Websocket client with SSL and authentication

2017-03-09 Thread radiatejava
Tomcat team, I have a few questions on websocket:

1. I am looking for Java websocket client sample code that uses basic
(user) auth.
2. Is there any sample code for how to put in SSL (keystore and
truststore) websocket client ?
3. I want to create a websocket client within the Tomcat jvm. I know
there is an example TestWebSocketFrameClientSSL.java as part of Tomcat
project but wanted to know if that is the only way to create a
websocket. For example, if I have other websocket implementation
libraries in my tomcat server lib folder, how do I ensure I get the
implementation I want ? Which websocket implementation will I get when
I do : ContainerProvider.getWebSocketContainer();

Thanks.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Hoa Phan
Oops just noticed I set the subject wrong. I meant to set it to SEVERE to
get rid of the FileNotFoundException all over the place.
I tried to overwrite logging.properties in tomcat itself and in the webapp
with the content:

handlers = java.util.logging.ConsoleHandler


# Handler specific properties.
# Describes specific configuration info for Handlers.


java.util.logging.ConsoleHandler.level = SEVERE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter


# Facility specific properties.
# Provides extra control for each logger.


org.apache.catalina.level = SEVERE
org.apache.catalina.startup.HostConfig.level = SEVERE
org.apache.catalina.session.ManagerBase.level = SEVERE
org.apache.tomcat.util.scan.StandardJarScanner.level = SEVERE

Still I couldn't get rid of the WARN for FNFException

On Fri, Mar 10, 2017 at 11:31 AM, Hoa Phan  wrote:

> Unfortunately it's still the same.
> When I tried to debug it the logger tomcat is using is DirectJDKLog
>
> Is org.apache.tomcat.util.scan.StandardJarScanner.level=SEVERE the right
> way to turn off WARNING logging?
>
> On Fri, Mar 10, 2017 at 10:34 AM, Hoa Phan  wrote:
>
>> Ouch!! My bad... sorry Chris.
>>
>> On Fri, Mar 10, 2017 at 10:31 AM, calder  wrote:
>>
>>> On Thu, Mar 9, 2017 at 9:48 PM, Hoa Phan  wrote:
>>> > Hi Chris,
>>> >
>>> > I tried:
>>> >
>>> > org.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //in the
>>> > logging.properties
>>> >
>>> > -Dorg.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //on
>>> startup
>>> >
>>> > org.apache.tomcat.util.scan.StandardJarScanner.level= SERVERE //as
>>> sysprops
>>> >
>>> > But they didn't help either :(, StandardJarScanner still prints WARN
>>> msgs...
>>> >
>>> > Any idea?
>>>
>>> > Thanks.
>>> > Hoa.
>>>
>>> Is "SEVERE" spelled "SERVERE" (as written above) in the properties file?
>>>
>>> If yes, then that's the issue
>>>
>>>
>>>
>>
>


Re: JMX currentThreadsBusy less than connections/requests when use APR connector

2017-03-09 Thread linbo liao
1、The load-generating vm has 2 cores.
2、Can I use currentThreadsBusy to monitor the performance of Tomcat using
APR connector?

2017-03-10 0:42 GMT+08:00 Christopher Schultz:

>
> Linbo,
>
> On 3/8/17 8:13 PM, linbo liao wrote:
> > Here is the Connector configuration:
> >
> >  > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxHttpHeaderSize="8192" maxThreads="400" acceptorThreadCount="4"
> > maxKeepAliveRequests="-1" enableLookups="false"
> > disableUploadTimeout="true" connectionTimeout="2" />
> >
> > I use wrk, the currentThreadsBusy is higher than the value in ab
> > testing, but most of time is less than 40.
> >
> > ./wrk -t100 -c 100 -d 10s http://10.211.55.4:8080/
>
> I've never used wrk. How many CPU cores does your load-generating
> computer have?
>
> > For APR connector, will it get one thread from the poll to deal
> > with each request?
>
> For both NIO/2 and APR, you'll have one accepter thread (4 in your
> case) and one poller thread for many (400 in your case)
> request-processing threads.
>
> It's possible that your server is handling the requests fast enough
> that they never pile-up enough to use more than 40 threads.
>
> Congratulations: you can handle the load you are putting on the server.
> :)
>
> - -chris
>
> > 2017-03-08 22:45 GMT+08:00 Christopher Schultz:
> >
> > Linbo,
> >
> > On 3/7/17 10:14 PM, linbo liao wrote:
>  I setup local environment to test Tomcat monitor.
> 
>  The Environment:
> 
>  Tomcat: 8.5.5 VM: Ubuntu 14.04.1 LTS HTTP PORT: 8080 IP:
>  10.211.55.4
> 
>  Tomcat use APR connector, I test the tomcat via ab command,
>  find JMX currentThreadsBusy < 10 all of the time.
> 
>  ab -n 10 -c 100 10.211.55.4:8080/
> >
> 
>  I tried to search the reason but without the result. For BIO
>  each thread to handle one connection, so currentThreadsBusy
>  can show the performance of tomcat.
> 
>  But for APR connector, what's the meaning of
>  currentThreadsBusy?
> >
> > Please post your  configuration.
> >
> > It seems that ab isn't a very good load-generator for several
> > reasons. But you should be able to get more than Java 10 threads
> > working at a time.
> >
> > You are probably expecting ~100 threads busy at all times, right?
> >
> > -chris
> >>
> >>
> >>
> >
>
>


Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Hoa Phan
Unfortunately it's still the same.
When I tried to debug it the logger tomcat is using is DirectJDKLog

Is org.apache.tomcat.util.scan.StandardJarScanner.level=SEVERE the right
way to turn off WARNING logging?

On Fri, Mar 10, 2017 at 10:34 AM, Hoa Phan  wrote:

> Ouch!! My bad... sorry Chris.
>
> On Fri, Mar 10, 2017 at 10:31 AM, calder  wrote:
>
>> On Thu, Mar 9, 2017 at 9:48 PM, Hoa Phan  wrote:
>> > Hi Chris,
>> >
>> > I tried:
>> >
>> > org.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //in the
>> > logging.properties
>> >
>> > -Dorg.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //on
>> startup
>> >
>> > org.apache.tomcat.util.scan.StandardJarScanner.level= SERVERE //as
>> sysprops
>> >
>> > But they didn't help either :(, StandardJarScanner still prints WARN
>> msgs...
>> >
>> > Any idea?
>>
>> > Thanks.
>> > Hoa.
>>
>> Is "SEVERE" spelled "SERVERE" (as written above) in the properties file?
>>
>> If yes, then that's the issue
>>
>>
>>
>


Re: What is the correct way to use scanManifest

2017-03-09 Thread Hoa Phan
Looks like I can't overwrite the webapp context.xml with tomcat
context.xml. I have no control over the WAR file until tomcat deployed it :(

If I try to use tomcat server.xml and add


  



inside  it somehow breaks the webapp.

Is there any other way for me to set this scanmanifest to false?

Say I took all the jars that I saw reported as
WARNING: Failed to scan...
java.io.FileNotFoundException: .../common/lib/jonas_timer.jar (No such file
or directory)

And append them to:
tomcat.util.scan.StandardJarScanFilter.jarsToSkip

in catalina.properties, would that help ?

On Fri, Mar 10, 2017 at 10:33 AM, Mark Thomas  wrote:

> On 09/03/17 21:38, Hoa Phan wrote:
> > I'll try that and see how it goes, thanks Mark. Btw, when I was
> debugging I
> > couldn't find where this method get called at all:
> > public void setScanManifest(boolean scanManifest) {
> > this.scanManifest = scanManifest;
> > }
> >
> > This props default to true:
> > private boolean scanManifest = true;
> >
> > And the StandardJarScanner always been constructed like:
> > jarScanner = new StandardJarScanner();
> >
> > How would scanManifest ever be set to false...
>
> Via the digester when processing server.xml or context.xml. Take a look
> at org.apache.catalina.startup.ContextRuleSet
>
> Mark
>
>
> >
> > Regards,
> >
> > Hoa Phan.
> >
> >
> >
> >
> > On Fri, Mar 10, 2017 at 6:44 AM, Mark Thomas  wrote:
> >
> >> On 09/03/17 13:15, Hoa Phan wrote:
> >>> Hi,
> >>>
> >>> I see that since 8.0.38 we added a scanManifest props to JarScanner.
> >>> But when I added the props
> >>> into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml
> >>> 
> >>> 
> >>> WEB-INF/web.xml
> >>> ${catalina.base}/conf/web.xml
> >>>
> >>> 
> >>> 
> >>>
> >>> 
> >>> 
> >>> 
> >>>
> >>> It doesn't work and the prop is still true on startup:
> >>
> >> Hmm. That should work. Are you sure that file is being read at startup?
> >> One way to check is to deliberately break it and see what happens.
> >>
> >> Mark
> >>
> >>
> >>>
> >>>
> >>> Must I put this in the context.xml of the webapp itself. I deploy the
> >>> webapp via a war file and have no control over the war content until
> >>> tomcat deploys it which is too late...
> >>>
> >>> Is there any other way for me to turn this off using global config of
> >>> tomcat.
> >>>
> >>> Thanks much.
> >>>
> >>> Regards,
> >>>
> >>> Hoa Phan
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
>
>
>
>


How to restrict access to specific webapp + denyStatus

2017-03-09 Thread Diego Gomes
Hello guys!


inside of my "/opt/tomcat7/webapps/" folder, I have many apps over there


I would like to protect for instance, "Student" (/opt/tomcat7/webapps/Student) 
app to only allow specific IP address, so I did:


"# vi /opt/tomcat7/conf/Catalina/localhost/Student.xml" and added:



   


It is working, I am not able to access the https://server.domain.com/Student 
while I am not source = 127.0.0.1 []

But, My HTTP Status on Browser, does not show 404, always saying 403...

My questions:

 - For the first statement, that configuration I did (Student.xml) is the 
correct way?
 - Why the 404 denyStatus is not working?

I am running tomcat 7.0.11

Thanks!


Diego



Re: Apache Tomcat 9

2017-03-09 Thread tomcat

On 10.03.2017 00:24, pina.freder...@gmail.com wrote:

How do I stop it ?


Close the lid of your laptop ?

(Sorry, could not stop myself)



Sent from Mail for Windows 10

From: Caldarale, Charles R
Sent: Thursday, March 9, 2017 6:16 PM
To: Tomcat Users List
Subject: RE: Apache Tomcat 9


From: pina.freder...@gmail.com [mailto:pina.freder...@gmail.com]
Subject: Apache Tomcat 9




I'm trying to teach myself Java Web App Development but can't seem to get this 
issue resolved.



Mar 09, 2017 5:44:17 PM org.apache.catalina.core.StandardServer await
SEVERE: StandardServer.await: create[localhost:8080]:
java.net.BindException: Address already in use: JVM_Bind


You already have something on your laptop that's using port 8080.  Either stop 
running that program, or configure your Tomcat to use a different port in the 
 element of server.xml.

  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: Apache Tomcat 9

2017-03-09 Thread calder
>> From: pina.freder...@gmail.com [mailto:pina.freder...@gmail.com]
>> Subject: Apache Tomcat 9
>
>
>> I'm trying to teach myself Java Web App Development but can't seem to get 
>> this issue resolved.
>
>> Mar 09, 2017 5:44:17 PM org.apache.catalina.core.StandardServer await
>> SEVERE: StandardServer.await: create[localhost:8080]:
>> java.net.BindException: Address already in use: JVM_Bind

>> From: Caldarale, Charles R
>> Sent: Thursday, March 9, 2017 6:16 PM
>> To: Tomcat Users List
> Subject: RE: Apache Tomcat 9
>
> You already have something on your laptop that's using port 8080.  Either 
> stop running that program, or configure your Tomcat to use a different port 
> in the  element of server.xml.
>
>  - Chuck

On Thu, Mar 9, 2017 at 11:24 PM,   wrote:
> How do I stop it ?
>

Please don't top-post. I've fixed your reply.

If the "other" application is running as a Windows Service, then stop
the Service.

If you've run the "other" application from the command-line, then
usually you can do a  at the keyboard to stop the process.

If the application has run off as a rogue process, then use Task
Manager to kill it.




Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Hoa Phan
Ouch!! My bad... sorry Chris.

On Fri, Mar 10, 2017 at 10:31 AM, calder  wrote:

> On Thu, Mar 9, 2017 at 9:48 PM, Hoa Phan  wrote:
> > Hi Chris,
> >
> > I tried:
> >
> > org.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //in the
> > logging.properties
> >
> > -Dorg.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //on
> startup
> >
> > org.apache.tomcat.util.scan.StandardJarScanner.level= SERVERE //as
> sysprops
> >
> > But they didn't help either :(, StandardJarScanner still prints WARN
> msgs...
> >
> > Any idea?
>
> > Thanks.
> > Hoa.
>
> Is "SEVERE" spelled "SERVERE" (as written above) in the properties file?
>
> If yes, then that's the issue
>
>
>


Re: What is the correct way to use scanManifest

2017-03-09 Thread Mark Thomas
On 09/03/17 21:38, Hoa Phan wrote:
> I'll try that and see how it goes, thanks Mark. Btw, when I was debugging I
> couldn't find where this method get called at all:
> public void setScanManifest(boolean scanManifest) {
> this.scanManifest = scanManifest;
> }
> 
> This props default to true:
> private boolean scanManifest = true;
> 
> And the StandardJarScanner always been constructed like:
> jarScanner = new StandardJarScanner();
> 
> How would scanManifest ever be set to false...

Via the digester when processing server.xml or context.xml. Take a look
at org.apache.catalina.startup.ContextRuleSet

Mark


> 
> Regards,
> 
> Hoa Phan.
> 
> 
> 
> 
> On Fri, Mar 10, 2017 at 6:44 AM, Mark Thomas  wrote:
> 
>> On 09/03/17 13:15, Hoa Phan wrote:
>>> Hi,
>>>
>>> I see that since 8.0.38 we added a scanManifest props to JarScanner.
>>> But when I added the props
>>> into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml
>>> 
>>> 
>>> WEB-INF/web.xml
>>> ${catalina.base}/conf/web.xml
>>>
>>> 
>>> 
>>>
>>> 
>>> 
>>> 
>>>
>>> It doesn't work and the prop is still true on startup:
>>
>> Hmm. That should work. Are you sure that file is being read at startup?
>> One way to check is to deliberately break it and see what happens.
>>
>> Mark
>>
>>
>>>
>>>
>>> Must I put this in the context.xml of the webapp itself. I deploy the
>>> webapp via a war file and have no control over the war content until
>>> tomcat deploys it which is too late...
>>>
>>> Is there any other way for me to turn this off using global config of
>>> tomcat.
>>>
>>> Thanks much.
>>>
>>> Regards,
>>>
>>> Hoa Phan
>>>
>>>
>>
>>
>>
>>
> 





Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread calder
On Thu, Mar 9, 2017 at 9:48 PM, Hoa Phan  wrote:
> Hi Chris,
>
> I tried:
>
> org.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //in the
> logging.properties
>
> -Dorg.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //on startup
>
> org.apache.tomcat.util.scan.StandardJarScanner.level= SERVERE //as sysprops
>
> But they didn't help either :(, StandardJarScanner still prints WARN msgs...
>
> Any idea?

> Thanks.
> Hoa.

Is "SEVERE" spelled "SERVERE" (as written above) in the properties file?

If yes, then that's the issue

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
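
Added example (not part of the thread and not Tomcat code): both fixes suggested in this thread, the missing `.level` suffix and the misspelled `SERVERE`, can be caught before startup by parsing every configured value with `java.util.logging.Level.parse`. The class and method names are hypothetical, and the sample properties are constructed from the settings quoted above.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.TreeSet;
import java.util.logging.Level;

public class JulLevelCheck {

    // The level names java.util.logging defines; there is no WARN or ERROR.
    static final String[] NAMES = {
        "OFF", "SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL"
    };

    /** Levenshtein distance, used only to suggest the name that was probably meant. */
    static int distance(String a, String b) {
        int[] prev = new int[b.length() + 1];
        for (int j = 0; j <= b.length(); j++) prev[j] = j;
        for (int i = 1; i <= a.length(); i++) {
            int[] cur = new int[b.length() + 1];
            cur[0] = i;
            for (int j = 1; j <= b.length(); j++) {
                int sub = prev[j - 1] + (a.charAt(i - 1) == b.charAt(j - 1) ? 0 : 1);
                cur[j] = Math.min(sub, Math.min(prev[j], cur[j - 1]) + 1);
            }
            prev = cur;
        }
        return prev[b.length()];
    }

    /** Closest defined level name to the given (possibly misspelled) value. */
    static String nearest(String value) {
        String best = NAMES[0];
        int bestDist = Integer.MAX_VALUE;
        for (String name : NAMES) {
            int d = distance(value.toUpperCase(Locale.ROOT), name);
            if (d < bestDist) {
                bestDist = d;
                best = name;
            }
        }
        return best;
    }

    /** True if java.util.logging itself accepts the value as a level. */
    static boolean isLevel(String value) {
        try {
            Level.parse(value);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Returns one finding per suspicious entry, ordered by property key. */
    static List<String> check(Properties props) {
        List<String> findings = new ArrayList<>();
        for (String key : new TreeSet<>(props.stringPropertyNames())) {
            String value = props.getProperty(key).trim();
            if (key.endsWith(".level")) {
                if (!isLevel(value)) {
                    findings.add(key + ": '" + value + "' is not a level name, did you mean "
                            + nearest(value) + "?");
                }
            } else if (value.matches("[A-Z]+")
                    && (isLevel(value) || distance(value, nearest(value)) <= 2)) {
                // Heuristic: an upper-case value that is, or nearly is, a level name
                // on a key without the ".level" suffix configures nothing.
                findings.add(key + ": value looks like a level but the key lacks '.level'");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample combining the variants tried in the thread.
        String sample =
              "handlers = java.util.logging.ConsoleHandler\n"
            + "java.util.logging.ConsoleHandler.level = SEVERE\n"
            + "org.apache.catalina.level = WARN\n"
            + "org.apache.tomcat.util.scan.StandardJarScanner = SEVERE\n"
            + "org.apache.tomcat.util.scan.StandardJarScanner.level = SERVERE\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));
        check(props).forEach(System.out::println);
    }
}
```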



RE: Apache Tomcat 9

2017-03-09 Thread pina.frederick
How do I stop it ?

Sent from Mail for Windows 10

From: Caldarale, Charles R
Sent: Thursday, March 9, 2017 6:16 PM
To: Tomcat Users List
Subject: RE: Apache Tomcat 9

> From: pina.freder...@gmail.com [mailto:pina.freder...@gmail.com] 
> Subject: Apache Tomcat 9


> I'm trying to teach myself Java Web App Development but can't seem to get 
> this issue resolved.

> Mar 09, 2017 5:44:17 PM org.apache.catalina.core.StandardServer await
> SEVERE: StandardServer.await: create[localhost:8080]: 
> java.net.BindException: Address already in use: JVM_Bind

You already have something on your laptop that's using port 8080.  Either stop 
running that program, or configure your Tomcat to use a different port in the 
 element of server.xml.

 - Chuck






RE: Apache Tomcat 9

2017-03-09 Thread Caldarale, Charles R
> From: pina.freder...@gmail.com [mailto:pina.freder...@gmail.com] 
> Subject: Apache Tomcat 9


> I'm trying to teach myself Java Web App Development but can't seem to get 
> this issue resolved.

> Mar 09, 2017 5:44:17 PM org.apache.catalina.core.StandardServer await
> SEVERE: StandardServer.await: create[localhost:8080]: 
> java.net.BindException: Address already in use: JVM_Bind

You already have something on your laptop that's using port 8080.  Either stop 
running that program, or configure your Tomcat to use a different port in the 
 element of server.xml.

 - Chuck





Apache Tomcat 9

2017-03-09 Thread pina.frederick
Hello ! I’m trying to teach myself Java Web App Development but can’t seem to 
get this issue resolved. Can anyone give me a few hints ? I’m using a Windows 
10 Home laptop with Eclipse Neon 2 IDE. Thanks.

Mar 09, 2017 5:44:16 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
property 'source' to 'org.eclipse.jst.jee.server:helloworld' did not find a 
matching property.
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:Apache Tomcat/9.0.0.M17
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:  Jan 10 2017 20:59:20 UTC
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number: 9.0.0.0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name:   Windows 10
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:10.0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture:  amd64
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home: C:\Program Files\Java\jre1.8.0_121
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version:   1.8.0_121-b13
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor:Oracle Corporation
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE: 
C:\Users\fpina\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME: C:\Program Files\Apache Software Foundation\Tomcat 
9.0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: 
-Dcatalina.base=C:\Users\fpina\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=C:\Program Files\Apache Software 
Foundation\Tomcat 9.0
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: 
-Dwtp.deploy=C:\Users\fpina\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.endorsed.dirs=C:\Program Files\Apache 
Software Foundation\Tomcat 9.0\endorsed
Mar 09, 2017 5:44:16 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dfile.encoding=Cp1252
Mar 09, 2017 5:44:16 PM org.apache.catalina.core.AprLifecycleListener 
lifecycleEvent
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
C:\Program 
Files\Java\jre1.8.0_121\bin;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:/Program
 Files/Java/jre1.8.0_121/bin/server;C:/Program 
Files/Java/jre1.8.0_121/bin;C:/Program 
Files/Java/jre1.8.0_121/lib/amd64;C:\Program Files (x86)\Common 
Files\Intel\Shared Files\cpp\bin\Intel64;C:\Program Files 
(x86)\Embarcadero\Studio\18.0\bin;C:\Users\Public\Documents\Embarcadero\Studio\18.0\Bpl;C:\Program
 Files 
(x86)\Embarcadero\Studio\18.0\bin64;C:\Users\Public\Documents\Embarcadero\Studio\18.0\Bpl\Win64;C:\ProgramData\Oracle\Java\javapath;C:\Program
 Files\Microsoft MPI\Bin\;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program 
Files\Intel\iCLS 
Client\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program
 Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program 
Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program 
Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files 
(x86)\Windows Kits\10\Windows Performance Toolkit\;C:\Program 
Files\dotnet\;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program 
Files\Anaconda3;C:\Program Files\Anaconda3\Scripts;C:\Program 
Files\Anaconda3\Library\bin;C:\Program Files (x86)\GtkSharp\2.12\bin;C:\Program 
Files (x86)\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files 
(x86)\Microsoft SQL Server\130\DTS\Binn\;C:\Program Files\Microsoft SQL 
Server\130\DTS\Binn\;C:\Program Files\Microsoft SQL Server\Client 
SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL Server\Client 
SDK\ODBC\130\Tools\Binn\;C:\Program Files (x86)\Microsoft SQL 
Server\130\Tools\Binn\ManagementStudio\;C:\Program Files (x86)\Microsoft SQL 
Server\110\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL 
Server\120\DTS\Binn\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common 

Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Hoa Phan
Hi Chris,

I tried:

org.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //in the
logging.properties

-Dorg.apache.tomcat.util.scan.StandardJarScanner.level=SERVERE //on startup

org.apache.tomcat.util.scan.StandardJarScanner.level= SERVERE //as sysprops

But they didn't help either :(, StandardJarScanner still prints WARN msgs...


Any idea?


Thanks.

Hoa.

On Fri, Mar 10, 2017 at 4:26 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Hoa,
>
> On 3/9/17 11:58 AM, Hoa Phan wrote:
> > I have tried:
> >
> > org.apache.tomcat.util.scan.StandardJarScanner.level = SERVERE //in
> > the logging.properties
> >
> > -Dorg.apache.tomcat.util.scan.StandardJarScanner=SERVERE //on
> > startup
> >
> > org.apache.tomcat.util.scan.StandardJarScanner=SERVER //as
> > sysprops
> >
> >
> > None of them works... That logger is still WARN enabled
>
> Try this:
>
> org.apache.tomcat.util.scan.StandardJarScanner.level=SEVERE
>
> You were missing the ".level" at the end of the setting.
>
> - -chris
>
>


Re: What is the correct way to use scanManifest

2017-03-09 Thread Hoa Phan
I'll try that and see how it goes, thanks Mark. Btw, when I was debugging I
couldn't find where this method gets called at all:
public void setScanManifest(boolean scanManifest) {
    this.scanManifest = scanManifest;
}

This prop defaults to true:
private boolean scanManifest = true;

And the StandardJarScanner is always constructed like:
jarScanner = new StandardJarScanner();

How would scanManifest ever be set to false...

Regards,

Hoa Phan.




On Fri, Mar 10, 2017 at 6:44 AM, Mark Thomas  wrote:

> On 09/03/17 13:15, Hoa Phan wrote:
> > Hi,
> >
> > I see that since 8.0.38 we added a scanManifest props to JarScanner.
> > But when I added the props
> > into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml
> > 
> > 
> > WEB-INF/web.xml
> > ${catalina.base}/conf/web.xml
> >
> > 
> > 
> >
> > 
> > 
> > 
> >
> > It doesn't work and the prop is still true on startup:
>
> Hmm. That should work. Are you sure that file is being read at startup?
> One way to check is to deliberately break it and see what happens.
>
> Mark
>
>
> >
> >
> > Must I put this in the context.xml of the webapp itself. I deploy the
> > webapp via a war file and have no control over the war content until
> > tomcat deploys it which is too late...
> >
> > Is there any other way for me to turn this off using global config of
> > tomcat.
> >
> > Thanks much.
> >
> > Regards,
> >
> > Hoa Phan
> >
> >
>
>
>
>


Re: getRealPath is a bad idea?

2017-03-09 Thread Christopher Schultz

Cris,

On 3/9/17 3:18 PM, Berneburg, Cris J. - US wrote:
>>> BTW, why doesn't getRealPath return the full path to the folder
>>> that the WAR file is in instead of null?
>> 
>> You mean for a call like getRealPath("/")?
> 
> Yes, exactly!
> 
>> Well, that would require a path to be returned to the "root" of 
>> the application. Let's say that ROOT.war is in 
>> /home/tomcat/webapps/ROOT.war and also index.html is in the 
>> "root" of the WAR File.
>> 
>> If you used getRealPath("/index.html") it would, as described, 
>> return null -- because there's no file path that could get you to
>> that file.
>> 
>> If you used getRealPath("/") and then added "/index.html" to the
>> end of it, you'd expect to be able to read index.html from the
>> resulting path (/home/tomcat/webapps/index.html). Not only does
>> that not work (because the file isn't there), it's not even the
>> right path. The "right" path (if there even is one) would be
>> something like "/home/tomcat/webapps/ROOT.war/index.html".
> 
> While that is exactly the sort of result I would want, it does
> seem kind of hackish. It isn't a response that can be supplied to a
> file system to retrieve the file. It would require some sort of
> analysis and parsing. So I can see why null is the safer answer,
> even if I don't like it. ;-)

If you really REALLY want a file path, you could use the catalina.base
system property or the tmpdir and go from there. The former is
Tomcat-specific, of course, and the tmpdir would be *anywhere*, but if
you just really REALLY need a path on the disk, you could get it from
there.

>> So when the WAR is not unpacked, there really isn't any 
>> meaningful return value from getRealPath, even for special- cases
>> like "" or "/".
> 
> Thanks for explaining.  I need to absorb all that info.
> 
> Also, maybe I'm not asking the right question. How do you all 
> configure the location of a special folder that is not part of the 
> deployment package itself? A site-specific config file perhaps?

Well-known location like /etc/myapp/config.cfg? Well-known
configuration URL like https://internal-config.myapp.com/config.cfg?

> Currently I'm using getRealPath for a relative-path location, but
> it sounds like that may need to be changed. Fortunately, the impact
> points are somewhat limited since all calls to getRealPath are
> wrapped with other centralized methods.

If the file can be bundled with the WAR file (which would be best),
then you should get
ServletContext.getResource("/path/rooted/in/the/WAR/file/config.cfg").

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
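
Added example (not part of the thread): a plain-JDK analogue of the packed-WAR case described above, showing that neither candidate path exists on disk while a resource URL still reads the entry, which is why `ServletContext.getResource()` works where `getRealPath()` returns null. The class name, temporary directory and archive contents are constructed for illustration; `readAllBytes` needs Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class PackedWarDemo {

    /** Builds a tiny, constructed ROOT.war holding a single entry, index.html. */
    static Path buildWar(Path webapps) throws IOException {
        Path war = webapps.resolve("ROOT.war");
        try (OutputStream out = Files.newOutputStream(war);
             ZipOutputStream zip = new ZipOutputStream(out)) {
            zip.putNextEntry(new ZipEntry("index.html"));
            zip.write("<h1>hello</h1>".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
        }
        return war;
    }

    /** Reads an archive entry through a jar: URL, the way a resource URL is consumed. */
    static String readEntry(Path war, String entry) throws IOException {
        URL url = new URL("jar:" + war.toUri() + "!/" + entry);
        URLConnection conn = url.openConnection();
        conn.setUseCaches(false); // do not keep the archive open after reading
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        Path webapps = Files.createTempDirectory("webapps");
        Path war = buildWar(webapps);

        // The two candidate "real paths" from the thread; neither is a file on disk.
        Path besideWar = webapps.resolve("index.html");
        Path insideWar = war.resolve("index.html");
        System.out.println(besideWar + " exists: " + Files.exists(besideWar));
        System.out.println(insideWar + " exists: " + Files.exists(insideWar));

        // The entry is still readable as a resource, without any file path.
        System.out.println("via URL: " + readEntry(war, "index.html"));

        Files.delete(war);
        Files.delete(webapps);
    }
}
```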



RE: getRealPath is a bad idea?

2017-03-09 Thread Caldarale, Charles R
> From: Berneburg, Cris J. - US [mailto:cberneb...@caci.com] 
> Subject: RE: getRealPath is a bad idea?

> How do you all configure the location of a special folder that is not part of
> the deployment package itself?  A site-specific config file perhaps?

Take a look at this:
http://tomcat.apache.org/tomcat-8.5-doc/config/resources.html

A  element within  allows specification of areas outside of 
the Tomcat deployment that the webapp can access via 
ServletContext.getResource() or getResourceAsStream().

 - Chuck





RE: getRealPath is a bad idea?

2017-03-09 Thread Berneburg, Cris J. - US
Chris

>> BTW, why doesn't getRealPath return the full path to the
>> folder that the WAR file is in instead of null?
>
> You mean for a call like getRealPath("/")?

Yes, exactly!

> Well, that would require a path to be returned to the "root" of
> the application. Let's say that ROOT.war is in
> /home/tomcat/webapps/ROOT.war and also index.html is in the
> "root" of the WAR File.
>
> If you used getRealPath("/index.html") it would, as described,
> return null -- because there's no file path that could get you
> to that file.
>
> If you used getRealPath("/") and then added "/index.html" to
> the end of it, you'd expect to be able to read index.html from
> the resulting path (/home/tomcat/webapps/index.html). Not only
> does that not work (because the file isn't there), it's not
> even the right path. The "right" path (if there even is one)
> would be something like "/home/tomcat/webapps/ROOT.war/index.html".

While that is exactly the sort of result I would want, it does seem kind of 
hackish.  It isn't a response that can be supplied to a file system to retrieve 
the file.  It would require some sort of analysis and parsing.  So I can see 
why null is the safer answer, even if I don't like it.  ;-)

> So when the WAR is not unpacked, there really isn't any
> meaningful return value from getRealPath, even for special-
> cases like "" or "/".

Thanks for explaining.  I need to absorb all that info.

Also, maybe I'm not asking the right question.  How do you all configure the 
location of a special folder that is not part of the deployment package itself? 
 A site-specific config file perhaps?  Currently I'm using getRealPath for a 
relative-path location, but it sounds like that may need to be changed.  
Fortunately, the impact points are somewhat limited since all calls to 
getRealPath are wrapped with other centralized methods.

--
Cris Berneburg
CACI Lead Software Engineer



Re: [ANN] TomcatCon schedule announced

2017-03-09 Thread Igal @ Lucee.org

On 3/9/2017 11:42 AM, Mark Thomas wrote:

> We typically make these available free of charge. For
> past Tomcat related sessions see:
>
> http://tomcat.apache.org/presentations.html
>
> We should have audio for more of those. I'll see if I can track it down.

Thanks for the link!

I've been on that Tomcat website hundreds of times and somehow managed 
to miss it there until now.





Re: [ANN] TomcatCon schedule announced

2017-03-09 Thread Mark Thomas
On 09/03/17 19:51, Christopher Schultz wrote:
> Mark,
> 
> On 3/9/17 2:42 PM, Mark Thomas wrote:
>> On 09/03/17 18:36, Igal @ Lucee.org wrote:
>>> This is great, but unfortunately I will not be able to attend in
>>> person due to scheduling conflicts.
>>>
>>> Will the sessions be recorded?  I'd be willing to pay a
>>> reasonable fee to watch them afterwards.
> 
>> We should have audio recordings. I believe the availability of
>> video (and the speed at which we can make all of this available)
>> will depend on sponsorship. We typically make these available free
>> of charge. For past Tomcat related sessions see:
> 
>> http://tomcat.apache.org/presentations.html
> 
>> We should have audio for more of those. I'll see if I can track it
>> down.
> 
> Audio has been spotty on a per-presentation (or usually per-track)
> basis. I've been to ApacheCons where 100% of the audio was available,
> when 0% was available, and somewhere in between.
> 
> Mark, any idea on the process for sponsorship for things like this?
> I've never even seen a solicitation for sponsorship for an ApacheCon.

http://events.linuxfoundation.org/events/apachecon-north-america/sponsors

Mark




Re: Status code 403 Forbidden issue for websocket creation using WSS protocol

2017-03-09 Thread Christopher Schultz
Nishant,

On 3/9/17 2:12 PM, nishant singh wrote:
> Thank you for the response. I am using a self-signed certificate.
> How to make httpd trust the certificate that Tomcat is presenting?

I think this is the directive you are looking for:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycacertificatefile

It's obscure in that it's a part of mod_ssl and not mod_proxy_*, so
it's not entirely obvious that it's a configurable setting.

Hope that helps,
-chris

> On Fri, Mar 10, 2017 at 12:09 AM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Nishant,
> 
> On 3/9/17 1:16 PM, nishant singh wrote:
>> I am creating a websocket connection to server using "wss"
>> protocol from client.  I have configured apache as proxy (mod
>> proxy and mod_proxy_wstunnel.so module is enabled in Apache
>> httpd.conf file) to my tomcat server. In apache VirtualHost
>> for port 443 is created. Attached is Apache httpd.conf file
>> for reference. Tomcat connector for ssl is mentioned below. I
>> am getting response status code 403 Forbidden for websocket
>> request sent from client using "wss" protocol. The same
>> set-up works fine using "ws" protocol websocket connection on
>> port 80 of apache proxied to port 8080 of tomcat. I assume
>> that SSL handshake is failing in this scenario. Please
>> suggest the solution.
> 
> Does httpd trust the certificate that Tomcat is presenting when
> httpd connects to Tomcat using TLS?
> 
> -chris

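The directive Chris points to, placed in the virtual host from the original post, as an added example (not from the thread, and not the poster's actual httpd.conf). It assumes the virtual host address *:443, that Tomcat's self-signed certificate has been exported in PEM form to the hypothetical path conf/tomcat-backend.pem, and that the certificate names localhost.

```apache
# Added example: httpd (mod_ssl + mod_proxy) authenticating a Tomcat backend
# that presents a self-signed certificate. Values marked "assumed" are
# placeholders, not values from the thread.

# Assumed address; the post only says the virtual host is for port 443.
<VirtualHost *:443>
    ServerName localhost

    # Front side: browser -> httpd (file names from the original post)
    SSLEngine on
    SSLCertificateFile    ../certificate.pem
    SSLCertificateKeyFile ../privkey.pem

    # Back side: httpd -> Tomcat over TLS
    SSLProxyEngine on

    # Trust anchor for the backend connection. For a self-signed certificate
    # the certificate itself acts as the CA: export it from Tomcat's keystore
    # in PEM form and point httpd at that file (assumed path).
    SSLProxyCACertificateFile conf/tomcat-backend.pem

    # Require the backend certificate to chain to the anchor above.
    # The default is "none", which accepts any certificate.
    SSLProxyVerify require

    # Keep the name and expiry checks on (both default to "on" in 2.4).
    # The backend certificate must therefore name "localhost", the host
    # used in the ProxyPass URLs below.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Settings to avoid: they let the backend handshake succeed by no longer
    # authenticating Tomcat at all.
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerName off
    #   SSLProxyCheckPeerCN off

    ProxyRequests Off
    # Proxy rules from the original post; the more specific path comes first.
    ProxyPass        /NG/nmsgServletApp/wsHandler wss://localhost:8443/nmsgServletApp/wsHandler
    ProxyPassReverse /NG/nmsgServletApp/wsHandler wss://localhost:8443/nmsgServletApp/wsHandler
    ProxyPass        /NG https://localhost:8443/
    ProxyPassReverse /NG https://localhost:8443/
</VirtualHost>
```

Check the syntax with apachectl configtest before reloading httpd.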


Re: [ANN] TomcatCon schedule announced

2017-03-09 Thread Christopher Schultz
Mark,

On 3/9/17 2:42 PM, Mark Thomas wrote:
> On 09/03/17 18:36, Igal @ Lucee.org wrote:
>> This is great, but unfortunately I will not be able to attend in
>> person due to scheduling conflicts.
>> 
>> Will the sessions be recorded?  I'd be willing to pay a
>> reasonable fee to watch them afterwards.
> 
> We should have audio recordings. I believe the availability of
> video (and the speed at which we can make all of this available)
> will depend on sponsorship. We typically make these available free
> of charge. For past Tomcat related sessions see:
> 
> http://tomcat.apache.org/presentations.html
> 
> We should have audio for more of those. I'll see if I can track it
> down.

Audio has been spotty on a per-presentation (or usually per-track)
basis. I've been to ApacheCons where 100% of the audio was available,
when 0% was available, and somewhere in between.

Mark, any idea on the process for sponsorship for things like this?
I've never even seen a solicitation for sponsorship for an ApacheCon.

-chris



Re: What is the correct way to use scanManifest

2017-03-09 Thread Mark Thomas
On 09/03/17 13:15, Hoa Phan wrote:
> Hi,
> 
> I see that since 8.0.38 we added a scanManifest props to JarScanner.
> But when I added the props
> into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml
> 
> 
> WEB-INF/web.xml
> ${catalina.base}/conf/web.xml
> 
> 
> 
> 
> 
> 
> 
> 
> It doesn't work and the prop is still true on startup:

Hmm. That should work. Are you sure that file is being read at startup?
One way to check is to deliberately break it and see what happens.

Mark


>
> Must I put this in the context.xml of the webapp itself. I deploy the
> webapp via a war file and have no control over the war content until
> tomcat deploys it which is too late...
> 
> Is there any other way for me to turn this off using global config of
> tomcat.
> 
> Thanks much.
> 
> Regards,
> 
> Hoa Phan
> 
> 





Re: [ANN] TomcatCon schedule announced

2017-03-09 Thread Mark Thomas
On 09/03/17 18:36, Igal @ Lucee.org wrote:
> This is great, but unfortunately I will not be able to attend in person
> due to scheduling conflicts.
> 
> Will the sessions be recorded?  I'd be willing to pay a reasonable fee
> to watch them afterwards.

We should have audio recordings. I believe the availability of video
(and the speed at which we can make all of this available) will depend
on sponsorship. We typically make these available free of charge. For
past Tomcat related sessions see:

http://tomcat.apache.org/presentations.html

We should have audio for more of those. I'll see if I can track it down.

Kind regards,

Mark


> 
> Thanks,
> 
> Igal Sapir
> Lucee Core Developer
> Lucee.org 
> 
> On 3/9/2017 6:08 AM, Mark Thomas wrote:
>> All,
>>
>> I am delighted to announce that the schedule for TomcatCon has been
>> published:
>>
>> https://apachecon2017.sched.com/overview/type/TomcatCon
>>
>> Registration is open at:
>>
>> http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-
>>
>>
>> with early bird pricing ($600) through Sunday 12th March saving 25% on
>> the standard registration fee.
>>
>> Note that registration for TomcatCon includes access to ApacheCon and
>> Apache Big Data.
>>
>> See you in Miami!
>>
>> Mark



Re: Status code 403 Forbidden issue for websocket creation using WSS protocol

2017-03-09 Thread nishant singh
Hello Chris,

Thank you for the response. I am using a self-signed certificate. How to
make httpd trust the certificate that Tomcat is presenting?

Nishant

On Fri, Mar 10, 2017 at 12:09 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Nishant,
>
> On 3/9/17 1:16 PM, nishant singh wrote:
> > I am creating a websocket connection to server using "wss"
> > protocol from client.  I have configured apache as proxy (mod proxy
> > and mod_proxy_wstunnel.so module is enabled in Apache httpd.conf
> > file) to my tomcat server. In apache VirtualHost for port 443 is
> > created. Attached is Apache httpd.conf file for reference. Tomcat
> > connector for ssl is mentioned below. I am getting response status
> > code 403 Forbidden for websocket request sent from client using
> > "wss" protocol. The same set-up works fine using "ws" protocol
> > websocket connection on port 80 of apache proxied to port 8080 of
> > tomcat. I assume that SSL handshake is failing in this scenario.
> > Please suggest the solution.
>
> Does httpd trust the certificate that Tomcat is presenting when httpd
> connects to Tomcat using TLS?
>
> -chris


Re: Status code 403 Forbidden issue for websocket creation using WSS protocol

2017-03-09 Thread Christopher Schultz
Nishant,

On 3/9/17 1:16 PM, nishant singh wrote:
> I am creating a websocket connection to server using "wss"
> protocol from client.  I have configured apache as proxy (mod proxy
> and mod_proxy_wstunnel.so module is enabled in Apache httpd.conf
> file) to my tomcat server. In apache VirtualHost for port 443 is
> created. Attached is Apache httpd.conf file for reference. Tomcat
> connector for ssl is mentioned below. I am getting response status
> code 403 Forbidden for websocket request sent from client using
> "wss" protocol. The same set-up works fine using "ws" protocol
> websocket connection on port 80 of apache proxied to port 8080 of
> tomcat. I assume that SSL handshake is failing in this scenario.
> Please suggest the solution.

Does httpd trust the certificate that Tomcat is presenting when httpd
connects to Tomcat using TLS?

-chris



Re: [ANN] TomcatCon schedule announced

2017-03-09 Thread Igal @ Lucee.org
This is great, but unfortunately I will not be able to attend in person 
due to scheduling conflicts.


Will the sessions be recorded?  I'd be willing to pay a reasonable fee 
to watch them afterwards.


Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org 

On 3/9/2017 6:08 AM, Mark Thomas wrote:

> All,
>
> I am delighted to announce that the schedule for TomcatCon has been
> published:
>
> https://apachecon2017.sched.com/overview/type/TomcatCon
>
> Registration is open at:
>
> http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-
>
> with early bird pricing ($600) through Sunday 12th March saving 25% on
> the standard registration fee.
>
> Note that registration for TomcatCon includes access to ApacheCon and
> Apache Big Data.
>
> See you in Miami!
>
> Mark





Status code 403 Forbidden issue for websocket creation using WSS protocol

2017-03-09 Thread nishant singh
Hi,

I am creating a websocket connection to server using "wss" protocol from
client.  I have configured apache as proxy (mod proxy and
mod_proxy_wstunnel.so module is enabled in Apache httpd.conf file) to my
tomcat server. In apache VirtualHost for port 443 is created. Attached is
Apache httpd.conf file for reference. Tomcat connector for ssl is mentioned
below. I am getting response status code 403 Forbidden for websocket
request sent from client using "wss" protocol. The same set-up works fine
using "ws" protocol websocket connection on port 80 of apache proxied to
port 8080 of tomcat. I assume that SSL handshake is failing in this
scenario. Please suggest the solution.
Tomcat version:-9.0.0.M13
Apache version:- 2.4.23

==in Tomcat Server.xml connector configuration on port 443==
 

==Chrome debugger trace for this Request


[image: Inline image 1]

===sample websocket code for request creation From client==
this.websocket = new WebSocket("wss://localhost:443/NG/nmsgServletApp/wsHandler/");

this.websocket.onopen = (evt) => {
  this.websocket.send("Hello Nishant");
};
// nmsgServletApp: my application name, which is deployed in tomcat
// wsHandler: the server side websocket handler mapping name
// NG: proxy token for the web-application deployed in Tomcat

Apache virtual port configuration for request proxy to tomcat===

SSLCertificateFile ../certificate.pem
SSLCertificateKeyFile ../privkey.pem
ServerAdmin a...@localhost.com
ServerName "localhost"
SSLEngine on
SSLProxyEngine on
SecRuleEngine On
ProxyRequests Off
# Below is Proxy configuration for above web-application deployed in Tomcat

ProxyPass /NG/nmsgServletApp/wsHandler wss://localhost:8443/nmsgServletApp/wsHandler
ProxyPassReverse /NG/nmsgServletApp/wsHandler wss://localhost:8443/nmsgServletApp/wsHandler
ProxyPass /NG https://localhost:8443/
ProxyPassReverse /NG https://localhost:8443/

# Below is Proxy configuration for another application deployed in another server

ProxyPass / https://localhost:49101/ retry=10
ProxyPassReverse / https://localhost:49101/

ProxyPreserveHost Off
Order deny,allow
deny from all
Allow from all
SetOutputFilter DEFLATE

==

Please let me know if some more info is required or my description of the
problem is not clear. Please guide.

Thanks,
Nishant


Re: How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Christopher Schultz
Hoa,

On 3/9/17 11:58 AM, Hoa Phan wrote:
> I have tried:
> 
> org.apache.tomcat.util.scan.StandardJarScanner.level = SERVERE //in
> the logging.properties
> 
> -Dorg.apache.tomcat.util.scan.StandardJarScanner=SERVERE //on
> startup
> 
> org.apache.tomcat.util.scan.StandardJarScanner=SERVER //as
> sysprops
> 
> 
> None of them works... That logger is still WARN enabled

Try this:

org.apache.tomcat.util.scan.StandardJarScanner.level=SEVERE

You were missing the ".level" at the end of the setting.

-chris



How do I set the logger org.apache.tomcat.util.scan.StandardJarScanner's level to WARN

2017-03-09 Thread Hoa Phan
I have tried:

org.apache.tomcat.util.scan.StandardJarScanner.level = SERVERE //in the
logging.properties

-Dorg.apache.tomcat.util.scan.StandardJarScanner=SERVERE //on startup

org.apache.tomcat.util.scan.StandardJarScanner=SERVER //as sysprops


None of them works... That logger is still WARN enabled


Re: Logging TLS Session Failures

2017-03-09 Thread Christopher Schultz
Durga,

On 3/9/17 3:34 AM, Durga Srinivasu Karuturi wrote:
> This is one of the requirement from FIPS/CC certification.

Can you provide a reference for this requirement?

-chris

> On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Durga,
> 
> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
>> We are using JSSE only not APR. Looking for handshake
>> failures.
>>
>> Yes, using JSSE SSL debug, we are able to get all handshake
>> (-Djavax.net.debug=ssl:handshake) logs including success
>> cases. These are still quite bit expense logs and meant for
>> debug purposes. As you said it might impact performance
>> that's the reason, trying for any other optimal solution
>> here.
> 
> I know of no way to be notified about handshake failures on the
> server side. You may not be able to fulfill this requirement if
> using Java for your crypto.
> 
> Honestly, I'm not sure why you care about failed TLS handshakes.
> Are you trying to implement a NIDS in your application? This is 
> better-handled by a network component specifically-designed for
> this kind of thing.
> 
> -chris



Re: JMX currentThreadsBusy less than connections/requests when use APR connector

2017-03-09 Thread Christopher Schultz
Linbo,

On 3/8/17 8:13 PM, linbo liao wrote:
> Here is the Connector configuration:
> 
>  protocol="org.apache.coyote.http11.Http11AprProtocol" 
> maxHttpHeaderSize="8192" maxThreads="400" acceptorThreadCount="4" 
> maxKeepAliveRequests="-1" enableLookups="false"
> disableUploadTimeout="true" connectionTimeout="2" />
> 
> I use wrk, the currentThreadsBusy is higher than the value in ab
> testing, but most of time is less than 40.
> 
> ./wrk -t100 -c 100 -d 10s http://10.211.55.4:8080/

I've never used wrk. How many CPU cores does your load-generating
computer have?

> For APR connector, will it get one thread from the poll to deal
> with each request?

For both NIO/2 and APR, you'll have one accepter thread (4 in your
case) and one poller thread for many (400 in your case)
request-processing threads.

It's possible that your server is handling the requests fast enough
that they never pile-up enough to use more than 40 threads.

Congratulations: you can handle the load you are putting on the server.
:)

-chris

> 2017-03-08 22:45 GMT+08:00 Christopher Schultz
> > :
> 
> Linbo,
> 
> On 3/7/17 10:14 PM, linbo liao wrote:
>> I setup local environment to test Tomcat monitor.
>>
>> The Environment:
>>
>> Tomcat: 8.5.5 VM: Ubuntu 14.04.1 LTS HTTP PORT: 8080 IP:
>> 10.211.55.4
>>
>> Tomcat use APR connector, I test the tomcat via ab command,
>> find JMX currentThreadsBusy < 10 all of the time.
>>
>> ab -n 10 -c 100 10.211.55.4:8080/
>>
>> I tried to search the reason but without the result. For BIO
>> each thread to handle one connection, so currentThreadsBusy
>> can show the performance of tomcat.
>>
>> But for APR connector, what's the meaning of
>> currentThreadsBusy?
> 
> Please post your  configuration.
> 
> It seems that ab isn't a very good load-generator for several
> reasons. But you should be able to get more than Java 10 threads
> working at a time.
> 
> You are probably expecting ~100 threads busy at all times, right?
> 
> -chris



Re: Logging TLS Session Failures

2017-03-09 Thread Jammy Chen
If you are using JSSE which you mentioned in earlier post, you probably can
only enable debug for all or specially one
-Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake - but it
will log all sessions

You could try to register a customized SSL socket factory in JSSE, you may
extend the default sun impl to overwrite the method, catch the exception
and log the failure, and throw it.

2017-03-09 20:04 GMT+08:00 Durga Srinivasu Karuturi <
durgasriniv...@gmail.com>:

> Our application meaning on RHEL machine within JVM with embedded tomcat
> (with single web-app)
>
> Okay, tomcat may not have this information on handshake failures.
>
> I need to see little higher level for capturing these failures.
>
> Thanks for answers so far.
>
> Thanks,
> Durga Srinivasu
>
> On Thu, Mar 9, 2017 at 3:44 PM, André Warnier (tomcat) 
> wrote:
>
> > On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:
> >
> >> This is one of the requirement from FIPS/CC certification.
> >>
> >> Thanks,
> >> Durga Srinivasu
> >>
> >>
> > Durga,
> >
> > I believe that in your original post, you said :
> > "We have a requirement in our application to log all TLS session
> > failures."
> >
> > You should probably have another look at the precise requirements, and the
> > exact definition of "our application".
> > Because it may be that the requirements are wrong, as far as you are
> > concerned.
> >
> > It depends on what is included in "our application".
> > In the java servlet container (like Tomcat) terminology, an "application"
> > is a webapp.
> > A webapp runs inside a servlet container.
> > The servlet container (here Tomcat) runs inside a java JVM.
> > The java JVM runs inside an OS.
> > The OS runs inside a host.
> >
> > In that hierarchy, a webapp only sees a request, when the servlet
> > container has received this request on one of its ports, and "delegates"
> > the request to the webapp.
> > By that time, the webapp does not even know through which interface the
> > request came in, nor if that interface required HTTP, HTTPS or whatever
> > other communications protocol.
> > And if a TLS connection from a browser failed, the webapp is not even
> > called, so it does not know anything about it.
> > Of course the webapp cannot log a failure, if it is never called when that
> > failure happens.
> >
> > To move one level up : if a TLS connection from a browser fails, Tomcat
> > probably never even sees that (because the connection never reaches
> > Tomcat). So Tomcat cannot log this failure either. Tomcat is just telling
> > some underlying layer of software (in the JVM, in the OS, or in some
> > external library), what kind of connections to accept. But it does  not
> > manage these connections, it just "gets" a connection when it succeeds.
> >
> > So if you (your team, your company) is responsible for providing the whole
> > service, including the host, the OS, the JVM, the servlet container, and
> > the webapp inside it, then the requirement may make sense. And then you
> > have to look for the component, at the right level, which can provide that
> > information. (But it is not the webapp, and it is not Tomcat).
> >
> > At the other extreme, if you are providing only the web application, then
> > the requirement does not make sense /for you/, because it is impossible.
> > It is not that it does not make sense in general, but "as part of the
> > webapp" it does not make sense.
> >
> > And that is what Christopher is also telling you (in a lot less words).
> >
> >
> >
> > On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>>
> >>> Durga,
> >>>
> >>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
> >>>
> >>>> We are using JSSE only not APR. Looking for handshake failures.
> >>>>
> >>>> Yes, using JSSE SSL debug, we are able to get all handshake
> >>>> (-Djavax.net.debug=ssl:handshake) logs including success cases.
> >>>> These are still quite bit expense logs and meant for debug
> >>>> purposes. As you said it might impact performance that's the
> >>>> reason, trying for any other optimal solution here.
> 
> >>>
> >>> I know of no way to be notified about handshake failures on the server
> >>> side. You may not be able to fulfill this requirement if using Java
> >>> for your crypto.
> >>>
> >>> Honestly, I'm not sure why you care about failed TLS handshakes. Are
> >>> you trying to implement a NIDS in your application? This is
> >>> better-handled by a network component specifically-designed for this
> >>> kind of thing.
> >>>
> >>> -chris

[ANN] TomcatCon schedule announced

2017-03-09 Thread Mark Thomas
All,

I am delighted to announce that the schedule for TomcatCon has been
published:

https://apachecon2017.sched.com/overview/type/TomcatCon

Registration is open at:

http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-

with early bird pricing ($600) through Sunday 12th March saving 25% on
the standard registration fee.

Note that registration for TomcatCon includes access to ApacheCon and
Apache Big Data.

See you in Miami!

Mark




What is the correct way to use scanManifest

2017-03-09 Thread Hoa Phan
Hi,

I see that since 8.0.38 we added a scanManifest props to JarScanner.
But when I added the props
into: container/tomcat8x/apache-tomcat-8.0.38/conf/context.xml


WEB-INF/web.xml
${catalina.base}/conf/web.xml








It doesn't work and the prop is still true on startup:

​
Must I put this in the context.xml of the webapp itself. I deploy the
webapp via a war file and have no control over the war content until tomcat
deploys it which is too late...

Is there any other way for me to turn this off using global config of
tomcat.

Thanks much.

Regards,

Hoa Phan


Re: Logging TLS Session Failures

2017-03-09 Thread Durga Srinivasu Karuturi
Our application meaning on RHEL machine within JVM with embedded tomcat
(with single web-app)

Okay, tomcat may not have this information on handshake failures.

I need to see little higher level for capturing these failures.

Thanks for answers so far.

Thanks,
Durga Srinivasu

On Thu, Mar 9, 2017 at 3:44 PM, André Warnier (tomcat) 
wrote:

> On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:
>
>> This is one of the requirement from FIPS/CC certification.
>>
>> Thanks,
>> Durga Srinivasu
>>
>>
> Durga,
>
> I believe that in your original post, you said :
> "We have a requirement in our application to log all TLS session failures."
>
> You should probably have another look at the precise requirements, and the
> exact definition of "our application".
> Because it may be that the requirements are wrong, as far as you are
> concerned.
>
> It depends on what is included in "our application".
> In the java servlet container (like Tomcat) terminology, an "application"
> is a webapp.
> A webapp runs inside a servlet container.
> The servlet container (here Tomcat) runs inside a java JVM.
> The java JVM runs inside an OS.
> The OS runs inside a host.
>
> In that hierarchy, a webapp only sees a request, when the servlet
> container has received this request on one of its ports, and "delegates"
> the request to the webapp.
> By that time, the webapp does not even know through which interface the
> request came in, nor if that interface required HTTP, HTTPS or whatever
> other communications protocol.
> And if a TLS connection from a browser failed, the webapp is not even
> called, so it does not know anything about it.
> Of course the webapp cannot log a failure, if it is never called when that
> failure happens.
>
> To move one level up : if a TLS connection from a browser fails, Tomcat
> probably never even sees that (because the connection never reaches
> Tomcat). So Tomcat cannot log this failure either. Tomcat is just telling
> some underlying layer of software (in the JVM, in the OS, or in some
> external library), what kind of connections to accept. But it does not
> manage these connections, it just "gets" a connection when it succeeds.
>
> So if you (your team, your company) is responsible for providing the whole
> service, including the host, the OS, the JVM, the servlet container, and
> the webapp inside it, then the requirement may make sense. And then you
> have to look for the component, at the right level, which can provide that
> information. (But it is not the webapp, and it is not Tomcat).
>
> At the other extreme, if you are providing only the web application, then
> the requirement does not make sense /for you/, because it is impossible.
> It is not that it does not make sense in general, but "as part of the
> webapp" it does not make sense.
>
> And that is what Christopher is also telling you (in a lot less words).
>
>
>
> On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>>
>>> Durga,
>>>
>>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
>>>
>>>> We are using JSSE only not APR. Looking for handshake failures.
>>>>
>>>> Yes, using JSSE SSL debug, we are able to get all handshake
>>>> (-Djavax.net.debug=ssl:handshake) logs including success cases.
>>>> These are still quite bit expense logs and meant for debug
>>>> purposes. As you said it might impact performance that's the
>>>> reason, trying for any other optimal solution here.
>>>
>>> I know of no way to be notified about handshake failures on the server
>>> side. You may not be able to fulfill this requirement if using Java
>>> for your crypto.
>>>
>>> Honestly, I'm not sure why you care about failed TLS handshakes. Are
>>> you trying to implement a NIDS in your application? This is
>>> better-handled by a network component specifically-designed for this
>>> kind of thing.
>>>
>>> - -chris
>>>
>>> 

Re: Logging TLS Session Failures

2017-03-09 Thread tomcat

On 09.03.2017 09:34, Durga Srinivasu Karuturi wrote:

> This is one of the requirement from FIPS/CC certification.
>
> Thanks,
> Durga Srinivasu



Durga,

I believe that in your original post, you said :
"We have a requirement in our application to log all TLS session failures."

You should probably have another look at the precise requirements, and the exact definition
of "our application".

Because it may be that the requirements are wrong, as far as you are concerned.

It depends on what is included in "our application".
In the java servlet container (like Tomcat) terminology, an "application" is a 
webapp.
A webapp runs inside a servlet container.
The servlet container (here Tomcat) runs inside a java JVM.
The java JVM runs inside an OS.
The OS runs inside a host.

In that hierarchy, a webapp only sees a request, when the servlet container has received 
this request on one of its ports, and "delegates" the request to the webapp.
By that time, the webapp does not even know through which interface the request came in, 
nor if that interface required HTTP, HTTPS or whatever other communications protocol.
And if a TLS connection from a browser failed, the webapp is not even called, so it does 
not know anything about it.

Of course the webapp cannot log a failure, if it is never called when that 
failure happens.

To move one level up : if a TLS connection from a browser fails, Tomcat probably never 
even sees that (because the connection never reaches Tomcat). So Tomcat cannot log this 
failure either. Tomcat is just telling some underlying layer of software (in the JVM, in 
the OS, or in some external library), what kind of connections to accept. But it does not
manage these connections, it just "gets" a connection when it succeeds.


So if you (your team, your company) is responsible for providing the whole service, 
including the host, the OS, the JVM, the servlet container, and the webapp inside it, then 
the requirement may make sense. And then you have to look for the component, at the right 
level, which can provide that information. (But it is not the webapp, and it is not Tomcat).


At the other extreme, if you are providing only the web application, then the requirement 
does not make sense /for you/, because it is impossible.
It is not that it does not make sense in general, but "as part of the webapp" it does not 
make sense.


And that is what Christopher is also telling you (in a lot less words).



> On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>

>> Durga,
>>
>> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
>>
>>> We are using JSSE only not APR. Looking for handshake failures.
>>>
>>> Yes, using JSSE SSL debug, we are able to get all handshake
>>> (-Djavax.net.debug=ssl:handshake) logs including success cases.
>>> These are still quite bit expense logs and meant for debug
>>> purposes. As you said it might impact performance that's the
>>> reason, trying for any other optimal solution here.
>>
>> I know of no way to be notified about handshake failures on the server
>> side. You may not be able to fulfill this requirement if using Java
>> for your crypto.
>>
>> Honestly, I'm not sure why you care about failed TLS handshakes. Are
>> you trying to implement a NIDS in your application? This is
>> better-handled by a network component specifically-designed for this
>> kind of thing.
>>
>> - -chris
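The layering argument in the message above (a failed handshake is only visible to the component that terminates TLS), as an added example that is not from this thread or from Tomcat: a standalone JSSE endpoint, outside any servlet container, whose own accept path calls startHandshake() and logs the exception. The class name, the logger name and the keyless default context used to force a failure are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.logging.Logger;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added illustration: the code that owns the TLS socket is the layer that can log a failed handshake. */
public class HandshakeFailureLogger {
    private static final Logger AUDIT = Logger.getLogger("tls.audit"); // hypothetical logger name

    /** Completes the handshake on an accepted connection; logs and returns false when it fails. */
    static boolean handshake(SSLSocket peer) {
        try {
            peer.startHandshake();
            return true;
        } catch (IOException e) { // SSLHandshakeException and other SSLExceptions are IOExceptions
            AUDIT.warning("TLS handshake failed peer=" + peer.getRemoteSocketAddress()
                    + " error=" + e.getClass().getSimpleName() + " reason=" + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed failure case: with no javax.net.ssl.keyStore configured, the default
        // server factory has no key material, so every handshake is rejected on the server side.
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket)
                ssf.createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            int port = server.getLocalPort();
            Thread client = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault()
                        .createSocket(InetAddress.getLoopbackAddress(), port)) {
                    s.startHandshake();
                } catch (IOException expected) {
                    // The client only receives an alert; the audit record is written by the server.
                }
            });
            client.start();
            try (SSLSocket peer = (SSLSocket) server.accept()) {
                System.out.println("handshake ok: " + handshake(peer));
            }
            client.join();
        }
    }
}
```

A webapp deployed behind this endpoint would never be invoked for the rejected connection, which is why the audit record has to be produced at this level.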



Re: Logging TLS Session Failures

2017-03-09 Thread Durga Srinivasu Karuturi
This is one of the requirement from FIPS/CC certification.

Thanks,
Durga Srinivasu

On Wed, Mar 8, 2017 at 11:03 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Durga,
>
> On 3/8/17 10:02 AM, Durga Srinivasu Karuturi wrote:
> > We are using JSSE only not APR. Looking for handshake failures.
> >
> > Yes, using JSSE SSL debug, we are able to get all handshake
> > (-Djavax.net.debug=ssl:handshake) logs including success cases.
> > These are still quite bit expense logs and meant for debug
> > purposes. As you said it might impact performance that's the
> > reason, trying for any other optimal solution here.
>
> I know of no way to be notified about handshake failures on the server
> side. You may not be able to fulfill this requirement if using Java
> for your crypto.
>
> Honestly, I'm not sure why you care about failed TLS handshakes. Are
> you trying to implement a NIDS in your application? This is
> better-handled by a network component specifically-designed for this
> kind of thing.
>
> - -chris