Re: Typo in my previous post, Re: Protecting files within a context

2017-08-24 Thread Bob Hall
On Thursday, August 24, 2017 5:48 PM, Bob Hall wrote:
Yahoo auto-munged the URL, it should be:
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html


- Bob

Re: Typo in my previous post, Re: Protecting files within a context

2017-08-24 Thread Bob Hall
 

On Thursday, August 24, 2017 5:29 PM, James H. H. Lampert wrote:
> Cache and cookies both cleared, all the way back, and the context 
> that theoretically should be presenting a sign-on dialog for the 
> forbidden pages still serves an immediate 403 page instead.


I don't use Tomcat's Realms for AuthN/AuthZ; the cookie clearing suggestion was 
a bit of a guess.
Does your app's web.xml include a  element?
Apache Tomcat 8 (8.0.46) - Realm Configuration HOW-TO

- Bob




   

Re: Typo in my previous post, Re: Protecting files within a context

2017-08-24 Thread James H. H. Lampert

On 8/24/17, 5:18 PM, Bob Hall wrote:

If you successfully logged in previously, I suggest you check your browser for 
any cookies that were created at that time.  You will probably need to remove 
them before the login challenge will be presented.
- Bob


Well, I can try explicitly clearing cookies, but the only thing on the 
Tomcat server in question that currently uses "basic" sign-on is 
manager, and whenever I shut down my browser and restart it from 
scratch, I *always* get a sign-on dialog if I go to Manager.


There. Cache and cookies both cleared, all the way back, and the context 
that theoretically should be presenting a sign-on dialog for the 
forbidden pages still serves an immediate 403 page instead.


--
JHHL


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Typo in my previous post, Re: Protecting files within a context

2017-08-24 Thread Bob Hall
James,

On Thursday, August 24, 2017 4:58 PM, James H. H. Lampert wrote:
 
>> This is interesting:
>>
>> I added this (contents of web-resource-collection omitted) to the top of
>> the context's web.inf, right below the "web-app" and "display-name" tags:
>>
>>>      
>> . . .
>>>      
>>>      
>>> 
>. . .
>
> Of course, I meant to say, ". . . the context's WEB-INF/web.xml"
> 
> Oops. The question in my previous post still stands: why is it that when 
> I change the above to an auth-constraint that *should* produce a 
> password dialog, am I still going straight to a 403 page?
If you successfully logged in previously, I suggest you check your browser for 
any cookies that were created at that time.  You will probably need to remove 
them before the login challenge will be presented.
- Bob
   

Typo in my previous post, Re: Protecting files within a context

2017-08-24 Thread James H. H. Lampert

On 8/24/17, 4:29 PM, I wrote:

This is interesting:

I added this (contents of web-resource-collection omitted) to the top of
the context's web.inf, right below the "web-app" and "display-name" tags:


 

. . .

 
 


. . .

Of course, I meant to say, ". . . the context's WEB-INF/web.xml"

Oops. The question in my previous post still stands: why is it that when 
I change the above to an auth-constraint that *should* produce a 
password dialog, am I still going straight to a 403 page?


--
JHHL





Re: Protecting files within a context

2017-08-24 Thread James H. H. Lampert

This is interesting:

I added this (contents of web-resource-collection omitted) to the top of 
the context's web.inf, right below the "web-app" and "display-name" tags:



 

. . .

 
 



and restarted the context, and as advertised, all requests for anything 
that matched the url-pattern tags in the web-resource-collection were 
rebuffed with a default 403 message page. So far, so good.


But because I figured there was at least a remote possibility that there 
might be reason to grant some people web access to the forbidden 
resources, I tried another variation:


>  
. . .
>  
>  frobozz
> 

(note: "frobozz" is unknown to tomcat-users.xml). After restarting the 
context, there was no change in behavior: no sign-on dialog; just 
straight to a default 403 page.


I tried adding this to the web resource collection:


 GET
 POST


and adding this right below it:



 BASIC
 FOOBAR



 frobozz



(note: there are, so far as I'm aware, no references to "FOOBAR" 
anywhere on this particular Tomcat server). Again, after restarting the 
context with this change in place, no change in behavior: it still 
immediately serves a 403 page.


I looked over the web.xml in "manager," and I don't see a whole lot 
that's structurally different.


Any idea what I could be doing wrong?

--
JHHL




Re: Protecting files within a context

2017-08-24 Thread Mark Thomas
On 24/08/17 22:26, James H. H. Lampert wrote:
> On 8/24/17, 12:52 PM, Mark Thomas wrote:
>> I can't recommend reading chapter 13 of the servlet spec, particularly
>> section 13.8, enough.
> 
> Thanks again.
> 
> Could you be a bit more specific on what edition of the servlet spec,
> and where I can find it?
> 
> The first one I grabbed ("Java Servlet Specification Version 2.4") is
> over a decade old, and doesn't *have* a section 13.8.

Latest released version:

https://jcp.org/en/jsr/detail?id=340

Servlet 4.0 is due out fairly soon but doesn't change any of the stuff
we are talking about in this thread.

Mark




Re: a question about tomcat thread

2017-08-24 Thread Mark Thomas
On 24/08/17 21:39, Christopher Schultz wrote:
> Mark,
> On 8/23/17 4:26 PM, Mark Thomas wrote:
>> On 23/08/17 21:17, Christopher Schultz wrote:



>>> Max threads >= current thread count
>>> Current thread count >= current thread busy
>>> Current thread count >= Keeped alive sockets count
> 
>> That is true for BIO, but not for any of the other connections
>> which are all non-blocking between requests. With those connectors
>> you can have up to maxConnections open sockets in HTTP keep-alive
>> waiting for data to arrive.
> 
> Yes, but the keep-alive connections are not using a thread from any
> pool. It's not clear to me whether "keeped alive sockets count"
> actually counts the sockets or the threads. I don't use the manager
> application for anything other than JMX :)

I'd assumed sockets rather than threads but I don't know for sure.

/me goes to look at source code...

It is sockets.

Mark




Re: Protecting files within a context

2017-08-24 Thread Bob Hall
 James,

On Thursday, August 24, 2017 2:26 PM, James H. H. Lampert wrote:
 
> Could you be a bit more specific on what edition of the servlet spec, 
and where I can find it?

> The first one I grabbed ("Java Servlet Specification Version 2.4") is 
over a decade old, and doesn't *have* a section 13.8.

https://www.google.com/search?q=servlet+spec+section+13.8&oq=servlet+spec+section+13.8&aqs=chrome..69i57.7134j0j1&sourceid=chrome&ie=UTF-8

   

Re: Protecting files within a context

2017-08-24 Thread James H. H. Lampert

On 8/24/17, 12:52 PM, Mark Thomas wrote:

I can't recommend reading chapter 13 of the servlet spec, particularly
section 13.8, enough.


Thanks again.

Could you be a bit more specific on what edition of the servlet spec, 
and where I can find it?


The first one I grabbed ("Java Servlet Specification Version 2.4") is 
over a decade old, and doesn't *have* a section 13.8.


--
JHHL




Re: letsencrypt integration?

2017-08-24 Thread Chris Cheshire
On Thu, Aug 24, 2017 at 4:29 PM, Christopher Schultz wrote:
>
>
> Chris,
>
> On 8/24/17 4:03 PM, Chris Cheshire wrote:
> > Cheers :)
> >
> > On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas 
> > wrote:
> >
> >> On 24/08/17 19:50, Chris Cheshire wrote:
> >>> Currently I am using httpd to handle SSL (because my certs are
> >>> generated via LE) with all content being passed off to Tomcat 7
> >>> (investigating 8.5 upgrade).
> >>>
> >>> I had a poke around on the archives and found mention of a talk
> >>> on it in
> >> a
> >>> conference in Miami.
> >>>
> >>> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
> >> certificates-tt5059619.html#a5059673
> >>>
> >>> Did this happen? I looked in the Tomcat youtube channel and
> >>> found a
> >> handful
> >>> of videos from there, but nothing on LE. Is it something that
> >>> is still in the "we'd like to find time to do it, but don't
> >>> know who or when" phase,
> >> or
> >>> something that is being worked on for Tomcat 9?
> >>
> >> We only had video for the final day in Miami. But we have audio
> >> for the others.
> >>
> >> http://tomcat.apache.org/presentations.html
>
> There are two items here:
>
> 1. Can Tomcat be configured and scripted for LE (pretty easy)
> 2. Tomcat can (with caveats) reload the certificate store
>
> I have not made any progress on #2. The Tomcat/LE presentation in the
> above link mentions we'll be trying to implement seamless reloading,
> but it's not done, yet. The presentation shows you how to reload it in
> a potentially disruptive way (because the connector is stopped and
> re-started, killing any in-flight requests).
>
> So it's not great, but it IS possible.
>
> - -chris


Just finished listening to your audio and following the slides. Thank
you for making these available.

Tomcat 9.0 supports .pem files, correct? What about 8.5? (I am still
using 7 and working on upgrading). With this support, does this mean
we would just reference the files certbot produces without repackaging
them into a JKS?


Chris




Re: a question about tomcat thread

2017-08-24 Thread Christopher Schultz

Mark,

On 8/23/17 4:26 PM, Mark Thomas wrote:
> On 23/08/17 21:17, Christopher Schultz wrote:
>> To whom it may concern,
>> 
>> On 8/22/17 10:28 PM, ophusky wrote:
>>> Server version: Apache Tomcat/8.0.35
>>> Server built:   May 11 2016 21:57:08 UTC
>>> Server number:  8.0.35.0
>>> OS Name:        Linux
>>> OS Version:     3.2.35
>>> Architecture:   amd64
>>> JVM Version:    1.8.0_45-b14
>>> JVM Vendor:     Oracle Corporation
>> 
>> Thanks!
>> 
>>> 1. [root@app41 manager]# curl -s http://127.0.0.1/manager/status |grep -P -o 'Max threads:.*? '
>>> Max threads: 700 Current thread count: 478 Current thread busy: 17 Keeped alive sockets count: 5
>>> 2. [root@app41 manager]# pgrep jsvc
>>> 25446
>>> 25447
>>> [root@app41 manager]# ps -Lf 25447 | wc -l
>>> 541
>> 
>> Okay.
>> 
>>> I want to figure out the meaning of "Current thread count" 
>>> "Current thread busy" "Keeped alive sockets count" and
>>> relationship between 1 and 2.
>> 
>> Max threads >= current thread count
>> Current thread count >= current thread busy
>> Current thread count >= Keeped alive sockets count
> 
> That is true for BIO, but not for any of the other connections
> which are all non-blocking between requests. With those connectors
> you can have up to maxConnections open sockets in HTTP keep-alive
> waiting for data to arrive.

Yes, but the keep-alive connections are not using a thread from any
pool. It's not clear to me whether "keeped alive sockets count"
actually counts the sockets or the threads. I don't use the manager
application for anything other than JMX :)

- -chris



Re: letsencrypt integration?

2017-08-24 Thread Christopher Schultz

Chris,

On 8/24/17 4:03 PM, Chris Cheshire wrote:
> Cheers :)
> 
> On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas 
> wrote:
> 
>> On 24/08/17 19:50, Chris Cheshire wrote:
>>> Currently I am using httpd to handle SSL (because my certs are
>>> generated via LE) with all content being passed off to Tomcat 7
>>> (investigating 8.5 upgrade).
>>> 
>>> I had a poke around on the archives and found mention of a talk
>>> on it in
>> a
>>> conference in Miami.
>>> 
>>> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
>> certificates-tt5059619.html#a5059673
>>> 
>>> Did this happen? I looked in the Tomcat youtube channel and
>>> found a
>> handful
>>> of videos from there, but nothing on LE. Is it something that
>>> is still in the "we'd like to find time to do it, but don't
>>> know who or when" phase,
>> or
>>> something that is being worked on for Tomcat 9?
>> 
>> We only had video for the final day in Miami. But we have audio
>> for the others.
>> 
>> http://tomcat.apache.org/presentations.html

There are two items here:

1. Can Tomcat be configured and scripted for LE (pretty easy)
2. Tomcat can (with caveats) reload the certificate store

I have not made any progress on #2. The Tomcat/LE presentation in the
above link mentions we'll be trying to implement seamless reloading,
but it's not done, yet. The presentation shows you how to reload it in
a potentially disruptive way (because the connector is stopped and
re-started, killing any in-flight requests).

So it's not great, but it IS possible.

- -chris



Re: Protecting files within a context

2017-08-24 Thread tomcat

On 24.08.2017 21:43, James H. H. Lampert wrote:

On 8/24/17, 11:35 AM, Mark Thomas wrote:


Tomcat will prevent access to anything in WEB-INF or META_INF.
Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and
Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.


Thanks. I've just discovered security constraints, along with some material on
StackExchange's ServerFault board demonstrating how to create them. It's taken
a very large load off my back.

So far, I've only scratched the surface of the subject.


There seems to be a good explanation here :
https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html



Am I correct in understanding that a security constraint in a context's web.inf
only blocks access from outside? That the webapp itself still has full access to
the information?


As long as the webapp's way of accessing this data is via some local file access method, 
yes. (I mean "open file; read from it; close file"). That's the webapp doing it, and 
Tomcat doesn't even know about it, so Tomcat will not prevent it.

(These files' ownership and permissions may still prevent it).



And that if I give it a role name that hasn't been given to anybody in
tomcat-users.xml, then nobody can get in at all? Can I set up a security
constraint to just unconditionally deny all outside access, without even
offering a sign-on dialog?



According to that same document mentioned above :
"If there is an authorization constraint but no roles are specified within it, the 
container will not allow access to constrained requests under any circumstances."


The one problem that I see with this, is that you need a "positive" defense to protect 
these files : you need to specify a URL-pattern that applies to the files which you want 
to forbid (and which does not apply to the ones you want to leave accessible, like your 
real JSP (or HTML) pages).

That means that any file that is NOT covered by your URL pattern, is left 
accessible.
In a security-conscious way, it should be the opposite : anything which you do not 
explicitly specify as accessible, should be non-accessible.
(Because even if you specify a correct pattern now, covering all the files 
not-to-be-accessible, it is always possible for someone to put a file there later (and 
carelessly), which does not match that pattern, and would ipso-facto be accessible again).


If you want better security, then do as Mark said, and put the files under webapp/WEB-INF/ 
or webapp/META-INF/, where *by default* they are not accessible. And modify the webapp to 
search for them there.


It is also more efficient that way, because Tomcat does not have to start evaluating 
security-constraints, and match the filenames with URL patterns (and neither do you). 
Tomcat already, by default, checks each request URL to see if it contains /WEB-INF/ or 
/META-INF/, and if it does, it is automatically NO, without looking any further.







Re: [ANN] Webinar: Tomcat and MoSKito

2017-08-24 Thread Johanes Soetanto
On 25 Aug. 2017 5:57 am, "Igal @ Lucee.org"  wrote:

On 8/24/2017 12:55 PM, Mark Thomas wrote:

> On 03/08/17 15:18, Mark Thomas wrote:
>
>> The webinar will be recorded and the recording made available on the
>> Tomcat YouTube channel shortly afterwards.
>>
> As promised:
>
> https://www.youtube.com/watch?v=5RCkx-hGK1Q
>
> on the Apache Tomcat YouTube channel:
>
> https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
>

Awesome, thank you!

Indeed, thank you. Was planning to join but such weird time specially for
AEST.


Igal Sapir
Lucee Core Developer
Lucee.org 


Re: letsencrypt integration?

2017-08-24 Thread Chris Cheshire
Cheers :)

On Thu, Aug 24, 2017 at 3:35 PM, Mark Thomas  wrote:

> On 24/08/17 19:50, Chris Cheshire wrote:
> > Currently I am using httpd to handle SSL (because my certs are generated
> > via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> > upgrade).
> >
> > I had a poke around on the archives and found mention of a talk on it in
> a
> > conference in Miami.
> >
> > http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-
> certificates-tt5059619.html#a5059673
> >
> > Did this happen? I looked in the Tomcat youtube channel and found a
> handful
> > of videos from there, but nothing on LE. Is it something that is still in
> > the "we'd like to find time to do it, but don't know who or when" phase,
> or
> > something that is being worked on for Tomcat 9?
>
> We only had video for the final day in Miami. But we have audio for the
> others.
>
> http://tomcat.apache.org/presentations.html
>
> Mark
>
>
>


Re: [ANN] Webinar: Tomcat and MoSKito

2017-08-24 Thread Igal @ Lucee.org

On 8/24/2017 12:55 PM, Mark Thomas wrote:

On 03/08/17 15:18, Mark Thomas wrote:

The webinar will be recorded and the recording made available on the
Tomcat YouTube channel shortly afterwards.

As promised:

https://www.youtube.com/watch?v=5RCkx-hGK1Q

on the Apache Tomcat YouTube channel:

https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g


Awesome, thank you!

Igal Sapir
Lucee Core Developer
Lucee.org 



Re: [ANN] Webinar: Tomcat and MoSKito

2017-08-24 Thread Mark Thomas
On 03/08/17 15:18, Mark Thomas wrote:
> All,
> 
> The Tomcat community is hosting a webinar by Leon Rosenberg:
> 
> Monitoring your tomcat web-application in production with MoSKito. Get
> full control of threads, memory and execution time usage of the JVM and
> your code.
> 
> Topic: Tomcat and MoSKito
> Time: Aug 24, 2017 14:00 UTC
>15:00 London, Dublin
>16:00 Amsterdam, Berlin, Rome, Stockholm, Vienna
> 
> Join from PC, Mac, Linux, iOS or Android:
> https://pivotal.zoom.us/j/949439493
> 
> The webinar will be recorded and the recording made available on the
> Tomcat YouTube channel shortly afterwards.

As promised:

https://www.youtube.com/watch?v=5RCkx-hGK1Q

on the Apache Tomcat YouTube channel:

https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g

Thanks once again to Leon for presenting this. It was an excellent session.

Mark




Re: Protecting files within a context

2017-08-24 Thread Mark Thomas
On 24/08/17 20:43, James H. H. Lampert wrote:
> On 8/24/17, 11:35 AM, Mark Thomas wrote:
> 
>> Tomcat will prevent access to anything in WEB-INF or META_INF.
>> Everything else is up to the app to control.
>>
>> Note: You can place content in WEB-INF and include it from JSPs and
>> Servlets (and it will work) but direct access will not.
>>
>> You might want to take a look in the Servlet spec for security
>> constraints.
> 
> Thanks. I've just discovered security constraints, along with some
> material on StackExchange's ServerFault board demonstrating how to
> create them. It's taken a very large load off my back.
> 
> So far, I've only scratched the surface of the subject.
> 
> Am I correct in understanding that a security constraint in a context's
> web.inf only blocks access from outside? That the webapp itself still
> has full access to the information?

Correct.

> And that if I give it a role name that hasn't been given to anybody in
> tomcat-users.xml, then nobody can get in at all?

Yes, but even simpler (and with the intention clearer):



means deny all access.

> Can I set up a security
> constraint to just unconditionally deny all outside access, without even
> offering a sign-on dialog?

If you use the syntax above, yes. Tomcat will return a 403 in this case.

If you specify a role no user has, you'll get an authentication dialogue.

I can't recommend reading chapter 13 of the servlet spec, particularly
section 13.8, enough.

Mark

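The three constraint shapes discussed in this thread (an empty auth-constraint that denies outright, a role such as "frobozz" that no user holds, and a web-resource-collection that lists only GET and POST) can be checked against a list of request paths with the matching rules of servlet spec chapter 13, section 13.8. The script below is an added example, not code from the list or from Tomcat; the web.xml, the sample paths and all function names are constructed for it, and the report shows the gap raised later in the thread, that every path (or HTTP method) no pattern covers stays reachable.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for this example (not from the thread). Three constraints:
#   /secret/* and *.properties : empty <auth-constraint/> -> always denied, no login
#   /admin/*                   : role "frobozz", held by nobody -> login challenge
#   /upload/*                  : only GET and POST listed -> other methods uncovered
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-all</web-resource-name>
      <url-pattern>/secret/*</url-pattern><url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>frobozz</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>upload</web-resource-name>
      <url-pattern>/upload/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>frobozz</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""

# Constructed request paths to audit; /index.jsp and /notes/todo.txt match no pattern.
SAMPLE_PATHS = ["/index.jsp", "/secret/plan.txt", "/config/db.properties",
                "/notes/todo.txt", "/admin/users.jsp", "/upload/form.jsp",
                "/WEB-INF/web.xml"]


def load_constraints(xml_text):
    """One entry per web-resource-collection: its patterns, the HTTP methods it names
    (empty list = every method) and the roles of the enclosing constraint
    (None = no auth-constraint element at all, [] = empty auth-constraint)."""
    root = ET.fromstring(xml_text)
    entries = []
    for sc in root.findall("{*}security-constraint"):
        ac = sc.find("{*}auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("{*}role-name")]
        for wrc in sc.findall("{*}web-resource-collection"):
            entries.append({
                "patterns": [p.text.strip() for p in wrc.findall("{*}url-pattern")],
                "methods": [m.text.strip().upper() for m in wrc.findall("{*}http-method")],
                "roles": roles,
            })
    return entries


def match_score(pattern, path):
    """Servlet-spec URL matching: exact > longest path prefix > extension > default "/".
    Returns a comparable score tuple, or None when the pattern does not match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))
    if pattern == "/":
        return (0, 0)
    return None


def evaluate(entries, method, path):
    """Outcome for METHOD PATH: 'blocked' (WEB-INF/META-INF, refused before constraints
    are consulted), 'deny' (empty auth-constraint: 403 without a login challenge),
    ('auth', roles) (challenge, then role check), 'permit' or 'uncovered'."""
    if path.upper().startswith(("/WEB-INF/", "/META-INF/")):
        return "blocked"
    scored = [(match_score(p, path), p) for e in entries for p in e["patterns"]]
    scored = [s for s in scored if s[0] is not None]
    if not scored:
        return "uncovered"   # no pattern matches: the file is served as-is
    best = max(scored)[1]
    applicable = [e for e in entries if best in e["patterns"]
                  and (not e["methods"] or method.upper() in e["methods"])]
    if not applicable:
        return "uncovered"   # pattern matched, but this HTTP method is not listed
    # Combination rules of section 13.8.1: an empty auth-constraint overrides everything,
    # a constraint without auth-constraint grants unauthenticated access, otherwise the
    # permitted roles are the union of the named roles.
    if any(e["roles"] == [] for e in applicable):
        return "deny"
    if any(e["roles"] is None for e in applicable):
        return "permit"
    return ("auth", sorted({r for e in applicable for r in e["roles"]}))


def audit(entries, method, paths):
    """Map each path to its outcome; the 'uncovered' ones are what the constraints leave open."""
    return {p: evaluate(entries, method, p) for p in paths}


if __name__ == "__main__":
    constraints = load_constraints(WEB_XML)
    for verb in ("GET", "DELETE"):
        for path, outcome in audit(constraints, verb, SAMPLE_PATHS).items():
            print(f"{verb:6} {path:24} -> {outcome}")
```

Running it lists /index.jsp and /notes/todo.txt as uncovered for every method and /upload/form.jsp as uncovered for DELETE, which is the case for keeping sensitive files under WEB-INF rather than relying on patterns.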



Re: Protecting files within a context

2017-08-24 Thread James H. H. Lampert

On 8/24/17, 11:35 AM, Mark Thomas wrote:


Tomcat will prevent access to anything in WEB-INF or META_INF.
Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and
Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.


Thanks. I've just discovered security constraints, along with some 
material on StackExchange's ServerFault board demonstrating how to 
create them. It's taken a very large load off my back.


So far, I've only scratched the surface of the subject.

Am I correct in understanding that a security constraint in a context's 
web.inf only blocks access from outside? That the webapp itself still 
has full access to the information?


And that if I give it a role name that hasn't been given to anybody in 
tomcat-users.xml, then nobody can get in at all? Can I set up a security 
constraint to just unconditionally deny all outside access, without even 
offering a sign-on dialog?


--
JHHL




Re: letsencrypt integration?

2017-08-24 Thread Mark Thomas
On 24/08/17 19:50, Chris Cheshire wrote:
> Currently I am using httpd to handle SSL (because my certs are generated
> via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> upgrade).
> 
> I had a poke around on the archives and found mention of a talk on it in a
> conference in Miami.
> 
> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673
> 
> Did this happen? I looked in the Tomcat youtube channel and found a handful
> of videos from there, but nothing on LE. Is it something that is still in
> the "we'd like to find time to do it, but don't know who or when" phase, or
> something that is being worked on for Tomcat 9?

We only had video for the final day in Miami. But we have audio for the
others.

http://tomcat.apache.org/presentations.html

Mark




Re: letsencrypt integration?

2017-08-24 Thread Martynas Jusevičius
Hi,

we have made a Docker image that configures Tomcat with LE certs:
https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/

It hasn't been tested in production though.

Martynas
atomgraph.com
On Thu, 24 Aug 2017 at 20.50, Chris Cheshire  wrote:

> Currently I am using httpd to handle SSL (because my certs are generated
> via LE) with all content being passed off to Tomcat 7 (investigating 8.5
> upgrade).
>
> I had a poke around on the archives and found mention of a talk on it in a
> conference in Miami.
>
>
> http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673
>
> Did this happen? I looked in the Tomcat youtube channel and found a handful
> of videos from there, but nothing on LE. Is it something that is still in
> the "we'd like to find time to do it, but don't know who or when" phase, or
> something that is being worked on for Tomcat 9?
>


letsencrypt integration?

2017-08-24 Thread Chris Cheshire
Currently I am using httpd to handle SSL (because my certs are generated
via LE) with all content being passed off to Tomcat 7 (investigating 8.5
upgrade).

I had a poke around on the archives and found mention of a talk on it in a
conference in Miami.

http://tomcat.10.x6.nabble.com/Dynamic-reloading-of-SSL-certificates-tt5059619.html#a5059673

Did this happen? I looked in the Tomcat youtube channel and found a handful
of videos from there, but nothing on LE. Is it something that is still in
the "we'd like to find time to do it, but don't know who or when" phase, or
something that is being worked on for Tomcat 9?


Re: Protecting files within a context

2017-08-24 Thread Mark Thomas
On 24/08/17 19:29, James H. H. Lampert wrote:
> I've just discovered that a number of files within our webapp context
> are reachable from outside. Not all of them, but a number that really
> shouldn't be.
> 
> By its nature, the webapp itself has its own access control, based on
> the outside resource it accesses, rather than on, say, tomcat-users.xml
> 
> What controls browser access to static files in a Tomcat context? Where
> can I learn more about this, and how to restrict it?

Tomcat will prevent access to anything in WEB-INF or META_INF.
Everything else is up to the app to control.

Note: You can place content in WEB-INF and include it from JSPs and
Servlets (and it will work) but direct access will not.

You might want to take a look in the Servlet spec for security constraints.

Mark




Protecting files within a context

2017-08-24 Thread James H. H. Lampert
I've just discovered that a number of files within our webapp context 
are reachable from outside. Not all of them, but a number that really 
shouldn't be.


By its nature, the webapp itself has its own access control, based on 
the outside resource it accesses, rather than on, say, tomcat-users.xml


What controls browser access to static files in a Tomcat context? Where 
can I learn more about this, and how to restrict it?


--
JHHL




Re: [ANN] Webinar: Tomcat and MoSKito

2017-08-24 Thread Leon Rosenberg
Thanks Mark!
Leon

> On 24. Aug 2017, at 15:36, Mark Thomas  wrote:
> 
> Final reminder - this will be starting in just over 20 minutes.
> 
> Do join us if you can.
> 
> Mark
> 
> 
>> On 03/08/17 15:18, Mark Thomas wrote:
>> All,
>> 
>> The Tomcat community is hosting a webinar by Leon Rosenberg:
>> 
>> Monitoring your tomcat web-application in production with MoSKito. Get
>> full control of threads, memory and execution time usage of the JVM and
>> your code.
>> 
>> Topic: Tomcat and MoSKito
>> Time: Aug 24, 2017 14:00 UTC
>>   15:00 London, Dublin
>>   16:00 Amsterdam, Berlin, Rome, Stockholm, Vienna
>> 
>> Join from PC, Mac, Linux, iOS or Android:
>> https://pivotal.zoom.us/j/949439493
>> 
>> The webinar will be recorded and the recording made available on the
>> Tomcat YouTube channel shortly afterwards.
>> 
>> Hope to see you there.
>> 
>> Mark
>> 
>> 
> 
> 
> 




Re: [ANN] Webinar: Tomcat and MoSKito

2017-08-24 Thread Mark Thomas
Final reminder - this will be starting in just over 20 minutes.

Do join us if you can.

Mark


On 03/08/17 15:18, Mark Thomas wrote:
> All,
> 
> The Tomcat community is hosting a webinar by Leon Rosenberg:
> 
> Monitoring your tomcat web-application in production with MoSKito. Get
> full control of threads, memory and execution time usage of the JVM and
> your code.
> 
> Topic: Tomcat and MoSKito
> Time: Aug 24, 2017 14:00 UTC
>15:00 London, Dublin
>16:00 Amsterdam, Berlin, Rome, Stockholm, Vienna
> 
> Join from PC, Mac, Linux, iOS or Android:
> https://pivotal.zoom.us/j/949439493
> 
> The webinar will be recorded and the recording made available on the
> Tomcat YouTube channel shortly afterwards.
> 
> Hope to see you there.
> 
> Mark
> 
> 





Re: Tomcat 8.5.15/502: Bad Gateway

2017-08-24 Thread Mark Thomas
On 24/08/17 11:43, Petr Nemecek wrote:
> Hi,
> 
> this error occurs even if I bypass IIS i.e. go directly to Tomcat.
> 
> My requests are SOAP requests, I get the bad gateway error on the client 
> side, then when the processing of the request finishes I could see the following 
> error in Tomcat/stderr.
> 
> com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet caught throwable
>  javax.xml.ws.WebServiceException: com.ctc.wstx.exc.WstxIOException: 
> java.io.IOException: An existing connection was forcibly closed by the remote 
> host

Looks like you need to increase the client timeout.

> What is weird is that when I don't run Tomcat as a service, but just from the 
> command line, I don't get this error.

Indeed. That should have no effect.

Mark


> 
> My startup Options for Tomcat are:
> 
> -Dcatalina.home=c:\tomcat\apache-tomcat-8.5.15-dev
> -Dcatalina.base=c:\tomcat\apache-tomcat-8.5.15-dev
> -Djava.io.tmpdir=c:\tomcat\apache-tomcat-8.5.15-dev\temp
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.util.logging.config.file=c:\tomcat\apache-tomcat-8.5.15-dev\conf\logging.properties
> -Dfile.encoding=utf-8
> -Dorg.apache.cxf.stax.allowInsecureParser=true
> -Djava.rmi.server.hostname=w.x.y.z
> -Dcom.sun.management.jmxremote=true
> -Dcom.sun.management.jmxremote.port=8101
> -Dcom.sun.management.jmxremote.local.only=false
> -Dcom.sun.management.jmxremote.authenticate=false
> -Dcom.sun.management.jmxremote.ssl=false
> 
> Regards,
>  Petr
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Thursday, August 24, 2017 10:04 AM
> To: Tomcat Users List 
> Subject: Re: Tomcat 8.5.15/502: Bad Gateway
> 
> On 24/08/17 08:39, Petr Nemecek wrote:
>> Hello,
>>
>> I have a Tomcat behind IIS, and I get the 502: Bad Gateway error for long 
>> running requests.
>>
>> After some experiments I've found out, that if I use connector 8082 (see 
>> below), I have this problem, but when I switch to 8084 (see below), the 
>> problem disappears. The only difference is that proxyName, proxyPort and 
>> scheme are set in the first connector.
>>
>> Obviously I need both, to have those set and to serve the long running 
>> requests without error... Any idea?
> 
> Those attributes won't make the slightest difference.
> 
> Tomcat has no control over how long IIS gives a request to complete before 
> deciding to return a 502. You should look at your IIS / ISAPI configuration.
> 
> Mark
> 
>>
>> Many thanks,
>>  Petr Nemecek
>>
>> >connectionTimeout="2"
>>redirectPort="8444"
>>URIEncoding="UTF-8"
>>proxyName="www.xyz.eu"
>>proxyPort="80"
>>scheme="http" />
>> 
>> >connectionTimeout="2"
>>redirectPort="8444"
>>URIEncoding="UTF-8" />
>>
>>
>>
>>
> 
> 


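Mark's diagnosis above is that the client, not Tomcat, closes the connection: the SOAP client's read timeout expires while the long-running request is still executing, and when Tomcat finally writes the response the socket is already gone, which is what the quoted "connection was forcibly closed by the remote host" IOException reports. The following is an added example (not code from the thread, and not Tomcat or JAX-WS code) that reproduces the client side of that behaviour against a constructed slow HTTP endpoint on loopback: the same request is issued once with a timeout shorter than the server's processing time and once with a timeout that covers it. The handler, port and sleep duration are assumptions chosen for the demonstration.

```python
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request

# Constructed stand-in for a long-running SOAP endpoint: it sleeps before
# answering, long enough to outlive a short client read timeout.
SLOW_RESPONSE_SECONDS = 1.5


class SlowHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        time.sleep(SLOW_RESPONSE_SECONDS)
        body = b"<ok/>"
        try:
            self.send_response(200)
            self.send_header("Content-Type", "text/xml")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except (BrokenPipeError, ConnectionResetError):
            # The client gave up and closed its socket before the reply was
            # written: the server-side counterpart of the IOException quoted
            # in the thread. A small reply may still fit in the kernel buffer,
            # so this branch is not always reached.
            self.server.aborted += 1

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_slow_server():
    """Start the constructed slow endpoint on an ephemeral loopback port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), SlowHandler)
    srv.aborted = 0
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, timeout):
    """Issue one GET with the given socket timeout.

    Returns ("ok", body) when the reply arrives in time and ("timeout", None)
    when the client abandons the request first. urllib wraps a timeout on
    connect/send in URLError, but a timeout while waiting for the response
    surfaces as socket.timeout directly, so both are handled.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("ok", resp.read())
    except socket.timeout:
        return ("timeout", None)
    except urllib.error.URLError as err:
        if isinstance(err.reason, socket.timeout):
            return ("timeout", None)
        raise


def demo():
    """Run the same slow request with a too-short and an adequate timeout."""
    srv = start_slow_server()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    try:
        impatient = fetch(url, timeout=0.3)   # shorter than the server's work
        patient = fetch(url, timeout=5.0)     # covers the server's work
    finally:
        srv.shutdown()
        srv.server_close()
    return impatient[0], patient[0]


if __name__ == "__main__":
    print(demo())  # ('timeout', 'ok')
```

The first call fails purely because of the client's own timeout; nothing in the server changed between the two calls. A Java SOAP client shows the same split, with its read timeout set on the client stub or transport rather than here, and the only server-visible symptom is the write failure after the client has left.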



RE: Tomcat 8.5.15/502: Bad Gateway

2017-08-24 Thread Petr Nemecek
Hi,

this error occurs even if I bypass IIS i.e. go directly to Tomcat.

My requests are SOAP requests. I get that bad gateway error on the client side, 
then when the processing of the request finishes I can see the following error in 
Tomcat/stderr.

com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet caught throwable
 javax.xml.ws.WebServiceException: com.ctc.wstx.exc.WstxIOException: 
java.io.IOException: An existing connection was forcibly closed by the remote 
host

What is weird is that when I don't run Tomcat as a service, but just from the 
command line, I don't get this error.

My startup Options for Tomcat are:

-Dcatalina.home=c:\tomcat\apache-tomcat-8.5.15-dev
-Dcatalina.base=c:\tomcat\apache-tomcat-8.5.15-dev
-Djava.io.tmpdir=c:\tomcat\apache-tomcat-8.5.15-dev\temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=c:\tomcat\apache-tomcat-8.5.15-dev\conf\logging.properties
-Dfile.encoding=utf-8
-Dorg.apache.cxf.stax.allowInsecureParser=true
-Djava.rmi.server.hostname=w.x.y.z
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=8101
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

Regards,
 Petr

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, August 24, 2017 10:04 AM
To: Tomcat Users List 
Subject: Re: Tomcat 8.5.15/502: Bad Gateway

On 24/08/17 08:39, Petr Nemecek wrote:
> Hello,
> 
> I have a Tomcat behind IIS, and I get the 502: Bad Gateway error for long 
> running requests.
> 
> After some experiments I've found out, that if I use connector 8082 (see 
> below), I have this problem, but when I switch to 8084 (see below), the 
> problem disappears. The only difference is that proxyName, proxyPort and 
> scheme are set in the first connector.
> 
> Obviously I need both, to have those set and to serve the long running 
> requests without error... Any idea?

Those attributes won't make the slightest difference.

Tomcat has no control over how long IIS gives a request to complete before 
deciding to return a 502. You should look at your IIS / ISAPI configuration.

Mark

> 
> Many thanks,
>  Petr Nemecek
> 
> connectionTimeout="2"
>redirectPort="8444"
>URIEncoding="UTF-8"
>proxyName="www.xyz.eu"
>proxyPort="80"
>scheme="http" />
> 
> connectionTimeout="2"
>redirectPort="8444"
>URIEncoding="UTF-8" />
> 
> 
> 
> 


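The startup options listed in the message above enable a remote JMX agent on port 8101 with `authenticate=false`, `ssl=false` and `local.only=false`, which together expose unauthenticated, cleartext management access on every interface. The thread does not discuss this, but it is the first thing a practitioner reviewing that option list would want flagged. The following is an added example, not code from the thread or from Tomcat: it parses a block of `-Dkey=value` JVM options (the input is the thread's own list, reproduced as a constructed string) and reports the weak `com.sun.management.jmxremote.*` settings next to a hardened variant of the same block. The `.rmi.port` pinning in the hardened block is a standard JDK property added here as an assumption about what the operator would want, not something the thread mentions.

```python
import re

# JVM options copied from the thread's message, used as the constructed
# input for the audit below (paths shortened to the entries that matter).
THREAD_OPTIONS = r"""
-Dcatalina.home=c:\tomcat\apache-tomcat-8.5.15-dev
-Dcatalina.base=c:\tomcat\apache-tomcat-8.5.15-dev
-Djava.rmi.server.hostname=w.x.y.z
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=8101
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
"""

# The same JMX agent kept, but protected: password (or other) authentication
# and TLS turned on, the registry restricted to loopback, and the RMI port
# pinned so a firewall rule can cover it. Assumed hardened configuration.
HARDENED_OPTIONS = r"""
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=8101
-Dcom.sun.management.jmxremote.rmi.port=8101
-Dcom.sun.management.jmxremote.local.only=true
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
"""

JMX = "com.sun.management.jmxremote"


def parse_system_properties(options_text):
    """Turn whitespace-separated '-Dkey[=value]' tokens into a dict.

    Tokens that are not -D system properties (e.g. -Xmx) are ignored; a bare
    '-Dkey' maps to the empty string, matching how the JVM treats it.
    """
    props = {}
    for token in options_text.split():
        m = re.fullmatch(r"-D([^=]+)(?:=(.*))?", token)
        if m:
            props[m.group(1)] = m.group(2) or ""
    return props


def audit_jmx(props):
    """Return a list of findings about the remote JMX agent settings.

    Defaults follow the JDK: when only a port is given, authentication,
    SSL and local-only binding are all on, so only explicit 'false' values
    weaken the agent.
    """
    findings = []
    if JMX + ".port" not in props:
        return findings  # no remote agent configured: nothing listens

    def off(key):
        return props.get(JMX + "." + key, "true").strip().lower() == "false"

    if off("authenticate"):
        findings.append("jmxremote.authenticate=false: anyone who reaches "
                        "the port gets full MBean access (incl. app reload)")
    if off("ssl"):
        findings.append("jmxremote.ssl=false: management traffic and any "
                        "credentials cross the network in the clear")
    if off("local.only"):
        findings.append("jmxremote.local.only=false: RMI registry bound to "
                        "all interfaces instead of loopback")
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit_jmx(parse_system_properties(text)) or ["no findings"])
```

On the thread's options the audit returns three findings; on the hardened block it returns none. Turning `authenticate` on also requires the JDK's `jmxremote.password` and `jmxremote.access` files (or another login module) to be in place, which this check does not verify.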



Re: Tomcat 8.5.15/502: Bad Gateway

2017-08-24 Thread Mark Thomas
On 24/08/17 08:39, Petr Nemecek wrote:
> Hello,
> 
> I have a Tomcat behind IIS, and I get the 502: Bad Gateway error for long 
> running requests.
> 
> After some experiments I've found out, that if I use connector 8082 (see 
> below), I have this problem, but when I switch to 8084 (see below), the 
> problem disappears. The only difference is that proxyName, proxyPort and 
> scheme are set in the first connector.
> 
> Obviously I need both, to have those set and to serve the long running 
> requests without error... Any idea?

Those attributes won't make the slightest difference.

Tomcat has no control over how long IIS gives a request to complete
before deciding to return a 502. You should look at your IIS / ISAPI
configuration.

Mark

> 
> Many thanks,
>  Petr Nemecek
> 
> connectionTimeout="2"
>redirectPort="8444"
>URIEncoding="UTF-8"
>proxyName="www.xyz.eu"
>proxyPort="80"
>scheme="http" />
> 
> connectionTimeout="2"
>redirectPort="8444"
>URIEncoding="UTF-8" />
> 
> 
> 
> 





Tomcat 8.5.15/502: Bad Gateway

2017-08-24 Thread Petr Nemecek
Hello,

I have a Tomcat behind IIS, and I get the 502: Bad Gateway error for long 
running requests.

After some experiments I've found out, that if I use connector 8082 (see 
below), I have this problem, but when I switch to 8084 (see below), the problem 
disappears. The only difference is that proxyName, proxyPort and scheme are set 
in the first connector.

Obviously I need both, to have those set and to serve the long running requests 
without error... Any idea?

Many thanks,
 Petr Nemecek







