Re: Enabling ssl in tomcat JSSE / APR

2014-10-15 Thread Igor Cicimov
On 16/10/2014 12:10 PM, "Shashank"  wrote:
>
> Hi all
>
> I was trying to enable ssl in my tomcat server. I don't know whether my
> tomcat is using JSSE or APR. But as I created a keystore and imported a
> cert into it, can I use JSSE type irrespective of the connector?
>
> My server.xml block
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"  clientAuth="false"
> sslProtocol="TLS"  keyAlias="x"   keystoreFile="
> {$Catalina.home}/cert/pdtkeystore.keystore" keystorePass="x"/>
>
>
NIO and BIO are JSSE.


Enabling ssl in tomcat JSSE / APR

2014-10-15 Thread Shashank
Hi all

I was trying to enable ssl in my tomcat server. I don't know whether my
tomcat is using JSSE or APR. But as I created a keystore and imported a
cert into it, can I use JSSE type irrespective of the connector?

My server.xml block 




Thanks 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread Mark Eggers
John,


> On Wednesday, October 15, 2014 6:20 AM, John Blaut wrote:
> When SSLv3 is enabled, it seems TLS1.1 and TLS 1.2 are supported however.
> It seems strange that the SSLv3 option controls the availability of TLS1.1
> and TLS1.2.
> 
> Now that SSLv3 is considered insecure and more people start to disable it,
> I suppose many on APR/Native will encounter the same issue.
> Is there any way to preserve TLS1.1 & TLS1.2 whilst disabling SSLv3?
> 
> Regards
> 
> John
> 

From the Google blog post:

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to
mitigate this issue, but presents significant compatibility problems, even
today.

I run Apache HTTPD in front of Tomcat servers, so I think it will be possible 
to disable the second (CBC-mode ciphers with SSL 3.0). I haven't really read 
the APR/Native SSL configuration carefully enough to know if this is possible 
with Tomcat.

As an aside, for the last 500K hits I've seen 37 requests that have used 
CBC-mode ciphers with SSLv3. At least for the sites I am concerned with 
disabling this does not seem to have 'significant compatibility problems'.

> 
> On Wed, Oct 15, 2014 at 3:09 PM, Giles Coochey  wrote:
> 
>>   On 15/10/2014 14:03, John Blaut wrote:
>> 
>>  I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.
>> 
>> 
>> 
>>   Apologies, yes Apr/Native only supports SSLv2, SSLv3 & TLSv1.0
>> 
>>SSLProtocol
>> 
>>  Protocol which may be used for communicating with clients. The default
>>  value is all, which is equivalent to SSLv3+TLSv1 with other acceptable
>>  values being SSLv2, SSLv3, TLSv1 and any combination of the three
>>  protocols concatenated with a plus sign. Note that the protocol SSLv2 is
>>  inherently unsafe.
>> 
>> 
>> 
>>  http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>> 
>>  --
>>  Regards,
>> 
>>  Giles Coochey, CCNP, CCNA, CCNAS
>>  NetSecSpec Ltd
>>  +44 (0) 8444 780677
>>  +44 (0) 7584 634135
>>  http://www.coochey.net
>>  http://www.netsecspec.co.uk
>>  gi...@coochey.net
>> 
>> 
> 
. . . using web mail while rebuilding my system from backups
/mde/




Re: How can Tomcat be started at boot time as a non-root user

2014-10-15 Thread Léa Massiot
Thank you George Sexton for your explanations.
Best regards to you all.






Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread John Blaut
When SSLv3 is enabled, it seems TLS1.1 and TLS 1.2 are supported however.
It seems strange that the SSLv3 option controls the availability of TLS1.1
and TLS1.2.

Now that SSLv3 is considered insecure and more people start to disable it,
I suppose many on APR/Native will encounter the same issue.
Is there any way to preserve TLS1.1 & TLS1.2 whilst disabling SSLv3?

Regards

John

On Wed, Oct 15, 2014 at 3:09 PM, Giles Coochey  wrote:

>  On 15/10/2014 14:03, John Blaut wrote:
>
> I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.
>
>
>
>  Apologies, yes Apr/Native only supports SSLv2, SSLv3 & TLSv1.0
>
>   SSLProtocol
>
> Protocol which may be used for communicating with clients. The default
> value is all, which is equivalent to SSLv3+TLSv1 with other acceptable
> values being SSLv2, SSLv3, TLSv1 and any combination of the three
> protocols concatenated with a plus sign. Note that the protocol SSLv2 is
> inherently unsafe.
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> --
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
>


Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread Giles Coochey

On 15/10/2014 14:03, John Blaut wrote:

I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.



Apologies, yes Apr/Native only supports SSLv2, SSLv3 & TLSv1.0

|SSLProtocol|   

Protocol which may be used for communicating with clients. The default 
value is |all|, which is equivalent to |SSLv3+TLSv1| with other 
acceptable values being |SSLv2|, |SSLv3|, |TLSv1| and any combination of 
the three protocols concatenated with a plus sign. Note that the 
protocol |SSLv2| is inherently unsafe.



http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net





Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread John Blaut
I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.

On Wed, Oct 15, 2014 at 3:00 PM, James Drews  wrote:

>  That isn't working for tomcat 6, it will only accept TLSv1 for the
> SSLProtocol entry, and that results in using TLS1.0 only.
>
>
> On 10/15/2014 7:48 AM, Giles Coochey wrote:
>
> On 15/10/2014 13:42, John Blaut wrote:
>
> Hi
>
> Following the recent announcement of the SSLv3 POODLE vulnerability
> (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
> following configuration: SSLProtocol="TLSv1", it seems that the effect is
> that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
> longer remain available, at least according to the Qualys SSL Labs test:
> https://www.ssllabs.com/ssltest/
>
> Protocols
> TLS 1.2 No
> TLS 1.1 No
> TLS 1.0 Yes
> SSL 3 No
> SSL 2 No
>
> Is there an explanation for this?
> What configuration is required in order to disable SSLv3 (and SSLv2 of
> course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
>
>
> TLS      Supports some version of TLS; may support other versions
> TLSv1    Supports RFC 2246: TLS version 1.0; may support other versions
> TLSv1.1  Supports RFC 4346: TLS version 1.1; may support other versions
> TLSv1.2  Supports RFC 5246: TLS version 1.2; may support other versions
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> --
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
>
>


Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread John Blaut
Thanks for your reply.

Kindly note that for SSL on Tomcat, I do not use the standard JSSE SSL but
OpenSSL via APR/native.
According to the documentation, the SSL protocols can be configured in this
manner for APR/native:

"SSLProtocol: Protocol which may be used for communicating with clients.
The default value is all, which is equivalent to SSLv3+TLSv1 with other
acceptable values being SSLv2, SSLv3, TLSv1 and any combination of the
three protocols concatenated with a plus sign. Note that the protocol SSLv2
is inherently unsafe."

When using: SSLv3+TLSv1 - SSLv3 & TLSv1.0, 1.1, 1.2 are all available
When using: TLSv1 - only TLSv1.0 seems available, without TLS1.1 and 1.2

I am wondering if there is a solution for Tomcat APR/Native where SSLv3 can
be disabled without losing support for TLS 1.1 & 1.2 ?

Regards

John


On Wed, Oct 15, 2014 at 2:48 PM, Giles Coochey  wrote:

>  On 15/10/2014 13:42, John Blaut wrote:
>
> Hi
>
> Following the recent announcement of the SSLv3 POODLE vulnerability
> (CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
> following configuration: SSLProtocol="TLSv1", it seems that the effect is
> that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
> longer remain available, at least according to the Qualys SSL Labs test:
> https://www.ssllabs.com/ssltest/
>
> Protocols
> TLS 1.2 No
> TLS 1.1 No
> TLS 1.0 Yes
> SSL 3 No
> SSL 2 No
>
> Is there an explanation for this?
> What configuration is required in order to disable SSLv3 (and SSLv2 of
> course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?
>
>
> TLS      Supports some version of TLS; may support other versions
> TLSv1    Supports RFC 2246: TLS version 1.0; may support other versions
> TLSv1.1  Supports RFC 4346: TLS version 1.1; may support other versions
> TLSv1.2  Supports RFC 5246: TLS version 1.2; may support other versions
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
>
> --
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
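
An added example, not part of any message in this thread: a Python check that reads a server.xml, classifies each SSL-enabled Connector as APR or JSSE (BIO and NIO being JSSE, as answered in the JSSE / APR thread) and evaluates its protocol setting against the APR/Native SSLProtocol documentation quoted above and the behaviour John reports. The sample file, ports and verdict labels are constructed; sslEnabledProtocols is Tomcat's JSSE connector attribute and does not appear in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the thread): APR connectors
# with the SSLProtocol values discussed, and JSSE NIO connectors.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol" />
    <Connector port="8444" SSLEnabled="true" SSLProtocol="SSLv3+TLSv1"
               protocol="org.apache.coyote.http11.Http11AprProtocol" />
    <Connector port="8445" SSLEnabled="true" SSLProtocol="TLSv1"
               protocol="org.apache.coyote.http11.Http11AprProtocol" />
    <Connector port="8446" SSLEnabled="true" sslProtocol="TLS"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Connector port="8447" SSLEnabled="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

WEAK = {"SSLv2", "SSLv3"}


def connector_impl(protocol):
    """Map a Connector protocol attribute to 'APR', 'JSSE' or 'auto'."""
    name = protocol.rsplit(".", 1)[-1]
    if name == "Http11AprProtocol":
        return "APR"
    if name in ("Http11Protocol", "Http11NioProtocol"):  # BIO and NIO
        return "JSSE"
    return "auto"  # e.g. "HTTP/1.1": APR is used only if the native library loads


def expand_apr(value):
    """Expand an APR SSLProtocol value into the protocol names it lists."""
    value = (value or "all").strip()          # documented default is "all"
    if value.lower() == "all":
        value = "SSLv3+TLSv1"                 # equivalence from the quoted docs
    return {tok.strip() for tok in value.split("+") if tok.strip()}


def audit_apr(conn):
    """Judge an APR connector by its SSLProtocol attribute."""
    tokens = expand_apr(conn.get("SSLProtocol"))
    weak = sorted(tokens & WEAK)
    if weak:
        return "WEAK", "SSLProtocol enables " + "+".join(weak)
    if tokens == {"TLSv1"}:
        # Behaviour reported in the thread for Native 1.1.30, not re-verified here.
        return "LIMITED", "SSLv3 is off, but the thread reports TLS 1.0 only"
    return "REVIEW", "SSLProtocol value is not one the quoted docs list"


def audit_jsse(conn):
    """Judge a JSSE connector by its sslEnabledProtocols attribute."""
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # sslProtocol="TLS" only names the SSLContext; it "may support other
        # versions", so the JVM defaults decide what is actually offered.
        return "REVIEW", "sslEnabledProtocols not set; JVM defaults apply"
    tokens = {tok.strip() for tok in enabled.split(",") if tok.strip()}
    weak = sorted(tokens & WEAK)
    if weak:
        return "WEAK", "sslEnabledProtocols enables " + ",".join(weak)
    return "OK", "enables only " + ",".join(sorted(tokens))


def audit(server_xml):
    """Return (port, impl, verdict, detail) for each SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue                           # plain HTTP connector
        impl = connector_impl(conn.get("protocol", "HTTP/1.1"))
        if impl == "APR":
            verdict, detail = audit_apr(conn)
        elif impl == "JSSE":
            verdict, detail = audit_jsse(conn)
        else:
            verdict, detail = "REVIEW", "APR or JSSE depends on the native library"
        findings.append((conn.get("port", "?"), impl, verdict, detail))
    return findings


if __name__ == "__main__":
    for port, impl, verdict, detail in audit(SAMPLE_SERVER_XML):
        print(f"{port:>5}  {impl:<4}  {verdict:<7}  {detail}")
```

The attribute names are matched case-sensitively on purpose: the APR connector reads `SSLProtocol`, while the JSSE connectors read `sslProtocol` and `sslEnabledProtocols`.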


Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread James Drews
That isn't working for tomcat 6, it will only accept TLSv1 for the
SSLProtocol entry, and that results in using TLS1.0 only.


On 10/15/2014 7:48 AM, Giles Coochey wrote:

On 15/10/2014 13:42, John Blaut wrote:

Hi

Following the recent announcement of the SSLv3 POODLE vulnerability
(CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
following configuration: SSLProtocol="TLSv1", it seems that the effect is
that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
longer remain available, at least according to the Qualys SSL Labs test:
https://www.ssllabs.com/ssltest/

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Is there an explanation for this?
What configuration is required in order to disable SSLv3 (and SSLv2 of
course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?


TLS      Supports some version of TLS; may support other versions
TLSv1    Supports RFC 2246: TLS version 1.0; may support other versions
TLSv1.1  Supports RFC 4346: TLS version 1.1; may support other versions
TLSv1.2  Supports RFC 5246: TLS version 1.2; may support other versions

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net






Re: Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread Giles Coochey

On 15/10/2014 13:42, John Blaut wrote:

Hi

Following the recent announcement of the SSLv3 POODLE vulnerability
(CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
following configuration: SSLProtocol="TLSv1", it seems that the effect is
that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
longer remain available, at least according to the Qualys SSL Labs test:
https://www.ssllabs.com/ssltest/

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Is there an explanation for this?
What configuration is required in order to disable SSLv3 (and SSLv2 of
course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?


TLS      Supports some version of TLS; may support other versions
TLSv1    Supports RFC 2246: TLS version 1.0; may support other versions
TLSv1.1  Supports RFC 4346: TLS version 1.1; may support other versions
TLSv1.2  Supports RFC 5246: TLS version 1.2; may support other versions

http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net




Disabling SSLv3 with Tomcat ARP/Native but still retaining support for TLS 1.1 and TLS 1.2

2014-10-15 Thread John Blaut
Hi

Following the recent announcement of the SSLv3 POODLE vulnerability
(CVE-2014-3566), when disabling SSLv3 on Tomcat APR/Native using the
following configuration: SSLProtocol="TLSv1", it seems that the effect is
that besides the SSLv3 protocol even the TLSv1.1 and  TLSv1.2 protocols no
longer remain available, at least according to the Qualys SSL Labs test:
https://www.ssllabs.com/ssltest/

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Is there an explanation for this?
What configuration is required in order to disable SSLv3 (and SSLv2 of
course) whilst still retaining support for all TLS 1.0, 1.1 & 1.2?

Regards

John


Re: Embedded Tomcat

2014-10-15 Thread Achim Nierbeck
Hi Mark,

thanks for the pointer I think I've found the reason.
Could it be that the initialization of the servlets changed from 7 to 8 :)
I used to load the servlet in the initialization phase. So that's the part
I need to alter.
Need to move that part to the loadOnStartup method call.

just in case anyone is interested, I've linked the source in question below
[1].

regards, Achim

[1] -
https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L273


2014-10-15 13:26 GMT+02:00 Mark Thomas :

> On 15/10/2014 11:38, Achim Nierbeck wrote:
> > Hi Johan,
> >
> > 2014-10-15 12:22 GMT+02:00 Johan Compagner :
> >
> >> yes we tried to go that way with whiteboard registration also (jetty is
> >> shipped by default in eclipse also with that)
> >> but that was way too hard to control and to really configure the way we
> want
> >> so we decided to make tomcat a full osgi package itself.
> >>
> >
> > even though I hate to do advertising ... :)
> > Might be interested in the way Pax Web works then ;)
> >
> > still, does anyone know why the children, containing also the Servlets,
> are
> > started before the ServletContainerInitializers and/or
> > what am I doing wrong. Most likely my assumption is wrong but I couldn't
> > spot which one.
> > I somehow fear that while registering the Wrapper I'm doing something
> > wrong.
>
> Put a break point on StandardWrapper.startInternal() and see what the
> call stack is at that point.
>
> Mark
>
>
> >
> > regards, Achim
> >
> >
> >
> >
> >> On 15 October 2014 12:13, Achim Nierbeck 
> wrote:
> >>
> >>> Hi Johan,
> >>>
> >>> thanks for the pointer. To me it looks like it does have a different
> >> scope.
> >>> Pax Web has been one of the first OSGi HttpService providers with
> >>> additional support for Web Application Bundles (std. war with OSGi
> >>> Manifest)
> >>> This has been achieved so far very successfully with Jetty. Now we try
> to
> >>> add additional Containers like Tomcat and Undertow.
> >>> As for this Pax Web needs to be the one in control over registering
> >>> Servlets etc. by either HttpService registration, Whiteboard
> registration
> >>> or by using the bundle-extender approach.
> >>> You could regard this to be a mediation layer between the OSGi Service
> >>> Registry and the underlying web-container.
> >>>
> >>> regards, Achim
> >>>
> >>>
> >>> 2014-10-15 11:46 GMT+02:00 Johan Compagner :
> >>>
>  maybe you are interested in this one:
> 
>  https://github.com/Servoy/servoy-eclipse-tomcat
> 
>  thats also a osgi enabled tomcat (but the full tomcat) we use that one
>  right in eclipse, where other plugins just contribute filters and
> >>> servlets
> 
> 
>  On 14 October 2014 23:56, Achim Nierbeck 
> >>> wrote:
> 
> > Hi
> >
> > I'm currently working on integrating embedded tomcat in the OPS4j Pax
> >>> Web
> > OSGi container as alternativ underlying web container. Right now I'm
>  stuck
> > on a certain point that is kind of hard to understand so I'm sure I'm
>  doing
> > something "awfully" wrong :)
> >
> > So here is what I'm struggling with.
> > Using Tomcat 8 embedded core
> > While the context is started I eventually end up at [1]
> > This is the point I don't get cause I'd expect Servlets to be started
> >>> at
> > [2], but obviously the Servlets are already started at [1]. Therefore
> >>> the
> > ServletContainerInitializers are never called [3].
> >
> > Now my question, what am I doing wrong, as all servlets are
> >> registered
> >>> as
> > children.
> >
> > I'm very well aware that these questions might not really make a lot
> >> of
> > sense, therefore you'll find the current implementation at [4].
> >
> > regards, Achim
> >
> > [1] -
> >
> >
> 
> >>>
> >>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
> >
> > [2] -
> >
> >
> 
> >>>
> >>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> > [3] -
> >
> >
> 
> >>>
> >>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> > [4] -
> >
> >
> 
> >>>
> >>
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
> >
> >
> > --
> >
> > Apache Member
> > Apache Karaf  Committer & PMC
> > OPS4J Pax Web 
> >>> Committer
>  &
> > Project Lead
> > blog 
> > Co-Author of Apache Karaf Cookbook 
> >
> > Software Architect / Project Manager / Scrum Master
> >
> 
> 
> 
>  --

ChunkedInputFilter: No data available due to previous error

2014-10-15 Thread Jose María Zaragoza
Hello:

I'm using Tomcat 6.0.24 and sometimes I'm getting an IOException like :

Caused by: java.io.IOException: No data available due to previous error
    at org.apache.coyote.http11.filters.ChunkedInputFilter.checkError(ChunkedInputFilter.java:588) ~[tomcat-coyote-6.0.24.jar:na]
    at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:153) ~[tomcat-coyote-6.0.24.jar:na]
    at org.apache.coyote.http11.InternalInputBuffer.doRead(InternalInputBuffer.java:710) ~[tomcat-coyote-6.0.24.jar:na]
    at org.apache.coyote.Request.doRead(Request.java:428) ~[tomcat-coyote-6.0.24.jar:na]
    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:304) ~[catalina-6.0.24.jar:na]
    at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:405) ~[tomcat-coyote-6.0.24.jar:na]
    at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:327) ~[catalina-6.0.24.jar:na]
    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:162) ~[catalina-6.0.24.jar:na]
    at org.apache.cxf.helpers.IOUtils.copy(IOUtils.java:154) ~[cxf-api-2.7.8.jar:2.7.8]
    at org.apache.cxf.helpers.IOUtils.copy(IOUtils.java:104) ~[cxf-api-2.7.8.jar:2.7.8]
    at org.apache.cxf.helpers.IOUtils.copyAndCloseInput(IOUtils.java:110) ~[cxf-api-2.7.8.jar:2.7.8]
    at org.apache.cxf.interceptor.LoggingInInterceptor.logging(LoggingInInterceptor.java:158) ~[cxf-api-2.7.8.jar:2.7.8]
    ... 24 common frames omitted


I cannot see the request that throws this error
I don't know if it's caused by a malformed request

The requests (which are fine )  usually are POST requests with

Http-Method: POST
Content-Type: text/xml; charset=utf-8
Headers: {Accept=[text/html, image/gif, image/jpeg, */*; q=.2],
connection=[Keep-Alive], content-type=[text/xml; charset=utf-8],
host=[x.x.x.x], transfer-encoding=[chunked], user-agent=[Java1.6.0_20]}

Could it be a malformed request? How could I see it? (I guess tcpdump ...)
Any known bug in 6.0.24?

Thanks


Re: Embedded Tomcat

2014-10-15 Thread Mark Thomas
On 15/10/2014 11:38, Achim Nierbeck wrote:
> Hi Johan,
> 
> 2014-10-15 12:22 GMT+02:00 Johan Compagner :
> 
>> yes we tried to go that way with whiteboard registration also (jetty is
>> shipped by default in eclipse also with that)
>> but that was way too hard to control and to really configure the way we want
>> so we decided to make tomcat a full osgi package itself.
>>
> 
> even though I hate to do advertising ... :)
> Might be interested in the way Pax Web works then ;)
> 
> still, does anyone know why the children, containing also the Servlets, are
> started before the ServletContainerInitializers and/or
> what am I doing wrong. Most likely my assumption is wrong but I couldn't
> spot which one.
> I somehow fear that while registering the Wrapper I'm doing something
> wrong.

Put a break point on StandardWrapper.startInternal() and see what the
call stack is at that point.

Mark


> 
> regards, Achim
> 
> 
> 
> 
>> On 15 October 2014 12:13, Achim Nierbeck  wrote:
>>
>>> Hi Johan,
>>>
>>> thanks for the pointer. To me it looks like it does have a different
>> scope.
>>> Pax Web has been one of the first OSGi HttpService providers with
>>> additional support for Web Application Bundles (std. war with OSGi
>>> Manifest)
>>> This has been achieved so far very successfully with Jetty. Now we try to
>>> add additional Containers like Tomcat and Undertow.
>>> As for this Pax Web needs to be the one in control over registering
>>> Servlets etc. by either HttpService registration, Whiteboard registration
>>> or by using the bundle-extender approach.
>>> You could regard this to be a mediation layer between the OSGi Service
>>> Registry and the underlying web-container.
>>>
>>> regards, Achim
>>>
>>>
>>> 2014-10-15 11:46 GMT+02:00 Johan Compagner :
>>>
 maybe you are interested in this one:

 https://github.com/Servoy/servoy-eclipse-tomcat

 thats also a osgi enabled tomcat (but the full tomcat) we use that one
 right in eclipse, where other plugins just contribute filters and
>>> servlets


 On 14 October 2014 23:56, Achim Nierbeck 
>>> wrote:

> Hi
>
> I'm currently working on integrating embedded tomcat in the OPS4j Pax
>>> Web
> OSGi container as alternativ underlying web container. Right now I'm
 stuck
> on a certain point that is kind of hard to understand so I'm sure I'm
 doing
> something "awfully" wrong :)
>
> So here is what I'm struggling with.
> Using Tomcat 8 embedded core
> While the context is started I eventually end up at [1]
> This is the point I don't get cause I'd expect Servlets to be started
>>> at
> [2], but obviously the Servlets are already started at [1]. Therefore
>>> the
> ServletContainerInitializers are never called [3].
>
> Now my question, what am I doing wrong, as all servlets are
>> registered
>>> as
> children.
>
> I'm very well aware that these questions might not really make a lot
>> of
> sense, therefore you'll find the current implementation at [4].
>
> regards, Achim
>
> [1] -
>
>

>>>
>> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
>
> [2] -
>
>

>>>
>> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> [3] -
>
>

>>>
>> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> [4] -
>
>

>>>
>> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
>
>
> --
>
> Apache Member
> Apache Karaf  Committer & PMC
> OPS4J Pax Web 
>>> Committer
 &
> Project Lead
> blog 
> Co-Author of Apache Karaf Cookbook 
>
> Software Architect / Project Manager / Scrum Master
>



 --
 Johan Compagner
 Servoy

>>>
>>>
>>>
>>> --
>>>
>>> Apache Member
>>> Apache Karaf  Committer & PMC
>>> OPS4J Pax Web  Committer
>> &
>>> Project Lead
>>> blog 
>>> Co-Author of Apache Karaf Cookbook 
>>>
>>> Software Architect / Project Manager / Scrum Master
>>>
>>
>>
>>
>> --
>> Johan Compagner
>> Servoy
>>
> 
> 
> 





Re: Embedded Tomcat

2014-10-15 Thread Achim Nierbeck
Hi Johan,

2014-10-15 12:22 GMT+02:00 Johan Compagner :

> yes we tried to go that way with whiteboard registration also (jetty is
> shipped by default in eclipse also with that)
> but that was way too hard to control and to really configure the way we want
> so we decided to make tomcat a full osgi package itself.
>

even though I hate to do advertising ... :)
Might be interested in the way Pax Web works then ;)

still, does anyone know why the children, containing also the Servlets, are
started before the ServletContainerInitializers and/or
what am I doing wrong. Most likely my assumption is wrong but I couldn't
spot which one.
I somehow fear that while registering the Wrapper I'm doing something
wrong.

regards, Achim




> On 15 October 2014 12:13, Achim Nierbeck  wrote:
>
> > Hi Johan,
> >
> > thanks for the pointer. To me it looks like it does have a different
> scope.
> > Pax Web has been one of the first OSGi HttpService providers with
> > additional support for Web Application Bundles (std. war with OSGi
> > Manifest)
> > This has been achieved so far very successfully with Jetty. Now we try to
> > add additional Containers like Tomcat and Undertow.
> > As for this Pax Web needs to be the one in control over registering
> > Servlets etc. by either HttpService registration, Whiteboard registration
> > or by using the bundle-extender approach.
> > You could regard this to be a mediation layer between the OSGi Service
> > Registry and the underlying web-container.
> >
> > regards, Achim
> >
> >
> > 2014-10-15 11:46 GMT+02:00 Johan Compagner :
> >
> > > maybe you are interested in this one:
> > >
> > > https://github.com/Servoy/servoy-eclipse-tomcat
> > >
> > > thats also a osgi enabled tomcat (but the full tomcat) we use that one
> > > right in eclipse, where other plugins just contribute filters and
> > servlets
> > >
> > >
> > > On 14 October 2014 23:56, Achim Nierbeck 
> > wrote:
> > >
> > > > Hi
> > > >
> > > > I'm currently working on integrating embedded tomcat in the OPS4j Pax
> > Web
> > > > OSGi container as alternativ underlying web container. Right now I'm
> > > stuck
> > > > on a certain point that is kind of hard to understand so I'm sure I'm
> > > doing
> > > > something "awfully" wrong :)
> > > >
> > > > So here is what I'm struggling with.
> > > > Using Tomcat 8 embedded core
> > > > While the context is started I eventually end up at [1]
> > > > This is the point I don't get cause I'd expect Servlets to be started
> > at
> > > > [2], but obviously the Servlets are already started at [1]. Therefore
> > the
> > > > ServletContainerInitializers are never called [3].
> > > >
> > > > Now my question, what am I doing wrong, as all servlets are
> registered
> > as
> > > > children.
> > > >
> > > > I'm very well aware that these questions might not really make a lot
> of
> > > > sense, therefore you'll find the current implementation at [4].
> > > >
> > > > regards, Achim
> > > >
> > > > [1] -
> > > >
> > > >
> > >
> >
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
> > > >
> > > > [2] -
> > > >
> > > >
> > >
> >
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> > > > [3] -
> > > >
> > > >
> > >
> >
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> > > > [4] -
> > > >
> > > >
> > >
> >
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
> > > >
> > > >
> > > > --
> > > >
> > > > Apache Member
> > > > Apache Karaf  Committer & PMC
> > > > OPS4J Pax Web 
> > Committer
> > > &
> > > > Project Lead
> > > > blog 
> > > > Co-Author of Apache Karaf Cookbook 
> > > >
> > > > Software Architect / Project Manager / Scrum Master
> > > >
> > >
> > >
> > >
> > > --
> > > Johan Compagner
> > > Servoy
> > >
> >
> >
> >
> > --
> >
> > Apache Member
> > Apache Karaf  Committer & PMC
> > OPS4J Pax Web  Committer
> &
> > Project Lead
> > blog 
> > Co-Author of Apache Karaf Cookbook 
> >
> > Software Architect / Project Manager / Scrum Master
> >
>
>
>
> --
> Johan Compagner
> Servoy
>



-- 

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer &
Project Lead
blog 
Co-Author of Apache Karaf Cookbook 

Software Architect / Project Manager / Scrum Master


Re: Embedded Tomcat

2014-10-15 Thread Johan Compagner
yes we tried to go that way with whiteboard registration also (jetty is
shipped by default in eclipse also with that)
but that was way too hard to control and to really configure the way we want
so we decided to make tomcat a full osgi package itself.

On 15 October 2014 12:13, Achim Nierbeck  wrote:

> Hi Johan,
>
> thanks for the pointer. To me it looks like it does have a different scope.
> Pax Web has been one of the first OSGi HttpService providers with
> additional support for Web Application Bundles (std. war with OSGi
> Manifest)
> This has been achieved so far very successfully with Jetty. Now we try to
> add additional Containers like Tomcat and Undertow.
> As for this Pax Web needs to be the one in control over registering
> Servlets etc. by either HttpService registration, Whiteboard registration
> or by using the bundle-extender approach.
> You could regard this to be a mediation layer between the OSGi Service
> Registry and the underlying web-container.
>
> regards, Achim
>
>
> 2014-10-15 11:46 GMT+02:00 Johan Compagner :
>
> > maybe you are interested in this one:
> >
> > https://github.com/Servoy/servoy-eclipse-tomcat
> >
> > thats also a osgi enabled tomcat (but the full tomcat) we use that one
> > right in eclipse, where other plugins just contribute filters and
> servlets
> >
> >
> > On 14 October 2014 23:56, Achim Nierbeck 
> wrote:
> >
> > > Hi
> > >
> > > I'm currently working on integrating embedded tomcat in the OPS4j Pax
> Web
> > > OSGi container as alternativ underlying web container. Right now I'm
> > stuck
> > > on a certain point that is kind of hard to understand so I'm sure I'm
> > doing
> > > something "awfully" wrong :)
> > >
> > > So here is what I'm struggling with.
> > > Using Tomcat 8 embedded core
> > > While the context is started I eventually end up at [1]
> > > This is the point I don't get cause I'd expect Servlets to be started
> at
> > > [2], but obviously the Servlets are already started at [1]. Therefore
> the
> > > ServletContainerInitializers are never called [3].
> > >
> > > Now my question, what am I doing wrong, as all servlets are registered
> as
> > > children.
> > >
> > > I'm very well aware that these questions might not really make a lot of
> > > sense, therefore you'll find the current implementation at [4].
> > >
> > > regards, Achim
> > >
> > > [1] -
> > >
> > > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
> > >
> > > [2] -
> > >
> > > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> > > [3] -
> > >
> > > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> > > [4] -
> > >
> > > https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
> > >
> > >
> > > --
> > >
> > > Apache Member
> > > Apache Karaf  Committer & PMC
> > > OPS4J Pax Web 
> Committer
> > &
> > > Project Lead
> > > blog 
> > > Co-Author of Apache Karaf Cookbook 
> > >
> > > Software Architect / Project Manager / Scrum Master
> > >
> >
> >
> >
> > --
> > Johan Compagner
> > Servoy
> >
>
>
>
> --
>
> Apache Member
> Apache Karaf  Committer & PMC
> OPS4J Pax Web  Committer &
> Project Lead
> blog 
> Co-Author of Apache Karaf Cookbook 
>
> Software Architect / Project Manager / Scrum Master
>



-- 
Johan Compagner
Servoy


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher


On 15 October 2014 11:05:59 CEST, tantaryu wrote:
>Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to 
configure it to not use html (only).

You could try another mail client or provider. Maybe it has saner defaults.

Regards
Felix

>
>Date: Wed, 15 Oct 2014 01:37:42 -0700
>From: ml-node+s10n5023863...@n6.nabble.com
>To: ming...@outlook.com
>Subject: Re: Tomcat windows authentication domain login issue
>
>
>
>   On 15.10.2014 at 10:22, tantaryu wrote:
>
>>> Let's hope it works this time.
>
>If this was your try to add newlines, then I think it failed.
>
>
>Felix
>
>>> I need some idea on what's wrong with my tomcat configuration for
>windows authentication. I followed the tomcat windows authentication
>tutorial and uses the "manager" web application comes with tomcat to do
>a poc. In my web.xml I change > BASIC > to>
>SPNEGO> and also changes the auth-constraint
>to the following > >  *>
>
>
>>> This is my krb5.ini > [libdefaults]> default_realm = ACME>
>default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab>
>default_tkt_enctypes =
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96>
>default_tgs_enctypes =
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96>
>forwardable=true> [realms]> ACME = {>kdc = AD-Server:88>}>
>[domain_realm]> acme= ACME> .acme= ACME
>
>>> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>   
>com.sun.security.auth.module.Krb5LoginModule required>debug=true>  
>doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true> 
>keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>   
>storeKey=true;> };> com.sun.security.jgss.krb5.accept {>   
>com.sun.security.auth.module.Krb5LoginModule required>debug=true>  
>doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true> 
>keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>   
>storeKey=true;>};
>
>>> The weird thing is regardless of what username and password I put in
>when I accessed the tomcat manager web-app the debug message shown is
>the same.
>
>>> Debug is  true storeKey true useTicketCache false useKeyTab true
>doNotPrompt true ticketCache is null isInitiator true KeyTab is
>C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is
>HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass
>is false clearPass is false> >>> KeyTabInputStream, readName(): acme>
 KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream,
>readName(): Client2> >>> KeyTab: load() entry length: 52; type: 23>
>Looking for keys for: HTTP/Client2@ACME> Java config name:
>C:\tomcat\conf\krb5.ini> Loaded from Java config> Added key: 23version:
>0> >>> KdcAccessibility: reset> Looking for keys for:
>HTTP/Client2@ACME> Added key: 23version: 0> default etypes for
>default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>>
>KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries
>=3, #> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88,
>timeout=3,Attempt =1, #bytes=124
>
>> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove
>AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key:
>23version: 0> >>> EType:
>sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons
>in KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will
>use keytab> Commit Succeeded
>
>>> Search Subject for SPNEGO ACCEPT cred (<>,
>sun.security.jgss.spnego.SpNegoCredElement)> Search Subject for
>Kerberos V5 ACCEPT cred (<>,
>sun.security.jgss.krb5.Krb5AcceptCredential)> Found KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found ticket for
>HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14
>02:49:29 CST 2014>[Krb5LoginModule]: Entering logout>  
> [Krb5LoginModule]: logged out Subject
>
>>> I added this in my server.xml > className="org.apache.catalina.realm.LockOutRealm">>   className="org.apache.catalina.realm.JAASRealm"
>appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />> 
>
>>> When I tried login, it doesn't seem to recognize the valid
>credential. The app keeps on asking me to enter a valid credential.
>What do I need to change to make it work?
>
>> Date: Wed, 15 Oct 2014 00:56:33 -0700
>
>> From: [hidden email]
>
>> To: [hidden email]
>
>> Subject: Re: Tomcat windows authentication domain login issue
>
>>
>
>>
>
>>
>
>>  On 15.10.2014 at 03:48, tantaryu wrote:
>
>>
>
>>> Okay, now I tried with a email client. Let's see if it works.
>
>>> I need some idea on what's wrong with my tomcat configuration for
>windows authentication. I followed the tomcat windows authentication
>tutorial and uses the "manager" web application comes with tomcat to do
>a poc. In my web.xml I change BASIC to
>SPNEGO and also changes the auth-constraint
>to the following  
>*.
>
>>> This is 

Re: Embedded Tomcat

2014-10-15 Thread Achim Nierbeck
Hi Johan,

thanks for the pointer. To me it looks like it does have a different scope.
Pax Web has been one of the first OSGi HttpService providers with
additional support for Web Application Bundles (std. war with OSGi Manifest)
This has been achieved so far very successfully with Jetty. Now we try to
add additional Containers like Tomcat and Undertow.
As for this Pax Web needs to be the one in control over registering
Servlets etc. by either HttpService registration, Whiteboard registration
or by using the bundle-extender approach.
You could regard this to be a mediation layer between the OSGi Service
Registry and the underlying web-container.

regards, Achim


2014-10-15 11:46 GMT+02:00 Johan Compagner :

> maybe you are interested in this one:
>
> https://github.com/Servoy/servoy-eclipse-tomcat
>
> that's also an OSGi enabled tomcat (but the full tomcat) we use that one
> right in eclipse, where other plugins just contribute filters and servlets
>
>
> On 14 October 2014 23:56, Achim Nierbeck  wrote:
>
> > Hi
> >
> > I'm currently working on integrating embedded tomcat in the OPS4j Pax Web
> > OSGi container as alternative underlying web container. Right now I'm stuck
> > on a certain point that is kind of hard to understand so I'm sure I'm doing
> > something "awfully" wrong :)
> >
> > So here is what I'm struggling with.
> > Using Tomcat 8 embedded core
> > While the context is started I eventually end up at [1]
> > This is the point I don't get cause I'd expect Servlets to be started at
> > [2], but obviously the Servlets are already started at [1]. Therefore the
> > ServletContainerInitializers are never called [3].
> >
> > Now my question, what am I doing wrong, as all servlets are registered as
> > children.
> >
> > I'm very well aware that these questions might not really make a lot of
> > sense, therefore you'll find the current implementation at [4].
> >
> > regards, Achim
> >
> > [1] -
> >
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
> >
> > [2] -
> >
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> > [3] -
> >
> > https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> > [4] -
> >
> > https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
> >
> >
> > --
> >
> > Apache Member
> > Apache Karaf  Committer & PMC
> > OPS4J Pax Web  Committer
> &
> > Project Lead
> > blog 
> > Co-Author of Apache Karaf Cookbook 
> >
> > Software Architect / Project Manager / Scrum Master
> >
>
>
>
> --
> Johan Compagner
> Servoy
>



-- 

Apache Member
Apache Karaf  Committer & PMC
OPS4J Pax Web  Committer &
Project Lead
blog 
Co-Author of Apache Karaf Cookbook 

Software Architect / Project Manager / Scrum Master


Re: Embedded Tomcat

2014-10-15 Thread Johan Compagner
maybe you are interested in this one:

https://github.com/Servoy/servoy-eclipse-tomcat

that's also an OSGi enabled tomcat (but the full tomcat) we use that one
right in eclipse, where other plugins just contribute filters and servlets


On 14 October 2014 23:56, Achim Nierbeck  wrote:

> Hi
>
> I'm currently working on integrating embedded tomcat in the OPS4j Pax Web
> OSGi container as alternative underlying web container. Right now I'm stuck
> on a certain point that is kind of hard to understand so I'm sure I'm doing
> something "awfully" wrong :)
>
> So here is what I'm struggling with.
> Using Tomcat 8 embedded core
> While the context is started I eventually end up at [1]
> This is the point I don't get cause I'd expect Servlets to be started at
> [2], but obviously the Servlets are already started at [1]. Therefore the
> ServletContainerInitializers are never called [3].
>
> Now my question, what am I doing wrong, as all servlets are registered as
> children.
>
> I'm very well aware that these questions might not really make a lot of
> sense, therefore you'll find the current implementation at [4].
>
> regards, Achim
>
> [1] -
>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
>
> [2] -
>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
> [3] -
>
> https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
> [4] -
>
> https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342
>
>
> --
>
> Apache Member
> Apache Karaf  Committer & PMC
> OPS4J Pax Web  Committer &
> Project Lead
> blog 
> Co-Author of Apache Karaf Cookbook 
>
> Software Architect / Project Manager / Scrum Master
>



-- 
Johan Compagner
Servoy


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
Okay, this might sound funny. But how do I add newlines?

Date: Wed, 15 Oct 2014 01:37:42 -0700
From: ml-node+s10n5023863...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue



On 15.10.2014 at 10:22, tantaryu wrote:

>> Let's hope it works this time.

If this was your try to add newlines, then I think it failed.


Felix

>> I need some idea on what's wrong with my tomcat configuration for windows 
>> authentication. I followed the tomcat windows authentication tutorial and 
>> uses the "manager" web application comes with tomcat to do a poc. In my 
>> web.xml I change > BASIC > to> 
>> SPNEGO> and also changes the auth-constraint to 
>> the following > >  *> 
>> 

>> This is my krb5.ini > [libdefaults]> default_realm = ACME> 
>> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab> 
>> default_tkt_enctypes = 
>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> 
>> default_tgs_enctypes = 
>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> forwardable=true> 
>> [realms]> ACME = {>kdc = AD-Server:88>}> [domain_realm]> acme= ACME> 
>> .acme= ACME

>> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>
>> com.sun.security.auth.module.Krb5LoginModule required>debug=true>
>> doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true>
>> keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>
>> storeKey=true;> };> com.sun.security.jgss.krb5.accept {>
>> com.sun.security.auth.module.Krb5LoginModule required>debug=true>
>> doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true>
>> keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>
>> storeKey=true;>};

>> The weird thing is regardless of what username and password I put in when I 
>> accessed the tomcat manager web-app the debug message shown is the same.

>> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
>> true ticketCache is null isInitiator true KeyTab is 
>> C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is 
>> HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is 
>> false clearPass is false> >>> KeyTabInputStream, readName(): acme> >>> 
>> KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream, readName(): 
>> Client2> >>> KeyTab: load() entry length: 52; type: 23> Looking for keys 
>> for: HTTP/Client2@ACME> Java config name: C:\tomcat\conf\krb5.ini> Loaded 
>> from Java config> Added key: 23version: 0> >>> KdcAccessibility: reset> 
>> Looking for keys for: HTTP/Client2@ACME> Added key: 23version: 0> default 
>> etypes for default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>> 
>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, 
>> #> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88, 
>> timeout=3,Attempt =1, #bytes=124

> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove 
> AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key: 
> 23version: 0> >>> EType: 
> sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons in 
> KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will use 
> keytab> Commit Succeeded

>> Search Subject for SPNEGO ACCEPT cred (<>, 
>> sun.security.jgss.spnego.SpNegoCredElement)> Search Subject for Kerberos V5 
>> ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)> Found 
>> KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab 
>> C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found ticket for 
>> HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 
>> CST 2014>[Krb5LoginModule]: Entering logout>
>> [Krb5LoginModule]: logged out Subject

>> I added this in my server.xml > > className="org.apache.catalina.realm.LockOutRealm">>  > className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" 
>> allRolesMode="strictAuthOnly" />> 

>> When I tried login, it doesn't seem to recognize the valid credential. The 
>> app keeps on asking me to enter a valid credential. What do I need to change 
>> to make it work?

> Date: Wed, 15 Oct 2014 00:56:33 -0700

> From: [hidden email]

> To: [hidden email]

> Subject: Re: Tomcat windows authentication domain login issue

>

>

>

>   On 15.10.2014 at 03:48, tantaryu wrote:

>

>> Okay, now I tried with a email client. Let's see if it works.

>> I need some idea on what's wrong with my tomcat configuration for windows 
>> authentication. I followed the tomcat windows authentication tutorial and 
>> uses the "manager" web application comes with tomcat to do a poc. In my 
>> web.xml I change BASIC to 
>> SPNEGO and also changes the auth-constraint to 
>> the following   *.

>> This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = 
>> FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes = 
>> rc4-h

Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 10:22, tantaryu wrote:

Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and uses the 
"manager" web application comes with tomcat to do a poc. In my web.xml I change > BASIC > to> 
SPNEGO> and also changes the auth-constraint to the following > >  
*> 
This is my krb5.ini > [libdefaults]> default_realm = ACME> default_keytab_name = 
FILE:C:\tomcat\conf\tomcat.keytab> default_tkt_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> default_tgs_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> forwardable=true> [realms]> ACME = {>kdc 
= AD-Server:88>}> [domain_realm]> acme= ACME> .acme= ACME
This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>com.sun.security.auth.module.Krb5LoginModule required>debug=true>doNotPrompt=true>
principal="HTTP/Client2@ACME">useKeyTab=true>keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>storeKey=true;> };> 
com.sun.security.jgss.krb5.accept {>com.sun.security.auth.module.Krb5LoginModule required>debug=true>doNotPrompt=true>
principal="HTTP/Client2@ACME">useKeyTab=true>keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>storeKey=true;>};
The weird thing is regardless of what username and password I put in when I 
accessed the tomcat manager web-app the debug message shown is the same.
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is 
HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false> >>> KeyTabInputStream, readName(): acme> >>> KeyTabInputStream, 
readName(): HTTP> >>> KeyTabInputStream, readName(): Client2> >>> KeyTab: load() entry length: 52; type: 23> Looking for keys for: HTTP/Client2@ACME> Java config name: 
C:\tomcat\conf\krb5.ini> Loaded from Java config> Added key: 23version: 0> >>> KdcAccessibility: reset> Looking for keys for: HTTP/Client2@ACME> Added key: 23version: 0> 
default etypes for default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #> 
bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124

KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove AD-Server:88> Looking for keys for: 
HTTP/Client2@ACME> Added key: 23version: 0> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType> 
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will use keytab> Commit 
Succeeded

Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)> Search 
Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)> Found KeyTab 
C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab C:\tomcat\conf\tomcat.keytab for 
HTTP/Client2@ACME> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 
2014>[Krb5LoginModule]: Entering logout>[Krb5LoginModule]: logged out Subject
I added this in my server.xml > >   > 

When I tried login, it doesn't seem to recognize the valid credential. The app 
keeps on asking me to enter a valid credential. What do I need to change to 
make it work?

Date: Wed, 15 Oct 2014 00:56:33 -0700
From: ml-node+s10n5023861...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue



On 15.10.2014 at 03:48, tantaryu wrote:


Okay, now I tried with a email client. Let's see if it works.
I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication 
tutorial and uses the "manager" web application comes with tomcat to do a poc. In my web.xml I change 
BASIC to SPNEGO and also changes the auth-constraint to the 
following   *.
This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = 
FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME
 = {kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME
This is my jaas.conf com.sun.security.jgss.krb5.initiate {com.sun.security.auth.module.Krb5LoginModule required
debug=truedoNotPrompt=trueprincipal="HTTP/Client2@ACME"useKeyTab=true
keyTab="C:/tomcat/conf/tomcat.keytab"//useTicketCache=true
storeKey=true;};com.sun.security.jgss.krb5.accept {com.sun.security.auth.module.Krb5LoginModule required
debug=truedoNotPrompt=truepri

RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
> Let's hope it works this time.
> I need some idea on what's wrong with my tomcat configuration for windows 
> authentication. I followed the tomcat windows authentication tutorial and 
> uses the "manager" web application comes with tomcat to do a poc. In my 
> web.xml I change > BASIC > to> 
> SPNEGO> and also changes the auth-constraint to 
> the following > >  *> 
> 
> This is my krb5.ini > [libdefaults]> default_realm = ACME> 
> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab> default_tkt_enctypes 
> = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> 
> default_tgs_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> forwardable=true> 
> [realms]> ACME = {>kdc = AD-Server:88>}> [domain_realm]> acme= ACME> 
> .acme= ACME
> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>
> com.sun.security.auth.module.Krb5LoginModule required>debug=true>
> doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true>
> keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>
> storeKey=true;> };> com.sun.security.jgss.krb5.accept {>
> com.sun.security.auth.module.Krb5LoginModule required>debug=true>
> doNotPrompt=true>principal="HTTP/Client2@ACME">useKeyTab=true>
> keyTab="C:/tomcat/conf/tomcat.keytab">//useTicketCache=true>
> storeKey=true;>};
> The weird thing is regardless of what username and password I put in when I 
> accessed the tomcat manager web-app the debug message shown is the same. 
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
> true ticketCache is null isInitiator true KeyTab is 
> C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is 
> HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is 
> false clearPass is false> >>> KeyTabInputStream, readName(): acme> >>> 
> KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream, readName(): 
> Client2> >>> KeyTab: load() entry length: 52; type: 23> Looking for keys for: 
> HTTP/Client2@ACME> Java config name: C:\tomcat\conf\krb5.ini> Loaded from 
> Java config> Added key: 23version: 0> >>> KdcAccessibility: reset> Looking 
> for keys for: HTTP/Client2@ACME> Added key: 23version: 0> default etypes for 
> default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>> KrbKdcReq 
> send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #> 
> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt 
> =1, #bytes=124
> >>> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove 
> >>> AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key: 
> >>> 23version: 0> >>> EType: 
> >>> sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons in 
> >>> KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will use 
> >>> keytab> Commit Succeeded
> Search Subject for SPNEGO ACCEPT cred (<>, 
> sun.security.jgss.spnego.SpNegoCredElement)> Search Subject for Kerberos V5 
> ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)> Found 
> KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab 
> C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found ticket for 
> HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 
> CST 2014>[Krb5LoginModule]: Entering logout>
> [Krb5LoginModule]: logged out Subject
> I added this in my server.xml >  className="org.apache.catalina.realm.LockOutRealm">>className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" 
> allRolesMode="strictAuthOnly" />> 
> When I tried login, it doesn't seem to recognize the valid credential. The 
> app keeps on asking me to enter a valid credential. What do I need to change 
> to make it work?
Date: Wed, 15 Oct 2014 00:56:33 -0700
From: ml-node+s10n5023861...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue



On 15.10.2014 at 03:48, tantaryu wrote:

> Okay, now I tried with a email client. Let's see if it works.

> I need some idea on what's wrong with my tomcat configuration for windows 
> authentication. I followed the tomcat windows authentication tutorial and 
> uses the "manager" web application comes with tomcat to do a poc. In my 
> web.xml I change BASIC to 
> SPNEGO and also changes the auth-constraint to the 
> following   *.

> This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = 
> FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes 
> = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME
>  = {kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME

> This is my jaas.conf com.sun.security.jgss.krb5.initiate {
> com.sun.security.auth.module.Krb5LoginModule requireddebug=true
> doNotPrompt=trueprincipal="HTTP/Client2@ACM

Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 03:48, tantaryu wrote:

Okay, now I tried with a email client. Let's see if it works.
I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication 
tutorial and uses the "manager" web application comes with tomcat to do a poc. In my web.xml I change 
BASIC to SPNEGO and also changes the auth-constraint to the 
following   *.
This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = 
FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes = 
rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME
 = {kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME
This is my jaas.conf com.sun.security.jgss.krb5.initiate {com.sun.security.auth.module.Krb5LoginModule required
debug=truedoNotPrompt=trueprincipal="HTTP/Client2@ACME"useKeyTab=true
keyTab="C:/tomcat/conf/tomcat.keytab"//useTicketCache=true
storeKey=true;};com.sun.security.jgss.krb5.accept {com.sun.security.auth.module.Krb5LoginModule required
debug=truedoNotPrompt=trueprincipal="HTTP/Client2@ACME"useKeyTab=true
keyTab="C:/tomcat/conf/tomcat.keytab"//useTicketCache=truestoreKey=true;};
The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same. 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is 
C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false 
clearPass is false>>> KeyTabInputStream, readName(): acme>>> KeyTabInputStream, readName(): HTTP>>> KeyTabInputStream, 
readName(): Client2>>> KeyTab: load() entry length: 52; type: 23Looking for keys for: HTTP/Client2@ACMEJava config name: 
C:\tomcat\conf\krb5.iniLoaded from Java configAdded key: 23version: 0>>> KdcAccessibility: resetLooking for keys for: HTTP/Client2@ACMEAdded 
key: 23version: 0default etypes for default_tkt_enctypes: 23 17.>>> KrbAsReq creating message>>> KrbKdcReq send: kdc=AD-Server 
UDP:88, timeout=3, number of retries =3, #bytes=124>>> KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
Could you try to add the missing newlines? It is really hard to read the 
text without them.


Regards Felix


KrbKdcReq send: #bytes read=538>>> KdcAccessibility: remove AD-Server:88Looking for keys for: 
HTTP/Client2@ACMEAdded key: 23version: 0>>> EType: 
sun.security.krb5.internal.crypto.ArcFourHmacEType>>> KrbAsRep cons in KrbAsReq.getReply 
HTTP/Client2principal is HTTP/Client2@ACMEWill use keytabCommit Succeeded

Search Subject for SPNEGO ACCEPT cred (<>, 
sun.security.jgss.spnego.SpNegoCredElement)Search Subject for Kerberos V5 ACCEPT cred 
(<>, sun.security.jgss.krb5.Krb5AcceptCredential)Found KeyTab 
C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound KeyTab C:\tomcat\conf\tomcat.keytab for 
HTTP/Client2@ACMEFound ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 
02:49:29 CST 2014[Krb5LoginModule]: Entering logout[Krb5LoginModule]: 
logged out Subject
I added this in my server.xml  
When I tried login, it doesn't seem to recognize the valid credential. The app 
keeps on asking me to enter a valid credential. What do I need to change to 
make it work?
Date: Tue, 14 Oct 2014 18:03:07 -0700
From: ml-node+s10n5023854...@n6.nabble.com
To: ming...@outlook.com
Subject: RE: Tomcat windows authentication domain login issue



> From: tantaryu [mailto:[hidden email]]


Subject: Re: Tomcat windows authentication domain login issue



Let me know if you can read it still. I didn't checked the "Message is in
HTML Format"  option.


It didn't help.  Don't use Nabble - post to the user's list directly from an 
e-mail client.


  - Chuck


