Re: security headers

2017-11-01 Thread Christopher Schultz

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
> Hello,
> 
> I recently used on web.xml
> 
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
> </filter>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
> 
> to enable some security headers, but it won't enable the Content
> Security Policy header. Is there any way to enable Content Security
> Policy at the top server level?

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

-chris

[1] http://tuckey.org/urlrewrite/

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
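Chris's url-rewrite suggestion, as an added example that is not from the thread and not from the UrlRewriteFilter project's own documentation: a WEB-INF/urlrewrite.xml that adds CSP headers to every response. It assumes UrlRewriteFilter is already declared in web.xml and mapped to /*; the policy values and the /csp-report path are placeholders to adapt to the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd">
<!-- WEB-INF/urlrewrite.xml. Added example, not from the thread or from the
     UrlRewriteFilter project; policy values and the report path are placeholders. -->
<urlrewrite>

    <!-- Enforced baseline: directives that almost never break an application
         but close off framing (clickjacking), plugin content and base-tag
         hijacking. Rules without a <to> only set headers and keep processing. -->
    <rule>
        <note>Enforced CSP on every response</note>
        <from>^.*$</from>
        <set type="response-header" name="Content-Security-Policy">frame-ancestors 'none'; object-src 'none'; base-uri 'self'</set>
    </rule>

    <!-- Candidate full policy in report-only mode: browsers report what it
         would have blocked (inline scripts, third-party hosts) to /csp-report
         without blocking anything. Move it to Content-Security-Policy once
         the reports are clean. -->
    <rule>
        <note>Report-only CSP on every response</note>
        <from>^.*$</from>
        <set type="response-header" name="Content-Security-Policy-Report-Only">default-src 'self'; img-src 'self' data:; report-uri /csp-report</set>
    </rule>

</urlrewrite>
```

Both rules match every path because `<from>` is a regular expression; a `<condition>` on the request path can narrow either rule if, say, static assets need a different policy than the application pages.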



security headers

2017-11-01 Thread Alejandro Vargas M.

Hello,

    I recently used on web.xml

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to enable some security headers, but it won't enable the Content Security
Policy header. Is there any way to enable Content Security Policy at the top
server level?


Thanks in advance.

--


Re: Beginner help setting up test vertical cluster

2017-11-01 Thread Christopher Schultz

Keiichi,

On 11/1/17 3:28 AM, Keiichi Fujino wrote:
> Hi Dave.
> 
> Your Interceptor settings are as follows.
> 
>> <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>> <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
>> <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
>>     <LocalMember className="org.apache.catalina.tribes.membership.StaticMember"
>>                  domain="clustertest"
>>                  uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
>>     <Member className="org.apache.catalina.tribes.membership.StaticMember"
>>             domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001"
>>             securePort="-1"
>>             uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}"/>
>> </Interceptor>
>> <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"/>
>> <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
> 
> You specified domain="clustertest" in <Member>, but
> DomainFilterInterceptor does not have a domain setting. If you want
> to filter by domain, you have to set domain="clustertest" on
> DomainFilterInterceptor. If you do not want to filter by domain,
> you have to remove domain="clustertest" from <Member> or remove
> DomainFilterInterceptor.
> 
> Also, if you use DomainFilterInterceptor with static membership,
> you must list it above StaticMembershipInterceptor.
> 
> e.g.
> TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->StaticMembershipInterceptor
> or
> DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->StaticMembershipInterceptor

Would it be appropriate for Tomcat to sanity-check some of the
settings above to catch this kind of oversight? Or are there too many
possibilities of valid configuration that it's not possible to
validate in this way?

Thanks,
-chris




Re: apr

2017-11-01 Thread Christopher Schultz

Chris,

On 10/31/17 12:18 PM, Cheltenham, Chris wrote:
> I will need some help here.
> 
> How do I generate a stack trace?

If you are getting an exception in the log file, I'd expect a stack
trace to accompany it.  Something that looks like this:

org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine. org.apache.tomcat.jni.Error: 70023:
This function has not been implemented on this platform
Caused by: java.foo.BarException
  on Foo.java line 25
  on Bar.java line 52
  ...

It's possible that this particular error doesn't generate a stack
trace. If that's the case, we might need to fix that and get you a
custom version of Tomcat that produces more information. For example,
from the error message, I have no idea what function is being
attempted by that particular part of the code.

> TCAT 8.5.23

Are you using Apache Tomcat or are you using TCAT server (a product
from MuleSoft)?

> Many times I rely on stackoverflow or some web site but too often
> they are usually half assed explanations. Or quarter assed.

Error code 70023 = APR_OS_START_ERROR (2) + APR_OS_ERRSPACE_SIZE
(5) + 23 which is likely the "real error" here[1].

APR error 23 is "APR_EABOVEROOT" which has no documentation[2], but
which points to this definition[3]:

"
#define APR_STATUS_IS_EABOVEROOT(s)  ((s) == APR_EABOVEROOT)

The given path was above the root path.
"

So... how about that <Listener> configuration?

> Listener is default assuming you are referring to server.xml.

Hmm. Maybe the problem is with a TLS-enabled <Connector> with some
paths in it? Can you please post any APR-based <Connector>s you have,
with any secrets removed?

> I do not think FIPS is necessary , no.

Okay.

> I believe that is some federal govt standard?

Yes, it's a (mostly useless IMO) US federal standard that mandates the
use of certain algorithms and also requires that the code being used
be certified and self-certifying on startup. At first, I thought you
might be having a problem entering FIPS mode, but that seems unlikely
given what I uncovered above.

-chris

[1]
https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#ga191894048b7bd0cca3cf0bdff1eb695b
and
https://apr.apache.org/docs/apr/1.6/group__apr__errno.html#gadb8d97e6836ccdc57b43b6119a5acccf
[2]
https://apr.apache.org/docs/apr/1.6/group___a_p_r___error.html#ga4828cc04f97dc7bed691456adf7c073e
[3]
https://apr.apache.org/docs/apr/1.6/group___a_p_r___s_t_a_t_u_s___i_s.html#ga641527647de2537c1946a0b2ef07e411




Re: configuring jarscanner in 8.5 to ignore entire directory

2017-11-01 Thread Ray Holme
Andre: cute!
As for jar scanning, I have been playing with that. I don't think you need full 
pathnames in the pattern (perhaps in the context file, but not in the 
properties file), but not sure.
I did two things and am very pleased with the result.
 a) in conf/context.xml:

   
b) in catalina.properties
   1) sorted the nasty list for TLD scans that comes with the distribution (8)
so I could read it and search
   and found one pattern that was off (cannot remember which one but it had
an extra "_" before the "*", I think)   - it was a jar in the standard
distribution .../lib/... dist.
   2) and then added all the jars I use at the end (no full path needed for
sure)
The TLD startup time went from half a minute to under a second.
Good luck!
 

On Tuesday, October 31, 2017 4:44 PM, André Warnier (tomcat) wrote:
 

On 31.10.2017 20:16, Chris Cheshire wrote:
> PS JarScannerFilter above is a copypasta error, I do have the correct
> tag in my config with the same result
>
As, I presume, is the new Italian delicacy above?



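Ray's context.xml and catalina.properties entries did not survive on the page. As an added example (not Ray's configuration and not Tomcat's defaults), here is a per-context JarScanner in META-INF/context.xml that skips TLD scanning for every jar except an explicit allow-list; the jar name patterns are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not Ray's config): META-INF/context.xml of one web app,
     or conf/context.xml to apply it to every app. Jar names are placeholders. -->
<Context>
    <!-- scanClassPath="false": do not walk the JVM/system class path looking
         for TLDs and web fragments; only WEB-INF/lib and WEB-INF/classes.
         scanManifest="false": ignore Class-Path entries in jar manifests. -->
    <JarScanner scanClassPath="false" scanManifest="false">
        <!-- Patterns are jar file names (comma-separated, '*' wildcard), not
             full paths. With the default defaultTldScan="true", a jar that
             matches tldSkip is still scanned if it also matches tldScan, so
             tldSkip="*.jar" plus a tldScan list gives an allow-list: only the
             named tag-library jars are opened for TLD scanning. -->
        <JarScanFilter tldSkip="*.jar"
                       tldScan="mytaglibs-*.jar,jstl-*.jar,taglibs-standard-impl-*.jar"/>
    </JarScanner>
</Context>
```

The same names can be kept in catalina.properties instead (tomcat.util.scan.StandardJarScanFilter.jarsToSkip / jarsToScan), which is what Ray edited; the context.xml form scopes the allow-list to one application.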




Re: Logging framework !

2017-11-01 Thread Konstantin Kolinko
2017-11-01 8:17 GMT+03:00 Utkarsh Dave:
> Hi All,
>
> I am using Tomcat 7.0.81 on centos 7.2 and using openjdk 1.7.0.141.
> The problem I am seeing recently is manager*.log and localhost*.log files
> are not created. Instead, I see the messages that were to be written into,
> manager.log are going into Catalina.out. catalina.out and
> localhost_access.log continue to work like before.
> May I know how and from where to start debugging this?
> I have verified logging.properties, there is no issue with it.
>

My guess is that "java.util.logging.manager" and
"java.util.logging.config.file" system properties are not set,
and thus java uses default implementation of java.util.logging instead
of the one provided by Tomcat's
org.apache.juli.ClassLoaderLogManager.

Those properties are usually set by catalina.sh (and there is a
comment at the top of that file).

Best regards,
Konstantin Kolinko




Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.

2017-11-01 Thread Rainer Jung

On 01.11.2017 at 10:53, Olaf Kock wrote:
> On 01.11.2017 06:00, Chaitanya Sabbineni wrote:
>> I had an application where multiple requests are coming at the same time
>> because of which 1 request is overridden by the other. If so, can anyone
>> let me know if there is a way to achieve this.
> 
> Tomcat easily handles simultaneous requests - it rather looks like your
> application can't do so. A common cause for this are servlets that keep
> state in member variables.
> I'd say, the way to fix it is to debug your application, not
> artificially limit the number of requests that you can accept.

Yes, I should have also said that. You can limit concurrency, but
concurrency is how you typically achieve performance and is something
not to prevent, but to make it work instead.

So in this case the semaphore valve is just a dirty workaround, not the
solution you should aim for.


Regards,

Rainer





Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.

2017-11-01 Thread Olaf Kock


On 01.11.2017 06:00, Chaitanya Sabbineni wrote:
> I had an application where multiple requests are coming at the same time
> because of which 1 request is overridden by the other. If so, can anyone let me
> know if there is a way to achieve this.

Tomcat easily handles simultaneous requests - it rather looks like your
application can't do so. A common cause for this are servlets that keep
state in member variables.
I'd say, the way to fix it is to debug your application, not
artificially limit the number of requests that you can accept.





Re: Is there any way to make a little delay or sequencing of the requests coming to tomcat.

2017-11-01 Thread Rainer Jung

On 01.11.2017 at 06:00, Chaitanya Sabbineni wrote:
> I had an application where multiple requests are coming at the same time
> because of which 1 request is overridden by the other. If so, can anyone let me
> know if there is a way to achieve this.


Maybe this:

https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Semaphore_Valve

Regards,

Rainer




Re: Cannot start TomCat on Windows10

2017-11-01 Thread Olaf Kock

On 01.11.2017 05:21,  wrote:

> Hello,
> I've been using eclipse neon to run a j2ee project on Tomcat
> Server, but I can't start the Tomcat, and I google the errors but no
> solutions to it. And I've set the environment variables. Please help
> me, thank you. The attachment is the error log.


As attachments are stripped by the list software, please describe your
configuration and give steps to reproduce. Reduce the error log to the
relevant portions and copy/paste them into the mail.


Olaf




Re: Logging framework !

2017-11-01 Thread tomcat

On 01.11.2017 06:17, Utkarsh Dave wrote:
> Hi All,
> 
> I am using Tomcat 7.0.81 on centos 7.2 and using openjdk 1.7.0.141.
> The problem I am seeing recently is manager*.log and localhost*.log files
> are not created. Instead, I see the messages that were to be written into,
> manager.log are going into Catalina.out. catalina.out and
> localhost_access.log continue to work like before.
> May I know how and from where to start debugging this?
> I have verified logging.properties, there is no issue with it.
> 
> Any help will be appreciable.



The first question here is: where does that tomcat 7.0.81 come from?
If it is the "vanilla" tomcat from the tomcat website, then chances are that we can help
you. If it is from a centos packaged version of tomcat, then there are fewer chances that
we can help you, because we do not know exactly how the packagers of centos have set this up.


You probably need to start in that case by looking at the startup script(s) of tomcat, in 
/etc/init.d or similar, to find out what happens in terms of redirection of logfiles etc.


The people who create the tomcat packaged versions for the different Linux/Unix/Windows 
etc. distributions, each have their own logic about this kind of thing. Their intent is 
usually to try to "force" the tomcat logging to happen according to the general 
conventions on their particular platform, which can be quite different from the standard 
logging conventions of the various pieces of software that should run on each platform.






Re: Beginner help setting up test vertical cluster

2017-11-01 Thread Keiichi Fujino
Hi Dave.

Your Interceptor settings are as follows.

> <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
> <Interceptor className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>
> <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
>     <LocalMember className="org.apache.catalina.tribes.membership.StaticMember"
>                  domain="clustertest"
>                  uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
>     <Member className="org.apache.catalina.tribes.membership.StaticMember"
>             domain="clustertest" host="xxx.xxx.xxx.xxx" port="4001" securePort="-1"
>             uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}"/>
> </Interceptor>
> <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"/>
> <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>

You specified domain="clustertest" in <Member>, but DomainFilterInterceptor
does not have a domain setting.
If you want to filter by domain, you have to set domain="clustertest" on
DomainFilterInterceptor.
If you do not want to filter by domain, you have to remove
domain="clustertest" from <Member> or remove DomainFilterInterceptor.

Also, if you use DomainFilterInterceptor with static membership, you must
list it above StaticMembershipInterceptor.

e.g.
TcpPingInterceptor->TcpFailureDetector->DomainFilterInterceptor->StaticMembershipInterceptor
or
DomainFilterInterceptor->TcpPingInterceptor->TcpFailureDetector->StaticMembershipInterceptor


-- 
Keiichi.Fujino
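Keiichi's two corrections (give DomainFilterInterceptor the domain, and list it above StaticMembershipInterceptor), and the ordering Chris asks about in his reply, as an added example of a server.xml Channel fragment. It is not Dave's or Keiichi's configuration and not from the Tomcat documentation; the host address and uniqueId values are placeholders.

```xml
<!-- server.xml <Cluster> / <Channel> fragment: added example, not the
     configuration from the thread. Host and uniqueId values are placeholders. -->
<Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <!-- Receiver, Sender and Membership elements are unchanged and omitted here. -->

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpPingInterceptor"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>

    <!-- The filter carries the domain itself and sits above the static
         membership interceptor; placed below it, statically listed members
         are added before the filter ever sees them, so the domain is never
         enforced and a member from a foreign domain is accepted. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"
                 domain="clustertest"/>

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor">
        <!-- This node's own identity: same domain as the filter above. -->
        <LocalMember className="org.apache.catalina.tribes.membership.StaticMember"
                     domain="clustertest"
                     uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
        <!-- Peer node, also tagged with the cluster domain. -->
        <Member className="org.apache.catalina.tribes.membership.StaticMember"
                domain="clustertest" host="192.0.2.11" port="4001" securePort="-1"
                uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0}"/>
    </Interceptor>

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
</Channel>
```

The domain value on DomainFilterInterceptor must be byte-for-byte the same string as on every Member and LocalMember, otherwise the filter rejects the cluster's own nodes; a quick check after a restart is to confirm in catalina.out that each expected member is reported as added and that no "foreign domain" members are logged.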