Re: JNDIRealm doesn't work when binding as non-admin user
On 30/09/2014 01:11, Jesse Barnum wrote: I'm trying to configure Tomcat to authenticate against our Active Directory server. I do not want to configure an administrative account to bind with; I want to bind as the user logging in. The problem comes when JNDIRealm tries to get the list of roles that the user is a member of. From looking at the source code, it seems to strip out the login user's account credentials from the DirectoryContext. This causes the following exception when it tries to get a list of groups for the user: snip/ This bug report seems to indicate that it should work the way I'm expecting, as of 7.0.9 and onwards. https://issues.apache.org/bugzilla/show_bug.cgi?id=19444 I am running 7.0.52. Is there some configuration I need to do to tell Tomcat to use the user's credentials when getting a list of roles? To quote from the last comment in that bug report: quote I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow role searches as the user being authenticated rather than using using an anonymous user or using connectionName/connectionPassword. The new option will be included in 7.0.9 onwards. /quote Looking at the docs for the JNDI Realm (since I can't remember what name I used for that option) this looks promising: quote roleSearchAsUser When searching for user roles, should the search be performed as the user currently being authenticated? If false, connectionName and connectionPassword will be used if specified, else an anonymous. If not specified, the default value of false is used. Note that when accessing the directory using delegated credentials, this attribute is always ignored and the search is performed using the delegated credentials. /quote So, that begs two questions: 1. What configuration are you using for roleSearchAsUser 2. In the interests of improving the docs, what was it that meant you were unable to find this information in the JNDI Realm docs? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
tomcat7's welcome-file-list seems not to work fine on my server
Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root |-/WEB-INF/web.xml |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp and In $CATALINA_BASE/conf/web.xml, a welcome-file-list was defined as: welcome-file-list welcome-fileindex.html/welcome-file welcome-fileindex.htm/welcome-file welcome-fileindex.jsp/welcome-file /welcome-file-list I didn't mapping any servlet on the /bar. So when I request http://127.0.0.1:8080/bar, it was mapped to the default servlet, and get a 302 response.() Like this: #curl 127.0.0.1:8080/bar -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: http://127.0.0.1:8080/bar/ Transfer-Encoding: chunked Date: Tue, 30 Sep 2014 07:27:19 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404?
Re: tomcat7's welcome-file-list seems not to work fine on my server
?? wrote: Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root root, or ROOT ? (case matters) |-/WEB-INF/web.xml |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp and In $CATALINA_BASE/conf/web.xml, a welcome-file-list was defined as: welcome-file-list welcome-fileindex.html/welcome-file welcome-fileindex.htm/welcome-file welcome-fileindex.jsp/welcome-file /welcome-file-list I didn't mapping any servlet on the /bar. So when I request http://127.0.0.1:8080/bar, it was mapped to the default servlet, and get a 302 response.() Like this: #curl 127.0.0.1:8080/bar -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: http://127.0.0.1:8080/bar/ Transfer-Encoding: chunked Date: Tue, 30 Sep 2014 07:27:19 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re:Re: tomcat7's welcome-file-list seems not to work fine on my server
Sorry,I made a mistake, the ROOT should be upper case. At 2014-09-30 17:13:40, André Warnier a...@ice-sa.com wrote: 罗茂林 wrote: Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root root, or ROOT ? (case matters) |-/WEB-INF/web.xml |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp and In $CATALINA_BASE/conf/web.xml, a welcome-file-list was defined as: welcome-file-list welcome-fileindex.html/welcome-file welcome-fileindex.htm/welcome-file welcome-fileindex.jsp/welcome-file /welcome-file-list I didn't mapping any servlet on the /bar. So when I request http://127.0.0.1:8080/bar, it was mapped to the default servlet, and get a 302 response.() Like this: #curl 127.0.0.1:8080/bar -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: http://127.0.0.1:8080/bar/ Transfer-Encoding: chunked Date: Tue, 30 Sep 2014 07:27:19 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat7's welcome-file-list seems not to work fine on my server
2014-09-30 11:53 GMT+04:00 罗茂林 a8156...@126.com: Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root |-/WEB-INF/web.xml What is in your web.xml file? |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp (...) But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404? What do you get if you invoke the file explicitly, without relying on welcome files feature? http://127.0.0.1:8080/bar/index.jsp Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Session lost in Tomcat 5.5.36
Hi everybody, Working on my company webapp I notice the following problem: sometimes the jsession cookie is lost, and therefore my whole http session is lost. The context is: - Tomcat v. 5.5.36 - JDK 1.5.0 - O.S. Windows - Client: Internet Explorer 8 Here is my use case: - I made a POST request to a servlet of my webapp - While processing this request, I create a new http session - Processing of the request will process a velocity template as last step - This velocity template contains 3 calls to 3 different servlets of my webapp, these 3 calls are made through an HTTP GET - While processing one of these 3 requests, Tomcat does not append jsessionid parameter to the requested URL: I have debugged Tomcat classes therefore I am sure of this This problem does not occur always, but just sometimes. While debugging Tomcat classes, I noticed that Tomcat starts 3 threads to manage the 3 GET requests of the velocity template, so maybe it is a concurrency problem. Finally, I noticed that this problem does not happen if I set the Windows registry key HKCU\Software\Microsoft\Internet Explorer\Main – TabProcGrowth to 0 or 1, which forces Internet Explorer to use one process for all tabs, not one process for single tab (which is the default). Do I miss some configuration settings? Do I have to set some particular parameter / cookie in the first response (or in the velocity template) ? If you need more details please tell me. Thanks in advice, Kind regards Diego
Connection reset error trying to deploy WAR file
I just installed Tomcat 7.0.55 on a Windows 7 64-bit machine. Previously, I was using Tomcat 6.0.32 (?) but I was having trouble running apps since I've installed Java 1.8. Anyway, the issue I am having with Tomcat 7 is that I am unable to deploy a WAR file via the Tomcat Manager HTML page. I browse to the WAR file location and then click Deploy. I immediately get a Connection was reset error and the WAR file does not deploy. I think the reason lies in the following exception in the manager log: SEVERE: HTMLManager: FAIL - Deploy Upload Failed, Exception: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) java.lang.IllegalStateException: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) at org.apache.catalina.connector.Request.parseParts(Request.java:2804) at org.apache.catalina.connector.Request.parseParameters(Request.java:3096) at org.apache.catalina.connector.Request.getParameter(Request.java:1145) at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:382) at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:185) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:744) Caused by: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) at org.apache.tomcat.util.http.fileupload.FileUploadBase$FileItemIteratorImpl.init(FileUploadBase.java:815) at org.apache.tomcat.util.http.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:259) at org.apache.tomcat.util.http.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:283) at org.apache.catalina.connector.Request.parseParts(Request.java:2737) ... 27 more Is there a configuration parameter somewhere that allows me to increase the allowable size? Funny, because I never got this error when using Tomcat 6. Thank you, Peter NOTICE from Ab Initio: This email (including any attachments) may contain information that is subject to confidentiality obligations or is legally privileged, and sender does not waive confidentiality or privilege. If received in error, please notify the sender, delete this email, and make no further use, disclosure, or distribution.
Tomcat returns Jsp source code as text/plain to the browser
Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? How can I filter it out ? Thanks
Re: Connection reset error trying to deploy WAR file
2014-09-30 15:21 GMT+04:00 pm...@abinitio.com: I just installed Tomcat 7.0.55 on a Windows 7 64-bit machine. Previously, I was using Tomcat 6.0.32 (?) but I was having trouble running apps since I've installed Java 1.8. Anyway, the issue I am having with Tomcat 7 is that I am unable to deploy a WAR file via the Tomcat Manager HTML page. I browse to the WAR file location and then click Deploy. I immediately get a Connection was reset error and the WAR file does not deploy. I think the reason lies in the following exception in the manager log: SEVERE: HTMLManager: FAIL - Deploy Upload Failed, Exception: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) java.lang.IllegalStateException: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) at org.apache.catalina.connector.Request.parseParts(Request.java:2804) at org.apache.catalina.connector.Request.parseParameters(Request.java:3096) at org.apache.catalina.connector.Request.getParameter(Request.java:1145) at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:382) at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:185) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:744) Caused by: org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (62772907) exceeds the configured maximum (52428800) at org.apache.tomcat.util.http.fileupload.FileUploadBase$FileItemIteratorImpl.init(FileUploadBase.java:815) at org.apache.tomcat.util.http.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:259) at org.apache.tomcat.util.http.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:283) at org.apache.catalina.connector.Request.parseParts(Request.java:2737) ... 27 more Is there a configuration parameter somewhere that allows me to increase the allowable size? Funny, because I never got this error when using Tomcat 6. In manager/WEB-INF/web.xml: multipart-config !-- 50MB max -- max-file-size52428800/max-file-size max-request-size52428800/max-request-size file-size-threshold0/file-size-threshold /multipart-config The error message mentions the number. Searching for the number would have found it. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail:
Re:Re: tomcat7's welcome-file-list seems not to work fine on my server
Thanks for replying,I answered after you questions. At 2014-09-30 17:25:53, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-09-30 11:53 GMT+04:00 罗茂林 a8156...@126.com: Here is my env: Server version: Apache Tomcat/7.0.47 Server built: Oct 18 2013 01:07:38 Server number: 7.0.47.0 OS Name:Linux OS Version: 2.6.32-358.el6.x86_64 Architecture: amd64 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. The problem: my application layout: root |-/WEB-INF/web.xml What is in your web.xml file? Below is the content in my web.xml : ?xml version=1.0 encoding=UTF-8? web-app version=2.4 xmlns=http://java.sun.com/xml/ns/j2ee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; display-nametest/display-name servlet servlet-namess/servlet-name servlet-classcom.Test/servlet-class /servlet servlet-mapping servlet-namess/servlet-name url-pattern/foo/*/url-pattern /servlet-mapping servlet-mapping servlet-namedefault/servlet-name url-pattern/healthcheck.html/url-pattern /servlet-mapping servlet-mapping servlet-namejsp/servlet-name url-pattern/WEB-INF/jsp/*/url-pattern /servlet-mapping servlet-mapping servlet-namejsp/servlet-name url-pattern/config/qmonitor.jsp/url-pattern /servlet-mapping /web-app |-/WEB-INF/classes |-/bar/index.jsp |-/META-INF |-/index.jsp (...) But when I further make a request to the http://127.0.0.1:8080/bar/ . A 404 was responsed, like #curl 127.0.0.1:8080/bar/ -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/ HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 07:27:22 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 I suggest that the /bar/index.jsp should be responsed for the welcome file mechanism. But why i get a 404? What do you get if you invoke the file explicitly, without relying on welcome files feature? http://127.0.0.1:8080/bar/index.jsp call http://127.0.0.1:8080/bar/index.jsp directly still got 404. #curl 127.0.0.1:8080/bar/index.jsp -v * About to connect() to 127.0.0.1 port 8080 (#0) * Trying 127.0.0.1... connected * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) GET /bar/index.jsp HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 127.0.0.1:8080 Accept: */* HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 949 Date: Tue, 30 Sep 2014 11:36:52 GMT * Connection #0 to host 127.0.0.1 left intact * Closing connection #0 Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat returns Jsp source code as text/plain to the browser
2014-09-30 15:30 GMT+04:00 Gadi Sastiel gadi.sast...@gmail.com: Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? I cannot reproduce this with the currently being tested 7.0.56 (release candidate), nor with the current Tomcat 6 and Tomcat 8. Is your Tomcat directly accessible via HTTP port, or it is behind another HTTP server (IIS, Apache HTTPD)? What Connector is used to access it (Bio/Nio/Apr, HTTP or AJP protocol)? What web browser are you using? What version of Java is used to run it? How can I filter it out ? That depends on the root cause. Is the source code displayed by Tomcat or by other web server? Is this request mentioned in Tomcat access log file? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat returns Jsp source code as text/plain to the browser
Hi , we are behind Apache. , we have HTTP and AJP connectors. Java 1.7.17 it was reproduced on Latest chrome and firefox I can see the request on the tomcat access log. Thanks Gadi On Tue, Sep 30, 2014 at 2:59 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-09-30 15:30 GMT+04:00 Gadi Sastiel gadi.sast...@gmail.com: Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? I cannot reproduce this with the currently being tested 7.0.56 (release candidate), nor with the current Tomcat 6 and Tomcat 8. Is your Tomcat directly accessible via HTTP port, or it is behind another HTTP server (IIS, Apache HTTPD)? What Connector is used to access it (Bio/Nio/Apr, HTTP or AJP protocol)? What web browser are you using? What version of Java is used to run it? How can I filter it out ? That depends on the root cause. Is the source code displayed by Tomcat or by other web server? Is this request mentioned in Tomcat access log file? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session lost in Tomcat 5.5.36
On Tue, Sep 30, 2014 at 6:56 AM, Diego Ruotolo druot...@noemalife.com wrote: Hi everybody, Working on my company webapp I notice the following problem: sometimes the jsession cookie is lost, and therefore my whole http session is lost. The context is: - Tomcat v. 5.5.36 - JDK 1.5.0 Both of these pieces of software are very old and no longer supported. There are very likely bugs and security issues in them which will never get fixed. You should consider upgrading ASAP. As a bonus, upgrading may solve the problem you're having. http://tomcat.apache.org/tomcat-55-eol.html Dan - O.S. Windows - Client: Internet Explorer 8 Here is my use case: - I made a POST request to a servlet of my webapp - While processing this request, I create a new http session - Processing of the request will process a velocity template as last step - This velocity template contains 3 calls to 3 different servlets of my webapp, these 3 calls are made through an HTTP GET - While processing one of these 3 requests, Tomcat does not append jsessionid parameter to the requested URL: I have debugged Tomcat classes therefore I am sure of this This problem does not occur always, but just sometimes. While debugging Tomcat classes, I noticed that Tomcat starts 3 threads to manage the 3 GET requests of the velocity template, so maybe it is a concurrency problem. Finally, I noticed that this problem does not happen if I set the Windows registry key HKCU\Software\Microsoft\Internet Explorer\Main – TabProcGrowth to 0 or 1, which forces Internet Explorer to use one process for all tabs, not one process for single tab (which is the default). Do I miss some configuration settings? Do I have to set some particular parameter / cookie in the first response (or in the velocity template) ? If you need more details please tell me. Thanks in advice, Kind regards Diego
Re: Tomcat returns Jsp source code as text/plain to the browser
On Tue, Sep 30, 2014 at 9:04 AM, Gadi Sastiel gadi.sast...@gmail.com wrote: Hi , we are behind Apache. , we have HTTP and AJP connectors. Java 1.7.17 it was reproduced on Latest chrome and firefox I've seen similar issues when Apache HTTPD is not configured correctly. How are you proxying requests to your Tomcat server? mod_proxy? mod_jk? Can you include relevant configuration? I can see the request on the tomcat access log. Can you include the log entries from both HTTPD Tomcat? Dan On Tue, Sep 30, 2014 at 2:59 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-09-30 15:30 GMT+04:00 Gadi Sastiel gadi.sast...@gmail.com: Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? I cannot reproduce this with the currently being tested 7.0.56 (release candidate), nor with the current Tomcat 6 and Tomcat 8. Is your Tomcat directly accessible via HTTP port, or it is behind another HTTP server (IIS, Apache HTTPD)? What Connector is used to access it (Bio/Nio/Apr, HTTP or AJP protocol)? What web browser are you using? What version of Java is used to run it? How can I filter it out ? That depends on the root cause. Is the source code displayed by Tomcat or by other web server? Is this request mentioned in Tomcat access log file? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDIRealm doesn't work when binding as non-admin user
On Sep 30, 2014, at 2:43 AM, Mark Thomas ma...@apache.org wrote:
On 30/09/2014 01:11, Jesse Barnum wrote:
I'm trying to configure Tomcat to authenticate against our Active Directory
server.
I do not want to configure an administrative account to bind with; I want to
bind as the user logging in.
The problem comes when JNDIRealm tries to get the list of roles that the
user is a member of. From looking at the source code, it seems to strip out
the login user's account credentials from the DirectoryContext. This causes
the following exception when it tries to get a list of groups for the user:
snip/
This bug report seems to indicate that it should work the way I'm expecting,
as of 7.0.9 and onwards.
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
I am running 7.0.52. Is there some configuration I need to do to tell Tomcat
to use the user's credentials when getting a list of roles?
To quote from the last comment in that bug report:
quote
I have added a new JNDIRealm option in Tomcat 7.0.x to optionally allow
role searches as the user being authenticated rather than using using an
anonymous user or using connectionName/connectionPassword.
The new option will be included in 7.0.9 onwards.
/quote
Looking at the docs for the JNDI Realm (since I can't remember what name
I used for that option) this looks promising:
quote
roleSearchAsUser
When searching for user roles, should the search be performed as the
user currently being authenticated? If false, connectionName and
connectionPassword will be used if specified, else an anonymous. If not
specified, the default value of false is used. Note that when accessing
the directory using delegated credentials, this attribute is always
ignored and the search is performed using the delegated credentials.
/quote
So, that begs two questions:
1. What configuration are you using for roleSearchAsUser
Mark, thanks for the fast response.
I did not have that attribute set. I've changed it to true. Here is my Realm
definition after making the change:
Realm className=org.apache.catalina.realm.JNDIRealm
connectionURL=ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com;
userPattern=cn={0},cn=Users,dc=360works,dc=com
roleBase=
roleName=cn
roleSearch=(member={0})
roleSearchAsUser=true
/
By the way, I've noticed that I get a NPE if I don't define roleBase with an
empty string (it should be optional, since I've specified the search base in my
connectionURL). I don't have to define userBase; it seems like the behavior
should be consistent for these two attributes.
After adding the roleSearchAsUser attribute, I'm getting a new error:
FINE: Checking constraint 'SecurityConstraint[Protected Area]' against GET
/index.html -- true
Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE: Calling hasUserDataPermission()
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.RealmBase
hasUserDataPermission
FINE: User data constraint has no restrictions
Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE: Calling authenticate()
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: Attempting to authenticate user Jesse Barnum with realm
org.apache.catalina.realm.JNDIRealm/1.0
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.JNDIRealm authenticate
INFO: Exception performing authentication. Retrying...
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:394)
at javax.naming.InitialContext.addToEnvironment(InitialContext.java:514)
at
org.apache.catalina.realm.JNDIRealm.userCredentialsAdd(JNDIRealm.java:1635)
at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1734)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1169)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
at
org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
at
org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
at
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
Re: Tomcat returns Jsp source code as text/plain to the browser
I have in httpd.conf: LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so # Configure mod_proxy_html to understand HTML4/XHTML1 IfModule proxy_html_module Include conf/extra/proxy-html.conf /IfModule LoadModule jk_module modules/mod_jk.so Gadi On Tue, Sep 30, 2014 at 4:38 PM, Daniel Mikusa dmik...@pivotal.io wrote: On Tue, Sep 30, 2014 at 9:04 AM, Gadi Sastiel gadi.sast...@gmail.com wrote: Hi , we are behind Apache. , we have HTTP and AJP connectors. Java 1.7.17 it was reproduced on Latest chrome and firefox I've seen similar issues when Apache HTTPD is not configured correctly. How are you proxying requests to your Tomcat server? mod_proxy? mod_jk? Can you include relevant configuration? I can see the request on the tomcat access log. Can you include the log entries from both HTTPD Tomcat? Dan On Tue, Sep 30, 2014 at 2:59 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-09-30 15:30 GMT+04:00 Gadi Sastiel gadi.sast...@gmail.com: Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? I cannot reproduce this with the currently being tested 7.0.56 (release candidate), nor with the current Tomcat 6 and Tomcat 8. Is your Tomcat directly accessible via HTTP port, or it is behind another HTTP server (IIS, Apache HTTPD)? What Connector is used to access it (Bio/Nio/Apr, HTTP or AJP protocol)? What web browser are you using? What version of Java is used to run it? How can I filter it out ? That depends on the root cause. Is the source code displayed by Tomcat or by other web server? Is this request mentioned in Tomcat access log file? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
question on certificate use
I installed an SSL certificate using keytool on the apache tomcat server. When my site loads, depending on the certificate, I either get a blank screen loading or the certificate error on the toolbar next to the URL that doesn't go away. The site works though, but I would like to get rid of that Certificate Error displaying. I am using Internet Explorer 8 and a self signed certificate when the site works, although with the certificates error displaying. And when I use a proper CA certificate that is when I get a blank screen. I run the following command: Keytool allowed me to place the certificate into the keystore where my selfsigned certificate is located. It gave no errors when I added, just asked if I should trust the certificate which I said yes. Then in my connector, I have: Connector port=443 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=C:\Bonaire\REVPORT\.keystore keystorePass=changeit keyAlias=tomcat2 proxyName=revport-it.us.bank-dns.com proxyPort=443 / And then on the browser, when I try to load the site, I get a blank screen again: If I use tomcat as the alias in my connector, the site loads but then I get the certificate error popup again, which is what I need to get rid of. Please help! Thanks! Ray U.S. BANCORP made the following annotations - Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation. -
Re: Tomcat returns Jsp source code as text/plain to the browser
On Tue, Sep 30, 2014 at 10:32 AM, Gadi Sastiel gadi.sast...@gmail.com wrote: I have in httpd.conf: LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so # Configure mod_proxy_html to understand HTML4/XHTML1 IfModule proxy_html_module Include conf/extra/proxy-html.conf /IfModule LoadModule jk_module modules/mod_jk.so Looks like you're loading both mod_proxy mod_jk. Which one are you using? There should be more to this config. Possibly some ProxyPass statements or a JkMount? Dan Gadi On Tue, Sep 30, 2014 at 4:38 PM, Daniel Mikusa dmik...@pivotal.io wrote: On Tue, Sep 30, 2014 at 9:04 AM, Gadi Sastiel gadi.sast...@gmail.com wrote: Hi , we are behind Apache. , we have HTTP and AJP connectors. Java 1.7.17 it was reproduced on Latest chrome and firefox I've seen similar issues when Apache HTTPD is not configured correctly. How are you proxying requests to your Tomcat server? mod_proxy? mod_jk? Can you include relevant configuration? I can see the request on the tomcat access log. Can you include the log entries from both HTTPD Tomcat? Dan On Tue, Sep 30, 2014 at 2:59 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-09-30 15:30 GMT+04:00 Gadi Sastiel gadi.sast...@gmail.com: Hi all, Tomcat version 7.0.30 Operating System – Windows server 2008 and above. When I concatenate “ ( quotes) to the end of the url when accessing a jsp for example: /pages/somePage.jsp” The browser returns the source code of the JSP. Does anyone see such a behavior before ? I cannot reproduce this with the currently being tested 7.0.56 (release candidate), nor with the current Tomcat 6 and Tomcat 8. Is your Tomcat directly accessible via HTTP port, or it is behind another HTTP server (IIS, Apache HTTPD)? What Connector is used to access it (Bio/Nio/Apr, HTTP or AJP protocol)? What web browser are you using? What version of Java is used to run it? How can I filter it out ? That depends on the root cause. Is the source code displayed by Tomcat or by other web server? Is this request mentioned in Tomcat access log file? Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
R: Session lost in Tomcat 5.5.36
Thanks Daniel, best regards Diego -Messaggio originale- Da: Daniel Mikusa [mailto:dmik...@pivotal.io] Inviato: martedì 30 settembre 2014 15:33 A: Tomcat Users List Oggetto: Re: Session lost in Tomcat 5.5.36 On Tue, Sep 30, 2014 at 6:56 AM, Diego Ruotolo druot...@noemalife.com wrote: Hi everybody, Working on my company webapp I notice the following problem: sometimes the jsession cookie is lost, and therefore my whole http session is lost. The context is: - Tomcat v. 5.5.36 - JDK 1.5.0 Both of these pieces of software are very old and no longer supported. There are very likely bugs and security issues in them which will never get fixed. You should consider upgrading ASAP. As a bonus, upgrading may solve the problem you're having. http://tomcat.apache.org/tomcat-55-eol.html Dan - O.S. Windows - Client: Internet Explorer 8 Here is my use case: - I made a POST request to a servlet of my webapp - While processing this request, I create a new http session - Processing of the request will process a velocity template as last step - This velocity template contains 3 calls to 3 different servlets of my webapp, these 3 calls are made through an HTTP GET - While processing one of these 3 requests, Tomcat does not append jsessionid parameter to the requested URL: I have debugged Tomcat classes therefore I am sure of this This problem does not occur always, but just sometimes. While debugging Tomcat classes, I noticed that Tomcat starts 3 threads to manage the 3 GET requests of the velocity template, so maybe it is a concurrency problem. Finally, I noticed that this problem does not happen if I set the Windows registry key HKCU\Software\Microsoft\Internet Explorer\Main – TabProcGrowth to 0 or 1, which forces Internet Explorer to use one process for all tabs, not one process for single tab (which is the default). Do I miss some configuration settings? Do I have to set some particular parameter / cookie in the first response (or in the velocity template) ? If you need more details please tell me. Thanks in advice, Kind regards Diego - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: question on certificate use
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ray, Attachments were stripped. Can you please resend? - -chris On 9/30/14 10:37 AM, ray.d...@usbank.com wrote: I installed an SSL certificate using keytool on the apache tomcat server. When my site loads, depending on the certificate, I either get a blank screen loading or the certificate error on the toolbar next to the URL that doesn't go away. The site works though, but I would like to get rid of that Certificate Error displaying. I am using Internet Explorer 8 and a self signed certificate when the site works, although with the certificates error displaying. And when I use a proper CA certificate that is when I get a blank screen. I run the following command: Keytool allowed me to place the certificate into the keystore where my selfsigned certificate is located. It gave no errors when I added, just asked if I should trust the certificate which I said yes. Then in my connector, I have: Connector port=443 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=C:\Bonaire\REVPORT\.keystore keystorePass=changeit keyAlias=tomcat2 proxyName=revport-it.us.bank-dns.com proxyPort=443 / And then on the browser, when I try to load the site, I get a blank screen again: If I use tomcat as the alias in my connector, the site loads but then I get the certificate error popup again, which is what I need to get rid of. Please help! Thanks! Ray U.S. BANCORP made the following annotations - Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation. - -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUKu1oAAoJEBzwKT+lPKRY45QP/0hBEYql20RVbCYE2aWbI5L5 Wk+WI2PKYwXdg6220atNC0vfQCOjHWQcaYid8m2dmg7d5EAqUawRGPPFCajipXVq PVVE7sZOBxkhmGvGE3hma5bphcfuIBRRxMPyJ0H7RaHdaYar4m83nWeaQJimesae kCrCa0EZSIR/PnzrzQD5OyEJbUhUSk/PgUIvZO+dLqz2STjlhxRXrmCku2aoU7h4 0Dbslg6gmH1zS+HC37fCehT48urv7X5naBxMOIrXhyaVFkoF5YeNiGGyU/XB4pVm Y7wKBJXRwJ+j0a0v1JyyplMdIti+asuUNBik7DJlaK4Eaea06BVAkElBdjy/QPXz 2Nq7TXJ/PJmrw3bToxlK8gxkDt9tnRFgrZQM0/aVILFqriGzi5ErWRZY9FLepuMF EoQSA8TKLLfLgOmerHeoV4B764P+xT9eB7Nty6KfqKDsDcC8HlvwEDmG9nFLhWOl w4WIN8ALj3z01/XOB0SgmDAMDzlngbKnnPg8aCY5tjYclK/hd/8P8HJ1v6yxO+29 nm6qHstj+rZm2BlOIKh8g7D30f1GaRooR1u/skfdT9oZ9O7p5BazoWskor0r/2aq Rnekeo06Bhmg15JFtglvZjBD/IINMcgn9kVx1wPf7NDdu1LSF+bsKzVOgrrALORl mRQ39vBKGUtfWJ2UMChF =HGvO -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesnt work I will resend the email when I get home
I installed an SSL certificate using keytool on the apache tomcat server. When my site loads, depending on the certificate, I either get a blank screen loading or the certificate error on the toolbar next to the URL that doesn't go away. The site works though, but I would like to get rid of that Certificate Error displaying. I am using Internet Explorer 8 and a self signed certificate when the site works, although with the certificates error displaying. And when I use a proper CA certificate that is when I get a blank screen. I run the following command: keytool -import -trustcacerts -alias tomcat2 -file C:\bonaire\revport\revport-it.us.bank-dns.com.crt -keystore c:\bonaire\revport\.keystore Keytool allowed me to place the certificate into the keystore where my selfsigned certificate is located. (If I run a keytool -list -keystore c:\bonaire\revport\.keystore, I see 2 entries now, one with the self signed certificate I created, and one with the new certificate I just created above). It gave no errors and allowed me to add it, just asked if I should trust the certificate which I said yes. Then in my connector, I have: Connector port=443 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=C:\Bonaire\REVPORT\.keystore keystorePass=changeit keyAlias=tomcat2 proxyName=revport-it.us.bank-dns.com proxyPort=443 / And then on the browser, when I try to load the site, I get a blank screen again, says Internet Explorer cannot display the webpage. If I use tomcat as the alias in my connector, the site loads but then I get the Certificate Error popup again, which is what I need to get rid of (on the top right the Internet Explorer). Please help! Thanks! Ray U.S. BANCORP made the following annotations - Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation. -
Re: Tomcat returns Jsp source code as text/plain to the browser
Gadi Sastiel wrote: I have in httpd.conf: LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so # Configure mod_proxy_html to understand HTML4/XHTML1 IfModule proxy_html_module Include conf/extra/proxy-html.conf /IfModule LoadModule jk_module modules/mod_jk.so Gadi Maybe to gain some time, let me point you to the explanation of what both Konstantin and Daniel are looking for : https://tomcat.apache.org/connectors-doc/reference/apache.html See the text in red ? In more words : a frequent configuration error in such cases (where Apache httpd in a front-end for Tomcat, and both are on the same machine), is to allow Apache httpd to see the contents of the Tomcat application directories (/webapps/*). Tomcat knows that a JSP page is something which has to be processed, and that it is the result that should be returned to the client, not the source. But httpd doesn't know that, and for him a JSP page is just text, and it returns it as is. So if the URL of the request is such, that Apache does not think that this request has to be forwarded to Tomcat, it will try to process this request itself. And if it can do that (aka it sees the directory where this file is located, and the file in it), then it will return that page itself to the client, as text. And that seems to be what you are seeing. From there comes the suspicion of Konstantin and Daniel, because Tomcat, correctly configured, wouldn't do that. Except that you mention somwhere else that the request is visible in the Tomcat access log. That would normally mean that httpd /is/ forwarding this request to Tomcat, and that the error is on the Tomcat side. So before going any further, make absolutely sure that that is the case, and that it is really /this/ request that you are seeing in the tomcat logs. Otherwise everyone is going to lose a lot of time searching in the wrong places. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JNDIRealm doesn't work when binding as non-admin user
On 30/09/2014 15:19, Jesse Barnum wrote:
On Sep 30, 2014, at 2:43 AM, Mark Thomas ma...@apache.org wrote:
On 30/09/2014 01:11, Jesse Barnum wrote:
I'm trying to configure Tomcat to authenticate against our Active Directory
server.
snip/
1. What configuration are you using for roleSearchAsUser
Mark, thanks for the fast response.
I did not have that attribute set. I've changed it to true. Here is my Realm
definition after making the change:
OK. That should help.
Realm className=org.apache.catalina.realm.JNDIRealm
connectionURL=ldap://activedirectory.360works.com/cn=Users,dc=360works,dc=com;
userPattern=cn={0},cn=Users,dc=360works,dc=com
roleBase=
roleName=cn
roleSearch=(member={0})
roleSearchAsUser=true
/
By the way, I've noticed that I get a NPE if I don't define roleBase with an
empty string (it should be optional, since I've specified the search base in
my connectionURL). I don't have to define userBase; it seems like the
behavior should be consistent for these two attributes.
OK. I'll take a look at that NPE.
After adding the roleSearchAsUser attribute, I'm getting a new error:
FINE: Checking constraint 'SecurityConstraint[Protected Area]' against GET
/index.html -- true
Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE: Calling hasUserDataPermission()
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.RealmBase
hasUserDataPermission
FINE: User data constraint has no restrictions
Sep 30, 2014 10:12:22 AM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE: Calling authenticate()
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.CombinedRealm authenticate
FINE: Attempting to authenticate user Jesse Barnum with realm
org.apache.catalina.realm.JNDIRealm/1.0
Sep 30, 2014 10:12:22 AM org.apache.catalina.realm.JNDIRealm authenticate
INFO: Exception performing authentication. Retrying...
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:394)
at javax.naming.InitialContext.addToEnvironment(InitialContext.java:514)
at
org.apache.catalina.realm.JNDIRealm.userCredentialsAdd(JNDIRealm.java:1635)
at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1734)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1169)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
at
org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
at
org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
at
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:573)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:695)
Hmm. OK. Let me play around with my AD test environment and see how much
of this I can reproduce and fix.
2. In the interests of improving the docs, what was it that meant you
were unable to find this information in the JNDI Realm docs?
There is no mention of 'roleSearchAsUser' on these pages:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html
It is mentioned in the method-specific docs on this page, but I didn't see
that because I was setting all of my attributes based on the class-level
JavaDocs that outline the various parameters:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/JNDIRealm.html
OK. I *really* need to find some time to sit down and re-organise the
Tomcat docs. If users would just stop finding bugs for a few months ;)
My recommendation would be to use the available reference material in
this order of preference:
- the attribute by attribute config guide
- the Javadoc
- the source code
- the How-Tos
That won't always be the best order but it should work in most cases.
Mark
Re: JNDIRealm doesn't work when binding as non-admin user
On 30/09/2014 20:24, Mark Thomas wrote: On 30/09/2014 15:19, Jesse Barnum wrote: snip/ By the way, I've noticed that I get a NPE if I don't define roleBase with an empty string (it should be optional, since I've specified the search base in my connectionURL). I don't have to define userBase; it seems like the behavior should be consistent for these two attributes. OK. I'll take a look at that NPE. After adding the roleSearchAsUser attribute, I'm getting a new error: snip/ OK. Both errors fixed in 8.0.x and 7.0.x for 8.0.15 and 7.0.57 respectively. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: question on certificate use - resending with attachment descriptions in case they get stripped out again. If this doesnt work I will resend the email when I get home
Ray, On 30.9.2014 20:54, ray.d...@usbank.com wrote: Connector port=443 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=C:\Bonaire\REVPORT\.keystore keystorePass=changeit keyAlias=tomcat2 proxyName=revport-it.us.bank-dns.com proxyPort=443 / And then on the browser, when I try to load the site, I get a blank screen again, says Internet Explorer cannot display the webpage. If I use tomcat as the alias in my connector, the site loads but then I get the Certificate Error popup again, which is what I need to get rid of (on the top right the Internet Explorer). It seems that you created key pair under alias tomcat and imported certificate reply from your CA under alias tomcat2. That is wrong. You should be importing certificate reply under same alias as you generated key pair. Here is exceprt from Oracle keytool docs: You import a certificate for two reasons: to add it to the list of trusted certificates, or to import a certificate reply received from a CA as the result of submitting a Certificate Signing Request (see the -certreq command) to that CA. Which type of import is intended is indicated by the value of the -alias option: If the alias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate. If the alias points to a key entry, then keytool assumes you are importing a certificate reply. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
