users@tomcat.apache.org

2018-04-04 Thread Philip Rego 
http://24.0.5.14:8081/manager/html


*tomcat-users.xml*
http://tomcat.apache.org/xml";
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
  xsi:schemaLocation="http://tomcat.apache.org/xml
tomcat-users.xsd"
  version="1.0">
  
  
  
  
  
  
  
  
  


(I followed this  so I
believe anyone could have access.)

Why can't I log in? I get a 401 error when I try with any these users. Do I
have them set correctly? The 401 error said I can get access by adding the
user "tomcat" like I so. I also read the documentation

but
I must not understand. I tried running tomcat on my windows computer and
got a similar 403 error. I originally had this issue when I was trying to
integrate my Spring Boot app in Jenkins and got error

org.codehaus.cargo.container.tomcat.internal.TomcatManagerException:
The username and password you provided are not correct (error 401).

(I know it's not safe giving out passwords like this but there's
nothing on the machine I care about, and want to have the issue
resolved)

DirectJDKLog overriding formatter

2018-04-04 Thread Clément Guillaume 
Hi,

I was wondering why DirectJDKLog was overriding the Formatter of the
Console appender when the default java logging.properties file was used.

I see that this is documented at
https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Logging
but I would prefer to configure the logging with the file rather that with
system property.

I see that this have been in tomcats for ages
http://fisheye.apache.org:8060/changelog/tomcat?cs=329053

Thank you.

PS: also wondered what was DirectJDKLog.SIMPLE_CFG for

Re: Manager connector status

2018-04-04 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 4/4/18 9:52 AM, Mark Thomas wrote:
> On 04/04/18 14:29, Christopher Schultz wrote:
>> All,
>> 
>> I'm running 8.5.29 and I'm looking at the manager application, 
>> specifically at the Connectors list on the "Server Status" page.
>> 
>> I have two connectors:
>> 
>> 1. ajp-nio-8215
>> 
>> 2. http-nio-127.0.0.1-8217
>> 
>> The server is idle (it's my own desktop) and I loaded the Server 
>> Status page over the HTTP connector. However, both connectors say
>> that the "Current thread busy" count is "1". Why is the AJP
>> connector "using" a thread? It should be doing nothing, right?
> 
> I don't see this on a clean install.
> 
> I do see this if I configure both the AJP and HTTP connector to use
> a shared executor. In this case, the thread stats reported are for
> the executor.

Right, because none of the Connectors in the default configuration use
an Executor.

But what about the "1 thread always being used" thing?

>> Another odd thing is that the connector says the "Max Threads" is
>> -1. That may be true for the connector itself because I'm using
>> an Executor. But the executor does have a thread-limit and that's
>> not being shown.
>> 
>> The current thread count and current thread busy counts are sane 
>> values, so those must be coming from the Executor. Why not the
>> "max threads" value?
> 
> That would need some svn archaeology. From memory there have been
> some changes around this area over the years as various edge cases
> emerge.
> 
> Ah. And there you have the answer: 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60319
> 
> Because the Connector and Executor have separate attributes for 
> maxThreads, minSpareThreads and threadPriority the getters and
> setters were providing inconsistent / misleading values. Returning
> -1 was an attempt to indicate that the attribute was not being used
> and that you should look elsewhere for the value.
> 
> The dynamic stats (current thread-pool size, active threads, etc.)
> can be provided in a consistent manner so don;t need this
> treatment.

That's what I figured, but there is no information about Executors in
the manager.

Would it be better to introduce more information about Executors in
the Manager, or to change the Manager to show the Executor information
when one is in use?

I see this as a minor bug since you can't see the "max threads" for a
Connector when an Executor is in play.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrFC+4ACgkQHPApP6U8
pFi1rg//VecfQAkDqyIEMcBsbNm/F4vqnTrJ5HYj80yGI4mEtuFmA9Nz9VaVqUHa
ZKFYRd8NS1+cphLQNBrfkEQTcd+K4JYkhGgCpSapR04nXhKVc7pUiWk+C/qWbdCV
r3IrJM3EY+3IUHzQDLzige6dMpTFT4lsNKQGPSaOEFaeuHzO2wL2is067fGVf8qN
MZ2c3HKhac4TRC6Ytg4lOF+hNhhYsnVIOA5LpVtZ7rBcVBl3HPCI/Qm2VC5L5LrO
RbuRje6qCbtFtiTM0Zd9eKxPuc8ObS6NhHLeC0HJkOiCCkq361DZDBzXaMpSzqHN
nr5S9sviozbh8QfCN0IgxqYpdB6hHpUtYrxSOOTi0TUvcJEgoD0Ne5daDGSrHp2O
/ZgFCAxWRRLBsccVaeRXyCcZ8zVF47eXfIH5I52ACNh0LOHJu6rC3jlZnfa43TOO
qjobAjFlSQi6AHAc4xFK/AFvEl65rDHTBQgY3fi53SFAFOH65K7bH6fvCBRMvkuu
MYKG161ukl5GvoWWTIWMhfuQCw+elC4eYPLqclpBkwlwnaDymOwDf5uAcEHTdr/d
XjQ+6yau6G+KFV/64haRYNjB+RtGz8U+CPG6XJkpqXen2ywq/XvgA/5zLQyjNMjT
SAQCEnpn69bXUOkjRru9Q8cYiN+QlGFl6X22I7Cvx50fwOekblg=
=qni4
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Connection closed error and certificateVerification="required"

2018-04-04 Thread Mark Thomas 
On 26/03/18 08:25, Richard Tearle wrote:



> I've uploaded a ZIP with my test "UI" code (standalone java program),
> and the "ESB"
> code which goes into tomcat.
> 
> https://www.dropbox.com/s/nhfx7va4uzkr728/Source.zip?dl=0
> 
> In the support folder within the ZIP are updated scripts to create the
> certificates - which
> now includes generating the client certificate as well. Also in there
> are the server.xml
> and other tomcat configuration files that are changed as part of our
> installation process
> - although these are the same as I'd included in the previous ZIP.
> 
> Also included is a very simple shell script I use to call the UI.
> Usually setting the ESB
> delay to 5 seconds causes the connection closed error to occur in
> around 5 minutes of
> running the program.

Thanks. I've got the test application and UI running but I haven't yet
reproduced the problem. What parameters are you calling run-test.sh with?

I'll continue to try and reproduce the issue but I think it makes sense
to try and generate some debug data on your system as you can reproduce it.

The first step is to move to testing on a Tomcat instance built from
source. This will enable me to add additional debug logging as we go to
try and narrow down the root cause. The build process is fairly simple.
You'll need to check out https://svn.apache.org/repos/asf/tomcat/trunk/
and follow the instructions in BUILDING.txt. You won't need a release
build. The default ant deploy should be fine.

Assuming you can still repeat this on a build from trunk, please enable
the following logging:
- SSL debug logging on client and server via -Djavax.net.debug=ssl
- Tomcat I/O layer debug logging by adding the following to
  conf/logging.properties:
  org.apache.tomcat.util.net.level = FINE

If you can repeat the issue with the above debug logging enabled, if you
can provide the logs for the 30s or so before the error occurs hopefully
there will be some clues in there as to what is going wrong.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Manager connector status

2018-04-04 Thread Mark Thomas 
On 04/04/18 14:29, Christopher Schultz wrote:
> All,
> 
> I'm running 8.5.29 and I'm looking at the manager application,
> specifically at the Connectors list on the "Server Status" page.
> 
> I have two connectors:
> 
> 1. ajp-nio-8215
> 
> 2. http-nio-127.0.0.1-8217
> 
> The server is idle (it's my own desktop) and I loaded the Server
> Status page over the HTTP connector. However, both connectors say that
> the "Current thread busy" count is "1". Why is the AJP connector
> "using" a thread? It should be doing nothing, right?

I don't see this on a clean install.

I do see this if I configure both the AJP and HTTP connector to use a
shared executor. In this case, the thread stats reported are for the
executor.

> Another odd thing is that the connector says the "Max Threads" is -1.
> That may be true for the connector itself because I'm using an
> Executor. But the executor does have a thread-limit and that's not
> being shown.
> 
> The current thread count and current thread busy counts are sane
> values, so those must be coming from the Executor. Why not the "max
> threads" value?

That would need some svn archaeology. From memory there have been some
changes around this area over the years as various edge cases emerge.

Ah. And there you have the answer:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60319

Because the Connector and Executor have separate attributes for
maxThreads, minSpareThreads and threadPriority the getters and setters
were providing inconsistent / misleading values. Returning -1 was an
attempt to indicate that the attribute was not being used and that you
should look elsewhere for the value.

The dynamic stats (current thread-pool size, active threads, etc.) can
be provided in a consistent manner so don;t need this treatment.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Manager connector status

2018-04-04 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

I'm running 8.5.29 and I'm looking at the manager application,
specifically at the Connectors list on the "Server Status" page.

I have two connectors:

1. ajp-nio-8215

2. http-nio-127.0.0.1-8217

The server is idle (it's my own desktop) and I loaded the Server
Status page over the HTTP connector. However, both connectors say that
the "Current thread busy" count is "1". Why is the AJP connector
"using" a thread? It should be doing nothing, right?

Another odd thing is that the connector says the "Max Threads" is -1.
That may be true for the connector itself because I'm using an
Executor. But the executor does have a thread-limit and that's not
being shown.

The current thread count and current thread busy counts are sane
values, so those must be coming from the Executor. Why not the "max
threads" value?

Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrE01YACgkQHPApP6U8
pFhlGBAAoYr3VzqHYR/KAi36bnOzEtB203QEakMw6qu9dg+dh3auSg/4dA2O1jB6
vgzdg6VbskN4Wq1csV2Ji3byl2DA9UkRhdniscFMKXKESOkNyRRDMWu4gqgSPxt5
qSDsDgoiAnj/YirXQfdXYTHhCIUTxtb+1LTfnEatFa2WylimSglEFGtVk1Du+n2q
FQP+5R7tEuuweeb8ROcB8gE8P9tsGvn9Nn+i0JgW36uG8Zibv5oRR0jSoPcJmZR4
TyK36jCk3M16ln4cfaZX4eQ/qkCUWG/0kVXYNPXKs+9m1TmkfVApJT48m0S33O29
g1FBPUKon4ZE9K0hGQDBLb3z7QL5ljhpKxG5PQnmNZG9eCQI/a6fRQ6PYv5cGwv/
HulxTn/Cl2N/xqSr7RuLrpGkiplJw9VFhOW0Q0uBoDYk4GASON2j6Z6DnYZcWsOo
gTM8yZlX5/pgRae7R9LBIaxe+E9DynHXwKeJ0VTElahWoKFOpX1xr2JxTHlwLz1m
Fn8xZbLZ1gnHrHCpJbBVQie8UxmDN9UIs2/zubvGvr0rMScAFuyFvZNt7Ml5TvUI
z5OhYEJlJWWLN2Bst1mqg3IY3yQ5tiJdKJi81E1YSq1ltNHdFd/56QtLF8k+Cphc
PKIHtrPKQsssn11B1JAG4slH6/z8i9MSbqXBq39ujq5/cEvEi6Q=
=G30n
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: List Ciphers - 500 Error

2018-04-04 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jason,

On 4/3/18 12:00 PM, Jason Vo wrote:
> Version Apache Tomcat/8.0.32

Can you please try with latest 8.0.50? 8.0.32 is 2 years old at this
point, and has many security problems (some classified as "important")
that should be fixed.

> When trying to view the list of ciphers configured using
> http://localhost:8080/manager/text/sslConnectorCipher i get the
> below 500 error
> 
> HTTP/1.1 500 Internal Server Error Server: Apache-Coyote/1.1 
> Cache-Control: private Expires: Thu, 01 Jan 1970 01:00:00 GMT 
> Content-Type: text/plain;charset=utf-8 Date: Tue, 03 Apr 2018
> 14:58:59 GMT Connection: close Content-Length: 41
> 
> If I attempt to do this via the Manger GUI
> (http://localhost:8080/manager/html/list) I get the below 500 error
> -
> 
> HTTP Status 500 - type Exception report message description The
> server encountered an internal error that prevented it from
> fulfilling this request. exception java.lang.NullPointerException 
> org.apache.catalina.manager.ManagerServlet.getConnectorCiphers(Manager
Servlet.java:1664)

The
> 
code in ManagerServlet has definitely changed since 8.0.32.

Even if it's just in a test environment, please re-test with 8.0.50.
If the error is still present, please paste the new stack trace and
your  configuration back to the list.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlrE0MkACgkQHPApP6U8
pFgSoRAAvPf+xACZmJJPQOeqd0c3FUhNJZMRYY6j7VxCJdRPcQ0uoXP4GTCVrUaA
VuE03wLxA7Wflp764Jq7b7cu9rwjLV6mnjmtW/kDvqRW3mTfNq31lL9pFwOg9MlD
IHXUz8rzdY42tdUJrLIyObVZ9szvOzAjQIaJ1OAavaWkExWzmqZnbwyaF5fIinif
vOFEO7KlCa7otzTD28DVYkNfTFJwvnu68AFkSg0VNiq3e8nY4lj+iFh401PrhadF
nKKm5CiaU1X0S2u2V15ruaxYTj7q4PFoisEzmk3TndRUBI0DKHprgWu8GUV5lGJq
4OttOhkCXJOg/je/yRvPLF5cmGv9C9ENc1TKAH4/oruOHDqykzoYDFSkuSQ8zIhT
bTwD9bLQEEjOtqwXUKzSdauns81Rf98ohUiib/GN5lBDpzCq1diLAjo4sKgDCzjw
CHAQPuy9h0ov9Vi1Lh0sANHG/aoWQDjxaZrW9qOr5Swgf6yzzcdTRt50cRlJoBZo
+dQOYIbGKOnAKAUrI6aGBxq5pZSBlJw/6UwoE7yEaUIWWU7AWIItryMGBILnpZqr
ZCEiNt4R4f+02TjBagdqmZVO4bPkO7g0zih7WedHYk99/dHeG43UoFYgnIVge8CL
j5fUnl32z+jGESBli9HYHPKQIQoFM+1/4FvKpUG2wdg4XYLKRCw=
=POq1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Venkata Reddy (Trianz) 
Both the vulnerabilities are not impacted on tomcat6.0.x.
Thanks a lot Mark and  Rémy for providing the quick information. 

-Original Message-
From: Rémy Maucherat [mailto:r...@apache.org] 
Sent: 04 April 2018 17:32
To: Tomcat Users List
Subject: Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, 
CVE-2018-1305)?

On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas  wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) < 
> > venkata.re...@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so 
spacial to me, as it's an exact path - "" path seems to be added in Servlet 
3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy


>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
**This mail has been sent from an external source**

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Rémy Maucherat 
On Wed, Apr 4, 2018 at 1:02 PM, Mark Thomas  wrote:

> On 04/04/18 11:54, Rémy Maucherat wrote:
> > On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> > venkata.re...@trianz.com> wrote:
> >
> >> Hi Team,
> >>
> >> Could you please help me on whether tomcat6.0.53 version is also
> impacted
> >> with these vulnerabilities (CVE-2018-1304,
> >
> >
> > Yes.
>
> I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
> Did we back-port it?
>

Ok, I think you are right as the text on the "special" - it doesn't look so
spacial to me, as it's an exact path - "" path seems to be added in Servlet
3.0. It's a situation where I don't really know what it does in Tomcat 6.0.
On the other one, I know for sure there's no ServletSecurity annotation :)

Rémy


>
> Mark
>
>
> >
> >
> >> CVE-2018-1305)?
> >>
> >
> > No.
> >
> > Rémy
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: A tomcat log output problem

2018-04-04 Thread Simon De Uvarow 
On Mon, Apr 2, 2018 at 9:41 AM 张钧荣 <1024238...@qq.com> wrote:

> Hello !
> My project reported an error related to tomcat logging module. The
> exception information is as follows:
> Apr  2 11:31:27 knowledgebase java: Exception in thread "main"
> java.lang.reflect.InvocationTargetException
> Apr  2 11:31:27 knowledgebase java: Caused by:
> java.lang.ClassNotFoundException:
> org.apache.logging.log4j.core.impl.ThrowableProxy
> Apr  2 11:39:44 knowledgebase java: Exception in thread "Thread-4"
> java.lang.NoClassDefFoundError: org/apache/catalina/Lifecycle$SingleUse
> Apr  2 15:26:49 knowledgebase java: Exception in thread "Thread-4"
> java.lang.NoClassDefFoundError: org/apache/catalina/Lifecycle$SingleUse
> Apr  2 15:55:18 knowledgebase java: Exception in thread "Thread-4"
> java.lang.NoClassDefFoundError: org/apache/catalina/Lifecycle$SingleUse
> Apr  2 16:29:52 knowledgebase java: Exception in thread
> "http-nio-8082-exec-8" java.lang.NoClassDefFoundError:
> org/apache/logging/log4j/core/impl/ThrowableProxy
> Apr  2 16:29:56 knowledgebase java: Exception in thread "Thread-4"
> java.lang.NoClassDefFoundError: org/apache/catalina/Lifecycle$SingleUse
> Apr  2 17:08:29 knowledgebase java: Exception in thread "Thread-4"
> java.lang.NoClassDefFoundError: org/apache/catalina/Lifecycle$SingleUse
> How can I fix it?
>
> Best wishes,
> zjr
>
> 发送自 Windows 10 版邮件应用
>

Hello,
You have to add the missing dependency, either in the tomcat/lib folder or
in the [tomcat/webapps/]/WEB-INF/lib folder.
The missing dependency is the log4j.jar , and it is not part of Tomcat.
It's a library you are using in your app/apps.

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Mark Thomas 
On 04/04/18 11:54, Rémy Maucherat wrote:
> On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
> venkata.re...@trianz.com> wrote:
> 
>> Hi Team,
>>
>> Could you please help me on whether tomcat6.0.53 version is also impacted
>> with these vulnerabilities (CVE-2018-1304,
> 
> 
> Yes.

I thought root context mapping was introduced in Servlet 3.0 (Tomcat 7).
Did we back-port it?

Mark


> 
> 
>> CVE-2018-1305)?
>>
> 
> No.
> 
> Rémy
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Rémy Maucherat 
On Wed, Apr 4, 2018 at 12:05 PM, Venkata Reddy (Trianz) <
venkata.re...@trianz.com> wrote:

> Hi Team,
>
> Could you please help me on whether tomcat6.0.53 version is also impacted
> with these vulnerabilities (CVE-2018-1304,


Yes.


> CVE-2018-1305)?
>

No.

Rémy

Is tomcat6.0 impacted with these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

2018-04-04 Thread Venkata Reddy (Trianz) 
Hi Team,

Could you please help me on whether tomcat6.0.53 version is also impacted with 
these vulnerabilities (CVE-2018-1304, CVE-2018-1305)?

This information is very critical for us.

Unfortunately we are still on the process of migrating our current tomcat6.0.x 
version usage to tomcat8.5.x.

Thanks in advance.