Tomcat shutdown behaviour

2013-08-08 Thread Vimal Jain
Hi,
I am using tomcat-6 on my Ubuntu 13.10 desktop.
My question is: when I run the shutdown script of Tomcat, does Tomcat wait
for currently running threads to complete before shutting down?

-- 
Thanks and Regards,
Vimal Jain


RE: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Martin Gainty
As mentioned earlier, Chrome is the only browser that supports compression on SSL streams.

Martin 


 
> Date: Thu, 8 Aug 2013 17:47:36 -0400
> Subject: Re: Tomcat config question: 'compression' versus 
> 'SSLDisableCompression'
> From: dlan...@gmail.com
> To: users@tomcat.apache.org
> 
> On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> >
> > ... and the SSLDisableCompression setting (when set to "false") is
> > intended to mitigate the CRIME attack against SSL/TLS compression.
> > Feel free to read online all about the CRIME attack.
> >
> 
> That was what I was hoping it did when I asked the original question :)
> 
> 
> > I haven't really done any analysis of SSL compression (that is,
> > compression as implemented by the TLS/SSL layer) alone versus
> > compression-less-SSL + gzip, but I suspect that any combination of
> > compression and encryption can lead to CRIME-like attacks ...
> 
> 
> That seems to be true since there is now the BREACH attack:
> 
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
> 
> which (I think) is compression-less-SSL + gzip.
  

Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread David Landis
On Thu, Aug 8, 2013 at 5:19 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> ... and the SSLDisableCompression setting (when set to "false") is
> intended to mitigate the CRIME attack against SSL/TLS compression.
> Feel free to read online all about the CRIME attack.
>

That was what I was hoping it did when I asked the original question :)


> I haven't really done any analysis of SSL compression (that is,
> compression as implemented by the TLS/SSL layer) alone versus
> compression-less-SSL + gzip, but I suspect that any combination of
> compression and encryption can lead to CRIME-like attacks ...


That seems to be true since there is now the BREACH attack:

http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

which (I think) is compression-less-SSL + gzip.


Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Christopher Schultz

Mark,

On 8/8/13 12:45 PM, Mark Thomas wrote:
> On 08/08/2013 18:14, David Landis wrote:
>> Hi,
>> 
>> I was wondering if someone could clarify the difference between
>> the configuration parameters mentioned in the subject of this
>> email or point me to some documentation that explains it?
>> 
>> Do they both refer to the same type of compression?
> 
> No.
> 
>> Based on the Tomcat docs I know the former controls whether or
>> not the connector uses gzip compression. Regarding the latter,
>> the Tomcat docs say: "Disables compression if set to true and
>> OpenSSL supports disabling compression.".  Is that referring to a
>> different type of compression?
> 
> Yes.
> 
> The Tomcat connector implements compression.
> 
> The SSL/TLS protocol has a separate compression implementation.

... and the SSLDisableCompression setting (when set to "false") is
intended to mitigate the CRIME attack against SSL/TLS compression.
Feel free to read online all about the CRIME attack.

> I'd guess (no testing to back this up) that you'd be better off
> with using the connector compression as you can tailor that to the
> correct mime-types.

I tend to agree. You can also disable compression on files that are
small enough that compression doesn't really buy you anything.

> I'd also guess that if you have one, enabling the other doesn't buy
> you much.

+1

I haven't really done any analysis of SSL compression (that is,
compression as implemented by the TLS/SSL layer) alone versus
compression-less-SSL + gzip, but I suspect that any combination of
compression and encryption can lead to CRIME-like attacks ... which by
the way requires the attacker to basically have remote-control access
to the user's client (to force it to make requests to the server) and
also be able to sniff the encrypted packets at the same time (which is
of course quite a bit easier to do than client-control).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
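
The two settings discussed in this thread act at different layers, so each Connector has to be checked for both. The following is an added example, not part of any list message and not Tomcat code: it reads a constructed server.xml and reports, per Connector, whether connector gzip is used over TLS and whether TLS-level compression has been disabled. The sample XML, the finding labels and the function names are assumptions, and a missing SSLDisableCompression is treated as "false".

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (the poster's own example did not survive in the
# archive). Ports and attribute values are placeholders for illustration.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" compression="on"/>
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               compression="on" compressionMinSize="2048"
               compressableMimeType="text/html,text/css"
               SSLDisableCompression="false"/>
    <Connector port="9443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               compression="off" SSLDisableCompression="true"/>
  </Service>
</Server>
"""


def is_true(value):
    return value is not None and value.strip().lower() == "true"


def http_compression_on(conn):
    """Connector-level gzip: 'on', 'force' or an integer minimum size."""
    return conn.get("compression", "off").strip().lower() != "off"


def audit(server_xml):
    """Return one record per <Connector> with both compression layers."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        tls = is_true(conn.get("SSLEnabled"))
        gzip_on = http_compression_on(conn)
        # Assumption: an absent SSLDisableCompression means "false".
        tls_comp_disabled = is_true(conn.get("SSLDisableCompression"))
        findings = []
        if tls and not tls_comp_disabled:
            # TLS-layer compression is what CRIME relies on.
            findings.append("tls-compression-not-disabled")
        if tls and gzip_on:
            # HTTP-layer gzip under TLS is the BREACH setting.
            findings.append("gzip-over-tls")
        report.append({
            "port": conn.get("port"),
            "tls": tls,
            "gzip": gzip_on,
            "mime_types": conn.get("compressableMimeType"),
            "min_size": conn.get("compressionMinSize"),
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_SERVER_XML):
        status = ", ".join(row["findings"]) or "ok"
        print(f"port {row['port']}: tls={row['tls']} gzip={row['gzip']} -> {status}")
```

A connector can be clean on one layer and flagged on the other, which matches the observation in the original question that the responses were gzip'd regardless of SSLDisableCompression.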



RE: Any concrete timeline for JSR-356 in Tomcat 7?

2013-08-08 Thread Bob DeRemer


> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday, August 07, 2013 1:40 PM
> To: Tomcat Users List
> Subject: Re: Any concrete timeline for JSR-356 in Tomcat 7?
> 
> On 07/08/2013 18:59, Bob DeRemer wrote:
> > Hi Mark,
> >
> > This is a follow-up to my previous question about the tomcat 7 servlet
> > websocket deprecation:
> > http://marc.info/?l=tomcat-user&m=137580047908854&w=2
> >
> > We've discussed this internally and believe we need to look at switching to
> > the JSR-based server-side implementation.  How we approach this will be
> > determined by when JSR-356 will be ready.   Can you comment on the
> > following:
> >
> >
> > 1)  When do you expect to have JSR-356 released on Tomcat 7?
> 
> Early September. Once bug 55314 has been solved, I plan to start the back-port
> to 7.0.x.
> 
> > 2)  How long do you anticipate the release cycle to be for Tomcat 8 - from
> > the recent initial alpha release until it's GA?
> 
> Based on past experience, 6-9 months. However, a lot of that is out of our
> control. What will really drive this is user uptake of Tomcat 8 and folks
> creating bug reports for issues they find (like the issue Dan Mikusa reported
> a little earlier).
> 
> 
> > Our assumption is that JSR-356 will be ready in Tomcat 7 long before Tomcat
> > 8 is GA.
> 
> Agreed.
> 
> > The critical factor for us will be WHEN that happens.  We're tentatively
> > looking at a release in October that will have websocket support.  As a
> > result, if Tomcat 7 JSR support is ready in September, we could begin work
> > on Tomcat 8 RC1, then back-port our JSR server code to Tomcat 7 and release
> > on time with the new implementation.  If, however, Tomcat 7 JSR support
> > won't be ready until October, then we'll have to plan on releasing with the
> > existing Servlet implementation.
> >
> > I understand dates constantly change based on priorities, but if you can
> > provide any clarification that would be great.
> 
> Hope the above helps.
> 
> Mark
> 

Thanks, Mark - very helpful!

> 



RE: Any concrete timeline for JSR-356 in Tomcat 7?

2013-08-08 Thread Bob DeRemer


> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, August 07, 2013 6:35 PM
> To: Tomcat Users List
> Subject: Re: Any concrete timeline for JSR-356 in Tomcat 7?
> 
> 
> Bob,
> 
> On 8/7/13 1:40 PM, Mark Thomas wrote:
> > On 07/08/2013 18:59, Bob DeRemer wrote:
> >> Hi Mark,
> >>
> >> This is a follow-up to my previous question about the tomcat 7
> >> servlet websocket deprecation:
> >> http://marc.info/?l=tomcat-user&m=137580047908854&w=2
> >>
> >> We've discussed this internally and believe we need to look at
> >> switching to the JSR-based server-side implementation.  How we
> >> approach this will be determined by when JSR-356 will be ready.
> >> Can you comment on the following:
> >>
> >>
> >> 1)  When do you expect to have JSR-356 released on Tomcat 7?
> >
> > Early September. Once bug 55314 has been solved, I plan to start the
> > back-port to 7.0.x.
> >
> >> 2)  How long do you anticipate the release cycle to be for
> >> Tomcat 8 - from the recent initial alpha release until it's GA?
> >
> > Based on past experience, 6-9 months. However, a lot of that is out of
> > our control. What will really drive this is user uptake of Tomcat 8
> > and folks creating bug reports for issues they find (like the issue
> > Dan Mikusa reported a little earlier).
> 
> It would be great if you (Bob) could give Tomcat 8 rigorous testing in your
> environment. The more bugs you find and report the faster Tomcat
> 8 can come to GA. Even if you go to production with Tomcat 7, consider running
> in development with Tomcat 8. If it's working for you, then feel free to go to
> production with an alpha release of Tomcat 8 :)
> 
> I've started to deploy Tomcat 8 into some of my development environments for
> just this reason. We don't use any of the crazy new-ish features of the Java
> Servlet Specification, so I'll have a good environment for regression testing
> for basic services, resource-loading, etc. We have some production services
> that are very basic where I may consider deploying an alpha version of Tomcat
> just to get some performance, etc. data. Rolling-back to Tomcat 7 for me is as
> easy as editing a property file and bouncing the service so it's very cheap
> for me to provide this kind of testing for the community.
> 
> -chris

Thanks, Chris - that's along the lines of what we're planning to do

Based on Mark's reply that JSR-356 should be in Tomcat 7 in early September, 
that should allow us to re-implement our server-side WS endpoints/handling 
against the JSR api - testing first against Tomcat 8 RC, then copying it back 
for use in Tomcat 7.

-bob




Re: Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread Mark Thomas
On 08/08/2013 18:14, David Landis wrote:
> Hi,
> 
> I was wondering if someone could clarify the difference between the
> configuration parameters mentioned in the subject of this email or point me
> to some documentation that explains it?
> 
> Do they both refer to the same type of compression?

No.

> Based on the Tomcat docs I know the former controls whether or not the
> connector uses gzip compression. Regarding the latter, the Tomcat docs say:
> "Disables compression if set to true and OpenSSL supports disabling
> compression.".  Is that referring to a different type of compression?

Yes.

The Tomcat connector implements compression.

The SSL/TLS protocol has a separate compression implementation.

I'd guess (no testing to back this up) that you'd be better off with
using the connector compression as you can tailor that to the correct
mime-types.

I'd also guess that if you have one, enabling the other doesn't buy you
much.

Mark




Tomcat config question: 'compression' versus 'SSLDisableCompression'

2013-08-08 Thread David Landis
Hi,

I was wondering if someone could clarify the difference between the
configuration parameters mentioned in the subject of this email or point me
to some documentation that explains it?

Do they both refer to the same type of compression?

Based on the Tomcat docs I know the former controls whether or not the
connector uses gzip compression. Regarding the latter, the Tomcat docs say:
"Disables compression if set to true and OpenSSL supports disabling
compression.".  Is that referring to a different type of compression?

Here is the behavior I'm seeing:
--compression=on and SSLDisableCompression=false, the responses are gzip'd
--compression=on and SSLDisableCompression=true, the responses are gzip'd
--compression=off and SSLDisableCompression=false, the responses are not
gzip'd


Environment:

Tomcat 7.0.40
Java 7
RHEL (Linux)
APR/native connector with SSL
OpenSSL 1.0.0
APR 1.4.8

server.xml example:



  
  
  


  



Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException

2013-08-08 Thread Mark Eggers

On 8/8/2013 7:14 AM, Daniel Mikusa wrote:
> On Aug 8, 2013, at 7:05 AM, "Edao, Aliye"  wrote:
>
> > Dear all,
> >
> > Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties
> > because of information disclosure concerns (TC version number)
> > in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and
> > Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
> > (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html,
> > http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
> > leads to ClassNotFoundException and Tomcat cannot be started.
> >
> > The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now
> > intended or did I miss something?
> >
> > Error message (Tomcat 8):
>
> I'm not seeing this issue in my environment.  I've pulled and built Tomcat 8
> from SVN though.  Perhaps you could try that and see if the issue has already
> been resolved?
>
> Here are the steps I followed:
>
> 1.) Check out Tomcat 8 from SVN (svn co
> https://svn.apache.org/repos/asf/tomcat/trunk/ tomcat-trunk)
> 2.) Build  (instructions can be found here ->
> https://svn.apache.org/repos/asf/tomcat/trunk/BUILDING.txt)
> 3.) cd to output/build/
> 4.) cd to lib
> 5.) mkdir -p org/apache/catalina/util
> 6.) unzip catalina.jar org/apache/catalina/util/ServerInfo.properties
> 7.) Edit org/apache/catalina/util/ServerInfo.properties, replace info with
> "N/A".
> 8.) ./bin/startup.sh
> 9.) Check the logs, which were clean for me.
> 10.) curl http://localhost:8080/does-not-exist verify output has version
> listed as "N/A".
>
> Dan


I'm not seeing this in my environment either:

1. 64 bit Windows 7
2. JRE 1.7.0_25
3. Tomcat 7.0.42

a. create a file
   %CATALINA_HOME%\lib\org\apache\catalina\util\ServerInfo.properties
b. server.info=unknown
c. start up Tomcat from batch file
d. clean logs
e. Browse to http://localhost:8080/foo
f. get Server unknown at the bottom of the error page
g. Manager application also reports unknown for server version

/mde/





> > java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
> >     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
> >     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> >     at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
> >
> > Tomcat:
> >
> > apache-tomcat-6.0.37
> > apache-tomcat-7.0.40
> > apache-tomcat-7.0.42
> > Tomcat/8.0.0-RC1
> >
> > JDK:
> > Oracle jdk1.7.0_25
> >
> > OS:
> > SUSE Linux Enterprise Server 11 (x86_64)
> > VERSION = 11
> > PATCHLEVEL = 1
> >
> > Thank you very much!







Re: Downgrade Tomcat7 to Tomcat6

2013-08-08 Thread Daniel Mikusa
On Aug 7, 2013, at 9:53 PM, Sumilang Plucena  
wrote:

> I have a development server Ubuntu12.10 and Tomcat-7.0.30.

Are you installing from the Ubuntu repository or from the tomcat.apache.org 
download?  

If you're installing from an Ubuntu repository, I'd suggest that you don't.  
The versions there are always way behind and install files into distro specific 
locations (which makes it harder for us, the tomcat mailing list, to support).

Installation from the zip / tar.gz on tomcat.apache.org is quite simple and 
gives you more control over the version you install (i.e. you can get all the 
latest security fixes) and where you install the files.  In fact, when you use 
this method you can even install multiple versions on the same machine at the 
same time, which makes upgrades a bit easier.

> But prior to upgrading Tomcat7 from Tomcat-6.0.29 we never had problem with 
> our website.

You're going from one major version of Tomcat to another, which means you could 
see some differences with your applications.  Please check out the migration 
guide for more information about what has changed.

   https://tomcat.apache.org/migration-7.html

> I would like to know how I can go about downgrading Tomcat7 without affecting 
> applications hosted by tomcat7.

I'd suggest just fixing the issue that you are seeing with Tomcat 7 (feel free 
to post another thread asking for help with that), but if you *really* want to 
downgrade I suppose it should be possible.  First, how did you upgrade from 
Tomcat 6 to Tomcat 7?  What steps did you take?

Dan



Re: [Probe]- Tomcat deployment

2013-08-08 Thread Christopher Schultz

Vicky,

On 8/4/13 4:20 PM, vicky007aggar...@yahoo.co.in wrote:
> Thanks Chris .. But is there any sample example which illustrates
> how to configure/use cluster deployer ?? Pls suggest

Did you read the docs reference I already sent?

> Does this can be used only if the tomcat instances are clustered?

Did you read the docs reference I already sent?

-chris



Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException

2013-08-08 Thread Daniel Mikusa
On Aug 8, 2013, at 7:05 AM, "Edao, Aliye"  wrote:

> Dear all,
> 
> Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties 
> because of information disclosure concerns (TC version number)
> in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and 
> Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, 
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
> leads to ClassNotFoundException and Tomcat cannot be started.
> 
> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now 
> intended or did I miss something?
> 
> Error message (Tomcat 8):

I'm not seeing this issue in my environment.  I've pulled and built Tomcat 8 
from SVN though.  Perhaps you could try that and see if the issue has already 
been resolved?

Here are the steps I followed:

1.) Check out Tomcat 8 from SVN (svn co 
https://svn.apache.org/repos/asf/tomcat/trunk/ tomcat-trunk)
2.) Build  (instructions can be found here ->  
https://svn.apache.org/repos/asf/tomcat/trunk/BUILDING.txt)
3.) cd to output/build/
4.) cd to lib
5.) mkdir -p org/apache/catalina/util
6.) unzip catalina.jar org/apache/catalina/util/ServerInfo.properties
7.) Edit org/apache/catalina/util/ServerInfo.properties, replace info with 
"N/A".
8.) ./bin/startup.sh
9.) Check the logs, which were clean for me.
10.) curl http://localhost:8080/does-not-exist verify output has version listed 
as "N/A".

Dan

> 
> java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>     at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
> 
> Tomcat:
> 
> apache-tomcat-6.0.37
> apache-tomcat-7.0.40
> apache-tomcat-7.0.42
> Tomcat/8.0.0-RC1
> 
> JDK:
> Oracle jdk1.7.0_25
> 
> OS:
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 1
> 
> Thank you very much!
> 





Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException

2013-08-08 Thread Christopher Schultz

Aliye,

On 8/8/13 7:05 AM, Edao, Aliye wrote:
> Dear all,
> 
> Altering
> ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties
> because of information disclosure concerns (TC version number) in
> apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42
> and Apache Tomcat/8.0.0-RC1 as mentioned in the documentation 
> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html,
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html) leads
> to ClassNotFoundException and Tomcat cannot be started.
> 
> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is
> this now intended or did I miss something?
> 
> Error message (Tomcat 8):
> 
> java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>     at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
> 
> Tomcat:
> 
> apache-tomcat-6.0.37
> apache-tomcat-7.0.40
> apache-tomcat-7.0.42
> Tomcat/8.0.0-RC1

What is the difference between your ServerInfo.properties and the one
from catalina.jar?

-chris



Re: Downgrade Tomcat7 to Tomcat6

2013-08-08 Thread Ognjen Blagojevic

Sumilang,

On 8.8.2013 3:53, Sumilang Plucena wrote:

> I have a development server Ubuntu12.10 and Tomcat-7.0.30. But prior to
> upgrading Tomcat7 from Tomcat-6.0.29 we never had problem with our website. I
> would like to know how I can go about downgrading Tomcat7 without affecting
> applications hosted by tomcat7.


Since that is your development server, how do you feel about resolving 
problems you have with Tomcat 7, rather than downgrading? Mailing lists 
are here to help you.


Upgrading and downgrading may be done in phases. You may install Tomcat 
6 and Tomcat 7 on the same server and migrate your webapps one at a time.


-Ognjen




Altering ServerInfo.properties in Tomcat => ClassNotFoundException

2013-08-08 Thread Edao, Aliye
Dear all,

Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties 
because of information disclosure concerns (TC version number)
in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and Apache 
Tomcat/8.0.0-RC1 as mentioned in the documentation
(http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, 
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
leads to ClassNotFoundException and Tomcat cannot be started.

The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now 
intended or did I miss something?

Error message (Tomcat 8):

java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)

Tomcat:

apache-tomcat-6.0.37
apache-tomcat-7.0.40
apache-tomcat-7.0.42
Tomcat/8.0.0-RC1

JDK:
Oracle jdk1.7.0_25

OS:
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

Thank you very much!
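
The override procedure given in the replies in this thread (take ServerInfo.properties from catalina.jar, change only server.info, place the file under lib/org/apache/catalina/util/) together with the comparison one reply asks for, as an added example that is not part of any list message. The jar built here is constructed sample data with placeholder version strings, the function names are assumptions, and the properties parser handles only simple key=value lines.

```python
import os
import tempfile
import zipfile

ENTRY = "org/apache/catalina/util/ServerInfo.properties"

# Constructed stand-in for the file shipped inside catalina.jar.
SAMPLE_PROPERTIES = (
    "# constructed sample, not a real Tomcat build\n"
    "server.info=Apache Tomcat/0.0.0-constructed\n"
    "server.number=0.0.0.0\n"
    "server.built=constructed\n"
)


def parse_properties(text):
    """Parse simple key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def read_shipped(catalina_jar):
    # Java .properties files are ISO-8859-1 encoded.
    with zipfile.ZipFile(catalina_jar) as jar:
        return jar.read(ENTRY).decode("iso-8859-1")


def write_override(catalina_jar, lib_dir, server_info):
    """Copy the shipped file to lib/, replacing only the server.info value."""
    lines = []
    for line in read_shipped(catalina_jar).splitlines():
        if line.strip().startswith("server.info="):
            line = "server.info=" + server_info
        lines.append(line)
    target = os.path.join(lib_dir, *ENTRY.split("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="iso-8859-1", newline="\n") as fh:
        fh.write("\n".join(lines) + "\n")
    return target


def diff_against_jar(catalina_jar, override_path):
    """Return {key: (shipped, override)} for every key that differs."""
    shipped = parse_properties(read_shipped(catalina_jar))
    with open(override_path, encoding="iso-8859-1") as fh:
        mine = parse_properties(fh.read())
    keys = sorted(set(shipped) | set(mine))
    return {k: (shipped.get(k), mine.get(k))
            for k in keys if shipped.get(k) != mine.get(k)}


def demo():
    """Build a constructed lib/catalina.jar, write the override, diff it."""
    with tempfile.TemporaryDirectory() as home:
        lib_dir = os.path.join(home, "lib")
        os.makedirs(lib_dir)
        jar_path = os.path.join(lib_dir, "catalina.jar")
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr(ENTRY, SAMPLE_PROPERTIES)
        override = write_override(jar_path, lib_dir, "N/A")
        return diff_against_jar(jar_path, override)


if __name__ == "__main__":
    for key, (old, new) in demo().items():
        print(f"{key}: {old!r} -> {new!r}")
```

An override that differs from the shipped file in anything other than server.info shows up as extra keys in the returned dictionary.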