____
>>
>> unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>>
>> directory="logs" prefix="localhost_access_log." suffix=".txt"
>> pattern="%h %l %u %t %r %s %b" />
>>
>> ____
>
> With the above configuration, this is what happens :
> 
> 1) Any request coming in to your server, which has a Host: HTTP
> header which is not "recognised" by Tomcat, will be processed by
> this "defaultlocalhost" virtual Host. See:
> http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes
>
> 2) This default virtual Host, as defined above, has an
> appBase="webapps", just like the other Host which you defined. That
> is because "webapps" is the *default* value for this attribute,
> and you did not specify it otherwise in your "defaultlocalhost".
> See:
> http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

+1

This is most likely the problem here.

Try  or something similar.

- -chris



RE: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

2017-05-23 Thread Cai, Charles [COMRES/RTC/RTC]



Charles Cai | T +1 440 329 4888

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Monday, May 22, 2017 3:19 PM
To: users@tomcat.apache.org
Subject: Re: Question about Tomcat Virtual Host to prevent Improper-Input-Handling attack

On 22.05.2017 20:35, Cai, Charles [COMRES/RTC/RTC] wrote:
> Hi there,
>
> ____
> Server Specs:
> Server version: Apache Tomcat/7.0.54
> Server built:   May 19 2014 10:26:15
> Server number:  7.0.54.0
> OS Name:Windows Server 2012
> OS Version: 6.2
> Architecture:   amd64
> JVM Version:1.8.0_121-b13
> JVM Vendor: Oracle Corporation
> ____
>
> I'm currently in the process of trying to fix a site vulnerability; basically it
> is one type of "Improper Input Handling" attack.
>
> Let's say my website is www.mywebsite.com and there is a hacker's
> website www.hacker.com.
>
> Whenever there is a request sent to www.mywebsite.com with a modified "Host"
> header pointing to www.hacker.com, my site will create a redirect to
> www.mywebsite.com along with whatever the URL was, e.g.
>
> Normal:
> Host: www.mywebsite.com
> GET  www.mywebsite.com/get/some/resources/
> Response 200 ok
>
> Hack:
> Host: www.hacker.com (#been manually modified)
> GET  www.mywebsite.com/get/some/resources/
> Response 302
> Send another Redirect to www.hacker.com/get/some/resources
>
> My website is running on Tomcat 7. I tried some solution with setting up the
> virtual host by pointing the unknown host to a defaultlocalhost which is
> supposed to do nothing, but it still sends the redirect for some reason.
>
> Here attached is my server.xml host configure:
> ____
> jvmRoute="jvm1">   unpackWARs="true" autoDeploy="false" deployOnStartup="true">
>
> directory="logs"
> prefix="localhost_access_log." suffix=".txt"
> pattern="%h %l %u %t %r %s %b" />
>
> ____
>
> So, my question is, am I on the right track to prevent this
> kind of attack? If yes, what did I do wrong that it is still not working? (The
> ultimate goal is, if it is not the legit Host that has been passed in, the
> request should be discarded/ignored/return 404, but not redirected with
> 302.)
>

Hi.
The first thing is, as far as I know, Tomcat *by itself* will not generate this 
redirect response.
But an application deployed inside Tomcat might do that, perhaps.

With the above configuration, this is what happens:

1) Any request coming in to your server, which has a Host: HTTP header which is
not "recognised" by Tomcat, will be processed by this "defaultlocalhost"
virtual Host.
See: http://tomcat.apache.org/tomcat-7.0-doc/config/engine.html#Attributes

2) This default virtual Host, as defined above, has an appBase="webapps", just
like the other Host which you defined.
That is because "webapps" is the *default* value for this attribute, and you
did not specify it otherwise in your "defaultlocalhost".
See: http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Attributes

3) Thus, if your normal application (corresponding to the URI
get/some/resources/) is deployed under (tomcat_dir)/webapps, then your
application will be called when anyone sends the following HTTP request to your
server:

GET get/some/resources/ HTTP/1.1
Host: evil.hackers.com (or whatever is not "www.mywebsite.com")

What your application then does with this call is up to your application.
If it is some kind of framework, it might very well decide to return a redirect
response.
But that is not Tomcat code.

If you want to protect against this, then you should provide your 
"defaultlocalhost" with a real appBase, different from the standard "webapps", 
and maybe put a default application there which returns a lit cluster bomb to 
the evil hacker.
(or more reasonably, a "not found" response; which tomcat will do by itself if 
there is nothing there that matches the request URI).

Note that in addition, with your above configuration, there should be warnings
in the Tomcat logfile, because your application will be deployed twice: once
for the "defaultlocalhost" Host, and once for the "www.mywebsite.com" Host.



> Thank you in advance.
>
> More references about the attack here:
> http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
> http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
>
> Original Post on stackoverflow:
> https://stackoverflow.com/questions/44054591/tomcat-virtual-host-to-prevent-improper-input-handling-attack
>
> Charles Cai | Web Application Developer | RIDGID Emerson Commercial & Residential Solutions | charles@emerson.com
>
>
>
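The fix André describes (a default Host with its own empty appBase, so that requests with an unrecognised Host header get a 404 instead of reaching the real application), as an added server.xml fragment that is not the poster's configuration; the host names, the "catchall" directory and the AccessLogValve className are assumptions.

```xml
<!-- Added example, not the poster's server.xml. Host names, the "catchall"
     directory (which must exist under CATALINA_BASE) and the Valve className
     are assumptions. -->
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">

  <!-- Weak: with no appBase given, the default Host inherits "webapps", so every
       application there is deployed a second time under this Host and answers
       requests carrying any unrecognised Host header.
  <Host name="defaultlocalhost"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true"/>
  -->

  <!-- Corrected: give the default Host its own, empty appBase. With nothing
       deployed there, Tomcat itself answers 404 for any Host header it does not
       recognise, and no application is deployed twice. -->
  <Host name="defaultlocalhost" appBase="catchall"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false"/>

  <!-- The real site is only reached when the Host header matches this name. -->
  <Host name="www.mywebsite.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t %r %s %b"/>
  </Host>
</Engine>
```

After restarting, a request with a foreign Host header should appear in the default Host's handling as a 404 rather than in www.mywebsite.com's access log as a 302.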